Authority Matrix — Fresh-Read Closure for B/C/D/G/H

Nature: narrow READ-ONLY fresh-read closure of the five blocked authority domains (B/C/D/G/H) of the Authority Decision Matrix. NOT design, NOT implementation, NOT cleanup, NOT a reconciliation mutation. Decides nothing; turns the GPT-deferred domains into reviewable/sealable evidence. Production mutation: NO. Every PostgreSQL read was a READ ONLY SELECT via query_pg (role context_pack_readonly, statement_timeout 5s, hard LIMIT 500). No install, no registry edit, no PG mutation, no Directus update, no tool/schema/runner created, no FIX7 resumed, no denominator collapsed, no system_issue generated, no detector function executed, no authority decided by assumption. Strict rule applied: "Không chắc đúng = sai." Anything not directly read is marked UNVERIFIED/BLOCKED. A single canonical DOT number is treated as a disguised hardcode — every count carries denominator + query + surface + timestamp + confidence; counts are not collapsed. Inputs adopted (GPT review, tentative): A/E/F/I/J adopted as safe defaults. This document does not reopen them. It only patches B/C/D/G/H.

0. Evidence mode & timestamp

Field	Value
Session	2026-06-09, follow-on to the baseline (live anchor `2026-06-09 07:11:52 UTC`).
PG surface	PostgreSQL 16, DB `directus`, role `context_pack_readonly`, READ ONLY, 5s timeout, LIMIT 500 (`mcp__claude_ai_Incomex_VPS__query_pg`).
FS surfaces	PG mirror tables `wf_fs_dot_bin_snapshot` (observed_at 2026-06-09 02:10:15 UTC) and `wf_fs_script_snapshot` (observed_at 2026-06-09 02:10:47 UTC). No new OS scan since baseline — same snapshot batch.
Meta scan	`meta_catalog` CAT-006 `last_scan_date = 2026-06-09 06:00:00.436`.
Direct OS listing	BLOCKED — `read_file` allowlist = `/opt/incomex/docs`, `/opt/incomex/dot/specs`, `/var/log/nginx` only; `/opt/incomex/dot/bin` and `/opt/incomex/scripts` are NOT allowlisted; no VPS shell. PG mirrors are the freshest reachable FS evidence.
Mutation status	NO. Reads only. Output = 4 KB docs (this report + JSON + checkpoint + index patch).

Per-domain evidence mode: B/C/D = LIVE-READ (PG views/tables + view definitions) + UNVERIFIABLE-by-tooling residuals named; G = LIVE-READ (catalog + counts; detector fns NOT run); H = LIVE-READ (counts + pg_views/pg_proc bridge search).

1. Final verdict

FRESH_READ_CLOSURE_PARTIAL

The fresh read achieved everything reachable read-only and resolved the evidence questions for all five domains, but cannot be sealed as-is for three reasons, all stated explicitly rather than smoothed over:

C contradicts its own draft recommendation. The matrix's proposed safe-call set 186-confirmed ∩ command-catalog-governed is not computable — the two operands live in disjoint identifier spaces and join to 0 rows. This is a decisive new finding that requires a matrix patch + Codex re-decision (pick a single call layer), not a seal of the existing wording.
Two items are permanently UNVERIFIABLE with read-only tooling (not closeable by any further read): the exact filter behind CAT-006.actual_count = 163 (written by an external on-deploy script, not a DB object) and a true live OS listing of /opt/incomex/dot/bin / /opt/incomex/scripts (allowlist + no shell). Both are now bounded and explained; the PG mirror is the canonical-available FS evidence.
B/C/D still require owner/Codex decisions (not reads): B = the definition of "can run"; C = which execution layer the verifier may call + the safe set; D = the canonical registry↔FS diff base.

Resolved to evidence-complete by this read: D (the 41-vs-4 divergence is now fully explained), G (EXISTING_AUTHORITY_SUFFICIENT), H (NO_BRIDGE_DUAL_REPORT_ONLY), plus the two previously-BLOCKED side surfaces (the "42" scripts surface is resolved; the FS mirror is reproduced exactly).

Why not …READY_FOR_CODEX_SEAL: C's draft formula is refuted by fresh evidence — the matrix must be patched before sealing, and two residuals can never be closed by reading. Sealing now would seal a contradiction. Why not …BLOCKED: nothing the fresh read could reach is missing; G and H are decided, D is explained, and the residuals are bounded — the closure is substantive, only the final decisions remain.

2. B/C/D/G/H status table

Dom	Previous status	Fresh evidence (this read)	Resolved?	Conf	Codex review?	Planning impact
B DOT runtime executable authority	BLOCKED — "which surface proves a DOT can run"; needs fresh read	Surfaces fully sourced: operational 214 + mapped 186 (`wf_fs_dot_bin_snapshot`, 02:10, unchanged); run-ledger `dot_iu_command_run` 55; `dot_iu_runtime_lease` 0 (no live lease); registry has no executable bit (`classification='real'`=0). `actual_count=163` is an external-sync artifact, filter UNVERIFIABLE (see §App-1).	*Evidence resolved; "can run" definition* pending**	MED	YES	"Can run" must be defined as presence (214) + proof-of-run (55 run-ledger) — NOT registry presence, NOT 163, NOT local checkout. Two residuals are UNVERIFIABLE-by-design → accept PG mirror as canonical.
C DOT safe-reuse / safe-call authority	BLOCKED — needs the computed safe-call profile	`186 ∩ command-catalog` JOINS TO 0 (on `name` and on `code`). The two sets are disjoint identifier spaces: 186-confirmed = filesystem `dot_tools` scripts; command-catalog = `fn_iu_` PG functions. A computable safe read-only set DOES exist on the IU layer = 15* `mutating=false` commands (12 also `reversible=true`).	Resolved-as-refuted; decision pending	HIGH (on the refutation) / MED (on the alternative)	YES	The draft C formula cannot be used. Owner/Codex must pick the call layer: filesystem `dot_tools` (no exit-code/governance, coverage `partial` → NOT safe to call) vs IU command-catalog read-only 15 (governed, but defer in read-only v0.1).
D Registry↔FS reconciliation contract	BLOCKED — 41 vs 4 unresolved; canonical base undecided	41-vs-4 fully explained by captured view definitions: `v_dot_registry_no_file`=41 uses stale 06-03 `_recon_dot_fs_inventory`, match-key `name~file_name`, population active/published `dot-%` only; `v_dot_reconciliation_reliability`.DOT_MISSING_FILE=4 uses fresh 06-09 `wf_fs_dot_bin_snapshot`, match-key `code=mapped_dot_code`, over all 309. Neither is wrong — different base + key + population.	Evidence resolved; canonical-base pick pending (owner)	HIGH	YES	Owner picks canonical diff base; the fresh code-keyed reliability view (4 missing) is the more current. Call boundary (unmatched = NON-CALLABLE) + read-only warning stands. Reconcilers already deployed — reuse, don't rebuild.
G Graph / duplicate / orphan authority	BLOCKED/Partial — gap unproven	Deployed and populated: graph `universal_edges`=2199, `v_kg_edges_all`=2259, `entity_dependencies`=142; orphan `fn_dot_wf_orphan_detector(_v2)` + `wf_orphan_digest_v2`=6 + `wf_orphan_remediation_queue`=145 + orphan views; duplicate `v_birth_duplicate_issue_guard` / `v_rp_dedup_signature_gap` / `v_system_issue_semantic_duplicate_dashboard` / `v_system_issue_idempotency_guard`; reconcile `fn_reconcile_fk_vs_edges` / `fn_reconcile_rules_vs_views`.	RESOLVED — `EXISTING_AUTHORITY_SUFFICIENT`	HIGH	Light (confirm no-fork)	New duplicate/graph/orphan resolver PROHIBITED. Doc-level canonical-id resolver = gap NOT proven (existing engines target DB entities) → must run existing engines and show a miss before any build.
H Text-as-Code corpus authority	BLOCKED/UNRESOLVED — IU 219 vs TAC 102, no compat view	NO bridge at any level: 0 views and 0 functions reference both `tac_logical_unit` and `information_unit`; 0 views reference `tac_logical_unit` at all; no `tac_iu_`/`iu_tac_` table. IU layer = 117 `fn_iu_` + 11 views + 219 rows; TAC = 7 `fn_tac_` + 0 views + 102 rows. `tac_change_set`=0 (TAC's own supersession machinery is empty + TAC-internal).	RESOLVED — `NO_BRIDGE_DUAL_REPORT_ONLY`	HIGH	YES (corpus authority is owner+Codex)	Tool MUST remain dual-reporting only; MUST NOT choose canonical; MUST NOT create a bridge. Bridge/owner-decree required before any tool consumes a corpus.

3. Count / diff table (DO NOT COLLAPSE)

All query_pg against DB directus, this session. Every row is a distinct denominator on a distinct surface at a distinct date.

#	Surface	Denominator	Count	Date / mode	Conf	Notes
R1	`dot_tools`	registry rows	309	live; frozen 04-02	HIGH	catalog of record (domain A)
R2	CAT-006 `record_count`/`active_count`	catalog claim	309 / 309	scan 06:00	HIGH	= R1
R3	CAT-006 `actual_count`	external FS-scan field	163	scan 06:00	HIGH value / UNVERIFIABLE filter	written by `dot-catalog-sync` (external); no DB writer sets 163 — see §App-1
R4	CAT-006 `baseline_count`	baseline	151	scan 06:00	HIGH
F1	`wf_fs_dot_bin_snapshot` total	`/opt/incomex/dot/bin` objects	289	snapshot 02:10 (unchanged)	HIGH	all `object_type='executable'`
F2	…status=OPERATIONAL	live non-backup	214	02:10	HIGH	reproduced exactly
F3	…status=NOISE_BACKUP	backups	75	02:10	HIGH
F4	…`mapped_dot_code` non-null	operational mapped to registry	186 (distinct 186)	02:10	HIGH	reproduced exactly
F5	derived (F2−F4)	operational-not-mapped (file-no-registry, fresh)	28	06-09	MED
S1	`wf_fs_script_snapshot` total	`/opt/incomex/scripts` objects	42	snapshot 02:10:47	HIGH	the "42 surface" (32 exec-OPERATIONAL + 7 exec-BACKUP + 3 file-OPERATIONAL)
S2	…operational	operational scripts	35	02:10:47	HIGH	32 exec + 3 file
S3	…`mapped_dot_code` non-null	scripts mapped to DOT	0	02:10:47	HIGH	separate surface — not DOT
L1	`v_dot_reconciliation_reliability`	309 stratified (fresh snapshot, `code` key)	186 CONFIRMED / 100 REGISTERED / 19 HELPER / 4 MISSING_FILE	live	HIGH	sums 309
L2	`v_dot_registry_no_file`	registry-no-file (stale 06-03, `name` key, active/published `dot-%`)	41	live	HIGH	different base+key+population than L1's 4
L3	`v_dot_fs_reconciliation`	06-03 FS joined to registry	OK_REGISTERED_BORN 193 / BACKUP(in_reg) 68 / FILE_NO_REGISTRY 16 / BACKUP(not_reg) 8 / NON_DOT 2	live; 06-03 base	HIGH	file-no-registry 16 pure
C1	`dot_iu_command_catalog`	IU command bridge entries	54 (mutating 39 / non-mutating 15 / reversible 41)	live	HIGH	→ `fn_iu_*` functions, NOT `dot_tools`
C2	…`mutating=false`	read-only safe-call set (IU layer)	15 (12 also reversible)	live	HIGH	the genuinely safe read-only call set
C3	join `dot_iu_command_catalog ⋈ dot_tools`	on `name` / on `code`	0 / 0	live	HIGH	no join key — disjoint spaces
X1	`dot_iu_command_run`	run-ledger rows	55	live	HIGH	proof-of-run history
X2	`dot_iu_runtime_lease`	active execution leases	0	live	HIGH	none held now
G1	`universal_edges`	graph edges	2199	live	HIGH
G2	`v_kg_edges_all`	KG edges (union view)	2259	live	HIGH
G3	`entity_dependencies`	dependency edges	142	live	HIGH
O1	`dot_coverage_required`	required-coverage rows	11	live	HIGH	basis for "unmonitored" check
O2	`wf_orphan_digest_v2`	orphan digest output	6	live	HIGH	Đ19/Đ23 output present
O3	`wf_orphan_remediation_queue`	remediation queue	145	live	HIGH	populated
O4	`v_registry_counts` (base table)	registry count ledger	169	live	HIGH
T1	`information_unit`	IU rows	219	live	HIGH
T2	`tac_logical_unit`	TAC logical units	102	live	HIGH	+ `tac_unit_version` 102 / `tac_publication_member` 102 / `tac_publication` 4 / `tac_change_set` 0
T3	bridge search	views/functions joining TAC+IU	0 / 0	live	HIGH	views ref IU 11, ref TAC 0; `fn_iu_` 117, `fn_tac_` 7
I1	`system_issues`	issue rows by status	open 223,313 / resolved 674 / archived 20	live	HIGH	sink populated; top source `heal_description_basic` 216,378

4. Safe-call set result

PARTIAL

The expression as literally specified — registry-confirmed/mapped (186) ∩ command-catalog-governed (54) — is NOT computable: dot_iu_command_catalog ⋈ dot_tools joins to 0 rows on both name and code (C3). The 186 are filesystem dot_tools scripts (keyed code / name); the catalog governs fn_iu_* PostgreSQL functions (keyed command_name → target_functions[]). They are disjoint object spaces — the intersection is empty/meaningless. As written: UNSAFE / non-computable → cannot be the safe-call denominator.
A genuinely safe, computable read-only call set DOES exist — but on the IU command-catalog layer alone: 15 commands with mutating=false (12 of those also reversible=true), each mapping to read/verify/healthcheck fn_iu_* functions (e.g. dot_iu_healthcheck, dot_iu_validate_collection, dot_iu_kg_edge_audit, dot_iu_sql_link_validate, dot_iu_gate_verify_closed, dot_iu_render_file, dot_iu_subtree). This set is governed by the mutating/reversible flags and (when used) dot_iu_runtime_lease.
Per-entry attributes of the 186 fs-confirmed (the matrix's intended set): file_path ✅, registry row ✅ (dot_tools), FS executable confirmation ✅ (snapshot object_type='executable'), status ✅ (active) — but command-catalog row ✗ (join=0), native registry executable bit ✗ (classification='real'=0), and coverage_status='partial', classification='other'. So they are shell scripts with no exit-code / reversibility contract → NOT safe for a verifier to call directly.
Safe enough for a future Implementation Package DOT to call directly? Filesystem 186: NO. IU read-only 15: YES on the IU layer, with governance — but deferred in read-only v0.1 (the verifier reads, it does not invoke).
Decision required (Codex/owner): choose ONE call layer (filesystem dot_tools vs IU command-catalog). They cannot be intersected. The matrix's C formula must be replaced (see §7).

5. TAC↔IU result

NO_BRIDGE_DUAL_REPORT_ONLY

information_unit = 219; tac_logical_unit = 102 (tac_unit_version 102, tac_publication_member 102, tac_publication 4).
No bridge exists at any level: pg_views joining both = 0; pg_proc referencing both = 0; views referencing tac_logical_unit at all = 0; no tac_iu_* / iu_tac_* table.
No cross-corpus current/supersession/diff/apply function. TAC has its own change-set machinery (tac_change_set / tac_change_set_member / tac_cs_lifecycle_vocab) but it is empty (0 rows) and TAC-internal. IU has its own (iu_lifecycle_log / iu_relation / iu_merge_set / iu_split_set / iu_structure_operation) — IU-internal. They never meet.
Asymmetry: IU is heavily built out (117 fn_iu_*, 11 views, 219 rows); TAC is lighter (7 fn_tac_*, 0 views, 102 rows).
Tool work must remain dual-reporting only. It must not choose a canonical corpus, must not silently merge, and must not create a bridge. A bridge view or explicit owner decree is required before any tool consumes a corpus as canonical.

6. Duplicate / graph / orphan result

EXISTING_AUTHORITY_SUFFICIENT (for the named scope) — with one unproven doc-level question carried forward.

Graph / impact: universal_edges (2199), v_kg_edges_all (2259), entity_dependencies (142) — deployed & populated.
Orphan: fn_dot_wf_orphan_detector + _v2, fn_refresh_orphan_dot/col/species (+ triggers); outputs wf_orphan_digest_v2 (6), wf_orphan_remediation_queue (145); views v_birth_orphan, v_workflow_orphan_v2, v_process_discovery_orphan_components, v_trigger_orphan_stale_detector — deployed & populated.
Duplicate: v_birth_duplicate_issue_guard, v_rp_dedup_signature_gap, v_system_issue_semantic_duplicate_dashboard, v_system_issue_idempotency_guard — deployed (a real dedup engine exists; system_issues itself carries violation_hash / coalesce_key / occurrence_count / reopen_count).
Đ23 inverse-check: present as a function/view family (orphan detectors + fn_reconcile_fk_vs_edges / fn_reconcile_rules_vs_views / fn_reconcile_all_labels; coverage dot_coverage_required 11, v_registries_pivot_process_missing_surface, v_workflow_rp_missing_processes(_v2); registry-inverse v_dot_registry_no_file/v_dot_fs_reconciliation/v_dot_reconciliation_reliability).
Verdict: a new duplicate/graph/orphan resolver is PROHIBITED — the authority already exists. The first plan's "doc-level canonical-id / duplicate-authority resolver" is NOT a proven gap (the deployed duplicate engines target DB entities — birth_registry, system_issues, rp signatures — not KB-document canonical-id). Before any such build, the existing engines must be run read-only and a concrete miss demonstrated (gap proof), per the anti-duplication discipline this initiative exists to enforce.
⚠️ This read did not execute the detector functions (they may write digests) and did not create or modify any system_issues row; outputs were read from their result tables/views only.

7. Revised authority matrix patch (B/C/D/G/H only)

A/E/F/I/J are unchanged (fresh evidence does not contradict them; F is reinforced — fn_tac_log_checker_issue → system_issues is confirmed live with 223,313 open rows and an idempotency contract). Patches below replace the corresponding draft text.

A (untouched, reinforced): 309 dot_tools = catalog of record, frozen 2026-04-02, listing always a live query. (refresh_all_meta_counts would set record_count=active_count=actual_count=count(*); it is inert because record_count already equals count(*).)
B — patch: "Can run" = filesystem presence (wf_fs_dot_bin_snapshot status=OPERATIONAL = 214) plus an actual-run record (dot_iu_command_run = 55) or a governed dry-run. Registry presence, actual_count=163, and the local checkout are explicitly NOT runnability proof. actual_count=163 is demoted to UNVERIFIABLE-by-design / UNSAFE-as-denominator (external dot-catalog-sync artifact; no DB writer produces it; conflicts with record_count in the same row by design). The PG mirror (02:10) is accepted as the canonical-available FS evidence; a live OS listing is permanently unreachable read-only. Codex still seals the presence-vs-proof-of-run definition.
C — patch (replaces the 186 ∩ command-catalog formula): The intersection is non-computable (join=0; disjoint spaces). The verifier must target one layer. Recommended for read-only v0.1: target the IU command-catalog read-only set (15 mutating=false commands) for any future call, governed by mutating/reversible + dot_iu_runtime_lease; the filesystem dot_tools 186 are NOT directly callable (no exit-code/reversibility contract, coverage partial). v0.1 reads, does not invoke. No static whitelist. Codex/owner picks the call layer.
D — patch: The 41-vs-4 divergence is explained, not a defect: v_dot_registry_no_file=41 (stale 06-03 _recon base, name-key, active/published dot-% only) vs v_dot_reconciliation_reliability.MISSING_FILE=4 (fresh 06-09 snapshot, code-key, all 309). Recommended canonical reg→FS diff base for a current contract: the fresh code-keyed reliability view; keep v_dot_registry_no_file as a stale-base advisory. Call boundary: unmatched = NON-CALLABLE + read-only warning. Reconcilers already deployed — reuse, do not rebuild; no reconciliation mutation. Owner seals the canonical base.
G — patch: EXISTING_AUTHORITY_SUFFICIENT. New duplicate/graph/orphan resolver PROHIBITED. Deployed engines: graph (universal_edges/v_kg_edges_all/entity_dependencies), orphan (fn_dot_wf_orphan_detector(_v2) + digests/queue/views), duplicate (v_birth_duplicate_issue_guard/v_rp_dedup_signature_gap/v_system_issue_semantic_duplicate_dashboard). Doc-level canonical-id resolution is an unproven gap — run existing engines read-only and show a miss before proposing any build.
H — patch: NO_BRIDGE_DUAL_REPORT_ONLY. Confirmed at table/view/function level (0 bridge anywhere). Tool dual-reports IU (219) and TAC (102) separately; never chooses, never merges, never builds a bridge. Bridge view or owner decree required before any corpus consumption.

Net: none of A/E/F/I/J disturbed; B/C/D sharpened and still require Codex/owner seals; G/H now closed to EXISTING_AUTHORITY_SUFFICIENT and NO_BRIDGE_DUAL_REPORT_ONLY respectively. The Implementation Package DOT read-only reporting skeleton remains permitted under A/E/F/I/J; the call (C) / reconcile-contract (D) / corpus-consume (H) / new-resolver (G) surfaces remain BLOCKED pending the seals.

8. Minimal next step (exactly one)

Route this fresh-read closure to Codex/owner to (a) seal D (canonical base = fresh code-keyed reliability view) and B (presence + proof-of-run definition), (b) decide C by picking a single call layer — the matrix's 186 ∩ command-catalog formula is withdrawn as non-computable — and (c) ratify G = EXISTING_AUTHORITY_SUFFICIENT and H = NO_BRIDGE_DUAL_REPORT_ONLY. No further read is productive (the two residuals — actual_count filter and live OS listing — are permanently unreachable read-only and are accepted as UNVERIFIABLE-by-design). No tool/schema/runner until the seals.

Appendix A — Investigation evidence (read-only, reproducible)

App-1 · CAT-006 `actual_count = 163`

meta_catalog has no SQL-filter column; actual_count is a plain integer written externally. CAT-006 row: sync_script='dot-catalog-sync', sync_frequency='on-deploy', source_location='File:dot/bin/', last_scan_date=2026-06-09 06:00:00.436, record_count=309, active_count=309, actual_count=163, baseline_count=151.
Functions referencing actual_count (only 3): refresh_all_meta_counts, refresh_registry_views, fn_registries_pivot_node_substrate. refresh_all_meta_counts does UPDATE meta_catalog SET record_count=active_count=actual_count=count(*) FROM <registry_collection> guarded by IF record_count IS DISTINCT FROM count(*) → for CAT-006 it would set 309 and is inert (record_count already 309). No DB function writes 163. No function/flow named dot-catalog-sync/dot_catalog_sync exists.
Conclusion: 163 is an external on-deploy FS-scan count (dot-catalog-sync, not a DB object, not reachable via read_file allowlist or shell). It numerically equals the local non-production checkout …/web-test/dot/bin (163) and ≠ operational 214 ≠ mapped 186. Filter UNVERIFIABLE; UNSAFE as an authority denominator (undefined filter, conflicts with record_count in-row, written out-of-band). Use wf_fs_dot_bin_snapshot instead.

App-2 · `/opt/incomex/dot/bin` (PG mirror)

wf_fs_dot_bin_snapshot, observed_at 2026-06-09 02:10:15 UTC (single batch). total 289 = executable/OPERATIONAL 214 + executable/NOISE_BACKUP 75; non-executable 0; mapped_dot_code non-null 186 (distinct 186). No fresh delta vs baseline — same snapshot. Naming: dot-<name> executables map to DOT-NNN (e.g. dot-agent-down→DOT-001); non-dot--prefixed .sh (e.g. apply_composition_fixes.sh) are operational-but-unmapped (part of the 28). Live OS listing BLOCKED.

App-3 · `/opt/incomex/scripts` — the "42 surface" (RESOLVED)

wf_fs_script_snapshot, observed_at 2026-06-09 02:10:47 UTC. total 42 = executable/OPERATIONAL 32 + executable/NOISE_BACKUP 7 + file/OPERATIONAL 3. mapped_dot_code non-null = 0. Naming = ops/infra .sh (backup-to-gdrive.sh, cdn-cache-warm.sh, check-*.sh, cron-env.sh, db-permissions-guard.sh, disk-monitor.sh), backups .pre-fix-*/.pre-s174. These are support/automation scripts — a separate filesystem surface from DOT; EXCLUDE from DOT authority and DOT runtime authority. The historical "42" reconciles to this snapshot total.

App-4 · Registry↔FS diffs (view definitions captured)

v_dot_registry_no_file (41): dot_tools WHERE status∈(active,published) AND name LIKE 'dot-%' AND NOT EXISTS (match in _recon_dot_fs_inventory on regexp_replace(file_name,'\.bak.*$','')=name). Stale 06-03 base, name-key.
v_dot_reconciliation_reliability (186/100/19/4): dot_tools LEFT JOIN LATERAL latest wf_fs_dot_bin_snapshot on mapped_dot_code=code; CONFIRMED when snapshot match exists; MISSING_FILE(4) when script_path non-empty and no match. Fresh 06-09 base, code-key, all 309.
v_dot_fs_reconciliation (16 FILE_NO_REGISTRY): _recon (06-03) LEFT JOIN dot_tools on name=tool_name + born-check vs birth_registry.
41 vs 4 = different base (06-03 vs 06-09) + key (name vs code) + population (active/published dot-% vs all 309).

App-5 · Safe-call (join test)

dot_iu_command_catalog ⋈ dot_tools on lower(name)=lower(command_name) = 0; on code=command_name = 0. Catalog total 54 (mutating 39 / non-mutating 15). Read-only set (mutating=false) listed: dot_iu_filter_axis_b, dot_iu_gate_verify_closed, dot_iu_healthcheck, dot_iu_kg_edge_audit, dot_iu_operator_cleanup_staging_dry_run, dot_iu_operator_verify_cut, dot_iu_operator_verify_mark, dot_iu_reconstruct_source, dot_iu_render_file, dot_iu_sql_link_resolve, dot_iu_sql_link_validate, dot_iu_subtree, dot_iu_test_harness_run, dot_iu_validate_collection, dot_iu_verify_cut_result. 186-confirmed sample: status active, classification other, coverage_status partial, has_script_path+has_file_path true.

App-6 · Đ23 inverse-check / system_issues (read-only)

Functions: fn_tac_log_checker_issue (the sink writer, domain F), fn_dot_wf_orphan_detector(_v2), fn_reconcile_all_labels, fn_reconcile_fk_vs_edges, fn_reconcile_rules_vs_views, fn_refresh_orphan_dot/col/species + triggers, fn_iu_staging_unregister. Outputs read: wf_orphan_digest_v2=6, wf_orphan_remediation_queue=145, dot_coverage_required=11, v_registry_counts=169. system_issues: open 223,313 / resolved 674 / archived 20 (top sources heal_description_basic 216,378; dot-context-pack-verify 2,933; dot-dot-health 2,640; …). No detector run, no issue created.

App-7 · Duplicate/graph/orphan engines — see §6. App-8 · TAC↔IU bridge search — see §5.

Appendix B — surfaces read

DB directus via query_pg (READ ONLY): meta_catalog (CAT-006 full row + columns), pg_get_functiondef(refresh_all_meta_counts), pg_proc (actual_count / catalog_sync / tac+iu / orphan/dedup/reconcile fn searches), pg_views (v_dot_* definitions; tac+iu bridge search), information_schema.columns/tables (script/orphan/duplicate/monitor/coverage/iu/tac sweeps), dot_tools (cols + reliability join sample), dot_iu_command_catalog (rows + join tests), dot_iu_command_run/dot_iu_runtime_lease, wf_fs_dot_bin_snapshot / wf_fs_script_snapshot (group-by + samples), v_dot_reconciliation_reliability / v_dot_registry_no_file / v_dot_fs_reconciliation (counts), universal_edges/v_kg_edges_all/entity_dependencies, information_unit/tac_*, dot_coverage_required/wf_orphan_digest_v2/wf_orphan_remediation_queue/v_registry_counts, system_issues (status/source group-by + columns), directus_flows (catalog/sync search). Mutation: NONE.