Birth Gateway Design Index
Status: ACTIVE — Stage 1 PASS (2026-06-06); Stage 2 PARTIAL; QT-001 apply BLOCKED by independent review (Codex 2026-06-06 = NOT_SAFE_NEEDS_FIX) — a hardening + fresh re-audit macro is required before any backfill. This index is the canonical entry point for the Birth Gateway SSOT repair program.
Stage 1 result (live 2026-06-06): Gateway SSOT runtime contract is LIVE — birth_gateway_release_registry (semantic SHA-256 + normalized-md5 per gateway fn) with v_birth_gateway_release_drift_guard / v_birth_gateway_contract_integrity_dashboard (all OK, 5 fns tracked). Shared foundation functions fn_birth_policy_decision, fn_birth_resolve_identity, fn_birth_register are live (deterministic, no-write / dry-run-default, fail-closed). birth_admission_permit + birth_backfill_ledger created and empty (fail-closed). Live fn_birth_registry_auto was NOT changed (integration Option A = parity-guard-only; norm-md5 c022f849 preserved; tga 129; birth before==after). QT-002 live path not worsened; QT-001 stays blocked until Stage 2. Report: knowledge/dev/reports/architecture/birth-stage1-gateway-ssot-runtime-contract-foundation-2026-06-06/; checkpoint checkpoint-birth-stage1-gateway-ssot-runtime-contract-foundation-2026-06-06.md.
Canonical design (read this first)
`knowledge/dev/architecture/birth-gateway-ssot-qt001-repair-design-2026-06-06.md` — the reconstructed official executable design: gateway SSOT decision, shared policy/identity/register functions, the rule that `dot-birth-trigger-setup` must never redefine the gateway, the Stage 0..5 rollout, forbidden DOTs, rollback / no-go, and next macro.
Source design package (Codex, 2026-06-06)
- `knowledge/dev/reports/architecture/codex-birth-gateway-ssot-qt001-design-plan-2026-06-06/00-readme-first.md`
- `knowledge/dev/reports/architecture/codex-birth-gateway-ssot-qt001-design-plan-2026-06-06/11-final-summary.md`
- `knowledge/dev/reports/architecture/checkpoint-codex-birth-gateway-ssot-qt001-design-plan-2026-06-06.md`
- NOTE: detailed design docs 01..10 were never authored. The canonical design reconstructs one executable design from the checkpoint + readme + final summary, cross-checked against live production (2026-06-06). No unknown implementation details were invented.
- Side-door risk source: `knowledge/dev/reports/architecture/checkpoint-codex-birth-first-side-door-compatibility-audit-2026-06-06.md`
Foundational laws / procedures
- `knowledge/dev/architecture/birth-registry-law.md` — Điều 0-G (Article 0-G, Birth Registry Law).
- `knowledge/dev/architecture/birth-procedures.md` — QT-001..QT-006 v3.1.
- `knowledge/ops/processes/birth-process-v1.md` — birth-first / backfill procedure v1.0.
Implementation macros (staged)
| Stage | Macro | Status |
|---|---|---|
| 0 | BIRTH_P0_STAGE0_DANGEROUS_DOT_EXECUTION_FREEZE_AND_GATEWAY_SSOT_GUARD | PASS 2026-06-06 — report dir birth-p0-stage0-dangerous-dot-freeze-gateway-ssot-guard-2026-06-06 |
| 1 | BIRTH_STAGE1_GATEWAY_SSOT_IMPLEMENTATION | PASS 2026-06-06 — runtime contract registry + shared policy/identity/register fns live; report dir birth-stage1-gateway-ssot-runtime-contract-foundation-2026-06-06 |
| 2 | QT-001 identity classification + metadata backfill repair | PARTIAL 2026-06-06 — 70/74 identity-resolvable (39 of 43 blockers classified by mirroring live trigger TG_ARGV; 4 needs-owner; 2 no-table); full dry-run = 137 expected births across 5 governed collections; apply rehearsed (BEGIN..ROLLBACK, +137, rerun-delta=0, committed nothing); apply BLOCKED by independent review (Codex 2026-06-06 = NOT_SAFE_NEEDS_FIX) — plan/apply DOT source authored but flagged non-executable pseudocode (NOT deployed); old DOTs still frozen. Report dir birth-stage2-qt001-identity-metadata-backfill-repair-2026-06-06; checkpoint checkpoint-birth-stage2-qt001-identity-metadata-backfill-repair-2026-06-06.md; independent review dir codex-stage2-qt001-backfill-apply-readiness-review-2026-06-06 (00..09, NOT_SAFE_NEEDS_FIX) |
| 2.5 | BIRTH_STAGE2_QT001_APPLY_DOT_HARDEN_AND_INDEPENDENT_REAUDIT | REQUIRED — not started 2026-06-06 — gate raised by Codex independent review (NOT_SAFE_NEEDS_FIX): build a real bounded writer + constraints, metadata-driven planning, runtime hash introspection, cross-collection collision fail-close, stale-gate repair, permit expiry/max_rows + ledger resumable-scope enforcement, and failure/resume rehearsal — then a fresh independent re-audit BEFORE any apply/permit |
| 3 | QT-003 / QT-003R first-row hard gate | Designed, not implemented |
| 4 | QT-005 governance transition | Designed, not implemented |
| 5 | QT-006 universal lifecycle / death | Separate approved program |
Live gateway facts (verified 2026-06-06)
- Gateway function: `fn_birth_registry_auto()` — GUARDED (contains `coverage_status` + `BIRTH_EXEMPT` policy skip); 166 triggers across 148 tables.
- Secondary variant: `fn_birth_registry_auto_id()` — no exempt guard; serves 3 BIRTH_REQUIRED tables only.
- Danger DOTs: `dot-birth-trigger-setup` (DOT-119 — embeds `CREATE OR REPLACE FUNCTION fn_birth_registry_auto()` with OLD logic lacking the exempt guard); `dot-birth-backfill` (DOT-118 — direct `INSERT INTO birth_registry`).
- `collection_registry.coverage_status`: BIRTH_REQUIRED 74 / BIRTH_DEFERRED_NEEDS_REVIEW 58 / BIRTH_EXEMPT_* 36.
- `birth_registry` row count anchor: 1,210,834 (Stage 1 close 1,210,851; birth-neutral across all Stage 1 DDL).
- Stage 1 runtime contract objects (live 2026-06-06): `birth_gateway_release_registry` (release `v1-stage1-2026-06-06`, 5 fns tracked), `fn_birth_policy_decision` / `fn_birth_resolve_identity` / `fn_birth_register` (dry-run default), `birth_admission_permit`, `birth_backfill_ledger`. Registry-backed companion drift guard `v_birth_gateway_release_drift_guard`; Stage 0 `v_birth_gateway_ssot_drift_detector` retained. SQL on VPS: `/opt/incomex/docs/mcp-writes/birth-stage1-2026-06-06/{01_apply_stage1,99_rollback_stage1}.sql`.
- Identity readiness (BIRTH_REQUIRED 74): 27 `column` + 4 synthetic = 31 resolvable; 43 `unclassified` blocked (classify in Stage 2). Birth-trigger gap = 2 (no PG table: `iu_staging_payload`, `iu_staging_record`). Native `status` col 54/74.