BIRTH STAGE 2.6A-FIX2 — QT-001 POLICY-COMPLETE / FAIL-CLOSED RULES / EXACT SIGNOFF / AUTHORITY LOCKDOWN

Date: 2026-06-06. Mode: EXECUTION (principal-delegate). Live mutation: YES — additive, reversible, birth-neutral. NO QT-001 apply. NO permit opened. NO trigger/gateway-body change. NO old-DOT unfreeze. MCP read-back: PASS.

Outcome

From STAGE2_6A_FIX_FAIL_HARDCODE_STILL_DANGEROUS (second Codex rejection) to STAGE2_6A_FIX2_POLICY_COMPLETE_FAIL_CLOSED_SIGNOFF_EXACT_AUTHORITY_LOCKED_READY_FOR_CODEX_REAUDIT. This is the SECOND corrective macro for Stage 2.6A. Apply stays BLOCKED. A fresh independent Codex re-audit is required BEFORE Stage 2.6B, any permit, or any apply.

Headline

The repeat offence — parity/divergence formula authorizing tiers, and disguised hardcode in rules/signoff/readiness — is eliminated. Parity is now BLOCK-only (it can demote a tier, never grant one). The rule engine fails closed on missing/unknown/superseded signals and evaluates expected_result. Plan fingerprint is content-addressed over the full 74-collection scope plus rules, engine, signals, signoff, trigger, gateway, watermark and blockers. Signoff is exact (checksum+version+tier+scope+verdict+reviewer+evidence+expiry). Readiness v5 has no literal decisions. The writer now consumes readiness v5 + tier apply_allowed + exact signoff and fails closed for ANY caller, neutralizing the PUBLIC EXECUTE bypass (the REVOKE itself is routed to 2.6B with a no-go guard).

Live result (post-commit, read-back)

must_not_proceed.pass = true · readiness v5 overall_ready = false (SSOT 7/7 green, APPLY 0/5) · codex blocker matrix 13/13 (10 FIXED, 3 ROUTED/CONTAINED to 2.6B) · 0 blockers OPEN. Tier distribution (machine, parity NOT authority): TIER1=0, TIER2=7, TIER3=6, TIER_INELIGIBLE=55, TIER_BLOCKED=6 (null-delta collections now fail-closed, not silently ineligible). Plan PLAN-9bac30375765 v3, 74 rows, composite 9bac30375765c1162d216b2b70a81ef5.

Safety anchors (before == after)

birth_registry 1,210,989 == 1,210,989 (birth-neutral) · qt001-apply-origin 0 · tga 129 (no CREATE TRIGGER / no ALTER TABLE) · apr 42 · gateway all_ok=true · open execute permits 0 · done ledgers 0 · Stage 0 freeze enforced.

Docs in this set

01 codex-fail reproduction · 02 fail-closed rule engine · 03 parity not authority · 04 plan fingerprint v2 · 05 exact signoff binding · 06 readiness v5 · 07 writer authority lockdown · 08 hardcode guard v3 · 09 scale not safe · 10 safety audit · 11 design index update · 12 final summary · 13 GPT MCP-readable checkpoint.

SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix2-2026-06-06/ (01a, 01b, 90_verify, 99_rollback).