KB-1618

Pre-Birth Admission Control — 01 Live Verification

Revision 1
pre-birth-admission · architecture · 2026-06-03

01 — Live Verification: Current Birth / Governance State

  • Date: 2026-06-03
  • Channel: query_pg (read-only role, READ ONLY tx, 5 s timeout, LIMIT 500) against production database directus.
  • Mutations performed: ZERO. Every query in this document is a SELECT / catalog introspection.
  • SSOT used: the two checkpoints (checkpoint-safety-net-pass-2026-06-03.md, checkpoint-backlog-remediation-stage2-2026-06-03.md) + KB laws/design docs (digested).
  • Live evidence below supersedes any older report where they disagree.


0. Headline — what live reality actually shows

The "AFTER-the-fact birth + scanner" framing is only half the picture. Pre-birth admission scaffolding already exists in production and was not assembled by this macro:

| Capability | Exists live? | Object |
|---|---|---|
| BEFORE-INSERT validation gate | YES (advisory) | fn_birth_gate() on 16 tables |
| Layered admission w/ deferred finalize | YES (one family) | information_unit: fn_iu_birth_gate_layer1 (BEFORE) + fn_iu_birth_gate_layer2 (DEFERRABLE CONSTRAINT TRIGGER) + fn_iu_gateway_write_guard |
| TTL'd, approval-bound, audited gate-token ledger | YES | fn_iu_gate_open/close/watchdog + iu_gate_transition + fn_dot_iu_command_log (Điều 32) |
| Retire reference-safety pre-check | YES | fn_retire_gate_check(collection, id) (FK + universal_edges) |
| Pure pre-birth validator | YES | fn_pre_birth_check(collection, code, name, dot_origin) → 5 checks |
| Birth→governance handoff substrate | YES (inert, registered) | event_type_registry governance types (active=false), event_pending, governance_candidate_state, gov_worker_cursor, registry_changelog (70,313 rows), queue_heartbeat (3) |
| A permit/reservation object created BEFORE insert | NO | — none — |
| fn_birth_first() | NO (planned only) | absent from pg_proc |
| Enforcement (blocking) of birth-first | NO | gate mode defaults 'warning' |

Therefore: birth-first is presently POLICY, not ENFORCEMENT. Per the open-goal law ("do not claim birth-first is achieved unless a BEFORE/admission guard actually enforces it"), the honest classification is: the hooks for pre-birth admission exist; the enforcement and the permit object do not.


1. birth_registry — schema, constraints, lifecycle

1.1 Columns (22)

id (PK, serial) · sort · user_created/date_created/user_updated/date_updated (Directus std) · entity_code varchar NOT NULL · collection_name varchar NOT NULL · species_code varchar · composition_level varchar · dot_origin varchar · born_at timestamptz DEFAULT CURRENT_TIMESTAMP · governance_role varchar · inspect_pen / inspect_stamp / inspect_gate timestamptz · certified boolean NOT NULL DEFAULT false / certified_at · status varchar DEFAULT 'born' (nullable, NO CHECK) · canonical_address text · owner text · jsonb_profile jsonb NOT NULL DEFAULT '{}'.

The inspect_pen/stamp/gate + certified/certified_at + canonical_address + jsonb_profile columns are a latent lifecycle/inspection scaffold — proof the schema anticipated a multi-stage lifecycle, but only certified is exercised (1,402 of 1,121,537).

1.2 Constraints

  • birth_registry_pkey PRIMARY KEY (id)
  • birth_registry_entity_code_unique UNIQUE (entity_code) — on entity_code ALONE. This is the structural defect.
  • No CHECK constraint on status. Any string is valid; lifecycle is unenforced.

1.3 Indexes (5)

pkey, entity_code_unique, idx_birth_uncertified (born_at DESC) WHERE certified=false, idx_birth_species (species_code) WHERE governance_role='governed', idx_birth_collection (collection_name).

1.4 Row counts / status distribution (LIVE)

status='born'  →  1,121,537 rows   (certified: 1,402)
(no other status value exists)

All rows 'born'. There is no live row in any other state — consistent with "no retire/permit mechanism transitions status."

1.5 Triggers on birth_registry

| trigger | timing | fn | enabled |
|---|---|---|---|
| trg_birth_auto_certify | BEFORE UPDATE ROW | fn_birth_auto_certify | O (enabled) |
| trg_birth_change_flag_matrix | AFTER INS/DEL/UPD STMT | fn_birth_change_flag_matrix | O (enabled) |
| trg_count_birth_registry | AFTER INS/DEL STMT | update_record_count | D (disabled) |

2. The two birth pathways (verified bodies)

2.1 AFTER-INSERT auto-birth — fn_birth_registry_auto() — "born first, declared afterwards"

Fires AFTER INSERT on 166 tables (plus fn_birth_registry_auto_id on 3 more: governance_relations, law_dot_enforcement, law_jurisdiction). Verified logic:

  1. entity_code := NEW->>TG_ARGV[0] (code field); fallback synthetic TG_TABLE_NAME || '::' || id when null/empty.
  2. Skip if (entity_code, collection_name) already registered.
  3. dot_origin := NEW->>'_dot_origin' else 'PG:trg_birth_<table>'.
  4. species via species_collection_map(is_primary)→entity_species; governance_role via collection_registry (default 'excluded').
  5. INSERT … **ON CONFLICT (entity_code) DO NOTHING**.

Defect confirmed: because the unique key is entity_code ALONE and the conflict target is (entity_code), a code already present for a different collection silently swallows the birth (DO NOTHING). This is the mechanism behind the 5 unbornable pivots (PIV-101/103/104/105/106 — codes owned by pivot_results). A composite unique (entity_code, collection_name) + matching conflict target is the prerequisite fix.
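The swallowed birth and the composite-key fix, reproduced as an added example (not code from the production database or from this report). The schema birth_demo, the table birth_registry_demo and its constraint names are constructed for the demonstration; only the key shape, the conflict target and the code PIV-101 come from the text above.

```sql
-- Constructed demo in a scratch schema (PostgreSQL); rolled back at the end.
BEGIN;
CREATE SCHEMA birth_demo;
SET LOCAL search_path = birth_demo;

-- Same key shape as the live table: UNIQUE on entity_code alone.
CREATE TABLE birth_registry_demo (
    id              serial PRIMARY KEY,
    entity_code     varchar NOT NULL,
    collection_name varchar NOT NULL,
    status          varchar DEFAULT 'born',
    CONSTRAINT demo_entity_code_unique UNIQUE (entity_code)
);

-- The code is first registered for pivot_results.
INSERT INTO birth_registry_demo (entity_code, collection_name)
VALUES ('PIV-101', 'pivot_results')
ON CONFLICT (entity_code) DO NOTHING;

-- Birth for a different collection with the same code: the conflict target
-- matches on entity_code alone, so the row is skipped and no error is raised.
INSERT INTO birth_registry_demo (entity_code, collection_name)
VALUES ('PIV-101', 'pivot_definitions')
ON CONFLICT (entity_code) DO NOTHING;

-- Detection: (code, collection) pairs that never reached the registry.
SELECT w.entity_code, w.collection_name
FROM (VALUES ('PIV-101', 'pivot_results'),
             ('PIV-101', 'pivot_definitions')) AS w(entity_code, collection_name)
LEFT JOIN birth_registry_demo b
       ON b.entity_code = w.entity_code
      AND b.collection_name = w.collection_name
WHERE b.id IS NULL;

-- Prerequisite fix named above: composite key + matching conflict target.
ALTER TABLE birth_registry_demo
    DROP CONSTRAINT demo_entity_code_unique,
    ADD CONSTRAINT demo_code_collection_unique UNIQUE (entity_code, collection_name);

INSERT INTO birth_registry_demo (entity_code, collection_name)
VALUES ('PIV-101', 'pivot_definitions')
ON CONFLICT (entity_code, collection_name) DO NOTHING;

-- Each collection now holds its own birth row for the shared code.
SELECT entity_code, collection_name FROM birth_registry_demo ORDER BY id;
ROLLBACK;
```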

2.2 BEFORE-INSERT validation gate — fn_birth_gate() (advisory)

Fires BEFORE INSERT ROW on 16 tables: agents, checkpoint_instances, checkpoint_sets, checkpoint_types, collection_registry, dot_tools, entity_dependencies, meta_catalog, modules, table_proposals, tasks, taxonomy, trigger_registry, ui_pages, workflow_change_requests, workflow_steps. Verified logic:

  1. KILL SWITCH: current_setting('app.bypass_birth_gate', true) ∈ {true,1} → RETURN NEW.
  2. Extract code/name/_dot_origin from NEW.
  3. NULL-code skip: IF code IS NULL OR '' → RETURN NEW.
  4. Run fn_pre_birth_check(TG_TABLE_NAME, code, name, origin) (5 checks).
  5. On any fail: mode := current_setting('app.birth_gate_mode', true) default 'warning'. 'blocking' → RAISE EXCEPTION; else RAISE WARNING (insert proceeds).

fn_pre_birth_check 5 checks: (1) collection ∈ meta_catalog identity_class='managed'; (2) _dot_origin non-empty; (3) code ~ '^[A-Z]+-[0-9]+$'; (4) name not duplicate; (5) code not duplicate.

Live GUC state: pg_db_role_setting = 0 rows for any app.*. current_setting('app.*') is denied by the query_pg safety layer, but the absence of any persisted db/role setting + the function default proves the effective mode is warning for every ordinary connection. ⟹ the gate never blocks in production today.

This gate VALIDATES ROW SHAPE; it does NOT CONSUME A PERMIT. It checks "is this row well-formed against meta_catalog," not "was a reservation issued for this entity before the insert." That distinction is the entire gap between today and the target model.
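One way to re-check the gate's attachment and the persisted GUC state from the catalogs alone, as an added example (these are not the queries the report ran). The function and GUC names are the ones named above; the column aliases are assumptions.

```sql
-- Read-only catalog introspection (PostgreSQL).

-- 1. Where each birth function is attached, its timing, and whether the trigger is live.
SELECT c.relname      AS table_name,
       t.tgname       AS trigger_name,
       p.proname      AS function_name,
       CASE WHEN (t.tgtype & 2) <> 0 THEN 'BEFORE' ELSE 'AFTER' END AS timing,
       (t.tgtype & 4) <> 0 AS fires_on_insert,
       t.tgenabled,        -- 'O' enabled, 'D' disabled, 'R' replica only, 'A' always
       t.tgdeferrable,
       t.tginitdeferred
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
JOIN pg_proc  p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal
  AND p.proname IN ('fn_birth_gate', 'fn_birth_registry_auto',
                    'fn_iu_birth_gate_layer1', 'fn_iu_birth_gate_layer2')
ORDER BY p.proname, c.relname
LIMIT 500;

-- 2. Persisted per-database / per-role settings in the app.* namespace.
SELECT d.datname, r.rolname, cfg AS setting
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase   -- NULL = all databases
LEFT JOIN pg_roles    r ON r.oid = s.setrole       -- NULL = all roles
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE cfg LIKE 'app.%';

-- 3. Function-level SET clauses that would pin a mode for the gate itself.
SELECT p.proname, p.proconfig
FROM pg_proc p
WHERE p.proname IN ('fn_birth_gate', 'fn_pre_birth_check');
```

A session-level SET of app.birth_gate_mode or app.bypass_birth_gate does not appear in any of these catalogs, so zero rows in query 2 establishes the default for new connections, not what an individual session has set.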


3. The mature precedent — information_unit layered admission

This family is the template for pre-birth admission and must be reused, not reinvented:

  • fn_iu_birth_gate_layer1() — BEFORE INSERT, HARD RAISE EXCEPTION on missing required fields (canonical_address, unit_kind, lifecycle_status, owner_ref, conformance_status) and vocab membership checks against dot_config (vocab.unit_kind.*, vocab.section_type.*, vocab.publication_type.*). Note: it carries explicit RAISE WARNING … 'PILOT-ONLY: … production sẽ BLOCK' lines — IU is itself running a staged warning→blocking rollout, exactly the pattern this macro recommends.
  • fn_iu_birth_gate_layer2(): CREATE CONSTRAINT TRIGGER … AFTER INSERT OR UPDATE … DEFERRABLE INITIALLY DEFERRED = finalize-at-commit. A deferred constraint trigger CANNOT be skipped by a kill-switch GUC and fires at COMMIT, making it the right place to assert "a permit was consumed / the birth was finalized" with no partial state surviving.
  • fn_iu_gateway_write_guard() — BEFORE INS/UPD on information_unit + unit_version.
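The finalize-at-commit idea applied to permit consumption, as an added sketch (not the IU functions and not the design from doc 02). The schema permit_demo, the tables birth_permit and governed_thing, the function fn_demo_birth_finalize and the THG-n codes are all hypothetical.

```sql
-- Sketch for PostgreSQL 11+; every object below is hypothetical.
BEGIN;
CREATE SCHEMA permit_demo;
SET LOCAL search_path = permit_demo;

CREATE TABLE birth_permit (                  -- hypothetical permit ledger
    entity_code     text        NOT NULL,
    collection_name text        NOT NULL,
    expires_at      timestamptz NOT NULL,
    consumed_at     timestamptz,
    PRIMARY KEY (entity_code, collection_name)
);
CREATE TABLE governed_thing (code text PRIMARY KEY, name text);

CREATE FUNCTION fn_demo_birth_finalize() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- Consume one unexpired, unused permit for this row.
    UPDATE birth_permit
       SET consumed_at = clock_timestamp()
     WHERE entity_code     = NEW.code
       AND collection_name = TG_TABLE_NAME::text
       AND consumed_at IS NULL
       AND expires_at > clock_timestamp();
    IF NOT FOUND THEN
        RAISE EXCEPTION 'no valid birth permit for %.%', TG_TABLE_NAME, NEW.code;
    END IF;
    RETURN NULL;  -- the return value of an AFTER row trigger is ignored
END
$$;

-- Deferred constraint trigger: queued per row, executed at COMMIT.
CREATE CONSTRAINT TRIGGER trg_demo_birth_finalize
    AFTER INSERT ON governed_thing
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION fn_demo_birth_finalize();

INSERT INTO birth_permit
VALUES ('THG-1', 'governed_thing', now() + interval '5 minutes', NULL);
INSERT INTO governed_thing VALUES ('THG-1', 'has a permit');
INSERT INTO governed_thing VALUES ('THG-2', 'no permit');  -- accepted for now

-- The deferred trigger runs here; the THG-2 check raises, so the COMMIT
-- becomes a rollback of the whole transaction, demo objects included.
COMMIT;
```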

4. The permit-ledger precedent — fn_iu_gate_open (Điều 32)

Verified signature fn_iu_gate_open(gate_key text, approval_id uuid, actor text, reason text DEFAULT NULL, ttl_seconds int DEFAULT 300) → jsonb. Behavior:

  • fail-closed deny unless gate_key ∈ c_governable allow-list; c_never_flip array hard-refuses (Điều 32).
  • requires approval_id (uuid), non-empty actor, ttl ∈ (0,3600].
  • flips dot_config[gate_key]='true', writes a ledger row to iu_gate_transition (prev/new value, approval_id, ttl, expires_at, actor, reason), logs via fn_dot_iu_command_log(...), returns the transition.
  • companions fn_iu_gate_close, fn_iu_gate_verify_closed, fn_iu_gate_watchdog(actor) (TTL expiry).

This is, structurally, the birth-admission-permit pattern already implemented for runtime feature gates: issue with approval + TTL → record in a ledger → auto-expire via watchdog → full command audit. The recommended permit model (doc 02) mirrors this 1:1.

5. Retire scaffolding — fn_retire_gate_check(collection, entity_id)

Returns blockers: Layer 1 HARD = native FK references into the collection that still point at the entity; Layer 2 SOFT = universal_edges where target=(collection,id) and status='active'. This is a retire safety pre-check — the hard part of a retire mechanism already exists. What is missing: a transition function that, when blockers=∅, sets birth_registry.status='retired', plus the status vocabulary/CHECK. (Consistent with checkpoint: "no lawful birth-retirement mechanism" — the transition is absent, the safety check is not.)

6. Onboarding handoff — fn_collection_onboarding_soft_gate()

AFTER INS/UPD on collection_registry (of governance_role, coverage_status, coverage_scope_status, coverage_exemption_reason, coverage_review_owner). Advisory ("soft gate must NEVER raise" — single EXCEPTION WHEN OTHERS → RETURN NEW). Emits 11 onboarding-gap types to system_issues via fn_b3f1_log_collection_onboarding_gap. Notably registry-driven: it reads sibling-trigger policy from dot_config['policy.birth_trigger.accepted_sibling_scope'] and resolves contract fns by OID (good anti-hardcode pattern). Structural limit: it checks a collection has a birth trigger, never per-row birth → invisible to the 22 historically-unborn pivots / 283 phantoms.


7. Identity quality per critical family (LIVE)

| family | rows | null code | dup code | code ~ '^[A-Z]+-[0-9]+$' | has BEFORE gate? | usable pre-insert code? |
|---|---|---|---|---|---|---|
| dot_tools | 309 | 0 | 0 | 163 / 309 (53%) | YES (fn_birth_gate) | YES (real code, e.g. DOT-NNN; ~47% non-standard) |
| collection_registry | 168 | 0 | 0 | 166 / 168 (99%) | YES | YES (COL-NNN) |
| meta_catalog | 169 | 0 | 0 | 159 / 169 (94%) | YES | YES (CAT-NNN) |
| entity_species | 42 | 0 | 0 | 0 / 42 (0%) | NO | code exists but alpha-suffix (SPE-CAT…) — format rule rejects all |
| pivot_definitions | 37 | 0 | 0 | 34 / 37 (92%) | NO | code yes (PIV-NNN), no _dot_origin col, collision defect |
| pivot_results | 126+ | — | | (no code col) | NO | NO code at all (derived/cache) |
| dot_iu_command_catalog | 54 | n/a | 0 | 0 (no code col) | NO | PK = command_name free-text, triple-absent |

Anti-hardcode signal: the ^[A-Z]+-[0-9]+$ rule baked into fn_pre_birth_check fits collection_registry/meta_catalog/pivot_definitions but rejects 100% of entity_species and 47% of dot_tools. A single hardcoded format cannot serve all families (doc 08).


8. Current BLOCK dimensions — LIVE counts (via existing safety-net views)

The existing safety net answers every BLOCK question; no new view was needed.

| dimension | view | live count | breakdown |
|---|---|---|---|
| birth_orphan_critical_active | v_birth_orphan (active ∧ critical_family) | 59 | dot_iu_command_catalog 54 + pivot_definitions 5 |
| birth_phantom | v_birth_phantom | 289 | REAL_MISSING 6 + SYNTHETIC_TEST 283 |
| fs_dot_file_no_registry | v_dot_fs_reconciliation | 16 | (+ OK_REGISTERED_BORN 193, BACKUP 76, NON_DOT 2) |
| dot_pivot_update_not_governed | v_dot_pivot_update_status | 1 | STAGED_FILE_ONLY / UNBORN / NOT_VALID_DOT |

These match the SSOT checkpoint exactly (59 / 6 / 16 / 1). Live evidence confirms the checkpoint. The fail-closed guard fn_assert_safe_for_dot_action() and fn_preflight_guard remain live; _preflight_accepted_exceptions, _recon_dot_fs_inventory present. RP cleanup remains NO-GO, enforced.

9. Governance handoff substrate — LIVE state

| component | live | meaning |
|---|---|---|
| governance_object_ownership | 0 | no ownership seeded |
| governance_candidate_object / _state | 0 / 0 | no candidates |
| candidate_scan_run | 0 | scanner never ran |
| governance_ruleset | 0 | no ruleset |
| gov_worker_cursor | 0 | handoff worker not running |
| event_pending | 0 | no captured signals yet |
| governance_build_authorization (OSPA) | 0 | OSPA = 0 ⇒ rollout NO-GO |
| governance_responsibility_scope | 6 | scopes defined |
| governance_registry | 9 | seam |
| event_outbox WHERE domain='governance' | 0 | register-before-emit holds — nothing emitted |
| event_type_registry domain='governance' | 5, all active=false | backfill.sweep_completed, candidate.scan_completed, coverage.scan_completed, handoff.object_born, input.untrusted_source → register step DONE, emit gated |
| registry_changelog | 70,313 | CDC tail source live & populated |
| queue_heartbeat | 3 | silent-gap substrate live |

Advance vs the 2026-06-03 audit: the governance event types are now registered (active=false), including handoff.object_born. The register-before-emit precondition for the birth→governance handoff is satisfied; what remains is OSPA≥1, a ruleset, and starting the cursor-tail worker. 0 new tables required for the handoff (SB-11 reuse-first holds live).


10. What this verification establishes for the design

  1. The BEFORE hook exists (fn_birth_gate, 16 tables incl. dot_tools/collection_registry/meta_catalog) — extendable into a permit-consumption gate.
  2. The finalize-at-commit pattern exists (IU layer2 deferred constraint trigger) — reuse for "no permit → no committed birth."
  3. The permit ledger pattern exists (iu_gate_transition + fn_iu_gate_open + command log) — reuse for the permit table.
  4. The retire safety check exists (fn_retire_gate_check) — only the status transition + vocabulary are missing.
  5. The handoff substrate exists and is partly staged — 0 new tables; gated by OSPA.
  6. The blockers are identity + enforcement + approval, not absence of machinery: UNIQUE(entity_code) defect, advisory gate, hardcoded format/family lists, absent registrar creds, OSPA=0, no scheduler (pg_cron absent).
  7. No production mutation is possible or needed to answer the architecture question — read-only catalog + view evidence is decisive.
knowledge/dev/reports/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/01-live-verification-current-birth-governance-state.md