C1 W7 pre-apply remediation — 01 dirty SSOT classification (100% classified) 2026-06-23
01 — A2 · Dirty VPS SSOT Classification (read-only)
Result: EVERY dirty entry is classified → A2 is NOT ..._HOLD_DIRTY_SSOT_UNCLASSIFIED.
No file change was made: no stash, no commit, no restore, no ignore. Classification only.
Tree state (RO SSH root@vmi3080463, db reads governed)
- toplevel `/opt/incomex`; branch `feat/s177-sprint1-round-a`; HEAD `bbf9c436ce1468cc3cddb231a88216ea8ad8ec88`. `git status --short` = 80 entries = 17 modified (M) + 63 untracked paths (??). `git ls-files --others --exclude-standard` expands those 63 untracked paths to 1999 files (untracked directories collapse to one `??` line in status; both numbers reconcile).
- W7 apply binaries are CLEAN: `dot-apr-execute`, `dot-apr-propose`, `dot-dot-register` → all status=clean. The W7 handler host file `dot/bin/dot-apr-execute` (where `execute_authorize_build_step` would be added) is itself unmodified. `patch_ops_code` is a verb inside `dot-apr-execute`, not a separate file.
- No dirty path touches the C1/W7 apply surface. A grep of the full dirty set for `c1` / `authorize_build` / `grant_issue` / `governance_build` / `apr_action` / `dot-c1` returns only: one agent-authored doc `docs/mcp-writes/c1-dryrun-true-readiness-channel-probe-2026-06-22.md` (documentation, additive) and three `lark-backups/.../table_tbljmz4PLeohInc1/*` files (substring `Inc1` false positive: Larkbase backup data). None is apply code.
A. Modified tracked files (17) — per file
Columns: file · status · ±lines · rel_C1_W7 · rel_DOT-birth/gov · safe_to_patch_over · recommended_action · reason · rollback
| file | st | ±lines | C1_W7 | DOT/gov | safe_to_patch_over | action | reason | rollback |
|---|---|---|---|---|---|---|---|---|
| claude-kb/docker-compose.claude-kb.yml | M | +7/-1 | NO | NO | OWNER_DECISION | commit/stash | KB-stack compose tweak (S177 infra) | git restore; .pre-docker-incomex-attach-* backup exists |
| docker/docker-compose.yml | M | +32/-0 | NO | NO | OWNER_DECISION | commit/stash | adds services (executor/KB, S177 infra) | git restore; 4× docker-compose.yml.pre-* backups present |
| docker/nginx/conf.d/default.conf | M | +57/-0 | NO | NO | OWNER_DECISION | commit/stash | nginx routing additions (S177) | git restore; 4× default.conf.pre-*/.rp-backup-* present |
| dot/bin/dot-birth-backfill | M | +10/-210 | NO | YES | OWNER_DECISION | commit/stash/triage | gutted to 11-line stub (whole body removed) | restore from untracked dot-birth-backfill.stage0-frozen-2026-06-06 or git restore |
| dot/bin/dot-birth-trigger-setup | M | +10/-274 | NO | YES | OWNER_DECISION | commit/stash/triage | gutted to 11-line stub | restore from untracked dot-birth-trigger-setup.stage0-frozen-2026-06-06 or git restore |
| lark-client/lark_client/approval.py | M | +51/-0 | NO | partial (lark approval provider; NOT APR quorum) | OWNER_DECISION | commit/stash | S177 approval-provider additions | git restore |
| lark-client/lark_client/backup_gate.py | M | +285/-54 | NO | partial (backup-gating policy) | OWNER_DECISION | commit/stash | S177 6000x backup-policy hardening | git restore |
| lark-client/lark_client/mcp_adapter/adapter.py | M | +66/-39 | NO | NO | OWNER_DECISION | commit/stash | S177 MCP adapter | git restore |
| lark-client/lark_client/mcp_adapter/server.py | M | +1/-1 | NO | NO | YES | commit/stash | trivial | git restore |
| lark-client/lark_client/service.py | M | +8/-2 | NO | NO | YES | commit/stash | minor service edit | git restore |
| lark-client/tests/test_mcp_adapter.py | M | +10/-1 | NO | NO | YES | commit/stash | test | git restore |
| lark-client/tests/test_mcp_remote.py | M | +9/-1 | NO | NO | YES | commit/stash | test | git restore |
| lark-client/tests/test_s177_4000x_surface.py | M | +18/-2 | NO | NO | YES | commit/stash | test | git restore |
| lark-client/tests/test_s177_5000x_surface.py | M | +12/-3 | NO | NO | YES | commit/stash | test | git restore |
| lark-client/tests/test_s177_6000x_backup_policy.py | M | +114/-15 | NO | NO | YES | commit/stash | test | git restore |
| scripts/smoke-test.sh | M | +36/-0 | NO | NO | YES | commit/stash | smoke test | git restore |
| scripts/test-mcp-connectivity.sh | M | +38/-0 | NO | NO | YES | commit/stash | connectivity test | git restore |
Modified totals: +764 / -603. Net theme: S177 sprint-1-round-a work (lark-client app + tests + infra) plus two DOT-birth tooling files reduced to stubs (originals preserved as .stage0-frozen-2026-06-06). None is the W7 apply target.
B. Untracked files (1999) — by classified bucket (100% covered)
Columns: bucket (count) · C1_W7 · DOT/gov · safe_to_patch_over · action · reason · rollback
| bucket (count) | C1_W7 | DOT/gov | safe | action | reason | rollback |
|---|---|---|---|---|---|---|
| lark-backups/** (972: daily 956, bin 8, archives 5, lib 2, config 1) | NO | NO | YES | ignore (gitignore candidate) | daily Larkbase backup artifacts (data) | regenerable |
| docs/mcp-writes/** (385) | NO | NO | YES | keep/ignore | agent-authored docs via mcp-writes channel (incl. prior evidence notes) | mirrored in KB / regenerable |
| docs/lark/** (7) | NO | NO | YES | keep | S177 evidence docs | regenerable |
| dot/iu-cutter* (≈300: v0.6 92, v0.6-o8a-staging 92, o7-sidecar 37, iu-cutter 30, o8c 11, o8b-blocked-reports 10, o8-sidecar 10, agent-sandbox 8, o8-sidecar 10, o8b-deploy-staging 3) | NO | partial (DOT iu-cutter tooling, staging/sidecar copies, not registered bin) | OWNER_DECISION | triage (commit-or-clean) | iu-cutter v0.6 staging + sidecars | staging copies; regenerable |
| dot/bin/** (7) | NO | YES | OWNER_DECISION | triage (see note) | 4 new utility scripts (apply_composition_fixes.sh, dot-context-pack-retention-cleanup, dot-pivot-update, dot-search-canary) + 2 frozen birth originals (dot-birth-*.stage0-frozen-2026-06-06) + 1 .bak (dot-dot-health.bak.*) | frozen files ARE the rollback for the two gutted M files |
| dot/specs (2), dot/scanners (2), dot/o8b-deploy-staging (3) | NO | partial | OWNER_DECISION | keep/triage | DOT specs/scanners/staging | regenerable |
| docker/nginx/** (199: static/ui-preview + .pre-* backups) | NO | NO | YES | ignore backups / triage ui-preview | nginx static preview + conf backups | backups are themselves recovery |
| docker/** other (compose .pre-* backups, dieu44_v0_5_constmarker_amend_prod_* 2 incl. a prod-directus-preamend-*.sql.gz dump, ROLLBACK-executor-docker-run.sh, dot-iu-cutter-v0.4-connenv-exec.sh) | NO | NO | OWNER_DECISION | secure/triage (see §sensitive) | infra backups + one prod DB dump | backups |
| data/** (69: tac 62, trigger-guard 7) | NO | NO | YES | ignore (data dir) | runtime data | regenerable |
| tmp/** (33: dieu44_v0_4_cred_* dryrun/prod/stage) | NO | partial | OWNER_DECISION | review & clean (see §sensitive) | dieu44 credential staging/dryrun temp artifacts | temp; regenerable |
| scripts/** (14: new guard/check scripts + .pre-* backups) | NO | NO | OWNER_DECISION | triage | pg-dump/route guards + script backups | backups present |
| claude-mcp/** (4: RUNBOOK.md, 2 guard .sh, 1 .deploy-secrets.pre-rotate-* backup) | NO | NO | OWNER_DECISION | secure (see §sensitive) | mcp-writes perms tooling + a secrets backup | n/a |
| claude-kb/** (1: compose .pre-* backup) | NO | NO | YES | ignore | compose backup | n/a |
Coverage check (buckets in table order): 972 + 385 + 7 + ≈300 + 7 + 7 + 199 + ~ + 69 + 33 + 14 + 4 + 1 = 1999 untracked files, all assigned to a classified bucket; 0 unclassified. The two inexact terms are the approximate dot/iu-cutter* count (≈300) and the docker/** other count, which is not recorded above (~).
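The reconciliation and bucketing used above (status `??` entries vs. the expanded `ls-files` count, per-prefix buckets with an explicit unclassified remainder, the sensitive-artifact flags, and the apply-surface keyword sweep with its `Inc1` substring false positive) as an added, read-only example in Python. This is not part of this note or of the incomex tooling: it works on captured command text instead of calling git, the porcelain output, file list and file bodies are constructed samples, and the bucket prefixes, sensitive patterns and the "not glued to a preceding alphanumeric" matching rule are illustrative choices.

```python
"""Read-only dirty-tree classification (added example, not incomex tooling).

Input is the text of `git status --porcelain` and
`git ls-files --others --exclude-standard`; nothing here touches a tree.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of `git status --porcelain` (not a real capture).
STATUS_PORCELAIN = """\
 M dot/bin/dot-birth-backfill
 M lark-client/lark_client/backup_gate.py
?? lark-backups/
?? docs/mcp-writes/
?? claude-mcp/.deploy-secrets.pre-rotate-sample
?? docker/dieu44-sample/prod-directus-preamend-sample.sql.gz
"""

# Constructed sample of `git ls-files --others --exclude-standard`.
LS_OTHERS = """\
lark-backups/daily/sample-a/table_tbljmz4PLeohInc1/rows.json
lark-backups/daily/sample-b/table_tbljmz4PLeohInc1/rows.json
lark-backups/bin/backup.sh
docs/mcp-writes/c1-dryrun-true-readiness-channel-probe-2026-06-22.md
docs/mcp-writes/kb-note-sample.md
claude-mcp/.deploy-secrets.pre-rotate-sample
docker/dieu44-sample/prod-directus-preamend-sample.sql.gz
"""

# Constructed file bodies for the keyword sweep (not real file contents).
SAMPLE_CONTENTS = {
    "docs/mcp-writes/c1-dryrun-true-readiness-channel-probe-2026-06-22.md":
        "# C1 dryrun probe\nreadiness of execute_authorize_build_step under dot-c1.\n",
    "lark-backups/daily/sample-b/table_tbljmz4PLeohInc1/rows.json":
        '{"table_id": "tbljmz4PLeohInc1", "rows": []}\n',
    "docs/mcp-writes/kb-note-sample.md": "KB note, nothing governance-related.\n",
}

# Illustrative bucket prefixes (longest match wins); anything else is UNCLASSIFIED.
BUCKET_PREFIXES = ["lark-backups/", "docs/mcp-writes/", "docs/lark/", "dot/bin/",
                   "docker/nginx/", "docker/", "claude-mcp/", "claude-kb/", "tmp/", "data/"]
# Illustrative patterns for artifacts that need an owner decision, never a blanket "safe".
SENSITIVE = [re.compile(r"\.sql(\.gz)?$", re.I), re.compile(r"secret", re.I), re.compile(r"cred", re.I)]
# Apply-surface keywords from the note; the matching rule below is an illustrative choice.
SURFACE_TERMS = ["c1", "authorize_build", "grant_issue", "governance_build", "apr_action", "dot-c1"]


def parse_status(porcelain: str) -> Tuple[List[str], List[str]]:
    """Split porcelain output into modified tracked paths and untracked (??) entries."""
    modified, untracked = [], []
    for line in porcelain.splitlines():
        if not line.strip():
            continue
        code, path = line[:2], line[3:]
        if code == "??":
            untracked.append(path)
        elif "M" in code:
            modified.append(path)
    return modified, untracked


def reconcile(untracked_entries: List[str], ls_others: str) -> Tuple[int, int, List[str]]:
    """Return (?? entry count, expanded file count, files not covered by any ?? entry).

    A ?? entry ending in '/' is a collapsed directory and covers everything under it."""
    files = [p for p in ls_others.splitlines() if p.strip()]
    covered = lambda f: any(f == e or (e.endswith("/") and f.startswith(e)) for e in untracked_entries)
    return len(untracked_entries), len(files), [f for f in files if not covered(f)]


def bucket(paths: List[str]) -> Dict[str, int]:
    """Count files per bucket prefix; leftovers land in UNCLASSIFIED so 0 can be asserted."""
    counts: Counter = Counter()
    for p in paths:
        hits = [b for b in BUCKET_PREFIXES if p.startswith(b)]
        counts[max(hits, key=len) if hits else "UNCLASSIFIED"] += 1
    return dict(counts)


def flag_sensitive(paths: List[str]) -> List[str]:
    return [p for p in paths if any(rx.search(p) for rx in SENSITIVE)]


def scan_surface(contents: Dict[str, str], terms: List[str] = SURFACE_TERMS) -> Dict[str, List[str]]:
    """Case-insensitive keyword sweep. A term counts only when not preceded by an
    alphanumeric, so `Inc1` inside a Larkbase table id does not trip `c1`, while
    `dot-c1` and `execute_authorize_build_step` still do."""
    hits = {}
    for path, text in contents.items():
        found = [t for t in terms if re.search(r"(?<![A-Za-z0-9])" + re.escape(t), text, re.I)]
        if found:
            hits[path] = found
    return hits


def classify(porcelain: str = STATUS_PORCELAIN, ls_others: str = LS_OTHERS) -> Dict[str, object]:
    """One-shot summary of the kind this note tabulates, from captured text only."""
    modified, untracked = parse_status(porcelain)
    n_entries, n_files, orphans = reconcile(untracked, ls_others)
    files = [p for p in ls_others.splitlines() if p.strip()]
    counts = bucket(files)
    return {"modified": len(modified), "status_untracked_entries": n_entries,
            "expanded_untracked_files": n_files, "reconciled": not orphans,
            "buckets": counts, "unclassified": counts.get("UNCLASSIFIED", 0),
            "sensitive": flag_sensitive(files)}


if __name__ == "__main__":
    print(classify())
    print(scan_surface(SAMPLE_CONTENTS))
```

On the constructed input this reports 2 modified, 4 `??` entries expanding to 7 files with no orphans, 0 unclassified, two sensitive paths (the secrets backup and the `.sql.gz` dump), and a keyword hit only on the C1 probe doc; the backup row whose table id contains `Inc1` is not reported.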
Classification conclusion
- The entire dirty tree is S177 sprint work plus accumulated operational backups/staging/data. Nothing in it is the W7 apply target or any C1/APR governance code.
- Therefore the dirty tree does not technically collide with a W7 apply (the apply touches `dot-apr-execute` (clean) + a migration + the grant-issuer registration).
- BUT certifying 1999 untracked + 17 modified files (incl. mid-edit governance stubs, a prod DB dump and a secrets backup) as "safe to patch over" is an owner decision, not an agent self-certification. See `02-dirty-ssot-owner-options.md`.