14 — GPT / MCP-Readable Checkpoint (mirror)

This mirrors checkpoint-pre-birth-pilot-rehearsal-2026-06-03.md. It may be used as SSOT for the next macro. No raw SQL/shell.

• Macro: PRE_BIRTH_PILOT_DOT_TOOLS_PERMIT_AND_COMPOSITE_UNIQUE_ROLLBACK_REHEARSAL
• Date: 2026-06-03
• Final status: PASS
• Execution mode: EXECUTION_MODE (root ssh → docker postgres → psql workflow_admin, superuser, read-write capable)
• Live mutation: NONE. All rehearsal inside BEGIN…ROLLBACK (temp objects + one OID-stable CREATE OR REPLACE rolled back).
• Entry hash == exit hash: YES. fn_birth_registry_auto 1f729b35…, fn_birth_gate b6700aa8…, birth_registry constraints, dot_tools triggers — all identical entry/exit; permit table ABSENT after rollback.

Rehearsal verdicts

• Permit table birth_admission_permit: PROVEN. Additive/reversible; 7 statuses; CHECK + idempotency-unique + single-active partial-unique; expiry & consumed-reuse validated.
• Composite unique (entity_code, collection_name): COMPOSITE_READY. Already unique over all 1,126,728 rows; 0 FK deps; 0 null collections. One-way door: dropping UNIQUE(entity_code) is irreversible once a 2nd-collection code is born → sequence pivot births separately.
• fn_birth_registry_auto patch: PROVEN. CREATE OR REPLACE keeps OID 39232; 166 triggers stay bound; rollback restores exact md5. Same patch needed on fn_birth_registry_auto_id.
• dot_tools permit gate: PROVEN (on exact temp clone). No-permit blocked, expired blocked, valid succeeds + consumes. Does NOT modify fn_birth_gate; recommend registry-flag (policy-driven) form, not hardcoded family.
• Finalize-at-commit: PROVEN. DEFERRABLE constraint trigger (reuses live trg_iu_birth_gate_layer2 pattern); CONSUMED→FINALIZED at boundary; vanished row fails finalize. Recommend marking existing birth row finalized, not inserting a new one.

Designs delivered

• Sequential DOT dot-birth-admit: state machine REQUESTED→RESERVED→CONSUMED→FINALIZED→handoff→post-guard; idempotency key; retry = single txn; break-glass via GUC + ledger; failed-permit views.
• Governance handoff: decoupled cursor-tail/CDC over birth_registry BORN tail + registry_changelog (70,434); upsert governance_candidate_state dirty; emit-or-capture handoff.object_born (active=false → event_pending). 0 new tables. Birth never blocks; activation gated by OSPA ≥ 1 (currently 0).
• Drift monitor: DETECT_ONLY + fail-closed. 5 baselines (function hash, trigger binding, constraint/index, bypass-GUC log, FS reconciler freshness) + break-glass ledger; new gate_drift BLOCK dim in fn_assert_safe_for_dot_action. A DDL-guard event trigger already fires in prod (substrate exists).

Recommended decision

APPLY (owner-gated). dot_tools pilot is feasible. Permit table = approve. Composite unique = approve (acknowledge one-way door). Finalize trigger = approve (dot_tools-only/flagged). No global flip.

Exact blockers (authority, not engineering)

1. Owner DDL approval for the apply packet (doc 10).
2. dot-dot-register registrar credentials — ABSENT (to register the DOT + 15 FS scripts).
3. External scheduler — pg_cron absent (expiry sweep / drift comparator / handoff consumer).
4. Human OSPA ≥ 1 — governance ACTIVATION only (not birth).
5. Owner identity decision for dot_iu_command_catalog (54) + 6 REAL_MISSING phantoms (needs a retire mechanism — none exists).

Live BLOCK dims (unchanged)

orphan_critical 59 · phantom_real 6 · fs_no_registry 16 · dot_pivot_update 1. RP cleanup NO-GO (enforced by fn_assert_safe_for_dot_action).

Next macro

PRE_BIRTH_PILOT_DOT_TOOLS_APPLY_PERMIT_AND_COMPOSITE_OWNER_GATED — apply doc-10 packet in order, STOP before dropping single-col unique, birth 5 pivots separately (orphan 59→54), then pilot gate + finalize + registry-driven code rule.

Reports

Full set: knowledge/dev/reports/architecture/pre-birth-pilot-dot-tools-permit-composite-rehearsal-2026-06-03/ (docs 00–14).