Verified-green vs gated: why we publish an honest status register
'The code exists and is tested' is a different claim than 'it runs in production moving real money.' We keep those two claims separate on purpose — and we publish which is which.
Three registers, always attached
Every status claim in our specs carries one of three registers. verified-green means tests pass at HEAD — the code exists and is adversarially checked. draft means docs and templates — scaffolding, not certification. gated means the code is done but is awaiting a named human or legal gate before it can be real.
The rule is simple and non-negotiable: “code exists and is verified green” is a different claim from “runs in production,” and the register says which one you’re reading. Most vendor marketing blurs exactly this line. We refuse to.
The honest register, in full
No real dollar has ever moved. Three generations of rails, all sandbox; every rail ships flag-off and fail-closed with advanceAmountCents=0. No real PHI has ever flowed — the dress rehearsal that exists ran on the real gate and reconciliation cores at zero advance, which is the right rehearsal, not yet the real performance.
The go-live critical path is human and legal, not engineering: secret rotation, BAAs and unsigned ATTEST gates, PSV credentials, an AMA CPT license, a money-transmission opinion, a BSA/AML program, SOC 2. Governance docs are self-assessments correctly labeled DRAFT. We publish this list because a system that hides its gaps is indistinguishable from one that doesn’t know it has them.
The migration runbook as a worked example
The money-units migration is a textbook case of the register in action. Its runbook header reads “PREPARED, not executed.” The code that renames the columns and fixes the 100× bugs is verified-green — tsc-clean, suites passing. But the production apply is gated: it needs live Cloud SQL, a shadow DB, a backfill parity check that SUM(cents) equals ROUND(SUM(float)*100) per clinic, and a money-path integration run on de-identified volume.
We built the expand/contract stages so the apply is reversible right up to the final DROP COLUMN. “The code is ready” and “we ran it in production” are two sentences, and we never let the first impersonate the second.
# spec header, verbatim discipline
# Status: PREPARED, not executed. Requires the live DB env.
# Verified: tsc 0 errors; suites pass.
# APPLY is user-gated (prod migration + coordinated redeploy).Why regulatory items stay explicitly gated
The FedNow message layer is built and certification-ready — parsers for the full inbound set, pacs.008builders, a conformance manifest. It is not certified, and we will not write “certified.” The application is a business milestone gated on a sponsor bank, a BSA/AML program, and capital, sequenced after revenue exists. Same for SOC 2, money transmission, and money-movement itself.
Keeping these gated isn’t modesty — it’s the load-bearing distinction that lets a reader trust the verified-green claims. When we say the settlement gate is a six-condition conjunction that fails closed, that claim is worth something precisely because we didn’t inflate the ones next to it.
The maintenance rule
There is one orbit-point document, and competing manifests are retired on sight. Sessions and agents update it in place with dated edits, and every new status claim must arrive with its register attached. This is how a fleet of agents building at speed avoids drifting into optimistic fiction: the honest register is a single file with a single rule, and the rule is that you cannot make a claim without labeling how true it is yet.
verified-greendraftorgated— pick one, every time.