Date 2026-06-06. Status PARTIAL. Decision STAGE2_6A_FIX3_EXACT_CONTROL_CONTRACT_MACHINE_ENFORCED_READY_FOR_CODEX_REAUDIT. Mode EXECUTION (principal-delegate). Live mutation YES — additive/reversible/birth-neutral. NO QT-001 apply. NO permit. NO trigger/gateway-body/old-DOT change. MCP read-back PASS.

Outcome. Third corrective macro for Stage 2.6A, answering Codex STAGE2_6A_FIX2_FAIL_HARDCODE_STILL_DANGEROUS. All twelve FIX2 blockers were reproduced against LIVE source first, then ten were fixed and two (PUBLIC EXECUTE / Directus DML revocation; keyset/resume scale) were made structurally blocking and routed to Stage 2.6B — hence PARTIAL. Apply stays BLOCKED; a fresh independent Codex re-audit of FIX3 is required before any 2.6B work, permit, or apply.

Root-cause fix (not cosmetic). The authoritative tier function fn_qt001_machine_tier was repointed to fn_qt001_machine_tier_v3, which routes rules through fn_qt001_eval_rule_v3 -> fn_qt001_rule_governance_ok. A rule does not participate unless authority_lock=true, provenance present, rule_version>=1, approved_by present, approval_status=APPROVED, active, not superseded, AND rule_checksum equals the recomputed canonical fn_qt001_rule_checksum. The eleven rules were checksum-synced so checksums are verified, not decorative. Machine tiers reproduce: TIER2=7, TIER3=6, TIER_BLOCKED=6, TIER_INELIGIBLE=55, TIER1=0.

Guards (live read-back, all green). v_qt001_rule_governance_enforcement_guard pass true (11/11 active gov_ok, 0 violations); v_qt001_rule_governance_negative_tests 10/10; fn_qt001_plan_fingerprint_v3 composite cb7f062ed3becb1d71ff70917ec5b105 with v_qt001_plan_fingerprint_v3_negative_tests 13/13; v_qt001_exact_signoff_v3_guard pass true, current_apply_signoff_safe false, v_qt001_exact_signoff_v3_negative_tests 15/15; v_qt001_disguised_hardcode_structural_detector 11/11 behavioral; v_qt001_hardcode_guard_v4 pass true status PASS_WITH_ROUTED_2_6B; v_qt001_apply_readiness_guard_v6 overall_ready false (SSOT 5/7, APPLY 0/4, BLOCKED); v_qt001_readiness_v6_negative_tests 5/5; v_qt001_scale_blocking_guard_v3 scale_not_safe true (0/4 capabilities); v_qt001_26a_fix3_no_bypass_proof all 11 blocked; v_qt001_26a_fix3_must_not_proceed_guard pass true; v_qt001_26a_fix3_codex_blocker_matrix 12 total = 10 fixed + 2 routed.

Lockdown. v_qt001_public_execute_no_go_guard public_execute_open 28 / writer_builder_public_open 4 / pass false; v_qt001_directus_dml_no_go_guard app_role_dml_open 11 / pass false; v_qt001_control_plane_authority_lockdown_status status STRUCTURALLY_BLOCKING_REVOCATION_ROUTED_2_6B, writer_fail_closed_in_body true. These feed readiness v6 SSOT red gates and hardcode v4 disposition. Actual REVOKE routed 2.6B.

Safety anchors (before == after). birth_registry 1,211,019 == 1,211,019; trigger_guard_alerts 129 == 129 (no trigger DDL); gateway fn_birth_registry_auto norm-md5 c022f849c2c7d57a720c4cc172789d70 unchanged; gateway integrity all_ok; open execute permits 0; done ledgers 0; dangerous DOT freeze PASS 2/2; apr_approved 2. 20 new views, 8 new functions, 1 new table, 1 repointed fn, 2 patched FIX2 guards, 1 UPDATE of 11 rows. Zero ALTER TABLE, zero CREATE TRIGGER.

Gotchas carried forward. The event-trigger guard reacts only to trigger DDL (object_type='trigger'); CREATE TABLE/FUNCTION/VIEW and UPDATE are tga-neutral. SQL-language functions resolve referenced functions at CREATE time — fn_qt001_plan_fingerprint_v3 had to be defined before the SQL-language fn_qt001_signoff_satisfies_v3 (handled via the 00_fp_first prelude; plpgsql late-binds its view refs). Repointing machine_tier to v3 broke two FIX2 source-text guards (body LIKE %machine_tier_v2%); they were patched to accept v2-or-v3, and the FIX3 authority path was kept free of source-text. The KB WAF rejects fenced code; the write allowlist is /opt/incomex/docs/mcp-writes and subdirs need mkdir+chmod first; container cannot see host paths so SQL is cat-piped into docker exec psql; MCP query_pg is read-only 5s/500-row.

Artifacts. Report dir birth-stage2-6a-fix3-qt001-exact-control-contract-authority-lockdown-2026-06-06/00..13. SQL /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix3-2026-06-06/ (00_fp_first, 01_fix3, 02_patch, 90_verify, 99_rollback). Index BIRTH_GATEWAY_DESIGN_INDEX.md rev17.

Next macro: BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME_AND_AUTHORITY_REVOKE (permit/run/keyset/watermark resume lifecycle; REVOKE PUBLIC EXECUTE + Directus owner/role separation; HC-04 resolver, HC-07 TG_ARGV scanner, HC-11 conservation invariant; representative-volume perf gate recorded into qt001_capability_contract). Then a fresh independent Codex re-audit of FIX3 BEFORE any permit or apply. Blocker: independent re-audit + 2.6B layers + owner permit; zero engineering blocker.