DOT / Registry / Directus / Text-as-Code — Baseline Reconciliation Snapshot (READ-ONLY, 2026-06-09)
DOT / Registry / Directus / Text-as-Code — Baseline Reconciliation Snapshot
Nature: evidence snapshot + reconciliation. NOT planning, NOT design, NOT recommendation. Every count below carries denominator + source query + evidence-mode + timestamp + confidence + conflicts. Counts are not collapsed. Strict rule applied: "Không chắc đúng = sai." Anything not directly read is marked UNVERIFIED or BLOCKED — not filled with judgment.
1. Final verdict
BASELINE_READY_FOR_AUTHORITY_DECISION — for the DOT / registry / Directus / IU-TAC count axis.
The previously "conflicting" numbers are now resolved as distinct denominators on distinct surfaces at distinct dates, all separately named and sourced below. The apparent contradiction (309 vs 287 vs 214 vs 186 vs 163 vs 54 vs 41) was a denominator-collapse error, exactly as the Codex cross-check warned. This baseline does not pick a canonical denominator — that is the owner authority decision this snapshot now enables.
Three residual items remain UNVERIFIED/BLOCKED (listed in §2, §3) and do not block the authority decision but must not be silently resolved:
- the
/opt/incomex/scripts"42" surface (not reachable read-only), - the exact filter behind
CAT-006.actual_count = 163(value read, definition unproven), - the TAC↔IU corpus authority (counts read; no DB compatibility view exists → still an owner decision).
This corrects my own prior text-as-code-reuse-anti-duplication-audit-2026-06-09.md, which the Codex cross-check rated CLAUDE_AUDIT_UNSAFE_TO_USE_FOR_PLANNING for omitting this ledger. (It also flagged my use of background sub-agents; this baseline was produced entirely in the main process via direct read-only query_pg calls — no sub-agents.)
2. Timestamp and evidence mode
| Field | Value |
|---|---|
| UTC timestamp (live anchor) | 2026-06-09 07:11:52 (SELECT now() AT TIME ZONE 'UTC'); further reads through ~07:30 UTC |
| PG surface | PostgreSQL 16.13, DB directus, role context_pack_readonly, READ ONLY transaction, statement_timeout 5s, hard LIMIT 500 (tool: mcp__claude_ai_Incomex_VPS__query_pg) |
| Directus surface | https://directus.incomexsaigoncorp.vn — health ok (tool: mcp__directus__directus_health); container incomex-directus directus/directus:11.5 Up 4 weeks |
| Container surface | mcp__claude_ai_Incomex_VPS__list_docker — 11 containers; postgres:16 Up 7 weeks (healthy) |
| Local FS surface | Bash find/count on /Users/nmhuyen |
| KB surface | mcp__agent-data__* (read) |
| Mutation status | NO — every PG read was a READ ONLY SELECT; no Directus write; no FS write; no KB write except the four output docs of this report |
Per-surface evidence mode: A DOT registry/pivot/metadata = LIVE-READ; B filesystem DOT = LIVE-READ via PG mirror tables (direct OS listing BLOCKED); C repo DOT = LIVE-READ (local); D Directus = LIVE-READ; E command/taxonomy = LIVE-READ; F orphan/mismatch = LIVE-READ (views); G IU/TAC = LIVE-READ; H old reports = KB-READ (comparison only).
3. Count matrix (DO NOT COLLAPSE)
All query_pg against DB directus. "LIVE 07:11" = read this session. Conflicts column points to numerically-close-but-different denominators.
3A. DOT registry / pivot / metadata
| # | Surface | Denominator definition | Count | Source query | Mode/Time | Conf | Conflicts/notes |
|---|---|---|---|---|---|---|---|
| A1 | dot_tools |
registry rows (all) | 309 | SELECT count(*) FROM dot_tools |
LIVE 07:11 | HIGH | ≠ files; ≠ fs-confirmed(186) |
| A2 | dot_tools by status |
rows by status | active 291, published 16, null 2 | SELECT status,count(*) FROM dot_tools GROUP BY status |
LIVE | HIGH | sums 309 |
| A3 | dot_tools by category |
rows by category (25 cats) | null 142, cấu_trúc_dữ_liệu 37, vận_hành 21, … (sum 309) | SELECT category,count(*) FROM dot_tools GROUP BY category |
LIVE | HIGH | 142/309 have NO category |
| A4 | dot_tools.file_path populated |
rows with non-empty file_path | 228 | …count(*) FILTER (WHERE file_path<>'') |
LIVE | HIGH | = Codex 228/309 |
| A5 | dot_tools.script_path populated |
rows with non-empty script_path | 119 | same query | LIVE | HIGH | = Codex 119/309 → ~190 are DB/non-file |
| A6 | dot_tools.classification='real' |
rows flagged "real" | 0 | same query | LIVE | HIGH | classification col unused → "real DOT" NOT derivable from this col |
| A7 | dot_tools freshness |
max(date_updated)/max(last_executed) | 2026-04-02 / 2026-03-31 | same query | LIVE | HIGH | 🔴 registry frozen since 2026-04-02 while FS scans are fresh |
| A8 | meta_catalog CAT-006 |
record_count |
309 | SELECT * FROM meta_catalog WHERE code='CAT-006' |
LIVE; last_scan 06:00 | HIGH | = A1 |
| A9 | CAT-006 | active_count |
309 | same | LIVE | HIGH | = A1 |
| A10 | CAT-006 | actual_count |
163 | same | LIVE; scan 2026-06-09 06:00 | HIGH (value) / UNVERIFIED (definition) | 🔴 in-row 309-vs-163 conflict; exact filter unknown; numerically = C-surface(163) |
| A11 | CAT-006 | baseline_count |
151 | same | LIVE | HIGH | |
| A12 | CAT-006 | orphan_count |
0 | same | LIVE | HIGH | |
| A13 | PIV-007 (pivot_results) |
"DOT Tools — Total" metric.count | 309 | …WHERE pivot_code='PIV-007' |
LIVE; refreshed 07:07, needs_refresh=false | HIGH | = A1 |
| A14 | PIV-104 (pivot_results) |
"DOT Tools theo Nhóm" group-sum (25 groups) | 309 | …WHERE pivot_code='PIV-104' (Σ totals) |
LIVE; refreshed 07:07 | HIGH | parent PIV-007==Σchildren |
3B. Filesystem DOT (PG-mirror surfaces; direct OS listing BLOCKED)
| # | Surface | Denominator | Count | Source query | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| B1 | wf_fs_dot_bin_snapshot |
total objects in /opt/incomex/dot/bin |
289 | SELECT count(*) … |
LIVE-snapshot 2026-06-09 02:10 (freshest FS) | HIGH | = ~287-288 family, fresher |
| B2 | wf_fs_dot_bin_snapshot |
object_type=executable status=OPERATIONAL | 214 | GROUP BY object_type,status |
snapshot 02:10 | HIGH | non-backup live files |
| B3 | wf_fs_dot_bin_snapshot |
status=NOISE_BACKUP | 75 | same | snapshot 02:10 | HIGH | |
| B4 | wf_fs_dot_bin_snapshot |
operational mapped to a registry mapped_dot_code |
186 (distinct 186) | …count(*) FILTER (WHERE mapped_dot_code<>'') |
snapshot 02:10 | HIGH | = reliability FINAL (F1) |
| B5 | derived | operational files NOT mapped to registry | 28 (214−186) | arithmetic | derived | MED | fresh file-no-registry |
| B6 | _recon_dot_fs_inventory |
total files (older inventory) | 287 | SELECT count(*) … |
LIVE-snapshot 2026-06-03 08:27 (6d stale) | HIGH for date | base of B-views below |
| B7 | _recon_dot_fs_inventory |
executable / backup / dot-prefixed | 287 / 76 / 285 | filters | 06-03 | HIGH for date | all 287 executable |
| B8 | direct OS ls /opt/incomex/dot/bin |
actual live directory listing | — | read_file allowlist excludes /opt/incomex/dot/bin; no shell exec; /opt/incomex not local |
BLOCKED | — | rely on B1/B6 PG mirrors |
3C. Repo / local DOT
| # | Surface | Denominator | Count | Source | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| C1 | …/Documents/Manual Deploy/web-test/dot/bin |
files / executable in a LOCAL repo checkout | 163 / 163 | find … -type f |
LIVE-local now | HIGH | the "163" surface; not production, not registry; numerically = A10 |
| C2 | other local dot/bin dirs |
agent-data-test (4), agent-data-langroid (1) | 4 / 1 | find |
LIVE-local | HIGH | tiny test checkouts |
| C3 | /opt/incomex/dot/bin (repo↔VPS compare) |
— | — | /opt/incomex not mounted locally |
BLOCKED | — | cannot diff repo↔VPS file-by-file here |
3D. Directus flows / control
| # | Surface | Denominator | Count | Source query | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| D1 | directus_flows |
total flows | 128 | SELECT count(*) FROM directus_flows |
LIVE | HIGH | active 111 / inactive 17 |
| D2 | directus_flows by status |
active 111, inactive 17 | GROUP BY status |
LIVE | HIGH | "111" ≈ old report 111 | |
| D3 | directus_flows by trigger |
event 121, schedule 5, webhook 2 | GROUP BY trigger |
LIVE | HIGH | ||
| D4 | directus_flows DOT-named |
name ILIKE '%dot%' | 36 (33 active, 3 inactive) | …FILTER(name ILIKE '%dot%') |
LIVE | HIGH | families: [DOT] sync, [DOT-REG] registry→AgentData mirror (~21), [WATCHDOG] dot_tools→Changelog (3), [AUTO-ID] |
3E. Command catalog / operations / taxonomy bindings (separate from DOT-tool count)
| # | Surface | Denominator | Count | Source query | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| E1 | dot_iu_command_catalog |
IU↔DOT command bridge entries | 54 (mutating 39, reversible 41) | SELECT count(*)… |
LIVE; max_registered 2026-05-29 | HIGH | NOT dot_tools; the "54" surface |
| E2 | dot_iu_command_run |
command run-ledger rows | 55 | union count | LIVE | HIGH | runs, not commands |
| E3 | dot_operations |
DOT operation codes | 20 | union count | LIVE | HIGH | |
| E4 | law_dot_enforcement |
law↔DOT enforcement bindings | 272 | union count | LIVE | HIGH | ⚠ numerically = old 04-17 "272 total dot_tools" but different denominator |
| E5 | taxonomy / taxonomy_facets / taxonomy_matrix |
taxonomy rows / facets / matrix bindings | 58 / 10 / 36 | union count | LIVE | HIGH | |
| E6 | dot_iu_runtime_lease |
execution lease surface | (exists, not counted) | listed in schema | LIVE (existence) | HIGH | execution layer — do not ignore |
3F. Orphan / unborn / registry↔file mismatch
| # | Surface | Denominator | Count | Source query | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| F1 | v_dot_reconciliation_reliability |
309 registry rows stratified by FS-confirmation | 186 DOT_EXECUTABLE_CONFIRMED (FINAL, fs 02:10) / 100 DOT_REGISTERED (PARTIAL) / 19 DOT_HELPER_TOOL (ADVISORY) / 4 DOT_MISSING_FILE (NEEDS_RECONCILE) | GROUP BY reliability_label,dot_class |
LIVE | HIGH | sums 309; 186 = fs-confirmed real DOTs |
| F2 | v_dot_registry_no_file |
registry rows with no matching file | 41 | SELECT count(*) FROM v_dot_registry_no_file |
LIVE | HIGH | = Codex 41; on its match-base |
| F3 | v_dot_fs_reconciliation (on 06-03 inv) |
FS files joined to registry | total 287: in_registry/born 261, file_no_registry/unborn 26 | aggregate | LIVE; FS base 06-03 | HIGH for base | 16 pure FILE_NO_REGISTRY + 8 backup + 2 non_dot |
| F4 | v_dot_fs_reconciliation fs_status |
OK_REGISTERED_BORN 193, BACKUP_FILE(in_reg) 68, FILE_NO_REGISTRY 16, BACKUP(not reg) 8, NON_DOT_ARTIFACT 2 | GROUP BY fs_status,in_registry,born |
LIVE; 06-03 base | HIGH | ||
| F5 | unmonitored registry / unregistered table (Đ23 inverse-check) | not computed this session | — | UNVERIFIED | — | dedicated DOT exists (Đ19/Đ23); not run here |
3G. Text-as-Code / IU corpus
| # | Surface | Denominator | Count | Source query | Mode/Time | Conf | Notes |
|---|---|---|---|---|---|---|---|
| G1 | information_unit |
IU rows | 219 | SELECT count(*) FROM information_unit |
LIVE | HIGH | supersedes stale 98 & 175 |
| G2 | tac_logical_unit |
TAC logical-unit rows | 102 | SELECT count(*) FROM tac_logical_unit |
LIVE | HIGH | supersedes stale 86 |
| G3 | tac_publication_member / tac_unit_version / tac_publication |
TAC corpus members / versions / pubs | 102 / 102 / 4 | union count | LIVE | HIGH | |
| G4 | compatibility view (tac_logical_unit ⋈ information_unit) | a DB view bridging both | NONE (0) | SELECT viewname FROM pg_views WHERE definition ILIKE '%tac_logical_unit%' AND '%information_unit%' |
LIVE | HIGH | 🔴 no bridge view → authority UNRESOLVED |
4. DOT registry vs filesystem diff (both directions)
Two diff bases exist and disagree by date/match-key — shown separately, not merged:
Registry → filesystem (registry rows lacking a live file):
v_dot_registry_no_file= 41 (on its match-base).- Fresh stratification
v_dot_reconciliation_reliability.DOT_MISSING_FILE= 4 (against the 2026-06-09 02:10 snapshot). - → The 41-vs-4 gap is itself a reconciliation drift: the no-file view and the fresh reliability view use different FS bases/match-keys. UNVERIFIED which is canonical (owner/contract decision).
Filesystem → registry (live files not in registry):
- On 06-03 inventory:
FILE_NO_REGISTRY= 16 pure (26 incl. 8 backup + 2 non-dot). - On 06-09 snapshot: operational-not-mapped = 28 (214 operational − 186 mapped).
Executable registry entries: registry has no usable executable flag (classification='real'=0); the executable truth lives on the FS side (B2 operational=214) and is linked to the registry only via v_dot_reconciliation_reliability (F1: 186 confirmed).
Non-executable filesystem entries: B7 shows _recon has 0 non-executable (all 287 executable); backups = 76.
Staged/unborn/not-valid candidates: FILE_NO_REGISTRY/unborn = 16–28 (date-dependent); NON_DOT_ARTIFACT = 2; backups (NOISE_BACKUP) = 75 (06-09) / 76 (06-03).
Unknown/unverified: the /opt/incomex/scripts "42" surface (B-adjacent) — BLOCKED; CAT-006 actual_count=163 filter — UNVERIFIED.
5. Pivot consistency
| Check | Value | Source | Verdict |
|---|---|---|---|
| PIV-007 total | 309 | pivot_results, refreshed 07:07, needs_refresh=false | — |
| PIV-104 group-sum (25 groups) | 309 | Σ pivot_results metric.total | — |
| CAT-006 record_count | 309 | meta_catalog row | — |
dot_tools live count |
309 | count(*) | — |
| Parent==children? | PIV-007 (309) == Σ PIV-104 (309) | ✅ AGREE | |
| Pivot==registry? | 309 == 309 == 309 | ✅ AGREE | |
| Stale pivot? | refreshed 2026-06-09 07:07, needs_refresh=false |
✅ FRESH | |
| Catalog internal consistency? | record_count 309 ≠ actual_count 163 | meta_catalog | ⚠ BY DESIGN — the catalog row itself records the registry-vs-actual gap |
The pivot layer is internally consistent and fresh for the registry-row denominator (309). It does not claim that 309 files exist; the file/actual denominators (B/F) are separate and lower.
6. Directus DOT control status
PARTIAL_EVIDENCE_ONLY.
Evidence FOR control: 128 flows (111 active); 36 DOT-named flows incl. [DOT-REG] registry→Agent-Data mirror flows (~21) and [WATCHDOG] dot_tools Create/Update/Delete → Changelog (3, active) → dot_tools mutations ARE watched into registry_changelog; flows are event-driven (121 event triggers).
Evidence AGAINST "100% controlled": these are integration/sync/watchdog flows, not a proof that all Directus mutations route through DOT or that manual MCP/API CRUD is blocked. The Directus operating rule (per Codex review of directus-operating-rules.md) targets "no direct MCP CRUD," but the rule is not evidence the estate is already compliant. No blocking mechanism was read this session.
Verdict: NOT PROVEN 100%; watchdog + sync present; manual-mutation prevention UNVERIFIED.
7. Text-as-Code corpus authority status
UNRESOLVED.
information_unit= 219;tac_logical_unit= 102 (withtac_unit_version102,tac_publication_member102,tac_publication4).- No DB compatibility/bridge view joins the two (
pg_viewssearch returned 0). - The IU↔DOT bridge exists separately as
dot_iu_command_catalog(54) +dot_iu_command_run(55), but it does not reconcile corpus authority. - → Two parallel corpora, no live resolver/compat view. Which is authoritative is an owner decision, now backed by live counts (not the stale 86/98/175 figures).
8. Old report comparison (denominators only — NOT live truth)
| Old number(s) | Most likely denominator | Live counterpart this session |
|---|---|---|
| 29, then 3 | historical earlier-audit states | n/a |
| 75 VPS / 82 repo (2026-03-05) | file vs repo snapshot then | superseded by B1/C1 |
| 93 registered / 95 actual (03-06) | registry vs file then | superseded by A1/B |
| 97 (03-08) | dot_tools then |
now 309 (A1) |
| 272 total / 256 active (04-17) | migration registry population then | ⚠ 272 today = law_dot_enforcement (E4), a different surface |
| 287 / ~288 (06-05) | VPS /opt/incomex/dot/bin snapshot |
287 _recon (B6, 06-03) / 289 snapshot (B1, 06-09) |
| 309 (06-05) | dot_tools registry rows |
309 (A1) ✅ |
| 54 (06-05) | dot_iu_command_catalog |
54 (E1) ✅ |
| 42 (06-05) | /opt/incomex/scripts (separate script surface) |
UNVERIFIED/BLOCKED (not reachable) |
| 163 (06-09 local) | local checkout dot/bin |
163 = web-test/dot/bin (C1) ✅; also = CAT-006 actual_count (A10) |
| 41 registry-no-file; ~18–19 file-no-registry | reconciliation diffs | 41 (F2); 16–26/28 (F3/B5) ✅ |
| 108, 111 | likely flow counts/dated snapshots | 111 = active flows today (D2); 108 unpinned |
| 75, 82, 93, 95, 108, 111 (older set) | mixed file/repo/registry/flow snapshots | each maps to a dated denominator above; do not collapse |
9. Planning impact (for Implementation Package DOT)
- Must NOT be built / assumed yet: any tool, schema, runner, manifest, logger, or scope-spec. No "the DOT count is N" constant — any single number is a disguised hardcode. The tool must query the authoritative surface at runtime and report set + timestamp + source + both-direction diff.
- Must be reused (already deployed, confirmed live this session):
dot_tools/meta_catalog/pivot stack; the reconciliation surfaceswf_fs_dot_bin_snapshot,_recon_dot_fs_inventory,v_dot_fs_reconciliation,v_dot_registry_no_file,v_dot_reconciliation_reliability(these ARE the DOT↔filesystem reconciler — do not rebuild);directus_flowswatchdog/sync;dot_iu_command_catalog/_run/_runtime_lease/dot_operationsexecution layers;law_dot_enforcement. - Authority decisions still BLOCKED (owner): (1) canonical DOT denominator + reconciliation contract among 309 (registry) / 214 (operational FS) / 186 (fs-confirmed) / 163 (actual_count); (2) canonical execution runner/ledger among the layered surfaces (command_catalog/run/lease/operations vs iu_core
fn_iu_op_*vscutter_governance); (3) TAC↔IU corpus authority (219 vs 102, no compat view); (4) Directus mutation-route proof; (5)system_issueswriter authority; (6) manifest/duplicate/graph authority. (Matches Codex §6 gates 1–10.)
10. Minimal next step (exactly one)
Convene the owner authority decision that designates, using THIS ledger: (a) the canonical DOT denominator + reconciliation contract (which of 309 / 214 / 186 / 163 is authoritative for which purpose, and the canonical registry↔FS diff base), and (b) the canonical TAC↔IU corpus (219 vs 102) — recorded as a contract, not collapsed into one number. No tool, schema, runner, or spec until that contract exists.
Appendix — surfaces read (queries are reproducible)
DB directus via query_pg (READ ONLY): now(); pg_database; information_schema.tables/.columns; dot_tools (count, GROUP BY status/category, FILTER file_path/script_path/classification, max dates); meta_catalog WHERE code='CAT-006'; pivot_definitions/pivot_results WHERE pivot_code IN ('PIV-007','PIV-104'); _recon_dot_fs_inventory (agg); wf_fs_dot_bin_snapshot (agg, GROUP BY object_type/status, mapped_dot_code); v_dot_fs_reconciliation (agg + GROUP BY fs_status); v_dot_registry_no_file (count); v_dot_reconciliation_reliability (GROUP BY reliability_label,dot_class); dot_iu_command_catalog/dot_iu_command_run/dot_operations/law_dot_enforcement/taxonomy* (counts); directus_flows (count, GROUP BY status/trigger, name ILIKE '%dot%'); information_unit/tac_* (counts); pg_views (compat-view search). Directus directus_health. list_docker. Local find on ~/…/dot/bin. KB read: Codex cross-check + prior tool-kiem-thu docs. Mutation: NONE.