KB-44EC
F6 Pre-Activation Macro 03 — Scanner Query Path & Dry-Run
3 min read Revision 1
one-roofphase1f6scannerread-onlydry-run2026-06-02
03 — Scanner Query Path & Dry-Run (Objectives B + D)
Script: sql/f6_scanner_readonly.sql. Mode: read-only (+ the rollback-only seeded variant already exercised in doc 02). Verdict: PASS.
The scanner, decomposed
A coverage scanner has two halves:
- Read half (computation) — derive coverage/gap/conflict from seams + ownership. Pure SELECT. Safe now. ✅ executed.
- Write half (emission) — persist
governance_candidate_staterows, open acandidate_scan_runledger, raisesystem_issues, emitevent_outbox. Activation-gated; NOT run.
This macro runs the entire read half against live state and proves the write half's inputs are correct without performing any emission.
Read-half output over current live state (honest 0 %)
| metric | value |
|---|---|
| governed_objects | 35 |
| active_scopes | 6 |
| ceiling (cells) | 210 |
| covered_cells | 0 |
| gap_cells | 210 |
| conflict_cells | 0 |
| ownership_rows | 0 |
| coverage_pct | 0.00 |
invariant covered+gap=ceiling |
true |
Drill-down (read-only)
- Per scope (each = 35): approval, audit, execution, health, policy, render → Σ 210.
- Per group: GRP-AI 6, GRP-BUSINESS 12, GRP-GOVERNANCE 96, GRP-REGISTRY 84, GRP-WORKFLOW 12 → Σ 210. (= children × 6, matching the containment distribution.)
Dry-run boundary decision
- Read-only dry-run: GO — executed. The summary + drill-downs above ARE the scanner's read-half over real data.
- Rollback-only seeded dry-run: GO — executed (doc 02). Under the transient 30-anchor seed the same scanner metrics moved 210→114→30→0 in-transaction, proving the computation tracks ownership correctly, then rolled back.
- Persistent log-only dry-run (write a
candidate_scan_runrow): NO. It would fabricate scan provenance (assert a scan ran when none is activated) and is unratified governed-state. Declined (see doc 04). - Production scanner loop: NO. Activation-gated, forbidden.
Determinism / safety properties
- The read half is a pure function of (
v_governance_object_inventory,v_governance_object_containment,governance_object_ownership, active scopes). No randomness, no time dependence, no writes. statement_timeout5 s andLIMIT 500on the read channel bound any accidental blowup; the summary returns one row, drill-downs 11 rows.- The scanner is collection-grain (210 ceiling). Object-grain is out of scope and unbounded (doc 06).