KB-24F9

Pre-Birth Admission Control — 11 Final Summary

Revision 1. Tags: pre-birth-admission, architecture, 2026-06-03

11 — Final Summary

Macro: PRE_BIRTH_ADMISSION_CONTROL_AND_SEQUENTIAL_DOT_WORKFLOW_DECISION
Date: 2026-06-03
Final status: PARTIAL (live checks complete; design complete; remaining decision is human/owner approval + structural migration + absent creds).
Execution mode: read-only verification (query_pg).
Live mutation: NONE.


The answer in five sentences

  1. The system is much closer to pre-birth admission than the "AFTER-trigger + scanner" framing suggests: a BEFORE-insert gate, a deferred-finalize constraint-trigger pattern, a TTL'd approval-bound permit ledger, and a retire safety-check already exist in production (information_unit family + Điều 32 gate-token mechanism).
  2. But birth-first is presently policy, not enforcement: fn_birth_gate is advisory (warning default), kill-switchable, and skips null-code rows, so per the open-goal law it is not achieved, and this macro does not (and is forbidden to) flip it.
  3. The recommended model is Option 2: a separate, reversible birth_admission_permit table composed from the existing IU layered-trigger + gate-token-ledger patterns, with a composite-unique (entity_code, collection_name) fix on birth_registry as a hard prerequisite (the current UNIQUE(entity_code)-alone defect silently drops births and would poison Option 1).
  4. dot_tools is the pilot — it already has the BEFORE gate, is orphan-clean, is created via a governed DOT path, and making DOT creation permit-first is maximally on-strategy; enforcement is applied for that one family only, after the permit table + composite-unique fix land under owner approval — never a global flip.
  5. The governance "second birth" is a decoupled cursor-tail handoff with 0 new tables (the substrate is live and the handoff.object_born event type is already registered active=false), gated by OSPA ≥ 1, and it never blocks creation or birth — only governed activation where policy requires coverage.

What live evidence established (and confirmed the SSOT)

  • BLOCK dimensions 59 / 6 / 16 / 1 — confirmed live, matching the checkpoint exactly.
  • birth_registry: 1,121,537 rows all status='born', UNIQUE(entity_code) alone, no status CHECK, latent lifecycle columns (inspect_*, certified, canonical_address, jsonb_profile).
  • fn_birth_registry_auto on 166 tables (ON CONFLICT (entity_code) DO NOTHING — the defect); fn_birth_gate on 16 (advisory).
  • Governance fully inert (OSPA=0) but substrate live: registry_changelog=70,313, queue_heartbeat=3, 5 governance event types registered active=false.
  • Identity quality: the hardcoded ^[A-Z]+-[0-9]+$ rule fits collection_registry (166/168) but rejects 100% of entity_species and 47% of dot_tools — a concrete anti-hardcode finding.
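The UNIQUE(entity_code)-alone defect named in sentence 3 and in the fn_birth_registry_auto finding above, reproduced on a constructed throwaway copy of the registry shape. This is an added illustration, not the project's migration or its real trigger function; the demo_register_birth function, the constraint names and every column other than entity_code / collection_name are assumptions, and the whole thing runs inside one BEGIN…ROLLBACK so nothing persists.

```sql
-- Added illustration (constructed schema, not the project's fn_birth_registry_auto).
-- Shows why UNIQUE(entity_code) + ON CONFLICT (entity_code) DO NOTHING silently
-- drops a second-family birth, and what the composite-unique fix changes.
-- Assumed names: demo_register_birth, both constraint names. Rolled back at the end.
BEGIN;

CREATE TEMP TABLE birth_registry (
    entity_code     text NOT NULL,
    collection_name text NOT NULL,
    status          text NOT NULL DEFAULT 'born',
    CONSTRAINT birth_registry_entity_code_key UNIQUE (entity_code)  -- the current defect
);

-- Stand-in for the auto-registration upsert with the defective conflict target.
CREATE FUNCTION demo_register_birth(p_code text, p_collection text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE n bigint;
BEGIN
    INSERT INTO birth_registry (entity_code, collection_name)
    VALUES (p_code, p_collection)
    ON CONFLICT (entity_code) DO NOTHING;   -- no error, no row: the birth vanishes
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;                               -- 0 = silently dropped
END $$;

SELECT demo_register_birth('ABC-1', 'collection_registry');  -- 1
SELECT demo_register_birth('ABC-1', 'dot_tools');            -- 0: same code, other family, lost

-- Fix: key the registry on the (entity_code, collection_name) pair ...
ALTER TABLE birth_registry DROP CONSTRAINT birth_registry_entity_code_key;
ALTER TABLE birth_registry
    ADD CONSTRAINT birth_registry_entity_collection_key UNIQUE (entity_code, collection_name);

-- ... and retarget the upsert in the same step: ON CONFLICT (entity_code) would now
-- error out ("no unique or exclusion constraint matching the ON CONFLICT specification").
CREATE OR REPLACE FUNCTION demo_register_birth(p_code text, p_collection text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE n bigint;
BEGIN
    INSERT INTO birth_registry (entity_code, collection_name)
    VALUES (p_code, p_collection)
    ON CONFLICT (entity_code, collection_name) DO NOTHING;  -- re-registration stays idempotent
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;
END $$;

SELECT demo_register_birth('ABC-1', 'dot_tools');            -- 1: the second birth now lands
SELECT demo_register_birth('ABC-1', 'dot_tools');            -- 0: true duplicate, correctly ignored
SELECT entity_code, collection_name, status FROM birth_registry ORDER BY 2;  -- 2 rows
ROLLBACK;   -- rehearsal only: nothing persists
```

Because the 166 installed copies of the auto trigger name the old conflict target, the constraint swap and the trigger-function retarget must land in the same transaction or inserts on those tables start failing rather than silently dropping.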

Honest limits (no fake PASS)

  • No absolute prevention against a superuser (workflow_admin is superuser; tables owned by directus): pre-birth admission is absolute for ordinary roles, detect-only for privileged roles — answered with drift hashes + break-glass audit, not a false claim of prevention.
  • No production DOT, no permit table, no constraint, no flip was created — all forbidden; everything here is design + a rehearsal plan.
  • Critical-path blockers are human/structural: registrar creds (absent), owner DDL approval, OSPA≥1, external scheduler (pg_cron absent), identity decisions.

Deliverables

  • 13 report docs (00–12) + this summary + an MCP-readable checkpoint.
  • Recommended model, pilot, family-readiness table, sequential DOT state machine, decoupled handoff design, 20-vector misuse analysis, 10-item anti-hardcode audit, 7-phase rollout (~4–7 weeks gated), and the next macro.

Next macro

PRE_BIRTH_PILOT_DOT_TOOLS_PERMIT_AND_COMPOSITE_UNIQUE_ROLLBACK_REHEARSAL — author the permit table + composite-unique migration + gate extension + deferred finalize trigger; rehearse in one BEGIN…ROLLBACK on prod (0 mutation); produce an operator-credentialed apply packet; STOP for owner DDL approval + registrar creds.

Source: knowledge/dev/reports/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/11-final-summary.md