08 — Hardcode Guard v3 + Disguised Hardcode Detector

Inventory updates

HC-05 (flawed parity formula) -> SUPERSEDED_BY_REGISTRY (parity is now BLOCK-only; the divergence formula remains a diagnostic signal that never grants). New findings: HC-14 not_in_set fail-open -> superseded by eval_predicate_v2; HC-15 expected_result ignored -> superseded by eval_rule_core; HC-16 incomplete plan hash -> superseded by fingerprint_v2; HC-17 spoofable signoff -> superseded by exact signoff; HC-18 readiness literal gate -> superseded by readiness v5; HC-19 parity-grants-tier -> superseded by registry_v2; HC-20 writer PUBLIC EXECUTE -> OPEN_NEXT_LAYER, is_authority_gate=false (authority contained in-body, REVOKE routed 2.6B); HC-21 Directus full DML -> OPEN_NEXT_LAYER, is_authority_gate=false (role separation routed 2.6B).

Guard v3 (v_qt001_hardcode_guard_v3)

Live: unclassified=0, dangerous_authority_open=0, dangerous_authority_retained=0, superseded_eliminated=14, nonauthority_open_routed=5, status=PASS_WITH_ROUTED_2_6B, pass=true. No dangerous authority hardcode is left open or retained; the remaining open items are non-authority and routed to 2.6B (HC-04 resolver, HC-07 trigger metadata, HC-11 conservation gap, HC-20, HC-21).

Disguised hardcode detector (v_qt001_disguised_hardcode_detector)

9 structural checks, all passed: parity not in any grant; machine_tier delegates v2; interpreter fail-closed on missing; expected_result evaluated; superseded/inactive excluded; fingerprint covers full scope; signoff binding exact (tier+checksum); readiness v5 keyset gate derived (not literal); writer governance wired. This detects, not merely asserts: each check reads live function/view source or registry data.