Deployed to /opt/incomex/dot/bin/dot-pivot-update (chmod +x). sha256 3313c057caaf1c72e30465354ee9cff0866e0dc3e7205a2c84c3c849284effc5. Đ26 §II-QUINQUIES.

#!/usr/bin/env bash
# CHECKED-NO-DUPLICATE: [searched dot/bin for dot-pivot-update / pivot classification update — none.
#   dot-pivot-declare(DOT-113)=INSERT-only; dot-matrix-update(DOT-313)=matrix_spec/name only;
#   dot-matrix-retire(DOT-314)=retire only. No tool updates composition_level/species/registry_group
#   on an existing pivot_definitions row. This fills that gap.]
# =============================================================================
# dot-pivot-update — Lawful UPDATE of governed classification fields on an
#                    existing pivot_definitions row.
# =============================================================================
# VERSION: 1.0.0
# Điều 26 v4.0 §II-QUINQUIES — pivot mutation via DOT only ("KHÔNG INSERT tay").
# Điều 35  DOT Governance v5.2 — Cấp B executor; paired health = dot-pivot-health.
# Điều  3  Metadata — this tool carries a description (registration requirement).
#
# ALLOWLISTED FIELDS (every other field is rejected):
#   composition_level | species | registry_group | description
#   (matrix_spec is intentionally EXCLUDED — that is dot-matrix-update's domain.)
#
# Usage:
#   dot-pivot-update --code PIV-001 --field composition_level --auto-from-species
#   dot-pivot-update --code PIV-001 --field composition_level --value atom [--commit]
#   dot-pivot-update --show --code PIV-001
# =============================================================================
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if [[ -f "${SCRIPT_DIR}/../config/environment.sh" ]]; then source "${SCRIPT_DIR}/../config/environment.sh"; fi
VERSION="1.0.0"; VPS_HOST="38.242.240.89"; VPS_KEY="${HOME}/.ssh/contabo_vps"
PG_CONTAINER="${PG_CONTAINER:-postgres}"; PG_USER="${PG_USER:-directus}"; PG_DB="${PG_DB:-directus}"
ALLOWED_FIELDS=" composition_level species registry_group description "
log_info() { echo "[INFO] $1"; }; log_ok() { echo "[OK]   $1"; }; log_warn() { echo "[WARN] $1"; }; log_err() { echo "[ERR]  $1" >&2; }
pg_sql() {
  local _on_vps=false
  { docker ps --format '{{.Names}}' 2>/dev/null | grep -q "^${PG_CONTAINER}$"; } && _on_vps=true
  if [[ "$_on_vps" == "true" ]]; then
    docker exec -i "${PG_CONTAINER}" psql -U "${PG_USER}" -d "${PG_DB}" -t -A -v ON_ERROR_STOP=1 <<< "$1"
  else
    ssh -i "$VPS_KEY" -o ConnectTimeout=10 -o StrictHostKeyChecking=no "root@${VPS_HOST}" \
      "docker exec -i ${PG_CONTAINER} psql -U ${PG_USER} -d ${PG_DB} -t -A -v ON_ERROR_STOP=1" <<< "$1"
  fi
}
esc() { printf '%s' "$1" | sed "s/'/''/g"; }
# ... [arg parsing: --code --field --value --reason --auto-from-species --commit --allow-noop --show --help]
# Validation: field allowlist; species∈entity_species; composition_level==governed-species-comp
#   (deterministic guard) else ∈ derived-known-set; registry_group∈in-use∪FAC-02; active-row only; no-op guard.
# DRY-RUN (default): BEGIN; UPDATE ... updated_at=NOW(); SELECT AFTER_FIELD + mapping-view composition_status; ROLLBACK.
# COMMIT (--commit): UPDATE; verify NEW==value; print mapping-view composition_status.

Full 293-line source is in the local package artifacts/dot-pivot-update (this excerpt shows the contract + header; the deployed file is the authoritative copy). The inactive-row guard uses CASE WHEN is_active THEN 'active' ELSE 'inactive' (boolean-cast fix from rehearsal).