KB-A6C3

Fix 4 — P6 False-PASS Prevention

Revision 1
c1stagingcodex-r1-fixp6false-pass2026-06-23

06 — FIX 4: P6 EVIDENCE FALSE-PASS PREVENTION

Root cause (Codex A10)

Rev-1 P6 computed the digest first, then evaluated a CASE expression that returned a verdict STRING (non-fatal). It did not prove that P4 ran, did not require the exact P5 matrix, and its orphan scan (tables only) could not block the verdict. P6_DONE was printed whenever psql exited 0, regardless of the verdict.

Fix — FATAL gate BEFORE digest/PASS

After defining c1_digest() (and registering it), a DO block runs and RAISES on any failure. With ON_ERROR_STOP=1 a RAISE aborts psql, so the digest SELECT, the evidence ledger row, and the C1_STAGING_FAST_DRY_RUN_PASS verdict that follow are unreachable on failure.

Gate conditions (all must hold):

P3_DONE  = EXISTS ledger op 'c1_vocab_build'
P4_DONE  = EXISTS ledger op 'c1_verify'
P5_DONE  = EXISTS ledger op 'c1_bad_input_harness'
canonical_operation count = 3
canonical_operation validated = 3            (proves P4 actually validated)
bad-input total = 9, passed = 9, failed = 0, accepted = 0
official-write isolation proof: case_no=8 rejected AND sqlstate='42P01' AND pass  (=1)
orphan objects = 0 across public TABLES + FUNCTIONS + TRIGGERS (extended beyond rev-1 tables-only)

Only after the gate passes does P6 record the evidence ledger row and emit the digest (computed from the verified canonical_operation rows) and the PASS verdict.
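
The gate described above, written as a psql script fragment. This is an added example, not the contents of sql/p6-evidence-readback.sql: the table and column names (c1_ledger, c1_bad_input_result, outcome and the rest) are assumptions, and the orphan-object scan is left out because the page does not define which objects count as orphans.

```sql
-- Added example. Hypothetical schema (assumed, not taken from the page):
--   c1_ledger(op text)
--   canonical_operation(validated boolean)
--   c1_bad_input_result(case_no int, outcome text, sqlstate text, pass boolean)
\set ON_ERROR_STOP 1

DO $gate$
DECLARE
  missing_ops text;
  n_ops int; n_valid int;
  n_total int; n_pass int; n_fail int; n_accepted int; n_isolation int;
BEGIN
  -- P3/P4/P5 must each have left a ledger row.
  SELECT string_agg(req.op, ', ') INTO missing_ops
  FROM unnest(ARRAY['c1_vocab_build','c1_verify','c1_bad_input_harness']) AS req(op)
  WHERE NOT EXISTS (SELECT 1 FROM c1_ledger l WHERE l.op = req.op);
  IF missing_ops IS NOT NULL THEN
    RAISE EXCEPTION 'P6 gate: missing upstream ledger op(s): %', missing_ops;
  END IF;

  -- Exactly 3 canonical operations, all validated by P4.
  SELECT count(*), count(*) FILTER (WHERE c.validated) INTO n_ops, n_valid
  FROM canonical_operation c;
  IF n_ops <> 3 OR n_valid <> 3 THEN
    RAISE EXCEPTION 'P6 gate: canonical_operation count=% validated=% (want 3/3)', n_ops, n_valid;
  END IF;

  -- Exact P5 matrix plus the official-write isolation proof (case 8).
  SELECT count(*),
         count(*) FILTER (WHERE r.pass),
         count(*) FILTER (WHERE r.pass IS NOT TRUE),
         count(*) FILTER (WHERE r.outcome = 'accepted'),
         count(*) FILTER (WHERE r.case_no = 8 AND r.outcome = 'rejected'
                            AND r.sqlstate = '42P01' AND r.pass)
    INTO n_total, n_pass, n_fail, n_accepted, n_isolation
  FROM c1_bad_input_result r;
  IF n_total <> 9 OR n_pass <> 9 OR n_fail <> 0 OR n_accepted <> 0 OR n_isolation <> 1 THEN
    RAISE EXCEPTION 'P6 gate: bad-input matrix total=% passed=% failed=% accepted=% isolation=%',
      n_total, n_pass, n_fail, n_accepted, n_isolation;
  END IF;
END
$gate$;

-- Reached only if the gate did not RAISE (ON_ERROR_STOP aborts psql otherwise).
\echo C1_STAGING_FAST_DRY_RUN_PASS
```

Counting with `pass IS NOT TRUE` treats a NULL result as a failure, so an unrecorded outcome cannot slip through as a pass.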

Why it cannot false-PASS

  • No P6_DONE on partial upstream: missing P3/P4/P5 ledger → RAISE.
  • No digest on partial success: the gate precedes the digest SELECT; a RAISE stops psql first.
  • No PASS from digest existence: the verdict line is after the gate and only printed if psql reached it.

sha256 sql/p6-evidence-readback.sql = 189b9bcbff741efe00943880f716087b4aa597df95e2a15289b747d0d4bdbda6. Balance: f$=2, g$=2, BEGIN=2/COMMIT=2 (digest-define txn + post-gate evidence txn).
