KB-6342

Checkpoint — Birth P0 Stage 0 Dangerous DOT Freeze + Gateway SSOT Guard

5 min read · Revision 1
checkpoint · birth-gateway · stage0 · freeze · ssot-guard · 2026-06-06

Date: 2026-06-06 · Status: PASS · Mode: EXECUTION (principal-delegate) · Live mutation: YES, fully reversible.

Outcome

Moved from BIRTH_GATEWAY_DESIGN_READY_BUT_RUNTIME_CAN_BE_OVERRIDDEN to DANGEROUS_BIRTH_DOT_EXECUTION_FROZEN + GATEWAY_SSOT_DRIFT_DETECTABLE + QT001_QT002_IMPLEMENTATION_READY_FOR_NEXT_STAGE.

Root risk (live-confirmed)

dot-birth-trigger-setup (DOT-119), at line 113, embeds CREATE OR REPLACE FUNCTION fn_birth_registry_auto() with PRE-FIX logic: it looks up governance_role only and has 0 occurrences of coverage_status / BIRTH_EXEMPT. Running it reverts the live guarded gateway across 166 triggers / 148 tables and reopens the birth/object-pollution P0 for 36 EXEMPT + 58 DEFERRED collections. dot-birth-backfill (DOT-118) does a direct INSERT INTO birth_registry (incompatible 22/36 governed).

What was applied (reversible)

  1. Freeze: dot-birth-trigger-setup + dot-birth-backfill reversibly quarantined (*.stage0-frozen-2026-06-06, byte-identical, md5 verified) with an inert guard wrapper (exit 3). Safe: no cron/systemd caller; composite caller dot-collection-create degrades gracefully ([[ -x ]] + 2>/dev/null || true). .bak-s164c untouched.
  2. 12 additive guard views (all DROP-able): gateway runtime_contract / ssot_drift_detector / no_old_function_guard; dangerous_dot_inventory / risk_classification; stage0_execution_freeze_status / freeze_no_go_guard; qt_path_preservation_status / qt_stage0_block_reason; global_preflight_dashboard / no_go_guard; stage0_regression_guard.

Verification (live)

  • Gateway guard v_birth_gateway_no_old_function_guard = PASS; drift detector = OK (both functions).
  • Freeze v_birth_stage0_freeze_no_go_guard = PASS (2/2).
  • Regression v_birth_stage0_regression_guard = 10/10 ALL_PASS.
  • Teeth proven: the embedded old fn has 0 guard markers → if installed, guard flips FAIL_OLD_GATEWAY_DETECTED.
  • Birth-neutral: 1,210,834 → 1,210,839 (before==after each DDL; +5 = normal realtime). tga 129 unchanged (CREATE VIEW does not trip the event-trigger guard); apr 42 unchanged; gateway triggers 166.
  • OOM safe (postgres 50-day uptime, 0 restarts, no session OOM).
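
The marker test behind "Teeth proven" can also be run statically against a script file before it executes, which catches the root risk (a setup script embedding a pre-fix fn_birth_registry_auto) without touching the database. This is an added example, not part of the checkpoint or the project's code; it assumes the embedded definition is dollar-quoted with $$, and the NO_GATEWAY_REDEFINITION label and both sample scripts are constructed here.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. From the page: fn_birth_registry_auto,
# coverage_status, BIRTH_EXEMPT, FAIL_OLD_GATEWAY_DETECTED. Assumed: everything else.
FN_NAME='fn_birth_registry_auto'

# Print the embedded definition, from its CREATE line through the closing $$.
extract_embedded_fn() {
  awk -v fn="$FN_NAME" '
    !in_fn && tolower($0) ~ ("create +or +replace +function +" fn) { in_fn = 1 }
    in_fn { print; n += gsub(/\$\$/, "&"); if (n >= 2) exit }
  ' "$1"
}

# Classify one script by the guard markers found inside that definition only.
gateway_verdict() {
  local body markers
  body="$(extract_embedded_fn "$1")"
  if [ -z "$body" ]; then echo "NO_GATEWAY_REDEFINITION"; return 0; fi  # hypothetical label
  markers="$(printf '%s\n' "$body" | grep -oE 'coverage_status|BIRTH_EXEMPT' | wc -l | tr -d ' ')"
  if [ "$markers" -eq 0 ]; then echo "FAIL_OLD_GATEWAY_DETECTED"; else echo "PASS"; fi
}

# Constructed sample scripts (not the real DOT-119 content).
write_samples() {
  cat > "$1/old.sh" <<'EOF'
psql <<'SQL'
CREATE OR REPLACE FUNCTION fn_birth_registry_auto() RETURNS trigger AS $$
BEGIN
  PERFORM governance_role FROM collection_registry WHERE name = TG_TABLE_NAME;
  RETURN NEW;
END; $$ LANGUAGE plpgsql;
SQL
echo "coverage_status is only mentioned outside the function here"
EOF
  cat > "$1/guarded.sh" <<'EOF'
psql <<'SQL'
CREATE OR REPLACE FUNCTION fn_birth_registry_auto() RETURNS trigger AS $$
BEGIN
  IF EXISTS (SELECT 1 FROM collection_registry WHERE name = TG_TABLE_NAME
             AND coverage_status LIKE 'BIRTH_EXEMPT%') THEN RETURN NEW; END IF;
  RETURN NEW;
END; $$ LANGUAGE plpgsql;
SQL
EOF
}

tmp="$(mktemp -d)"; write_samples "$tmp"
for s in old guarded; do echo "$s.sh: $(gateway_verdict "$tmp/$s.sh")"; done
rm -rf "$tmp"
```

The old.sh sample mentions coverage_status outside the function body, so a whole-file grep would pass it; restricting the count to the extracted definition is what makes the check fail it.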

Baseline (live)

coverage_status: BIRTH_REQUIRED 74 / BIRTH_DEFERRED_NEEDS_REVIEW 58 / BIRTH_EXEMPT_* 36. Identity birth_identity_source='unclassified' 43. Native status col 54/74. BIRTH_REQUIRED missing trigger 2 (iu_staging_payload, iu_staging_record — no PG table). orphans 59 / phantoms 289. Live gateway fn_birth_registry_auto GUARDED, norm-md5 c022f849c2c7d57a720c4cc172789d70.

Design SSOT (published + read-back PASS)

  • knowledge/dev/architecture/birth-gateway-ssot-qt001-repair-design-2026-06-06.md
  • knowledge/dev/architecture/BIRTH_GATEWAY_DESIGN_INDEX.md
  • Codex docs 01..10 never existed → reconstructed from checkpoint + 00-readme + 11-final-summary + live verification.

Artifacts

  • SQL/rollback on VPS: /opt/incomex/docs/mcp-writes/birth-stage0-2026-06-06/01_apply_views.sql, 02_apply_regression_guard.sql, 99_rollback_views.sql, BIRTH_STAGE0_FREEZE_ROLLBACK.md.
  • Report dir: knowledge/dev/reports/architecture/birth-p0-stage0-dangerous-dot-freeze-gateway-ssot-guard-2026-06-06/00..09.
  • Stage 1 packet: knowledge/dev/architecture/BIRTH_STAGE1_GATEWAY_SSOT_IMPLEMENTATION_PACKET.md.

Next macro

BIRTH_STAGE1_GATEWAY_SSOT_IMPLEMENTATION (immutable gateway release + runtime semantic contract registry + reconcile-only setup DOT + birth admission permit/backfill ledger; resolve 43 unclassified identities before QT-001 apply).

Exact blocker

None technical. Birth onboarding/backfill intentionally BLOCKED_UNTIL_STAGE_1_5 by design.

Gotchas

DDL via ssh contabo → docker exec -i postgres psql -U directus -d directus (query_pg is RO 5s/LIMIT500). write_file only to /opt/incomex/docs/mcp-writes. KB = prose + tables (no fenced SQL). CREATE OR REPLACE VIEW is birth-neutral and does NOT bump tga. collection_registry has BOTH governance_role AND coverage_status. The danger DOT's composite caller dot-collection-create self-degrades when the binary is frozen.

knowledge/dev/reports/architecture/checkpoint-birth-p0-stage0-dangerous-dot-freeze-gateway-ssot-guard-2026-06-06.md