KB-1A4B
08 — Mandatory RP/DOT Preflight Gate (fn_assert_safe_for_dot_action; fail-closed exit 3)
3 min read Revision 1
preflight-guard, fn_assert_safe_for_dot_action, fail-closed, block-dimensions, rp-gate, 2026-06-03
08 — Mandatory RP/DOT Preflight Gate
LIVE. fn_assert_safe_for_dot_action() is the hard gate every future RP/DOT mutation must pass.
How to use (first statement of any RP/DOT change)
```sql
BEGIN;
SELECT fn_assert_safe_for_dot_action(); -- raises EXCEPTION → aborts txn if unsafe
-- ... lawful DOT-driven change ...
COMMIT;
```
Operator one-liner:
```bash
ssh contabo 'bash -s' < operator_bundle/05_run_rp_dot_preflight_guard.sh ; echo rc=$?
```
(exit 0 = SAFE, exit 3 = BLOCKED).
Dimensions (live output 2026-06-03)
| check_name | cnt | severity | status |
|---|---|---|---|
| birth_orphan_critical_active | 80 | critical | BLOCK |
| birth_phantom_real | 6 | high | BLOCK |
| fs_dot_file_no_registry | 16 | high | BLOCK |
| dot_pivot_update_not_governed | 1 | high | BLOCK |
| fs_snapshot_present | 287 | high | PASS |
| birth_phantom_investigate | 0 | medium | WARN |
| governance_owner_gap | 210 | medium | WARN |
| governance_gate_ospa | 0 | info | CLOSED |
Fail-closed behavior (proven live)
```sql
SELECT fn_assert_safe_for_dot_action();
```
```
ERROR: PREFLIGHT BLOCKED — resolve before any DOT/RP mutation:
birth_orphan_critical_active=80, birth_phantom_real=6,
fs_dot_file_no_registry=16, dot_pivot_update_not_governed=1
```
Script exit code = 3. Confirmed end-to-end.
The guard fails closed when:
- any BLOCK dimension is non-zero (incl. the four above), OR
- fs_snapshot_present = 0 (a stale or absent filesystem snapshot is itself unsafe; the fs_snapshot_present dimension is BLOCK when 0), OR
- the guard cannot run at all (psql error → non-zero exit → the caller must treat it as NO-GO).
What clears each BLOCK (smallest action)
| Dimension | Clears when |
|---|---|
| birth_orphan_critical_active=80 | 54 iu_cmd registered+born (after collection onboarding) + 26 active pivot born via DOT |
| birth_phantom_real=6 | 6 stranded births (COL-/SPE-) retired or restored (owner) |
| fs_dot_file_no_registry=16 | 16 scripts registered via lawful DOT or quarantined+accepted |
| dot_pivot_update_not_governed=1 | dot-pivot-update registered+governed via lawful DOT (NOT in this macro) |
Integration note for future DOT/RP commands
Wrap mutating DOT/RP commands so they call fn_assert_safe_for_dot_action() inside their
opening transaction. Re-load the fs snapshot (03_load…) before relying on fs dimensions —
a stale snapshot trips fs_snapshot_present. Accepted exceptions go in
_preflight_accepted_exceptions (seeded with the SYNTHETIC_TEST acceptance).
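The wrapping pattern above, together with the fail-closed rule (a psql error is NO-GO, never SAFE), as an added example; it is not the operator bundle's own 05_run_rp_dot_preflight_guard.sh and not part of this KB entry. It assumes psql with the connection taken from the PG* environment, an assumed PREFLIGHT_RUNNER knob so a stub can stand in for psql, and a placeholder table name dot_registry in the demo mutation. The three stubs are constructed stand-ins for psql outcomes so the script runs offline. For contrast it also shows the grep-only decision that fails open when psql cannot connect or is not installed.

```shell
#!/bin/sh
# Added example (not the operator bundle's 05_run_rp_dot_preflight_guard.sh): a fail-closed
# caller for fn_assert_safe_for_dot_action(). Assumed, not stated on the KB page: the database
# is reached through psql with the connection from the PG* environment, and the gated
# mutation is handed in as a SQL string.
set -u

# The transaction the KB prescribes: the gate call is the first statement, so a raised
# EXCEPTION aborts the transaction before the mutation ever runs.
build_gated_sql() {
  printf 'BEGIN;\nSELECT fn_assert_safe_for_dot_action();\n%s\nCOMMIT;\n' "$1"
}

# Run SQL from stdin. With ON_ERROR_STOP set, psql stops at the first error and exits 3;
# it exits 2 when the connection went bad and 0 only when every statement succeeded.
# PREFLIGHT_RUNNER is an assumed knob that lets the constructed stubs below replace psql.
run_sql() {
  ${PREFLIGHT_RUNNER:-psql -X -q -v ON_ERROR_STOP=1}
}

# Anti-pattern, kept for contrast: deciding from the error text alone. When psql cannot
# connect (or is missing) no "PREFLIGHT BLOCKED" line is ever printed, so this judges the
# change SAFE. It fails open.
naive_gate() {
  local out
  out=$(build_gated_sql "$1" | run_sql 2>&1)
  if printf '%s\n' "$out" | grep -q 'PREFLIGHT BLOCKED'; then return 3; fi
  return 0
}

# Fail-closed caller: only psql rc 0 is SAFE. BLOCKED, a connection failure, a missing
# binary and any other surprise all map to exit 3 = NO-GO, the operator script's convention.
gated_mutation() {
  local out rc
  out=$(build_gated_sql "$1" | run_sql 2>&1)
  rc=$?
  case $rc in
    0) echo "SAFE: gate passed, mutation committed"; return 0 ;;
    3) if printf '%s\n' "$out" | grep -q 'PREFLIGHT BLOCKED'; then
         echo "BLOCKED: $out"
       else
         echo "NO-GO: a statement failed after the gate, transaction aborted: $out"
       fi
       return 3 ;;
    2) echo "NO-GO: could not reach the database (psql rc=2): $out"; return 3 ;;
    *) echo "NO-GO: guard could not run (rc=$rc): $out"; return 3 ;;
  esac
}

# Constructed stand-ins for psql: each consumes the SQL on stdin and mimics one outcome.
stub_psql_safe() { cat >/dev/null; return 0; }
stub_psql_blocked() {
  cat >/dev/null
  echo 'psql:<stdin>:2: ERROR:  PREFLIGHT BLOCKED: resolve before any DOT/RP mutation: birth_phantom_real=6' >&2
  return 3
}
stub_psql_no_connection() {
  cat >/dev/null
  echo 'psql: error: connection to server failed: Connection refused' >&2
  return 2
}

# Runs the hardened caller against each stub (and a nonexistent binary) so the exit
# mapping can be read off directly; dot_registry is a placeholder table name.
demo() {
  for runner in stub_psql_safe stub_psql_blocked stub_psql_no_connection no_such_psql_binary; do
    PREFLIGHT_RUNNER=$runner
    gated_mutation "UPDATE dot_registry SET governed = true WHERE name = 'dot-pivot-update';" || :
  done
}
```

Call `demo` to see all four outcomes; in production leave PREFLIGHT_RUNNER unset so the real psql is used. The mapping relies on documented psql behaviour: with ON_ERROR_STOP set psql exits 3 on a script error, 2 when the connection is lost, and 0 only on full success, so the gate's raised EXCEPTION, the mutation's own failure and an unreachable server are all distinguishable yet all land on NO-GO.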