00 — README First

Macro: BIRTH_ORPHAN_BACKLOG_REMEDIATION_GATE_STAGE2_AND_RP_RETURN_READINESS Date: 2026-06-03 Final status: PARTIAL (all safe branches completed; remaining branches are owner/credential/structural-gated with exact next actions) Execution mode: EXECUTION_MODE (root ssh → docker postgres → psql workflow_admin, superuser, read-write; temp-in-rollback proven)

Headline

The previous macro installed the alarm system. This macro began clearing the alarms lawfully. One lawful, reversible, in-scope remediation was applied to production: 22 pivot_definitions rows were born through the proven birth mapping. birth_orphan_critical_active dropped 80 → 59. Every other BLOCK dimension is gated by something I am forbidden to fabricate (owner decision, admin credentials, or a structural schema migration), and each now carries an exact owner/operator action.

What changed live (production directus)

• +22 birth_registry rows for pivot_definitions (PIV-001..019, 021, 020, 102), via a backfill that exactly replicates fn_birth_registry_auto('code') (species=catalog, composition=atom, governance_role=governed), tagged dot_origin='BACKFILL:birth-orphan-remediation-2026-06-03'.
• Designed maintenance side-effects (fired by existing statement-level triggers, as on every birth): 27 pivot_results.needs_refresh flags set true; meta_catalog record_count updated.
• No business CONTENT was mutated. No row deleted/hidden. No exception added to game the guard.

What stayed report-only / blocked (with exact reason)

Dimension	Before	After	Why not cleared
birth_orphan_critical_active	80	59	54 iu_cmd (owner identity decision) + 5 pivot (entity_code-unique collision, structural)
birth_phantom_real	6	6	No lawful retirement mechanism exists; retire-vs-restore is an owner decision
fs_dot_file_no_registry	16	16	Governed registrar dot-dot-register needs admin creds (absent); files are live tools (no blind quarantine)
dot_pivot_update_not_governed	1	1	Full lawful birth+registry+governance path incomplete; kept blocked by design

RP decision

RP cleanup = NO-GO, enforced by the live fail-closed guard fn_assert_safe_for_dot_action() (still raises on 4 BLOCK dimensions). This is correct and acceptable: blockers were reduced and classified, not bypassed.

Document map

• 01 — live channel, safety-net, checkpoint confirmation
• 02 — Workstream A: dot_iu_command_catalog onboarding (BLOCKED_WITH_EXACT_REASON + packet)
• 03 — Workstream B: pivot_definitions backfill (22 born) + 5-collision structural defect
• 04 — Workstream C: 6 REAL_MISSING phantoms (classified; no retire mechanism → owner packet)
• 05 — Workstream D: 16 FILE_NO_REGISTRY (per-file classification; registrar-creds-gated)
• 06 — Workstream E: dot-pivot-update lawful route (stays blocked)
• 07 — Workstream F: governance row bridge + OSPA packet (bridge deferred; OSPA human-gated)
• 08 — Workstream G: Stage-2 birth gate readiness (no family clean → no activation)
• 09 — Workstream H: RP/DOT preflight before/after + decision
• 10 — remaining blockers & owner decisions (consolidated)
• 11 — rollback & disable package
• 12 — next macro / RP-return handoff
• 13 — final summary
• 14 — GPT MCP-readable checkpoint (also at the canonical checkpoint path)

SSOT note

The law file knowledge/dev/laws/prompt-muc-tieu-mo-for-claude-code.md was not present on local disk this session (the knowledge/dev/laws/ directory does not exist locally). The checkpoint checkpoint-safety-net-pass-2026-06-03.md was read and confirmed and is the operative SSOT; all counts were re-derived from live production, which is the final authority.