KB-3BDF

Stage 1 Report 02 — Gateway Release Registry

Revision 1

Stage 1 — 02 Gateway SSOT Release Registry (Supertrack B)

Goal achieved

There is now ONE live, runtime-visible place to check which gateway contract is current, with machine-detectable, fail-closed semantic drift.

Table: birth_gateway_release_registry (append-only by convention)

Columns: id, release_version, fn_name, source_kind, git_ref, norm_md5, norm_sha256 (semantic SHA-256 of normalized source), full_md5, policy_version, install_status, requires_exempt_guard, approved_by, approved_at, verified_at, notes.

Normalization (identical to the Stage 0 drift detector): md5(regexp_replace(lower(src),'\s+',' ','g')) and encode(sha256(convert_to(normalized,'UTF8')),'hex'), where normalized is the same lower-cased, whitespace-collapsed string. Large source blobs are NOT stored; only the normalized semantic hashes and metadata are kept.

Seed (release v1-stage1-2026-06-06, 5 rows, INSERT 0 5)

Tracks fn_birth_policy_decision, fn_birth_resolve_identity, fn_birth_register, fn_birth_registry_auto, fn_birth_registry_auto_id. requires_exempt_guard=true only for fn_birth_registry_auto. Seeded from live capture at apply time; idempotent (guarded by NOT EXISTS on release_version).

Views

  • v_birth_gateway_release_current — DISTINCT ON (fn_name) latest live row per fn.
  • v_birth_gateway_release_drift_guard — recomputes the live normalized SHA-256 per fn and compares to the approved row. drift_status ∈ {OK, MISSING_LIVE_FN, DRIFT_GUARD_MISSING (exempt markers gone), DRIFT_HASH_CHANGED}.
  • v_birth_gateway_contract_integrity_dashboard — one-row roll-up.

Live result

Metric       Value
tracked_fns  5
ok_fns       5
drift_fns    0
all_ok       true

Per-fn drift_status: all 5 = OK. fn_birth_registry_auto requires_exempt_guard=t, has_cov=t, has_exempt=t.

Teeth

The Stage 0 drift detector (baked-constant approved hashes) is retained; this registry-backed guard supersedes it by reading the approved hash from the append-only table — so a future approved release rotates the contract without editing a view. Any live function whose normalized source diverges from the approved row, or that loses the coverage_status/BIRTH_EXEMPT markers, flips drift_status non-OK and all_ok=false (fail-closed). This is the same mechanism that would catch a re-installed old gateway from the (frozen) DOT.
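
The normalization and the fail-closed drift classification described above, reimplemented offline in Python as an added example (this is not the project's view code). The order in which the checks are applied, the substring test for the markers, the treatment of an empty registry, and the sample function bodies are assumptions made for illustration.

```python
import hashlib
import re

def normalize(src: str) -> str:
    # Same steps as regexp_replace(lower(src), '\s+', ' ', 'g'); re.ASCII limits
    # \s to ASCII whitespace (assumption: close to the database's behaviour).
    return re.sub(r"\s+", " ", src.lower(), flags=re.ASCII)

def norm_sha256(src: str) -> str:
    return hashlib.sha256(normalize(src).encode("utf-8")).hexdigest()

def drift_status(approved: dict, live_src) -> str:
    # Precedence of the checks is an assumption; the page only lists the statuses.
    if live_src is None:
        return "MISSING_LIVE_FN"
    if approved["requires_exempt_guard"]:
        # Assumed marker test: plain substring presence (has_cov / has_exempt).
        if "coverage_status" not in live_src or "BIRTH_EXEMPT" not in live_src:
            return "DRIFT_GUARD_MISSING"
    if norm_sha256(live_src) != approved["norm_sha256"]:
        return "DRIFT_HASH_CHANGED"
    return "OK"

def dashboard(approved_rows: dict, live_sources: dict) -> dict:
    statuses = {fn: drift_status(row, live_sources.get(fn))
                for fn, row in approved_rows.items()}
    ok = sum(s == "OK" for s in statuses.values())
    # Fail-closed: any non-OK row, or an empty registry (assumption), gives all_ok=False.
    return {"tracked_fns": len(statuses), "ok_fns": ok,
            "drift_fns": len(statuses) - ok,
            "all_ok": bool(statuses) and ok == len(statuses),
            "statuses": statuses}

# Constructed sample bodies, not the real gateway functions.
APPROVED_SRC = {
    "fn_birth_register": "BEGIN\n  INSERT INTO t VALUES (1);\nEND",
    "fn_birth_registry_auto":
        "BEGIN\n  -- BIRTH_EXEMPT\n  UPDATE t SET coverage_status = 'ok';\nEND",
}
APPROVED = {fn: {"norm_sha256": norm_sha256(s),
                 "requires_exempt_guard": fn == "fn_birth_registry_auto"}
            for fn, s in APPROVED_SRC.items()}

if __name__ == "__main__":
    live = dict(APPROVED_SRC)
    live["fn_birth_register"] = "begin  insert into T values (2); end"  # value changed
    print(dashboard(APPROVED, live))
```

Because the whole source is lower-cased and whitespace-collapsed before hashing, case and spacing inside string literals and comments are also treated as insignificant; the separate marker check is what covers the exempt guard.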

Also created (Supertrack B scaffolding)

  • birth_admission_permit — QT-001 apply (Stage 2) requires status=open; empty now ⇒ fail-closed.
  • birth_backfill_ledger — one row per planned/applied backfill batch; empty now.