READY-TO-ASSEMBLE-LEGO1 02 — Read-Only Repo/Schema/Test/Evidence Inventory — 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations.
Method: every command below is categorized READ_ONLY_SAFE / WRITE_RISK_NOT_RUN / UNKNOWN_RISK_NOT_RUN. No command that could mutate state was run. The query_pg surface is AST-validated, executes in a READ ONLY transaction as a read-only role (statement_timeout 5s, hard LIMIT 500, no writes/DDL); pg_schema, list_docker, docker_logs, read_file are read-only by construction.
1. Repo / worktree
- Primary working directory `/Users/nmhuyen` — not a git repository (harness environment fact). There is no local source tree to enumerate; the authoritative runtime surface is the live `directus` Postgres governance schema (introspected read-only below) plus the AgentData KB reports namespace (the authoring surface). READ_ONLY_SAFE: no `git`/`find`/`ls` over a repo was applicable; recorded as N/A — no local repo.
2. Runtime topology (list_docker) — READ_ONLY_SAFE
11 containers; relevant: postgres (postgres:16, healthy, 5432), incomex-directus (directus 11.5), incomex-agent-data, incomex-qdrant, incomex-nuxt, incomex-nginx, plus pg-restore-test-… (a restore-test instance). Governance data lives in the postgres container, database directus.
3. Database surface (query_pg) — READ_ONLY_SAFE
Allowed databases: directus, incomex_metadata, workflow (others DENIED by the read-only proxy — confirms write-fencing). Governance tables are in directus.public.
3.1 Command ledger
| # | Command (db) | Class | Output summary | Risk note |
|---|---|---|---|---|
| 1 | list_docker | READ_ONLY_SAFE | 11 containers | socket mounted read-only |
| 2 | SELECT datname FROM pg_database … (postgres) | READ_ONLY_SAFE | DENIED → revealed allowlist directus/incomex_metadata/workflow | confirms DB allowlist |
| 3 | information_schema.tables LIKE governance/dot/apr/owner/scope/… (directus) | READ_ONLY_SAFE | 99 matching tables/views | — |
| 4 | information_schema.tables (incomex_metadata) | READ_ONLY_SAFE | 12 tables (KB store; no governance carrier) | — |
| 5 | counts of 9 governance tables (directus) | READ_ONLY_SAFE | see §3.2 | — |
| 6 | information_schema.columns LIKE canonical_operation/effect_identity/… (directus) | READ_ONLY_SAFE | 0 rows | key negative result |
| 7 | apr_action_types.action_code (directus) | READ_ONLY_SAFE | 14 codes; no register_dot | — |
| 8 | governance_build_authorization columns (directus) | READ_ONLY_SAFE | 22 columns (see §3.4) | — |
| 9 | dot_operations / apr_action_types ILIKE %register% (directus) | READ_ONLY_SAFE | register op + register_axis/register_topic_node actions; no register_dot | — |
| 10 | column shapes of 5 core tables (directus) | READ_ONLY_SAFE | see §3.3 | — |
| 11 | governance_registry values (directus) | READ_ONLY_SAFE | 9 heads (see §3.5) | — |
| 12 | governance_responsibility_scope values (directus) | READ_ONLY_SAFE | 6 scopes (see §3.6) | — |
| 13 | dot_operations.code values (directus) | READ_ONLY_SAFE | 20 op verbs | — |
| 14 | read_file /opt/incomex/dot/specs/README.md | READ_ONLY_SAFE | DENIED "not a regular file" (no content) | allowlisted path; no file there |
Not run (deliberately): any INSERT/UPDATE/DELETE/DDL, any directus_create/update/delete, any write_file, any handler invocation, any register_dot — all classified WRITE_RISK_NOT_RUN and listed as planned-only in file 06.
3.2 Key counts (live)
| Table | Rows | Meaning |
|---|---|---|
| governance_object_ownership | 0 | No owner-of-record exists → BOOTSTRAP_AUTHORITY_UNRESOLVED holds (C5) |
| governance_build_authorization | 0 | No build/Chairman authorization token exists |
| governance_candidate_object | 0 | No candidate objects staged |
| governance_responsibility_scope | 6 | Scope vocabulary present (active) |
| governance_registry | 9 | Head/principal candidates |
| governance_audit_log | 1 | Audit sink present, near-empty |
| apr_action_types | 14 | APR action vocabulary (distinct from canonical_operation) |
| approval_requests | 230 | APR runtime history present |
| dot_operations | 20 | Operational verb catalog (distinct from canonical_operation) |
3.3 Core table shapes (live)
- `governance_object_ownership` (C3 surface): `id, object_type, object_ref, scope, owner_kind, owner_gov_code, is_inherited_anchor, effective_from, effective_to, lifecycle_status, approval_ref, audit_ref, rollback_ref, source_law_ref, source_design_ref, supersedes_id, created_at/by, updated_at/by` — already carries `rollback_ref`, `supersedes_id`, `approval_ref`, `audit_ref` (supersession + audit + rollback affordances). 0 rows.
- `governance_registry`: `code, name, gov_type, gov_group, output_target, domain, primary_collection, created_by_law, health_dot, status, capability(jsonb)`.
- `governance_responsibility_scope`: `scope_code, description, default_owner_hint, status`.
- `dot_operations`: `code, name, description`.
- `apr_action_types`: keyed by `action_code`.
3.4 governance_build_authorization surface (live, EMPTY)
Columns: auth_code, request_ref, approval_ref(jsonb), step_name, scope(jsonb), risk_level, commit_allowed(bool), requires_sovereign_esign(bool), sovereign_esign_ref, rollback_plan_ref(NOT NULL), granted_by, granted_at, expires_at, consumed_at, consumed_by, revoked_at, revoked_by, revoked_reason, status, evidence(jsonb), created_by, created_at.
Significance: the runtime already contains a structurally-complete, empty exact-scoped build/Chairman-authorization surface with sovereign e-sign (requires_sovereign_esign + sovereign_esign_ref), explicit scope (jsonb), mandatory rollback_plan_ref, expiry (expires_at), single-use (consumed_at/by), and revocation (revoked_at/by/reason). File 11 maps the Gate-B Chairman authorization template onto these columns. It is empty ⇒ no Chairman/build authorization exists.
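The column semantics above (exact scope, expiry, single use, revocation, sovereign e-sign) can be checked together in one read-only query. The following is an added example, not a command from this inventory's ledger: it assumes `expires_at`, `consumed_at` and `revoked_at` are timestamp columns, and it does not filter on `status` because that column's values are not listed in this report.

```sql
-- Added example: read-only check for any build authorization that would
-- still be usable right now. Column names are from §3.4; column types
-- other than the (bool)/(jsonb) ones stated there are assumptions.
BEGIN TRANSACTION READ ONLY;          -- writes and DDL on regular tables are rejected
SET LOCAL statement_timeout = '5s';   -- same ceiling as the query_pg surface

SELECT auth_code,
       step_name,
       risk_level,
       scope,                         -- jsonb: the exact scope the grant covers
       granted_by,
       granted_at,
       expires_at,
       rollback_plan_ref              -- NOT NULL by schema, shown for the reviewer
FROM public.governance_build_authorization
WHERE commit_allowed                  -- grant actually permits a commit
  AND consumed_at IS NULL             -- single-use: not yet spent
  AND revoked_at  IS NULL             -- not revoked
  AND expires_at  > now()             -- unexpired; a NULL expiry fails closed
  AND (NOT requires_sovereign_esign   -- e-sign either not required ...
       OR sovereign_esign_ref IS NOT NULL)  -- ... or present
ORDER BY granted_at
LIMIT 500;

ROLLBACK;                             -- nothing to commit
```

Against the empty table recorded in §3.2 this returns no rows; once grants exist, every predicate evaluates to NULL rather than TRUE on missing data, so incomplete rows are excluded instead of being treated as valid.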
3.5 governance_registry heads (9, live)
GOV-COUNCIL (council, active — "Hội đồng Kiến trúc"), GOV-DOT (system, active), GOV-KG-SYS (system, active), GOV-NRM-SYS (system, active), GOV-SIV (system, active — "Toàn vẹn Hệ thống"), GOV-MOIT/MOT/MOUT/MOW (factory/mother, draft). No president/GOV-PRESIDENT head exists → the C7 quorum's "≥1 president" principal surface is not present (consistent with carried CANONICAL_PRINCIPAL_SURFACE_REQUIRED_NOT_PRESENT / PRESIDENT_ROLE_UNRESOLVED).
3.6 governance_responsibility_scope (6, live, all active)
approval→GOV-COUNCIL, audit→GOV-SIV, execution→GOV-DOT, health→GOV-SIV, policy→GOV-COUNCIL, render→GOV-MOUT.
4. canonical_operation vocabulary — REQUIRED_NOT_PRESENT (confirmed live)
- No table named `canonical_operation*` exists (table search §3 row 3). The closest existing vocabularies — `apr_action_types` (`action_code`: 14), `dot_operations` (`code`: 20), `process_axis_action_vocabulary`, `wf_candidate_action_vocabulary` — are related-but-distinct governed surfaces, none of which is the `canonical_operation` vocabulary that `effect_identity` requires.
- No column named `canonical_operation` exists anywhere (§3 row 6 → 0 rows).
- No `register_dot` value exists in either `apr_action_types` or `dot_operations`.
⇒ CANONICAL_OPERATION_VOCABULARY_REQUIRED_NOT_PRESENT is live-confirmed. This is the genuine gap that LEGO #1 (C1) fills. No rows are invented by this package.
5. C2 / authority digest surfaces — NOT PRESENT (confirmed live)
effect_identity, authorization_binding_digest, artifact_hash, founding_authority, canonical_principal, authorization_nonce columns: 0 anywhere in directus.public (§3 row 6). C2/C4/C6/C7 digest surfaces are design-only; no runtime carrier exists. This corroborates the accepted closeout state and the "0 mutations" attestation at read time.
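A negative result is easier to keep as evidence when it comes back as explicit zeros, since an empty result set looks the same as a filtered or denied query. The following is an added example, not the probe recorded in §3 row 6 (whose name patterns are elided in the ledger): it uses exact-match names taken from this section plus `canonical_operation` from §4, and the `public` schema filter is an assumption.

```sql
-- Added example: one row per expected digest/vocabulary surface, with the
-- number of columns in directus.public that carry it.
BEGIN TRANSACTION READ ONLY;          -- writes and DDL on regular tables are rejected
SET LOCAL statement_timeout = '5s';   -- same ceiling as the query_pg surface

WITH expected(surface) AS (
  VALUES ('canonical_operation'),
         ('effect_identity'),
         ('authorization_binding_digest'),
         ('artifact_hash'),
         ('founding_authority'),
         ('canonical_principal'),
         ('authorization_nonce')
)
SELECT e.surface,
       count(c.column_name) AS carrier_columns,
       coalesce(string_agg(c.table_name::text, ', '
                           ORDER BY c.table_name::text),
                '(none)')   AS carried_by
FROM expected AS e
LEFT JOIN information_schema.columns AS c
       ON c.table_schema = 'public'
      AND c.column_name  = e.surface
GROUP BY e.surface
ORDER BY e.surface
LIMIT 500;

ROLLBACK;                             -- nothing to commit
```

With the state described in this section, all seven rows report `carrier_columns = 0` and `carried_by = (none)`.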
6. Test / evidence surface
- Test surface: there is no executed test harness for the carriers in runtime; the accepted packages define design fixtures (XBI-, BI-E, OP-BI-*) marked `DEFINED_NOT_EXECUTED` (caveat C3). The runtime does expose guard views (`v_birth_register_*`, `v_authority_quorum_regression_guard`, `v_apply_time_quorum_*`, `v_qt001_*`) that a future build can read read-only as regression guards (file 07 references these).
- Evidence/audit surface: `governance_audit_log` (1 row) and the per-row `audit_ref`/`rollback_ref` columns on `governance_object_ownership` are the runtime audit conventions; `governance_build_authorization.evidence(jsonb)` is the authorization evidence sink. File 10 builds the C1 evidence plan on these conventions.
- Logs: `docker_logs` available read-only (not tailed; not needed for preparation; `READ_ONLY_SAFE` if used later).
7. Unknowns (classified)
| Unknown | Classification | Resolution |
|---|---|---|
| Exact filenames under /opt/incomex/dot/specs | READ_ONLY_SAFE (probe DENIED, no enumeration tool) | Not required for C1 preparation; authoritative surface is live PG schema + KB |
| Exact future C1 table DDL | n/a — design decision in build (file 06) | Not a preparation gap; schema shape specified in file 04/06 |
| The authoritative set of canonical_operation values | execution input (governed per-value) | Not invented here; admission contract prepared (file 04); values added under Gate-B build, each its own governed entry |
8. Boundary attestation
This file performed read-only discovery only. No runtime state was changed; no row created/updated/deleted; no DDL/DML; no register_dot; no directus_create/update/delete; no write_file. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; 0 runtime mutations.