03 — Permit Contract Hardening (Supertrack C)

The v1 permit (birth_admission_permit) has max_rows/expires_at but both nullable and unenforced, and lacks expected_delta/mode/revoked_at/reason/checksum. ALTER TABLE is avoided (it would trip evt_trigger_guard_ddl and bump tga). A hardened birth_admission_permit_v2 was created with all constraints inline.

birth_admission_permit_v2 enforced contract

• collection_name NOT NULL · expected_delta NOT NULL CHECK≥0 · max_rows NOT NULL CHECK≥0
• mode CHECK IN (dry_run,execute) · status CHECK IN (draft,open,consumed,revoked,expired,closed)
• approved_by NOT NULL · principal_ref · owner_ref · reason NOT NULL · plan_checksum
• expires_at NOT NULL · created_at · revoked_at · consumed_at · consumed_run_id · one_use (default true)
• CHECK max_rows ≥ expected_delta · CHECK expires_at > created_at
• Partial UNIQUE INDEX bap2_one_open_execute_per_collection on (collection_name) WHERE status='open' AND mode='execute' — at most one open execute permit per collection (scoped one-use semantics).

Guards

• v_qt001_permit_contract_status — every required column present + NOT-NULL where required (all pass).
• v_qt001_permit_no_go_guard — no open execute permit; expiry/max_rows/expected enforced NOT NULL; max≥expected CHECK present; one-open-execute unique present (all pass).
• v_qt001_permit_template — the apply-safe TIER1+TIER2 collections rendered as permit TEMPLATES (collection, expected_delta, max_rows, mode=execute, draft status, placeholders for approver/expiry). No real permit is opened. TIER3 divergent collections are deliberately excluded.

Why execute is impossible now

birth_admission_permit_v2 is empty. The writer's execute path requires a matching OPEN execute permit (unexpired, scoped, max_rows). With zero permits, every execute attempt RAISEs — fail-closed by construction. open_execute_permits = 0.