KB-6BC4

FIX3 12 — Final Summary

Revision 1

Final status: PARTIAL — STAGE2_6A_FIX3_EXACT_CONTROL_CONTRACT_MACHINE_ENFORCED_READY_FOR_CODEX_REAUDIT. The status is PARTIAL solely because revocation of PUBLIC EXECUTE and of Directus app-role DML on the QT-001 control plane is routed to Stage 2.6B; those risks are structurally blocking now. Every other FIX3 completion-contract requirement is met and negative-tested.

What changed (live, committed, reversible, birth-neutral):

Rule governance is machine-enforced in the authoritative tier path: fn_qt001_machine_tier is repointed to v3, which fails a rule closed unless authority_lock, provenance, checksum, version and approver are all valid and the stored checksum equals the recomputed canonical checksum. The eleven rules were checksum-synced, so checksums are verified, not decorative.

Plan fingerprint v3 is content-addressed over thirteen components, all proven sensitive: scope, rules-with-governance, engine, signal, governance-state, signoff-with-identity, trigger, actual gateway hash, DOT-freeze, guard states, policy/identity, watermark and blockers.

Exact signoff v3 binds plan_id, version, fingerprint, scope, tier and reviewer identity, with a reviewer allowlist (OTHER rejected) and strict expiry. It is covered by fifteen negative tests.

Readiness v6 has no regex or function-existence proof; capability is a data contract.

Hardcode guard v4 is structural and behavioral, with the inventory demoted to diagnostic.

No-bypass proof: eleven preconditions, all blocked.
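The fingerprint and signoff binding described above, sketched in Python as an added example that is not the QT-001 implementation. SHA-256 over canonical JSON, the component key spellings, the `reviewer` and `expires_at` field names and the reviewer names are all assumptions; the sample plan is constructed.

```python
import hashlib
import json
from datetime import datetime

# The thirteen fingerprint components named in the summary (key spellings assumed).
COMPONENTS = ("scope", "rules_with_governance", "engine", "signal", "governance_state",
              "signoff_with_identity", "trigger", "gateway_hash", "dot_freeze",
              "guard_states", "policy_identity", "watermark", "blockers")
REVIEWER_ALLOWLIST = frozenset({"reviewer-a", "reviewer-b"})  # constructed names; OTHER is not listed
BOUND_FIELDS = ("plan_id", "version", "fingerprint", "scope", "tier")  # assumed field names

def plan_fingerprint(plan: dict) -> str:
    """SHA-256 over a canonical JSON encoding of exactly the thirteen components."""
    if set(plan) != set(COMPONENTS):
        raise ValueError("plan must carry exactly the thirteen components")
    canonical = json.dumps({k: plan[k] for k in COMPONENTS}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def signoff_valid(signoff: dict, expected: dict, now: datetime) -> bool:
    """Fail closed: a missing field, any mismatch, an unlisted reviewer or expiry rejects."""
    try:
        if any(signoff[f] != expected[f] for f in BOUND_FIELDS):
            return False
        if signoff["reviewer"] not in REVIEWER_ALLOWLIST:
            return False
        # Strict expiry: a signoff is already invalid at the expiry instant itself.
        return now < datetime.fromisoformat(signoff["expires_at"])
    except (KeyError, TypeError, ValueError):
        return False  # malformed input (including naive timestamps) never passes

def insensitive_components(plan: dict) -> list:
    """Components whose mutation leaves the fingerprint unchanged (must be empty)."""
    base = plan_fingerprint(plan)
    return [k for k in COMPONENTS
            if plan_fingerprint({**plan, k: {"mutated": plan[k]}}) == base]

# Constructed sample plan, for illustration only.
SAMPLE_PLAN = {k: f"sample-{k}" for k in COMPONENTS}
```

A sensitivity proof in this style passes only when `insensitive_components` returns an empty list, and each signoff negative test is a single-field mutation that `signoff_valid` must reject.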

Twelve Codex FIX2 blockers: ten fixed, two (public/directus revoke, keyset/resume scale) structurally blocking and routed to 2.6B.

Safety: birth 1,211,019 neutral; tga 129; gateway c022f849 unchanged; permits 0; done 0; DOT freeze 2/2; apr_approved 2. Twenty new views, zero ALTER TABLE, zero CREATE TRIGGER.

Exact blocker to progress: a fresh independent Codex re-audit of FIX3 must return PASS, and the owner must authorise Stage 2.6B (permit/run/keyset/resume lifecycle plus actual REVOKE of PUBLIC EXECUTE and Directus DML with owner/role separation). No engineering blocker remains in the current layer; apply stays BLOCKED by design.

Next macro: BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME_AND_AUTHORITY_REVOKE.

knowledge/dev/reports/architecture/birth-stage2-6a-fix3-qt001-exact-control-contract-authority-lockdown-2026-06-06/12-final-summary.md