Checkpoint — Universal Workflow Census + Automated DOT Scanner System (short SSOT)

Date: 2026-06-04 · Macro: UNIVERSAL_WORKFLOW_CENSUS_AND_AUTOMATED_DOT_SCANNER_SYSTEM Final status: PARTIAL — all DB-scannable sources censused + 5 live scanner functions built (birth-free); 6 host/FS/KB source classes lack adapters; RP visibility proven = 0 assigned. Execution mode: EXECUTION_MODE. RO=query_pg (5s/500-row); RW=ssh contabo→docker exec -i postgres psql -U directus -d directus; KB=Incomex_KB; staging=/opt/incomex/docs/mcp-writes/universal-workflow-census-2026-06-04/ Live mutation: YES — additive/reversible/BIRTH-FREE. birth_registry 1,163,522 before == 1,163,522 after. No process birth / owner approval / event activation / REAL_RUN / dot_tools insert.

Hard truth verdict: COVERAGE_PARTIAL

• Workflow universe denominator (DB process-definitions) = 373 = 309 dot_tools + 54 dot_iu_command_catalog + 8 distinct job_kind + 2 workflows.
• Census sources = 16: 10 DB live-scannable (LIVE_DB_FN), 6 host/FS/KB MISSING_ADAPTER.
• DB objects censused = 1851 (incl 571 functions, 410 triggers — components); host objects = 400 (+ kb_sop count UNKNOWN).
• RP visible (AX-PROCESS axis_assignment) = 0 (ratio 0.0000). candidate_visible = 17 (0.0456). verified = 1 / job:cut (0.0027). rp_missing = 373 (1.0).
• Orphan signal (7 kinds): user_trigger_unmodelled 410, host_source_unmanaged 400, rp_missing_all_definitions 311, dot_without_process_candidate 178, queue_run_without_candidate 7, event_type_no_candidate 7, phantom_axis_process 0. Existing discovery: orphan_components 84, correlation_gaps 17, drift_signals 17, real_run 0.
• Reconciliation gaps (blind spots, numeric): dot_tools.cron_schedule=41 vs host_crontab=49; dot_tools.script_path=119 vs fs_dot_bin=288; AX-PROCESS assignments=0 vs 373 definitions.

Automated scanner DOT family status: LIVE-COMPUTE, owner-gated for production

5 functions built + idempotent + ran once, digests populated:

• DOT_WF_UNIVERSAL_CENSUS → wf_census_digest (fn_dot_wf_universal_census; sched 0 4 * * *)
• DOT_WF_ORPHAN_DETECTOR → wf_orphan_digest (30 4 * * *)
• DOT_WF_RP_VISIBILITY_PROOF → wf_rp_coverage_digest (0 5 * * *)
• DOT_WF_SOURCE_ADAPTER_HEALTH → wf_source_adapter_health (15 4 * * *)
• DOT_WF_CLASSIFICATION_DRIFT → wf_classification_drift + wf_metric_snapshot (45 5 * * *); first run = BASELINE.
• Orchestrator fn_dot_wf_run_all(). Registry: workflow_scanner_registry (5 rows, status=DRAFT, scanners_active=0).
• NOT YET: registered into dot_tools (birth trigger → owner-gated) and NOT wired into host cron/systemd (ops-gated). This is the precise remaining blocker — engineering is complete.

Source adapter status

LIVE_DB_FN (10): dot_tools, dot_family_pairs, job_queue, event_type_registry, pg_trigger, pg_proc_functions, workflows, approval_requests, dot_iu_command, orphan_components. MISSING_ADAPTER (6): host_crontab(49), systemd_timers(21), fs_dot_bin(288), fs_scripts(31), docker_containers(11), kb_sop_docs(UNKNOWN). Config-driven via workflow_discovery_source_registry — new source = new row.

Safe live artifacts (all in directus DB, reversible via uwc_rollback.sql)

• Tables (8, trigger-free): workflow_discovery_source_registry(16), workflow_scanner_registry(5), wf_census_digest(16), wf_orphan_digest(7), wf_rp_coverage_digest(6), wf_source_adapter_health(16), wf_metric_snapshot, wf_classification_drift, wf_scanner_run_log.
• Functions (6): fn_dot_wf_{universal_census,orphan_detector,rp_visibility_proof,source_adapter_health,classification_drift,run_all}.
• Views (16): v_universal_workflow_{source_census,coverage_matrix,uncovered_objects,classification_summary}; v_workflow_{orphan_components,unmanaged_process_clusters,rp_missing_processes,phantom_process_candidates}; v_registries_pivot_process_{coverage_proof,missing_surface,operational_status}; v_workflow_discovery_source_{health,missing_adapter}; v_process_axis_{review_action_queue_v2,census_action_items,universal_workflow_dashboard}.
• Action panel: +2 deliberate buttons (REGISTER_SOURCE_ADAPTER, REQUEST_MERGE; is_checkbox=false); +7 coverage AI reviews in process_axis_ai_review (6 NEEDS_MORE_EVIDENCE, 1 PASS). No checkbox/direct mutation. No fake approval.

Next macro

UNIVERSAL_WORKFLOW_DISCOVERY_SOURCE_ADAPTERS_AND_SCANNER_DEPLOY — build the 6 host-side adapters (cron/systemd/fs/container/kb), register the 5 scanners as production DOTs (owner birth-gate), wire host cron, then re-run census to lift coverage. Do NOT proceed to AX-PROCESS canon until coverage rises above the current 0 RP-assigned.

Exact blocker

1. 6 host/FS/KB source adapters do not exist (DB cannot read host cron/systemd/FS/containers/KB) → ~400+ objects uncensused.
2. Scanner production promotion needs owner birth-admission (dot_tools insert = birth) + ops cron wiring.
3. RP assignment requires owner ratification of AX-PROCESS + GOV-MOW ownership bootstrap (carried from prior macro). NO engineering blocker on the DB census/scanner/views/action-panel layer — all live.

Report dir: knowledge/dev/reports/architecture/universal-workflow-census-automated-dot-scanner-system-2026-06-04/ (00..17). SQL staged: /opt/incomex/docs/mcp-writes/universal-workflow-census-2026-06-04/{uwc_apply,uwc_rollback}.sql.