KB-4554
05 — Workstream D: 16 FILE_NO_REGISTRY Filesystem Scripts
4 min read Revision 1
05 — Workstream D: 16 FILE_NO_REGISTRY Filesystem Scripts
Status: BLOCKED (registrar-credential-gated) — all 16 durably classified; none executed; none quarantined (would risk prod)
The 16 files (live from _recon_dot_fs_inventory / v_dot_fs_reconciliation)
All are dot-prefixed executables in /opt/incomex/dot/bin, not in dot_tools, not backups.
| file | bytes | owner | mtime | classification |
|---|---|---|---|---|
| dot-apr-types-register | 4442 | root | 2026-04-20 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-apr-types-register-audit | 3505 | root | 2026-04-20 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-context-pack-build.sh | 64001 | root | 2026-05-20 | DOT_CANDIDATE → SHOULD_REGISTER (script) |
| dot-context-pack-retention-cleanup | 2060 | root | 2026-05-20 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-context-pack-verify.sh | 31728 | incomex | 2026-04-23 | DOT_CANDIDATE → SHOULD_REGISTER (script) |
| dot-cron-matrix-setup | 1775 | incomex | 2026-04-04 | DOT_CANDIDATE → SHOULD_REGISTER (cron helper) |
| dot-dieu43-fs-init.sh | 4966 | incomex | 2026-04-17 | DOT_CANDIDATE → SHOULD_REGISTER (script) |
| dot-dieu43-fs-verify.sh | 3853 | incomex | 2026-04-17 | DOT_CANDIDATE → SHOULD_REGISTER (script) |
| dot-hc-executor | 48837 | root | 2026-04-23 | DOT_CANDIDATE → SHOULD_REGISTER (likely cron-invoked) |
| dot-hc-executor-verify | 7212 | root | 2026-04-23 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-ops-silent-fail-propose | 4451 | root | 2026-04-20 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-ops-silent-fail-propose-test | 2012 | root | 2026-04-20 | TEST harness → SHOULD_REGISTER or NON_DOT-test |
| dot-ops-silent-fail-scan | 8614 | root | 2026-04-20 | DOT_CANDIDATE → SHOULD_REGISTER |
| dot-ops-silent-fail-scan-test | 3190 | root | 2026-04-20 | TEST harness → SHOULD_REGISTER or NON_DOT-test |
| dot-pivot-update | 14441 | root | 2026-06-03 | STAGED_FILE_ONLY — stays blocked (doc 06) |
| dot-search-canary | 5988 | root | 2026-05-20 | DOT_CANDIDATE → SHOULD_REGISTER |
Why no mutation
- Registration path = governed registrar
dot-dot-register(Directus-API), admin creds ABSENT. A manualdot_toolsINSERT is not the governed path (forbidden) and would bypass governance. - No blind quarantine. These are live operational tools (health-check executor, cron-matrix setup, silent-fail scanners, context-pack builders, Điều-43 fs init/verify). Moving them off the executable path could break production cron/automation — a hard-to-reverse outward action. The forbidden list permits quarantine only for clearly invalid scripts; these are not clearly invalid.
- No exception added to game the count (forbidden). The
-testvariants could be argued as non-registry test artifacts, but exempting them just to lower the BLOCK would violate the rules. - None executed.
dot-pivot-updatestays blocked.
Operator/admin packet (to clear fs_dot_file_no_registry)
- Obtain admin credentials for
dot-dot-register(Directus-API). - For the 15 operational scripts (all but
dot-pivot-update): register each via the governed registrar with correct DOT metadata (name, code, file_path, category). Birth follows registration. - Re-run
02_collect+03_loadfs snapshot, thenfn_preflight_guard→fs_dot_file_no_registryrecomputes (drops as each is registered). dot-pivot-updateis handled separately (doc 06) — it must complete the full lawful path.
Completion: all 16 durably classified; dot-pivot-update remains blocked; count unchanged because
the only lawful registration path is credential-gated → exact operator action recorded.