C1-W7 APR Packet — 02 W7 Patch Payload Proof (Phase B)
02 — Phase B: W7 patch payload reconstruction & proof
Source of truth for the patch
Two additive hunks extracted programmatically (no retyping) from the staged design:
reports/c1-authorize-build-step-handler-minimal-lego-patch/staged-artifacts/patches/dot-apr-execute-authorize_build_step.handler.additive-design.md
- CHANGE 1 = one
casearm"dot-apr-execute:authorize_build_step")→execute_authorize_build_step "$APR" - CHANGE 2 = one new function
execute_authorize_build_step()(C1 dry-run grant domain handler)
Reconstruction (against the VPS SSOT file, not the local staging copy)
- Pulled live
/opt/incomex/dot/bin/dot-apr-execute(v2.2.0) read-only. - Inserted CHANGE 1 immediately before the
*)default arm indispatch_handler(). - Inserted CHANGE 2 at top level beside the patch_ops section (before the Dispatch comment block).
- Bumped
VERSION="2.2.0"→"2.3.0"+ header comment + changelog entry.
Hashes
| artifact | value |
|---|---|
live dot-apr-execute v2.2.0 sha256 |
06211e6dc4d90ec4fbac26c521c146bef32c73ec97c0081783fa2986c0cbb8cc (27116 B) |
| patched v2.3.0 sha256 | a5f79847f6d08552c25779ca249dd9c2859b5c3ad2ef45a3204ddc3f94ef7fca (35002 B) |
| new_content_base64 sha256 | 54afb0daf92096c1604c13b1c4d1d71cb2168b98ab43b6445e78e95f9d226c1e |
| new_content_base64 md5 / len | 3aa36821a66127ca9e3d93e6c2f3d987 / 46672 |
| canonical proposed_action sha256 | 3d28987204ed90c63bb00bd0f2affac96649ada0d62fa5d8bbe76c16f1d3472c |
Syntax / additive / scope proofs
| proof | result |
|---|---|
bash -n on VPS bash 5.2.21 (authoritative target) |
PASS |
bash -n on macOS bash (sanity) |
PASS |
| transmitted-to-VPS sha256 == local patched sha256 | a5f79847… == a5f79847… ✓ |
| diff: added lines / removed lines | 144 / 2 (the 2 removed = only the VERSION string swaps) |
| new arm count / new function count | 1 / 1 |
existing handlers intact (create/update/add_field/patch_ops/unimplemented/*) default) |
all present (=1 each) |
| delta lines | +142 |
What the payload is (W7-only) and is NOT (anti-scope)
IS: add execute_authorize_build_step to dot-apr-execute only. dot_code=DOT-310,
file_path=/opt/incomex/dot/bin/dot-apr-execute, patch_mode=full_replace,
session_code=S-C1-W7-ABS-20260623, test_plan (bash -n + arm/function presence + regress),
verify_callback="bash -n /opt/incomex/dot/bin/dot-apr-execute" (post-apply syntax recheck).
IS NOT: does not bind handler_ref (separate migration, STEP 4) · does not insert a grant ·
does not register dot-c1-grant-issue · does not touch C2–C7 · does not run W1–W9 ·
does not run a dry-run · does not touch production / current corpus.
The deployed handler itself is scope-locked (Gate 0/A/B/C/D/E: C1 dry-run scope only,
commit_allowed hard-false, sovereign refused) — but that only matters after a future
approved execution, which this macro does not perform.
⇒ C1_W7_APR_PACKET_HOLD_PAYLOAD_RECONSTRUCTION_FAILED does not fire. Payload is faithful,
syntactically valid on the target shell, additive-only, and W7-scoped.