KB-1E51

DOT Usage Handbook (living operations manual)

107 min read Revision 1

DOT Usage Handbook

Living operations manual — Macro-9A0. First practical, human-usable map of every DOT (Declarative/Directus Operation Tool) on the Incomex substrate. Engineering artifact, read-only evidence. Engineering PASS ≠ Owner authority PASS. Default posture = HOLD.


0. Status / scope / update rule

| Field | Value |
|---|---|
| Mission | R2-B2-MACRO-9A0-DOT-USAGE-HANDBOOK-2026-06-19 |
| Type | Read-only DOT inventory + operator handbook (inserted before Macro-9A build gate) |
| Evidence date | 2026-06-19 (fresh query_pg READ ONLY + list_docker + KB; 0 mutating calls) |
| Substrate | DB directus, schema public (the DOT-only zone). Other DBs: directus_gov_test_20260602, incomex_metadata, workflow, postgres |
| Master registry | dot_tools = 309 rows (the canonical DOT denominator) |
| Status | PASS_WITH_CAVEATS — inventory is useful immediately; per-tool call/Read-Write semantics for all 309 are inferred from registry columns + runtime gates, not individually executed (nothing was executed) |
| Authority | This file records evidence and recommendations only. It grants nothing, enacts nothing, and selects no channel/owner. |

Update rule. This is a living manual. It may be hand-edited later. To refresh, re-run the read-only queries in §16 against directus.public and bump the Update Log. Do not trust this file's numbers blindly after the evidence date — dot_tools is the SSOT; re-query before acting.

Hard scope locks honored when authoring: no DB write · no DDL/DML · no schema/table/corpus creation · no Directus create/update/delete · no DOT execution · no psql/manual SQL · no SQL staged for human run · no source/law patch · no runtime-config flip · no channel wiring · no owner row · no KG write · no birth/certify/promote/backlog · no bad-input test · no B2 logic · no actual B2 TD. Only output = this file + its execution report.


1. How to use this handbook quickly

  1. You want to DO something to Directus/Postgres/schema? → Read §3 first (it's a DOT-only zone), then §6 (schema DOTs) and §15 (is there a schema-shell DOT?). Short answer: manual SQL/psql is forbidden; and there is no confirmed run-scoped staging-schema DOT yet.
  2. You want to find a DOT by job? → §4 summary-by-group → jump to the group section (§6–§12).
  3. You want every DOT code? → §5.2 complete roster (all 309, grouped by category).
  4. You want to call something safely right now? → only read-only / dry-run DOTs are runnable; the whole execute substrate is dry-run-gated (see §2.4). Mutating DOTs refuse until an Owner opens the gate.
  5. Is a DOT dangerous? → §13. Three DOTs are FROZEN/MONITORED; do not call them.
  6. Can't classify a DOT? → §14 UNKNOWN / NEED TRIAGE. Don't guess.

How to call (the Cách gọi column) is written concisely: tool/bin name, endpoint+method, fn_*() SQL function, or unknown — need triage. No secrets appear here; where a call needs credentials we write "requires authorized runtime credential."


2. DOT taxonomy

A "DOT" is not one thing. On this substrate the word covers four distinct surfaces. Knowing which surface you're touching is the whole game.

2.1 Registry tables (where DOTs are declared) — directus.public

| Registry | Rows | What it holds |
|---|---|---|
| dot_tools | 309 | Master tool registry. Columns: code, name, name_en, description, classification, owner, script_path, file_path, token_type, category, domain, operation, paired_dot, tier, trigger_type, cron_schedule, coverage_status, usage_count, _dot_origin, extra_metadata |
| dot_config | 119 | Config keys, runtime gates, env-var DOTs, vocab. Columns: key, value, description, updated_at |
| dot_operations | 20 | Operation verbs (audit, backfill, classify, create, delete, ensure, execute, health, import, refresh, register, report, restore, seed, snapshot, sync, update, verify, CONTEXT_PACK_BUILD/VERIFY) |
| dot_domains | 46 | Domain vocabulary (code, name, parent_domain) |
| dot_domain_rules | 67 | pattern → target_domain routing rules |
| dot_coverage_required | 11 | Required coverage matrix (domain, operation, tier) |
| dot_iu_command_catalog | 54 | Callable IU operator commands (command_name, category, mutating, reversible, target_functions[]) |
| dot_iu_command_run | 55 | IU command run-log |
| dot_iu_runtime_lease | 0 | IU runtime lease holder (empty = no live lease) |
| dot_agent_api_contract | 2 | agent-api executor contracts (dot_code, mode, no_mutation_assertion, endpoint_ref…) |
| law_dot_enforcement | 272 | Law→DOT enforcement bindings |
| _recon_dot_fs_inventory | 287 | DB↔filesystem reconciliation snapshot |
| wf_fs_dot_bin_snapshot | 289 | Snapshot of /opt/incomex/dot/bin/* on the host |

2.2 Reporting views (where DOTs are observed)

v_dot_iu_command_registry (54, command health) · v_birth_dangerous_dot_inventory (15) · v_birth_dangerous_dot_risk_classification (15) · v_pivot_dot_by_category (25) · v_dot_process_type1_projection (104, runnable processes + reliability) · v_process_dot_wrapper_status · v_dot_fs_reconciliation · v_dot_registry_no_file · v_dotkg_realrun_preflight · v_process_discovery_agent_api_contract_status · v_process_discovery_agent_api_endpoint_status · v_dot_reconciliation_reliability.

2.3 SQL functions (the DOT machinery) — 32 *dot* routines + the dispatcher

  • Safety/guards: fn_assert_safe_for_dot_action, fn_enforcement_validate_dot, fn_validate_dot_origin, fn_gov_validate_health_dot, fn_normalize_dot_filepath.
  • IU runtime: fn_dot_iu_command_log, fn_dot_iu_operator_runtime_enabled (bool gate), fn_dot_iu_runtime_lease_acquire/release.
  • WF DOT runner: fn_dot_wf_run_all(_v2), fn_dot_wf_universal_census(_v2), fn_dot_wf_orphan_detector(_v2), fn_dot_wf_classification_drift(_v2), fn_dot_wf_source_adapter_health(_v2), fn_dot_wf_rp_visibility_proof(_v2), fn_dot_wf_map_host_objects, fn_dot_wf_build_remediation_queue.
  • Birth qt001: fn_dot_birth_qt001_apply, fn_dot_birth_qt001_plan_v2, sp_dot_birth_qt001_apply (PROCEDURE).
  • Dispatcher: fn_process_agent_api_dispatch(p_dot_code, p_correlation_id, p_actor, p_mode, p_write_observation, p_idempotency_root) → jsonb; generic, fail-closed, cannot execute a DOT.

2.4 Invocation channels (how a DOT is called) — and their current gate state

| Channel | Mechanism | Current state (2026-06-19) |
|---|---|---|
| Process-DOT runner | Registered Type-1 process (cron/on-demand) → process runtime | DRY-RUN-ONLY. process_dot_runtime.dry_run_only=true, execute_enabled=false, real_run_enabled=false |
| IU operator command runner | command_name → target_functions (fn_iu_*) | GATE OFF. iu_core.operator_runtime_enabled=false → mutating IU commands refuse |
| agent-api executor | POST http://incomex-agent-api-executor:8090/dispatch via fn_process_agent_api_dispatch | Healthy (Up, :8090), but DRY_RUN/PLAN_ONLY only; REAL_RUN refused outright; 2 contracts bound |
| Host bin | /opt/incomex/dot/bin/<name> (shell executables; 289 snapshotted) | Implementations only. Not a standing manual path — host exec / docker exec psql is the forbidden manual lane for the DOT-only zone (§3) |

Operator takeaway: today, only read-only / dry-run / verify DOTs actually do anything; every mutating path is gated shut and fails closed. That is by design.
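
A model of the fail-closed decision the channel table implies, written as an added example (it is not Incomex code and does not call the substrate). The channel labels, the `preflight` and `flag` names, and the `process_dot_runtime.` prefix on `execute_enabled` and `real_run_enabled` are assumptions; the gate values are the ones recorded above.

```python
"""Pre-flight gate model for the invocation channels in section 2.4 (added example)."""
from dataclasses import dataclass

# Gate snapshot as recorded on 2026-06-19. Assumption: the two bare flag names
# share the process_dot_runtime. prefix; the page prints only the first key in full.
SNAPSHOT = {
    "process_dot_runtime.dry_run_only": "true",
    "process_dot_runtime.execute_enabled": "false",
    "process_dot_runtime.real_run_enabled": "false",
    "iu_core.operator_runtime_enabled": "false",
}

NON_MUTATING_MODES = {"DRY_RUN", "PLAN_ONLY", "VERIFY_ONLY"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def flag(config, key):
    """Return True/False for a well-formed boolean string, None for anything else."""
    raw = config.get(key)
    if isinstance(raw, str):
        raw = raw.strip().lower()
        if raw in ("true", "false"):
            return raw == "true"
    return None  # missing or malformed: the caller must treat this as "refuse"


def preflight(channel, mode, mutating, config):
    """Decide whether a call may proceed. Anything unknown or unreadable refuses."""
    if channel == "host_bin":
        return Decision(False, "host exec is the forbidden manual lane (section 3)")
    if mode not in NON_MUTATING_MODES | {"REAL_RUN"}:
        return Decision(False, f"unknown mode {mode!r}")

    if channel == "agent_api":
        if mode == "REAL_RUN" or mutating:
            return Decision(False, "agent-api executor refuses REAL_RUN and mutation")
        return Decision(True, "dry-run/plan/verify through the dispatcher")

    if channel == "iu_runner":
        if not mutating:
            return Decision(True, "read-only IU command")
        if flag(config, "iu_core.operator_runtime_enabled") is True:
            return Decision(True, "Owner opened the IU operator gate")
        return Decision(False, "IU operator gate is off or unreadable")

    if channel == "process_runner":
        if mode in NON_MUTATING_MODES:
            return Decision(True, "dry-run path")
        dry_only = flag(config, "process_dot_runtime.dry_run_only")
        execute = flag(config, "process_dot_runtime.execute_enabled")
        real = flag(config, "process_dot_runtime.real_run_enabled")
        # All three must be explicitly readable AND open; None never passes.
        if dry_only is False and execute is True and real is True:
            return Decision(True, "all three runtime gates opened by the Owner")
        return Decision(False, "runtime is dry-run-only or a gate is unreadable")

    return Decision(False, f"unknown channel {channel!r}")


if __name__ == "__main__":
    for call in [("process_runner", "REAL_RUN", True),
                 ("iu_runner", "REAL_RUN", True),
                 ("agent_api", "DRY_RUN", False),
                 ("host_bin", "DRY_RUN", False)]:
        print(call, preflight(*call, SNAPSHOT))
```

A missing key or a value such as `yes` refuses exactly as `false` does, which is the property to keep if the real gate check is ever re-implemented.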


3. Critical rule: Directus / Postgres / schema is DOT-only

Directus, Postgres, and schema are a DOT-only zone. If a DOT cannot do it, it must not be done.

  • No manual SQL. No psql. No docker exec -i postgres psql. No hand-written DDL/DML against directus.public.
  • No Directus generic collection/table create for schema purposes (the Directus API write tools are not an authorized schema-creation path here).
  • ✅ The only authorized way to change Directus/Postgres/schema is an authorized DOT, invoked through its governed channel (§2.4), with the runtime gate opened by the Owner.
  • The legacy execution note "RW = ssh contabo → docker exec -i postgres psql -U directus" seen in older macro reports is the exact manual lane now forbidden for this zone. It is not a standing operator path.
  • DDL is authored as artifacts and reviewed; it is not executed by hand (governed pattern observed in dot-iu-cutter work: ddl_executed=FALSE, no_psql_run=TRUE, production_artifact_MUST_NOT_create_schema=true).

This rule is why this handbook exists: before building any staging schema (Macro-9A), we must know which DOT — if any — is allowed to touch schema. See §15.


4. Summary by group

Groups A–L (taxonomy from the mission). Counts are by best-fit from dot_tools.category + domain + the IU catalog; a DOT can serve more than one group, so columns are indicative, not a partition.

| Grp | Group | Confirmed surfaces | Write-capable | Safe/usable now | Need triage |
|---|---|---|---|---|---|
| A | Schema / Postgres / Directus | ~92 (collection=51 + infrastructure.schema=41) + 30 DOT_SCHEMA_* | most (DDL) | 0 for run-scoped staging schema (read/verify subset only) | high — see §6/§15 |
| B | Birth / B2 / PEN-STAMP-GATE | ~7 (birth.*, Vòng đời thực thể) | yes | inspect/read only (dot-inspect-pen) | 2 FROZEN (§13) |
| C | KG / universal_edges / provenance | ~36 (kg.*) + DOT_KG_* family | partial | read/explain/verify subset | many NEEDS_RECONCILE |
| D | Matrix / Stamp / Approval / Governance | ~27 (pivot=8, governance*=21) | partial | matrix-health (verify) | some |
| E | IO / Cell / Context / Candidate / Staging | 54 IU commands + context.pack=2 | 37 of 54 IU | 17 read-only IU + dry-run | gate OFF |
| F | Scanner / Heartbeat / Monitor | ~50 (monitoring.*=29 + health/scanner cats) | few | yes (read-only scanners, HC executor) | |
| G | Agent API / Executor / Contracts | 2 contracts | 0 (no_mutation) | dry-run/verify | endpoint pending |
| H | AgentData / KB / MCP | ~16 (kb=6, kết_nối_mcp=4, KB DOTs) | some | read/verify | |
| I | Directus API generic | (Directus connector) | n/a | forbidden for schema (§3) | |
| J | Maintenance / Backup / Restore | ~4 (infrastructure.backup, snapshot/restore) | yes | snapshot read | owner-gated |
| K | Deprecated / dangerous / forbidden | 3 dangerous (FROZEN/MONITORED) of 15 audited | yes (that's the risk) | none — do not call | §13 |
| L | Unknown / need triage | 142 uncategorized + 103 no-coverage + 205 no-trigger | unknown | unknown | §14 |

Distribution snapshot (all 309 in dot_tools):

  • Tier: B = 230 · A = 60 · (none) = 19
  • Coverage: partial = 177 · (none) = 103 · complete = 29
  • Trigger: (none/library) = 205 · on-demand = 44 · cron = 42 · dual = 6 · event = 5 · on-deploy = 4 · manual = 3
  • Status: active = 291 · published = 16 · (none) = 2
  • By category: uncategorized 142, cấu_trúc_dữ_liệu 37, vận_hành 21, quản_lý_danh_mục 10, tích_hợp_ai 10, kiểm_tra_lỗi 9, pivot 8, Giám sát hệ thống 7, tri_thức 7, Vòng đời thực thể 7, governance 6, kiểm_tra_sức_khoẻ 6, nội_dung 6, tự_động_hoá 6, kết_nối_mcp 4, phân_quyền 4, quản_lý_ai 4, biến_môi_trường 3, dữ_liệu_mô_tả 3, đăng_ký 2, khởi_tạo 2, monitoring 2, đồng_bộ 1, scanner 1, xác_thực 1.

5. Main DOT inventory table

High-value / callable / notable DOTs. For the complete 309 enumeration see §5.2. Surface = which registry/channel. Authority = who may run it. Status: DRY_RUN_GATED = runnable only in dry-run today; OWNER_GATED = needs Owner to open gate; FROZEN = do not call.

| No. | DOT/tool name | Group | Use when | How to call | Read/Write | Surface | Authority | Status | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | DOT-COL-CREATE / dot-collection-create | A | Create a new collection (CREATE TABLE + Directus register) | host bin / process runner (on-demand) | Write (DDL) | dot_tools (B, cov=complete) | OWNER_GATED | DRY_RUN_GATED | Multi-step v2.0.0; targets public schema; LOW-risk dangerous (calls birth-trigger-setup, guarded) — §13 |
| 2 | DOT_SCHEMA_APPLY / dot-schema-apply (DOT-063) | A | Idempotently apply schema definitions (tables/fields/constraints) to Postgres | host bin / runner | Write (DDL) | dot_tools (B, partial) | OWNER_GATED | DRY_RUN_GATED | Applies to public; not run-scoped/disposable |
| 3 | DOT_SCHEMA_ENSURE | A | Ensure the entire core schema exists | runner | Write (DDL) | dot_tools (B) | OWNER_GATED | DRY_RUN_GATED | Wrapper over the *_ENSURE family |
| 4 | DOT_SCHEMA_SNAPSHOT | A/J | Take a snapshot of the entire schema for recovery/comparison | runner | Read (export) | dot_tools (B) | Operator (read) | DRY_RUN_GATED | Snapshot only |
| 5 | DOT_SCHEMA_DIFF | A | Compare the current schema against the definitions and report the diff | runner | Read | dot_tools (B) | Operator (read) | DRY_RUN_GATED | Reporting |
| 6 | DOT-TAC-SCHEMA-ENSURE | A | Ensure tac_* tables exist in public | on-deploy | Write (DDL) | dot_tools | OWNER_GATED | NEEDS_RECONCILE | Paired DOT-TAC-SCHEMA-VERIFY |
| 7 | DOT-TAC-SCHEMA-VERIFY | A/F | Verify tac_* tables match the P5 schema | cron 0 7 * * * | Read | dot_tools (A) | Operator (read) | NEEDS_RECONCILE | Paired verifier |
| 8 | DOT-312 / dot-matrix-declare | D | Declare a 2D pivot matrix (validate source in collection_registry) | manual | Write (metadata) | dot_tools (A, complete) | OWNER_GATED | ADVISORY | Pivot declaration |
| 9 | DOT-313 / dot-matrix-update | D | Update a matrix definition | manual | Write (metadata) | dot_tools (A) | OWNER_GATED | ADVISORY | |
| 10 | DOT-314 / dot-matrix-retire | D | Remove a matrix definition | manual | Write (metadata) | dot_tools (A) | OWNER_GATED | ADVISORY | |
| 11 | DOT-315 / dot-matrix-health | D/F | Monitor matrix health | cron | Read | dot_tools | Operator (read) | CANDIDATE (fs-confirmed) | Type-1 process ready |
| 12 | DOT-316 / dot-trigger-guard | F | Guard against trigger drift | cron 15 3 * * * | Read | dot_tools | Operator (read) | CANDIDATE | |
| 13 | DOT-317 / dot-sync-orphan-scan | F | Scan for orphans in sync | dual, cron 0 5 * * * | Read | dot_tools | Operator (read) | CANDIDATE | |
| 14 | DOT-CONTEXT-PACK-BUILD | E/F | Generate the context pack (8 sections) | cron 0 */3 * * * | Write (files) | dot_tools | Operator | CANDIDATE | Output → /opt/incomex/context-pack |
| 15 | DOT-CONTEXT-PACK-VERIFY | E/F | Check the context pack for stale/drift/checksum | cron 30 */3 * * * | Read | dot_tools | Operator (read) | CANDIDATE | |
| 16 | DOT-FIX-REPAIR-DETECT | F | Detect what needs repair | cron */15 * * * * | Read | dot_tools | Operator (read) | CANDIDATE | Paired DETECT/PROPOSE/VERIFY chain |
| 17 | DOT-FIX-REPAIR-PROPOSE | F | Propose an APR scaffold | event | Write (proposal) | dot_tools | Operator | CANDIDATE | Proposal only |
| 18 | DOT-HC-EXECUTOR | F | Central monitoring room (health-check executor) | dual, cron 0 */3 * * * | Read/heal | dot_tools (monitoring) | Operator | CANDIDATE | Active — last run 2026-06-19T07:01:38Z |
| 19 | DOT-HC-EXECUTOR-VERIFY | F | Paired verify for the HC executor (NT12) | dual, cron 30 */3 * * * | Read | dot_tools | Operator (read) | CANDIDATE | |
| 20 | dot-ops-silent-fail-scan | F | Silent-failure scanner (Đ22 §4.2) | cron 30 3 * * * | Read | dot_tools | Operator (read) | CANDIDATE | Paired with -propose |
| 21 | DOT_KG_EXPLAIN | C/G | Explain a KG edge (producer) | POST :8090/dispatch mode=DRY_RUN | Read (no_mutation) | dot_agent_api_contract | Operator (dry-run) | DRY_RUN_GATED | endpoint_bound; SIMULATED_DRY_RUN_ONLY_UNTIL_ENDPOINT |
| 22 | DOT_KG_EXPLAIN_VERIFY | C/G | Verify KG explain output | dispatch mode=VERIFY_ONLY | Read | dot_agent_api_contract | Operator (verify) | contract_ready | Paired verifier; no endpoint yet |
| 23 | DOT_KG_VALIDATE | C | Validate KG | cron 0 */6 * * * (dual) | Read | dot_tools | Operator (read) | NEEDS_RECONCILE | fs not confirmed |
| 24 | DOT_KG_PROVENANCE_AUDIT | C | Audit KG provenance | cron 0 */6 * * * | Read | dot_tools | Operator (read) | NEEDS_RECONCILE | Đ39 provenance |
| 25 | DOT_KG_PROVENANCE_TAG | C | Attach a provenance tag to an edge | on-demand | Write (KG) | dot_tools | OWNER_GATED | ADVISORY | KG write — gated |
| 26 | DOT_KG_LINK | C | Create a KG link/edge | on-demand | Write (KG) | dot_tools | OWNER_GATED | ADVISORY | KG write — gated |
| 27 | dot_iu_validate_collection | E | Validate IU collection | IU runner → fn_iu_collection_validate | Read | dot_iu_command_catalog | Operator (read) | usable (verified) | non-mutating |
| 28 | dot_iu_healthcheck | E/F | Health-check IU collection | IU runner → fn_iu_collection_healthcheck | Read | dot_iu_command_catalog | Operator (read) | usable (verified) | non-mutating |
| 29 | dot_iu_subtree / dot_iu_render_file / dot_iu_reconstruct_source | E | Read/expand IU content | IU runner → fn_iu_* | Read | dot_iu_command_catalog | Operator (read) | usable | non-mutating reads |
| 30 | dot_iu_staging_create | E | Create an IU content staging row (NOT a schema) | IU runner → fn_iu_staging_create | Write | dot_iu_command_catalog | OWNER_GATED | gate OFF (refuses) | ⚠️ IU content staging, not a Postgres schema — see §15 |
| 31 | dot_iu_cut_from_manifest | E | Cut an IU piece from a manifest | IU runner → fn_iu_cut_from_manifest;fn_iu_create | Write | dot_iu_command_catalog | OWNER_GATED | gate OFF (3 applied/3 refused historically) | reversible |
| 32 | dot_iu_mark_article | E | Create a mark manifest for an article | IU runner → fn_iu_mark_create_manifest | Write | dot_iu_command_catalog | OWNER_GATED | 8 applied historically | not reversible |
| 33 | DOT_GOV_VERIFY | D | Verify governance seed | cron 0 5 * * * | Read | dot_tools | Operator (read) | ADVISORY | |
| 34 | DOT_GOV_SEED | D | Seed governance config | on-demand | Write | dot_tools | OWNER_GATED | ADVISORY | |
| 35 | DOT_KB_VERIFY | H | Verify KB integrity | cron | Read | dot_tools (kb) | Operator (read) | NEEDS_RECONCILE | |
| 36 | DOT_KB_PROTECT | H | Protect the KB (event) | event | Write | dot_tools (kb) | OWNER_GATED | NEEDS_RECONCILE | |
| 37 | DOT_KB_RESTORE | H/J | Restore the KB | on-demand | Write | dot_tools (kb) | OWNER_GATED | ADVISORY | |
| 38 | DOT-311 (scanner) | F | Scanner (category=scanner) | | Read | dot_tools | Operator (read) | triage | single scanner-cat DOT |
| 39 | dot-birth-trigger-setup | K | | | Write (redefines gateway fn) | host bin | FORBIDDEN | FROZEN / CRITICAL | §13 — redefines fn_birth_registry_auto |
| 40 | dot-birth-backfill | K | | | Write (direct birth INSERT) | host bin | FORBIDDEN | FROZEN / HIGH | §13 — direct INSERT via docker psql |
| 41 | dot-schema-birth-registry-ensure | K | | | Write (redefines certify fn) | host bin | Restricted | MONITORED / MEDIUM | §13 — redefines fn_birth_auto_certify |

5.2 Complete code roster (all 309 in dot_tools, by category)

Every confirmed DOT code, grouped by dot_tools.category. (Codes only; richer detail for the operationally significant ones is in §5 and the group sections. uncategorized = needs naming/triage, see §14.)

  • biến_môi_trường (3): DOT-025, DOT-026, DOT-088
  • cấu_trúc_dữ_liệu (37): DOT-063…DOT-081 (schema-*-ensure family: apply, blog, checkpoints, comments, diff, ensure, feedback, knowledge, meta-catalog, navigation, redirects, registry-collections, snapshot, table-proposals, table-registry, tasks, workflow-categories, workflow-governance, workflows), DOT-097, DOT-105, DOT-107, DOT-127, DOT-128, DOT-129, DOT-133, DOT-134, DOT-135, DOT-136, DOT-137, DOT-138, DOT-139, DOT-140, DOT-141, DOT-142, DOT-143, DOT-144
  • đăng_ký (2): DOT-061, DOT-120
  • đồng_bộ (1): DOT-086
  • dữ_liệu_mô_tả (3): DOT-055, DOT-056, DOT-099
  • Giám sát hệ thống (7): DOT-109, DOT-110, DOT-115, DOT-116, DOT-122, DOT-124, DOT-152
  • governance (6): DOT-309, DOT-310, DOT-316, DOT-317, DOT-IU-CUTTER, DOT-IU-CUTTER-VERIFY
  • kết_nối_mcp (4): DOT-051, DOT-052, DOT-053, DOT-054
  • khởi_tạo (2): DOT-082, DOT-083
  • kiểm_tra_lỗi (9): DOT-012, DOT-023, DOT-027, DOT-089, DOT-090, DOT-095, DOT-096, DOT-117, DOT-121
  • kiểm_tra_sức_khoẻ (6): DOT-024, DOT-037, DOT-084, DOT-087, DOT-091, DOT-092
  • monitoring (2): DOT-HC-EXECUTOR, DOT-HC-EXECUTOR-VERIFY
  • nội_dung (6): DOT-018, DOT-019, DOT-020, DOT-021, DOT-022, DOT-057
  • phân_quyền (4): DOT-029, DOT-030, DOT-059, DOT-060
  • pivot (8): DOT-113, DOT-114, DOT-307, DOT-308, DOT-312, DOT-313, DOT-314, DOT-315
  • quản_lý_ai (4): DOT-001, DOT-002, DOT-003, DOT-016
  • quản_lý_danh_mục (10): DOT-015, DOT-098, DOT-101, DOT-102, DOT-103, DOT-104, DOT-106, DOT-130, DOT-131, DOT-132
  • scanner (1): DOT-311
  • tích_hợp_ai (10): DOT-004, DOT-005, DOT-006, DOT-007, DOT-008, DOT-009, DOT-010, DOT-034, DOT-035, DOT-036
  • tri_thức (7): DOT-039, DOT-040, DOT-041, DOT-042, DOT-043, DOT-044, DOT-045
  • tự_động_hoá (6): DOT-031, DOT-032, DOT-033, DOT-094, DOT-100, DOT-108
  • vận_hành (21): DOT-011, DOT-014, DOT-017, DOT-028, DOT-038, DOT-046, DOT-047, DOT-048, DOT-049, DOT-050, DOT-058, DOT-062, DOT-085, DOT-093, DOT-125, DOT-126, DOT-147, DOT-148, DOT-149, DOT-150, DOT-151
  • Vòng đời thực thể (7): DOT-111, DOT-112, DOT-118, DOT-119, DOT-123, DOT-145, DOT-146
  • xác_thực (1): DOT-013
  • uncategorized (142): DOT_API_HEALTH, dot-apr-types-register, dot-apr-types-register-audit, DOT_BIRTH_BACKFILL, DOT_BIRTH_TRIGGER_SETUP, DOT-COL-CREATE, DOT-COL-HEALTH, DOT_COLLECTION_CREATE, DOT_COLLECTION_FIELD_SYNC, DOT_COLLECTION_HEALTH, DOT_COLLECTION_REGISTER, DOT-COL-SYNC, DOT-CONTEXT-PACK-BUILD, DOT-CONTEXT-PACK-VERIFY, DOT-COVERAGE, DOT_DOC_GENERATE, DOT_DOC_PARTITION, DOT_DOC_RENDER, DOT_FIELD_DUPLICATE_CHECK, DOT-FIX-REPAIR-DETECT(/-TEST), DOT-FIX-REPAIR-PROPOSE(/-TEST), DOT-FIX-REPAIR-VERIFY(/-TEST), DOT_GOV_SEED, DOT_GOV_VERIFY, DOT-HEALTH-DOT, DOT_KB_PROTECT, DOT_KB_RESTORE, DOT_KB_VERIFY, DOT_KG_* (CLASSIFY, COMPLETENESS, CONSISTENCY, CONSTRAINT_CHECK, CONVERSE_EXTRACT, CONVERSE_VERIFY, CORRECT, DISCOVER_PROPOSE, EVICT_SCAN, EVICT_VERIFY, EXPLAIN, EXPLAIN_VERIFY, EXTRACT, FEEDBACK, HEALTH, INTENT_CAPTURE, INTENT_RECALC, JOURNEY_UPDATE, LINK, ORPHAN, OVERRIDE_AUDIT, OVERRIDE_LOG, PRIORITY_DECOMPOSE, PRIORITY_RECALC, PROVENANCE_AUDIT, PROVENANCE_TAG, RECOMMEND, SCAFFOLD_BUILD, SCAFFOLD_VALIDATE, SCOPE_PROJECT, SCOPE_VERIFY, SELF_LEARN, SELF_SCORE, SIMILARITY, TIMELINESS, VALIDATE), DOT_MIGRATION_S127D_LEGACY_ORIGIN, DOT_MIGRATION_S128B_DEAD_LINKS, DOT_MIGRATION_S155_P1B, DOT_NRM_* (AMEND, BINDING, CONFIG, DISCOVER, DRAFT, ENACT, IMPACT, LIFECYCLE, RETIRE, SYNC, VERIFY), dot-ops-silent-fail-propose(/-test), dot-ops-silent-fail-scan(/-test), DOT-REGISTER, DOT_SCHEMA_* (APPLY, BIRTH_REGISTRY_ENSURE, BLOG_ENSURE, CHECKPOINT_NODE_IDENTITY, CHECKPOINTS_ENSURE, COMMENTS_ENSURE, COMMENTS_EXTEND, DIFF, DOT_ORIGIN_ENSURE, ENSURE, ENTITY_DEPENDENCIES_ENSURE, FEEDBACK_ENSURE, KNOWLEDGE_ENSURE, META_CATALOG_ADD_ATOM_GROUP, META_CATALOG_ADD_BASELINE, META_CATALOG_ADD_COMPOSITION, META_CATALOG_ENSURE, NAVIGATION_ENSURE, REDIRECTS_ENSURE, REGISTRY_CHANGELOG_ENSURE, REGISTRY_COLLECTIONS_ENSURE, SNAPSHOT, SPECIES_ENSURE, SPECIES_TREE_ENSURE, SYSTEM_ISSUES_ENSURE, TABLE_PROPOSALS_ENSURE, TABLE_REGISTRY_ENSURE, TASKS_ENSURE, TAXONOMY_ENSURE, TAXONOMY_PG_APPLY, TRIGGER_REGISTRY_ENSURE, WORKFLOW_CATEGORIES_ENSURE, WORKFLOW_GOVERNANCE_ENSURE, WORKFLOWS_ENSURE), DOT_SCRIPT_LINT, DOT_SEED_AGENCY_OS, DOT_SYNC_CHECK, DOT-TAC-* (BIRTH-GATE, BIRTH-VERIFY, COLLECTION-REGISTER, COLLECTION-VERIFY, DAILY-INVARIANT, ENACT-GATE, HASH-DRIFT, LABEL-FACET-VERIFY, LABEL-FORMAT-VERIFY, LABEL-SYNC, LABEL-VERIFY, ROLE-ENSURE, ROLE-VERIFY, SCHEMA-ENSURE, SCHEMA-VERIFY, SEGMENTER, SEG-VERIFY, VECTOR-SYNC, VECTOR-VERIFY)

5.3 Full row-level DOT inventory table — 309 confirmed DOTs

One row per dot_tools row (all 309), grouped A–L. This is the operator appendix the Owner asked for ("several hundred rows, one row per DOT, split into groups").

How these values were produced (read this). How to call (Cách gọi), Read/Write, Authority, Status, and Group (Nhóm) are inferred deterministically from registry columns (operation, name, category, domain, trigger_type, coverage_status) + the dangerous-DOT classification, via a single read-only SQL projection. Nothing was executed. Treat inferred values as a starting map, not proof — confirm before acting. Rows marked Unknown / needs-triage had no clear signal (see §14).

Legend.

  • Read/Write: Read = read/verify/audit/report · Write = mutate (DDL/DML/KG/registry/sync) · Unknown = no signal → triage.
  • Authority: Operator-read = read-only, runnable now · Owner-gated = mutating, needs Owner to open the runtime gate · Forbidden = dangerous (§13) · Unknown = triage.
  • Status: usable-read = read-only runnable now · dry-run-gated = mutating but the runtime gate is shut (refuses real run, §2.4) · frozen/monitored = dangerous (§13) · needs-triage = semantics unconfirmed.
  • How to call (Cách gọi): shows script_path/file_path where present (host bin under /opt/incomex/dot/bin/…), else runner(<trigger>) for process DOTs, else host bin/runner-triage.
  • Surface = dot_tools for all of these (the callable IU-command surface is in §10; agent-api contracts in §5/§G).

Reminder: every Group A row writes the existing prod public schema — none is a run-scoped staging-schema builder (§15); Forbidden/frozen rows must not be called (§13).
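
One way to act on "confirm before acting" before trusting an inferred row: a lint that checks each row's label triple against the legend and compares the Read/Write label with the trailing verb of the tool name. This is an added example, not the projection that produced the table; the verb sets and the `lint` and `trailing_verb` names are assumptions, the sample rows are copied from §5.3, and the last row is constructed.

```python
"""Lint inferred Read/Write labels against the legend and the tool name (added example)."""
import re

# Assumption: verb sets chosen for this lint from the dot_operations list in
# section 2.1, plus "apply" and "diff" as seen in tool names. Not project rules.
MUTATING = {"apply", "backfill", "create", "delete", "ensure", "import",
            "register", "restore", "seed", "sync", "update"}
READ_ONLY = {"audit", "diff", "health", "report", "snapshot", "verify"}

# Label combinations the legend allows: Read/Write -> (Authority, Status).
LEGEND = {
    "Read": ("Operator-read", "usable-read"),
    "Write": ("Owner-gated", "dry-run-gated"),
    "Unknown": ("Unknown", "needs-triage"),
}

# (code, name, Read/Write, Authority, Status). Copied from section 5.3,
# except the final row, which is constructed to exercise the legend check.
ROWS = [
    ("DOT-063", "dot-schema-apply", "Write", "Owner-gated", "dry-run-gated"),
    ("DOT-065", "dot-schema-checkpoints-ensure", "Read", "Operator-read", "usable-read"),
    ("DOT-067", "dot-schema-diff", "Read", "Operator-read", "usable-read"),
    ("DOT-075", "dot-schema-snapshot", "Read", "Operator-read", "usable-read"),
    ("DOT-103", "dot-registry-count-refresh", "Unknown", "Unknown", "needs-triage"),
    ("DOT-127", "dot-pg-audit-ensure", "Read", "Operator-read", "usable-read"),
    ("DOT-128", "dot-pg-triggers-ensure", "Write", "Owner-gated", "dry-run-gated"),
    ("DOT-COL-HEALTH", "dot-collection-health", "Read", "Operator-read", "usable-read"),
    ("CONSTRUCTED-1", "dot-example-verify", "Read", "Owner-gated", "usable-read"),
]


def trailing_verb(name):
    """Return the last whole token of the name that is a known verb, else None.

    Whole tokens only: "checkpoints" must not match a shorter verb by
    substring, and "audit-ensure" resolves to "ensure", the final action.
    """
    for token in reversed(re.split(r"[-_]", name.lower())):
        if token in MUTATING or token in READ_ONLY:
            return token
    return None


def lint(rows):
    """Return (code, finding) pairs for rows that need a human look."""
    findings = []
    for code, name, read_write, authority, status in rows:
        if authority == "Forbidden":
            continue  # section 13 rows are do-not-call whatever the label says
        expected = LEGEND.get(read_write)
        if expected is None:
            findings.append((code, f"unrecognised Read/Write value {read_write!r}"))
            continue
        if (authority, status) != expected:
            findings.append((code, f"{read_write} row carries {authority}/{status}"))
        verb = trailing_verb(name)
        if read_write == "Read" and verb in MUTATING:
            findings.append((code, f"labelled Read but name ends in mutating verb '{verb}'"))
        elif read_write == "Write" and verb in READ_ONLY:
            findings.append((code, f"labelled Write but name ends in read-only verb '{verb}'"))
    return findings


if __name__ == "__main__":
    for code, finding in lint(ROWS):
        print(f"{code}: {finding}")
```

A finding is a triage item, not a verdict: it says the label and the name disagree, so the row should be treated as needs-triage until the tool's behaviour is confirmed.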

| No. | DOT/tool name | Group | Use when | How to call | Read/Write | Surface | Authority | Status | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | DOT-011 / dot-apply | A | infrastructure.schema | dot/bin/dot-apply | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 2 | DOT-061 / dot-registry-populate | A | collection | dot/bin/dot-registry-populate | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 3 | DOT-063 / dot-schema-apply | A | infrastructure.schema | dot/bin/dot-schema-apply | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 4 | DOT-064 / dot-schema-blog-ensure | A | infrastructure.schema | dot/bin/dot-schema-blog-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 5 | DOT-065 / dot-schema-checkpoints-ensure | A | infrastructure.schema | dot/bin/dot-schema-checkpoints-ensure | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 6 | DOT-066 / dot-schema-comments-extend | A | infrastructure.schema | dot/bin/dot-schema-comments-extend | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 7 | DOT-067 / dot-schema-diff | A | infrastructure.schema | dot/bin/dot-schema-diff | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 8 | DOT-068 / dot-schema-ensure | A | infrastructure.schema | dot/bin/dot-schema-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 9 | DOT-069 / dot-schema-feedback-ensure | A | infrastructure.schema | dot/bin/dot-schema-feedback-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 10 | DOT-070 / dot-schema-knowledge-ensure | A | infrastructure.schema | dot/bin/dot-schema-knowledge-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 11 | DOT-071 / dot-schema-meta-catalog-ensure | A | infrastructure.schema | dot/bin/dot-schema-meta-catalog-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 12 | DOT-072 / dot-schema-navigation-ensure | A | infrastructure.schema | dot/bin/dot-schema-navigation-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 13 | DOT-073 / dot-schema-redirects-ensure | A | infrastructure.schema | dot/bin/dot-schema-redirects-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 14 | DOT-074 / dot-schema-registry-collections-en | A | infrastructure.schema | dot/bin/dot-schema-registry-collections-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 15 | DOT-075 / dot-schema-snapshot | A | infrastructure.schema | dot/bin/dot-schema-snapshot | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 16 | DOT-076 / dot-schema-table-proposals-ensure | A | infrastructure.schema | dot/bin/dot-schema-table-proposals-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 17 | DOT-077 / dot-schema-table-registry-ensure | A | infrastructure.schema | dot/bin/dot-schema-table-registry-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 18 | DOT-078 / dot-schema-tasks-ensure | A | infrastructure.schema | dot/bin/dot-schema-tasks-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 19 | DOT-079 / dot-schema-workflow-categories-ens | A | infrastructure.schema | dot/bin/dot-schema-workflow-categories-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 20 | DOT-080 / dot-schema-workflow-governance-ens | A | infrastructure.schema | dot/bin/dot-schema-workflow-governance-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 21 | DOT-081 / dot-schema-workflows-ensure | A | infrastructure.schema | dot/bin/dot-schema-workflows-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 22 | DOT-096 / dot-registry-diff | A | collection | bin/dot/dot-registry-diff | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 23 | DOT-097 / dot-schema-checkpoint-node-identit | A | infrastructure.schema | bin/dot/dot-schema-checkpoint-node-identity | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 24 | DOT-103 / dot-registry-count-refresh | A | collection | dot/bin/dot-registry-count-refresh | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 25 | DOT-105 / dot-schema-entity-dependencies-ens | A | infrastructure.schema | dot/bin/dot-schema-entity-dependencies-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 26 | DOT-107 / dot-schema-registry-changelog-ensu | A | infrastructure.schema | dot/bin/dot-schema-registry-changelog-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 27 | DOT-120 / dot-collection-register | A | collection | bin/dot/dot-collection-register | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 28 | DOT-127 / dot-pg-audit-ensure | A | infrastructure.schema | bin/dot/dot-pg-audit-ensure | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 29 | DOT-128 / dot-pg-triggers-ensure | A | infrastructure.schema | bin/dot/dot-pg-triggers-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 30 | DOT-129 / dot-pg-views-ensure | A | infrastructure.schema | bin/dot/dot-pg-views-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 31 | DOT-130 / dot-registry-baseline-set | A | collection | bin/dot/dot-registry-baseline-set | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 32 | DOT-131 / dot-registry-crosscheck | A | collection | bin/dot/dot-registry-crosscheck | Read | dot_tools | Operator-read | usable-read | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 33 | DOT-132 / dot-registry-set-atom-groups | A | collection | bin/dot/dot-registry-set-atom-groups | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 34 | DOT-134 / dot-schema-comments-ensure | A | infrastructure.schema | bin/dot/dot-schema-comments-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 35 | DOT-135 / dot-schema-dot-origin-ensure | A | infrastructure.schema | bin/dot/dot-schema-dot-origin-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 36 | DOT-136 / dot-schema-meta-catalog-add-atom-g | A | infrastructure.schema | bin/dot/dot-schema-meta-catalog-add-atom-group | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 37 | DOT-137 / dot-schema-meta-catalog-add-baseli | A | infrastructure.schema | bin/dot/dot-schema-meta-catalog-add-baseline | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 38 | DOT-138 / dot-schema-meta-catalog-add-compos | A | infrastructure.schema | bin/dot/dot-schema-meta-catalog-add-compositio | Unknown | dot_tools | Unknown | needs-triage | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 39 | DOT-139 / dot-schema-species-ensure | A | infrastructure.schema | bin/dot/dot-schema-species-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 40 | DOT-140 / dot-schema-species-tree-ensure | A | infrastructure.schema | bin/dot/dot-schema-species-tree-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 41 | DOT-141 / dot-schema-system-issues-ensure | A | infrastructure.schema | bin/dot/dot-schema-system-issues-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 42 | DOT-142 / dot-schema-taxonomy-ensure | A | infrastructure.schema | bin/dot/dot-schema-taxonomy-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 43 | DOT-143 / dot-schema-taxonomy-pg-apply | A | infrastructure.schema | bin/dot/dot-schema-taxonomy-pg-apply | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 44 | DOT-144 / dot-schema-trigger-registry-ensure | A | infrastructure.schema | bin/dot/dot-schema-trigger-registry-ensure | Write | dot_tools | Owner-gated | dry-run-gated | cov:partial; no-trigger/library; writes prod public-NOT run-scoped schema |
| 45 | dot-apr-types-register / APR Types Register | A | infrastructure.schema · regist | opt/incomex/dot/bin/dot-apr-types-register | Write | dot_tools | Owner-gated | dry-run-gated | uncategorized; writes prod public-NOT run-scoped schema |
| 46 | DOT-COL-CREATE / dot-collection-create | A | collection · create | bin/dot/dot-collection-create.ts | Write | dot_tools | Owner-gated | dry-run-gated | uncategorized; writes prod public-NOT run-scoped schema |
| 47 | DOT-COL-HEALTH / dot-collection-health | A | collection · health | bin/dot/dot-collection-health.ts | Read | dot_tools | Operator-read | usable-read | uncategorized; writes prod public-NOT run-scoped schema |
| 48 | DOT_COLLECTION_CREATE / dot-collection-creat | A | collection | opt/incomex/dot/bin/dot-collection-create | Write | dot_tools | Owner-gated | dry-run-gated | uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema |
| 49 | DOT_COLLECTION_FIELD_SYNC / dot-collection-f | A | collection | opt/incomex/dot/bin/dot-collection-field-sync | Write | dot_tools | Owner-gated | dry-run-gated | uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema |
| 50 | DOT_COLLECTION_HEALTH / dot-collection-healt | A | collection | opt/incomex/dot/bin/dot-collection-health | Read | dot_tools | Operator-read | usable-read | uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema |
51 DOT_COLLECTION_REGISTER / dot-collection-reg A collection opt/incomex/dot/bin/dot-collection-register Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
52 DOT-COL-SYNC / dot-collection-field-sync A collection · refresh bin/dot/dot-collection-field-sync.ts Write dot_tools Owner-gated dry-run-gated uncategorized; writes prod public-NOT run-scoped schema
53 DOT_FIELD_DUPLICATE_CHECK / dot-field-duplic A collection opt/incomex/dot/bin/dot-field-duplicate-check Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
54 DOT_SCHEMA_APPLY / dot-schema-apply A collection opt/incomex/dot/bin/dot-schema-apply Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
55 DOT_SCHEMA_BLOG_ENSURE / dot-schema-blog-ens A collection opt/incomex/dot/bin/dot-schema-blog-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
56 DOT_SCHEMA_CHECKPOINT_NODE_IDENTITY / dot-sc A collection opt/incomex/dot/bin/dot-schema-checkpoint-node Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
57 DOT_SCHEMA_CHECKPOINTS_ENSURE / dot-schema-c A collection opt/incomex/dot/bin/dot-schema-checkpoints-ens Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
58 DOT_SCHEMA_COMMENTS_ENSURE / dot-schema-comm A collection opt/incomex/dot/bin/dot-schema-comments-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
59 DOT_SCHEMA_COMMENTS_EXTEND / dot-schema-comm A collection opt/incomex/dot/bin/dot-schema-comments-extend Unknown dot_tools Unknown needs-triage uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
60 DOT_SCHEMA_DIFF / dot-schema-diff A collection opt/incomex/dot/bin/dot-schema-diff Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
61 DOT_SCHEMA_DOT_ORIGIN_ENSURE / dot-schema-do A collection opt/incomex/dot/bin/dot-schema-dot-origin-ensu Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
62 DOT_SCHEMA_ENSURE / dot-schema-ensure A collection opt/incomex/dot/bin/dot-schema-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
63 DOT_SCHEMA_ENTITY_DEPENDENCIES_ENSURE / dot- A collection opt/incomex/dot/bin/dot-schema-entity-dependen Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
64 DOT_SCHEMA_FEEDBACK_ENSURE / dot-schema-feed A collection opt/incomex/dot/bin/dot-schema-feedback-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
65 DOT_SCHEMA_KNOWLEDGE_ENSURE / dot-schema-kno A collection opt/incomex/dot/bin/dot-schema-knowledge-ensur Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
66 DOT_SCHEMA_META_CATALOG_ADD_ATOM_GROUP / dot A collection opt/incomex/dot/bin/dot-schema-meta-catalog-ad Unknown dot_tools Unknown needs-triage uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
67 DOT_SCHEMA_META_CATALOG_ADD_BASELINE / dot-s A collection opt/incomex/dot/bin/dot-schema-meta-catalog-ad Unknown dot_tools Unknown needs-triage uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
68 DOT_SCHEMA_META_CATALOG_ADD_COMPOSITION / do A collection opt/incomex/dot/bin/dot-schema-meta-catalog-ad Unknown dot_tools Unknown needs-triage uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
69 DOT_SCHEMA_META_CATALOG_ENSURE / dot-schema- A collection opt/incomex/dot/bin/dot-schema-meta-catalog-en Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
70 DOT_SCHEMA_NAVIGATION_ENSURE / dot-schema-na A collection opt/incomex/dot/bin/dot-schema-navigation-ensu Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
71 DOT_SCHEMA_REDIRECTS_ENSURE / dot-schema-red A collection opt/incomex/dot/bin/dot-schema-redirects-ensur Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
72 DOT_SCHEMA_REGISTRY_CHANGELOG_ENSURE / dot-s A collection opt/incomex/dot/bin/dot-schema-registry-change Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
73 DOT_SCHEMA_REGISTRY_COLLECTIONS_ENSURE / dot A collection opt/incomex/dot/bin/dot-schema-registry-collec Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
74 DOT_SCHEMA_SNAPSHOT / dot-schema-snapshot A collection opt/incomex/dot/bin/dot-schema-snapshot Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
75 DOT_SCHEMA_SPECIES_ENSURE / dot-schema-speci A collection opt/incomex/dot/bin/dot-schema-species-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
76 DOT_SCHEMA_SPECIES_TREE_ENSURE / dot-schema- A collection opt/incomex/dot/bin/dot-schema-species-tree-en Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
77 DOT_SCHEMA_SYSTEM_ISSUES_ENSURE / dot-schema A collection opt/incomex/dot/bin/dot-schema-system-issues-e Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
78 DOT_SCHEMA_TABLE_PROPOSALS_ENSURE / dot-sche A collection opt/incomex/dot/bin/dot-schema-table-proposals Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
79 DOT_SCHEMA_TABLE_REGISTRY_ENSURE / dot-schem A collection opt/incomex/dot/bin/dot-schema-table-registry- Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
80 DOT_SCHEMA_TASKS_ENSURE / dot-schema-tasks-e A collection opt/incomex/dot/bin/dot-schema-tasks-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
81 DOT_SCHEMA_TAXONOMY_ENSURE / dot-schema-taxo A collection opt/incomex/dot/bin/dot-schema-taxonomy-ensure Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
82 DOT_SCHEMA_TAXONOMY_PG_APPLY / dot-schema-ta A collection opt/incomex/dot/bin/dot-schema-taxonomy-pg-app Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
83 DOT_SCHEMA_TRIGGER_REGISTRY_ENSURE / dot-sch A collection opt/incomex/dot/bin/dot-schema-trigger-registr Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
84 DOT_SCHEMA_WORKFLOW_CATEGORIES_ENSURE / dot- A collection opt/incomex/dot/bin/dot-schema-workflow-catego Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
85 DOT_SCHEMA_WORKFLOW_GOVERNANCE_ENSURE / dot- A collection opt/incomex/dot/bin/dot-schema-workflow-govern Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
86 DOT_SCHEMA_WORKFLOWS_ENSURE / dot-schema-wor A collection opt/incomex/dot/bin/dot-schema-workflows-ensur Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library; writes prod public-NOT run-scoped schema
87 DOT-TAC-COLLECTION-REGISTER / TAC Collection A collection · register runner(on-deploy) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial; writes prod public-NOT run-scoped schema
88 DOT-TAC-COLLECTION-VERIFY / TAC Collection V A collection · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial; writes prod public-NOT run-scoped schema
89 DOT-TAC-SCHEMA-ENSURE / TAC Schema Ensure A infrastructure.schema · ensure runner(on-deploy) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial; writes prod public-NOT run-scoped schema
90 DOT-TAC-SCHEMA-VERIFY / TAC Schema Verify A infrastructure.schema · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial; writes prod public-NOT run-scoped schema
91 DOT-095 / dot-orphan-scan B birth.orphan bin/dot/dot-orphan-scan Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
92 DOT-111 / dot-entity-deprecate B lifecycle dot/bin/dot-entity-deprecate Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
93 DOT-112 / dot-entity-retire B lifecycle dot/bin/dot-entity-retire Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
94 DOT-115 / dot-orphan-scanner B birth.orphan bin/dot/dot-orphan-scanner Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
95 DOT-118 / dot-birth-backfill B birth.register bin/dot/dot-birth-backfill Write dot_tools Forbidden frozen DANGEROUS-do not call; cov:partial; no-trigger/library
96 DOT-119 / dot-birth-trigger-setup B birth.register bin/dot/dot-birth-trigger-setup Write dot_tools Forbidden frozen DANGEROUS-do not call; cov:partial; no-trigger/library
97 DOT-123 / dot-label-trigger-setup B classification.label bin/dot/dot-label-trigger-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
98 DOT-133 / dot-schema-birth-registry-ensure B infrastructure.schema bin/dot/dot-schema-birth-registry-ensure Write dot_tools Forbidden monitored DANGEROUS-do not call; cov:partial; no-trigger/library
99 DOT-145 / dot-species-map B classification.species bin/dot/dot-species-map Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
100 DOT-146 / dot-species-register B classification.species bin/dot/dot-species-register Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
101 DOT_BIRTH_BACKFILL / dot-birth-backfill B lifecycle opt/incomex/dot/bin/dot-birth-backfill Write dot_tools Forbidden frozen DANGEROUS-do not call; uncategorized; cov:none; no-trigger/library
102 DOT_BIRTH_TRIGGER_SETUP / dot-birth-trigger- B lifecycle opt/incomex/dot/bin/dot-birth-trigger-setup Write dot_tools Forbidden frozen DANGEROUS-do not call; uncategorized; cov:none; no-trigger/library
103 DOT_SCHEMA_BIRTH_REGISTRY_ENSURE / dot-schem B collection opt/incomex/dot/bin/dot-schema-birth-registry- Write dot_tools Forbidden monitored DANGEROUS-do not call; uncategorized; cov:none; no-trigger/library
104 DOT-TAC-BIRTH-GATE / TAC Birth Gate B data_quality · gate runner(event) Unknown dot_tools Unknown needs-triage uncategorized; cov:partial
105 DOT-TAC-BIRTH-VERIFY / TAC Birth Verify B data_quality · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
106 DOT-039 / dot-knowledge-info C sync dot/bin/dot-knowledge-info Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
107 DOT-040 / dot-knowledge-ingest C sync dot/bin/dot-knowledge-ingest Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
108 DOT-041 / dot-knowledge-ingest-batch C sync dot/bin/dot-knowledge-ingest-batch Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
109 DOT-042 / dot-knowledge-search C sync dot/bin/dot-knowledge-search Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
110 DOT-043 / dot-knowledge-sync C sync dot/bin/dot-knowledge-sync Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library; KG write-gated
111 DOT-044 / dot-knowledge-sync-agentdata C sync dot/bin/dot-knowledge-sync-agentdata Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library; KG write-gated
112 DOT-045 / dot-knowledge-sync-github C sync dot/bin/dot-knowledge-sync-github Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library; KG write-gated
113 DOT_KG_CLASSIFY / dot-kg-classify C kg.formation runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
114 DOT_KG_COMPLETENESS / dot-kg-completeness C kg.formation runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
115 DOT_KG_CONSISTENCY / dot-kg-consistency C kg.formation runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
116 DOT_KG_CONSTRAINT_CHECK / dot-kg-constraint- C kg.governance runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
117 DOT_KG_CONVERSE_EXTRACT / dot-kg-converse-ex C kg.conversational runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
118 DOT_KG_CONVERSE_VERIFY / dot-kg-converse-ver C kg.conversational runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
119 DOT_KG_CORRECT / dot-kg-correct C kg.quality runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
120 DOT_KG_DISCOVER_PROPOSE / dot-kg-discover-pr C kg.governance runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
121 DOT_KG_EVICT_SCAN / dot-kg-evict-scan C kg.eviction runner(on-demand) Read dot_tools Operator-read usable-read uncategorized; cov:none
122 DOT_KG_EVICT_VERIFY / dot-kg-evict-verify C kg.eviction runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
123 DOT_KG_EXPLAIN / dot-kg-explain C kg.explain runner(on-demand) Read dot_tools Operator-read usable-read uncategorized; cov:none
124 DOT_KG_EXPLAIN_VERIFY / dot-kg-explain-verif C kg.explain runner(dual) Read dot_tools Operator-read usable-read uncategorized; cov:none
125 DOT_KG_EXTRACT / dot-kg-extract C kg.formation runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
126 DOT_KG_FEEDBACK / dot-kg-feedback C kg.business runner(cron) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
127 DOT_KG_HEALTH / dot-kg-health C kg.quality runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
128 DOT_KG_INTENT_CAPTURE / dot-kg-intent-captur C kg.business runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
129 DOT_KG_INTENT_RECALC / dot-kg-intent-recalc C kg.business runner(cron) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
130 DOT_KG_JOURNEY_UPDATE / dot-kg-journey-updat C kg.business runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
131 DOT_KG_LINK / dot-kg-link C kg.formation runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
132 DOT_KG_ORPHAN / dot-kg-orphan C kg.quality runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
133 DOT_KG_OVERRIDE_AUDIT / dot-kg-override-audi C kg.governance runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
134 DOT_KG_OVERRIDE_LOG / dot-kg-override-log C kg.governance runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
135 DOT_KG_PRIORITY_DECOMPOSE / dot-kg-priority- C kg.priority runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
136 DOT_KG_PRIORITY_RECALC / dot-kg-priority-rec C kg.priority runner(cron) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
137 DOT_KG_PROVENANCE_AUDIT / dot-kg-provenance- C kg.governance runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
138 DOT_KG_PROVENANCE_TAG / dot-kg-provenance-ta C kg.governance runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
139 DOT_KG_RECOMMEND / dot-kg-recommend C kg.business runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
140 DOT_KG_SCAFFOLD_BUILD / dot-kg-scaffold-buil C kg.scaffold runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
141 DOT_KG_SCAFFOLD_VALIDATE / dot-kg-scaffold-v C kg.scaffold runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
142 DOT_KG_SCOPE_PROJECT / dot-kg-scope-project C kg.priority runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
143 DOT_KG_SCOPE_VERIFY / dot-kg-scope-verify C kg.priority runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
144 DOT_KG_SELF_LEARN / dot-kg-self-learn C kg.learning runner(dual) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; KG write-gated
145 DOT_KG_SELF_SCORE / dot-kg-self-score C kg.learning runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
146 DOT_KG_SIMILARITY / dot-kg-similarity C kg.quality runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
147 DOT_KG_TIMELINESS / dot-kg-timeliness C kg.business runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
148 DOT_KG_VALIDATE / dot-kg-validate C kg.formation runner(dual) Read dot_tools Operator-read usable-read uncategorized; cov:none
149 DOT-018 / dot-content-approve D workflow dot/bin/dot-content-approve Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
150 DOT-023 / dot-cost-audit D governance.audit dot/bin/dot-cost-audit Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
151 DOT-029 / dot-fix-knowledge-permissions D lifecycle dot/bin/dot-fix-knowledge-permissions Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
152 DOT-030 / dot-fix-permissions D lifecycle dot/bin/dot-fix-permissions Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
153 DOT-059 / dot-permission-ensure D governance.audit dot/bin/dot-permission-ensure Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
154 DOT-060 / dot-permissions-setup D governance.audit dot/bin/dot-permissions-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
155 DOT-113 / Pivot Declaration Tool D pivot dot/bin/dot-pivot-declare Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
156 DOT-114 / Pivot Health Check D pivot dot/bin/dot-pivot-health Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
157 DOT-117 / dot-audit-create D governance.audit bin/dot/dot-audit-create Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
158 DOT-307 / dot-pivot-virtual-create D pivot bin/dot/dot-pivot-virtual-create Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
159 DOT-308 / dot-cron-pivot-setup D pivot bin/dot/dot-cron-pivot-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
160 DOT-309 / APR Propose D governance.approval dot/bin/dot-apr-propose Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
161 DOT-310 / APR Execute D governance.approval dot/bin/dot-apr-execute Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
162 DOT-311 / APR Health D governance.approval dot/bin/dot-apr-health Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
163 DOT-312 / Matrix Declaration Tool D pivot · create dot/bin/dot-matrix-declare Write dot_tools Owner-gated dry-run-gated
164 DOT-313 / Matrix Update Tool D pivot · update dot/bin/dot-matrix-update Write dot_tools Owner-gated dry-run-gated
165 DOT-314 / Matrix Retire Tool D pivot · delete dot/bin/dot-matrix-retire Write dot_tools Owner-gated dry-run-gated
166 DOT-315 / Matrix Health Check D pivot · health dot/bin/dot-matrix-health Read dot_tools Operator-read usable-read
167 DOT-316 / dot-trigger-guard D monitoring /opt/incomex/dot/bin/dot-trigger-guard Read dot_tools Operator-read usable-read cov:none
168 DOT-317 / dot-sync-orphan-scan D monitoring /opt/incomex/dot/bin/dot-sync-orphan-scan Read dot_tools Operator-read usable-read cov:none
169 dot-apr-types-register-audit / APR Types Reg D governance.audit · verify opt/incomex/dot/bin/dot-apr-types-register-aud Read dot_tools Operator-read usable-read uncategorized
170 DOT_DOC_GENERATE / dot-doc-generate D normative runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
171 DOT_DOC_PARTITION / dot-doc-partition D normative runner(cron) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
172 DOT_DOC_RENDER / dot-doc-render D normative runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
173 DOT-FIX-REPAIR-DETECT / dot-fix-repair-detec D governance.audit · audit opt/incomex/dot/bin/dot-fix-repair-detect Read dot_tools Operator-read usable-read uncategorized
174 DOT-FIX-REPAIR-DETECT-TEST / dot-fix-repair- D governance.audit · verify opt/incomex/dot/bin/dot-fix-repair-detect-test Read dot_tools Operator-read usable-read uncategorized
175 DOT-FIX-REPAIR-PROPOSE / dot-fix-repair-prop D governance.approval · register opt/incomex/dot/bin/dot-fix-repair-propose Write dot_tools Owner-gated dry-run-gated uncategorized
176 DOT-FIX-REPAIR-PROPOSE-TEST / dot-fix-repair D governance.approval · verify opt/incomex/dot/bin/dot-fix-repair-propose-tes Read dot_tools Operator-read usable-read uncategorized
177 DOT_GOV_SEED / dot-gov-seed D governance · seed dot/bin/dot-gov-seed Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
178 DOT_GOV_VERIFY / dot-gov-verify D governance · verify dot/bin/dot-gov-verify Read dot_tools Operator-read usable-read uncategorized; cov:none
179 DOT-IU-CUTTER / dot-iu-cutter executor D governance.audit host bin/runner-triage Write dot_tools Owner-gated dry-run-gated cov:none; no-trigger/library
180 DOT-IU-CUTTER-VERIFY / dot-iu-cutter-verify D governance.audit host bin/runner-triage Read dot_tools Operator-read usable-read cov:none; no-trigger/library
181 DOT_NRM_AMEND / dot-nrm-amend D normative.enact runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
182 DOT_NRM_BINDING / dot-nrm-binding D normative runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
183 DOT_NRM_CONFIG / dot-nrm-config D normative runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
184 DOT_NRM_DISCOVER / dot-nrm-discover D normative runner(cron) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
185 DOT_NRM_DRAFT / dot-nrm-draft D normative.enact · import opt/incomex/dot/bin/dot-nrm-draft Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
186 DOT_NRM_ENACT / dot-nrm-enact D normative.enact runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
187 DOT_NRM_IMPACT / dot-nrm-impact D normative runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
188 DOT_NRM_LIFECYCLE / dot-nrm-lifecycle D normative runner(cron) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
189 DOT_NRM_RETIRE / dot-nrm-retire D normative runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
190 DOT_NRM_SYNC / dot-nrm-sync D normative runner(cron) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none
191 DOT_NRM_VERIFY / dot-nrm-verify D normative runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:none
192 dot-ops-silent-fail-propose / Silent-fail Pr D governance.approval · propose opt/incomex/dot/bin/dot-ops-silent-fail-propos Write dot_tools Owner-gated dry-run-gated uncategorized
193 dot-ops-silent-fail-propose-test / Silent-fa D governance.approval · test opt/incomex/dot/bin/dot-ops-silent-fail-propos Write dot_tools Owner-gated dry-run-gated uncategorized
194 dot-ops-silent-fail-scan / Silent-fail Scann D governance.audit · scan opt/incomex/dot/bin/dot-ops-silent-fail-scan Read dot_tools Operator-read usable-read uncategorized
195 dot-ops-silent-fail-scan-test / Silent-fail D governance.audit · test opt/incomex/dot/bin/dot-ops-silent-fail-scan-t Read dot_tools Operator-read usable-read uncategorized
196 DOT-TAC-DAILY-INVARIANT / TAC Daily Invarian D data_quality · check runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
197 DOT-TAC-ENACT-GATE / TAC Enactment Gate D governance.approval · gate runner(event) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial
198 DOT-TAC-HASH-DRIFT / TAC Hash Drift Check D data_quality · check runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
199 DOT-TAC-LABEL-FACET-VERIFY / TAC Label Facet D classification.label · verify runner(on-demand) Read dot_tools Operator-read usable-read uncategorized; cov:partial
200 DOT-TAC-LABEL-FORMAT-VERIFY / TAC Label Form D classification.label · verify runner(on-demand) Read dot_tools Operator-read usable-read uncategorized; cov:partial
201 DOT-TAC-LABEL-SYNC / TAC Label Sync D classification.label · sync runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial
202 DOT-TAC-LABEL-VERIFY / TAC Label Verify D classification.label · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
203 DOT-TAC-ROLE-ENSURE / TAC Role Ensure D infrastructure.deploy · ensure runner(on-deploy) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial
204 DOT-TAC-ROLE-VERIFY / TAC Role Verify D infrastructure.deploy · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
205 DOT-TAC-SEGMENTER / TAC Segmenter D kb · segment runner(on-demand) Unknown dot_tools Unknown needs-triage uncategorized; cov:partial
206 DOT-TAC-SEG-VERIFY / TAC Segmentation Verify D kb · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
207 DOT-TAC-VECTOR-SYNC / TAC Vector Sync D infrastructure.sync · sync runner(cron) Write dot_tools Owner-gated dry-run-gated uncategorized; cov:partial
208 DOT-TAC-VECTOR-VERIFY / TAC Vector Verify D infrastructure.sync · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
209 DOT-019 / dot-content-create E workflow dot/bin/dot-content-create Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
210 DOT-020 / dot-content-delete E workflow dot/bin/dot-content-delete Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
211 DOT-021 / dot-content-list E workflow dot/bin/dot-content-list Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
212 DOT-022 / dot-content-update E workflow dot/bin/dot-content-update Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
213 DOT-057 / dot-nav-remove-item E workflow dot/bin/dot-nav-remove-item Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
214 DOT-CONTEXT-PACK-BUILD / Context Pack Builde E context.pack · CONTEXT_PACK_BU opt/incomex/dot/bin/dot-context-pack-build.sh Write dot_tools Owner-gated dry-run-gated uncategorized
215 DOT-CONTEXT-PACK-VERIFY / Context Pack Verif E context.pack · CONTEXT_PACK_VE opt/incomex/dot/bin/dot-context-pack-verify.sh Read dot_tools Operator-read usable-read uncategorized
216 DOT-012 / dot-arch-check F monitoring.integrity dot/bin/dot-arch-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
217 DOT-024 / dot-e2e-test F monitoring.health dot/bin/dot-e2e-test Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
218 DOT-027 / dot-field-duplicate-check F data_quality dot/bin/dot-field-duplicate-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
219 DOT-037 / dot-health-check F monitoring.health dot/bin/dot-health-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
220 DOT-054 / dot-mcp-verify F monitoring.integrity dot/bin/dot-mcp-verify Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
221 DOT-058 / dot-ops-status F monitoring.health dot/bin/dot-ops-status Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
222 DOT-084 / dot-spider F monitoring.health dot/bin/dot-spider Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
223 DOT-087 / dot-test-login F monitoring.health dot/bin/dot-test-login Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
224 DOT-089 / dot-vector-audit F data_quality dot/bin/dot-vector-audit Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
225 DOT-090 / dot-vector-audit-schedule F data_quality dot/bin/dot-vector-audit-schedule Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
226 DOT-091 / dot-verify F monitoring.integrity dot/bin/dot-verify Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
227 DOT-092 / dot-verify-ai-connections F monitoring.integrity dot/bin/dot-verify-ai-connections Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
228 DOT-098 / dot-dependency-scan F monitoring.integrity dot/bin/dot-dependency-scan Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
229 DOT-101 / dot-layer3-audit F monitoring.integrity dot/bin/dot-layer3-audit Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
230 DOT-102 / dot-registries-verify F monitoring.integrity dot/bin/dot-registries-verify Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
231 DOT-104 / dot-registry-integrity-check F monitoring.integrity dot/bin/dot-registry-integrity-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
232 DOT-106 / dot-selftest-registries F monitoring.integrity dot/bin/dot-selftest-registries Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
233 DOT-109 / dot-production-truth-gate F monitoring.integrity dot/bin/dot-production-truth-gate Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
234 DOT-110 / dot-coverage-inspector F monitoring.integrity dot/bin/dot-coverage-inspector Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
235 DOT-116 / dot-misclass-scanner F classification.species bin/dot/dot-misclass-scanner Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
236 DOT-121 / dot-id-collision-check F data_quality bin/dot/dot-id-collision-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
237 DOT-122 / dot-inspect-pen F monitoring.integrity bin/dot/dot-inspect-pen Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
238 DOT-124 / dot-layer-integrity-audit F monitoring.integrity bin/dot/dot-layer-integrity-audit Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
239 DOT-152 / dot-accuracy-verify F monitoring.integrity bin/dot/dot-accuracy-verify Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
240 DOT_API_HEALTH / dot-api-health F kb · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized
241 DOT-COVERAGE / dot-dot-coverage F monitoring.dot · report bin/dot/dot-dot-coverage.ts Read dot_tools Operator-read usable-read uncategorized
242 DOT-FIX-REPAIR-VERIFY / dot-fix-repair-verif F monitoring.integrity · verify opt/incomex/dot/bin/dot-fix-repair-verify Read dot_tools Operator-read usable-read uncategorized
243 DOT-FIX-REPAIR-VERIFY-TEST / dot-fix-repair- F monitoring.integrity · verify opt/incomex/dot/bin/dot-fix-repair-verify-test Read dot_tools Operator-read usable-read uncategorized
244 DOT-HC-EXECUTOR / Generic Health Check Execu F monitoring.health opt/incomex/dot/bin/dot-hc-executor Read dot_tools Operator-read usable-read
245 DOT-HC-EXECUTOR-VERIFY / HC Executor Paired F monitoring.health opt/incomex/dot/bin/dot-hc-executor-verify Read dot_tools Operator-read usable-read
246 DOT-HEALTH-DOT / dot-dot-health F monitoring.dot · health bin/dot/dot-dot-health.ts Read dot_tools Operator-read usable-read uncategorized
247 DOT-REGISTER / dot-dot-register F monitoring.dot · register bin/dot/dot-dot-register.ts Write dot_tools Owner-gated dry-run-gated uncategorized
248 DOT_SCRIPT_LINT / dot-script-lint F monitoring.integrity runner(cron) Unknown dot_tools Unknown needs-triage uncategorized; cov:none
249 DOT-051 / dot-mcp-config-claude H infrastructure.sync dot/bin/dot-mcp-config-claude Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
250 DOT-052 / dot-mcp-status H infrastructure.sync dot/bin/dot-mcp-status Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
251 DOT-053 / dot-mcp-stdio-restart H infrastructure.sync dot/bin/dot-mcp-stdio-restart Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
252 DOT_KB_PROTECT / dot-kb-protect H kb · snapshot+audit runner(event) Read dot_tools Operator-read usable-read uncategorized
253 DOT_KB_RESTORE / dot-kb-restore H kb · restore runner(on-demand) Write dot_tools Owner-gated dry-run-gated uncategorized
254 DOT_KB_VERIFY / dot-kb-verify H kb · verify runner(cron) Read dot_tools Operator-read usable-read uncategorized; cov:partial
255 DOT-014 / dot-backup J infrastructure.backup dot/bin/dot-backup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
256 DOT-025 / dot-env-backup J infrastructure.deploy dot/bin/dot-env-backup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
257 DOT-026 / dot-env-restore J infrastructure.deploy dot/bin/dot-env-restore Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
258 DOT-001 / dot-agent-down L infrastructure.sync dot/bin/dot-agent-down Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
259 DOT-002 / dot-agent-status L infrastructure.sync dot/bin/dot-agent-status Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
260 DOT-003 / dot-agent-up L infrastructure.sync dot/bin/dot-agent-up Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
261 DOT-004 / dot-ai-bridge-check L infrastructure.sync dot/bin/dot-ai-bridge-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
262 DOT-005 / dot-ai-connect-all L infrastructure.sync dot/bin/dot-ai-connect-all Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
263 DOT-006 / dot-ai-gateway-setup L infrastructure.sync dot/bin/dot-ai-gateway-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
264 DOT-007 / dot-ai-manifest L infrastructure.sync dot/bin/dot-ai-manifest Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
265 DOT-008 / dot-ai-start L infrastructure.sync dot/bin/dot-ai-start Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
266 DOT-009 / dot-ai-status L infrastructure.sync dot/bin/dot-ai-status Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
267 DOT-010 / dot-ai-user-setup L infrastructure.sync dot/bin/dot-ai-user-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
268 DOT-013 / dot-auth L infrastructure.deploy dot/bin/dot-auth Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
269 DOT-015 / dot-catalog-sync L sync dot/bin/dot-catalog-sync Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
270 DOT-016 / dot-claude-restart L infrastructure.sync dot/bin/dot-claude-restart Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
271 DOT-017 / dot-clean-data L infrastructure.deploy dot/bin/dot-clean-data Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
272 DOT-028 / dot-fix-gap3 L lifecycle dot/bin/dot-fix-gap3 Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
273 DOT-031 / dot-flow-setup-registry-sync L sync dot/bin/dot-flow-setup-registry-sync Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
274 DOT-032 / dot-flow-setup-sync L sync dot/bin/dot-flow-setup-sync Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
275 DOT-033 / dot-flow-setup-tasks-sync L sync dot/bin/dot-flow-setup-tasks-sync Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
276 DOT-034 / dot-gemini-setup L infrastructure.sync dot/bin/dot-gemini-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
277 DOT-035 / dot-gpt-copy-spec L infrastructure.sync dot/bin/dot-gpt-copy-spec Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
278 DOT-036 / dot-gpt-setup L infrastructure.sync dot/bin/dot-gpt-setup Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
279 DOT-038 / dot-hook-deploy L infrastructure.deploy dot/bin/dot-hook-deploy Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
280 DOT-046 / dot-local-down L infrastructure.deploy dot/bin/dot-local-down Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
281 DOT-047 / dot-local-logs L infrastructure.deploy dot/bin/dot-local-logs Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
282 DOT-048 / dot-local-restart L infrastructure.deploy dot/bin/dot-local-restart Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
283 DOT-049 / dot-local-status L infrastructure.deploy dot/bin/dot-local-status Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
284 DOT-050 / dot-local-up L infrastructure.deploy dot/bin/dot-local-up Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
285 DOT-055 / dot-metadata-audit L data_quality dot/bin/dot-metadata-audit Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
286 DOT-056 / dot-metadata-fill L data_quality dot/bin/dot-metadata-fill Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
287 DOT-062 / dot-rollback L infrastructure.deploy dot/bin/dot-rollback Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
288 DOT-082 / dot-seed-agency-os L infrastructure.deploy dot/bin/dot-seed-agency-os Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
289 DOT-083 / dot-seed-knowledge-test L infrastructure.deploy dot/bin/dot-seed-knowledge-test Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
290 DOT-085 / dot-start-all L infrastructure.deploy dot/bin/dot-start-all Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
291 DOT-086 / dot-sync-check L sync dot/bin/dot-sync-check Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
292 DOT-088 / dot-token L infrastructure.deploy dot/bin/dot-token Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
293 DOT-093 / dot-web28-complete L lifecycle dot/bin/dot-web28-complete Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
294 DOT-094 / dot-flow-setup-auto-id L infrastructure.sync bin/dot/dot-flow-setup-auto-id Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
295 DOT-099 / dot-fill-tool-descriptions L data_quality dot/bin/dot-fill-tool-descriptions Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
296 DOT-100 / dot-flow-setup-count-refresh L infrastructure.sync dot/bin/dot-flow-setup-count-refresh Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
297 DOT-108 / dot-flow-setup-changelog L infrastructure.sync dot/bin/dot-flow-setup-changelog Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
298 DOT-125 / dot-migration-s127d-legacy-origin L lifecycle bin/dot/dot-migration-s127d-legacy-origin Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
299 DOT-126 / dot-migration-s128b-dead-links L lifecycle bin/dot/dot-migration-s128b-dead-links Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
300 DOT-147 / dot-update-tool-categories-vn L data_quality bin/dot/dot-update-tool-categories-vn Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
301 DOT-148 / dot-task-create L workflow bin/dot/dot-task-create Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
302 DOT-149 / dot-task-update L workflow bin/dot/dot-task-update Write dot_tools Owner-gated dry-run-gated cov:partial; no-trigger/library
303 DOT-150 / dot-task-list L workflow bin/dot/dot-task-list Read dot_tools Operator-read usable-read cov:partial; no-trigger/library
304 DOT-151 / dot-task-close L workflow bin/dot/dot-task-close Unknown dot_tools Unknown needs-triage cov:partial; no-trigger/library
305 DOT_MIGRATION_S127D_LEGACY_ORIGIN / dot-migr L sync opt/incomex/dot/bin/dot-migration-s127d-legacy Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library
306 DOT_MIGRATION_S128B_DEAD_LINKS / dot-migrati L sync opt/incomex/dot/bin/dot-migration-s128b-dead-l Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library
307 DOT_MIGRATION_S155_P1B / dot-migration-s155- L sync opt/incomex/dot/bin/dot-migration-s155-p1b Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library
308 DOT_SEED_AGENCY_OS / dot-seed-agency-os L lifecycle opt/incomex/dot/bin/dot-seed-agency-os Write dot_tools Owner-gated dry-run-gated uncategorized; cov:none; no-trigger/library
309 DOT_SYNC_CHECK / dot-sync-check L sync opt/incomex/dot/bin/dot-sync-check Read dot_tools Operator-read usable-read uncategorized; cov:none; no-trigger/library

§5.3 row count = 309 (STT 1–309, contiguous). Group tallies: A=90, B=15, C=43, D=60, E=7, F=33, H=6, J=3, L=52 (G/I/K not used as row-groups here — agent-api G = §5/§10's 2 contracts; Directus-generic I is forbidden, §3; dangerous K members are flagged inline via Forbidden/frozen/monitored while keeping their functional group). Read/Write: Read=99, Write=133, Unknown=77. Authority: Operator-read=99, Owner-gated=127, Forbidden=6, Unknown=77. Status: usable-read=99, dry-run-gated=127, frozen=4, monitored=2 (DOT-133 = DOT_SCHEMA_BIRTH_REGISTRY_ENSURE, same tool / two registry codes), needs-triage=77. (All sum to 309; counts computed from the same read-only projection — inferred, not executed; see §14.)


6. Schema / Postgres / Directus DOTs

The DOT-only zone's working tools. Read §3 and §15 before using any of these.

| No. | DOT/tool name | Use when | How to call | May it create a schema? | Guardrails | Status | Notes |
|---|---|---|---|---|---|---|---|
| 1 | DOT-COL-CREATE / dot-collection-create | Create a new collection (table) | host bin / runner (on-demand) | Creates a TABLE in public; does NOT create a separate run-scoped schema | calls birth-trigger-setup [[ -x ]] + 2>/dev/null (degrades when frozen) | DRY_RUN_GATED · dangerous LOW | Closest to "create" but writes prod public |
| 2 | DOT_SCHEMA_APPLY / dot-schema-apply | Apply schema defs idempotently | host bin / runner | Creates/alters TABLE/field in public | idempotent pattern; no allowlist for separate schema | DRY_RUN_GATED | Via Directus API + Postgres |
| 3 | DOT_SCHEMA_ENSURE (+ ~30 *_ENSURE) | Ensure specific tables exist (blog, tasks, comments, knowledge, workflows, registry_*, species, taxonomy, trigger_registry, table_registry, meta_catalog, …) | runner | Ensure named tables in public | additive-only ensure | DRY_RUN_GATED / uncovered | Each ensures one named table; none creates a disposable schema |
| 4 | DOT_SCHEMA_SNAPSHOT | Snapshot the schema for recovery/diff | runner | No (read/export) | read-only | usable (read) | Recovery aid |
| 5 | DOT_SCHEMA_DIFF | Compare schema vs definitions | runner | No (report) | read-only | usable (read) | |
| 6 | DOT_SCHEMA_TAXONOMY_PG_APPLY | Apply taxonomy to Postgres | runner | Alters tables in public | additive | DRY_RUN_GATED | |
| 7 | DOT-TAC-SCHEMA-ENSURE / -VERIFY | Ensure/verify tac_* tables | on-deploy / cron | Ensure named tables in public | paired ensure+verify | NEEDS_RECONCILE | |
| 8 | DOT_SCHEMA_BIRTH_REGISTRY_ENSURE | Ensure birth_registry schema (Đ0-G) | host bin | Ensure in public + redefines fn_birth_auto_certify | ⚠️ MONITORED (§13) | MONITORED / MEDIUM | Touches a gateway fn — restricted |
| 9 | DOT-COL-HEALTH / DOT_COLLECTION_HEALTH | Check collection health | runner/cron | No (read) | read-only | usable (read) | |
| 10 | DOT-COL-SYNC / DOT_COLLECTION_FIELD_SYNC | Sync fields collection↔Directus | event | Alters field metadata | grep-swept clean | DRY_RUN_GATED | SAFE_RECONCILE_ONLY |
| 11 | DOT_COLLECTION_REGISTER / dot-collection-register | Register collection in the registry | runner | No (metadata register, QT-003R) | clean | usable | |

Verdict for this group: the schema DOT family can create/ensure tables inside the existing public (prod) schema. None of them creates a separate, run-scoped, disposable schema (CREATE SCHEMA … / DROP SCHEMA … CASCADE) with allowlist + abort-on-drift. See §15.


7. Birth / B2 / PEN-STAMP-GATE DOTs

| No. | DOT/tool name | Use when | How to call | Read/Write | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | dot-inspect-pen | Writes inspect PEN/STAMP/GATE cols on birth_registry (NOT births) | host bin | Write (inspect cols only) | SAFE (clean) | The B2-adjacent inspect surface; the genuine PEN producer is still MISSING (B2 gap) |
| 2 | dot-coverage-inspector | Inspect coverage | host bin | Read | SAFE | |
| 3 | DOT-TAC-BIRTH-GATE / -VERIFY | Birth gate for TAC | event / cron | gate/verify | NEEDS_RECONCILE | |
| 4 | fn_dot_birth_qt001_plan_v2 / _apply / sp_dot_birth_qt001_apply | Plan/apply qt001 birth | SQL fn/proc | plan=Read, apply=Write | OWNER_GATED | Birth apply is governed |
| 5 | DOT_SCHEMA_BIRTH_REGISTRY_ENSURE | Ensure birth_registry schema | host bin | Write + redefine | MONITORED | §13 |
| 6 | dot-birth-backfill | (do not use) | | Write (direct INSERT) | FROZEN / HIGH | §13 |
| 7 | dot-birth-trigger-setup | (do not use) | | Write (redefine gateway) | FROZEN / CRITICAL | §13 |

B2 note: the inspect-producer that B2 needs is not present as a working DOT — fn_birth_auto_certify only reads inspect_* columns; nothing genuinely produces them. This handbook does not build, design, or run B2 logic (mission lock).


8. KG / universal_edges / provenance DOTs

~36 DOTs in kg.* domains (business, formation, governance, priority, quality, conversational, eviction, explain, learning, scaffold). Most are cron 0 */6 * * * and currently NEEDS_RECONCILE (registry says cron but fs_confirmed=false).

| Pattern | Examples | Read/Write | Status |
|---|---|---|---|
| Explain / verify | DOT_KG_EXPLAIN (agent-api, dry-run), DOT_KG_EXPLAIN_VERIFY | Read | DRY_RUN_GATED / contract_ready |
| Audit / health / validate / consistency | DOT_KG_PROVENANCE_AUDIT, DOT_KG_HEALTH, DOT_KG_VALIDATE, DOT_KG_CONSISTENCY, DOT_KG_COMPLETENESS, DOT_KG_CONSTRAINT_CHECK, DOT_KG_ORPHAN, DOT_KG_TIMELINESS | Read | NEEDS_RECONCILE |
| Write KG (gated) | DOT_KG_LINK, DOT_KG_CORRECT, DOT_KG_EXTRACT, DOT_KG_PROVENANCE_TAG, DOT_KG_OVERRIDE_LOG, DOT_KG_JOURNEY_UPDATE, DOT_KG_INTENT_CAPTURE, DOT_KG_DISCOVER_PROPOSE, DOT_KG_SCAFFOLD_BUILD | Write (KG) | OWNER_GATED — do not run as standing |
| Learning / scoring | DOT_KG_SELF_LEARN, DOT_KG_SELF_SCORE, DOT_KG_RECOMMEND, DOT_KG_SIMILARITY, DOT_KG_PRIORITY_RECALC/DECOMPOSE | mixed | ADVISORY/NEEDS_RECONCILE |
| IU KG audit | dot_iu_kg_edge_audit | Read | usable |

universal_edges runtime is known to be 2199 edges / 0-provenance (Đ39 open). The audit DOTs here are read-only; the write DOTs are gated and must not be used to "fix" provenance without Owner authorization.


9. Matrix / Stamp / Approval / Governance DOTs

| No. | DOT/tool name | Use when | Read/Write | Status | Notes |
|---|---|---|---|---|---|
| 1 | DOT-312/313/314 (matrix declare/update/retire) | Manage 2D pivot matrix | Write (metadata) | ADVISORY | Validate source in collection_registry |
| 2 | DOT-315 dot-matrix-health | Matrix health | Read | CANDIDATE | |
| 3 | DOT-307, DOT-308, DOT-113, DOT-114 | Pivot family | mixed | triage | pivot category |
| 4 | DOT-309, DOT-310 | Governance | mixed | triage | governance category |
| 5 | DOT_GOV_SEED / DOT_GOV_VERIFY | Seed/verify governance | seed=Write, verify=Read | ADVISORY | verify cron 0 5 * * * |
| 6 | DOT-IU-CUTTER / -VERIFY | IU cutter (governance-classed) | Write/Read | governed | Heavy design lineage in KB |
| 7 | dot_iu_verify_mark_manifest / dot_iu_gate_open / _close / _watchdog | IU gate/approval | Write | gate OFF | reversible (open/close), watchdog |
| 8 | DOT-316 dot-trigger-guard | Guard triggers | Read | CANDIDATE | |

Approval rows live in governance_registry / Đ32 / Đ37 quorum — not mutated by any of these without an Owner step.


10. IO / Cell / Context / Candidate / Staging DOTs — full IU command catalog (54)

The IU operator command runner. iu_core.operator_runtime_enabled=false today → mutating commands refuse. Read/Write = mutating flag; Rev = reversible. ⚠️ "staging" here = IU content staging, not a Postgres schema.

Read-only (mutating=false) — runnable now (17): dot_iu_healthcheck, dot_iu_validate_collection, dot_iu_filter_axis_b, dot_iu_gate_verify_closed, dot_iu_kg_edge_audit, dot_iu_operator_cleanup_staging_dry_run, dot_iu_operator_verify_cut, dot_iu_operator_verify_mark, dot_iu_verify_cut_result, dot_iu_reconstruct_source, dot_iu_render_file, dot_iu_sql_link_resolve, dot_iu_sql_link_validate, dot_iu_subtree, dot_iu_test_harness_run — plus checkpoint/rebuild listed under "read" category.

Mutating (mutating=true) — gated OFF, refuse until Owner opens gate (37):

| Category | Commands (→ target fn_iu_*) | Reversible |
|---|---|---|
| collection (11) | add_piece, auto_instantiate_from_event, create_collection, create_file_from_pieces, create_workflow_from_steps, record_template_instance, register_template, register_template_version, remove_piece, reorder_piece, retire_template_version | yes |
| lifecycle (14) | auto_instantiate_rollback_by_actor, delete_piece_soft, merge_piece, restore_piece, retire_piece, split_piece, supersede_piece, test_review_decision_create, staging_create, staging_approve, staging_cleanup, staging_consume, staging_reject, staging_unregister | mixed (staging_* NOT reversible) |
| piece (7) | clone_piece, create_piece, cut_from_manifest, mark_article, operator_cut_staging, operator_mark_file, update_piece_metadata | mostly yes |
| health (5) | gate_open, gate_close, gate_watchdog, verify_mark_manifest, post_cut.axis_materialize | mixed |
| read (2, mutating) | checkpoint_collection, rebuild_metadata_axes | yes |

Context-pack DOTs (IO/output): DOT-CONTEXT-PACK-BUILD (cron 0 */3, writes to /opt/incomex/context-pack), DOT-CONTEXT-PACK-VERIFY (cron 30 */3, read). Config: context_pack_mode=warn, context_pack_output_root=/opt/incomex/context-pack.


11. Scanner / Heartbeat / Monitor DOTs

| No. | DOT/tool name | Use when | How to call | Read/Write | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | DOT-HC-EXECUTOR | Health-check executor (central monitor) | dual cron 0 */3 * * * | Read/heal | Active (last run today) | hc_auto_close_enabled=true |
| 2 | DOT-HC-EXECUTOR-VERIFY | Paired verify (NT12) | dual cron 30 */3 | Read | CANDIDATE | |
| 3 | dot-ops-silent-fail-scan | Silent-fail scanner (Đ22 §4.2) | cron 30 3 * * * | Read | CANDIDATE | paired -propose |
| 4 | DOT-316 dot-trigger-guard | Trigger drift guard | cron 15 3 | Read | CANDIDATE | |
| 5 | DOT-317 dot-sync-orphan-scan | Orphan scan | dual cron 0 5 | Read | CANDIDATE | |
| 6 | DOT-311 | Scanner (category=scanner) | | Read | triage | |
| 7 | DOT_API_HEALTH | API health | cron 30 21 | Read | NEEDS_RECONCILE | |
| 8 | DOT-HEALTH-DOT / DOT-COVERAGE | DOT self-health / coverage | cron | Read | NEEDS_RECONCILE | monitoring.dot domain |
| 9 | Giám sát hệ thống (7) + monitoring.integrity (17) + monitoring.health (7) | System monitors | various | Read | mixed | Largest read-only monitor family |
| 10 | queue.heartbeat (fn_queue_heartbeat_tick) | Queue heartbeat | gated fn | Write (tick) | queue.heartbeat.enabled=true | Đ45 Phase 1 |

Monitors are the safest DOTs to run — they read and report. fn_dot_wf_universal_census, fn_dot_wf_orphan_detector, fn_dot_wf_source_adapter_health are read-only census/health functions.


12. MCP / AgentData / KB DOTs

| No. | DOT/tool name | Use when | How to call | Read/Write | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | kết_nối_mcp family (DOT-051…054) | MCP connection | | mixed | triage | 4 DOTs |
| 2 | DOT_KB_VERIFY | Verify KB integrity | cron | Read | NEEDS_RECONCILE | kb domain |
| 3 | DOT_KB_PROTECT | Protect KB | event | Write | NEEDS_RECONCILE | |
| 4 | DOT_KB_RESTORE | Restore KB | on-demand | Write | ADVISORY | |
| 5 | tri_thức family (DOT-039…045) | Knowledge | | mixed | triage | 7 DOTs |
| 6 | AgentData MCP (the KB itself) | Read/write KB docs | mcp__agent-data__* (search/list/batch_read/upload) | Read/Write KB | this handbook's own write channel | KB writes are allowed (≠ Directus/Postgres) |
| 7 | Containers | incomex-agent-data :8080, incomex-claude-kb :8000, incomex-claude-mcp :8000 | | | Up (healthy) | infra |

KB is a different zone from Directus/Postgres. Writing documents to AgentData KB (via upload_document) is the allowed output channel and is how this handbook was written. It is not part of the DOT-only schema zone.


13. Dangerous / forbidden / do-not-use paths

From v_birth_dangerous_dot_inventory + v_birth_dangerous_dot_risk_classification (15 audited). Three carry real risk:

| DOT | Risk class | Severity | Disposition | Why dangerous |
|---|---|---|---|---|
| dot-birth-trigger-setup | DANGEROUS_CAN_REDEFINE_GATEWAY | CRITICAL | FROZEN | Embeds CREATE OR REPLACE FUNCTION fn_birth_registry_auto() with OLD logic (no coverage_status/BIRTH_EXEMPT) + DROP/CREATE TRIGGER. Would re-open the birth pollution gateway. |
| dot-birth-backfill | DANGEROUS_CAN_BACKFILL_BROKEN | HIGH | FROZEN | Direct INSERT INTO birth_registry executed via docker exec psql; no coverage_status filter; incompatible 22/36 governed. |
| dot-schema-birth-registry-ensure | DANGEROUS_CAN_REDEFINE_GATEWAY | MEDIUM | MONITORED_NOT_FROZEN | CREATE OR REPLACE FUNCTION fn_birth_auto_certify() (auxiliary certify fn; schema/meta only; no trigger redeploy). Restricted, watch closely. |

Forbidden lanes (not DOTs — manual paths that must never be used for the DOT-only zone):

  • Manual psql / docker exec -i postgres psql -U directus against directus.public.
  • Hand-written DDL/DML; SQL staged for a human to run.
  • Directus generic collection/table create used to make schema/tables.
  • Any REAL_RUN of a process-DOT while the runtime gate is shut (fn_process_agent_api_dispatch refuses these by design — do not try to bypass).

The other 12 audited DOTs (collection-field-sync, collection-health, collection-register, coverage-inspector, inspect-pen, nrm-lifecycle, schema-registry-collections-ensure, schema-species-ensure, schema-species-tree-ensure, species-map, species-register, plus collection-create=LOW/degrades) are SAFE_RECONCILE_ONLY (grep-swept clean).


14. UNKNOWN / NEED TRIAGE

Do not guess these — they need a human/Owner triage pass.

  1. 142 uncategorized DOTs (§5.2) — have codes + (mostly) descriptions but no category; many are the DOT_KG_*, DOT_NRM_*, DOT_SCHEMA_*, DOT-TAC-* families. Triage = assign category + confirm Read/Write + confirm channel.
  2. 103 DOTs with coverage_status empty + 177 partial — only 29 have complete coverage. Partial/empty = contract not fully proven; treat call semantics as unverified.
  3. 205 DOTs with no trigger_type — library/wrapper DOTs (not standing processes). Their "How to call" (Cách gọi) value is "called by another DOT or fn"; the individual invocation path is unknown and needs triage.
  4. NEEDS_RECONCILE processes (fs_confirmed=false but registry says cron) — registry claims a process the filesystem snapshot can't confirm. This is roughly the bulk of DOT_KG_*/DOT_NRM_*/DOT-TAC-*. Reconcile dot_tools ↔ wf_fs_dot_bin_snapshot (289) ↔ _recon_dot_fs_inventory (287).
  5. DOT count by source does not need to match (record separately):

| Source | Count |
|---|---|
| dot_tools (registry SSOT) | 309 |
| dot_iu_command_catalog (callable IU) | 54 |
| dot_operations (verbs) | 20 |
| dot_agent_api_contract (executor) | 2 |
| wf_fs_dot_bin_snapshot (host /opt/incomex/dot/bin) | 289 |
| _recon_dot_fs_inventory (DB↔FS recon) | 287 |
| law_dot_enforcement (bindings) | 272 |
| v_dot_process_type1_projection (runnable processes) | 104 |
| dangerous audited (v_birth_dangerous_dot_*) | 15 |

  6. Filesystem specs (/opt/incomex/dot/specs) — allowlisted for read_file but not directory-enumerable with the available tools (read_file /opt/incomex/dot/specs/README.md → DENIED "not a regular file"). Per-spec content not inventoried here; triage with a directory listing capability.

15. Macro-9A decision: is there an authorized DOT for a schema shell build?

Question (from Macro-8 SB-4): is there a confirmed, authorized DOT that builds one disposable, run-scoped staging schema — separate schema in the directus DB, zero prod data, prod-untouched, delete-fast (DROP SCHEMA … CASCADE), abort-on-drift?

Answer: NO. No confirmed authorized DOT matches that requirement.

Evidence:

  • The schema-create family (DOT-COL-CREATE, DOT_SCHEMA_APPLY, the ~30 DOT_SCHEMA_*_ENSURE, DOT-TAC-SCHEMA-ENSURE) creates tables inside the existing public (prod) schema. Using them would write into prod — the exact opposite of SB-4's "separate schema / prod-untouched / delete-fast."
  • None of them issues CREATE SCHEMA <run_scoped> / DROP SCHEMA … CASCADE, and none carries a staging-only allowlist or abort-on-drift guard.
  • The dot_iu_staging_* commands are IU content staging (fn_iu_staging_*), not Postgres schema DDL — and they're gated OFF.
  • DOT_SCHEMA_BIRTH_REGISTRY_ENSURE touches a gateway fn → MONITORED (§13), not usable as a clean shell builder.
  • The whole execute substrate is dry-run-gated (process_dot_runtime.real_run_enabled=false; dispatcher refuses REAL_RUN; iu_core.operator_runtime_enabled=false).

Markers:

  • 🟥 NO CONFIRMED AUTHORIZED DOT FOR SCHEMA CREATE (run-scoped/disposable/delete-fast variety).
  • 🟧 The nearest existing DOTs EXIST BUT ARE UNSAFE for this purpose — they write prod public, lack a separate-schema allowlist, and lack DROP-SCHEMA-CASCADE delete-fast + abort-on-drift.

Recommended next action:

  • Do NOT proceed with the Macro-9A DOT-only build gate using existing DOTs. They cannot satisfy SB-4 without touching prod.
  • Macro-9B (recommended): create/harden ONE dedicated run-scoped staging-schema DOT first — staging-only, allowlist-guarded (CREATE SCHEMA/DROP SCHEMA … CASCADE on a run-scoped schema name only), prod-public reject, abort-on-drift, delete-fast — authored as an artifact, Owner-authorized, runtime-gate opened explicitly, and only then run. This is an Owner decision; this handbook authorizes nothing.
  • Until that DOT exists and is authorized: schema-shell build = NO-GO (consistent with Default HOLD).
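
The guardrails named for the Macro-9B candidate (allowlist limited to CREATE SCHEMA / DROP SCHEMA … CASCADE on a run-scoped name, prod-public reject, abort-on-drift, explicit runtime gate) can be expressed as a pre-execution check over statement text. This is an added illustration, not an existing DOT and not Incomex code: the stg_run_<8 hex> naming rule, the snapshot shape, the reading of "drift" as a change in prod public since plan time, and every function name are assumptions. It validates text only and connects to no database.

```python
import hashlib
import json
import re

# Assumption (not from the handbook): run-scoped schemas are named stg_run_<8 hex chars>.
RUN_SCHEMA_RE = re.compile(r"^stg_run_[0-9a-f]{8}$")
PROTECTED = {"public", "pg_catalog", "information_schema", "pg_toast"}

# The only two statement shapes on the allowlist.
CREATE_RE = re.compile(r"^CREATE\s+SCHEMA\s+([A-Za-z_][A-Za-z0-9_]*)$", re.IGNORECASE)
DROP_RE = re.compile(r"^DROP\s+SCHEMA\s+([A-Za-z_][A-Za-z0-9_]*)\s+CASCADE$", re.IGNORECASE)
# Stacked statements, comments and any quoting are refused outright.
FORBIDDEN_TOKENS = (";", "--", "/*", '"', "'", "$")


def check_statement(stmt, run_schema):
    """Return (allowed, reason) for one proposed DDL statement."""
    if not RUN_SCHEMA_RE.match(run_schema) or run_schema in PROTECTED:
        return False, "run schema name is not run-scoped"
    text = stmt.strip()
    if text.endswith(";"):
        text = text[:-1].rstrip()  # one trailing terminator is tolerated
    for tok in FORBIDDEN_TOKENS:
        if tok in text:
            return False, f"forbidden token {tok!r}"
    m = CREATE_RE.match(text) or DROP_RE.match(text)
    if m is None:
        return False, "statement shape is not on the allowlist"
    target = m.group(1).lower()  # Postgres folds unquoted identifiers to lower case
    if target in PROTECTED:
        return False, f"protected schema {target!r}"
    if target != run_schema:
        return False, f"schema {target!r} is not this run's schema"
    return True, "ok"


def fingerprint(snapshot):
    """Stable SHA-256 over a {table: [columns]} snapshot of the protected schema."""
    canon = json.dumps({t: sorted(c) for t, c in snapshot.items()}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def guard_plan(statements, run_schema, baseline_fp, current_snapshot, gate_open):
    """ALLOW only if the gate is open, prod is unchanged and every statement passes."""
    reasons = []
    if not gate_open:
        reasons.append("runtime gate closed")
    if fingerprint(current_snapshot) != baseline_fp:
        reasons.append("drift: protected schema changed since baseline")
    for i, stmt in enumerate(statements, 1):
        ok, why = check_statement(stmt, run_schema)
        if not ok:
            reasons.append(f"statement {i}: {why}")
    return {"decision": "ABORT" if reasons else "ALLOW", "reasons": reasons}


# Constructed sample data (not read from any real system).
SAMPLE_RUN = "stg_run_ab12cd34"
SAMPLE_PUBLIC = {"dot_tools": ["code", "name", "category"], "dot_config": ["key", "value"]}


def demo():
    base_fp = fingerprint(SAMPLE_PUBLIC)
    drifted = dict(SAMPLE_PUBLIC, dot_tools=SAMPLE_PUBLIC["dot_tools"] + ["new_col"])
    good = [f"CREATE SCHEMA {SAMPLE_RUN};", f"DROP SCHEMA {SAMPLE_RUN} CASCADE;"]
    bad = ["DROP SCHEMA public CASCADE", "CREATE TABLE public.t (id int)"]
    return {
        "clean": guard_plan(good, SAMPLE_RUN, base_fp, SAMPLE_PUBLIC, gate_open=True),
        "gate_closed": guard_plan(good, SAMPLE_RUN, base_fp, SAMPLE_PUBLIC, gate_open=False),
        "prod_touch": guard_plan(bad, SAMPLE_RUN, base_fp, SAMPLE_PUBLIC, gate_open=True),
        "drift": guard_plan(good, SAMPLE_RUN, base_fp, drifted, gate_open=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```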

16. Update log

| Rev | Date | Change | By |
|---|---|---|---|
| rev1 | 2026-06-19 | Initial handbook. Read-only inventory of 309 dot_tools + 54 IU commands + 2 agent-api contracts + 15 dangerous + runtime gates + schema verdict. STATUS PASS_WITH_CAVEATS. | Macro-9A0 |
| rev2 | 2026-06-19 | Supplement (Macro-9A0-supplement). Added §5.3 full row-level inventory (all 309 DOTs, one row each, grouped A–L; How to call (Cách gọi)/Read-Write/Authority/Status inferred via read-only SQL projection, nothing executed) + §17 future dot_operator_catalog candidate. STATUS PASS_WITH_CAVEATS. | Macro-9A0 |

Refresh queries (read-only, run against directus.public):

```sql
-- master count + category roster
SELECT COALESCE(category,'(uncat)') cat, count(*) n,
       string_agg(code, ', ' ORDER BY code) codes
FROM dot_tools GROUP BY 1 ORDER BY 1;

-- callable IU command health
SELECT * FROM v_dot_iu_command_registry ORDER BY mutating DESC, command_name;

-- dangerous inventory
SELECT * FROM v_birth_dangerous_dot_risk_classification ORDER BY severity;

-- runtime gates
SELECT key, value FROM dot_config
WHERE key LIKE 'process_dot_runtime.%' OR key LIKE 'iu_core.%' OR key LIKE 'iu_create.gateway.%';

-- runnable processes + reliability
SELECT code, name, trigger_type, cron_schedule, fs_confirmed, reliability_label
FROM v_dot_process_type1_projection ORDER BY reliability_label, code;
```

17. Future collection / PG table candidate: dot_operator_catalog

After the LEGO staging shell and an authorized DOT schema path are proven, this handbook should be normalized into a governed collection/table, tentatively named dot_operator_catalog (or governance_dot_operator_catalog).

⚠️ This is a design note only — do NOT create the collection/table in this macro. It must not be created manually. It must be created only through an authorized DOT — never via manual SQL / psql / docker exec psql / Directus generic collection-create (§3: Directus/Postgres/schema is a DOT-only zone).

Candidate columns: dot_code · dot_name · group · purpose · call_method · read_write · surface · authority · status · risk_level · owner_role · evidence_ref · last_verified_at · update_mode · notes.

Scope (broader than DOTs): the future table should also cover procedures, functions, triggers, routes, workflows, cron jobs, and MCP tools — i.e. the full callable-surface registry, not only dot_tools rows.

Preconditions before it may be built (all required):

  1. An authorized run-scoped staging-schema DOT exists and is proven (Macro-9B — see §15).
  2. Owner authorization + the runtime execute gate opened explicitly (§2.4).
  3. Created through that authorized DOT, not by hand; populated from the read-only projection that generated §5.3.

Until all three hold, dot_operator_catalog stays a candidate on paper. This handbook (the markdown file) remains the living manual in the meantime.


End of DOT Usage Handbook (rev2+ — adds §5.3 full 309-row inventory + §17 future dot_operator_catalog). Engineering PASS ≠ Owner authority PASS. Default HOLD.