KB-2993

F-2 Rollback-Only Coverage Dry-Run — 00 Overview & State Recovery

Revision 1

00 — Overview & State Recovery (F-2 Rollback-Only Coverage Dry-Run)

Mission ONE_ROOF_PHASE1_COVERAGE_DRY_RUN_F2_ROLLBACK_ONLY, executed 2026-06-02. Class: rollback-only operational coverage dry-run. Mode: single BEGIN..ROLLBACK, NO COMMIT, NO persistent mutation. Verdict: PASS — see doc 08.

0.1 What F-1 proved (input state)

The F-1 read-only dry-run (one-roof-phase1-coverage-dry-run-f1-readonly-2026-06-02/, accepted) proved, over a 3-collection subset (agents, approval_requests, apr_action_types), purely read-only:

  • the collection-grain inventory seam logic is sound (3 bounded rows, correct requires_owner/born flags);
  • owner-resolution returns 0 because governance_object_ownership is empty (honest, not fabricated);
  • the gap logic reports honest under-coverage (every object × active scope is a gap);
  • correction F-DR-1: gap grain = (object × scope); 3 × 6 = 18 rows, not "≤3"; full ceiling = 35 × 6 = 210, not 38;
  • zero mutation.

F-1 ran the seam expression inline through the read-only query_pg role — it never created the real view object.

0.2 F-2 objective

Test the next operational level by wiring the seams as real view objects and seeding the real stores inside a single controlled transaction, then ROLLBACK and prove entry==exit:

  1. wire Seam-A inventory and the containment seam onto the real collection_registry source (3-collection subset);
  2. seed a transient draft governance_ruleset row + the candidate path (candidate_scan_run + governance_candidate_state);
  3. seed governance_object_ownership test rows producing one direct owner, one inherited owner, one missing owner;
  4. re-run gap/conflict against the now-live-in-txn views;
  5. exercise FK/CHECK/UNIQUE rejection (negative tests);
  6. ROLLBACK — persist nothing; prove entry==exit from an independent read-only channel.

0.3 Exact allowed rollback-only scope

Inside one transaction: transient seam view CREATE OR REPLACE (DDL is transactional → auto-restored on ROLLBACK); transient draft ruleset row; transient scan-run + candidate-state rows; transient ownership rows; SELECT-based gap/conflict tests; SAVEPOINT negative tests.

0.4 Exact forbidden scope (all honored — doc 08 §forbidden-compliance)

No COMMIT; no persistent schema/data; no event_outbox insert; no system_issues insert; no registry_changelog insert; no DOT insert/run; no handler/scanner/worker activation; no worker-cursor advancement; no backfill; no Directus/Qdrant/Nuxt mutation; no os_proposal_approvals write; no approval/e-sign creation; no law/version/status change.

0.5 F-1 correction to thresholds (carried into F-2 gates)

Per F-DR-1, the in-flight gap ceiling is per scope: subset ceiling = 3 collections × 6 active scopes = 18; full Phase-1 ceiling = 35 governed collections × 6 = 210. F-2 used 18 as the pre-ownership ceiling and observed exactly 18 (doc 03).

0.6 Expected output & stop conditions

Expected: 18 gaps pre-ownership → 16 gaps post-ownership (2 covered: 1 direct + 1 inherited); owner-resolution = 2 rows; conflict view = 0 (unique index) + detector predicate = 1 on an index-less probe; 6 negative tests reject; entry==exit after ROLLBACK. Stop/abort (none triggered): rows > 18 ceiling, any emit/issue/cursor/DOT/handler activation, out-of-scope table change, unrecoverable failed transaction, un-closable idle transaction.
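The rollback-only pattern of §0.2 and the 18 → 16 gap arithmetic above, as an added example that is not part of the mission package. It substitutes an in-memory SQLite database for the PostgreSQL stores, runs one negative test per constraint class (FK, CHECK, UNIQUE), and fingerprints state on the same connection rather than through an independent read-only channel. Assumptions: the table layouts, the v_gap view, the scope names s1..s6 and the owners team-a/team-b.

```python
import hashlib
import sqlite3

SCHEMA = """-- Hypothetical stand-in schema; column layouts are assumptions, not the real stores.
CREATE TABLE collection (name TEXT PRIMARY KEY);
CREATE TABLE scope (name TEXT PRIMARY KEY);
CREATE TABLE ownership (object TEXT NOT NULL REFERENCES collection(name),
  scope TEXT NOT NULL REFERENCES scope(name), owner TEXT NOT NULL,
  kind TEXT NOT NULL CHECK (kind IN ('direct', 'inherited')), UNIQUE (object, scope));
INSERT INTO collection VALUES ('agents'), ('approval_requests'), ('apr_action_types');
INSERT INTO scope VALUES ('s1'), ('s2'), ('s3'), ('s4'), ('s5'), ('s6');
"""
GAP_VIEW = """CREATE VIEW v_gap AS SELECT c.name AS object, s.name AS scope
  FROM collection c CROSS JOIN scope s LEFT JOIN ownership o
  ON o.object = c.name AND o.scope = s.name WHERE o.owner IS NULL"""
SEED = [("agents", "s1", "team-a", "direct"), ("approval_requests", "s1", "team-a", "inherited")]
NEGATIVE = [("no_such_collection", "s1", "team-a", "direct"),  # FK must reject
            ("apr_action_types", "s2", "team-a", "bogus"),     # CHECK must reject
            ("agents", "s1", "team-b", "direct")]              # UNIQUE must reject (after SEED)

def fingerprint(db):
    """Hash every schema object and every table row: the entry/exit state proof."""
    objs = db.execute("SELECT type, name, sql FROM sqlite_master ORDER BY name").fetchall()
    rows = [db.execute(f'SELECT * FROM "{n}" ORDER BY rowid').fetchall() for t, n, _ in objs if t == "table"]
    return hashlib.sha256(repr((objs, rows)).encode()).hexdigest()

def run():
    db = sqlite3.connect(":memory:", isolation_level=None)  # no implicit BEGIN/COMMIT
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    entry, out, count = fingerprint(db), {"rejected": 0}, "SELECT count(*) FROM v_gap"
    db.execute("BEGIN")
    try:
        db.execute(GAP_VIEW)                                 # transient view: DDL inside the txn
        out["gaps_pre"] = db.execute(count).fetchone()[0]
        db.executemany("INSERT INTO ownership VALUES (?, ?, ?, ?)", SEED)
        out["gaps_post"] = db.execute(count).fetchone()[0]
        for bad in NEGATIVE:                                 # each rejection isolated by a savepoint
            db.execute("SAVEPOINT neg")
            try:
                db.execute("INSERT INTO ownership VALUES (?, ?, ?, ?)", bad)
            except sqlite3.IntegrityError:
                out["rejected"] += 1
            db.execute("ROLLBACK TO neg")                    # undo the probe even if it was accepted
            db.execute("RELEASE neg")
    finally:
        db.execute("ROLLBACK")                               # never COMMIT
    out["entry_eq_exit"] = fingerprint(db) == entry          # view and seeded rows must be gone
    return out
```

In PostgreSQL a rejected statement aborts the enclosing transaction until a rollback, so the savepoint around each negative test is mandatory there; SQLite only undoes the failed statement.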

0.7 State-recovery sources read

  • gpt-review-f1-readonly-dry-run-pass-go-f2-rollback-only-2026-06-02.md (named state-recovery input — NOT found on disk or KB, same discrepancy class as F-DR-6; GO is grounded in the published F-1 package doc 07 = GO — F-2 rollback-only);
  • the F-1 package;
  • the operational-readiness/activation-boundary package;
  • the test-mode deferred-substrate-completion package (SB-2 recursive views + SB-10 aux);
  • the test-mode build package (SB-0..SB-13).

The governing law file knowledge/dev/laws/prompt-muc-tieu-mo-for-claude-code.md is empty/absent on disk (logged, immaterial — the governing principles are honored throughout: honest reporting/no overclaim, no hardcode, fail-closed, no hidden island).

knowledge/dev/reports/architecture/one-roof-phase1-coverage-dry-run-f2-rollback-only-2026-06-02/00-overview-state-recovery.md