KB-6148
11 — Before/After Evidence Readback Proof — 2026-06-22
3 min read Revision 1
c1-dryrun-true-readinessevidencereadbackhold2026-06-22
11 — BEFORE / AFTER / READBACK EVIDENCE — 2026-06-22
1. Live evidence ledger (read-only, db=directus, VPS=contabo, 2026-06-22)
- E1 — Dispatcher.
fn_process_agent_api_dispatch:raises_realrun=true,cannot_exec=true("cannot execute a DOT"),never_writes=true. Validation-only; refuses REAL_RUN. - E2 — C1 surface. 0 C1 tables/views/routines. Present:
table_registry(generic) + non-C1 preflight views (v_birth_*,v_dotkg_realrun_preflight,v_rp_authority_execution_preflight). - E3 — DOT contracts. total=2 (
DOT_KG_EXPLAINproducer DRY_RUN endpoint_bound;DOT_KG_EXPLAIN_VERIFYverifier VERIFY_ONLY contract_ready); c1_contracts=0. - E4 — Command catalog. 54 cmds; collection primitive =
dot_iu_create_collection→fn_iu_collection_create(writesiu_piece_collection, not Directus DDL); no schema-ensure/DDL/table-registry primitive. - E5 — Authorization.
governance_build_authorizationstatus CHECK ={draft,active,consumed,expired,revoked}(grantedunsatisfiable); grants=0;dot_iu_runtime_lease=0;governance_object_ownership=0. - E6 — Runtime gates.
process_dot_runtime.execute_enabled=false,.real_run_enabled=false,.dry_run_only=true,iu_core.operator_runtime_enabled=false,iu_create.gateway.direct_insert_policy=block_after_guard,iu_create.gateway.mode=enforced. - E7 — Governed write channel.
directus_create('governance_canonical_operation_vocab', …)→[DENIED] not in the write allowlist; refusing to execute.directus_create('dot_agent_api_contract', …)→[DENIED] not in the write allowlist; refusing to execute. - E8 — Sandbox lane. schemas = {
public,iu_core}; no sandbox/test schema/DB; "test"-named objects are QT001 negative-test VIEWS. - E9 — Filesystem write.
write_file→/opt/incomex/docs/mcp-writes/c1-dryrun-true-readiness-channel-probe-2026-06-22.mdSUCCESS (486 bytes); docs-only. - E10 — Capability surface.
query_pgread-only (no writes/DDL); no command-exec/migration tool;mcp__directus__= item CRUD + read + flow-trigger only (no DDL/collection/field/function creation).
2. Before / after diff
| Surface | Before | After | Diff |
|---|---|---|---|
| C1 contracts | 0 | 0 | ∅ |
| C1 tables/views/routines | 0 | 0 | ∅ |
| governance_build_authorization | 0 | 0 | ∅ |
| dot_iu_runtime_lease | 0 | 0 | ∅ |
| governance_object_ownership | 0 | 0 | ∅ |
| dot_config gates | all closed | all closed | ∅ |
| docs/mcp-writes (non-governed) | (n/a) | 1 probe file (486B) | +1 inert doc (disclosed) |
Governed-surface diff = ∅. The only change anywhere is one inert docs file, disclosed.
3. Readback
- KB readback: all 16 package files created (revision 1) and listed in the index.
- Runtime readback: re-queries return identical baseline (no governed mutation).
4. Status
Evidence/readback: complete. Confirms 0 governed mutations and the absence of every C1 dry-run prerequisite.