KB-B2B9

Checkpoint — Birth Stage 1 Gateway SSOT Runtime Contract Foundation

6 min read Revision 1

checkpointbirth-gatewaystage1ssotruntime-contract2026-06-06

Checkpoint — Birth Stage 1: Gateway SSOT Runtime Contract Foundation

Date: 2026-06-06 · Status: PASS · Mode: EXECUTION (principal-delegate) · Live mutation: YES — additive + reversible only. birth_registry NOT mutated; fn_birth_registry_auto NOT changed.

Outcome

Moved from DANGEROUS_BIRTH_DOT_EXECUTION_FROZEN + GATEWAY_SSOT_DRIFT_DETECTABLE + QT001_QT002_IMPLEMENTATION_READY to BIRTH_GATEWAY_SSOT_RUNTIME_CONTRACT_LIVE + SHARED_POLICY_IDENTITY_REGISTER_FOUNDATION_READY_FOR_QT001_QT002.

What was applied (live, reversible)

Runtime contract / release registry — birth_gateway_release_registry (append-only by convention; release v1-stage1-2026-06-06; normalized-md5 + semantic SHA-256 for 5 fns). Views v_birth_gateway_release_current / _release_drift_guard / _contract_integrity_dashboard — one live, fail-closed place to verify the current gateway contract.
Shared foundation functions — fn_birth_policy_decision(text) (EXEMPT→skip / REQUIRED→birth / DEFERRED→defer / else UNKNOWN_BLOCK; STABLE, no-write, fail-closed); fn_birth_resolve_identity(text,jsonb) (reads birth_code_*/birth_identity_source; NULL-row=preflight; never invents identity; no-write); fn_birth_register(text,jsonb,boolean,text) (policy→identity→idempotent ON CONFLICT (entity_code); p_dry_run defaults TRUE; single-row, not bulk).
Fail-closed scaffolding — birth_admission_permit + birth_backfill_ledger (empty).
16 guard/foundation views across Supertracks A–H (drift, policy/identity/register matrices + regression guards, parity/no-go, qt-compat/no-worse, stage2 readiness, stage0-still-enforced, dependency-impact).

Total live DDL: 3 functions, 3 tables (+5 seed rows), 19 views. SQL + rollback on VPS: /opt/incomex/docs/mcp-writes/birth-stage1-2026-06-06/01_apply_stage1.sql, 99_rollback_stage1.sql.

Integration decision (Supertrack F)

fn_birth_registry_auto left byte-identical — Option A = PARITY_GUARD_ONLY. Parity: EXEMPT MATCH, REQUIRED MATCH; DEFERRED + UNREGISTERED the contract is stricter (defers/blocks where live still births) ⇒ contract births ≤ live (no-worse). Full thin-wrapper integration (Option C) + setup-DOT CREATE OR REPLACE FUNCTION strip deferred to Stage 2 under T2/operator review. norm-md5 c022f849c2c7d57a720c4cc172789d70 unchanged.

Verification (live)

birth-neutral: apply transaction start==end==1,210,851; BEGIN..ROLLBACK register rehearsal +1→ROLLBACK→1,210,851 (0 leaked). Close 1,210,864 = 1,210,851 + 13 KB-upload provenance births (knowledge_documents). No birth_registry DDL mutation.
tga 129 unchanged (event-guard tags CREATE/ALTER/DROP TRIGGER never hit; Stage 1 = fn/table/view only). apr 42 unchanged.
Guards: stage0_still_enforced 5/5 · contract_integrity all_ok · gateway_no_go 4/4 · policy 6/6 · identity 5/5 · register 7/7 · qt_compat 8/8 · no_worse 5/5. Authority P0 3/3, P1 8/8, quorum 7/7 (re-verified).
Stage 0 freeze intact: both danger DOTs inert wrappers (md5 753dd26f, exit 3, 0 CREATE OR REPLACE); byte-identical frozen backups a0b926d3 / f04cdbf5.
OOM safe: PostgreSQL 16.13, container up 7 weeks (healthy), 50-day uptime, 0 restarts; apply = metadata DDL only (no heavy scan).

Baseline (live)

BIRTH_REQUIRED 74 / DEFERRED 58 / EXEMPT 36; governed 36 (35 REQUIRED + 1 EXEMPT). Identity (REQUIRED 74): 31 resolvable (column 27 + synthetic 4) / 43 unclassified. Native status col 54/74. Birth-trigger gap = 2 (no PG table: iu_staging_payload, iu_staging_record; prior docs said 5 — live recomputation = 2). 43 unclassified = 34 observed / 6 governed / 3 locked.

Design SSOT (updated, read-back PASS)

knowledge/dev/architecture/BIRTH_GATEWAY_DESIGN_INDEX.md (rev 4) — Stage 0/1 PASS, Stage 2 packet ready, Stage 1 runtime objects + identity readiness.
knowledge/dev/architecture/birth-gateway-ssot-qt001-repair-design-2026-06-06.md (rev 2) — appended §11 Stage 1 result; sections 0–10 untouched.
Stage 2 packet: knowledge/dev/architecture/BIRTH_STAGE2_QT001_METADATA_BACKFILL_REPAIR_PACKET.md.
Report dir: knowledge/dev/reports/architecture/birth-stage1-gateway-ssot-runtime-contract-foundation-2026-06-06/00..12.

Next macro

BIRTH_STAGE2_QT001_IDENTITY_CLASSIFICATION_AND_METADATA_BACKFILL — classify the 43 unclassified identities, resolve the 2 no-table REQUIRED, build paired plan/apply DOTs over fn_birth_register, open per-collection permits, dry-run→batched-apply→rerun-delta=0. Optionally integrate the live gateway (Option C) under T2 review.

Exact blocker

None technical. QT-001 backfill intentionally BLOCKED by design until Stage 2 (43 identities + permit). Gateway Option C awaits T2/operator review.

Gotchas (carry forward)

DDL via ssh contabo → docker exec -i postgres psql -U directus -d directus (query_pg MCP is RO 5s/LIMIT500). Pipe host SQL files via cat … | docker exec -i.
write_file only to /opt/incomex/docs/mcp-writes; mkdir + chmod 2777 the subdir first (write_file refuses if parent missing).
KB blocks fenced code (WAF) → prose + tables + inline backticks only; each KB upload births 1 knowledge_documents provenance row.
Event-trigger guard evt_trigger_guard_ddl fires only on {CREATE TRIGGER, ALTER TABLE}; evt_trigger_guard_drop only on {DROP TRIGGER}. CREATE TABLE/FUNCTION/VIEW + DROP VIEW/TABLE/FUNCTION are safe (no tga bump). Avoid ALTER TABLE — define constraints inline in CREATE TABLE.
check is a reserved word — quote or rename when used as a column alias.
birth_registry conflict key = UNIQUE(entity_code); columns include collection_name, species_code, composition_level, dot_origin, governance_role, certified, status, jsonb_profile (NOT NULL '{}').
Live gateway skips ONLY BIRTH_EXEMPT% — it still births DEFERRED + unregistered collections (the Stage 1 contract is stricter; that divergence is the Stage 2/Option-C decision).