KB-40A0

DOT Manage — C1 Dry-Run Execution Control Addendum

Revision 1

Date: 2026-06-22
Purpose: Keep DOT manage current before the next C1 dry-run execution macro. This addendum records the operational decision that Directus/DOT credentials may be retrieved from Secret Manager, but all governed runtime writes remain DOT-only.

Status before next macro

  • DOT manage survey for C1 dry-run is complete.
  • dot_tools / CAT-006 are the DOT management SSOT surfaces.
  • The existing DOT manage path must be reused first; do not invent a new DOT birth path.
  • dot-dot-register / DOT-REGISTER is the lawful registrar path to be used if executable credentials are available.
  • Macro-9 staging schema path is authored/admitted under REGISTRATION_HOLD; it is not the C1 dry-run path by itself.
  • Local sandbox C1 logic has been proven, but a local sandbox proof is not governed runtime readiness.
  • Governed runtime C1 dry-run is not ready until the DOT-managed C1 executable surface is registered and verified.

Secret Manager instruction

All required Directus/DOT/admin credentials should be discovered through Google Secret Manager under the project:

github-chatgpt-ggcloud

Claude/Codex agents must never print secret values in reports. Reports may record only:

  • secret name;
  • secret purpose inferred from name/metadata;
  • access success/failure;
  • redacted fingerprint if needed;
  • which command used the secret, with value redacted.

Secret values may be exported into the local shell/runtime only for the immediate governed operation and must be redacted from logs.
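The reporting rule above can be enforced in code rather than by convention. The following is an added example, not part of the original addendum or of any DOT tooling: it builds a report entry containing only the permitted fields and strips the secret value (raw and URL-encoded) from the recorded command. The function names, the secret name DIRECTUS_ADMIN_TOKEN, the sample value and the host are assumptions constructed for illustration.

```python
import hashlib
from typing import Optional
from urllib.parse import quote

REDACTED = "[REDACTED]"

def fingerprint(value: str, length: int = 12) -> str:
    """Truncated SHA-256 so two reports can confirm 'same secret' without the value.
    Assumes a high-entropy credential; a short hash of a guessable value is not safe."""
    return "sha256:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:length]

def redact(text: str, value: Optional[str]) -> str:
    """Remove the secret from text, including its URL-encoded form (query strings)."""
    if not value:
        return text
    variants = {value, quote(value, safe="")}
    for v in sorted(variants, key=len, reverse=True):  # longest variant first
        text = text.replace(v, REDACTED)
    return text

def report_entry(name: str, purpose: str, value: Optional[str], command: str) -> dict:
    """Build only the fields a report may record; value=None means access failed."""
    return {
        "secret_name": name,
        "purpose": purpose,
        "access": "success" if value else "failure",
        "fingerprint": fingerprint(value) if value else None,
        "command": redact(command, value),
    }

# Constructed sample data (hypothetical secret name, value and host).
SAMPLE_VALUE = "s3cr3t/ex+ample=="
SAMPLE_COMMAND = (
    'curl -H "Authorization: Bearer s3cr3t/ex+ample==" '
    '"https://directus.example.invalid/items/dot_tools'
    '?access_token=s3cr3t%2Fex%2Bample%3D%3D"'
)
FETCH_COMMAND = ("gcloud secrets versions access latest "
                 "--secret=DIRECTUS_ADMIN_TOKEN --project=github-chatgpt-ggcloud")

if __name__ == "__main__":
    purpose = "Directus admin API access"
    print(report_entry("DIRECTUS_ADMIN_TOKEN", purpose, SAMPLE_VALUE, SAMPLE_COMMAND))
    print(report_entry("DIRECTUS_ADMIN_TOKEN", purpose, None, FETCH_COMMAND))
```

The same redact function can be applied to captured stdout/stderr before it is written to a log, which covers the requirement that exported values be redacted from logs.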

DOT-only rule

Directus/admin credentials are not permission to manually create collections, fields, tables, functions, or registry rows.

They are a capability to run the lawful DOT-managed path, such as:

  • DOT birth/admission if applicable
  • DOT-REGISTER / dot-dot-register
  • DOT_COLLECTION_REGISTER
  • DOT_SCHEMA_TABLE_REGISTRY_ENSURE
  • CAT-006 / dot_tools catalog update through governed path
  • dot_agent_api_contract registration through governed path
  • DOT_C1_* preflight/build/verify/harness/evidence/rollback through governed path

Manual Directus schema creation or manual SQL DDL/DML on governed runtime remains forbidden unless the action is executed by a DOT-approved migration/write path and recorded as such.

Next execution posture

The next macro should start at P0 and run through P6 in one pass:

P0 retrieve scoped credentials/capability via Secret Manager and verify lawful DOT registration path;
P1 author/admit C1 DOT specs if missing;
P2 reuse existing DOTs for collection/table-registry/schema ensure;
P3 register DOT_C1_* through dot-dot-register / DOT-REGISTER and update dot_tools/CAT-006/handbook ledger;
P4 mint scoped single-use C1 test/dry-run grant and ownership/binding;
P5 run C1 preflight and verify DOT dispatchability;
P6 run governed C1 dry-run + bad-input + rollback/no-state + evidence readback.

Required final distinction

Final reports must distinguish:

A. Local sandbox logic proof;
B. Governed DOT runtime registration proof;
C. Governed C1 dry-run execution proof;
D. Remaining operator action, if any.

Do not report C1 governed dry-run readiness unless B and C are proven from actual governed runtime evidence.
