C1-W7 APR Packet — 03 APR Proposal Proof (Phase C)
03 — Phase C: Governed APR proposal proof (NOT executed)
Channel
Governed dot-apr-propose v2.0.2 (Level A — proposal tier), --cloud, run on the VPS.
Authenticated via the owner's own DIRECTUS_ADMIN_EMAIL/PASSWORD from /opt/incomex/docker/.env
(values never printed). This is the tool's intended production use — it is not a manual
Directus write; the tool performs DB-driven validation and a single POST /items/approval_requests.
Command (effective)
dot-apr-propose --cloud \
--request-type fix_repair_dot \
--action modify \
--action-code patch_ops_code \
--target-collection dot_tools \
--target-entity DOT-310 \
--title "C1-W7: implement authorize_build_step handler in dot-apr-execute (additive v2.3.0, bash -n verified)" \
--priority high \
--source "dot-c1-w7-authorize-build-step-handler-proposal" \
--evidence "C1 W7 prerequisite … bash -n PASS … binds no handler_ref, mints no grant, registers no DOT …" \
--source-context <provenance json with hashes> \
--proposed-action <full patch_ops_code payload, base64 of patched dot-apr-execute>
Result
[OK] Created: APR-0415 (status=pending)
{ "code":"APR-0415", "id":415, "status":"pending",
"request_type_code":"fix_repair_dot", "proposed_action_code":"patch_ops_code" }
exit=0
Recorded fields (read back via query_pg)
| field | value |
|---|---|
| code / id | APR-0415 / 415 |
| status | pending |
| request_type_code | fix_repair_dot |
| proposed_action_code | patch_ops_code (risk high) |
| target_collection / target_entity | dot_tools / DOT-310 |
| priority | high |
| source (proposer) | dot-c1-w7-authorize-build-step-handler-proposal |
| proposed_action.file_path | /opt/incomex/dot/bin/dot-apr-execute |
| proposed_action.patch_mode | full_replace |
End-to-end payload integrity
DB-stored proposed_action->>'new_content_base64': len 46672, md5 3aa36821a66127ca9e3d93e6c2f3d987
== local base64 md5 3aa36821a66127ca9e3d93e6c2f3d987 → MATCH. The APR carries exactly the
bash -n-clean patched file proven in file 02.
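
The read-back comparison above, as an added example (not part of the original packet or of the dot-apr tooling): a shell function that compares a stored base64 payload with the local patched file and then syntax-checks the decoded script. The function name, its file arguments and the extra SHA-256 digest are assumptions; the stored value is assumed to have been exported to a file beforehand.

```shell
# verify_apr_payload STORED_B64_FILE LOCAL_SCRIPT   (hypothetical helper)
# STORED_B64_FILE: the new_content_base64 value read back from the APR row,
#                  saved to a file (the export step is not shown here).
# LOCAL_SCRIPT:    the local patched script the APR is supposed to carry.
# Returns 0 on MATCH, 1 on MISMATCH, 3 if the decoded payload fails bash -n,
# 2 on I/O errors.
verify_apr_payload() {
    local stored_file="$1" local_script="$2"
    local stored local_b64 s_md5 l_md5 s_sha l_sha tmp

    # Strip line wrapping on both sides so base64 formatting differences
    # cannot cause a false mismatch. Digests are therefore taken over the
    # unwrapped text and may differ from digests taken over wrapped output.
    stored=$(tr -d '\r\n' < "$stored_file") || return 2
    local_b64=$(base64 < "$local_script" | tr -d '\r\n') || return 2

    # md5 mirrors the check on this page; sha256 is an added second digest.
    s_md5=$(printf '%s' "$stored"    | md5sum    | cut -d' ' -f1)
    l_md5=$(printf '%s' "$local_b64" | md5sum    | cut -d' ' -f1)
    s_sha=$(printf '%s' "$stored"    | sha256sum | cut -d' ' -f1)
    l_sha=$(printf '%s' "$local_b64" | sha256sum | cut -d' ' -f1)

    if [ "${#stored}" -ne "${#local_b64}" ] ||
       [ "$s_md5" != "$l_md5" ] || [ "$s_sha" != "$l_sha" ]; then
        echo "MISMATCH len=${#stored}/${#local_b64} md5=$s_md5/$l_md5"
        return 1
    fi

    # Decode what the database actually holds and syntax-check that copy,
    # so the bash -n result applies to the stored payload itself.
    tmp=$(mktemp) || return 2
    if ! printf '%s' "$stored" | base64 -d > "$tmp" ||
       ! bash -n "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "SYNTAX_FAIL decoded payload does not pass bash -n"
        return 3
    fi
    rm -f "$tmp"
    echo "MATCH len=${#stored} md5=$s_md5 sha256=$s_sha"
}
```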
Before == After (the only delta is the intended +1 APR)
| metric | before | after |
|---|---|---|
| approval_requests total | 230 | 231 |
| patch_ops_code APRs | 19 | 20 |
| authorize_build_step handler_ref | unimplemented | unimplemented (unchanged) |
| governance_build_authorization grants | 0 | 0 (unchanged) |
| apr_action_types total | 14 | 14 |
Two earlier attempts (transparency — both fail-closed, created nothing)
- First run: auth failed (admin creds not exported in bare shell) → exit before POST. No row.
- Second run: INSERT rejected by DB CHECK chk_apr_target_collection (target_collection NOT NULL) because --target-collection was omitted → atomic rejection. No row. approval_requests stayed 230.
- Third run (above): --target-collection dot_tools added → APR-0415 created.
No approval cast · no execution · no system_issues logged by these attempts.
⇒ C1_W7_APR_PACKET_HOLD_PROPOSAL_NOT_SAFE did not fire; proposal succeeded cleanly.