01 — CONTEXT READBACK

Step 0 — foundations read directly in main process

No background agent was used.

• knowledge/dev/ssot/operating-rules.md — v7.58, revision 51
• knowledge/dev/ssot/vps/vps-operating-rules.md — v1.0, revision 2
• knowledge/dev/ssot/vps/vps-architecture.md — v2.0, revision 4
• knowledge/dev/laws/constitution.md — v4.6.3 BAN HÀNH
• knowledge/dev/laws/law-01-foundation-principles.md — v3.3, revision 12
• knowledge/dev/ssot/anti-patterns.md — revision 9
• knowledge/dev/laws-new/workflow-manage/workflow-list/WF-draft/06-staging-lane-simplified-approval-policy-draft.md — revision 1
• knowledge/dev/laws-new/newlaws/dot-manage/dot-manage-c1-lego-dryrun-lessons-addendum-2026-06-23.md — revision 1
• all 9 files in c1-staging-lite-admission-ready-for-codex/
• all 9 available files in c1-staging-fast-dry-run/; requested names differed, so the listed nearest/current equivalents were read.

The required semantic searches were executed directly: operating rules SSOT, hiến pháp v4.0 constitution, and mission-specific C1 staging/DOT/TTL/isolation terms.

Three declarations

1. Vĩnh viễn: approval is withheld until the gates fail closed by construction: exact expected error matching, fatal assertions, prerequisite proof, safe SBX capture, and enforceable cleanup. This fixes the mechanism rather than accepting a one-run observation.
2. Nhầm được không: official and staging targets are separated by database, strict sandbox naming, staging-only registry, and fresh official-runtime queries. Remaining command/argument ambiguity must be removed before execution.
3. 100% tự động: not yet. TTL is text only and requires a human to run P2; assertion failures are printed, not enforced. A scanner/cron safety trigger and machine-fatal gates are required.

Four-step checkpoint

1. Goal: decide whether the six primitives may execute the first fast C1 staging dry-run.
2. Method: evidence readback + deployed-file inspection + static attack review + fresh production read-only snapshot.
3. Prerequisites: six runners and SQL payloads exist; official isolation exists; but fail-closed verification, exact SBX capture, and automatic TTL cleanup are incomplete.
4. Roadmap: HOLD execution; fix primitives and plan; redeploy through the staging lane; rerun static review; only then request Codex review again.

Assembly gate

PG-native disposable DB isolation is appropriate. No Directus/Nuxt/open-source addition is needed. The blocker is correctness of existing bash/SQL gate logic, not missing architecture.