KB-287C

One-Roof Production Release Engineering Ultra-Macro — 00 README-First Release Packet (2026-06-03)

Revision 1

00 — READ ME FIRST: One-Roof Governance Phase-1 Production Release Packet

Date: 2026-06-03 · Status: PACKAGED · CLONE-VALIDATED · GATE-BLOCKED (NO-GO)

What this is

The single canonical production rollout system for One-Roof Governance Phase-1. It consolidates every prior package's scattered rollout SQL into one self-contained, dependency-ordered, self-guarding, reversible release — validated against the golden clone harness and hard-gated for production.

What is READY

  • Structure (sql/prod/10_structure.sql): 11 tables + 31 views + 1 function, fully inert, idempotent. Fixes the prior packages' incomplete/pointer-only DDL.
  • Tiers 2–6 (sql/prod/20..60): responsibility axis, sovereign ownership seed (gap 210→0), containment (gap 0), topic finalization (divergent 0/projection 0), scanner baseline (fail-closed). All gated + asserting.
  • Executor (sql/prod/99_run_all.sql): chains tiers, stops on first failure.
  • Rollback (sql/prod_rollback/): full greenfield teardown + per-tier.
  • Verify (sql/prod/90_verify.sql, sql/prod_verify/): asserting + read-only probes.

What is BLOCKED

All production mutation. The only blocker is os_proposal_approvals >= 1 (human L2/L4 ratification). With ospa=0, the preflight aborts the executor before any mutation. There is no production GO while ospa=0.

The command after the gate opens

ssh contabo
# then, on the contabo host (date -u so the Z suffix in the log name is true UTC):
docker exec -i postgres psql -U workflow_admin -d directus \
   -v ON_ERROR_STOP=1 -v ratified_apr=<REAL_RATIFIED_APR_CODE> \
   -f sql/prod/99_run_all.sql 2>&1 | tee rollout_$(date -u +%Y%m%dT%H%M%SZ).log

Evidence that this is safe

  • Production was read-only throughout; entry==exit (ospa 0 / ownership 0 / gap 210 / conflict 0 / gov emit 0 / idle 0). Doc 01, 09.
  • Clone revalidation (rollback-only, harness untouched): canonical verify passes, consolidated DDL recompiles against the live graph, scanner idempotent (38 findings stable). Doc 04.
  • Every mutating tier self-guards on db=directus + ospa>=1 and asserts its post-state before COMMIT.
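The self-guard-then-assert shape described in the last bullet, as an added psql sketch that is not one of the packet's files. It assumes "ospa" is the row count of a table named os_proposal_approvals, and release_demo_marker is a hypothetical table standing in for a tier's real mutation.

```sql
-- Added illustration, not a file from sql/prod/. Assumptions: "ospa" is the row
-- count of a table named os_proposal_approvals; release_demo_marker is a
-- hypothetical table standing in for a tier's real mutation.
\set ON_ERROR_STOP on

-- psql does not expand :variables inside dollar-quoted bodies, so hand the
-- ratified code to the session first. If -v ratified_apr=... was not passed,
-- this statement is a syntax error and ON_ERROR_STOP ends the run here.
SELECT set_config('release.ratified_apr', :'ratified_apr', false);

BEGIN;

DO $guard$
DECLARE
    ospa bigint;
BEGIN
    IF current_database() <> 'directus' THEN
        RAISE EXCEPTION 'guard: database is %, expected directus', current_database();
    END IF;
    SELECT count(*) INTO ospa FROM os_proposal_approvals;
    IF ospa < 1 THEN
        RAISE EXCEPTION 'guard: ospa=%, gate closed, nothing mutated', ospa;
    END IF;
    IF btrim(current_setting('release.ratified_apr')) = '' THEN
        RAISE EXCEPTION 'guard: ratified_apr is empty';
    END IF;
END
$guard$;

-- Idempotent stand-in mutation: a second run changes nothing.
CREATE TABLE IF NOT EXISTS release_demo_marker (tier int PRIMARY KEY, apr text NOT NULL);
INSERT INTO release_demo_marker (tier, apr)
VALUES (2, current_setting('release.ratified_apr'))
ON CONFLICT (tier) DO NOTHING;

DO $assert$
DECLARE
    n bigint;
BEGIN
    SELECT count(*) INTO n FROM release_demo_marker WHERE tier = 2;
    IF n <> 1 THEN
        RAISE EXCEPTION 'post-state: expected 1 marker row for tier 2, found %', n;
    END IF;
END
$assert$;

COMMIT;  -- reached only if the guard and the post-state assertion both passed
```

Any RAISE EXCEPTION aborts the open transaction, and with ON_ERROR_STOP psql exits before COMMIT, so the session closes with nothing written.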

How to roll back

sql/prod_rollback/99_rollback_full.sql → ownership 0, gap 210, axis absent (byte-baseline). Or per-tier blocks in per_tier_rollback.sql. Doc 06.

Who/what must be checked before running

  1. Human: complete L2/L4 ratification → os_proposal_approvals >= 1 (the real APR code becomes :ratified_apr).
  2. Operator: confirm the Tier-5 topic assignment reference set matches production's intended classification (guarded, but review advised).
  3. Run prod/00_preflight.sql standalone first — it is read-only and will tell you exactly which precondition (if any) is unmet.

Document map

01 state/baselines · 02 inventory/conflicts · 03 canonical sequence · 04 clone revalidation · 05 executor · 06 rollback · 07 verify suite · 08 gate options · 09 GO/NO-GO · 10 self-review. SQL: sql/prod/, sql/prod_rollback/, sql/prod_verify/, sql/clone_revalidation/. Integrity: manifest-sha256.txt.
