08 — Gap Classification & Severity

Per the mission taxonomy. Severity: CRITICAL / HIGH / MEDIUM / LOW. "Continue dot-pivot-update?" = does this gap, by itself, block continuing RP DOT cleanup.

ID	Gap	Severity	Example (live)	Affected family	Fix	Continue?	Temporary guardrail
G0	No gap — auto-birth row creation on registered/triggered collections is live & broad	— (PASS)	1.1M birth rows / 79 colls; dot_tools 0-without-birth	all triggered collections	keep	n/a	n/a
G1	Policy-only, bypassable — birth gate defaults to warning, kill-switch GUC, skips null-code	HIGH	fn_birth_gate mode default 'warning'; no blocking config in pg_db_role_setting	all ~16 gated tables	set app.birth_gate_mode='blocking' (ALTER DATABASE) on core tables; remove/guard kill-switch	NO	treat birth-first as manual discipline; reviewer sign-off on any dot_tools/pivot write
G2	Birth exists but orphan (missing-birth) detection missing — live metric measures metadata not birth	HIGH	pivot_definitions 22 unborn, orphan_count=0	pivots, any pre-trigger rows, unregistered tables	build v_birth_orphan (governed entity LEFT JOIN birth_registry); schedule it	NO	run the manual diff in doc 02/03 before any cleanup
G3	Birth works but governance onboarding inert + collection-granular	HIGH (known/gated)	ospa=0, ownership=0, candidates=0; inventory is collections only	governance objects	activate onboarding only post-ratification (ospa≥1); decide DOT-as-object granularity	NO (for governance-object claims)	do not claim DOT governance coverage; banner "L2 onboarding INERT"
G4	Filesystem artifacts invisible to birth; no scheduled FS↔registry reconciler	HIGH	dot-pivot-update on disk, unregistered; 209 live + 76 .bak files vs 309 rows	DOT scripts, any file	build a scheduled FS-vs-dot_tools scanner (orphan files + missing files)	NO	manual ls vs dot_tools diff before trusting "all DOTs managed"
G5	Backfill/auxiliary not run — QT-001 backfill + birth→governance handoff worker not live	MEDIUM	pivot_definitions 22 unborn (never backfilled); cursor=0	pivots; onboarding pipeline	run dot-birth-backfill --collection=pivot_definitions; activate handoff worker post-gate	partial	document the 22 as known-unborn
G6	Trigger/detector bug — fn_rule_birth_violations throws (empty CASE)	MEDIUM	syntax error on dot_domain_rules	provenance-violation detection	fix the CASE builder (emit CASE WHEN false THEN NULL ELSE NULL END guard)	partial	don't rely on this detector
G7	Privileged role bypass — dot_tools/pivot/birth owned by directus; workflow_admin superuser	HIGH	owner can DISABLE TRIGGER / SET bypass GUC / direct INSERT	all governed tables	move ownership off the app role; revoke trigger-disable; gate via SECURITY DEFINER fn	NO	policy: no manual DML; audit DDL on these tables
G8	Scanner exists but not scheduled/active — orphan/misclass scanners cron NULL; onboarding scan idle 9d; no pg_cron	HIGH	DOT-115/116 cron NULL; last onboarding gap 2026-05-25	orphan/schema/misclass/onboarding	schedule scanners (OS-cron or pg_cron); add freshness alert on last_scan_date	NO	run scans on-demand before cleanup; verify last_scan_date
G9	Clone/design/packaged, not prod-live — candidate pipeline (docs 31/32/34), scheduled scanners	MEDIUM	candidate_state exists but 0 rows; design "apply NO-GO"	onboarding automation	implement+activate per design after gate	partial	label as design-only in any status report

Most decisive

G2 + G4 co-instantiated by dot_iu_command_catalog (54 rows, 0 on every axis) and by dot-pivot-update (file, 0 on every axis) are the direct, live proof that an object can exist outside birth + orphan + onboarding. These are the load-bearing findings; G1/G7/G8 explain why the holes persist (no hard enforcement, owner bypass, scanners idle).

Aggregate

• PASS: G0 (birth row creation).
• HIGH, blocks continuation: G1, G2, G3, G4, G7, G8.
• MEDIUM: G5, G6, G9.
• The system does NOT satisfy "cố ý làm nhầm cũng không có cơ hội".