01 — Live Channel, Safety Net & Checkpoint Confirmation
Checkpoint confirmed
knowledge/dev/reports/architecture/checkpoint-safety-net-pass-2026-06-03.md read. It asserts
PASS_CONFIRMED, 16 KB docs, 10 live safety-net objects, zero business mutations from the prior apply,
RP NO-GO fail-closed, and 4 BLOCK dimensions (80 / 6 / 16 / 1). All re-verified live below.
Execution channel (live-verified 2026-06-03)
| Check | Result |
|---|---|
| ssh root works | ✅ uid=0(root) |
| docker exec postgres works | ✅ container present |
| psql user | workflow_admin |
| rolsuper | ✅ t (superuser) |
| transaction_read_only | off (read-write) |
| temp create/insert/drop inside rollback txn | ✅ succeeded then ROLLBACK clean |
Classification: EXECUTION_MODE.
Existing safety net (all 10 objects live)
Views: v_birth_orphan, v_birth_phantom, v_birth_coverage_status, v_dot_fs_reconciliation,
v_dot_registry_no_file, v_dot_pivot_update_status — all present and returning data.
Tables: _recon_dot_fs_inventory (287 rows, last collected 2026-06-03 08:27:30+00),
_preflight_accepted_exceptions (1 seed). Functions: fn_preflight_guard(),
fn_assert_safe_for_dot_action() — both present.
Current BLOCK counts — BEFORE (live, pre-remediation)
| check_name | cnt | status |
|---|---|---|
| birth_orphan_critical_active | 80 | BLOCK |
| birth_phantom_real | 6 | BLOCK |
| fs_dot_file_no_registry | 16 | BLOCK |
| dot_pivot_update_not_governed | 1 | BLOCK |
| fs_snapshot_present | 287 | PASS |
| governance_owner_gap | 210 | WARN |
| governance_gate_ospa | 0 | CLOSED |
| birth_phantom_investigate | 0 | WARN |
Decomposition: orphan_critical_active 80 = 54 dot_iu_command_catalog + 26 active pivot_definitions
(27 total pivot unborn, 1 inactive). Phantom: 283 SYNTHETIC_TEST + 6 REAL_MISSING.
Guard fail-closed (BEFORE) — proven
SELECT fn_assert_safe_for_dot_action() →
ERROR: PREFLIGHT BLOCKED — resolve before any DOT/RP mutation: birth_orphan_critical_active=80, birth_phantom_real=6, fs_dot_file_no_registry=16, dot_pivot_update_not_governed=1.
Birth machinery learned (drives all remediation)
- fn_birth_registry_auto(code_field): AFTER INSERT trigger. entity_code = NEW.<code_field> (synthetic table::id fallback). Looks up species from species_collection_map (is_primary) → entity_species.composition_level, governance_role from collection_registry. Inserts with ON CONFLICT (entity_code) DO NOTHING. birth_registry UNIQUE is on entity_code ALONE (birth_registry_entity_code_unique), not composite with collection_name. This is the root of the 5-pivot collision (doc 03).
- birth_registry triggers: trg_birth_auto_certify (BEFORE UPDATE only — does not fire on INSERT), trg_birth_change_flag_matrix (AFTER stmt → flips pivot_results.needs_refresh), trg_count_birth_registry (AFTER stmt → update_record_count on meta_catalog). All are designed maintenance; they fire on every birth.
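
The collision mechanism described above, reproduced on constructed temp objects as an added example (not the project's schema or trigger code). Every demo_* name, the pg_temp function and the sample code 'PIV-001' are assumptions; it assumes PostgreSQL 11+ and runs entirely inside a transaction that is rolled back.

```sql
-- Added illustration: constructed temp objects only, nothing persists.
BEGIN;

CREATE TEMP TABLE demo_birth_registry (
    entity_code     text NOT NULL,
    collection_name text NOT NULL,
    -- Uniqueness on entity_code ALONE, as the report describes.
    CONSTRAINT demo_birth_entity_code_unique UNIQUE (entity_code)
);

CREATE TEMP TABLE demo_collection_a (code text PRIMARY KEY);
CREATE TEMP TABLE demo_collection_b (code text PRIMARY KEY);

-- Simplified stand-in for the AFTER INSERT birth trigger: read the code from
-- the column named in the trigger argument, insert, and ignore any conflict.
CREATE FUNCTION pg_temp.demo_birth_auto() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO demo_birth_registry (entity_code, collection_name)
    VALUES (to_jsonb(NEW) ->> TG_ARGV[0], TG_TABLE_NAME)
    ON CONFLICT (entity_code) DO NOTHING;
    RETURN NULL;  -- return value is ignored for AFTER row triggers
END $$;

CREATE TRIGGER trg_demo_birth_a AFTER INSERT ON demo_collection_a
    FOR EACH ROW EXECUTE FUNCTION pg_temp.demo_birth_auto('code');
CREATE TRIGGER trg_demo_birth_b AFTER INSERT ON demo_collection_b
    FOR EACH ROW EXECUTE FUNCTION pg_temp.demo_birth_auto('code');

-- The same code is born in two different collections.
INSERT INTO demo_collection_a VALUES ('PIV-001');
INSERT INTO demo_collection_b VALUES ('PIV-001');

-- Neither INSERT raises an error, so the dropped birth is invisible to the
-- writer. Detection: source rows with no birth row for their OWN collection.
SELECT s.collection_name, s.code
FROM (SELECT 'demo_collection_a' AS collection_name, code FROM demo_collection_a
      UNION ALL
      SELECT 'demo_collection_b', code FROM demo_collection_b) AS s
LEFT JOIN demo_birth_registry AS b
       ON b.entity_code = s.code
      AND b.collection_name = s.collection_name
WHERE b.entity_code IS NULL;

ROLLBACK;
```

Joining on entity_code alone would hide the gap, because the surviving row from the first collection would match the second collection's code as well.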