08 — Governance Cockpit Data Hardening (Branch H, ready pack)
08 — Governance Cockpit Data Hardening (Branch H, ready pack)
Session choice: zero-mutation. The cockpit function fn_phase0_cockpit() (committed by the predecessor campaign) already returns gate state, G1–G4 status, factory rows, candidate-registry state, KG, and Phase-0 blockers in one read-only call. The additions below are ready-to-commit (each is a SECURITY-INVOKER read-only view/function, reversal = DROP), deferred to a privileged session to keep this session at zero new objects.
1. Coverage gap analysis (what cockpit already covers vs. what's missing)
| Surface | Covered by fn_phase0_cockpit? | Proposed addition |
|---|---|---|
| Gate status | ✅ (gates block) | — |
| G1/G2/G3/G4 state | ✅ (phase0_blockers + candidate_registry + factories) | — |
| Factory rows | ✅ | — |
| Candidate Registry state | ✅ | — |
| review_decision proposed/pending | ❌ (cutter_governance walled from readonly) | v_review_decision_pending (must run as a role that can see cutter_governance) |
| DLQ | ❌ | v_phase0_dlq_health (wraps v_iu_route_dead_letter_open + job_dead_letter) |
| IU Pilot | partial (KG only) | v_phase0_pilot_board (b/c/f wrapper snapshot + routes + DLQ) |
| KG health | ✅ (kg block) | — |
| Phase 0 blockers | ✅ | — |
2. Ready-to-commit view A — v_phase0_dlq_health (read-only)
CREATE OR REPLACE VIEW v_phase0_dlq_health AS
SELECT
(SELECT count(*) FROM v_iu_route_dead_letter_open) AS route_dlq_open,
(SELECT count(*) FROM job_dead_letter) AS job_dlq_total,
(SELECT count(*) FROM iu_outbound_route WHERE enabled) AS routes_enabled,
(SELECT count(*) FROM iu_outbound_route WHERE COALESCE(dry_run,true)) AS routes_dry_run;
-- reversal: DROP VIEW v_phase0_dlq_health;
3. Ready-to-commit view B — v_phase0_pilot_board (read-only)
CREATE OR REPLACE VIEW v_phase0_pilot_board AS
SELECT
(SELECT iu_count FROM (SELECT (to_jsonb(b)->>'iu_count')::int AS iu_count
FROM fn_iu_filter_axis_b('legal_domain:knowledge_systems',1) b) x) AS axis_b_iu,
(SELECT (to_jsonb(a)->>'total_edges')::int FROM fn_iu_kg_edge_audit() a) AS kg_total_edges;
-- reversal: DROP VIEW v_phase0_pilot_board;
-- NOTE: validate SECURITY/STABLE semantics before commit; functions are STABLE so view is safe.
4. Ready-to-commit function C — v_review_decision_pending (privileged role only)
Must be created by a role that can see cutter_governance; exposes only proposed/pending counts + ids (no payload), SECURITY-INVOKER so it never elevates the reader. Spec only here (cannot author from readonly).
5. Commit protocol (when a privileged session runs it)
BEGIN;create the view;SELECT * FROM <view>;to prove it resolves; checkfn_iu_gate_verify_closed()still all_safe.- Prove reversal:
ROLLBACK;first (dry-run), then a cleanBEGIN; CREATE…; COMMIT;. - Verify in a fresh connection that the view reads and equals the direct query.
- Catalog (optional) as a
dot_*read entry if the project wants it discoverable.
6. Why deferred this session
Read channel is context_pack_readonly (no DDL). Committing would require the workflow_admin apply channel; the session's safety posture is zero-mutation and the existing cockpit is sufficient for the human handoff. These views add marginal convenience, not capability — safe to defer to the activation session.