09 — Owner-approved per-write execution plan W1→W9 (LEGO-small, hardened)

Not executed. Each step is one small reversible write for the next "approve each write" turn. Sequence follows macro §3.7. Every step lists: goal · exact command · DOT path · payload · expected mutation · readback · rollback/retire · blast radius · stop condition · Codex-style attack. No step combines unrelated domains. No gate-flip is required for the dry-run (runtime is already dry_run_only=true).

W1 — Registrar mitigation + stage C1 scripts (no `dot_tools` write yet)

Goal: make the governed registrar surgical-safe; place the 8 dot-c1-* scripts on VPS bin.
Command: apply registrar patch via dot-apr-execute patch_ops_code (v1.0.0→v1.1.0-c1-hardened); scp staged-artifacts/scripts/dot-c1-* root@VPS:/opt/incomex/dot/bin/.
DOT path: patch_ops_code (handler dot-apr-execute:patch_ops); file placement is pre-registration staging.
Payload: staged-artifacts/scripts/dot-dot-register-c1-hardened + 8 dot-c1-* skeletons.
Expected mutation: registrar ops-code replaced; 8 files on bin. No dot_tools row yet.
Readback: ssh … "ls /opt/incomex/dot/bin/dot-c1-*" = 8; dot-dot-register-c1-hardened --cloud --only-prefix dot-c1- --dry-run → GENUINE NEW = 8, exit 0 (live confirmation of report-02 Run C2).
Rollback/retire: restore registrar v1.0.0 ops-code; rm staged files.
Blast radius: registrar script + filesystem only.
STOP if: the dry-run reports any non-dot-c1-* candidate, or NEW≠8.
Codex attack: "patched registrar still mass-inserts" → refuted by the --only-prefix dry-run = 8 and --max-new abort guard.

W2 — DOT_C1 birth / admission / governance (no registration yet)

Goal: born + admitted, before any dot_tools/contract write.
Command: dot-species-register (species gov-canonical-op-vocab); dot-birth-backfill; apply ledger rows (report 07 §5) on the governed SoR.
DOT path: dot-species-register + dot-birth-backfill (reused); ledger = governed handbook write.
Expected mutation: species/birth rows; ledger rows for 8 DOTs.
Readback: dot-species-map shows the species; ledger lists 8 DOT_C1.
Rollback/retire: dot-entity-retire species; ledger supersession entry.
Blast radius: species/birth + docs.
STOP if: species collides with an existing one, or any DOT_C1 lacks a ledger row.
Codex attack: "registered before born" → ordering enforces birth first; W4 readback re-checks.

W3 — C1 surface (collection + table_registry)

Goal: create governance_canonical_operation_vocab + registry rows.
Command: read-only precheck SELECT … information_schema.tables WHERE table_name='governance_canonical_operation_vocab' (=0); dot-collection-create --collection-name governance_canonical_operation_vocab --group REGISTRY --governance-role governed --species-code <…> --cloud; dot-collection-register … --migration_state pilot --cloud (supports --dry-run); dot-schema-table-registry-ensure --cloud --dry-run then real.
DOT path: dot-collection-create + dot-collection-register + dot-schema-table-registry-ensure (all reused).
Expected mutation: collections 164→165; collection_registry +1 (COL-NNN); table_registry 21→22.
Readback: collection present; registry rows present; status=active.
Rollback/retire: governed de-register/drop empty collection; archive registry rows.
Blast radius: one additive collection + 2 registry rows.
STOP if: precheck shows the table already exists (creator also self-guards, exits 1), or table_registry delta≠1.
Codex attack: "preview via --dry-run on dot-collection-create" → corrected: it has NO --dry-run; safety = read-only precheck + the creator's built-in "already exists" guard.

W4 — DOT_C1 tool registration + catalog + ledger

Goal: register the 8 DOT_C1_* rows.
Command: dot-dot-register-c1-hardened --cloud --only-prefix dot-c1- (real); dot-catalog-sync --cloud; interleave ledger rows.
DOT path: patched governed registrar (report 03) — not a manual POST.
Expected mutation: dot_tools 309→317 (+8); CAT-006 synced.
Readback: SELECT code FROM dot_tools WHERE code LIKE 'DOT_C1_%' = 8; ledger lists 8.
Rollback/retire: status-flip retired on the 8 codes.
Blast radius: exactly the 8 named codes (filter + --max-new enforce).
STOP if: delta≠8, or any non-C1 code appears, or a code lacks its ledger row (→ C1_LEGO_PLAN_HOLD_DOT_MANAGEMENT_LEDGER_NOT_UPDATED).
Codex attack: "287/15 backlog inserted" → refuted by report 02 Run C2 + abort guard.

W5 — `dot_agent_api_contract` C1 binding

Goal: register the producer + verifier contracts.
Command: dot-c1-contract-register --cloud --dry-run then real.
DOT path: dot-c1-contract-register (report 04), born+registered in W2/W4.
Payload: payloads/dot_agent_api_contract_rows.json (mirrors KG pair).
Expected mutation: dot_agent_api_contract 2→4.
Readback: WHERE dot_code LIKE 'DOT_C1_%' = 2; KG rows untouched.
Rollback/retire: contract_status=retired on the 2 rows.
Blast radius: 2 rows; KG rows untouched.
STOP if: contract-register DOT not born+registered first; or KG rows change.
Codex attack: "manual contract insert" → refuted; insert is via the DOT with idempotency pre-check.

W6 — C1 no-mutation endpoint deploy

Goal: add the C1 handler branch + fixture to the executor.
Command: apply patches/executor-main-py-c1.additive-design.md (FIXTURE_MAP+1, _produce_c1_vocab, check_c1_vocab_output, ship fixture) → rebuild agent-api-executor-local → redeploy.
DOT path: operator/deploy-pipeline (DOT-approved deploy; not a dot-* CLI) — the one irreducible non-CLI step.
Expected mutation: new image; C1 branch live; KG path unchanged.
Readback: GET /healthz writes_db:false; dispatch DOT_C1_VOCAB_BUILD PLAN_ONLY → {validated:true, writes_db:false}; KG PLAN_ONLY regression == pre-deploy.
Rollback/retire: redeploy agent-api-executor-local:v1.
Blast radius: executor app (additive); KG must remain unchanged.
STOP if: KG dispatch regresses, or C1 branch can open a writable transaction.
Codex attack: "endpoint can write" → refuted by read-only role + writes_db:false + REAL_RUN 403.

W7 — C1 grant / ownership

Goal: mint one single-use, manifest-bound grant.
Command: run DOT_C1_VOCAB_BUILD dry-run → capture manifest_hash; dot-c1-grant-issue --manifest-hash <hash> --owner <principal> --cloud --dry-run then real; assign ownership.
DOT path: dot-c1-grant-issue (report 06), scope-locked.
Payload: payloads/governance_build_authorization_grant.json.
Expected mutation: governance_build_authorization 0→1 (status=draft).
Readback: 1 row, scope == DOT_C1_VOCAB_BUILD@DRYRUN-NS:dot:c1:vocab, single_use=true, bound to the hash.
Rollback/retire: PATCH status=revoked.
Blast radius: one grant row.
STOP if: scope broader than the C1 scope; or a draft/active grant already exists; or hash unbound.
Codex attack: "grant too broad / reusable" → refuted by scope lock + single-active guard + single-use CAS.

W8 — Preflight + bad-input route-level readiness (READ-ONLY)

Goal: prove readiness without running the gated dry-run.
Command: dot-c1-preflight --cloud (expect READY 8/8); dot-c1-bad-input-harness --cloud (24 cases fail-closed, 0 PASS/seal); dot-c1-evidence-readback --cloud.
DOT path: the 3 Cấp-A check DOTs.
Expected mutation: none (read-only checks).
Readback: preflight READY; every bad-input case refused; before==after on governance_canonical_operation_vocab (0 rows).
Rollback/retire: n/a (read-only).
Blast radius: none.
STOP if: any invalid input emits PASS/digest/seal, or any check writes.
Codex attack: "fail-open" → 24-case harness asserts each fail-closed.

W9 — Evidence / readback package

Goal: capture before/after + all readbacks.
Command: dot-c1-evidence-readback; write the evidence package to KB.
DOT path: governed KB write.
Expected mutation: documentation only.
Readback: package lists every W-step's before/after.
Rollback/retire: supersession entry.
Blast radius: docs only.
STOP if: any counter drifted beyond the planned deltas.

Sequencing & HALT

W1→W2→(W3,W4 + ledger)→W5→W6→W7→W8→W9 → HALT for Codex final confirmation + explicit Owner dry-run authorization. The actual governed dry-run (the gated DOT_C1_VOCAB_BUILD real dispatch consuming the grant) is NOT part of W1–W9 — it runs only after the HALT gate.

Net planned deltas (so any over-write is caught)

dot_tools +8 (317) · contracts +2 (4) · collections +1 (165) · collection_registry +1 · table_registry +1 (22) · grants +1 · executor image +1 rebuild. Everything else unchanged.