04 — Operator Runbook (Non-Technical)

Date: 2026-06-03. Audience: owner / approver — no SQL needed.

What this is

A governance upgrade for One-Roof is fully built, fully tested, and waiting on one human approval. When it runs, it makes named authorities (GOV-COUNCIL, GOV-KG-SYS, GOV-DOT, GOV-MOIT) formally accountable for 35 governed collections, closing the "ownership gap" from 210 to 0. Nothing has touched production yet.

The one blocker

A single approval record, os_proposal_approvals, is currently 0. It must be ≥ 1, created by human ratification of the authorization model (e.g. APR-BOOT-AUTHMODEL-1). Intentional: the system refuses to assert "who is accountable for what" until a person signs off. Only a human can create that record. The Agent cannot and will not.

What to check (anyone, anytime)

Ask for the gate status — one word: BLOCKED (approval not given; nothing to do — today's state) or READY (approval in place; rollout can run).

What happens when you approve

1. You complete ratification → approval record becomes ≥ 1. 2. The Agent re-checks the gate, sees READY, runs the rollout automatically (~1 minute). 3. The Agent verifies and reports: gap 0, no conflicts, nothing emitted externally, all green.

Will / won't

Will: create governance accountability records + read-only dashboards; close the gap to 0. Won't: send any email/notification/external message; change any app/workflow/screen behavior; touch billing, sign-off, or law documents. External event emission stays off (a separate, later, separately-approved step).

Safety (all proven)

• Refuses to run unless approval is in place and production is in the exact expected state; otherwise stops and changes nothing.
• Rehearsed end-to-end on a fresh copy of production this week: reached the correct end-state, then fully reversed to the starting point with one command. Reversal proven and repeatable.
• Can be fully undone after running via one rollback command (gap back to 210, records removed).

To stop it

Before approval: nothing — it cannot run. During: ~1-minute job; aborts itself on any problem, leaves nothing partial. After: ask the Agent for the full rollback.

What NOT to do

• Do not ask anyone to "just set the approval to 1 to test it." There is no separate test DB — directus is production. Faking it asserts real accountability nobody ratified (declined — doc 08).
• Do not approve unless you intend GOV-COUNCIL / GOV-KG-SYS / GOV-DOT / GOV-MOIT to be accountable for those collections — that is exactly what you approve.

Bottom line

Everything technical is done and verified. The next move is a human ratification decision, not an engineering task. Once made, the Agent finishes unattended.