KB-7F46

Checkpoint — Authority/Birth/Truth Control-Plane P0 Remediation 2026-06-06


Date: 2026-06-06
Status: PASS (PARTIAL on owner/operator-blocked apply items)
Mode: EXECUTION, principal-delegate.
Live mutation: YES (1 reversible function patch + 26 additive views).
Birth-neutral: every DDL before==after; ambient session drift +2 (1,210,783 → 1,210,785).
OOM: OOM_SAFE (0 landmines, 0 signal-9 last 2h).

Headline

PRODUCTION READINESS FAIL → AUTHORITY_BYPASS_CONTAINED + BIRTH_POLICY_GUARDED + CONTROL_PLANE_P0_ACTION_READY/APPLIED.

P0 authority bypass — CONTAINED (applied, reversible, fail-closed)

Root cause (live DDL): trg_apr_auto_approve (BEFORE INSERT → fn_auto_approve_add) flipped action='add' rows pending→approved at INSERT, so the quorum guard trg_apr_quorum_check (UPDATE pending→approved only) never fired.

Fix: fn_auto_approve_add replaced so add rows stay pending (must transit pending→approved → quorum enforced); trigger preserved (no global disable). Rehearsed in BEGIN…ROLLBACK (reproduced bypass → applied → closure → fail-closed raise), applied birth-neutral (1,210,783==1,210,783), verified no_longer_approves=true.

Rollback: 99_rollback_authority_containment.sql.

Affected & preserved: 8 insert-bypass (3 applied, 1 approved-undisposed APR-0234, 4 inert smoke-tests) + 18 scanner-applied-without-vote; all 0 votes.
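
The bypass and its containment described above, reduced to a minimal PostgreSQL rehearsal inside BEGIN…ROLLBACK. This is an added example, not the project's DDL: the demo_* tables, functions and triggers are constructed, and the quorum rule (at least one 'approve' vote) is an assumption.

```sql
-- Constructed demo schema (hypothetical names); PostgreSQL 11+.
BEGIN;
CREATE TABLE demo_requests (
    id     serial PRIMARY KEY,
    action text NOT NULL,
    status text NOT NULL DEFAULT 'pending'
);
CREATE TABLE demo_votes (
    request_id int  NOT NULL REFERENCES demo_requests(id),
    decision   text NOT NULL CHECK (decision IN ('approve','reject','abstain'))
);

-- Quorum guard: runs only on an UPDATE that moves pending -> approved.
-- Assumed demo rule: at least one 'approve' vote must exist.
CREATE FUNCTION demo_quorum_check() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM demo_votes
                   WHERE request_id = NEW.id AND decision = 'approve') THEN
        RAISE EXCEPTION 'quorum not met for request %', NEW.id;
    END IF;
    RETURN NEW;
END $$;
CREATE TRIGGER demo_trg_quorum BEFORE UPDATE OF status ON demo_requests
    FOR EACH ROW WHEN (OLD.status = 'pending' AND NEW.status = 'approved')
    EXECUTE FUNCTION demo_quorum_check();

-- "Before" behaviour: status is rewritten at INSERT, so no UPDATE ever occurs.
CREATE FUNCTION demo_auto_approve() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF NEW.action = 'add' THEN NEW.status := 'approved'; END IF;
    RETURN NEW;
END $$;
CREATE TRIGGER demo_trg_auto BEFORE INSERT ON demo_requests
    FOR EACH ROW EXECUTE FUNCTION demo_auto_approve();
-- Reproduce the bypass: no vote rows exist and the UPDATE guard is never consulted.
INSERT INTO demo_requests (action) VALUES ('add') RETURNING id, status;

-- Containment: replace the function body only; the trigger stays attached.
CREATE OR REPLACE FUNCTION demo_auto_approve() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    IF NEW.action = 'add' THEN NEW.status := 'pending'; END IF;
    RETURN NEW;
END $$;
INSERT INTO demo_requests (action) VALUES ('add') RETURNING id, status;
-- Fail-closed check: approving a pending row without votes now reaches the guard.
UPDATE demo_requests SET status = 'approved' WHERE status = 'pending';
ROLLBACK;
```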

Back-audit — benign, nothing quarantined, nothing deleted

Live effects of the applied bypass rows are substantively-correct governance metadata (5 Directus collections registered, 6+ DOTs, 17 junction reclassifications→observed, 1 meta_catalog). Recommendation: ratify=21, reconcile=1 (APR-0234 object live but APR=approved), none=4. any_quarantine=false. Compensation = retroactive ratification + lifecycle reconcile (needs owner/president votes).

Regression — machine-visible with proven teeth

8 live teeth tests (rolled back): containment, zero-vote-high blocked, AI-only-high blocked, self-approve excluded, reject blocks, +2 positive controls approved, terminal immutability. Guards: v_authority_quorum_regression_guard (6 blocking P0 pass; 1 P1 fail = scanner ungated) + v_authority_lifecycle_failclosed_guard (5 blocking P0 pass; 1 P1 fail = no apply-time quorum re-proof). All blocking assertions pass.

Birth policy — GUARDED

BIRTH_POLICY_GUARDED: H11a CONTAINED (detect_only, auto_fix_action NULL), fn_birth_registry_auto EXEMPT-skip + fn_log_issue idempotency present, 8/8 post-fix cycles CLEAN_NO_RECURSION (entity_labels=0 each). Contradictions: required_missing=5, exempt_active=29, duplicate=18, deferred_active=50. Duplicate-trigger cleanup HELD (OPERATOR_OWNER_PACKET_READY; TG_ARGV parity differs → blind dedup unsafe); no trigger DROP applied.

Object/raw truth — clean

raw=1,210,783 = managed 2,929 + provenance 6,610 + log_noise 974,243 + dup_noise 224,075 + unknown 2,926 (sum exact); 98.97% noise, fully accounted. No RP SSOT view uses raw as object truth; only one operator-UI conditional repoint outstanding (no DB change). Count-semantics guard 5/5.

Trigger registry — visible + queued

408 live / 107 registered / 301 candidate. P1_unmanaged_mutating=83 (enabled, app/unknown); birth_governed=197 (managed by birth policy, not registry). Candidate packet only; no auto-register; no_go 4/4 (teeth: no_registry_rows_added_this_session).

Function permission — staged

598 funcs / 570 PUBLIC EXEC / 60 SECDEF / 38 SECDEF+PUBLIC. Risk: 2 P1 (birth onboarding, iu_auto_instantiate_from_event) + 33 P2 → 35 staged REVOKEs, none applied. No-go 4/4 (realrun not publicly callable).

RP production API/UI — API_BROKEN (do-not-deploy)

Page 200; broken: /api/registries/index 404, /api/registry/matrix 500 (~23s), /api/registry/pivot-query 500; PIVOT_MISSING=14 nodes. ui_readiness_class=API_BROKEN. Live deltas vs prior: 4×404→1×404+2×500; pivot 139→14 (live wins). No UI deploy.

Control-plane router

Dashboard v_control_plane_p0_status_dashboard: 1 RED (rp_api), 3 AMBER (authority/trigger/permission), 3 GREEN (oom/birth/object). Router v_control_plane_next_macro_router: next = AUTHORITY_P1_HARDENING_AND_BACKAUDIT_RATIFICATION; top_operator = TRIGGER_REGISTRY_REGISTRATION_OWNER_PACKET; posture MONITOR_WITH_GUARDS.

Safety audit — all PASS

birth before==after; apr_approvals=42 unchanged (no fake votes); no IU edit; no REAL_RUN; no event activation; trigger_guard_alerts=129 unchanged; OOM safe; rollbacks staged; historical rows preserved; raw pollution exposed not hidden; no UI deploy / no broad revoke.

26 new views

  • Authority: bypass_inventory, bypass_affected_requests, bypass_no_go_guard, back_audit_ledger, quarantine_recommendation, compensation_plan, quorum_regression_guard, lifecycle_failclosed_guard.
  • Birth: policy_control_plane_status, trigger_reconciliation_priority, trigger_apply_readiness.
  • Object: rp_object_truth_control_plane, rp_raw_vs_clean_count_guard, rp_count_semantics_regression_guard.
  • Trigger: trigger_registry_gap_inventory, registration_packet, no_go_guard.
  • Permission: function_permission_risk_inventory, hardening_plan, no_go_guard.
  • RP-API: rp_production_api_truth_status, rp_ui_operator_fix_packet, rp_ui_readiness_no_go_guard, rp_ui_readiness_classification.
  • Control-plane: control_plane_p0_status_dashboard, control_plane_next_macro_router.

Gotchas (2026-06-06)

  • query_pg RO (context_pack_readonly, 5s, LIMIT 500); DDL/rehearsal/heavy reads via ssh contabo → docker exec -i postgres psql (statement_timeout=0 for heavy).
  • approval_requests: date_created/date_updated (no created_at); chk_apr_target_collection requires target_collection NOT NULL; code auto-generated by fn_approval_auto_code; AFTER-insert births via fn_birth_registry_auto.
  • apr_approvals: (apr_id, approver, approver_type∈{human,ai_council}, decision∈{approve,reject,abstain}, rationale) all NOT NULL; president = approver_type='human' AND approver ILIKE '%president%'.
  • pg_schema MCP $1 bug → information_schema.columns; birth_registry has no source_table (use collection_name/born_at); event_type_registry has no status col.
  • KB upload prose+tables only (WAF blocks fenced SQL); each upload births 1 knowledge_documents (provenance).
  • control_plane router view ~25s → read via ssh statement_timeout=0.
  • RP host vps.incomexsaigoncorp.vn; RP APIs under /api/registry/* and /api/registries-pivot/*.

Artifacts

SQL: /opt/incomex/docs/mcp-writes/authority-birth-truth-cp-2026-06-06/ (00 rehearsal, 01 apply, 02 verify, 03–12 views, 99 rollbacks). Reports: knowledge/dev/reports/architecture/authority-birth-truth-control-plane-p0-remediation-2026-06-06/00..12.

Next macro

AUTHORITY_P1_HARDENING_AND_BACKAUDIT_RATIFICATION (gate auto_apply_approval behind vote; add apply-time quorum re-proof; ratify 21 + reconcile APR-0234 — owner/president votes). Parallel: RP_PRODUCTION_API_OPERATOR_FIX (404/500 + pivot refresh), trigger/permission migration packets. All blockers are human authority / owner / operator / dev — no engineering blocker.

knowledge/dev/reports/architecture/checkpoint-authority-birth-truth-control-plane-p0-remediation-2026-06-06.md