KB-1E48

RS3C-05 — Rerun: Dual-Writer Boundary (Source-Aware) — 2026-06-21

Revision 1

Macro: RS3C (Objective C, reruns RS3B-02) · Deliverable: 05 of 13
Inputs: RS3C-03 (registrar), RS3C-04 (catalog-sync), both source-derived & hash-verified.
Date: 2026-06-21 · read-only · 0 mutations
Codex correction applied: RS3B-02 had to say "potential dual-writer, not two proven writers." Source now resolves it.


1. Prior vs source-aware

| Item | RS3B-02 (no source) | RS3C-05 (source-aware) | Evidence |
|---|---|---|---|
| Registrar writes dot_tools | asserted from metadata | PROVEN | RS3C-03 B10 (L156 POST /items/dot_tools) |
| Catalog-sync writes dot_tools | "potential" / fenced | DISPROVEN | RS3C-04 C6 (no /items/dot_tools write in 264 lines) |
| Catalog-sync is read-only | hypothesis | PARTIALLY WRONG | RS3C-04 C5 (it PATCHes meta_catalog.record_count, L68) |
| Two writers overlap on registry | uncertain | NO OVERLAP | disjoint sinks (below) |

2. The boundary, proven by source

                 scan source: /opt/incomex/dot/bin/dot-*
                 ┌───────────────┴────────────────┐
        dot-dot-register                    dot-catalog-sync
        (DOT-REGISTER)                       (DOT-015)
            │ WRITE                              │ WRITE
            ▼                                    ▼
        dot_tools  ◄── (read for dedup)     meta_catalog.record_count
        (registry rows)                      (aggregate count cache)
  • dot_tools writer set = { dot-dot-register } — sole registry writer.
  • meta_catalog.record_count writer set = { dot-catalog-sync } (for CAT-006/007/008 and, under --all, CAT-000/001/003/004/005/009).
  • Read-only on dot_tools: catalog-sync only finds dot/bin/dot-* and counts (RS3C-04 C9). Registrar reads dot_tools.file_path for dedup (RS3C-03 B7).
  • Shared input, disjoint output: both scan the same directory; neither writes the other's table.

3. Conclusions

  1. DUAL_WRITER_ON_REGISTRY = DISPROVEN_BY_SOURCE. There is exactly one writer to dot_tools (the registrar). No fencing against catalog-sync registry writes is required because catalog-sync performs none.
  2. Residual cross-effect (reporting drift, not mutation): catalog-sync's CAT-006 record_count is a cached count that can disagree with live dot_tools if either changes between syncs. This is a stale-count reporting risk, not a registry-integrity risk. Hardening note: treat meta_catalog.record_count as advisory, never as the registry source-of-truth.
  3. The real registry-write risk is intra-registrar, not inter-tool: the dangerous behavior is the registrar's own mass-scan / no-txn / status-active / fail-open path (RS3C-03 §4), not a second writer.
  4. Boundary target (unchanged, now source-justified): registrar-only registration writes to dot_tools; catalog-sync stays read/diff/report + meta_catalog.record_count-only. Any future catalog-sync write to dot_tools would require an independently governed write contract — but none exists today.
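The boundary target above can be held in place by a source scan that rebuilds each collection's writer set and fails when a tool writes outside its contract. The following is an added example, not code from the dot tools or from RS3C-03/04. It assumes the tools are shell scripts that call the API through curl, that meta_catalog is patched under /items/meta_catalog/<id>, and it checks at collection level only; the SAMPLE scripts are constructed.

```python
import re

# Write contract from the boundary above: tool -> collections it may write.
ALLOWED_WRITES = {"dot-dot-register": {"dot_tools"},
                  "dot-catalog-sync": {"meta_catalog"}}
# Assumption: the tools are shell scripts that reach the API through curl.
METHOD_RE = re.compile(r"(?:-X\s*|--request[ =])(POST|PATCH|PUT|DELETE)\b")
DATA_RE = re.compile(r"\s(?:-d|--data(?:-raw|-binary)?)[\s=]")
ITEMS_RE = re.compile(r"/items/([A-Za-z0-9_]+)")

def logical_lines(source):
    """Yield (first_line_no, text) with backslash-newline continuations joined."""
    no = 1
    for chunk in re.split(r"(?<!\\)\n", source):
        yield no, chunk.replace("\\\n", " ")
        no += chunk.count("\n") + 1

def writer_sets(sources):
    """Map collection -> {(tool, line_no, method)} for every write call found."""
    found = {}
    for tool, source in sources.items():
        for no, text in logical_lines(source):
            if text.lstrip().startswith("#"):
                continue  # commented-out calls are not writes
            methods = set(METHOD_RE.findall(text))
            if not methods and DATA_RE.search(text):
                methods = {"POST"}  # curl defaults to POST when given a body
            for coll in ITEMS_RE.findall(text):
                for method in methods:
                    found.setdefault(coll, set()).add((tool, no, method))
    return found

def violations(sources):
    """Writes outside the contract; an empty list means the boundary holds."""
    return sorted((tool, coll, no, method)
                  for coll, hits in writer_sets(sources).items()
                  for tool, no, method in hits
                  if coll not in ALLOWED_WRITES.get(tool, set()))

SAMPLE = {  # constructed stand-ins for the two scripts, not their real source
    "dot-dot-register": 'curl -s "$API/items/dot_tools?fields=file_path"\n'
                        'curl -s -X POST "$API/items/dot_tools" \\\n  -d "$row"\n',
    "dot-catalog-sync": 'curl -s -X PATCH "$API/items/meta_catalog/$id" -d "$n"\n',
}

if __name__ == "__main__":
    print(violations(SAMPLE) or "boundary holds")
```

A scan like this only sees literal /items/<collection> paths; a URL assembled from variables at runtime needs the same check at the API or permission layer.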

4. Status

  • Deliverable: DUAL_WRITER_BOUNDARY_RESOLVED_BY_SOURCE (not RS3C_HOLD_DUAL_WRITER_BOUNDARY_UNPROVEN).
  • No CATALOG_SYNC_SOURCE_CONTRADICTS_BOUNDARY finding: catalog-sync's actual writes (meta_catalog counts) are consistent with a read/report role and do not breach the registry boundary.
  • Registration gate unchanged: REGISTRATION_HOLD · CAN_PROCEED = NO.
knowledge/dev/laws-new/reports/rs3c/05-rerun-dual-writer-boundary-source-aware-2026-06-21.md