07 — C1 Dry-Run Required DOT Surface Map (2026-06-22)
07 — C1 Dry-Run Required DOT Surface Map
Macro: DOT_MANAGE_LEGO_TRANSITION_SURVEY_FOR_C1_DRYRUN · Date: 2026-06-22 · Read-only.
Answers macro §3.6 — the exact DOT surface required for a TRUE governed C1 dry-run readiness, separated A–F. "Governed dry-run" = dispatch DOT_C1_PREFLIGHT + DOT_C1_VOCAB_BUILD in DRY_RUN through the governed gateway against the registered C1 collection + contracts, producing a no-state plan/verdict (dispatcher never writes; dry_run_only=true is sufficient — REAL_RUN gate flips are NOT required for a dry-run).
C1 recap: governance_canonical_operation_vocab, 14-row canonical operation vocab (carrier C1, protocol_version 1, PK (operation_code,protocol_version), write-once + versioned supersession). All component LOGIC is design-complete and sandbox-proven; zero governed-runtime artifacts exist.
A. Reused DOTs (no change; instance call)
| DOT | role in C1 dry-run |
|---|---|
DOT-120 / DOT_COLLECTION_REGISTER |
create the governance_canonical_operation_vocab collection (governed) |
DOT_SCHEMA_TABLE_REGISTRY_ENSURE |
register the C1 collection in table_registry |
DOT-015 / dot-catalog-sync |
sync new C1 DOTs into dot_tools / CAT-006 |
dot-dot-register (DOT-REGISTER) |
the lawful registrar that binds the C1 contracts (operator creds) |
fn_process_agent_api_dispatch + executor :8090/dispatch |
the dry-run dispatch surface (KG precedent) |
B. Adapted DOTs (extend existing)
| DOT | adaptation |
|---|---|
DOT-062 / dot-rollback |
extend for C1-carrier rollback/check + versioned-supersession validity oracle |
DOT_SCHEMA_*_ENSURE family |
instantiate DOT_C1_SCHEMA_ENSURE (C1 vocab shape, write-once PK) |
(template only) DOT_R2_B2_STAGING_SCHEMA_SHELL + guards |
fork pattern for the future C1 REAL_RUN sandbox lane — not needed for the dry-run |
C. New DOTs required (author + register via Path A; each gets an admission record)
| DOT | mode | purpose |
|---|---|---|
DOT_C1_SCHEMA_ENSURE |
ensure | ensure C1 collection/table + write-once PK |
DOT_C1_VOCAB_BUILD |
producer / DRY_RUN, no_mutation | R_C1 resolver over apr_action_types (own cols; act_type const; status=active; 14 ops; PATCH1 join DROPPED) → cser-v1 canonical manifest + SHA-256 |
DOT_C1_VOCAB_VERIFY |
verifier / VERIFY_ONLY | ~11–13 reject codes; status='active' (NOT granted); single-use CAS consume; exact action-set (no loose superset); carrier/plan/manifest-bound |
DOT_C1_PREFLIGHT |
preflight | 7 readiness checks → READY/NOT_READY |
DOT_C1_BAD_INPUT_HARNESS |
test | 19 cases, all fail-closed, 0 seal; real-run raises C1_PROD_REAL_RUN_BLOCKED |
DOT_C1_EVIDENCE_READBACK |
read-only | before/after readback, orphan check |
D. Runtime wiring required
| wiring | detail |
|---|---|
governance_canonical_operation_vocab collection |
created (A) + table_registry row (A) |
dot_agent_api_contract rows |
bind DOT_C1_VOCAB_BUILD (producer, endpoint_bound) + DOT_C1_VOCAB_VERIFY (verifier) per KG precedent; mode DRY_RUN/VERIFY_ONLY, no_mutation_assertion=true |
| preflight view | v_c1_*_preflight modeled on v_dotkg_realrun_preflight |
| dispatcher route | none new — fn_process_agent_api_dispatch + executor already exist; C1 contracts make them dispatchable |
dot_config execute gates |
NOT required for dry-run (dry_run_only=true suffices); REAL_RUN flips deferred |
E. Governance / authority required
| item | detail |
|---|---|
dot-dot-register admin creds |
operator-supplied (currently absent) |
| Owner Phase-2 open | authorizes the registration act (A4/A9) |
1 scoped governance_build_authorization grant |
carrier=C1, plan=LEGO1-C1-PLAN, manifest_hash-bound, action_set exact, single-use, expiry, rollback_plan_ref (OSPA currently 0) |
governance_object_ownership row for C1 |
currently 0; needed so preflight owner-present gate passes |
| C1 admission records | one per new DOT (anti-orphan) |
F. Tests / evidence required (for dry-run readiness, not REAL_RUN)
| evidence | source |
|---|---|
| preflight = READY | DOT_C1_PREFLIGHT dispatched DRY_RUN |
| dry-run = no-state | before==after==0 (dispatcher never writes); seal sentinel WITHHELD_DRY_RUN |
| bad-input fail-closed | 19/19 fail-closed, 0 seal (proven as logic; must be re-proven on governed surface) |
| manifest determinism | cser-v1 hash reproducible (c9286d3a…ec00; PG sha256 == external shasum) |
| verifier reject coverage | each of the ~11–13 reject codes exercised; single-use consume + reuse→REJECT_AUTH_ALREADY_CONSUMED |
| read-only readback | DOT_C1_EVIDENCE_READBACK: rows/orphans/clean-state |
Critical-path vs deferred (what the dry-run actually needs)
REQUIRED for the governed dry-run (the minimum viable surface):
- C1 collection created +
table_registryrow (A:DOT_COLLECTION_REGISTER+DOT_SCHEMA_TABLE_REGISTRY_ENSURE). DOT_C1_SCHEMA_ENSURE,DOT_C1_VOCAB_BUILD,DOT_C1_VOCAB_VERIFY,DOT_C1_PREFLIGHTauthored + registered (C) + contract-bound (D).- 1 scoped single-use grant + a C1 ownership row (E).
- Dispatch DRY_RUN → preflight READY + no-state evidence (F).
DEFERRED (REAL_RUN only — NOT on the dry-run critical path): execute-gate flips; hardening GAPs 2/3/4 + DOT-executor role; C1 REAL_RUN sandbox schema (Macro-9 fork); apply/seal; write-once enforcement at the live row level.
Net surface count for the dry-run: reuse 5 + extend ≥1 + author ~5 new DOTs + bind 2 contracts + 1 view + 1 grant + 1 ownership row + admission records. Every item travels the existing governed Path A (03); none requires a new birth path or a forbidden lane. The only thing that converts this map from "plan" to "doable" is the operator-only Gate-B write/registration capability (E).