C1 authorize_build_step handler minimal LEGO patch — INDEX (staged for owner review) 2026-06-23
00 — Index · C1_AUTHORIZE_BUILD_STEP_HANDLER_MINIMAL_LEGO_PATCH (2026-06-23)
VERDICT
C1_AUTHORIZE_BUILD_STEP_HANDLER_PATCH_STAGED_FOR_OWNER_REVIEW
A minimal, C1-scoped, DOT-approved handler patch is staged and proven sufficient to unblock W7. It is not applied, not dry-run-ready, not Codex-ready. 0 production writes this macro.
- ready for prewrite gate: NO (until handler deployed + bound + re-gated by owner)
- ready for Codex final confirmation: NO
- ready for governed dry-run: NO
- ready for production: NO
One LEGO piece only
authorize_build_step → a single minimal C1 dry-run grant domain handler
(execute_authorize_build_step inside the existing dot-apr-execute dispatcher).
No generic authorization system, no mega framework, no new table, no C2..C7, no executor change.
Baseline (live VPS SSOT directus, fresh-read 2026-06-23) — before==after
| surface | value |
|---|---|
| governance_build_authorization grants | 0 |
| apr_action_types rows / unimplemented | 14 / 10 (incl. authorize_build_step) |
| authorize_build_step handler_ref | unimplemented (risk=high, status=active, origin=PG:sb1-gov-vocab) |
| existing authorize_build_step APRs | 0 |
| dot_tools total / dot-c1-* | 309 / 0 |
| gba is a Directus collection? | NO (raw PG table; to_regclass present) |
| apr_action_types is a Directus collection? | YES (but 0 registered directus_fields) |
Files
| # | file | content |
|---|---|---|
| 00 | this index | verdict, baseline, map |
| 01 | current-authorize-build-step-and-handler-state | dispatcher architecture proof (VPS SSOT) |
| 02 | governance-build-authorization-live-schema | exact live columns + constraints + payload mapping |
| 03 | minimal-handler-design-c1-scope-only | the handler: name/scope/IO/insert/idempotency/TTL/reject |
| 04 | vps-code-ssot-patch-plan | where it lands, what changes, what must NOT change |
| 05 | dot-approved-handler-binding-plan | how handler_ref gets bound without manual-SQL bypass |
| 06 | reworked-dot-c1-grant-issue-contract | issuer redesigned to the governed propose path |
| 07 | reject-matrix-and-fail-closed-proof-plan | full reject matrix, all fail-closed by design |
| 08 | rollback-retire-and-ledger-plan | reverse every step + DOT-manage ledger |
| 09 | owner-apply-runbook-and-readback-checklist | exact later operator steps + readbacks |
| 10 | internal-codex-negative-review | adversarial self-attack |
| 11 | final-decision | verdict + self-check + remaining blockers |
Staged artifacts (design-only; not applied)
- staged-artifacts/patches/dot-apr-execute-authorize_build_step.handler.additive-design.md
- staged-artifacts/migration/bind-authorize_build_step-handler.staged.sql
- staged-artifacts/scripts/dot-c1-grant-issue.reworked
- staged-artifacts/payloads/authorize_build_step_apr_proposed_action.json
- staged-artifacts/payloads/governance_build_authorization_grant.live-schema.json
What this advances
Closes the root blocker named in c1-grant-issuer-dot-gap-closure/00 and c1-lego-…/13,15
(C1_LEGO_PREWRITE_HOLD_GRANT_ISSUER_UNIMPLEMENTED / …HANDLER_BINDING_NOT_DOT_APPROVED) by
designing the smallest DOT-approved path to implement+bind authorize_build_step. Execution is
owner/operator-gated and intentionally deferred.
staged≠applied · design≠deployed · staged≠dry-run-ready · authorization≠capability.