Checkpoint — Birth Stage 2.5: QT-001 Apply DOT Harden + Permit/Ledger Contract + False-Done Prevention
Date: 2026-06-06 · Status: PASS · Mode: EXECUTION (principal-delegate) · Live mutation: YES — additive + reversible + birth-neutral. No real QT-001 backfill. No permits opened. No trigger/gateway-body/source change. p_execute defaults FALSE. MCP read-back PASS.
Outcome
From QT001_IDENTITY_CLASSIFIED + 137_VALID_DELTA_BUT_NOT_SAFE_TO_APPLY (Codex NOT_SAFE_NEEDS_FIX) to QT001_APPLY_RUNTIME_HARDENED + PERMIT_LEDGER_CONTRACT_SAFE + FALSE_DONE_IMPOSSIBLE + READY_FOR_INDEPENDENT_REAUDIT.
What was applied (live, reversible, birth-neutral) — 4 SQL files in one tx each
- Tables: birth_admission_permit_v2 (expires_at/max_rows/expected_delta NOT NULL + mode/status enums + one-use + CHECK max≥expected + partial-unique one-open-execute-per-collection); birth_backfill_ledger_v2 (run_id/batch_id + UNIQUE(run,coll,batch) + FK(permit) + status enum + actual_inserted/skipped/blocked + resume_marker + structural CHECK bbl2_no_false_done: status=done ⇒ actual=expected); qt001_apply_rehearsal_audit; qt001_plan_snapshot.
- Functions: fn_dot_birth_qt001_plan_v2(text) (metadata-driven single-collection plan + parity); fn_qt001_plan_all() (whole-scope, no hardcoded list); fn_dot_birth_qt001_apply(...) (REAL fail-closed bounded writer, p_execute default false); fn_qt001_run_rehearsal(text,boolean) (self-rolling-back); fn_qt001_refresh_plan_snapshot().
- Procedure: sp_dot_birth_qt001_apply(...) (per-batch COMMIT driver, gated, p_execute default false).
- Views: 19 v_qt001_* + 3 v_birth_register_collision_*; repaired v_birth_stage2_qt001_readiness_dashboard (stale gate) and v_birth_qt001_apply_dot_readiness (false-pass).
Committed via ssh contabo → docker exec -i postgres psql (4 apply tx, each -1 -v ON_ERROR_STOP=1). Rollback staged: 99_rollback_harden.sql.
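The permit and ledger invariants listed above, as an added PostgreSQL sketch (not the project's own DDL). The demo_* table names, column types, the collection_name column, the ledger's expected_delta column, reading "actual" as actual_inserted, and the enum values 'dry_run', 'open', 'consumed', 'expired' and 'running' are assumptions; constraints are inline and uniqueness uses CREATE UNIQUE INDEX, so no ALTER TABLE is needed.

```sql
-- Constructed demo; everything runs inside one transaction that is rolled back.
BEGIN;

CREATE TABLE demo_permit_v2 (
    permit_id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    collection_name text        NOT NULL,
    mode            text        NOT NULL CHECK (mode IN ('dry_run', 'execute')),
    status          text        NOT NULL CHECK (status IN ('open', 'consumed', 'expired')),
    expires_at      timestamptz NOT NULL,
    max_rows        integer     NOT NULL,
    expected_delta  integer     NOT NULL,
    CHECK (max_rows >= expected_delta)
);
-- At most one open execute permit per collection (partial unique index).
CREATE UNIQUE INDEX demo_permit_one_open_execute
    ON demo_permit_v2 (collection_name)
    WHERE mode = 'execute' AND status = 'open';

CREATE TABLE demo_ledger_v2 (
    run_id          text    NOT NULL,
    collection_name text    NOT NULL,
    batch_id        integer NOT NULL,
    permit_id       bigint  NOT NULL REFERENCES demo_permit_v2 (permit_id),
    status          text    NOT NULL CHECK (status IN ('running', 'done', 'failed', 'rolled_back')),
    expected_delta  integer NOT NULL,
    actual_inserted integer NOT NULL DEFAULT 0,
    resume_marker   text,
    -- A row can only be marked done when the counted rows equal the expectation.
    CONSTRAINT bbl2_no_false_done
        CHECK (status <> 'done' OR actual_inserted = expected_delta)
);
CREATE UNIQUE INDEX demo_ledger_run_coll_batch
    ON demo_ledger_v2 (run_id, collection_name, batch_id);

INSERT INTO demo_permit_v2 (collection_name, mode, status, expires_at, max_rows, expected_delta)
VALUES ('field_type_equivalences', 'execute', 'open', now() + interval '1 hour', 4, 4);
INSERT INTO demo_ledger_v2 (run_id, collection_name, batch_id, permit_id, status, expected_delta, actual_inserted)
SELECT 'DEMO-RUN', collection_name, 1, permit_id, 'running', expected_delta, 3 FROM demo_permit_v2;

SAVEPOINT before_false_done;
-- Rejected by bbl2_no_false_done: 3 rows counted, 4 expected.
UPDATE demo_ledger_v2 SET status = 'done' WHERE run_id = 'DEMO-RUN';
ROLLBACK TO SAVEPOINT before_false_done;

-- Accepted once the counted rows match the expectation.
UPDATE demo_ledger_v2 SET actual_inserted = 4, status = 'done' WHERE run_id = 'DEMO-RUN';

ROLLBACK;
```

Run it in psql without ON_ERROR_STOP so the rejected UPDATE is reported and the script continues to the savepoint rollback.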
Codex 8 blockers — reproduced live then hardened (v_qt001_codex_blocker_reverification)
- B1 apply absent/pseudocode → real writer fn + driver proc.
- B2 false-done → structural CHECK + writer RAISE + integrity real==counted.
- B3 readiness false-pass → guard_v2 + dot_readiness patched (no green without runtime+rehearsal+reaudit).
- B4 permit no expiry/max → permit_v2 NOT NULL + CHECKs.
- B5 ledger not scoped/resumable → ledger_v2 run/batch UNIQUE + FK + status enum + resume_marker.
- B6 collision silent skip → writer cross-collection RAISE + staged core patch.
- B7 no batch compensation → per-batch ledger + COMMIT + failed/rolled_back + idempotent resume.
- B8 stale gate → recomputed from live unclassified(4).
Rehearsal (Supertrack G) — proven, committed nothing
- Function rehearsal fn_qt001_run_rehearsal('REHEARSAL-2026-06-06-01'): 5 TIER1 targets applied 67/42/18/6/4 = 137 (each real_delta==expected), rerun_delta 0, false_done_blocked true, rollback_clean true, birth 1,210,898 before==after. Only a birth-neutral audit row persists.
- Explicit BEGIN..ROLLBACK: executed smallest target (field_type_equivalences=4) → mid-tx +4 → rerun dry 0 → divergent law_dot_enforcement blocked (parity_divergence) → ROLLBACK → restored. Post: permits/ledger empty, done 0.
Headline finding — metadata-driven planner (live evidence > old report)
Reproduces every hardcoded delta exactly (shared-set mismatch 0; validated 5 = 137), but iterating all 74 BIRTH_REQUIRED surfaces 13 eligible / 779 and a parity-divergence hazard the hardcoded 5/137 hid. Tiers (v_qt001_metadata_scope_tiers):
- TIER1 (Codex-validated, apply_safe): 5 / 137 — dot_domain_rules 67, apr_approvals 42, normative_relations 18, apr_action_types 6, field_type_equivalences 4.
- TIER2 (metadata-consistent, unvalidated, apply_safe): 2 / 137 — measurement_registry 132, law_catalog 5.
- TIER3 (parity-divergent, RECLASSIFY): 6 / 505 — law_dot_enforcement 272 (div 272), approval_requests 160 (div 11), law_jurisdiction 43 (div 43), table_registry 20 (div 21), governance_relations 8 (div 8), workflows 2 (div 2). Existing births do NOT reconcile with the classified identity (realtime trigger uses a different code) → a backfill would DUPLICATE. The writer FAIL-CLOSES (parity divergence RAISE) — apply scope stays TIER1 until reaudit; TIER3 needs TG_ARGV re-mirror.
Verification (live, read-back PASS)
- birth_registry 1,210,898 (DDL + both rehearsals birth-neutral) · tga 129 · apr 42 · gateway norm-md5 c022f849c2c7d57a720c4cc172789d70 unchanged · Stage 0 freeze 5/5 · contract 5/5 all_ok.
- All-guards rollup 13/13 true: not_safe · cross_layer(9) · apply_runtime_status · apply_runtime_no_go · permit_contract · permit_no_go · ledger_contract_present · false_done_guard · resume_failure_contract · plan_no_go(8) · collision_no_go · rerun_delta0_rehearsal(6) · readiness_hardening(7).
v_qt001_apply_readiness_dashboard_v2.apply_gate = BLOCKED_PENDING_INDEPENDENT_REAUDIT_AND_OWNER_PERMIT; hardening 7/7; independent_reaudit_signed_off = false (no self-certify). open_execute_permits 0, done_ledgers 0.
Key facts (carry forward)
- DDL via ssh contabo → docker exec -i postgres psql -U directus -d directus (host file cat | docker exec -i). query_pg MCP is RO 5s/LIMIT500 — heavy plan/dot_origin scans need the ssh channel (statement_timeout 0).
- No ALTER TABLE (would bump tga via evt_trigger_guard_ddl): all v2 constraints inline; uniqueness via CREATE [UNIQUE] INDEX. No CREATE TRIGGER.
- fn_birth_register existence check is entity_code-only → cross-collection collision returns skipped/idempotent silently. Mitigated in the sanctioned writer (pre-check RAISE); core patch staged, NOT applied.
- The WRITER and fn_dot_birth_qt001_plan_v2 always recompute LIVE; qt001_plan_snapshot only backs DISPLAY/GUARD views (refresh fn_qt001_refresh_plan_snapshot(), ~5s; guards then sub-second). The apply path never trusts the snapshot.
- Chosen apply origin string STAGE2.5:dot-birth-qt001-apply (count 0 — clean invariant anchor).
- apr_action_types has NO id column (key action_code); the 4 synthetic targets have id.
Artifacts
Report dir: knowledge/dev/reports/architecture/birth-stage2-qt001-apply-dot-harden-permit-ledger-2026-06-06/00..13. Re-audit packet: knowledge/dev/architecture/BIRTH_STAGE2_QT001_APPLY_REAUDIT_PACKET.md. SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-apply-harden-2026-06-06/{01_apply_harden,02_parity_guard_patch,03_template_dashboard_fix,04_plan_snapshot,99_rollback_harden}.sql.
Next macro
BIRTH_STAGE2_QT001_INDEPENDENT_REAUDIT (external T2/Codex; refresh snapshot then run the reviewer commands in the packet). If PASS → BIRTH_STAGE2_QT001_APPLY_TIER1_IF_READY (owner opens scoped per-collection execute permit; apply; ledger done iff actual==expected; rerun-delta 0; independent reconcile). Parallel: BIRTH_STAGE2_QT001_TIER3_RECLASSIFY (re-mirror TG_ARGV for the 6 divergent) + BIRTH_STAGE2_METADATA_REPAIR_CONTINUE (4 NEEDS_OWNER). Blocker: independent re-audit + owner permit; zero engineering blocker.