Birth Stage 2.6A — QT-001 Plan/Tier/Signoff Registry SSOT + Hardcode Elimination

Date: 2026-06-06 · Status: PASS · Mode: EXECUTION (principal-delegate) · Live mutation: YES — additive + reversible + birth-neutral. No QT-001 apply. No permits opened. No trigger/gateway-body change. No writer execute-path enablement. MCP read-back PASS.

What this macro is

This is the first (deepest) layer of the Codex-required next-macro class BIRTH_STAGE2_6_QT001_AUTHORITY_TIER_GATE_KEYSET_RESUME_AND_HARDCODE_ELIMINATION. It is Stage 2.6A only: it builds the Plan / Tier / Independent-Review-Signoff registries as a single source of truth, moves the dangerous hardcode off the authority path into governed data, and makes the readiness guard consume the registries while staying BLOCKED. It does not attempt to fix every Codex finding — keyset/resume, permit lifecycle, trigger reconciliation, and the parity-invariant separation are explicitly later layers.

Outcome

From QT001_APPLY_RUNTIME_EXISTS_BUT_NOT_SAFE_SCALE_NOT_SAFE (Codex NOT_SAFE_NEEDS_FIX + SCALE_NOT_SAFE) to QT001_PLAN_TIER_REVIEW_SSOT_LIVE + DANGEROUS_HARDCODE_CLASSIFIED_OR_REMOVED + WRITER_REMAINS_BLOCKED_UNTIL_NEXT_LAYERS.

Headline result

The registry-driven plan derives tiers from data (parity + the validated-collection registry), with the 5-collection Tier1 membership taken from a recorded Codex review row rather than a code IN-list — and it reproduces the prior hardcoded tiers exactly: TIER1 5/137, TIER2 2/137, TIER3 6/505. Readiness v3 cannot false-green: every apply-permitting gate is derived from registry data, and they are RED by design (signoff NOT_SAFE, no permit, scale not safe, no apply-allowed tier, writer not yet wired).

Live posture (unchanged, fail-closed)

birth_registry 1,210,928 (DDL birth-neutral) · tga 129 · apr 42 · open execute permits 0 · done ledgers 0 · qt001-apply-origin births 0 · gateway norm-md5 c022f849 · Stage 0 freeze PASS 2/2.

Document map

• 01 — hardcode inventory (11 findings classified)
• 02 — plan registry SSOT
• 03 — tier registry SSOT
• 04 — independent review signoff registry
• 05 — readiness guard v3
• 06 — writer remains blocked + enforcement contract
• 07 — scale risk annotation
• 08 — design/index update
• 09 — safety audit
• 10 — final summary
• 11 — GPT/MCP-readable checkpoint

Next macro

BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME (or whatever the router selects): permit/run lifecycle binding plan checksum + watermark, keyset/range resume, set-based plan, paired executor/scanner DOTs, parity-invariant separation. A fresh independent Codex re-audit is required after each layer. No apply until those are structurally enforced and re-audited.