# AR DIRECTIVE — AGE ACT ENFORCEMENT IS MANDATORY

**Directive ID:** AR-DIRECTIVE-2026-05-16-AGE-MANDATORY  
**Issued by:** AR (Adam)  
**Date:** 2026-05-16  
**Authority:** AR direct order  
**Status:** PERMANENT — NEVER SUSPENDED  
**Enforcement:** ALL AGENTS, ALL SESSIONS, ALL WORK

---

## The Order

> "use AGE and keep with the enforcement always never ever do not do this"

— AR, 2026-05-16

## Translation

AGE Act (AG-001) governance is mandatory for every change, every deploy, every session, every agent. No exceptions. Never bypassed. Never skipped to save time. Never deferred for convenience.

## Why This Directive Exists

Today's session (2026-05-16) demonstrated the cost of skipping AGE Act:

- `add-dashboard-billing.sh` deployed without WO → broke login → wasted hours
- GemWallet retry fix deployed without persistence plan → broke twice → caused AR to lose time on the road
- `verify.html` patched piecemeal across sessions → "fix one, break two" cycle
- Nav drift across pages → 5 separate UI bugs from the same root cause
- API key hardcoded in frontend (security violation) → caught only by manual review

Every single one of these would have been caught by AGE-enforced smoke tests and Check→Sign→Deploy gates.

## Mandatory Protocol — Every Change

| Step | Required |
|---|---|
| 1. Check-In | Declare what you're about to change, before touching anything |
| 2. WO filed | Work Order with scope, files, rollback plan |
| 3. Mini-split | Break work into single-purpose micro-steps |
| 4. Backup | Timestamped backup of every file before edit |
| 5. Change | Make the smallest scoped change |
| 6. Content smoke | Verify CONTENT (not just HTTP 200) — grep for actual strings/code |
| 7. Sign | Second-agent or self-cert that smoke passed |
| 8. Deploy | Only after sign |
| 9. Post-deploy smoke | Verify live site still works for all critical paths |
| 10. Evidence | File 8-field report with WO, backup path, smoke output |
| 11. Check-Out | Declare complete with evidence link |
| 12. PTF/APAR | File PTF for the fix and APAR if a defect was found |

If any step is skipped, the deploy is invalid and must be rolled back.

## Critical-Path Smoke Tests (Non-Negotiable)

Every deploy touching DataCert.ai must verify:

1. `POST /api/auth/login.php` with valid creds returns token
2. `GET /api/auth/me.php` with auth returns 200 with user record
3. `GET /api/v1/certifications` returns live API info
4. `GET /api/v1/certifications/{address}` returns DB record or graceful miss
5. verify.html references GemWallet detection retry (standalone JS preferred)
6. Wallet form rejects `s`-prefix (secret key guard)
7. All pages use shared nav include (no per-page nav drift)
8. i18n loader present and language switcher works

Deploy script must FAIL and ROLL BACK if any smoke check fails. No human override.
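
The content-smoke and roll-back rule above, sketched as an added example (not the project's deploy script). It covers only the static-content checks: items 5 and 7 plus the frontend API key prohibition. The marker paths `/js/shared-nav.js` and `/js/gemwallet-retry.js`, the credential regex, and all function names are assumptions.

```bash
# Added example. Marker strings and file names are assumptions, not the site's real ones.
NAV_MARKER='/js/shared-nav.js'          # hypothetical shared nav include
RETRY_MARKER='/js/gemwallet-retry.js'   # hypothetical standalone retry script
# A quoted literal of 16+ key-like characters assigned to an api key/secret/token name.
SECRET_RE="(api[_-]?key|secret|token)[\"']?[[:space:]]*[:=][[:space:]]*[\"'][A-Za-z0-9_-]{16,}[\"']"

check_no_frontend_secret() {   # prohibition: no API keys in frontend code
  if grep -rEil --include='*.html' --include='*.js' "$SECRET_RE" "$1"; then
    echo "FAIL: hardcoded credential in the file(s) listed above"; return 1
  fi
}

check_shared_nav() {           # smoke 7: shared nav include, no per-page nav
  local f rc=0
  for f in "$1"/*.html; do
    if ! grep -qF "$NAV_MARKER" "$f"; then echo "FAIL: $f lacks shared nav"; rc=1; fi
    if grep -qi '<nav[ >]' "$f"; then echo "FAIL: $f has inline <nav>"; rc=1; fi
  done
  return $rc
}

check_gemwallet_retry() {      # smoke 5: verify.html references the retry script
  if ! grep -qF "$RETRY_MARKER" "$1/verify.html"; then
    echo "FAIL: verify.html lacks GemWallet retry reference"; return 1
  fi
}

# Run every check without short-circuiting so the evidence lists all failures;
# on any failure restore the backup and return non-zero. No override flag exists.
smoke_gate() {                 # usage: smoke_gate <webroot> <backup_dir>
  local root="$1" backup="$2" failed=0
  check_no_frontend_secret "$root" || failed=1
  check_shared_nav "$root"         || failed=1
  check_gemwallet_retry "$root"    || failed=1
  if [ "$failed" -ne 0 ]; then
    rm -rf "${root:?}"/* && cp -a "$backup"/. "$root"/
    echo "ROLLED BACK from $backup"; return 1
  fi
  echo "SMOKE PASS"
}

# Constructed sample webroot (not real site content) for trying the gate offline.
make_sample() {                # usage: make_sample <dir>
  mkdir -p "$1"
  printf '<script src="%s"></script>\n' "$NAV_MARKER" > "$1/index.html"
  printf '<script src="%s"></script><script src="%s"></script>\n' \
    "$NAV_MARKER" "$RETRY_MARKER" > "$1/verify.html"
}
```

The credential pattern only catches quoted literals assigned to key-like names, so it backs up manual review rather than replacing a dedicated secret scanner.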

## Standing Prohibitions

- NEVER deploy without backup
- NEVER deploy without smoke test
- NEVER deploy without WO
- NEVER deploy if smoke fails — roll back instead
- NEVER patch the same file twice in one session without re-verifying critical paths between patches
- NEVER put API keys in frontend code
- NEVER duplicate critical logic inline across HTML pages (use standalone JS files)
- NEVER suspend AGE Act "just this once"

## Enforcement Authority

Any agent observing another agent skip AGE Act has authority and obligation to:

1. Stop the non-compliant deploy
2. File an APAR documenting the violation
3. Notify AR via handover or queue

AGE Act compliance is not a suggestion. It is the operating constitution.

## Reference Documents

- AGE Act: `/opt/veritize-docker/ops/governance/AG-001_AGENT_GOVERNANCE_AND_EVIDENCE_CONTROL_ACT_2026-05-11.md`
- This directive: `/opt/veritize-docker/ops/governance/AR-DIRECTIVE-2026-05-16-AGE-MANDATORY.md`
- Today's session bundle: `/opt/veritize-docker/ops/governance/session-2026-05-16/`
- Template of correct practice: PTF-2026-05-16-006-ZH-FULL-COVERAGE.md
