KB-3BA4

Birth Stage 2.6A-FIX3 — Exact Control Contract / Authority Lockdown — README

Revision 1

Date 2026-06-06. Mode EXECUTION (principal-delegate). Live mutation YES — additive/reversible/birth-neutral. NO QT-001 apply. NO permit. NO trigger/gateway-body/old-DOT change. MCP read-back PASS.

Status: PARTIAL — STAGE2_6A_FIX3_EXACT_CONTROL_CONTRACT_MACHINE_ENFORCED_READY_FOR_CODEX_REAUDIT. PARTIAL (not PASS) because actual REVOCATION of PUBLIC EXECUTE and Directus app-role DML on the QT-001 control plane must wait for Stage 2.6B; those risks are STRUCTURALLY BLOCKING now (they force readiness BLOCKED and the writer fails closed), but the privilege change itself is not yet executed. Everything else demanded by the FIX3 completion contract is machine-enforced and negative-tested.

This is the THIRD corrective macro for Stage 2.6A. It answers the Codex verdict STAGE2_6A_FIX2_FAIL_HARDCODE_STILL_DANGEROUS, whose twelve blockers were reproduced LIVE (not trusted from prior reports) and then fixed or structurally contained.

Headline outcomes (live, committed, MCP-verified):

  • Rule governance is now MACHINE-ENFORCED. The authoritative tier function fn_qt001_machine_tier was repointed to fn_qt001_machine_tier_v3, which evaluates rules through fn_qt001_eval_rule_v3. That evaluator calls fn_qt001_rule_governance_ok, which fails a rule closed unless authority_lock=true, provenance present, rule_checksum present AND equal to the recomputed canonical checksum (fn_qt001_rule_checksum), rule_version present and >=1, approved_by present, approval_status=APPROVED, active, not superseded. Any missing/NULL/unknown field => the rule does not participate. The eleven governed rules were checksum-synced to canonical so they remain participating with VERIFIED (not decorative) checksums. Machine tiers reproduce exactly: TIER2=7, TIER3=6, TIER_BLOCKED=6, TIER_INELIGIBLE=55, TIER1=0.
  • Plan fingerprint v3 (fn_qt001_plan_fingerprint_v3, composite cb7f062ed3becb1d71ff70917ec5b105) is content-addressed over ALL control inputs: scope, rules WITH governance fields, engine v3, signal, per-rule governance state, signoff WITH reviewer identity/evidence/expiry, trigger fingerprint, ACTUAL gateway release hashes, DOT-freeze status, structural guard states, policy/identity, watermark, blockers. Thirteen behavioral negative tests prove every component is content-sensitive.
  • Exact signoff v3 (fn_qt001_signoff_row_valid_v3) binds plan_id, plan_version, the fingerprint composite (content-addressed), scope, tier, an ALLOWLIST of reviewer types (OTHER/self/machine rejected), reviewer identity, evidence, and a strict non-null future expiry. Fifteen negative tests prove each defect flips to false.
  • Readiness v6 has NO regex / function-name / source-text capability proof. Keyset/resume/refresh/perf is a data contract (qt001_capability_contract, default UNSATISFIED). Readiness is BLOCKED (SSOT 5/7 green; the two red SSOT gates are public_execute_blocking and directus_dml_blocking; APPLY 0/4).
  • Hardcode guard v4 (v_qt001_hardcode_guard_v4) derives PASS/FAIL from structural control state and BEHAVIORAL function invocations. The manual inventory is demoted to diagnostic only (v_qt001_hardcode_diagnostic_inventory_v4). Status PASS_WITH_ROUTED_2_6B (core enforcement sound; public/directus revocation routed).
  • End-to-end no-bypass proof (v_qt001_26a_fix3_no_bypass_proof): all 11 preconditions blocked; there is no path from current state to apply eligibility.
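
The fail-closed governance gate described in the first bullet above, sketched in Python with one negative test per defect. This is an added example, not the project's SQL; the body of fn_qt001_rule_governance_ok is not shown on this page. The field names rule_code, predicate, tier and superseded, the SHA-256 checksum recipe and the sample row are assumptions.

```python
import hashlib, json

# Assumption: checksum = SHA-256 over canonical JSON of these content fields;
# the page does not give the recipe fn_qt001_rule_checksum really uses.
CONTENT_FIELDS = ("rule_code", "predicate", "tier")

def rule_checksum(rule):
    canon = json.dumps({k: rule.get(k) for k in CONTENT_FIELDS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def _present(value):
    return isinstance(value, str) and value.strip() != ""

def governance_ok(rule):
    """True only when every governance condition holds; any gap fails closed."""
    try:
        return all((
            rule.get("authority_lock") is True,   # NULL or "true" is not a lock
            _present(rule.get("provenance")),
            _present(rule.get("rule_checksum")),
            rule.get("rule_checksum") == rule_checksum(rule),
            type(rule.get("rule_version")) is int and rule["rule_version"] >= 1,
            _present(rule.get("approved_by")),
            rule.get("approval_status") == "APPROVED",
            rule.get("active") is True,
            rule.get("superseded") is False,      # unknown counts as superseded
        ))
    except Exception:                             # malformed row: do not participate
        return False

def sample_rule():
    # Constructed sample row, not data from the real rule table.
    rule = {"rule_code": "R-EXAMPLE", "predicate": "signal_count >= 3", "tier": "TIER2",
            "rule_version": 1, "authority_lock": True, "provenance": "constructed-sample",
            "approved_by": "reviewer-a", "approval_status": "APPROVED",
            "active": True, "superseded": False}
    rule["rule_checksum"] = rule_checksum(rule)
    return rule

# One defect per case; each one alone must flip the verdict to False.
DEFECTS = {
    "lock_null": {"authority_lock": None}, "lock_string": {"authority_lock": "true"},
    "no_provenance": {"provenance": ""}, "no_checksum": {"rule_checksum": None},
    "stale_checksum": {"predicate": "signal_count >= 1"}, "version_zero": {"rule_version": 0},
    "no_approver": {"approved_by": None}, "not_approved": {"approval_status": "PENDING"},
    "inactive": {"active": False}, "superseded_unknown": {"superseded": None},
}

def run_negative_tests():
    return {n: governance_ok({**sample_rule(), **p}) for n, p in DEFECTS.items()}
```

The stale_checksum case edits the rule content without re-syncing the stored checksum, which is the difference between a verified checksum and a decorative one.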

Live safety anchors (before == after the commit): birth_registry 1,211,019 == 1,211,019; trigger_guard_alerts 129 == 129 (no trigger DDL); gateway fn_birth_registry_auto norm-md5 c022f849c2c7d57a720c4cc172789d70 unchanged; gateway integrity all_ok true; open execute permits 0; done ledgers 0; dangerous DOT freeze PASS 2/2; apr_approved 2. Twenty new FIX3 views; zero ALTER TABLE; zero CREATE TRIGGER.

Forbidden actions all honored: no apply, no permit, no birth write except KB docs, no trigger change, no gateway body change, no old DOT unfreeze, no owner/vote/RP/REALRUN/UI mutation, no proceed to 2.6B, no regex/source-text as primary guard, no manual inventory as primary guard, no readiness on function existence, no reviewer OTHER, no signoff without exact binding, no rule participation without governance, no PASS without negative tests.

SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix3-2026-06-06/ (00_fp_first.sql, 01_fix3.sql, 02_patch.sql, 90_verify.sql, 99_rollback.sql). Rollback rehearsed inside a transaction: all FIX3 objects drop, fn_qt001_machine_tier restored to v2, FIX2 guards restored, checksums restored.

Next macro: BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME_AND_AUTHORITY_REVOKE. A FRESH independent Codex re-audit of FIX3 is required BEFORE any 2.6B work, permit, or apply.
