KB-7595
06 — Birth Gate Critical-Family Readiness (no gate change; staged map)
Revision 1
birth-gate fn_birth_gate critical-family staged-activation advisory 2026-06-03
06 — Birth Gate Critical-Family Readiness
No gate change was made (P3 forbidden in scope). This is the staged readiness map only.
Current fn_birth_gate behavior (verified live, source read)
- KILL SWITCH: app.bypass_birth_gate IN ('true','1') → RETURN NEW (bypass)
- Skips if NEW.code IS NULL or '' (null-code skip)
- Runs fn_pre_birth_check() 5 checks
- Mode: app.birth_gate_mode default 'warning' → RAISE WARNING (advisory); only 'blocking' → RAISE EXCEPTION (blocks)
So today the gate is advisory: bypassable (GUC), skippable (null code), and non-blocking by default.
fn_pre_birth_check 5 checks
- collection ∈ meta_catalog with identity_class='managed'
- _dot_origin non-empty
- code matches ^[A-Z]+-[0-9]+$
- name not duplicate (if table has name)
- code not duplicate
Gate trigger coverage (live)
| table | birth-auto trigger | gate trigger |
|---|---|---|
| dot_tools | yes | yes |
| collection_registry | yes | yes |
| pivot_definitions | yes | NO |
| dot_iu_command_catalog | NO | NO |
Bypass risk: dot_tools/pivot/birth tables owned by app-role directus; workflow_admin is superuser → SET app.bypass_birth_gate, ALTER TABLE … DISABLE TRIGGER, direct DML all possible.
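A read-only audit of the coverage and bypass surface described above, as an added example that is not the project's own tooling. It assumes PostgreSQL 9.6 or later and that the gate triggers call a function named fn_birth_gate; everything else comes from the system catalogs.

```sql
-- Added example (not project code). Read-only; system catalogs only.
-- 1) Gate trigger presence and state for each family named on this page.
WITH families(relname) AS (
  VALUES ('dot_tools'), ('collection_registry'),
         ('pivot_definitions'), ('dot_iu_command_catalog')
),
gate AS (
  -- Assumption: the gate trigger is any user trigger that calls fn_birth_gate.
  SELECT t.tgrelid, t.tgname, t.tgenabled
  FROM pg_trigger t
  JOIN pg_proc p ON p.oid = t.tgfoid
  WHERE NOT t.tgisinternal
    AND p.proname = 'fn_birth_gate'
)
SELECT f.relname                   AS family,
       n.nspname                   AS table_schema,
       pg_get_userbyid(c.relowner) AS table_owner,
       g.tgname                    AS gate_trigger,
       CASE
         WHEN c.oid IS NULL     THEN 'TABLE NOT FOUND'
         WHEN g.tgname IS NULL  THEN 'NO GATE TRIGGER'
         WHEN g.tgenabled = 'D' THEN 'DISABLED'      -- ALTER TABLE ... DISABLE TRIGGER
         WHEN g.tgenabled = 'R' THEN 'REPLICA-ONLY'  -- does not fire in normal sessions
         ELSE 'enabled'
       END                         AS gate_state
FROM families f
LEFT JOIN pg_class c     ON c.relname = f.relname AND c.relkind IN ('r', 'p')
LEFT JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN gate g         ON g.tgrelid = c.oid
ORDER BY f.relname;

-- 2) GUC values as this session sees them (NULL or '' means unset).
SELECT current_setting('app.bypass_birth_gate', true) AS bypass_guc,
       current_setting('app.birth_gate_mode', true)   AS mode_guc;

-- 3) Persisted per-role / per-database overrides of either GUC.
SELECT coalesce(r.rolname, '(all roles)')     AS role_name,
       coalesce(d.datname, '(all databases)') AS db_name,
       cfg                                    AS setting
FROM pg_db_role_setting s
LEFT JOIN pg_roles r    ON r.oid = s.setrole
LEFT JOIN pg_database d ON d.oid = s.setdatabase
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE split_part(cfg, '=', 1) IN ('app.bypass_birth_gate', 'app.birth_gate_mode');

-- 4) Superuser roles: these can disable triggers or set either GUC
--    regardless of table ownership.
SELECT rolname FROM pg_roles WHERE rolsuper ORDER BY rolname;
```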
Staged activation matrix
| Stage | Action | Safe now? | Precondition |
|---|---|---|---|
| 1 report-only | keep warning; rely on fn_preflight_guard for visibility | ✅ yes (done) | none |
| 2 block critical families | app.birth_gate_mode='blocking' for dot_tools+collection_registry only | ⚠️ not yet | backlog of those families triaged to zero unknowns; gate trigger present (it is) |
| 3 broader rollout | add gate trigger to pivot_definitions, dot_iu_command_catalog; enable blocking globally | ❌ no | see per-family blockers below |
Per-family readiness
| Family | Gate present | Ready to block? | "Do not enable yet because…" |
|---|---|---|---|
| dot_tools | yes | partial | 16 fs FILE_NO_REGISTRY + 45 dup names unresolved; new inserts already gate-checked |
| collection_registry | yes | partial | 3 REAL_MISSING (COL-*) births stranded; 25 BIRTH_REQUIRED zero-birth |
| pivot_definitions | no | no | no gate trigger; 27 unborn rows would all fail check-1/3 if gated; lawful path = DOT |
| dot_iu_command_catalog | no | no | triple-absent: not in meta_catalog (check-1 fails), command_name not PREFIX-NNN (check-3 fails), no trigger. Must register collection + add meta + define code strategy FIRST |
| registry tables | n/a | n/a | covered by collection_registry |
| filesystem DOT lifecycle | n/a | no | birth is DB-row only; fs has no gate — needs reconciler-driven onboarding |
"Can enable Stage 2 after…"
- The 16 FILE_NO_REGISTRY are registered (lawful DOT) or quarantined.
- The 6 REAL_MISSING births are retired/restored.
- Rollback of a blocking flip is proven (it is trivial: SET app.birth_gate_mode='warning').
- dot_iu_command_catalog is registered before it is ever gated (else every insert blocks).
This macro does not enable blocking. Legacy backlog is still unknown/untriaged at row grain.