KB-2204

Stage 0 — 03 Dangerous Execution Freeze


03 — Dangerous Execution Freeze (Supertrack C)

Decision: the narrowest safe reversible option is rename-to-quarantine plus an inert guard wrapper (combines macro options B + C). It was chosen over a pure DB guard (option A) because a DB view cannot prevent a binary from running, and over chmod -x because a wrapper gives a clear operator message and cannot be bypassed with bash <file>.

Safety basis (verified before applying)

  • No cron (root/incomex/cron.d/crontab) references either DOT.
  • No systemd unit/timer references either DOT.
  • Only composite caller is dot-collection-create, which guards the call with [[ -x ... ]] + 2>/dev/null || true → degrades gracefully (skips) when frozen. No unrelated executor breaks.

What was applied (2026-06-06 ~06:04Z)

| Original | Quarantine (byte-identical, md5 verified) | Wrapper | Owner |
|---|---|---|---|
| /opt/incomex/dot/bin/dot-birth-trigger-setup | dot-birth-trigger-setup.stage0-frozen-2026-06-06 (a0b926…) | exit 3, syntax OK | root:root |
| /opt/incomex/dot/bin/dot-birth-backfill | dot-birth-backfill.stage0-frozen-2026-06-06 (f04cdbf…) | exit 3, syntax OK | incomex:incomex |

The pre-existing .bak-s164c backups were not touched. The apply script re-checked md5 before moving (abort on mismatch) and is idempotent (aborts if already frozen).

Verification

  • Running either wrapper prints [BIRTH-STAGE0-FROZEN] … Refusing to run. and exits 3.
  • Quarantine md5 == original md5 for both (YES/YES).
  • Views: v_birth_stage0_execution_freeze_status (2 rows FROZEN_WRAPPER_INSTALLED), v_birth_stage0_freeze_no_go_guard = PASS (2/2, gateway guard PASS).
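The apply and verification steps above, sketched as an added example; this is not the apply script the report refers to. The function name, its arguments and the wrapper message are hypothetical, and it assumes GNU coreutils (md5sum, stat -c).

```shell
# Added example: hypothetical freeze helper (needs GNU coreutils: md5sum, stat -c).
# usage: freeze_executable <path> <expected-md5> <quarantine-suffix>
freeze_executable() {
    local target="$1" expected="$2" suffix="$3"
    local quarantine="${target}.${suffix}" actual owner mode

    # Idempotent: abort if a quarantine copy is already in place.
    if [ -e "$quarantine" ]; then
        echo "already frozen: $quarantine" >&2
        return 2
    fi
    [ -f "$target" ] || { echo "not a regular file: $target" >&2; return 1; }

    # Re-check the hash right before the move; abort on mismatch.
    actual=$(md5sum "$target" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "md5 mismatch for $target (got $actual)" >&2
        return 1
    fi

    # Capture owner and mode so the wrapper keeps the original's metadata.
    owner=$(stat -c '%u:%g' "$target")
    mode=$(stat -c '%a' "$target")

    mv -- "$target" "$quarantine"

    # The guard lives in the file body, so "bash <file>" also hits it.
    # Quoted heredoc: nothing is expanded while writing the wrapper.
    # Message text is constructed for this example.
    cat > "$target" <<'EOF'
#!/usr/bin/env bash
echo "[FROZEN] $0 has been quarantined. Refusing to run." >&2
exit 3
EOF
    chmod "$mode" "$target"
    # Restoring a different owner needs root; tolerated when unprivileged.
    chown "$owner" "$target" 2>/dev/null || true

    # Post-checks: quarantine is byte-identical and the wrapper parses.
    actual=$(md5sum "$quarantine" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || return 1
    bash -n "$target"
}
```

Return codes here are 0 for a successful freeze, 1 for a failed check, and 2 when the target is already frozen; the wrapper's own exit code 3 matches the value in the table.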

Reversibility

Full rollback in /opt/incomex/docs/mcp-writes/birth-stage0-2026-06-06/BIRTH_STAGE0_FREEZE_ROLLBACK.md (mv quarantine back + chown/chmod + md5 verify). Do not roll back until Stage 1 makes the DOT reconcile-only.

Completion: dangerous DOTs cannot be run accidentally; the unblock path is explicit and documented.
