RS3B-01 — Registrar Source Recovery and Behavior Reconstruction — 2026-06-21
RS3B-01 — Registrar Source Recovery and Behavior Reconstruction — 2026-06-21
Macro: RS3B-REGISTRAR-HARDENING-DESIGN (read-only / KB-design)
Deliverable: 01 of 10 · Source recovery (Mục tiêu A)
Date: 2026-06-21
Mode: read-only · 0 mutations · no DDL/DML · no code/schema/registration change
Live read tier: CLAUDE_READ_ONLY_PACKET (query_pg read-only role + VPS read_file allowlist + AgentData KB), 2026-06-21. NO_CODEX_LIVE_READ.
Deliverable status: SOURCE_NOT_READ → drives package controlling verdict RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ.
1. Purpose
Mục tiêu A requires recovering and reading the actual implementation source of the existing registrar (bin/dot/dot-dot-register.ts) and its sibling dot-catalog-sync, then reconstructing behavior from code, not from prose. Per the macro §0.5 and Codex RS3-PATCH2 gate deliverable #1: if the source cannot be read, produce an exact source-recovery proof and stop at HOLD_REGISTRAR_SOURCE_NOT_READ — do not infer code-level behavior from RP-03 prose (must-not-do #34) and do not declare PASS (must-not-do #35).
2. Source-recovery proof (exhaustive)
The only file-read channel available is the VPS read_file MCP tool, which is allowlisted to exactly three path prefixes: /opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx. It is symlink-resolved, rejects binaries, denies a secret denylist, and caps at ≤50KB / ≤10000 lines. There is no shell, no git, no docker exec, no cat available — list_docker is metadata-only and read-only. Therefore the registrar .ts can be reached only if it physically lives under one of the three allowlisted prefixes.
The live dot_tools row DOT-REGISTER has file_path = bin/dot/dot-dot-register.ts; DOT-015 has file_path = bin/dot/dot-catalog-sync (script_path = dot/bin/dot-catalog-sync). bin/dot/... is not under /opt/incomex/docs, /opt/incomex/dot/specs, or /var/log/nginx.
| # | Source | Expected path | Access method | Read status | Evidence (verbatim tool result) | Consequence |
|---|---|---|---|---|---|---|
| 1 | registrar | bin/dot/dot-dot-register.ts |
VPS read_file | DENIED | [DENIED] path is outside the allowlist |
not under allowlist prefix |
| 2 | registrar | /opt/incomex/bin/dot/dot-dot-register.ts |
VPS read_file | DENIED | [DENIED] path is outside the allowlist |
/opt/incomex/bin not allowlisted |
| 3 | registrar | /opt/incomex/app/bin/dot/dot-dot-register.ts |
VPS read_file | DENIED | [DENIED] path is outside the allowlist |
not allowlisted |
| 4 | registrar | /opt/incomex/dot/specs/dot-dot-register.ts |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
inside allowlist, no such regular file |
| 5 | registrar | /opt/incomex/docs/dot-dot-register.ts |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
inside allowlist, absent |
| 6 | catalog-sync | bin/dot/dot-catalog-sync.ts |
VPS read_file | DENIED | [DENIED] path is outside the allowlist |
not allowlisted |
| 7 | catalog-sync | /opt/incomex/bin/dot/dot-catalog-sync.ts |
VPS read_file | DENIED | [DENIED] path is outside the allowlist |
not allowlisted |
| 8 | catalog-sync | /opt/incomex/dot/specs/dot-catalog-sync.ts |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
inside allowlist, absent |
| 9 | spec probe | /opt/incomex/dot/specs/{README,index,dot-dot-register,dot-dot-register.spec,dot-catalog-sync}.md |
VPS read_file | NOT A FILE (all) | [DENIED] not a regular file |
no readable regular file at any probed name |
| 10 | spec probe | /opt/incomex/dot/specs/dot-r2-b2-staging-schema-shell.contract.md |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
the governed contract lives in KB, not on this FS path |
| 11 | docs probe | /opt/incomex/docs/{README,index,dot-dot-register,dot-r2-b2-...contract}.md |
VPS read_file | NOT A FILE (all) | [DENIED] not a regular file |
no readable regular file at any probed name |
| 12 | dir probe | /opt/incomex/docs, /opt/incomex/dot/specs (dirs) |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
directories not enumerable via read_file (no listing primitive) |
| 13 | log probe | /var/log/nginx/{access,error}.log |
VPS read_file | NOT A FILE | [DENIED] not a regular file |
even nginx logs not materialized at probed names |
| 14 | KB mirror | any AgentData doc containing registrar .ts source |
search_knowledge ×4 + list_documents | NO SOURCE COPY | only prose/registry-metadata hits | see §3 |
The tool collapses three distinct conditions (missing file / directory / permission) into one string [DENIED] not a regular file, so #4–#13 cannot be further resolved. What is provable: (a) the registrar/catalog-sync .ts paths are outside the allowlist (deterministic outside the allowlist string), and (b) zero bytes of any file were returned by any of the ~22 probes.
Source-recovery verdict: SOURCE_NOT_RECOVERABLE_VIA_VPS_READ. There is no available tool path to the registrar implementation source.
3. KB source-copy search
search_knowledge (4 query variants, TS-keyword-laden) + list_documents("knowledge/dev/laws-new/") returned no document containing actual registrar source code (no import statements, no function bodies, no async/await of dot-dot-register). Every hit is one of: (a) prose behavioral reconstruction — knowledge/dev/reports/architecture/registries-pivot-.../03-dot-registration-or-staging.md (the "RP-03" prose), and the RS2-PATCH1 reuse report; (b) registry metadata — registries/meta_catalog/CAT-006 (names Sync Script: dot-catalog-sync, Sync Frequency: on-deploy, Source: File:dot/bin/, Record Count 309), tbl_registry_dot_tools; (c) usage inventory — dot-usage-handbook.md; (d) a different register package — knowledge/dev/laws/dieu38-trien-khai/P9-e7-dot-register-package.md ("dot-register v2" registering 19 DOT-TAC-* tools) which is about using a register routine, not its source.
KB-copy verdict: NO_KB_SOURCE_COPY. The registrar source-of-record remains unread.
4. Behavior reconstruction — HELD
Per must-not-do #34 and the Codex gate, behavior must be reconstructed from code, not prose. Because no code is available, code-level behavior reconstruction is HELD. The table below records only what is observable from runtime metadata (source-fact tier) versus what prior prose claims (UNVERIFIED tier). The UNVERIFIED column is carried only to scope the future read; it is explicitly not adopted as behavior.
| Aspect | Metadata-observed fact (source tier: runtime row / registry) | Prior-prose claim (UNVERIFIED — RP-03 / RS2-PATCH1, do not adopt) |
|---|---|---|
| registrar identity | DOT-REGISTER / name dot-dot-register, operation=register, file_path=bin/dot/dot-dot-register.ts, status=active, domain=monitoring.dot, paired_dot=DOT-HEALTH-DOT, tier=B, trigger_type=on-deploy, coverage_status=complete |
"only governed registrar; registers all untracked bin/dot-*" |
| write path | registry_changelog rows for dot_tools.items.create carry changed_by = directus_flow (app/REST layer, not raw SQL) |
"Directus REST / app-layer, ADMIN creds" |
| target table | dot_tools (309 rows, no hash/artifact_hash column) |
"registers into dot_tools, heuristic metadata" |
| scan behavior | dot_config.context_pack_scan_paths = ["/opt/incomex/dot/bin","/opt/incomex/web/app","/opt/incomex/deploy","/opt/incomex/scripts"] (context-pack scanner config, not proven to be the registrar's own scan) |
"mass-registers ALL untracked bin/dot-*" — mass-scan is exactly the behavior RS3B must reject; cannot confirm or deny without source |
| artifact selection | unknown from metadata | "heuristic metadata, no deployed-artifact hash" |
| transaction / rollback | unknown from metadata | unknown |
| idempotency | unknown from metadata | unknown |
| catalog-sync interaction | DOT-015 is a separate DOT (domain=sync, paired_dot=NULL); see RS3B-02 |
"catalog-sync is separate (DOT-015), domain sync" |
| audit/changelog side-effect | every dot_tools insert is logged to registry_changelog (87,746 rows) via directus_flow; tier∈{A,B,C}+status=active also emits pg_notify('context_pack_event') (see RS3B-08) |
not in prose |
Behavior-reconstruction status: BEHAVIOR_RECONSTRUCTION_HELD_SOURCE_NOT_READ. No code-derived behavior is asserted. The metadata column is fact; the prose column is an UNVERIFIED scope list for the future read.
5. Exact missing access (for the future read)
To lift this HOLD, one of the following must become available (none authorized/performed here):
read_fileallowlist extended to include the directory that physically holdsbin/dot/dot-dot-register.tsandbin/dot/dot-catalog-sync(e.g./opt/incomex/dot/binor the deploy root), or- a faithful, line-level KB mirror of the registrar + catalog-sync source admitted at a citable KB path, or
- an equivalent read-only code channel (git read, repository browse) over the registrar module and its importers/callers.
Until then, deliverables that require code-level facts (behavior reconstruction, exact transaction/rollback semantics, exact scan logic, exact clobber behavior) remain HELD; all other RS3B deliverables proceed at design/criteria level against runtime metadata + the governed contract package.
6. Status block
- Deliverable status:
SOURCE_NOT_READ·SOURCE_NOT_RECOVERABLE_VIA_VPS_READ·NO_KB_SOURCE_COPY·BEHAVIOR_RECONSTRUCTION_HELD_SOURCE_NOT_READ - Controlling package verdict:
RS3B_HOLD_REGISTRAR_SOURCE_NOT_READ - Registration gate:
REGISTRATION_HOLD·REGISTRATION_CAN_PROCEED = NO - Mutations: 0. RP-03 prose not adopted as behavior. PASS not declared.