00a-SSOT-source-of-truth-classification-2026-06-22.md
00a — Source-of-truth classification (MANDATORY GATE, read-only)
Directive: classify SSOT before any further write-plan work. Local web-test must NOT be treated as governed code proof.
VERDICT
C1_LEGO_PLAN_SSOT_CONFIRMED_LOCAL_STAGING_ONLY
The SSOT map is now proven. Local is staging only; the VPS is code SSOT; AgentData KB is evidence SSOT. Every governed-code claim in this package has been re-grounded in the VPS SSOT (below); none changed — they all held.
The map (proven, not assumed)
VPS /opt/incomex (host vmi3080463) = CODE SSOT
AgentData KB / knowledge tree = report / evidence / DOT-manage knowledge SSOT
/Users/nmhuyen/Documents/.../web-test = LOCAL STAGING ONLY
1. Where is the live VPS DOT code SSOT?
- Host `vmi3080463`. `/opt/incomex` is a git repo — `git rev-parse HEAD` = `bbf9c436ce1468cc3cddb231a88216ea8ad8ec88`, branch `feat/s177-sprint1-round-a`. `git remote -v` = empty (no readable remote → it is a VPS-local repo, not provably the same origin as local web-test).
- DOT code SSOT dir: `/opt/incomex/dot/bin/` = 209 non-bak `dot-*` scripts.
2. Where is the live executor source / deploy path?
- Runtime: container `incomex-agent-api-executor`, image `agent-api-executor-local:v1`, no bind mounts.
- Source SSOT: `/opt/incomex/deploy/agent-api-executor/` (`Dockerfile`, `main.py`, `verifier.py`, `llm_client.py`, `requirements.txt`, `fixtures/`, `secrets/`).
- Proof it is authoritative: host `…/main.py` sha256 `09cdd867…64022` == container `/app/main.py` sha256 `09cdd867…64022` (identical). The image was built from this dir. Deploy path for the C1 patch = edit this dir → rebuild via its `Dockerfile` → redeploy.
- Contract precedent (for G3a operator-migration option): `/opt/incomex/docs/mcp-writes/dot-agent-api-contract-2026-06-04/{v5_apply.sql, v5_rollback.sql}` (how the 2 KG contracts were created; has rollback).
3. Does local web-test match the VPS repo/commit? — NO
| Dim | LOCAL web-test | VPS /opt/incomex |
|---|---|---|
| repo/remote | github.com/Huyen1974/web-test.git | git repo, no readable remote |
| branch | main | feat/s177-sprint1-round-a |
| HEAD | 5b9eb23b… | bbf9c436… |
| dot-* scripts | 163 | 209 (local is a divergent subset) |
| dot-dot-register sha256 | 9c594efd…286a (5774 B) | 31d5cf15…583f (5813 B) — differ |
| knowledge/dev/ (this package) | untracked (`?? knowledge/dev/`) | n/a |
Local and VPS are on different branches, different commits, with different file contents even for the registrar. Local is a working/staging copy, NOT a mirror of the SSOT.
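The per-file comparison behind the table above, generalized from the single `dot-dot-register` hash to every `dot-*` script in a bin directory. This is an added example, not a script from the package or from `/opt/incomex`; the function names, the `*.bak*` backup pattern and the `MIRROR_OF_SSOT` label are assumptions, while `LOCAL_STAGING_NOT_SSOT` is the label used in this report.

```shell
#!/bin/sh
# Added example: drift check between a staging bin dir and the code-SSOT bin dir.
# Assumes script names contain no whitespace and that backups match *.bak*.

# sha256 of one file; works with sha256sum (Linux) or shasum (macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Names of dot-* scripts in a directory, backups excluded, sorted.
list_dots() {
  for f in "$1"/dot-*; do
    [ -f "$f" ] || continue
    case "$f" in *.bak*) continue ;; esac
    basename "$f"
  done | sort
}

# Print "same=N differ=N staging_only=N ssot_only=N" for <staging> <ssot>.
drift_summary() {
  staging=$1 ssot=$2 same=0 differ=0 s_only=0 v_only=0
  for n in $(list_dots "$staging"); do
    if [ ! -f "$ssot/$n" ]; then s_only=$((s_only + 1))
    elif [ "$(hash_file "$staging/$n")" = "$(hash_file "$ssot/$n")" ]; then same=$((same + 1))
    else differ=$((differ + 1)); fi
  done
  for n in $(list_dots "$ssot"); do
    [ -f "$staging/$n" ] || v_only=$((v_only + 1))
  done
  echo "same=$same differ=$differ staging_only=$s_only ssot_only=$v_only"
}

# Staging is a mirror only if no file differs and none is missing on either side.
classify_staging() {
  case "$(drift_summary "$1" "$2")" in
    *"differ=0 staging_only=0 ssot_only=0") echo MIRROR_OF_SSOT ;;
    *) echo LOCAL_STAGING_NOT_SSOT ;;
  esac
}

# Stand-alone use: sh drift.sh <staging-bin-dir> <ssot-bin-dir>
if [ $# -eq 2 ]; then
  drift_summary "$1" "$2"
  classify_staging "$1" "$2"
fi
```

Both directories have to be readable from one place, so the SSOT side is typically a read-only copy or mount of the VPS tree.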
4. What are the staged scripts intended for?
All artifacts under …/web-test/knowledge/dev/laws-new/reports/c1-lego-dryrun-plan-hardening-no-prod-write/staged-artifacts/ are:
- local proposal + KB evidence + later operator-applied patch (against the VPS SSOT) —
- NOT a direct VPS deploy artifact, NOT registry proof, NOT dry-run-ready proof.
They therefore carry the mandated classification:
LOCAL_STAGING_NOT_SSOT
NOT_GOVERNED_RUNTIME
NOT_DEPLOYED
NOT_REGISTRY_PROOF
NOT_DRYRUN_READY_PROOF
(applied as a banner in staged-artifacts/_SSOT-CLASSIFICATION.md and in each script header).
5. Re-grounding: every governed-code claim re-verified on the VPS SSOT
| Claim (was grepped on local) | VPS SSOT result | Status |
|---|---|---|
| Registrar 287-bug mechanism (matcher `grep -qF` line 135) | VPS registrar diff vs local = only 3 PG-env-default lines; matcher/write-site lines 121/128/135/157/184 byte-identical | CONFIRMED on SSOT |
| 287 false-new behavior | reproduced over real VPS disk(287)/registered(228); matches live `--dry-run` | CONFIRMED |
| Only governed creator of `dot_tools` = `dot-dot-register` | VPS: `items/dot_tools` writers = dot-dot-register, dot-fill-tool-descriptions(upd), dot-registry-diff(read), dot-update-tool-categories-vn(upd) | CONFIRMED |
| No DOT writes `dot_agent_api_contract` | VPS grep count = 0 | CONFIRMED (G3a gap real) |
| No DOT issues grants | VPS grep `authorize_build_step\|governance_build_authorization` = 0 | CONFIRMED (G3c gap real) |
| `dot-collection-create` has no `--dry-run` | VPS hits = 0; register=6, table-registry-ensure=8 | CONFIRMED (W3 correction holds) |
| Lifecycle DOTs present | all present on VPS bin | CONFIRMED |
| Executor generic/fixture-keyed, no-mutation | read from container + host source (identical) | CONFIRMED |
6. Consequence for the package
No claim is withdrawn — but the basis is corrected from "local dot/bin" to "VPS /opt/incomex SSOT". The earlier local greps were a faithful (if partial) mirror; the authoritative facts are the VPS ones above. The hardened plan stands, now SSOT-grounded. No overclaim survives ⇒ …REJECT_LOCAL_STAGING_OVERCLAIM does not fire; …HOLD_CODE_SSOT_UNCLEAR does not fire (map is clear).