One-Roof Nonprod Clone Extended — 07 Production Rollout Automation Packet (Obj F)
07 — Objective F: Production Rollout Automation Packet
Verdict: PRODUCED — exact preflight, gated seed, verification, rollback, with step gates, expected deltas, stop conditions, and the human input that opens the gate.
SQL artifacts: sql/F_prod_00_preflight.sql, F_prod_01_ownership_seed_commit.sql, F_prod_02_verify.sql, F_prod_03_rollback.sql
Production target DB =
directus. None of these were executed by this run. They are the automation packet to run after the sovereign gate opens. Every script is self-guarding and aborts on precondition drift.
The ONE human gate (non-automatable)
os_proposal_approvals >= 1, produced by L2 quorum + L4 President e-signature ratifying the authorization model (APR-BOOT-AUTHMODEL-1). Until then every step below is NO-GO. Nothing technical can or should substitute for this human act. Handoff packets for the human step already exist in prior KB packages (one-roof-human-ratification-handoff-2026-06-02, …auth-model-ratification-intake…).
Channel
ssh contabo → docker exec -i postgres psql -U workflow_admin -d directus -f - (stdin). The seed takes -v ratified_apr=APR-BOOT-AUTHMODEL-1.
Step sequence, gates, deltas, stop conditions
| step | script | gate (abort unless) | expected delta | stop condition |
|---|---|---|---|---|
| 0 Preflight | F_prod_00_preflight.sql |
db=directus; ospa≥1; gap=210; own=0; conflict=0; inventory=35; scopes=6 | none (read-only) | any assert fails → STOP (gate closed or drift) |
| 1 Seed | F_prod_01_ownership_seed_commit.sql |
re-checks db + ospa≥1 + gap=210 + own=0 + conflict=0 in-txn | ownership 0→30; gap 210→0; conflict 0; gov_emit 0 (0 triggers on table) |
pre-commit assert fails → txn aborts, no change |
| 2 Verify | F_prod_02_verify.sql |
— | none (read-only) | own≠30 / gap≠0 / effective≠240 / emit≠0 → STOP + rollback |
| (rollback) | F_prod_03_rollback.sql |
— | ownership 30→0; gap 0→210 |
rollback assert fails → STOP |
Provenance: seed rows carry created_by='F6_OWNERSHIP_SEED_COMMIT', approval_ref=<ratified_apr>. Rollback targets exactly that created_by tag.
Expected final state after step 2 (clone-proven identical)
own=30 | gap=0 | conflict=0 | effective_owner=240 (30 direct + 210 inherited) | gov_emit=0 | coverage_pct=100.
What CAN be automated after the gate opens
- Preflight + seed + verify (steps 0–2): the scripts are self-guarding (abort on any drift, including a re-closed gate), so they can run unattended in sequence. This is the clone-proven Step A minus the gate-removal.
- Scanner read+write (candidate materialization, Phase 2): idempotent natural-key upsert, bounded (one
candidate_scan_runrow per run), no side effects — safe to schedule. Requires a realgovernance_ruleset+ validsource_snapshot_ref(anevolution_snapshotsid). - Cursor advance: monotonic (stale/retry are no-ops) — safe in a bounded loop.
What must NEVER be automated (human/governed)
- Opening the sovereign gate (
ospa≥1) — L2/L4 e-signature. - Flipping
event_type_registry.active=true(turning on outbound emit) + standing up a dispatcher (doc 04). - The axis-model ownership extension (doc 03).
- Any
os_proposal_approvals/ approval / e-sign / law / version / status change. - Registering or executing DOTs as part of coverage (doc 05) — keep scanning in SQL.
Risk notes carried from the clone
- After any production restore/clone,
v_governance_object_inventory's definition may differ cosmetically (array-cast rendering) → an md5 diff that does not change results. Don't be alarmed. system_issues(9 triggers) andevent_outbox(validation trigger) are not inert — never bulk-write them in a scan.governance_object_ownershiphas 0 triggers — the seed is a clean insert with no cascade and no emit.