
docs(ops): formalize production promotion protocol with lockdown test#338

Open
ctol3r wants to merge 1 commit into
mainfrom
wave/production-promotion-protocol

Conversation

@ctol3r
Owner

@ctol3r ctol3r commented May 12, 2026

Summary

Adds docs/ops/production-promotion-protocol.md — the operational answer to the recurring "verify production" brief pattern. With 33 PRs (#305-#337) open against main, there has been no single authoritative reference for how to promote them safely. This doc closes that gap.

Documents:

  • 7-gate verification flow: env vars present → runtime channel matches target → Clerk auth operational → trust endpoints reachable → replay attribution wired → audit durability operational → Codex SAFE verdicts
  • 4-phase merge order for the open queue, with Phase 4 explicitly flagged as DB-dependent (prisma migrate dev gated by feat(backend): DURABILITY-1 PR345A durable schema additions #319)
  • Required env vars table per runtime channel (local_dev / operator_preview / staging / production)
  • Concrete verification commands (curl /api/health, curl /.well-known/jwks.json, curl /api/receipts/verify, pg_dump, generate-signing-keypair.mjs, check-onboarding-readiness.sh)
  • Rollback path + closing-the-rephrasing-pattern section

A lockdown test (apps/web/__tests__/production-promotion-protocol.test.ts, 78 cases) pins every artifact reference against actual source so the doc can't drift:

Truth rules

  • Doc does NOT claim automation of verification, instant credentialing, compliance certification, or risk transfer.
  • 7th gate explicitly warns against bypassing Codex SAFE with --admin.
  • Status of unmerged PRs framed as "open / awaiting gate", never "shipped".

Validation

  • Targeted vitest: 78/78 passing
  • Truth-contract scan: CLEAN
  • Build: docs/test-only PR, no product code touched

Scope

  • docs/ops/production-promotion-protocol.md (new)
  • apps/web/__tests__/production-promotion-protocol.test.ts (new)

No apps/web/{app,lib,components} source changes.

Adds docs/ops/production-promotion-protocol.md — the operational answer
to the recurring "verify production" brief pattern. Documents:

- 7-gate verification flow (env vars / runtime channel / Clerk /
  trust endpoints / replay attribution / audit durability / Codex SAFE)
- 4-phase merge order for the open PR queue (#305-#337), with Phase 4
  flagged as DB-dependent (prisma migrate dev gated by #319)
- Required env vars table per runtime channel
  (local_dev / operator_preview / staging / production)
- Concrete verification commands (curl, pg_dump, generate-signing-keypair,
  check-onboarding-readiness)
- Rollback path + closing-the-rephrasing-pattern section

Lockdown test (apps/web/__tests__/production-promotion-protocol.test.ts,
78 cases) pins every artifact reference against actual source so the
doc can't drift: referenced files exist, every PR number appears, all
7 gate headings present, all 4 phases documented, env var table
complete, banned-strings clean.
@vercel

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
vcv-web Ready Ready Preview, Comment May 12, 2026 3:18am
vitalcv Ready Ready Preview, Comment May 12, 2026 3:18am


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3929009cf1


Comment on lines +23 to +30
const REFERENCED_FILES = [
'apps/web/lib/env.ts',
'apps/web/lib/auth/clerkConfig.ts',
'apps/web/middleware.ts',
'apps/web/app/api/.well-known/jwks.json/route.ts',
'apps/web/app/api/receipts/verify/route.ts',
'apps/api/backend/prisma/schema.prisma',
] as const;

P2 Badge Expand artifact-existence lockdown to all referenced sources

REFERENCED_FILES only validates 6 paths, but the protocol doc’s “Authoritative-source” and command sections reference many additional concrete artifacts (for example backup/onboarding scripts and status-route docs). Because those paths are not included here, the claimed “pins every artifact reference” guarantee is false and the doc can silently drift to broken file references without any test failure.


Comment on lines +43 to +46
305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317,
318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330,
332, 333, 334, 335, 336, 337,
];

P2 Badge Include PR #331 in the enforced PR coverage list

This suite states that every PR from #305 to #337 must be referenced, but the enforced PR_NUMBERS array skips 331. That gap means the protocol can omit one PR in the declared range and still pass the lockdown test, weakening the completeness check this test is meant to provide.

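Worked example, added here and not part of the PR's apps/web/__tests__ file, of how the lockdown test could be made drift-resistant on both points Codex raises above and on the "pins every artifact reference" claim in the PR description: derive the referenced-path list from the doc text itself instead of hand-maintaining REFERENCED_FILES, and generate the #305-#337 range instead of typing it out, so a skipped #331 or an unlisted script path cannot pass silently. The doc text, the in-memory repo set, the top-level path prefixes (apps/, scripts/, docs/), the scripts/ops/backup-db.sh path and the banned-string list are constructed assumptions for this example; the real test would read docs/ops/production-promotion-protocol.md and check paths with fs.existsSync against the checkout.

```typescript
// Added example (not the PR's own test file): a drift-resistant lockdown check.
// Instead of a hand-maintained REFERENCED_FILES array it pulls every repo-relative
// path out of the doc text, and instead of a typed-out PR_NUMBERS list it generates
// the inclusive range, so neither can silently omit an entry.
// Doc text, repo contents, path prefixes and banned-string list are constructed.

// Constructed stand-in for docs/ops/production-promotion-protocol.md.
const SAMPLE_DOC = `
# Production promotion protocol

## Gate 1: env vars present
Source of truth: \`apps/web/lib/env.ts\`.

## Gate 3: Clerk auth operational
Config in \`apps/web/lib/auth/clerkConfig.ts\`, enforced by \`apps/web/middleware.ts\`.

## Gate 4: trust endpoints reachable
curl -fsS "$BASE_URL/.well-known/jwks.json"  (apps/web/app/api/.well-known/jwks.json/route.ts)
curl -fsS "$BASE_URL/api/receipts/verify"    (apps/web/app/api/receipts/verify/route.ts)

## Gate 6: audit durability operational
Run scripts/ops/backup-db.sh before promotion.  (hypothetical path for this example)

## Phase 4 (DB-dependent)
Gated by #319. Open PRs: #305, #306, #330, #332, #337 (open / awaiting gate).
`;

// Constructed in-memory checkout; the real test would consult fs.existsSync.
const FAKE_REPO: ReadonlySet<string> = new Set([
  'apps/web/lib/env.ts',
  'apps/web/lib/auth/clerkConfig.ts',
  'apps/web/middleware.ts',
  'apps/web/app/api/.well-known/jwks.json/route.ts',
  'apps/web/app/api/receipts/verify/route.ts',
]);

// Assumed banned strings from the PR's truth rules (unmerged work is never "shipped").
const BANNED_STRINGS: readonly string[] = ['shipped', 'verified automatically'];

// Collect all matches of a global regex on a fresh RegExp so no lastIndex state leaks.
function allMatches(pattern: RegExp, text: string): RegExpExecArray[] {
  const flags = pattern.flags.indexOf('g') === -1 ? pattern.flags + 'g' : pattern.flags;
  const re = new RegExp(pattern.source, flags);
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out.push(m);
  return out;
}

// Every repo-relative path the doc mentions under the assumed top-level dirs, de-duplicated and sorted.
function extractReferencedPaths(doc: string): string[] {
  const found = new Set<string>();
  for (const m of allMatches(/\b(?:apps|scripts|docs)\/[\w.\-\/\[\]]+/g, doc)) {
    found.add(m[0].replace(/[.,;:]+$/, '')); // drop sentence punctuation glued to a path
  }
  return Array.from(found).sort();
}

// Referenced paths that do not exist in the checkout.
function missingFiles(doc: string, exists: (p: string) => boolean): string[] {
  return extractReferencedPaths(doc).filter((p) => !exists(p));
}

// Inclusive PR range; a generated list cannot skip #331 the way a typed one can.
function prRange(first: number, last: number): number[] {
  if (!Number.isInteger(first) || !Number.isInteger(last) || last < first) {
    throw new Error(`bad PR range ${first}-${last}`);
  }
  return Array.from({ length: last - first + 1 }, (_, i) => first + i);
}

// PR numbers in [first, last] that the doc never cites as "#NNN".
function missingPrs(doc: string, first: number, last: number): number[] {
  const cited = new Set<number>();
  for (const m of allMatches(/#(\d+)\b/g, doc)) cited.add(Number(m[1]));
  return prRange(first, last).filter((n) => !cited.has(n));
}

// Banned strings present in the doc, matched case-insensitively.
function bannedHits(doc: string): string[] {
  const lower = doc.toLowerCase();
  return BANNED_STRINGS.filter((s) => lower.indexOf(s.toLowerCase()) !== -1);
}

interface LockdownReport {
  missingFiles: string[];
  missingPrs: number[];
  bannedHits: string[];
  ok: boolean;
}

// The whole lockdown in one call; ok is true only when every check is clean.
function lockdownReport(doc: string, exists: (p: string) => boolean, firstPr: number, lastPr: number): LockdownReport {
  const files = missingFiles(doc, exists);
  const prs = missingPrs(doc, firstPr, lastPr);
  const banned = bannedHits(doc);
  return { missingFiles: files, missingPrs: prs, bannedHits: banned, ok: files.length === 0 && prs.length === 0 && banned.length === 0 };
}

// Stand-alone run: the constructed doc fails on the missing backup script and the uncited PRs.
console.log(JSON.stringify(lockdownReport(SAMPLE_DOC, (p) => FAKE_REPO.has(p), 305, 337), null, 2));
```

In a vitest suite each of the three arrays would become its own `expect(...).toEqual([])` so the failure message names the exact drifted path or PR number; keeping the range generated from two constants means a queue that grows to #338 is a one-number change rather than another hand-typed entry to forget.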

