KB-3CF2

09 — Safe Path Forward

Revision 1
Tags: audit, safe-path, hardening, guardrails, next-macro, 2026-06-03

Path selection

The findings span three of the mission's paths. The governing one is Path E (automation partially live but bypassable), compounded by Path C (row-level orphan/unborn detection missing) and Path D (filesystem artifact invisible). It is not Path A, because enforcement is not complete, and it is not purely Path B, because birth is already live: the missing piece is detection plus enforcement, not onboarding alone.

What is true (so we don't over-correct)

  • Auto-birth row creation on registered/triggered collections is genuinely live (G0). Do not rebuild it.
  • The lawful registration path for a DOT (dot-dot-register → APR → dot_tools INSERT → auto-birth) works. The problem is that the system neither forces objects onto that path nor detects when they skip it.

Hardening (ordered; each is its own gated step)

  1. Row-level orphan view (G2) — create v_birth_orphan (every governed entity LEFT JOIN birth_registry … WHERE birth IS NULL) and v_birth_phantom for the inverse, birth rows whose entity no longer exists (283 phantom dot rows today). Read-only DDL; no base-table mutation. This is the single highest-value patch.
  2. Filesystem reconciler (G4) — a scheduled scanner that diffs /opt/incomex/dot/bin/dot-* (excluding .bak) against dot_tools.file_path/name and emits system_issues for both file-orphans (e.g. dot-pivot-update) and registry rows with no file on disk (81 rows currently have no file_path at all).
  3. Schedule the existing scanners (G8) — give DOT-115 (orphan) and DOT-116 (misclass) real cron entries (OS cron, since pg_cron is absent), and add a freshness alert that fires when last_scan_date goes stale.
  4. Flip the gate to blocking on the core governed set (G1) — ALTER DATABASE directus SET app.birth_gate_mode='blocking', only after verifying that it does not break legitimate inserts; restrict access to the kill-switch.
  5. Register the blind-spot table (G2/G4) — bring dot_iu_command_catalog into collection_registry and species_collection_map and give it a birth trigger (54 existing rows backfilled), OR formally mark it BIRTH_EXEMPT_* with a stated reason so the onboarding scan accounts for it.
  6. Backfill pivots (G5) — run dot-birth-backfill --collection=pivot_definitions to close the 22 unborn rows.
  7. Fix fn_rule_birth_violations (G6) — repair the empty-CASE builder.
  8. Ownership hygiene (G7) — move table ownership off the app role; remove the owner's ability to silently disable birth triggers.
  9. Governance onboarding (G3/G9) — only after ratification (ospa≥1); first decide whether a DOT is governed at row or collection granularity (the live model is collection-only).
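As an added illustration of patches 1 and 2 (not part of this report and not the project's own tooling), the Python sketch below builds the v_birth_orphan / v_birth_phantom view pair and runs a filesystem reconciler over constructed data. Everything in it is assumed for the example: SQLite stands in for the Postgres database (the LEFT JOIN shape carries over unchanged), birth_registry is keyed by (entity_table, entity_id), system_issues has (kind, subject, detail) columns, only dot_tools is shown as a governed entity, and the bin directory is a temporary directory seeded with a few dot-* files. It also separates "row has NULL file_path but a file by that name exists" from "row points at no file at all", which is the distinction the 81 no-file_path rows will force the real reconciler to make.

```python
"""Offline sketch of hardening patches 1 and 2 (example code written for this
page, not the project's tooling).  Assumptions, all hypothetical: SQLite in
place of Postgres, birth_registry keyed by (entity_table, entity_id), a
system_issues(kind, subject, detail) table, dot_tools as the only governed
entity.  Each further governed table adds a UNION ALL branch to the views."""
import os
import shutil
import sqlite3
import tempfile

# Patch 1: read-only DDL, no base-table mutation.
ORPHAN_VIEWS_DDL = """
CREATE VIEW v_birth_orphan AS          -- governed rows with no birth record
SELECT 'dot_tools' AS entity_table, t.id AS entity_id, t.name
FROM dot_tools t
LEFT JOIN birth_registry b
       ON b.entity_table = 'dot_tools' AND b.entity_id = t.id
WHERE b.entity_id IS NULL;

CREATE VIEW v_birth_phantom AS         -- birth records whose row is gone
SELECT b.entity_table, b.entity_id
FROM birth_registry b
LEFT JOIN dot_tools t
       ON b.entity_table = 'dot_tools' AND t.id = b.entity_id
WHERE t.id IS NULL;
"""


def reconcile_filesystem(conn, bin_dir):
    """Patch 2: diff dot-* files in bin_dir (ignoring *.bak) against
    dot_tools.file_path and dot_tools.name, write one system_issues row per
    finding, and return {kind: [subjects]} (file basenames / row names)."""
    disk = {f: os.path.join(bin_dir, f) for f in os.listdir(bin_dir)
            if f.startswith("dot-") and not f.endswith(".bak")}
    rows = conn.execute(
        "SELECT name, file_path FROM dot_tools ORDER BY name").fetchall()
    registered_paths = {p for _, p in rows if p}
    names = {n for n, _ in rows}
    findings = {"file_orphan": [], "unlinked_file": [], "missing_file": []}
    for fname, full in sorted(disk.items()):
        if full not in registered_paths and fname not in names:
            findings["file_orphan"].append(fname)    # staged, never registered
    for name, path in rows:
        if path and path in disk.values():
            continue                                 # healthy: path resolves
        if not path and name in disk:
            findings["unlinked_file"].append(name)   # file exists, NULL file_path
        else:
            findings["missing_file"].append(name)    # points at no file in bin_dir
    detail = {
        "file_orphan": "file present, no dot_tools row",
        "unlinked_file": "dot_tools row has NULL file_path; file by that name on disk",
        "missing_file": "dot_tools row points at no file on disk",
    }
    conn.executemany(
        "INSERT INTO system_issues(kind, subject, detail) VALUES (?, ?, ?)",
        [(k, s, detail[k]) for k, subs in findings.items() for s in subs])
    conn.commit()
    return findings


def demo():
    """Constructed sample data: run both patches and return a summary."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE dot_tools (id INTEGER PRIMARY KEY, name TEXT NOT NULL, file_path TEXT);
    CREATE TABLE birth_registry (entity_table TEXT NOT NULL, entity_id INTEGER NOT NULL);
    CREATE TABLE system_issues (kind TEXT, subject TEXT, detail TEXT);
    """ + ORPHAN_VIEWS_DDL)
    bin_dir = tempfile.mkdtemp()                     # stand-in for /opt/incomex/dot/bin
    for fname in ("dot-register", "dot-scan", "dot-pivot-update", "dot-scan.bak"):
        open(os.path.join(bin_dir, fname), "w").close()
    # Rows: 1 born with file; 2 born but NULL file_path; 3 never born, file absent.
    conn.executemany("INSERT INTO dot_tools VALUES (?, ?, ?)", [
        (1, "dot-register", os.path.join(bin_dir, "dot-register")),
        (2, "dot-scan", None),
        (3, "dot-legacy", os.path.join(bin_dir, "dot-legacy")),
    ])
    # Births for rows 1 and 2, plus a phantom birth for a row (9) that no longer exists.
    conn.executemany("INSERT INTO birth_registry VALUES ('dot_tools', ?)",
                     [(1,), (2,), (9,)])
    orphan_rows = [r[0] for r in conn.execute(
        "SELECT name FROM v_birth_orphan ORDER BY name")]
    phantom_ids = [r[0] for r in conn.execute(
        "SELECT entity_id FROM v_birth_phantom ORDER BY entity_id")]
    fs = reconcile_filesystem(conn, bin_dir)
    issue_count = conn.execute("SELECT COUNT(*) FROM system_issues").fetchone()[0]
    shutil.rmtree(bin_dir)
    return {"orphan_rows": orphan_rows, "phantom_ids": phantom_ids,
            "fs": fs, "issue_count": issue_count}


if __name__ == "__main__":
    print(demo())
```

The reconciler deliberately compares full paths, not basenames, so a row whose file_path points outside the scanned directory is reported as missing rather than silently accepted; in the real patch the scope would be the bin directory named in item 2, and the .bak exclusion is the only filtering applied to what is on disk.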

Temporary guardrails (until the above lands)

  • RP DOT cleanup stays PAUSED (dot-pivot-update is not registered and apply_composition_fixes.sh is not run).
  • No manual DML on dot_tools/pivot_definitions; reviewer sign-off on any governed write.
  • Before any "all objects are managed" claim, run the doc-02/03 diffs by hand.
  • Treat dot-pivot-update as a staged file only; do not execute it as a DOT.

Next macro

BIRTH_ORPHAN_DETECTION_HARDENING_ROW_LEVEL_AND_FILESYSTEM — deliver patches 1–3 (row-level orphan/phantom views + filesystem reconciler + scanner scheduling) as read-only/inert additive DDL with rollback, clone-rehearsed, then owner-gated apply. Patches 4–9 follow as separate gated steps. Only after patch 1 (row-level orphan detection) is live does continuing RP DOT cleanup become reconsiderable.

Blockers

  • Hardening apply = owner-go (additive DDL on prod).
  • Governance onboarding activation = human L2/L4 ratification (ospa≥1) — unchanged, blocks only the governance layer.
knowledge/dev/reports/architecture/birth-governance-orphan-detection-systemic-automation-audit-2026-06-03/09-safe-path-forward.md