03 — DOT/APR Capability Proof

Read-only. --help only. No propose / execute / register / dry-run was run (hard-lock honored).

Git / SSOT state (VPS /opt/incomex)

Field	Value
git toplevel	/opt/incomex
branch	feat/s177-sprint1-round-a
HEAD	bbf9c436ce1468cc3cddb231a88216ea8ad8ec88
working tree	DIRTY — 80 git status --short lines (modified configs, dot/bin, lark-client, tests; several ?? untracked backups)

Note for apply-time: the SSOT working tree is dirty. An operator apply via patch_ops_code should account for this (the handler takes its own .bak-{session} backup and uses atomic mv, but the dirty tree should be reviewed before any W7 STEP1).

DOT/APR tool capability (all responded to --help)

Tool	Version	Level	Notes
dot-apr-health	v1.0.0	Cấp A	APR integrity check, 4 checks, read side-engine
dot-apr-propose	v2.0.2	Cấp A	Creates approval proposals; DB-driven validation via apr_request_types/apr_action_types; unknown code → REJECT + log (no silent-fail)
dot-apr-execute	v2.2.0	Cấp B	Dispatch by apr_action_types.handler_ref; requires SYNC_SECRET; --dry-run supported; unimplemented handler → SKIP + log warn
dot-dot-register	v1.0.0	Cấp B	Scans /opt/incomex/dot/bin/dot-*, registers untracked files in dot_tools

dot-apr-execute Cấp B gate (verified by script read, value never accessed)

• line 459: if [[ -z "${SYNC_SECRET:-}" ]]; then
• line 460: log_err "SYNC_SECRET is required. This is a Cấp B tool."

SYNC_SECRET is read from the environment, supplied by the operator at invocation.

W7-relevant capability facts

• The toolchain to drive a W7 apply is present and invocable from this terminal (propose at Cấp A, execute at Cấp B, register at Cấp B).
• authorize_build_step is still handler_ref='unimplemented' (see file 04) → dot-apr-execute would SKIP it today. Implementing/binding that handler is the W7 prerequisite — explicitly NOT performed in this preflight.

Criteria status (this file)

• invoke DOT scripts: YES (all four respond; --help only, no state change)