KB-2B12

Checkpoint BIRTH Stage2.6A-FIX6 QT-001 Signoff Fixed-Point + Behavioral Proof + Self-Codex-Audit

Revision 1. Tags: checkpoint, qt001, fix6, stage2.6a, fixed-point, signoff, capability, readiness-v9, hardcode-v7, self-audit, pg-native, birth

Date: 2026-06-07. Mode: EXECUTION (principal-delegate). Live mutation: YES (additive/reversible/birth-neutral). MCP read-back: PASS. Status: PARTIAL → STAGE2_6A_FIX6_SELF_AUDITED_PG_NATIVE_DRIVEN_READY_FOR_EXTERNAL_CODEX_CONFIRMATION.

What this answered

Codex's 5th rejection, STAGE2_6A_FIX5_FAIL_HARDCODE_OR_BYPASS_STILL_DANGEROUS (10 blockers, B1..B10). The critical new discipline this cycle: T1 ran a Codex-style self-audit AFTER implementing and BEFORE reporting, found its own defects, fixed them in-macro, re-ran the self-audit, and additionally ran an INDEPENDENT adversarial read-only auditor (a subagent), which returned CONFIRM before the report went out. self_audit_pass=true is the gate that was met.

Honest verdict (the core truth)

The system cannot self-certify safe-to-apply in 2.6A and FIX6 does not pretend it can. Three structural facts make apply genuinely BLOCKED and several proofs genuinely impossible to make natively-authoritative within 2.6A:

  1. PostgreSQL records NO function→function call edges in pg_depend (func_to_func=0, verified). A native callgraph can prove VIEW dependencies but NOT what a plpgsql/sql function body calls. So the apply-path "no legacy" guarantee is not natively provable; v_qt001_callgraph_unclassified_fail_guard.pass=false (honest BLOCKER), and the regex scan is demoted to diagnostic-only.
  2. plan_v5 IS a byte-identical clone of plan_v2 (normalized_identical=true). FIX6 does NOT re-author it; it detects+blocks it (full-scan/keyset/perf = NOT_SAFE, routed 2.6B).
  3. The directus app-role owns/DDL-controls the ENTIRE control plane (262 qt001 objects: tables+views+functions). Any PG-hosted guard is rewritable by that role. Surfaced as a hard BLOCKER; REVOKE/owner-role separation routed 2.6B. Therefore verdict = PG_NATIVE_DRIVEN_PARTIAL_BLOCKED (honest), readiness BLOCKED, scale NOT_SAFE. NOT a PASS-to-apply.

Codex B1..B10 — reproduced LIVE then handled (all now_handled=true)

  • B1 callgraph regex/depth<10/name-filter/Directus-registry → native pg_depend/pg_rewrite closure (no depth cap; traversal not name-limited); regex→v_qt001_callgraph_text_scan_diagnostic (diagnostic_only); func-call-edges catalog-invisible → v_qt001_callgraph_unclassified_fail_guard FAILS; v_qt001_callgraph_no_regex_authority_guard proves (native) the 4 authoritative guards don't reach the regex views (authoritative_guards_reaching_regex=0).
  • B2 plan_v5=v2 clone → v_qt001_v2_logic_clone_detector (normalized-md5 + 5 shared signatures) clone_detected=true; v_qt001_current_planner_not_v2_clone_guard.pass=false BLOCKER; v_qt001_plan_facts reads snapshot facts (no rescan).
  • B3 fingerprint/signoff loop → FIXED-POINT: v_qt001_plan_content_hash (pg_depend-proven to reference ONLY snapshot+rule+tier registries, NOT signoff) vs v_qt001_control_state_hash (includes signoff); qt001_plan_content_binding stores stable hash; v_qt001_signoff_target_hash_guard; v_qt001_fixed_point_hash_negative_tests 5/5 pass (content excludes signoff, includes ruleset; control includes signoff; wrong hash→signoff invalid).
  • B4 impossible signoff identity → ADDED FK qt001_signoff_plan_binding_review_fk_fix6 (binding.review_id→independent_review_signoff) + strict CHECK qt001_irs_reviewer_strict_fix6 (reviewer_type IN CODEX,T2_HUMAN; no OTHER/OWNER). fn_qt001_signoff_row_valid_v6/_satisfies_v6 use schema-valid values + bind content_hash + not self-signed + immutable evidence. v_qt001_signoff_identity_constraint_guard.pass=true (fk=1, strict_forbids_other_owner=true); neg tests 3/3.
  • B5 capability regex/false → typed qt001_capability_operational_evidence (EMPTY); real probes v_qt001_{keyset,resume,perf}_behavior_probe (behavior_hint=DIAGNOSTIC, operational_evidence from evidence table); v_qt001_capability_behavior_contract_v6 satisfied=(operational_evidence AND typed_proof), LEFT JOIN so missing probe can't disappear; v_qt001_scale_behavioral_guard_v6 scale_not_safe=true (0/3); v_qt001_capability_false_green_guard FALSIFIABLE (with 0 verified rows NO capability may be satisfied); neg tests 3/3.
  • B6 hardcode_v6 false-pass → v_qt001_hardcode_guard_v7 consumes readiness v9 / scale / directus / no-bypass / callgraph / fixed-point / clone; pass=true ONLY when every risk surfaced/blocking AND system_apply_blocked=true. (OLD v6 now =false for contrast.)
  • B7 no_bypass tautology → v_qt001_no_bypass_proof_v4 explicit STRUCTURAL conditions (each bypass_possible a real check; no IS-NOT-NULL/literal-true); honestly all_blocked=false (directus owner+DML bypass_possible=true; public_execute_uncontained=false via real check that writer enforces in-body v9 gate); v_qt001_no_tautology_guard_v4 uses pg_depend (references_real_controls) + bans IS-NOT-NULL.
  • B8 directus owns control plane → v_qt001_directus_control_plane_mutation_risk (tables+views+functions, 262 objects, owner=directus) + v_qt001_directus_mutation_blocks_readiness_guard.pass=false hard BLOCKER feeding readiness v9.
  • B9 readiness fixed/bool_and-NULL → qt001_readiness_guard_registry_v9 (14 gates, locked/validated) + fn_qt001_eval_guard_bool (dynamic, returns NULL on error) + v_qt001_apply_readiness_guard_v9 NULL-STRICT (overall_ready = required-satisfied-count == required-count; NULL/missing → not ready, never ignored); neg tests 3/3 (incl. demonstrating bool_and(TRUE,NULL)=TRUE pitfall avoided).
  • B10 PG_HOSTED_HARDCODE_REMAINS → v_qt001_fix6_pg_native_driven_scorecard fully COMPUTED (no literal true); verdict=PG_NATIVE_DRIVEN_PARTIAL_BLOCKED.
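Worked example for B1, B3 and B7 above: a native dependency closure built only from pg_rewrite/pg_depend, used to prove which relations a view reaches (content hash must not reach signoff; control hash must), followed by the catalog fact that makes function bodies unclassifiable. This is added illustration, not the project's SQL; the `demo` schema, all object names and the plan/signoff shapes are constructed for the demo, and it runs inside a transaction that is rolled back.

```sql
BEGIN;
CREATE SCHEMA demo;

-- Constructed control-plane fragment: a snapshot table, a signoff table, a content
-- hash view (must NOT see signoff) and a control-state view (must see signoff).
CREATE TABLE demo.plan_snapshot (plan_id int PRIMARY KEY, body text NOT NULL);
CREATE TABLE demo.signoff (plan_id int PRIMARY KEY, reviewer text NOT NULL);
CREATE VIEW demo.v_plan_content_hash AS
  SELECT plan_id, md5(body) AS content_hash FROM demo.plan_snapshot;
CREATE VIEW demo.v_control_state_hash AS
  SELECT c.plan_id, md5(c.content_hash || coalesce(s.reviewer, '')) AS control_hash
  FROM demo.v_plan_content_hash c LEFT JOIN demo.signoff s USING (plan_id);

-- Two functions where one calls the other from a plpgsql body.
CREATE FUNCTION demo.fn_inner() RETURNS int LANGUAGE sql AS 'SELECT 1';
CREATE FUNCTION demo.fn_outer() RETURNS int LANGUAGE plpgsql AS $$
BEGIN RETURN demo.fn_inner() + 1; END $$;

-- Native closure of the relations a view reaches. Every view has one _RETURN rule
-- in pg_rewrite; that rule's pg_depend rows name each relation (one row per
-- referenced column) and each function the view body uses. No regex involved,
-- no depth cap, no name filter: the traversal stops when the catalog has no more edges.
CREATE FUNCTION demo.relation_closure(root regclass)
RETURNS TABLE (relid regclass) LANGUAGE sql STABLE AS $$
  WITH RECURSIVE dep(relid) AS (
    SELECT root
    UNION
    SELECT d.refobjid::regclass
    FROM dep
    JOIN pg_rewrite r ON r.ev_class = dep.relid::oid
    JOIN pg_depend  d ON d.classid = 'pg_rewrite'::regclass AND d.objid = r.oid
    WHERE d.refclassid = 'pg_class'::regclass
      AND d.refobjid <> dep.relid::oid          -- skip the rule's own view
  )
  SELECT relid FROM dep WHERE relid <> root
$$;

-- Fixed-point proof (B3) and "references real controls" (B7) in one shape:
-- content hash must not reach signoff; control hash must.
SELECT
  NOT EXISTS (SELECT 1 FROM demo.relation_closure('demo.v_plan_content_hash')
              WHERE relid = 'demo.signoff'::regclass)   AS content_excludes_signoff,
  EXISTS     (SELECT 1 FROM demo.relation_closure('demo.v_control_state_hash')
              WHERE relid = 'demo.signoff'::regclass)   AS control_includes_signoff;

-- Function-to-function edges (B1): plpgsql and string-bodied SQL functions record
-- NONE, so fn_outer -> fn_inner is catalog-invisible. (Only SQL-standard
-- BEGIN ATOMIC bodies, PG 14+, record body dependencies.) A guard that needs this
-- edge must therefore report "unclassified" and FAIL, not pass.
SELECT count(*) AS func_to_func
FROM pg_depend d
JOIN pg_proc p ON p.oid = d.objid
WHERE d.classid    = 'pg_proc'::regclass
  AND d.refclassid = 'pg_proc'::regclass
  AND p.pronamespace = 'demo'::regnamespace;

-- Diagnostic only, never authoritative: a text scan of prosrc does see the call,
-- but it is a regex over source text, not a catalog fact.
SELECT p.oid::regprocedure AS caller
FROM pg_proc p
WHERE p.pronamespace = 'demo'::regnamespace
  AND p.prosrc ~ 'fn_inner';

ROLLBACK;
```

Run it with psql against any PostgreSQL 12+ instance: the fixed-point query returns true/true, func_to_func is 0 even though fn_outer demonstrably calls fn_inner, and only the text scan names demo.fn_outer() as the caller. That asymmetry is the whole reason an apply-path guard built on pg_depend can be authoritative for views but must fail closed for functions.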

Self-audit (the report gate)

v_qt001_fix6_self_audit.self_audit_pass=TRUE (13-way AND of independently-derived flags: all_findings_handled, must_not_proceed, hardcode_v7, capability_no_false_green, callgraph_no_regex_authority, no_tautology, signoff_identity, fixed_point, readiness_null_strict, signoff_neg, capability_neg, readiness_blocked, scorecard_verdict='PG_NATIVE_DRIVEN_PARTIAL_BLOCKED'). v_qt001_fix6_codex_failure_reproduction B1..B10 all now_handled=true. v_qt001_fix6_must_not_proceed_guard.pass=true. T1 self-audit found and fixed 2 of its own defects in-macro: (1) no_bypass_v4 awkward AND NOT true literals → replaced with real structural derivations; (2) false_green_guard pass was tautological → made falsifiable. Independent adversarial subagent audit = CONFIRM_SELF_AUDITED_PARTIAL_BLOCKED (all 10 claims PASS, no high/critical defects).
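Worked example for the two "absence must not read as pass" guards, B5 (capability LEFT JOIN, falsifiable false-green guard) and B9 (readiness registry with NULL-strict evaluation and the bool_and pitfall). This is added illustration, not the project's own views or functions; the `demo` schema, gate names, the guard SQL strings and the capability rows are constructed, and everything is rolled back at the end.

```sql
BEGIN;
CREATE SCHEMA demo;

-- Registry of gates; each guard_sql must return exactly one boolean row.
CREATE TABLE demo.readiness_guard_registry (
  gate_name text PRIMARY KEY,
  guard_sql text NOT NULL,
  required  boolean NOT NULL DEFAULT true
);

-- Dynamic evaluator. Any error (missing view, zero rows, non-boolean result)
-- becomes NULL, which the readiness view below treats as NOT READY.
CREATE FUNCTION demo.eval_guard_bool(p_sql text) RETURNS boolean
LANGUAGE plpgsql AS $$
DECLARE v boolean;
BEGIN
  EXECUTE p_sql INTO STRICT v;
  RETURN v;
EXCEPTION WHEN OTHERS THEN
  RETURN NULL;
END $$;

-- Constructed gates: two green, one whose backing view no longer exists, one red.
INSERT INTO demo.readiness_guard_registry (gate_name, guard_sql) VALUES
  ('gateway_all_ok',       'SELECT true'),
  ('stage0_freeze',        'SELECT true'),
  ('callgraph_classified', 'SELECT pass FROM demo.v_guard_that_was_dropped'),  -- errors -> NULL
  ('scale_safe',           'SELECT false');

CREATE VIEW demo.v_gate_eval AS
  SELECT gate_name, required, demo.eval_guard_bool(guard_sql) AS satisfied
  FROM demo.readiness_guard_registry;

-- The pitfall: aggregates skip NULL inputs, so bool_and(TRUE, NULL) = TRUE and a
-- gate whose view vanished silently stops counting against readiness.
SELECT bool_and(satisfied) AS bool_and_says_ready
FROM demo.v_gate_eval
WHERE gate_name IN ('gateway_all_ok', 'stage0_freeze', 'callgraph_classified');

-- NULL-strict: ready only when the satisfied count EQUALS the required count;
-- NULL and missing gates are counted, never ignored.
CREATE VIEW demo.v_apply_readiness_guard AS
  SELECT
    count(*) FILTER (WHERE required)                        AS required_count,
    count(*) FILTER (WHERE required AND satisfied IS TRUE)  AS required_satisfied,
    count(*) FILTER (WHERE required AND satisfied IS NULL)  AS required_null_or_missing,
    count(*) FILTER (WHERE required AND satisfied IS TRUE)
      = count(*) FILTER (WHERE required)                    AS overall_ready
  FROM demo.v_gate_eval;

SELECT * FROM demo.v_apply_readiness_guard;

-- Same discipline for capabilities (B5): LEFT JOIN the typed evidence table so a
-- capability with no evidence row still appears, as NOT satisfied.
CREATE TABLE demo.capability (capability text PRIMARY KEY, typed_proof boolean NOT NULL);
CREATE TABLE demo.capability_operational_evidence (
  capability text NOT NULL REFERENCES demo.capability,
  verified   boolean NOT NULL,
  evidence   text NOT NULL
);
INSERT INTO demo.capability VALUES ('keyset', true), ('resume', true), ('perf', false);
-- evidence table deliberately left EMPTY, as in 2.6A

CREATE VIEW demo.v_capability_behavior_contract AS
  SELECT c.capability,
         c.typed_proof,
         coalesce(bool_or(e.verified), false)                   AS operational_evidence,
         c.typed_proof AND coalesce(bool_or(e.verified), false) AS satisfied
  FROM demo.capability c
  LEFT JOIN demo.capability_operational_evidence e USING (capability)
  GROUP BY c.capability, c.typed_proof;

-- Falsifiable false-green guard: with zero verified evidence rows, no capability
-- may be satisfied. It would fail if the contract view ever went green on nothing.
SELECT
  (SELECT count(*) FROM demo.capability_operational_evidence WHERE verified) AS verified_rows,
  (SELECT count(*) FROM demo.v_capability_behavior_contract WHERE satisfied)  AS satisfied_caps,
  NOT ((SELECT count(*) FROM demo.capability_operational_evidence WHERE verified) = 0
       AND (SELECT count(*) FROM demo.v_capability_behavior_contract WHERE satisfied) > 0) AS pass;

ROLLBACK;
```

With these rows the bool_and query reports true for a gate set that contains an erroring gate, while the NULL-strict view reports required_count 4, required_satisfied 2, required_null_or_missing 1 and overall_ready false. The capability contract lists all three capabilities as not satisfied because the evidence table is empty, and the false-green guard passes only because nothing went green.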

Writer/builder repoint (authoritative in the REAL apply path)

fn_dot_birth_qt001_apply EXECUTE path now consumes (additive/stricter, all fail-closed today): legacy-dep guard (kept) + v_qt001_callgraph_unclassified_fail_guard + v_qt001_apply_readiness_guard_v9 + content-hash binding match (v_qt001_plan_content_hash == qt001_plan_content_binding for CURRENT) + tier apply_allowed + fn_qt001_signoff_satisfies_v6 + gateway + Stage0 + permit. Verified: writer uses_v9/uses_signoff_v6/uses_content_hash/uses_unclassified = all true. Builder fn_qt001_build_plan_registry also populates content binding (forward coherence). Dry-run path unchanged.
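Worked example of the signoff identity and content-binding checks the writer repoint consumes (B3 and B4 above): a strict reviewer_type CHECK, a FK from the binding row to the review, a content hash derived only from the snapshot, and a satisfies-style function that requires the bound hash to equal the current content hash. This is added illustration, not the project's fn_qt001_signoff_satisfies_v6 or its tables; the `demo` schema, column set, plan body and reviewer values are constructed, and the script rolls back.

```sql
BEGIN;
CREATE SCHEMA demo;

CREATE TABLE demo.plan_snapshot (
  plan_id    int PRIMARY KEY,
  is_current boolean NOT NULL DEFAULT false,
  body       text NOT NULL
);

-- Signoff identity: only schema-valid reviewer types. OWNER / OTHER cannot be
-- inserted at all, so no function has to special-case them later.
CREATE TABLE demo.independent_review_signoff (
  review_id     int PRIMARY KEY,
  reviewer_type text NOT NULL,
  reviewer_id   text NOT NULL,
  author_id     text NOT NULL,
  evidence_hash text NOT NULL,
  CONSTRAINT irs_reviewer_strict CHECK (reviewer_type IN ('CODEX', 'T2_HUMAN'))
);

-- Content hash derived ONLY from the snapshot (no signoff input), so signing
-- cannot move the hash that the signoff is bound to.
CREATE VIEW demo.v_plan_content_hash AS
  SELECT plan_id, md5(body) AS content_hash FROM demo.plan_snapshot;

-- Binding: a signoff is attached to a plan AND to the exact content hash reviewed.
CREATE TABLE demo.signoff_plan_binding (
  plan_id      int PRIMARY KEY REFERENCES demo.plan_snapshot,
  review_id    int NOT NULL REFERENCES demo.independent_review_signoff,  -- the FK B4 adds
  content_hash text NOT NULL
);

-- Writer-side check: valid, correctly bound, not self-signed signoff for a CURRENT plan.
CREATE FUNCTION demo.signoff_satisfies(p_plan_id int) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT EXISTS (
    SELECT 1
    FROM demo.signoff_plan_binding b
    JOIN demo.independent_review_signoff s ON s.review_id = b.review_id
    JOIN demo.v_plan_content_hash h        ON h.plan_id = b.plan_id
    JOIN demo.plan_snapshot p              ON p.plan_id = b.plan_id
    WHERE b.plan_id = p_plan_id
      AND p.is_current
      AND b.content_hash = h.content_hash   -- fixed point: hash of content, not of control state
      AND s.reviewer_id <> s.author_id      -- not self-signed
  )
$$;

-- Constructed happy path.
INSERT INTO demo.plan_snapshot VALUES (1, true, 'SELECT * FROM big_table');
INSERT INTO demo.independent_review_signoff VALUES (10, 'CODEX', 'codex', 't1-author', md5('evidence'));
INSERT INTO demo.signoff_plan_binding
  SELECT 1, 10, content_hash FROM demo.v_plan_content_hash WHERE plan_id = 1;
SELECT demo.signoff_satisfies(1) AS satisfied_after_binding;

-- Negative test 1: a reviewer_type outside the schema-valid set is rejected by the CHECK.
SAVEPOINT neg1;
INSERT INTO demo.independent_review_signoff VALUES (11, 'OWNER', 'x', 'x', 'h');
ROLLBACK TO SAVEPOINT neg1;

-- Negative test 2: editing the plan after signoff changes the content hash, so the
-- bound signoff no longer satisfies. The signoff cannot follow the plan.
UPDATE demo.plan_snapshot SET body = body || ' WHERE id > 0' WHERE plan_id = 1;
SELECT demo.signoff_satisfies(1) AS satisfied_after_edit;

ROLLBACK;
```

The first SELECT returns true, the OWNER insert fails on irs_reviewer_strict (the savepoint keeps the session usable), and the second SELECT returns false once the body changed. Binding to the content hash rather than to a control-state hash is what breaks the fingerprint/signoff loop: the only way to make the check pass again is a fresh review of the new content.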

Live verification (COMMITTED, MCP/ssh read-back)

self_audit_pass=true; scorecard=PG_NATIVE_DRIVEN_PARTIAL_BLOCKED; readiness v9 overall_ready=false (ssot 4/10, apply 0/4, required_null_or_missing=0, failing=10); hardcode_v7.pass=true; no_tautology_v4.pass=true; no_bypass_v4.all_blocked=false; capability false_green.pass=true (falsifiable); scale_not_safe=true (0/3); directus blocks_readiness.pass=false (owner_ddl=262); signoff identity pass=true (fk=1, strict no OTHER/OWNER); fixed_point 5/5; clone detected=true, normalized_identical=true; OLD legacy_dep_guard.pass=true (regression OK). New: 3 functions + 3 tables + content_binding (1 row) + ~38 views; constraints: FK + strict CHECK.

Safety (production no-worse)

qt001_origin_births=0, open_permits=0, done_ledgers=0, signoff_bindings=0, tiers_apply_allowed=0, tga=129 (UNCHANGED — ADD CONSTRAINT/FK confirmed tga-neutral), gateway all_ok=true, Stage0 freeze intact. NO apply / NO permit / NO birth write / NO trigger change / NO gateway body change / NO old DOT unfreeze / NO 2.6B. Deprecated v5/v6/v8 stack now red (current_plan_fingerprint_v5/no_v5_plan_hash/hardcode_v6 = false) — EXPECTED & benign: the 3 new qt001_ tables raise the directus-DML inventory count (17→20) which the DEPRECATED fn_qt001_plan_fingerprint_v5 folds into its composite, staling the old v5-composite invariant. The apply path no longer uses fingerprint_v5 (uses content_hash); nothing authoritative reads the deprecated stack. readiness_v8 stays BLOCKED (more red). No-worse holds.

🔴 GOTCHAs (for next layer / re-audit)

  • pg_depend has NO function-body call edges (func_to_func=0). A native callgraph is authoritative for VIEWS only; for FUNCTIONS the honest result is unclassified→FAIL. This is WHY apply stays structurally blocked; the real fix (drop legacy fns / convert planner to views so edges become catalog-visible) is 2.6B.
  • Non-greedy regex .*?; over SQL files BREAKS on semicolons inside string literals (disposition text) — caused an orphaned-fragment bug during patching; fixed by anchored regex + removing internal ; from dispositions. When patching SQL files prefer python literal .replace() on stable anchors.
  • ::regprocedure needs the arg signature; use ::regproc for bare non-overloaded names.
  • CREATE OR REPLACE VIEW cannot change column name/type/order (only append) — refinements kept the same output columns.
  • The 3 new qt001_ tables inflate any guard that counts qt001% relations (directus-DML inventory) → cascades into the deprecated fingerprint_v5 composite. Intended/benign; documented.
  • DDL via ssh contabo → docker exec -i postgres psql -U directus -d directus; host SQL files cat|piped to stdin (container can't see host paths); heavy recursive views need statement_timeout=180000 (MCP query_pg RO 5s/500 cancels them); rehearsed BEGIN..ROLLBACK twice + independent adversarial read-only audit before COMMIT.

NEXT

BIRTH_STAGE2_6A_FIX6_CODEX_REAUDIT → fresh independent external Codex re-audit of FIX6 BEFORE any permit/apply/2.6B. The structurally-blocking 2.6B work (load-bearing): (1) dedicated locked owner role + REVOKE app-role DML/DDL on the control plane (directus ownership is the single highest-leverage future false-green vector); (2) retire/convert legacy functions (drop plan_v2 etc. or planner-as-views) so the native callgraph becomes provable; (3) genuinely re-author plan_v5 off the v2 full-scan algorithm; (4) real keyset/resume/perf with verified operational evidence. Do NOT proceed to 2.6B until external Codex PASS.
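Worked example for the B8 blocker and for item (1) of the 2.6B work above: a catalog survey of who owns the control-plane objects (the guard that feeds readiness), then the owner-role separation and REVOKE rehearsed inside BEGIN..ROLLBACK, with the statement_timeout raise from the GOTCHAs. This is added illustration, not the project's v_qt001_directus_control_plane_mutation_risk or its 2.6B scripts; the role names demo_app_role / demo_cp_owner, the `demo` schema and its two objects are constructed stand-ins for the directus role and the 262 qt001 objects.

```sql
-- Heavy catalog/recursive queries outrun a 5 s tool timeout; 180000 ms is what the
-- GOTCHAs above use for the recursive views.
SET statement_timeout = 180000;
BEGIN;

-- Constructed miniature control plane, owned by the app role (the B8 situation).
CREATE ROLE demo_app_role NOLOGIN;
CREATE ROLE demo_cp_owner NOLOGIN;
CREATE SCHEMA demo AUTHORIZATION demo_app_role;
CREATE TABLE demo.qt001_plan_snapshot (plan_id int PRIMARY KEY);
CREATE VIEW  demo.v_qt001_guard AS SELECT count(*) = 0 AS pass FROM demo.qt001_plan_snapshot;
ALTER TABLE demo.qt001_plan_snapshot OWNER TO demo_app_role;
ALTER VIEW  demo.v_qt001_guard       OWNER TO demo_app_role;

-- Survey: every relation and function in the control plane with its owner.
-- Any guard hosted in an object the app role owns can be rewritten by that role.
CREATE VIEW demo.v_control_plane_mutation_risk AS
  SELECT 'relation' AS kind, c.oid::regclass::text AS object_name, pg_get_userbyid(c.relowner) AS owner
  FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'demo' AND c.relkind IN ('r', 'v', 'm')
  UNION ALL
  SELECT 'function', p.oid::regprocedure::text, pg_get_userbyid(p.proowner)
  FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace
  WHERE n.nspname = 'demo';

-- Guard feeding readiness: pass only when the app role owns nothing in the control plane.
CREATE VIEW demo.v_app_role_mutation_blocks_readiness_guard AS
  SELECT count(*) FILTER (WHERE owner = 'demo_app_role')     AS owner_ddl,
         count(*) FILTER (WHERE owner = 'demo_app_role') = 0 AS pass
  FROM demo.v_control_plane_mutation_risk;

SELECT * FROM demo.v_app_role_mutation_blocks_readiness_guard;
-- A superuser app role would make ownership moot; check that too.
SELECT rolsuper AS app_role_is_superuser FROM pg_roles WHERE rolname = 'demo_app_role';

-- 2.6B-style remedy, rehearsed: move ownership to a dedicated locked role and strip
-- the app role's DDL/DML on the control plane, leaving it read-only.
ALTER SCHEMA demo                    OWNER TO demo_cp_owner;
ALTER TABLE  demo.qt001_plan_snapshot OWNER TO demo_cp_owner;
ALTER VIEW   demo.v_qt001_guard       OWNER TO demo_cp_owner;
REVOKE CREATE ON SCHEMA demo FROM demo_app_role;
REVOKE INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA demo FROM demo_app_role;
GRANT  USAGE  ON SCHEMA demo TO demo_app_role;
GRANT  SELECT ON ALL TABLES IN SCHEMA demo TO demo_app_role;

SELECT * FROM demo.v_app_role_mutation_blocks_readiness_guard;

-- Read back what the app role can still do before anyone COMMITs this for real.
SELECT has_table_privilege('demo_app_role', 'demo.qt001_plan_snapshot', 'UPDATE') AS app_can_update,
       has_schema_privilege('demo_app_role', 'demo', 'CREATE')                     AS app_can_create;

ROLLBACK;   -- rehearsal only; COMMIT belongs after an independent read-only audit
```

Before the remedy the guard reports owner_ddl 2 and pass false; after it, owner_ddl 0 and pass true, with app_can_update and app_can_create both false. On the real control plane the survey would be run for the qt001 prefix and the directus role, and the two ALTER OWNER lines become a loop over all 262 objects; the read-back of has_table_privilege/has_schema_privilege is the check that proves the REVOKE landed rather than trusting the DDL ran.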

Report dir: knowledge/dev/reports/architecture/birth-stage2-6a-fix6-qt001-signoff-fixed-point-behavioral-proof-self-audit-2026-06-07/00..09. SQL + rollback: /opt/incomex/docs/mcp-writes/birth-stage2-6a-fix6-2026-06-07/sql/ (fix6_build.sql, fix6_repoint.sql, fix6_fix_nobypass.sql, fix6_fix_falsegreen.sql, fix6_selfaudit.sql, ROLLBACK_fix6_to_fix5.sql).
