KB-1EF2

QT-001 Apply DOT Harden — 04 Ledger Contract Hardening

Revision 1
birth-gateway · qt-001 · stage2.5 · ledger · false-done · 2026-06-06

04 — Ledger Contract Hardening (Supertrack D)

The v1 ledger cannot prove a single scoped, resumable apply and cannot prevent a false done. A hardened birth_backfill_ledger_v2 was created with inline constraints (no ALTER TABLE).

birth_backfill_ledger_v2 contract

  • run_id NOT NULL · batch_id NOT NULL · permit_id FK→birth_admission_permit_v2(id) · collection_name NOT NULL
  • expected_delta · actual_inserted · actual_skipped · actual_blocked (all NOT NULL, CHECK≥0) · real_delta
  • status CHECK IN (planned,running,done,failed,rolled_back) · resume_marker · error_message · dot_origin · started_at/finished_at
  • UNIQUE (run_id, collection_name, batch_id) — provable scoped/resumable run identity.
  • STRUCTURAL false-done CHECK bbl2_no_false_done: status <> 'done' OR actual_inserted = expected_delta. A done row whose actual ≠ expected is rejected by the database engine itself.
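
A negative test for this contract, as an added example that is not part of the original report: it builds a reduced copy of the table and confirms that the engine itself rejects a false done, a duplicate batch identity and an unknown permit. Column types, the sample values and the use of SQLite as a stand-in engine are assumptions; real_delta, dot_origin and the timestamps are omitted.

```python
import sqlite3

# Assumed column types; SQLite stands in for the production engine so this runs offline.
DDL = """
CREATE TABLE birth_admission_permit_v2 (id INTEGER PRIMARY KEY);
INSERT INTO birth_admission_permit_v2 (id) VALUES (1);
CREATE TABLE birth_backfill_ledger_v2 (
  run_id TEXT NOT NULL, batch_id INTEGER NOT NULL, collection_name TEXT NOT NULL,
  permit_id INTEGER REFERENCES birth_admission_permit_v2(id),
  expected_delta  INTEGER NOT NULL CHECK (expected_delta  >= 0),
  actual_inserted INTEGER NOT NULL CHECK (actual_inserted >= 0),
  actual_skipped  INTEGER NOT NULL CHECK (actual_skipped  >= 0),
  actual_blocked  INTEGER NOT NULL CHECK (actual_blocked  >= 0),
  status TEXT CHECK (status IN ('planned','running','done','failed','rolled_back')),
  resume_marker TEXT, error_message TEXT,
  UNIQUE (run_id, collection_name, batch_id),
  CONSTRAINT bbl2_no_false_done CHECK (status <> 'done' OR actual_inserted = expected_delta)
);"""
INSERT = ("INSERT INTO birth_backfill_ledger_v2 (run_id, batch_id, permit_id,"
          " collection_name, expected_delta, actual_inserted, actual_skipped,"
          " actual_blocked, status) VALUES (?,?,?,?,?,?,?,?,?)")
CLOSE = ("UPDATE birth_backfill_ledger_v2 SET status = 'done', actual_inserted = ?"
         " WHERE run_id = ? AND collection_name = ? AND batch_id = ?")

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript(DDL)
    return db

def attempt(db, sql, params):
    """Run one write; return None if accepted, else the engine's rejection text."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(sql, params)
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None

def run_negative_tests():
    db = open_ledger()  # every value below is a constructed sample
    out = {
        "running":    attempt(db, INSERT, ("run-1", 1, 1, "col_a", 10, 0, 0, 0, "running")),
        "false_done": attempt(db, CLOSE, (7, "run-1", "col_a", 1)),    # 7 != 10: rejected
        "true_done":  attempt(db, CLOSE, (10, "run-1", "col_a", 1)),   # 10 == 10: accepted
        "dup_batch":  attempt(db, INSERT, ("run-1", 1, 1, "col_a", 10, 0, 0, 0, "planned")),
        "bad_permit": attempt(db, INSERT, ("run-1", 2, 999, "col_a", 5, 0, 0, 0, "planned")),
    }
    return out, db.execute("SELECT status, actual_inserted FROM birth_backfill_ledger_v2").fetchall()
```

Naming the constraint matters for the guard views as well as for operators: the rejection text carries bbl2_no_false_done, so a failed close is attributable to the false-done rule rather than to a generic integrity error.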

Guards

  • v_qt001_ledger_contract_status — every required column present + UNIQUE + FK + status-CHECK + false-done CHECK (all present).
  • v_qt001_false_done_guard — structural CHECK present; no v2 done-with-mismatch; no v1 done ledger; writer raises on mismatch; writer integrity real-vs-counted (all pass).
  • v_qt001_resume_failure_contract — status enum supports failed/rolled_back; run/batch unique; resume_marker column; idempotent resume via fn_birth_register ON CONFLICT (entity_code); driver commits per batch; error_message column (all pass).

Resume / failure semantics

Each batch writes its own ledger row (run_id, collection, batch_id). On failure the writer sets status='failed' with error_message. Re-running is idempotent (anti-join + ON CONFLICT), so a resumed run only registers the rows still missing; resume_marker records progress. The production driver sp_dot_birth_qt001_apply COMMITs per batch so a crash leaves committed batches intact and the remainder resumable.

knowledge/dev/reports/architecture/birth-stage2-qt001-apply-dot-harden-permit-ledger-2026-06-06/04-ledger-contract-hardening.md