KB-335C
RS3C-03 — Registrar Code Behavior Reconstruction (dot-dot-register) — 2026-06-21
Revision 1
Tags: rs3c · registrar · behavior-reconstruction · source-aware · unsafe-behavior · 2026-06-21
Macro: RS3C (Objective B) · Deliverable: 03 of 13 · source-aware, line-cited
Source-of-record: RS3C-02 §2, operational dot-dot-register sha256 31d5cf15… (193 lines), proven byte-identical to deployed OPERATIONAL.
Date: 2026-06-21 · read-only · 0 mutations
Rule: every claim cites a source line/fragment. RP-03 prose is not used; where source contradicts RP-03, source wins.
Headline: the operational registrar is a bash mass-scan auto-registrar with no transaction, no authority binding, no artifact hash, status:"active" hardcoded, and fail-open success logging. It contradicts the RS3B-03 single-artifact contract target. Result feeds verdict component SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR.
1. Identity / shape
- Language: bash (`#!/usr/bin/env bash`, L1; `set -euo pipefail`, L13). Not TypeScript despite `dot_tools.file_path = bin/dot/dot-dot-register.ts`: the `.ts` suffix in the metadata is wrong; the deployed artifact is a bash executable (`file` → "Bourne-Again shell script"). Finding: registry metadata mis-describes the artifact type.
- Header: `dot-dot-register — Auto-register new DOT files (Cấp B, on-deploy)` ("Cấp B" = Tier B), `VERSION 1.0.0`, changelog `v1.0.0 (2026-03-31): Scan bin/dot-* → register missing in dot_tools` (L3–7).
2. Behavior reconstruction table (claim → line → confidence → risk → hardening implication)
| # | Claim (code-derived) | Source line/fragment | Confidence | Risk | Hardening implication |
|---|---|---|---|---|---|
| B1 | Entrypoint = `main "$@"` | L193 `main "$@"` | HIGH | — | single entry; hardened wrapper can intercept |
| B2 | Args: `--help`/`-h`, `--dry-run`, plus `--cloud`/`--local` (env) | L95–100, L27, usage L10 | HIGH | low | no `--one`/target arg exists → cannot register a single named DOT |
| B3 | Modes: real vs dry-run; writes occur only when `DRY_RUN==false` | L27, L98, L155 `if [[ "$DRY_RUN" == false ]]` | HIGH | — | dry-run is the only safety toggle; default is real-run |
| B4 | Scan = mass glob of every `dot-*` on disk | L121 `DISK_FILES=$(run_remote "ls -1 ${DOT_BIN_DIR}/dot-* 2>/dev/null")`, `DOT_BIN_DIR=/opt/incomex/dot/bin` (L25) | HIGH | HIGH | mass-scan is the exact behavior RS3B-03 must reject; confirmed present |
| B5 | Mass registration loop over all scanned files | L131 `while IFS= read -r filepath …` … `done <<< "$DISK_FILES"` (L184) | HIGH | HIGH | one invocation can create many rows → MASS_REGISTRATION_ATTEMPTED is real, not hypothetical |
| B6 | One artifact per registration: NO; no single-target argument | absence across L95–100; loop L131 | HIGH | HIGH | contradicts single-artifact contract (RS3C-06) |
| B7 | Untracked discovery = grep registered file_paths | L128 `REGISTERED=$(run_pg "SELECT file_path FROM dot_tools WHERE file_path IS NOT NULL;")`; L135 `if echo "$REGISTERED" \| grep -qF "$filepath"` | HIGH | HIGH | fixed-string substring match against the whole list, not an exact-path lookup; defect detailed in B8 |
| B8 | Dedup is defective (path-format mismatch) | disk path = absolute `/opt/incomex/dot/bin/dot-foo` (L121); stored compared values include relative `bin/dot/...` and are trigger-normalized (`fn_normalize_dot_filepath`, RS3C-09); `grep -qF` of absolute against normalized never matches | HIGH | HIGH | re-run will treat already-registered tools as NEW → duplicates; idempotency fail-open (RS3C-07) |
| B9 | No DB-level dedup backstop | `dot_tools` constraints = only `dot_tools_pkey PRIMARY KEY (id)`; no `UNIQUE(code)` / `UNIQUE(file_path)` (`pg_constraint`) | HIGH | HIGH | DB will accept duplicate code/file_path → registrar is the sole (broken) guard |
| B10 | dot_tools rows created via Directus REST POST | L156 `curl -sS --globoff -k -X POST "${BASE_URL}/items/dot_tools"` | HIGH | med | write path = app layer (Directus), not raw SQL; `-k` skips TLS verification |
| B11 | Reads via raw psql (docker exec / ssh root) | L46–53 `run_pg` → `docker exec -i postgres psql -U directus -d directus` or `ssh -i $VPS_KEY root@$VPS_HOST` | HIGH | HIGH | reads bypass Directus permission layer; root SSH used when docker is not local |
| B12 | status hardcoded `"active"` | L173 `status: "active"` | HIGH | HIGH | registers active, not inert/pending → violates closed-at-registration; fires activation trigger (B17) |
| B13 | code derivation = uppercase + `-`→`_` | L143 `CODE=$(echo "$BASENAME" \| tr '[:lower:]' '[:upper:]' \| tr '-' '_')` → `dot-foo`→`DOT_FOO` | HIGH | see B14 | code is a string transform of the filename, not a contract value; may be overridden DB-side (gen_code trigger, §4) |
| B14 | tier/domain = heuristic pattern match | `classify_tier` L65–73 (A if `-health`/`-scan`/`-report`/`-audit`/`-check`/`-verify`/`-integrity`/`-coverage`, else B); `classify_domain` L75–92 | HIGH | med | metadata derived by filename heuristics, not by contract; mis-tier risk |
| B15 | Pairing: tier B → `paired_dot="DOT-HEALTH-DOT"` as a field on the single row | L148–151, L166/L174 `paired_dot: $paired` | HIGH | low | confirms Codex C2: one primary row, `paired_dot` is a text reference to an existing DOT, no second row created (RS3C-08) |
| B16 | No transaction / no rollback | independent curl POST per iteration inside `while` (L131–184); no BEGIN/COMMIT anywhere | HIGH | HIGH | partial-batch failure leaves committed rows; `set -e` mid-loop = partial state, no compensation → fail-closed required (RS3C-06) |
| B17 | Activation side-effect on insert | status=active insert fires `trg_context_pack_dot_register` AFTER INSERT → `fn_context_pack_on_dot_register` → `pg_notify` (RS3C-09) | HIGH | HIGH | mass active inserts = mass activation notifications (G7) |
| B18 | Fail-open success logging | L156 curl has no `-f`/`--fail` and redirects `> /dev/null 2>&1`; L176 `if [[ $? -eq 0 ]]` checks curl's exit status, which is 0 on HTTP 4xx/5xx | HIGH | HIGH | logs `Registered: $CODE` even when Directus rejected the POST → false success; no readback/verify |
| B19 | No authority/Owner/APR/gate check | nothing in L94–191 reads ownership, approvals, APR, or any registration gate before POST | HIGH | HIGH | registrar has zero authorization binding (G2 owner blocker stands; authority is not in the source) |
| B20 | No deployed-artifact hash carried | POST body L167–174 sends `{code,name,file_path,tier,domain,status,paired_dot}` only; `dot_tools` has 0 hash columns | HIGH | HIGH | interface-F artifact-hash carrier absent in source (RS3B-04 unchanged); cannot bind row to a specific artifact |
| B21 | Credentials: `DOT_TOKEN` via `dot-auth` + SSH root key | L112–117 `source "${SCRIPT_DIR}/dot-auth"`; L21 `VPS_KEY="${HOME}/.ssh/contabo_vps"`, L20 `VPS_HOST="38.242.240.89"` | HIGH | HIGH | hardcoded VPS IP + SSH root key path; REST token scope not provable from this file (`dot-auth` not read); "ADMIN" claim only partially supported (root SSH gives psql superuser-equivalent reads) |
| B22 | Audit/changelog: none written by the script itself | no audit write in L94–191; any `registry_changelog` entry is a DB-side effect of the Directus flow/triggers, not the registrar | HIGH | med | durable failure audit must be added externally (RS3C/RS3B-06); registrar provides none |
| B23 | Catalog-sync interaction: none in code | registrar never calls `dot-catalog-sync`; they only share the scan source dir | HIGH | low | no in-process coupling (RS3C-05 boundary) |
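Worked example for B7/B8 and B18 (added here; this is not code from dot-dot-register or any RS3C deliverable). The registered list and the disk listing are constructed stand-ins for the L128 query result and the L121 `ls` output; the stored form produced by `fn_normalize_dot_filepath` is assumed to be `bin/dot/<basename>`, which this page does not verify from the trigger body. It shows why the L135 substring grep never matches (every tool reads as NEW), why normalising the path alone is not enough (`-F` without `-x` lets `dot-foo` be claimed by a registered `dot-foo-extra`), and a fail-closed replacement for the L156/L176 pattern that checks the HTTP status rather than curl's exit code. The `Authorization: Bearer` header in that wrapper is an assumption about how `DOT_TOKEN` is presented; `dot-auth` was not read.

```bash
#!/usr/bin/env bash
# Added example, not from dot-dot-register: reproduces the B7/B8 dedup defect,
# shows an exact-match check, and a fail-closed POST wrapper for the B18 pattern.
set -euo pipefail

# Constructed stand-in for the L128 query result. Assumption: the
# fn_normalize_dot_filepath trigger stores paths as "bin/dot/<basename>".
REGISTERED=$'bin/dot/dot-health\nbin/dot/dot-foo-extra\nbin/dot/dot-report'

# Constructed stand-in for the L121 listing: absolute paths under DOT_BIN_DIR.
DOT_BIN_DIR=/opt/incomex/dot/bin
DISK_FILES="$DOT_BIN_DIR/dot-health"$'\n'"$DOT_BIN_DIR/dot-foo"$'\n'"$DOT_BIN_DIR/dot-foo-extra"

# Stored form of a disk path (same assumption as REGISTERED above).
normalize_path() { printf 'bin/dot/%s\n' "${1##*/}"; }

# 1) The L135 check as written: absolute disk path, fixed-string grep, no anchoring.
#    Relative stored values never contain the absolute path, so every file is "new".
is_registered_original() { echo "$REGISTERED" | grep -qF -- "$1"; }

# 2) Normalised but still a substring grep: "bin/dot/dot-foo" is found inside the
#    stored line "bin/dot/dot-foo-extra", so an unregistered tool is silently skipped.
is_registered_normalized_substring() { grep -qF -- "$(normalize_path "$1")" <<< "$REGISTERED"; }

# 3) Hardened: normalised form compared as a whole line (-x), fixed string (-F).
is_registered_exact() { grep -qxF -- "$(normalize_path "$1")" <<< "$REGISTERED"; }

# Files a given check would hand to the registration POST.
list_new() {
  local check=$1 f
  while IFS= read -r f; do
    "$check" "$f" || printf '%s\n' "$f"
  done <<< "$DISK_FILES"
}

# Number of files a given check would register.
count_new() {
  local check=$1 n=0 f
  while IFS= read -r f; do
    "$check" "$f" || n=$((n + 1))
  done <<< "$DISK_FILES"
  echo "$n"
}

# 4) Fail-closed replacement for the L156/L176 pattern: curl exits 0 on HTTP 4xx/5xx
#    unless told otherwise, so the status is captured explicitly and -k is dropped.
#    Assumption: DOT_TOKEN is presented as a Bearer token (not verified from dot-auth).
post_dot_tool_strict() {
  local base_url=$1 token=$2 body=$3 status
  status=$(curl -sS --globoff -o /dev/null -w '%{http_code}' \
             -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
             -X POST "$base_url/items/dot_tools" --data "$body") || return 1  # transport error
  case $status in
    2??) return 0 ;;
    *)   printf 'POST rejected: HTTP %s\n' "$status" >&2; return 1 ;;
  esac
}

printf 'original check    -> %s files treated as NEW\n' "$(count_new is_registered_original)"              # 3
printf 'normalized, no -x -> %s files treated as NEW\n' "$(count_new is_registered_normalized_substring)"  # 0
printf 'normalized + -x   -> %s files treated as NEW\n' "$(count_new is_registered_exact)"                 # 1
```

The first count is the B8 duplicate path: a re-run registers `dot-health` and `dot-foo-extra` again because nothing in `REGISTERED` contains an absolute path. The second count is the mirror-image failure a naive fix introduces: `dot-foo` is never registered because its normalised form is a prefix of a registered entry. Only the whole-line match gives the correct answer, and even then B9 still applies: without `UNIQUE(file_path)` on `dot_tools` the script remains the only guard.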
3. Confirmed/contradicted vs RP-03 prose and RS3B criteria
| Prior claim (RP-03 / RS2-PATCH1 / RS3B) | Source verdict | Evidence |
|---|---|---|
| "registers ALL untracked bin/dot-*" (mass) | CONFIRMED | B4, B5 |
| "Directus REST / app-layer" | CONFIRMED for writes; reads are raw psql | B10, B11 |
| "ADMIN creds" | PARTIAL: root SSH for reads proven; REST token scope unproven | B11, B21 |
| "no deployed-artifact hash" | CONFIRMED | B20 |
| "heuristic metadata" | CONFIRMED | B13, B14 |
| RS3B-03 single-artifact target | CONTRADICTED by source (registrar is multi-artifact) | B6 → RS3C-06 |
| "atomic registration boundary" (RS2-PATCH1 design) | ABSENT in source (no txn) | B16 |
| "closed-at-registration / inert status" | VIOLATED (`status:"active"`) | B12 |
4. Source-derived defect list (the unsafe-behavior basis)
- Mass scan + mass register (B4–B6) — no single-artifact path.
- No transaction / rollback / compensation (B16) — partial state on failure.
- `status:"active"` hardcoded (B12) — no inert state, fires activation (B17).
- Fail-open success logging (B18) — HTTP errors reported as success.
- Defective dedup (B8) + no DB UNIQUE (B9) — duplicate rows on re-run.
- No authority/Owner/APR/gate binding (B19).
- No artifact-hash binding (B20).
- Hardcoded infra creds/IP, `-k` TLS-skip, root SSH (B21, B10).
- Heuristic, possibly-overridden metadata (B13, B14; gen_code/normalize triggers).
5. Status
- Behavior reconstruction: `COMPLETE_SOURCE_DERIVED` (was `HELD` in RS3B-01).
- Source finding: `SOURCE_CONFIRMS_UNSAFE_REGISTRAR_BEHAVIOR` for hardened governed registration.
- Codex C2 input: confirmed (one row + `paired_dot` field, B15) → RS3C-08.
- Registration gate unchanged: `REGISTRATION_HOLD` · `CAN_PROCEED = NO`.