CVN-N001-EK-S01 — Runbook
Story artifact required by ADR-0101. For a governance Story the runbook is the operational playbook: how the protocol's gates are operated, how the ADR/charter are amended or rolled back, the owner handoff, and the waiver path. Architecture context: architecture.md.
1. Roles
| Role | Authority |
|---|---|
| Operator | runs the pipeline, registers tuples, triggers transitions; launcher (≠ locker) |
| Methodology reviewer | plan_review / design validation; co-signs the charter lock; resolves material-equivalence disputes |
| Risk owner | blocking veto (scope: architecture §7); co-signs the charter lock; never the launcher |
Role separation (invariant): the charter locker (S03) ≠ the run launcher (S04).
2. Operating the gates (per tuple)
1. Register the tuple (full schema, architecture §4.1) with its prior_rationale recorded before registration.
2. Killed-tuple check (architecture §4.2) — if materially equivalent, stop; escalate to methodology + risk owner for a dispute/reopening decision.
3. Phase 2 predictivity vs the locked null-gate, under FDR. Record the test in the FDR ledger.
4. Read the verdict off the state machine; take only a legal next action (advance · prepaid action-policy correction · new tuple · terminal verdict).
5. Continue Phases 3→6 only when each phase's entry condition holds.
6. Final holdout is read once, at the verdict; log the dated access.
Hard stops during operation:
- killed-equivalent tuple → reject (step 2);
- holdout second-touch → verdict invalidated (architecture §4.4);
- FDR/family budget exhausted → no further tests in that family;
- risk-owner veto active → pipeline blocked.
3. Amending the ADR (durable rules)
The ADR adr/0102 is Accepted. Amendment follows the normal ADR process (a new revision via PR +
plan_review); it is not edited silently. A rule change that would loosen an anti-snooping invariant
requires methodology + risk-owner sign-off. Superseded rules are marked, never deleted (audit trail).
4. Charter lifecycle (lock / amend / rollback)
| Action | Procedure |
|---|---|
| Fill placeholders | S02 derives values (no lock) |
| Lock (S03) | joint sign-off (operator + methodology + risk owner); values frozen; immutability via hash / write-once |
| Amend after lock | only via a recorded re-lock with the same joint sign-off + a reason; the prior locked version is retained |
| Rollback | revert to the prior locked charter version (retained); any tuple evaluated under the rolled-back values is re-assessed |
5. Waiver path
A waiver (e.g. proceeding despite a risk-owner objection, or reopening a killed tuple) requires: an explicit written rationale, a named accountable owner, an expiry, and reviewer approval. Waivers are recorded against the Story / OpenProject and reported separately — a risk-owner objection cannot be waived by methodology approval alone (architecture §7).
6. Owner handoff
- Source of truth: OpenProject wp#271 (status) + this Story hub (artifacts) + the ADR/charter (rules/values).
- A new owner picks up from: the locked charter (or its current draft), the registered- and killed-tuple registers, the FDR ledger, and the holdout access log.
- Never infer authority from a green pipeline: trading/deployment is out of scope and requires separate approval (architecture §1).
7. Rollback of this Story's deliverable
Reverting S01 = revert the ADR adr/0102 + charter draft + this doc set. No runtime/code impact — the
artifacts are governance conventions. Downstream Stories (S02+) that depend on the ADR/charter are blocked
until it is re-established.