03 · Deploy Risk

D1 — Is the UI branch/package enough for operator deploy? — NO — P0

• The shippable packages bind versioned views, not _current (doc 01 R1). There is no _current UI package. An operator deploying today wires the stale v1 contract.
• The real PR branch feat/process-axis-dashboard is a thin 2-file / +159 slice, not the full RP supervision UI. It is not the reliability-badge UI the next macro targets.
• Action: the next macro must author the _current package (routes + render model + install/PR/rollback/smoke) before any deploy is meaningful.

D2 — Are commands complete? — PARTIAL — P1

The v2 package includes INSTALL_AND_PR + drill-v2.patch. But those install v2-bound routes. There is no install/command set for _current-bound routes because that package doesn't exist. Commands are complete for the wrong target.

D3 — Are rollback steps complete? — PARTIAL

• DB side: every T1 macro shipped a paired 99_rollback.sql (CREATE OR REPLACE + drops) — reversible, good.
• UI side: rollback = "don't merge / revert branch" (git), but with divergent history (ahead17/behind13) a clean revert is non-trivial. No documented _current-package rollback. P1.

D4 — Are smoke-test routes complete? — NO for _current — P1

Prior packages have smoke payloads (7 live smoke paths PASS) but against v2 surfaces. The next macro needs smoke routes against _current: contract_current, proof_matrix_current, invariant, acceptance_current, and a per-axis drill (incl. an AX-PXT FAIL node to prove it renders non-green). None authored yet.

D5 — No deploy-guard view exists — P1 (key gap)

The prior T2 STEP 1 design called for v_rp_contract_current_guard (assert rowcount==87, column superset, 0 null next_route/drill_action, 0 invariant FAIL_*, _current==reliability identity → single PASS/FAIL). Live check: it does NOT exist (no *guard* view in public; only v_rp_contract_version_inventory + v_rp_contract_divergence_detector were built). Without it, CI / operator has no machine gate that blocks a deploy when _current silently regresses to v1, drops below 87 rows, or carries a real FAIL. Strongly recommend T1 build it before UI deploy.

D6 — Is divergent git still a blocker? — YES — P3 (operator)

feat/process-axis-dashboard ahead17/behind13 vs origin/main; auto-snapshot cron commits main 04:00/16:00 → must use an isolated worktree (prior gotcha). Convergence is an operator task.

D7 — Any secret/credential assumption? — YES — P3 (operator)

• No push creds for the agent (gh_pat_sync_secrets is secret-sync-scoped, not a push token) → GitHub push/PR/merge is operator-only. Do not assume the agent can deploy.
• Nuxt deploy + real_run_enabled flip are operator/authority actions.
• The pass-through routes use the established rpQuery (Directus) path — no direct-PG-from-Nuxt credential is introduced (constitutional PG → Directus → Nuxt). Good — no new secret surface.

Deploy-risk verdict

HIGH — not deployable as a supervision surface as-is. Engineering blockers (_current package, deploy-guard view, _current smoke set) are T1-fixable without authority; the remaining blockers (git convergence, push creds, Nuxt deploy, real_run) are operator/authority (P3). Nothing here requires faking authority.