Lesson 95: Signed Operator Override Ledger - Dual-Signature, Time-Boxed External Send During an Active Lesson 94 Kill-Switch Hold
Direct answer: A signed operator override ledger is the append-only record that authorizes a narrow, time-boxed external send while a Lesson 94 kill-switch still trips K1–K4. It requires two independent signatures, a channel allowlist, a pre-written rollback artifact, and hashes that bind the override to the active kill_switch_event_id and Lesson 93 bundle rows—so “executive pressure” cannot become silent bypass.
What this lesson solves
Holds protect truth; contracts and player trust still have clocks. This lesson gives you a papered exception path that is harder to forge than a Slack thumbs-up.
Prerequisites: An open kill_switch_event_id with send_state=held, Lesson 93 rows for the bundles in question, and clarity on which trip_gate fired. Expected time: about eighty-five minutes including a tabletop on a CEO “send the tweet now” demand.
What you will build
lesson78_signed_operator_override_ledger_policy.md(contract below)lesson78_signed_operator_override_ledger.csv(one row per override attempt, including denied requests)- A dual-approval workflow in your ticket tool or CMS (manual routing is fine at small scale)
Step 1 - Define override gate classes
| gate | fail signal | owner action |
|---|---|---|
| O1 – Identity collision | requester matches signer_a_id or signer_b_id |
reject; recruit independent approvers |
| O2 – Scope creep | channels outside scope_channel_allowlist or copy outside override_body_hash |
reject or split new override row |
| O3 – Clock breach | send after valid_to_utc |
treat as unauthorized; trigger incident review |
| O4 – Missing rollback | no rollback_message_id_ref row with ready plaintext |
block unlock |
Step 2 - Author lesson78_signed_operator_override_ledger_policy.md
Minimum sections:
- Purpose – allow bounded sends during drift holds without dissolving the Lesson 92 evidence chain.
- Eligibility – overrides never clear the underlying drift; they only unlock specific
external_message_id_refrows for a defined window. - Signer rules –
signer_a= on-call live-ops lead;signer_b= legal or finance delegate not reporting to requester; rotate rosters quarterly. - Copy discipline – override body must include a residual risk banner citing the active
trip_gateand truncatedkill_switch_evidence_hash. - Rollback –
rollback_message_id_refmust pre-exist as a drafted Lesson 93 row with its ownsigned_message_body_hash, ready to publish if the send misfires. - Revocation – any new Lesson 90 ingestion append or governance bump auto-expires
valid_to_utctonowunless a fresh override row is filed.
Step 3 - Author lesson78_signed_operator_override_ledger.csv
| column | purpose |
|---|---|
override_event_id |
stable id |
train_cycle_id |
ties Lessons 89–94 |
kill_switch_event_id_ref |
Lesson 94 log row being overridden |
external_message_id_ref |
Lesson 93 bundle |
trip_gate_ack |
must echo active K1–K4 |
valid_from_utc / valid_to_utc |
max four hours default; shorter for social |
scope_channel_allowlist |
comma list; no wildcards |
signer_a_id / signer_b_id |
human ids with org keys |
override_body_hash |
sha256 canonical body including banner |
rollback_message_id_ref |
Lesson 93 rollback bundle |
override_evidence_hash |
sha256 over prior columns + signer timestamps |
Step 4 - Run the override ceremony (40 minutes)
- Freeze narrative – paste the kill-switch row and the exact copy diff leadership wants.
- Draft rollback – write the “we pulled the optimistic line” message first; hash it.
- Narrow scope – if they want three channels, open three override rows or one row with explicit allowlist; never “etc.”
- Collect signatures – both signers attest they read
trip_gate_ackand the footer hashes. - Unlock – automation keys off
override_evidence_hashmatch; human mode requires paste of hash into send console.
Step 5 - Tabletop - “legal says email only”
Leadership demands social plus email but only email is rehearsed. Outcome: O2 failure; either expand rehearsal or issue two overrides with separate bodies—no implicit channel expansion.
Pro tips
- Shorter clocks for virality – social gets ninety-minute windows; partner APIs get four hours when contracts demand.
- Deny loudly – log denied override requests with reason codes; they train the org faster than silent nos.
- Pair with finance – if the hold ties to refund posture, keep signer_b in finance when
trip_gatereferences macro tiers from earlier borrow lessons.
Troubleshooting
| symptom | likely cause | fix |
|---|---|---|
| Automation still blocks after signatures | hash mismatch on whitespace | canonicalize UTF-8 NFC before hashing |
| Rollback never ships | rollback row lacks channel bundle | duplicate rollback per channel |
| Repeat overrides nightly | underlying drift unresolved | escalate to ingestion merge, not more overrides |
Common mistakes
- Letting the CEO be
signer_b. - Using one override for “the campaign” instead of per
external_message_id. - Forgetting to close the override window in monitoring after
valid_to_utc.
FAQ
Does an override clear the kill-switch?
No. It authorizes a send under known stale facts. The hold row stays until hashes reconcile or a new dry-run passes.
Can we override if Lesson 92 was defer?
No. Overrides bind to Lesson 94 events that reference a pass rehearsal; defer still blocks external copy.
What if rollback triggers?
Publish rollback_message_id_ref, log revoke_state=rollback_sent, and open a new Lesson 92 dry-run before the next optimistic message.
Lesson recap
Overrides are leases, not pardons. Two signatures and a rollback stub turn a dangerous exception into an auditable transaction.
Next lesson teaser
Next: Lesson 96: Post-Override Rollback Verification Packet proves rollback SLA, hashes live pages against Lesson 93, reconciles telemetry, and closes Lesson 95 overrides with verified or renewed-freeze outcomes.
Related learning
- Lesson 94: Escalation Send Kill-Switch
- Lesson 93: External Escalation Messaging Packet
- How to Score Forecast Calibration Drift Before Release Gates for Live-Ops Teams (2026)
Treat overrides as notarized leases, not verbal hall passes.