Incomex AI Portal
KB-BBB1

DOT-100 Addendum Compliance

4 min read Revision 1

01 — DOT-100 ADDENDUM COMPLIANCE

What the addendum corrected

The initial macro said "Manual SQL is allowed only inside the disposable staging schema/table namespace." The owner paused and overrode this:

Manual SQL is NOT freely allowed, even inside staging. Staging is lighter than official runtime, but it is still governed by DOT-100 at the operation level.

Forbidden (now explicit):

  • raw CREATE SCHEMA by hand without a DOT-approved primitive
  • raw CREATE TABLE by hand without a DOT-approved primitive
  • raw INSERT/UPDATE into staging tables by hand unless executed by a DOT-approved staging runner
  • calling manual SQL "safe" merely because it is in staging

Allowed only:

  1. use an existing DOT-approved staging primitive if available;
  2. use an existing DOT-approved schema/table/create/drop runner if available;
  3. if none exists, create/stage the smallest missing DOT primitive(s), each carrying a full lifecycle. Temporary staging may use simplified/auto approval — but not ungoverned manual SQL.

What I was about to do wrong (and stopped)

I had drafted a single SSH command that would have run, by hand against PostgreSQL: DROP DATABASE IF EXISTS … ; CREATE DATABASE c1_staging_20260623_0559 ; then a raw CREATE TABLE canonical_operation …, raw INSERTs for valid cases, and a raw bad-input harness. This is exactly the ungoverned manual SQL the addendum forbids. The command was rejected by the owner before execution — it never ran. I did not retry it.

What I did instead (this session)

  • Stopped the manual-SQL path entirely.
  • Verified no accidental artifact from my two earlier buggy (stdin-truncated) runs: 0 databases matching c1_staging_% or %sandbox% exist. Nothing to retract.
  • Ran a reuse-first discovery (read-only): scanned all 290 dot-* scripts on the VPS, searched dot_tools (120 schema/registry/collection/verify rows returned), and searched 191 governance tables — see 02-reuse-first-proof.md.
  • Concluded the 6 named staging primitives are genuinely missing, and the existing schema/collection runners are official-runtime tools (would breach the boundary).
  • Staged the 6 missing primitives with full 8-facet lifecycle (docs 03–06), via side-effect-free authoring only.

Channels used (all read-only / authoring)

  • query_pg — read-only SELECT (AST-validated, READ ONLY txn). Used for baseline + discovery.
  • SSH root@vmi3080463 + docker exec postgres psql -c/-tAc — used only for read-only SELECT/\dt-style introspection and ls of dot/bin. No DDL/DML executed.
  • AgentData KB upload_document — authoring this evidence package (allowed).

Note on the earlier truncation bug (transparency)

My first two SSH attempts used docker exec -i whose open stdin consumed the rest of the heredoc, truncating output. The first attempt's DROP DATABASE IF EXISTS did run (target did not exist → no-op); its CREATE DATABASE did not materialize (confirmed: 0 staging DBs). No state changed. The third (manual-SQL) attempt was rejected before running.