F-2 Rollback-Only Coverage Dry-Run — 06 Entry==Exit & Rollback Verification
06 — Entry==Exit & Rollback Verification
Proof that the transaction persisted nothing, from two independent channels.
6.1 First-attempt fail-safe (incidental proof)
The first execution attempt failed at S1 (cannot change data type of view column "object_ref" from text to character varying(255)). Because ON_ERROR_STOP=on, psql aborted mid-BEGIN and the connection closed ⇒ implicit ROLLBACK. The independent census taken before the corrected re-run still showed the full baseline (ownership 0, seams inert, relations 8) — i.e. even a mid-transaction abort left zero residue. This is the rollback-only guarantee demonstrated involuntarily.
6.2 In-session entry==exit (execution channel)
PRE_CENSUS (before BEGIN) vs POST_CENSUS (after ROLLBACK), same psql session:
| Metric | PRE | POST | Δ |
|---|---|---|---|
| governance_object_ownership | 0 | 0 | 0 |
| governance_ruleset | 0 | 0 | 0 |
| candidate_scan_run | 0 | 0 | 0 |
| governance_candidate_state | 0 | 0 | 0 |
| governance_relations | 8 | 8 | 0 |
| event_outbox (governance) | 0 | 0 | 0 |
| system_issues | 198,442 | 198,442 | 0 |
| v_object_effective_owner columns | 9 | 9 | 0 |
| v_governance_object_inventory rows | 0 | 0 | 0 |
| v_object_effective_owner rows | 0 | 0 | 0 |
| v_object_owner_gap rows | 0 | 0 | 0 |
| idle-in-transaction sessions | — | 0 | — |
The two seams are back to their inert WHERE false definitions (0 rows) — the CREATE OR REPLACE was undone by ROLLBACK, as DDL is transactional.
6.3 In-txn confirmation the rows did exist (so the rollback is real, not a no-op)
Before ROLLBACK, inside the transaction:
ownership | ruleset | scan_run | cand_state
-----------+---------+----------+------------
1 | 1 | 1 | 1
The transient rows genuinely existed mid-transaction (proving the inserts were real work), then vanished on ROLLBACK — confirming the entry==exit result is a true rollback, not inserts that silently failed.
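The entry==exit procedure of 6.2 and 6.3 as a psql script, added here as an illustration; it is not the F-2 script. Table and view names come from the census above; `harness.sql`, `change_under_test.sql` and the `pre_`/`post_` variable prefixes are hypothetical.

```sql
-- Added example: rollback-only harness for psql; not the F-2 script.
-- Hypothetical invocation: psql -X -f harness.sql
-- With ON_ERROR_STOP on, any error makes psql exit; the closed connection
-- leaves the server to roll back the open transaction (the 6.1 case).
\set ON_ERROR_STOP on

-- PRE census, before BEGIN. \gset stores each column as :pre_<alias>.
SELECT
  (SELECT count(*) FROM governance_object_ownership)   AS ownership,
  (SELECT count(*) FROM governance_ruleset)            AS ruleset,
  (SELECT count(*) FROM candidate_scan_run)            AS scan_run,
  (SELECT count(*) FROM governance_candidate_state)    AS cand_state,
  (SELECT count(*) FROM governance_relations)          AS relations,
  (SELECT count(*) FROM v_governance_object_inventory) AS inventory_rows,
  (SELECT count(*) FROM pg_attribute                   -- view column count
    WHERE attrelid = 'v_object_effective_owner'::regclass
      AND attnum > 0 AND NOT attisdropped)             AS owner_cols
\gset pre_

BEGIN;
\i change_under_test.sql

-- In-transaction proof that the work was real: expect non-zero counts here.
SELECT
  (SELECT count(*) FROM governance_object_ownership) AS ownership,
  (SELECT count(*) FROM governance_ruleset)          AS ruleset,
  (SELECT count(*) FROM candidate_scan_run)          AS scan_run,
  (SELECT count(*) FROM governance_candidate_state)  AS cand_state;

ROLLBACK;  -- never COMMIT in a dry-run

-- POST census: the identical query, stored as :post_<alias>.
SELECT
  (SELECT count(*) FROM governance_object_ownership)   AS ownership,
  (SELECT count(*) FROM governance_ruleset)            AS ruleset,
  (SELECT count(*) FROM candidate_scan_run)            AS scan_run,
  (SELECT count(*) FROM governance_candidate_state)    AS cand_state,
  (SELECT count(*) FROM governance_relations)          AS relations,
  (SELECT count(*) FROM v_governance_object_inventory) AS inventory_rows,
  (SELECT count(*) FROM pg_attribute
    WHERE attrelid = 'v_object_effective_owner'::regclass
      AND attnum > 0 AND NOT attisdropped)             AS owner_cols
\gset post_

-- Verdict: every delta must be zero and no session may be left mid-transaction.
SELECT :pre_ownership = :post_ownership AND :pre_ruleset = :post_ruleset
   AND :pre_scan_run = :post_scan_run AND :pre_cand_state = :post_cand_state
   AND :pre_relations = :post_relations AND :pre_owner_cols = :post_owner_cols
   AND :pre_inventory_rows = :post_inventory_rows AS entry_equals_exit,
  (SELECT count(*) FROM pg_stat_activity
    WHERE state = 'idle in transaction') AS idle_in_txn;
```

The harness itself only reads, so the PRE and POST values never touch a table; the independent read-only check in 6.4 still has to come from a separate connection.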
6.4 Independent read-only channel (query_pg) — post-rollback
A separate connection (AST-validated read-only query_pg role) after the transaction closed:
| Metric | Value | Expected |
|---|---|---|
| ownership / ruleset / scan_run / cand_state / cand_object | 0 / 0 / 0 / 0 / 0 | OK |
| relations | 8 | OK |
| event_outbox governance emit | 0 | OK |
| system_issues | 198,442 | OK |
| os_proposal_approvals (activation gate) | 0 | OK intact |
| apr_action_types | 14 | OK |
| gov event_type_registry active=true | 0 | OK |
| v_object_effective_owner columns | 9 | OK |
| inventory seam / containment seam rows | 0 / 0 | OK inert |
| gap view / effective-owner view rows | 0 / 0 | OK inert |
| idle-in-transaction sessions | 0 | OK |
6.5 No dangling session
pg_stat_activity for workflow_admin showed one connection (pid 38) with xact_age=NULL — no open transaction (it is a long-lived background pool connection; its state/query are hidden from the read-only role by privilege). The F-2 psql session had already exited with the ssh command. Global idle-in-transaction = 0. Zero F-2 residue.
6.6 Entry==exit verdict
PROVEN — both channels, Δ=0 on every governance metric. The transaction did real work in-flight (4 transient rows, 2 rewired seams, 2 covered object/scopes, 6 rejections) and persisted absolutely nothing. No COMMIT occurred.