KB-79FD
Stage 0 — 01 Dangerous DOT Inventory
Revision 1
birth-gateway stage0 dot-inventory 2026-06-06
01 — Dangerous Birth DOT Inventory + Risk Classification (Supertrack A)
Method: grep-swept all of /opt/incomex/dot/bin (excl .bak) for CREATE OR REPLACE FUNCTION fn_birth*, INSERT INTO birth_registry, and fn_birth_registry_auto; cross-checked against dot_tools (8 birth rows). All 15 birth/collection/species DOTs were source-resolved → 0 UNKNOWN_BLOCKED. Views: v_birth_dangerous_dot_inventory, v_birth_dangerous_dot_risk_classification.
Classification result (live)
| risk_class | severity | disposition | count |
|---|---|---|---|
| DANGEROUS_CAN_REDEFINE_GATEWAY | CRITICAL | FROZEN | 1 |
| DANGEROUS_CAN_BACKFILL_BROKEN | HIGH | FROZEN | 1 |
| DANGEROUS_CAN_REDEFINE_GATEWAY | MEDIUM | MONITORED_NOT_FROZEN | 1 |
| SAFE_RECONCILE_ONLY | LOW | DEGRADES_GRACEFULLY | 1 |
| SAFE_RECONCILE_ONLY | NONE | NO_ACTION | 11 |
The dangerous set (evidence)
- dot-birth-trigger-setup (DOT-119; md5 a0b926d3fd373b8995aea2f4e8136e01) — CRITICAL. Line 113 `CREATE OR REPLACE FUNCTION fn_birth_registry_auto()` (OLD logic: looks up `governance_role` only; NO `coverage_status`/`BIRTH_EXEMPT`); lines 224-227 DROP/CREATE TRIGGER. Running it reverts the live guarded gateway across 166 triggers / 148 tables → reopens birth/object pollution for 36 EXEMPT + 58 DEFERRED collections. FROZEN.
- dot-birth-backfill (DOT-118; md5 f04cdbf5363a67cd837fdad9d649df2a) — HIGH. Line 124 `INSERT INTO birth_registry`, executed via docker psql line 191; no `coverage_status` filter; incompatible with 22/36 governed collections (per side-door audit) → can partially execute. FROZEN.
- dot-schema-birth-registry-ensure (DOT-133; md5 961de373ffbe885e7869726fcccfaea6) — MEDIUM. Line 491 `CREATE OR REPLACE FUNCTION fn_birth_auto_certify()` — an auxiliary auto-certify function, NOT the pollution gateway, and it does not redeploy triggers; schema/meta only. MONITORED, not frozen (no pollution path). Fix in Stage 1 (move fn to release).
Degrades-gracefully
- dot-collection-create — invokes `dot-birth-trigger-setup` at lines 351-352 behind `[[ -x ... ]]` with `2>/dev/null || true`. With trigger-setup frozen, it runs the inert wrapper (exit 3), swallows it, and continues — the dangerous gateway-redefine step is skipped. No break.
Safe (grep-swept clean of fn_birth* redefine + birth INSERT)
dot-collection-register, dot-collection-field-sync, dot-collection-health, dot-coverage-inspector, dot-inspect-pen, dot-nrm-lifecycle, dot-schema-registry-collections-ensure, dot-schema-species-ensure, dot-schema-species-tree-ensure, dot-species-map, dot-species-register.
Completion: No dangerous birth DOT remains unknown (0 UNKNOWN_BLOCKED).
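
The sweep described under Method, as an added example (not the project's own tooling): it classifies each script by the statements the page greps for, skips `.bak` files, and lists scripts that reference a dangerous DOT by name, the case dot-collection-create illustrates. The function names, the first-match-wins ordering and the sample scripts are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Patterns and risk_class names come from the page;
# the sample scripts and function names are constructed for illustration.

classify_dot() {  # $1 = script path; prints one risk_class (first match wins)
  if grep -Eiq 'CREATE[[:space:]]+OR[[:space:]]+REPLACE[[:space:]]+FUNCTION[[:space:]]+fn_birth' "$1"; then
    echo DANGEROUS_CAN_REDEFINE_GATEWAY
  elif grep -Eiq 'INSERT[[:space:]]+INTO[[:space:]]+birth_registry' "$1"; then
    echo DANGEROUS_CAN_BACKFILL_BROKEN
  else
    echo SAFE_RECONCILE_ONLY
  fi
}

sweep_dir() {  # $1 = directory; prints name, risk_class, md5 per script, skipping *.bak
  local f
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.bak) continue ;; esac
    printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_dot "$f")" \
      "$(md5sum "$f" | cut -d' ' -f1)"
  done
}

callers_of() {  # $1 = dangerous script name, $2 = directory; prints scripts that reference it
  local f
  for f in "$2"/*; do
    case "$f" in *.bak|*/"$1") continue ;; esac
    grep -Fq -- "$1" "$f" && basename "$f"
  done
  return 0
}

make_sample() {  # writes constructed sample scripts; prints the temp directory
  local d; d=$(mktemp -d)
  echo 'psql -c "CREATE OR REPLACE FUNCTION fn_birth_registry_auto() ..."' > "$d/dot-birth-trigger-setup"
  echo 'psql -c "INSERT INTO birth_registry SELECT ..."' > "$d/dot-birth-backfill"
  echo '[[ -x ./dot-birth-trigger-setup ]] && ./dot-birth-trigger-setup 2>/dev/null || true' > "$d/dot-collection-create"
  echo 'echo health check' > "$d/dot-collection-health"
  echo 'INSERT INTO birth_registry ...' > "$d/dot-old.bak"
  echo "$d"
}

demo_dir=$(make_sample)
sweep_dir "$demo_dir"                              # one row per non-.bak script
callers_of dot-birth-trigger-setup "$demo_dir"     # indirect invokers
rm -rf "$demo_dir"
```

A name match only shows that a caller exists; whether the call is guarded, as at lines 351-352 of dot-collection-create, still needs a read of the call site.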