KB-8B4C

Pre-Birth Admission Control — 05 Legacy/Backfill Boundary & Cutoff

Revision 1 · 2026-06-03 · tags: pre-birth-admission, architecture

05 — Legacy / Backfill Boundary & Cutoff

Goal: separate the normal path (permit required) from legacy remediation (scanner/backfill), and make the backfill mechanism structurally unable to become the normal workflow. Design only.


0. The four paths

| path | when | mechanism | who approves |
|---|---|---|---|
| Normal | object created after a family's cutoff | dot-birth-admit → permit required (blocking for enforced families) | registrar issues permit under approval |
| Legacy backfill | pre-cutoff backlog only | the existing AFTER-trigger + the doc-31 bounded cursored sweep | one-time, owner-authorized; never perpetual |
| Migration window | declared bulk-load window | a reason='migration' permit + approval_id, TTL-bounded | owner; window explicitly opened/closed |
| Emergency / break-glass | incident recovery | logged break-glass (replaces silent app.bypass_birth_gate) | logged actor + post-hoc review; auto-expires |

1. The cutoff — how "after" is defined

  • Per-family cutoff timestamp stored in dot_config, e.g. policy.birth_admission.cutoff.dot_tools = '2026-06-10T00:00:00Z'. (Reusing dot_config — the same store the IU gate vocab and sibling policy already use.)
  • Legacy = birth_registry.born_at < cutoff(family) → grandfathered; never requires a permit retroactively.
  • Normal = born_at ≥ cutoff(family) for an enforced family → MUST have a matching FINALIZED permit.
  • A family with no cutoff set is not yet enforced (report-only). Setting the cutoff is the deliberate, owner-approved act that "turns on" birth-first for that family.

This makes the legacy/normal boundary a single, auditable config value per family — not a code change, not a global flip. Rollback = unset the cutoff.

2. Detecting a post-cutoff object created without a permit

New read-only view (design):

```sql
v_birth_admission_violation =
  born rows b
  JOIN dot_config policy ON policy.key = 'policy.birth_admission.cutoff.' || b.collection_name
  WHERE b.born_at >= policy.value::timestamptz                       -- after cutoff
    AND b.collection_name IN (enforced families)
    AND NOT EXISTS (permit p WHERE p.collection_name = b.collection_name
                              AND p.entity_code     = b.entity_code
                              AND p.status          = 'FINALIZED')   -- no consumed permit
```
  • Report-only first (a finding per violation → system_issues + heartbeat).
  • Blocking later: the same predicate is what the BEFORE gate + deferred constraint enforce for an enforced family, so once the family is clean and the cutoff is set, post-cutoff permit-less inserts simply cannot commit. The view then reports 0 by construction (its only rows would be legacy/grandfathered, which are excluded by the cutoff predicate).

3. Preventing backfill from becoming the normal mechanism

The structural guarantees (not procedural reminders):

  1. The AFTER-trigger refuses to silently birth post-cutoff rows for enforced families. Design: the AFTER fn_birth_registry_auto is extended (for enforced families only) to check "was a permit consumed for this insert?" If not, it logs a birth_admission_violation finding instead of relying on the cutoff view. (For non-enforced families it behaves exactly as today — zero change.)
  2. Backfill sweep is phase-bounded (seeding → reconciling → incremental) and cursored (doc 31): it never re-scans the full 1.12M-row spine; it advances a keyset cursor and stops. There is no "run forever" mode.
  3. Backfill writes are tagged dot_origin='BACKFILL:<macro>' (already the convention — the 22 pivot births used BACKFILL:birth-orphan-remediation-2026-06-03). A born row tagged BACKFILL with born_at ≥ cutoff is itself a violation (backfill used as a shortcut after cutoff).
  4. Migration window is explicit and TTL'd: a migration permit must carry reason='migration' + approval_id + expires_at; when the window closes, the migration permits expire and normal permit-first resumes automatically (no "forgot to turn it back on").
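The violation view from section 2, together with rule 3 above (a BACKFILL-tagged row born at or after the cutoff is itself a violation), executed against a constructed in-memory SQLite database. This is an added example, not the project's view definition: `birth_registry` and `dot_config` are the page's names, while the permit table name `birth_permit`, the `dot_origin` column on `birth_registry`, and all row values are assumptions. Timestamps are ISO-8601 UTC strings so that plain string comparison stands in for the Postgres `::timestamptz` comparison.

```python
import sqlite3

# Constructed schema. birth_registry and dot_config come from the design doc;
# birth_permit and the dot_origin column are assumptions for this example.
SCHEMA = """
CREATE TABLE birth_registry (
    collection_name TEXT NOT NULL,
    entity_code     TEXT NOT NULL,
    born_at         TEXT NOT NULL,   -- ISO-8601 UTC, stands in for timestamptz
    dot_origin      TEXT NOT NULL    -- e.g. 'dot-birth-admit' or 'BACKFILL:<macro>'
);
CREATE TABLE dot_config ("key" TEXT PRIMARY KEY, value TEXT NOT NULL);
CREATE TABLE birth_permit (
    collection_name TEXT NOT NULL,
    entity_code     TEXT NOT NULL,
    status          TEXT NOT NULL    -- PENDING / FINALIZED
);
"""

# The view predicate: post-cutoff rows in families that have a cutoff key,
# with no FINALIZED permit, plus the "BACKFILL after cutoff" shortcut rule.
# Families without a cutoff key never match the JOIN, so they report nothing
# (that is the "not yet enforced" state).
VIOLATION_SQL = """
SELECT b.collection_name,
       b.entity_code,
       CASE WHEN b.dot_origin LIKE 'BACKFILL:%' THEN 'backfill_after_cutoff'
            ELSE 'no_permit' END AS kind
FROM birth_registry b
JOIN dot_config policy
  ON policy."key" = 'policy.birth_admission.cutoff.' || b.collection_name
WHERE b.born_at >= policy.value
  AND ( b.dot_origin LIKE 'BACKFILL:%'
        OR NOT EXISTS (SELECT 1 FROM birth_permit p
                        WHERE p.collection_name = b.collection_name
                          AND p.entity_code     = b.entity_code
                          AND p.status          = 'FINALIZED') )
ORDER BY b.collection_name, b.entity_code
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: dot_tools has a cutoff, dot_pivot does not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute('INSERT INTO dot_config ("key", value) VALUES (?, ?)',
                 ("policy.birth_admission.cutoff.dot_tools", "2026-06-10T00:00:00Z"))
    conn.executemany("INSERT INTO birth_registry VALUES (?, ?, ?, ?)", [
        ("dot_tools", "T-001", "2026-06-01T08:00:00Z", "seed"),             # legacy, grandfathered
        ("dot_tools", "T-002", "2026-06-11T09:00:00Z", "dot-birth-admit"),  # permit consumed
        ("dot_tools", "T-003", "2026-06-11T09:05:00Z", "dot-birth-admit"),  # no permit at all
        ("dot_tools", "T-004", "2026-06-12T10:00:00Z", "BACKFILL:example-macro"),  # backfill shortcut
        ("dot_tools", "T-005", "2026-06-12T11:00:00Z", "dot-birth-admit"),  # permit never finalized
        ("dot_pivot", "P-001", "2026-06-12T12:00:00Z", "dot-birth-admit"),  # family not enforced
    ])
    conn.executemany("INSERT INTO birth_permit VALUES (?, ?, ?)", [
        ("dot_tools", "T-002", "FINALIZED"),
        ("dot_tools", "T-005", "PENDING"),
    ])
    conn.commit()
    return conn


def violations(conn: sqlite3.Connection) -> list:
    """Rows the report-only phase would turn into findings."""
    return [tuple(row) for row in conn.execute(VIOLATION_SQL)]


if __name__ == "__main__":
    for collection, entity, kind in violations(build_sample_db()):
        print(f"birth_admission_violation {collection}/{entity}: {kind}")
```

Once the family is in blocking mode, rows T-003, T-004 and T-005 could not have committed in the first place, which is why the page says the view reports 0 by construction after the cutoff is enforced.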

4. Break-glass replaces the silent kill-switch

Today app.bypass_birth_gate='true' silently disables the gate with no audit. Recommended replacement (design):

  • fn_birth_break_glass_open(family, approval_id, actor, reason, ttl) — mirrors fn_iu_gate_open: writes an iu_gate_transition-style ledger row, flips a scoped, TTL'd bypass for one family, auto-expires via watchdog, and emits a loud finding.
  • The raw app.bypass_birth_gate GUC remains as the last-resort superuser escape (cannot be removed — superuser can always SET), but its use is detectable (doc 07): a born row during a window where no break-glass ledger row exists = an unaudited bypass → critical finding.

5. Cutoff lifecycle (per family)

not-enforced (no cutoff)  →  report-only (cutoff set, mode=warning, violations logged)
   →  enforced (mode=blocking for family)  →  [rollback any time: unset cutoff / mode→warning]

The cutoff is set only after the family is backlog-clean (orphans=0 for that family) and owner-approved. For dot_tools (pilot), orphans are already 0; the gate is present; so it is the first eligible family — but the cutoff is still an explicit, approved act, never automatic.
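The per-family decision logic implied by sections 1, 4 and 5 (grandfathering below the cutoff, warning vs blocking mode, a TTL'd break-glass window that auto-expires, and rollback by unsetting the cutoff), modelled as plain Python. This is an added illustration, not the project's trigger or ledger code: the `FamilyPolicy` and `BreakGlassEntry` classes, the function names, the `"warning"`/`"blocking"` mode strings and every value in `walkthrough()` are assumptions standing in for the dot_config keys and the fn_birth_break_glass_open ledger the page describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
SAMPLE_CUTOFF = datetime(2026, 6, 10, tzinfo=UTC)   # constructed, mirrors the page's example value


@dataclass
class FamilyPolicy:
    """Model of the per-family dot_config state (assumed shape)."""
    cutoff: Optional[datetime] = None   # None = no cutoff key = not yet enforced
    mode: str = "warning"               # 'warning' (report-only) or 'blocking'


@dataclass
class BreakGlassEntry:
    """Ledger row a fn_birth_break_glass_open-style function would write (assumed shape)."""
    family: str
    actor: str
    approval_id: str
    reason: str
    opened_at: datetime
    expires_at: datetime


def set_cutoff(policy: FamilyPolicy, cutoff: datetime, open_orphans: int) -> FamilyPolicy:
    """Deliberate act that turns on report-only mode; refused unless the backlog is clean."""
    if open_orphans != 0:
        raise ValueError("cutoff may only be set once the family has 0 orphans")
    policy.cutoff, policy.mode = cutoff, "warning"
    return policy


def enforce(policy: FamilyPolicy) -> FamilyPolicy:
    """report-only -> enforced (blocking) for this family only."""
    if policy.cutoff is None:
        raise ValueError("cannot enforce a family that has no cutoff")
    policy.mode = "blocking"
    return policy


def rollback(policy: FamilyPolicy) -> FamilyPolicy:
    """Rollback = unset the cutoff; the family is back to not-enforced."""
    policy.cutoff, policy.mode = None, "warning"
    return policy


def open_break_glass(ledger: List[BreakGlassEntry], family: str, actor: str,
                     approval_id: str, reason: str, ttl: timedelta, now: datetime) -> BreakGlassEntry:
    """Scoped, TTL'd bypass for one family; the ledger row is the audit trail."""
    entry = BreakGlassEntry(family, actor, approval_id, reason, now, now + ttl)
    ledger.append(entry)
    return entry


def break_glass_covers(ledger: List[BreakGlassEntry], family: str, at: datetime) -> bool:
    """True only inside an open, not-yet-expired window for this family."""
    return any(e.family == family and e.opened_at <= at < e.expires_at for e in ledger)


def admit(family: str, policy: FamilyPolicy, born_at: datetime,
          permit_finalized: bool, ledger: List[BreakGlassEntry]) -> Tuple[str, Optional[str]]:
    """Decide a birth. Returns (decision, finding); finding is None when nothing is logged."""
    if policy.cutoff is None or born_at < policy.cutoff:
        return ("allow", None)                          # not enforced, or grandfathered
    if permit_finalized:
        return ("allow", None)                          # the normal permit-first path
    if break_glass_covers(ledger, family, born_at):
        return ("allow", "birth_break_glass_used")      # audited bypass, still a loud finding
    if policy.mode == "blocking":
        return ("block", "birth_admission_violation")
    return ("warn", "birth_admission_violation")        # report-only phase


def walkthrough() -> List[Tuple[str, Optional[str]]]:
    """Constructed lifecycle for one family: not-enforced -> report-only -> enforced -> rollback."""
    policy, ledger, out = FamilyPolicy(), [], []
    legacy = datetime(2026, 6, 1, tzinfo=UTC)
    post = datetime(2026, 6, 11, 9, tzinfo=UTC)
    out.append(admit("dot_tools", policy, post, False, ledger))            # no cutoff: allow
    set_cutoff(policy, SAMPLE_CUTOFF, open_orphans=0)
    out.append(admit("dot_tools", policy, legacy, False, ledger))          # grandfathered
    out.append(admit("dot_tools", policy, post, False, ledger))            # warning only
    enforce(policy)
    out.append(admit("dot_tools", policy, post, False, ledger))            # blocked
    out.append(admit("dot_tools", policy, post, True, ledger))             # permit consumed
    open_break_glass(ledger, "dot_tools", "oncall-actor", "APPROVAL-ID-PLACEHOLDER",
                     "incident recovery", timedelta(hours=1), post)
    out.append(admit("dot_tools", policy, post + timedelta(minutes=30), False, ledger))  # inside window
    out.append(admit("dot_tools", policy, post + timedelta(hours=2), False, ledger))     # window expired
    rollback(policy)
    out.append(admit("dot_tools", policy, post, False, ledger))            # back to not-enforced
    return out
```

Read the walkthrough against the doc-07 detection rule in section 4: a permit-less post-cutoff birth that `admit` would have blocked but that nevertheless exists in `birth_registry` is, by elimination, a raw GUC bypass with no ledger row, which is the critical-finding case.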

6. Interaction with the four current BLOCK dimensions

  • The legacy backlog (54 iu_cmd + 5 pivot orphans, 6 phantoms, 16 FS files, dot-pivot-update) lives entirely before any cutoff → it is the legacy path's responsibility and does NOT block setting a dot_tools cutoff (dot_tools has 0 orphans).
  • RP cleanup remains gated by the existing fn_assert_safe_for_dot_action until all four dims reach 0 — unchanged by this design. Pre-birth admission for dot_tools and RP cleanup are independent: the pilot can proceed without RP being unblocked.
Source: knowledge/dev/reports/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/05-legacy-backfill-boundary-and-cutoff.md