02 — Gateway SSOT Drift Detector (Supertrack B)

Goal: make it machine-visible if the live gateway diverges from the approved SSOT. Views: v_birth_gateway_runtime_contract, v_birth_gateway_ssot_drift_detector, v_birth_gateway_no_old_function_guard.

Live contract captured (2026-06-06)

function	src_len	coverage_status	BIRTH_EXEMPT	ON CONFLICT	norm-md5
fn_birth_registry_auto	1754	true	true	true	c022f849c2c7d57a720c4cc172789d70
fn_birth_registry_auto_id	1202	false	false	true	5d5c07212bcec75b682842f97d662d23

fn_birth_registry_auto is the GUARDED (patched) gateway; fn_birth_registry_auto_id serves only 3 BIRTH_REQUIRED tables (governance_relations, law_dot_enforcement, law_jurisdiction) so it legitimately needs no exempt guard (requires_exempt_guard=false).

DOT-embedded source (the drift source)

The body inside dot-birth-trigger-setup (and its quarantined copy) is the OLD fn_birth_registry_auto: it looks up governance_role only — coverage_status occurrences = 0, BIRTH_EXEMPT occurrences = 0 (verified on the file). If installed, the live function loses both markers.

Drift logic + teeth

• v_birth_gateway_no_old_function_guard = PASS iff live fn_birth_registry_auto has coverage_status AND BIRTH_EXEMPT AND ON CONFLICT. Currently PASS.
• v_birth_gateway_ssot_drift_detector per fn: DRIFT_GUARD_MISSING if the required exempt guard markers are absent; DRIFT_HASH_CHANGED if the normalized hash != approved; else OK. Currently both OK.
• Teeth proven: because the embedded body has 0 occurrences of the guard markers, installing it forces has_coverage_status=false → guard flips to FAIL_OLD_GATEWAY_DETECTED and drift to DRIFT_GUARD_MISSING. The guard is not cosmetic.

Completion: if the old gateway reappears, the guard fails. Stage 1 upgrades the baked baseline to an append-only contract registry.