KB-6040

F3 — IO Contract + Formula + Assembly Machine / DOT — Reuse Survey Packet

Revision 1

Date: 2026-06-16 · Prepared by: Claude Code CLI (read-only AgentData KB) · Track: knowledge/dev/laws-new/
Control basis: technical-slice-framework.md rev56 §6c (F3 = D6 + D7: D6 IO Contract / Formula / Layer Contract; D7 Assembly Machine / DOT / Wrapper), §6.2/§6.3, §6b rows 1/2/4/7, §5, §18 ca 14/15/17/18, §19.
Concept basis: de-bai-cai-tien.md rev33 §II.1, §III.6/§III.7, §IV.3, §V.5, §VI (Lego Protocol §VI.1/§VI.3/§VI.5).
Catalog basis: cau-hoi-khi-tai-cau-truc.md rev82 Nhóm G (Formula), Nhóm H (IO Contract, REUSE-015), Nhóm J + §12b (DOT / Assembly Machine + DOT Capability), Nhóm 0 (REUSE-004/012/015), Nhóm R (RISK-*).
Evidence basis: reports/f2/f2-owner-decision-record-2026-06-16.md rev1 (F2 gate CLOSED) + F2 execution report rev1 + F2 packet rev1 + F1/F0 decision records.
Layer: F3 — IO Contract + Formula + Assembly Machine / DOT (one layer above F2 in the §6c build/dependency order; sits below F4 — Stamp Lifecycle + Checker / Promote / Rollback, where canonical birth is the output at promote).


1. Status / non-authorization banner

STATUS: PREPARATION PACKET — NON-AUTHORIZING. This is a read-only program package that prepares the F3 layer. It is not an F3 execution authorization on its own (the F3 read-only execution in this Program Macro runs only if the internal safety gate in §10 passes), not a Phase-1 survey, not an implementation authorization. It performs no live DB / runtime query, mutates nothing, creates no schema/table/registry/DOT/checker/scanner, runs no formula and builds no assembly machine, and writes no canonical birth. It is structured around the same 3 reuse-first Owner questions as F0/F1/F2 and is intended for GPT → Codex → Owner review.

Boundary invariants (carried from rev56 §6c + F2 decision record):

  • F3 ≠ canonical birth. Canonical birth + BIRTH_STAMP are OUTPUT at the promote boundary → F4 (framework D10 canonical-output; de-bai §V.5/§V.10), never F3.
  • IO Contract is thin — NOT Module Contract First. The IO Contract is the 5-field boundary nhận (receive) · trả (return) · schema_min · fail · rollback (de-bai §III.6/§VI.3; framework §6b row 1, D6). It is not Module Contract First; DOT-check and evidence/stamp are the execution/verification layer that travels with it, not stuffed inside it (de-bai §III.6).
  • Formula = documentary pattern, not an engine. No formula registry, no formula engine, no per-layer formula design at v0.1 (framework D6 Forbidden; catalog FORMULA-001/003/006 ANSWERED = "NO registry/engine/0 DOT assemble"; FORMULA-REUSE-002 BLOCKER-if-propose-new).
  • Assembly Machine = documentary position, not a runtime machine. "Machine per layer not yet designed" (framework D7); DOT is only a possible machine/check/wrapper.
  • DOT / dot_tools = documentary candidate, wrapper-only. dot_tools ~309 rows is DOCUMENTARY_ONLY and reportedly lacks dot_role / cell_id columns; adding them is a read-only feasibility hypothesis, Owner-gated, out of this packet (framework D7 / §4 / REUSE-013; catalog REG-REUSE-004, DOT-Q06). No DOT registration, no DOT run, no DOT-per-layer / DOT-capability system, no full DOT registry.
  • No cell_id / dot_role materialization. CONS-003 + CELL-003/004/007 stay unresolved; cell context stays pending (de-bai §VI.2; framework §6.3, §19 schema-change STOP).
  • Documentary ≠ live proof · Prior-session ≠ current proof · Engineering PASS ≠ Authority PASS · Reuse-now ≠ live-proven.

2. Owner View — 3 reuse-first questions

Reading this section alone is enough for Owner/GPT to see what F3 intends to survey for reuse, with nothing yet done that touches the system. Technical details are in §4–§12. This section authorizes nothing.

Q1 — What already exists and (hypothetically) can be reused right away? (reuse-now — documentary candidates)

All items below are documentary candidates (framework rev56 §4 / D6 / D7 = DOCUMENTARY_ONLY / GAP), not yet live-proven. F3 execution must pin evidence for each row; if the evidence is weak, the item drops to Q2.

  • IO Contract 5-field boundary: nhận (receive) · trả (return) · schema_min · fail · rollback (de-bai §III.6/§VI.3; framework §6b row 1 / D6; catalog REUSE-015, IO-REUSE-002/003). Reuse-now as the concept for "how a brick communicates", NOT Module Contract First.
  • Smart Brick shape inherited from F2 — minimal brick = input · output · IO Contract · DOT process/check · rollback · promote status (de-bai §VI.1); workspace-minimal = cell_id (or pending) · input_refs · minimal output_schema · IO Contract · rollback (de-bai §VI.2; framework D4). Documentary shape hypothesis only.
  • Candidate packet as view/projection — packet = view/binding logic on staging metadata/payload (candidate_id + packet_hash), read by a verdict-only checker; no new store/registry (de-bai §V.13; catalog STG-REUSE-002). Documentary only.
  • Formula concept — "formula / mold / procedure" describing how to assemble an object from that layer's direct inputs (de-bai §II.1, §III.7, §VI.5 "scale by formula, not by macro"). Documentary pattern, NOT an implemented formula / engine / registry.
  • Assembly Machine concept — "assembly machine / DOT / run frame" that executes, checks, promotes or rolls back (de-bai §II.1; framework D7). Documentary pattern, NOT a runtime machine ("machine per layer not yet designed").
  • DOT / wrapper concept + dot_tools candidate — a DOT does one narrow job (adding/verifying one piece of governance information), e.g. DOT_CELL_MAP / DOT_IO_CHECK / DOT_VALIDATE / DOT_ROLLBACK_PROOF (de-bai §IV.3, §V.5); dot_tools ~309 rows (Đ35 paired-DOT) is a registration candidate, wrapper-only (framework D7 / §4; catalog REUSE-013, DOT-REUSE-001/002). Documentary candidate, no schema patch.
  • fn_iu_cut_from_manifest — ~70% reusable (framework D4; catalog REUSE-004 wrapper, FORMULA-REUSE-001 = declare the cut-pipeline as formula.v0.1). Reuse via wrapper hypothesis only.
  • fn_iu_staging_create / fn_iu_staging_cleanup — documentary support only (carried from F2; STG-012 cleanup scheduler unproven). Relevant to delete-fast/rollback path, not a primary F3 asset.
  • Rollback / delete-fast path: ROLLBACK_STAMP + delete-fast principle (de-bai §VI.4 "if wrong, delete", §V.5/§V.7; framework §6.2). Documentary boundary the brick must satisfy.
  • F0/F1/F2 accepted source/evidence baseline and decisions — 12 frozen sources + CONS-004 working precedence + CONS-005 KB-only baseline + F1 birth boundary + F2 Smart Brick boundary. Reuse-now as authority/evidence basis.

Q2 — What already exists but needs repair / verification before it can be reused? (repair / verify-before-reuse)

  • IO Contract examples / templates = GAP / documentary — framework §6c D6 ("selected-slice examples not yet known") + §6b row 1 + §18 ca 14 (REJECT "the IO Contract is already clear enough to implement") + Known-GAP table. The 5-field boundary is documentary; real IO examples/templates for a selected slice are not yet identified (catalog IO-001 web-test file UNKNOWN; IO-004/005 proven NO for KB-object/candidate contracts). CONS-002 (5-field vs DOT/evidence/owner — which source wins?) is a BLOCKER.
  • Formula per layer = GAP / documentary — framework D6 (formula = GAP/DOCUMENTARY_ONLY, mapped only as a reuse concern, no registry) + §18 ca 15 (REJECT "existing formula per layer is already known"). Catalog: no formula registry / engine / 0 DOT assemble (FORMULA-001/003/006 ANSWERED Mức 3); formula.v0.1 deferred (FORMULA-007 DEFER); FORMULA-017 (whether cut-from-manifest must be labeled formula.v0.1) = TODO.
  • Assembly Machine not implemented — framework D7 ("machine per layer not yet designed") + §18 ca 17 (REJECT "each layer already has an assembly machine ready"). DOT_FORMULA_ASSEMBLE = deferred (Bảng 14; DOT-Q04 / DOT-REUSE-005); FORMULA-006 = "0 DOT assemble".
  • DOT coverage matrix = GAP / documentary — framework D7 ("DOT Coverage Matrix later") + §18 ca 18 (REJECT "the dot_tools list is already enough to know DOT registration/stamp/scan coverage"). Catalog has only "Bảng 14 DOT (reference, provisional)" + DOT-Q01..Q12 (PARTIAL) + DOT-CAP-001/004/006/010 (BLOCKER); there is no complete DOT coverage matrix.
  • dot_tools lacks dot_role / cell_id; no schema patch — framework D7 / §4 (reported no dot_role/cell_id); catalog DOT-Q06 (ANSWERED Mức 3 = "missing cell_id/dot_role"), REG-REUSE-004 ("missing dot_role + cell_id"), DOT-REUSE-006. Adding the 2 fields = schema change, Owner-gated detailed design (framework §19 STOP, §6.3), NOT done at F3.
  • Checker / verdict-only boundary not executable live — framework D9 / §6.4 (promote-checker-v0.1-spec rev11 read, not yet written/selftested); catalog DOT-006 = the L5 promote checker, the L5 BLOCKER, not yet built. Belongs to F4, kept as a documentary boundary at F3.
  • Candidate packet binding depends on STG-015 packet_hash — whether packet_hash covers cell_id + stamps is undefined (catalog STG-015 PARTIAL/BLOCKER); tamper-binding of the packet unproven.
  • Temp-store live substrate depends on HOLD-1: iu_staging_* (where the brick, candidate packet, and any DOT/formula output would live) is UNKNOWN→likely-LIVE CONFLICT; Phase-1-gated (framework §18 ca 16).
  • Cell context depends on CONS-003 / CELL-* — cell_id dimension sources unresolved; F3 may not treat the brick's cell as solved (catalog CELL-003/004/007 BLOCKER; CONS-003 BLOCKER).
  • Rollback / delete-fast depends on STG-012 cleanup scheduler — who calls fn_iu_staging_cleanup is unknown (no pg_cron); RISK-GC blob_ref orphan unverified.
  • Runtime / checkout sync not proven (CONS-005 caveat) — baseline covers KB only; runtime state not inferable.
  • No Module Contract First; keep IO thin — framework §6b row 1 Forbidden + §5 IO row + de-bai §III.6/§VI.3 + catalog IO-REUSE-002/003. Any drift toward a module-contract registry is a no-new gate violation.

Q3 — What truly has to be added (only if reuse is insufficient)? (add-later — future Owner-gated)

Nothing here is authorized. Each is future Owner-gated, and only if the reuse survey proves reuse is insufficient. Default for all = NO.

  • F3 read-only execution report — produced in this macro only if the internal gate (§10) passes.
  • IO example / template library — only after a selected slice proves the 5-field boundary insufficient (framework §19 detailed-design STOP); never a Module Contract First / contract registry.
  • Formula wrapper — only after source proof that an existing function (e.g. fn_iu_cut_from_manifest relabeled formula.v0.1) is insufficient (catalog FORMULA-REUSE-001/002); no formula engine/registry.
  • Assembly wrapper — only after proof that reuse via a thin DOT wrapper is insufficient; no DOT-per-layer / machine-per-layer system (framework D7 Forbidden).
  • DOT wrapper / mapping — only after proof; declared minimally on existing dot_tools (dot_role + cell_id + minimal capability), never a full DOT registry / DOT-capability system (catalog DOT-REUSE-006, DOT-CAP gate).
  • Checker / scanner integration — later, not F3 implementation (D9 = F4; scanner = F5; de-bai §V.6/§17 list-only).
  • Schema / materialization (incl. dot_role / cell_id on dot_tools, cell_id on the brick) — only after reuse-insufficiency proof + Owner-gated detailed design (framework §19 STOP).
  • No runtime DOT registration / build by default — DOT registration, DOT execution, formula execution, assembly build are all forbidden at F3.
  • No canonical birth / promote write — F4 only.

3. F3 scope and non-scope

In-scope (read-only, when the §10 gate passes)

  • Confirm and pin the documentary state of (a) the IO Contract 5-field boundary, (b) the Formula concept, (c) the Assembly Machine concept, (d) the DOT / wrapper concept + dot_tools candidate + DOT coverage matrix gap, (e) fn_iu_cut_from_manifest (and fn_iu_staging_create/cleanup as documentary support), (f) the candidate-packet-as-view, (g) the inherited Smart Brick shape + TEMP_ID / candidate_id, (h) the pending cell_id context, (i) the stamp path and checker/verdict-only boundary as documentary boundaries, and (j) the rollback / delete-fast path — from KB sources only (framework §4/§5/§6.2/§6.3/§6b/§6c D6/D7; de-bai §II/§III/§IV/§V/§VI; catalog Nhóm G/H/J/0/R) — unless Owner separately authorizes a Phase-1 read-only DB survey.
  • Classify each candidate asset into Q1 reuse-now / Q2 repair-verify / Q3 add-later with an evidence pin and a clear "documentary vs live" label.
  • Restate the F3 boundary: IO Contract thin (not Module Contract First); formula/assembly/DOT documentary; dot_tools wrapper-only; no cell_id/dot_role materialization; no canonical birth.
  • Carry the open conflicts/risks that gate F3 (CONS-003; CELL-003/004/007; HOLD-1; HOLD-2; STG-012; STG-015; STG-REUSE-001/003; RISK-GC; RISK-CAP; RISK-BYPASS; CONS-002 IO-source; DOT-CAP BLOCKERs) as obligations, not resolutions.

Non-scope (forbidden at F3 by default)

  • ❌ Canonical birth write / BIRTH_STAMP close (F4 output at promote).
  • ❌ Treating iu_staging_* / dot_tools row counts / reported-LIVE as proven-live; any live DB / runtime / Directus / PG read (Phase-1 separately Owner-gated).
  • ❌ Creating a DOT, registering a DOT, running a DOT; building an assembly machine; running a formula; creating a formula registry/engine.
  • ❌ Turning the IO Contract into Module Contract First; creating an IO library / module-contract / contract registry system.
  • ❌ cell_id / dot_role materialization; adding columns to dot_tools; resolving CONS-003 / CELL-003/004/007.
  • ❌ Creating a checker / scanner; writing the promote checker (DOT-006); selecting a pilot slice; writing detailed design / implementation.
  • ❌ Creating a new registry / table / index / packet store / source-manifest.

4. Reuse-now inventory template (Q1 detail)

F3 execution fills Reuse verdict + Evidence pin (this-pass). Until then every row is a documentary candidate, not a reuse decision. Status quotes framework rev56 §6c D6/D7 / §6b / §4 and catalog rev82.

| Asset | Documentary status (rev56) | Documentary detail | Reuse-now hypothesis | Catalog reuse Q | Reuse verdict (fills) | Evidence pin (fills) |
|---|---|---|---|---|---|---|
| IO Contract 5-field | DOCUMENTARY_ONLY (D6 / §6b r1) | nhận (receive)·trả (return)·schema_min·fail·rollback; not Module Contract First | brick-to-brick boundary | REUSE-015 / IO-REUSE-002/003 | TODO | TODO |
| Smart Brick shape (inherited F2) | DOCUMENTARY_ONLY (D4) | minimal brick fields; cell pending | shape hypothesis the IO/formula/DOT wrap around | F2 report §4 | TODO | TODO |
| Candidate packet (view/projection) | DOCUMENTARY (de-bai §V.13) | bind candidate_id + packet_hash; verdict-only | packet = view logic, no new store | STG-REUSE-002/003 (BLOCKER if create) | TODO | TODO |
| Formula concept | GAP / DOCUMENTARY_ONLY (D6) | "formula/mold"; no registry/engine; 0 DOT assemble | documentary pattern only | FORMULA-REUSE-001/002; FORMULA-001/003/006 | TODO | TODO |
| Assembly Machine concept | DOCUMENTARY_ONLY / GAP (D7) | "machine per layer not yet designed" | documentary pattern only | Nhóm J; FORMULA-006 | TODO | TODO |
| DOT / wrapper concept | DOCUMENTARY_ONLY (D7; de-bai §IV.3) | DOT = narrow info-completion machine; PEN/STAMP/GATE | wrapper around existing DOT | REUSE-013 / DOT-REUSE-001/002 | TODO | TODO |
| DOT coverage matrix / dot_tools | DOCUMENTARY_ONLY (D7 / §4) | ~309 rows; no dot_role/cell_id; "matrix later" | registration candidate, wrapper-only | REG-REUSE-004 / DOT-Q06 / DOT-CAP gate | TODO | TODO |
| fn_iu_cut_from_manifest | DOCUMENTARY (~70% reusable, D4) | cut IU from manifest | reuse via wrapper; maybe formula.v0.1 | REUSE-004 / FORMULA-REUSE-001 | TODO | TODO |
| fn_iu_staging_create / cleanup | DOCUMENTARY (STG-010/011 old survey) | create binds content_hash; cleanup 3-pass + dry-run | documentary support for rollback/delete-fast | STG-REUSE-004/005; STG-012 | TODO | TODO |
| TEMP_ID / candidate_id (inherited F1/F2) | documentary (concept; in-scope root) | TEMP_ID_STAMP / candidate_id / workspace_id | identity the brick stands on (no canonical birth) | F1 report §7 / F2 §6 | TODO | TODO |
| Rollback / delete-fast path | DOCUMENTARY (de-bai §VI.4) | ROLLBACK_STAMP; "if wrong, delete"; TTL | boundary the brick must satisfy | STG-REUSE-005; RISK-GC | TODO | TODO |
| Stamp path / checker-verdict boundary | DOCUMENTARY_ONLY (D8 / D9) | IO_STAMP/VALIDATION_STAMP/ROLLBACK_STAMP; checker verdict-only | documentary boundary only (F4 owns it) | — (F4) | TODO | TODO |
| cell_id pending context (inherited) | DOCUMENTARY_ONLY (concept; CONS-003 unresolved) | layer × species × store × domain (tầng×loài×kho×miền); pending | pending coordinate only | CELL-REUSE-001/002 (BLOCKER) | TODO | TODO |
| F0/F1/F2 baseline + decisions | accepted (Owner) | CONS-004 precedence; CONS-005 KB-only; F1/F2 boundaries | authority / evidence basis | F0/F1/F2 decision records | TODO | TODO |

Reuse-first gate (catalog §2c) — recorded, not executed: before proposing anything new, F3 must answer Decision Rule 1→7 and prove all 5 no-new-creation conditions: (1) existing IO/contract substrate insufficient · (2) existing formula/fn_iu_cut_from_manifest insufficient · (3) existing DOT (dot_tools/wrapper) insufficient · (4) scanner/report insufficient · (5) reuse slower than new. Material priority order (de-bai §IV.5): existing metadata/jsonb → staging payload → lightweight DOT/wrapper → confirmation stamp → (only when unavoidable) modify core / create a new registry. No new-creation proposed by this packet.


5. Repair / verify-before-reuse inventory template (Q2 detail)

| Item | Why not reuse-now | Verification needed (Owner-gated; NOT done at F3) | Conflict/HOLD/risk ref |
|---|---|---|---|
| IO Contract examples/templates | only the 5-field boundary is documentary; no slice examples | identify real IO examples for a selected slice (+ resolve which source wins) | framework D6/§6b GAP; §18 ca 14; CONS-002 BLOCKER |
| Formula per layer | no registry/engine; 0 DOT assemble; formula.v0.1 deferred | identify reusable formula/wrapper for a slice; decide cut-as-formula label | framework D6 GAP; §18 ca 15; FORMULA-007/017 |
| Assembly Machine | "machine per layer not yet designed" | map DOT-as-machine for a selected slice | framework D7 GAP; §18 ca 17; FORMULA-006 |
| DOT coverage matrix | only a provisional "Bảng 14"; no complete matrix | build a DOT Coverage Matrix for a selected slice (later) | framework D7; §18 ca 18; DOT-Q01..Q12 |
| dot_tools dot_role/cell_id | reported absent; adding = schema change | resolve cell sources, then Owner-gated detailed design (no patch) | framework §6.3/§19; DOT-Q06; REG-REUSE-004; DOT-CAP-001/004/006/010 BLOCKER |
| Checker / verdict-only boundary | promote-checker-v0.1-spec rev11 not written/selftested | F4 builds verdict-only checker (DOT-006); fail-closed + selftest | framework D9/§6.4; HOLD-2 (atomic) |
| Candidate packet binding | packet_hash coverage undefined | define whether it covers cell_id+stamps + computation | STG-015 BLOCKER |
| Temp-store live substrate | iu_staging_* UNKNOWN→likely-LIVE CONFLICT | Phase-1 read-only verify schema/lifecycle/TTL/candidate_id/blob_ref | HOLD-1; framework §18 ca 16 |
| Cell context | concept only; dimension sources unresolved | resolve dimension sources read-only; no schema change | CELL-003/004/007; CONS-003 |
| Rollback / delete-fast | cleanup scheduler unknown; blob_ref orphan risk | identify cron/flow/worker or prove manual; verify blob cleanup | STG-012 BLOCKER; RISK-GC / RISK-CAP |
| Runtime / checkout sync | baseline covers KB only | not provable without runtime read (Owner-gated) | CONS-005 caveat |
| No Module Contract First | anti-pattern the frame must block | keep IO Contract thin (5 field); no contract registry | framework §6b r1 Forbidden; IO-REUSE-002/003 |
| Governance in birth/brick | P0 anti-pattern the frame must block | keep governance/canonical-birth at promote boundary | framework D2 / hostile ca 23 |

6. Add-later-only-if-needed template (Q3 detail)

Nothing here is authorized. Each is future Owner-gated, and only if the reuse survey proves reuse is insufficient. Default for all = NO.

| Possible future item | Precondition to even propose | Default |
|---|---|---|
| F3 read-only execution report | This packet passes the §10 internal gate | produced in-macro only if gate passes |
| IO example / template library | Selected-slice survey proves the 5-field boundary insufficient | NO by default; never Module Contract First |
| Formula wrapper (e.g. cut-as-formula.v0.1) | Source proof existing function insufficient (FORMULA-REUSE-001/002) | NO by default; no engine/registry |
| Assembly wrapper | Proof a thin DOT wrapper is insufficient | NO by default; no machine-per-layer |
| DOT wrapper / mapping | Proof + minimal declaration on existing dot_tools | NO by default; no full DOT registry / DOT-CAP system |
| Checker / scanner integration | F4 (checker) / F5 (scanner) phase, Owner-authorized | NO at F3 |
| Schema / materialization (dot_role/cell_id) | Reuse-insufficiency proof + Owner-gated design (§19 STOP) | NO by default |
| Runtime DOT registration / build | Owner-gated implementation phase | NO by default |
| Canonical birth write / BIRTH_STAMP | n/a — belongs to F4 (promote boundary) | NEVER at F3 |

7. F3 evidence obligations

F3 execution (when the gate passes) must produce, for the deep layer, evidence covering sources · evidence · authority · conflict · runtime · provenance · safety lock:

  1. Sources — pin each F3 asset to its KB source (framework §6c D6/D7 / §6b / §5 / §4 row · de-bai §II/§III/§IV/§V/§VI · catalog Nhóm G/H/J/0/R row), with rev + this-pass currency.
  2. Evidence — per-asset documentary-vs-live label; IO = DOCUMENTARY_ONLY, formula = GAP/DOCUMENTARY_ONLY, assembly = GAP/DOCUMENTARY_ONLY, dot_tools row counts marked [GR] documentary; "ANSWERED" catalog rows kept documentary; reported-LIVE not promoted.
  3. Authority — apply the F0-decided CONS-004 working precedence (KB practical authority for laws-new docs; enacted principles higher; VPS=SSOT runtime; PG/Directus=truth data); flag any cross-class overlap to Owner; note CONS-002 (IO-source) as unresolved.
  4. Conflict — carry CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, STG-012, STG-015, STG-REUSE-001/003, RISK-GC, RISK-CAP, RISK-BYPASS, CONS-002, DOT-CAP-001/004/006/010 as unresolved obligations, not decisions.
  5. Runtime — record what is NOT proven without Phase-1 (live dot_tools columns; live formula/assembly behavior; staging schema/lifecycle/cleanup); do not infer runtime from documentary.
  6. Provenance — distinguish current-pass vs prior-session ("old survey" rows); carry the F0/F1/F2 decision lineage.
  7. Safety lock — restate the F3 boundary (IO thin / not Module Contract First; formula/assembly/DOT documentary; dot_tools wrapper-only; no cell_id/dot_role materialization; no canonical birth; no DOT/formula/assembly execution); state where execution must STOP.

8. Known risks / stop conditions

  • HOLD-1 (iu_staging_*) — UNKNOWN→likely-LIVE CONFLICT; the live home for any IO/formula/DOT/packet output. F3 must not query or assume live (framework §18 ca 16).
  • CONS-003 (6-vs-7 layers) + CELL-003/004/007 — block cell placement; cell_id stays pending; dot_role/cell_id on dot_tools cannot be materialized.
  • CONS-002 (IO Contract 5-field vs DOT/evidence/owner — which source wins?) — BLOCKER; keep IO thin until Owner resolves.
  • DOT-CAP-001 / 004 / 006 / 010 — DOT capability contract / no-mutation flag / bad-input tests / read-vs-mutate classification all BLOCKER before any DOT is trusted.
  • STG-012 / STG-015 / STG-REUSE-001 / STG-REUSE-003 — staging cleanup scheduler, packet_hash coverage, shared-store sufficiency, no-new-store gate all open.
  • RISK-GC / RISK-CAP: blob_ref orphan/cleanup; payload CASCADE + 10 MiB cap.
  • RISK-BYPASS: fn_birth_gate warning + app.bypass_birth_gate (inherited F1; relevant at the promote boundary = F4).
  • HOLD-2 (atomic promote) — BLOCKED, no transaction; the reason canonical birth stays at F4.

Stop conditions (F3 must STOP and report BLOCKED / Owner-decision-needed):

  • if any step would require a live DB/runtime read (→ Phase-1, separate Owner gate);
  • if any step would run a formula, register or run a DOT, or build an assembly machine;
  • if any step would materialize cell_id/dot_role as a column, or create a DOT / checker / scanner / formula registry / contract registry / packet store (→ schema change / implementation, Owner-gated);
  • if any step would write canonical birth or BIRTH_STAMP (→ F4 only);
  • if resolving CONS-003 / CELL-003/004/007 / CONS-002 is required to proceed;
  • if the IO Contract would have to expand into Module Contract First to classify an asset;
  • if an asset cannot be classified honestly into Q1/Q2/Q3 from available KB evidence.

9. Bad-input / adversarial checks

F3 execution must reject (fail-closed) the following bad assumptions — each must resolve to "rejected", not to a PASS-to-act:

  1. "The IO Contract is fully specified, so implement it." → REJECT (framework §18 ca 14 → DOCUMENTARY_ONLY; only the 5-field boundary is documentary; examples = GAP).
  2. "IO Contract should become Module Contract First / a contract registry." → REJECT (framework §6b r1 Forbidden; de-bai §III.6/§VI.3; IO-REUSE-002/003: keep exactly 5 field).
  3. "Formula per layer is already known/implemented." → REJECT (framework §18 ca 15 → GAP; FORMULA-001/003/006 = no registry/engine/0 assemble).
  4. "Build a formula registry / formula engine at v0.1." → REJECT (FORMULA-REUSE-002 BLOCKER-if-propose; framework D6 Forbidden).
  5. "Each layer already has an assembly machine ready." → REJECT (framework §18 ca 17 → DOCUMENTARY_ONLY/GAP; "machine per layer not yet designed").
  6. "dot_tools already proves DOT registration/stamp/scan coverage." → REJECT (framework §18 ca 18 → DOCUMENTARY_ONLY/GAP; DOT Coverage Matrix later).
  7. "Add dot_role / cell_id to dot_tools now." → REJECT (framework §19 schema-change STOP; §6.3; Owner-gated detailed design).
  8. "Register a DOT / run a DOT / run the formula / build the machine." → REJECT (no DOT registration/run, no formula run, no assembly build at F3).
  9. "Write the promote checker / verdict here." → REJECT (D9 = F4; promote-checker-v0.1-spec not written; verdict-only boundary documentary).
  10. "cell_id is solved, place the brick and stamp CELL_STAMP." → REJECT (CONS-003 + CELL-003/004/007 BLOCKER; cell pending only).
  11. "Documentary row counts / 'ANSWERED' catalog rows prove live." → REJECT (documentary ≠ live; framework §4; §18 ca 13).
  12. "The candidate packet needs a new store/ledger." → REJECT (STG-REUSE-002/003; de-bai §V.13: view logic on existing metadata).
  13. "Reading dot_tools / iu_staging_* schema live is fine because it's read-only." → REJECT (Phase-1 separately Owner-gated).
  14. "Write canonical birth / BIRTH_STAMP once the brick assembles." → REJECT (canonical birth = F4 output at promote; de-bai §V.10).

Pass criterion: no bad assumption leads to a PASS-to-act or a forbidden action → F3 is not fail-open.


10. Internal gate — when to proceed from packet to F3 execution

This Program Macro authorizes the read-only F3 execution report (Document 3) only if every gate item below is GREEN. If any item is RED, the macro STOPS at PARTIAL/BLOCKED and Document 3 is not created.

| # | Gate item | Pass condition |
|---|---|---|
| G1 | Mandatory sources readable | F3-critical sources read this pass: F2 report rev1, F2 packet rev1, F2 decision rev1, framework rev56 (§6c D6/D7 + §6b + §4 + §18 + §19), de-bai rev33, catalog rev82 (Nhóm G/H/J/0/R); F1/F0 records + constitution rev44 + OR rev51 carried-pinned from F0/F1/F2 |
| G2 | F2 gate closed first | reports/f2/f2-owner-decision-record-2026-06-16.md exists and accepts F2 (rev1) |
| G3 | Every F3 asset classifiable honestly | each Q1/Q2/Q3 row maps to a KB evidence pin without inventing live proof |
| G4 | No live DB/runtime/Phase-1 needed | classification is documentary-only; iu_staging_* / dot_tools untouched |
| G5 | No conflict resolution needed | CONS-003 / CELL-003/004/007 / CONS-002 carried, not resolved |
| G6 | No schema/design/implementation needed | no cell_id/dot_role materialization; no DOT/checker/scanner/formula registry; no formula/DOT/assembly execution |
| G7 | Boundary held | IO thin (not Module Contract First); formula/assembly/DOT documentary; dot_tools wrapper-only; no canonical birth / BIRTH_STAMP |
| G8 | 3 Owner questions preserved | Q1/Q2/Q3 present in the execution report |

If all GREEN → run the read-only F3 survey from KB/documentary evidence only and emit Document 3 (STATUS honest — PARTIAL is acceptable and expected where every candidate is documentary-only/GAP/Owner-gated).


11. Expected F3 execution report format

When the §10 gate passes, the F3 execution report should mirror the F0/F1/F2 report shape:

  • §0 STATUS (one line): PASS / PARTIAL / BLOCKED, honest.
  • §1 Status / boundary confirmation (incl. internal gate result).
  • §2 Owner View — the 3 reuse-first questions (Q1/Q2/Q3) answered at the control surface.
  • §3 F3 asset classification table — Q1/Q2/Q3 with verdict + evidence pin + documentary/live label per row.
  • §4 IO Contract 5-field analysis (thin boundary; not Module Contract First; examples GAP).
  • §5 Formula analysis (documentary pattern; no registry/engine; cut-as-formula candidate).
  • §6 Assembly Machine / DOT analysis (documentary; dot_tools wrapper-only; coverage matrix GAP; no registration/run).
  • §7 Candidate packet / TEMP_ID / cell context handling (view-only; inherited identity; pending cell).
  • §8 Rollback / fail / delete-fast handling (documentary boundary; STG-012 dependency).
  • §9 Evidence currency table (sources/evidence/authority/conflict/runtime/provenance/safety-lock; documentary vs live).
  • §10 Conflict / HOLD log — CONS-003, CELL-003/004/007, CONS-002, HOLD-1, HOLD-2, STG-012/015, STG-REUSE-001/003, RISK-GC/CAP/BYPASS, DOT-CAP carried.
  • §11 Adversarial check — §9 bad-input results (all rejected).
  • §12 Non-authorization confirmation + self-check.
  • §13 F4 handoff / next-gate recommendation.

PARTIAL is acceptable and honest where evidence is documentary-only or a verification is Owner-gated. Engineering PASS ≠ Authority PASS.


12. How F3 feeds F4

F4 in the §6c order = Stamp Lifecycle + Checker / Promote / Rollback (= D8 + D9 + the canonical-output of D10; canonical birth + BIRTH_STAMP close at promote). F3 hands F4:

  • the IO Contract 5-field boundary (nhận [receive] · trả [return] · schema_min · fail · rollback) as the brick-to-brick contract the checker/stamp lifecycle reads — without Module Contract First;
  • the Formula and Assembly Machine / DOT documentary patterns (formula = how a brick is built from direct inputs; DOT = the narrow machine/check/wrapper; dot_tools wrapper-only) — none implemented, all DOCUMENTARY_ONLY/GAP;
  • the candidate-packet-as-view binding (candidate_id + packet_hash) the verdict-only checker (DOT-006) will read — with STG-015 packet_hash coverage pinned as an open obligation;
  • the stamp path (IO_STAMP / VALIDATION_STAMP / ROLLBACK_STAMP pre-promote; BIRTH_STAMP / PROMOTE_STAMP post-promote) and the checker / verdict-only / Atomic Promote Contract boundary as the F4 subject — F3 only marks them documentary boundaries, never implements;
  • the carried conflicts (CONS-003, CELL-003/004/007, CONS-002) and risks (HOLD-1, HOLD-2, STG-012/015, STG-REUSE-001/003, RISK-GC/CAP/BYPASS, DOT-CAP) as explicit obligations F4 must respect, not inherit as solved.

F3 preparation and execution must again preserve the 3 reuse-first Owner questions and remain non-authorizing until its own GPT → Codex → Owner gate. The Program Macro bundling (packet + internal-gated execution in one task) is an Owner choice already exercised for this F3 run; it does not open F4, Phase-1, or any design/implementation.


13. Self-check (packet discipline)

  1. Preserved the 3 Owner questions (Q1 reuse-now / Q2 repair-verify / Q3 add-later) — ✅
  2. Kept F3 as IO Contract + Formula + Assembly Machine / DOT (D6 + D7) only — ✅
  3. No live DB / runtime / Phase-1 touched; iu_staging_* / dot_tools untouched — ✅
  4. No canonical birth write / BIRTH_STAMP (deferred to F4) — ✅
  5. IO Contract kept thin (5 field); no Module Contract First — ✅
  6. Formula / assembly / DOT kept documentary; no registry/engine/machine; no execution — ✅
  7. dot_tools kept documentary / wrapper-only; no dot_role/cell_id materialization — ✅
  8. CONS-003 / CELL-003/004/007 / CONS-002 carried, not resolved — ✅
  9. Documentary vs live proof distinguished throughout — ✅
  10. Internal gate (§10) defined as the precondition for the F3 execution report — ✅
  11. Owner/GPT kept as the only phase authority; Codex review is the next gate — ✅

F3 — IO Contract + Formula + Assembly Machine / DOT — Reuse Survey Packet | 2026-06-16 | PREPARATION PACKET, NON-AUTHORIZING. F3 = D6 + D7. IO Contract thin (5 field, not Module Contract First). Formula / Assembly Machine / DOT = documentary only (no registry/engine/machine; no execution). dot_tools wrapper-only (no dot_role/cell_id patch). cell_id pending. Canonical birth = F4. CONS-003 / CELL-003/004/007 / CONS-002 carried. Documentary ≠ live proof. Engineering PASS ≠ Authority PASS.