KB-1750

CODEX REVIEW PACKET — C1 Dry-Run True Readiness — 2026-06-22

Revision 1

CODEX REVIEW PACKET — C1_DRYRUN_TRUE_READINESS — 2026-06-22

For Codex final confirmation only. Codex was not used to find defects; all defect-finding was internal (file 12).

Claim under review

C1_DRYRUN_HOLD_NO_GOVERNED_WRITE_CHANNEL — C1 dry-run cannot be made genuinely ready in this session because every governed write/DDL channel needed to create the C1 executable-contract surface is absent or denied, and no isolated sandbox lane exists. Macro outcome B (irreducible external-capability HOLD). 0 governed-DB/runtime mutations.

What changed vs the prior dry-run HOLD

The prior macro stopped at "read-only / 403". This one probed every write route with an actual call:

  • governed directus_create → C1 collection: DENIED (write allowlist)
  • governed directus_create → dot_agent_api_contract: DENIED (write allowlist)
  • sandbox-lane search: none (schemas = public, iu_core)
  • write_file: SUCCESS but docs-only
  • mcp__directus__ item API: no DDL/collection/function creation capability
  • query_pg: read-only; no DDL/exec/migration tool

Decisive live evidence (read-only, db=directus, 2026-06-22)

  • Dispatcher fn_process_agent_api_dispatch: raises_realrun=true, cannot_exec=true, never_writes=true.
  • DOT contracts total=2 (DOT_KG pair); c1_contracts=0.
  • Catalog=54; collection primitive dot_iu_create_collection → fn_iu_collection_create (IU records, not Directus DDL); no schema-ensure/DDL primitive.
  • Auth status domain {draft,active,consumed,expired,revoked}; grants=0, leases=0, ownership=0.
  • Gates: execute_enabled=false, real_run_enabled=false, dry_run_only=true, operator_runtime_enabled=false.
  • No C1 table/view/routine; no C1 preflight; the only realrun preflight (v_dotkg_realrun_preflight) = NO_GO and DOT_KG-specific.

Verification checklist for Codex

  1. Confirm the two governed-write denials reproduce (C1 collection + contract registry).
  2. Confirm no sandbox schema/DB exists.
  3. Confirm c1_contracts=0 and no DOT_C1_* rows.
  4. Confirm DDL is impossible via every exposed tool (no CREATE FUNCTION/TABLE path).
  5. Confirm no invalid input can emit PASS/digest/seal (no emitter exists) ⇒ no fail-open ⇒ HOLD not REJECT.
  6. Confirm the only non-governed write is the disclosed inert docs file.

Boundaries

REGISTRATION_HOLD ACTIVE · CAN_PROCEED=NO · P2/named lane CLOSED · no production/registration/activation/corpus · no C2–C7 · no mega-registry/graph/birth · DO NOT IMPLEMENT.

Next gate (not requested here)

A separately-authorized governed Gate-B build-prep registration capability: a write/DDL path that can create the C1 table + target functions and register the DOT_C1_* contract set, OR an isolated sandbox lane. Until it exists, the C1 dry-run is undispatchable and a re-attempt reproduces this HOLD. This packet does not request dry-run authorization, P2, a named lane, or C1 registration/activation.
