05 — Production Executor: Design & Artifacts

Artifact

sql/prod/99_run_all.sql — single self-guarding executor. Chains the tiers with \i, \set ON_ERROR_STOP on. Run from sql/prod/.

Hard-gate guarantees

1. db = directus — every mutating file re-checks current_database(); 00_preflight aborts otherwise.
2. os_proposal_approvals >= 1 — checked in 00_preflight AND independently in every mutating tier (2–6). With ospa=0, 00_preflight aborts before any mutation; even if invoked out of order, each tier self-aborts.
3. Preflight mismatch — aborts on missing prereq seam views, gap≠210, ownership≠0, conflict≠0, gov_emit≠0.
4. Already (partially) applied — aborts if any axis substrate table exists (greenfield-only). Use rollback first to re-baseline.
5. Apply in order; verify after each — tier order enforced by \i sequence; each tier asserts its own post-state before COMMIT; 90_verify re-asserts the whole end-state.
6. Stop on first failure — ON_ERROR_STOP turns any RAISE EXCEPTION into a full-run abort.
7. No external events — no tier writes event_outbox; governance event types remain inactive; Tier 6 asserts emittable=0 and outbox=0.
8. Logs to stdout/file — … | tee rollout_<ts>.log; nothing written to system_issues.

Invocation (only after ratification sets ospa≥1)

ssh contabo -> docker exec -i postgres psql -U workflow_admin -d directus \
   -v ON_ERROR_STOP=1 -v ratified_apr=<REAL_RATIFIED_APR_CODE> \
   -f 99_run_all.sql 2>&1 | tee rollout_$(date +%Y%m%dT%H%M%SZ).log

:ratified_apr MUST be the real ratified APR code (provenance for the sovereign ownership seed, e.g. APR-BOOT-AUTHMODEL-1).

NOT executed

This executor has not been run on production and must not be while os_proposal_approvals = 0. 00_preflight.sql will abort it. Status: packaged, clone-validated, gate-blocked.

Files

prod/00_preflight.sql · 10_structure.sql · 20_responsibility_axis.sql · 30_ownership_seed.sql · 40_containment.sql · 50_topic_finalization.sql · 60_scanner_baseline.sql · 90_verify.sql · 99_run_all.sql