KB-1ADB

01 — Source Register, Secret Manager & Authority Scope — 2026-06-22


01 — Source Register · Secret Manager Discovery · Authority Scope — 2026-06-22

A. Sources read (KB + live runtime)

  • DOT-manage control addendum: knowledge/dev/laws-new/newlaws/dot-manage/dot-manage-c1-dryrun-execution-control-addendum-2026-06-22.md — establishes: Directus/DOT credentials may be retrieved from Secret Manager; secret values must never be printed; all governed runtime writes remain DOT-only; credentials are capability to run lawful DOT paths, not permission for manual schema creation.
  • Transition survey + prior HOLD packages (c1-dryrun-execution / -true-readiness / -capability-and-execution / dot-manage-lego-transition) — reconstructed via KB search.
  • Live runtime: db directus on VPS (contabo); read-only query_pg, directus_read, pg_schema, list_docker, docker_logs.

B. Secret Manager discovery (P0 — ACCESS SUCCEEDED)

Project: github-chatgpt-ggcloud. Command run: gcloud secrets list --project github-chatgpt-ggcloud --format="value(name)" → succeeded. Active gcloud identity: nmhuyen@gmail.com (plus chatgpt-deployer@…, gemini-service-account@… credentialed).

Relevant secret NAMES present (values NOT accessed):

  • DIRECTUS_ADMIN_TOKEN, DIRECTUS_TAC_ADMIN_TOKEN, DIRECTUS_KEY, DIRECTUS_SECRET
  • PG_HOST, PG_PORT, PG_USER, PG_PASSWORD, PG_DATABASE
  • POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB
  • MCP_REMOTE_AUTH_TOKEN, MCP_REMOTE_PATH_SECRET, MCP_UPSTREAM_KEY, MCP_KB_CLAUDE_PATH_SECRET

Decision: secret VALUES were deliberately NOT accessed. Per the addendum, credentials are capability for lawful DOT paths only. As proven in files 02/04/05, no lawful path in this environment consumes these credentials (the registrar is an on-deploy CLI with no reachable execution channel, and manual use is forbidden). Accessing a secret value would therefore serve only a forbidden manual-write attempt. No fingerprint/hash was needed. This satisfies the security rule: logs may show secret names and access success only.
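One way to enforce the logging rule stated above (names and access success only, never values) is to audit the captured gcloud command log after the fact. The script below is an added example, not part of this report or the addendum; the log format, the sample file and the `list_secret_names` wrapper are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the report: audit a captured gcloud command log against the
# addendum's rule that only secret NAMES may be read and values must never be printed.
# The log format and file contents below are constructed.

# The lawful discovery step from section B: names only, never values.
# Requires gcloud and is not run by the audit below.
list_secret_names() {
    gcloud secrets list --project "$1" --format="value(name)"
}

# Classify one logged command. `secrets list`/`describe` return metadata only;
# `secrets versions access` returns the payload (a value) and is therefore forbidden,
# as is every other `secrets` verb (create/add/delete = mutation).
secret_cmd_is_allowed() {
    case "$1" in
        *"gcloud secrets versions access"*)                  return 1 ;;
        *"gcloud secrets list"*|*"gcloud secrets describe"*) return 0 ;;
        *"gcloud secrets"*)                                  return 1 ;;
        *)                                                   return 0 ;;  # not a Secret Manager command
    esac
}

# Scan a log file, report each violating line on stderr, print the violation count.
audit_secret_log() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! secret_cmd_is_allowed "$line"; then
            count=$((count + 1))
            printf 'VIOLATION: %s\n' "$line" >&2
        fi
    done < "$1"
    printf '%s\n' "$count"
}

# Constructed sample log: two lawful name-only reads and one value access.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2026-06-22T10:01:03Z gcloud secrets list --project github-chatgpt-ggcloud --format="value(name)"
2026-06-22T10:01:09Z gcloud secrets describe DIRECTUS_ADMIN_TOKEN --project github-chatgpt-ggcloud
2026-06-22T10:02:41Z gcloud secrets versions access latest --secret=PG_PASSWORD --project github-chatgpt-ggcloud
EOF

VIOLATIONS=$(audit_secret_log "$SAMPLE_LOG")
echo "violations: $VIOLATIONS"   # expect 1
```

The violating line is reported verbatim on stderr because the command line itself carries no secret value; only the output of `versions access` would.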

C. Authority scope for this macro

Dimension        Scope
Tier             C1 only
Mode             test/sandbox dry-run only — NO real-run, NO prod, NO activation
Governed writes  DOT-approved paths only (no manual SQL/Directus/registry mutation)
Forbidden        production mutation/registration/activation, current-corpus adoption, C2–C7, broad P2 opening, mega-registry/graph/birth
Credential use   run lawful DOT paths only; never manual schema creation; never printed

D. Result

P0 capability discovery succeeded (Secret Manager reachable, admin credentials exist). P0 capability unlock into a lawful path did not succeed — see file 02. This is the pivot of the entire macro.

knowledge/dev/laws-new/reports/governed-dot-c1-dryrun-p0-p6/01-source-register-secret-manager-and-authority-scope-2026-06-22.md