C1 W7 apply — 04 dot-c1-grant-issue lifecycle proof (NOT EXECUTABLE) 2026-06-23
04 — dot-c1-grant-issue DOT lifecycle proof (STEP 5) — NOT EXECUTABLE
Target (macro §3.3): birth → admit → register (dot_tools/CAT-006) → catalog → DOT-manage ledger →
readback for the reworked dot-c1-grant-issue, which must be a PROPOSER (calls
dot-apr-propose --action-code authorize_build_step), not a direct grant writer.
Reuse-first search (macro §3.3 / new-dot-lifecycle step 1) — COMPLETE
Searched dot_tools (code/name) for c1-grant / grant_issue / dot-c1-* ⇒ 0 rows (fresh-read, file 01 §B).
Prior survey (grant-issuer report 2026-06-23) confirmed no existing DOT mints governance_build_authorization;
the only literal hit DOT_SCHEMA_SYSTEM_ISSUES_ENSURE is a false positive. A new C1-scoped issuer is
necessary — but its lifecycle cannot be completed from this environment.
new-dot-proof-table (macro new-dot-proof-table)
| field | value |
|---|---|
| DOT name | dot-c1-grant-issue (DOT_C1_GRANT_ISSUE) |
| why existing DOT cannot be reused | no DOT mints governance_build_authorization; apr tooling cannot execute the unimplemented authorize_build_step |
| birth DOT/path | NONE — staged script/spec only (…/minimal-lego-patch/staged-artifacts/scripts/dot-c1-grant-issue.reworked); banner LOCAL_STAGING_NOT_SSOT |
| governance/admission DOT/path | NONE — no admission record |
| registration DOT/path | NONE — dot-dot-register is the on-deploy registrar CLI in /opt/incomex/dot/bin (unreachable: cannot read or invoke /dot/bin) |
| catalog / CAT-006 / dot_tools readback | ABSENT — 0 dot-c1-* rows; 0 C1 contracts |
| DOT-manage ledger readback | STAGED ONLY — dot-manage-c1-ledger-update.staged.md (“NOT applied this turn”) |
| rollback / retire path | designed (status=revoked / retire) but not registered |
| orphan check | ORPHANED — script/spec exists, governed lifecycle absent ⇒ hard-stop |
Issuer behavior (design-confirmed, file 06 of minimal-lego-patch)
- ✓ proposer only:
dot-apr-propose --action-code authorize_build_step --proposed-action <C1 payload>. - ✓ does not POST to Directus
governance_build_authorization(it is a raw PG table, not a Directus collection); does not INSERT a grant directly; does not hardcode a grant row; uses no gba columns. - The grant is minted only by the governed handler behind quorum (re-proved by
trg_apr_block_unimplemented).
Result
STEP 5 = NOT EXECUTABLE
Registering the issuer requires the governed DOT registrar (dot-dot-register, on-deploy CLI) + admission +
ledger write — none runnable from the agent env (RO SELECT / allowlisted read / docs-only write / RO docker).
No dot-dot-register was run (and a bare/unfiltered real-run is forbidden regardless). ⇒ lifecycle incomplete;
the reworked issuer is design-complete but not a born/registered DOT.