01 — Source Register & Readback (DOT Manage → LEGO Transition for C1 Dry-Run, 2026-06-22)
01 — Source Register & Readback
Macro: DOT_MANAGE_LEGO_TRANSITION_SURVEY_FOR_C1_DRYRUN
Date: 2026-06-22 · Type: transition survey + planning (NOT execution).
Live mutation: NONE on governed runtime (every live call read-only). KB doc writes for this package + 1 additive DOT-manage addendum + 1 README pointer = KB_DOC_UPDATE_ALLOWED.
Posture: REGISTRATION_HOLD ACTIVE · REGISTRATION_CAN_PROCEED=NO · P2/named-lane = CLOSED (not opened by this macro).
This file registers every source read and every command run, with a readback that proves the sources were actually consulted (not assumed). Per macro §0.5 every command is logged with: command · target · risk-label · output summary · evidence · what it proves.
A. KB sources read (DOT manage core)
| document_id | rev observed | what it gave | readback proof |
|---|---|---|---|
…/dot-manage/README.md |
1 | Canonical folder rules; "Directus/Postgres/schema is DOT-only"; "No confirmed authorized DOT exists for run-scoped disposable staging schema"; "Default HOLD" | content_length 1047, read in full |
…/dot-manage/dot-usage-handbook.md |
KB rev 12 / body rev4 | First human-usable map of every DOT; §5.3 = 309-row inventory; §13 frozen/forbidden DOTs; §17 future dot_operator_catalog; §18 missing-DOT register; §19 SPEC/ADMISSION-only note |
STATUS PASS_WITH_CAVEATS; "grants nothing, enacts nothing" |
…/operations/dot-usage-handbook.md |
KB rev 6 / body rev2 | Legacy/back-compat copy; ends at §17; lacks §18/§19 + REGISTRATION_HOLD language | Premise correction: this file EXISTS (it is not a missing stub) |
…/dot-manage/reports/macro9a0-dot-usage-handbook-execution-report-2026-06-19.md |
1 | Read-only authoring of the handbook; 0 substrate mutation | PASS_WITH_CAVEATS |
…/dot-manage/reports/macro9a0-…-full-row-inventory-supplement-report-2026-06-19.md |
2 | §5.3 patched to all 309 rows; frozen/forbidden tally (4 frozen + 2 monitored) | per-row attributes inferred, not executed |
B. KB sources read (DOT birth / governance / registration path)
| document_id (prefix) | what it gave |
|---|---|
…/architecture/pre-birth-admission-control-and-sequential-dot-workflow-2026-06-03/ |
Pre-birth admission permit model; sequential-DOT workflow design; live verification ("birth-first is POLICY, not ENFORCEMENT"); §9 "Do not build a production DOT yet — registrar creds ABSENT and OSPA=0" |
…/architecture/pre-birth-pilot-dot-tools-permit-composite-rehearsal-2026-06-03/ |
dot-birth-admit entrypoint spec (author-mode); operator packet; permit lifecycle views |
…/architecture/birth-stage1-gateway-ssot-runtime-contract-foundation-2026-06-06/ |
fn_birth_register (dry-run-default, fail-closed); birth gate advisory (warning-mode); structural single-column-unique defect; governance handoff gated (OSPA=0) |
…/registries-pivot-…-2026-06-03/03-dot-registration-or-staging.md |
RP-03: dot-dot-register = the ONLY governed registrar (Directus REST API); creds ABSENT; manual INSERT INTO dot_tools / token-minting explicitly forbidden |
C. KB sources read (Macro-9 staging-schema path)
…/dot-manage/specs/dot-r2-b2-staging-schema-shell.contract.md (rev2) · …/specs/dot-schema-write-guards.contract.md (rev2) · …/specs/dot-r2-b2-staging-schema-shell.validator.py (rev2, pure, no DB I/O) · …/specs/dot-r2-b2-bad-input-matrix.md (rev2, 64 cases) · …/specs/dot-r2-b2-validator-test-run-v2.txt (64/64 PASS) · …/specs/dot-r2-b2-validator-test-run.txt · …/admission/dot-r2-b2-staging-schema-shell-birth-admission-2026-06-19.md (rev9) · …/dot-manage/reports/macro9b-dot-staging-schema-path-artifact-index-2026-06-19.md (rev4) · …/reports/macro9b-dot-staging-schema-path-author-harden-report-2026-06-19.md · …/reports/macro9b0-…, …/reports/macro9b2-… · …/reports/codex/codex-rereview-macro9b2-… (PASS_WITH_CAVEATS).
D. KB sources read (C1 dry-run recent packages)
…/reports/c1-dryrun-execution/ · …/reports/c1-dryrun-true-readiness/ · …/reports/c1-dryrun-capability-and-execution/ · …/reports/ready-to-assemble-lego1-patch2/ · …/reports/codex/codex-review-ready-to-assemble-lego1-patch1-dry-run-auth-readiness-2026-06-22.md. (Index + decision/final + gap/operator-action files read in full per package.)
E. LIVE READ-ONLY COMMAND LOG (Incomex VPS, db=directus, 2026-06-22)
All probes executed via query_pg (read-only role, READ ONLY tx, 5 s timeout, hard LIMIT 500, SELECT-only) and directus_list_collections (HTTP GET). Zero writes/DDL/DML. (Tool note: pg_schema has a parameter-binding bug AmbiguousParameter; substituted information_schema.columns via query_pg — no result affected.)
| command | target | risk | output summary | evidence | proves |
|---|---|---|---|---|---|
SELECT count(*) FROM dot_tools |
dot_tools | READ_ONLY_SAFE | registry size | 309 | DOT registry intact (= CAT-006) |
dot_tools … ILIKE schema/table_registry/directus/create_collection/ensure |
dot_tools | READ_ONLY_SAFE | schema-ensure family | 75 rows, all active | schema-ensure family exists + active |
dot_tools … ILIKE birth/admit/register/catalog/rollback/retire/supersede |
dot_tools | READ_ONLY_SAFE | lifecycle DOTs | 28 rows, all active/published | birth/register/rollback DOTs exist |
dot_tools WHERE code IN (birth set) … extra_metadata ILIKE frozen/forbidden |
dot_tools | READ_ONLY_SAFE | frozen-flag check | 0 flagged; 6 rows all status=active, extra_metadata={} | frozen status NOT live-enforced (KB-only) |
SELECT count(*) FROM dot_agent_api_contract + dump |
dot_agent_api_contract | READ_ONLY_SAFE | contracts | 2 = DOT_KG_EXPLAIN + _VERIFY | only KG pair bound; DOT_C1_* = 0 |
SELECT count(*) FROM table_registry + c1/vocab match |
table_registry | READ_ONLY_SAFE | registry | 21 rows; 0 C1/vocab | no C1 table registered |
information_schema.tables ILIKE canonical_operation/governance_canonical/c1/vocab |
all schemas | READ_ONLY_SAFE | physical tables | *11 unrelated vocab; 0 governance_canonical_operation_vocab | C1 table ABSENT in Postgres |
SELECT * FROM meta_catalog WHERE code='CAT-006' |
meta_catalog | READ_ONLY_SAFE | catalog record | record_count=309, actual_count=163, sync=dot-catalog-sync/on-deploy, status=active, layer=5 | CAT-006 active (+ pre-existing 309↔163 drift) |
information_schema.routines ILIKE dispatch |
routines | READ_ONLY_SAFE | dispatcher | public.fn_process_agent_api_dispatch |
dispatcher exists (raises on REAL_RUN by design) |
directus_list_collections |
Directus API | READ_ONLY_SAFE | collections | 352 total (325 user); no C1/vocab governance collection | C1 collection ABSENT in Directus |
dot_config … real_run/execute/dry_run/gate/block |
dot_config | READ_ONLY_SAFE | gates | real_run_enabled=false, execute_enabled=false, dry_run_only=true; iu_core.operator_runtime_enabled=false; direct_insert_policy=block_after_guard | execution gates CLOSED |
SELECT * FROM v_dotkg_realrun_preflight |
view | READ_ONLY_SAFE | KG preflight | REALRUN_BLOCKED_MULTI_GATE (5 BLOCK / 4 GO) |
the one bound DOT family is itself real-run NO_GO |
count governance_build_authorization / governance_object_ownership |
both | READ_ONLY_SAFE | authority | gba=0, goo=0 | no build-authorization / ownership grants |
F. KB WRITES PERFORMED BY THIS MACRO (allowed)
| path | risk | nature |
|---|---|---|
…/reports/dot-manage-lego-transition-for-c1-dryrun/* (13 files) |
KB_DOC_UPDATE_ALLOWED | this survey/plan package (additive, new docs) |
…/reports/macro-dot-manage-lego-transition-for-c1-dryrun-2026-06-22.md |
KB_DOC_UPDATE_ALLOWED | macro rollup (additive, new) |
…/dot-manage/dot-manage-lego-transition-status-c1-2026-06-22.md |
KB_DOC_UPDATE_ALLOWED | DOT-manage status addendum / LEGO transition note (additive, new) |
…/dot-manage/README.md |
KB_DOC_UPDATE_ALLOWED | additive pointer to the transition note + package (no content removed) |
G. NOT RUN (recorded, deliberately not executed)
| would-be command | risk | why not run |
|---|---|---|
directus_create into governance_canonical_operation_vocab / dot_agent_api_contract |
WRITE_RISK_NOT_RUN | governed write allowlist DENIES both (proven by prior packages); DOT-only rule; out of survey scope |
any CREATE TABLE/FUNCTION/SCHEMA |
WRITE_RISK_NOT_RUN | query_pg read-only; raw DDL forbidden as authority path |
INSERT INTO dot_tools / mint grant |
WRITE_RISK_NOT_RUN | forbidden ungoverned registration path (RP-03); operator/Owner Gate-B action |
| handbook §20 inline rewrite (full-body replace of rev12) | UNKNOWN_RISK_NOT_RUN | large canonical doc; chose additive standalone note + README pointer instead (lower corruption risk) |
Readback verdict: all four source streams were read (KB revisions and live counts observed above), and the live state was captured by read-only probes only. No source was assumed. Survey can proceed on evidence.