06 — Legacy-to-LEGO Transition Gap Map
Macro: DOT_MANAGE_LEGO_TRANSITION_SURVEY_FOR_C1_DRYRUN · Date: 2026-06-22 · Read-only.
Answers macro §3.5 — every relevant artifact classified into exactly one bucket. No vague classification.
Buckets: REUSE_AS_IS · REUSE_WITH_LEGO_ADAPTER · REPAIR_BEFORE_REUSE · FROZEN_DO_NOT_USE · FORBIDDEN_DO_NOT_USE · MISSING_BUT_BIRTH_PATH_EXISTS · MISSING_AND_OPERATOR_ACTION_REQUIRED.
REUSE_AS_IS
| artifact |
evidence |
note |
DOT-015 / dot-catalog-sync |
CAT-006 active, on-deploy |
catalog update path; runs after registration |
DOT-120 / DOT_COLLECTION_REGISTER |
active, domain=collection |
governed Directus collection-create primitive for the C1 collection |
DOT_SCHEMA_TABLE_REGISTRY_ENSURE |
active |
registration-step pattern for the C1 table_registry row |
DOT-112 dot-entity-retire / DOT-314 dot-matrix-retire / DOT_NRM_RETIRE |
active/published |
retire/supersede for C1 versions when needed |
fn_process_agent_api_dispatch |
exists; raises on REAL_RUN |
dispatcher; correct fail-closed behavior for dry-run |
DOT_KG_EXPLAIN / _VERIFY + v_dotkg_realrun_preflight |
2 contracts; preflight view |
the producer/verifier + preflight PRECEDENT to copy |
fn_birth_register (dry-run default) |
live, net-0 proven |
dry-run register primitive pattern |
REUSE_WITH_LEGO_ADAPTER
| artifact |
evidence |
adapter required |
DOT_R2_B2_STAGING_SCHEMA_SHELL + 4 guards + validator |
authored/admitted, REGISTRATION_HOLD |
C1 variant (dot_code, allowlist prefix, shell tables, Guard-3 surfaces) + write-enabled body + registration; template for future C1 REAL_RUN sandbox, not a C1 dry-run prerequisite (see 04) |
DOT_SCHEMA_ENSURE (generic family) |
75 active rows |
author DOT_C1_SCHEMA_ENSURE instance (C1 vocab shape, write-once PK) |
DOT-062 / dot-rollback |
active, coverage=partial |
extend (not clone) for C1-carrier rollback + versioned-supersession oracle |
dot-dot-register (DOT-REGISTER) |
present in dot_tools; creds absent |
"adapter" = operator supplies admin creds + Owner Phase-2 open; then it registers C1 DOTs unchanged |
REPAIR_BEFORE_REUSE
| artifact |
defect |
repair |
Live dot_tools frozen-status flag |
KB §13 classifies dot-birth-trigger-setup (CRITICAL/FROZEN), dot-birth-backfill (HIGH/FROZEN), dot-schema-birth-registry-ensure (MEDIUM/MONITORED) — but live rows are status=active, extra_metadata={} with no enforced freeze flag |
governed update so the registry reflects the handbook (status/flag), so agents reading the registry alone cannot reuse a frozen DOT. Operator/governed action (see 08) |
| CAT-006 record_count (309) vs actual_count (163) |
pre-existing catalog drift |
reconcile via dot-catalog-sync; not C1-blocking but should be closed before relying on catalog counts |
birth_registry_entity_code_unique (single-column) |
structural defect noted in birth-stage1 |
out of C1 scope; recorded so a future C1 REAL_RUN does not inherit it |
FROZEN_DO_NOT_USE (KB-classified; see REPAIR note — flag not live-enforced)
| artifact |
class |
why |
dot-birth-trigger-setup |
DANGEROUS_CAN_REDEFINE_GATEWAY (CRITICAL) |
CREATE OR REPLACE fn_birth_registry_auto with old logic — reopens birth pollution gateway |
dot-birth-backfill |
DANGEROUS_CAN_BACKFILL_BROKEN (HIGH) |
direct INSERT INTO birth_registry via docker exec psql |
dot-schema-birth-registry-ensure |
MONITORED_NOT_FROZEN (MEDIUM) |
redefines fn_birth_auto_certify; restricted |
FORBIDDEN_DO_NOT_USE (lanes, not DOTs)
| lane |
source |
manual INSERT INTO dot_tools |
RP-03 ("ungoverned registration path; forbidden") |
psql / docker exec -i postgres psql / hand-written DDL-DML on directus.public |
handbook §3 ("legacy RW lane now forbidden for this zone") |
| Directus generic collection-create for schema/table work |
README + handbook §3 (DOT-only) |
| minting/borrowing a Directus admin token from the DB |
RP-03 ("self-authorization; against the forbidden list") |
| any REAL_RUN of a process-DOT while the runtime gate is shut |
handbook §13 (fn_process_agent_api_dispatch refuses by design — do not bypass) |
| raw SQL DDL as an authority path (even in a labeled sandbox) |
C1 packages ("SQL-in-sandbox ≠ governed registration") |
MISSING_BUT_BIRTH_PATH_EXISTS (author new C1 DOT, register via existing Path A)
| missing |
birth path |
DOT_C1_SCHEMA_ENSURE |
A1 spec → A2 admission → A4 dot-dot-register |
DOT_C1_VOCAB_BUILD (incl. R_C1 resolver + cser-v1 manifest) |
A1→A2→A4; contract bound at A7 (KG precedent) |
DOT_C1_VOCAB_VERIFY |
A1→A2→A4; verifier mode |
DOT_C1_PREFLIGHT (+ v_c1_*_preflight) |
A1→A4 + view |
DOT_C1_BAD_INPUT_HARNESS |
A1→A4 |
DOT_C1_EVIDENCE_READBACK |
A1→A4 |
| C1 admission records (one per new DOT) |
A2 (anti-orphan) |
| missing |
why operator-only |
| Governed write/DDL/registration capability (ROOT, B1) |
every connected tool is read-only / item-CRUD-only / allowlist-denied / docs-only; directus_create DENIES C1 collection AND dot_agent_api_contract |
governance_canonical_operation_vocab collection/table |
needs governed collection-create (operator runs DOT_COLLECTION_REGISTER + schema-ensure with admin creds) |
DOT_C1_* rows in governed dot_agent_api_contract |
needs lawful registrar with admin creds (Owner Phase-2) |
1 scoped single-use governance_build_authorization grant |
OSPA=0; sovereign-grant authority required |
dot-dot-register admin creds |
config/credentials.local.json absent; operator-supplied |
execute-gate flips (real_run_enabled etc.) |
Owner-only dot_config flips — only for REAL_RUN, not the dry-run |
| close hardening GAPs 2/3/4 (DOT-executor role; revoke generic schema-create; policy-block Directus create) |
role/grant/policy writes — Owner; preconditions for REAL_RUN sandbox |
reflect KB §13 freeze status into live dot_tools |
governed update to registry rows (operator/governed DOT) |
The one transition truth
Almost nothing is genuinely missing-with-no-path: the engineering is designed, the registration PATH exists and is lawful, and the reuse candidates are identified. The transition is blocked at a single irreducible point — the operator-only governed write/registration capability (B1) — plus one integrity repair (freeze flag not enforced in the live registry). Everything else is either reusable, adaptable, or a new C1 DOT that travels the existing birth path. No forbidden/frozen DOT is proposed for reuse anywhere in this package.