KB-62F1
00 — Readme First: Authority/Birth/Truth Control-Plane P0 Remediation
Revision 1
Authority / Birth / Truth Control-Plane — P0 Remediation (2026-06-06)
Mode: EXECUTION, principal-delegate. Live mutation: YES — one narrow reversible behavioral patch (authority containment) + 26 additive read-only views. Birth-neutral: every DDL/preview before==after; ambient drift +2 over the session from the live system.
Headline
Moved from PRODUCTION READINESS FAIL to AUTHORITY_BYPASS_CONTAINED + BIRTH_POLICY_GUARDED + CONTROL_PLANE_P0_ACTION_READY.
- P0 authority bypass: CONTAINED (live fix applied, rehearsed, rollback staged, fail-closed proven).
- Historical bypass rows: inventoried, classified, preserved (nothing deleted; no harmful pollution found).
- Authority regression guard: machine-visible with proven teeth (8 live bad/good-path tests, all blocking assertions pass).
- Birth policy: GUARDED (8/8 clean post-fix cycles, H11a contained).
- Object truth: clean (managed SSOT distinct from raw; 98.97% noise fully accounted, not hidden).
- Trigger registry, function permission: visible + action-ready (candidate/migration packets, nothing auto-applied).
- RP production API/UI: truthfully API_BROKEN (cannot be falsely green).
The 10 supertracks (A–J) — doc map
| Doc | Supertrack | Outcome |
|---|---|---|
| 01 | A — Authority bypass root cause + containment | CONTAINED (applied) |
| 02 | B — Back-audit + quarantine | benign; ratify 21 / reconcile 1 / none 4 |
| 03 | C — Regression + fail-closed | teeth proven; blocking all pass |
| 04 | D — Birth policy control plane | BIRTH_POLICY_GUARDED |
| 05 | E — Object truth / RP managed count | managed SSOT clean |
| 06 | F — Trigger registry truth | 408 live / 107 reg / 301 candidate |
| 07 | G — Function permission exposure | 35 staged REVOKEs (none applied) |
| 08 | H — RP production API/UI truth | API_BROKEN (do-not-deploy) |
| 09 | I — Control-plane dashboard + router | next = authority P1 hardening |
| 10 | J — Safety audit | all clean |
| 11 | — Final summary | — |
| 12 | — GPT MCP-readable checkpoint | — |
Where the artifacts live
- SQL (rehearsal/apply/rollback/views): VPS `/opt/incomex/docs/mcp-writes/authority-birth-truth-cp-2026-06-06/` (files 00–12, 99 rollbacks).
- 26 new views: all `v_authority_*`, `v_control_plane_*`, plus birth/object/trigger/permission/rp-api control-plane views (see each doc).
- Behavioral patch + rollback: `01_apply_authority_containment.sql` / `99_rollback_authority_containment.sql`.
Read-first ground truth
Old reports are evidence, not authority. Every number here was re-derived live on 2026-06-06 (PG16, role context_pack_readonly for reads; ssh contabo → docker exec psql for DDL/rehearsals). Where live differed from prior snapshots (e.g. PIVOT_MISSING 139→14; API "4×404" → 1×404 + 2×500), live wins and the delta is stated in the relevant doc.