Pre-Birth Pilot Rehearsal — 09 Superuser Drift/Bypass Monitor
09 — Workstream H: Superuser Drift / Bypass Monitor Design
Classification: DETECT_ONLY + fail-closed at next guard. A superuser (and workflow_admin is superuser) cannot be absolutely prevented from inside the database. The honest, defensible posture is fast, visible detection plus fail-closed consequences at the next guard — never a claim of prevention.
Confirmed during this rehearsal
A live event trigger emitted WARNING: [TRIGGER-GUARD] DDL detected: CREATE TRIGGER on … when temp triggers were created. A DDL-capturing event trigger substrate already exists and can be extended rather than built from scratch.
Bypass vectors (a superuser can do all of these)
| Vector | Effect |
|---|---|
| SET app.bypass_birth_gate=true / SET app.birth_gate_mode | neutralizes the advisory gate per session |
| ALTER TABLE … DISABLE TRIGGER | disables the permit gate / birth trigger |
| CREATE OR REPLACE FUNCTION | rewrites fn_birth_registry_auto / fn_birth_gate / permit gate body |
| DROP TRIGGER / DROP CONSTRAINT | removes the gate, finalize, or composite unique |
| direct INSERT INTO birth_registry / birth_admission_permit | forges a birth or a permit |
| direct filesystem file creation under /opt/incomex/dot/bin | creates an object with no DB row (the FS blind spot) |
Drift monitor design (baselines + deltas)
- Function-hash baseline — md5(pg_get_functiondef(oid)) for fn_birth_registry_auto (1f729b35…), fn_birth_gate (b6700aa8…), fn_birth_registry_auto_id (3f3515de…), the permit gate, the finalize fn. Drift = body rewritten.
- Trigger binding/hash baseline — (tgname, tgfoid, tgenabled, pg_get_triggerdef) for the gate, finalize, and the 166 birth triggers. Drift = disabled / dropped / re-pointed.
- Constraint / index baseline — presence + def of birth_registry_code_collection_uq, the permit unique indexes. Drift = constraint dropped.
- Bypass-GUC usage log — record any session where app.bypass_birth_gate / app.birth_gate_mode is set away from default.
- Filesystem reconciler freshness — _recon_dot_fs_inventory / v_dot_fs_reconciliation refreshed within a freshness window; FILE_NO_REGISTRY > 0 is already a BLOCK dimension (16 today).
- Break-glass ledger — every break-glass permit-skip recorded via fn_dot_iu_command_log with actor + reason + TTL.
Fail-closed consequences (the teeth)
Drift detection cannot prevent the superuser action, so its power is at the next guard:
- RP/DOT preflight fails closed — fn_assert_safe_for_dot_action gains a gate_drift BLOCK dimension: any drifted baseline (1–5) → guard RAISEs, RP cleanup / DOT mutation blocked.
- Permit creation blocked — if the gate or composite constraint has drifted, dot-birth-admit refuses new permits.
- Alert / system_issue — drift raises a system_issue row and (when the event is active) emits an alert on the governance lane.
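As an added worked example (not code from the rehearsal or the project), the three catalog baselines (function hash, trigger binding, constraint def) and the fail-closed check in PostgreSQL. The object names gate_drift_baseline, v_gate_current, v_gate_drift, fn_capture_gate_baseline and fn_assert_no_gate_drift are assumed, as is that the watched functions live in schema public and the gated triggers hang off public.birth_registry.

```sql
-- Added example, not the project's code. Assumes schema public and that the
-- gated triggers are attached to public.birth_registry.
CREATE TABLE IF NOT EXISTS gate_drift_baseline (
    kind text NOT NULL, name text NOT NULL, fingerprint text NOT NULL,
    captured_at timestamptz NOT NULL DEFAULT now(), PRIMARY KEY (kind, name));
-- Current fingerprints of the watched objects (baselines 1-3 of the design).
CREATE OR REPLACE VIEW v_gate_current AS
SELECT 'function' AS kind, p.proname::text AS name,
       md5(pg_get_functiondef(p.oid)) AS fingerprint
FROM   pg_proc p
WHERE  p.pronamespace = 'public'::regnamespace
AND    p.proname IN ('fn_birth_registry_auto', 'fn_birth_gate', 'fn_birth_registry_auto_id')
UNION ALL
SELECT 'trigger', t.tgname::text,   -- tgenabled is in the hash, so DISABLE TRIGGER is drift
       md5(t.tgname || ':' || t.tgfoid::text || ':' || t.tgenabled::text || ':' || pg_get_triggerdef(t.oid))
FROM   pg_trigger t
WHERE  t.tgrelid = 'public.birth_registry'::regclass AND NOT t.tgisinternal
UNION ALL
SELECT 'constraint', c.conname::text, md5(pg_get_constraintdef(c.oid))
FROM   pg_constraint c
WHERE  c.conname = 'birth_registry_code_collection_uq';
-- Take (or, after an approved change, retake) the baseline; returns rows held.
CREATE OR REPLACE FUNCTION fn_capture_gate_baseline() RETURNS integer LANGUAGE sql AS $$
    INSERT INTO gate_drift_baseline (kind, name, fingerprint)
    SELECT kind, name, fingerprint FROM v_gate_current
    ON CONFLICT (kind, name) DO UPDATE
        SET fingerprint = EXCLUDED.fingerprint, captured_at = now();
    SELECT count(*)::integer FROM gate_drift_baseline;
$$;
-- Delta: REWRITTEN (fingerprint changed) or DROPPED (no current catalog row).
CREATE OR REPLACE VIEW v_gate_drift AS
SELECT b.kind, b.name,
       CASE WHEN c.fingerprint IS NULL THEN 'DROPPED' ELSE 'REWRITTEN' END AS drift
FROM   gate_drift_baseline b
LEFT   JOIN v_gate_current c USING (kind, name)
WHERE  c.fingerprint IS DISTINCT FROM b.fingerprint;
-- Fail-closed hook for the preflight guard: one RAISE if anything drifted.
CREATE OR REPLACE FUNCTION fn_assert_no_gate_drift() RETURNS void LANGUAGE plpgsql AS $$
DECLARE drifted text;
BEGIN
    SELECT string_agg(kind || ':' || name || '=' || drift, ', ') INTO drifted FROM v_gate_drift;
    IF drifted IS NOT NULL THEN
        RAISE EXCEPTION 'gate_drift BLOCK: %', drifted;
    END IF;
END $$;
```

A superuser can edit gate_drift_baseline just as easily as the gate itself, so to keep the DETECT_ONLY posture honest, copy the captured fingerprints out of the database (to the governance lane or a log) at capture time and compare against that copy as well.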
Honesty constraints (do NOT overclaim)
- This is DETECT_ONLY. We do not claim a superuser is prevented.
- We claim: drift is detected quickly, logged, surfaced, and fails the next guard closed so drift cannot silently become "covered."
- Filesystem direct creation remains detectable only via the reconciler (the 16 FILE_NO_REGISTRY are live proof this path is real and watched).
Decision
DRIFT_MONITOR = design-complete, DETECT_ONLY. Extends an already-present DDL event-trigger substrate, adds five baselines + a break-glass ledger, wires a gate_drift BLOCK dimension into the existing fail-closed guard. No prevention promised.