KB-51B9
01 — Source Register & Current Blocker Reconstruction (2026-06-22)
Revision 1
LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION
Controlling evidence read (not report prose)
| Source | What it established | Carried forward |
|---|---|---|
| Codex HOLD …/codex/codex-review-ready-to-assemble-lego1-patch1-dry-run-auth-readiness… | dry-run-auth readiness requires the executable contract to EXIST, not just a spec | B-gap is "executable governed contract absent" |
| PATCH2 self-HOLD (…/ready-to-assemble-lego1-patch2/) | 12 findings reproduced; READY withheld because executable contracts absent and registration = DML/DDL forbidden under HOLD | DOT-only registration discipline |
| Failed dry-run execution (…/c1-dryrun-execution/) | dispatcher RAISES on REAL_RUN; no DOT_C1_* to dispatch; 0 grants; no write channel | governed dispatch undispatchable |
| True-readiness HOLD (…/c1-dryrun-true-readiness/) | every write route probed with an ACTUAL call → governed write DENIED ×2; schemas {public, iu_core}; no sandbox; only write channel docs-only | no governed write channel |
Current blocker (reconstructed)
C1 dry-run was not ready because no governed write/test-sandbox capability existed to create: C1 executable contracts; DOT_C1_*; C1 Directus/DOT/table_registry wiring; C1 preflight; C1 harness; C1 evidence/readback; C1 rollback/dismantle checks.
How this pass attacks the blocker (and what changed)
Prior passes stopped at "no governed write channel." This pass adds the route prior passes did not exercise: a newly created isolated local/disposable sandbox DB, explicitly authorized by the operator for raw DDL/DML off any governed surface.
- The sandbox lets us prove C1 contract LOGIC + manifest/hash + fail-closed + rollback + evidence shape end-to-end (files 03–11).
- It does not, and is labeled never to, prove governed DOT registration, Directus writability, a production/test-lane write path, Gate B/Chairman authority, or a governed real dry-run (per operator constraint).
Fresh re-confirmation of the governed blocker (2026-06-22, live, read-only)
- query_pg(directus, "create table …") → [DENIED] only SELECT queries allowed, got Create (read-only role).
- directus_create(governance_canonical_operation_vocab, …) → [DENIED] … not in the write allowlist.
- governance_canonical_operation_vocab present in governed runtime = 0 (information_schema) and absent from the 352-collection Directus listing.
- governance_build_authorization grants = 0 (active = 0).
The blocker is therefore unchanged on governed runtime; only the sandbox dimension advanced.