KB-1F60

Stage 2 QT-001 — One-Page Waiting Note (Codex review landed: NOT_SAFE_NEEDS_FIX)

Revision 1
Tags: birth-gateway, stage2, qt-001, waiting-note, read-only, NOT_SAFE_NEEDS_FIX, 2026-06-06

Date: 2026-06-06 · Mode: READ-ONLY + DOCS-ONLY watch · Live mutation: NONE (KB docs only).

1. Current state (live, verified read-only)

  • Birth gateway frozen & intact: dangerous DOTs frozen 2/2 (v_birth_stage0_freeze_no_go_guard PASS); gateway fn_birth_registry_auto norm-md5 c022f849 unchanged; no-old-function guard PASS; SSOT drift detector both fns OK; release drift guard 5/5 OK.
  • No-worse holds: Stage 1 no-worse proof 5/5, Stage 2 no-worse guard 6/6 (REQUIRED 74 / DEFERRED 58 / EXEMPT 36; QT-002 compat; gateway unchanged; 0 open permits).
  • QT-001 apply fail-closed: open_permits=0; backfill ledger status=planned, dry_run=true, applied_rows=0, planned_rows=137; apply no-go guard 4/4 apply_blocked_now=true; qt001_gate = BLOCKED_UNTIL_43_IDENTITIES_RESOLVED_AND_PERMIT_OPENED.
  • H11a contained 3/3; birth spike state OK (last_1h ≈ 38, last_6h ≈ 107 — normal provenance trickle, no explosion); birth_registry net-neutral (~1.21M, only KB-upload provenance births).
  • trigger_guard_alerts = 129 (unchanged) · apr_approvals = 42 (unchanged).
  • OOM safe: postgres up 7 weeks healthy; no signal-9 / restart in logs; all 11 containers healthy.

2. What Codex reviewed — review is COMPLETE

Codex performed the independent (§7 T2) read-only audit of QT-001 apply readiness. Package: knowledge/dev/reports/architecture/codex-stage2-qt001-backfill-apply-readiness-review-2026-06-06/ (00..09).

Verdict: NOT_SAFE_NEEDS_FIX — "do not open permits and do not apply any target."

  • Confirmed valid: 5 targets + exact delta 137; zero current cross-collection collision; metadata repairs align 39/39; fn_birth_register current-target compatible.
  • Blockers: apply procedure absent / source is non-executable pseudocode that would false-complete the ledger with 0 rows; readiness false-passes while procedure+DOTs absent; permit lacks expiry/max_rows; ledger can't prove one scoped resumable apply; cross-collection collision silently skips; no committed-batch compensation/resume; fn_birth_register not generally fail-closed; one stale gate text.
  • Required next macro: BIRTH_STAGE2_QT001_APPLY_DOT_HARDEN_AND_INDEPENDENT_REAUDIT → then a fresh independent review before any apply.

3. What T1 must NOT do (until a fresh independent review passes)

No backfill apply · no permit open · no metadata repair · no function change · no trigger change · no DOT unfreeze · no gateway change · no source-data write · no owner/vote/RP/REALRUN/event/UI deploy. The §12 "ACTION_READY" disposition is superseded by the Codex verdict — it is not an apply authorization.

4. What next actions depend on the Codex decision

The Codex decision is NOT_SAFE → the only forward path is the hardening macro (...APPLY_DOT_HARDEN_AND_INDEPENDENT_REAUDIT): build a real bounded writer + constraints, metadata-driven planning, runtime hash introspection, collision fail-close, stale-gate repair, permit expiry/max_rows + resumable-ledger enforcement, failure/resume rehearsal — then request a fresh independent re-audit. Only if that re-audit passes do owner-permit + T2-confirmed apply become eligible. Apply remains blocked until then; live state already enforces this fail-closed.
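
The permit and ledger checks named in the hardening list above (permit expiry/max_rows, collision fail-close, no false-complete on 0 rows, resumable ledger), sketched as an added example; this is not the project's code or the contents of the Codex package. The Permit shape, the "partial" status value, the scope strings and the apply_batch name are assumptions, and only the ledger field names come from section 1.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

class ApplyBlocked(Exception):
    """Raised whenever the gate cannot prove the apply is authorized and bounded."""

@dataclass(frozen=True)
class Permit:                      # hypothetical shape; the note names only expiry and max_rows
    scope: str
    expires_at: Optional[datetime]
    max_rows: Optional[int]

@dataclass
class Ledger:                      # field names follow the ledger values quoted in section 1
    scope: str
    planned_rows: int
    applied_rows: int = 0
    status: str = "planned"
    dry_run: bool = True

def apply_batch(ledger, permit, batch_ids, existing_ids, now):
    """Apply one batch or raise ApplyBlocked; the ledger is untouched on any refusal."""
    if permit is None:
        raise ApplyBlocked("no open permit")
    if permit.expires_at is None or permit.max_rows is None:
        raise ApplyBlocked("permit lacks expiry or max_rows")
    if now >= permit.expires_at:
        raise ApplyBlocked("permit expired")
    if permit.scope != ledger.scope:
        raise ApplyBlocked("permit scope does not match ledger scope")
    if not batch_ids:
        raise ApplyBlocked("writer produced 0 rows; ledger must not complete")
    if ledger.applied_rows + len(batch_ids) > min(permit.max_rows, ledger.planned_rows):
        raise ApplyBlocked("batch exceeds permit max_rows or planned_rows")
    collisions = sorted(set(batch_ids) & set(existing_ids))
    if collisions:
        raise ApplyBlocked(f"collision on {collisions}; refusing to skip silently")
    # The real bounded writer would run here; this sketch only advances the ledger.
    ledger.applied_rows += len(batch_ids)
    ledger.dry_run = False
    done = ledger.applied_rows == ledger.planned_rows
    ledger.status = "applied" if done else "partial"   # "partial" can be resumed later
    return ledger.status
```

Every refusal path raises before the ledger is modified, so a blocked call leaves status=planned, dry_run=true, applied_rows=0 exactly as the live state reports today.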

knowledge/dev/reports/architecture/stage2-wait-for-codex-readonly-watch-docs-sync-2026-06-06/00-waiting-note.md