KB-63B6

Checkpoint — Birth Stage 2.6A-FIX QT-001 Machine-Enforced Tier/Plan/Signoff + Hardcode Guards

Revision 1

Date: 2026-06-06. Status: PASS. Mode: EXECUTION (principal-delegate). Live mutation: YES — additive + reversible + birth-neutral. NO QT-001 apply. NO permits. NO trigger/gateway-body/writer-execute change. MCP read-back PASS.

Outcome

From STAGE2_6A_FAIL_HARDCODE_STILL_DANGEROUS (Codex independent audit) to STAGE2_6A_MACHINE_ENFORCED_PLAN_TIER_SIGNOFF_LAYER_READY_FOR_INDEPENDENT_REAUDIT. Corrective macro for Stage 2.6A only. Apply stays BLOCKED. A fresh independent Codex re-audit is required BEFORE Stage 2.6B, any permit, or any apply.

What was applied (one tx, psql -1, rehearsed BEGIN..ROLLBACK first)

  • Tables: qt001_tier_rule_registry (11 machine-readable predicate rules; apply_allowed CHECK=false so it cannot be true in this layer); qt001_signoff_plan_binding (binds a review to plan_id/version/checksum/scope/tier/verdict/valid_until; 0 rows today by design).
  • Functions: fn_qt001_eval_tier_predicate (pure operator interpreter — eq/ne/gt/gte/lt/lte/bool_true/bool_false/in_set/not_in_set; unknown -> false fail-closed); fn_qt001_collection_signals (single signal source); fn_qt001_machine_tier (lowest-rank tier whose active rules all pass); fn_qt001_machine_blocked_reason (per-row blockers).
  • Rewrote fn_qt001_refresh_plan_snapshot (removed the hardcoded 5-collection IN-list; snapshot.tier now machine-derived) and fn_qt001_build_plan_registry (removed the CASE tier derivation and the single literal blocked_reason; both now machine/computed). Regenerated CURRENT plan (13 rows, checksum f8d2272f).
  • 23 new v_qt001_* views across SUPERTRACKS A–I.
  • Inventory: HC-01 marked ELIMINATED; HC-05/HC-11 CONTAINED-but-still-OPEN; added HC-12/HC-13 SUPERSEDED for completeness.

Headline — tiering is machine-enforced and reveals the prior hardcode was wrong

tier_code is derived by predicate rules over data, NOT a CASE. Because TIER1 now requires a signoff BOUND to the current plan checksum (none exists — both Codex reviews have NULL checksum), the five collections previously hard-listed as TIER1 are correctly DEMOTED to TIER2. Machine result: TIER1=0 (apr_action_types/apr_approvals/dot_domain_rules/field_type_equivalences/normative_relations now TIER2), TIER2=7 (those 5 + law_catalog + measurement_registry), TIER3=6 (approval_requests/governance_relations/law_dot_enforcement/law_jurisdiction/table_registry/workflows). All apply_allowed=false. Change a rule row or add a plan-bound binding and the engine re-derives — no CASE edit.
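The evaluator/policy split described above, modelled in Python as an added example; it is not the project's PL/pgSQL. The rule rows, signal names (signoff_checksum, row_count), the 1000 threshold and the convention that rank 1 is the lowest rank are assumptions made for illustration. Only the operator names and the plan checksum f8d2272f come from this page.

```python
# Added illustration (constructed rules, signals and thresholds; not project code).
OPS = {
    "eq": lambda v, a: v == a,
    "ne": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "gte": lambda v, a: v >= a,
    "lt": lambda v, a: v < a,
    "lte": lambda v, a: v <= a,
    "bool_true": lambda v, a: v is True,
    "bool_false": lambda v, a: v is False,
    "in_set": lambda v, a: v in a,
    "not_in_set": lambda v, a: v not in a,
}

def eval_predicate(op, value, arg=None):
    """Mechanism only, no tier names; unknown op, NULL signal or type mismatch -> False."""
    fn = OPS.get(op)
    if fn is None or value is None:
        return False
    try:
        return bool(fn(value, arg))
    except TypeError:
        return False

CURRENT_PLAN_CHECKSUM = "f8d2272f"  # checksum of the CURRENT plan, as reported on the page

# Policy as data rows: (tier_code, rank, signal, operator, argument, active)
RULES = [
    ("TIER1", 1, "signoff_checksum", "eq", CURRENT_PLAN_CHECKSUM, True),
    ("TIER1", 1, "row_count", "lte", 1000, True),
    ("TIER2", 2, "row_count", "lte", 1000, True),
    ("TIER3", 3, "row_count", "gt", 1000, True),
]

def machine_tier(signals, rules=RULES):
    """Lowest-rank tier whose active rules all pass; None if no tier qualifies."""
    by_tier = {}
    for tier, rank, signal, op, arg, active in rules:
        if active:
            by_tier.setdefault((rank, tier), []).append((signal, op, arg))
    for (_, tier), preds in sorted(by_tier.items()):
        if all(eval_predicate(op, signals.get(s), a) for s, op, a in preds):
            return tier
    return None

def blocked_reasons(signals, tier, rules=RULES):
    """Computed blockers: the active rules of `tier` that fail for these signals."""
    return [f"{s} {op} {a!r}" for t, _, s, op, a, act in rules
            if t == tier and act and not eval_predicate(op, signals.get(s), a)]
```

A collection whose signoff carries a NULL or stale checksum falls through to TIER2, and a rule row with an operator the interpreter does not know can never promote anything.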

Guards (live, read-back)

  • tier_rule_no_go_guard.pass=true (13/13 assigned, 0 apply_allowed)
  • blocked_reason_not_literal_guard.pass=true (7 distinct, 0 empty)
  • parity_conservation_guard.pass=true (0 apply-allowed tiers, parity SIGNAL_ONLY; parity_formula_still_open=true honest)
  • hardcode_guard_v2.status=FAIL (dangerous_authority_open=1 HC-05, dangerous_open=2, unknown_open=2)
  • plan_bound_signoff_status.plan_bound_safe=false (active_not_safe=1, 0 bindings)
  • readiness_v4 overall_ready=false (SSOT 3/4 — hardcode gate fails; APPLY 0/6)
  • writer_bypass_must_block_guard.pass=true
  • must_not_proceed.pass=true

All 9 Codex findings show fixed after-state in v_qt001_26a_codex_failure_reverification.

Safety anchors (baseline == post-commit)

birth_registry 1,210,956 (DDL/DML birth-neutral; KB report uploads add provenance births only) · qt001-apply-origin 0 · open execute permits 0 · done ledgers 0 · tga 129 (no CREATE TRIGGER / no ALTER TABLE — inline CHECK + CREATE UNIQUE INDEX did not trip evt_trigger_guard) · apr 42 · gateway contract all_ok=true, norm-md5 c022f849 present · Stage 0 freeze 5/5 (dangerous DOTs frozen). No REALRUN/event/UI/permission/owner/vote mutation. No writer enablement.

Key facts (carry forward)

  • These qt001 tables have NO pre-existing PK/FK/UNIQUE constraints, so FK to them is impossible without ALTER (forbidden — bumps tga). New tables get uniqueness via CREATE UNIQUE INDEX; referential integrity enforced by guard views. Inline CHECK in CREATE TABLE is safe (no tga bump).
  • qt001_plan_registry CHECK constraints: parity_status in (CONSISTENT,DIVERGENT,NA); validation_status in (CODEX_DATA_VALIDATED,UNVALIDATED); status in (CURRENT,SUPERSEDED). Builder must use these enum values; SIGNAL_ONLY semantics live in v_qt001_parity_signal_status, not the enum column.
  • The operator interpreter CASE (fn_qt001_eval_tier_predicate) is mechanism, not policy — it contains no tier names; policy is qt001_tier_rule_registry rows. This is the line between an evaluator and hardcode.
  • The writer (fn_dot_birth_qt001_apply) is fail-closed: execute path raises without a valid OPEN execute permit (0 exist) + gateway-integrity + stage0 + expected_delta/max_rows binds. PUBLIC EXECUTE remains (revoke deferred 2.6B) but cannot be exercised.
  • DDL via ssh contabo -> docker exec -i postgres psql; query_pg MCP is RO 5s/LIMIT500.

Artifacts

Report dir: knowledge/dev/reports/architecture/birth-stage2-6a-fix-qt001-machine-enforced-tier-plan-signoff-hardcode-guards-2026-06-06/00..12. SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix-2026-06-06/ (incl. 99_rollback.sql).

Next macro

BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME: permit/run/keyset/watermark lifecycle bound to plan checksum + exact delta; wire writer to registries + revoke PUBLIC EXECUTE; resolve HC-05/HC-11 parity-invariant separation, HC-04 resolver, HC-07 TG_ARGV scanner; duplicate-trigger reconciliation; representative-volume perf gates. Then fresh independent Codex re-audit BEFORE apply. Blocker: independent re-audit + next layers + owner permit; zero engineering blocker.

knowledge/dev/reports/architecture/checkpoint-birth-stage2-6a-fix-qt001-machine-enforced-tier-plan-signoff-hardcode-guards-2026-06-06.md