READY-TO-ASSEMBLE-LEGO1-PATCH2 10 — Evidence / Readback & Blast-Radius Proof (B9/B10) — 2026-06-22
READY-TO-ASSEMBLE-LEGO1-PATCH2 10 — Evidence / Readback & Blast-Radius Proof (B9/B10) — 2026-06-22
Closes Codex 5.9/5.10. Gate: REGISTRATION_HOLD · CAN_PROCEED = NO · 0 runtime mutations.
1. Codex residuals (reproduced)
5.9: no executable C1 before/after/readback packet; birth-register views don't understand the absent C1 contract. 5.10: PATCH1 retracted "zero" but omitted the need to create/register the C1 contract, schema DOT, harness, auth-transition handler, and C1 preflight; config flips may touch shared DOT_KG runtime. Confirmed real.
2. Executable evidence/readback packet (read-only; runnable now)
| Phase | Query (read-only) | Today's value |
|---|---|---|
| BEFORE schema | SELECT count(*) FROM information_schema.tables WHERE table_name='governance_canonical_operation_vocab' |
0 |
| BEFORE values | SELECT count(*) FROM governance_canonical_operation_vocab (post-create) |
n/a (table absent) |
| AFTER/readback | SELECT operation_code,protocol_version,vocab_id,status FROM governance_canonical_operation_vocab ORDER BY operation_code |
(post-build) |
| manifest readback | recompute cser-v1 manifest_digest over rows = grant scope->>'manifest_digest' |
(post-build) |
| audit | SELECT … FROM <governed command-log> WHERE idempotency_root=:root |
(post-build) |
| consume evidence | SELECT status,consumed_at,consumed_by FROM governance_build_authorization WHERE auth_code=:auth |
(post-build) |
| regression | SELECT count(*) FROM governance_object_ownership |
0 (must stay 0) |
The BEFORE/regression queries are runnable today and confirm the empty baseline; AFTER/audit/consume queries are defined and become runnable once B1 artifacts exist.
3. Truthful blast-radius / dependency map
Must be created/registered (absent today): governance_canonical_operation_vocab table + Directus metadata; table_registry row; DOT_C1_SCHEMA_ENSURE; DOT_C1_VOCAB_BUILD(+_VERIFY) in dot_tools+dot_agent_api_contract; DOT_C1_VALUE_ADMIT; DOT_C1_AUTH_RESERVE_CONSUME + fn_verify_sovereign_esign; c1_build_run table + transition/compensation handlers; DOT_C1_TEST_HARNESS_RUN/fn_c1_vocab_harness_run; v_c1_realrun_preflight; the audit/evidence rows.
Touched at runtime: governance_build_authorization (one grant consumed); approval_requests (one approved request); governed command-log/audit; the external executor (…:8090/dispatch).
Shared-config caveat (honest): process_dot_runtime.execute_enabled/real_run_enabled/dry_run_only are global flips, not C1-scoped; flipping them for a C1 real-run affects the shared DOT runtime (incl. DOT_KG). This widens the real-run blast radius beyond C1 and is a Gate-B authority consideration. No "blast radius zero" is claimed.
C2 consumer: no proven live C2 orphan edge today; C1→C2 is a future edge (per accepted design). Stated as bounded, not zero.
4. Honest status & boundary
Classification: CLOSED (evidence packet executable read-only; blast-radius truthful incl. absent artifacts + shared-config caveat). The capture of AFTER evidence depends on B1 artifacts existing (that dependency is B1, not B9). Design-only; nothing written. REGISTRATION_HOLD retained; CAN_PROCEED = NO; 0 runtime mutations.