12 — Next Macro / Approval Handoff

The engineering is ready; the gates are authority, not code

Every technical question this macro was asked to de-risk is answered PROVEN/READY. What remains is not engineering — it is owner approval, registrar credentials, an external scheduler, and (for governance activation only) a human OSPA seed.

Decision gate before the next macro

The next macro applies the packet (doc 10). It must not start until:

1. Owner DDL approval for the apply packet — at minimum: permit table, composite unique + drop of single-col unique, the two function patches, the pilot gate + finalize, the family flag.
2. Explicit acknowledgement of the step-7 one-way door (dropping UNIQUE(entity_code) becomes irreversible once a second-collection code is born).
3. dot-dot-register credentials — to register the dot-birth-admit DOT (and the 15 FILE_NO_REGISTRY scripts).
4. External scheduler decision (cron/systemd) — pg_cron is absent; the expiry sweep, drift comparator, and handoff consumer need one.
5. (Governance only) human OSPA ≥ 1 — needed to activate handoffs; not needed to apply birth.

Recommended next macro

PRE_BIRTH_PILOT_DOT_TOOLS_APPLY_PERMIT_AND_COMPOSITE_OWNER_GATED

Scope, in order, each step individually reversible with a STOP between step 6 and step 7:

1. Apply permit table (reversible).
2. Apply composite unique CONCURRENTLY + promote (reversible).
3. Patch both functions (OID-stable, reversible).
4. Smoke-test in a rolled-back txn.
5. STOP — owner confirms before dropping single-col unique.
6. Drop single-col unique; birth the 5 pivots as a separate reversible DML (orphan 59 → 54).
7. Apply pilot gate + finalize on dot_tools (family-flagged; no global flip).
8. Replace hardcoded code rule with registry-driven rule.
9. Capture drift baselines; wire gate_drift BLOCK dim into the guard.
10. (Separate, OSPA-gated) activate the governance handoff consumer.

Out of scope / still blocked (unchanged)

• RP cleanup — NO-GO, enforced by fn_assert_safe_for_dot_action (4 BLOCK dims: 59/6/16/1). Resumes only when all four reach 0.
• dot-pivot-update — STAGED_FILE_ONLY / UNBORN / NOT_VALID_DOT; not executed.
• dot_iu_command_catalog (54) — still triple-absent; owner identity/onboarding decision required (this drives most of the 59 orphan-critical).
• 6 REAL_MISSING phantoms — owner retire/restore decision + a retire mechanism (none exists; all 1.12M rows status='born', no CHECK, no retire fn). The retire mechanism is a separate design item (not in this pilot).

One-line handoff

The pre-birth admission model is proven and reversible for the dot_tools pilot. Apply is owner-gated, not engineering-gated. Birth-first is not achieved — this remains rehearsal until the apply macro runs under owner approval.