KB-7A43

Pre-Birth Admission Control — 09 Rollout Plan, Time Estimate, Risk

Revision 1
Tags: pre-birth-admission, architecture, 2026-06-03

Posture: incremental, fail-closed-only-where-clean, reversible. Effort in focused engineering-days (1 day ≈ 1 deep session). Estimates assume the named prerequisite is satisfied at phase start.

Phase 0 — Live verification ✅ DONE (this macro)

  • Effort: 0.5 d (done). Prereq: read channels (query_pg). Risk: none.
  • Pass: birth/gate/identity/governance state established from live catalog; SSOT confirmed (59/6/16/1). Rollback: n/a (read-only). Approval: none.

Phase 1 — Design + rollback-only rehearsal

  • Scope: this report set + a BEGIN…ROLLBACK rehearsal that, in one transaction on prod, (a) creates a temp birth_admission_permit-shaped CTE/temp object, (b) inserts a dot_tools row, (c) demonstrates a permit-less insert would be rejected by a prototype check, (d) ROLLBACK. 0 prod mutation.
  • Effort: 1–2 d. Prereq: none. Risk: low (transactional).
  • Pass: rehearsal shows permit-less insert rejected + permit-bound insert finalizes, all rolled back; entry hash == exit hash on dot_tools/birth_registry. Rollback: inherent. Approval: none (rehearsal only).
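The Phase 1 rehearsal as a runnable psql script, added here as an example and not the report's own code. It assumes dot_tools has text columns tool_code and tool_name (stand-in names), PostgreSQL 11+, and that the existing fn_birth_gate / fn_birth_registry_auto triggers stay in warning mode for the run; the prototype permit table and trigger live only inside the one transaction.

```sql
-- Rehearsal only: everything between BEGIN and ROLLBACK is discarded.
SET lock_timeout = '2s';                    -- never queue behind prod writers
CREATE TEMP TABLE rehearsal_hash AS         -- temp table outlives the ROLLBACK
SELECT 'entry' AS stage, 'dot_tools' AS tbl,
       md5(string_agg(t::text, '|' ORDER BY t::text)) AS h FROM dot_tools t
UNION ALL
SELECT 'entry', 'birth_registry',
       md5(string_agg(r::text, '|' ORDER BY r::text)) FROM birth_registry r;

BEGIN;
CREATE TABLE rehearsal_permit (             -- (a) permit-shaped prototype, rolled back
  id bigserial PRIMARY KEY, collection_name text NOT NULL, entity_code text NOT NULL,
  status text NOT NULL DEFAULT 'ISSUED', expires_at timestamptz NOT NULL);
CREATE FUNCTION rehearsal_permit_gate() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE permit_id bigint;
BEGIN  -- consume one live permit for (collection, entity) or reject the row
  UPDATE rehearsal_permit SET status = 'CONSUMED'
   WHERE collection_name = TG_TABLE_NAME::text AND entity_code = NEW.tool_code
     AND status = 'ISSUED' AND expires_at > now()
  RETURNING id INTO permit_id;
  IF permit_id IS NULL THEN
    RAISE EXCEPTION USING ERRCODE = 'check_violation',
      MESSAGE = format('no ISSUED permit for %s/%s', TG_TABLE_NAME, NEW.tool_code);
  END IF;
  RETURN NEW;
END $$;
-- This DDL holds a lock on dot_tools until ROLLBACK: keep the window short.
CREATE TRIGGER rehearsal_permit_gate BEFORE INSERT ON dot_tools
  FOR EACH ROW EXECUTE FUNCTION rehearsal_permit_gate();

DO $$ BEGIN                                 -- (c) permit-less insert must be rejected
  INSERT INTO dot_tools (tool_code, tool_name) VALUES ('rehearsal_tool', 'rehearsal');
  RAISE EXCEPTION 'REHEARSAL FAILED: permit-less insert was accepted';
EXCEPTION WHEN check_violation THEN
  RAISE NOTICE 'permit-less insert rejected: %', SQLERRM;
END $$;

INSERT INTO rehearsal_permit (collection_name, entity_code, expires_at)
VALUES ('dot_tools', 'rehearsal_tool', now() + interval '10 minutes');
INSERT INTO dot_tools (tool_code, tool_name) VALUES ('rehearsal_tool', 'rehearsal');  -- (b)
SELECT status FROM rehearsal_permit;        -- expect CONSUMED
ROLLBACK;                                   -- (d) 0 prod mutation

INSERT INTO rehearsal_hash                  -- exit hash must equal entry hash
SELECT 'exit', 'dot_tools', md5(string_agg(t::text, '|' ORDER BY t::text)) FROM dot_tools t
UNION ALL
SELECT 'exit', 'birth_registry', md5(string_agg(r::text, '|' ORDER BY r::text)) FROM birth_registry r;
SELECT tbl, count(DISTINCT h) = 1 AS hash_unchanged FROM rehearsal_hash GROUP BY tbl;
```

The whole-table row hash over birth_registry (1.12M rows) is the slow part of this script; run it once before BEGIN and once after ROLLBACK, never inside the transaction.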

Phase 2 — Pilot family enforcement (dot_tools)

  • Scope: create birth_admission_permit (empty); composite-unique (entity_code, collection_name) migration on birth_registry + change fn_birth_registry_auto conflict target; extend fn_birth_gate to consume a permit for dot_tools; add the DEFERRABLE finalize constraint trigger (report-only globally); set dot_tools cutoff + flip dot_tools to blocking.
  • Effort: 3–5 d. Prereq: owner DDL approval; registrar wired to issue permits; composite-unique rehearsed online; dot_tools orphan-clean (✓ live).
  • Risk: medium — composite-unique on a 1.12M-row table (online build; rehearse); could block legitimate DOT creation if registrar isn't issuing permits.
  • Pass: new dot_tools insert w/o permit blocked; with permit → CONSUMED → FINALIZED → BORN; 309 legacy rows grandfathered; no other family affected. Rollback: mode→warning, detach gate extension, drop finalize trigger, drop permit table, unset cutoff (the composite-unique fix is kept — it is a pure improvement). Approval: owner + admin (DDL) + admin (registrar creds).
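The two Phase 2 pieces that carry the DDL risk, as an added example (not the report's or the project's own migration): the online composite-unique build on birth_registry, then the DEFERRABLE finalize constraint trigger with a per-family mode switch so it runs report-only globally and blocking for dot_tools. Assumed: birth_admission_permit has id, collection_name, entity_code, status and finalized_at columns; birth_gate_mode is a stand-in name for the per-family mode table; dot_tools keys on tool_code; PostgreSQL 11+.

```sql
-- Step 1: online composite-unique. The build fails on any collision, so check first.
SELECT entity_code, collection_name, count(*) FROM birth_registry
GROUP BY 1, 2 HAVING count(*) > 1;          -- must return 0 rows before proceeding
SET lock_timeout = '3s';                    -- fail fast rather than queue behind writers
-- CONCURRENTLY runs outside a transaction block and takes no exclusive lock for the
-- 1.12M-row scan; measure its wall time and the final lock wait on a clone first.
CREATE UNIQUE INDEX CONCURRENTLY birth_registry_entity_collection_uq
  ON birth_registry (entity_code, collection_name);
SELECT indisvalid FROM pg_index             -- a failed build leaves an INVALID index behind
 WHERE indexrelid = 'birth_registry_entity_collection_uq'::regclass;  -- must be true
ALTER TABLE birth_registry                  -- metadata-only; the one exclusive-lock step
  ADD CONSTRAINT birth_registry_entity_collection_uq
  UNIQUE USING INDEX birth_registry_entity_collection_uq;

-- Step 2: finalize at commit. A DEFERRABLE INITIALLY DEFERRED constraint trigger fires
-- at COMMIT, so CONSUMED -> FINALIZED happens only once the whole birth actually lands.
CREATE TABLE IF NOT EXISTS birth_gate_mode (  -- assumed per-family switch
  collection_name text PRIMARY KEY,
  mode text NOT NULL CHECK (mode IN ('warning', 'blocking')));

CREATE OR REPLACE FUNCTION fn_birth_finalize() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE permit_id bigint; fam_mode text;
BEGIN
  UPDATE birth_admission_permit SET status = 'FINALIZED', finalized_at = now()
   WHERE collection_name = TG_TABLE_NAME::text AND entity_code = NEW.tool_code
     AND status = 'CONSUMED'
  RETURNING id INTO permit_id;
  IF permit_id IS NULL THEN                 -- row reached commit with no consumed permit
    SELECT mode INTO fam_mode FROM birth_gate_mode WHERE collection_name = TG_TABLE_NAME::text;
    IF fam_mode = 'blocking' THEN
      RAISE EXCEPTION USING ERRCODE = 'integrity_constraint_violation',
        MESSAGE = format('%s/%s committed without a CONSUMED permit', TG_TABLE_NAME, NEW.tool_code);
    END IF;
    RAISE WARNING 'report-only: %/% committed without a CONSUMED permit',  -- no row or warning
      TG_TABLE_NAME, NEW.tool_code;
  END IF;
  RETURN NULL;
END $$;

CREATE CONSTRAINT TRIGGER trg_birth_finalize AFTER INSERT ON dot_tools
  DEFERRABLE INITIALLY DEFERRED FOR EACH ROW EXECUTE FUNCTION fn_birth_finalize();

-- Report-only everywhere by default (no birth_gate_mode row); flip only the pilot family.
INSERT INTO birth_gate_mode VALUES ('dot_tools', 'blocking')
ON CONFLICT (collection_name) DO UPDATE SET mode = EXCLUDED.mode;
-- Pilot rollback is the reverse: mode -> warning, then DROP TRIGGER trg_birth_finalize ON dot_tools.
```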

Phase 3 — Sequential DOT entrypoint (dot-birth-admit)

  • Scope: author + register the governed DOT wrapping the doc-03 state machine; default --dry-run.
  • Effort: 3–5 d. Prereq: dot-dot-register creds (ABSENT today) + permit table live (Phase 2).
  • Risk: medium (new governed surface). Pass: operator runs one command; sequence enforced; dry-run==commit on no-op; failed/expired permits visible. Rollback: retire the DOT (existing retire path) + leave permit table. Approval: admin (registrar) + owner.

Phase 4 — Governance handoff

  • Scope: add gov_handoff_intake cursor row (reuse iu_route_worker_cursor shape); seed governance_ruleset (≥1); flip the 5 governance event types active=true; start the cursor-tail worker on an external scheduler (pg_cron absent); wire queue_heartbeat.
  • Effort: 5–8 d. Prereq: OSPA ≥ 1 (human); external scheduler chosen; ruleset authored.
  • Risk: medium. Pass: acceptance test — no event_outbox governance row until its type active=true; finalized births appear as governance_candidate_state dirty; heartbeat ticks; silent-gap detectable. Rollback: stop worker, flip types active=false (captured-only), candidate-state is additive/inert. Approval: human OSPA.

Phase 5 — Stage-2 gate expansion (registry-driven)

  • Scope: implement the anti-hardcode replacements (doc 08: per-family code rule, registry-derived coverage, critical-family predicate, single installer) + STOP-on-mismatch guard; then extend permit-first to collection_registry, meta_catalog.
  • Effort: 5–8 d. Prereq: pilot stable ≥ 1–2 weeks; H1/H2/H3/H10 done. Risk: medium-high (broader coverage). Pass: STOP-on-mismatch green; the two new families enforce permit-first; no regression on the 150 ungated tables. Rollback: per-family mode→warning. Approval: owner + (governance for governed families).

Phase 6 — Legacy / backfill cutoff

  • Scope: finalize per-family cutoffs; turn on v_birth_admission_violation (report→block); replace silent app.bypass_birth_gate with logged break-glass; ensure backfill sweep is phase-bounded.
  • Effort: 3–5 d. Prereq: each family's backlog resolved (orphans=0). Risk: medium. Pass: post-cutoff permit-less births impossible for enforced families; break-glass fully audited. Rollback: unset cutoffs. Approval: owner.
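The logged break-glass path as an added example (not the report's own code): the silent app.bypass_birth_gate early return becomes a function that refuses to bypass without a reason and writes an append-only audit row before returning true. Assumed names: birth_gate_break_glass for the log table and app.break_glass_reason for the reason setting; as doc 07 notes, this does not close the superuser path, which stays detect-only.

```sql
-- Append-only log, written by the gate itself so no bypass can be silent.
CREATE TABLE IF NOT EXISTS birth_gate_break_glass (
  id bigserial PRIMARY KEY,
  at timestamptz NOT NULL DEFAULT now(),
  session_role name NOT NULL DEFAULT session_user,   -- who logged in
  effective_role name NOT NULL DEFAULT current_user, -- who they became (SET ROLE)
  client_addr inet DEFAULT inet_client_addr(),
  backend_pid int NOT NULL DEFAULT pg_backend_pid(),
  collection_name text NOT NULL, entity_code text NOT NULL, reason text NOT NULL);
-- No GRANTs to app roles: only the SECURITY DEFINER gate below writes here.

-- Replaces the silent branch in fn_birth_gate:
--   IF current_setting('app.bypass_birth_gate', true) = 'on' THEN RETURN NEW; END IF;
-- with:
--   IF fn_birth_gate_break_glass(TG_TABLE_NAME::text, NEW.tool_code) THEN RETURN NEW; END IF;
CREATE OR REPLACE FUNCTION fn_birth_gate_break_glass(p_collection text, p_entity text)
RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER AS $$  -- definer owns the log table
DECLARE v_reason text;
BEGIN
  IF coalesce(current_setting('app.bypass_birth_gate', true), '') <> 'on' THEN
    RETURN false;                                      -- normal path: permit required
  END IF;
  v_reason := nullif(trim(current_setting('app.break_glass_reason', true)), '');
  IF v_reason IS NULL THEN                             -- no reason, no bypass
    RAISE EXCEPTION USING ERRCODE = 'insufficient_privilege',
      MESSAGE = 'app.bypass_birth_gate is set but app.break_glass_reason is empty';
  END IF;
  INSERT INTO birth_gate_break_glass (collection_name, entity_code, reason)
  VALUES (p_collection, p_entity, v_reason);
  RAISE WARNING 'BREAK-GLASS: % bypassed birth gate for %/% (%)',
    session_user, p_collection, p_entity, v_reason;    -- also lands in the server log
  RETURN true;
END $$;

-- Operator usage: the reason travels with the setting, scoped to the transaction.
--   BEGIN; SET LOCAL app.bypass_birth_gate = 'on';
--   SET LOCAL app.break_glass_reason = 'INC-0000 placeholder: bounded backfill of legacy rows';
--   INSERT INTO dot_tools ...; COMMIT;
-- Pass criterion "break-glass fully audited": every bypass has a row here.
SELECT at, session_role, effective_role, client_addr, collection_name, entity_code, reason
FROM birth_gate_break_glass WHERE at > now() - interval '7 days' ORDER BY at DESC;
```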

Phase 7 — RP return decision

  • Scope: re-evaluate RP cleanup once all four current BLOCK dims reach 0.
  • Effort: depends on backlog (gated, not engineering). Prereq: iu_cmd onboarded/exempted (54), 5 pivot collisions fixed (Phase 2 composite-unique helps), 6 phantoms retired (needs the retire-transition mechanism — design exists via fn_retire_gate_check, transition fn + status vocab to build), 16 FS files registered, dot-pivot-update registered. Risk: unchanged by this work. Pass: fn_assert_safe_for_dot_action stops raising. Approval: owner + admin + OSPA.

Time estimate (realistic, sequential, gated)

  Phase   Effort    Dominant gate
  0       done      n/a (read-only verification)
  1       1–2 d     none
  2       3–5 d     owner DDL + registrar creds
  3       3–5 d     registrar creds (absent)
  4       5–8 d     OSPA ≥ 1 (human)
  5       5–8 d     anti-hardcode build
  6       3–5 d     per-family backlog clean
  7       gated     full backlog + retire mechanism

Engineering total: ≈ 20–33 focused days (≈ 4–7 calendar weeks) assuming approvals/creds arrive promptly. Wall-clock is dominated by human/owner gates, not code: the single biggest accelerator is obtaining registrar creds + one OSPA sign-off; without them, only Phases 0–1 (design + rehearsal) are reachable.

Cross-cutting risks

  • Superuser bypass is not closable in-DB (doc 07) — accept as detect-only; build the drift/hash monitor early (cheap, high value).
  • pg_cron absent — every worker/watchdog/scanner needs an external scheduler; don't design as if cron exists.
  • Composite-unique migration is the one genuinely heavy DDL on a 1.12M-row table — rehearse the online build + measure lock window before applying.
  • Absent registrar creds are the critical-path blocker for Phases 2/3 — surface to owner now.
Source: knowledge/dev/reports/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/09-rollout-plan-time-estimate-risk.md