14 — Final Decision — 2026-06-22
14 — Final Decision — 2026-06-22
Verdict
C1_DRYRUN_CAPABILITY_LOCKED_OPERATOR_ACTION_REQUIRED
Precise mechanism (sub-cause): C1_DRYRUN_HOLD_DOT_REGISTRAR_NOT_EXECUTABLE — the lawful registrar exists but has no execution channel from this environment.
READY criteria (1–17) — adjudication
| # | Criterion | Met? |
|---|---|---|
| 1 | Secret Manager access succeeded / runtime capability available | YES (access OK; creds exist) |
| 2 | All governed writes via DOT-approved paths | YES (because 0 governed writes occurred) |
| 3 | No manual SQL DDL/DML | YES |
| 4 | No manual Directus schema/registry mutation | YES (attempt DENIED; nothing forced) |
| 5 | Reuse-first search completed | YES (file 03) |
| 6 | New DOT_C1 born/admitted/registered via governed lifecycle | NO — not registrable here (no channel) |
| 7 | dot_tools/CAT-006/contract registry/handbook updated+read back | NO — operator-only; read back unchanged |
| 8 | C1 governed collection/table exists + reads back | NO — absent |
| 9 | DOT_C1_* contracts exist + read back | NO — 0 |
| 10 | C1 grant/ownership/authority binding exists | NO — 0 |
| 11 | C1 preflight returns READY | NO — NO_GO (correct, fail-closed) |
| 12 | C1 dry-run executed / route exercised | PARTIAL — route exercised + fail-closed; full C1 dry-run not run |
| 13 | Bad-input tests executed against governed DOT | YES (live, file 09) |
| 14 | Invalid inputs reject fail-closed, no PASS/digest/seal | YES |
| 15 | Rollback/no-state/clean proven | YES (file 10) |
| 16 | Internal Codex negative review passes | YES (HOLD upheld, file 13) |
| 17 | No prod / current-corpus / C2-C3 / broad P2 | YES |
Items 6–11 are false ⇒ READY is not granted (correctly). The macro requires HOLD/REJECT when any item is false; this is a HOLD (capability-locked), not a REJECT (no fail-open, no bypass, no overclaim occurred).
Posture
REGISTRATION_HOLD= ACTIVE ·REGISTRATION_CAN_PROCEED= NO · P2/named lane = CLOSED- ready-for-Codex-confirmation = YES · ready-for-governed-dry-run = NO · ready-for-prod = NO
- 0 governed mutations · 0 subagents
Exact operator action (the single blocker)
The governed registrar pipeline must be run by the operator/deploy channel. Concretely:
- Run the on-deploy registrar to create the C1 surface:
DOT_SCHEMA_ENSURE/DOT_SCHEMA_TABLE_REGISTRY_ENSURE→ creategovernance_canonical_operation_vocab(+ write-once trigger) and itstable_registryrow.DOT_COLLECTION_REGISTER/DOT_COLLECTION_CREATE→ register the Directus collection.- Command surface:
/opt/incomex/dot/bin/dot-schema-table-registry-ensure,…/dot-collection-register; registrarbin/dot/dot-dot-register.ts(trigger_type=on-deploy).
- Deploy a C1 no-mutation endpoint on
incomex-agent-api-executor:8090(so a C1 contract can have non-NULLendpoint_ref). - Register
DOT_C1_*intodot_tools+dot_agent_api_contract(fixture_ref,output_namespace='DRYRUN-NS:c1:vocab',no_mutation_assertion=true, endpoint bound) viaDOT-REGISTER. - Mint one C1-scoped, single-use, manifest-bound dry-run grant + ownership binding.
- Then re-run this macro: P5 preflight → READY, P6 dispatch
DOT_C1_VOCAB_BUILDDRY_RUN → real no-mutation dry-run.
Alternative unlock: provision a governed command-execution capability that can drive /opt/incomex/dot/bin/* under DOT governance (then Claude could run the registrar within governance, still no manual DDL).
What unlocks each blocked item
Items 6–11 all unblock the moment step (1)–(4) above complete; nothing else is missing (gates are already dry-run-only; dispatcher route is already live and fail-closed).
Residual
If the operator completes the above, residual review ⇒ GOVERNED-DOT-C1-DRYRUN-P0-P6-PATCH1 (confirm registered surface + run the genuine governed dry-run). Until then, re-running reproduces this exact HOLD.