04 — P2 C1 Collection/Schema/Table-Registry Ensure Proof — 2026-06-22
Target governed surface
governance_canonical_operation_vocab (C1 canonical operation vocabulary), PK (operation_code, protocol_version), write-once, plus its table_registry record.
Current state (live, read-only)
| probe | result |
|---|---|
| governance_canonical_operation_vocab table exists | 0 (absent) |
| schema c1 exists | 0 (absent) |
| dot_tools rows DOT_C1% | 0 |
| dot_agent_api_contract C1 rows | 0 |
Lawful path (reused, operator-run): DID NOT EXECUTE — no channel
The governed way to create this surface is the ensure/register DOT family:
DOT_SCHEMA_ENSURE → DOT_SCHEMA_TABLE_REGISTRY_ENSURE → DOT_COLLECTION_REGISTER, all /opt/incomex/dot/bin/dot-* CLI scripts. None could be invoked from this environment (file 02 E2): no command-execution channel exists. So P2 could not be completed via the lawful path here.
Manual route: ATTEMPTED, correctly DENIED (route-level proof)
To prove every write route was probed (not assumed), one live attempt was made via the governed-API surface:
directus_create(collection="governance_canonical_operation_vocab", data={...}) → [DENIED] governance_canonical_operation_vocab is not in the write allowlist; refusing to execute.
Additional manual routes (all unavailable / forbidden):
- query_pg — read-only role, READ ONLY transaction, no DDL/DML.
- mcp__directus__directus_create_item — item CRUD only; system/protected collections denied; cannot create a collection or define fields.
- write_file — docs-only (/opt/incomex/docs/mcp-writes); cannot create governed schema.
- DB guard triggers (block_after_guard, canonical-writer marker, fn_assert_safe_for_dot_action) would reject a bypass write even with PG-superuser creds.
Result
P2 = C1 surface not created. Not because creation is impossible in principle, but because the lawful creator (ensure/register CLI) has no execution channel here, and the manual creator is forbidden and DENIED. No surface was fabricated; no sandbox SQL was passed off as governed. ⇒ contributes C1_DRYRUN_CAPABILITY_LOCKED_OPERATOR_ACTION_REQUIRED (precise sub-cause that would otherwise read as C1_DRYRUN_HOLD_C1_SURFACE_CREATION_FAILED).