KB-79AF

13 — Final Decision (2026-06-22)

Revision 1

LABELS: LOCAL_DISPOSABLE_SANDBOX_DOT_EMULATOR · NOT_GOVERNED_RUNTIME · NOT_PRODUCTION · NOT_DIRECTUS_GOVERNED_WRITE · NOT_A_SUBSTITUTE_FOR_DOT_C1_REGISTRATION

VERDICT

C1_LOCAL_SANDBOX_DRYRUN_LOGIC_PROVEN_GOVERNED_DOT_RUNTIME_NOT_READY

Governed-runtime sub-stop: C1_DRYRUN_CAPABILITY_LOCKED_OPERATOR_ACTION_REQUIRED

  • ready for Codex confirmation: YES (of A; and of the B/C gap statement)
  • ready for governed dry-run: NO
  • ready for production: NO
  • REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · P2 CLOSED · no named lane · 0 governed-runtime mutations · NO subagents

The broad target C1_DRYRUN_EXECUTED_AND_PROVEN_READY_FOR_CODEX_CONFIRMATION is not asserted: only sandbox logic (A) is proven; governed DOT runtime (B) is not ready.

A. LOCAL SANDBOX PROOF — PROVEN

Disposable cluster (PG 14.17, /tmp/c1_sandbox_2026_06_22, port 55432). Proven: C1 contract logic; manifest/hash recompute (cross-tool shasum match, c9286d3a…ec00); resolver R_C1 (14 ops from frozen apr_action_types); verifier (11 reject codes, single-use); preflight READY; dry-run (no state, seal withheld); 19/19 bad-input fail-closed (no seal); valid apply (14 rows, seal b343316525…); single-use consume; write-once; rollback/dismantle/clean-state (orphan 0, audit retained). This proves logic/shape ONLY.

B. GOVERNED DOT RUNTIME READINESS — NOT READY

  • governance_canonical_operation_vocab absent from governed runtime (count 0; not among 352 collections).
  • No DOT_C1_* registered in governed dot_agent_api_contract (only the DOT_KG_EXPLAIN pair).
  • governance_build_authorization grants = 0 (no C1 grant, no Gate-B, no Chairman authority).
  • No connected tool can create governed DOT artifacts: query_pg read-only; directus_create allowlist-DENIED; generic Directus MCP item-CRUD-only (no DDL); docker daemon down / VPS socket read-only; no migration runner/CLI/CI; write_file docs-only. (file 02)
  • DOT-only rule forbids any non-DOT write to governed runtime regardless.

C. REMAINING GOVERNED DOT GAP — exact operator action required

No "needs permission" hand-wave. The one irreducible external action:

WHAT is missing: a governed write/DDL/registration capability to (1) create the governed collection/table governance_canonical_operation_vocab, (2) register the C1 producer/verifier contracts, and (3) mint a scoped C1 build grant. No connected tool can perform any of these.

EXACT action (reuse-first, per file 04b):

  1. Via the governed DOT path (the same mechanism that created the existing "Created by DOT schema ensure" collections), run a C1 schema-ensure that reuses the DOT_SCHEMA_*_ENSURE family pattern (cf. DOT_SCHEMA_TABLE_REGISTRY_ENSURE) to create governance_canonical_operation_vocab (+ register it in table_registry).
  2. Register a producer/verifier pair DOT_C1_VOCAB_BUILD / DOT_C1_VOCAB_BUILD_VERIFY in governed dot_agent_api_contract, following the DOT_KG_EXPLAIN/DOT_KG_EXPLAIN_VERIFY precedent; record them in dot_tools / CAT-006 via dot-catalog-sync (extend DOT-062 dot-rollback for the rollback step rather than minting net-new).
  3. Mint one scoped governance_build_authorization row: carrier=C1, plan=LEGO1-C1-PLAN, manifest_hash bound, action_set exact, expiry set, single-use, rollback_plan_ref set.
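
An added illustration of how a grant carrying the fields in step 3 can be checked fail-closed; it is not the project's verifier. The grant_id field, SHA-256, the REJECT_* code names, the in-memory consumed set and the rule that only a real apply consumes the grant are assumptions, and the sample grant is constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Field names follow step 3; "grant_id" and every REJECT_* code are hypothetical
# (the page counts 11 reject codes in its verifier but does not list them).
REQUIRED = ("grant_id", "carrier", "plan", "manifest_hash", "action_set",
            "expires_at", "single_use", "rollback_plan_ref")


def manifest_digest(manifest: bytes) -> str:
    # SHA-256 is an assumption; recompute rather than trust a supplied hash.
    return hashlib.sha256(manifest).hexdigest()


def verify_grant(grant, manifest, requested_ops, consumed, now=None):
    """Return (ok, code); any missing field, mismatch or exception rejects."""
    now = now or datetime.now(timezone.utc)
    try:
        if any(grant.get(k) in (None, "", []) for k in REQUIRED):
            return False, "REJECT_FIELD_MISSING"
        if (grant["carrier"], grant["plan"]) != ("C1", "LEGO1-C1-PLAN"):
            return False, "REJECT_SCOPE"
        if not hmac.compare_digest(grant["manifest_hash"], manifest_digest(manifest)):
            return False, "REJECT_MANIFEST_HASH"
        # "action_set exact": equality, not subset, and no duplicate ops.
        if sorted(requested_ops) != sorted(set(grant["action_set"])):
            return False, "REJECT_ACTION_SET"
        if now >= grant["expires_at"]:
            return False, "REJECT_EXPIRED"
        if grant["single_use"] is not True:
            return False, "REJECT_NOT_SINGLE_USE"
        if grant["grant_id"] in consumed:
            return False, "REJECT_ALREADY_CONSUMED"
    except Exception:
        return False, "REJECT_MALFORMED"  # fail closed on anything unexpected
    return True, "OK"


def execute(grant, manifest, requested_ops, consumed, dry_run=True, now=None):
    """Dry-run leaves no state; only a real apply consumes the single-use grant."""
    ok, code = verify_grant(grant, manifest, requested_ops, consumed, now)
    if ok and not dry_run:
        consumed.add(grant["grant_id"])
    return ok, code


def sample_grant(manifest):
    # Constructed sample data, not a real governance_build_authorization row.
    return {"grant_id": "g-1", "carrier": "C1", "plan": "LEGO1-C1-PLAN",
            "manifest_hash": manifest_digest(manifest), "action_set": ["op_a", "op_b"],
            "expires_at": datetime(2099, 1, 1, tzinfo=timezone.utc),
            "single_use": True, "rollback_plan_ref": "rb-1"}
```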

WHERE it must be run: on the VPS governed stack (Directus admin / DOT migration runner on incomex-directus + postgres), by the human operator/owner holding migration + sovereign-grant authority.

WHY Claude cannot do it: every connected tool is read-only, item-CRUD-only (no DDL/collection creation), allowlist-denied, or docs-only; there is no governed DDL channel, no DOT migration-execution tool, and no governed-registration tool exposed; and the DOT-only rule forbids non-DOT governed writes.

WHAT it unlocks: once the governed collection + DOT_C1_* contracts + scoped grant exist, the governed dry-run can run against the real DOT dispatcher (mirroring the sandbox dry-run already proven), and Codex can confirm governed-runtime evidence.

NEXT command after operator completes it: re-run this macro pointed at governed runtime — pg_schema(directus,'public','governance_canonical_operation_vocab') (exists), directus_read('dot_agent_api_contract', filter DOT_C1_*) (present), query_pg(directus,'select count(*) from governance_build_authorization where status=active') (≥1) → then dispatch DOT_C1_PREFLIGHT + DOT_C1_VOCAB_BUILD in DRY_RUN via the governed DOT gateway.

DOT registry conclusion (A/B/C/D/E — file 04b)

  • A reused-pattern: schema-ensure family + producer/verifier pairing.
  • B rejected: generic DOT_SCHEMA_ENSURE, DOT-062, *_VERIFY family (reasons logged).
  • C new: 7 C1 DOTs sandbox-only.
  • D registry update: N/A — no governed DOT created (so C1_DRYRUN_HOLD_DOT_REGISTRY_NOT_UPDATED does not fire).
  • E: all DOT_C1_* are labeled sandbox emulators, not governed, no masquerade, no orphan.

Self-check (all answered)

  1. Surveyed every route incl. write? Yes (16).
  2. Created/selected sandbox? Yes (created).
  3. C1 contracts created/verified? Yes (sandbox).
  4. Wiring created/verified? Yes (sandbox); governed absent (disclosed).
  5. Manifest/hash? Yes, recomputable.
  6. Auth/grant path? Yes (sandbox, non-prod).
  7. Preflight ready? Yes (sandbox).
  8. Dry-run routed? Yes (real dispatcher path).
  9. Bad inputs executed? Yes (19).
  10. Invalid inputs fail closed? Yes (0 fail-open).
  11. Rollback/dismantle/clean-state? Yes.
  12. Runtime + KB readback? Yes.
  13. Internal Codex review pass? Yes (for narrow verdict).
  14. Exact operator action (not vague)? Yes (above).

Final report fields

  • verdict: C1_LOCAL_SANDBOX_DRYRUN_LOGIC_PROVEN_GOVERNED_DOT_RUNTIME_NOT_READY (+ C1_DRYRUN_CAPABILITY_LOCKED_OPERATOR_ACTION_REQUIRED)
  • stop state: governed runtime locked pending operator capability
  • capability matrix: complete (16 routes; only sandbox-creation route exists)
  • sandbox status: created, disposable, exercised, destroyable
  • items created: sandbox C1 surface (6 tables, 11 funcs, 7 sandbox DOT contracts, 4 registry rows)
  • items verified: preflight READY, dry-run, 19 bad-inputs, apply, rollback, hashes
  • dry-run cmd/output: file 08
  • bad-input result: 19/19 fail-closed (file 09)
  • rollback/clean-state: proven (file 10)
  • evidence readback: sandbox + KB (file 11)
  • internal Codex: PASS for narrow verdict (file 12)
  • ready for Codex confirmation: YES · ready for dry-run (governed): NO · ready for production: NO
  • operator action: §C above
  • REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED=NO · P2 CLOSED · no named lane