08 — Step 6: SB-1 Build Results — COMMITTED (F-83-1 fix + governance action-type vocabulary) (2026-06-02)
Files: sql/sb1_ddl.sql, sql/sb1_rollback.sql. Source: hardening doc 03 §3.3/§3.6 + live trigger analysis. The one production-touching change in this mission.
8.1 F-83-1 trigger fix (mandatory, applied FIRST)
Re-pointed the apr_action_types birth trigger from argless fn_birth_registry_auto() to fn_birth_registry_auto('action_code') via atomic CREATE OR REPLACE TRIGGER (PG16) — no drop-window, no sql_drop guard row, and the shared function is not modified (it already supports TG_ARGV[0]). This re-points only this one trigger; all other tables' birth triggers are untouched. The fix is a genuine repair of a latent production bug (any apr_action_types INSERT previously failed with a NULL entity_code violation).
8.2 Phase-A proof that F-83-1 was real
Before applying the fix, a probe INSERT under the live argless trigger raised not_null_violation (NULL entity_code → birth_registry), caught as PASS — confirming the hazard the fix repairs.
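The failure proved in 8.2 and the re-point described in 8.1, reproduced as an added example for a disposable PostgreSQL database (this is not the project's DDL from sql/sb1_ddl.sql). The schema sb1_demo, its two tables, fn_birth_auto and trg_birth are constructed stand-ins; the function body and the AFTER INSERT timing are assumptions about how a missing TG_ARGV[0] ends up as a NULL entity_code.

```sql
-- Constructed stand-ins in a scratch schema; nothing here touches the real tables.
BEGIN;
CREATE SCHEMA sb1_demo;
SET LOCAL search_path = sb1_demo;

CREATE TABLE birth_registry (
    entity_table text    NOT NULL,
    entity_code  text    NOT NULL,
    certified    boolean NOT NULL DEFAULT false
);
CREATE TABLE action_types (action_code text PRIMARY KEY);

-- Assumed mechanism: the name of the code column arrives in TG_ARGV[0].
-- An argless trigger leaves TG_ARGV[0] NULL, so the looked-up code is NULL too.
CREATE FUNCTION fn_birth_auto() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO birth_registry (entity_table, entity_code)
    VALUES (TG_TABLE_NAME, to_jsonb(NEW) ->> TG_ARGV[0]);
    RETURN NEW;
END $$;

-- "Before" state: the trigger passes no argument.
CREATE TRIGGER trg_birth AFTER INSERT ON action_types
    FOR EACH ROW EXECUTE FUNCTION fn_birth_auto();

-- Phase-A style probe: the INSERT has to fail with not_null_violation.
-- Any other outcome (including success) aborts the rehearsal.
DO $$
BEGIN
    INSERT INTO action_types (action_code) VALUES ('probe_action');
    RAISE EXCEPTION 'probe unexpectedly succeeded';
EXCEPTION WHEN not_null_violation THEN
    RAISE NOTICE 'PASS: argless trigger produced a NULL entity_code';
END $$;

-- Atomic re-point: same trigger name, argument added, function body untouched.
CREATE OR REPLACE TRIGGER trg_birth AFTER INSERT ON action_types
    FOR EACH ROW EXECUTE FUNCTION fn_birth_auto('action_code');
INSERT INTO action_types (action_code)
VALUES ('authorize_build_step'), ('register_axis');

-- Birth check: one registry row per inserted code, none NULL, none certified.
SELECT count(*)                                    AS birth_rows,
       count(*) FILTER (WHERE entity_code IS NULL) AS birth_null_codes,
       bool_or(certified)                          AS any_certified
FROM birth_registry;

-- The stored definition should now carry the 'action_code' argument.
SELECT pg_get_triggerdef(oid) FROM pg_trigger
WHERE tgrelid = 'action_types'::regclass AND tgname = 'trg_birth';
ROLLBACK;
```

Because the whole script runs inside BEGIN..ROLLBACK, the scratch schema disappears on exit, mirroring the entry==exit rehearsal pattern used for SB-1.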
8.3 8 governance action-type rows committed
All handler_ref='unimplemented', risk_level='high', status='active', _dot_origin='PG:sb1-gov-vocab', descriptions ≥30 chars:
authorize_build_step, activate_event_type, register_axis, register_topic_node, assign_governance_owner, grant_governance_exception, delegate_authority, assign_axis_owner.
Fail-closed: handler_ref='unimplemented' ⇒ fn_apr_block_unimplemented_handler blocks any APR that tries to apply these (vocabulary exists so quorum can pass, but apply is blocked until a Phase-B handler is authored). No approval_requests rows created by SB-1 (mission rule honored).
8.4 Birth correctness (F-83-1 fix working)
The fixed trigger birthed all 8 rows with entity_code = action_code (NOT NULL): birth_apr=8, birth_null_codes=0, all certified=f.
8.5 Expected benign side-effect (transparency)
The DDL event-trigger evt_trigger_guard_ddl logged the CREATE OR REPLACE TRIGGER as 1 audit row in trigger_guard_alerts (128→129) — an internal DDL-audit log (no triggers on it, no downstream emit; NOT event_outbox, NOT a notification, NOT a law change). This is the system correctly auditing the authorized trigger re-wire. Documented here and in doc 09's out-of-scope check.
8.6 Rehearsal + commit + verify
Rehearsal (BEGIN..ROLLBACK): Phase-A F-83-1 proof PASS; Phase-B fix + 8 inserts → 14/8/0; no approval/e-sign write; post-rollback 6 + argless trigger restored (entry==exit). COMMIT: in-txn 14/8/0. Independent verify: apr_action_types=14, sb1_vocab=8, trigger def shows 'action_code', birth_null=0, appr=211/votes=42/osprop=0/event_outbox=188,847 unchanged, trigger_guard_alerts=129.
8.7 Verdict
SB-1 = BUILT + VERIFIED. F-83-1 permanently fixed; 8 governance action-types live and fail-closed.