12 — GPT / MCP-Readable Checkpoint (in-package copy)

Macro: PRE_BIRTH_ADMISSION_CONTROL_AND_SEQUENTIAL_DOT_WORKFLOW_DECISION · Date: 2026-06-03 Status: PARTIAL · Execution mode: read-only (query_pg) · Live mutation: NONE

Recommended model

Option 2 — separate birth_admission_permit table, composed from existing live patterns: IU layered triggers (fn_iu_birth_gate_layer1 BEFORE + fn_iu_birth_gate_layer2 DEFERRABLE CONSTRAINT) and the Điều 32 gate-token ledger (fn_iu_gate_open + iu_gate_transition + fn_dot_iu_command_log). Option 1 (overload birth_registry with states) REJECTED. Option 3 (AFTER-trigger + scanner) kept for legacy/backfill/emergency only.

Pilot family

dot_tools — already has the BEFORE gate (fn_birth_gate), orphan-clean (0 unborn), governed DOT creation path, controlled volume.

Can birth-first be enforced NOW?

NO. Today it is POLICY, not ENFORCEMENT: fn_birth_gate is advisory (warning default), kill-switchable (app.bypass_birth_gate), skips null-code rows. It CAN be enforced for the dot_tools pilot after prerequisites + owner approval; it CANNOT be flipped globally. This macro performed no flip (forbidden).

What must be fixed first (ordered)

1. Composite-unique (entity_code, collection_name) on birth_registry (+ conflict-target change in fn_birth_registry_auto) — unblocks 5 pivots; prerequisite for FINALIZED↔BORN.
2. birth_admission_permit table (empty, reversible).
3. Gate extension (consume permit) + DEFERRABLE finalize constraint (report-only globally; blocking for dot_tools only).
4. Registry-driven coverage + STOP-on-mismatch + per-family code rule (the ^[A-Z]+-[0-9]+$ rule rejects 100% of entity_species, 47% of dot_tools).
5. Retire-transition mechanism (safety check fn_retire_gate_check exists; transition fn + status vocab/CHECK missing) — for 6 phantoms + EXPIRED/REVOKED permit states.
6. Function/trigger drift monitor (hash + disabled-trigger detector) — superuser bypass is detect-only.

Governance handoff decision

Decoupled cursor-tail / CDC over birth_registry BORN tail + registry_changelog (70,313 live); upsert governance_candidate_state dirty=true; emit-or-capture handoff.object_born (registered live, active=false → captured to event_pending). 0 new tables. Never blocks creation/birth; may block governed activation where policy requires coverage. Gated by OSPA ≥ 1 (governance_build_authorization=0 live).

Estimated rollout

7 phases. P0 done; P1 design+rehearsal (1–2 d); P2 pilot enforce (3–5 d); P3 sequential DOT (3–5 d); P4 gov handoff (5–8 d); P5 stage-2 expansion+anti-hardcode (5–8 d); P6 cutoff (3–5 d); P7 RP return (gated). ≈ 20–33 engineering-days (~4–7 weeks), dominated by human/owner/creds gates.

Remaining absolute blockers

1. dot-dot-register registrar creds — ABSENT.
2. Owner DDL approval (permit table, composite-unique, gate extension, flip).
3. Human OSPA ≥ 1 — governance activation.
4. External scheduler — pg_cron absent.
5. Owner identity decisions — dot_iu_command_catalog (54), pivot collisions.
6. No in-DB absolute prevention against superuser (workflow_admin) — detect-only.

Live BLOCK dimensions (confirmed, unchanged)

orphan_critical_active 59 (54 dot_iu_command_catalog + 5 pivot) · phantom_real 6 (+283 synthetic) · fs_file_no_registry 16 · dot_pivot_update 1 (STAGED/UNBORN/NOT_VALID). RP cleanup NO-GO, enforced.

Next macro

PRE_BIRTH_PILOT_DOT_TOOLS_PERMIT_AND_COMPOSITE_UNIQUE_ROLLBACK_REHEARSAL — author DDL + rehearse in one BEGIN…ROLLBACK on prod (0 mutation) + operator apply packet; STOP for owner DDL approval + registrar creds.

Report path

knowledge/dev/reports/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/ (docs 00–12).