DOT Manage C1 LEGO Dry-Run Lessons Addendum 2026-06-23
DOT Manage — C1 LEGO Dry-Run Lessons Addendum
Date: 2026-06-23
Scope: C1 first LEGO governed dry-run readiness
Status: ADDITIVE DOT-manage lesson/update
Purpose: Prevent future agents from repeating stale assumptions or creating orphan DOTs while preparing C1 dry-run readiness.
1. Current operating truth
C1 is not yet dry-run-ready.
Current state to preserve:
READY_FOR_CODEX_FINAL_CONFIRMATION = NO
READY_FOR_GOVERNED_DRY_RUN = NO
READY_FOR_PRODUCTION = NO
REGISTRATION_HOLD = ACTIVE
REGISTRATION_CAN_PROCEED = NO until owner-approved staged write path passes
The goal remains narrow:
First LEGO C1 governed dry-run readiness only.
No C2-C7.
No broad P2.
No mega-registry.
No mega-graph.
No mega-birth pipeline.
2. SSOT classification
Use this classification for all future work:
VPS /opt/incomex = code/runtime SSOT.
VPS /opt/incomex/dot/bin = DOT runnable code SSOT.
VPS /opt/incomex/deploy/agent-api-executor = executor source/deploy SSOT.
AgentData KB = report/evidence/DOT-manage knowledge SSOT.
Local /Users/nmhuyen/Documents/Manual Deploy/web-test = LOCAL STAGING ONLY.
Local staged files are not governed proof unless uploaded/read back from AgentData KB and clearly marked as staging.
Required labels for local artifacts:
LOCAL_STAGING_NOT_SSOT
NOT_GOVERNED_RUNTIME
NOT_DEPLOYED
NOT_REGISTRY_PROOF
NOT_DRYRUN_READY_PROOF
3. DOT 100% hard rule
DOT 100% applies to all governed actions, including the actions that create and govern DOTs.
DOT birth is DOT.
DOT governance/admission is DOT or DOT-approved lifecycle.
DOT registration is DOT.
dot_tools / CAT-006 / dot_agent_api_contract update is DOT.
DOT manage handbook/ledger update must be captured as governed evidence.
Schema / table / Directus collection / table_registry is DOT.
Grant / ownership / authorization is DOT-approved governance path.
Forbidden:
manual SQL DDL/DML on governed runtime;
manual Directus schema/registry write;
manual registry row insertion;
using Secret Manager credentials to bypass DOT;
report-only DOT birth;
local-only DOT script treated as governed DOT;
DOT registered without ledger/readback;
DOT without rollback/retire path.
4. Registrar defect discovered during C1 preparation
Do not run bare dot-dot-register real-run for C1 until the registrar path issue is mitigated.
Observed dry-run defect:
Stored dot_tools.file_path prefixes differ from disk scan paths.
Stored examples include: bin/..., opt/..., dot/...
Disk scan uses absolute /opt/incomex/dot/bin/...
Old matching logic causes false-new rows.
Bare dry-run reported 287 new rows.
Even the improved matcher, without a C1 filter, still sees backlog rows.
Required mitigation before any registrar write:
Use C1-only include filter / named DOT_C1 whitelist.
Use idempotent check by DOT code, not raw file_path only.
Dry-run expected diff must be exactly the named DOT_C1 rows and nothing else.
Backlog rows must not be inserted.
Readback must prove no duplicate DOT rows.
If registrar dry-run still reports broad new rows, stop:
C1_LEGO_PLAN_HOLD_REGISTRAR_DUPLICATE_DEFECT_UNRESOLVED
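Added example, not the registrar's own code: a dry-run gate that shows the false-new defect from raw file_path matching next to the required mitigation (C1 whitelist, idempotency by DOT code, exact expected diff, fail-closed hold). Assumptions: dot_tools rows expose a code column, a DOT code is derived from the file basename, and all sample rows and file names are constructed.

```python
import posixpath

DOT_BIN = "/opt/incomex/dot/bin"  # DOT runnable code SSOT named on the page
HOLD = "C1_LEGO_PLAN_HOLD_REGISTRAR_DUPLICATE_DEFECT_UNRESOLVED"

def code_of(path):
    # Assumed convention: DOT code = file basename, upper-cased, '-' -> '_'.
    return posixpath.basename(path).upper().replace("-", "_")

def old_diff(stored, disk):
    # Old matcher: raw string comparison of stored file_path vs. absolute scan path.
    known = {row["file_path"] for row in stored}
    return sorted(p for p in disk if p not in known)

def c1_diff(stored, disk, whitelist):
    # Idempotent by DOT code; only whitelisted codes may become new rows.
    stored_codes = {row["code"] for row in stored}
    new, backlog = set(), set()
    for path in disk:
        code = code_of(path)
        if code not in stored_codes:
            (new if code in whitelist else backlog).add(code)
    return sorted(new), sorted(backlog)

def gate(stored, disk, whitelist):
    # Fail closed: duplicates, or a diff that is not exactly the expected C1 rows, hold.
    codes = [row["code"] for row in stored]
    scanned = [code_of(p) for p in disk]
    if len(codes) != len(set(codes)) or len(scanned) != len(set(scanned)):
        return HOLD, []
    new, _backlog = c1_diff(stored, disk, whitelist)
    expected = sorted(set(whitelist) - set(codes))
    return ("OK", new) if new == expected else (HOLD, [])

# Constructed sample data (not real dot_tools rows or real file names).
STORED = [
    {"code": "DOT_ALPHA", "file_path": "bin/dot-alpha"},
    {"code": "DOT_BETA", "file_path": "opt/incomex/dot/bin/dot-beta"},
    {"code": "DOT_GAMMA", "file_path": "dot/bin/dot-gamma"},
]
DISK = [f"{DOT_BIN}/{name}" for name in (
    "dot-alpha", "dot-beta", "dot-gamma",
    "dot-legacy-unregistered", "dot-c1-preflight", "dot-c1-vocab-build")]
WHITELIST = {"DOT_C1_PREFLIGHT", "DOT_C1_VOCAB_BUILD"}

if __name__ == "__main__":
    print("old matcher false-new rows:", len(old_diff(STORED, DISK)))
    print("C1 gate:", gate(STORED, DISK, WHITELIST))
```

The gate only computes the dry-run diff; any write still has to go through the governed registrar path.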
5. Targeted registration must not bypass DOT
An earlier staged plan had a problematic idea: a targeted Directus POST into dot_tools.
That is not acceptable unless it is executed by a governed registrar/DOT-approved path.
Correct rule:
Targeted registration must be a patched governed registrar / DOT-approved registration path.
It must not be a manual Directus POST.
It must not be a manual SQL insert.
If targeted registration is direct POST/SQL outside DOT, stop:
GOVERNED_C1_DRYRUN_REJECT_DOT_BYPASS
6. Current C1 state
Current live state repeatedly confirmed:
No c1 schema.
No governance_canonical_operation_vocab table/collection.
No DOT_C1 tools in dot_tools.
No DOT_C1 contracts in dot_agent_api_contract.
No C1 grants.
No C1 endpoint route.
Preflight = NO_GO until W1-W9 execute.
This is expected until owner-approved W1-W9 writes are applied.
7. W1-W9 staged LEGO write sequence
The staged plan is LEGO-small and must remain that way.
W1 registrar mitigation/stage only;
W2 DOT_C1 birth/admission/governance;
W3 C1 surface via schema/table_registry/collection DOTs;
W4 DOT_C1 tool registration/catalog/ledger;
W5 dot_agent_api_contract C1 binding;
W6 C1 no-mutation endpoint deploy;
W7 C1 grant/ownership;
W8 preflight + bad-input route-level readiness;
W9 evidence/readback package.
Each W step must have:
exact command;
DOT path;
payload path;
expected mutation;
readback command;
rollback/retire command;
blast radius;
stop condition;
Codex-style attack.
Do not combine unrelated domains into one write.
8. Current root blocker: authorize_build_step handler
The current blocker behind W7 is not merely the staged dot-c1-grant-issue script.
Root fact:
authorize_build_step.handler_ref = unimplemented
governance_build_authorization is a raw PG table, not a Directus collection. The old staged script that posted to a Directus endpoint was invalid and would have been a governance bypass if it worked.
Correct direction:
Implement the smallest C1-scoped authorize_build_step domain handler.
Rework dot-c1-grant-issue so it proposes authorize_build_step APR.
The grant is minted only by the governed handler after the required authority path.
Do not manually insert grants.
Do not build a generic authorization system.
The handler must be C1-only and dry-run/build-prep only.
9. Minimal handler constraints
The minimal handler must:
write only to the live governance_build_authorization schema;
create at most one C1-scoped grant per approved APR;
bind manifest hash;
bind plan/ref;
set expiry/TTL;
support revocation/consumption semantics;
reject REAL_RUN;
reject production/current corpus;
reject C2-C7;
not grant sovereign or production authority;
be idempotent;
have rollback/retire path.
It must not:
create a generic authorization framework;
accept arbitrary action_code;
hardcode live grant values;
write outside the C1 dry-run scope;
produce PASS/digest/seal for invalid input.
10. New DOT lifecycle table requirement
Every new DOT must carry this proof table:
DOT name;
why existing DOT cannot be reused;
birth DOT/path used;
governance/admission DOT/path used;
registration DOT/path used;
catalog/registry readback;
ledger/handbook readback;
rollback/retire path;
orphan check result.
This applies to:
dot-c1-grant-issue;
dot-c1-contract-register;
DOT_C1_VOCAB_BUILD;
DOT_C1_VOCAB_VERIFY;
DOT_C1_PREFLIGHT;
DOT_C1_BAD_INPUT_HARNESS;
DOT_C1_EVIDENCE_READBACK;
DOT_C1_ROLLBACK_CHECK.
If a new DOT has script/spec but lacks governed birth/admission/registration/catalog/ledger/readback, stop:
C1_GRANT_ISSUER_HOLD_DOT_LIFECYCLE_INCOMPLETE
11. Internal Codex stance required
Before any READY claim, re-check from the Codex stance:
I do not trust the report.
I find actual governed files.
I fresh-reconstruct from KB/runtime.
I run commands in the correct order.
I create my own bad inputs.
I check fail-closed behavior.
If invalid input emits PASS/digest/seal, I REJECT.
I distinguish engineering PASS from authority PASS.
12. Current next step
Current next step is not Codex review and not dry-run.
Current next step:
Apply, or stage for owner/operator application, only the minimal authorize_build_step handler prerequisite.
Then register/re-check dot-c1-grant-issue through DOT lifecycle.
Then re-run W1-W9 prewrite gate.
Only after W1-W9 executes and C1 readiness is proven should Codex final confirmation be requested.
Allowed intermediate target:
C1_AUTHORIZE_BUILD_STEP_HANDLER_PATCH_STAGED_FOR_OWNER_REVIEW
Future target after owner/operator apply:
C1_LEGO_PREWRITE_GATE_READY_FOR_OWNER_APPROVED_W1_W9
Codex target only after W1-W9 and full re-verification:
GOVERNED_C1_DRYRUN_READY_FOR_CODEX_FINAL_CONFIRMATION