KB-1C7C

Gate-Resolution 04 — Human-Action Packet (5-box) + exact next-agent commit prompt

6 min read Revision 1

one-roofphase1human-action-packetratificationAPR-BOOT-AUTHMODEL-1next-macro-prompt2026-06-02

04 — Commit Results / Human-Action Packet

Commit results: NONE — no commit occurred (Path C). What follows is the human-action packet: the single sovereign act that unblocks everything, reduced to the minimum number of steps.

One-page human checklist (5 boxes)

The whole Phase-1 coverage activation is blocked on one thing: a President (human) must ratify the governance auth-model so that os_proposal_approvals ≥ 1. Everything technical is already built, proven, and staged. Estimated time: a few minutes.

┌──────────────────────────────────────────────────────────────────────────┐
│ ONE-ROOF PHASE-1 — SOVEREIGN RATIFICATION (do these in order)             │
├──────────────────────────────────────────────────────────────────────────┤
│ ☐ 1. CREATE the auth-model approval request                              │
│      In Directus → collection `approval_requests` → create item:         │
│        code            = APR-BOOT-AUTHMODEL-1                             │
│        action          = modify                                          │
│        proposed_action_code = (leave BLANK)                              │
│        title           = "Adopt One-Roof governance auth-model           │
│                           (L0–L4) + authorize Phase-1 coverage seed"     │
│        status          = pending                                         │
│                                                                          │
│ ☐ 2. L2 QUORUM — record approvals in `apr_approvals` (link via apr_id):  │
│        • ≥1 approver who is a PRESIDENT (human)                          │
│        • ≥2 approvers of type ai_council                                 │
│        • 0 rejects                                                        │
│        • the proposer must NOT be one of the approvers                   │
│                                                                          │
│ ☐ 3. Set the request `status = approved` once quorum is met.            │
│                                                                          │
│ ☐ 4. L4 PRESIDENT E-SIGNATURE (out-of-band, in Directus):               │
│        Complete the President e-sign so `os_proposal_approvals` gains    │
│        a row (esignature_agreement = true). THIS is the gate.           │
│                                                                          │
│ ☐ 5. TELL THE NEXT AGENT: "ratification done — run the F-6 seed commit". │
│      (Exact prompt below.)                                               │
└──────────────────────────────────────────────────────────────────────────┘

Note on roles: "president" is identified as a human approver whose role matches president (live rule fn_apr_quorum_check: president = human + role ILIKE '%president%', NOT approver_type='president'). Confirm the human signer satisfies this.

Why only a human can do this

Writing os_proposal_approvals directly, or self-approving the request, would forge the sovereign President's e-signature. No agent may do it. The legitimate writer is the President e-signing in Directus, out-of-band. This is the line the project has correctly held for 15+ sessions.

Verification the human (or next agent) runs AFTER the act

Read-only — see sql/human_verification.sql. GO only if all hold:

G1 os_proposal_approvals ≥ 1
G2 APR-BOOT-AUTHMODEL-1 status = approved
G3 votes show quorum, 0 rejects
G4 inventory=35, containment=35, active_scopes=6, gap=210, ownership=0 (substrate still clean)

Exact next-agent commit prompt (copy-paste)

MISSION: ONE_ROOF_PHASE1_F6_OWNERSHIP_SEED_COMMIT_ON_RATIFICATION

Preconditions (verify live first, abort if any fails):
  - os_proposal_approvals >= 1
  - approval_requests.code='APR-BOOT-AUTHMODEL-1' status='approved' with L2 quorum, 0 rejects
  - v_object_owner_gap = 210, governance_object_ownership = 0,
    v_governance_object_inventory = 35, v_governance_object_containment = 35,
    active scopes (status='active') = 6, v_object_owner_conflict = 0

Action (only if all preconditions pass):
  Run sql/commit_ready_f6_ownership_seed.sql from package
  one-roof-phase1-coverage-gate-resolution-and-ownership-seed-decision-2026-06-02,
  passing -v ratified_apr=APR-BOOT-AUTHMODEL-1, via:
    ssh contabo -> docker exec -i postgres psql -U workflow_admin -d directus -f -
  The script is self-guarding (aborts the txn if ospa<1 or pre/post asserts fail).

Post-commit: run sql/post_commit_verification.sql. Expect ownership=30, gap=0,
  conflict=0, gov_emit=0, system_issues unchanged, all worker/candidate/scan_run=0.
Rollback if needed: sql/rollback_f6_ownership_seed.sql (delete-by-key, 0 triggers).

FORBIDDEN: activation, scanner worker loop, backfill, event emit, system_issues
  insert, DOT run, handler/UI/Directus/Qdrant mutation, any write beyond the 30 rows.

No-mutation proof for THIS run

All DB access was query_pg (read-only role, READ ONLY transaction).
Entry == exit by construction: nothing was written. governance_object_ownership = 0 at start and unchanged; os_proposal_approvals = 0; event_outbox governance = 0; system_issues movement is organic background traffic, not from this run.
No ssh ... psql write channel was opened. No BEGIN was issued.