08 — Auto-Full-Workflow Admission Policy Closeout (Workstream G)

Makes the discovered-workflow operating rule concrete and operational, not just prose.

Final policy (the admission rule)

A discovered auto-workflow becomes an OFFICIAL process only after ALL of:

1. Component graph — member_count ≥ 2 (else not_a_process).
2. Correlation model — a run-level shared id across components (e.g. job_queue.run_id or process_run_id).
3. Dry-run observation — at least one real no-mutation DRY_RUN (for agent_api candidates this requires a bound endpoint).
4. Negative control — a proven failing test: the verifier must reject a bad output, not only accept a good one. (This run made the dot:kg verifier's negative control actually work.)
5. Kill-switch — a runtime gate that fails closed (e.g. process_dot_runtime.execute_enabled=false).
6. Owner — a governance owner-of-record (Điều 37). Only then: verified → birth-ready. No rung may be skipped; SIMULATED never counts as DRY_RUN.

Stricter gate for NEW auto-workflows (operationalized)

• If a new DOT / queue / event cluster appears with no process candidate, RP shows an unmanaged warning (orphan). Backed by v_process_discovery_orphan_components (live).
• If a new multi-step workflow has no correlation_id, it is blocked from official status (fails gate 2). Backed by v_process_discovery_correlation_gaps (live) and the policy-gaps view.
• The negative-control requirement (gate 4) is now enforceable because the verifier fails correctly.

Live policy surface

• v_process_discovery_auto_workflow_policy_gaps — first failing gate per candidate + exact next action. Live read: 8 not_a_process; 8 gap_no_correlation_model (incl. dot:kg); 1 gap_no_owner (job:cut).
• v_process_discovery_orphan_components — unmanaged clusters.
• v_process_discovery_correlation_gaps — missing correlation.
• v_process_discovery_closeout_status (new) — area rollup incl. event activation count.

Periodic orphan scan rule

Run a scheduled read of orphan_components + correlation_gaps + policy_gaps; any new unmanaged cluster or correlation-less multi-step workflow is flagged for triage (candidate, not auto-promoted). Scheduling needs a separate integration (Claude Code agents do not self-schedule); the views make the scan a single read when triggered.

Why no broad governance change

The policy is enforced by existing additive views + the dispatcher's fail-closed gates + the (now-working) negative control. No governance tables were altered; no birth; no activation.

Completion

Policy is operational: each gate maps to a live view or a fail-closed runtime check, and the negative-control gate is now real.