Checkpoint — Authority P1 Hardening / Back-audit Ratification / Scanner-Apply Control 2026-06-06
Date: 2026-06-06. Status: PASS (PARTIAL on owner/president-blocked ratification). Mode: EXECUTION, principal-delegate. Live mutation: YES — 2 reversible CREATE OR REPLACE function patches + 1 refreshed guard view + 18 additive views. Birth-neutral: birth_registry 1,210,801 before == 1,210,801 after DDL. trigger_guard_alerts: 129 == 129 (no new trigger). apr_approvals: 42 == 42 (no fake votes). OOM: SAFE (no signal-9).
Headline
AUTHORITY_BYPASS_CONTAINED (P0) → AUTHORITY_P1_HARDENED + SCANNER_APPLY_CONTROLLED + APPLY_TIME_QUORUM_GUARDED + BACKAUDIT_RATIFICATION_ACTION_READY. Both P1 gaps closed live, reversibly, with no fake authority.
P0 reverify — still contained
fn_auto_approve_add keeps action=add pending (no NEW.status := 'approved' at INSERT); trg_apr_auto_approve preserved+enabled. v_authority_p0_still_contained_guard 3/3 PASS.
P1a scanner auto-apply — CONTROLLED (applied, reversible)
Live path: host cron auto_apply_approval() daily 04h30 CEST applied pending dot-orphan-scanner/dot-misclass-scanner rows (proposed_action_code NULL) with zero vote. Loaded-but-idle today (returns 0; last scanner rows 2026-03-28). FIX (option D, narrowest): CREATE OR REPLACE auto_apply_approval to skip any row where quorum_passed(rec.code) is false (audit skip-note, no side effects). Scanners/cron/binaries untouched. v_scanner_apply_control_status = CONTROLLED; no-go 3/3.
P1b apply-time quorum re-proof — IMPLEMENTED (applied, reversible)
Gap proven live (BEGIN..ROLLBACK): a null-action 0-vote row reached applied (only quorum gate was pending→approved; apply guard checked only handler_ref and returned early on null action). FIX: extended existing apply-guard fn fn_apr_block_unimplemented_handler (fires approved→applied) to call quorum_passed(NEW.code) BEFORE the null-action early-return; raises if false. Reused the live-ready quorum_passed primitive (no rewrite). No new trigger → trigger_guard_alerts stayed 129. v_apply_time_quorum_reproof_status = IMPLEMENTED (before-null, trigger enabled); no-go 4/4. Prior guard v_authority_lifecycle_failclosed_guard.apply_quorum_reproof_present refreshed live → PASS+blocking; v_authority_quorum_regression_guard.scanner_autoapply_quorum_gated auto-flipped → PASS.
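The check-ordering fix described above, reduced to a scratch-database sketch in PL/pgSQL (an added example, not the project's function body). demo_requests, demo_quorum_passed and demo_apply_guard are hypothetical stand-ins for the approvals table, quorum_passed and fn_apr_block_unimplemented_handler; the one-vote threshold and the sample rows are assumed.

```sql
BEGIN;  -- everything below is rolled back at the end
CREATE TABLE demo_requests (              -- hypothetical stand-in table
    code text PRIMARY KEY,
    status text NOT NULL,
    proposed_action_code text,            -- NULL on legacy/scanner rows
    handler_ref text,
    votes int NOT NULL DEFAULT 0
);

-- Hypothetical stand-in for quorum_passed(): false on NULL action or no votes.
CREATE FUNCTION demo_quorum_passed(p_code text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT COALESCE(bool_and(proposed_action_code IS NOT NULL AND votes >= 1), false)
    FROM demo_requests WHERE code = p_code;
$$;

CREATE FUNCTION demo_apply_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- Post-fix order: quorum is re-proven before any early return.
    IF NOT demo_quorum_passed(NEW.code) THEN
        RAISE EXCEPTION 'apply blocked: quorum not proven for %', NEW.code;
    END IF;
    -- Pre-fix this return ran first, so NULL-action rows skipped every check.
    IF NEW.proposed_action_code IS NULL THEN
        RETURN NEW;
    END IF;
    IF NEW.handler_ref IS NULL THEN
        RAISE EXCEPTION 'apply blocked: no handler for %', NEW.proposed_action_code;
    END IF;
    RETURN NEW;
END $$;

CREATE TRIGGER demo_apply_guard_trg
BEFORE UPDATE OF status ON demo_requests
FOR EACH ROW WHEN (OLD.status = 'approved' AND NEW.status = 'applied')
EXECUTE FUNCTION demo_apply_guard();

INSERT INTO demo_requests VALUES          -- constructed sample rows
    ('DEMO-1', 'approved', NULL, NULL, 0),
    ('DEMO-2', 'approved', 'demo_action', 'demo_handler', 1);

UPDATE demo_requests SET status = 'applied' WHERE code = 'DEMO-2';  -- quorumed row
SAVEPOINT neg;
UPDATE demo_requests SET status = 'applied' WHERE code = 'DEMO-1';  -- null-action, 0 votes: guard raises
ROLLBACK TO neg;
SELECT code, status FROM demo_requests ORDER BY code;
ROLLBACK;
```

Moving the NULL-action early return back above the quorum check reproduces the pre-fix gap: the DEMO-1 update then succeeds with zero votes.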
Rehearsal teeth (BEGIN..ROLLBACK, birth+tga neutral)
T1 add stays pending PASS; T2 pending→approved high 0-vote blocked PASS; T3 null-action 0-vote approved→applied GAP-CONFIRMED(pre-fix); T4 same blocked post-fix PASS; T5 quorumed low-risk applies PASS; T6 rejected→applied blocked PASS; T7 scanner gate skips no-vote row returns 0 PASS. Post-apply committed-state LIVE-NEG blocked + LIVE-POS applies.
Back-audit ratification — machine-visible, action-ready
Bypass ledger 26 rows (reviewed_by sentinels: system_auto_approve=insert-path, auto-apply-function=scanner), all quorum_would_pass_now=false. Split: 21 ratify (applied_live_effect: 3 insert + 18 scanner, benign governance metadata) / 1 reconcile (APR-0234) / 4 none (inert rejected/expired). Packets: v_authority_backaudit_ratification_packet (21), v_authority_backaudit_reconcile_packet, v_authority_backaudit_principal_queue. Honesty: the by-source 160 splits into auto-apply-function 18 + orchestrator-s142b 142 (sanctioned batch, separate basis) — exposed not hidden. No ratification executed (no real authority); no fake votes.
APR-0234 reconcile — concrete
approved, action=add, proposed_action_code NULL, reviewed_by=system_auto_approve, target dot_tools/dot-ops-silent-fail-scan, 0 votes. The 4 target DOTs (silent-fail scan/test/propose/propose-test) are already live+active → effect already realized. Plan (v_apr_0234_reconcile_plan): president retroactive-ratify then reject-as-superseded (clean), or apply-with-president-vote (noop via ON CONFLICT). Apply-time guard blocks any auto-apply. Not mutated (no authority).
Regression guard with teeth
v_authority_p1_regression_guard 8/8 PASS, live-derived (trips if either fn patch reverts): T1 add-pending, T2 quorum-on-approve, T3 apply-reproof-before-null, T4 scanner-gated, T5 terminal-immutable, T6/T7 president-identity (human+%president% in both quorum fns), T8 P0 sentinel. v_authority_p1_teeth_tests records rehearsal outcomes. 0 blocking failures across 6 guard families.
Control-plane router v2
Dashboard lanes: oom/p0/scanner/apply_time/birth GREEN; backaudit/trigger_registry/function_permission AMBER; rp_production_api RED. v_control_plane_next_macro_router_v2: next = RP_PRODUCTION_API_OPERATOR_FIX (1 RED, 3 AMBER, 5 GREEN); pending_authority = ratify 21 + APR-0234 (president/owner); posture MONITOR_WITH_GUARDS.
Safety audit — all PASS
birth before==after; apr_approvals 42 (no fake votes); axis_assignment active 0 (no owner mutation); apr_status unchanged (applied 176/approved 2/expired 19/pending 19/rejected 14, no lifecycle mutation); no IU/UI/deploy; no REAL_RUN; no event activation; trigger_guard_alerts 129; OOM safe; rollback staged; historical rows preserved; population exposed not hidden.
Gotchas (2026-06-06)
- NEW trigger trips fn_evt_trigger_guard ([TRIGGER-GUARD] DDL detected) → use CREATE OR REPLACE on existing apply-guard fn to keep trigger_guard_alerts=129.
- quorum_passed returns false for null action_code/risk → apply-time guard fail-closes legacy/scanner null-action rows (intended).
- Classify scanner applies by reviewed_by not source: auto-apply-function 18 (bypass) vs orchestrator-s142b 142 (sanctioned).
- DDL channel: ssh contabo → cat /opt/incomex/docs/mcp-writes/...sql | docker exec -i postgres psql -U directus -d directus (host file piped to container stdin); query_pg RO 5s/LIMIT 500; pg_get_functiondef on aggregates errors (filter prokind='f').
- pg_cron NOT installed; auto-apply scheduling is host crontab; dot-apr-execute 5-min cron failing on curl localhost:8055.
- KB upload prose+tables (no fenced SQL); each upload births 1 knowledge_documents (provenance).
Artifacts
SQL: /opt/incomex/docs/mcp-writes/authority-p1-2026-06-06/ (00_rehearsal v1 superseded, 00b_rehearsal v2 chosen, 01_apply, 02_verify, 99_rollback). Report: knowledge/dev/reports/architecture/authority-p1-hardening-backaudit-ratification-scanner-apply-control-2026-06-06/00..11.
Next macro
RP_PRODUCTION_API_OPERATOR_FIX (only RED lane: /api/registries/index 404, /api/registry/matrix 500, pivot missing), parallel with collecting president/owner authority to execute the ratification queue (21 ratify + APR-0234 reconcile). All blockers human/operator; no engineering blocker. Continues the authority/birth/truth control-plane line from checkpoint-authority-birth-truth-control-plane-p0-remediation-2026-06-06.