One-Roof Clone Axis/Topic — 06 Issue/Event/Log Boundary (Obj E, PASS, fail-closed)
06 — Objective E: Issue / Event / Log Boundary for Axis Findings
Verdict: PASS — fail-closed. SQL: sql/E_issue_event_boundary_clone.sql. Persistent part = two read-only projection views; all event_outbox interaction was rollback-only and rejected.
Persistent (committed) — read-only projections only
v_axis_issue_payload— shapes each axis finding into a governance event payload:event_domain='governance', a mappedevent_type, the registry'sevent_stream/delivery_lane/default_severity,canonical_address(object_type:object_ref),actor_ref='gov:axis-scanner',source_system='axis_substrate_clone', asafe_payloadjsonb, and cruciallytype_active(carried from the registry). 34 payloads shaped.v_axis_topic_parentage_conflict— detects a topic object assigned across more than one root domain (root_domain = parent_value_codeif set else the value itself). Baseline: 0 conflicts.
Both are pure projections — they read findings/assignments and emit shaped JSON. They do not write to event_outbox, system_issues, or any log, and they trigger no dispatch.
Finding → event-type mapping (the payload contract)
| finding_type | governance event_type | stream | lane | type_active |
|---|---|---|---|---|
| missing_owner | coverage.scan_completed | health | delayed | false |
| missing_assignment | coverage.scan_completed | health | delayed | false |
| low_confidence | input.untrusted_source | alert | delayed | false |
| quarantine | input.untrusted_source | alert | delayed | false |
| stale_topic | candidate.scan_completed | — | — | false |
type_active=false for every mapped type — so a consumer can see at the projection layer that none of these would actually emit.
Fail-closed proof (rollback-only, 5/5 PASS)
| # | attempt / check | result |
|---|---|---|
| E1 | insert event_outbox with unknown type axis.missing_owner |
REJECTED — fn_event_type_validate: "unknown (governance, axis.missing_owner)" |
| E2 | insert event_outbox with registered-but-inactive coverage.scan_completed |
REJECTED — "...is inactive" |
| E3 | count of emittable axis events (type_active=true) |
0 |
| E4 | live parentage conflict: assign agents to a 2nd root domain (workflow) while it holds ai-ops (root governance) |
detected = 1 (governance vs workflow) |
| E5 | event_outbox governance rows after all attempts |
0 (inert) |
The whole fail-closed transaction was rolled back — event_outbox was never written; the parentage-conflict row was a transient in-txn probe.
What the trigger actually enforces (accuracy note)
The live event_outbox BEFORE trigger trg_event_outbox_type_validate (function fn_event_type_validate) fail-closes on exactly four conditions: unknown (domain,type), inactive type, event_stream mismatch, delivery_lane mismatch. It does not enforce non-null canonical_address/actor_ref/source_system (those columns are nullable). Prior memory described a "mandatory provenance" fail-close; on this clone that is not trigger-enforced — only the type/stream/lane checks are. The payload contract supplies provenance by convention (the view always populates it), but the database guarantee is the type/stream/lane gate. This is stated precisely so no rollout assumes a guarantee that isn't there.
Net boundary
Axis findings can be shaped into governance events and would route the central spine (correct domain/stream/lane), but cannot be dispatched while the governance event types are inactive — and activating them is itself a governed change. The boundary is therefore correct: visible, shaped, routed-on-paper, and inert until governance turns the lane on.