KB-65AA

Checkpoint — Birth Stage 2 QT-001 Identity Classification + Metadata Backfill Repair

Revision 1

Date: 2026-06-06 · Status: PARTIAL · Mode: EXECUTION (principal-delegate) · Live mutation: YES — additive + reversible + birth-neutral. Macro net births to birth_registry = 0. No gateway/trigger/function-body change. No real backfill committed.

Outcome

From BIRTH_GATEWAY_SSOT_RUNTIME_CONTRACT_LIVE + SHARED_POLICY_IDENTITY_REGISTER_FOUNDATION_READY to QT001_IDENTITY_CLASSIFIED (70/74) + METADATA_PREFLIGHT_READY + PLAN_APPLY_DOT_SOURCE_READY + BACKFILL_DRYRUN_PROVEN (137) + SAFE_APPLY_DECISION_MADE (ACTION_READY pending T2 + owner permit).

What was applied (live, reversible, birth-neutral)

  1. Identity classification of 39 of 43 blockers on collection_registry.birth_code_* — by mirroring each live birth trigger's TG_ARGV (7 column, 32 synthetic_id), source inferred_from_existing_trigger. Resolvable identity 31 → 70 of 74.
  2. 5 birth_backfill_ledger PLAN rows (status=planned, dry_run=true) for the 5 non-zero-delta collections.
  3. 25 additive views (Supertracks A–I): dependency/no-worse guards, identity blocker inventory/classification/fix-priority, metadata repair plan/status/no-go, required preflight/gap/no-go, qt001 plan/apply readiness + no-go + permit + ledger status, dryrun result/summary/no-go, apply decision/result/rerun-delta guard, cross-layer + rp-object-truth guards.

Committed via ssh contabo → docker exec psql. Classification ran inside a self-guarding DO block that aborts on any birth. Rehearsed BEGIN..ROLLBACK before commit.
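One way to write such a self-guarding block and rehearse it, as an added example rather than the project's own 01_classify script. The columns collection_name, birth_code_kind and birth_code_source and the sample row are assumptions, since the page names only the tables and the birth_code_* prefix.

```sql
-- Added example. Assumed names: collection_name, birth_code_kind,
-- birth_code_source, and the constructed sample row in VALUES.
BEGIN;  -- rehearsal: end with ROLLBACK; use COMMIT only after a clean run

DO $$
DECLARE
    births_before bigint;
    births_after  bigint;
    rows_touched  bigint;
BEGIN
    SELECT count(*) INTO births_before FROM birth_registry;

    -- Additive classification: only fills rows that are still unclassified.
    UPDATE collection_registry AS c
       SET birth_code_kind   = v.kind,
           birth_code_source = 'inferred_from_existing_trigger'
      FROM (VALUES ('example_collection', 'synthetic_id'))
           AS v(collection_name, kind)          -- constructed sample row
     WHERE c.collection_name = v.collection_name
       AND c.birth_code_kind IS NULL;
    GET DIAGNOSTICS rows_touched = ROW_COUNT;

    -- Under READ COMMITTED this count takes a fresh snapshot, so a birth
    -- committed concurrently also trips the guard; that fails safe.
    -- A count comparison detects a net change only.
    SELECT count(*) INTO births_after FROM birth_registry;

    IF births_after <> births_before THEN
        -- The exception aborts the whole transaction, undoing the UPDATE.
        RAISE EXCEPTION
            'birth-neutrality violated: birth_registry % -> % (rows touched: %)',
            births_before, births_after, rows_touched;
    END IF;

    RAISE NOTICE 'classified % row(s); birth_registry unchanged at %',
        rows_touched, births_before;
END
$$;

-- Read-back before deciding; must equal the pre-run count.
SELECT count(*) AS births_after_block FROM birth_registry;

ROLLBACK;
```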

What was deliberately NOT done (kept for T2 / owner)

  • No real backfill of the 137 births. Proven safe via rehearsal (committed nothing). Blocked by packet section 7 (no self-certify → independent T2) + no OPEN permit. All 5 targets are governed.
  • 4 NEEDS_OWNER blockers left unclassified + action-packed: apr_request_types, binding_registry, nrm_doc_type_config (no-id + no-arg trigger → realtime-divergent), nrm_approval_rules (composite PK).
  • 2 no-table REQUIRED (iu_staging_payload, iu_staging_record) — create-or-reclassify is owner/QT-003R scope.
  • Apply DOT not deployed live: sp_dot_birth_qt001_apply is source-only (no apply-capable fn added to prod). fn_dot_birth_qt001_plan also source-only.
  • Old dot-birth-backfill + dot-birth-trigger-setup remain FROZEN.

Dry-run (full, 39 eligible)

5 collections with non-zero delta = 137 expected new births, all governed: dot_domain_rules 67, apr_approvals 42, normative_relations 18, apr_action_types 6, field_type_equivalences 4. 34 others already covered (delta 0) or empty. Zero duplicate risk (keys unique). Cross-checked vs fn_birth_register dry-run on real rows.

Apply rehearsal (BEGIN..ROLLBACK, committed nothing)

Pass-1 real fn_birth_register(...,false) over 5 collections → applied_delta = 137. Pass-2 rerun → reg=0, rerun_delta = 0 (idempotent). ROLLBACK → birth restored to 1,210,868 (0 leaked).

Verification (live, read-back PASS)

birth_registry 1,210,868 (macro net 0) · tga 129 · apr 42 · open_permits 0 · ledger planned 5 / done 0. Guards: stage0 5/5, gateway no_go 4/4, contract all_ok, dependency 6/6, no_worse 6/6, metadata_no_go 5/5, required_no_go 5/5, dryrun_no_go 4/4, cross_layer 7/7, rp_object_truth 4/4. Authority P1 8/8, quorum 7/7.

Key facts (carry forward)

  • Live gateway fn_birth_registry_auto: entity_code = TG_ARGV[0] value else collection::id; it does NOT read birth_code_* → identity classification is invisible to QT-002.
  • birth_registry.entity_code is NOT NULL → no-arg trigger on a no-id table yields NULL → would fail; that is why the 4 no-id collections have 0 births and are NEEDS_OWNER (do NOT fix triggers here — forbidden).
  • collection_registry UPDATE of birth_code_* fires only the statement-level count-refresh trigger (birth-neutral); soft-gate/desc/label/birth triggers fire only on INSERT or on UPDATE OF other columns.
  • The container cannot see host paths — psql \i of a host file fails; assemble SQL on host and pipe cat | docker exec -i psql.
  • KB WAF blocks fenced code → prose + tables + inline backticks; each KB upload births 1 knowledge_documents provenance row.

Artifacts

Report dir: knowledge/dev/reports/architecture/birth-stage2-qt001-identity-metadata-backfill-repair-2026-06-06/00..13. SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-2026-06-06/ (01_classify, 02_views, 02b_fix_guard_aliases, 03_apply_rehearsal, 04_dot_birth_qt001_plan_SOURCE, 05_dot_birth_qt001_apply_SOURCE, 10_dryrun_numbers, 99_rollback_stage2).

Next macro

T2_REVIEW_STAGE2_BEFORE_APPLY → BIRTH_STAGE2_QT001_APPLY_IF_READY (deploy apply source, owner opens permits, batched apply, rerun-delta=0). Parallel: BIRTH_STAGE2_METADATA_REPAIR_CONTINUE (4 needs-owner + 2 no-table). Blocker: independent T2 + owner permit; zero eng blocker.

knowledge/dev/reports/architecture/checkpoint-birth-stage2-qt001-identity-metadata-backfill-repair-2026-06-06.md