11 — Next Mega Prompt Pack (20 paste-ready, open-goal, self-contained)
11 — Branch K: Next Mega Prompt Pack (20 prompts)
Each prompt is open-goal, is self-contained after a context clear, and pins host/channel/preflight/forbidden.
Standard preamble (paste into every prompt):
Host: contabo VPS. Container: postgres. DB: directus (PG16.13).
Read channel: MCP query_pg role context_pack_readonly.
Apply channel (if safe): ssh contabo → docker exec -i postgres psql -U workflow_admin -d directus.
Hard Gate 0: confirm host/container/db; no idle-in-transaction orphans (pg_stat_activity); fn_iu_gate_verify_closed()->>'all_safe'=true; snapshot via fn_phase0_cockpit().
Forbidden: no self-minted human approval; no law enactment; no Candidate Registry commit without valid human Điều 32; no 4-Mothers runtime; no generated workflows/tasks/forms/reports; no Nuxt/UI; no Directus mutation; no vector write (vector_sync_enabled stays false); no allow_no_review_decision=true; no gate left open; no hidden second SoT; no open idle tx; no client-timeout-kill of open tx; no event delivery; no job execution.
Method: dress-rehearse mutations in BEGIN..ROLLBACK; commit only additive read-only objects or human-authorized acts; prove durability in a fresh connection.
Do not ask the user.
KB sources under knowledge/dev/reports/architecture/phase0-human-activation-and-config-only-readiness-campaign-2026-05-29/.
1. G1 human activation run — execute doc01; verify valid Điều 32 review_decision (verdict=approve, cross_signed≥2, reviewer≠automated_agent, real manifest) FIRST; if absent STOP, do not self-mint; preflight→activation(COMMIT)→post-verify; soft-retire fallback.
2. G2 human-org-role law enactment — execute doc02; confirm sovereign enacted Điều 37-H; apply human_org_role+human_role_grant DDL, seed 6 roles, Directus policy map; verify no conflict vs Điều 37; do not enact law yourself.
3. G3 production review_decision governance activation — execute doc03; apply automated_agent⇒not approve/reject CHECK + proposed-only fn_review_decision_propose; dress-rehearse builder CANNOT approve; wire human promotion path; no agent self-approval.
4. G4 factory draft-to-active activation — execute doc04; confirm G1 born+G2 enacted; re-verify 4 rows+capabilities+no-double-ownership; on council authorization flip GOV-MOW/MOT/MOIT/MOUT draft→active with cockpit verify; reversal status='draft'; do not activate mother.* events.
5. Phase 0 config-only implementation — execute doc05 after G1+G2+G4; insert draft config per Mother envelope, status='draft'; prove no-double-ownership; nothing generated; no runtime.
6. MOW config-only prototype — owner GOV-MOW, can_create=workflows; dress-rehearse draft workflow-config rows (not executable); verify owns only workflows.
7. MOT config-only prototype — owner GOV-MOT, can_create=tasks; draft task-config rows; verify owns only tasks.
8. MOIT config-only prototype — owner GOV-MOIT, can_create={input_form_registry,field_registry}; requires G1 born; draft field/form-config rows; verify disjoint.
9. MOUT config-only prototype — owner GOV-MOUT, can_create=design_templates; draft template-config rows (not rendered); no Nuxt/UI.
10. Governance Cockpit data layer build — extend fn_phase0_cockpit() with review/dlq/iu_pilot keys; dress-rehearse then commit additive CREATE OR REPLACE FUNCTION; SECURITY INVOKER/STABLE; verify readonly-callable.
11. IU Pilot Day 1 run — execute doc06; Hard Gate 0 + canonical writer in gateway allowlist; ≤20 governed IU ops with review_decision_id; open/midday/close health checks; evidence doc; honor stop conditions.
12. IU Pilot Week 1 monitoring — 5 days health checks; track iu_relation provenanced growth, run error rate, gate all_safe, DLQ=0; Week1 rollup + go/no-go; read-only.
13. KG relation vocab and DOT enrichment — execute doc08; dress-rehearse vocab CHECK 6→8 (do NOT commit, atom-law); commit read-only fn_iu_kg_edge_audit_v2(); design fn_iu_kg_edge_assert (provenance-required, iu_relation-only, not committed); vector off, single SoT.
14. Master Design truth patch — execute doc09; apply 9 status patches P1–P9 as appendix/changelog blocks; do not rewrite prose; verify vs cockpit.
15. P-pub staged promotion — survey authority coverage (133/219 lacked); design warn→block_new→backfill→block_all via iu_create.ppub.enforcement_mode; dress-rehearse warn→block_new; do not block_all.
16. Mother event type validation — verify 9 mother.* types shape (domain/stream/lane/severity) all active=false; cross-check vs Mother lifecycle; validation matrix; no activation.
17. No-double-ownership verifier — read-only verifier proving pairwise-disjoint can_create + flag can_create∩must_not_own inconsistency; dress-rehearse, commit read-only; wire to cockpit.
18. Factory birth contract verifier — read-only per-Mother check: owner exists, capability well-formed, output_family∈can_create, referenced families exist, birth preconditions (G1 for MOIT); commit read-only.
19. Phase 0 final go/no-go — re-run doc10 board vs live via fn_phase0_cockpit(); confirm G1/G2/G3/G4; human approval packet; read-only; report drift.
20. First runtime readiness review — DESIGN only: which gate(s) to govern-open (emit_enabled, operator_runtime_enabled), under what authority, rollback, smallest safe first op; enumerate preconditions before any job/event; no gate opened.
All 20 cover real remaining work. 1–4 human-gated activations; 5–9 config-only; 10/17/18 additive read-only commits; 11–12 pilot ops; 13/15/20 design+dress-rehearsal; 14/16/19 verification/patch.
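Added example (not part of the original pack or the project's own code): the two checks the no-double-ownership verifier prompt names, pairwise-disjoint can_create and can_create∩must_not_own, run over the four owners and can_create sets listed in the prototype prompts. The must_not_own values, the drifted configuration, the function names and the report shape are assumptions constructed for illustration.

```python
import copy
from itertools import combinations

# Owners and can_create sets come from the prototype prompts above.
# The must_not_own sets are constructed sample values (assumption).
CAPABILITIES = {
    "GOV-MOW":  {"can_create": {"workflows"},
                 "must_not_own": {"tasks", "design_templates"}},
    "GOV-MOT":  {"can_create": {"tasks"},
                 "must_not_own": {"workflows"}},
    "GOV-MOIT": {"can_create": {"input_form_registry", "field_registry"},
                 "must_not_own": {"workflows", "tasks"}},
    "GOV-MOUT": {"can_create": {"design_templates"},
                 "must_not_own": {"workflows"}},
}

def verify_no_double_ownership(caps):
    """Read-only check: builds a report and never mutates `caps`."""
    overlaps = []
    # Check 1: every pair of owners must have disjoint can_create sets.
    for a, b in combinations(sorted(caps), 2):
        shared = caps[a]["can_create"] & caps[b]["can_create"]
        if shared:
            overlaps.append((a, b, sorted(shared)))
    contradictions = []
    # Check 2: an owner may not create a family it is forbidden to own.
    for owner in sorted(caps):
        both = caps[owner]["can_create"] & caps[owner]["must_not_own"]
        if both:
            contradictions.append((owner, sorted(both)))
    return {"ok": not overlaps and not contradictions,
            "overlaps": overlaps,
            "contradictions": contradictions}

def drifted_capabilities():
    """Constructed failure case: two capability rows have drifted."""
    caps = copy.deepcopy(CAPABILITIES)
    caps["GOV-MOT"]["can_create"].add("field_registry")  # collides with GOV-MOIT
    caps["GOV-MOW"]["can_create"].add("tasks")  # collides with GOV-MOT, self-forbidden
    return caps

if __name__ == "__main__":
    print(verify_no_double_ownership(CAPABILITIES))
    print(verify_no_double_ownership(drifted_capabilities()))
```
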