Orphan Detection Report — Tool-Kiem-Thu Objects (2026-06-10)
Date: 2026-06-10. Scope: every object/accessory in the object registry (TKT-OBJ-001..041). An object is an orphan if it lacks any of: canonical ID/path, owner, authority class, lifecycle, retention/cleanup rule, roadmap relation, unambiguous allowed-use — OR carries shadow-SSOT / duplicate-authority risk, or is local/tmp evidence retained without a lifecycle. Evidence: object registry + auto-system audit (query_pg first-hand).
1. Two distinct orphan questions
- Native-orphan (w.r.t. the auto-birth/governance system): proven for ALL TKT-OBJ-*; `birth_registry` returned 0 project rows. This is expected (external/file objects) and is handled by the auto-system audit + root-cause blockers, not by re-mutating the registry here.
- KB-governance-orphan (the thing this macro actively fixes): an object with no KB-level governance facts. Goal: reduce KB-governance-orphans to zero.
2. KB-governance-orphan status (after this macro)
| Risk dimension | Objects previously missing it | Resolution in this macro |
|---|---|---|
| No canonical ID | all non-doc objects (tool, repo, seccomp, packet, image) | Assigned TKT-OBJ-001..041 |
| No owner | runtime/CI/sandbox artifacts | Owner-class assigned (OPERATOR/SYSTEM/AUTHORITY) |
| No authority class | all | evidence-only / design-authority / provisional-non-authority assigned |
| No lifecycle | all | lifecycle assigned (active-pilot/reference/retained/provisional/deferred/pending-cleanup) |
| No retention/cleanup rule | local /tmp artifacts (b7_validate.py, packet sample), ephemeral image, CI 30-day artifacts, CI repo | Retention/cleanup rules added (see §3) |
| No roadmap relation | new species/statuses, Phase 3.5 | Linked to roadmap-after-phase3-governance-b7 |
| Ambiguous allowed-use | inspector, packet, catalog | Allowed/prohibited use stated in registry |
Result: 0 KB-governance-orphans remain. Every important object + accessory now has the full classification set OR an action-ready blocker for the part only an authority can grant (production-registry insertion, catalog promotion, KB writer).
3. Local / ephemeral evidence needing a retention or cleanup rule (explicit)
| Object | Lifecycle | Rule assigned |
|---|---|---|
| TKT-OBJ-004 b7_validate.py (/tmp/tki-ci) | retained-evidence-local-non-authority | Non-authority local evidence; canonical copy is the in-repo / KB-described form; /tmp copy may be deleted any time (no governance value once KB validation report exists). |
| TKT-OBJ-016 packet sample (/tmp/tki-ci JSON) | retained-evidence-local-non-authority | Same — superseded by the KB validation report's recorded manifest_hash; /tmp deletable. |
| TKT-OBJ-010 built image digest | pending-cleanup-ephemeral | Ephemeral CI image; not retained; no action. |
| TKT-OBJ-015 CI run artifacts | retained-evidence-auto-expire | GitHub 30-day auto-expiry; KB reports + raw-log indices are the durable record. |
| TKT-OBJ-011 repo tool-kiem-thu-ci | retained-evidence | RETAINED inert as reproducible source-of-record; deletion is owner's call (gh repo delete …). See CI repo lifecycle record. |
4. Shadow-SSOT / duplicate-authority scan
- No shadow SSOT created. KB remains SSOT; this registry is explicitly a KB-level record, not a production authority. The provisional named-query catalog is marked `provisional-non-authority` precisely so it cannot become a shadow SSOT (B7-EXP-1 gates promotion).
- No duplicate authority. This macro does not fork or re-state native registries (`dot_tools`, `dot_iu_command_catalog`, `context_pack_manifest`); it references them read-only. The object registry is the single KB home for object-level governance facts.
- One residual auto-system risk (not created here): KB docs born into `knowledge_documents` with `owner=null`, `address=null` are a latent relationship-gap that could, if left, look like duplicate/untraceable records. Raised as OWNER_GAP/RELATIONSHIP_GAP blocker; not resolved by mutation here.
5. Objects deliberately left UN-onboarded (with reason)
None left silently. Every object is classified. Items that are not given a production-governance home are explicitly deferred via blockers: named-query catalog promotion (B7-EXP-1), automated export service (B7-EXP-2/D9), KB writer (D10), gate consumer (D11), and production birth-registry insertion (this macro's authority blocker). These are deferrals with owners, not orphans.
Verdict
ORPHAN_DETECTION_PASS_AT_KB_LEVEL — 0 KB-governance-orphans; all native-orphan status documented and root-caused; production-registry onboarding remains an action-ready AUTHORITY blocker (not a hidden orphan).