A canonical artifact whose live serving state is not continuously verified against its anchored state is a canonical artifact in name only. Phase B.7 defines the discipline that converts cryptographic anchoring from a moment in time into a continuously enforced contract: every publicly served byte under PBTG sovereignty is bound, by deterministic mechanism, to its anchored canonical state. Drift is detected, not tolerated. Sovereignty is defined by what cannot drift unobserved.
Phase B.7 governs all canonical artifacts registered under /opt/pbtg/canonical/registry/. Each registered artifact has a live serving surface, a canonical residence, a SHA-256 hash, and a Bitcoin OTS receipt. The drift detector continuously verifies that the live serving surface matches the canonical hash. Artifacts not registered are not under Phase B.7 protection.
GREEN: all invariants pass. WARN: I2 fails (transient unreachability). ERROR: I4 fails (missing OTS receipt). CRITICAL: I1, I3, or I5 fails. CRITICAL events trigger fail-closed escalation per Sovereign Law 5.
A registered artifact's canonical hash is immutable. Modification of a live artifact is treated as a new version (v1.0 → v1.1 → v1.2 ...). Each new version requires fresh atomic ratification + OTS anchor. The prior version's anchor remains valid as a historical record. There is no in-place mutation under Phase B.7.
The drift detector runs at minimum every hour. Each cycle produces a JSON drift report and a compact log line. Reports are append-only. The detector itself runs under systemd timer genesis-drift-detector.timer, fail-closed on registry corruption.
Phase B.7 enforces Determinism Supremacy (deterministic hashes), Structural Impossibility (hash collisions are computationally infeasible), Governance Before Mechanism (registry is authoritative), No Runtime Authority Drift (anchored bytes are immutable), Fail Closed Always (any invariant failure halts the cycle and escalates), and Sovereignty By Architecture (Bitcoin chain is the witness, not PBTG-controlled infrastructure).
The canonical registry is published at /.well-known/canonical-registry.json. Any third party can fetch the live surfaces, compute SHA-256, and verify against the registry without PBTG cooperation. The OTS receipts at /opt/pbtg/canonical/<artifact>/anchors/ are independently verifiable against the Bitcoin blockchain.
Tier 1 (Public Lock): self-service, free. Tier 2 (Institutional Lock): managed registry, anchored on behalf of the customer. Tier 3 (Sovereign Lock): full doctrine binding, custom registry, dedicated OTS anchor cadence, cryptographic SLA. Pricing surface forthcoming at /verification-tax.