T2 Watchdog 03 — Scanner Provenance Watch (2026-06-05)
Verdict: STALE — PROVENANCE LIE PERSISTS — AWAITING_T1_FINAL
Because T1 is still running and its NEXT plan includes wiring the provenance fix reversibly, this area cannot be declared PASS. It is reported as observed state, marked AWAITING_T1_FINAL.
A. The three provenance surfaces (live)
| surface | latest timestamp | rows | meaning |
|---|---|---|---|
| wf_adapter_run_log (finished_at) — HONEST | 2026-06-05 02:10:44 UTC | 21 | FRESH — matches systemd timer fire 04:10 CEST = 02:10 UTC |
| wf_scanner_run_log (run_at) — LIE | 2026-06-04 09:53:28 UTC | 5 | FROZEN at 06-04 |
| workflow_scanner_registry.last_run_at — LIE | 2026-06-04 10:25:12 UTC | 6 | FROZEN at 06-04 |
| workflow_scanner_registry.last_success_at — LIE | 2026-06-04 10:25:12 UTC | 6 | FROZEN at 06-04 |
B. Honest read path per source (wf_adapter_run_log)
| source_key | latest finished_at | status |
|---|---|---|
| docker_containers | 2026-06-05 02:10:44 | OK |
| fs_scripts | 2026-06-05 02:10:41 | OK |
| fs_dot_bin | 2026-06-05 02:10:12 | OK |
| systemd_timers | 2026-06-05 02:10:08 | OK |
| host_crontab | 2026-06-05 02:10:02 | OK |
| kb_sop_docs | 2026-06-04 10:15:33 | PARTIAL (by-design, frozen) |
Five host sources ran OK at the 02:10 UTC timer fire on 06-05; kb_sop is PARTIAL and legitimately older. The scanner is proven LIVE via the honest path.
C. Interpretation
The documented "provenance lie" gotcha is STILL TRUE and UNCHANGED at audit time: the orchestrator writes adapter-log + digests and flips status only, never the freshness columns on wf_scanner_run_log / workflow_scanner_registry. Those remain frozen at 06-04 while the real run happened 06-05 02:10. The honest freshness read MUST come from wf_adapter_run_log (or orphan-queue computed_at), never the run-log/registry.
The drift detector independently agrees: its scanner_provenance_age_vs_real_run_age row is still is_actionable_drift=true with disposition T1_CAN_WIRE and note "provenance table not wired to orchestrator". So as of this audit T1 has NOT yet wired the provenance fix.
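The freshness comparison described above, as an added example (not the watchdog's or the drift detector's own code). It loads the timestamps from sections A and B into an in-memory SQLite database and reports how far each frozen surface lags the honest adapter-log time. The column types, the SQLite engine, the single-row tables and the 300-second tolerance are assumptions.

```python
import sqlite3
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed rows copied from the tables in sections A and B (all UTC).
ADAPTER_ROWS = [
    ("docker_containers", "2026-06-05 02:10:44", "OK"),
    ("fs_scripts", "2026-06-05 02:10:41", "OK"),
    ("fs_dot_bin", "2026-06-05 02:10:12", "OK"),
    ("systemd_timers", "2026-06-05 02:10:08", "OK"),
    ("host_crontab", "2026-06-05 02:10:02", "OK"),
    ("kb_sop_docs", "2026-06-04 10:15:33", "PARTIAL"),
]
# Freshness columns the report marks as LIE.
STALE_SURFACES = {
    "wf_scanner_run_log.run_at": "SELECT MAX(run_at) FROM wf_scanner_run_log",
    "workflow_scanner_registry.last_run_at":
        "SELECT MAX(last_run_at) FROM workflow_scanner_registry",
    "workflow_scanner_registry.last_success_at":
        "SELECT MAX(last_success_at) FROM workflow_scanner_registry",
}

def build_db():
    """Build the three provenance surfaces with an assumed minimal schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wf_adapter_run_log (source_key TEXT, finished_at TEXT, status TEXT);
        CREATE TABLE wf_scanner_run_log (run_at TEXT);
        CREATE TABLE workflow_scanner_registry (last_run_at TEXT, last_success_at TEXT);
        INSERT INTO wf_scanner_run_log VALUES ('2026-06-04 09:53:28');
        INSERT INTO workflow_scanner_registry
            VALUES ('2026-06-04 10:25:12', '2026-06-04 10:25:12');
    """)
    db.executemany("INSERT INTO wf_adapter_run_log VALUES (?, ?, ?)", ADAPTER_ROWS)
    return db

def provenance_drift(db, tolerance_s=300):
    """Return (honest_run_time, {surface: lag_seconds}) for surfaces behind the real run."""
    honest = db.execute(
        "SELECT MAX(finished_at) FROM wf_adapter_run_log WHERE status = 'OK'"
    ).fetchone()[0]
    real = datetime.strptime(honest, FMT)
    drift = {}
    for surface, sql in STALE_SURFACES.items():
        seen = db.execute(sql).fetchone()[0]
        # A missing timestamp counts as drift (lag None), never as fresh.
        lag = None if seen is None else int((real - datetime.strptime(seen, FMT)).total_seconds())
        if lag is None or lag > tolerance_s:
            drift[surface] = lag
    return honest, drift
```

Once the freshness columns advance to the adapter-log time, the same function returns an empty drift map.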
D. What T1 must re-confirm at final
- After wiring the reversible provenance fix, wf_scanner_run_log / workflow_scanner_registry should advance to the real run time AND the drift scanner_provenance row should flip out of actionable.
- The rewire must NOT break the honest read path from wf_adapter_run_log, and must NOT cause the no-blind-spot guard to regress from 7/7.
- Provenance wiring must be birth-free (before==after) and reversible (rollback present).
No regression observed; the honest read path works and the lie is correctly flagged by drift teeth.