KB-7E93

Checkpoint — Birth Stage 2.6A-FIX4 Authoritative Path Repoint / No-Legacy-Bypass

Revision 1

Date 2026-06-07. Status PARTIAL. Decision STAGE2_6A_FIX4_AUTHORITATIVE_PATH_REPOINTED_NO_LEGACY_BYPASS_READY_FOR_CODEX_REAUDIT. Mode EXECUTION (principal-delegate). Live mutation YES — additive/reversible/birth-neutral. NO QT-001 apply. NO permit. NO trigger/gateway-body/old-DOT change. MCP read-back PASS.

ROOT CAUSE (answers why Codex kept catching hardcode across FIX/FIX2/FIX3). Each prior fix built newer safe layers (v2 then v3/v6) but the REAL authoritative callers kept calling the OLD layers, so the new controls were decorative. Codex audits from the writer backward along the live call graph; the prior fixes graded the new guards in isolation. FIX4 repoints every authoritative caller to a single v4 family and installs a machine guard that reproduces Codex's call-graph audit so any future regression is caught automatically.

LIVE REPRODUCTION (all 11 Codex FIX3 blockers reproduced against live source BEFORE fixing). Writer fn_dot_birth_qt001_apply read v_qt001_apply_readiness_guard_v5 and old fn_qt001_signoff_satisfies. Builder fn_qt001_build_plan_registry emitted fn_qt001_plan_fingerprint_v2 (RULE_ENGINE_V2). CURRENT plan hash was the v2 composite 9bac30375765. machine_tier_v3 -> eval_rule_v3 -> collection_signals_v2 -> OLD signoff_satisfies (tier signal from old signoff). machine_tier_v3 BLOCK clause fired only on '=BLOCK_FIRED' so a governance-invalid BLOCK returning NOT_PARTICIPATING_GOVERNANCE was ignored (fail-open). signoff_row_valid_v3/rule_governance_ok accepted any non-empty approver/reviewer/plan_id/evidence. fingerprint_v3 COALESCEd NULL to 0 (6 snapshot rows) and embedded per-binding signoff content (self-invalidating cycle). qt001_capability_contract.satisfied trusted free-text proof_object. PUBLIC EXECUTE 28 (writer/builder 4) and Directus DML open.

FIX4 (one transaction, rehearsed BEGIN..ROLLBACK twice incl. full apply->rollback reversibility, then COMMIT). New v4 family, all authoritative callers repointed, legacy retained only as inert sentinels:

  • fn_qt001_rule_governance_ok_v2: approver must be a controlled qt001_authority_identity_registry APPROVER (active, authority_lock) bound to an immutable qt001_evidence_registry row — not a non-empty string.
  • fn_qt001_signoff_row_valid_v4 / fn_qt001_signoff_satisfies_v4: reviewer must be a controlled REVIEWER identity (matching reviewer_type); plan_id+version must exist in qt001_plan_registry; evidence must be a registered immutable path. NO REVIEWER seeded => no signoff can validate in 2.6A (fail-closed).
  • fn_qt001_machine_tier_v4: FAIL-CLOSED BLOCK — a BLOCK rule blocks the tier unless it returns exactly 'BLOCK_CLEAR'; governance-invalid BLOCK (NOT_PARTICIPATING_GOVERNANCE) now BLOCKS.
  • fn_qt001_plan_fingerprint_v4: ACYCLIC (per-binding signoff content removed; replaced by controlled-identity-registry content hash), NULL-STRICT (NULL emitted as 'NULL' token, never 0; null_component_rows surfaced), engine/signal hashes over v4 functions.
  • fn_qt001_collection_signals_v4 / fn_qt001_eval_rule_v4: independent_validation signal uses signoff v4 only.
  • fn_qt001_machine_tier wrapper repointed -> v4; builder emits fingerprint v4 + signals v4 + RULE_ENGINE_V4; CURRENT plan rebuilt so its hash IS the v4 composite 32a807b7a438cd515fbc1054983ebb64.
  • writer repointed: reads v_qt001_apply_readiness_guard_v7 + fn_qt001_signoff_satisfies_v4 + fn_qt001_machine_tier(v4) + verifies CURRENT hash == fingerprint v4 composite + requires v_qt001_writer_no_legacy_dependency_guard.pass; fails closed; never reads v5/old signoff.
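
The two fail-open defects closed by machine_tier_v4 and plan_fingerprint_v4, side by side with their fail-closed forms (added example, not the project's function bodies; the collection names, snapshot values and column names are constructed, and md5() stands in for whatever hash the real fingerprint uses):

```sql
-- Added example for PostgreSQL; all rows below are constructed sample data.

-- 1) BLOCK rule handling.
--    Fail-open: only the literal 'BLOCK_FIRED' blocks.
--    Fail-closed: anything other than exactly 'BLOCK_CLEAR' blocks, NULL included.
WITH block_rule(collection, outcome) AS (VALUES
  ('col_clear',      'BLOCK_CLEAR'),
  ('col_fired',      'BLOCK_FIRED'),
  ('col_governance', 'NOT_PARTICIPATING_GOVERNANCE'),
  ('col_null',       NULL))
SELECT collection,
       outcome,
       COALESCE(outcome = 'BLOCK_FIRED', false) AS blocked_fail_open,
       outcome IS DISTINCT FROM 'BLOCK_CLEAR'   AS blocked_fail_closed
FROM block_rule
ORDER BY collection;

-- 2) Fingerprint NULL handling.
--    Snapshots s1 and s2 differ only in c2: a measured 0 versus a missing value.
WITH snapshot(snap, collection, metric) AS (VALUES
  ('s1', 'c1', 10), ('s1', 'c2', 0),
  ('s2', 'c1', 10), ('s2', 'c2', NULL))
SELECT snap,
       -- NULL coerced to 0: the two snapshots hash identically
       md5(string_agg(collection || '=' || COALESCE(metric, 0)::text,
                      '|' ORDER BY collection)) AS fp_null_as_zero,
       -- NULL emitted as its own token: the hashes diverge
       md5(string_agg(collection || '=' || COALESCE(metric::text, 'NULL'),
                      '|' ORDER BY collection)) AS fp_null_strict,
       -- surfaced so a guard can refuse apply candidates with gaps
       count(*) FILTER (WHERE metric IS NULL)   AS null_component_rows
FROM snapshot
GROUP BY snap
ORDER BY snap;
```

In the first result col_governance and col_null are blocked only in the fail-closed column; in the second, fp_null_as_zero is the same for s1 and s2 while fp_null_strict differs and null_component_rows is 1 for s2.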

SELF-ENFORCING NO-LEGACY GUARD (the loop-closer). v_qt001_authoritative_path_dependency_map scans pg_get_functiondef of all 12 authoritative objects for legacy tokens (fingerprint_v2/v3, collection_signals_v2, eval_rule_v2/v3, machine_tier_v2/v3, signoff_satisfies/_v3, signoff_row_valid/_v3, rule_governance_ok(v1), readiness_guard_v5/v6, RULE_ENGINE_V2). v_qt001_writer_no_legacy_dependency_guard.pass=true (0 offenders) and is consumed by readiness v7, hardcode guard v5, and the writer body itself — so any future repoint back to a legacy object fails the writer closed and turns readiness BLOCKED automatically.
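
A reduced form of the dependency-map scan described above (added example, not the project's view definitions; the schema demo_qt001, the four functions and both views are constructed). Each token is matched with a trailing word boundary, so a repointed call to a _v4 function is not reported as the unsuffixed legacy name it starts with:

```sql
-- Added example for PostgreSQL; runs in a transaction and rolls back.
BEGIN;
CREATE SCHEMA demo_qt001;
SET LOCAL search_path = demo_qt001;

-- Constructed callees: one legacy, one current.
CREATE FUNCTION fn_signoff_satisfies(p int) RETURNS boolean
  LANGUAGE sql AS 'SELECT true';
CREATE FUNCTION fn_signoff_satisfies_v4(p int) RETURNS boolean
  LANGUAGE sql AS 'SELECT false';

-- Constructed callers: one repointed, one still on the legacy path.
CREATE FUNCTION fn_writer_ok(p int) RETURNS boolean
  LANGUAGE plpgsql AS $$ BEGIN RETURN fn_signoff_satisfies_v4(p); END $$;
CREATE FUNCTION fn_writer_stale(p int) RETURNS boolean
  LANGUAGE plpgsql AS $$ BEGIN RETURN fn_signoff_satisfies(p); END $$;

-- One row per (authoritative object, legacy token) hit in the stored source.
CREATE VIEW v_dependency_map AS
SELECT p.proname AS authoritative_object, t.token AS legacy_token
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN (VALUES ('signoff_satisfies'), ('signoff_satisfies_v3'),
                   ('plan_fingerprint_v2'), ('RULE_ENGINE_V2')) AS t(token)
WHERE n.nspname = 'demo_qt001'
  AND p.proname IN ('fn_writer_ok', 'fn_writer_stale')
  AND p.prokind = 'f'              -- pg_get_functiondef rejects aggregates
  -- \M = end of word; '_' counts as a word character, so
  -- 'signoff_satisfies\M' does not match 'signoff_satisfies_v4'
  AND pg_get_functiondef(p.oid) ~ (t.token || '\M');

-- Single-row verdict for readiness views and the writer to consume.
CREATE VIEW v_no_legacy_guard AS
SELECT count(*) = 0 AS pass, count(*) AS offenders
FROM v_dependency_map;

SELECT * FROM v_dependency_map;
SELECT * FROM v_no_legacy_guard;
ROLLBACK;
```

A source-text scan of this kind also matches tokens that appear only in comments, and it cannot see object names assembled at run time in dynamic SQL.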

GUARDS (live committed read-back, all green).

  • v_qt001_writer_no_legacy_dependency_guard pass true 0 offenders
  • v_qt001_writer_authoritative_repoint_status pass true
  • v_qt001_current_plan_fingerprint_authority_status current_is_v4 true (hash 32a807b7a438)
  • v_qt001_no_v2_plan_hash_guard pass true
  • v_qt001_null_fingerprint_component_guard pass true (0 eligible NULL rows; 6 NULL rows are ineligible collections)
  • v_qt001_tier_signal_v3_only_guard pass true
  • v_qt001_block_rule_governance_error_guard pass true
  • v_qt001_controlled_identity_guard pass true (0 uncontrolled approvers)
  • v_qt001_authority_string_spoof_negative_tests 5/5
  • v_qt001_capability_contract_guard_v2 4/4 satisfied_by_evidence=false
  • v_qt001_scale_blocking_guard_v4 scale_not_safe true
  • v_qt001_fake_capability_proof_negative_tests 3/3
  • v_qt001_hardcode_guard_v5 pass true (all 11 sub-guards true)
  • v_qt001_26a_fix4_codex_failure_matrix 11/11 now_safe (9 FIXED + 2 ROUTED_2_6B)
  • v_qt001_26a_fix4_must_not_proceed_guard pass true
  • v_qt001_apply_readiness_guard_v7 overall_ready false (SSOT 10/12, APPLY 0/4, BLOCKED_STAGE2.6A_FIX4_6_GATES_RED)
  • v_qt001_readiness_v7_negative_tests 3/3
  • v_qt001_26a_fix4_no_bypass_proof 11/11 blocked

ROUTED TO 2.6B (kept structurally blocking, not actually remediated). CODEX10 runtime full-scan/row-by-row/no keyset/resume/literal limit 1000000 — scale stays NOT_SAFE; capability satisfied only by real verifier+behavioral/perf evidence (none exist), free-text proof_object is now diagnostic only. CODEX11 PUBLIC EXECUTE (4 writer/builder) + Directus DML — readiness SSOT gates public_execute_blocking/directus_dml_blocking remain red (the 2 SSOT red gates) keeping readiness BLOCKED; actual REVOKE + owner/role separation routed 2.6B.

MACHINE TIER (reproduces FIX3 exactly through the v4 authoritative path). TIER2=7, TIER3=6, TIER_BLOCKED=6, TIER_INELIGIBLE=55, TIER1=0. All qt001_tier_registry.apply_allowed=false.

SAFETY ANCHORS (before == after). birth_registry 1,211,064 == 1,211,064 (delta 0); qt001-origin births 0; trigger_guard_alerts 129 == 129 (no trigger DDL); fn_birth_registry_auto unchanged, gateway contract all_ok true; open execute permits 0; done ledgers 0; apr_approved 2; dangerous DOT freeze PASS 2/2. 2 new tables, 8 new functions, 4 repointed functions (writer/builder/machine_tier/machine_blocked_reason), ~21 new views, 1 plan rebuild (v2->v4 CURRENT, additive+superseded). Zero ALTER TABLE, zero CREATE TRIGGER, zero gateway/DOT change.

GOTCHAS.

  • CREATE OR REPLACE cannot drop existing parameter defaults — builder p_plan_id and writer p_permit_id/p_expected_delta/p_max_rows/p_batch_size/p_dry_run/p_execute/p_dot_origin defaults must be re-declared.
  • View dependency order: must_not_proceed_guard references readiness_guard_v7 so it must be created after it.
  • SQL-language functions resolve referents at CREATE time (row_valid_v4->; fingerprint_v4 before signoff_satisfies_v4 before collection_signals_v4 before eval_rule_v4); plpgsql late-binds so machine_tier_v4/fingerprint_v4/writer can precede their callees.
  • fn_qt001_rule_governance_ok_v2 reads tables so it is STABLE not IMMUTABLE.
  • null_fingerprint guard must filter eligible rows (ineligible collections legitimately have NULL metrics; the danger is NULL on an apply candidate).
  • Execute path: ssh contabo -> docker exec -i postgres psql -U directus -d directus (DB is 'directus', public schema; allowed DBs directus/incomex_metadata/workflow; query_pg MCP is RO 5s/500).
  • SQL staged at /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix4-2026-06-07/ (01_fix4, 90_verify, 99_rollback).
  • Rollback restores v5/v2 bodies + rebuilds v2 plan + drops v4 objects/registries (rehearsed clean).

NEXT MACRO. BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME_AND_AUTHORITY_REVOKE — implement real keyset/watermark/resume + auto-refresh + representative perf gate recorded into qt001_capability_contract as verifier+behavioral evidence (flip scale to safe by proof); REVOKE PUBLIC EXECUTE on writer/builder + Directus owner/role separation; replace sp_dot_birth_qt001_apply integer counters + literal 1000000 runaway with bounded keyset driver. Then a fresh independent Codex re-audit of FIX4 BEFORE any 2.6B permit or apply. Blocker: independent re-audit + 2.6B layers + owner permit; zero engineering blocker. Apply stays BLOCKED by design.

Report dir knowledge/dev/reports/architecture/birth-stage2-6a-fix4-qt001-authoritative-path-repoint-no-legacy-bypass-2026-06-07/00..14. Index BIRTH_GATEWAY_DESIGN_INDEX.md rev19. Continues checkpoint-birth-stage2-6a-fix3-qt001-exact-control-contract-authority-lockdown-2026-06-06.

knowledge/dev/reports/architecture/checkpoint-birth-stage2-6a-fix4-qt001-authoritative-path-repoint-no-legacy-bypass-2026-06-07.md