KB-618D

Phase-1 Read-Only Runtime Blocker Verification 2026-06-17


Phase-1 Read-Only Runtime Blocker Verification

Run date: 2026-06-17 · Verification window: ~10:12–10:33 UTC · Mode: READ-ONLY runtime truth-finding · Revision: rev1 Non-authorizing. This document VERIFIES; it does NOT resolve any blocker, adopt any draft, change any law, or authorize any technical design or implementation. Engineering verification ≠ Authority approval.


0. Status

STATUS: PARTIAL

All five blocker surfaces were checked against the live PostgreSQL substrate with first-hand, read-only SQL evidence (this is the first run to do so — every prior law-revision report explicitly recorded "no live DB/runtime query; all reads were AgentData KB reads", E0 §15). The run is engineering-complete for all five surfaces.

It is marked PARTIAL — not PASS because: (a) the live value of the GUC app.bypass_birth_gate could not be read (the query_pg harness denies current_setting() outside a safe-parameter allowlist); (b) DOT execution telemetry (dot_tools.last_executed) is ambiguous (stale since 2026-03-31, yet other heartbeats show today-activity); (c) the local checkout is ~7 weeks stale and contains none of the governed substrate; and (d) several surfaces carry HIGH/CRITICAL-relevant findings that keep technical design gated. No blocker is marked resolved. PASS here would be an engineering-verification statement only, never an authority PASS.

The live runtime materially diverges from the documentary law-revision layer on four surfaces — generally in the safer direction (containments and substrate that the KB-only reports could not see). These divergences are documentary lag, not runtime defects, and are reported as findings; the documentary layer is not edited (Owner-gated).


1. Executive summary

| Surface | Documentary claim (KB layer) | Live runtime finding (2026-06-17) | Verdict |
|---|---|---|---|
| RISK-BYPASS | open: fn_auto_approve_add 160 unvoted applies + warn-mode birth gate + kill-switch | fn_auto_approve_add neutered 2026-06-06; two layered fail-closed quorum guards enabled; 170 historical unvoted-applied rows persist; birth-gate warn-mode + latent kill-switch GUC | PARTIAL |
| HOLD-1 iu_staging_* | liveness unproven / documentary | Tables+views+functions exist; pilot-exercised with full pending→approved→consumed lifecycle (2026-05-25→27); idle since; downstream gated dry-run | LIVE (pilot) |
| HOLD-2 atomic promote | "no real transaction" | fn_iu_enact is atomic + fail-closed + post-write-verified; plan/apply/verify/rollback family exists; BUT literal BIRTH_STAMP/PROMOTE_STAMP absent; birth-certify pipeline stalled since 2026-03-21 (1,402 certified / 1,211,549 uncertified) | PARTIAL |
| Điều 39 KG runtime | enacted but runtime-EMPTY (0 exec, owner unregistered) | 36 KG DOTs, 0 executed; universal_edges=2199 with 0 provenance; kg_quality_log=0; GOV-KG-SYS registered & active (contradicts "unregistered"); fail-closed auto-approve config; CUT flight-test prepped 2026-05-27 then gated off | REGISTERED_NOT_EXECUTED |
| Điều 35 production-readiness | "PRODUCTION READINESS FAIL" | Confirmed NOT production-ready: 259/309 (83.8%) NULL operation; 148 tier-B unpaired; 218,876 open critical issues; §10 warn→block config absent; health executor did run today 10:01 | NOT_PRODUCTION_READY |

Headline: No active authority bypass is confirmed in the current approval path (it was contained on 2026-06-06 with layered, fail-closed quorum enforcement that I read first-hand). The substrate is far more built-out than the KB-only documentary layer assumed. The remaining real problems are: (1) historical bypass residue not reverted, (2) Điều 39 KG never executed and provenance-invariant unmet, (3) Điều 35 metadata health failing at scale, (4) a stalled birth-certification pipeline. These keep technical design gated. The DB harness (query_pg) is robustly fail-closed (write/DDL/malformed/unsafe-GUC all rejected).


2. Scope and non-authorization

  • In scope: read-only verification of 5 runtime surfaces (RISK-BYPASS, HOLD-1, HOLD-2, Điều 39 runtime, Điều 35 production-readiness) against the live VPS PostgreSQL and the governed KB.
  • Evidence sources used: KB reads (agent-data MCP); read-only SQL SELECT + catalog introspection (query_pg, AST-validated READ ONLY transaction, read-only role); Docker container listing (read-only); local source/grep reads.
  • Not done (forbidden / out of scope): no INSERT/UPDATE/DELETE/DDL/DROP/TRUNCATE/GRANT; no materialization; no DOT/KG/promote/birth/repair execution; no blocker resolution; no draft adoption; no law/draft/note edits; no technical design; no v0.1/v0.2/authority change. The only artifact created is this report.
  • Authority note: a PASS on any engineering check is not an Owner/authority PASS. No blocker is closed. Technical design remains gated for every surface carrying a HIGH/CRITICAL or BLOCKED verdict.

3. Sources read

3.1 KB documents read (via agent-data MCP, full text)

All read first-hand this run (verbatim extraction). Navigation + notes (7 docs, one batch): LAW_READING_INDEX.md (rev2, "53/53 records mapped"), consolidation/current-understanding-pointer-layer-2026-06-17.md, and compatibility notes for Điều 35 / Điều 39 / Điều 32 / Điều 4 / Constitution. Source laws (10): constitution.md, dieu32-approval-law.md, dieu35-dot-governance-law.md, dieu39-knowledge-graph-law.md, law-04-birth-process.md, law-22-self-healing.md, dieu33-postgresql-law.md, dieu38-normative-document-law.md, architecture/birth-registry-law.md, ssot/operating-rules.md. Law-revision artifacts (9): 5 amendment drafts (Đ22/Đ33/Đ36/L4/Đ38), rewrites/dieu37-..., source-recovery-..., consolidation/...planning-packet..., reports/workstream-e0-...audit....

  • Reading-rule confirmed (LAW_READING_INDEX rev2 §4): "Điều39 is enacted but runtime-EMPTY … Enacted ≠ implemented ≠ live"; "Live Điều35 substrate reads PRODUCTION READINESS FAIL with a confirmed authority bypass (fn_auto_approve_add, 160 unvoted applies = RISK-BYPASS)."
  • Critical caveat confirmed (E0 §15, verbatim): "no live DB/runtime query (no query_pg, pg_schema, Directus, or VPS access); all reads were AgentData KB reads." This run is the first to verify these claims against live runtime.
  • D0 §11 / E0 §14 confirmed: a scoped read-only Phase-1 (Batch D) "verifies; it does not resolve"; resolution is a further Owner-gated step. This run honors that boundary.

3.2 Unavailable sources

No required KB source was unreadable. (Adversarial bad-path probe on a nonexistent KB key correctly returned not_found — see §11.)


4. Runtime / project root and access

  • Local project root: /Users/nmhuyen/Documents/Manual Deploy/agent-data-langroid — present; git repo HEAD 4468bd3 (last commit 2026-04-25, ~7 weeks before run). Finding: the local tree contains no governance/DOT/KG SQL artifacts and no .sql files (grep verified with positive control); it is the langroid application layer, not the home of the governed substrate. The governed substrate lives only on the VPS PostgreSQL → the live DB is ground truth; local code is not authoritative for these blockers.
  • Live runtime (Docker, read-only listing): 11 containers; relevant: postgres (postgres:16, Up 2 months, healthy, 5432), incomex-agent-data (Up 4 weeks healthy), incomex-agent-api-executor (Up 13 days healthy, 8090), incomex-directus (Up 5 weeks healthy), incomex-qdrant, incomex-claude-kb, pg-restore-test-20260520T031054Z.
  • DB access (query_pg): allowed databases = directus, incomex_metadata, workflow; postgres denied. Governance/DOT/KG/approval/birth/IU tables live in directus.public (+ schema iu_core). Connection is read-only role, READ ONLY transaction, statement_timeout 5s, hard LIMIT 500, AST-validated.
  • Access gaps: cannot read live current_setting('app.bypass_birth_gate') (harness safe-param allowlist); cannot enumerate triggers via information_schema.triggers under the read-only role (used pg_catalog.pg_trigger instead — succeeded).

5. Command evidence ledger

All commands read-only. query_pg = single SELECT/catalog read against directus unless noted. Times are within the 10:12–10:33 UTC window (Bash date -u stamps captured at 10:12:20, 10:19:55, 10:21:42, 10:24:38, 10:32:32).

| ID | Command / Query (abbrev) | Read-only? | Result status | Key output |
|---|---|---|---|---|
| K1 | agent-data batch_read 7 nav+note docs (full) | yes | ok (94,240 chars) | rev2 index; runtime claims extracted verbatim |
| K2–K4 | agent-data reads of 10 source laws + 9 revision docs (via sub-agents) | yes | ok | verbatim identifiers + claims |
| D0 | list_docker | yes | ok | 11 containers; postgres healthy 2mo |
| D1 | SELECT datname FROM pg_database … (db=postgres) | yes | DENIED (db not allowed) | allowed: directus, incomex_metadata, workflow |
| D2 | pg_proc regex fn inventory (directus) | yes | ok (17 rows) | fn_auto_approve_add, fn_birth_gate, fn_birth_register, fn_iu_birth_gate_layer1/2, … exist |
| D3 | information_schema.tables regex (directus) | yes | ok (73) | iu_core.iu_staging_record/payload, 8 kg_*, universal_edges, governance_* … |
| D4 | current_setting('app.bypass_birth_gate', true) … | yes | DENIED (safe-param allowlist) | could not read live GUC value |
| D5 | pg_db_role_setting join | yes | ok (0 rows) | no persisted role/db GUC default (no persisted bypass) |
| D6 | information_schema.tables regex (incomex_metadata) | yes | ok (1) | only dot_config (FOREIGN) — substrate not here |
| F1 | pg_get_functiondef ×4 (auto_approve, birth_gate, birth_register, birth_auto_certify) | yes | ok | bodies captured (see §6, §8) |
| F2 | pg_get_functiondef ×4 (iu_birth_gate_l1/l2, desc_guard, admin_fallback_overdue) | yes | ok | bodies captured |
| F3 | pg_proc regex (grace/quorum/paired/enforce/certify) | yes | ok (9) | fn_apr_quorum_check, quorum_passed, fn_enforce_apr_lifecycle exist; no fn_is_in_grace_period/fn_dot_enforce_paired |
| F4 | SELECT * FROM dot_config | yes | ok (119) | fail-closed kill-switches mostly OFF/dry-run; hc_executor_last_run=2026-06-17T10:01:27 |
| F5 | information_schema.columns for 13 tables | yes | ok (202) | column types for data queries |
| T1 | pg_trigger join (approval_requests, birth_registry, key fns) | yes | ok (216) | enforcement triggers enabled (see §6) |
| Q1 | pg_get_functiondef ×3 quorum fns | yes | ok | fail-closed quorum logic (see §6) |
| Q2 | approval_requests status×action + no-vote + review times | yes | ok (10) | 146 applied/add + 24 applied/modify = no recorded vote |
| Q3 | iu_staging_record breakdown | yes | ok (8) | 15 rows, 4 consumed, 2026-05-25→27 |
| Q4 | universal_edges breakdown | yes | ok (1) | 2199 active, 0 provenance, last 2026-04-21 |
| Q5 | dot_tools health/exec/KG stats | yes | ok (1) | 259 null op; 148 tierB unpaired; 36 KG / 0 KG exec; last_exec 2026-03-31 |
| Q6 | system_health_checks list | yes | ok (31) | 30 active, detect-only (1 detect_and_fix) |
| Q7 | system_issues status | yes | ok (3) | open 223,460 / resolved 674 / archived 20 |
| Q8 | governance_registry dump | yes | ok (9) | GOV-KG-SYS active; all health_dot null |
| Q9 | kg_auto_approve_rules dump | yes | ok (6) | TBox=human-always; only edge_weight_update auto |
| Q10 | admin_fallback_log breakdown | yes | ok (2) | 21 documented + 1 applied w/o retro APR |
| Q11 | system_issues severity | yes | ok (3) | critical 218,876 / warning 4,583 / info 2 |
| Q12 | system_issues by source (open) | yes | ok (25) | 216,378 = heal_description_basic |
| Q13 | birth_registry certified breakdown | yes | ok (2) | 1,402 certified (to 2026-03-21) / 1,211,549 uncertified |
| Q14 | iu/promote/cut fn inventory | yes | ok (32) | fn_iu_enact, fn_iu_op_cut, fn_iu_structure_op_apply/rollback/verify, fn_cut_* |
| Q15 | fn_iu_enact body | yes | ok | atomic + fail-closed + post-write-verified (see §8) |
| Q16 | fn_apr_block_unimplemented_handler + fn_iu_structure_op_rollback bodies | yes | ok | apply-time quorum re-proof; gated rollback (see §6, §8) |
| A1 | CREATE TEMP TABLE cc_probe_ro_check (n int) | adversarial | DENIED "only SELECT queries allowed, got Create" | fail-closed ✓ |
| A2 | UPDATE dot_config SET value=value WHERE 1=0 | adversarial | DENIED "only SELECT queries allowed, got Update" | fail-closed ✓ |
| A3 | SELECT * FROM (malformed) | adversarial | DENIED "unparseable SQL" | fail-closed ✓ |
| A4 | current_setting('app.bypass_birth_gate', true) | adversarial/probe | DENIED safe-param allowlist | fail-closed ✓ |
| A5 | agent-data batch_read nonexistent KB path | adversarial | {"error":"not_found"} | no fabrication ✓ |
| A6 | local grep positive control 'postgres' vs blocker terms | adversarial | 8 hits vs 0 | harness works; absence genuine ✓ |

6. RISK-BYPASS verification

Question: is there a real runtime authority-bypass path (fn_auto_approve_add, fn_birth_gate warn-mode, app.bypass_birth_gate, unvoted auto-approval, Owner/Đ32 bypass, any fail-open approval)?

Verdict: PARTIAL (Confidence: High). No active authority bypass confirmed in the current approval path; historical residue + a latent kill-switch + a warn-mode quality gate are real. NOT marked resolved.

6.1 fn_auto_approve_add — NEUTERED (live body, verbatim)

```sql
-- P0 authority-bypass containment (2026-06-06): action='add' no longer auto-approved at INSERT.
-- Closes the INSERT-path quorum bypass. Rows remain 'pending'; quorum enforced on pending->approved UPDATE.
IF NEW.action='add' AND NEW.status='pending' THEN NEW.review_note := … '[AUTO-APPROVE DISABLED 2026-06-06 …]'; END IF;
RETURN NEW;
```

The function still exists and its trigger trg_apr_auto_approve is enabled, but the body never sets status='approved' anymore — it only annotates. The INSERT-path auto-approve vector is closed.

6.2 Layered fail-closed quorum enforcement (live, all triggers ENABLED on approval_requests)

  • trg_apr_quorum_check → fn_apr_quorum_check (pending→approved): RAISES EXCEPTION if any reject vote, if self-approve, or if quorum unmet — high: ≥1 president + ≥2 ai_council; medium: ≥1 president; low: ≥1 approve. (Gap: returns NEW — skips — when proposed_action_code/risk_level is NULL.)
  • trg_apr_block_unimplemented → fn_apr_block_unimplemented_handler: apply-time quorum re-proof (2026-06-06) — verbatim: "a request may reach 'applied' only if live votes currently satisfy quorum. Placed BEFORE the null-action early-return so scanner/legacy null-action rows can no longer slip through. Fail-closed." The body enforces this as IF NOT public.quorum_passed(NEW.code) THEN RAISE EXCEPTION. This closes the §6.2 null-action gap at apply-time. Also blocks handler_ref='unimplemented'.
  • trg_apr_lifecycle → fn_enforce_apr_lifecycle: enforces the state machine (pending→approved/rejected/expired; approved→applied/rejected; terminal states locked) with RAISE EXCEPTION.
  • quorum_passed(code) (STABLE helper): same rule with self-exclusion (approver <> proposer).

→ The approval authority path under current (2026-06-06) code is fail-closed and layered.

6.3 Historical residue — CONFIRMED (Q2)

approval_requests (n=230): 146 applied/add rows with ZERO apr_approvals votes, plus 24 applied/modify unvoted — reviewed 2026-03-28 → 2026-04-20 (pre-containment). These match the documentary "~160 unvoted applies." They are not reverted/re-voted; they persist in the ledger as applied-without-quorum records. Current pending=19; only 1 approved/add is currently no-vote (legacy, not yet applied).

6.4 Birth gate + kill-switch (live body, verbatim)

fn_birth_gate (enabled on ~15 governed tables): contains a -- KILL SWITCH branch that reads current_setting('app.bypass_birth_gate', true) and returns NEW (gate skipped) when the value is 'true'/'1'; the mode comes from current_setting('app.birth_gate_mode', true), default 'warning', and only 'blocking' raises; otherwise RAISE WARNING. So the birth gate is warn-mode (fail-open) by default + a latent kill-switch GUC. pg_db_role_setting=0 rows → no persisted bypass default; the live session value of the GUC could not be read (harness restriction). fn_description_birth_guard is likewise warn-mode (dot_config.description_enforcement_mode='warn').

6.5 Net

Active authority bypass = not confirmed (contained + layered fail-closed). Real residual exposure = the 170 historical unvoted-applied records + a warn-mode birth/description gate + a latent app.bypass_birth_gate kill-switch. Marked PARTIAL; not resolved.
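The layered rule read in §6.2, re-implemented as an added illustration (these are not the live fn_apr_quorum_check / quorum_passed / fn_apr_block_unimplemented_handler bodies): a STABLE quorum helper with proposer self-exclusion, an approve-time gate that also refuses NULL action/risk_level instead of skipping (the tightening PH1-F6 suggests), and the apply-time re-proof from live votes, followed by the read-only catalog check that mirrors ledger entry T1. The schema names apr_approvals(request_code, approver, role, decision) and approval_requests.proposer are assumptions, not values read from the live DB.

```sql
-- Added illustration of the §6.2 rule; NOT the live function bodies.
-- Assumed schema: approval_requests(code, status, proposer, proposed_action_code, risk_level)
--                 apr_approvals(request_code, approver, role, decision)
CREATE OR REPLACE FUNCTION demo_quorum_passed(p_code text, p_proposer text, p_risk text)
RETURNS boolean
LANGUAGE plpgsql STABLE AS $$
DECLARE
  v_reject    int;
  v_president int;
  v_council   int;
  v_approve   int;
BEGIN
  -- Fail closed: a missing or unknown risk level can never satisfy quorum.
  IF p_risk IS NULL OR p_risk NOT IN ('high', 'medium', 'low') THEN
    RETURN false;
  END IF;

  -- Count live votes, excluding the proposer (self-approval never counts).
  SELECT count(*) FILTER (WHERE decision = 'reject'),
         count(*) FILTER (WHERE decision = 'approve' AND role = 'president'),
         count(*) FILTER (WHERE decision = 'approve' AND role = 'ai_council'),
         count(*) FILTER (WHERE decision = 'approve')
    INTO v_reject, v_president, v_council, v_approve
    FROM apr_approvals
   WHERE request_code = p_code
     AND approver IS DISTINCT FROM p_proposer;

  -- Any reject vote vetoes, regardless of how many approvals exist.
  IF v_reject > 0 THEN
    RETURN false;
  END IF;

  -- Thresholds as read from the live quorum logic (§6.2).
  RETURN CASE p_risk
           WHEN 'high'   THEN v_president >= 1 AND v_council >= 2
           WHEN 'medium' THEN v_president >= 1
           WHEN 'low'    THEN v_approve   >= 1
         END;
END;
$$;

CREATE OR REPLACE FUNCTION demo_apr_quorum_gate()
RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  -- Approve-time gate (pending -> approved). Unlike the live function, a NULL
  -- action code or risk level is refused here rather than skipped (PH1-F6).
  IF OLD.status = 'pending' AND NEW.status = 'approved' THEN
    IF NEW.proposed_action_code IS NULL OR NEW.risk_level IS NULL THEN
      RAISE EXCEPTION 'APR % refused: NULL action/risk_level (fail-closed)', NEW.code
        USING ERRCODE = 'insufficient_privilege';
    END IF;
    IF NOT demo_quorum_passed(NEW.code, NEW.proposer, NEW.risk_level) THEN
      RAISE EXCEPTION 'APR % refused: quorum not met for risk %', NEW.code, NEW.risk_level
        USING ERRCODE = 'insufficient_privilege';
    END IF;
  END IF;

  -- Apply-time re-proof (-> applied): votes may have changed since approval and
  -- legacy null-action rows exist, so quorum is proven again from live votes.
  IF NEW.status = 'applied' AND OLD.status IS DISTINCT FROM 'applied' THEN
    IF NOT demo_quorum_passed(NEW.code, NEW.proposer, NEW.risk_level) THEN
      RAISE EXCEPTION 'APR % cannot be applied: live votes do not satisfy quorum', NEW.code
        USING ERRCODE = 'insufficient_privilege';
    END IF;
  END IF;

  RETURN NEW;
END;
$$;

-- BEFORE trigger: a refused transition never reaches the table.
CREATE TRIGGER demo_trg_apr_quorum_gate
  BEFORE UPDATE OF status ON approval_requests
  FOR EACH ROW EXECUTE FUNCTION demo_apr_quorum_gate();

-- Read-only verification (the shape of ledger entry T1): which non-internal
-- triggers are enabled on approval_requests and which function each one calls.
SELECT t.tgname, t.tgenabled, p.proname
  FROM pg_catalog.pg_trigger t
  JOIN pg_catalog.pg_proc    p ON p.oid = t.tgfoid
 WHERE t.tgrelid = 'public.approval_requests'::regclass
   AND NOT t.tgisinternal
 ORDER BY t.tgname;
```

tgenabled = 'O' means the trigger fires in the default (origin) session replication role; 'D' would mean disabled.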


7. HOLD-1 iu_staging_* liveness verification

Question: do iu_staging_* (or equivalent staging) structures exist and are they live/used vs declared?

Verdict: LIVE (pilot-exercised) (Confidence: High).

  • Exist (D3, F5): iu_core.iu_staging_record (BASE TABLE, 26 cols incl lifecycle_status, approved_at/by, consumed_at, consumed_by_run_id, expires_at, cleaned_at, content_hash, idempotency_key), iu_core.iu_staging_payload (11 cols incl payload_json, blob_ref, byte_len, content_hash), + views v_iu_staging_record, v_iu_staging_payload_observability. Gateway/governing functions exist (fn_iu_create, fn_iu_cut_from_manifest, fn_iu_op_cut, fn_cut_*).
  • Used, not merely declared (Q3): 15 records / 32 payloads. Lifecycle distribution includes 4 mark_manifest rows that reached consumed (approved_n=4, consumed_n=4) — a full pending → approved → consumed lifecycle executed end-to-end. Also approved, pending_review, rejected, pending states present.
  • Recency / liveness window: all rows created 2026-05-25 → 2026-05-27 (the Điều 39 CUT flight-test window; dot_config iu_core.composer_enabled note references cut_request_id/manifest_staging_record_id dated 2026-05-27). Idle since 2026-05-27.
  • Posture: downstream gated dry-run/fail-closed — iu_core.delivery_enabled=false ("Fail-closed: absent/non-true => delivery refused"), iu_core.operator_runtime_enabled=false, iu_core.structure_ops_enabled=false; iu_core.routes_master_enabled=true but "routes stay dry_run=true regardless".
  • Birth gates on the IU table are fail-closed for required fields: fn_iu_birth_gate_layer1/2 (enabled on information_unit) RAISE EXCEPTION on missing canonical_address/unit_kind/lifecycle_status/owner_ref/conformance_status, vocab mismatches, and version-anchor mismatch at COMMIT — except two publication_* checks that are PILOT-ONLY RAISE WARNING ("production sẽ BLOCK").

→ Far beyond "liveness unproven": the staging substrate exists and was exercised through a real lifecycle. It is pilot-scale and currently idle. Not marked resolved.


8. HOLD-2 atomic promote verification

Question: is there an actual atomic promote path (transaction boundary, rollback, fail-closed checker, atomic stamp write, no partial-write)?

Verdict: PARTIAL (Confidence: High). A real atomic, fail-closed, post-verified promote EXISTS for the IU lineage — contradicting "no real transaction" — but the named F4 stamps are absent and the birth-certification "promote" is stalled.

8.1 fn_iu_enact — atomic + fail-closed + post-write-verified (live body, Q15)

  • Pre-gates (all return without writing on failure): required p_review_decision_id ("Enactment must reference a cutter_governance.review_decision row"); target validated against iu_lifecycle_vocab; SELECT … FOR UPDATE row lock; FSM transition check (fsm_denied otherwise); fn_iu_verify_invariants → invariant_failed REFUSES enactment (fail-closed checker); review_decision row existence checked; dry_run returns plan_ok with no writes.
  • Atomic write (single plpgsql txn): pg_advisory_xact_lock; UPDATE information_unit; UPDATE unit_version (enacted_at=now()); INSERT iu_lifecycle_log.
  • Post-write verification: re-reads IU + UV; RAISE EXCEPTION on any post-write mismatch (e.g. status mismatch, or enacted with NULL enacted_at) → whole transaction rolls back. No partial-write path.
  • fn_iu_structure_op_apply/verify/rollback family exists; fn_iu_structure_op_rollback is a true inverse-op (restore lifecycle, retire edges, soft-delete minted pieces) gated fail-closed (structure-op gate closed — rollback refused, ERRCODE insufficient_privilege).

8.2 Birth/Đ0-G canonical lineage — mechanism atomic, pipeline STALLED (Q13, F1)

  • fn_birth_register(…, p_dry_run boolean DEFAULT true, …): dry-run by default; live path is a single idempotent INSERT … ON CONFLICT (entity_code) DO NOTHING with certified=false. Not a multi-table promote.
  • fn_birth_auto_certify (trigger trg_birth_auto_certify, enabled): atomically sets certified=true, certified_at=now() when inspect_pen/inspect_stamp/inspect_gate are all set.
  • Live state: certified=true for 1,402 rows (ALL with pen/stamp/gate/cert_at set) but only born 2026-02-17 → 2026-03-21. Since 2026-03-21, 1,211,549 births are uncertified with inspect_pen/stamp/gate all NULL (0 set) — last birth 2026-06-17 10:30 (births fire live today across 150+ tables, but certification does not follow). → The certify "promote" demonstrably ran atomically (1,402 proofs) then stalled ~3 months ago (0.1% certified).

8.3 Named stamps

Literal BIRTH_STAMP / PROMOTE_STAMP / OWNER_STAMP / GOV_STAMP tokens (F4 vocabulary) do not exist as DB artifacts. The live system uses lifecycle_status/enacted_at/iu_lifecycle_log (IU) and certified/certified_at/inspect_* (birth) instead.

→ "Atomic promote has no real transaction" is outdated for the IU lineage; HOLD-2 nonetheless remains open because the named-stamp canonical-birth construct is unbuilt and the birth-certify pipeline is stalled. Not resolved.
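The fn_iu_enact pattern from §8.1 (pre-gates that return before any write, advisory + row lock, FSM and invariant checks, dry-run plan, one transactional write set, then a re-read that raises and rolls everything back on mismatch), written out as an added illustration; it is not the live fn_iu_enact or fn_iu_verify_invariants body. All table and column names below (information_unit.id/lifecycle_status/canonical_address/owner_ref, unit_version.is_current/enacted_at, iu_fsm_edges, review_decision.id, iu_lifecycle_log) are assumptions.

```sql
-- Added illustration of the fn_iu_enact pattern (§8.1); NOT the live body.
-- Assumed schema: information_unit(id, lifecycle_status, canonical_address, owner_ref),
--   unit_version(unit_id, is_current, enacted_at), iu_lifecycle_vocab(status),
--   iu_fsm_edges(from_status, to_status), review_decision(id),
--   iu_lifecycle_log(unit_id, from_status, to_status, review_decision_id, logged_at)
CREATE OR REPLACE FUNCTION demo_iu_verify_invariants(p_unit_id bigint)
RETURNS boolean
LANGUAGE sql STABLE AS $$
  -- Fail-closed checker: required fields must be present before any enactment.
  -- Returns NULL (treated as failure by the caller) when the unit does not exist.
  SELECT canonical_address IS NOT NULL AND owner_ref IS NOT NULL
    FROM information_unit
   WHERE id = p_unit_id;
$$;

CREATE OR REPLACE FUNCTION demo_iu_enact(
  p_unit_id            bigint,
  p_target             text,
  p_review_decision_id bigint,
  p_dry_run            boolean DEFAULT true)   -- dry-run by default, like the live function
RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
  v_cur        text;
  v_after      text;
  v_enacted_at timestamptz;
BEGIN
  -- Pre-gates: every refusal below returns BEFORE any write is issued.
  IF p_review_decision_id IS NULL THEN
    RETURN 'refused:review_decision_required';
  END IF;
  IF NOT EXISTS (SELECT 1 FROM review_decision WHERE id = p_review_decision_id) THEN
    RETURN 'refused:review_decision_missing';
  END IF;
  IF NOT EXISTS (SELECT 1 FROM iu_lifecycle_vocab WHERE status = p_target) THEN
    RETURN 'refused:unknown_target';
  END IF;

  -- Serialize concurrent enactments of the same unit for the rest of this transaction.
  PERFORM pg_advisory_xact_lock(p_unit_id);

  SELECT lifecycle_status INTO v_cur
    FROM information_unit WHERE id = p_unit_id FOR UPDATE;
  IF NOT FOUND THEN
    RETURN 'refused:no_such_unit';
  END IF;

  -- FSM check: only transitions listed in the edge table are legal.
  IF NOT EXISTS (SELECT 1 FROM iu_fsm_edges
                  WHERE from_status = v_cur AND to_status = p_target) THEN
    RETURN 'fsm_denied';
  END IF;

  IF NOT COALESCE(demo_iu_verify_invariants(p_unit_id), false) THEN
    RETURN 'invariant_failed';
  END IF;

  IF p_dry_run THEN
    RETURN 'plan_ok';   -- plan only; nothing has been written
  END IF;

  -- Atomic write: all three statements live in the caller's transaction.
  UPDATE information_unit SET lifecycle_status = p_target WHERE id = p_unit_id;
  UPDATE unit_version SET enacted_at = now()
   WHERE unit_id = p_unit_id AND is_current;
  INSERT INTO iu_lifecycle_log (unit_id, from_status, to_status, review_decision_id, logged_at)
  VALUES (p_unit_id, v_cur, p_target, p_review_decision_id, now());

  -- Post-write verification: re-read what was written; any mismatch raises,
  -- which rolls back all three writes together. There is no partial-write path.
  SELECT lifecycle_status INTO v_after FROM information_unit WHERE id = p_unit_id;
  IF v_after IS DISTINCT FROM p_target THEN
    RAISE EXCEPTION 'post-write mismatch on unit %: status % <> %', p_unit_id, v_after, p_target;
  END IF;
  SELECT enacted_at INTO v_enacted_at
    FROM unit_version WHERE unit_id = p_unit_id AND is_current;
  IF v_enacted_at IS NULL THEN
    RAISE EXCEPTION 'post-write mismatch on unit %: enacted with NULL enacted_at', p_unit_id;
  END IF;

  RETURN 'enacted';
END;
$$;
```

Because every pre-gate returns a status string without raising, a caller can SELECT demo_iu_enact(…) in dry-run mode to obtain plan_ok / fsm_denied / invariant_failed with no side effects, which is the same plan-then-apply split §8.1 reads in the live function.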


9. Điều 39 runtime verification

Question: is Điều 39 only enacted/documented, or actually live?

Verdict: REGISTERED_NOT_EXECUTED (≈ runtime-EMPTY for execution) (Confidence: High).

  • KG tables exist (D3): 8 kg_* base tables (kg_signal_config, kg_thresholds, kg_constraint_config, kg_acl_config, kg_auto_approve_rules, kg_source_authority, kg_priority_templates, kg_quality_log) + views (kg_quality_latest, kg_evolution_latest, v_kg_edges_all, v_dotkg_realrun_preflight). The C9 self-learning tables (kg_weight_snapshots, kg_model_versions, kg_evolution_snapshots, scaffold_dependency_map) are absent (not yet built).
  • DOT-KG registered, NOT executed (Q5): 36 KG DOTs in dot_tools; kg_executed = 0 (none has a non-null last_executed). kg_quality_log = 0 rows (no KG quality run ever logged).
  • Edges not Điều-39-compliant (Q4): universal_edges = 2199, all status=active, is_auto_managed=true, with_provenance = 0 while Điều 39 mandates "An edge MUST have provenance. No provenance = quarantine." The provenance/valid_time/version columns exist (schema extended) but are unused; last edge created 2026-04-21. → the provenance-or-quarantine invariant is unenforced/unmet.
  • Owner registration — CONTRADICTS documentary (Q8): governance_registry.GOV-KG-SYS ("Hệ thống Knowledge Graph", created_by_law=NRM-LAW-39) is status=active, not "unregistered." However health_dot=NULL and primary_collection=NULL → registered but inert.
  • Auto-approve posture is fail-closed (Q9): 6 active kg_auto_approve_rules: scaffold_modify & species_create (TBox) requires_human=always; edge_delete always; edge_create/link_merge human above threshold; only edge_weight_update (ABox weight) auto_approve=true @0.9. Matches Điều 39 "ABox only, never TBox." But since KG never executes, these rules have never fired.
  • Flight test: dot_config iu_core.composer_enabled=false records a dieu39_flight_test_enable_composer_gate prepped 2026-05-27 then restored/aborted (gated off).

→ Registered and partially scaffolded (and owner active, contradicting "unregistered"), but zero productive execution; provenance invariant unmet. Rollout not authorized. Not resolved.


10. Điều 35 production-readiness verification

Question: is the Điều 35 DOT-governance substrate production-ready?

Verdict: NOT_PRODUCTION_READY (Confidence: High). Confirms the documentary "PRODUCTION READINESS FAIL."

  • Metadata health failing at scale (Q5): dot_tools n=309; operation NULL on 259 (83.8%) — the "POST first, let cron fix it later" disease the law flags; §10 wants 100% 11/11 fields NOT NULL. 148 tier-B DOTs lack paired_dot and no fn_dot_enforce_paired function exists (F3) → paired-DOT enforcement is not active (law mandates 100% paired + a trigger).
  • Open critical backlog (Q7, Q11, Q12): system_issues open = 223,460; critical = 218,876. §10 requires "0 new critical for 3 consecutive days" → grossly unmet. Nature: 216,378 (97%) come from heal_description_basic (description-quality auto-heal), then dot-context-pack-verify (3,063), dot-dot-health (2,640) — i.e., predominantly description/quality debt, not authority breaches. (Resolved 674 / archived 20.)
  • §10 config substrate absent (F4): the law's dot_config keys birth_gate_mode, grace_period_days, law_v5_1_enacted_at, stale_threshold_days are not present; birth-gate mode is a GUC defaulting 'warning'; the fail-open fn_is_in_grace_period the law warns about does not exist in live (F3). The §10 warn→block hard-criteria machinery is not wired as described.
  • Health checks (Q6): system_health_checks n=31 (30 active, H11 inactive); families NRM-LAW-35-V5P2 DOT-H1..DOT-H14 + DOT-BIRTH-ONBOARD-FULLSCAN-HC, NRM-LAW-43 H1..H11b, LAW-22 HC-TRIGGER, LAW-36 HC-REG/HC-SCHEMA. All detect_only except HC-TRIGGER (detect_and_fix) → scanners are list-only (consistent with law). DOT-H10..H14 are critical.
  • Execution telemetry — ambiguous (Q5, F4): dot_tools.last_executed is stale (max 2026-03-31, 0 in 7d) — but dot_config.hc_executor_last_run=2026-06-17T10:01:27 (health executor ran today, ~23 min before query) and births fire live today. → last_executed appears unmaintained rather than proving total inactivity; flagged as ambiguity, not asserted as "nothing runs."
  • Sanctioned-bypass accountability (Q10): admin_fallback_log n=22 — 21 retroactive_documented (all with retro APR), 1 applied with NO retroactive_apr_id (2026-04-19), not flipped to audit_overdue → a 1-of-22 Đ35 §6.5 accountability gap.
  • Risk/blast-radius (GOV-016/017): no risk/blast-radius calculator function found; quorum uses a static apr_action_types.risk_level lookup, not computed risk → "fail-closed-on-uncomputable-risk" remains absent. Carried.

→ Enacted ≠ production-certified. Not production-ready; not resolved.


11. Adversarial bad-input checks

Each non-mutating tool/harness used was probed with invalid/dangerous input; all rejected fail-closed; none returned PASS/digest on bad input.

| Target | Bad input | Result | Verdict |
|---|---|---|---|
| query_pg (write/DDL) | CREATE TEMP TABLE cc_probe_ro_check (n int) | [DENIED] only SELECT queries allowed, got Create | rejected ✓ |
| query_pg (write/DML) | UPDATE dot_config SET value=value WHERE 1=0 (inert) | [DENIED] only SELECT queries allowed, got Update | rejected ✓ |
| query_pg (malformed) | SELECT * FROM | [DENIED] unparseable SQL: Expected table name… | rejected ✓ |
| query_pg (unsafe GUC read) | current_setting('app.bypass_birth_gate', true) | [DENIED] current_setting() only allowed for a safe parameter list | rejected ✓ |
| query_pg (db scope) | connect db postgres | [DENIED] database not allowed | rejected ✓ |
| agent-data batch_read | nonexistent KB path | {"error":"not_found"} (no content) | no fabrication ✓ |
| local grep harness | positive control 'postgres' vs blocker terms | 8 hits vs 0 | discriminates; absence genuine ✓ |

No FAIL_OPEN observed. The query_pg harness is double-guarded (AST validation + read-only role + READ ONLY transaction); the inert write probes (WHERE 1=0, TEMP) were safe even in the impossible case a guard had failed. No mutation occurred on any probe.


12. Findings register

Severity: CRITICAL (active mutation/authority bypass) · HIGH (unsafe fail-open / TD unsafe without fixing) · MEDIUM (runtime missing/partial, carry with caveat) · LOW · INFO. patch_now: no for every finding (read-only mission; all fixes are separate Owner-gated work).

| id | surface | sev | evidence | why it matters | blocks TD? | blocks impl? | next action |
|---|---|---|---|---|---|---|---|
| PH1-F1 | RISK-BYPASS | HIGH | Đ39 universal_edges 2199 rows, 0 provenance (Q4) vs "no provenance = quarantine" | KG provenance-or-quarantine invariant currently unenforced/unmet on the live edge store | Yes (Đ39) | Yes (Đ39) | design provenance backfill + quarantine gate before any KG build |
| PH1-F2 | RISK-BYPASS | MEDIUM | 170 applied rows with 0 votes (146 add + 24 modify), 2026-03-28→04-20 (Q2) | historical authority-bypass residue not reverted; pollutes the applied-change ledger | No (carry as caveat) | Owner decision | Owner decides whether to audit/annotate/quarantine residue; do NOT auto-revert |
| PH1-F3 | HOLD-2 / Đ0-G | MEDIUM/HIGH | 1,211,549 uncertified births (99.9%) since 2026-03-21, 0 inspect stamps (Q13) | birth-certification "promote" pipeline stalled; any design assuming certified births is unsafe | Yes (birth-dependent TD) | Yes | verify/restart inspect→certify DOTs (dot-inspect-pen/stamp/gate) under Owner gate |
| PH1-F4 | Đ35 | MEDIUM | 259/309 NULL operation; 148 tier-B unpaired; no fn_dot_enforce_paired (Q5, F3) | core Đ35 §10 success metrics unmet; paired-DOT enforcement not active | Yes (Đ35 TD) | Yes | treat Đ35 substrate as not-certified; fix metadata + paired enforcement first |
| PH1-F5 | Đ35 | MEDIUM | 218,876 open critical issues, 97% heal_description_basic (Q11, Q12) | §10 "0 critical 3 days" grossly unmet; large unresolved (mostly quality) backlog | Yes (Đ35 TD) | No (mostly quality) | drive description-heal backlog down; reclassify severity if non-authority |
| PH1-F6 | RISK-BYPASS | LOW | fn_apr_quorum_check skips on NULL proposed_action_code/risk_level; mitigated apply-time by fn_apr_block_unimplemented_handler (§6) | approved-state reachable w/o quorum for null-action, but apply is fail-closed | No | No | optionally tighten approve-time gate to match apply-time re-proof |
| PH1-F7 | RISK-BYPASS | MEDIUM | fn_birth_gate warn-mode default + app.bypass_birth_gate kill-switch; live value unreadable (D4, F4) | governed-table birth/desc gates do not block by default; latent bypass primitive exists | No | Owner decision | confirm GUC value out-of-band; decide warn→block criteria (Owner) |
| PH1-F8 | Đ35 | LOW | 1 admin_fallback_log applied w/o retroactive_apr_id, not audit_overdue (Q10) | 1-of-22 Đ35 §6.5 retroactive-APR accountability gap | No | No | Owner reconcile the 1 undocumented admin-fallback |
| PH1-F9 | Đ35/all | INFO | dot_tools.last_executed stale 2026-03-31 yet hc_executor ran today + births live (Q5, F4, Q13) | execution telemetry unreliable → liveness must be judged by heartbeats, not last_executed | No | No | do not infer "dead" from last_executed; instrument real run telemetry |
| PH1-F10 | scope | INFO | local repo HEAD 2026-04-25, 0 governed-substrate artifacts, 0 .sql (A6) | local working tree is not authoritative for these blockers; VPS PG is SoT | No | No | run future verifications against live PG, not local checkout |
| PH1-C1 | RISK-BYPASS | INFO | docs say "open active bypass"; live = neutered 2026-06-06 + layered fail-closed (§6) | documentary lag (KB-only reports never queried live) | No | No | Owner refresh documentary runtime claims (separate, gated) |
| PH1-C2 | Đ39 | INFO | docs say "owner unregistered"; live GOV-KG-SYS active (Q8) | documentary lag | No | No | Owner refresh |
| PH1-C3 | HOLD-1 | INFO | docs say "liveness unproven"; live = pilot-exercised (§7) | documentary understatement | No | No | Owner refresh |
| PH1-C4 | HOLD-2 | INFO | docs say "no atomic promote"; live fn_iu_enact atomic+fail-closed (§8) | documentary understatement for IU lineage | No | No | Owner refresh |

No CRITICAL finding (no active mutation/authority bypass confirmed; no forbidden mutation occurred). HIGH = PH1-F1 (KG provenance invariant). New findings discovered this run: PH1-F3, PH1-F6, PH1-F8, PH1-F9, PH1-F10.


13. Verdict matrix

| Surface | Verdict | Confidence | Primary evidence |
|---|---|---|---|
| RISK-BYPASS | PARTIAL — no active authority bypass (contained 2026-06-06, layered fail-closed quorum); historical residue (170) + warn-mode gate + latent kill-switch remain | High | F1, T1, Q1, Q2, Q16, F4, D5 |
| HOLD-1 iu_staging_* | LIVE (pilot-exercised, idle since 2026-05-27) | High | D3, F5, Q3, F2 |
| HOLD-2 atomic promote | PARTIAL — atomic fail-closed promote EXISTS (fn_iu_enact); named F4 stamps absent; birth-certify stalled | High | Q15, Q16, Q14, Q13, F1 |
| Điều 39 runtime | REGISTERED_NOT_EXECUTED (runtime-EMPTY for execution; owner registered) | High | Q5, Q4, Q7 (kg_quality_log=0), Q8, Q9, F4 |
| Điều 35 production-readiness | NOT_PRODUCTION_READY | High | Q5, Q7, Q11, Q12, Q6, F3, F4, Q10 |

No blocker is marked resolved. Each verdict is a runtime-truth finding, not a closure.


14. What remains blocked / partial / not checked

  • Could not read live value of app.bypass_birth_gate / app.birth_gate_mode (harness safe-param allowlist) → kill-switch latent state inferred from body + zero persisted defaults, not directly observed. (BLOCKED sub-item.)
  • Ambiguous: DOT execution liveness — dot_tools.last_executed stale vs today-heartbeats; the field appears unmaintained. True DOT-run telemetry not establishable read-only this run.
  • Not read (bounded): full bodies of every governed function (read the decisive ~12: auto_approve, birth_gate, birth_register, birth_auto_certify, iu_birth_gate_l1/l2, desc_guard, admin_fallback_overdue, apr_quorum_check, enforce_apr_lifecycle, quorum_passed, apr_block_unimplemented, iu_enact, iu_structure_op_rollback). fn_iu_verify_invariants body not read (existence + gate-effect confirmed via fn_iu_enact).
  • Not done by design: no Phase-1 resolution, no execution of any DOT/KG/promote/birth/repair, no schema/trigger enumeration via privileged views, no write probes beyond inert adversarial rejections.
  • Local code path: stale (2026-04-25) and substrate-free; not authoritative.

15. Next steps

  1. GPT reviews this report, then Codex adversarial control review (target: confirm no overclaim, especially the RISK-BYPASS "contained" and HOLD-2 "atomic exists" findings, against the raw evidence).
  2. Refresh the documentary runtime claims (LAW_READING_INDEX rev2 §4 items #5/#6/#10, pointer-layer §9, notes) to match live truth — as a separate Owner-gated doc step (not done here): RISK-BYPASS contained 2026-06-06; GOV-KG-SYS registered active; iu_staging pilot-exercised; fn_iu_enact atomic. The blockers stay open (residue/empty/not-ready), but the evidence basis changes.
  3. Technical design remains gated for: Điều 39 (HIGH: provenance invariant unmet + 0 execution), Điều 35 (NOT production-ready), HOLD-2/birth-certify (stalled pipeline), HOLD-1 (pilot-only).
  4. Owner-gated remediation workstreams (each separate): (a) decide disposition of the 170 unvoted-applied residue; (b) confirm app.bypass_birth_gate out-of-band + set warn→block criteria; (c) restart/verify inspect→certify pipeline; (d) Điều 35 metadata + paired-DOT fix; (e) reconcile the 1 undocumented admin-fallback.
  5. Any fix requires a separate Owner-authorized, write-enabled workstream — this run authorizes none.

16. Self-check

| Check | Result |
|---|---|
| SC1 Read current LAW_READING_INDEX rev2 + D1 pointer layer | Yes (verbatim, §3.1) |
| SC2 Distinguished documentary vs live runtime evidence | Yes (every surface separates "claim" vs "live") |
| SC3 Ran actual read-only commands | Yes (40+ live SELECT/catalog reads, §5) |
| SC4 Captured command text + timestamp + status | Yes (§5 ledger; window 10:12–10:33 UTC) |
| SC5 Avoided all writes/DDL/DML | Yes (only SELECT/catalog; write probes DENIED by harness) |
| SC6 No edits to source/draft/note/report except this report | Yes (one artifact created) |
| SC7 Adversarial bad input for each tool/harness used | Yes (§11: query_pg ×5, batch_read, grep) |
| SC8 Invalid input rejected | Yes (all DENIED / not_found; none returned PASS) |
| SC9 No blocker marked resolved | Yes (all verdicts are findings, not closures) |
| SC10 Engineering-PASS distinguished from authority-PASS | Yes (§0, §2) |
| SC11 Stated exactly what remains blocked/partial | Yes (§14) |
| SC12 Only the allowed report path created | Yes |
| SC13 Re-read final report after writing | Yes |

Engineering verification: complete for 5/5 surfaces. Authority status: HOLD — no blocker resolved; technical design remains gated. PASS≠Owner-authorization.
