05 — Scanner/Coverage Dry-Run Gates (10 pre-flight ABORT gates + in-flight ROLLBACK assertions + entry==exit post-conditions; 2026-06-02)
Strict pre-conditions, in-flight assertions, and post-conditions that bound a future coverage dry-run. A gate failure = abort + rollback, never "continue and clean up later."
5.1 Pre-flight gates (ALL must pass before the dry-run starts)
| # | Gate | Check | Fail action |
|---|---|---|---|
| G-1 | No production activation | dry-run prompt explicitly states read-only/rollback-only; no COMMIT planned | ABORT |
| G-2 | Gate intact | os_proposal_approvals=0 | ABORT |
| G-3 | Events inactive | governance event_type_registry.active all false | ABORT |
| G-4 | No emit baseline | governance emit in event_outbox = 0 | ABORT |
| G-5 | No worker running | gov_worker_cursor=0 rows; no background process holding the cursor | ABORT |
| G-6 | No DOT registered | dot_tools=309 (baseline) | ABORT |
| G-7 | Clean tx state | idle_in_transaction=0 | ABORT |
| G-8 | Substrate inert | census == doc 01 | ABORT |
| G-9 | Scope bounded | subset = 3 governed collections (doc 03) | ABORT |
| G-10 | Rollback staged | SB-2 inert-restore rollback script present on disk | ABORT |
5.2 In-flight assertions (checked during the transaction; any false ⇒ immediate ROLLBACK)
- No row explosion: inventory ≤ 38, gap ≤ 38, effective-owner ≤ 228 (doc 03 ceilings). Exceeding any ⇒ ROLLBACK.
- No emit: governance `event_outbox` count unchanged (delta 0). Any insert ⇒ ROLLBACK.
- No issue rows: `system_issues` count unchanged (delta 0).
- No persisted candidate/owner: counts unchanged outside the rolled-back scope.
- No handler fired: no `apr_action_types` handler dispatched (all `unimplemented` anyway).
- Acyclic containment: if Seam B wired, recursive depth ≤ small bound; a saturated 64-depth guard ⇒ ROLLBACK + `containment_cycle` note (log-only, no issue row).
5.3 Post-conditions (entry == exit)
After ROLLBACK, re-verify read-only via query_pg:
- 8 tables + 6 views present; seams back to `WHERE false`.
- All counts == doc 01 baseline (gba 0, ruleset 0, cursor 0, candidate_* 0, ownership 0, scope 6, relations 8, dot_tools 309, ospa 0, appr 211/42).
- governance emit 0; `idle_in_transaction=0`; no lingering `workflow_admin` session.
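
The 5.2 ceilings and delta-0 checks plus the 5.3 entry == exit check, as an added sketch that is not part of the original gate document or the project's code. Assumptions: an in-memory SQLite database stands in for the real Postgres instance, the table names `inventory`, `gap` and `effective_owner` are hypothetical stand-ins for the doc 03 objects, and the governance filter on `event_outbox` is omitted.

```python
import sqlite3

# Ceilings from 5.2 (doc 03). Table names here are hypothetical stand-ins.
CEILINGS = {"inventory": 38, "gap": 38, "effective_owner": 228}
# Tables named in 5.2 whose row count must not move at all (delta 0).
FROZEN = ("event_outbox", "system_issues")
ALL_TABLES = tuple(CEILINGS) + FROZEN

def counts(conn):
    """Row count per watched table (table names are the fixed constants above)."""
    return {t: conn.execute(f"SELECT count(*) FROM {t}").fetchone()[0]
            for t in ALL_TABLES}

def violations(entry, now):
    """List every in-flight assertion that is currently false."""
    out = [f"{t} > {cap}" for t, cap in CEILINGS.items() if now[t] > cap]
    out += [f"{t} delta {now[t] - entry[t]}" for t in FROZEN if now[t] != entry[t]]
    return out

def dry_run(conn, steps):
    """Run steps in one transaction, assert after each, and always ROLLBACK.

    Returns (violations, entry_equals_exit). There is no COMMIT path.
    """
    entry = counts(conn)
    failed = []
    conn.execute("BEGIN")
    try:
        for step in steps:
            step(conn)
            failed = violations(entry, counts(conn))
            if failed:  # stop at the first false assertion
                break
    finally:
        conn.execute("ROLLBACK")
    return failed, counts(conn) == entry

def demo_db():
    """Constructed in-memory database with empty watched tables."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN only
    for t in ALL_TABLES:
        conn.execute(f"CREATE TABLE {t} (id INTEGER)")
    return conn

if __name__ == "__main__":
    db = demo_db()
    burst = lambda c: c.executemany("INSERT INTO inventory VALUES (?)",
                                    [(i,) for i in range(39)])
    print(dry_run(db, [burst]))
```
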
5.4 Hard forbidden during dry-run (restatement)
No COMMIT of governance state · no event_outbox insert · no system_issues insert · no notification · no event-type activation · no DOT register/run · no background worker · no birth_registry full sweep · no Directus/Qdrant/Nuxt · no os_proposal_approvals/approval/e-sign · no law change.
5.5 Noise thresholds (even for log-only output)
- Coalesce findings at governance grain (per collection / per object) — never per-row chatter.
- Materiality floor: below-threshold findings are informational log lines, not surfaced as alerts (and in the dry-run, never as `system_issues` rows). `count > 1` = candidacy for review, not an action.
- Decaying-verdict semantics apply conceptually but write nothing (candidate_state stays 0).
5.6 Cleanup / rollback path
The dry-run is rollback-only ⇒ cleanup is automatic (ROLLBACK discards seam wiring + any rehearsal seed). The backstop is the staged SB-2 inert-restore script (recreates v_governance_object_* as WHERE false) — used only if a stray COMMIT ever occurred (it must not).
5.7 Scanner/coverage gate verdict
STRICT. 10 pre-flight ABORT gates, hard in-flight ROLLBACK assertions (explosion / emit / issue / persist / cycle), entry==exit post-conditions, automatic rollback cleanup, and noise thresholds that hold even for log-only output. A dry-run cannot silently activate or explode.