08 — Automated DOT Scanner Family

The operating mechanism (not a one-time audit). 5 scanner functions, idempotent, ran once, digests populated. Registry: workflow_scanner_registry (status=DRAFT).

Scanner	compute_fn	digest	RP view	proposed sched	ran
DOT_WF_UNIVERSAL_CENSUS	fn_dot_wf_universal_census	wf_census_digest	v_universal_workflow_source_census	0 4 * * *	✓
DOT_WF_ORPHAN_DETECTOR	fn_dot_wf_orphan_detector	wf_orphan_digest	v_workflow_orphan_components	30 4 * * *	✓
DOT_WF_RP_VISIBILITY_PROOF	fn_dot_wf_rp_visibility_proof	wf_rp_coverage_digest	v_registries_pivot_process_coverage_proof	0 5 * * *	✓
DOT_WF_SOURCE_ADAPTER_HEALTH	fn_dot_wf_source_adapter_health	wf_source_adapter_health	v_workflow_discovery_source_health	15 4 * * *	✓
DOT_WF_CLASSIFICATION_DRIFT	fn_dot_wf_classification_drift	wf_classification_drift	(via snapshot)	45 5 * * *	✓ (BASELINE)

Orchestrator: fn_dot_wf_run_all() returns a JSON summary of all five. Run log: wf_scanner_run_log (status/rows/summary per run).

Properties (each scanner)

• Idempotency: DELETE-then-INSERT into its own digest; safe to re-run any time.
• last_run/last_success/error: tracked in workflow_scanner_registry + wf_scanner_run_log.
• Read-only against production: they only read source tables and write their own digests; no source mutation, no birth.
• Coverage counters: embedded in run summary jsonb.

What is LIVE vs what is gated

• LIVE: compute functions, digests, registry, run log, RP views — all queryable now via RO MCP.
• OWNER-GATED: registering these as real rows in dot_tools (insert fires birth_trigger_dot_tools → +5 births + birth gate). Deliberately NOT done.
• OPS-GATED: wiring SELECT fn_dot_wf_run_all(); into host cron / a systemd timer (mirrors existing process-discovery-policy-scan.timer pattern). Apply-ready snippet in 12.

Conclusion: automated scanning is LIVE-COMPUTE and re-runnable today; production scheduling is one owner birth-admission + one cron line away. This is apply-ready with an exact, small blocker.