13-prewrite-gate-w1-w9-and-three-gaps-2026-06-22.md
13 — Pre-write gate: W1→W9 DOT-100% + three gaps + registrar defect (macro §3.2/§3.3/§3.4)
A. W1→W9 DOT-100% gate (each step audited)
Legend: SSOT = where it runs · DOT? = DOT-100% path · manual? = uses manual SQL/Directus POST/registry insert.
| W | runs on | DOT path | manual? | rollback/retire | LEGO-small | executable now? |
|---|---|---|---|---|---|---|
| W1 registrar patch + stage scripts | VPS /opt/incomex | patch_ops_code (dot-apr-execute:patch_ops) + scp | no | restore v1.0.0 ops-code; rm files | yes (1 patch + file stage) | yes |
| W2 birth/admission | VPS + KB | dot-species-register + dot-birth-backfill; ledger→KB | no | dot-entity-retire; ledger supersede | yes | yes |
| W3 surface (collection+registry) | VPS | dot-collection-create + -register + -table-registry-ensure | no | de-register/drop empty; archive rows | yes | yes |
| W4 tool registration | VPS | patched governed registrar `--only-prefix dot-c1-` + dot-catalog-sync | no (not manual POST) | status-flip `retired` on 8 codes | yes | yes (after W1) |
| W5 contract binding | VPS | dot-c1-contract-register DOT | no | `contract_status=retired` | yes | yes (after W2/W4 birth+reg of the DOT) |
| W6 endpoint deploy | VPS /opt/incomex/deploy/agent-api-executor | operator image rebuild (DOT-approved deploy) | no | redeploy :v1 | yes (3 additive changes) | operator step — see G3b |
| W7 grant/ownership | VPS | dot-c1-grant-issue (authorize_build_step) | no | PATCH status=revoked | yes | NO — see G3c (BLOCKER) |
| W8 preflight+bad-input | VPS | 3 Tier-A (Cấp-A) check DOTs | no (read-only) | n/a | yes | yes (after W6) |
| W9 evidence/readback | KB | governed KB write | no | supersede entry | yes | yes |
Result: No W step uses manual SQL, manual Directus POST, or manual registry insert. Every step is DOT-100% or DOT-approved deploy, LEGO-small, with a rollback/retire. W7 is not executable because its governed action is unimplemented (below).
B. Registrar duplicate-defect gate (macro §3.4) — RESOLVED
- bare `dot-dot-register` real-run remains forbidden: YES — OLD matcher = 287 false-new (evidence/runA), and even a correct basename+code matcher = 15 backlog rows (evidence/runB) ⇒ never bare.
- patched/filtered dry-run only sees DOT_C1 named rows: YES — `--only-prefix dot-c1-` → today 0 (runC1), post-W1 exactly 7 DOT_C1_ rows* (runC2), exit 0.
- backlog 15 not inserted / 287 avoided: YES — filter + `--max-new` abort (exit 3) on unexpected bulk.
- idempotency guard exists: YES — basename + derived-code, ×2.
- rollback/retire exists: YES — status-flip `retired` on the named codes.
- Matcher VPS-SSOT-confirmed (diff vs local = 3 PG-env lines; matcher byte-identical).
- `…HOLD_REGISTRAR_DEFECT_UNRESOLVED` does not fire.
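As an added illustration (not the project's registrar code), the three guards the gate above relies on, modelled in Python over constructed sample rows: the `--only-prefix` filter, the twofold basename + derived-code idempotency check, and the `--max-new` abort. The code-derivation rule (upper-case, `-` → `_`) is an assumption taken from `dot-c1-` mapping to `DOT_C1_`.

```python
import re

# Constructed sample data (not the project's registry): rows already on the SSOT.
EXISTING_ROWS = [
    {"basename": "dot-species-register", "dot_code": "DOT_SPECIES_REGISTER"},
    {"basename": "dot-c1-contract-register", "dot_code": "DOT_C1_CONTRACT_REGISTER"},
]
# Constructed sample of staged script basenames the registrar would scan.
STAGED = [
    "dot-species-register", "dot-c1-contract-register", "dot-c1-grant-issue",
    "dot-c1-vocab-build", "dot-entity-retire", "dot-catalog-sync",
    "dot-birth-backfill", "dot-collection-create",
]


class BulkInsertAbort(Exception):
    """Dry-run would insert more rows than --max-new permits (exit 3 on the page)."""
    exit_code = 3


def derived_code(basename: str) -> str:
    """Assumed derivation: non-alphanumerics -> '_', upper-case ('dot-c1-' -> 'DOT_C1_')."""
    return re.sub(r"[^A-Za-z0-9]+", "_", basename).strip("_").upper()


def plan_register(staged, existing_rows, only_prefix=None, max_new=None):
    """Return the (basename, dot_code) pairs a dry-run would insert, in name order.

    Guards, mirroring the gate:
      1. --only-prefix: staged names outside the prefix are never even looked at;
      2. idempotency x2: skip when the basename OR the derived code is already registered;
      3. --max-new: abort rather than plan an unexpected bulk insert.
    """
    known_names = {r["basename"] for r in existing_rows}
    known_codes = {r["dot_code"] for r in existing_rows}
    planned = []
    for name in sorted(set(staged)):
        if only_prefix and not name.startswith(only_prefix):
            continue
        code = derived_code(name)
        if name in known_names or code in known_codes:
            continue
        known_names.add(name)   # two staged files must not collide with each other either
        known_codes.add(code)
        planned.append((name, code))
    if max_new is not None and len(planned) > max_new:
        raise BulkInsertAbort(f"{len(planned)} new rows exceeds --max-new={max_new}")
    return planned


if __name__ == "__main__":
    print(plan_register(STAGED, EXISTING_ROWS, only_prefix="dot-c1-", max_new=10))
```

Without the prefix the same staged set yields the backlog (6 rows here), which is exactly what `--max-new` is there to refuse.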
C. Three engineering gaps — executable OR HOLD (macro §3.3)
G3a — contract-register: PATH PROVEN, executable in-sequence
- source/path: staged DOT `staged-artifacts/scripts/dot-c1-contract-register` (VPS confirms 0 existing contract-writers).
- exact command: `dot-c1-contract-register --cloud --dry-run`, then real (W5).
- staged patch: the DOT + `payloads/dot_agent_api_contract_rows.json` (mirrors live KG pair).
- readback/health: `SELECT dot_code … WHERE dot_code LIKE 'DOT_C1_%'` = 2.
- rollback: `contract_status=retired`.
- precedent located on VPS: `/opt/incomex/docs/mcp-writes/dot-agent-api-contract-2026-06-04/{v5_apply.sql,v5_rollback.sql}`.
- executable next step? Yes, after the DOT is born+registered in W2/W4. Not conceptual.
- `…HOLD_CONTRACT_REGISTER_PATH_UNPROVEN` does not fire.
G3b — C1 endpoint deploy: PATH PROVEN (concrete patch + located source), operator rebuild
- source/path: `/opt/incomex/deploy/agent-api-executor/` (host `main.py` sha `09cdd867…` == running container — authoritative).
- exact command: apply `patches/executor-main-py-c1.additive-design.md` (FIXTURE_MAP +1, `_produce_c1_vocab` read-only, `check_c1_vocab_output`, ship `c1_vocab_fixture_v1.json`) → `docker build` new image → redeploy.
- staged patch: yes (concrete 3-change additive design against the real source).
- health-check: `GET /healthz` (writes_db:false) + `DOT_C1_VOCAB_BUILD PLAN_ONLY` → `{validated:true, writes_db:false}` + KG regression unchanged.
- rollback: redeploy `agent-api-executor-local:v1`.
- executable next step? Yes, by operator (image rebuild); concrete, not "only conceptual" → `…HOLD_C1_ENDPOINT_DEPLOY_PATH_UNPROVEN` does not fire. (It is the one non-CLI step — disclosed.)
G3c — grant/ownership issuer: HOLD — handler unimplemented (BINDING BLOCKER)
- live fact (re-confirmed): `apr_action_types.authorize_build_step.handler_ref = unimplemented`; `governance_build_authorization` grants = 0; 0 issuer DOTs on the VPS SSOT.
- staged: `staged-artifacts/scripts/dot-c1-grant-issue` (scope-locked, single-use, manifest-bound, reject matrix) — but it is `LOCAL_STAGING_NOT_SSOT`, unborn, unregistered, and it implements a governed action whose governed handler is deliberately unimplemented.
- macro §5 exception requires a "minimal C1-scoped issuer with full lifecycle proof" (born+admitted+registered+runnable). That cannot be produced this turn without production writes (forbidden). So the exception is not satisfied.
- executable next step? NO. ⇒ `C1_LEGO_PREWRITE_HOLD_GRANT_ISSUER_UNIMPLEMENTED`.
D. DOT-manage ledger path (macro §2.12) — included, not merely local
Ledger payload `staged-artifacts/dot-manage/dot-manage-c1-ledger-update.staged.md` is in the AgentData KB (file 12 manifest, MATCH) and W2/W9 apply it on the governed SoR (KB), interleaved so no DOT_C1 is registered without its ledger row (armed HOLD `…LEDGER_NOT_UPDATED`). `…HOLD_DOT_MANAGE_LEDGER_PATH_UNPROVEN` does not fire.
Gate conclusion
KB ✓ · registrar defect ✓ · W1–W6/W8/W9 DOT-100% & executable ✓ · G3a ✓ · G3b ✓ · G3c = HOLD (unimplemented grant issuer). The single binding blocker to owner-approved W1→W9 is the grant issuer handler.