KB-722B rev 9

DOT_R2_B2_STAGING_SCHEMA_SHELL — Birth / Admission Record (Macro-9B1, 2026-06-19)


Mission: R2-B2-MACRO-9B1-DOT-ARTIFACT-BIRTH-ADMISSION-ANTI-ORPHAN-2026-06-19
Type: KB-only governance admission patch. This record gives birth/admission identity to the 7 Macro-9B artifacts so they are not orphans. It does not register, wire, or run any DOT, and creates no schema/table/collection/owner-row.
Date: 2026-06-19.
Authorizes nothing. Engineering PASS ≠ Owner authority PASS. Default = HOLD.


0. Status

candidate-born / engineering-admitted / REGISTRATION_HOLD / HOLD_FOR_OWNER_REAL_RUN

  • Birth state: candidate-born — the entity and its components exist as authored KB artifacts with a stable identity.
  • Admission state: engineering-admitted — the package passed local fail-closed validation. Macro-9B2 (2026-06-20) closed all 7 Codex HOLD findings; the validator is now rev2 and the authoritative evidence is dot-r2-b2-validator-test-run-v2.txt (64/64 PASS, 0 fail-open), which SUPERSEDES the rev1 37/37 run (dot-r2-b2-validator-test-run.txt, retained as historical only). Admitted as an engineering artifact, not as runtime authority.
  • Runtime registration: REGISTRATION_HOLD — not in dot_tools, no agent-api contract, no runtime gate. Verified fresh 2026-06-19: 0 matching rows in dot_tools (count unchanged at 309).
  • Real-run authority: HOLD_FOR_OWNER_REAL_RUN — no Owner real-run grant; runtime execute gates shut.
  • Authority state: NOT_OWNER_AUTHORIZED; governance_object_ownership = 0 (fresh, 2026-06-19); Macro-8 P3 owner role granted on paper only.

1. Authority basis

This record rests on existing governance/birth doctrine and the DOT-only handbooks — it invents no new runtime registry:

  • dot-manage/dot-usage-handbook.md §18 (Missing DOT/Guard Register + 10 manual-block hardening principles) and §15 (NO-GO with existing DOTs).
  • collections-manage/collections-usage-handbook.md §16/§19 (no disposable workbench store; missing-capability).
  • consolidation/macro8-owner-five-gate-decision-… — SB-4 (separate run-scoped schema in directus DB, delete-fast, abort-on-drift); Macro-9 conditional-GO to author, not to build/run.
  • Macro-9B execution report + artifact index (the package this record admits).

This KB record is transitional. Runtime authority remains the existing registries (dot_tools, law_dot_enforcement, dot_config, dot_agent_api_contract, governance_object_ownership). This admission record does not replace them and confers no runtime status.


2. Entity identity

Primary DOT:

  • DOT_R2_B2_STAGING_SCHEMA_SHELL — one run-scoped, disposable, delete-fast R2-B2 staging schema r2_b2_wb_<run_id> in the directus DB; 6 modes (validate_only, dry_run_plan, verify, teardown_plan, real_run, teardown_real_run); allowlist ^r2_b2_wb_[a-z0-9]+(_[a-z0-9]+)*$ + run_id-embedded; 7 empty shell tables. Design = Option B (1 primary DOT + 4 separable guards via explicit dict contract).

Guard components (4, separable):

  • DOT_SCHEMA_WRITE_ALLOWLIST_GUARD — pre-write fail-closed allowlist / protected-target / manual-channel reject.
  • DOT_SCHEMA_WRITE_AUDIT_PROOF — audit envelope for every decision (accept or reject).
  • DOT_PRODUCTION_UNTOUCHED_VERIFY — read-only before/after structural-inventory + frozen-invariant check; abort-on-drift.
  • DOT_STAGING_SCHEMA_DELETE_FAST — teardown via DROP SCHEMA … CASCADE, allowlist re-checked.

3. Artifact inventory

All 7 Macro-9B artifacts (AgentData KB). Each carries: identity · purpose · status · owner/authority state · allowed use · forbidden use · evidence_ref.

Artifact 1 — Primary DOT contract

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-staging-schema-shell.contract.md (rev1, len 8836)
  • Identity: specification of DOT_R2_B2_STAGING_SCHEMA_SHELL (6 modes, allowlist, 7 shell tables, guard composition).
  • Purpose: define the missing run-scoped staging-schema DOT path so it can later be registered and (separately, Owner-gated) run.
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: read as engineering contract; basis for Codex review and a future Owner-authorized registration design.
  • Forbidden use: treating it as registration, runtime authority, or permission to build/run.
  • Evidence_ref: main report §"NEW DOT PACKAGE"/§"CONTRACT"; validator + test-run (artifacts 3, 5).

Artifact 2 — 4 guard contracts + manual-block assessment

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-schema-write-guards.contract.md (rev1, len 8352)
  • Identity: contracts for the 4 guards (rows 2–5 of DOT §18) + fresh manual-block hardening assessment (principles 1–10).
  • Purpose: make the DOT-only zone enforceable, not just documented; record runtime GAPS 2/3/4 as preconditions.
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: read as guard/reject spec; precondition checklist for registration.
  • Forbidden use: treating GAP-closure (role/grant/policy change) as done — it is not; no grant/revoke was performed.
  • Evidence_ref: main report §"MANUAL-BLOCK GUARD ASSESSMENT"; validator (artifact 3).

Artifact 3 — Reference fail-closed validator

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-staging-schema-shell.validator.py (rev2 — Macro-9B2 remediation, closes 7 Codex HOLD findings)
  • Identity: pure decision function (no DB/network/exec import) implementing the guards + router; rev2 adds required channel/actor, strict full-string/control-char validation, strict-boolean gate, executable Guard 3 enforced before any real-run write, and Guard 4 separability via a shared helper.
  • Purpose: prove the contract is fail-closed (default-deny; accept only on empty reject set); emit plans/verdicts as data only.
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: read/run locally as a validation reference; never as the write-enabled implementation.
  • Forbidden use: mistaking it for the DOT that issues real CREATE SCHEMA/DROP SCHEMA … CASCADE (that implementation is not authored).
  • Evidence_ref: v2 test-run evidence (artifact 5b), 64/64 PASS, 0 fail-open — supersedes the rev1 37/37 (artifact 5).
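
The following is an added sketch of the fail-closed decision shape described for Artifact 3; it is not the project's validator, which is not reproduced on this page. The allowlist pattern and mode names are those quoted in section 2; the request field names, the "dot" channel value and every reject code except REAL_RUN_GATE_CLOSED are assumptions made for illustration.

```python
import re

# Pattern and mode names are quoted from section 2; field names, the "dot"
# channel value and all reject codes except REAL_RUN_GATE_CLOSED are assumed.
RUN_ID = re.compile(r"[a-z0-9]+(_[a-z0-9]+)*")
ALLOWLIST = re.compile(r"r2_b2_wb_[a-z0-9]+(_[a-z0-9]+)*")
MODES = {"validate_only", "dry_run_plan", "verify", "teardown_plan",
         "real_run", "teardown_real_run"}
WRITE_MODES = {"real_run", "teardown_real_run"}


def decide(req):
    """Pure decision function: returns a verdict dict, touches nothing."""
    rejects = []
    mode, schema, run_id = req.get("mode"), req.get("schema"), req.get("run_id")

    if not isinstance(mode, str) or mode not in MODES:
        rejects.append("MODE_UNKNOWN")
        mode = None
    # Channel and actor are required: absence is a reject, never a default.
    if req.get("channel") != "dot":
        rejects.append("CHANNEL_NOT_DOT")
    actor = req.get("actor")
    if not isinstance(actor, str) or not actor.strip():
        rejects.append("ACTOR_MISSING")
    if not isinstance(run_id, str) or not RUN_ID.fullmatch(run_id):
        rejects.append("RUN_ID_INVALID")
        run_id = None
    # fullmatch, not match("^...$"): in Python "$" also matches just before a
    # trailing "\n", so an anchored match() would admit "r2_b2_wb_x\n".
    if not isinstance(schema, str) or not ALLOWLIST.fullmatch(schema):
        rejects.append("SCHEMA_NOT_ALLOWLISTED")
    elif run_id is not None and schema != "r2_b2_wb_" + run_id:
        rejects.append("RUN_ID_NOT_EMBEDDED")
    if mode in WRITE_MODES:
        # Strict boolean: 1, "true" or "True" must not open the gate.
        if req.get("real_run_gate") is not True:
            rejects.append("REAL_RUN_GATE_CLOSED")
        # Guard 3 (production-untouched) must have passed before any write intent.
        if req.get("guard3") != "PASS":
            rejects.append("GUARD3_NOT_PASSED")

    accept = not rejects  # default-deny: accept only on an empty reject set
    return {"accept": accept, "rejects": rejects,
            "write_intent": accept and mode in WRITE_MODES}


# Constructed sample request (not from the Macro-9B matrix).
SAMPLE = {"mode": "dry_run_plan", "channel": "dot", "actor": "agent-1",
          "run_id": "run42", "schema": "r2_b2_wb_run42"}

if __name__ == "__main__":
    print(decide(SAMPLE))
    print(decide({**SAMPLE, "schema": "r2_b2_wb_run42\n"}))
    print(decide({**SAMPLE, "mode": "real_run", "real_run_gate": 1, "guard3": "PASS"}))
```

The verdict is data only: nothing in the sketch connects to a database or issues SQL, matching the "plans/verdicts as data" property the record attributes to the reference validator.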

Artifact 4 — Bad-input rejection matrix (37 cases)

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-bad-input-matrix.md (rev2 — Macro-9B2; 64 cases)
  • Identity: 52 bad-input/no-write + 12 real_run simulation adversarial cases + 8 meta-assertions (expanded to cover all Codex HOLD cases).
  • Purpose: enumerate the adversarial inputs the validator must reject (protected schema, non-allowlist, SQL-injection, missing run_id/owner-auth, manual channel, prod-data copy, real-run gate).
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: read as test data; basis for re-running validation before any future registration.
  • Forbidden use: treating "validator rejects them" as proof of runtime safety (runtime is unregistered/ungated).
  • Evidence_ref: test-run evidence (artifact 5).

Artifact 5 — Validator run evidence (rev1, 37/37) — SUPERSEDED by Artifact 5b (Macro-9B2)

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-validator-test-run.txt (rev2 — superseded banner added; historical pre-remediation record only)
  • Identity: captured stdout of the local validator run, EXIT=0.
  • Purpose: evidence that every invalid input rejects (0 fail-open), accepts produce 0 writes, dry-run = 1 CREATE SCHEMA + 7 CREATE TABLE plan (not a write), real-run modes reject REAL_RUN_GATE_CLOSED.
  • Status: candidate-born / engineering-admitted (evidence).
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: cite as engineering validation evidence.
  • Forbidden use: citing it as Owner/authority approval or runtime proof.
  • Evidence_ref: self (local run, 2026-06-19); reconciled in main report §"BAD-INPUT REJECTION MATRIX". Superseded by Artifact 5b (Macro-9B2).

Artifact 5b — Validator run evidence v2 (64/64 PASS, 0 fail-open) — SUPERSEDING

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/specs/dot-r2-b2-validator-test-run-v2.txt (created rev1, Macro-9B2 2026-06-20)
  • Identity: captured stdout of the corrected validator (rev2) run, EXIT=0; 52 bad-input/no-write + 12 real_run simulation rows + 8 meta-assertions.
  • Purpose: authoritative engineering evidence that all 7 Codex HOLD findings are closed (missing channel/actor; control-char schema/run_id; strict-boolean gate; Guard 3 enforced before real-run; Guard 4 separability); 0 fail-open; write-intent appears iff gate is exactly boolean True AND Guard 3 PASS.
  • Status: candidate-born / engineering-admitted (evidence).
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: cite as the current engineering validation evidence (supersedes Artifact 5).
  • Forbidden use: citing it as Owner/authority approval or runtime/drift proof — it is local pure-validator evidence only.
  • Evidence_ref: self (local run, 2026-06-20).

Artifact 6 — Artifact index

  • Path: knowledge/dev/laws-new/newlaws/dot-manage/reports/macro9b-dot-staging-schema-path-artifact-index-2026-06-19.md (rev1, len 2665 → patched by Macro-9B1 to point here)
  • Identity: index of the 7-artifact package + component boundary + stop states.
  • Purpose: single entry point to the package.
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: navigation; Macro-9B1 patched it to reference this admission record.
  • Forbidden use: treating the index as authority or registration evidence.
  • Evidence_ref: points to artifacts 1–5, 7 and (post-patch) this admission record.

Artifact 7 — Main report

  • Path: knowledge/dev/laws-new/newlaws/reports/macro9b-dot-staging-schema-path-author-harden-report-2026-06-19.md (rev1, len 16531 → addendum added by Macro-9B1)
  • Identity: Macro-9B execution report (STATUS PASS_WITH_CAVEATS · REGISTRATION_HOLD · HOLD_FOR_OWNER_REAL_RUN).
  • Purpose: full record of method, existing-DOT insufficiency, contract, bad-input matrix, hardening assessment, authority, non-authorization, self-check, next action.
  • Status: candidate-born / engineering-admitted.
  • Owner/authority state: NOT_OWNER_AUTHORIZED.
  • Allowed use: primary evidence_ref for this admission; Codex review input.
  • Forbidden use: reading "Engineering PASS" as Owner authority PASS.
  • Evidence_ref: self; Macro-9B1 added an admission-status addendum pointing here.

4. Admission table

| Entity | Type | Birth state | Admission state | Runtime registration | Real-run authority | Evidence |
|---|---|---|---|---|---|---|
| DOT_R2_B2_STAGING_SCHEMA_SHELL | primary DOT (spec) | candidate-born | engineering-admitted | REGISTRATION_HOLD (0 rows in dot_tools, 2026-06-19) | HOLD_FOR_OWNER_REAL_RUN | report rev1; validator rev2; validator-test-run-v2 (64/64, 0 fail-open) [supersedes rev1 37/37] |
| DOT_SCHEMA_WRITE_ALLOWLIST_GUARD | guard (spec) | candidate-born | engineering-admitted | REGISTRATION_HOLD | HOLD_FOR_OWNER_REAL_RUN (only via primary DOT) | guards contract rev1; matrix T01–T14, T32–T33 |
| DOT_SCHEMA_WRITE_AUDIT_PROOF | guard (spec) | candidate-born | engineering-admitted | REGISTRATION_HOLD | HOLD_FOR_OWNER_REAL_RUN (only via primary DOT) | guards contract rev1 §"Guard 2" |
| DOT_PRODUCTION_UNTOUCHED_VERIFY | guard (spec) | candidate-born | engineering-admitted | REGISTRATION_HOLD | HOLD_FOR_OWNER_REAL_RUN (only via primary DOT) | guards contract rev1 §"Guard 3" |
| DOT_STAGING_SCHEMA_DELETE_FAST | guard (spec) | candidate-born | engineering-admitted | REGISTRATION_HOLD | HOLD_FOR_OWNER_REAL_RUN (only via primary DOT) | guards contract rev1; matrix T31–T32 |
| Primary DOT contract (doc) | spec artifact | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self rev1 (len 8836) |
| Guards contract (doc) | spec artifact | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self rev1 (len 8352) |
| Reference validator (code) | code artifact | candidate-born | engineering-admitted | N/A (KB doc; pure fn) | N/A | rev2; test-run-v2 (64/64, 0 fail-open) |
| Bad-input matrix (doc) | test data | candidate-born | engineering-admitted | N/A (KB doc) | N/A | rev2 (64 cases); test-run-v2 |
| Validator test-run rev1 (txt) | evidence | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self rev1 (EXIT=0) — SUPERSEDED |
| Validator test-run v2 (txt) | evidence | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self (EXIT=0, 64/64, 0 fail-open) — SUPERSEDING |
| Artifact index (doc) | index | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self rev1 |
| Main report (doc) | report | candidate-born | engineering-admitted | N/A (KB doc) | N/A | self rev1 (len 16531) |

No artifact is orphaned: each appears above and in §3. No entity is marked authorized-active.


5. Allowed use

The entity is admitted only as an engineering artifact, usable in these modes/forms:

  • validate_only, dry_run_plan, verify, teardown_plan — as plans/verdicts only (the validator proved 0 writes).
  • Read/run the reference validator locally; read the contracts, matrix, index, and report.
  • Cite as input to Codex adversarial review and to a future Owner-authorized DOT-registration design.

6. Forbidden use

Until both an authorized DOT-registration path and explicit Owner authorization exist:

  • real_run, teardown_real_run — forbidden (gate closed; would issue CREATE SCHEMA / DROP SCHEMA … CASCADE).
  • Runtime registration; dot_tools write (by hand or otherwise); law_dot_enforcement / dot_config / dot_agent_api_contract write.
  • Directus mutation; schema/table/collection creation; owner-row creation; any registry write.
  • Manual SQL / psql / docker exec psql / Directus generic create — forbidden lanes, rejected by the allowlist guard.

7. Registry bridge

Current runtime authority remains, unchanged, in the existing registries — this KB record does not replace them:

| Registry | Role | This record's relation |
|---|---|---|
| dot_tools | master DOT registry / runtime registration | authority; entity NOT present (0 rows, 2026-06-19); REGISTRATION_HOLD |
| law_dot_enforcement | DOT enforcement law | authority; unchanged |
| dot_config | runtime execute gates | authority; gates shut (dry-run only) |
| dot_agent_api_contract | agent-api binding | authority; entity NOT bound (2 unrelated rows) |
| governance_object_ownership | owner-of-record | authority; 0 rows (no owner) |

Future dot_operator_catalog (DOT §17) remains candidate-on-paper — not created here. collection_operator_catalog (Collections handbook) likewise remains candidate-on-paper.


8. Anti-orphan rule

No new DOT / component / schema / collection / workflow may be considered PASS unless it has a birth/admission record. This document is that record for the Macro-9B package. An artifact without an admission record is an orphan and must not be called usable, registered, active, or authorized.


9. Next required step

  1. Codex adversarial review of the Macro-9B + Macro-9B1 package (contract + guards + validator + matrix + this admission record).
  2. Owner decision on the separate DOT-registration path (resolve REGISTRATION_HOLD) — through an authorized DOT-registration path, never by hand.
  3. Before any real_run (resolve HOLD_FOR_OWNER_REAL_RUN): close hardening GAPS 2/3/4, open the runtime execute gate explicitly, fresh read-only preflight, prove SB-4 no-prod-touch + delete-fast.
  4. Do NOT build the schema, run Macro-9A, or launch Macro-9C automatically.

10. Admission Gate for Next Macro

Any later macro that consumes these Macro-9B artifacts must first verify this admission record. Required verification before consumption:

  • admission record exists;
  • entity identity exists;
  • all 7 artifacts are listed;
  • birth_state is candidate-born or higher;
  • admission_state is engineering-admitted or higher;
  • runtime_state is not falsely marked authorized-active;
  • evidence_ref points to the Macro-9B report and validator evidence;
  • Owner authorization state is explicit (NOT_OWNER_AUTHORIZED until an Owner grant exists);
  • registration state is explicit (REGISTRATION_HOLD until an authorized registration path runs);
  • next macro scope does not exceed the admitted state.

If any verification fails, the later macro must stop at:

HOLD_ADMISSION_MISSING_OR_INVALID

No later macro may call an artifact usable, registered, active, or authorized unless the admission record supports that state.


11. Consumer Checklist

Every future prompt that uses this DOT package must begin with:

  1. Read this admission record.
  2. Verify artifact identity and the artifact list.
  3. Verify no artifact is orphaned.
  4. Verify runtime registration state (REGISTRATION_HOLD).
  5. Verify Owner authorization state (NOT_OWNER_AUTHORIZED).
  6. Verify allowed modes (validate_only / dry_run_plan / verify / teardown_plan — plans only).
  7. Verify forbidden modes (real_run / teardown_real_run / registration / manual SQL / Directus generic).
  8. Verify next-macro scope does not exceed the admitted state.
  9. If missing or inconsistent → HOLD.

12. Future governance collections — candidate only

Recorded as future candidates, not created now:

  • governance_process_catalog
  • governance_artifact_admission
  • governance_dot_admission
  • governance_collection_catalog
  • governance_entity_lifecycle

Purpose — these future governance collections should eventually manage: process/macro definitions; DOT lifecycle; artifact birth/admission; collection/table catalog; ownership/authority state; allowed next-stage transitions; evidence references; retirement/rollback status.

Status: candidate-on-paper only. Do not create manually. Do not create through Directus generic collection create. Do not create through psql / manual SQL. Create only through a future authorized DOT, after a DOT-registration path and Owner authorization exist.


13. Anti-forget rule

The anti-orphan rule is not just a sentence for humans — it is a gate for later macros.

  • No later macro may consume a new artifact/entity unless it first checks admission.
  • No admission check = HOLD.
  • Missing admission = HOLD.
  • Inconsistent admission = HOLD.
  • State overclaim = HOLD.

This addendum does not implement the future collections and does not register anything. It only records the gate and the future governance needs.


End of birth/admission record. Macro-9B1 = anti-orphan governance patch. It does not register the DOT, run the DOT, create schema/table/collection, create the future catalogs, or launch Macro-9C. It only gives birth/admission identity to the Macro-9B artifacts. Engineering PASS ≠ Owner authority PASS. Default HOLD.

knowledge/dev/laws-new/newlaws/dot-manage/admission/dot-r2-b2-staging-schema-shell-birth-admission-2026-06-19.md