KB-20C3

Implementation Package DOT v0.1 — Gap-only Scope Spec (read/report-only, DESIGN ONLY, 2026-06-09)

Revision 1

Implementation Package DOT v0.1 — Gap-only Scope Spec

Nature: the read/report-only scope spec for the future Implementation Package DOT v0.1 (a.k.a. Tool-Kiem-Thu v0.1). It defines what the inspector is, what it is not, the read-only inputs it may consume, the report/JSON it may emit, its verdict vocabulary, its failure modes and fail-closed rules, and the wall of prohibited overlaps. It is a gap-only spec: it specs only the read/report-only gap surface and carves out every execution-dependent capability behind future contracts. This is NOT a tool, NOT an implementation, NOT a schema, NOT a runner, NOT a law. It builds nothing and reopens no sealed decision.

Date: 2026-06-09

Production mutation: NO. No install, no PG/Directus/registry/filesystem mutation, no system_issues write, no tool/schema/runner created, no FIX7 resumed, no filesystem DOT invoked, no IU command invoked, no detector executed, no command run, no denominator collapsed, no Codex-sealed decision reopened, no fresh live read taken.

Governing authority (binding, in precedence order): contracts/authority-contract-v0-1-2026-06-09.{md,json} (AUTHORITY_CONTRACT_V0_1_READY_FOR_GPT_REVIEW) over the Codex seal reviews/codex-seal-authority-matrix-bcdgh-2026-06-09.md (BCDGH_SEALED), the Reuse Extraction Map reports/reuse-extraction-map-v0-1-2026-06-09.md (REUSE_EXTRACTION_MAP_READY_FOR_GPT_REVIEW, PARTIAL_READY), the fresh-read closure reports/authority-matrix-fresh-read-closure-bcdgh-2026-06-09.md (FRESH_READ_CLOSURE_PARTIAL), and the baseline ledger reports/dot-registry-directus-text-as-code-baseline-reconciliation-2026-06-09.{md,json} (live read 2026-06-09 07:11 UTC, role context_pack_readonly, READ ONLY).

Evidence discipline: every count is dated evidence carrying surface + denominator + observation timestamp + match key + population + confidence — never an invariant, never collapsed into one canonical DOT number. No fresh live read was taken for this spec; the sealed 2026-06-09 baseline stands as the evidence base. Anything not re-confirmed is carried at the sealed baseline's confidence or marked UNVERIFIED ("Không chắc đúng = sai": not certain it is correct = wrong).


1. Final verdict

GAP_ONLY_SCOPE_SPEC_v0_1_READY_FOR_CODEX_CHECKPOINT

The spec is internally consistent, obeys Authority Contract v0.1, scopes every read/report-only capability to a named sealed surface or a read-only/file-report-only adapter, walls off every prohibited overlap, and carves out every execution-dependent gap behind a named future contract. It decides nothing sealed and builds nothing. It is routed (with the FIX7 read/report pilot design) to one Codex checkpoint before any MVP implementation is greenlit.

This spec is READY for the read/report-only surface and explicitly DEFERRED for the execution-dependent surface — i.e. it inherits and preserves the Reuse Extraction Map's honest PARTIAL_READY.


2. Track 1 — Input audit / consistency review

Read: Authority Contract v0.1 (md+json), Codex Seal B/C/D/G/H, Reuse Extraction Map v0.1 (md), fresh-read closure, baseline ledger, 00-index. Result of the cross-check:

2.1 Accepted constraints (carried verbatim, not reopened)

  • v0.1 is read/report only and MUST make no calls (Codex C, option 5).
  • Filesystem-DOT "can run" is NOT AVAILABLE; filesystem DOTs MUST NOT be invoked (Codex B, option 5).
  • No new runner/dispatcher, registry, logger/sink, graph/duplicate/orphan/canonical-id resolver, or TAC/IU corpus authority (parallel-authority risk = all NO).
  • No mutation of PG, Directus, registry, filesystem, or system_issues.
  • Canonical current registry→FS diff = latest code-keyed v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot; name-keyed v_dot_registry_no_file (41) is a separate dated diagnostic only (Codex D, option 1).
  • TAC and IU are dual-reported only; no choose/merge/reconcile/bridge/canonical (Codex H).
  • Existing Đ19/Đ23/Đ39 graph/orphan/duplicate/dependency/reconciliation surfaces are the only permitted authorities; presence of a view/function does not authorize executing a detector or writing findings (Codex G).
  • 7 denominators stay separate; a single collapsed DOT count = disguised hardcode (Authority Contract §3).
  • File-report-only evidence under knowledge/dev/laws/tool-kiem-thu/ (Domains F/I/J).
  • No prose-only PASS (Authority Contract §5).

2.2 Accepted reuse candidates (from Reuse Extraction Map §4/§5 — read-only)

  • 15 REUSE_AS_IS read surfaces (registry listing, canonical reconciliation view, presence mirror, command-catalog/run/lease, graph/edges/dependencies, Đ19 orphan result surfaces, duplicate-engine result views, Đ43 context pack, IU+TAC corpora, Directus flows read, system_issues read, 7-denominator contract, KB document_id/revision, report+JSON+checkpoint pattern).
  • 7 REUSE_WITH_ADAPTER read-only/file-report-only adapters (declared-artifact existence resolver, claim-inventory extractor existence half, registry↔FS reconciliation report, dual-corpus reporter, provenance report writer, FIX7 read/report pilot, flow/command-catalog reporters) + the read-only dead-link report (gap #5 read-only half).

2.3 Accepted prohibited overlaps (from Reuse Extraction Map §7 — 13 items)

Carried verbatim into the §16 wall: no 2nd runner/invoker; no FS-DOT invocation; no IU command invocation; no new registry/fork; no new logger/system_issues write; no new graph/duplicate/orphan/canonical-id resolver; no executing detector functions / writing findings; no TAC↔IU bridge/merge/canonical choice; no Directus CRUD; no registry cleanup/reconciliation mutation; no 3rd cut/verify/manifest authority; no collapsed counts; no prose-only PASS.

2.4 True gaps that belong in v0.1 (read/report-only halves only)

  • Declared-artifact existence reporting (does a declared reference resolve, read-only?) — reusable now via adapter.
  • Claim-inventory existence reporting (does each declared claim have a resolvable evidence artifact?) — reusable now via adapter; the run/pass binding is deferred.
  • Read-only dead-link report over v_kg_edges_all — reusable now; the persistent audit_dead_links() engine + sink is deferred.

2.5 Deferred gaps (carved out behind future contracts — NOT in v0.1)

  • Command-runner that captures exit codes (gap #8.1) → Call Contract.
  • Run/pass half of the claim↔test binder (gap #8.2) → Call Contract.
  • Generic package_manifest envelope + schema (gap #8.3) → iu_core/cutter_governance owner lineage decision + Codex schema review.
  • --selftest N/N counter + module_sha256 self-pin (gap #8.4) → post-spec build.
  • audit_dead_links() persistent engine + system_issues sink (gap #8.5) → system_issues write contract.

2.6 Contradictions found

  • None blocking. One sequencing note: the Reuse Extraction Map's "minimal next step" is GPT review of the map before drafting this spec. This spec is therefore issued in READY_FOR_CODEX_CHECKPOINT (draft-for-review) status, not "approved"; the macro consolidates the map review and the spec/pilot review into a single Codex checkpoint packet (deliverable #7). Producing the draft does not pre-empt that review — it makes the review concrete. No sealed decision is altered.

2.7 Unverified items that MUST NOT enter design (held out)

Carried from Reuse Extraction Map §9; none may be used as a planning input or a denominator:

  • actual_count = 163 (CAT-006) filter — UNVERIFIABLE/UNSAFE.
  • Direct live OS listing of /opt/incomex/dot/bin and /opt/incomex/scripts — permanently unreachable read-only; the PG mirror is the canonical-available FS evidence.
  • Runnability ("can run") of any filesystem DOT — NOT AVAILABLE in v0.1.
  • Directus 100%-DOT-control — PARTIAL_EVIDENCE_ONLY.
  • Doc-level canonical-id / duplicate-authority gap — UNPROVEN; not yet a true gap.
  • iu_core/cutter_governance canonical lineage — owner decision, unresolved.
  • TAC↔IU corpus authority + any bridge — unresolved by design.
  • /opt/incomex/scripts "42" — separate non-DOT surface; out of scope.

Consistency verdict: inputs are mutually consistent; the spec can be written for the read/report-only surface with all execution gaps carved out. ✅


3. What v0.1 IS / IS NOT

3.1 v0.1 IS

  • A read/report-only inspector layer that ingests an implementation/testing dossier (a KB package: blueprint docs, reports, checkpoints) and produces a timestamped evidence report about whether the dossier's declared artifacts resolve and whether its executable claims are backed by referenced evidence artifacts — strictly at the read/evidence-presence level.
  • A consumer of named, sealed, deployed read surfaces (Reuse Extraction Map §4) and a small set of read-only, file-report-only adapters (§5).
  • An evidence/provenance discipline enforcer: every count it prints carries full provenance; bare counts are refused.
  • A dual-corpus reporter for TAC and IU (never joined).
  • A carve-out engine: it explicitly labels every execution-dependent question as DEFERRED to a named future contract rather than answering it.

3.2 v0.1 IS NOT

  • Not a runner / dispatcher. It invokes nothing — no filesystem DOT, no IU command, no detector function.
  • Not a registry / catalog authority. It does not replace or fork dot_tools.
  • Not a logger / sink. It does not write system_issues or create any parallel sink.
  • Not a graph / duplicate / orphan / canonical-id resolver. It reads existing result surfaces; it builds no engine.
  • Not a TAC/IU bridge or corpus authority. It cannot choose, merge, reconcile, or bridge.
  • Not a proof-of-run. It can never emit a verdict asserting that a declared executable actually ran. The strongest positive it can emit is "evidence artifact present and self-consistent at read level — NOT proof-of-run."
  • Not a mutation path of any kind.
  • Not the FIX7 verifier and not a FIX7 resume. It pilots a read/report inspection of the FIX7 dossier only.

4. Allowed read-only inputs (named surfaces)

All inputs are read-only; reads are always live SELECT/KB-read, never a baked constant. (Surface → Reuse Extraction Map capability #.)

Input class | Named surface(s) | Allowed use | Sealed denominator binding
Dossier identity | KB document_id + path + revision (agent-data MCP) | Native package/dossier id; revision anchor | n/a
Registry listing | dot_tools = meta_catalog CAT-006 = PIV-007 = PIV-104 (309, frozen 2026-04-02); pivot_results | Catalog of record listing only | Denom 1 (309 = listing only)
Registry↔FS current diff | v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot (code-key, all 309) | Canonical current diff | Denom 3 base (186/100/19/4)
FS-diff diagnostic | v_dot_registry_no_file (41, name-key, stale 06-03), v_dot_fs_reconciliation | Separate dated diagnostic only — MUST NOT override canonical | n/a
FS presence | wf_fs_dot_bin_snapshot (289 total / 214 OPERATIONAL / 186 mapped) | Presence only; never "can run" | Denom 2 (214 operational)
Command layer | dot_iu_command_catalog (54: 15 mutating=false), dot_iu_command_run (55), dot_iu_runtime_lease (0) | Read-only reporting only; the 15 = candidate future set, NOT a call set | Denom 5 (54 command-catalog)
Graph / impact | universal_edges (2199), v_kg_edges_all (2259), entity_dependencies (142) | Read result surfaces only | n/a
Orphan results | wf_orphan_digest_v2 (6), wf_orphan_remediation_queue (145), v_birth_orphan, v_workflow_orphan_v2 | Read outputs only; do not execute detectors | n/a
Duplicate results | v_birth_duplicate_issue_guard, v_rp_dedup_signature_gap, v_system_issue_semantic_duplicate_dashboard, v_system_issue_idempotency_guard | Read only | n/a
Context pack | v_context_pack_latest, context_pack_manifest.health_status, v_entity_full_classification, rendered LAWS_INDEX/DOT_REGISTRY/RED_ZONES (Đ43) | Resolve approved-SSOT/scope | n/a
Corpora | information_unit (219) and tac_logical_unit (102); 0 joining views | Dual-report only, never joined | Denom 7 (219/102 separate)
Directus flows | directus_flows (128 total / 111 active / 36 DOT-named) | Read-only observe only; no CRUD | Denom 6 (128/36)
Issue sink (read) | system_issues (open 223,313) | Read-only; the write sink fn_tac_log_checker_issue is named but not written in v0.1 | n/a
Denominator discipline | Authority Contract §3 7-denominator contract + baseline ledger | Count discipline, reused verbatim | All 7

Hard rule: any count derived from these is dated evidence; it is never an invariant and never collapsed.


5. Allowed outputs — report contract + JSON summary contract

5.1 Output surface

  • File-report-only, written under knowledge/dev/laws/tool-kiem-thu/ (KB, agent-data MCP). No other write target exists for v0.1.
  • Per inspection: a triplet — …/reports/<inspection>-<date>.md (human) + …/reports/<inspection>-<date>.json (machine) + …/checkpoints/checkpoint-<inspection>-<date>.md. (This is the deployed report+JSON+checkpoint pattern, Domain I.)

5.2 Report contract (markdown report.md — required sections, in order)

  1. Header — nature; date; Production mutation: NO; governing-authority refs; evidence-discipline line.
  2. Verdict — one of the §6 vocabulary values + a one-line readiness sentence.
  3. Dossier identity — document_id / path / revision / blueprint_ref; READ_REPORT_BLOCKED if any are missing.
  4. Denominator ledger — every count with full provenance (§10); denominators stay separate (§8).
  5. Claim/evidence inventory — table of declared claims → evidence-artifact resolution (§9).
  6. Declared-artifact existence report — each declared reference → {reference, resolves?, surface, observation_ts}.
  7. Registry↔FS reconciliation report — canonical code-keyed diff + name-keyed diagnostic shown separately, both-direction diffs (§12).
  8. Graph / orphan / dead-link read report — read-only result-surface reads (§13).
  9. Dual-corpus report — IU (219) and TAC (102) side-by-side, never joined (§11).
  10. Unverified / stale section — items held out (§14), each marked and reasoned.
  11. Deferred carve-outs — every execution-dependent question this inspection did NOT answer, each routed to its named future contract (§17, Track 7).
  12. Cross-references — governing-authority docs + the JSON mirror + the checkpoint.

5.3 JSON summary contract (machine report.json — required keys)

tool, version ("v0.1"), mode ("read_report_only"), production_mutation (false), inspection_id, observation_window_utc, authority_contract_ref, verdict, verdict_is_proof_of_run (always false), dossier_identity{document_id,path,revision,blueprint_ref}, denominator_ledger[] (each: surface,denominator,query,observation_ts,match_key,population,confidence), claim_evidence_inventory[] (each: claim,claim_kind,evidence_artifact_ref,resolves,verdict,is_proof_of_run:false), declared_artifact_existence[], reconciliation{canonical_base,diagnostic_base,both_direction_diffs,provenance}, graph_orphan_deadlink[], dual_corpus{iu:{count,surface,observation_ts}, tac:{count,surface,observation_ts}, joined:false}, unverified[], deferred_carveouts[] (each: capability,future_contract,reason), prohibited_overlaps_respected[], cross_references[].

The report.json is a read-only evidence artifact, NOT a runtime manifest the tool consumes and NOT a schema deployed anywhere. (The spec's own machine mirror — deliverable #2 — is likewise a design artifact, not a runtime schema.)


6. Verdict vocabulary

Because v0.1 invokes nothing, it can never emit a verdict that means "an executable ran." The vocabulary is therefore evidence-presence, not run-status. (P11E checker_run_status ran_clean|ran_with_drift|not_ready|error_running is adopted as reference-only vocabulary for the future run-half, NOT as v0.1 output — see Reuse Extraction Map §6.2.)

6.1 Per-dossier verdict (overall)

  • READ_REPORT_PASS — dossier identity present; every declared artifact resolves read-only; every executable claim has a referenced, resolvable evidence artifact; provenance complete; denominators separate. This is NOT proof-of-run and is always emitted with verdict_is_proof_of_run:false.
  • READ_REPORT_FLAG — one or more executable claims lack a resolvable evidence artifact, or a declared artifact does not resolve, or a count lacks provenance, or a prose-only PASS is detected.
  • READ_REPORT_BLOCKED — the dossier cannot be inspected at all (missing identity / blueprint_ref / revision anchor), or a structural prohibition is hit (denominator collapse, an attempted call/mutation in the dossier's own design).
  • NOT_APPLICABLE — no executable claims and no declared artifacts in scope.

6.2 Per-claim / per-artifact verdict

  • RESOLVED — declared reference exists on a named read surface.
  • UNRESOLVED — declared reference does not exist on any read surface.
  • AMBIGUOUS — reference matches >1 surface/id, or path/reference is ambiguous, or the match key is undefined.
  • EVIDENCE_PRESENT — an executable claim references a resolvable evidence artifact (a log / exit-code record / hash artifact that exists as a referenced object). NOT proof-of-run.
  • EVIDENCE_ABSENT — an executable claim has no referenced evidence artifact (the FIX7/Article-14 class).
  • EVIDENCE_UNVERIFIED — an evidence artifact is referenced but cannot be confirmed read-only (held out per §14).

6.3 Iron rule

The strongest positive v0.1 can emit for an executable claim is EVIDENCE_PRESENT, always carrying is_proof_of_run:false. "Can run" / "ran / PASS" is NOT AVAILABLE in v0.1 and is deferred to the Call Contract.


7. Failure modes + fail-closed rules

# | Failure mode | Detected by | Verdict | Fail-closed behavior
F1 | Missing dossier identity / blueprint_ref / revision | identity read | READ_REPORT_BLOCKED | Stop inspection; emit blocked report; never PASS.
F2 | Bare count printed without provenance | provenance writer | READ_REPORT_FLAG | Refuse to print the bare count; flag.
F3 | Collapsed denominator (one canonical DOT number) | denominator ledger check | READ_REPORT_BLOCKED | Structurally prevented; if a code path would collapse, fail closed.
F4 | Executable claim without evidence artifact | claim/evidence inventory | EVIDENCE_ABSENT → READ_REPORT_FLAG | Flag the claim; never infer PASS.
F5 | Prose-only PASS (claim asserts success, no evidence) | claim/evidence inventory | READ_REPORT_FLAG | Never echo the PASS; flag the unbacked claim.
F6 | Declared artifact does not resolve | existence resolver | UNRESOLVED → READ_REPORT_FLAG | Report unresolved with surface+ts.
F7 | Path/reference ambiguity (multi-match / undefined key) | existence resolver | AMBIGUOUS → READ_REPORT_FLAG | Report ambiguity; do not pick a winner.
F8 | TAC/IU would be joined/chosen/merged | dual-corpus reporter | READ_REPORT_BLOCKED | Structurally incapable of joining; if attempted, fail closed.
F9 | Reconciliation diagnostic (41) would override canonical (4) | reconciliation report | READ_REPORT_FLAG | Always show both separately; never let stale override canonical.
F10 | Attempt to invoke FS DOT / IU command / detector | (design guard) | READ_REPORT_BLOCKED | No such capability exists in the module's allowed-operation set; design-level refusal.
F11 | Attempt to write system_issues / mutate PG/Directus/registry/FS | (design guard) | READ_REPORT_BLOCKED | No write capability exists; design-level refusal.
F12 | Evidence artifact referenced but unconfirmable read-only | existence resolver | EVIDENCE_UNVERIFIED | Mark unverified (§14); never assume present.

Master fail-closed principle: when in doubt, flag or block, never pass. Absence of evidence is EVIDENCE_ABSENT/FLAG, never silent PASS. ("Không chắc đúng = sai": not certain it is correct = wrong.)


8. Denominator separation rules

  • The 7 denominators are distinct queries against distinct surfaces at distinct dates and MUST NOT be collapsed into a single canonical DOT number (= disguised hardcode). Carried verbatim from Authority Contract §3: 309 registry (listing only) ≠ 214 operational-FS (presence) ≠ 186 mapped/confirmed (reconciliation diagnostic; the 186 ∩ command-catalog formula is WITHDRAWN, join=0) ≠ 163 CAT-006 actual_count (UNSAFE) ≠ 54 command-catalog ≠ 128/36 Directus flows ≠ 219/102 IU/TAC (dual-report).
  • Every count emitted carries surface + denominator + query + observation timestamp + match key + population + confidence (§10).
  • A load-bearing set is always a runtime query against a named surface, never a literal constant or hand-maintained list. A single DOT number anywhere = disguised hardcode → BLOCKED.

9. Claim / evidence inventory rules

This is the heart of the FIX7/Article-14 capability — at read/report level.

  • Enumerate declared claims in the dossier prose: every assertion that an executable, test, selftest, canonicalizer, hash, or command "exists / runs / passes / exits 0 / produces hash X".
  • For each claim, classify claim_kind ∈ {executable_exists, command_run, selftest_pass, exit_code, hash_match, artifact_reference}.
  • For each claim, check only whether a referenced evidence artifact resolves (existence, read-only): a log file, an exit-code record, a hash artifact, a referenced document_id. Emit EVIDENCE_PRESENT / EVIDENCE_ABSENT / EVIDENCE_UNVERIFIED.
  • The tool NEVER runs the claim. It does not execute the canonicalizer, does not re-compute a hash, does not run a selftest. The run/pass binding is DEFERRED (gap #8.2 → Call Contract).
  • Prose-only PASS rule: a claim of success with no resolvable evidence artifact is EVIDENCE_ABSENT → READ_REPORT_FLAG. The tool never re-asserts the prose claim as truth.
  • A claim with an evidence artifact that does resolve is EVIDENCE_PRESENT — explicitly not proof-of-run.

10. Provenance requirements

For every count or evidence row emitted, the report MUST attach:

  1. source surface (named DB object / view / KB path),
  2. denominator (which of the 7, or "other carried"),
  3. query (the live SELECT/read that produced it, in text),
  4. observation timestamp (UTC),
  5. match key (code-key / name-key / id),
  6. population (the row universe queried),
  7. confidence (and UNVERIFIED marker where applicable),
  8. for reconciliation rows: both-direction diffs.

The provenance report writer refuses to print a bare count. A bare count is failure mode F2.
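The verdict logic of §6, the fail-closed rules of §7, the claim/evidence inventory of §9 and the provenance requirement of §10 can be modelled compactly. The block below is an added example, not the spec's or the project's own code: the surface names in SAMPLE_SURFACES, the sample claims, identity and held-out set are constructed, and mapping an AMBIGUOUS reference to EVIDENCE_UNVERIFIED is this example's own choice.

```python
# Added example, not the spec's own code: a minimal model of the v0.1 verdict logic
# (sections 6, 7, 9, 10); sample surfaces, claims, identity and held-out set are constructed.
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

CLAIM_KINDS = {"executable_exists", "command_run", "selftest_pass",
               "exit_code", "hash_match", "artifact_reference"}       # section 9
PROVENANCE_FIELDS = ("surface", "denominator", "query", "observation_ts",
                     "match_key", "population", "confidence")           # section 10
DENOMINATORS = {f"D{i}" for i in range(1, 8)} | {"other carried"}    # section 8

class FailClosed(Exception):
    """Failure modes the design refuses structurally (F2 bare count, F3 collapse)."""

@dataclass(frozen=True)
class Count:
    value: int
    surface: str
    denominator: str      # "D1".."D7" or "other carried"; rows are never summed
    query: str            # the live SELECT/read that produced the value, as text
    observation_ts: str   # UTC
    match_key: str        # code-key / name-key / id
    population: str
    confidence: str       # may carry an UNVERIFIED marker (section 14)

    def __post_init__(self) -> None:
        missing = [f for f in PROVENANCE_FIELDS if not getattr(self, f)]
        if missing:
            raise FailClosed(f"F2: bare count refused, missing {missing}")
        if self.denominator not in DENOMINATORS:   # F3: unbound = single DOT number
            raise FailClosed(f"F3: count {self.value} bound to no named denominator")

@dataclass(frozen=True)
class Claim:
    text: str
    claim_kind: str
    evidence_ref: Optional[str]   # None = prose-only claim (F5)

def resolve_reference(ref: str, surfaces: Dict[str, Set[str]]) -> dict:
    """Per-artifact verdict (6.2) by exact match; a multi-match is AMBIGUOUS (F7)."""
    hits = sorted(name for name, refs in surfaces.items() if ref in refs)
    if len(hits) == 1:
        return {"reference": ref, "resolution": "RESOLVED", "surface": hits[0]}
    if hits:
        return {"reference": ref, "resolution": "AMBIGUOUS", "surface": ",".join(hits)}
    return {"reference": ref, "resolution": "UNRESOLVED", "surface": None}

def claim_row(claim: Claim, surfaces: Dict[str, Set[str]], held_out: Set[str]) -> dict:
    """Claim/evidence row (section 9); mapping AMBIGUOUS to EVIDENCE_UNVERIFIED is
    this example's choice, the strongest positive is always EVIDENCE_PRESENT."""
    if claim.claim_kind not in CLAIM_KINDS:
        raise ValueError(f"unknown claim_kind {claim.claim_kind!r}")
    row = {"claim": claim.text, "claim_kind": claim.claim_kind,
           "evidence_artifact_ref": claim.evidence_ref, "resolves": False,
           "is_proof_of_run": False}            # 6.3: never proof-of-run
    if claim.evidence_ref is None:
        row["verdict"] = "EVIDENCE_ABSENT"      # F4/F5: a prose-only PASS is never echoed
    elif claim.evidence_ref in held_out:
        row["verdict"] = "EVIDENCE_UNVERIFIED"  # F12: held-out item, never assumed present
    else:
        res = resolve_reference(claim.evidence_ref, surfaces)
        row["resolves"] = res["resolution"] == "RESOLVED"
        row["verdict"] = {"RESOLVED": "EVIDENCE_PRESENT", "UNRESOLVED": "EVIDENCE_ABSENT",
                          "AMBIGUOUS": "EVIDENCE_UNVERIFIED"}[res["resolution"]]
    return row

def dossier_verdict(identity: dict, claim_rows: List[dict], artifact_rows: List[dict]) -> str:
    """Overall verdict (6.1), evaluated fail-closed: when in doubt, flag or block."""
    if not all(identity.get(k) for k in ("document_id", "path", "revision", "blueprint_ref")):
        return "READ_REPORT_BLOCKED"            # F1
    if not claim_rows and not artifact_rows:
        return "NOT_APPLICABLE"
    flagged = (any(r["verdict"] != "EVIDENCE_PRESENT" for r in claim_rows)
               or any(r["resolution"] != "RESOLVED" for r in artifact_rows))   # F4-F7
    return "READ_REPORT_FLAG" if flagged else "READ_REPORT_PASS"

# Constructed sample: two read surfaces, one reference present on both, and one
# held-out evidence source (a direct OS listing is unreachable, section 2.7).
SAMPLE_SURFACES = {"kb_reports": {"reports/fix7-run-log.md", "reports/shared-name.md"},
                   "v_kg_edges_all": {"reports/shared-name.md", "checkpoints/cp-1.md"}}
HELD_OUT = {"os-listing:/opt/incomex/dot/bin"}
SAMPLE_CLAIMS = [Claim("canonicalizer exits 0", "exit_code", "reports/fix7-run-log.md"),
                 Claim("selftest passes 12/12", "selftest_pass", None),
                 Claim("hash matches manifest", "hash_match", "reports/shared-name.md"),
                 Claim("binary present", "executable_exists", "os-listing:/opt/incomex/dot/bin")]
SAMPLE_IDENTITY = {"document_id": "KB-EXAMPLE", "path": "designs/example.md",
                   "revision": "1", "blueprint_ref": "designs/example-blueprint.md"}

def inspect_sample() -> dict:
    """Run the sample dossier and return a result shaped like the 5.3 summary."""
    rows = [claim_row(c, SAMPLE_SURFACES, HELD_OUT) for c in SAMPLE_CLAIMS]
    artifacts = [resolve_reference("checkpoints/cp-1.md", SAMPLE_SURFACES)]
    return {"verdict": dossier_verdict(SAMPLE_IDENTITY, rows, artifacts),
            "verdict_is_proof_of_run": False, "claim_evidence_inventory": rows}
```

Running inspect_sample() yields READ_REPORT_FLAG: one claim is EVIDENCE_PRESENT, the prose-only selftest claim is EVIDENCE_ABSENT, and the two remaining claims are EVIDENCE_UNVERIFIED, with every row carrying is_proof_of_run false.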


11. TAC / IU dual-report rules

  • IU (information_unit, 219) and TAC (tac_logical_unit, 102) are two separate corpora; 0 joining views/functions exist in the sealed snapshot.
  • The dual-corpus reporter emits them side-by-side with independent provenance, and is structurally incapable of joining/choosing/merging/bridging (Domain H). joined:false is always present in the JSON.
  • The tool MUST NOT choose either as canonical, MUST NOT reconcile them, MUST NOT create a bridge, and MUST NOT call mutating fn_iu_*.
  • "No bridge" and both counts are runtime-read evidence, never hardcoded. Any attempt to join → F8 → BLOCKED.
  • Corpus authority remains unresolved by design; the resolver is a deferred owner+Codex contract (Track 7).

12. Registry ↔ filesystem diff read/report rules

  • Canonical current diff base = latest code-keyed v_dot_reconciliation_reliability over wf_fs_dot_bin_snapshot (all 309: 186 CONFIRMED / 100 REGISTERED / 19 HELPER / 4 MISSING_FILE).
  • Name-keyed v_dot_registry_no_file (41, stale 2026-06-03 _recon, restricted population) is shown as a separately labelled dated diagnostic and MUST NOT override the canonical diff. The 41-vs-4 divergence is reported, with its base/key/population explanation, never reconciled away.
  • Every reconciliation row exposes source, observation timestamp, match key, population, and both-direction diffs.
  • Unmatched entries are NON-CALLABLE and are reported as such — never "reborn", cleaned, or mutated. Reconciliation is read-only reporting only (no registry/reconciliation mutation).

13. Graph / orphan / reference read/report rules

  • Read result tables/views only: universal_edges (2199), v_kg_edges_all (2259), entity_dependencies (142); Đ19 orphan result surfaces (wf_orphan_digest_v2, wf_orphan_remediation_queue, etc.); duplicate-engine result views.
  • Do NOT execute detector functions (e.g. fn_dot_wf_orphan_detector(_v2)), do NOT write findings, do NOT build a new graph/duplicate/orphan/canonical-id resolver (Domain G).
  • The read-only dead-link report (declared references → resolve? over v_kg_edges_all) is in scope. The persistent audit_dead_links() engine + system_issues sink is DEFERRED (Track 7).
  • The doc-level canonical-id / duplicate-authority gap is UNPROVEN — it is NOT treated as a true gap and NOT built; proving it requires a separately authorized read-only gap proof against existing engines.

14. Stale / unverified handling

  • Every item in §2.7 (and Reuse Extraction Map §9) is held out of design and, where it appears in a dossier, is reported as EVIDENCE_UNVERIFIED or in the explicit Unverified/stale section — never used as a planning input or denominator.
  • actual_count=163 is never a denominator. Direct OS listings are unreachable; the PG mirror is the canonical-available FS evidence and is labelled as such.
  • Any source older than its surface's canonical observation, or carrying a stale _recon base, is shown with its date and marked stale — never silently promoted.
  • Rule: "Không chắc đúng = sai" (not certain it is correct = wrong) — unverified is treated as not-true for verdict purposes (fail-closed), never as a soft PASS.

15. File-report-only evidence storage

  • All evidence lives as KB documents under knowledge/dev/laws/tool-kiem-thu/ (reports/, checkpoints/, designs/, planning/, reviews/, contracts/).
  • No evidence is written to system_issues, Directus tables, the registry, or the filesystem in v0.1.
  • The report+JSON+checkpoint triplet is the only evidence shape. The escalation path to system_issues via fn_tac_log_checker_issue is named but deferred (Domain F) until a successor is approved to mutate (Track 7).

16. Explicit non-goals / prohibited-overlap wall (Track 3)

v0.1 MUST NOT do any of the following. Each would create parallel authority or break a sealed boundary.

  1. No runner / dispatcher of any kind.
  2. No filesystem DOT invocation — "can run" is NOT AVAILABLE for filesystem DOT in v0.1.
  3. No IU command invocation — the 15 mutating=false commands are a candidate future set, not a v0.1 call set.
  4. No Directus mutation (CRUD) — read-only observe only.
  5. No PG mutation.
  6. No registry mutation / forking dot_tools.
  7. No system_issues write (no escalation, no logging).
  8. No new logger / sink.
  9. No new graph / duplicate / orphan / canonical-id resolver.
  10. No executing detector functions / writing findings — presence of a view/function does not authorize running it.
  11. No TAC↔IU merge / bridge / reconciliation / canonical choice — dual-report only.
  12. No reconciliation cleanup / rebirth of unmatched registry/FS entries.
  13. No 3rd cut/verify/manifest authority — building on neither iu_core nor cutter_governance = a 3rd lineage; blocked on owner decision.
  14. No OPA / Conftest / Squawk / CI / Git hooks — all deferred behind future contracts.
  15. No proof-of-run semantics — the tool cannot emit "ran/PASS".
  16. No Directus 100%-DOT-control proof — PARTIAL_EVIDENCE_ONLY; no claim, no write path.
  17. No prose-only PASS.
  18. No collapsed counts / single canonical DOT number.
  19. No package/schema/tool build before this spec is reviewed and approved.
  20. No FIX7 resume and no running the FIX7 declared executables.

17. In-scope capability set vs deferred carve-outs

17.1 In scope for v0.1 (read/report-only)

The eight read-only adapters (each a candidate module in the MVP plan, deliverable #4):

  1. Declared-artifact existence resolver (R1) — {reference, resolves?, surface, observation_ts}.
  2. Claim-inventory extractor — existence half (R2) — declared claims → evidence-artifact resolution; never runs.
  3. Registry↔FS reconciliation report (R3) — canonical + diagnostic, both-direction diffs.
  4. Dual-corpus reporter (R4) — IU + TAC side-by-side, never joined.
  5. Provenance report writer (R5) — full provenance per count; refuses bare counts.
  6. Read-only dead-link report (R6a) — declared refs over v_kg_edges_all.
  7. FIX7 read/report pilot (R7) — see deliverable #3.
  8. Flow / command-catalog reporters (R8) — directus_flows + the 15 candidate commands, read-only.

17.2 Carved out (DEFERRED — NOT in v0.1)

Carve-out | Future contract | Why deferred
Command-runner with exit codes | Call Contract | Sealed B/C: v0.1 calls nothing.
Run/pass half of claim↔test binder | Call Contract | Requires execution.
Generic package_manifest schema | iu_core/cutter_governance lineage decision + Codex schema review | 3rd-lineage prohibition; owner decision.
--selftest N/N + module_sha256 self-pin | Post-spec build | Property of built code.
audit_dead_links() engine + system_issues sink | system_issues write contract | No new graph engine / no v0.1 sink write.
Directus 100%-DOT-control proof + write path | Directus DOT-control proof contract | PARTIAL_EVIDENCE_ONLY.
TAC↔IU bridge/resolver | TAC↔IU bridge contract (owner+Codex) | Corpus authority unresolved by design.
OPA/Conftest/Squawk/CI/Git hooks | CI/policy-gate integration contract | Out of v0.1 envelope.

18. Gap-only spec verdict

GAP_ONLY_SCOPE_SPEC_v0_1_READY_FOR_CODEX_CHECKPOINT — READY for the read/report-only surface; DEFERRED for the execution surface (inherits PARTIAL_READY). Internally consistent, obeys Authority Contract v0.1, all prohibited overlaps walled, all execution gaps carved out. Routed to one Codex checkpoint (deliverable #7) before any MVP greenlight.


Cross-references

  • Authority Contract: contracts/authority-contract-v0-1-2026-06-09.{md,json}
  • Codex seal: reviews/codex-seal-authority-matrix-bcdgh-2026-06-09.md (BCDGH_SEALED)
  • Reuse Extraction Map: reports/reuse-extraction-map-v0-1-2026-06-09.{md,json} (PARTIAL_READY)
  • Fresh-read closure: reports/authority-matrix-fresh-read-closure-bcdgh-2026-06-09.{md,json}
  • Baseline ledger: reports/dot-registry-directus-text-as-code-baseline-reconciliation-2026-06-09.{md,json}
  • Machine mirror of this spec: designs/implementation-package-dot-v0-1-gap-only-scope-spec-2026-06-09.json
  • FIX7 read/report pilot design: designs/fix7-read-report-pilot-design-for-implementation-package-dot-v0-1-2026-06-09.md
  • MVP implementation plan (no code): planning/mvp-read-report-inspector-implementation-plan-no-code-2026-06-09.md
  • Acceptance test matrix: designs/acceptance-test-matrix-implementation-package-dot-v0-1-2026-06-09.md
  • Future contracts queue: planning/future-contracts-queue-after-v0-1-2026-06-09.md
  • Codex checkpoint packet: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-2026-06-09.md
  • Action-ready blockers: checkpoints/action-ready-blockers-after-gap-only-spec-2026-06-09.md
  • This spec's checkpoint: checkpoints/checkpoint-gap-only-spec-and-fix7-pilot-design-2026-06-09.md