09 — Safe Patch Plan

Apply-ready design only. Not applied.

1. Containment: through approved DOT/config, temporarily switch H11a from detect-and-fix to detect-only or suppress only heal_description_basic. Keep the wider executor running.
2. Semantic issue idempotency: generate stable key from source + entity_type + entity_code + issue_type; upsert; one active issue per key; repeats update last_seen_at, occurrence_count, run_id, evidence.
3. Birth policy enforcement: update fn_birth_registry_auto() through reviewed migration to fail closed/skip for BIRTH_EXEMPT% and BIRTH_DEFERRED%.
4. Trigger reconciliation through DOT: remove birth_trigger_entity_labels, birth_trigger_registry_changelog, and one duplicate system_issues birth trigger.
5. Preserve history: do not delete existing births/issues/labels/changelog; classify historical invalid births through views/flags.
6. Monitoring: no exempt births, no trigger-policy contradictions, no duplicate active semantic issues, birth-rate/top-source guards.

No-go if approved DOT/migration, backup/rollback proof, semantic-key review, or rehearsal verification is missing.

Rollback restores prior function/index/trigger definitions captured before apply. Production PASS requires one approved H11a cycle plus one scheduled 3-hour cycle with zero new births for unchanged findings and zero births from exempt collections.