Incomex AI Portal
KB-5566

DOT-Manage — Governed C1 Dry-Run P0–P6 Status — 2026-06-22

3 min read Revision 1
dot-managec1dryrunp0-p6capability-locked-operator-action-requiredstatus2026-06-22

DOT-Manage — Governed C1 Dry-Run P0→P6 Status — 2026-06-22

Purpose: Keep DOT-manage current after the GOVERNED_DOT_C1_DRYRUN_P0_TO_P6 execution macro. Supersedes the open question in the C1 dry-run execution control addendum ("creds may be retrieved from Secret Manager").

Outcome

  • Verdict: C1_DRYRUN_CAPABILITY_LOCKED_OPERATOR_ACTION_REQUIRED.
  • Secret Manager access succeeded; Directus/PG admin credentials exist — the "creds absent/staged" premise is now resolved (creds present).
  • Lawful registration path = on-deploy DOT CLI (DOT-REGISTER bin/dot/dot-dot-register.ts; /opt/incomex/dot/bin/dot-*) — no execution channel from the agent environment ⇒ unrunnable here.
  • DB dispatcher fn_process_agent_api_dispatch validates only (cannot execute/register); no governed registrar function; no registrar Flow (only [DOT-REG] -> AD CDC syncs).
  • Manual use of creds = forbidden (macro) + guard-blocked (runtime block_after_guard / canonical-writer marker / preflight / birth gate).

Registry state (live, unchanged — 0 governed mutations)

dot_tools=309 · dot_agent_api_contract=2 (DOT_KG_EXPLAIN pair) · table_registry=21 · DOT_C1_*=0 · governance_canonical_operation_vocab=absent · gates dry-run-only (execute=false/real=false/dry_only=true).

Reuse-first (recorded; nothing authored to runtime)

Reuse as-is (operator-run): DOT-REGISTER, DOT_COLLECTION_REGISTER, DOT_COLLECTION_CREATE, DOT_SCHEMA_ENSURE, DOT_SCHEMA_TABLE_REGISTRY_ENSURE, [DOT-REG] flows. New via Path A at deploy: DOT_C1_VOCAB_BUILD/_VERIFY (+C1 preflight/rollback bindings). No orphan DOT. No frozen DOT reused.

Operator action (to advance)

  1. Run on-deploy registrar → create governance_canonical_operation_vocab + table_registry row + register Directus collection.
  2. Deploy C1 no-mutation endpoint on incomex-agent-api-executor:8090.
  3. Register DOT_C1_* into dot_tools+dot_agent_api_contract (DRYRUN-NS namespace, endpoint-bound).
  4. Mint one C1-scoped single-use dry-run grant + ownership binding.
  5. Re-run GOVERNED_DOT_C1_DRYRUN_P0_TO_P6 ⇒ genuine governed dry-run. Alternative: grant a governed command-execution capability for /opt/incomex/dot/bin/*.

Evidence package

knowledge/dev/laws-new/reports/governed-dot-c1-dryrun-p0-p6/ (index + 01–14 + codex-review-packet) · rollup …/reports/macro-governed-dot-c1-dryrun-p0-p6-2026-06-22.md.

Back to Knowledge Hub knowledge/dev/laws-new/newlaws/dot-manage/dot-manage-governed-c1-dryrun-p0-p6-status-2026-06-22.md