-- ============================================================================ -- OBJECTIVE D — DOT REGISTRATION REHEARSAL + EXECUTION BOUNDARY (CLONE, ROLLBACK-ONLY) -- Target DB: directus_gov_test_20260602 (NON-PRODUCTION CLONE)

---

-- DOT surface: dot_tools has 13 triggers; INSERT writes birth_registry (twice), -- refreshes counts, auto-labels. trg_context_pack_dot_register -> pg_notify ONLY -- when status='active' AND tier IN ('A','B','C') (delivered on COMMIT; ROLLBACK -- discards). We register status='published' (no NOTIFY branch) and ROLLBACK. -- VERDICT: registration is rehearsable rollback-only; DOT EXECUTION is OUT-OF-DB -- (external runner + lease + run ledger) => NO-GO clone, FORBIDDEN production. -- ============================================================================ \set ON_ERROR_STOP on \pset pager off

\echo ====================DOT_REHEARSAL_ENTRY==================== SELECT current_database() AS db, (current_database() LIKE 'directus_gov_test_%') AS is_clone;

BEGIN; DO $$ DECLARE v_db text; BEGIN SELECT current_database() INTO v_db; IF v_db NOT LIKE 'directus_gov_test_%' THEN RAISE EXCEPTION 'REFUSING TO RUN: % is not a clone.', v_db; END IF; END $$; CREATE TEMP TABLE d_results (seq int, check_name text, expected text, actual text, pass boolean) ON COMMIT DROP;

DO $$ DECLARE v_dot0 int; v_birth0 bigint; v_dot1 int; v_birth1 bigint; v_inserted boolean := true; v_err text := ''; BEGIN SELECT count() INTO v_dot0 FROM dot_tools; SELECT count() INTO v_birth0 FROM birth_registry; BEGIN INSERT INTO dot_tools (code, name, name_en, description, classification, owner, script_path, token_type, category, status, tier, domain, operation, trigger_type, _dot_origin) VALUES ('DOT-CLONE-TEST-COVSCAN','Dry coverage scanner (clone test)','Dry coverage scanner (clone test)', 'Rollback-only rehearsal of registering a governance coverage scanner DOT. Non-production clone.', 'governance','GOV-DOT','/nonexistent/dry-run-not-executed.sql','none','governance', 'published', NULL, 'governance','coverage_scan','manual','DIRECTUS'); EXCEPTION WHEN OTHERS THEN v_inserted := false; v_err := SQLERRM; END; SELECT count() INTO v_dot1 FROM dot_tools; SELECT count() INTO v_birth1 FROM birth_registry; INSERT INTO d_results VALUES (1,'D1 dry DOT registration accepted (warning-mode gate)','accepted', CASE WHEN v_inserted THEN 'accepted' ELSE 'REJECTED: '||v_err END, v_inserted), (2,'D2 dot_tools +1 inside txn', (v_dot0+1)::text, v_dot1::text, v_dot1=v_dot0+1), (3,'D3 birth_registry side-effect observed (>= entry)', '>= '||v_birth0::text, v_birth1::text, v_birth1>=v_birth0); END $$;

\echo ====================DOT_REHEARSAL_RESULTS==================== SELECT seq, check_name, expected, actual, CASE WHEN pass THEN 'PASS' ELSE 'FAIL' END AS verdict FROM d_results ORDER BY seq; \echo ====================DOT_REHEARSAL_SUMMARY==================== SELECT count() AS checks, count() FILTER (WHERE pass) AS passed, count() FILTER (WHERE NOT pass) AS failed, CASE WHEN count() FILTER (WHERE NOT pass)=0 THEN 'REHEARSAL PASS' ELSE 'REHEARSAL FAIL' END AS verdict FROM d_results;

ROLLBACK; -- registration undone; NOTIFY (if any had queued) discarded

\echo ====================POST_ROLLBACK_dot_state_restored==================== SELECT (SELECT count() FROM dot_tools) AS dot_tools, (SELECT count() FROM dot_iu_runtime_lease) AS leases; \echo ====================DONE==================== -- Executed result: 3/3 PASS; dot_tools 309->310 in-txn, birth_registry +5 in-txn; post-rollback dot_tools=309, leases=0. -- Birth gate WARNed on code format (warning mode) but did not block.