KB-1DE8

Checkpoint — Birth Stage 2.6A QT-001 Plan/Tier Registry SSOT + Hardcode Elimination

Revision 1 · Tags: checkpoint, birth-gateway, qt-001, stage2.6A, hardcode-elimination, 2026-06-06

Checkpoint — Birth Stage 2.6A: QT-001 Plan/Tier/Signoff Registry SSOT + Hardcode Elimination

Date: 2026-06-06 · Status: PASS · Mode: EXECUTION (principal-delegate) · Live mutation: YES — additive + reversible + birth-neutral. No QT-001 apply. No permits. No trigger/gateway-body/writer-execute change. MCP read-back PASS.

Outcome

From QT001_APPLY_RUNTIME_EXISTS_BUT_NOT_SAFE_SCALE_NOT_SAFE (Codex NOT_SAFE_NEEDS_FIX + SCALE_NOT_SAFE) to QT001_PLAN_TIER_REVIEW_SSOT_LIVE + DANGEROUS_HARDCODE_CLASSIFIED_OR_REMOVED + WRITER_REMAINS_BLOCKED_UNTIL_NEXT_LAYERS. This is Stage 2.6A only — the deepest first layer (plan/tier/signoff SSOT + hardcode elimination) of the Codex-required BIRTH_STAGE2_6 class. Apply stays blocked.

What was applied (live, reversible, birth-neutral) — one tx, apply order 01,02,04,03,07,06,05

  • Tables: qt001_hardcode_inventory (11 findings); qt001_plan_registry (plan as first-class object: plan_id/version/source_metadata_hash/checksum/tier/parity/validation/blocked_reason/status); qt001_tier_registry (4 tiers, all apply_allowed=false); qt001_independent_review_signoff + qt001_review_validated_collection (Codex NOT_SAFE as data; the validated-collection DATA replaces the code IN-list).
  • Function: fn_qt001_build_plan_registry(text) — metadata-driven (refresh snapshot over collection_registry → hash → version → supersede prior → insert). Generated PLAN-20260606-093413 v1 hash f8d2272f, 13 rows.
  • Views (18): hardcode (inventory/risk_classification/no_go_guard); plan (current/diff_vs_hardcoded/no_go_guard); tier (current/gate_status/no_go_guard); signoff (status/no_go_guard); readiness v3 (guard_v3/dashboard_v3/readiness_v3_no_go_guard); writer (registry_enforcement_contract/must_remain_blocked_guard); scale (risk_annotation/scale_not_safe_guard).
  • Committed via ssh contabo → docker exec -i postgres psql -U directus -d directus -1 -v ON_ERROR_STOP=1. Rehearsed first as BEGIN..ROLLBACK (birth before==after 1,210,928, no error). Rollback staged 99_rollback.sql.

Hardcode elimination (SUPERTRACK A) — reproduced live then classified

11 findings, nothing unclassified. SUPERSEDED_BY_REGISTRY: HC-01 (tier1 5-collection IN-list in fn_qt001_refresh_plan_snapshot), HC-02 (literal independent_reaudit_signed_off=false in readiness_v2), HC-03 (39-collection UNION dryrun), HC-06 (permit template literal tiers), HC-10 (false-pass snapshot freshness count>0). OPEN_NEXT_LAYER (routed): HC-04 (double-colon vs single-colon resolver), HC-05 (conservation-invalid parity formula — demoted to signal-only in v3), HC-07 (inferred trigger metadata not reconciled), HC-11 (conserved-history vs identity-mismatch invariant gap). TEMPORARY_SENTINEL_OK: HC-08 (137/5/8/42/129/md5 drift pins). METADATA_DRIVEN_OK: HC-09 (planner discovery from collection_registry). v_qt001_hardcode_no_go_guard.pass=true.

Headline — tiering is now data-driven and reproduces hardcode exactly

tier_code derived from parity (divergence) + validated-collection registry (recorded Codex review), NOT a code IN-list. Reproduces prior classification exactly: TIER1 5/137 (apr_action_types, apr_approvals, dot_domain_rules, field_type_equivalences, normative_relations) · TIER2 2/137 (law_catalog, measurement_registry) · TIER3 6/505 (approval_requests, governance_relations, law_dot_enforcement, law_jurisdiction, table_registry, workflows).

Readiness v3 cannot false-green

v_qt001_apply_readiness_dashboard_v3: SSOT gates 4/4 green (plan_current, hardcode_eliminated, tier_present, signoff_present); APPLY gates green 1/6 (only existing ledger_contract); overall_ready=false; apply_gate=BLOCKED_STAGE2.6A_SSOT_ONLY_PENDING_NEXT_LAYERS_AND_REAUDIT; blocking gates: independent_signoff_safe, owner_execute_permit_valid, scale_safe, tier_permits_apply, writer_enforcement_wired. Every apply gate is registry-derived; no literal can flip it.

Writer remains blocked (SUPERTRACK F)

Writer NOT modified. v_qt001_writer_registry_enforcement_contract defines 5 preconditions (plan_bound_and_current / tier_apply_allowed / independent_signoff_safe / owner_execute_permit_bound / scale_safe) all with enforced_in_writer=false (next-layer wiring). v_qt001_writer_must_remain_blocked_guard.pass=true (0 open permits, no apply-allowed tier, signoff not safe, 0 apply-origin births, p_execute default false).
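An added model of the metadata-driven plan-registry build from "What was applied" (refresh snapshot → hash → version → supersede prior → insert) and of the plan_bound_and_current writer precondition defined just above. It is example code, not the project's fn_qt001_build_plan_registry or its views; it assumes a sha256 short digest, version = prior version + 1 and a SUPERSEDED status, and the collection_registry rows are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed stand-in for collection_registry: collection_name -> metadata.
COLLECTION_REGISTRY = {
    "apr_action_types": {"divergent": True, "row_count": 12},
    "law_catalog": {"divergent": True, "row_count": 40},
    "workflows": {"divergent": False, "row_count": 7},
}


def refresh_snapshot(registry):
    """Snapshot = sorted collections with canonical JSON metadata (deterministic hash input)."""
    return [(name, json.dumps(meta, sort_keys=True)) for name, meta in sorted(registry.items())]


def source_metadata_hash(snapshot):
    """Assumed checksum: sha256 over the snapshot rows, truncated to 8 hex chars."""
    h = hashlib.sha256()
    for name, meta_json in snapshot:
        h.update(f"{name}|{meta_json}\n".encode())
    return h.hexdigest()[:8]


@dataclass
class PlanRegistry:
    plans: list = field(default_factory=list)

    def current(self):
        return next((p for p in self.plans if p["status"] == "CURRENT"), None)

    def build(self, registry, plan_id):
        """Build a plan from live metadata; the prior CURRENT plan is superseded, never edited."""
        snapshot = refresh_snapshot(registry)
        digest = source_metadata_hash(snapshot)
        prior = self.current()
        version = 1 if prior is None else prior["version"] + 1
        if prior is not None:
            prior["status"] = "SUPERSEDED"
        plan = {"plan_id": plan_id, "version": version, "source_metadata_hash": digest,
                "rows": len(snapshot), "status": "CURRENT"}
        self.plans.append(plan)
        return plan

    def plan_bound_and_current(self, plan_id, registry):
        """Writer precondition: plan exists, is CURRENT, and its hash still matches live metadata."""
        plan = next((p for p in self.plans if p["plan_id"] == plan_id), None)
        if plan is None or plan["status"] != "CURRENT":
            return False
        return plan["source_metadata_hash"] == source_metadata_hash(refresh_snapshot(registry))
```

The precondition fails both when the bound plan was superseded and when live metadata drifted after the plan was built, so a stale plan can never satisfy the writer.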

Scale (SUPERTRACK G)

v_qt001_scale_risk_annotation per collection (band + full_rescan_risk=true + keyset_resume_present=false + missing_index_risk=false: birth_registry has unique(entity_code)+index(collection_name), so the break is row-by-row probing + no keyset/watermark, not a missing index). v_qt001_scale_not_safe_guard.scale_not_safe=true (Codex 08: 5.079s/223,952 rows; 4.942s/74 collections).

Safety audit (SUPERTRACK I) — all anchors hold

birth_registry 1,210,937 = baseline 1,210,928 +9 authorized KB report births only (DDL/DML birth-neutral) · qt001-apply-origin births 0 · Tier1 target births 8 (unchanged) · open execute permits 0 · done ledgers 0 · tga 129 (no CREATE TRIGGER / no ALTER TABLE) · apr 42 · gateway norm-md5 c022f849 (unchanged) · Stage 0 freeze PASS 2/2. No REALRUN/event/UI/permission/owner mutation. No "mark safe" literal.

Key facts (carry forward)

  • DDL via ssh contabo → docker exec -i postgres psql -U directus -d directus (host file cat | docker exec -i). query_pg MCP is RO 5s/LIMIT500 — the plan builder (~5s snapshot refresh) needs the ssh channel.
  • No ALTER TABLE (would bump tga via evt_trigger_guard_ddl): all constraints/PK/FK inline in CREATE TABLE; no CREATE TRIGGER. CREATE TABLE/FN/VIEW are safe.
  • Apply order matters: 04 (plan registry table) before 03 (tier_gate_status view references it); 07/06 before 05 (readiness references scale + writer contract). Committed order 01,02,04,03,07,06,05.
  • The plan builder derives tier from DATA; old hardcoded objects (snapshot fn, dryrun_result, readiness_v2, permit_template) are retained but are no longer the authority path.
  • birth_registry origin column is dot_origin; timestamp born_at. KB uploads each birth 1 knowledge_documents row (provenance).
  • KB WAF blocks fenced code blocks — reports are prose + tables only.

Artifacts

Report dir: knowledge/dev/reports/architecture/birth-stage2-6a-qt001-plan-tier-registry-ssot-hardcode-elimination-2026-06-06/00..11. Packet: knowledge/dev/architecture/BIRTH_STAGE2_6A_QT001_SSOT_PACKET.md. Index: BIRTH_GATEWAY_DESIGN_INDEX.md rev 12. SQL on VPS: /opt/incomex/docs/mcp-writes/birth-stage2-6a-2026-06-06/.

Next macro

BIRTH_STAGE2_6B_QT001_PERMIT_RUN_KEYSET_RESUME (router-selected): permit/run lifecycle binding plan checksum + watermark + exact delta; keyset/range resume + set-based plan; wire writer to registries (stricter, rollback-safe); parity-invariant separation (HC-05/HC-11); legacy resolver fix (HC-04) + TG_ARGV scanner (HC-07); duplicate-trigger reconciliation; paired executor/scanner DOTs + revoke PUBLIC EXECUTE; representative-volume perf gates. Then a fresh independent Codex re-audit BEFORE any apply. Blocker: independent re-audit + next layers + owner permit; zero engineering blocker.

Source path: knowledge/dev/reports/architecture/checkpoint-birth-stage2-6a-qt001-plan-tier-registry-ssot-hardcode-elimination-2026-06-06.md