KB-784D

Session Handoff — RP paused for Birth / Orphan / Governance Hardening (2026-06-03)

Revision 1
Tags: handoff, registries-pivot, birth-registry, orphan-detection, governance-onboarding, dot-pivot-update, 2026-06-03

Session Handoff — Registries-Pivot paused for Birth / Orphan / Governance Hardening

Date: 2026-06-03
Prepared by: GPT Council

1. Current stop point

Registries-Pivot work is intentionally paused. The pause is not because RP mapping failed, but because a deeper infrastructure issue was discovered: the system creates birth rows broadly, but it does not yet guarantee that every new object is either born automatically or immediately detected as unborn/orphan and then routed into governance onboarding.

The immediate RP/DOT work that is paused:

  • dot-pivot-update registration;
  • deterministic RP cleanup via DOT;
  • RP schema split follow-up;
  • any further RP cleanup execution.

2. Why the pause is necessary

The owner clarified the constitutional requirement:

  1. Every object/entity that appears in the system must be managed by birth.
  2. If the object is created through the right process, birth must happen automatically.
  3. If it is created through the wrong process, an auxiliary/backfill engine must detect it.
  4. If birth is missing, the object must be labelled unborn/orphan/illegal, not silently accepted.
  5. If the object is a governance object, governance onboarding/coverage must detect it after birth.
  6. There must be no path where a file/table/row/entity exists silently outside birth + orphan detection + governance onboarding.
  7. The goal is: even intentional mistakes should have no chance to pass silently.

dot-pivot-update exposed the hole: it exists as an executable filesystem file, but it is not in dot_tools, has no birth row, is not governance-onboarded, and is not caught by a live orphan detector.

3. Latest decisive audit package

Read first in the next session:

knowledge/dev/reports/architecture/birth-governance-orphan-detection-systemic-automation-audit-2026-06-03/

Key docs:

  • 00-readme-first.md
  • 02-live-birth-infrastructure-audit.md
  • 03-live-orphan-unborn-detection-audit.md
  • 04-live-governance-onboarding-audit.md
  • 07-dot-pivot-update-status.md
  • 08-gap-classification-and-severity.md
  • 09-safe-path-forward.md
  • 10-final-go-nogo-for-rp-dot-cleanup.md

GPT analysis doc:

knowledge/dev/reports/architecture/gpt-analysis-birth-governance-audit-hardening-needed-before-rp-dot-continue-2026-06-03.md

4. Key live findings from audit

Birth automation

  • Auto-birth row creation is broad and live.
  • Reported: birth_registry held roughly 1.1 million rows (1,116,379 at audit time) across 79 collections.
  • Many tables have fn_birth_registry_auto triggers.
  • However enforcement is not hard enough:
    • fn_birth_gate defaults to warning;
    • bypass GUC exists;
    • null-code skips exist;
    • privileged roles can bypass.

Orphan/unborn detection

  • Row-level orphan/unborn detection is absent.
  • Existing orphan_count does not mean “missing birth”; it measures metadata completeness such as missing description/category.
  • Smoking-gun example: pivot_definitions reports orphan_count=0 while 22 of its 37 rows were unborn in the audit.
  • No live v_birth_orphan / v_birth_phantom style detector exists.
  • Existing scanners were registered but not effectively scheduled/active for this issue.

Governance onboarding

  • Governance substrate exists, but production onboarding is inert and collection-granular.
  • Current production state in handoff/audit context:
    • ownership=0;
    • gap=210;
    • candidate/ruleset/scan/cursor mostly 0;
    • axis/topic absent;
    • os_proposal_approvals=0.
  • Row-level governance objects such as DOT tools do not automatically enter inventory/gap coverage.

Filesystem DOT blind spot

  • dot-pivot-update is present on disk: /opt/incomex/dot/bin/dot-pivot-update
  • It is executable and has a recorded hash, but:
    • not registered in dot_tools;
    • no birth row;
    • no governance coverage;
    • not detected as orphan by current live mechanisms.
  • Therefore its correct status is: STAGED FILE ARTIFACT, NOT VALID DOT.

5. RP status before pause

RP was making real progress before the pause:

  1. Governance L1 classification was discovered live:
    • taxonomy facets;
    • taxonomy;
    • entity_species;
    • label_rules;
    • entity_labels.
  2. v_rp_classification_governance_map was applied live in production as a read-only, reversible, no-island view.
  3. Base RP tables were not mutated by the view apply.
  4. RP classification cleanup plan exists.
  5. Existing DOT tools could not update the required fields, so dot-pivot-update was authored and rehearsed in rollback, but it is not yet a valid born/governed DOT.

Important RP docs:

  • knowledge/dev/reports/architecture/registries-pivot-classification-cleanup-and-view-apply-2026-06-03/
  • knowledge/dev/reports/architecture/registries-pivot-dot-cleanup-antidrift-ui-api-handoff-2026-06-03/
  • knowledge/dev/reports/architecture/registries-pivot-dot-pivot-update-author-register-cleanup-2026-06-03/
  • knowledge/dev/reports/architecture/gpt-review-rp-dot-pivot-update-partial-tool-deployed-next-register-commit-schema-split-2026-06-03.md

Do not continue those RP cleanup steps until birth/orphan/governance hardening is addressed.

6. Roadmap before returning to RP

P0 — Inventory truth

Build/verify an exact coverage matrix:

  • which tables/families have birth triggers;
  • which have birth rows;
  • which have rows but missing birth;
  • which have birth rows but no corresponding entity;
  • focus on dot_tools, pivot_definitions, dot_iu_command_catalog, registries, governance tables, and filesystem DOT scripts.

P1 — Row-level birth orphan / phantom detector

Implement or rehearse:

  • v_birth_orphan;
  • v_birth_phantom;
  • v_birth_coverage_status.

Must detect:

  • entity row exists but no birth row;
  • birth row exists but entity no longer exists;
  • wrong/missing entity_code mapping;
  • collection with rows but no birth coverage.
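
The P0 coverage matrix and the P1 detectors as PostgreSQL views, written here as an added example (not the project's existing code). It assumes birth_registry(collection, entity_code, born_at), that pivot_definitions is keyed by a column named code and dot_tools by a column named name, and it introduces a hypothetical birth_coverage_map table; the real column names may differ and the UNION has one arm per mapped collection, so both need extending as collections are audited. "Orphan" here means missing birth row, not the metadata-completeness meaning of the legacy orphan_count.

```sql
-- Added example, not the project's code. Assumed minimal schema:
--   birth_registry(collection text, entity_code text, born_at timestamptz)
--   pivot_definitions(code text)   -- entity code column assumed to be "code"
--   dot_tools(name text)           -- entity code column assumed to be "name"

-- P0: one row per collection saying which table/column backs it and whether it is critical.
-- A collection with birth rows but no row here is surfaced as UNMAPPED, not ignored.
CREATE TABLE IF NOT EXISTS birth_coverage_map (
    collection   text PRIMARY KEY,
    entity_table regclass NOT NULL,
    code_column  text NOT NULL,
    is_critical  boolean NOT NULL DEFAULT false
);
INSERT INTO birth_coverage_map (collection, entity_table, code_column, is_critical) VALUES
    ('pivot_definitions', 'pivot_definitions', 'code', true),
    ('dot_tools',         'dot_tools',         'name', true)
ON CONFLICT (collection) DO NOTHING;

-- Every entity key in one relation; one UNION arm per mapped collection.
CREATE OR REPLACE VIEW v_entity_keys AS
    SELECT 'pivot_definitions'::text AS collection, code::text AS entity_code FROM pivot_definitions
    UNION ALL
    SELECT 'dot_tools'::text,                       name::text               FROM dot_tools;

-- Orphan: entity row with no birth row. A NULL code can never match a birth row,
-- so it is reported as NULL_CODE rather than skipped (the null-code skip the audit found).
CREATE OR REPLACE VIEW v_birth_orphan AS
    SELECT e.collection, e.entity_code,
           CASE WHEN e.entity_code IS NULL THEN 'NULL_CODE' ELSE 'UNBORN' END AS reason
    FROM v_entity_keys e
    LEFT JOIN birth_registry b
           ON b.collection = e.collection AND b.entity_code = e.entity_code
    WHERE b.entity_code IS NULL;

-- Phantom: birth row whose entity no longer exists, or whose collection is not mapped yet.
CREATE OR REPLACE VIEW v_birth_phantom AS
    SELECT b.collection, b.entity_code,
           CASE WHEN m.collection IS NULL THEN 'UNMAPPED_COLLECTION' ELSE 'ENTITY_MISSING' END AS reason
    FROM birth_registry b
    LEFT JOIN birth_coverage_map m ON m.collection = b.collection
    LEFT JOIN v_entity_keys e
           ON e.collection = b.collection AND e.entity_code = b.entity_code
    WHERE e.entity_code IS NULL;

-- Coverage matrix: is a birth trigger attached and enabled, plus live counts.
-- tgenabled = 'D' is disabled; 'O' (origin) triggers are skipped under
-- session_replication_role = replica, so only 'A' (ENABLE ALWAYS) closes that bypass.
CREATE OR REPLACE VIEW v_birth_coverage_status AS
    SELECT m.collection, m.is_critical,
           EXISTS (SELECT 1 FROM pg_trigger t
                   WHERE t.tgrelid = m.entity_table AND NOT t.tgisinternal
                     AND t.tgname ILIKE '%birth%' AND t.tgenabled <> 'D') AS has_enabled_birth_trigger,
           EXISTS (SELECT 1 FROM pg_trigger t
                   WHERE t.tgrelid = m.entity_table
                     AND t.tgname ILIKE '%birth%' AND t.tgenabled = 'A')  AS birth_trigger_always,
           (SELECT count(*) FROM v_entity_keys e   WHERE e.collection = m.collection) AS entity_rows,
           (SELECT count(*) FROM birth_registry b  WHERE b.collection = m.collection) AS birth_rows,
           (SELECT count(*) FROM v_birth_orphan o  WHERE o.collection = m.collection) AS orphan_rows,
           (SELECT count(*) FROM v_birth_phantom p WHERE p.collection = m.collection) AS phantom_rows
    FROM birth_coverage_map m;

-- Anything not fully covered. On the audited state this is where the 22 unborn
-- pivot_definitions rows surface while the legacy orphan_count still says 0.
SELECT * FROM v_birth_coverage_status
WHERE orphan_rows > 0 OR phantom_rows > 0
   OR NOT has_enabled_birth_trigger OR NOT birth_trigger_always;
```

All four objects are read-only views over the existing tables (only the hypothetical map table is created), so they fit the "rollback-only proofs" GO list; the wrong/missing entity_code mapping case shows up as NULL_CODE in v_birth_orphan or ENTITY_MISSING in v_birth_phantom.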

P2 — Filesystem DOT reconciler

Implement or rehearse a detector that compares:

  • /opt/incomex/dot/bin/*;
  • dot_tools;
  • birth_registry;
  • file hash / executable status / registry status.

Must detect:

  • file exists but no registry row;
  • registry row exists but file missing;
  • file hash drift;
  • executable staged artifact not born/governed.

P3 — Critical birth gate hardening

Do not blindly enable blocking globally. Stage it:

  • report-only full detector;
  • blocking/preflight guard for critical families first: dot_tools, pivot_definitions, registries, governance objects;
  • broader blocking only after legacy backlog is classified.

Must examine:

  • fn_birth_gate warning mode;
  • bypass GUC;
  • null-code skips;
  • role and trigger bypass surface.

P4 — Backfill / auxiliary engine

For already-existing objects:

  • build/verify backfill cursor or static coverage proof;
  • prevent scan-skip and endless rescan;
  • cover pivot_definitions unborn rows, dot_iu_command_catalog, filesystem DOTs, legacy registries.

P5 — Governance onboarding for row-level governance objects

Governance currently works mainly at collection grain. DOT tools are row-level governance objects.

Need bridge/detector:

  • row-level governance inventory;
  • row-level governance gap;
  • candidate state for DOT/tool objects;
  • quarantine status for unowned/unborn governance objects.

P6 — Mandatory scanner/preflight guard

Before any DOT/RP mutation, require guard checks:

  • birth orphan critical count;
  • filesystem DOT orphan count;
  • governance row-gap critical count;
  • L2 rollout status.

If scanners are not scheduled, create a mandatory preflight gate.
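
One shape for the P6 guard, added here as an example rather than the project's own preflight. It assumes the P1/P2 detectors exist under the names this handoff uses (v_birth_orphan with a collection column, a birth_coverage_map with an is_critical flag, a filesystem reconciler view v_dot_reconcile with a state column fed from a scan table dot_fs_scan with a scanned_at column) plus a hypothetical row-level governance gap view v_governance_row_gap with a severity column; all of those names are assumptions. L2 rollout status is left out because its source is not described in the handoff.

```sql
-- Added example, not the project's code. View and column names are assumptions (see lead-in).
CREATE OR REPLACE FUNCTION fn_rp_preflight_guard(p_max_scan_age interval DEFAULT '1 hour')
RETURNS TABLE (check_name text, observed bigint, passed boolean)
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY
    SELECT 'birth_orphan_critical'::text, count(*), count(*) = 0
      FROM v_birth_orphan o JOIN birth_coverage_map m USING (collection)
     WHERE m.is_critical
    UNION ALL
    SELECT 'dot_fs_not_governed_ready'::text, count(*), count(*) = 0
      FROM v_dot_reconcile WHERE state <> 'GOVERNED_READY'
    UNION ALL
    SELECT 'governance_row_gap_critical'::text, count(*), count(*) = 0
      FROM v_governance_row_gap WHERE severity = 'critical'
    UNION ALL
    -- A stale or empty scan fails the gate: an unscheduled scanner must never read as green.
    SELECT 'dot_fs_scan_fresh'::text, count(*),
           coalesce(max(scanned_at), 'epoch'::timestamptz) >= now() - p_max_scan_age
      FROM dot_fs_scan;
END $$;

-- Abort the calling transaction unless every check passes.
CREATE OR REPLACE FUNCTION fn_rp_preflight_assert() RETURNS void
LANGUAGE plpgsql AS $$
DECLARE
    r      record;
    failed text := '';
BEGIN
    FOR r IN SELECT * FROM fn_rp_preflight_guard() LOOP
        IF NOT r.passed THEN
            failed := failed || format(' %s=%s', r.check_name, r.observed);
        END IF;
    END LOOP;
    IF failed <> '' THEN
        RAISE EXCEPTION 'RP/DOT preflight NO-GO:%', failed;
    END IF;
END $$;

-- Usage: first statement of any DOT/RP mutation script, in the same transaction,
-- so a NO-GO rolls the whole script back before any row is touched.
--   BEGIN;
--   SELECT fn_rp_preflight_assert();
--   -- governed DOT mutation here
--   COMMIT;
```

The freshness check is the piece that makes the gate honest: counting zero orphans from a scan table nobody has refreshed is exactly the "registered but not effectively scheduled" state the audit found, so an old scan is treated as a failed check rather than a clean one.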

P7 — Quarantine states

Define/apply states:

  • STAGED_FILE_ONLY;
  • UNBORN;
  • BORN_NOT_REGISTERED;
  • REGISTERED_NOT_GOVERNED;
  • GOVERNED_READY;
  • QUARANTINED.

dot-pivot-update stays staged until it passes birth + registry + governance.
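
The P2 filesystem reconciler with the P7 states applied as its output, as an added example (not the project's code). It reads the real registries but writes only to its own scratch table, so it stays inside the NO-GO list (no manual DML to dot_tools, no fake birth rows). Assumed columns: dot_tools(name, path, sha256) holding the recorded hash, birth_registry(collection, entity_code) with DOT births filed under collection 'dot_tools', and a hypothetical row-level governance inventory governance_inventory(object_ref). The mapping of findings onto the P7 state names is this example's interpretation; the sample scan row and its placeholder hash are constructed, since the real recorded hash is not in this handoff.

```sql
-- Added example, not the project's code. Table/column names are assumptions (see lead-in).
-- Scratch table: filled by a shell loop over /opt/incomex/dot/bin/* that upserts
-- (path, sha256sum output, test -x result). The loop itself is not shown here.
CREATE TABLE IF NOT EXISTS dot_fs_scan (
    path          text PRIMARY KEY,
    sha256        text NOT NULL,
    is_executable boolean NOT NULL,
    scanned_at    timestamptz NOT NULL DEFAULT now()
);

-- Constructed sample row: the staged file, with a placeholder (all-zero) hash.
INSERT INTO dot_fs_scan (path, sha256, is_executable)
VALUES ('/opt/incomex/dot/bin/dot-pivot-update', repeat('0', 64), true)
ON CONFLICT (path) DO UPDATE
    SET sha256 = EXCLUDED.sha256, is_executable = EXCLUDED.is_executable, scanned_at = now();

CREATE OR REPLACE VIEW v_dot_reconcile AS
WITH reg AS (
    SELECT t.name, t.path, t.sha256 AS registered_sha256,
           EXISTS (SELECT 1 FROM birth_registry b
                   WHERE b.collection = 'dot_tools' AND b.entity_code = t.name) AS is_born,
           EXISTS (SELECT 1 FROM governance_inventory g
                   WHERE g.object_ref = 'dot_tools:' || t.name)               AS is_governed
    FROM dot_tools t
),
joined AS (
    SELECT coalesce(f.path, r.path) AS path, r.name,
           f.sha256 AS file_sha256, r.registered_sha256, f.is_executable,
           (f.path IS NOT NULL) AS file_present, (r.name IS NOT NULL) AS registered,
           r.is_born, r.is_governed
    FROM dot_fs_scan f
    FULL OUTER JOIN reg r ON r.path = f.path
)
SELECT path, name, file_sha256, registered_sha256, is_executable,
       CASE
         WHEN NOT registered                                  THEN 'STAGED_FILE_ONLY'
         WHEN NOT file_present                                THEN 'QUARANTINED'
         WHEN file_sha256 IS DISTINCT FROM registered_sha256  THEN 'QUARANTINED'
         WHEN NOT is_born                                     THEN 'UNBORN'
         WHEN NOT is_governed                                 THEN 'REGISTERED_NOT_GOVERNED'
         ELSE                                                      'GOVERNED_READY'
       END AS state,
       CASE
         WHEN NOT registered                                  THEN 'file exists but no registry row'
         WHEN NOT file_present                                THEN 'registry row exists but file missing'
         WHEN file_sha256 IS DISTINCT FROM registered_sha256  THEN 'file hash drift'
         WHEN NOT is_born                                     THEN 'registered but no birth row'
         WHEN NOT is_governed                                 THEN 'born and registered but not governance-onboarded'
       END AS finding
FROM joined
UNION ALL
-- Birth row for a DOT with no dot_tools row at all: born, never registered.
SELECT NULL::text, b.entity_code, NULL::text, NULL::text, NULL::boolean,
       'BORN_NOT_REGISTERED', 'birth row exists but no dot_tools row'
FROM birth_registry b
WHERE b.collection = 'dot_tools'
  AND NOT EXISTS (SELECT 1 FROM dot_tools t WHERE t.name = b.entity_code);

-- On the audited state the staged file should come back as STAGED_FILE_ONLY.
SELECT path, name, state, finding FROM v_dot_reconcile WHERE state <> 'GOVERNED_READY';
```

Hash drift and a missing file are both mapped to QUARANTINED because in either case the registry row no longer describes what is on disk, and a tool in that state should not be executable through the governed path until a human reconciles it.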

P8 — Lawful lifecycle for dot-pivot-update

Only after P1/P2 minimum guard exists:

  • bring dot-pivot-update through official birth;
  • register it via governed DOT/Directus path;
  • governance-onboard it;
  • verify owner/gap/candidate state;
  • then and only then execute RP cleanup via DOT.

P9 — Intentional-mistake tests

Prove that bad paths are blocked or detected:

  • file DOT without registry;
  • registry row without birth;
  • pivot row without birth;
  • hash drift;
  • null code;
  • disabled trigger attempt;
  • duplicate birth;
  • direct manual DML attempt.
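
A hardened gate for the P3 surface (warning default, bypass GUC, null-code skip, role and trigger bypass) together with a P9 rehearsal of the bad paths, as an added example rather than the project's fn_birth_gate. It assumes birth_registry(collection, entity_code) and that pivot_definitions has a code column with no other required columns; birth_gate_policy, birth_bypass_audit and the role birth_backfill are hypothetical names introduced here. The rehearsal is meant for a table without an effective auto-birth trigger (pivot_definitions in the audited state) and must run as a non-superuser, because superusers are members of every role and so pass the bypass membership test, which is the role-bypass surface P3 lists.

```sql
-- Added example, not the project's fn_birth_gate. Names marked hypothetical in the lead-in.
CREATE TABLE IF NOT EXISTS birth_gate_policy (
    collection text PRIMARY KEY,
    mode       text NOT NULL CHECK (mode IN ('warn', 'block'))
);
-- Staged rollout (P3): critical families block, everything else stays in warn mode.
INSERT INTO birth_gate_policy VALUES ('pivot_definitions', 'block'), ('dot_tools', 'block')
ON CONFLICT (collection) DO UPDATE SET mode = EXCLUDED.mode;

-- A bypass that leaves no trace is exactly the silent path the audit wants closed.
CREATE TABLE IF NOT EXISTS birth_bypass_audit (
    at          timestamptz NOT NULL DEFAULT now(),
    by_role     text NOT NULL,
    collection  text NOT NULL,
    entity_code text,
    reason      text
);
DO $$ BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'birth_backfill') THEN
        CREATE ROLE birth_backfill NOLOGIN;
    END IF;
END $$;

CREATE OR REPLACE FUNCTION fn_birth_gate_hardened() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    v_collection text := TG_TABLE_NAME;
    v_code       text := to_jsonb(NEW) ->> TG_ARGV[0];   -- code column name is the trigger argument
    v_mode       text;
BEGIN
    -- 1. NULL/empty code is refused in every mode; it is never a skip.
    IF coalesce(v_code, '') = '' THEN
        RAISE EXCEPTION 'birth gate: % row with NULL/empty code', v_collection
              USING ERRCODE = 'check_violation';
    END IF;
    -- 2. Born rows pass.
    IF EXISTS (SELECT 1 FROM birth_registry b
               WHERE b.collection = v_collection AND b.entity_code = v_code) THEN
        RETURN NULL;
    END IF;
    -- 3. The bypass GUC counts only for members of birth_backfill, and is always audited.
    IF current_setting('birth.bypass', true) = 'on'
       AND pg_has_role(current_user, 'birth_backfill', 'MEMBER') THEN
        INSERT INTO birth_bypass_audit (by_role, collection, entity_code, reason)
        VALUES (current_user, v_collection, v_code, current_setting('birth.bypass_reason', true));
        RETURN NULL;
    END IF;
    -- 4. Unborn: block for families with a 'block' policy, warn elsewhere (warn is the default).
    SELECT p.mode INTO v_mode FROM birth_gate_policy p WHERE p.collection = v_collection;
    IF coalesce(v_mode, 'warn') = 'block' THEN
        RAISE EXCEPTION 'birth gate: %.% is unborn', v_collection, v_code
              USING ERRCODE = 'integrity_constraint_violation';
    END IF;
    RAISE WARNING 'birth gate (warn): %.% is unborn', v_collection, v_code;
    RETURN NULL;
END $$;

-- Deferred constraint trigger: evaluated at COMMIT (or SET CONSTRAINTS ALL IMMEDIATE), so it
-- does not depend on firing after fn_birth_registry_auto in trigger-name order.
-- ENABLE ALWAYS keeps it firing when session_replication_role = replica.
DROP TRIGGER IF EXISTS zz_birth_gate ON pivot_definitions;
CREATE CONSTRAINT TRIGGER zz_birth_gate
    AFTER INSERT OR UPDATE OF code ON pivot_definitions
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION fn_birth_gate_hardened('code');
ALTER TABLE pivot_definitions ENABLE ALWAYS TRIGGER zz_birth_gate;

-- P9 rehearsal: each bad path runs in a sub-transaction that must abort, so nothing
-- is left behind in pivot_definitions. A 'FAIL' exception escapes the block uncaught.
DO $$
BEGIN
    BEGIN  -- pivot row without birth
        INSERT INTO pivot_definitions (code) VALUES ('rehearsal_unborn');
        SET CONSTRAINTS ALL IMMEDIATE;
        RAISE EXCEPTION 'FAIL: unborn pivot row was accepted';
    EXCEPTION WHEN integrity_constraint_violation THEN
        RAISE NOTICE 'ok: unborn pivot row blocked';
    END;
    BEGIN  -- null code (refused by a NOT NULL constraint if present, otherwise by the gate)
        INSERT INTO pivot_definitions (code) VALUES (NULL);
        SET CONSTRAINTS ALL IMMEDIATE;
        RAISE EXCEPTION 'FAIL: NULL code was accepted';
    EXCEPTION WHEN not_null_violation OR check_violation THEN
        RAISE NOTICE 'ok: NULL code blocked';
    END;
    BEGIN  -- bypass GUC set by a role that is not a member of birth_backfill
        PERFORM set_config('birth.bypass', 'on', true);
        INSERT INTO pivot_definitions (code) VALUES ('rehearsal_bypass');
        SET CONSTRAINTS ALL IMMEDIATE;
        RAISE EXCEPTION 'FAIL: bypass GUC honoured for an unprivileged role';
    EXCEPTION WHEN integrity_constraint_violation THEN
        RAISE NOTICE 'ok: bypass GUC ignored for this role';
    END;
END $$;
```

The remaining P9 cases are covered by the other guards rather than the gate: a disabled-trigger attempt and a direct DML path show up in the coverage matrix (trigger not enabled or not ENABLE ALWAYS) and in the orphan view, a duplicate birth belongs to a uniqueness constraint on birth_registry(collection, entity_code), and hash drift and a file DOT without a registry row are the filesystem reconciler's job.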

7. Next macro

BIRTH_ORPHAN_DETECTION_AND_DOT_FILESYSTEM_HARDENING

It should be a large macro, not a small investigation, and should aim to build/rehearse the minimum live guardrail needed to safely resume RP.

8. Current GO / NO-GO

GO:

  • Analyze/build/rehearse birth/orphan/filesystem/governance hardening.
  • Read production state.
  • Use rollback-only proofs when safe.
  • Write KB reports.

NO-GO:

  • Register dot-pivot-update.
  • Execute dot-pivot-update cleanup.
  • Manual DML to pivot_definitions, dot_tools, or fake birth rows.
  • Claim file script is valid DOT.
  • Continue RP cleanup before hardening guard is in place.

9. First response to user in next session

Summarize:

“RP is paused at the point where the mapping view is live and dot-pivot-update exists only as a staged file. The next task is not RP cleanup; it is hardening birth/orphan/governance automation so that no object can exist silently outside birth and governance. The first macro should build row-level birth orphan detection + filesystem DOT reconciler + critical guardrails, then classify dot-pivot-update and provide the lawful route back to RP.”

Source path: knowledge/dev/reports/architecture/session-handoff-rp-paused-for-birth-orphan-governance-hardening-2026-06-03.md