TD — Pack 2A Trigger Registry Sync Tooling SSH Key Dependency

Date: 2026-05-04 Source report: knowledge/dev/laws/dieu44-trien-khai/reports/iu0-pack2a-dot-governance-registration-report.md Severity: Medium Blocking: Not blocking Pack 2A core; must be resolved before relying on trigger_registry completeness for IU triggers.

Issue

During Pack 2A Phase 5, dot-schema-trigger-registry-ensure --cloud failed with:

Warning: Identity file /root/.ssh/contabo_vps not accessible: No such file or directory.
root@38.242.240.89: Permission denied (publickey).

Agent correctly stopped and did not workaround with raw SQL or tool edits.

Where this sits in the process

This is not the birth/registration step itself. It is a post-registration scan/sync step for trigger governance:

• Pack 2A Phase 1–4: collection registration + birth chain + collection health — PASS.
• Pack 2A Phase 5: trigger_registry sync/scan — STOP due to tooling dependency.

Analogy: the birth certificate was filed and stamped; the follow-up scanner that indexes fingerprints/trigger metadata had a broken key.

Impact

No evidence that this breaks the completed Pack 2A core registration:

• information_unit registered as COL-176.
• unit_version registered as COL-177.
• birth_registry rows for COL-176/COL-177 were auto-created.
• dot-collection-health had no IU-specific findings.

Known remaining gap:

• IU triggers are not reflected in trigger_registry yet.
• information_unit has duplicate trg_iu_birth_gate_layer2 listed by report.
• unit_version has no birth_gate triggers yet; this depends on future IU data-row birth path design.

Recommended handling

Defer as a separate tooling repair/cleanup task. Do not let it distract from the main roadmap unless Pack 2B requires trigger_registry completeness.

Future task should:

1. Inspect dot-schema-trigger-registry-ensure source and SSH assumptions.
2. Determine whether --cloud should SSH from VPS to itself or run local PG directly.
3. Fix key/path/config through DOT/tool governance, not ad hoc shell workaround.
4. Re-run trigger registry sync.
5. Verify IU triggers in trigger_registry.
6. Address duplicate trigger only through a reviewed cleanup design.

Closure criteria

• dot-schema-trigger-registry-ensure --cloud runs without SSH key failure.
• IU triggers are registered or intentionally excluded with reason.
• Duplicate trg_iu_birth_gate_layer2 disposition is documented.
• No raw SQL registry writes are used to bypass the DOT tool.