07 - Updated Fail-Closed Guards (recheck-6)
Load-bearing copy: doc 06 (guard table + guard-quality rules). Guards 54 → 58; guard-quality rule 11 added. All four are PG-native TEST/VERIFICATION guards (not readiness gates); 27/11/14/7 unchanged.
The four new guards
| guard | fails when |
|---|---|
| G-CANONICAL-FIELD-REJECT | any field value violates the REJECT-not-escape policy — fails its whitelist grammar, or contains TAB/LF/CR/NUL/backslash or a reserved structural token, or is null/empty → CANONICAL_FIELD_RESERVED_TOKEN_REJECTED / _VALUE_GRAMMAR_REJECTED / _NULL_REJECTED / _EMPTY_REJECTED |
| G-ACTIVE-SCOPE-EXTRACTOR | active scope/fence/section are not produced solely by the deterministic extractor, or any ambiguity arises → ACTIVE_SCOPE_MARKER_MISSING/_DUPLICATE, FENCE_UNBALANCED/_NESTED_UNSUPPORTED, ACTIVE_SUPERSEDED_OVERLAP, SECTION_ID/_RANGE_MISMATCH, EXCLUDE_REGION_UNBALANCED, MARKER_REGISTRY_MISMATCH |
| G-RECORD-ENCODING-CLOSED | a load-bearing digest uses a record outside its closed schema, or an envelope key is outside the closed key-classification schema, or a class is wrong / a key is unknown/extra/missing |
| G-SEAL-HASH-GRAPH-ACYCLIC | the seal hash node/edge list is not a DAG; a load-bearing hash transitively depends on itself; the manifest binds a checkpoint revision/content hash or N8; the seal binds itself or its checkpoint content; N9 is consumed by something → SEAL_HASH_GRAPH_CYCLE |
Rebinding of existing guards
G-CANONICAL-ENCODING-CONTRACT, G-ENVELOPE-MANIFEST-AUTHORITY-COMPLETE, G-CODEX-DETACHED-SEAL-ANCHOR,
G-ACTIVE-AUTHORITY-HASH-MATCH / -REVISION-MATCH / -CHANGE-FAIL-CLOSED, G-NO-SUPERSEDED-CONSUMPTION,
G-LEGACY-NO-DISPOSITION-AUTHORITY now depend on the REJECT field policy + the deterministic extractor +
the closed record & key-classification schemas + the acyclic seal hash graph (not loose YAML/prose).
G-CODEX-DETACHED-SEAL-ANCHOR is rebound to the out-of-band revision + read-back anchor (no checkpoint
self-hash).
Guard-quality rule 11 (the generalization of this pass)
A load-bearing digest is NOT valid merely because "it has a SHA-256." It must additionally have: (a) a reserved-token REJECTION (not escape) contract; (b) one deterministic extractor for active scope/fence/section with a fail-closed status for every ambiguity; (c) a closed per-record + envelope-key schema; and (d) an acyclic hash dependency graph — no load-bearing hash may include a value that transitively depends on itself, an "immutable anchor" must never require any artifact to hash itself, and the checkpoint is anchored out-of-band by platform revision + read-back. A prose-only digest, a best-effort extractor, a record needing human interpretation, or a mutual/self hash dependency is a disguised mutable-authority path. The reviewer should only have to confirm the result, not discover byte-level ambiguity or a cycle.
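Clauses (a) and (d) of rule 11 can be checked mechanically; the sketch below is an added example, not code from this document set. The status names come from the guard table, while the whitelist grammar, the reserved-token list, the check order and the graph node names are assumptions made for illustration.

```python
import re

# Assumptions (not from the page): the whitelist grammar and the reserved tokens.
FIELD_GRAMMAR = re.compile(r"[A-Za-z0-9._:-]{1,128}")
RESERVED_TOKENS = ("|", "::", "=>")
# From the guard table: TAB, LF, CR, NUL and backslash are always rejected.
FORBIDDEN_CHARS = ("\t", "\n", "\r", "\x00", "\\")

def check_field(value):
    """Return None if the value is accepted, else a fail-closed status.
    The value is never escaped or rewritten; check order is an assumption."""
    if value is None:
        return "CANONICAL_FIELD_NULL_REJECTED"
    if value == "":
        return "CANONICAL_FIELD_EMPTY_REJECTED"
    if not isinstance(value, str):
        return "CANONICAL_FIELD_VALUE_GRAMMAR_REJECTED"
    if any(tok in value for tok in FORBIDDEN_CHARS + RESERVED_TOKENS):
        return "CANONICAL_FIELD_RESERVED_TOKEN_REJECTED"
    if not FIELD_GRAMMAR.fullmatch(value):
        return "CANONICAL_FIELD_VALUE_GRAMMAR_REJECTED"
    return None

def check_hash_graph(edges):
    """edges maps a hash node to the nodes whose values it includes.
    Return None for a DAG, else SEAL_HASH_GRAPH_CYCLE (self-edges included)."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {}

    def on_cycle(node):
        color[node] = GREY                      # node is on the current path
        for dep in edges.get(node, ()):
            state = color.get(dep, WHITE)
            if state == GREY or (state == WHITE and on_cycle(dep)):
                return True
        color[node] = BLACK                     # fully explored, no cycle below
        return False

    for node in edges:
        if color.get(node, WHITE) == WHITE and on_cycle(node):
            return "SEAL_HASH_GRAPH_CYCLE"
    return None

# Constructed sample graphs; node names are hypothetical.
ACYCLIC = {"seal": ["manifest"], "manifest": ["record_a", "record_b"]}
SELF_BOUND = {"seal": ["manifest", "seal"], "manifest": ["record_a"]}
MUTUAL = {"seal": ["manifest"], "manifest": ["checkpoint"], "checkpoint": ["seal"]}
```

Any non-None return is a STOP condition: the caller aborts rather than repairing the value or pruning the edge.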
Fail-closed status union (recheck-6)
CANONICAL_FIELD_RESERVED_TOKEN_REJECTED, CANONICAL_FIELD_VALUE_GRAMMAR_REJECTED,
CANONICAL_FIELD_NULL_REJECTED, CANONICAL_FIELD_EMPTY_REJECTED, ACTIVE_SCOPE_MARKER_MISSING,
ACTIVE_SCOPE_MARKER_DUPLICATE, FENCE_UNBALANCED, FENCE_NESTED_UNSUPPORTED, ACTIVE_SUPERSEDED_OVERLAP,
SECTION_ID_MISMATCH, SECTION_RANGE_MISMATCH, EXCLUDE_REGION_UNBALANCED, MARKER_REGISTRY_MISMATCH,
SEAL_HASH_GRAPH_CYCLE — each STOPs authoring and requires a fresh Codex recheck.