KB-52C4

12 — GPT MCP-Readable Checkpoint

Revision 1

MCP-Readable Checkpoint — Authority/Birth/Truth Control-Plane P0 (2026-06-06)

  • status: PASS (PARTIAL on owner/operator-blocked apply items)
  • mode: EXECUTION / principal-delegate
  • live_mutation: YES (1 function patch + 26 additive views)
  • birth_neutral: YES (each DDL before==after; ambient session drift +2)
  • oom: OOM_SAFE (0 landmines, 0 signal-9 last 2h)

authority_bypass

  • root_cause: trg_apr_auto_approve (BEFORE INSERT, fn_auto_approve_add) flips action=add pending->approved at INSERT; trg_apr_quorum_check only fires on UPDATE pending->approved => quorum bypassed
  • containment: APPLIED — fn_auto_approve_add no longer approves at INSERT (rows stay pending); trigger preserved; rollback=99_rollback_authority_containment.sql
  • verify: containment_live=true; rolled-back live insert of action=add now lands pending
  • affected: 8 insert-bypass (3 applied, 1 approved-undisposed=APR-0234, 4 inert) + 18 scanner-applied-without-vote; all 0 votes; all preserved
  • no_go_guard: v_authority_bypass_no_go_guard 6/6 pass
  • regression: v_authority_quorum_regression_guard (6 blocking pass, 1 P1 fail=scanner ungated) + v_authority_lifecycle_failclosed_guard (5 blocking pass, 1 P1 fail=no apply-reproof); 8 live teeth tests all pass (rolled back)

back_audit

  • live_effect: yes but benign (governance metadata, substantively correct); quarantine=NONE
  • recommendation: ratify=21, reconcile=1 (APR-0234 object live but APR=approved), none=4
  • views: v_authority_back_audit_ledger / _quarantine_recommendation / _compensation_plan

birth_policy

  • verdict: BIRTH_POLICY_GUARDED; h11a=CONTAINED detect_only; 8/8 clean cycles entity_labels=0
  • contradictions: required_missing=5, exempt_active=29, duplicate=18, deferred_active=50
  • dup_trigger_cleanup: HELD (OPERATOR_OWNER_PACKET_READY; TG_ARGV parity => blind dedup unsafe); no DROP applied
  • views: v_birth_policy_control_plane_status / v_birth_trigger_reconciliation_priority / v_birth_trigger_apply_readiness

object_truth

  • raw=1,210,783 managed=2,929 provenance=6,610 noise=1,198,318 (98.97%) unknown=2,926; decomposition complete
  • no RP SSOT view uses raw as object truth; only operator-UI conditional repoint outstanding (no DB change)
  • views: v_rp_object_truth_control_plane / v_rp_raw_vs_clean_count_guard / v_rp_count_semantics_regression_guard (5/5)

trigger_registry

  • live=408 registered=107 unregistered=301; P1_unmanaged_mutating=83; birth_governed=197
  • packet candidate-only; no auto-register; no_go 4/4 pass (teeth: no_registry_rows_added_this_session)
  • views: v_trigger_registry_gap_inventory / _registration_packet / _no_go_guard

function_permission

  • total=598 pub_exec=570 secdef=60 secdef_public=38; P1=2 P2=33 staged REVOKEs (none applied)
  • no_go 4/4 pass; views: v_function_permission_risk_inventory / _hardening_plan / _no_go_guard

rp_api_ui

  • page=200; 404=/api/registries/index; 500=/api/registry/matrix(~23s),/api/registry/pivot-query; pivot_missing=14
  • class=API_BROKEN do_not_deploy=true; views: v_rp_production_api_truth_status / v_rp_ui_operator_fix_packet / v_rp_ui_readiness_no_go_guard / v_rp_ui_readiness_classification
  • deltas_vs_prior: 4x404 -> 1x404+2x500; pivot 139 -> 14 (live wins)

control_plane

  • dashboard: v_control_plane_p0_status_dashboard (1 RED rp_api, 3 AMBER authority/trigger/permission, 3 GREEN oom/birth/object)
  • router: v_control_plane_next_macro_router => next=AUTHORITY_P1_HARDENING_AND_BACKAUDIT_RATIFICATION; top_operator=TRIGGER_REGISTRY_REGISTRATION_OWNER_PACKET; posture=MONITOR_WITH_GUARDS

safety

  • no fake owner/vote (apr_approvals=42 unchanged); no IU edit; no REAL_RUN; no event activation; trigger_guard_alerts=129 unchanged; historical rows preserved; rollbacks staged

gotchas (2026-06-06)

  • query_pg is RO (role context_pack_readonly, 5s timeout, LIMIT 500); use ssh contabo -> docker exec -i postgres psql for DDL/rehearsals and heavy reads (statement_timeout=0)
  • approval_requests uses date_created/date_updated (no created_at); chk_apr_target_collection requires target_collection NOT NULL
  • pg_schema MCP $1-ambiguity bug -> use information_schema.columns
  • birth_registry has no source_table col (use collection_name/born_at)
  • KB upload: prose+markdown tables only (Cloudflare WAF blocks fenced SQL); each upload births 1 knowledge_documents (provenance)
  • control-plane router view ~25s -> read via ssh statement_timeout=0
  • SQL artifacts: /opt/incomex/docs/mcp-writes/authority-birth-truth-cp-2026-06-06/

blockers

  • human authority (ratify/reconcile votes), owner/operator (trigger register, permission revoke + impact proof), operator/dev (RP API repair, pivot refresh), platform (dup-trigger TG_ARGV). No engineering blocker.

next

AUTHORITY_P1_HARDENING_AND_BACKAUDIT_RATIFICATION (agent-doable P1 + owner ratification), parallel RP_PRODUCTION_API_OPERATOR_FIX.

knowledge/dev/reports/architecture/authority-birth-truth-control-plane-p0-remediation-2026-06-06/12-gpt-mcp-readable-checkpoint.md