KB-28A8
C1-DRYRUN-EXECUTION 02 — Live Environment & Test/Sandbox Inventory (read-only) — 2026-06-22
Revision 1
Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations. Every probe below ran through read-only MCP tools (query_pg = read-only role, READ ONLY txn, statement_timeout 5s, LIMIT 500; list_docker read-only). DB = directus on VPS contabo, PostgreSQL 16.
1. Command record (classification + actual output + what it proves)
| # | Command (surface) | Class | Actual output | Proves |
|---|---|---|---|---|
| C0 | list_docker | READ_ONLY_SAFE | 11 containers incl. incomex-directus, postgres (5432→5432), incomex-agent-api-executor (8090), pg-restore-test-20260520T031054Z (no host port) | runtime reachable; only main postgres host-exposed |
| C1 | C1 surface existence (information_schema+pg_proc) | READ_ONLY_SAFE | c1_table=0, c1_views=0, c1_functions=0, c1_prefixed_tables=0, sandbox_functions=0 | no C1 schema/view/handler; no sandbox executor fn |
| C2 | dispatcher REAL_RUN check (pg_get_functiondef) | READ_ONLY_SAFE | dispatcher_exists=1, dispatcher_has_realrun_raise=true | dispatcher raises on REAL_RUN (validate/observe only) |
| C3 | SELECT … FROM dot_agent_api_contract | READ_ONLY_SAFE | 2 rows: DOT_KG_EXPLAIN (producer/DRY_RUN/endpoint_bound) + DOT_KG_EXPLAIN_VERIFY (verifier/VERIFY_ONLY) | no DOT_C1_* contract |
| C4 | "dryrun" tables (information_schema.tables) | READ_ONLY_SAFE | 10 rows, all v_… views: v_birth_qt001_dryrun_{no_go_guard,result,summary}, v_birth_register_dryrun_matrix, v_process_discovery_dryrun_{execution_status,plan_status,readiness}, v_process_discovery_first_dryrun_status, v_rp_ai_orphan_dryrun_{result,summary} | dry-run infra exists only for other carriers; none for C1; no generic sandbox lane |
| C5 | governance_build_authorization rows + status check | READ_ONLY_SAFE | auth_total=0; CHECK status ∈ {draft,active,consumed,expired,revoked} | no grant of any kind; granted not even in domain |
| C6 | resolver namespaces | READ_ONLY_SAFE | apr_total=14, pav_total=12, joined_on_action_code=0 | resolver join empty (R8 reproduced) |
| C7 | dot_config runtime gates | READ_ONLY_SAFE | composer_enabled=false, direct_insert_policy=block_after_guard, piece_event_runtime.dry_run_only=true, process_dot_runtime.dry_run_only=true, process_dot_runtime.execute_enabled=false, process_dot_runtime.real_run_enabled=false, queue.lease.reaper_dry_run_only=true | every execution gate CLOSED |
2. Test/sandbox lane: does one exist for C1?
No. What exists:
- A dry-run view pattern for three unrelated carriers (birth register QT001, process discovery, RP-AI-orphan). These are read-only reporting views, not a writable C1 sandbox, and they belong to other carriers.
- A pg-restore-test-… postgres container. It has no host port mapping (only postgres exposes 5432→5432), is not reachable through query_pg (which targets named DBs on the main instance), and query_pg is read-only regardless. Writing a hand-built C1 schema into a throwaway restore would be neither the governed C1 path nor a meaningful dry-run, and is not a channel I can reach.
There is no C1 sandbox table, no C1 dry-run view, no sandbox/test-lane executor function (sandbox_functions=0), and no test-lane build-authorization grant (auth_total=0).
3. Write-channel inventory (what I could actually use)
| Tool | Capability | Usable to create the C1 executable contract? |
|---|---|---|
| query_pg | single read-only SELECT, read-only role, no writes/DDL | No |
| pg_schema / directus_read / read_file / list_docker | read-only | No |
| directus_create/update/delete (MCP CRUD) | item CRUD; 403 on governed/schema per SSOT v1.2; cannot create PG functions or system DOT contracts | No |
| write_file | filesystem text to allowlisted paths (/opt/incomex/docs, /opt/incomex/dot/specs) | No — a spec file is not a registered executable contract |
| raw SQL DDL/DML | — | Forbidden by macro §4 as an authority path |
| governed DOT_C1_SCHEMA_ENSURE | would be the sanctioned creation primitive | Absent (does not exist; creating it would itself need a write channel) |
Net: there is no available, governed, reachable write channel to create the C1 executable contracts, and therefore none to dispatch a C1 dry-run.
4. Boundary attestation
Read-only inventory only; nothing created, executed, flipped, or written. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations.