KB-3374

R1-K Block Contract Packet — LEGO Design-Only (KG / Provenance / Quarantine, 2026-06-18)


R1-K Block Contract Packet — LEGO Design-Only

Date: 2026-06-18 · Workstream: R1-K-R2-B-BLOCK-CONTRACT-PACKETS-LEGO-2026-06-18 (R1-K half — KG / provenance / quarantine / KG gates, Điều 39 surface) · Editorial revision: rev1 · Class: design-only / block-contract scoping / decision-support · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO blocker resolved.

Metadata convention. This body pins no volatile AgentData storage revision/content_length. Editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time.

Separation lock. This is the R1-K packet only. It is a separate document from the R2-B Block Contract Packet (consolidation/r2-b-block-contract-packet-lego-2026-06-18.md). The two packets are not merged and share zero write surface at the design tier (see §10/§12). There is no fifth combined packet.


0. Status and non-authorization

STATUS: PASS (engineering / design-only). This packet expands the seven K-blocks of the accepted R1/R2 Modular LEGO Architecture Scoping into a deeper, per-block contract set for the KG / provenance / quarantine lane: a full contract per block, isolation/replaceability/rollback per block, and — the distinctive addition of this packet — a bad-input / invalid-state rejection matrix proving each block's contract is fail-closed at the conceptual level, plus a design-only Codex-style adversarial reconstruction. It builds nothing, mutates nothing, authorizes nothing.

Engineering PASS ≠ authority PASS. A PASS here is a statement that the K-block contracts are complete and fail-closed on paper. It is not an Owner authorization to design-in-detail, to write technical design, or to remediate. Default disposition: HOLD.

Pipeline position.

Accepted R1a/R2a root-cause baseline (+ Codex PASS_WITH_CAVEATS) → Owner Decision Packet matrices (Option D recommended) → Modular LEGO Architecture Scoping (block map) → this R1-K design-only block-contract packet → (only if separately authorized) a narrower design-only TD-prep package → (only if separately authorized again) write-enabled remediation.

Non-authorization (explicit). This document does not, and cannot: run any DB write / DDL / DML; restart or reload any container or service; run any worker / cron / job; trigger DOT / KG / birth / certify / promote / repair execution; backfill provenance; quarantine edges; set inspect_pen / inspect_stamp / inspect_gate; set certified=true; flip any dot_config gate (incl. the five KG preflight gates); assign a governance owner; promote any agent-api contract DRY_RUN→REAL_RUN; write env / config files; patch source code; patch any source law / draft / note / prior report; create a current corpus; write technical design; implement; resolve any blocker; materialize KG / provenance / cell_id / dot_role / canonical_fields; change authority order (CONS-004); change the v0.1 baseline; promote v0.2-hardening.

Evidence basis — INHERITED_EVIDENCE. Every runtime fact below is inherited from prior accepted read-only runs (R1a root-cause study rev1 PASS; R1 readiness scope rev1 PARTIAL; Phase-1B rev1; all carried by the Modular LEGO Scoping rev1 + Owner Decision Packet rev1, each PASS_WITH_CAVEATS at the Codex tier). No runtime was queried, executed, or mutated in producing this packet. No claim of fresh runtime verification is made. The VPS PostgreSQL directus DB is the sole substrate-of-truth in those prior runs; the local repo is substrate-free/stale.


1. Purpose

Convert the R1 (Knowledge Graph / provenance / quarantine / KG gates) problem space into seven isolated LEGO blocks (K1–K7), each with an explicit contract, each testable / replaceable / deletable in isolation, integrating only through named data-contract studs, and each provably fail-closed against bad input — as design direction, not as a build.

This packet answers, for each K-block:

  • What is the block responsible for (one narrow task)?
  • What does it take as input / produce as output (the contract surface)?
  • What evidence proves the block worked?
  • What must it not depend on?
  • What is its safe failure mode?
  • Where does the Owner gate apply, and where must materialization remain blocked?
  • How can the block be replaced / deleted / rolled back without breaking the rest?
  • How does the block reject bad input fail-closed (conceptually)?

It references the shared governance gates (S1, S2, S5, S6, S7, S8) only as external contracts — it does not redesign them (§12).


2. Sources read

All read first-hand this run via read-only AgentData batch_read (full content), then decoded and read in full. None SOURCE_NOT_READ. Cited by name + editorial revision; AgentData metadata authoritative at read time.

Cluster | Source | Status | Used for
LEGO map | consolidation/r1-r2-modular-lego-architecture-scoping-2026-06-18.md (rev1) | READ (full) | K1–K7 block map, contracts, AC-rules, integration studs
LEGO map | reports/r1-r2-modular-lego-architecture-scoping-execution-report-2026-06-18.md (rev1) | READ (full) | non-authorization posture, design-only altitude
LEGO map | reports/codex/codex-review-r1-r2-modular-lego-architecture-scoping-2026-06-18.md | READ (full) | adversarial-control framing
Owner decision | consolidation/owner-decision-packet-r1a-r2a-root-cause-2026-06-18.md (rev1) | READ (full) | R1-D1..D7 matrix, Option D, gate-clear order, CAV-1/2
Owner decision | reports/owner-decision-packet-r1a-r2a-root-cause-execution-report-2026-06-18.md (rev1) | READ (full) | caveat cross-map, non-authorization
Owner decision | reports/codex/codex-review-owner-decision-packet-r1a-r2a-root-cause-2026-06-18.md | READ (full) | acceptance, anti-automation condition
R1 root cause | reports/r1a-kg-runner-log-provenance-source-root-cause-2026-06-18.md (rev1) | READ (full) | 5 gates, runner, 1/36 contract, 2199 edges 0-prov, SoT absence
R1/R2 exec | reports/r1a-r2a-runner-cron-log-root-cause-execution-report-2026-06-18.md (rev2) | READ (full) | combined posture, CAV-6 metadata note
R1/R2 codex | reports/codex/codex-review-r1a-r2a-runner-cron-log-root-cause-2026-06-18.md (PASS_WITH_CAVEATS) | READ (full) | the 6 caveats verbatim, per-check verdicts
Phase-1B | consolidation/phase1b-runtime-truth-blocker-decision-packet-2026-06-17.md (rev1) | READ (full) | blocker bundle, R1 macro, OD-8
R1 scope | reports/r1-d39-kg-provenance-quarantine-execution-readiness-scope-2026-06-17.md (rev1) | READ (full) | kg_* inventory, quarantine ABSENT, kg_auto_approve_rules
R1/R2 scope exec | reports/r1-r2-parallel-readonly-scoping-execution-report-2026-06-17.md (rev1) | READ (full) | design-only/materialization split
Anchor | notes/dieu39-knowledge-graph-compatibility-note.md (rev1) | READ (full) | golden rule, missing-stamp→quarantine, scanner=list-only
Anchor | laws/dieu39-knowledge-graph-law.md (v2.3 BAN HÀNH) | READ (full) | trust_score survival rule, A8 no-provenance=quarantine, NT1/NT11 no-parallel-SSOT
Anchor | notes/dieu32-approval-owner-gate-compatibility-note.md (rev1) | READ (full) | Owner gate / Mức-3 / ESCALATE_L3
Anchor | laws/dieu32-approval-law.md (v1.1 BAN HÀNH) | READ (full) | quorum-by-risk, anti-bypass, unimplemented-handler gate
Anchor | notes/dieu35-dot-governance-compatibility-note.md (rev1) | READ (full) | reuse-pattern-not-turnkey, scanner=list-only
Anchor | ssot/operating-rules.md (v7.58) | READ (full) | Assembly First, fail-closed default, AP-CLOSE evidence

3. Accepted R1 root-cause baseline (carried, not re-derived)

Carried verbatim in substance from R1a (Codex PASS_WITH_CAVEATS). The headline: R1 is not a broken runner — it is a healthy KG runner held deliberately fail-closed, with no provenance source-of-truth and no built quarantine. The fix is net-new governed build/design, not a restart.

  • A KG runner exists and is healthy: incomex-agent-api-executor (agent-api-executor-local:v1, up 13 days, healthy), endpoint :8090/dispatch, bound in dot_agent_api_contract; v_dotkg_realrun_preflight.precond_endpoint_bound=GO. (CAV-1: proven at the DB-contract / preflight layer, not the executor process-log layer — docker_logs for the executor was DENIED.)
  • KG real-run is deliberately fail-closed NO_GO: v_dotkg_realrun_preflight = REALRUN_BLOCKED_MULTI_GATE over five BLOCK gates: gate_real_run_enabled=false, gate_execute_enabled=false, gate_dry_run_only_cleared (dry_run_only=true), gate_dotkg_owner_present=0 (governance_object_ownership empty), gate_contract_realrun_mode=DRY_RUN. GO preconditions held: precond_endpoint_bound=1, boundary_no_mutation_assertion=1, precond_dry_run_evidence=2, invariant_real_run_count_zero=0. 0 REAL_RUN ever.
  • Only 1 of 36 KG DOTs is contracted: DOT_KG_EXPLAIN (DRY_RUN pilot, 2026-06-04; error_behavior=fail_closed_no_mutation). The other 35 — including both provenance DOTs DOT_KG_PROVENANCE_TAG (kg.governance, B, on-demand, hybrid) and DOT_KG_PROVENANCE_AUDIT (kg.governance, A, cron 0 */6 * * *, pg_function) — have no agent-api contract, no host-cron entry, no pg_cron binding.
  • No provenance source-of-truth in the inspected substrate: the 2199 universal_edges were created by a legacy seed LEGACY|S167H (2039 edges, USES 1486 / BELONGS_TO 351 / CONTAINS 202, @ 2026-03-19) + a DIRECTUS structural sync (160 BELONGS_TO/CONTAINS, @ 2026-03-28→04-21); 0 carry provenance; 0 ever quarantined; edge creation stopped 2026-04-21. The intended writer DOT_KG_PROVENANCE_TAG never ran; only fn_iu_kg_edge_audit touches edges+provenance and it only audits. (CAV-2: "no SoT" is substrate-scoped, not "never recoverable".)
  • Supporting truth: pg_cron not installed; generic DOT/queue runtime disabled at the master switch (process_dot_runtime.*=false, dry_run_only=true), queue idle since 2026-05-26; kg_quality_log=0 rows; GOV-KG-SYS registered+active but inert (health_dot=NULL, primary_collection=NULL); quarantine mechanism ABSENT (only fn_preflight_guard references the word). The config layer is Điều-39-aligned and fail-closed but untested: kg_auto_approve_rules 6 rows (all TBox changes + deletes auto_approve=false, requires_human=always; only ABox edge_weight_update auto at conf ≥0.9); kg_source_authority 5-tier (regulation 1.0 > report 0.7 > api 0.6 > manual 0.5 > chat 0.3). Qdrant entity_embeddings is vector/search, not a provenance SoT.

Findings carried (accepted, all OPEN): R1a-F1 HIGH (5-gate NO_GO), R1a-F2 HIGH (1/36 contracted), R1a-F3 HIGH (no provenance SoT — PASS_WITH_CAVEAT per CAV-2), R1a-F4 MEDIUM (DOT runtime disabled), R1a-F5 LOW/asset (healthy endpoint), R1a-F6 INFO (no pg_cron / downstream), R1a-G1 INFO gap (executor log denied). 0 CRITICAL; no active mutation/bypass/execution.


4. Caveats carried

All six Codex caveats are carried verbatim in substance and constrain the K-block contracts. They are carried, not resolved. (CAV-3/CAV-4 are R2-lane caveats, carried here for completeness because the two packets share the same caveat set; they bind R2-B's B2/B5, not the K-blocks.)

Caveat | Statement (carried) | Constrains which K-blocks
CAV-1 | R1a has no executor process-log proof (docker_logs incomex-agent-api-executor DENIED). R1 is proven at the DB-contract / preflight / config layer, not the process-log layer. No claim of direct executor process-log behavior. | K1 (runner gate), K2 (DOT contract)
CAV-2 | "No provenance source-of-truth" = no SoT in the inspected substrate — it does not mean provenance can never be recovered via a future S167H / Directus source-recovery effort. | K3 (source recovery), K4 (tagging) — and external S6
CAV-3 | R2a "manual one-shot bootstrap" supported by DB dot_origin + synced local script, not by the unavailable 2026-03-21 container logs. | (R2-lane — does not bind K-blocks)
CAV-4 | R2a producer scripts read from the synced local mirror, not live /opt/incomex/dot/bin; no byte-for-byte live-file claim. | (R2-lane — does not bind K-blocks)
CAV-5 | The GUC conclusion is limited to no persisted bypass/default; the transient session state is unreadable. | (R2-lane — binds R2-B's B7)
CAV-6 | The combined R1a/R2a exec report has a non-material metadata typo (body rev1/14799 vs AgentData rev2/14798; metadata wins). A cosmetic patch is a separate Owner-gated decision, not done here (patching a prior report is forbidden). | documentary only — no K-block; not patched here

5. LEGO invariant for R1-K

The invariant (above all detail): build the KG lane like LEGO — each block isolated, with a clear contract, testable alone, replaceable/deletable alone, integrating only through named studs, fail-closed by default. If a block's design is wrong, remove it and rebuild it without cascading damage.

Why the KG evidence makes this the right filter:

  • The gate is already a good block — build around it, do not remove it. The five-gate v_dotkg_realrun_preflight (K1) is a correct fail-closed brake: it refuses real-run until a provenance SoT, an owner, and a promoted contract exist. The wrong move (mega-shortcut) is to clear the gates to "make KG run." The LEGO move is to build the missing blocks (K3 source recovery → K4 tagging, S2 owner, K2 contract) so the gates clear one at a time, in the R1-D2 order, each independently verifiable.
  • No mega-graph. KG stays recovery (K3) ▸ tag (K4) ▸ quarantine (K5) plus gate (K1) ▸ contract (K2), each one narrow task (Điều 39 DOT-một-việc-hẹp, the one-narrow-task DOT rule) — never one engine that reasons + tags + quarantines + certifies in a single body (AC-12).
  • No mega-registry / no parallel SSOT. Extend universal_edges / kg_* / existing ledgers (Assembly First; Điều 39 NT1/NT11) — no second graph store (NT8 "PG→AGE→Neo4j NEVER"), no parallel provenance store.

The design filter applied to every K-block (reject on any failure): (1) one narrow responsibility; (2) explicit contract surface only; (3) testable alone; (4) replaceable/deletable alone; (5) fail-closed default ("Không chắc đúng = sai", not certain to be right = wrong; golden rule "AI đề xuất, không tự ban hành", AI proposes, never self-enacts); (6) Assembly First (extend, don't fork an SSOT); (7) propose-never-self-enact anything canonical/TBox/system-impacting → route to S1/Điều 32 (Mức 3).

The studs (KG lane). Blocks connect only through data contracts: the provenance JSONB shape {source_doc_id, section_id, extraction_method, confidence, timestamp}; the status='quarantine' lane; the v_dotkg_realrun_preflight per-gate verdict; the dot_agent_api_contract mode (DRY_RUN/REAL_RUN); the kg_quality_log explanation record; and the external S1 approval_requests record. No K-block calls another K-block's body; no K-block shares mutable internal state.


6. K-block inventory

Seven isolated blocks. No mega-block. Build-state legend (read-only observation carried from R1a, not a build plan): [EXISTS] present & healthy · [PARTIAL] present but incomplete/inert · [MISSING] not built (the gap) · [CONCEPT] target with no artifact.

ID | Block | Build-state | One narrow responsibility
K1 | KG runner gate | [EXISTS] | Emit the 5-gate fail-closed real-run preflight verdict (gate, do not execute)
K2 | KG DOT contract | [PARTIAL — 1/36] | Bind/mode a KG DOT to the dispatch endpoint (DRY_RUN/REAL_RUN)
K3 | Provenance source recovery | [MISSING — core R1 gap] | Establish the provenance source-of-truth for edges (2 origins)
K4 | Edge provenance tagging | [MISSING] | Write provenance JSONB onto edges from K3's SoT (idempotent)
K5 | Quarantine decision | [MISSING — absent today] | Decide "no provenance ⇒ quarantine" + threshold gate
K6 | KG quality / explainability log | [PARTIAL — table, 0 rows] | Record explanation/quality (report-only, list-only)
K7 | Qdrant / vector separation | [EXISTS] | Hold the boundary: vector search is never a provenance source

Soft boundary kept split on purpose: K3 (provenance-specific recovery) vs external S6 (general out-of-band recovery) are kept separate — the LEGO rule is when in doubt, split, don't merge. K3 consumes S6 for the S167H origin; it is not S6.


7. K-block contract table

Eleven contract fields per block are carried here (split 7A/7B for readability); the remaining two fields — bad input / invalid state and expected rejection behavior — are in §9. Together §7 + §9 give all thirteen required fields per block. "Mutate runtime?" — No = design-only by the block's nature; Future-gated = only after a separate Owner gate.

7A — Responsibility · Input contract · Output contract · Authority/Owner gate · Mutate runtime?

ID | Responsibility | Input contract | Output contract | Authority / Owner gate | Mutate runtime?
K1 | Gate real-run behind 5 fail-closed gates | dot_config (process_dot_runtime.*) + governance_object_ownership + contract mode | Per-gate GO/BLOCK + OVERALL_VERDICT (NO_GO until all GO) | Each gate-clear = a write via S1/Điều 32, in R1-D2 order | Future-gated (gates stay shut)
K2 | Bind/mode a KG DOT to dispatch | KG DOT code + endpoint (:8090/dispatch) | dot_agent_api_contract row + DRY_RUN/REAL_RUN mode | S1/Điều 32 to promote mode | Future-gated
K3 | Establish provenance SoT (2 origins) | Directus relation/collection defs (DIRECTUS); S167H seed manifest (via external S6) | A provenance source-of-truth (manifest/derivation), read-only | S1/Điều 32; S6 for S167H (out-of-band) | Future-gated (study/design now)
K4 | Stamp provenance onto edges from SoT | K3 SoT + target edges | provenance JSONB on edges (idempotent, OCC-safe) | S1/Điều 32 + external S5 to backfill | Future-gated
K5 | Decide "no provenance ⇒ quarantine" + threshold | provenance presence + kg_thresholds (trust_score survival rule) | A status='quarantine' decision (not a mutation) | S1/Điều 32 to mutate any edge | Future-gated (design now)
K6 | Record explanation/quality (report-only) | KG DOT outputs / explanation paths | kg_quality_log rows (no action taken) | Report-only (no enact) | Future-gated (wiring)
K7 | Hold vector≠provenance separation | (guard — no data input) | A stated, enforced boundary | n/a (a design statement) | No (boundary guard)

7B — Evidence required · Depends on · Must NOT depend on · Replacement boundary

ID | Evidence required | Depends on | Must NOT depend on | Replacement boundary
K1 | Per-gate GO/BLOCK verdict rows; OVERALL_VERDICT | external S2 owner, K2 contract, K3/K4 provenance existence | executor process-log claims (CAV-1) | Gate set re-definable; contract = fail-closed multi-gate verdict; never auto-clears
K2 | Contract rows, mode, error_behavior=fail_closed_no_mutation | K1 ordering, dispatch endpoint | provenance/quarantine logic | Binding swappable; reuse the proven EXPLAIN dispatch pattern (Assembly First)
K3 | SoT manifest/derivation per origin; recovery provenance | external S6 (S167H), Directus defs | K1/K4 reasoning output (AC-4); inventing a SoT | DIRECTUS vs S167H sub-paths independently replaceable
K4 | Edges tagged, idempotency key, OCC version basis | K3 SoT | creating the SoT (AC-4); blind-update of universal_edges | Tagger swappable; contract = write provenance from SoT only, OCC-safe
K5 | Quarantine decisions + threshold basis (kg_thresholds) | K4 provenance presence, kg_thresholds | mutating edges without Điều 32 (AC-6) | Quarantine lane swappable; contract = decide from provenance/threshold
K6 | kg_quality_log rows (counts, ids, timestamps) | KG DOT outputs | acting on its own findings (AC-10, report-only) | Log/scanner swappable; report-only contract
K7 | The stated separation (boundary statement) | (none) | being used as a provenance source (AC-8) | Boundary statement; vector store swappable behind it

8. K-block isolation / replaceability / rollback table

Safe failure modes drawn from the menu: fail-closed · quarantine · no-op · pending-Owner-approval · read-only report only · KG DOT remains DRY_RUN.

ID | Tested alone? | Deleted / rebuilt alone? | Rollback boundary | Must NOT be coupled to | Invalid-design smell | Safe failure mode
K1 | Yes (evaluate preflight verdict on sample config) | Yes (redefine the gate set) | Per-gate config flip (each reversible) | executor process-log claims | clearing gates to "make it run" | NO_GO (fail-closed)
K2 | Yes (bind one DOT in DRY_RUN) | Yes (reuse EXPLAIN pattern) | One contract row | provenance/quarantine contract | deciding provenance | KG DOT remains DRY_RUN
K3 | Yes per origin (Directus / S167H) | Yes (per sub-path) | One source derivation | K1/K4 reasoning output | recovery writing edges | read-only report only
K4 | Yes (tag a sample from SoT) | Yes (rebuild tagger) | One idempotent tag batch (OCC) | creating the SoT | tagger inventing provenance | no-op (untagged ⇒ quarantine via K5)
K5 | Yes (decide on a sample) | Yes (redefine the lane) | One status decision (no mutation) | mutating edges w/o Điều 32 | quarantine auto-mutating edges | quarantine (the safe state itself)
K6 | Yes (write a log row) | Yes (rebuild scanner) | Append-only rows | acting on its findings | log auto-fixing | read-only report only
K7 | Yes (assert the separation) | Yes (swap vector store behind it) | A boundary statement | being a provenance source | vector treated as provenance | no-op (provenance absent ⇒ quarantine)

Delete-and-rebuild discipline (S8 referenced). Each K-block's rollback unit is bounded above: K1 = per-gate config (reverse a single flip); K2 = one contract row (revert to DRY_RUN); K3 = one source derivation (discard); K4 = one idempotent tag batch (OCC-keyed, re-runnable/undoable per Điều 39's mandatory pre-batch snapshot for any ABox write); K5 = one status decision (no edge mutation to undo while design-only); K6 = append-only (no state to roll back); K7 = a statement. No concrete rollback script is written here (forbidden) — only the per-block rollback unit is defined.


9. K-block bad-input / invalid-state rejection matrix

Conceptual contract check only — NOT run against runtime. Each row states a bad-input / invalid-state scenario and the expected fail-closed rejection behavior the block's contract must guarantee. Where the rejection contract is not yet fully determinable from the accepted baseline, it is marked BAD_INPUT_BEHAVIOR_UNCLEAR and the expected rejection contract is defined conceptually — no tested runtime result is claimed (INHERITED_EVIDENCE). The fail-closed test (point 6 of §13.A): if invalid input would still produce a PASS / provenance / real-run / digest, the contract is fail-open and must be rejected.

ID | Bad input / invalid state | Expected rejection behavior (fail-closed) | Grounding
K1 | Owner missing (gate_dotkg_owner_present=0) / contract still DRY_RUN / execute_enabled=false — i.e. any unmet gate | OVERALL_VERDICT stays REALRUN_BLOCKED_MULTI_GATE (NO_GO); the block never auto-clears a gate; a gate clears only by an explicit S1/Điều 32-authorized write in R1-D2 order. invariant_real_run_count_zero must remain 0. | R1a §6; R1-D2; Điều 39 golden rule
K2 | DOT has no dot_agent_api_contract row / invalid or unknown mode value / endpoint unbound | Reject contract promotion; remain DRY_RUN (or contract_ready with no endpoint). error_behavior=fail_closed_no_mutation. No REAL_RUN dispatch. | R1a §5 (1/36; EXPLAIN pilot); Điều 32 unimplemented-handler gate
K3 | S167H seed manifest absent / Directus relation unverifiable / asked to "produce" a SoT that does not exist | Emit SOURCE_RECOVERY_REQUIRED; produce no provenance SoT; invent none. Defer S167H to external S6 (out-of-band). CAV-2: do not claim recoverability either way. | R1a §10; CAV-2; AC-4
K4 | Provenance SoT absent/unvalidated / OCC version conflict / asked to backfill from nothing | No tagging; no invented provenance (no-op). On OCC conflict, reject the blind-update ("Agent CẤM blind-update universal_edges": the agent is forbidden to blind-update universal_edges); untagged edges flow to K5 (quarantine). | R1a §9; Điều 39 concurrency/idempotency; AC-4/AC-5
K5 | Edge lacks provenance / any mandatory trust_score component missing/invalid/below kg_thresholds | Quarantine decision only (status='quarantine', trust_score=0); no edge mutation without an Owner-gated write package (Điều 32). Quarantine is the safe state, not an action that needs justifying. | Điều 39 A8 + survival rule; R1 scope §9 (quarantine ABSENT); AC-6
K6 | No explainability evidence / missing explanation_path for a decision | Read-only finding only; record the gap in kg_quality_log; no auto-fix ("không giải thích = không thực thi": no explanation = no execution; scanner = list-only). | Điều 39 C7; Điều 35 note; AC-10
K7 | Vector similarity / entity_embeddings offered as a provenance source | Reject as a category error — embeddings are vector/search, never governance provenance. The separation holds; no provenance derived from vectors. | R1a §11; AC-8

No fail-open path found in the K-lane design. Every K-block's worst-case input degrades to a fail-closed state (NO_GO / DRY_RUN / SOURCE_RECOVERY_REQUIRED / no-op / quarantine / read-only / category-error-reject). The one residual fail-open risk in the current substrate is structural and external, not a K-block behavior: the generic auto-approve bypass fn_auto_approve_add (RISK-BYPASS) belongs to the S1 lane and is a violation to close, never imitate (AC-11) — no K-block may route a write around S1.
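The K1 and K5 rows of the matrix above, modelled as an added illustration of the fail-closed contract (this is not code from the packet, from the incomex substrate, or from any K-block build, and it is not a technical design). Gate names, verdict strings and the provenance stud shape are the packet's; MIN_CONFIDENCE and the sample edges are constructed for the example.

```python
"""Illustration of the K1 verdict and K5 quarantine contracts (sections 5 and 9).
Not the packet's or the project's code. Gate names, verdict strings and the
provenance stud keys come from the packet; MIN_CONFIDENCE and SAMPLE_EDGES are
constructed stand-ins, not values read from kg_thresholds or universal_edges."""
from typing import Any

# The five BLOCK gates of v_dotkg_realrun_preflight and the value each needs for GO.
GATES_REQUIRED: dict[str, Any] = {
    "gate_real_run_enabled": True,
    "gate_execute_enabled": True,
    "gate_dry_run_only_cleared": True,     # dry_run_only must be false
    "gate_dotkg_owner_present": 1,         # governance_object_ownership non-empty
    "gate_contract_realrun_mode": "REAL_RUN",
}

# The provenance stud shape from section 5 (keys from the packet; value types assumed).
PROVENANCE_KEYS = ("source_doc_id", "section_id", "extraction_method", "confidence", "timestamp")

# Constructed stand-in for a kg_thresholds value; the real threshold rows are not on the page.
MIN_CONFIDENCE = 0.9


def k1_preflight_verdict(observed: dict[str, Any]) -> dict[str, Any]:
    """K1: emit per-gate GO/BLOCK plus OVERALL_VERDICT, and nothing else.
    A gate absent from the observation is BLOCK (fail-closed); any BLOCK keeps the
    overall verdict at REALRUN_BLOCKED_MULTI_GATE. The verdict never flips config."""
    per_gate = {g: ("GO" if observed.get(g) == want else "BLOCK") for g, want in GATES_REQUIRED.items()}
    blocked = [g for g, v in per_gate.items() if v == "BLOCK"]
    return {
        "per_gate": per_gate,
        "blocked_gates": blocked,
        "OVERALL_VERDICT": "GO" if not blocked else "REALRUN_BLOCKED_MULTI_GATE",
    }


def provenance_defects(prov: Any) -> list[str]:
    """Shape check on the provenance stud; returns the defect list (empty means valid)."""
    if not isinstance(prov, dict):
        return ["provenance_absent"]
    defects = [f"missing:{k}" for k in PROVENANCE_KEYS if k not in prov]
    conf = prov.get("confidence")
    conf_ok = isinstance(conf, (int, float)) and not isinstance(conf, bool) and 0.0 <= conf <= 1.0
    if "confidence" in prov and not conf_ok:
        defects.append("invalid:confidence")
    return defects


def k5_quarantine_decision(edge: dict[str, Any]) -> dict[str, Any]:
    """K5: decide, never mutate. Absent/invalid provenance, or confidence below the
    threshold, yields a status='quarantine' decision with trust_score=0 (Dieu 39 A8).
    The returned record is only the decision; applying it is a separate Owner-gated write."""
    defects = provenance_defects(edge.get("provenance"))
    if not defects and edge["provenance"]["confidence"] < MIN_CONFIDENCE:
        defects = [f"below_threshold:{edge['provenance']['confidence']}<{MIN_CONFIDENCE}"]
    if defects:
        return {"edge_id": edge["id"], "status": "quarantine", "trust_score": 0, "reason": defects}
    return {"edge_id": edge["id"], "status": "retain", "reason": []}


def decide_batch(edges: list[dict[str, Any]]) -> dict[str, int]:
    """Run K5 over a batch and count decisions by status (report-only, like K6)."""
    counts: dict[str, int] = {}
    for e in edges:
        status = k5_quarantine_decision(e)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample: an untagged legacy-seed edge, a tagged edge above threshold,
# a tagged edge below threshold, and one carrying a malformed stud.
SAMPLE_EDGES = [
    {"id": 1, "type": "USES", "origin": "LEGACY|S167H", "provenance": None},
    {"id": 2, "type": "BELONGS_TO", "origin": "DIRECTUS",
     "provenance": {"source_doc_id": "doc-A", "section_id": "s1", "extraction_method": "structural_sync",
                    "confidence": 0.95, "timestamp": "2026-03-28T00:00:00Z"}},
    {"id": 3, "type": "CONTAINS", "origin": "DIRECTUS",
     "provenance": {"source_doc_id": "doc-B", "section_id": "s2", "extraction_method": "llm",
                    "confidence": 0.6, "timestamp": "2026-04-21T00:00:00Z"}},
    {"id": 4, "type": "USES", "origin": "LEGACY|S167H",
     "provenance": {"source_doc_id": "doc-C", "confidence": "high"}},
]

# The R1a baseline observation of the five gates, as carried in section 3.
R1A_BASELINE = {
    "gate_real_run_enabled": False,
    "gate_execute_enabled": False,
    "gate_dry_run_only_cleared": False,   # dry_run_only=true
    "gate_dotkg_owner_present": 0,
    "gate_contract_realrun_mode": "DRY_RUN",
}

if __name__ == "__main__":
    verdict = k1_preflight_verdict(R1A_BASELINE)
    print(verdict["OVERALL_VERDICT"], "with", len(verdict["blocked_gates"]), "gates blocked")
    print(decide_batch(SAMPLE_EDGES))
```

Feeding the R1a baseline through k1_preflight_verdict reproduces the carried NO_GO with all five gates BLOCK, and the sample batch shows that only a complete, in-range stud escapes quarantine.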


10. R1-K integration boundaries

K-blocks integrate ONLY through named contract surfaces (studs). No K-block calls another's body; no K-block shares mutable internal state.

  1. K3 → K4 via a provenance source-of-truth record. Recovery produces the SoT; tagging reads it. K3's two origins (Directus structural defs, S167H seed manifest) are two independent sub-studs — replaceable separately.
  2. K4 → K5 via the provenance JSONB on edges. Tagging writes provenance; quarantine reads presence/threshold. Absence of the stud is itself the trigger ("no provenance ⇒ quarantine").
  3. K1 gates K2 gates execution. The five-gate preflight verdict is the stud; contract-mode promotion is the next stud; both are fail-closed and ordered (R1-D2: owner → contract coverage → promote → clear dry_run_only → master switches last).
  4. K6 is the explainability stud ("no explanation = no execution") — read-only; it never feeds back as an action.
  5. K7 is a boundary guard, not a pipeline stage — it sits beside the lane to reject any attempt to source provenance from vectors.

External convergence (referenced, not redesigned — see §12): every write-enabled move (gate-clear, owner-assign, contract-promote, backfill) routes through S1/Điều 32; any materialization (K4 backfill, cell_id/dot_role/canonical_fields) checks the S5 gate first; S167H recovery flows in via S6; all run-evidence appends to S7; per-block rollback discipline follows S8.

Cross-package isolation (coordination statement). The R1-K (K) blocks and the R2-B (B) blocks share zero write surface at the design tier. They touch only the shared S-blocks, and only at two convergence gates: S1 (Điều 32/37 Owner authorization) for any write-enabled clear/build, and S5 + S6 (CONS/CELL + source-recovery) for any materialization. Neither convergence is reached by a design-only package. R1-K is therefore safely designable in isolation from R2-B; this packet redesigns no B-block and no S-block.


11. R1-K anti-coupling rules

The KG-lane subset of the twelve anti-coupling rules. All are MUST-NOT.

Rule | Statement | Evidence it guards against
AC-4 | KG runner (K1) / tagger (K4) must not create the provenance source-of-truth (K3). | No SoT exists; a runner inventing one = ungoverned provenance.
AC-5 | Provenance recovery (K3 / external S6) must not directly backfill edges (K4). | Recovery is read-only/design; backfill is a separate Owner-gated write.
AC-6 | Quarantine decision (K5) must not mutate edges without an Owner-gated write package. | Quarantine is absent today; arming it as auto-mutate skips Điều 32.
AC-8 | Qdrant/vector search (K7) must not be treated as provenance. | Category error: embeddings ≠ governance provenance.
AC-10 | No K-block may auto-fix another block (K6 records, never acts). | Scanner = list-only (Điều 39/Điều 35); auto-fix → proposal via Điều 32.
AC-11 | No report PASS may become Owner authorization; no K-block routes a write around S1. | PASS_WITH_CAVEATS ≠ authorization; fn_auto_approve_add bypass = violation to close.
AC-12 | No mega-graph / mega-registry / one-engine. | The "one KG engine that reasons+tags+quarantines+certifies" is the prohibited shape.

Anti-mega-system rules (structural, KG lane). No mega-graph (recovery/tag/quarantine + gate/contract stay separate narrow blocks); no mega-registry / no second SSOT (extend universal_edges/kg_*; NT1/NT8/NT11 — no parallel graph store, no parallel provenance store); no hidden coupling KG ↔ registry ↔ pivot ↔ automation (they meet only at the shared S-blocks, only through named studs, only behind Điều 32 for writes).


12. Shared gates referenced, not redesigned

R1-K references the following shared governance gates only as external contracts. It does not redesign, weaken, or materialize them; each remains owned by the shared-governance layer (and by the Modular LEGO Scoping's S-block map). The K-lane only consumes their contracts.

Shared gate | External contract R1-K relies on (referenced only) | K-blocks that touch it
S1 — Owner / Điều 32 approval | The single quorum approval lane (high: ≥1 president + ≥2 ai_council + 0 reject; medium: ≥1 president; low: ≥1 approve / valid auto-rule). Fail-closed, verdict-only, ESCALATE_L3 on canonical/kernel. Must not be bypassed (RISK-BYPASS = violation to close). | K1 (every gate-clear), K2 (mode promote), K4 (backfill), K5 (edge mutation)
S2 — dot:kg owner assignment | Assign the KG governance owner (governance_object_ownership=0 today; clears K1 gate-4 via PROC-OWN-04), via Điều 37 authority map → Điều 32. Decide who; do not write it here. | K1 (gate-4), K2
S5 — CONS/CELL dependency | The materialization-prerequisite gate (CONS-002 thin IO contract; CONS-003 6-vs-7 composition; CELL-003/004/007 cell_id unmaterialized). Read-only design may proceed; materialization may not until resolved. | K4 (backfill), and any cell_id/canonical materialization
S6 — Source-recovery | Out-of-band, Owner-controlled recovery of the `LEGACY|S167H` seed manifest (absent from the substrate; SOURCE_RECOVERY_REQUIRED); CAV-2 (no overclaim of recoverability). | K3 (S167H origin)
S7 — Evidence / audit log | The append-only evidence trail (kg_quality_log, governance_audit_log, event_outbox; AP-CLOSE per-run counts/ids/timestamps/hashes). Records, never decides. | every K-block's "evidence required" appends here
S8 — Rollback / delete-rebuild boundary | The per-block snapshot/rollback discipline (Điều 39 mandatory pre-batch snapshot for ABox writes; fn_iu_enact atomic/post-verify pattern). A discipline/contract, not a script. | K4 (tag batch), K5 (decision)

Not redesigned here: S1 quorum mechanics, S2 ownership authority order, S5 composition model, S6 recovery mechanics, S7 schema, S8 rollback scripts. R1-K touches none of S3 (registry/pivot identity) or S4 (canonical address) — those are R2-lane / structural surfaces, referenced by R2-B, not by the KG lane.


13. Owner-gated future writes

Every action below is still forbidden now (OWNER_GATE_REQUIRED). Listing is scoping, not authorization. Each becomes possible only after a separate Owner gate (and, where noted, CONS/CELL + source recovery).

Future action | K-block | Gate required | Still forbidden now?
Assign the dot:kg governance owner (PROC-OWN-04) | external S2 / K1 gate-4 | Điều 37 → Điều 32 | Yes
Promote DOT_KG_* contract DRY_RUN→REAL_RUN | K2 | Điều 32 | Yes
Build/extend agent-api contracts for provenance/quality DOTs | K2 | Điều 32 | Yes
Clear any of the 5 KG preflight gates (config flips) | K1 | Điều 32, in R1-D2 order, master switches last | Yes
Recover the `LEGACY|S167H` seed manifest | external S6 / K3 | Owner out-of-band (CAV-2) | Yes
Backfill edge provenance | K4 | Điều 32 + external S5 + K3 SoT present | Yes
Build the quarantine lane / quarantine any edge | K5 | Điều 32 (+ design after K3/K4) | Yes
Wire KG quality/explanation writers | K6 | Điều 32 | Yes
Materialize cell_id/dot_role/canonical_fields for KG | external S5 | CONS-002/003 + CELL-003/004/007 resolved + Điều 32 | Yes

FUTURE_TECHNICAL_DESIGN_REQUIRED (moved out of this packet, not written here): producer/dispatcher build mechanics, contract-wiring mechanics, provenance-tagging mechanics, quarantine-lane mechanics, any schema/DDL/function/migration/rollback-script. These belong to a later, separately-authorized package.


13.A. Codex-style adversarial reconstruction (design-only)

Applied as a conceptual contract check, not run against runtime. No bad-input test was executed; nothing was dispatched, flipped, or mutated.

  1. Do not trust the report; look for actual governed surfaces. The K-block contracts are reconstructed from first-hand KB reads (R1a rev1, Owner Decision Packet rev1, Modular LEGO Scoping rev1, Điều 39 v2.3 / note rev1, Điều 32 v1.1, OR v7.58), not from memory or local prose. Exact governed identifiers are cited: v_dotkg_realrun_preflight (5 BLOCK gates), dot_agent_api_contract (1/36), universal_edges (2199, LEGACY|S167H 2039 + DIRECTUS 160, 0 provenance), DOT_KG_PROVENANCE_TAG/AUDIT, fn_iu_kg_edge_audit, fn_preflight_guard, governance_object_ownership (0), kg_quality_log (0), kg_thresholds, kg_source_authority 5-tier, kg_auto_approve_rules 6-row.
  2. Fresh-reconstruct from KB, not local prose. The local repo is substrate-free/stale; the VPS PostgreSQL directus DB is the sole substrate-of-truth in the prior accepted read-only runs. All facts are INHERITED from those runs; AgentData storage revision/content_length are authoritative in AgentData metadata at read time (this body pins none).
  3. Use actual readback metadata and exact paths. Every source in §2 is cited by exact KB path + editorial revision; runtime identifiers are quoted verbatim from R1a's read-only catalog observations.
  4. Create bad-input scenarios conceptually outside the happy path. §9 constructs, per block, the invalid-input/invalid-state cases (owner-missing, no-contract, no-SoT, SoT-absent, no-provenance, no-explanation, vector-as-provenance) that a happy-path harness would skip.
  5. Check whether each contract rejects bad input fail-closed. §9 confirms each block degrades to a fail-closed state: K1→NO_GO, K2→DRY_RUN, K3→SOURCE_RECOVERY_REQUIRED, K4→no-op/blind-update-reject, K5→quarantine, K6→read-only finding, K7→category-error reject.
  6. Fail-open ⇒ reject. Tested against "would invalid input still create a PASS / provenance / real-run?": no K-block does. The only fail-open residue is the external fn_auto_approve_add (RISK-BYPASS) in the S1 lane — flagged as a violation to close (AC-11), explicitly not a K-block behavior and never to be routed around. K1's warn-equivalent (master switches off) is fail-closed (NO_GO), not fail-open.
  7. Distinguish engineering PASS from authority PASS. This packet's PASS is an engineering/design statement that the K-contracts are complete and fail-closed on paper. It is not Owner authorization. Default HOLD; every blocker OPEN.

14. What remains unresolved

  • SOURCE_RECOVERY_REQUIRED — K3 (S167H). The LEGACY|S167H seed manifest is not in the inspected substrate; recovery is out-of-band via external S6. Per CAV-2, this packet asserts neither recoverability nor unrecoverability — only absence from the inspected substrate.
  • BAD_INPUT_BEHAVIOR_UNCLEAR (bounded). For K3/K4/K5, the built rejection behavior cannot be runtime-verified (the blocks are MISSING; INHERITED_EVIDENCE only). §9 therefore defines the expected rejection contract conceptually; no tested runtime result is claimed. This is a contract specification, not a verification.
  • OWNER_GATE_REQUIRED — every write in §13, plus the external S2 dot:kg ownership assignment. None authorized.
  • Blockers stay OPEN: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY (0-provenance), Điều 35 production-readiness FAIL. None resolved here.
  • FUTURE_TECHNICAL_DESIGN_REQUIRED: all build mechanics (per §13). Explicitly not written here.
  • NOT_LEGO_COMPATIBLE: none. All seven K-blocks isolate cleanly; the one soft boundary (K3/S6) is resolved by keeping the blocks separate, not merging.

15. Next R1-K package recommendation

This packet opens no next package. It recommends:

  • NP-1 — GPT review of this R1-K packet (alongside the R2-B packet and both execution reports).
  • NP-2 — Codex adversarial control review (after GPT).
  • NP-3 — Owner chooses whether to proceed to a narrower design-only TD-prep package for one or more K-blocks (e.g. K3 provenance source-recovery study; K2 contract-coverage extension design; K5 quarantine semantics design) — design-only, behind a further Owner gate.
  • NP-4 — Write-enabled remediation remains forbidden until, in order: a design-only TD-prep package → Codex review → Owner approval → a rollback plan → a runtime-verification plan. No automatic TD. No automatic write-enabled remediation.

R1-K and R2-B remain separate packages throughout; opening one does not open the other.


16. Ready for GPT/Codex review

Yes. This R1-K packet is a complete design-only block-contract set: seven isolated K-blocks (K1–K7); a thirteen-field contract per block (§7 + §9); isolation/replaceability/rollback per block (§8); a bad-input/invalid-state fail-closed rejection matrix (§9); a design-only Codex-style adversarial reconstruction; KG-lane anti-coupling rules (§11); shared gates referenced not redesigned (§12); a fully Owner-gated future-write list (§13); all six caveats carried; all blockers OPEN; nothing built, mutated, or authorized; R1-K kept separate from R2-B.

Core rule, kept above all detail: Do not design a complex interlocked machine. Design small LEGO blocks with explicit contracts. If one block is wrong, it must be removable and rebuildable without breaking the rest. Engineering PASS is not authority PASS. No PASS authorizes writes.

Default disposition: HOLD.