04 — Birth Gateway Policy Enforcement
Problem
fn_birth_registry_auto() (called by 166 birth triggers across 148 tables) never consulted birth policy. It birthed any insert unless already registered, defaulting governance_role='excluded'. As a result, births for entity_labels (BIRTH_EXEMPT_STRUCTURAL_JUNCTION) and registry_changelog (BIRTH_EXEMPT_SYSTEM_LOG_OR_AUDIT) occurred despite their policy exemption: this is the ARCHITECTURE_GAP.
Policy source
collection_registry.coverage_status: BIRTH_REQUIRED 74, BIRTH_DEFERRED_NEEDS_REVIEW 58, BIRTH_EXEMPT_STRUCTURAL_JUNCTION 20, BIRTH_EXEMPT_SYSTEM_LOG_OR_AUDIT 12, BIRTH_EXEMPT_DERIVED_CACHE 4.
Patch applied (fail-closed, reversible)
Added near the top of fn_birth_registry_auto: if a collection_registry row exists with coverage_status LIKE 'BIRTH_EXEMPT%' for TG_TABLE_NAME, RETURN NEW (skip birth). Everything else byte-identical. Fail-closed: unknown/REQUIRED/DEFERRED collections proceed exactly as before (no row → NULL → not LIKE EXEMPT → births).
Scope decision
Applied for BIRTH_EXEMPT% only. DEFERRED (50 collections) deliberately NOT skipped — flipping them could suppress births RP currently counts; that is an owner decision (STAGED). EXEMPT is the unambiguously-correct subset.
Rehearsal (live BEGIN..ROLLBACK)
Insert into entity_labels (EXEMPT) → births before==after, exempt_birth_leak=0. Apply (CREATE OR REPLACE) before==after 1,210,724.
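A minimal PostgreSQL sketch of the guard from "Patch applied" and the BEGIN..ROLLBACK rehearsal above, added here as an illustration and not the project's own function. The function name demo_birth_gateway, the tables demo_required and demo_unknown, the trigger names and every column except coverage_status are assumptions.

```sql
-- Constructed miniature schema. Only coverage_status, the table names
-- entity_labels / collection_registry / birth_registry and the status
-- values come from the note; all other names and columns are assumed.
CREATE TABLE collection_registry (collection_name text PRIMARY KEY,
                                  coverage_status text NOT NULL);
CREATE TABLE birth_registry (birth_id bigserial PRIMARY KEY,
                             source_table text NOT NULL,
                             governance_role text NOT NULL DEFAULT 'excluded');
CREATE TABLE entity_labels (id int PRIMARY KEY);  -- registered as exempt below
CREATE TABLE demo_required (id int PRIMARY KEY);  -- hypothetical REQUIRED table
CREATE TABLE demo_unknown  (id int PRIMARY KEY);  -- hypothetical, no policy row
INSERT INTO collection_registry VALUES
    ('entity_labels', 'BIRTH_EXEMPT_STRUCTURAL_JUNCTION'),
    ('demo_required', 'BIRTH_REQUIRED');

CREATE FUNCTION demo_birth_gateway() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Policy guard: skip only on a positive EXEMPT match. A missing row,
    -- REQUIRED and DEFERRED all leave EXISTS false, so the birth proceeds.
    -- Pattern as in the note; "_" in LIKE matches any single character.
    IF EXISTS (SELECT 1 FROM collection_registry
               WHERE collection_name = TG_TABLE_NAME::text
                 AND coverage_status LIKE 'BIRTH_EXEMPT%') THEN
        RETURN NEW;
    END IF;
    INSERT INTO birth_registry (source_table) VALUES (TG_TABLE_NAME);
    RETURN NEW;
END $$;

-- No trigger is placed on birth_registry itself, so the gateway cannot recurse.
CREATE TRIGGER trg_birth_el AFTER INSERT ON entity_labels FOR EACH ROW EXECUTE FUNCTION demo_birth_gateway();
CREATE TRIGGER trg_birth_rq AFTER INSERT ON demo_required FOR EACH ROW EXECUTE FUNCTION demo_birth_gateway();
CREATE TRIGGER trg_birth_un AFTER INSERT ON demo_unknown  FOR EACH ROW EXECUTE FUNCTION demo_birth_gateway();

-- Rehearsal: exercise all three cases, check the result, leave no trace.
BEGIN;
INSERT INTO entity_labels VALUES (1);
INSERT INTO demo_required VALUES (1);
INSERT INTO demo_unknown  VALUES (1);
DO $$
DECLARE leak bigint; born bigint;
BEGIN
    SELECT count(*) FILTER (WHERE source_table = 'entity_labels'),
           count(*) FILTER (WHERE source_table IN ('demo_required', 'demo_unknown'))
      INTO leak, born FROM birth_registry;
    IF leak <> 0 OR born <> 2 THEN
        RAISE EXCEPTION 'gateway check failed: exempt_birth_leak=%, births=%', leak, born;
    END IF;
END $$;
ROLLBACK;
```

The DO block raises if the exempt table leaks a birth or if either non-exempt table fails to birth, which aborts the transaction before the ROLLBACK.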
Views
v_birth_gateway_policy_enforcement_status (enforces=true; 36 exempt / 74 required / 58 deferred), v_birth_gateway_no_go_guard 3/3 pass (skips EXEMPT; still births REQUIRED; no recursive gateway on birth_registry), v_birth_gateway_policy_patch_plan (APPLIED).