11 — Before/After Runtime & KB Readback Evidence — 2026-06-22

A. Runtime readback (live, read-only)

Identical before and after the entire macro run (see file 10): dot_tools=309, dot_agent_api_contract=2, table_registry=21, DOT_C1_*=0, governance_canonical_operation_vocab=absent, schema c1=absent, C1 grants/ownership=0. Gates: execute_enabled=false, real_run_enabled=false, dry_run_only=true. Executor incomex-agent-api-executor:8090 = Up (healthy), serving DOT_KG_EXPLAIN only.

B. Write-route survey readback (every route probed, not assumed)

Route	Probe	Result
Secret Manager	gcloud secrets list	SUCCESS (names listed; values not accessed)
query_pg	read-only role	no DDL/DML
directus_create (VPS)	governance_canonical_operation_vocab	[DENIED] not in write allowlist
mcp__directus__ create_item	—	item CRUD only; system collections denied
write_file (VPS)	—	docs-only /opt/incomex/docs/mcp-writes
DB function registrar	scan for contract/DOT insert	none (only auto_apply_approval flags dot_tools)
Directus Flow registrar	100 flows	only CDC [DOT-REG] -> AD syncs; no creator
DOT CLI registrar	DOT-REGISTER etc.	on-deploy scripts; no execution channel
docker	list_docker/docker_logs	read-only; socket RO; no exec

C. KB readback (this package)

Target dir knowledge/dev/laws-new/reports/governed-dot-c1-dryrun-p0-p6/ was empty before (pre-write=0). Files created this run (17): index, 01–14, codex-review-packet. Plus rollup …/reports/macro-governed-dot-c1-dryrun-p0-p6-2026-06-22.md and DOT-manage status …/newlaws/dot-manage/dot-manage-governed-c1-dryrun-p0-p6-status-2026-06-22.md. All readable via list_documents / search_knowledge.

Result

Readback = complete and consistent. Runtime unchanged (0 mutations); KB package present.