KB-7521

QT-001 Apply DOT Harden — 02 Real Apply Procedure

Revision 1

Tags: birth-gateway, qt-001, stage2.5, apply-runtime, 2026-06-06

02 — Real Apply Procedure (Supertrack B)

The pseudocode has been replaced by a real, fail-closed, bounded writer. Live objects: fn_dot_birth_qt001_apply(p_collection, p_run_id, p_permit_id, p_expected_delta, p_max_rows, p_batch_size, p_dry_run, p_execute, p_dot_origin) plus the production driver sp_dot_birth_qt001_apply(...). Status views: v_qt001_apply_runtime_status (all checks true), v_qt001_apply_runtime_no_go_guard (all checks pass).

Fail-closed behavior (in order)

  1. p_execute DEFAULT false; p_dry_run supported. Dry-run is pure read (no write, no ledger).
  2. Eligibility: policy must be BIRTH_REQUIRED and identity ELIGIBLE_* (else RAISE on execute).
  3. COLLISION fail-close: any candidate entity_code already owned by a DIFFERENT collection ⇒ RAISE (never silent skip).
  4. PARITY fail-close: refuse if existing_births ≠ src_rows − expected_delta − unresolvable (otherwise a backfill would duplicate rows). See doc 05.
  5. Runtime hash introspection: v_birth_gateway_contract_integrity_dashboard.all_ok must hold and v_birth_stage0_still_enforced_guard must be all-pass (else RAISE).
  6. Permit: requires a valid OPEN execute permit in birth_admission_permit_v2 scoped to the collection, unexpired, with max_rows. Permit table is empty ⇒ execute is structurally impossible now (fail-closed by construction).
  7. Expected binding: p_expected_delta must equal the freshly computed target LEAST(computed_delta, p_max_rows) (else "stale" RAISE). p_max_rows required and ≤ permit.max_rows; cumulative ≤ permit.max_rows.
  8. Bounded writer: scans source rows, resolves identity via fn_birth_resolve_identity (writer-consistent), registers via fn_birth_register(...,p_dry_run:=false), counts actual_inserted/skipped/blocked, stops at the bounded target, updates the ledger resume_marker each batch.
  9. FALSE-DONE prevention (three layers): (a) expected-delta pre-binding; (b) post-write integrity real_delta(measured) == counted_inserts AND actual_inserted == target else status failed + RAISE; (c) structural ledger CHECK bbl2_no_false_done.
  10. Success: consume one-use permit; ledger status='done' only when actual==expected.

Why false-done is impossible

A writer that inserts 0 while claiming 137 yields actual_inserted(0) ≠ target(137) ⇒ status failed + RAISE; and the ledger CHECK rejects any status='done' row whose actual_inserted ≠ expected_delta at the database level. Proven in rehearsal: false_done_blocked = true (doc 07).
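The three false-done layers (steps 7 and 9 above and the argument just given) as an added PostgreSQL sketch, not the live fn_dot_birth_qt001_apply: the ledger table qt001_apply_ledger, its columns and the helper fn_qt001_finish_run are assumed names, the constraint name bbl2_no_false_done is the page's, and the pre-binding check is folded into the same guard for brevity.

```sql
-- Ledger table: name and columns are assumptions; the constraint name is the page's.
CREATE TABLE qt001_apply_ledger (
    run_id          text PRIMARY KEY,
    collection      text NOT NULL,
    expected_delta  integer NOT NULL,
    actual_inserted integer NOT NULL DEFAULT 0,
    status          text NOT NULL DEFAULT 'running'
        CHECK (status IN ('running', 'failed', 'done')),
    -- Layer (c): the database refuses any 'done' row whose counts disagree.
    CONSTRAINT bbl2_no_false_done
        CHECK (status <> 'done' OR actual_inserted = expected_delta)
);
-- Layers (a) and (b) as one guard called at the end of a run (hypothetical helper).
CREATE OR REPLACE FUNCTION fn_qt001_finish_run(
    p_run_id          text,
    p_expected_delta  integer,  -- what the caller bound before writing
    p_max_rows        integer,
    p_computed_delta  integer,  -- recomputed now from source vs existing births
    p_counted_inserts integer,  -- what the writer loop counted
    p_births_before   integer,
    p_births_after    integer   -- measured on the births table after the loop
) RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    v_target     integer := LEAST(p_computed_delta, p_max_rows);
    v_real_delta integer := p_births_after - p_births_before;
BEGIN
    -- (a) Expected-delta pre-binding: a stale plan must not drive a write.
    IF p_expected_delta <> v_target THEN
        RAISE EXCEPTION 'stale expected_delta % (target now %)', p_expected_delta, v_target;
    END IF;
    -- (b) Post-write integrity: measured delta, counted inserts and target must agree.
    -- The driver records status='failed' after catching this; an UPDATE issued here
    -- would be rolled back together with the exception.
    IF v_real_delta <> p_counted_inserts OR p_counted_inserts <> v_target THEN
        RAISE EXCEPTION 'false-done guard: real % counted % target %',
            v_real_delta, p_counted_inserts, v_target;
    END IF;
    UPDATE qt001_apply_ledger
       SET status = 'done', actual_inserted = p_counted_inserts
     WHERE run_id = p_run_id;
    RETURN 'done';
END $$;
-- Constructed case from the text: a writer that wrote 0 rows but claims 137.
INSERT INTO qt001_apply_ledger (run_id, collection, expected_delta)
VALUES ('r1', 'qt-001', 137);
-- Even bypassing the function, this UPDATE violates bbl2_no_false_done (0 <> 137).
UPDATE qt001_apply_ledger SET status = 'done', actual_inserted = 0 WHERE run_id = 'r1';
```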

Production driver

sp_dot_birth_qt001_apply loops over batches of p_batch rows, delegating each batch to the writer and COMMIT-ing per batch (resume-safe because the writer is idempotent). p_execute DEFAULT false. NOT executed in this macro.

Live evidence

v_qt001_apply_runtime_status: writer_fn_exists, driver_proc_exists, plan_fn_exists, writer_calls_fn_birth_register, writer_has_false_done_guard, writer_has_collision_failclose, writer_has_parity_failclose, writer_no_pseudocode, execute_defaults_false, false_done_check_constraint — all true.

Source path: knowledge/dev/reports/architecture/birth-stage2-qt001-apply-dot-harden-permit-ledger-2026-06-06/02-real-apply-procedure.md