01 — Stage 1 Reverify + No-Worse Guard (Supertrack A)

All Stage 0/1 foundations re-verified LIVE before any QT-001 work. Stage 0/1 NOT broken → proceeded.

Live reverify (2026-06-06)

Check	Result
Stage 0 still-enforced guard	5/5 PASS (old-fn guard, drift, exempt guard, danger DOTs frozen 2/2, regression 10 tests)
Gateway contract integrity	5 tracked / 5 ok / 0 drift / all_ok=true
Gateway no-go guard	4/4 (norm_md5 unchanged, exempt guard, does NOT call stage1 fns, contract drift ok)
Release drift guard	5/5 fns OK (live norm_sha256 == approved)
Stage 1 shared fns	fn_birth_policy_decision, fn_birth_resolve_identity, fn_birth_register all present
H11a / H11b	both detect_only, auto_fix_action NULL (contained)
Authority P1 / quorum regression	8/8 / 7/7 PASS
Stage 1 no-worse proof	5/5 PASS
Stage 1 QT compatibility	8/8 PASS
Anchors	birth 1,210,866→868 (background realtime), tga 129, apr 42, permits 0, ledger 0

Decisive fact for safety

gateway_does_not_call_stage1_fns = true, and the live gateway source (fn_birth_registry_auto) reads only collection_registry.coverage_status + TG_ARGV — it does not read birth_code_strategy / birth_code_column. Therefore identity classification (the Stage 2 metadata write) is invisible to the live QT-002 path and cannot change realtime birth behavior.

New guards built

v_birth_stage2_dependency_guard (6/6: stage1 fns, release registry, permit+ledger, contract all_ok, stage0 intact, gateway no-go) and v_birth_stage2_no_worse_guard (6/6: required 74 / deferred 58 / exempt 36 unchanged, qt002 compat holds, gateway unchanged, apply fail-closed no open permit). Both live, all PASS.