KB-69C3
Authority P1 Hardening — 09 Safety Audit
09 — Safety Audit
All invariants verified live against production.
| Invariant | Result |
|---|---|
| birth before == after (DDL apply) | 1,210,801 == 1,210,801 (birth-neutral) |
| birth-neutral on every rehearsal | rehearsal 1,210,800 == 1,210,800 after ROLLBACK |
| apr_approvals unchanged (no fake votes) | 42 == 42 |
| no owner mutation | axis_assignment active = 0 (unchanged) |
| no lifecycle apply/reject executed | apr_status unchanged: applied 176, approved 2, expired 19, pending 19, rejected 14 |
| no source IU edit | only PG functions + views changed |
| no REAL_RUN | none performed |
| no event activation | none performed |
| trigger_guard_alerts unchanged | 129 == 129 (CREATE OR REPLACE, no new trigger) |
| OOM safe | no signal-9 in postgres logs; checkpoints normal |
| rollback staged | /opt/incomex/docs/mcp-writes/authority-p1-2026-06-06/99_rollback.sql |
| historical bypass rows preserved | 26 ledger rows intact; 170 applied-without-vote intact; none deleted/hidden |
| raw pollution / population not hidden | full reviewed_by breakdown exposed (orchestrator-s142b 142 vs auto-apply-function 18) |
| no UI deploy / no broad revoke | none performed |
Mutation surface (exactly what changed)
- CREATE OR REPLACE FUNCTION fn_apr_block_unimplemented_handler — added quorum_passed re-proof before the null-action early return.
- CREATE OR REPLACE FUNCTION auto_apply_approval — added per-row quorum_passed gate (skip without proven quorum).
- CREATE OR REPLACE VIEW v_authority_lifecycle_failclosed_guard — made the apply_quorum_reproof_present assertion live-derived.
- 18 new additive views (CREATE OR REPLACE VIEW), read-only, no data writes.
Nothing else. No DML against approval_requests, apr_approvals, dot_tools, collection_registry, axis_assignment, or any governance table.
Reversibility proof
Both function patches and the guard view are restored byte-for-functionality by 99_rollback.sql; the 18 new views are dropped there. The change was rehearsed in BEGIN..ROLLBACK before apply and re-tested in committed state after apply (LIVE-NEG/LIVE-POS), both birth-neutral.
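The BEGIN..ROLLBACK rehearsal described above, written out as an added illustration for this page (not the project's own rehearsal script or 99_rollback.sql): it snapshots the invariant counts inside the transaction, applies one CREATE OR REPLACE, re-checks the counts, and ends in ROLLBACK whatever happens. The table behind the birth count, the quorum_passed() function and the function body are placeholders, and the "no new trigger" check is approximated here by counting pg_trigger rows rather than the page's trigger_guard_alerts figure.

```sql
-- Rehearsal harness (added example). The table `births`, quorum_passed()
-- and the function body are placeholders, not the production schema.
BEGIN;

-- Snapshot the invariants inside the same transaction, before any DDL.
CREATE TEMP TABLE audit_before AS
SELECT
  (SELECT count(*) FROM births)        AS birth_count,
  (SELECT count(*) FROM apr_approvals) AS approval_count,
  (SELECT count(*) FROM pg_trigger WHERE NOT tgisinternal) AS trigger_count;

-- The change under rehearsal: per-row quorum gate, stand-in body only.
CREATE OR REPLACE FUNCTION auto_apply_approval(p_request_id bigint)
RETURNS void LANGUAGE plpgsql AS $fn$
BEGIN
  -- Fail closed: no live-proven quorum means skip, never apply.
  IF NOT quorum_passed(p_request_id) THEN
    RETURN;
  END IF;
  -- apply path would follow here (omitted in this placeholder)
END;
$fn$;

-- Re-check every invariant; any drift raises and aborts the transaction,
-- so a bad rehearsal cannot be committed by accident.
DO $chk$
DECLARE
  before_row audit_before%ROWTYPE;
BEGIN
  SELECT * INTO before_row FROM audit_before;
  IF before_row.birth_count <> (SELECT count(*) FROM births) THEN
    RAISE EXCEPTION 'not birth-neutral: DDL touched row counts';
  END IF;
  IF before_row.approval_count <> (SELECT count(*) FROM apr_approvals) THEN
    RAISE EXCEPTION 'apr_approvals changed: possible fake votes';
  END IF;
  IF before_row.trigger_count <>
     (SELECT count(*) FROM pg_trigger WHERE NOT tgisinternal) THEN
    RAISE EXCEPTION 'trigger count changed: a trigger was added';
  END IF;
END
$chk$;

-- Rehearsal only: roll back regardless of outcome. The committed apply is a
-- separate run, re-checked afterwards with the same DO block.
ROLLBACK;
```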
Notes (pre-existing, not regressions)
- 04h30 fn_log_issue "value too long for varchar(50)" errors are the known H11a/title-variance coalesce_key leak (detect-only context-pack-verify cron), unrelated to this macro.
- dot-apr-execute 5-min cron failing on curl localhost:8055 is pre-existing (Directus path down on that route).