KB-1E5A

Pre-Birth Pilot Rehearsal — 07 Sequential DOT Entrypoint Spec

Revision 1
Tags: pre-birth, dot-birth-admit, sequential-dot, spec, 2026-06-03

07 — Workstream F: Sequential DOT Entrypoint Spec (AUTHOR-MODE)

This is an author-mode specification + operator packet. No production DOT is registered by this macro. The goal: an operator should never have to remember the birth steps — a single governed DOT runs them in order and stops at the exact point any precondition fails.

DOT name (proposed)

dot-birth-admit (domain: birth; operation: admit-create-finalize; paired with the existing governed registrar dot-dot-register).

State machine

resolve (1) → REQUESTED (2) → RESERVED (3) → CONSUMED (4,5) → FINALIZED (6) → handoff (7) → post-guard (8)
failure at any step → (9) permit → FAILED/EXPIRED/CANCELLED; transaction rolled back

Required step sequence (with stop conditions)

Format: step number, action, then the STOP-before-next condition.

  1. Resolve family policy + code rule from collection_registry / per-family rule table.
     STOP if family has no policy row, or birth_admission_required flag missing.
  2. Create permit (REQUESTED) with idempotency_key.
     STOP if an active permit already exists for (collection, code) — return existing permit_id.
  3. Pre-create validation (fn_pre_birth_check + registry-driven code rule, not hardcoded regex).
     STOP if any check fails → permit FAILED with failure_reason.
  4. Target INSERT — BEFORE gate consumes permit (RESERVED → CONSUMED).
     STOP if no valid permit / expired (gate raises).
  5. Object row created in target collection.
     STOP on any constraint error (txn aborts).
  6. Deferred finalize at commit (CONSUMED → FINALIZED, birth confirmed).
     STOP if row vanished / no consumed permit (finalize raises).
  7. Governance handoff: emit-or-capture handoff.object_born → event_pending + governance_candidate_state dirty.
     Never blocks creation. Capture-only while event active=false.
  8. Post-create guard (fn_assert_safe_for_dot_action) + coverage check.
     Reports; blocks governed activation only where policy requires coverage.

Idempotency

idempotency_key = deterministic hash of (collection_name, entity_code, requested_by_dot, policy_snapshot_ref). Re-running with the same inputs returns the same permit (unique index) rather than creating a duplicate — safe retries.

Retry policy

  • Steps 1–3 are side-effect-light and freely retryable.
  • Step 4+ run in one transaction; any failure rolls back the whole txn and moves the permit to FAILED (or lets it expire). Retry = new DOT invocation with the same idempotency key.
  • A scheduled expiry sweep moves stale REQUESTED/RESERVED permits past expires_at to EXPIRED.

Rollback behavior

The entire admit→create→finalize is a single transaction: either the object is born + permit FINALIZED, or nothing is created and the permit is non-FINALIZED. No partial births.
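As an added illustration (not the project's own code), a hypothetical in-memory Python model of the step sequence, the idempotency key, and the retry/rollback rules above: the POLICIES registry, the ttl and dry_run parameters, and the dict snapshot used as a stand-in for the database transaction are all assumptions, not the real tables or gate triggers.

```python
import hashlib
import json

ACTIVE = {"REQUESTED", "RESERVED", "CONSUMED"}
# Constructed policy registry standing in for collection_registry (sample data, not real rows).
POLICIES = {"dot_tools": {"birth_admission_required": True, "snapshot_ref": "ps-1", "code_ok": str.isupper}}

def idempotency_key(collection, code, requested_by_dot, policy_snapshot_ref):
    # Deterministic hash over the four inputs named in the spec: same inputs, same key.
    payload = json.dumps([collection, code, requested_by_dot, policy_snapshot_ref])
    return hashlib.sha256(payload.encode()).hexdigest()

class BirthAdmit:  # hypothetical in-memory model; the real DOT runs steps 4-6 in one DB transaction
    def __init__(self, policies, now=0):
        self.policies, self.permits, self.objects, self.now = policies, {}, {}, now

    def admit(self, collection, code, requested_by_dot="dot-dot-register", ttl=60, dry_run=False):
        policy = self.policies.get(collection)             # step 1: resolve family policy
        if policy is None or "birth_admission_required" not in policy:
            raise LookupError(f"no policy row for {collection}")
        key = idempotency_key(collection, code, requested_by_dot, policy["snapshot_ref"])
        existing = self.permits.get(key)                   # step 2: return an active permit as-is
        if existing and existing["state"] in ACTIVE and existing["expires_at"] > self.now:
            return existing
        permit = {"id": key[:12], "state": "REQUESTED", "expires_at": self.now + ttl, "failure_reason": None}
        self.permits[key] = permit                         # one permit per key (unique index)
        if not policy["code_ok"](code):                    # step 3: registry-driven code rule
            permit["state"], permit["failure_reason"] = "FAILED", "code rule"
            return permit
        if dry_run:                                        # --dry-run: stop before the transaction
            return permit
        snapshot = dict(self.objects)                      # steps 4-6: one transaction
        try:
            permit["state"] = "RESERVED"                   # gate reserves the permit before INSERT
            if (collection, code) in self.objects:
                raise ValueError("unique violation")       # constraint error aborts the txn
            permit["state"] = "CONSUMED"
            self.objects[(collection, code)] = {"code": code}
            permit["state"] = "FINALIZED"                  # deferred finalize at commit
        except ValueError as exc:
            self.objects = snapshot                        # rollback: no partial birth
            permit["state"], permit["failure_reason"] = "FAILED", str(exc)
        return permit

    def expire_sweep(self):
        # Scheduled sweep: stale REQUESTED/RESERVED permits past expires_at become EXPIRED.
        stale = [p for p in self.permits.values()
                 if p["state"] in {"REQUESTED", "RESERVED"} and p["expires_at"] <= self.now]
        for p in stale: p["state"] = "EXPIRED"
        return len(stale)
```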

Actor / role restrictions

  • Only the governed registrar identity (dot-dot-register / requested_by_dot) may create permits in production.
  • requested_by_actor recorded for audit. Superuser direct insert bypasses this — detect-only (doc 09).

Break-glass path

A CANCELLED transition + an explicit app.birth_admission_break_glass GUC (logged to fn_dot_iu_command_log) allows an authorized operator to create an object without a permit in an emergency. Every use is recorded and surfaces in the drift monitor and a system_issue. This is the controlled escape hatch, not the normal path.

Surfacing failed permits

Views v_birth_admission_pending (active not-expired), v_birth_admission_failed (FAILED/EXPIRED), v_birth_admission_stuck (CONSUMED but not FINALIZED — crash between consume and commit) make every non-happy permit visible. Read-only, additive.

Log locations

  • Permit lifecycle: birth_admission_permit rows.
  • Command/gate events: fn_dot_iu_command_log(...) ledger.
  • Changelog tail: registry_changelog (70,434 rows) for the BORN tail.

Operator packet (for the future apply macro)

  1. dot-birth-admit --collection dot_tools --code <CODE> --actor <id> [--dry-run] → returns permit_id + plan; --dry-run does BEGIN…ROLLBACK.
  2. --commit executes the single transaction.
  3. Requires dot-dot-register credentials (ABSENT today) to register the DOT itself.
Source path: knowledge/dev/reports/architecture/pre-birth-pilot-dot-tools-permit-composite-rehearsal-2026-06-03/07-sequential-dot-entrypoint-spec.md