KB-6BA3

07 — Reject matrix + fail-closed proof plan 2026-06-23


Every row fails CLOSED by design (no grant minted, no PASS/seal/digest emitted). Enforcement points: H = handler execute_authorize_build_step (file 03); D = DB (trg_apr_block_unimplemented / constraints / quorum_passed); P = propose/governance layer; I = reworked issuer preflight.

| # | request | reject code / outcome | where | proof basis |
|---|---|---|---|---|
| 1 | missing manifest | SKIP:missing_manifest_hash (H); issuer exit 2 (I) | H/I | Gate C / input lock |
| 2 | wrong manifest (binds hash X, later build hash Y) | grant carries X; downstream consumer rejects manifest_not_authorized | H+consumer | grant approval_ref.manifest_hash / evidence.manifest_hash are immutable post-mint |
| 3 | wrong plan (missing plan_ref) | SKIP:missing_plan_ref | H | Gate C |
| 4 | wrong carrier (missing rollback_plan_ref) | SKIP:missing_rollback_plan_ref | H | Gate C; column is NOT NULL anyway |
| 5 | non-C1 scope (ns/axis/target ≠ allowlist) | FAIL:reject_scope_not_c1_dryrun | H | Gate A allowlist |
| 6 | generic grant (any proposed_action_code != authorize_build_step) | SKIP:reject_action_superset | H | Gate 0; this fn only runs for this action |
| 7 | duplicate request (same APR re-applied) | idempotent: ON CONFLICT (auth_code) DO NOTHING; readback still OK; no 2nd row | H | deterministic PK |
| 7b | second concurrent C1 grant | SKIP:active_grant_exists | H | Gate E single-active |
| 8 | expired request | chk_expiry (expires_at > granted_at) blocks a bad TTL; ttl < 60 ⇒ FAIL:reject_ttl_out_of_range | H/D | Gate C + CHECK |
| 9 | revoked request | revoked grant has status='revoked'; consumer/quorum won't honor it | H+consumer | status CHECK + revocation SQL |
| 10 | REAL_RUN (commit_allowed=true) | FAIL:reject_real_run_commit_not_allowed; even if bypassed, handler writes literal false | H | Gate B + hard-coded column |
| 11 | production target (target not DOT_C1_VOCAB_BUILD) | FAIL:reject_scope_not_c1_dryrun | H | Gate A allowlist |
| 12 | C2/C3/…/C7 target | FAIL:reject_scope_not_c1_dryrun (axis ≠ dot:c1:vocab) | H | Gate A allowlist |
| 13 | AI/delegated actor attempts the authority step | no human president vote ⇒ quorum_passed=false ⇒ Gate D FAIL:reject_quorum_not_satisfied at handler AND RAISE at apply | H+D | quorum_passed: high-risk requires human president; trg_apr_block_unimplemented |
| 14 | sovereign request (risk='sovereign' or requires_sovereign_esign) | FAIL:reject_risk_out_of_scope; esign hard-false | H | Gate B |
| 15 | invalid request tries to emit PASS/digest/seal | impossible: handler emits only OK/SKIP/FAIL; no digest/seal surface in this LEGO | H | output protocol |
| 16 | handler unbound (pre-deploy) | SKIP:handler=unimplemented (or handler_unknown); apply RAISE | A+D | dispatcher default + trigger |
| 17 | APR absent / bad request_ref | FK request_ref → approval_requests(code) violation ⇒ INSERT fails ⇒ FAIL:grant_not_visible_after_insert | D | FK constraint |
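The D column is what makes the matrix defense-in-depth rather than handler-only: rows 4, 7, 8, 9, 16 and 17 are refused by the database even if the handler is bypassed. The following is an added, runnable sqlite3 model of that layer, not the project's Postgres DDL. The constraint and trigger names (chk_expiry, trg_apr_block_unimplemented, the FK request_ref → approval_requests(code), the NOT NULL on rollback_plan_ref, the status CHECK) are the page's; the table name `gba`, the remaining column names, the `handler_ref` column on `approval_requests`, the exact predicate of the trigger and all fixture values are assumptions.

```python
import sqlite3

# Added model (not the project's DDL): sqlite3 stand-in for the "D" enforcement
# points of the reject matrix. Column names beyond those on the page and the
# trigger predicate are assumed.
SCHEMA = """
CREATE TABLE approval_requests (
    code        TEXT PRIMARY KEY,
    handler_ref TEXT NOT NULL DEFAULT 'unimplemented'   -- dispatcher default (row 16)
);

CREATE TABLE gba (
    auth_code         TEXT PRIMARY KEY,                            -- deterministic PK (row 7)
    request_ref       TEXT NOT NULL REFERENCES approval_requests(code),  -- row 17
    manifest_hash     TEXT NOT NULL,
    plan_ref          TEXT NOT NULL,
    rollback_plan_ref TEXT NOT NULL,                               -- row 4: NOT NULL anyway
    commit_allowed    INTEGER NOT NULL,
    granted_at        INTEGER NOT NULL,
    expires_at        INTEGER NOT NULL,
    status            TEXT NOT NULL DEFAULT 'active'
                      CHECK (status IN ('active', 'revoked')),     -- row 9
    CONSTRAINT chk_expiry CHECK (expires_at > granted_at)          -- row 8
);

-- Assumed shape of trg_apr_block_unimplemented: refuse to mint against an APR
-- whose handler is still the 'unimplemented' default (row 16 "apply RAISE").
CREATE TRIGGER trg_apr_block_unimplemented
BEFORE INSERT ON gba
WHEN (SELECT handler_ref FROM approval_requests WHERE code = NEW.request_ref) = 'unimplemented'
BEGIN
    SELECT RAISE(ABORT, 'trg_apr_block_unimplemented: handler_ref=unimplemented');
END;
"""

# Constructed fixture: a well-formed C1 dry-run grant row.
GOOD = dict(auth_code="C1-AUTH-APR-1", request_ref="APR-1", manifest_hash="sha256:aaa",
            plan_ref="plan-1", rollback_plan_ref="rb-1", commit_allowed=0,
            granted_at=1_000, expires_at=1_600)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")          # FK enforcement is opt-in in sqlite
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO approval_requests VALUES ('APR-1', 'execute_authorize_build_step')")
    conn.execute("INSERT INTO approval_requests VALUES ('APR-UNBOUND', 'unimplemented')")
    conn.commit()
    return conn


def grant_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM gba").fetchone()[0]


def try_mint(conn: sqlite3.Connection, **overrides) -> str:
    """One grant INSERT under the DB constraints. Returns MINTED when a row landed,
    IDEMPOTENT_NOOP when ON CONFLICT DO NOTHING swallowed a duplicate (row 7), or
    'REFUSED: <db message>' when a constraint or the trigger rejected the write."""
    row = {**GOOD, **overrides}
    cols = ", ".join(row)
    params = ", ".join(":" + k for k in row)
    before = grant_count(conn)
    try:
        conn.execute(f"INSERT INTO gba ({cols}) VALUES ({params}) "
                     "ON CONFLICT(auth_code) DO NOTHING", row)
        conn.commit()
    except sqlite3.DatabaseError as exc:       # NOT NULL / CHECK / FK / RAISE(ABORT)
        conn.rollback()
        return f"REFUSED: {exc}"
    return "MINTED" if grant_count(conn) == before + 1 else "IDEMPOTENT_NOOP"


def db_reject_matrix() -> dict:
    """Drive the D-side rows of the matrix and report the final grant count."""
    conn = fresh_db()
    out = {
        "4_missing_rollback_plan_ref": try_mint(conn, rollback_plan_ref=None),
        "8_bad_ttl": try_mint(conn, expires_at=GOOD["granted_at"] - 1),
        "9_bad_status": try_mint(conn, status="honored"),
        "16_handler_unbound": try_mint(conn, request_ref="APR-UNBOUND"),
        "17_bad_request_ref": try_mint(conn, request_ref="APR-MISSING"),
        "positive": try_mint(conn),
        "7_duplicate": try_mint(conn),
    }
    out["grants"] = grant_count(conn)          # must be exactly 1
    return out


if __name__ == "__main__":
    for k, v in db_reject_matrix().items():
        print(f"{k}: {v}")
```

The point of the model is the ordering of refusals: the trigger's WHEN clause evaluates to NULL for an unknown request_ref, so row 17 falls through to the FK check rather than the trigger, and every negative path leaves `count(gba)` unchanged before the positive fixture mints its single row.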

Fail-closed proof plan (NO-WRITE, to be RUN later by owner/operator after deploy)

Because there is no governed write/exec channel from the agent environment, the following is a static plan that was not executed this turn (no overclaim):

  1. Feed each negative fixture (#1, #3..#6, #8, #10..#14) to execute_authorize_build_step in a disposable harness; assert the exact SKIP:/FAIL: string and that count(gba) is unchanged.
  2. Positive fixture: valid C1 payload + simulated quorum → exactly 1 row; re-run → still 1 row (idempotent).
  3. #13: real high-risk quorum with NO human president → quorum_passed=false → no mint.
  4. #16: bind handler_ref=unimplemented → confirm SKIP at the handler and RAISE at apply.

Until these are run, the matrix is design-proven, not runtime-proven. Coverage is nonetheless complete (all 14 required rows from §3.6 are present), so C1_AUTH_HANDLER_HOLD_REJECT_MATRIX_INCOMPLETE does not fire; the runtime fail-closed proof is deferred to file 09's runbook.
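Steps 1 and 2 of the plan, and rows 7/7b of the matrix, as an added Python model rather than the project's handler (file 03) or its harness. The reject strings, gate letters and the axis/target allowlist values are those of the matrix; the gate evaluation order (0, A, B, C, D, E), the request field names, the `ns` allowlist value and every fixture value are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added model of the handler's gates, not the project's PL/pgSQL. Gate order,
# request field names and the `ns` value are assumed; codes are the page's.
ALLOWLIST = {"ns": "dot", "axis": "dot:c1:vocab", "target": "DOT_C1_VOCAB_BUILD"}
MIN_TTL_SECONDS = 60


@dataclass
class Request:
    code: str
    proposed_action_code: str = "authorize_build_step"
    ns: str = ALLOWLIST["ns"]
    axis: str = ALLOWLIST["axis"]
    target: str = ALLOWLIST["target"]
    commit_allowed: bool = False
    risk: str = "high"
    requires_sovereign_esign: bool = False
    manifest_hash: Optional[str] = "sha256:0123"
    plan_ref: Optional[str] = "plan-1"
    rollback_plan_ref: Optional[str] = "rb-1"
    ttl_seconds: int = 600
    quorum_passed: bool = True   # computed upstream; high-risk needs a human president vote


def execute_authorize_build_step(req: Request, gba: dict) -> str:
    """Emit exactly one of OK / SKIP:<code> / FAIL:<code>. Only the OK path
    touches `gba` (the grant table keyed by a deterministic auth_code), so every
    reject leaves the table untouched: fail closed by construction."""
    if req.proposed_action_code != "authorize_build_step":            # Gate 0
        return "SKIP:reject_action_superset"
    if (req.ns, req.axis, req.target) != (ALLOWLIST["ns"], ALLOWLIST["axis"], ALLOWLIST["target"]):
        return "FAIL:reject_scope_not_c1_dryrun"                        # Gate A
    if req.commit_allowed:                                              # Gate B
        return "FAIL:reject_real_run_commit_not_allowed"
    if req.risk == "sovereign" or req.requires_sovereign_esign:        # Gate B
        return "FAIL:reject_risk_out_of_scope"
    if not req.manifest_hash:                                           # Gate C
        return "SKIP:missing_manifest_hash"
    if not req.plan_ref:
        return "SKIP:missing_plan_ref"
    if not req.rollback_plan_ref:
        return "SKIP:missing_rollback_plan_ref"
    if req.ttl_seconds < MIN_TTL_SECONDS:
        return "FAIL:reject_ttl_out_of_range"
    if not req.quorum_passed:                                           # Gate D
        return "FAIL:reject_quorum_not_satisfied"
    auth_code = f"C1-AUTH-{req.code}"                                   # deterministic PK
    if auth_code not in gba and any(g["status"] == "active" for g in gba.values()):
        return "SKIP:active_grant_exists"                               # Gate E (row 7b)
    # ON CONFLICT (auth_code) DO NOTHING: re-applying the same APR adds no second row.
    gba.setdefault(auth_code, {"request_ref": req.code, "manifest_hash": req.manifest_hash,
                               "commit_allowed": False,   # literal false, never copied from input
                               "status": "active"})
    return "OK"


# Constructed negative fixtures: matrix row -> (request, exact expected code).
NEGATIVE_FIXTURES = {
    1:  (Request("APR-1", manifest_hash=None),               "SKIP:missing_manifest_hash"),
    3:  (Request("APR-3", plan_ref=None),                    "SKIP:missing_plan_ref"),
    4:  (Request("APR-4", rollback_plan_ref=None),           "SKIP:missing_rollback_plan_ref"),
    5:  (Request("APR-5", ns="other-ns"),                    "FAIL:reject_scope_not_c1_dryrun"),
    6:  (Request("APR-6", proposed_action_code="grant_any"), "SKIP:reject_action_superset"),
    8:  (Request("APR-8", ttl_seconds=59),                   "FAIL:reject_ttl_out_of_range"),
    10: (Request("APR-10", commit_allowed=True),             "FAIL:reject_real_run_commit_not_allowed"),
    11: (Request("APR-11", target="PROD_BUILD"),             "FAIL:reject_scope_not_c1_dryrun"),
    12: (Request("APR-12", axis="dot:c2:vocab"),             "FAIL:reject_scope_not_c1_dryrun"),
    13: (Request("APR-13", quorum_passed=False),             "FAIL:reject_quorum_not_satisfied"),
    14: (Request("APR-14", risk="sovereign"),                "FAIL:reject_risk_out_of_scope"),
}


def run_proof_plan() -> dict:
    """Steps 1 and 2: every negative fixture yields its exact code with count(gba)
    unchanged; the positive fixture mints once, re-applies idempotently, and a
    second concurrent C1 grant is refused at Gate E."""
    gba: dict = {}
    mismatches = {}
    for row, (req, expected) in NEGATIVE_FIXTURES.items():
        got = execute_authorize_build_step(req, gba)
        if got != expected or len(gba) != 0:
            mismatches[row] = got
    first = execute_authorize_build_step(Request("APR-OK"), gba)
    rerun = execute_authorize_build_step(Request("APR-OK"), gba)
    second = execute_authorize_build_step(Request("APR-OK-2"), gba)
    return {"mismatches": mismatches, "first": first, "rerun": rerun,
            "second_concurrent": second, "grants": len(gba),
            "commit_allowed_written": [g["commit_allowed"] for g in gba.values()]}


if __name__ == "__main__":
    print(run_proof_plan())
```

Two properties of the model carry over to any real harness for this matrix: the grant store is only ever written on the single OK path, so "count unchanged" is checkable after every reject without inspecting which gate fired, and the written `commit_allowed` is a literal rather than a copy of the request field, which is what row 10's "even if bypassed" relies on.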

§3.6 required coverage check: missing manifest(1) ✓, wrong manifest(2) ✓, wrong plan(3) ✓, wrong carrier(4) ✓, non-C1(5) ✓, generic(6) ✓, duplicate(7) ✓, expired(8) ✓, revoked(9) ✓, REAL_RUN(10) ✓, production(11) ✓, C2/C3(12) ✓, AI/delegated actor(13) ✓, invalid emits PASS(15) ✓. 14/14.

knowledge/dev/laws-new/reports/c1-authorize-build-step-handler-minimal-lego-patch/07-reject-matrix-and-fail-closed-proof-plan-2026-06-23.md