KB-7ED2

One-Roof Nonprod Clone — 07 Step D Issue/Event/Log Boundary (fail-closed)

Revision 1
Tags: one-roof, phase1, coverage, nonprod-clone, event-boundary, fail-closed

07 — Step D: Issue / Event / Log Boundary on Clone

Verdict: PASS — emit boundary is DB-enforced fail-closed; no outbound emit; issue path read-only. SQL: sql/D_issue_event_boundary_clone.sql (sha256 06b7cdd81bae6848741cdb6e660480bdf371c8e8fbfb1a3b8cba8c7fc299bde5).

  1. Payload shaping (read-only) from live state: coverage.scan_completed {total_cells:210, gap_cells:0, covered_cells:210, coverage_pct:100.0, conflicts:0, ruleset_version:RS-CLONE-TEST-1}; candidate.scan_completed {groups_scanned:5, objects_materialized:35, last_run:SCAN-CLONE-TEST-2}; would-be coverage-gap issues = 0 rows (gap=0).

  2. Emit boundary proof (BEGIN..ROLLBACK, nothing persisted): event_outbox BEFORE-INSERT trigger fn_event_type_validate (SECURITY DEFINER) is fail-closed — unknown (domain,type)→EXCEPTION unknown; active=false→EXCEPTION is inactive; stream/lane mismatch→EXCEPTION. N1 insert governance/coverage.scan_completed (active=false) → rejected "is inactive". N2 insert governance/totally.made_up → rejected "unknown". gov_emit_in_txn=0; rolled back; final gov_emit=0. All 7 governance event types ship active=false ⇒ every governance emit blocked at DB level — structural guarantee, not convention.

  3. Issue boundary (read-only by design): system_issues carries 9 triggers (not inert) — writing could fire unknown cascades; handled read-only (only payload shaped, nothing inserted); system_issues unchanged (200480); gap=0 ⇒ no real issues anyway.
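The trigger-enforced boundary exercised in step 2, as an added PostgreSQL example; this is not the page's sql/D_issue_event_boundary_clone.sql. Only event_outbox, event_type_registry, event_type_registry.active, fn_event_type_validate and the N1/N2 inputs come from the report; the column layout, the stream/lane values, the trigger name and the check_violation error code are assumptions. Each rejection is caught in a DO block so the whole proof runs inside one BEGIN..ROLLBACK, and an attempt that is unexpectedly accepted raises a non-check_violation error that aborts the transaction instead of being swallowed.

```sql
-- Added example: minimal model of the fail-closed emit boundary. Names other than
-- event_outbox / event_type_registry(.active) / fn_event_type_validate are assumed.

CREATE TABLE event_type_registry (
    domain  text    NOT NULL,
    type    text    NOT NULL,
    stream  text    NOT NULL,
    lane    text    NOT NULL,
    active  boolean NOT NULL DEFAULT false,  -- ships false: nothing emits until governed
    PRIMARY KEY (domain, type)
);

CREATE TABLE event_outbox (
    id         bigserial   PRIMARY KEY,
    domain     text        NOT NULL,
    type       text        NOT NULL,
    stream     text        NOT NULL,
    lane       text        NOT NULL,
    payload    jsonb       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- SECURITY DEFINER: the check runs with the owner's rights, so a writer that has
-- INSERT on the outbox but no SELECT on the registry still cannot bypass it.
-- search_path is pinned so the lookup cannot be redirected to another schema.
CREATE OR REPLACE FUNCTION fn_event_type_validate() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
DECLARE
    r event_type_registry%ROWTYPE;
BEGIN
    SELECT * INTO r FROM event_type_registry
     WHERE domain = NEW.domain AND type = NEW.type;
    IF NOT FOUND THEN                         -- unregistered (domain,type)
        RAISE EXCEPTION 'event type %/% unknown', NEW.domain, NEW.type
              USING ERRCODE = 'check_violation';
    END IF;
    IF NOT r.active THEN                      -- registered but switched off
        RAISE EXCEPTION 'event type %/% is inactive', NEW.domain, NEW.type
              USING ERRCODE = 'check_violation';
    END IF;
    IF r.stream <> NEW.stream OR r.lane <> NEW.lane THEN  -- routing must match registry
        RAISE EXCEPTION 'event type %/% stream/lane mismatch: expected %/%, got %/%',
              NEW.domain, NEW.type, r.stream, r.lane, NEW.stream, NEW.lane
              USING ERRCODE = 'check_violation';
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER trg_event_outbox_validate
    BEFORE INSERT ON event_outbox
    FOR EACH ROW EXECUTE FUNCTION fn_event_type_validate();

-- Registry seeded with one governance type from the page, inactive as shipped.
INSERT INTO event_type_registry (domain, type, stream, lane, active)
VALUES ('governance', 'coverage.scan_completed', 'gov', 'clone', false);

-- Proof: N1 and N2 inside one transaction, nothing persisted.
BEGIN;

DO $$
BEGIN
    -- N1: known type with active=false -> must be rejected as "is inactive"
    INSERT INTO event_outbox (domain, type, stream, lane, payload)
    VALUES ('governance', 'coverage.scan_completed', 'gov', 'clone',
            '{"total_cells":210,"gap_cells":0,"covered_cells":210,"coverage_pct":100.0}');
    RAISE EXCEPTION 'N1 unexpectedly accepted';   -- not check_violation: aborts the proof
EXCEPTION WHEN check_violation THEN
    RAISE NOTICE 'N1 rejected: %', SQLERRM;
END $$;

DO $$
BEGIN
    -- N2: unregistered type -> must be rejected as "unknown"
    INSERT INTO event_outbox (domain, type, stream, lane, payload)
    VALUES ('governance', 'totally.made_up', 'gov', 'clone', '{}');
    RAISE EXCEPTION 'N2 unexpectedly accepted';
EXCEPTION WHEN check_violation THEN
    RAISE NOTICE 'N2 rejected: %', SQLERRM;
END $$;

-- gov_emit_in_txn: expected 0 even before the rollback
SELECT count(*) AS gov_emit_in_txn FROM event_outbox WHERE domain = 'governance';

ROLLBACK;

-- final gov_emit: expected 0
SELECT count(*) AS gov_emit FROM event_outbox WHERE domain = 'governance';
```

The point to take from the shape of this: activation is a row update on event_type_registry.active, so it leaves an audit trail and can be gated by whoever owns that table, whereas a dispatcher-side "enabled" flag would have to be trusted on every host that can reach the outbox.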

Net: the issue/event/log surface was exercised for shaping and validation while dispatch stayed off (inactive types, no clone dispatcher, no system_issues writes). Activating emit requires flipping event_type_registry.active, which is a governed step, not a scan side effect.

Source path: knowledge/dev/reports/architecture/one-roof-nonprod-clone-full-coverage-pipeline-2026-06-02/07-issue-event-log-boundary-on-clone.md