KB-6708

RS-TKT-1-PATCH1C · 08 Adversarial DOT-Bound Dry-Run Probe Results

Revision 1
Tags: tool-kiem-thu, lego, laws-new, rs-tkt-1, phase1-design, patch1c, adversarial-probe, self-break, non-authorizing, 2026-06-22

NON_EXECUTABLE_DESIGN_DOC
DOT_BOUND_DRYRUN_READINESS_PROOF_ONLY
NOT_IMPLEMENTED
NOT_AUTHORIZED_FOR_RUNTIME

Lane: RS-TKT-1 — Phase 1 TKT Base · PATCH1C
Date: 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE

Self-break first (Codex standard: "Codex confirms, does not discover"). Each bad path must be rejected by the design. All probes must be safe = YES.


1. Probe table

| probe_id | bad path | expected rejection | actual design response | safe | fix applied |
|---|---|---|---|---|---|
| PB-1 | Can dry-run run without DOT? | NO — Owner mandate requires 100% DOT | bound to DOT_TKT_DRYRUN_READ_REPORT_INSPECTOR (02 §1); running without it is undefined ⇒ HOLD_NO_EXEC_SURFACE | YES | none |
| PB-2 | Can dry-run use manual SQL? | forbidden | 02 §4 forbids manual SQL/psql/docker exec; handbook §3/§13 | YES | none |
| PB-3 | Can dry-run use generic Directus mutation? | forbidden | 02 §4 forbids generic Directus schema/collection mutation; handbook §3 | YES | none |
| PB-4 | Can the bound DOT mutate PG/Directus/registry? | NO — read-only | 02 §1 Read(no_mutation); handbook §19 forbidden row; KB-zone only (§12) | YES | none |
| PB-5 | Can the bound DOT create multiple artifacts? | NO — exactly one | 04 §3 cardinality rule = 1; 02 §2 | YES | none |
| PB-6 | Can it write result.json/result.md separately? | NO | 04 §3,4 superseded to embedded sections; counts=0 (07) | YES | none |
| PB-7 | Can unresolved DR-12/13/14 still block launch? | NO — they are resolved | 03 resolves all three + counted in 07; §8 measure = 0 | YES | none |
| PB-8 | Can Phase 2 open automatically? | NO | 05 §2: GATE-3 = explicit Owner command; INVARIANTs hold; no auto-open | YES | none |
| PB-9 | Can the one Markdown report be read as authority PASS? | NO | 04 §2(7) non-authority disclaimer; aggregate ADVISORY (02 §3); authority_effect=NONE | YES | none |
| PB-10 | Can engineering PASS become authority PASS? | NO | every file: authority_effect=NONE / registration_effect=NONE; advisory-only | YES | none |
| PB-11 | Can NVSZ root be invented? | NO | 02 §4 forbids NVSZ/NON_VECTOR_ROOT designation; DR-15 deferred (Phase 3) | YES | none |
| PB-12 | Can raw logs be written (to vector KB)? | NO | 02 §4 forbids raw-log write; one report only | YES | none |
| PB-13 | Can subject-under-test runtime be invoked? | NO | 02 §4 no SUT; L1 stops at HOLD_RUNTIME_SURFACE_REQUIRED | YES | none |
| PB-14 | Can "handbook §19 admission" be read as "DOT registered"? | NO | 06 §1,3 + §19 banner: SPEC/ADMISSION ONLY; dot_tools unchanged (309); REGISTRATION_HOLD | YES | none |
| PB-15 | Can GATE-3 hide a GATE-4 (e.g. registration as a separate silent step)? | NO | 05 §3 makes GATE-3 a single compound Owner act with 3a/3b/3c named explicitly; "THERE IS NO GATE-4" | YES | none |
| PB-16 | Can READY be claimed while the DOT is unregistered, implying it can run now? | NO — READY = design/preflight complete, not "runnable now" | 05 §1,3,4 + 09 verdict scope: READY = no design gap; running still needs GATE-1/2/3 | YES | none |
| PB-17 | Can the doc-only handbook edit be mistaken for a runtime/registry mutation? | NO | 06 §3: handbook edit is KB-zone (§12); dot_tools untouched; 0 runtime mutations | YES | none |

2. Self-break findings and fixes

SB-1 (potential false-READY): an earlier draft of 05 listed GATE-3 as "Owner opens Phase 2" without naming the DOT-registration sub-act,
     which could let a reviewer find a hidden GATE-4 (registration). FIXED: 05 §3 names 3a/3b/3c explicitly and states "THERE IS NO GATE-4."
SB-2 (potential overclaim): "READY" could be misread as "the dry-run can run now." FIXED: PB-16 + 05 §4 + 09 scope READY to design/preflight completeness;
     the bound DOT is explicitly NOT registered (REGISTRATION_HOLD).
SB-3 (Codex FIX-4 trap): resist re-narrowing the count. FIXED: 03 RESOLVES DR-12/13/14 and 07 counts them; no definition change.
⇒ found-and-fixed ambiguities = 3 ; unresolved-after-fix = 0 ; safe=NO count = 0.

3. Result

all probes safe = YES (17/17). safe=NO count = 0. No runtime/authority/registration escalation found. No manual-bypass path survives.