R1a — KG Runner / Log / Provenance Source Root-Cause Study

Date: 2026-06-18 · Workstream: R1a (read-only runner/cron/log root-cause study, run ∥ R2a, after accepted R1/R2 read-only scoping baseline + Codex PASS_WITH_CAVEATS) · Revision: rev1 Class: read-only root-cause study / runtime-evidence / Owner-decision-prep READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO blocker resolved · NO restart · NO job/DOT/KG execution.

0. Status and non-authorization

STATUS: PASS — the R1a root cause is identified with direct, first-hand read-only evidence at the runner / scheduler / config layer that R1 left as its PARTIAL gap. R1's open question ("why have 0/36 KG DOTs ever executed; where would provenance come from") is now answered from the live PostgreSQL catalog plus the deployed runner-contract substrate and the host-crontab snapshot.

PASS here is an engineering root-cause statement only. It is not an Owner authorization to remediate. This run did not run, restart, enable, trigger, or execute any DOT/KG/runner/job; it did not write the DB; it did not patch source or any prior report; it created only the three allowed reports. Engineering verification ≠ Authority approval. Every blocker remains OPEN.

Non-authorization (explicit). This report does not and cannot: run any write/DDL/DML; restart/reload any container or service; run any worker/cron/job; trigger DOT / KG / promote / birth / certify / repair execution; flip any dot_config gate; assign a process owner; promote any agent-api contract DRY_RUN→REAL_RUN; backfill provenance; quarantine edges; build/wire any runner; materialize KG / provenance / cell_id / dot_role / canonical_fields; patch source / law / draft / note / prior report; create a current corpus; write technical design; change authority order (CONS-004); change the v0.1 baseline; promote v0.2-hardening.

1. Sources read

KB / report baseline (read first-hand this run):

#	Source	Status
1	`consolidation/phase1b-runtime-truth-blocker-decision-packet-2026-06-17.md` (via R1/R2 carry)	READ (baseline)
2	`reports/r1-d39-kg-provenance-quarantine-execution-readiness-scope-2026-06-17.md` (rev1)	READ (full)
3	`reports/r2-birth-certify-canonical-stamp-readiness-scope-2026-06-17.md` (rev1)	READ (full)
4	`reports/r1-r2-parallel-readonly-scoping-execution-report-2026-06-17.md` (rev1)	READ (full)
5	`reports/phase1-readonly-runtime-blocker-verification-2026-06-17.md` (rev1)	READ (full)
6	`reports/codex/codex-review-r1-r2-parallel-readonly-remediation-scoping-2026-06-18.md` (Codex `PASS_WITH_CAVEATS`)	READ (full, local)
7	`.claude/skills/incomex-rules.md` (3 tuyên ngôn + non-mutation guard) + project `CLAUDE.md`	READ
8	R1 anchors carried: `notes/dieu39-knowledge-graph-compatibility-note.md`, `laws/dieu39-knowledge-graph-law.md` (v2.3)	READ via R1 carry

Codex caveat honored: Codex recommended exactly this — "a second read-only runner/cron/log root-cause macro first … R1 needs read-only KG runner/preflight/log and provenance source-of-truth study." This run executes that recommendation read-only.

Deployed source read first-hand (synced local mirror of the deployed /opt/incomex runtime — see §3): web-test/dot/bin/dot-inspect-pen, web-test/dot/bin/dot-birth-backfill (R2a-shared; confirm the manual-CLI runner pattern). No KG-provenance bin script exists (KG DOTs are pg_function/agent_api/hybrid, not shell — consistent with extra_metadata.execution_engine).

2. Commands and evidence ledger

Read-only proof. All SQL ran against database directus via the query_pg MCP tool: AST-validated, executed in a READ ONLY transaction as a read-only role, statement_timeout 5s, hard LIMIT 500, no writes/DDL. Docker access was list/tail-only (list_docker, docker_logs, both read-only; Docker socket mounted read-only). Local reads were Read/ls/find/wc only. Session window 2026-06-17 23:49 → 2026-06-18 01:30 UTC. No write/DDL/DML/execution/restart was made or prepared.

Tool-boundary note (contingency). The available VPS surface is list_docker, docker_logs (allowlisted containers only), query_pg (directus/incomex_metadata/workflow), read_file (allowlist /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx), and Directus reads. There is no docker exec / docker inspect / docker compose / crontab -l / systemctl tool. Host-level cron/systemd was therefore inspected via the read-only wf_host_crontab_snapshot table (a DB-captured host-crontab snapshot) rather than a shell — see §4/§6 of R2a. docker_logs for incomex-agent-api-executor (the KG dispatch runner) is DENIED (not in allowlist) → the executor's process logs are an EVIDENCE_GAP; the runner's state is instead established from its DB contract + preflight gates.

ID	Command (abbrev.)	Target	Read-only?	Exit	Used for
D0	`list_docker`	VPS Docker	yes	ok (11)	§3
Q1	`SELECT … FROM pg_extension`	directus	yes	ok (4)	§4 (no pg_cron)
Q2	`information_schema.columns` for `dot_tools`	directus	yes	ok (28)	§5
Q3	`dot_tools` KG-DOT detail (5 codes)	directus	yes	ok (5)	§5
Q5	run/exec/job/queue/sched table inventory	directus	yes	ok (68)	§4
Q6	`dot_tools` trigger_type distribution	directus	yes	ok (7)	§5
Q8	columns for 12 runner/queue/log tables	directus	yes	ok (154)	§4,§7
Q9	`dot_config` runner/queue/kg keys	directus	yes	ok (19)	§4,§6
Q11	`v_process_discovery_runner_status`	directus	yes	ok (17)	§4,§5
Q13	`queue_heartbeat`	directus	yes	ok (3)	§4,§7
Q14	recency/count union across 9 run/log tables	directus	yes	ok (9)	§7
Q15	`v_dotkg_realrun_preflight` (gate rows)	directus	yes	ok (10)	§6
Q16	`pg_get_viewdef('v_dotkg_realrun_preflight')`	directus	yes	ok (1)	§6
Q17	`dot_agent_api_contract`	directus	yes	ok (2)	§5
Q18	`process_run_observation`	directus	yes	ok (6)	§7
Q19	`dot_config` `process_dot_runtime.*`	directus	yes	ok (5)	§4
Q20	`governance_object_ownership`	directus	yes	ok (0)	§6
Q21	`event_outbox` breakdown	directus	yes	ok (8)	§7
Q24	`universal_edges` GROUP BY `_dot_origin`,`edge_type`	directus	yes	ok (5)	§9,§10
G1–G3	`docker_logs` postgres / directus / agent-data (tail 5)	VPS	yes	ok	liveness baseline
G4	`docker_logs incomex-agent-api-executor`	VPS	yes	DENIED (allowlist)	EVIDENCE_GAP (§2 note)
E1–E8	local `date`/`ls`/`find`/`wc`/`Read` (deployed source)	local mirror	yes	ok	§3,§5

3. Container / service inventory for KG/DOT execution

list_docker (D0) — 11 containers; KG/DOT-relevant:

Container	Image	Status	Role for KG
`incomex-agent-api-executor`	`agent-api-executor-local:v1`	Up 13 days (healthy), `:8090`	The KG/agent dispatch runner — endpoint `http://incomex-agent-api-executor:8090/dispatch` (bound in `dot_agent_api_contract`, Q17)
`postgres`	`postgres:16`	Up 2 months (healthy), `:5432`	hosts `directus` DB = governed substrate (`dot_tools`, `universal_edges`, `kg_*`, runner tables)
`incomex-agent-data`	`agent-data-local:latest`	Up 4 weeks (healthy)	KB / RAG service
`incomex-qdrant`	`qdrant/qdrant:latest`	Up 3 months (healthy)	vector store (see §11)
`incomex-directus`	`directus/directus:11.5`	Up 5 weeks (healthy)	CMS over `directus` DB; structural-edge source (§9)

Deployed runtime root = /opt/incomex on the VPS (38.242.240.89): containers under /opt/incomex/docker, operator DOT CLIs under /opt/incomex/dot/bin, deploy tree /opt/incomex/deploys/web-test (per host crontab, R2a §6). The local web-test/ tree is the synced source of those DOT bin scripts (matches dot_tools.file_path opt/incomex/dot/bin/… and the dot_origin tokens in §9). The local agent-data-langroid/ tree is the langroid application layer and is substrate-free (per Phase-1 PH1-F10) — not the KG-runner home. An actual KG runner therefore exists and is healthy (incomex-agent-api-executor); the question is whether KG work is routed to it and enabled (it is not — §5/§6).

4. Runner / scheduler / worker discovery

The directus DB contains a full job/queue/runner substrate (Q5, Q8): job_queue, job_dead_letter, event_outbox, queue_heartbeat, dot_iu_command_run, dot_iu_runtime_lease, candidate_scan_run, process_run_observation, wf_scanner_run_log, wf_adapter_run_log, wf_host_crontab_snapshot, universal_rule_runs, plus discovery views v_process_discovery_runner_status/_runtime_observed/_runtime_gaps.

Master execution switches are OFF (Q9, Q19):

`dot_config` key	value	since
`process_dot_runtime.real_run_enabled`	false	2026-06-04
`process_dot_runtime.execute_enabled`	false	2026-06-04
`process_dot_runtime.dry_run_only`	true	2026-06-04
`queue.worker.enabled`	false	2026-05-26
`queue.job_substrate.enabled`	false	2026-05-26
`queue.lease.reaper_enabled`	false / `reaper_dry_run_only=true`	2026-05-26
`queue.dlq.replay_enabled` / `queue.notify.enabled`	false	2026-05-26
`iu_core.composer_enabled`	false (Đ39 flight-test aborted)	2026-05-27
`queue.heartbeat.enabled`	true	2026-05-26
`iu_core.route_worker_enabled`	true	2026-05-21
`hc_executor_last_run`	2026-06-18T01:01:24 (today)	live

Runner classification (Q11, v_process_discovery_runner_status): of the DOT process-candidate families, PROC-CAND:dot:kg (36 members) = runner_kind = mixed_engine_partial_runner, dryrun_capability = requires_agent_api_contract (engine split agent_api 12 / hybrid 10 / pg_function 14). Every other dot:* family is engine_unclassified / requires_runner. Only PROC-CAND:job:cut (job_queue) has external_queue_runner (dryrun_runner_exists), and wf:WF-001/002 have workflow_engine.

Queue liveness (Q13, queue_heartbeat): 3 executors only — cut_pipeline_operator (external_worker, last tick 2026-05-26, 1 tick), dieu45_phase3_pilot (external_worker, 2026-05-26, 2 ticks), iu_outbound_default (PG_worker, 2026-05-22, status warn, 0 ticks). No queue executor has ticked since 2026-05-26.

Reading. A KG runner endpoint exists and is healthy (:8090/dispatch), but the generic DOT/job execution runtime is disabled by config and the queue worker has been idle since 2026-05-26. The only live "runners" are host-cron maintenance/scanner DOTs and the hc_executor health loop (ran today) — none of which touch KG. KG is therefore not routed to a running scheduler.

5. KG DOT wiring check

dot_tools (Q2 columns; Q3, Q6) wires DOTs via trigger_type, cron_schedule, script_path/file_path, and extra_metadata.execution_engine.

KG DOT detail (Q3):

code	tier	domain	trigger_type	cron	execution_engine	last_executed
`DOT_KG_PROVENANCE_TAG`	B	kg.governance	on-demand	—	hybrid	NULL
`DOT_KG_PROVENANCE_AUDIT`	A	kg.governance	cron	`0 /6 * *`	pg_function	NULL
`DOT_KG_HEALTH`	A	kg.quality	cron	`0 /6 * *`	pg_function	NULL
`DOT_KG_ORPHAN`	A	kg.quality	cron	`0 /6 * *`	pg_function	NULL
`DOT_KG_EXPLAIN`	B	kg.explain	on-demand	—	agent_api	NULL

Execution by trigger_type (Q6) — the smoking gun:

trigger_type	DOTs	executed
(NULL, legacy)	205	157 (all stamped `2026-03-31 08:08:57` = one backfill)
cron	42	0
on-demand	44	0
dual	6	0
event	5	0
on-deploy	4	0
manual	3	0

Every DOT carrying a real trigger (cron/on-demand/dual/event/on-deploy/manual = 104) has executed=0. Only legacy NULL-trigger DOTs show a single uniform 2026-03-31 backfill stamp (PH1-F9 — not live telemetry). The KG cron DOTs (0 */6 * * *) sit in the "cron: 42 / 0 executed" bucket.

Agent-api contract coverage (Q17, dot_agent_api_contract) — only 2 rows, both the EXPLAIN pilot pair:

DOT_KG_EXPLAIN — mode=DRY_RUN, endpoint_ref=http://incomex-agent-api-executor:8090/dispatch, contract_status=endpoint_bound, observation_write_policy=SIMULATED_DRY_RUN_ONLY_UNTIL_ENDPOINT, error_behavior=fail_closed_no_mutation, source_macro=DOT_AGENT_API_CONTRACT_DISPATCHER_2026_06_04.
DOT_KG_EXPLAIN_VERIFY — mode=VERIFY_ONLY, endpoint_ref=NULL, contract_status=contract_ready.

→ 35 of 36 KG DOTs — including both provenance DOTs — have NO agent-api contract and no runner binding at all. DOT_KG_PROVENANCE_TAG/AUDIT are routed neither to host cron (§6 of R2a: not present) nor to pg_cron (none, Q1) nor to an agent-api endpoint. Only the EXPLAIN pair was wired, as a 2026-06-04 dry-run pilot.

Is kg.* routed to a runner? Partially and only in dry-run: 1 of 36 DOTs (DOT_KG_EXPLAIN) is endpoint-bound in DRY_RUN; the rest are unrouted registrations.

6. v_dotkg_realrun_preflight usage check

v_dotkg_realrun_preflight is the KG real-run gate (Q15 content + Q16 definition). It reads dot_config (process_dot_runtime.*), governance_object_ownership, dot_agent_api_contract (for DOT_KG_EXPLAIN), and process_run_observation and emits a multi-gate verdict:

gate	current value	status	unblock action
`gate_real_run_enabled`	false	BLOCK	owner-authorized `dot_config` flip
`gate_execute_enabled`	false	BLOCK	owner-authorized `dot_config` flip
`gate_dry_run_only_cleared`	dry_run_only=true	BLOCK	set `process_dot_runtime.dry_run_only=false`
`gate_dotkg_owner_present`	0	BLOCK	`PROC-OWN-04` assign `dot:kg` family governance owner
`gate_contract_realrun_mode`	DRY_RUN	BLOCK	promote `DOT_KG_EXPLAIN` contract `DRY_RUN→REAL_RUN` (governed)
`precond_endpoint_bound`	1	GO	already bound (`executor:8090/dispatch`)
`boundary_no_mutation_assertion`	1	GO	controlled-mutation boundary held; `fail_closed_no_mutation`
`precond_dry_run_evidence`	2	GO	satisfied (2 correlated DRY_RUN)
`invariant_real_run_count_zero`	0	GO	must remain 0 until every gate GO + executor health + president authority
OVERALL_VERDICT	REALRUN_BLOCKED_MULTI_GATE	NO_GO	requires owner (config + `PROC-OWN-04`) + contract promotion + external executor health

governance_object_ownership (Q20) is empty (0 rows) → gate_dotkg_owner_present=0 (no process family has any assigned governance owner).

Reading. The preflight view is the live, used KG-runner gate, and it is deliberately, fail-closed NO_GO. The runner endpoint is bound and dry-run evidence exists; real KG execution is held behind five owner-authorized gates (two config flips, clearing dry-run-only, assigning a dot:kg owner, and promoting the agent-api contract to REAL_RUN). This is the Điều-39 "AI ĐƯỢC ĐỀ XUẤT, KHÔNG ĐƯỢC TỰ BAN HÀNH" fail-closed posture expressed at the runtime gate — intentional gating, not a broken or missing runner.

7. KG logs / execution attempts / skips

process_run_observation (Q18) — all KG "runs" ever: 6 rows, all process_candidate_code=PROC-CAND:dot:kg, all on 2026-06-04 (05:52 → 08:49 UTC). evidence_type: 4 × SIMULATED_DRY_RUN, 2 × DRY_RUN. source_system progression: dry_run_harness → dryrun_prepare_runner → agent_api_dispatch_planonly → agent_api_dispatch_correlated_pair. Zero REAL_RUN. Every KG "execution" in history = the 2026-06-04 EXPLAIN dry-run pilot; no provenance/health/audit/orphan DOT ran even in dry-run.
Runner-log recency (Q14): candidate_scan_run=0 rows; dot_iu_command_run=55 (last 2026-05-28); job_queue=13 (last 2026-05-26); job_dead_letter=0; event_outbox=215,588 (last 2026-06-18 01:00, dominated by system/issue_opened); process_run_observation=6 (last 2026-06-04); wf_scanner_run_log/wf_adapter_run_log last 2026-06-17 02:11 (the daily crontab/scanner snapshot). No KG-specific execution log exists beyond the 6 dry-run observations.
kg_quality_log (R1 §6 carry, Q14 pattern): 0 rows — see §8.
Executor process logs: docker_logs incomex-agent-api-executor = DENIED (G4) → KG dispatch attempt/skip/disabled-state at the process level is an EVIDENCE_GAP; however the DB-side dispatch ledger (process_run_observation = dry-run only) and the preflight NO_GO make the runtime conclusion unambiguous.

8. kg_quality_log writer path

kg_quality_log = 0 rows (R1 §6). The intended writers are the kg.quality DOTs — DOT_KG_HEALTH, DOT_KG_ORPHAN, and correction/consistency DOTs — all pg_function, all cron '0 */6 * * *', all last_executed=NULL (§5). With those DOTs never dispatched (no host cron entry, no pg_cron, no agent-api contract, real-run gate NO_GO), no code path has ever written kg_quality_log. The Điều-39 C7 precondition ("không giải thích = không thực thi") is unmet not because a writer is broken but because the quality DOTs have never been allowed to run. No non-DOT writer of kg_quality_log was found.

9. universal_edges provenance writer path

Intended writer: DOT_KG_PROVENANCE_TAG (kg.governance, tier B, on-demand, execution_engine=hybrid) — registered, no agent-api contract, never executed (§5). Its auditor pair DOT_KG_PROVENANCE_AUDIT (cron, pg_function) likewise never ran.
Only edges+provenance toucher in pg_proc (R1 §9 carry): fn_iu_kg_edge_audit — an audit/read function, not a provenance writer/backfiller. No fn_kg_quarantine, no provenance-tag writer function.
Who actually created the 2199 edges (Q24):

`_dot_origin`	edge_type	n	with_provenance	created
`LEGACY	S167H	2026-03-26`	USES	1486
`LEGACY	S167H	2026-03-26`	BELONGS_TO	351
`LEGACY	S167H	2026-03-26`	CONTAINS	202
`DIRECTUS`	BELONGS_TO	80	0	2026-03-28→04-21
`DIRECTUS`	CONTAINS	80	0	2026-03-28→04-21

→ The edge store was populated by a legacy seed (S167H, 2026-03-19) (2039 edges) and a Directus structural sync (160 BELONGS_TO/CONTAINS edges). Neither path wrote provenance, and the dedicated provenance-tag DOT never ran. So no provenance writer has ever executed against universal_edges — the 0/2199 provenance state is original, not a regression.

10. Provenance source-of-truth candidates

There is no provenance source-of-truth in the substrate for the 2199 edges. The edges are structural/lineage edges (USES/BELONGS_TO/CONTAINS) emitted by a seed manifest (S167H) and Directus relation definitions, not knowledge-claims carrying a document/section/authority origin. Điều-39 provenance ("provenance + source_authority + freshness; không provenance = quarantine") would have to be derived:

for DIRECTUS edges — from the Directus relation/collection definitions that generated them (structural truth, low controversy);
for LEGACY|S167H edges — from the S167H seed source/manifest (not present in the catalog; would need source recovery).

No mapping from edge → originating document/section/authority exists, and DOT_KG_PROVENANCE_TAG (the component that would assert it) has never been contracted or run. A provenance backfill is therefore not derivable read-only and remains a separate, Owner-gated design+write workstream — NOT authorized here.

11. Qdrant / entity_embeddings relevance

incomex-qdrant (Up 3 months, healthy) is the vector / semantic-search substrate; entity_embeddings is a vector collection used for similarity/RAG retrieval. It was not queried (no Qdrant tool in the available read-only surface; PG-only run). On the merits, the 2199 edges are structural (USES/BELONGS_TO/CONTAINS); Điều-39 provenance is a governance attribute (who asserted the edge, from which document/section, with what source_authority and freshness), not a vector. Therefore Qdrant/entity_embeddings is relevant to vector/search, NOT a provenance source-of-truth for KG edges. Treating embeddings as provenance would be a category error; provenance must come from the source documents/relations (§10).

12. Root-cause verdict

Verdict: KG runtime is REGISTERED_NOT_EXECUTED because KG real-run is deliberately fail-closed behind a multi-gate, owner-authorized preflight — not because the runner is missing or broken. Provenance is 0/2199 because the edges were seeded/synced without provenance and the provenance-tag DOT has never been contracted or run; no provenance source-of-truth exists in the substrate. (Confidence: High.)

Precisely:

Is there an actual KG runner? Yes — incomex-agent-api-executor (agent-api-executor-local:v1, healthy, :8090/dispatch), bound in dot_agent_api_contract and accepted by v_dotkg_realrun_preflight.precond_endpoint_bound=GO.
Is it enabled (for KG real-run)? No — process_dot_runtime.real_run_enabled=false, execute_enabled=false, dry_run_only=true (since 2026-06-04); queue.worker.enabled=false; queue idle since 2026-05-26.
Is kg.* routed to it? Only the EXPLAIN pilot, in DRY_RUN. 1/36 KG DOTs is endpoint-bound; the 35 others (incl. both provenance DOTs) have no contract, no host-cron entry, no pg_cron.
Why have 36 KG DOTs never executed? Five fail-closed gates (real_run_enabled/execute_enabled/dry_run_only/dotkg_owner_present=0/contract DRY_RUN) ⇒ OVERALL_VERDICT=REALRUN_BLOCKED_MULTI_GATE (NO_GO); plus no scheduler dispatches the cron KG DOTs (no pg_cron; KG not in host cron). Only 6 dry-run observations (2026-06-04 EXPLAIN pilot) exist.
Is there any provenance source-of-truth? No — edges seeded by S167H legacy + Directus structural sync, 0 provenance; writer DOT never ran; no edge→source mapping exists.
Is Qdrant relevant to provenance? No — vector/search only; provenance is a governance attribute, not an embedding.
What must happen before write-enabled R1? See §15.

This is consistent with — and sharpens — R1's REGISTERED_NOT_EXECUTED and Phase-1B. No contradiction.

13. Findings

ID	Severity	Summary	Blocks write-enabled remediation?
R1a-F1	HIGH	KG real-run is fail-closed NO_GO: `v_dotkg_realrun_preflight=REALRUN_BLOCKED_MULTI_GATE` (5 BLOCK gates incl. `execute_enabled=false`, `dry_run_only=true`, `dotkg_owner_present=0`, contract `DRY_RUN`). 0 REAL_RUN ever.	Yes — write-enabled R1 must clear these gates under Owner authority first
R1a-F2	HIGH	Only 1/36 KG DOTs (`DOT_KG_EXPLAIN`) has an agent-api contract; `DOT_KG_PROVENANCE_TAG/AUDIT` + 33 others are unrouted registrations (no contract, no host cron, no pg_cron).	Yes — provenance/health DOTs have no runner binding to build on
R1a-F3	HIGH	No provenance source-of-truth: 2199 edges seeded by `LEGACY	S167H`(2039) +`DIRECTUS`(160), 0 provenance;`fn_iu_kg_edge_audit` only audits; provenance-tag DOT never ran.
R1a-F4	MEDIUM	DOT execution runtime disabled at the master switch (`process_dot_runtime.*`=false/dry-run) and queue worker idle since 2026-05-26; the only live runners are host-cron maintenance/scanner DOTs + `hc_executor`.	Yes (for any DOT-runtime-dependent remediation)
R1a-F5	LOW/INFO (asset)	A real KG runner endpoint exists and is healthy (`executor:8090/dispatch`), with a fail-closed `no_mutation_assertion` boundary and 2 correlated dry-run proofs — a readiness asset, untested for real-run.	No
R1a-F6	INFO	`kg_quality_log`=0 is a downstream consequence of the quality DOTs never being dispatched (no writer is broken); `pg_cron` is not installed (only btree_gist/pgcrypto/plpgsql/postgres_fdw).	No
R1a-G1	INFO (gap)	`docker_logs incomex-agent-api-executor` DENIED → executor process logs not inspectable via available tools; conclusion rests on DB dispatch ledger + preflight.	No (does not change verdict)

No CRITICAL. No active mutation, bypass, or KG execution observed. No finding marked resolved.

14. What remains blocked

Every blocker stays OPEN. Điều-39 surface remains REGISTERED_NOT_EXECUTED; R1-F1/F2/F3 (HIGH) carry forward. Technical design for any KG build/rollout remains GATED. Forbidden until the Owner opens a write-enabled R1 workstream: flipping process_dot_runtime.* gates; assigning a dot:kg governance owner; promoting any agent-api contract to REAL_RUN; KG DOT execution; edge writes / provenance materialization / backfill; edge quarantine; kg_* schema change; TBox mutation. CONS-002/003 + CELL-003/004/007 remain Owner prerequisites to any R1 materialization.

15. Owner decisions required

R1a-OD-1 (carried from R1-OD-a, now answered → decision): the read-only KG-runner/preflight study is complete. The runner exists and KG real-run is fail-closed NO_GO by design. The Owner decides whether to keep KG read-only/dry-run or open a write-enabled R1 that (in a separate, governed, write workstream) clears the five preflight gates — none of which this run is authorized to touch.
R1a-OD-2 (provenance source-of-truth): authorize — or not — a read-only/design study of how Điều-39 provenance would be derived for the two edge origins (DIRECTUS structural relations vs LEGACY|S167H seed manifest, incl. seed-source recovery). No backfill; design only; separately gated.
R1a-OD-3 (runner-contract coverage): decide whether the agent-api-contract + dispatcher pattern (currently only the EXPLAIN pilot) should be extended to the provenance/quality DOTs — to be designed, not built, only after the package opens.
OD-8 (carried): confirm CONS-002/003 + CELL-003/004/007 remain prerequisites to any R1 materialization.

Backfill / quarantine / KG DOT real-run / gate flips / owner assignment / contract promotion = later, separate, write-enabled Owner workstreams. Engineering/Codex PASS ≠ Owner authorization.

16. Next recommended action

GPT reviews this R1a report (with R2a and the combined execution report).
If accepted, Codex adversarial control review.
Owner decides R1a-OD-1/2/3 + OD-8: open write-enabled R1 (clear preflight gates under governance), keep KG read-only/dry-run, or authorize the further read-only provenance-source design study.

Default disposition: HOLD. PASS = engineering root cause identified; it is not Owner authorization. No blocker resolved; no KG/provenance materialization; no gate flipped; TD remains gated.