KB-4482

09 — One-Shot Execution Plan to Make C1 Dry-Run Ready (2026-06-22)

Revision 1

09 — One-Shot Execution Plan to Make C1 Governed Dry-Run Ready

Macro: DOT_MANAGE_LEGO_TRANSITION_SURVEY_FOR_C1_DRYRUN · Date: 2026-06-22.

Answers macro §3.8. This is the NEXT-macro plan. It is specific enough that the next run proceeds without rediscovering basics, and it closes all prerequisites to a TRUE governed C1 dry-run (not piecemeal: no "do one DOT then stop").

Scope of "ready": a governed DRY_RUN dispatch of DOT_C1_PREFLIGHT + DOT_C1_VOCAB_BUILD that returns READY + a no-state plan/verdict on the governed runtime. REAL_RUN (apply/seal, gate flips, hardening GAPs 2/3/4, REAL_RUN sandbox schema) is explicitly OUT of this plan's "dry-run ready" target and listed as the follow-on.

Actor legend: [OP] operator/owner on the VPS governed stack (admin creds + sovereign-grant authority) · [CL] Claude/next-agent (authoring KB specs; read-only verification) · [DOT] action performed through a governed DOT, never by hand.

Hard rules carried: DOT-only (no manual SQL/psql/Directus generic create/manual INSERT INTO dot_tools/token-mint); reuse-first; no frozen/forbidden DOT; every new DOT gets an admission record (anti-orphan); authorization ≠ capability; sandbox-logic ≠ governed-ready.


PHASE 0 — Authorize the capability (unblocks B1; without this nothing else runs)

  • 0.1 [OP] Grant a separately-authorized Gate-B build-prep registration capability: supply dot-dot-register admin creds (config/credentials.local.json / DIRECTUS_ADMIN_TOKEN) and issue the Owner Phase-2 open for C1. Stop-if-missing: HOLD — no governed write channel (current state).
  • 0.2 [OP] Confirm the capability is scoped to C1 build-prep only (collection-create + contract-register + grant-mint), NOT REAL_RUN execution.

PHASE 1 — Author the C1 DOT specs + admission records (no runtime writes)

  • 1.1 [CL] Author specs for the new C1 DOTs (most logic already proven in the C1 sandbox; port it to governed-contract form): DOT_C1_SCHEMA_ENSURE, DOT_C1_VOCAB_BUILD (incl. R_C1 resolver over apr_action_types own columns — act_type const, status=active, 14 ops; PATCH1 join to process_axis_action_vocabulary stays DROPPED; cser-v1 canonical manifest + SHA-256), DOT_C1_VOCAB_VERIFY (~11–13 reject codes; status='active' not granted; single-use CAS consume; exact action-set), DOT_C1_PREFLIGHT (7 checks), DOT_C1_BAD_INPUT_HARNESS (19 cases), DOT_C1_EVIDENCE_READBACK.
  • 1.2 [CL] Author the extension spec for DOT-062 / dot-rollback → C1-carrier rollback/check + versioned-supersession oracle (extend, do not clone).
  • 1.3 [CL] Author one birth/admission record per new C1 DOT (anti-orphan; pattern = the Macro-9B1 admission record). Stop-if-skipped: HOLD_ADMISSION_MISSING_OR_INVALID.
  • 1.4 [CL] (Optional, REAL_RUN-prep only) Fork DOT_R2_B2_STAGING_SCHEMA_SHELL + 4 guards into a C1 variant spec for the future REAL_RUN sandbox — NOT required for the dry-run.

PHASE 2 — Create the C1 collection surface (governed, via existing DOTs)

  • 2.1 [OP][DOT] Run DOT-120 / DOT_COLLECTION_REGISTER to create the governance_canonical_operation_vocab collection with C1 fields (PK (operation_code,protocol_version), write-once semantics). Reuse — no new DOT.
  • 2.2 [OP][DOT] Run DOT_SCHEMA_TABLE_REGISTRY_ENSURE to register the collection in table_registry (currently 0 of 21 C1 rows). Reuse.
  • 2.3 [CL] Read-only verify: pg_schema(directus,'public','governance_canonical_operation_vocab') exists; directus_read('table_registry', filter c1) present. Stop-if-fail: HOLD — collection not created.

PHASE 3 — Register the C1 DOTs + contracts (governed, via the lawful registrar)

  • 3.1 [OP][DOT] Deploy the C1 DOT executables to /opt/incomex/dot/bin/; run dot-dot-register (DOT-REGISTER) to register them into dot_tools (NEVER by hand). Reuse the lawful registrar.
  • 3.2 [OP][DOT] Bind the producer/verifier pair in dot_agent_api_contract following the DOT_KG_EXPLAIN/_VERIFY precedent: DOT_C1_VOCAB_BUILD (producer, mode DRY_RUN, no_mutation_assertion=true) + DOT_C1_VOCAB_VERIFY (verifier, VERIFY_ONLY).
  • 3.3 [OP][DOT] Run DOT-015 / dot-catalog-sync (on-deploy) to update dot_tools / CAT-006; reconcile the CAT-006 309↔163 drift.
  • 3.4 [OP][DOT] Apply the DOT-062 C1 extension (3.1.2).
  • 3.5 [CL] Read-only verify: dot_agent_api_contract has DOT_C1_VOCAB_BUILD + _VERIFY; dot_tools has the C1 DOTs; CAT-006 count updated. Stop-if-fail: HOLD — contracts not registered.

PHASE 4 — Authority + ownership (governed)

  • 4.1 [OP][DOT] Mint 1 scoped single-use governance_build_authorization grant: carrier=C1, plan=LEGO1-C1-PLAN, manifest_hash bound, action_set exact, expiry set, rollback_plan_ref set. (OSPA currently 0.)
  • 4.2 [OP][DOT] Create a governance_object_ownership row for C1 (currently 0; needed so preflight owner-present gate passes).
  • 4.3 [CL] Read-only verify: count(governance_build_authorization where status='active' and carrier='C1') >= 1; ownership present. Stop-if-fail: HOLD — no grant/ownership.

PHASE 5 — Wire preflight view (governed)

  • 5.1 [OP][DOT] Create v_c1_*_preflight modeled on v_dotkg_realrun_preflight (read-only view; 7 checks; gate on dry_run_only=true being sufficient for dry-run).
  • 5.2 [CL] Read-only verify the view returns a DRY_RUN-READY verdict (not the KG REALRUN_BLOCKED_MULTI_GATE, which is a REAL_RUN gate — a dry-run must not be blocked by REAL_RUN-only gates).

PHASE 6 — Governed DRY_RUN + evidence (the actual readiness proof)

  • 6.1 [CL/OP][DOT] Dispatch DOT_C1_PREFLIGHT in DRY_RUN via fn_process_agent_api_dispatch / executor :8090/dispatch → expect READY.
  • 6.2 [CL/OP][DOT] Dispatch DOT_C1_VOCAB_BUILD in DRY_RUN → expect: 14 ops resolved; cser-v1 manifest hash reproducible (c9286d3a…ec00; PG sha256 == external shasum); seal sentinel WITHHELD_DRY_RUN; before==after==0 (dispatcher never writes).
  • 6.3 [CL/OP][DOT] Run DOT_C1_VOCAB_VERIFY against the single-use grant → consume once; reuse → REJECT_AUTH_ALREADY_CONSUMED; exercise the ~11–13 reject codes.
  • 6.4 [CL/OP][DOT] Run DOT_C1_BAD_INPUT_HARNESS → 19/19 fail-closed, 0 seal; attempted REAL_RUN raises C1_PROD_REAL_RUN_BLOCKED.
  • 6.5 [CL/OP][DOT] Run DOT_C1_EVIDENCE_READBACK (read-only) → rows/orphans/clean-state captured.
  • 6.6 [CL] Assemble the dry-run evidence package (no-state proof, manifest determinism, reject coverage, bad-input fail-closed, readback).
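Added example (not part of the original plan and not the project's code): a minimal Python model of the grant check that 4.1 and 6.3 describe, with the grant bound to carrier, plan, manifest hash and an exact action set, then consumed once by compare-and-swap. Assumptions: the canonical form is sorted compact JSON as a stand-in for cser-v1, an in-process lock stands in for a database CAS, the operation and action names are constructed, and every reject code except REJECT_AUTH_ALREADY_CONSUMED is a hypothetical name.

```python
import hashlib, json, threading
from dataclasses import dataclass, field

def manifest_hash(ops):
    # Sorted compact JSON is an assumed stand-in canonical form, not cser-v1.
    canon = json.dumps(sorted(ops), separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

@dataclass
class Grant:
    carrier: str
    plan: str
    manifest_hash: str
    action_set: frozenset
    expires_at: float
    status: str = "active"  # flips to 'consumed' exactly once
    lock: threading.Lock = field(default_factory=threading.Lock,
                                 init=False, repr=False, compare=False)

def verify_and_consume(grant, carrier, plan, ops, actions, now):
    """Fail closed: any mismatch rejects before the grant is consumed.
    Only REJECT_AUTH_ALREADY_CONSUMED is a code named on the page;
    the other reject names are hypothetical."""
    if (grant.carrier, grant.plan) != (carrier, plan):
        return "REJECT_SCOPE_MISMATCH"
    if now >= grant.expires_at:
        return "REJECT_AUTH_EXPIRED"
    if manifest_hash(ops) != grant.manifest_hash:
        return "REJECT_MANIFEST_HASH_MISMATCH"
    if frozenset(actions) != grant.action_set:  # exact set, no subset/superset
        return "REJECT_ACTION_SET_NOT_EXACT"
    with grant.lock:  # stands in for a database compare-and-swap on status
        if grant.status != "active":
            return "REJECT_AUTH_ALREADY_CONSUMED"
        grant.status = "consumed"
    return "ACCEPT"

# Constructed sample data: 14 placeholder operation codes and two actions.
OPS = [f"OP_{i:02d}" for i in range(14)]
ACTIONS = {"BUILD", "VERIFY"}

def sample_grant():
    return Grant("C1", "LEGO1-C1-PLAN", manifest_hash(OPS),
                 frozenset(ACTIONS), expires_at=1000.0)

if __name__ == "__main__":
    g = sample_grant()
    for _ in range(2):  # second call shows the reuse rejection
        print(verify_and_consume(g, "C1", "LEGO1-C1-PLAN", OPS, ACTIONS, now=10.0))
```

Because every mismatch returns before the status flip, a rejected request leaves the grant unconsumed, which is the property the reject-code run in 6.3 needs to hold.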

PHASE 7 — Codex review (the final target of the dry-run-ready macro)

  • 7.1 [CL] Produce a Codex review packet asserting: governed dry-run EXECUTED, no-state, fail-closed, manifest-deterministic, reuse-first honored, no forbidden/frozen DOT, every new DOT admitted. Target verdict: Codex confirms C1_GOVERNED_DRYRUN_READY (Codex confirms, does not discover).
  • 7.2 [Owner] Only after Codex confirmation does any REAL_RUN authorization conversation begin (separate macro).

Follow-on (NOT part of "dry-run ready") — C1 REAL_RUN readiness

Deferred prerequisites, recorded so they are not forgotten and not mistaken for dry-run blockers: execute-gate flips (real_run_enabled/execute_enabled); close hardening GAPs 2/3/4 (revoke generic directus schema-create; isolated minimal-privilege DOT-executor role; policy-block generic Directus create); build the C1 REAL_RUN sandbox schema by forking DOT_R2_B2_STAGING_SCHEMA_SHELL; apply/seal + live write-once enforcement; fresh no-prod-touch/delete-fast proof; Owner real-run grant.

Completeness assertion (anti-piecemeal)

This plan closes every prerequisite to a governed C1 dry-run: capability (P0), specs+admission (P1), collection (P2), registration (P3), authority (P4), preflight wiring (P5), the dry-run + evidence (P6), and the review target (P7). It does not stop at the first missing item, and it does not create an orphan DOT (P1.3) or bypass the birth/governance path (all registration via dot-dot-register). The single gating dependency is P0 (operator-only). Next step after this survey is therefore the EXECUTION macro starting at P0, not further survey.
