KB-6EC8

C1 W7 apply — 01 before snapshot 2026-06-23

Revision 1

01 — Before snapshot (T2 macro: APPLY C1 W7 handler prerequisite only) — 2026-06-23

Macro: C1_APPLY_AUTHORIZE_BUILD_STEP_HANDLER_ONLY (T2 / operator-apply attempt). This file is the fresh-read live state captured before any mutation (macro §0 before-live, vps). 0 production writes were performed by this macro (RO probes + this evidence package only).

A. SSOT confirmation (macro §0 ssot)

  • CODE SSOT = VPS /opt/incomex (host vmi3080463). Handler code lives at /opt/incomex/dot/bin/dot-apr-execute.
  • EVIDENCE / DOT-manage SSOT = AgentData KB (incomex-agent-data, this package uploaded there).
  • LOCAL web-test = staging only (branch main); no local file treated as governed proof.

B. Live DB before-snapshot (db=directus, fresh-read 2026-06-23)

| metric | value | source query |
|---|---|---|
| authorize_build_step.handler_ref | unimplemented | SELECT … FROM apr_action_types WHERE action_code='authorize_build_step' |
| authorize_build_step risk / status / origin | high / active / PG:sb1-gov-vocab (created 2026-06-02) | same |
| apr_action_types total | 14 | count |
| apr_action_types unimplemented (handler_ref='unimplemented') | 10 | count |
| governance_build_authorization grants | 0 | count |
| approval_requests total | 230 | count |
| approval_requests where proposed_action_code='authorize_build_step' | 0 | count |
| dot_tools total | 309 | count |
| dot_tools rows for dot-c1-grant-issue / dot-c1-* | 0 / 0 | count |
| dot_agent_api_contract total | 2 (DOT_KG_EXPLAIN pair only) | count |
| table_registry total | 21 | count |
| directus_collections total | 164 | count |

This baseline is identical to the predecessor apply-attempt (file …minimal-lego-patch/12, 2026-06-23).

C. Implemented APR handlers (fresh-read — the deploy vehicle exists server-side)

| action_code | handler_ref | risk | _dot_origin |
|---|---|---|---|
| add_field | dot-apr-execute:add_field | medium | MIGRATION |
| create_item | dot-apr-execute:create | low | MIGRATION |
| patch_ops_code | dot-apr-execute:patch_ops | high | MIGRATION |
| update_item | dot-apr-execute:update | low | MIGRATION |

patch_ops_code (the file-04 deploy vehicle) is implemented on the VPS. The blocker is not that the vehicle is missing — it is that this environment has no channel to propose / approve / execute an APR through it (see §E and file 02).

D. VPS code-SSOT read attempt (macro §0 vps)

  • read_file('/opt/incomex/dot/bin/dot-apr-execute') → [DENIED] path is outside the allowlist.
  • The read_file allowlist is /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx — it does not include /opt/incomex/dot/bin. The single denial establishes the boundary for the whole bin tree, so dot-apr-execute, dot-apr-propose, dot-apr-health, dot-dot-register and /opt/incomex/deploy/agent-api-executor are all unreadable from here — let alone patchable.

E. Container / dispatch reachability

  • incomex-agent-api-executor = Up 2 weeks (healthy), 8090->8090/tcp. But there is no HTTP / dispatch tool in this environment to reach it, and it is contract-bound to DOT_KG_EXPLAIN only (refuses REAL_RUN; authorize_build_step has no contract there). 11 containers total, all healthy.

F. Capability inventory (the only tools available this turn)

| tool | capability | can it apply the W7 prerequisite? |
|---|---|---|
| query_pg | read-only SELECT (AST-validated, READ ONLY txn, 5s timeout, LIMIT 500) | NO |
| pg_schema | read-only information_schema introspection | NO |
| read_file | allowlist read (docs, dot/specs, nginx); DENIED on dot/bin | NO |
| write_file | docs-only /opt/incomex/docs/mcp-writes | NO (docs only) |
| list_docker / docker_logs | read-only | NO |
| directus_create/update/delete | Directus item writes (write-allowlist restricted) | NO — using these for governance rows = forbidden manual Directus / bypass |
| directus_trigger_flow | trigger a Directus flow | NO — no flow proposes+approves+executes a high-risk APR with quorum; triggering to mint/bind = bypass |
| agent-data KB | document store | NO (evidence only) |

No tool in this environment can: propose an APR, approve an APR, cast a quorum / president vote, execute / dispatch an APR, run a governed migration, register a DOT, or invoke any /opt/incomex/dot/bin/dot-* script. ⇒ the W7 prerequisite cannot be applied here. Per-step results in files 02–04.
