KB-418C
02 — Capability Matrix: All Routes Surveyed (2026-06-22)
Revision 1
LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION
Every route surveyed — did not stop at first denial. Fields: route · command/tool tested · result · can-create-C1-governed-surface · can-create-sandbox-only · risk · evidence · closure action.
| # | Route | Command/tool tested | Result | C1 governed surface? | Sandbox only? | Risk | Closure action |
|---|---|---|---|---|---|---|---|
| 1 | Directus admin collection+field (DDL) | no admin/DDL tool exposed; generic MCP has no create-collection | NO DDL CHANNEL | No | No | n/a | governed DDL must be DOT-only via operator |
| 2 | Directus item CRUD (generic mcp__directus__) | directus_health ok; directus_list_collections (352) | item-CRUD over existing collections only; governance_canonical_operation_vocab absent → nothing to write into; forbidden for governed registration (non-DOT) | No | No | would be non-DOT write — NOT attempted | DOT-only; needs collection to exist first |
| 3 | MCP Directus write (Incomex_VPS.directus_create) | create into governance_canonical_operation_vocab | [DENIED] not in the write allowlist | No | No | none (denied) | allowlist + DOT-only |
| 4 | query_pg | create table c1_sandbox_probe(i int) | [DENIED] only SELECT queries allowed, got Create | No | No | none | read-only by design |
| 5 | DOT gateway | no DOT_C1_* contract registered (prod dot_agent_api_contract) | nothing to dispatch | No | No | n/a | register DOT_C1_* via DOT (operator) |
| 6 | dispatcher/executor | prior: fn_process_agent_api_dispatch RAISES on REAL_RUN | undispatchable for C1 | No | No | n/a | needs contract + grant |
| 7 | repo migration path | local cwd not a git repo; no VPS repo access | unavailable | No | No | n/a | operator runs governed migration |
| 8 | container/docker local sandbox | docker info → daemon down; VPS list_docker socket read-only | cannot create container sandbox | No | No (here) | n/a | use native pg cluster instead (route 14) |
| 9 | migration runner / npm / directus CLI | alembic/knex MISSING; no governed project; no directus CLI | unavailable for governed | No | No | n/a | operator-side tool |
| 10 | Git branch + CI/deploy | not a git repo; no CI access | unavailable | No | No | n/a | operator pipeline |
| 11 | Postgres admin / psql in container | no exec into VPS containers; local psql/initdb/postgres present | LOCAL cluster only | No | Yes | low (disposable) | used → file 03 |
| 12 | GCP / Secret Manager credential | not in scope; not attempted | unavailable | No | No | would need operator creds | operator provisions |
| 13 | existing test lane / sandbox schema | prior: schemas {public, iu_core}; "test" objects = QT001 negative-test VIEWS; pg-restore-test container = prod data, not C1-only | none usable | No | No | reuse would risk corpus | none |
| 14 | local disposable DB clone | initdb fresh cluster, port 55432, socket /tmp/c1_sandbox_2026_06_22 | SUCCESS | No | Yes | low (disposable, destroyable) | used → file 03 |
| 15 | write_file docs-only channel | prior: /opt/incomex/docs/mcp-writes, text ≤1 MiB | docs-only; cannot create runtime artifacts; NOT used this pass (keep governed surface untouched) | No | No | none | docs only |
| 16 | any tool creating governed runtime artifacts | exhaustive across 1–15 | NONE found | No | (14 = sandbox) | n/a | operator action (file 13) |
Conclusion
- Sandbox-creation route exists (routes 11 + 14, local native Postgres). Used.
- Governed-DOT-surface-creation route does NOT exist in any connected tool. Confirmed by survey, not assumed.
- Therefore the package can prove A (sandbox logic) but cannot prove B (governed runtime). The gap C is real and requires operator action.