Start Building

Lesson 172: Q3 2026 Submission Intake Mock Audit Tabletop Scoring Rubric (2026)

Why this matters now

Through 2026 the cert-window intake density on Quest, Steam, and console partner lanes has shifted: instead of one cert window per quarter, small teams now face two-to-three submission cadences inside Q3 alone (Gamescom-adjacent partner reviews, Steam autumn deck verification refresh, Meta holiday window opening early). The teams that ship clean through Q3 are the teams that rehearse the full packet stack against a single shared rubric, not the teams that nailed any one chapter from Lessons 162-171.

You have built the parts. Lesson 162 gave you SLA breach forecasting and freeze gates. Lesson 163 added carve-out audit trails. Lesson 164 synchronised leadership and partner SLA snapshots. Lesson 165 pinned footer semver and the replay-parser contract. Lesson 166 added weekly SLA reconciliation. Lesson 167 added the synthetic replay diff gate. Lesson 168 put staffing buffer burn-down on the dashboard. Lesson 169 rehearsed the freeze-lift dry run. Lesson 170 disciplined FAQ rewrites. Lesson 171 auto-blocked tuple drift at the publish pipeline.

This lesson is the integration drill. One scoring rubric. One 90-minute tabletop. Seven weighted dimensions. A pass-fail line that mirrors what the real partner reviewer will use when your Q3 packet lands in their queue.

A small team that runs this drill twice per cert window arrives at the real submission window with muscle memory instead of frantic chapter-by-chapter reading of the runbook. That muscle memory is the actual deliverable of Lessons 162-171; this lesson is where it gets exercised.

Lesson objectives

By the end of this lesson you will have:

  • A mock audit packet manifest - the full file list the tabletop assembles in staging before the drill begins.
  • A seven-dimension scoring rubric with weights, pass thresholds, and named failure modes.
  • A tabletop format for a 90-minute, 4-person panel that produces a single score and a deficiency log.
  • A deficiency-to-ticket conversion workflow so every dimension that scores below pass produces a tracked remediation row, not a footnote.
  • A mock-to-real conversion gate so the team cannot enter a real cert window with any deficiency still open.
  • A cadence schedule placing two mock audits per cert window: one T-14 days for systemic issues and one T-3 days for last-touch verification.

Prerequisites from earlier lessons

This lesson assumes all of Lessons 162-171 are implemented. If any of the following is missing or partial, the rubric will score it red and you will spend the tabletop arguing about scope instead of practising the audit:

  • Lesson 162 - SLA breach forecasting + freeze gates.
  • Lesson 163 - freeze bypass audit trails + carve-out annex.
  • Lesson 164 - leadership / partner SLA dashboard sync.
  • Lesson 165 - footer schema semver + replay parser contract.
  • Lesson 166 - weekly SLA reconciliation job.
  • Lesson 167 - synthetic replay diff gate.
  • Lesson 168 - staffing buffer burn-down dashboard slices.
  • Lesson 169 - freeze-lift dry-run rehearsal.
  • Lesson 170 - FAQ-bound readback discipline.
  • Lesson 171 - publish-pipeline tuple-drift block.

If any of these are stubs or "we mean to get to that," return to them. The mock audit is not a substitute for the underlying chapters.

Step 1 - Assemble the mock audit packet

A mock audit packet is the same shape as a real partner submission packet, frozen at a specific point in staging time. Assemble it the day before the tabletop runs:

mock-audit-packets/
  q3-2026-window-1/
    T-14-rehearsal/
      manifest.json
      leadership-snapshot.csv         (Lesson 164 export)
      partner-annex-snapshot.csv      (Lesson 164 export, partner side)
      reconciliation-job-log.csv      (Lesson 166 latest run)
      synthetic-replay-diff.csv       (Lesson 167 latest run)
      faq-readback-rows.csv           (Lesson 170 export)
      publish-replay-audit.csv        (Lesson 171 export)
      carve-out-annex.pdf             (Lesson 163 latest)
      footer-schema-registry.txt      (Lesson 165 current version)
      staffing-buffer-burn-down.csv   (Lesson 168 export)
      freeze-lift-dry-run-pass.txt    (Lesson 169 latest pass)
    T-3-rehearsal/
      ... (same shape, fresh exports closer to real cert date)

manifest.json records the freeze IDs, dry-run IDs, and revision pins each file was exported at. Without the manifest, the tabletop cannot decide whether two files belong to the same evidence vintage.

The packet is immutable during the tabletop. If the team wants to "just fix one cell," that becomes a deficiency row and a remediation ticket - not an edit to the packet under review.

Step 2 - The seven rubric dimensions

The rubric has seven dimensions, each weighted, each with a named pass threshold:

# Dimension Source lesson Weight Pass threshold
1 Leadership vs partner SLA snapshot alignment 164, 166 20% Variance within epsilon_policy_version on every shared row; reconciliation job green within last 7 days.
2 Carve-out annex presence and signer ack 163 10% Every active freeze_bypass_id from the cert window has a signed annex row; no open carve-out without an expires_at_utc.
3 Footer semver + replay parser contract pin 165 10% footer_schema_semver matches footer_schema_registry.current_semver; replay_parser_contract matches the registered allow-list version.
4 Weekly reconciliation job green 166 15% Last two reconciliation_job_run rows are status = 'green'; no signer ack older than the configured ack SLA.
5 Synthetic replay diff gate green 167 15% Last synthetic_replay_run_id finished green against the goldens; epsilon_policy_version pin unchanged from the packet manifest.
6 FAQ-bound readback discipline 170 15% Every redline_id in the registry is bound to an active FAQ row; no pending_review rows older than the configured review window; no unsigned faq_change_id events.
7 Publish-pipeline tuple-drift block clean 171 15% publish_replay_audit shows zero status = 'blocked' rows without a matching resolved or withdrawn; no open_publish_block reason was used to refuse a freeze lift since the last cert window closed.

Total weight is 100%. A passing audit is >= 90% weighted score with no dimension below 50%. The "no dimension below 50%" rule matters - a single red dimension means an entire pillar of the stack is unreliable, regardless of how many other dimensions are green.

Each dimension also has a named failure mode the tabletop scribe can write next to a low score:

  • Dimension 1 - partner_lead_variance (variance exceeds epsilon).
  • Dimension 2 - unsigned_carve_out (active bypass without annex row).
  • Dimension 3 - footer_drift (semver mismatch with registry).
  • Dimension 4 - reconciliation_red (job not green for two consecutive runs).
  • Dimension 5 - replay_diff_red (synthetic replay finished non-green).
  • Dimension 6 - faq_unsigned (rewrite without faq_change_id ack).
  • Dimension 7 - tuple_drift_open (unresolved publish_replay_audit block).

Free text scoring is not allowed; if the tabletop wants to flag something outside this set, the right answer is to expand the rubric in a separate session, not to invent a category mid-drill.

Step 3 - The tabletop format (90 minutes, 4 people)

The drill takes 90 minutes and runs with a four-person panel:

  • Scribe - records scores, failure-mode names, and deficiency rows. Does not score.
  • Leadership voice - reads the leadership-side rows and presses on partner alignment, redlines, and freeze-lift decisions.
  • Partner voice - reads the partner-annex rows and presses on carve-outs, FAQ wording, and reviewer-question response habits.
  • Engineering voice - reads the SQL artifacts (publish_replay_audit, synthetic_replay_run, reconciliation_job_run) and presses on technical evidence and pipeline runs.

The schedule:

Time Phase
0:00-0:10 Packet handoff: scribe reads manifest.json aloud; the three voices confirm files they will press on.
0:10-1:00 Seven 7-minute rounds, one per rubric dimension. In each round, one voice leads, the other two cross-check, the scribe records 0-100 with one failure-mode tag if below pass.
1:00-1:20 Deficiency log review: scribe reads each below-pass dimension; the panel agrees on a 1-line remediation summary per row.
1:20-1:30 Score finalisation: scribe computes the weighted total, writes the deficiency-ticket count, signs off the audit row.

A timer is enforced. A round that runs over budget collapses into "score what you can defend in the remaining minute and tag time_pressure_deficiency" - this models real cert-week pressure where reviewers also do not get unlimited time.

The output is a single row in the mock_audit_log:

CREATE TABLE mock_audit_log (
    mock_audit_id TEXT PRIMARY KEY,
    cert_window_id TEXT NOT NULL,
    rehearsal_kind TEXT NOT NULL CHECK (rehearsal_kind IN ('T-14','T-3')),
    weighted_score INT NOT NULL,
    pass BOOLEAN NOT NULL,
    dimension_scores_json TEXT NOT NULL,
    deficiency_count INT NOT NULL,
    scribe_user_id TEXT NOT NULL,
    panel_user_ids_json TEXT NOT NULL,
    started_at_utc TIMESTAMP NOT NULL,
    finished_at_utc TIMESTAMP NOT NULL
);

dimension_scores_json is the scribe's seven-row JSON record with one failure-mode tag per below-pass dimension. The audit row itself is immutable after sign-off.

Step 4 - Deficiency-to-ticket conversion

Every below-pass dimension produces a tracked remediation ticket. The conversion is mechanical, not creative:

INSERT INTO mock_audit_deficiency_ticket (
    deficiency_ticket_id,
    mock_audit_id,
    dimension_number,
    failure_mode,
    summary_1_line,
    owner_user_id,
    sla_resolution_hours,
    status,
    created_at_utc
)
VALUES (
    :ticket_id,
    :mock_audit_id,
    :dim,
    :failure_mode,
    :summary,
    :owner,
    CASE WHEN :rehearsal_kind = 'T-14' THEN 168 ELSE 48 END,
    'open',
    NOW()
);

Two SLAs by rehearsal kind:

  • T-14 rehearsal - 168 hours (7 days) to resolution before the second rehearsal.
  • T-3 rehearsal - 48 hours to resolution before the real cert window opens.

A T-3 deficiency that misses its 48-hour SLA becomes a cert-window blocker in step 6.

Step 5 - The mock-to-real conversion gate

Before the real cert-window publish runs, one query gates the whole submission:

SELECT COUNT(*) AS open_deficiencies
FROM mock_audit_deficiency_ticket
WHERE cert_window_id = :current_cert_window_id
  AND status = 'open';

If open_deficiencies > 0, the publish pipeline (Lesson 171) refuses to leave pending_gate regardless of hash agreement. The block reason extends with mock_audit_open_deficiency. The carve-out workflow (Lesson 163) is the only way to publish with an open deficiency, and it requires a signed annex row tying the carve-out to the specific deficiency ticket.

This closes the loop: a deficiency caught in the mock audit cannot quietly slip into a real submission, and the carve-out lane forces a paper trail when overriding the gate.

Step 6 - Cadence: two rehearsals per cert window

The two rehearsals serve different purposes:

Rehearsal When Purpose
T-14 days Two weeks before cert window opens Find systemic issues - missing signer routes, dimensions that have been red for weeks, broken reconciliation jobs. T-14 deficiencies get a 7-day SLA so the second rehearsal exercises the fixes.
T-3 days Three days before cert window opens Find last-touch issues - stale exports, today's FAQ rewrite that didn't get acked, yesterday's freeze that isn't yet covered by a carve-out annex. T-3 deficiencies get a 48-hour SLA and a hard cert-window gate.

For Q3 2026 specifically, both Gamescom-adjacent and Steam autumn windows tend to overlap by 2-3 weeks. Run two separate rehearsal pairs (one per window) - do not merge them into a single packet. The mock_audit_log cert_window_id is the key that keeps them separable.

Step 7 - First-window habit: pre-mint a deliberately failing packet

The first time you run this drill, pre-mint a packet you know will fail. Choose two dimensions to score below pass before the tabletop begins. The team practices:

  1. Scoring honestly when the evidence is genuinely red.
  2. Writing 1-line deficiency summaries that another team member could action.
  3. Filing the remediation tickets without arguing about scope.
  4. Watching the publish-gate refuse to leave pending_gate until the tickets close.

A team's first passing mock audit is much less valuable than its first failing mock audit. The failure-mode muscle memory is what carries you through the real window.

Common mistakes to avoid

  • Treating below-pass as "we'll talk about it later" - every below-pass dimension produces a ticket with an SLA. The conversion is mechanical, not negotiable.
  • Editing the packet during the tabletop - the packet is immutable for the 90 minutes. Edits become tickets.
  • Skipping the failure-mode tag on a below-pass score - the failure-mode tag is the column retros (Lesson 160) consume. Skipping it destroys the recurrence histogram.
  • Allowing free-text dimensions - if the panel wants to flag something outside the seven dimensions, that is a separate rubric-expansion session, not a mid-drill addition.
  • Running the T-3 rehearsal without the T-14 fixes verified - the second rehearsal exercises the fixes, not the original deficiencies. If T-14 fixes are not in, the T-3 rehearsal re-scores the same issues and wastes the slot.
  • Using mock audit results to grade individuals - the rubric grades the packet stack, not the people. Conflating the two destroys honest scoring.
  • Allowing carve-out overrides to be the default path through the gate - a carve-out is an exception, not a workflow. Two carve-outs per cert window is a red flag, not a habit.

Verification checklist

  • [ ] A mock_audit_packets/q3-2026-window-1/T-14-rehearsal/ directory exists with all eleven manifest files plus manifest.json.
  • [ ] The scoring rubric table is pinned in the team runbook, including weights, pass thresholds, and failure-mode names.
  • [ ] The four panel roles are assigned by name for at least the next two cert windows.
  • [ ] mock_audit_log and mock_audit_deficiency_ticket tables exist with the schemas above.
  • [ ] The Lesson 171 publish gate's block_reason enum has been extended with mock_audit_open_deficiency.
  • [ ] A deliberately-failing packet has been pre-minted for the first rehearsal so the team practises honest below-pass scoring.
  • [ ] A 90-minute calendar block is scheduled at T-14 and T-3 for every cert window in Q3 2026.

If any item is missing, fix it before running the first real rehearsal. The drill's value is its honesty; one missing scaffold collapses the rest.

What you have just earned

After this lesson the team practices the entire governance packet stack on a fixed cadence with a single shared rubric. The seven dimensions trace directly to Lessons 162-171, the scoring is mechanical, the deficiency conversion is mechanical, and the mock-to-real gate prevents quietly-rolling-forward into a real submission window with an unresolved issue.

You also gained an audit surface (mock_audit_log + mock_audit_deficiency_ticket) that retros (Lesson 160) consume as input for "which dimensions keep going red" trend analysis - the recurrence histogram that tells you whether to spend the next sprint on Lesson 167 hardening, Lesson 170 owner-route tuning, or somewhere else.

Most importantly, the team enters Q3 2026 cert windows with rehearsed muscle memory for the full packet, not with a runbook page open in another tab.

Next lesson teaser

The next lesson (Lesson 173: Mock Audit Deficiency Recurrence Trend Board and Sprint Hardening Budget (2026)) is the trend consumer for everything you just built. It aggregates mock_audit_log plus deficiency-ticket rows across cert windows into a rolling 12-window recurrence histogram, classifies dimensions as stable / improving / hot / structural-red on deterministic thresholds, and converts the classification into a sprint hardening budget allocator that mechanically routes next sprint's hardening hours across Lessons 162-171. The board exists specifically so Q4 2026 partner readbacks (which now ask for cross-window deficiency class trends, not single-tabletop snapshots) have a defensible answer.

Run two mock-audit rehearsals per Q3 2026 cert window, then ship Lesson 173 immediately so the rehearsal investment compounds into hardened governance instead of evaporating into next sprint's feature work.

Continuity

  • Paired Unity guide chapter: Unity 6.6 LTS OpenXR Governance Q3 2026 Submission Intake Mock Audit Scoring Rubric Preflight - editor-side Governance/Mock Audit Rubric and Governance/Mock Audit Deficiency Ticket ScriptableObject groups, BI-side bind contract on the seven-dimension scoring view, and the rubric runbook attached to the cert-week calendar item.
  • Help article: OpenXR Governance Partner SLA Snapshot vs Leadership Dashboard Rollup Mismatch (Quest) Fix - the rollup-mismatch failure mode dimension 1 catches in the rubric.
  • Lesson 171 - Tuple Drift Automatic Block on Dashboard Publish Pipeline (2026) - the publish gate dimension 7 reads from, plus the mock_audit_open_deficiency block reason this lesson installs.
  • Lesson 170 - Executive Readback Redlines Versus Partner Annex FAQ Discipline (2026) - the FAQ-bound readback dimension 6 scores against.
  • Lesson 169 - Freeze Lift Rehearsal Dry Run Coupling to Dashboard Snapshot Tuples (2026) - the dry-run rehearsal that runs immediately before the mock-audit gate in the real cert-week cadence.
  • Lesson 167 - Synthetic Replay Diff Gate (2026) - the epsilon policy dimension 5 scores against.
  • Lesson 166 - Weekly SLA Snapshot Reconciliation Job (2026) - the reconciliation green dimension 4 scores against.
  • Lesson 165 - Governance Packet Footer Metadata Schema Semver (2026) - the footer-schema registry dimension 3 scores against.
  • Lesson 164 - Leadership Partner SLA Dashboard Sync (2026) - the dictionary-bound dimension 1 scores against.
  • Lesson 163 - Governance Freeze Bypass Audit Trails (2026) - the carve-out annex dimension 2 scores against; also the override lane for mock-audit-blocked publishes.
  • Lesson 162 - Governance SLA Breach Forecasting Cert-Window Freeze Gates (2026) - the upstream gate the cert-window mock audits live downstream of.
  • Lesson 160 - Governance Post-Incident Retros (2026) - retros consume mock_audit_log recurrence histograms as input.

A mock audit is a controlled rehearsal of the failure mode that will happen anyway. Run it twice per Q3 2026 cert window and the real window becomes mechanical.