KB-82C1

01-current-state-and-source-readback-2026-06-22.md

c1-legoprewrite-gate

01 — Current state & source readback (fresh live probe, read-only)

Macro: C1_LEGO_DRYRUN_PLAN_HARDENING_NO_PROD_WRITE · Mode: read-only probes + offline simulation. 0 production writes.

Date: 2026-06-22 · DB: directus · VPS: Contabo 38.242.240.89 · GCP: github-chatgpt-ggcloud

Rule honored: fresh-read; do not rely on prior prose. Every number below is from a live read-only probe this turn, not carried from memory.

0. Macro read-first paths — actual on-disk status (correction)

| Path the macro asked me to read | On disk? |
|---|---|
| reports/c1-governed-dryrun-ready-proof-execution/ | PRESENT (13 md + staged-artifacts) — read back in full |
| reports/governed-c1-dryrun-readiness-capability-first/operator-runbook-… | ABSENT — directory does not exist in this checkout |
| newlaws/dot-manage/ | ABSENT: newlaws/ has no dot-manage/; whole subtree missing |

laws-new/ contains exactly two report dirs: c1-governed-dryrun-ready-proof-execution and codex. The operator-runbook and dot-manage stores described in memory are not on disk here. The hardening therefore rests on the live system + the one present package, not on the missing docs.

1. Capability (this laptop) — re-confirmed live

| Probe | Result |
|---|---|
| gcloud auth | nmhuyen@gmail.com active, project github-chatgpt-ggcloud |
| ~/.ssh/contabo_vps | present (399 B) |
| SSH root@38.242.240.89 | read-only works; ls /opt/incomex/dot/bin/dot-* returned 287 |
| local dot/bin/ | 163 non-bak dot-* scripts incl. all lifecycle registrars |
| Secret Manager DIRECTUS_ADMIN_TOKEN | retrievable (not accessed this turn; not needed for read-only) |

Capability is proven (consistent with the prior package). This turn deliberately used only read-only SSH SELECT/ls/cat/docker inspect + offline simulation — no registrar run against prod, no secret access, no write.

2. Live governed baseline (read-only SELECT/ls) — C1 fully absent

| Surface | Value | C1? |
|---|---|---|
| dot_tools total | 309 (228 with file_path) | DOT_C1* = 0 |
| dot_agent_api_contract | 2 (DOT_KG_EXPLAIN producer/endpoint_bound; DOT_KG_EXPLAIN_VERIFY verifier/contract_ready) | DOT_C1* = 0 |
| table_registry | 21 | C1 row = 0 |
| directus_collections | 164 | governance_canonical_operation_vocab = 0 |
| governance_build_authorization | table exists, 0 grants | |
| apr_action_types (active) | 14 | authority set for R_C1 |
| schema c1 / vocab table | 0 / 0 | absent |
| executor incomex-agent-api-executor | agent-api-executor-local:v1, Up 2 weeks (healthy), 8090 | no C1 route |
| runtime gates process_dot_runtime.* | execute=false, real_run=false, dry_run_only=true | already dry-run-only ⇒ no gate-flip needed for a dry-run |

Baseline is identical to the prior package's carried figures (309/2/21/164/0/14). No drift caused by this audit.

3. Three fresh corrections to the prior package (fresh-probe wins)

  1. Stored file_path format is NOT "missing a leading slash." Live distribution of dot_tools.file_path prefixes: bin/… = 163, opt/… = 63, dot/… = 2. Three incompatible relative conventions, none with a leading slash. Prior report 02 sampled only an opt/… value and inferred a slash bug; the real defect is multi-format path divergence (detail in report 02).
  2. dot_tools.code uses two schemes — sequential DOT-001…DOT-NNN for core DOTs and filename-derived DOT_KG_EXPLAIN-style for the KG family (which carry NULL file_path). The registrar's derived code never dedupes against the DOT-NNN rows.
  3. The executor is generic and fixture-keyed. /app/main.py header: "keyed by dot_code; not hardwired to dot:kg. Add a fixture + contract row to support another agent_api DOT." This makes the C1 endpoint a small additive patch, not a net-new service (report 05).
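
An offline pre-registration check for corrections 1 and 2 above, as an added example (not the registrar's or the project's own code): it tallies file_path conventions and code schemes, then flags scripts already registered under a different code. The sample rows, the script names, the `dot-x-y` to `DOT_X_Y` derivation rule and the basename matching are assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample rows (code, file_path); script names are hypothetical,
# not values read from the live dot_tools table.
SAMPLE_ROWS = [
    ("DOT-001", "bin/dot-backup"),
    ("DOT-002", "opt/incomex/dot/bin/dot-health-check"),
    ("DOT-003", "dot/bin/dot-sync"),
    ("DOT_KG_EXPLAIN", None),
    ("DOT_KG_EXPLAIN_VERIFY", None),
]
SEQUENTIAL = re.compile(r"^DOT-\d+$")

def path_convention(file_path):
    """Return the first path segment, or 'NULL' / 'absolute'."""
    if file_path is None:
        return "NULL"
    if file_path.startswith("/"):
        return "absolute"
    return file_path.split("/", 1)[0] + "/"

def code_scheme(code):
    """Classify a dot_tools.code value into one of the two schemes."""
    return "sequential" if SEQUENTIAL.match(code) else "filename-derived"

def derived_code(script_name):
    """Assumed derivation rule: dot-kg-explain -> DOT_KG_EXPLAIN."""
    return script_name.upper().replace("-", "_")

def summarize(rows):
    """Distribution of path conventions and of code schemes."""
    return (Counter(path_convention(fp) for _, fp in rows),
            Counter(code_scheme(code) for code, _ in rows))

def registration_conflicts(candidates, rows):
    """Scripts whose basename is already registered under another code."""
    by_basename = {}
    for code, fp in rows:
        if fp is not None:
            # Basename is the only part shared by all three conventions.
            by_basename.setdefault(PurePosixPath(fp).name, []).append(code)
    conflicts = {}
    for script in candidates:
        existing = by_basename.get(script, [])
        if existing and derived_code(script) not in existing:
            conflicts[script] = (derived_code(script), existing)
    return conflicts
```

Feed it a read-only export of `code, file_path` and the local `dot/bin/` listing; a non-empty conflict map means a derived code would duplicate a row that already exists under a `DOT-NNN` code.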

4. Zero-write attestation (this turn)

Operations performed: ssh ls, ssh docker exec postgres psql -c "SELECT …" (read-only), ssh docker exec … cat (executor source), docker inspect, local Read/grep, and a fully offline simulation reading file snapshots. No --dry-run registrar run against prod, no INSERT/UPDATE/DELETE, no directus_create, no write_file to prod, no secret value read. before == after on all counters in §2.
