KB-4E40

03 — Step 1: SB-0 Build Results — COMMITTED (Phase-1 Test-Mode Build, 2026-06-02)

Revision 1

Authorization substrate (L3 technical build-authorization). sql/sb0_ddl.sql, sql/sb0_rollback.sql.

3.1 Objects committed

Table governance_build_authorization (PK auth_code; FK request_ref → approval_requests(code); CHECKs on the risk_level/status enums, chk_expiry, chk_sov_esign, chk_consumed_pair, chk_revoked_pair; partial-unique uq_one_active_grant_per_step; idx on request_ref/status/expires_at); functions quorum_passed(text) and valid_sovereign_esign(text); view v_build_auth_valid; function fn_build_commit_allowed(text,text). The table has no triggers (no F-83-1 exposure).

3.2 Rehearsal (BEGIN..ROLLBACK) — GREEN

  • All 5 objects compiled live.
  • quorum recompute on real requests: APR-S178F18-FALLBACK-5=t, APR-0234=f (mirrors live fn_apr_quorum_check; president filter = approver_type='human' AND approver ILIKE '%president%' per F-AUTH-LIVE-1).
  • anti-forgery keystone: of 7 seeded grants, v_build_auth_valid admitted only the 2 genuinely valid (BA-VALID, BA-SELF); 5 active-but-invalid (insufficient quorum / expired / consumed / revoked / unsigned-sovereign) inert.
  • verifier matrix 9/9 fail-closed: ALLOW only for a valid grant consumed by a non-granter; DENY for self-grant (INV-5, even on a legitimate grant), no-quorum, expired, consumed, revoked, no-e-sign, no-grant.
  • 6 CHECK negatives all fired: chk_expiry, chk_sov_esign, chk_consumed_pair, uq_one_active_grant_per_step, FK request_ref, status enum.
  • post-ROLLBACK same session: all NULL. Separate-connection residue check: all absent, idle_in_tx=0. entry==exit.
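
The fail-closed decision logic behind the verifier matrix can be modelled outside the database. The following Python sketch is an added example, not the project's SQL: the `Grant` fields, the status values and the actor names are assumptions, and only the cases named in the matrix bullet are covered.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:                      # hypothetical shape, not the real table's columns
    auth_code: str
    granted_by: str
    expires_at: datetime
    quorum_ok: Optional[bool]     # stand-in for the quorum_passed(text) result
    esign_ok: Optional[bool]      # stand-in for the valid_sovereign_esign(text) result
    status: str = "active"        # assumed values: active / consumed / revoked

def grant_is_valid(g: Grant, now: datetime) -> bool:
    # Model of the v_build_auth_valid filter: each condition must be positively
    # true; an unknown (None) result counts as a failure, never as a pass.
    return (g.status == "active" and g.quorum_ok is True
            and g.esign_ok is True and g.expires_at > now)

def commit_allowed(g: Optional[Grant], actor: str, now: datetime) -> bool:
    # Model of fn_build_commit_allowed: deny by default, allow only when a valid
    # grant exists and the actor is not its granter (INV-5).
    if g is None or not grant_is_valid(g, now):
        return False
    return actor != g.granted_by

NOW = datetime(2026, 6, 2, 12, 0, tzinfo=timezone.utc)   # constructed clock

def verifier_matrix(now: datetime = NOW) -> dict:
    base = Grant("BA-VALID", "alice", now + timedelta(hours=1), True, True)
    cases = {                      # constructed cases; actors are made-up names
        "valid":      (base, "bob"),
        "self-grant": (replace(base, auth_code="BA-SELF"), "alice"),
        "no-quorum":  (replace(base, quorum_ok=False), "bob"),
        "expired":    (replace(base, expires_at=now - timedelta(seconds=1)), "bob"),
        "consumed":   (replace(base, status="consumed"), "bob"),
        "revoked":    (replace(base, status="revoked"), "bob"),
        "no-e-sign":  (replace(base, esign_ok=None), "bob"),
        "no-grant":   (None, "bob"),
    }
    return {name: commit_allowed(g, actor, now) for name, (g, actor) in cases.items()}

if __name__ == "__main__":
    for name, allowed in verifier_matrix().items():
        print(f"{name:<11} {'ALLOW' if allowed else 'DENY'}")
```

In this model the self-grant case passes `grant_is_valid` and is denied only at the commit check, matching the report's note that BA-SELF is admitted by the view yet DENY at the verifier.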

3.3 Commit + post-commit verify

COMMIT executed (DDL only, no seed). Independent query_pg: all 5 objects present; gba_rows=0, valid_grants=0 (inert — no grants exist, so nothing can authorize a commit; gate remains genuinely closed). apr_action_types=6, appr=211, osprop=0, event_outbox unchanged, idle_in_tx=0.

3.4 Out-of-scope check / verdict

No approval, e-sign, event, DOT, or law write; only the 5 SB-0 objects added. SB-0 = BUILT + VERIFIED. The verifier v_build_auth_valid/fn_build_commit_allowed exists but returns 0 (no valid grant) — the authorization substrate is live yet fail-closed by construction.

knowledge/dev/reports/architecture/one-roof-phase1-test-mode-build-2026-06-02/03-step1-sb0-build-results.md