RS3C-01 — Source Access Recovery Proof — 2026-06-21
Macro: RS3C — SOURCE RECOVERY + RS3B AFFECTED RERUN (Objective A)
Deliverable: 01 of 13 · Source access recovery
Date: 2026-06-21
Mode: read-only · 0 DB/domain/runtime mutations · 0 operational config changes · no allowlist patch · no service restart
Result: SOURCE_ACCESS_RECOVERED via Method 3 (read-only local code channel) + VPS snapshot hash cross-check. Method 1 (allowlist patch) was not used and not required.
1. Outcome
Both required source files were recovered and proven byte-identical to the currently-deployed VPS files by sha256 cross-check against the live wf_fs_dot_bin_snapshot table (observed 2026-06-21 02:10:14+00, the same day). No operational mutation, allowlist change, or service restart was performed — Method 3 succeeded first, which is the lowest-footprint channel.
| Source | Operational? | Recovered | Fidelity |
|---|---|---|---|
| dot-dot-register (registrar, DOT-REGISTER) | YES (live 31d5cf15…) | YES | sha256 EXACT MATCH to deployed OPERATIONAL |
| dot-catalog-sync (DOT-015) | YES (live 7dd84cda…) | YES | sha256 EXACT MATCH to deployed OPERATIONAL |
2. Method evaluation (in macro priority order)
Method 1 — Extend read_file allowlist minimally: NOT ATTEMPTED, NOT NEEDED, and NOT REACHABLE with available tools.
The VPS read_file allowlist (/opt/incomex/docs, /opt/incomex/dot/specs, /var/log/nginx) is enforced inside the MCP server, not in a file I can edit through any available tool. The only write surface, write_file, is itself confined to /opt/incomex/docs/mcp-writes (it cannot reach an MCP config), there is no shell/SSH/docker-exec/service-restart tool, and the local Bash runs on the Mac, not the VPS. So the allowlist could not have been patched even if desired. This is recorded as a channel limitation, not a refusal — and it is moot, because Method 3 recovered the source cleanly.
Method 3 — Read-only local code channel: SUCCESS. A read-only filesystem search of the operator workstation located faithful copies of both files, and each was verified against the live VPS deployment hash.
Method 2 — KB source mirror: superseded (Method 3 succeeded). The recovered, hash-verified source is mirrored into KB at RS3C-02 to make the behavior reconstruction independently auditable by Codex.
3. Source access proof table
| Step | Command / action | Result | Evidence | Consequence |
|---|---|---|---|---|
| 1 | query_pg schema of wf_fs_dot_bin_snapshot | 15 cols incl. path_or_ref, hash(text), status, observed_at | column list returned | snapshot stores per-file sha256 of /opt/incomex/dot/bin/* → usable as deployed-source integrity oracle |
| 2 | local find /Users/nmhuyen … -name 'dot-dot-register*' -o -name 'dot-catalog-sync*' | 3 hits | …/web-test/dot/bin/dot-catalog-sync, …/web-test/dot/bin/dot-dot-register, …/tmp/fix21-docs/dot-dot-register | candidate source copies on operator workstation |
| 3 | shasum -a 256 of each local copy | computed | catalog-sync 7dd84cda…; web-test register 9c594efd…; tmp/fix21-docs register 31d5cf15… | per-file content hashes |
| 4 | query_pg wf_fs_dot_bin_snapshot WHERE path_or_ref ILIKE '%dot-dot-register%' OR '%dot-catalog-sync%' | 3 rows (observed 2026-06-21 02:10:14+00) | see §4 | live deployed hashes for both files (+ a backup) |
| 5 | Cross-check catalog-sync | local 7dd84cda… == deployed OPERATIONAL 7dd84cda… (id 5963, DOT-015) | EXACT MATCH | catalog-sync mirror is faithful to live deploy |
| 6 | Cross-check registrar (web-test copy) | local 9c594efd… == deployed BACKUP dot-dot-register.bak-s164c (id 5909, NOISE_BACKUP), NOT operational | MISMATCH vs operational | web-test checkout (commit 5b9eb23, 2026-05-16) holds the prior registrar; rejected as operational source |
| 7 | Hunt for operational hash 31d5cf15… across workstation + git history | found …/tmp/fix21-docs/dot-dot-register 31d5cf15… == deployed OPERATIONAL (id 6022, OPERATIONAL) | EXACT MATCH | operational registrar source recovered & proven faithful |
| 8 | Self-test read dot-dot-register (operational) | 193 lines / 5813 bytes read | bash shebang, dot-dot-register — Auto-register new DOT files (Cấp B, on-deploy) v1.0.0 | line-level source available → behavior reconstruction unblocked (RS3C-03) |
| 9 | Self-test read dot-catalog-sync | 264 lines / 7134 bytes read | bash shebang, dot-catalog-sync — Scan external sources and report catalog discrepancies v1.0.0 | line-level source available → behavior reconstruction unblocked (RS3C-04) |
4. Deployed-snapshot cross-check (the fidelity oracle)
From wf_fs_dot_bin_snapshot (read-only, observed 2026-06-21 02:10:14+00):
| id | object_key | path_or_ref | status | snapshot sha256 | matches local |
|---|---|---|---|---|---|
| 6022 | dot-dot-register | /opt/incomex/dot/bin/dot-dot-register | OPERATIONAL | 31d5cf1508c7950cc30a2a6abb46d7cee868e1cbf951a6095ff0aee7ba48583f | …/tmp/fix21-docs/dot-dot-register ✅ |
| 5909 | dot-dot-register.bak-s164c | /opt/incomex/dot/bin/dot-dot-register.bak-s164c | NOISE_BACKUP | 9c594efdd81c4cfe372a1801637b31762e9020e04a2322b6e1f61ed31906286a | …/web-test/dot/bin/dot-dot-register (prior, NOT used) |
| 5963 | dot-catalog-sync | /opt/incomex/dot/bin/dot-catalog-sync | OPERATIONAL | 7dd84cda6d1e220fc7f54419bf40ec9ad05a952b6a402360df73f0af3fa355cd | …/web-test/dot/bin/dot-catalog-sync ✅ |
Why this is stronger than an allowlist read: the recovered files are validated against an independent live integrity record produced on the VPS itself the same day. The match is exact to the OPERATIONAL rows (not the backup), so behavior claims in RS3C-03/04 are about the currently deployed registrar/catalog-sync, not a stale copy.
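The cross-check in steps 5 to 7, as an added example (not code from this deliverable or from the DOT tooling): a local copy is accepted only when its sha256 equals the snapshot row that is both OPERATIONAL and keyed to the exact object, so a copy matching only a backup row is rejected, as in step 6. The row fields mirror the snapshot columns named above; the file contents, ids and the `classify` helper are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(candidate, snapshot_rows, object_key):
    """Compare one local copy against snapshot rows (hypothetical helper).

    Returns (verdict, matched_row_id). Only a match to the OPERATIONAL row whose
    object_key is exactly the requested one counts as faithful."""
    digest = sha256_file(candidate)
    stale = None
    for row in snapshot_rows:
        if row["hash"].lower() != digest:
            continue
        if row["status"] == "OPERATIONAL" and row["object_key"] == object_key:
            return "FAITHFUL", row["id"]
        stale = row["id"]  # same bytes as a backup or a different object
    return ("STALE_OR_BACKUP", stale) if stale is not None else ("UNKNOWN", None)

def demo():
    # Constructed sample data: contents, ids and hashes are made up for the demo.
    current = b"#!/bin/bash\n# registrar v1.0.0 (constructed current)\n"
    prior = b"#!/bin/bash\n# registrar (constructed prior)\n"
    rows = [
        {"id": 1, "object_key": "dot-dot-register", "status": "OPERATIONAL",
         "hash": hashlib.sha256(current).hexdigest()},
        {"id": 2, "object_key": "dot-dot-register.bak", "status": "NOISE_BACKUP",
         "hash": hashlib.sha256(prior).hexdigest()},
    ]
    with tempfile.TemporaryDirectory() as d:
        files = {"checkout": prior, "tmp_copy": current, "edited": current + b"x"}
        out = {}
        for name, data in files.items():
            p = Path(d) / name
            p.write_bytes(data)
            out[name] = classify(p, rows, "dot-dot-register")
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The third verdict, UNKNOWN, covers a copy that matches no snapshot row at all, which should block behavior reconstruction just as a backup match does.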
5. Backup / diff / restart / rollback
- Backup: N/A — no config or source file was modified anywhere (VPS or workstation). Source was read only.
- Diff: N/A — no change applied.
- Restart / reload: N/A — no service touched.
- Rollback plan: N/A — nothing to roll back; zero mutations.
- Health check: N/A.
This deliverable performed read-only operations exclusively: query_pg (read-only role), local find/shasum/wc/git log/git show/git hash-object (no fetch, no checkout, no write), and file reads.
6. Status block
- Deliverable status: SOURCE_ACCESS_RECOVERED (Method 3 + snapshot hash cross-check)
- Registrar (operational): RECOVERED_HASH_VERIFIED (31d5cf15…)
- Catalog-sync (operational): RECOVERED_HASH_VERIFIED (7dd84cda…)
- Allowlist patch: NOT_PERFORMED (not required; not reachable with available tools)
- Mutations: 0. RP-03 prose superseded by source. Registration gate unchanged: REGISTRATION_HOLD · CAN_PROCEED = NO.