One-Roof Nonprod Clone Extended — 04 Issue/Event Activation Simulation (Obj C, 9/9 PASS)
04 — Objective C: Issue / Event Activation Simulation
Verdict: SIM PASS (9/9) rollback-only. Activation works; three independent fail-closed layers proven; no in-DB dispatcher; emit returns to 0.
SQL: sql/C_issue_event_activation_sim_rollback_only_clone.sql
Substrate (verified live on clone)
- 5 governance event_type_registry rows, all active=false (backfill.sweep_completed, candidate.scan_completed, coverage.scan_completed, handoff.object_born, input.untrusted_source).
- event_outbox carries exactly one trigger: BEFORE INSERT trg_event_outbox_type_validate → fn_event_type_validate (SECURITY DEFINER). It rejects: unknown (domain, type), inactive type, event_stream mismatch, delivery_lane mismatch.
- No AFTER-INSERT trigger and no pg_notify on event_outbox ⇒ inserting is a pure store; nothing auto-dispatches. (The only pg_notify user in the DB is fn_context_pack_on_dot_register, on dot_tools, unrelated.)
- event_outbox total rows = 191,904; governance domain = 0.
What the prior package proved vs. what this adds
Prior (Step D): emit of an inactive/unknown type is rejected. This macro goes further — it activates a type and proves a correctly-shaped, fully-provenanced emit is accepted, then proves it is inert (no dispatcher), all rolled back.
Checks (9/9 PASS)
| # | check | result |
|---|---|---|
| C0 | baseline: gov emit=0, gov types active=0 | PASS |
| C1 | inactive emit rejected (fail-closed layer 1: active flag) | PASS |
| C2 | after activating coverage.scan_completed, well-shaped+provenanced emit accepted; gov emit 0→1 | PASS |
| C2b | same emit without provenance (canonical_address NULL) rejected | PASS |
| C3 | stream mismatch rejected even when active (fail-closed layer 2: stream/lane match) | PASS |
| C4 | no extra (dispatcher) trigger on event_outbox | PASS |
| C5 | issue payload shaped read-only (open_cells=0; system_issues never written) | PASS |
Post-rollback: gov_emit=0, gov_active=0 — state fully restored.
Three fail-closed layers (discovered/confirmed)
- Active flag — fn_event_type_validate rejects unless the type is active=true (governed flip).
- Stream/lane match — even an active type is rejected if event_stream/delivery_lane don't match the registry row.
- Mandatory provenance — event_outbox has NOT-NULL canonical_address, actor_ref, source_system (+ CHECKs: non-empty actor/address, payload_classification ∈ {safe_metadata, restricted}, safe_payload may not carry body/content/raw/vector/embedding/secret/token/password/ssn/personal_data). An emit without full, safe provenance cannot be written.
No external emit — structural
A row in event_outbox does nothing on its own: no AFTER trigger, no NOTIFY, no consumer on the clone. Outbound delivery requires a separate dispatcher that reads the outbox — which does not exist in the DB and was never run. Even the activation UPDATE and the accepted emit were rolled back.
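One way to re-verify the structural claim above (and check C4) from the PostgreSQL catalogs, as an added example that is not the contents of the SQL file referenced on this page. It assumes event_outbox resolves on the current search_path; the publication query goes beyond the checks listed here and covers one more in-database outbound path.

```sql
-- Added example: read-only catalog checks, nothing is written.
BEGIN READ ONLY;

-- 1) Every user trigger on event_outbox, with timing decoded from tgtype.
--    Expected per this report: one row, BEFORE, on_insert = true,
--    function fn_event_type_validate, security_definer = true.
SELECT t.tgname,
       CASE WHEN (t.tgtype & 2)  <> 0 THEN 'BEFORE'
            WHEN (t.tgtype & 64) <> 0 THEN 'INSTEAD OF'
            ELSE 'AFTER' END          AS timing,
       (t.tgtype & 4) <> 0            AS on_insert,
       p.proname                      AS function_name,
       p.prosecdef                    AS security_definer,
       t.tgenabled
FROM pg_trigger t
JOIN pg_proc p ON p.oid = t.tgfoid
WHERE t.tgrelid = 'event_outbox'::regclass
  AND NOT t.tgisinternal
ORDER BY t.tgname;

-- 2) Fail closed if the trigger count drifts from the verified baseline of 1.
DO $$
DECLARE n int;
BEGIN
  SELECT count(*) INTO n
  FROM pg_trigger
  WHERE tgrelid = 'event_outbox'::regclass AND NOT tgisinternal;
  IF n <> 1 THEN
    RAISE EXCEPTION 'event_outbox has % user triggers, expected 1', n;
  END IF;
END $$;

-- 3) Functions whose source calls pg_notify() or issues a NOTIFY statement.
--    Expected per this report: only fn_context_pack_on_dot_register.
SELECT n.nspname, p.proname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (p.prosrc ILIKE '%pg_notify%' OR p.prosrc ~* '\mnotify\M');

-- 4) Extra check (not in the report): logical-replication publications that
--    would ship event_outbox rows out of the DB without any trigger.
SELECT pubname, schemaname, tablename
FROM pg_publication_tables
WHERE tablename = 'event_outbox';

ROLLBACK;
```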
Production guidance
Activating governance emit on production is a two-part governed step that must NOT be automated: (1) UPDATE event_type_registry SET active=true … per type, and (2) standing up a dispatcher that consumes event_outbox. The coverage scanner produces no emit as a side effect. Keep all governance event types active=false until emit is explicitly decided. system_issues (9 triggers) is read-only for any scan — never bulk-written.