04 — Filesystem DOT Inventory & Drift Status (blind spot G4 CLOSED)
Blind spot G4 is CLOSED. /opt/incomex/dot/bin is now enumerated, hashed, and reconciled
against dot_tools + birth_registry. Snapshot table _recon_dot_fs_inventory (287 rows) is live.
Snapshot summary
- 287 regular files; 285 dot-prefixed; 76 backups (.bak-* suffixes).
- Owners: mix of incomex:incomex (legacy deploy, mtime 1775140550) and root:root (recent edits).
- Each row carries sha256, exec flag, owner:group, size, mtime.
Reconciliation (v_dot_fs_reconciliation, 1 row/file after dedup)
| fs_status | count | meaning |
|---|---|---|
| OK_REGISTERED_BORN | 193 | on disk, in dot_tools, born |
| BACKUP_FILE | 76 | .bak-* snapshots (not live tools) |
| FILE_NO_REGISTRY | 16 | dot- script on disk, no dot_tools row |
| NON_DOT_ARTIFACT | 2 | TEMPLATE-DOT-SCRIPT, apply_composition_fixes.sh |
Drift categories (macro taxonomy)
| Category | Count | Detail |
|---|---|---|
| FILE_NO_REGISTRY | 16 | see list below (incl. dot-pivot-update) |
| REGISTRY_NO_FILE | 41 | active dot_tools whose basename absent from snapshot (v_dot_registry_no_file) |
| HASH_DRIFT | not detectable | dot_tools has no baseline sha256 column — documented gap, see below |
| DUPLICATE_REGISTRY_NAME | 45 names (×2 rows) | data-quality defect in dot_tools |
| BACKUP_FILE | 76 | accepted noise |
| STAGED_FILE_ONLY | 1 | dot-pivot-update (see doc 10) |
The 16 FILE_NO_REGISTRY (genuine unregistered DOT scripts)
dot-apr-types-register, dot-apr-types-register-audit, dot-context-pack-build.sh,
dot-context-pack-retention-cleanup, dot-context-pack-verify.sh, dot-cron-matrix-setup,
dot-dieu43-fs-init.sh, dot-dieu43-fs-verify.sh, dot-hc-executor, dot-hc-executor-verify,
dot-ops-silent-fail-propose, dot-ops-silent-fail-propose-test, dot-ops-silent-fail-scan,
dot-ops-silent-fail-scan-test, dot-pivot-update, dot-search-canary.
Confirmed genuine: the 4 .sh-suffixed names do not exist in dot_tools even without .sh.
These are real tooling (apr engine, context-pack, dieu43 fs, health-check executor, ops-silent-fail
engine, search-canary) deployed to disk but never registered as governed DOTs.
HASH_DRIFT — documented, not silently dropped
dot_tools has no baseline-hash column, so file tamper/drift cannot be detected today.
Follow-up: add _recon_dot_baseline(name, sha256, set_by, set_at) and compare against
_recon_dot_fs_inventory.sha256. Until then HASH_DRIFT = unknown (out of this macro's scope).
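An added sketch of the follow-up above, not the project's own code: the proposed _recon_dot_baseline table joined against _recon_dot_fs_inventory.sha256, run in an in-memory SQLite database. Assumptions: the inventory keys files by a `name` column, the database engine, the status labels other than HASH_DRIFT, and every sample row are constructed for illustration.

```python
import sqlite3

# Constructed sample rows. The inventory key column `name` is an assumption.
INVENTORY = [  # (name, sha256) as a snapshot would record them
    ("dot-alpha", "a" * 64),
    ("dot-beta", "b" * 64),
    ("dot-gamma", "c" * 64),
    ("dot-beta.bak-20250101", "d" * 64),  # backup: accepted noise, not compared
]
BASELINE = [  # (name, sha256, set_by, set_at), the columns the follow-up proposes
    ("dot-alpha", "a" * 64, "ops", "2025-01-01T00:00:00Z"),
    ("dot-beta", "e" * 64, "ops", "2025-01-01T00:00:00Z"),
    ("dot-delta", "f" * 64, "ops", "2025-01-01T00:00:00Z"),
]

SCHEMA = """
CREATE TABLE _recon_dot_fs_inventory (name TEXT PRIMARY KEY, sha256 TEXT NOT NULL);
CREATE TABLE _recon_dot_baseline (
    name   TEXT PRIMARY KEY,  -- one baseline per tool name, no duplicate rows
    sha256 TEXT NOT NULL CHECK (length(sha256) = 64),
    set_by TEXT NOT NULL,
    set_at TEXT NOT NULL
);
"""

# Status labels other than HASH_DRIFT are hypothetical names for this sketch.
DRIFT_SQL = """
SELECT i.name,
       CASE WHEN b.name IS NULL THEN 'NO_BASELINE'
            WHEN lower(b.sha256) = lower(i.sha256) THEN 'HASH_OK'
            ELSE 'HASH_DRIFT' END AS hash_status
FROM _recon_dot_fs_inventory i
LEFT JOIN _recon_dot_baseline b ON b.name = i.name
WHERE i.name NOT LIKE '%.bak-%'
UNION ALL
SELECT b.name, 'BASELINE_NO_FILE'
FROM _recon_dot_baseline b
LEFT JOIN _recon_dot_fs_inventory i ON i.name = b.name
WHERE i.name IS NULL
"""

def hash_drift_report(inventory=INVENTORY, baseline=BASELINE):
    """Return {name: hash_status} for live (non-backup) files and baselined names."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO _recon_dot_fs_inventory VALUES (?, ?)", inventory)
    db.executemany("INSERT INTO _recon_dot_baseline VALUES (?, ?, ?, ?)", baseline)
    return dict(db.execute(DRIFT_SQL).fetchall())
```

Files with no baseline row are reported separately from matches, so an unbaselined tool never reads as clean.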
REGISTRY_NO_FILE (41) caveat
Includes tools whose registry basename differs from disk (e.g. relative-path/.sh naming) and
genuinely missing files. Triaged INVESTIGATE (owner) in doc 05 — not auto-actioned.