Phase 2 — Scanner provenance root cause

Evidence (live, DB-direct)

Source	Latest	Class
wf_adapter_run_log.finished_at	2026-06-05 02:10:44 (run_id 20260605T021001Z)	TRUE FRESH
workflow_discovery_source_registry.last_scanned_at	2026-06-05 02:10:50	TRUE FRESH
wf_scanner_run_log.run_at	2026-06-04 09:53	FROZEN
workflow_scanner_registry.last_run_at	2026-06-04 10:25	FROZEN

Root cause (from /opt/incomex/dot/scanners/wf_scan_orchestrator.sh)

The orchestrator runs: adapters (→ wf_adapter_run_log), fn_dot_wf_map_host_objects, fn_dot_wf_run_all_v2, fn_dot_wf_build_remediation_queue, then a registry flip that UPDATEs workflow_discovery_source_registry (the v2 table). It has no statement that writes wf_scanner_run_log (v1 append log, 6 frozen scanner_codes) or workflow_scanner_registry.last_run_at. Those two are v1 provenance artifacts → frozen = provenance lie if read as freshness.

Patch design

• Safe location: 2 appended statements in the script body, after registry flip, before DONE echo.
• Rollback: restore wf_scan_orchestrator.sh.bak-20260605-prov.
• Does NOT touch the systemd timer/service units.
• Idempotent: INSERT = one append per run (correct log semantics); UPDATE idempotent within a run.