C1_GRANT_ISSUER_DOT_GAP_CLOSURE — evidence + decision (2026-06-23)

VERDICT

C1_GRANT_ISSUER_HOLD_DOT_LIFECYCLE_INCOMPLETE

Contributing/root sub-holds (all true, same turn):

• C1_GRANT_ISSUER_HOLD_HANDLER_BINDING_NOT_DOT_APPROVED (root cause)
• C1_LEGO_PREWRITE_HOLD_GRANT_ISSUER_UNIMPLEMENTED (carried, unchanged)

Per the HARD ADDENDUM hard-stop: dot-c1-grant-issue has a staged script/spec but lacks governed birth / admission / registration / catalog / ledger / readback ⇒ the mandated final verdict is C1_GRANT_ISSUER_HOLD_DOT_LIFECYCLE_INCOMPLETE. Did NOT proceed to W1→W9. Did NOT mark pre-write gate ready. Did NOT send Codex.

• ready for Codex final confirmation: NO
• ready for governed dry-run: NO
• ready for production: NO
• production writes this macro: 0 (read-only probes + this KB evidence file only)

0. Baseline (live, VPS SSOT directus DB, fresh-read 2026-06-23) — before==after

surface	value
dot_tools	309
dot_agent_api_contract	2 (DOT_KG_EXPLAIN pair only; 0 DOT_C1, 0 grant/authz)
governance_build_authorization grants	0
apr_action_types unimplemented handlers	10 (incl. authorize_build_step)
governance_canonical_operation_vocab table	absent (to_regclass=null)
dot_tools rows matching dot-c1-* / *GRANT_ISSUE*	0 (registration readback = absent)

1. Reuse-first survey (macro §3.1) — COMPLETE

Searched dot_tools (code/name/file_path/operation) for grant|authoriz|authz|issue|build_step:

• Only literal-substring hit: DOT_SCHEMA_SYSTEM_ISSUES_ENSURE — false positive (matched "issue"; a schema-ensure DOT, mints no grant). REJECT for reuse.
• APR tooling present: DOT-309 dot-apr-propose, DOT-310 dot-apr-execute, DOT-311 dot-apr-health, dot-apr-types-register (status NULL), dot-apr-types-register-audit (status NULL).
  • None mints a governance_build_authorization row. dot-apr-execute only implements add_field/create/patch_ops/update verbs; authorize_build_step is unimplemented so it cannot be executed through this path either.
• Conclusion: no existing DOT can safely issue the C1 grant. A new C1-scoped issuer IS necessary — but it cannot be lifecycle-completed this turn (below). No frozen/forbidden DOT reused.

2. Handler-binding proof (macro §3.3) — NOT DOT-APPROVED THIS TURN

Live apr_action_types:

• 4 implemented handlers all = dot-apr-execute:<verb>, _dot_origin=MIGRATION: add_field, create_item, patch_ops_code, update_item.
• 10 unimplemented (handler_ref='unimplemented', high-risk, mostly _dot_origin=PG:sb1-gov-vocab = reserve-only by design): activate_event_type, amend_law, assign_axis_owner, assign_governance_owner, authorize_build_step, delegate_authority, enact_nrm, grant_governance_exception, register_axis, register_topic_node.
• authorize_build_step: handler_ref=unimplemented, risk_level=high, status=active, _dot_origin=PG:sb1-gov-vocab, created 2026-06-02.

DB-enforced guards (fail-closed) found via pg_get_functiondef:

• fn_apr_block_unimplemented_handler (trigger): (a) apply-time quorum re-proof quorum_passed(NEW.code) must hold or RAISE EXCEPTION; (b) if proposed action's handler_ref='unimplemented' → RAISE EXCEPTION 'Action % has handler_ref=unimplemented. Reserve-only, cannot execute.'
• fn_process_axis_execute_guarded_action (dispatcher): Gate A — president-required action can never be executed by AI/delegated actor (p_actor_type<>'human'); Gate B — handler must be implemented; Gate C — high-risk needs a human president approve vote; even on full pass it writes no canon ("no domain handler exists yet ⇒ EXECUTED-NOOP").

To make authorize_build_step runnable requires BOTH:

1. change apr_action_types.handler_ref from unimplemented → an implemented domain handler, AND
2. implement that domain handler (code that writes the governance_build_authorization grant) — which does not exist anywhere (dispatcher confirms).

Path (1) via dot-apr-types-register or generic update_item touches the authority table, but binding a high-risk governance handler is not a mechanical DOT op; path (2) is a code deploy (like the W6/G3b executor rebuild), an operator step. Neither is DOT-registrable/runnable from the agent environment. Doing it by raw SQL/migration ⇒ C1_GRANT_ISSUER_HOLD_HANDLER_BINDING_NOT_DOT_APPROVED.

3. Staged dot-c1-grant-issue is DEFECTIVE against live SSOT (new findings)

• Wrong write channel: script does curl POST {DIRECTUS_URL}/items/governance_build_authorization, but governance_build_authorization is NOT a Directus collection (absent from directus_collections; it is a raw PG table). The /items/... REST endpoint does not exist for it ⇒ the script cannot mint anything even if run.
• Wrong schema: staged payload posts grant_id, action, scope(string), build_step, single_use, lease_ttl, manifest_bound_hash, owner, revocable, plan_ref, reject_on. Live table columns are auth_code, request_ref, approval_ref, step_name, scope(jsonb), risk_level, commit_allowed, requires_sovereign_esign, sovereign_esign_ref, rollback_plan_ref, granted_by, granted_at, expires_at, consumed_at, consumed_by, revoked_at, revoked_by, revoked_reason, status, evidence, created_by, created_at. None of the posted fields except scope/status exist; scope type differs (string vs jsonb).
• Bypass: a direct REST POST to the grant table would bypass authorize_build_step, quorum, president vote, and the unimplemented-handler trigger ⇒ that design pattern is GOVERNED_C1_DRYRUN_REJECT_GRANT_BYPASS. It is inert only because the endpoint+schema are wrong.

4. new-dot-proof-table (HARD ADDENDUM) — dot-c1-grant-issue

field	value
DOT name	dot-c1-grant-issue (DOT_C1_GRANT_ISSUE)
why existing DOT cannot be reused	no DOT mints governance_build_authorization; apr tooling can't execute the unimplemented authorize_build_step
birth DOT/path used	NONE — staged skeleton only, banner LOCAL_STAGING_NOT_SSOT
governance/admission DOT/path used	NONE — no admission record
registration DOT/path used	NONE — absent from dot_tools (readback=0)
catalog/registry readback	ABSENT — CAT-006/dot_tools has 0 dot-c1-*; contracts 0 C1
ledger/handbook readback	STAGED ONLY — dot-manage-c1-ledger-update.staged.md "NOT applied this turn"
rollback/retire path	designed (PATCH status=revoked / status-flip retired) but not registered
orphan check result	ORPHANED — script/spec exists, governed lifecycle absent ⇒ hard-stop

5. Reject matrix (macro §3.5) — DESIGN-PRESENT, NOT runtime fail-closed-proven

The staged reject_on list (no_authorization, grant_scope_too_broad, grant_scope_mismatch, authorization_expired, authorization_revoked, REJECT_AUTH_ALREADY_CONSUMED, manifest_not_authorized, action_superset) is downstream/design-only. The script's own runtime guards (--manifest-hash required→exit2; single-active guard→exit3) cannot be exercised because the write endpoint/schema are invalid. ⇒ reject matrix is NOT proven fail-closed at runtime (would require a runnable governed issuer). No overclaim.

6. Pre-write gate re-run (macro §3.6) — STILL HOLD on W7

W1–W6/W8/W9 remain DOT-100% / LEGO-small / rollback-equipped (unchanged from file 13/15). W7 (grant) remains not executable. Incorporating W7's actual state does not flip the gate to ready. Gate result = HOLD.

7. Self-check (macro §7)

1. searched existing grant/authz DOTs — YES (none reusable).
2. avoided manual SQL/Directus/registry — YES (read-only + 1 KB evidence file).
3. issuer DOT scoped only to C1 — YES by design (but unborn).
4. avoided generic authorization system — YES.
5. handler binding DOT-approved — NO (needs authority change + domain-handler code; not DOT-runnable here).
6. birth/admission/governance/catalog/ledger complete — NO (all absent/staged).
7. rollback/retire complete — designed, NOT registered.
8. reject tests failed closed — NOT PROVEN (no runnable issuer).
9. KB evidence read back — YES (this file).
10. pre-write gate W1→W9 passed after W7 — NO (W7 still blocked).
11. avoided claiming Codex-ready / dry-run-ready — YES.

8. Remaining blockers

1. (binding) authorize_build_step handler unimplemented + reserve-only DB guard; no domain handler exists; binding it is an operator authority-change + code deploy, not a DOT op runnable from the agent env.
2. (capability) No governed registrar/exec channel from the agent environment (dot-dot-register is the on-deploy CLI on the VPS). Agent tools = read-only SELECT, allowlisted read, docs-only write, read-only docker. Cannot birth/admit/register a DOT this turn.
3. (artifact defect) Staged dot-c1-grant-issue must be reworked to the real governance_build_authorization schema AND must mint via the governed authorize_build_step path (not a direct REST POST to a non-Directus table).

9. Recommended next step (owner)

Owner decides how to close the grant-issuer gap:

• (A) authorize an operator governed migration to (i) implement an authorize_build_step domain handler that writes one single-use, manifest-bound, TTL, C1-scoped grant, and (ii) bind apr_action_types.handler_ref; then rework dot-c1-grant-issue to call the governed action (not REST POST); OR
• (B) grant the agent a governed write/registrar/exec capability so the DOT lifecycle (birth→admit→register→catalog→ledger→readback) can run DOT-100%. Then re-run the pre-write gate. Until then W7 cannot run DOT-100%.

staged≠born · script/spec≠registered DOT · local-staging≠SSOT · authorization≠capability · credential/table-present≠lawful-runnable-path · handler reserve-only≠implemented.