KB-7EE1

02 — Live Birth Infrastructure Audit (read-only)

Revision 1
Tags: audit, birth-registry, triggers, fn_birth_gate, coverage, 2026-06-03

1. birth_registry core

total rows            1,116,379
distinct collections  79
null entity_code      0
null species_code     0
certified             1,402
uncertified           1,114,977   ← 99.87% never inspected

Finding B-1: birth row creation is broad and clean (0 null codes). But the inspection/certification layer is effectively dormant — only 0.13% certified. The "certified sticker" surveillance the law describes is not operating at scale.

2. Birth functions (20 present)

fn_birth_registry_auto (+_auto_id), fn_birth_gate, fn_pre_birth_check(text,text,text,text), fn_birth_auto_certify, fn_birth_change_flag_matrix, fn_birth_onboarding_full_scan (+_hc(jsonb)), fn_description_birth_guard, fn_iu_birth_gate_layer1/2, fn_tac_birth_gate_lu/uv, fn_rule_birth_violations, fn_refresh_orphan_col/dot/species (+ 3 trg_fn_refresh_orphan_*).

2a. fn_birth_registry_auto (the real auto-birth; AFTER INSERT)

  • Reads code from TG_ARGV[0]; synthetic fallback TG_TABLE_NAME || '::' || id when code null/empty → so triggered tables get near-total coverage even without a code column.
  • Resolves species via species_collection_map(is_primary) + governance_role via collection_registry (defaults 'excluded').
  • INSERT ... ON CONFLICT (entity_code) DO NOTHING.
  • Implication: the gap is never "a triggered table missed a row"; the gap is tables without the trigger and rows inserted before the trigger existed.

2b. fn_birth_gate (BEFORE INSERT; the "enforcement")

bypass := current_setting('app.bypass_birth_gate') ∈ {true,1} → RETURN NEW   -- KILL SWITCH
code NULL/empty → RETURN NEW                                                 -- skip
run 5 × fn_pre_birth_check; on fail:
  mode := current_setting('app.birth_gate_mode') default 'warning'
  if mode='blocking' → RAISE EXCEPTION  else → RAISE WARNING (insert proceeds)
  • fn_pre_birth_check = 5 checks: (1) collection ∈ meta_catalog managed; (2) _dot_origin non-empty; (3) code ^[A-Z]+-[0-9]+$; (4) name not duplicate; (5) code not duplicate.
  • Finding B-2 (CRITICAL): the gate defaults to warning (non-blocking). No persistent blocking config exists: pg_db_role_setting = 0 rows for app.birth%; pg_settings = 0 rows. So a row failing all checks is logged, not blocked. Plus the explicit kill-switch GUC. → birth-first is policy, not enforcement (G1).
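Added worked example, not code from the audit or from the live database: a reduced gate trigger in the shape section 2b describes, used to show why the warning default lets a failing row through and what the missing persistent blocking setting looks like. The GUC names app.birth_gate_mode and app.bypass_birth_gate, the {true,1} kill-switch values, the empty-code skip and the code pattern ^[A-Z]+-[0-9]+$ come from the audit; the table demo_gate_target, the function demo_birth_gate, the reproduction of only check (3) of the five, and the database name your_db are assumptions.

```sql
-- Added example (hypothetical table/function names); mirrors the gate's control flow in 2b.
CREATE TABLE demo_gate_target (id serial PRIMARY KEY, code text, name text);

CREATE OR REPLACE FUNCTION demo_birth_gate() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  mode text;
BEGIN
  -- kill switch: app.bypass_birth_gate in {true,1} skips every check (NULL when unset -> IF is false)
  IF current_setting('app.bypass_birth_gate', true) IN ('true', '1') THEN
    RETURN NEW;
  END IF;

  -- NULL/empty code is skipped, exactly as in the live gate
  IF NEW.code IS NULL OR NEW.code = '' THEN
    RETURN NEW;
  END IF;

  -- only check (3) of the five is reproduced here: code format
  IF NEW.code !~ '^[A-Z]+-[0-9]+$' THEN
    -- unset GUC reads as NULL; a RESET GUC reads as '' -> both fall back to 'warning'
    mode := COALESCE(NULLIF(current_setting('app.birth_gate_mode', true), ''), 'warning');
    IF mode = 'blocking' THEN
      RAISE EXCEPTION 'birth gate: code % fails format check', NEW.code;
    ELSE
      RAISE WARNING 'birth gate: code % fails format check (mode=%), row accepted', NEW.code, mode;
    END IF;
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER demo_gate BEFORE INSERT ON demo_gate_target
  FOR EACH ROW EXECUTE FUNCTION demo_birth_gate();

-- 1. No setting anywhere (the audited state): the bad row is accepted, with a WARNING only.
INSERT INTO demo_gate_target (code, name) VALUES ('bad code', 'accepted under warning mode');
SELECT count(*) FROM demo_gate_target;                       -- 1

-- 2. Session-level blocking works but dies with the session: this is the B-2 trap.
SET app.birth_gate_mode = 'blocking';
-- INSERT INTO demo_gate_target (code, name) VALUES ('bad code', 'x');   -- ERROR in this session only
RESET app.birth_gate_mode;

-- 3. Persistent blocking: attach the GUC to the database (or a role) so new sessions inherit it.
--    'your_db' is a placeholder for the audited database name.
ALTER DATABASE your_db SET app.birth_gate_mode = 'blocking';

-- 4. Verification, same query the audit ran (it returned 0 rows); now returns the database row.
SELECT setdatabase, setrole, setconfig
FROM pg_db_role_setting s
WHERE EXISTS (SELECT 1 FROM unnest(s.setconfig) c WHERE c ILIKE 'app.%birth%');
```

ALTER DATABASE / ALTER ROLE settings reach new sessions only; connections already open, including pooled ones, keep the value they started with until they reconnect. The kill-switch GUC is still honoured per session after this change, so a blocking default removes the silent fall-through, not the bypass path itself; the pg_db_role_setting query above is the check that tells the two states apart.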

3. Trigger topology

  • 216 birth/orphan trigger rows. Legacy birth_trigger_<t> + newer trg_birth_<t> (both → fn_birth_registry_auto, second is ON-CONFLICT no-op) coexist on many tables.
  • fn_birth_gate (BEFORE) present on ~16 core tables: agents, checkpoint_, collection_registry, dot_tools, entity_dependencies, meta_catalog, modules, table_proposals, tasks, taxonomy, trigger_registry, ui_pages, workflow_*.
  • trg_refresh_orphan_* on exactly 3 tables: dot_tools, collection_registry, entity_species.
  • pivot_definitions / pivot_results: have trg_birth_* (auto-birth) but no gate and no orphan-refresh.

4. Coverage of the mission-critical families

dot_tools:              309 rows | 592 birth rows | 0 without birth | 283 PHANTOM (birth w/o live DOT)
pivot_definitions:       37 rows | 22 WITHOUT birth (59%) | 15 born
pivot_results:            5 birth rows
dot_iu_command_catalog:  54 rows | NO trigger | 0 birth  ← (see doc 03/blind spot)
collection_registry:    171 birth | entity_species: 45 | meta_catalog: 191 | governance_registry: 9
  • Finding B-3: dot_tools has 283 phantom birth rows (592 birth − 309 live). Phantom detection is not live (orphan_count metric ≠ phantom).
  • Finding B-4: pivot_definitions has 22/37 unborn rows — the auto-trigger only covers inserts after it was created; the QT-001 backfill (dot-birth-backfill) was never run for this collection (G5).
  • Finding B-5: dot_iu_command_catalog columns = command_name, category, mutating, reversible, target_functions, registered_at; no code column, no birth trigger, 0 birth rows. All 54 rows are entirely unborn.
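Added worked example, not code from the audit or the live database, covering section 2a and findings B-3/B-4 together: a reduced auto-birth trigger in the shape 2a describes (code from TG_ARGV[0], synthetic fallback TG_TABLE_NAME || '::' || id, ON CONFLICT (entity_code) DO NOTHING), used to reproduce the unborn and phantom gaps and to show a backfill that closes the unborn one. The tables demo_birth_registry and demo_pivot_definitions, the function demo_birth_registry_auto, the fixed species literal in place of species_collection_map resolution, and the registry columns entity_code / collection_name / species_code / born_at are assumptions.

```sql
-- Added example (hypothetical names); reproduces the 2a mechanism and the B-3/B-4 gaps.
CREATE TABLE demo_birth_registry (
  id              serial PRIMARY KEY,
  entity_code     text NOT NULL UNIQUE,
  collection_name text NOT NULL,
  species_code    text NOT NULL,
  born_at         timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE demo_pivot_definitions (id serial PRIMARY KEY, code text);

CREATE OR REPLACE FUNCTION demo_birth_registry_auto() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  code_col text := TG_ARGV[0];   -- column name passed as the trigger argument
  code     text;
BEGIN
  -- read the code column dynamically from NEW; fall back to the synthetic code
  EXECUTE format('SELECT ($1).%I', code_col) INTO code USING NEW;
  IF code IS NULL OR code = '' THEN
    code := TG_TABLE_NAME || '::' || NEW.id;
  END IF;
  INSERT INTO demo_birth_registry (entity_code, collection_name, species_code)
  VALUES (code, TG_TABLE_NAME, 'demo-species')      -- species lookup simplified to a literal
  ON CONFLICT (entity_code) DO NOTHING;             -- a second trigger on the table is a no-op
  RETURN NEW;
END $$;

-- rows inserted BEFORE the trigger exists: these are the "unborn" rows of B-4
INSERT INTO demo_pivot_definitions (code) VALUES ('PVT-1'), ('PVT-2');

CREATE TRIGGER trg_birth_demo_pivot_definitions AFTER INSERT ON demo_pivot_definitions
  FOR EACH ROW EXECUTE FUNCTION demo_birth_registry_auto('code');

-- rows inserted AFTER: born automatically, including one with NULL code (synthetic fallback)
INSERT INTO demo_pivot_definitions (code) VALUES ('PVT-3'), (NULL);

-- unborn: live rows with no birth row; the join uses the same expression the trigger uses,
-- so a NULL-code row born under its synthetic code is not miscounted
SELECT p.id, p.code
FROM demo_pivot_definitions p
LEFT JOIN demo_birth_registry b
       ON b.entity_code = COALESCE(NULLIF(p.code, ''), 'demo_pivot_definitions::' || p.id)
WHERE b.id IS NULL;                                   -- PVT-1, PVT-2

-- phantom (B-3): birth rows whose live row is gone; nothing fires on DELETE, so they persist
DELETE FROM demo_pivot_definitions WHERE code = 'PVT-3';
SELECT b.entity_code
FROM demo_birth_registry b
LEFT JOIN demo_pivot_definitions p
       ON COALESCE(NULLIF(p.code, ''), 'demo_pivot_definitions::' || p.id) = b.entity_code
WHERE b.collection_name = 'demo_pivot_definitions' AND p.id IS NULL;   -- PVT-3

-- backfill: the trigger's INSERT applied set-wise over every live row; ON CONFLICT makes it
-- idempotent, so it is safe to rerun after the trigger is live
INSERT INTO demo_birth_registry (entity_code, collection_name, species_code)
SELECT COALESCE(NULLIF(p.code, ''), 'demo_pivot_definitions::' || p.id),
       'demo_pivot_definitions', 'demo-species'
FROM demo_pivot_definitions p
ON CONFLICT (entity_code) DO NOTHING;

-- after backfill the unborn query returns 0 rows; the phantom row PVT-3 is untouched,
-- which is why a coverage metric built on unborn counts cannot stand in for phantom detection
```

The audit's own coverage query joins birth_registry on the raw code column; because the auto-birth trigger births a NULL or empty code under the synthetic TG_TABLE_NAME::id form, such a row would be reported as unborn by that join even though its birth row exists, so reconciliation queries should join on the same expression the trigger writes. The backfill above deliberately reuses that expression for the same reason.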

5. dot-pivot-update birth status

  • Not in dot_tools (only DOT-113 dot-pivot-declare, DOT-114 dot-pivot-health, DOT-307 dot-pivot-virtual-create, DOT-308 dot-cron-pivot-setup exist). → no birth row possible (birth is DB-row-triggered). See doc 07.

6. File-only artifacts vs birth

  • Birth fires on DB row INSERT only. A file on disk creates no row → no birth, by construction. /opt/incomex/dot/bin holds 209 live dot- scripts + 76 backup artifacts; dot_tools has 309 rows (228 with file_path). No live filesystem↔registry reconciler. (G4 — doc 03/05.)

SQL artifacts (representative)

-- coverage
SELECT (SELECT count(*) FROM dot_tools)                                        AS live_rows,
       (SELECT count(*) FROM birth_registry WHERE collection_name='dot_tools') AS birth_rows,
       (SELECT count(*) FROM dot_tools d
          LEFT JOIN birth_registry b ON b.entity_code=d.code
         WHERE b.id IS NULL)                                                    AS unborn;
SELECT count(*) FROM pivot_definitions p LEFT JOIN birth_registry b ON b.entity_code=p.code WHERE b.id IS NULL; -- 22
-- gate config
SELECT * FROM pg_db_role_setting s WHERE EXISTS (SELECT 1 FROM unnest(s.setconfig) c WHERE c ILIKE 'app.%birth%'); -- 0 rows
Source: knowledge/dev/reports/architecture/birth-governance-orphan-detection-systemic-automation-audit-2026-06-03/02-live-birth-infrastructure-audit.md