KB-3AED

Birth/Orphan/DOT-Filesystem Hardening Macro — 00 README FIRST

Revision 1
Tags: birth-registry, orphan-detection, phantom, filesystem-dot, governance-onboarding, preflight-guard, dot-pivot-update, hardening, 2026-06-03

00 — README FIRST — Birth/Orphan/DOT-Filesystem Hardening Macro

Date: 2026-06-03 · Status: PARTIAL · Execution mode: AUTHOR_MODE_ONLY + OPERATOR_HANDOFF · Prod mutations: 0

What this macro did

Continues the prior birth-governance-orphan-detection-systemic-automation-audit (which was a PARTIAL audit) by building the minimum safety-net package that makes silent unbirth/orphan/phantom/filesystem-DOT drift detectable, and classifies the staged dot-pivot-update artifact. All findings were re-verified live against prod directus (read-only query_pg); the old reports are treated as evidence only, and where they disagree with the live data, the live numbers win.

Headline live numbers (2026-06-03, prod directus)

  • birth_registry = 1,121,469 rows / 79 collections / 0 null code (grew from 1,116,379, so the system is live).
  • Critical unborn (row exists, no birth): pivot_definitions 26, dot_iu_command_catalog 54, dot_tools 0 → 80 critical unborn in total.
  • Critical phantom (birth exists, entity gone): dot_tools 283 — overwhelmingly SYNTHETIC_TEST (CHAOS-R3-CDX-E2-*, dot_origin DOT-001|codex), 0 real-missing sampled.
  • Collection grain: 82 of 147 managed collections have ZERO birth rows.
  • dot_iu_command_catalog is triple-absent: not in collection_registry, not in meta_catalog, no birth trigger → fully outside the system (the smoking gun, confirmed).
  • Birth gate (fn_birth_gate) present only on collection_registry + dot_tools; default mode warning (advisory); kill-switch GUC app.bypass_birth_gate; null-code skip. All birth-governed tables owned by app-role directus (bypass surface).
  • Governance: ownership 0, ospa=0 (gate CLOSED), inventory 35 (collection-grain, 1 object_type), owner_gap 210, candidates 0, rulesets 0, no scan_run/cursor tables, pg_cron NOT installed.
  • dot-pivot-update: 0 rows in dot_tools → not registered; filesystem dir /opt/incomex/dot/bin unreadable from Agent channel (read_file allowlist denies).

dot-pivot-update final classification

STAGED_FILE_ONLY / UNBORN / NOT_VALID_DOT. Must not be registered/executed/used for RP cleanup.

Deliverables (all AUTHOR_MODE — nothing applied live)

SQL package: …/birth-orphan-dot-filesystem-hardening-macro-2026-06-03/sql/ (local). All read-only views + dedicated staging/ledger tables, each with exact rollback. See report 12 for hashes.

  • 01_detector_views.sql: v_birth_orphan, v_birth_phantom, v_birth_coverage_status (P1)
  • 02_filesystem_reconciler.sql + collect_dot_bin_inventory.sh (P2)
  • 03_birth_gate_hardening.sql (P3, staged, per-collection policy)
  • 04_backfill_engine.sql (P4, ledger+cursor, label-before-write)
  • 05_governance_row_bridge.sql (P5, row-grain inventory/gap)
  • 06_preflight_guard.sql (P6, fn_assert_safe_for_dot_action)
  • 99_rollback_all.sql
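Sketch of the three P1 detector views for one collection (dot_tools), added here as an illustration only; this is not the macro's own 01_detector_views.sql. The column names (collection, entity_id, code), the dot_tools and collection_registry shapes, and the assumption that the CHAOS-R3-CDX-E2-* marker lives in the birth code are all assumptions, not taken from the page.

```sql
-- Assumed schema (not from the page):
--   birth_registry(collection text, entity_id text, code text)
--   dot_tools(id text)
--   collection_registry(collection text)
-- All three views are read-only; rollback is the DROP VIEW at the bottom.

-- Orphan (critical unborn): entity row exists, no birth row for it.
CREATE OR REPLACE VIEW v_birth_orphan AS
SELECT 'dot_tools' AS collection, t.id AS entity_id
FROM dot_tools t
LEFT JOIN birth_registry b
       ON b.collection = 'dot_tools' AND b.entity_id = t.id
WHERE b.entity_id IS NULL;

-- Phantom: birth row exists, entity is gone. Synthetic test births are
-- labelled, not dropped, so "real-missing" can be counted separately.
CREATE OR REPLACE VIEW v_birth_phantom AS
SELECT b.collection,
       b.entity_id,
       b.code,
       (b.code LIKE 'CHAOS-R3-CDX-E2-%') AS synthetic_test
FROM birth_registry b
LEFT JOIN dot_tools t ON t.id = b.entity_id
WHERE b.collection = 'dot_tools' AND t.id IS NULL;

-- Coverage status per managed collection (the "82 of 147 with ZERO birth rows" grain).
-- Caveat: a collection absent from collection_registry never appears here at all,
-- which is exactly the triple-absent dot_iu_command_catalog case; that gap must be
-- closed on the registry side, this view cannot see it.
CREATE OR REPLACE VIEW v_birth_coverage_status AS
SELECT r.collection,
       COUNT(b.entity_id) AS birth_rows,
       CASE WHEN COUNT(b.entity_id) = 0 THEN 'UNCOVERED' ELSE 'COVERED' END AS status
FROM collection_registry r
LEFT JOIN birth_registry b ON b.collection = r.collection
GROUP BY r.collection;

-- Rollback (exact inverse of the three statements above):
-- DROP VIEW IF EXISTS v_birth_coverage_status, v_birth_phantom, v_birth_orphan;
```

A production version would generate the orphan/phantom pair per governed collection from the registry rather than hard-coding dot_tools.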

Reading order

01 (contract+mode) → 02 (coverage matrix) → 03 (detector) → 04 (FS reconciler) → 05 (gate hardening) → 06 (backfill) → 07 (gov row bridge) → 08 (preflight/scheduler) → 09 (quarantine + dot-pivot-update) → 10 (mistake-test matrix) → 11 (GO/NO-GO) → 12 (final summary).

Bottom line

RP cleanup remains NO-GO. The safety net is fully authored with exact apply/rollback + operator handoff, but not live (Agent channel is read-only; no DDL/filesystem write). Returning to RP requires an owner to apply 01/02/06 (safe, read-only views) and confirm preflight before any DOT/RP write.

Path: knowledge/dev/reports/architecture/birth-orphan-dot-filesystem-hardening-macro-2026-06-03/00-readme-first.md