KB-4035

READY-TO-ASSEMBLE-LEGO1-PATCH1 07 — [P1-4] Preflight Exact & Truthful — 2026-06-22

Revision 1

Closes Codex P1-4. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations. All checks READ_ONLY_SAFE.


1. Defect (reconstructed)

The prior preflight had three defects. PF7 was "not tailed; available", yet files 12/13 claimed discovery complete. PF8 proved denial on the non-allowlisted postgres DB, not that writes are blocked on directus/the DOT path. PF5 was conceptual, not an exact executable verifier. All three are SUPERSEDED.

2. PF5 — exact executable authorization verifier

PF5 is now the exact verifier query of file 05 §2 (jsonb scope + status domain + esign + digests + expiry + revocation + executor + action set), and it must return exactly one row. Today it returns 0 rows (governance_build_authorization is empty) ⇒ PF5 = FAIL/BLOCK (expected: no grant yet).

3. PF7 — run now against the governed real-run preflight (v_dotkg_realrun_preflight)

Read live, read-only at 2026-06-22 (this is the governed guard, not an untailed log):

| gate | current_value | gate_status |
|---|---|---|
| boundary_no_mutation_assertion | 1 | GO |
| gate_contract_realrun_mode | DRY_RUN | BLOCK |
| gate_dotkg_owner_present | 0 | BLOCK |
| gate_dry_run_only_cleared | true | BLOCK |
| gate_execute_enabled | false | BLOCK |
| gate_real_run_enabled | false | BLOCK |
| invariant_real_run_count_zero | 0 | GO (must remain 0) |
| precond_dry_run_evidence | 2 | GO |
| precond_endpoint_bound | 1 | GO (executor:8090/dispatch) |
| OVERALL_VERDICT | REALRUN_BLOCKED_MULTI_GATE | NO_GO |

This is the C1 build's governing preflight for the apply (REAL_RUN) phase: real-run is governed-blocked today by config (dry_run_only=true, execute_enabled=false, real_run_enabled=false), missing owner, and unpromoted contract mode. The C1 build inherits these gates (its DOT_C1_VOCAB_BUILD contract starts DRY_RUN; promotion to REAL_RUN requires the same governed flips). PF7 is therefore run and truthful, not "available".

4. PF8 — truthful write-fence scope

The write-fence that matters is not "the postgres database is denied." The actual, citable fences are:

  1. DOT-only schema rule (SSOT v1.2): schema changes via dot-schema-* only; MCP CRUD → 403.
  2. Direct-insert block: dot_config.iu_create.gateway.direct_insert_policy = block_after_guard.
  3. Dry-run-only posture: dot_config.process_dot_runtime.dry_run_only = true; real-run gates BLOCK (PF7).
  4. This session's query_pg is read-only on all allowed DBs (directus included), AST-validated, READ ONLY transaction — it cannot write to directus either.

PF8 is restated as: "writes to directus are fenced by DOT-only/403 + block_after_guard + dry-run-only gates; this review's query_pg is read-only on directus." The prior "postgres DB denied" claim is corrected (it proved DB-allowlisting, not the write path).

5. Full preflight set (re-run live immediately before assembly)

| # | Check | Now | Build-time expectation |
|---|---|---|---|
| PF1 | C1 collection absent (directus_collections/information_schema) | absent | absent (clean create) |
| PF2 | canonical_operation vocab REQUIRED_NOT_PRESENT | true | unchanged |
| PF3 | ownership baseline (governance_object_ownership) | 0 | record baseline |
| PF4 | approval baseline (approval_requests) | 230 | record baseline |
| PF5 | exact authorization verifier (§2) | 0 rows ⇒ BLOCK | exactly 1 valid grant |
| PF6 | no register_dot in apr_action_types/dot_operations | absent | absent |
| PF7 | v_dotkg_realrun_preflight OVERALL_VERDICT | NO_GO | GO (all gates GO) |
| PF8 | write-fence truthful (§4) | held | held |
| PF9 | R_C1 manifest resolves + digest stable (file 04/09) | resolves (14 candidates) | resolves; digest matches grant |
| PF-SCHEMA-DOT | authorized schema DOT (dot_iu_create_collection/dot-schema-*) applicable+authorized for C1 collection | exists (catalog) but not authorized | authorized for this collection |
| PF-LEASE | dot_iu_runtime_lease('lego1-c1-build') free | free | acquirable |

6. Preflight PASS/FAIL

  • PASS only when PF1–PF4, PF6, PF8, PF9 hold and PF5=1 grant and PF7 OVERALL_VERDICT=GO and PF-SCHEMA-DOT authorized and PF-LEASE free.
  • Today: FAIL/NO_GO (PF5=0, PF7=REALRUN_BLOCKED_MULTI_GATE, PF-SCHEMA-DOT unauthorized) — exactly the expected pre-authority state.
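
The PASS rule above as a fail-closed evaluator, added here as an illustration and not the project's own verifier. The dictionary keys, function names and True/False encoding of each check are assumptions; the sample values are today's readings from sections 3 and 5.

```python
# Added example: fail-closed evaluation of the section 6 PASS rule.
# Dict keys, function names and the True/False encoding are assumptions.

# gate -> gate_status as read in section 3 (annotations dropped).
PF7_TODAY = {
    "boundary_no_mutation_assertion": "GO",
    "gate_contract_realrun_mode": "BLOCK",
    "gate_dotkg_owner_present": "BLOCK",
    "gate_dry_run_only_cleared": "BLOCK",
    "gate_execute_enabled": "BLOCK",
    "gate_real_run_enabled": "BLOCK",
    "invariant_real_run_count_zero": "GO",
    "precond_dry_run_evidence": "GO",
    "precond_endpoint_bound": "GO",
    "OVERALL_VERDICT": "NO_GO",
}
# "Now" column of section 5; True means the check holds today.
CHECKS_TODAY = {
    "PF1": True, "PF2": True, "PF3": True, "PF4": True, "PF6": True,
    "PF8": True, "PF9": True, "PF5_rows": 0,
    "PF-SCHEMA-DOT": False, "PF-LEASE": True,
}
MUST_HOLD = ("PF1", "PF2", "PF3", "PF4", "PF6", "PF8", "PF9",
             "PF-SCHEMA-DOT", "PF-LEASE")


def pf7_blockers(gates):
    """Gates whose status is not GO; a missing verdict row also blocks."""
    bad = [g for g, status in gates.items() if status != "GO"]
    if "OVERALL_VERDICT" not in gates:
        bad.append("OVERALL_VERDICT(missing)")
    return bad


def evaluate(checks, gates):
    """Return (verdict, blocking checks, blocking PF7 gates)."""
    # Absent or non-True results block: nothing passes by default.
    blockers = [n for n in MUST_HOLD if checks.get(n) is not True]
    rows = checks.get("PF5_rows")
    if type(rows) is not int or rows != 1:  # 0 rows and 2+ rows both block
        blockers.append("PF5")
    gate_blockers = pf7_blockers(gates)
    if gate_blockers:
        blockers.append("PF7")
    return ("PASS" if not blockers else "FAIL/NO_GO"), blockers, gate_blockers


if __name__ == "__main__":
    print(evaluate(CHECKS_TODAY, PF7_TODAY))
```

A missing check, a PF5 result of two or more rows, or a preflight read that lacks the OVERALL_VERDICT row all produce FAIL/NO_GO rather than a silent pass.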

7. Boundary attestation

Read-only preflight; PF7 run live; no write. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations. Supersedes prior file-09 PF5/PF7/PF8.

knowledge/dev/laws-new/reports/ready-to-assemble-lego1-patch1/07-p1-4-preflight-exact-and-truthful-2026-06-22.md