10 — Decision Matrix & Recommended Next Macro

---

A. The architecture question, answered

Q: Can the system be safely changed from AFTER-the-fact birth detection/backfill to PRE-BIRTH admission control?

A: Yes — incrementally, one clean family at a time — and most of the machinery already exists. But NOT as a global flip, and NOT today. The honest, law-compliant verdict:

• Birth-first is currently POLICY, not ENFORCEMENT. The BEFORE gate (fn_birth_gate, 16 tables) is advisory (warning), kill-switchable, null-code-skipping. ⟹ per the open-goal law, birth-first is NOT achieved.
• It CAN be enforced for one pilot family (dot_tools) soon, because the BEFORE hook, the deferred-finalize pattern (IU layer2), and the permit-ledger pattern (Điều 32 gate-token) already exist — the missing pieces are a permit table, a composite-unique fix, a gate extension, and an owner-approved blocking flip.
• It CANNOT be enforced globally without registry-driven coverage (the 16/166-table lists are hardcoded), identity fixes (collision, format rule, code-less families), a retire mechanism, registrar creds, and OSPA ≥ 1.

B. Model decision matrix

criterion	Opt 1 (extend birth_registry states)	Opt 2 (separate permit table) ✅	Opt 3 (AFTER + scanner)
touches 1.12M-row BORN ledger	yes (migration)	no	no
reuses existing patterns	partial	yes (IU layer2 + Điều 32 ledger)	yes
reversible (one-line rollback)	no	yes (drop table + detach)	n/a
sidesteps entity_code-alone defect	no (bleeds in)	yes (composite at permit layer)	no
enforces "no permit → no insert"	yes	yes	no (after-the-fact)
166-table trigger rewrite needed	yes	no	no
verdict	REJECTED	RECOMMENDED	LEGACY/EMERGENCY ONLY

C. Family readiness (from doc 04)

family	class	pilot
dot_tools	READY_FOR_STRICT	★ PILOT
collection_registry	READY_FOR_STRICT (phase 5)	—
meta_catalog	READY_FOR_STRICT (phase 5, bootstrap care)	—
entity_species	REPORT_ONLY → NEEDS_IDENTITY_FIX	—
pivot_definitions	NEEDS_IDENTITY_FIX (collision + no _dot_origin)	—
pivot_results	NOT_SUITABLE (no code)	—
dot_iu_command_catalog	NEEDS_REGISTRY_ONBOARDING + IDENTITY + GOV_APPROVAL	—
governance tables	NEEDS_GOVERNANCE_APPROVAL	—
filesystem DOT lifecycle	NOT_SUITABLE (no DB hook; registrar+reconciler)	—

D. What must be fixed FIRST (ordered)

1. Composite-unique (entity_code, collection_name) on birth_registry + conflict-target change in fn_birth_registry_auto (unblocks 5 pivots; prerequisite for reliable FINALIZED↔BORN).
2. birth_admission_permit table (empty, reversible) — modeled on iu_gate_transition.
3. Gate extension + DEFERRABLE finalize constraint (report-only globally; blocking for dot_tools only).
4. Registry-driven coverage + STOP-on-mismatch + per-family code rule (kills the hardcoded-list misuse #18; required before expansion).
5. Retire-transition mechanism (the fn_retire_gate_check safety check exists; build the status-transition fn + status vocabulary/CHECK) — needed for the 6 phantoms and the EXPIRED/REVOKED permit states.
6. Function/trigger drift monitor (hash + disabled-trigger detector) — converts superuser bypass from invisible to loud.

E. Absolute blockers (cannot proceed past Phase 1 without)

1. dot-dot-register admin/registrar creds — ABSENT (blocks permit issuance, DOT registration, FS file registration).
2. Owner DDL approval (permit table, composite-unique migration, gate extension, mode flip).
3. Human OSPA ≥ 1 (governance_build_authorization=0 live — blocks governance handoff activation).
4. External scheduler (pg_cron absent — needed for cursor-tail worker + watchdog + scanners).
5. Owner identity decisions for dot_iu_command_catalog (54) and the pivot collisions.

F. Decision summary (one line each)

• Model: Option 2 — separate birth_admission_permit, built from existing IU layered-trigger + Điều 32 gate-token-ledger patterns.
• Pilot: dot_tools.
• Enforce now? No — design + rollback-only rehearsal only; the enforcing flip is owner/OSPA-gated.
• Scope of blocking: one family, after prerequisites; never a global flip.
• Governance: decoupled cursor-tail handoff, 0 new tables, gated by OSPA; never blocks creation/birth.
• Legacy: scanner/backfill retained for pre-cutoff backlog + emergency only; cutoff = a per-family dot_config timestamp.

---

G. Recommended next macro

PRE_BIRTH_PILOT_DOT_TOOLS_PERMIT_AND_COMPOSITE_UNIQUE_ROLLBACK_REHEARSAL

Scope (rollback-only rehearsal, 0 prod mutation, produces an operator-credentialed apply packet):

1. Author the birth_admission_permit DDL + the composite-unique migration + the fn_birth_gate extension + the DEFERRABLE finalize trigger (paste-ready, not applied).
2. Rehearse in one BEGIN…ROLLBACK on prod: composite-unique add (online build dry-run / lock-window measurement), permit issue, dot_tools permit-bound insert → CONSUMED → would-FINALIZE, and a permit-less insert → rejected; then ROLLBACK. Prove entry-hash == exit-hash.
3. Produce the operator apply packet (the 2–3 commands the credentialed operator runs) + rollback script.
4. STOP before any COMMIT; hand off to owner for DDL approval + registrar creds.

Blockers carried into it: registrar creds (absent), owner DDL approval, OSPA (for the later governance phase only — not for the birth-side rehearsal).