02 — Handler deploy proof (STEP 1) — NOT EXECUTABLE

Target (macro §scope): deploy execute_authorize_build_step into /opt/incomex/dot/bin/dot-apr-execute (v2.2.0 → v2.3.0) via the governed patch_ops_code APR path (NOT a manual file edit).

Required governed channel (file 09 STEP 1 + file 04 §C)

1. Build patched dot-apr-execute (add case arm + execute_authorize_build_step fn).
2. Propose a patch_ops_code APR (request_type=fix_repair_dot, action_code=patch_ops_code, proposed_action={dot_code:"DOT-310", file_path:"/opt/incomex/dot/bin/dot-apr-execute", patch_mode:"full_replace", new_content_base64:<…>, session_code:…, test_plan:…}).
3. Approve to high-risk quorum = 1 human president + 2 ai_council (proposer excluded, no rejects).
4. dot-apr-execute self-patches (execute_patch_ops_code: flock → backup .bak → base64 decode → bash -n syntax gate → atomic mv → vps_deploy_log).

Availability in this environment

sub-step	channel needed	available here?
build patched file	n/a (authoring)	partial — but cannot read the SSOT source (read_file DENIED on /dot/bin) to produce a faithful full_replace
propose patch_ops_code APR	a governed APR-propose tool (dot-apr-propose) or write into approval_requests via governed path	NO
approve + high-risk quorum	president + 2 ai_council vote-cast channel	NO (no owner auth, no quorum participants reachable)
execute self-patch	dot-apr-execute invocation (governed exec channel)	NO (cannot invoke /dot/bin; no shell/dispatch)

Result

STEP 1 = NOT EXECUTABLE

• exact command run: none (no APR proposed, no file written, no deploy).
• DOT/APR path used: none reachable.
• APR code: none (could not be proposed).
• quorum / owner evidence: none available (no owner authorization; high-risk quorum participants not reachable from agent env).
• file path: /opt/incomex/dot/bin/dot-apr-execute — unreadable ([DENIED] path is outside the allowlist).
• old hash / new hash / version: unobtainable (cannot read the file).
• backup path / rollback command: n/a (nothing deployed).
• readback from VPS: handler still absent; authorize_build_step.handler_ref='unimplemented' (file 06 after-snapshot).

patch_ops_code governance check (no manual edit substituted)

The deploy vehicle patch_ops_code is implemented on the VPS (handler_ref dot-apr-execute:patch_ops, risk=high, origin=MIGRATION — file 01 §C). It is the correct DOT-100% path. But it can only be driven by a governed propose → approve(quorum) → execute sequence, none of which is reachable here. A manual file edit / scp / raw write was not substituted (that would violate the macro HARD LOCK forbidden-operator).

⇒ This is the first and binding blocker. Verdict (file 07): C1_W7_OPERATOR_HOLD_PATCH_OPS_CODE_NOT_EXECUTABLE.