KB-7387

Checkpoint — Authority Matrix Fresh-Read Closure B/C/D/G/H (2026-06-09)

Revision 1

Session goal: narrow READ-ONLY fresh-read closure of the five GPT-deferred authority domains (B/C/D/G/H), turning the Authority Decision Matrix draft's blocked domains into reviewable/sealable evidence. NOT design / implementation / cleanup / reconciliation mutation.

Final status: FRESH_READ_CLOSURE_PARTIAL

Production mutation: NO (every PG read READ-ONLY via query_pg/context_pack_readonly; no Directus write, no FS write, no detector run, no system_issue created; only 4 KB docs written).

What was done

  • Read the baseline + matrix draft in full; ran ~30 read-only query_pg calls (schemas, view/function definitions, counts, join tests, samples).
  • Closed each of the 8 required investigations; captured exact view definitions so denominators are no longer opaque.

Decisive findings

  1. CAT-006 actual_count=163 — written by the external on-deploy dot-catalog-sync FS-scan script, NOT a DB object. Only 3 DB functions touch actual_count (refresh_all_meta_counts etc.) and all set it to count(*)=309; refresh_all_meta_counts is inert (guarded by record_count IS DISTINCT FROM count(*), already 309). Filter UNVERIFIABLE read-only; UNSAFE as denominator (= local non-prod checkout 163; conflicts in-row with record_count 309).
  2. /opt/incomex/dot/bin: wf_fs_dot_bin_snapshot (02:10, UNCHANGED vs baseline): total 289 / operational 214 / backup 75 / mapped 186. All object_type='executable'. Live OS listing BLOCKED (allowlist + no shell). No fresh delta.
  3. The "42 surface" RESOLVED. wf_fs_script_snapshot (02:10:47): /opt/incomex/scripts = 42 (32 exec-OP + 7 backup + 3 file-OP); mapped_dot_code=0 → separate ops-script surface, EXCLUDE from DOT authority.
  4. Registry↔FS 41-vs-4 EXPLAINED. v_dot_registry_no_file=41 (stale 06-03 _recon, name-key, active/published dot-%) vs v_dot_reconciliation_reliability.MISSING_FILE=4 (fresh 06-09 snapshot, code-key, all 309). Different base+key+population; neither wrong.
  5. Safe-call 186 ∩ command-catalog = NON-COMPUTABLE — join on name=0, on code=0. Disjoint spaces (filesystem dot_tools vs fn_iu_* PG functions). A computable safe read-only set exists only on the IU layer = 15 mutating=false commands (12 also reversible). The 186 filesystem DOTs are NOT directly callable (no exit-code/governance, coverage partial). → matrix C formula withdrawn.
  6. Đ23 inverse-check + duplicate/graph/orphan = EXISTING_AUTHORITY_SUFFICIENT — deployed & populated: universal_edges(2199)/v_kg_edges_all(2259)/entity_dependencies(142); fn_dot_wf_orphan_detector(_v2)+wf_orphan_digest_v2(6)+queue(145); duplicate engines (v_birth_duplicate_issue_guard/v_rp_dedup_signature_gap/v_system_issue_semantic_duplicate_dashboard); fn_reconcile_fk_vs_edges/rules_vs_views; system_issues open 223,313. New resolver PROHIBITED; doc-level gap UNPROVEN.
  7. TAC↔IU = NO_BRIDGE_DUAL_REPORT_ONLY — 0 views & 0 functions join tac_logical_unit+information_unit; no bridge table; IU 117 fn/11 views/219 rows vs TAC 7 fn/0 views/102 rows; tac_change_set=0. Tool must dual-report, never choose/merge/build-bridge.

Domain outcomes

  • B: evidence resolved; "can run" definition (presence+proof-of-run) pending Codex.
  • C: resolved-as-refuted; pick one call layer pending Codex.
  • D: evidence resolved; canonical base (recommend fresh code-keyed reliability view) pending owner.
  • G: RESOLVED — EXISTING_AUTHORITY_SUFFICIENT.
  • H: RESOLVED — NO_BRIDGE_DUAL_REPORT_ONLY.

Permanently unverifiable read-only (bounded, accepted)

  • CAT-006 actual_count=163 exact filter (external script).
  • Live OS listing of /opt/incomex/dot/bin & /opt/incomex/scripts (allowlist + no shell) → PG mirror accepted as canonical-available.

Minimal next step (one)

Route to Codex/owner to seal D + B, decide C (one call layer; 186∩catalog withdrawn), ratify G + H. No further read productive. No tool/schema/runner until seals.

Outputs (read-back)

  • reports/authority-matrix-fresh-read-closure-bcdgh-2026-06-09.md
  • reports/authority-matrix-fresh-read-closure-bcdgh-2026-06-09.json
  • checkpoints/checkpoint-authority-matrix-fresh-read-closure-bcdgh-2026-06-09.md (this file)
  • 00-index.md patched (revision bump).