Architecture Survey — Modular Rewrite Track (DRAFT)
Status: DRAFT — survey/analysis only. Nothing here is enacted. No production mutation performed or authorized.
Date: 2026-06-12. Track: knowledge/dev/laws-new/ (SSOT for the modular rewrite track per README).
1. What was inspected
All inspection was read-only (KB documents + local evidence capsules). No live PG/Directus/VPS contact.
| Area | Sources read |
|---|---|
| Constitution | knowledge/dev/laws/constitution.md v4.6.3 BAN HÀNH (15 NT, 4-DB + 3-layer architecture, law catalog Đ0–Đ44, changelog) |
| Core governance laws | Đ20 v1.2 (design-before-execution), Đ26 v4.0 (pivot), Đ29 v2.0 (classification), Đ30 v1.2 (regression), Đ31 v1.2 (system integrity), Đ32 v1.1 (approval/APR/quorum), Đ37 v3.3 (governance organization) |
| Data/registry/DOT laws | Đ33 v2.1 (PostgreSQL), Đ35 v5.2 (DOT governance), Đ43 v1.2 FINAL rev6 (system map/context pack), Đ38 v3.0 DRAFT + Appendix 01 BAN HÀNH (text-as-code), Đ39 v2.3 (knowledge graph), Đ34 v1.0 DRAFT (workflow), Đ36 v5.0 DRAFT / v4.0 enacted (collection protocol) |
| Đ44/UOSL design family | Đ44 v0.1.2 controlled DRAFT; P44-1 Family Registry; P44-2 SCMR; P38-XC IU profile/UMC/DOT contract matrix; 12c birth-process classification (QT-001/QT-002/third case) |
| Code-operation law & CI/deploy | Đ41 v1.1 BAN HÀNH (+2026-05-21 agent-sandbox and real-PG-sandbox revisions), Đ41 living appendix (reality inventory), FIX7 prod-scoping CI/deploy inventory |
| Sandbox patterns | Đ41 §2A zones + S0–S5 DB-access corridor; O11 iu-cutter agent sandbox (/opt/incomex/dot/iu-cutter-agent-sandbox/ charter docs); P7B sandbox_tac PG schema sandbox; Đ38/Article-14 deny-by-default inspector sandbox |
| Manifest/packet/contract patterns | FIX7 packet skeleton (manifest.json, HASH_MANIFEST, packet_tree, commands.sh/RERUN.sh, validators, bad-input probes, rollback proofs) across 8 packets; TKT Base pack L0–L3 evidence levels + 7 checker policies; O11 patch-as-information-unit contract (13-field meta.yaml); Đ41 §2A.2 11-file task ledger |
| Production gate code surfaces | fn_birth_register foundation doc, sql/prod/99_run_all.sql tiered executor (Tier-0 db=directus AND os_proposal_approvals>=1 guard), QT001 audit verdict, P6 checker/DOT design, dot_tools registry + dot-dot-register/health state |
| Local mirrors | /Users/nmhuyen/Documents/Manual Deploy/.claude/laws + .gemini/laws (older Agent-Data/GCP governance family — Não/Kho/Cổng layering origin) |
2. Current bottlenecks
The system is safe but treats most changes as castle-wide. The bottlenecks are authority surfaces, not data structures — the data layer already has owners, tiers, contracts, and jurisdictions; the decision layer is global and singular.
- One global approval quorum (Đ32). `apr_action_types.risk_level` has no scope dimension. An `add_field` on a module-private table requires the same single `president` as a core-schema change. High risk requires president + 2 AI-council everywhere. No delegated or per-domain approvers. `amend_law` is RESERVED/unimplemented — every law adaptation is a manual constitutional event.
- Whole-system design gate (Đ20). The Context Graph Gate requires reading five whole-system maps for any non-small design; Tier 2 requires User approval whenever runtime is touched, regardless of blast radius; review authority is a single central council (GPT/Gemini/Opus).
- Enacted-law immutability + Council-only amendment (Đ37). Enacted = immutable; change = new amendment through 2-round Council. Combined with Đ20's "missing law → STOP and write the law first" and Đ37 §4.13 (a law must own a table + DOT + health check), any genuinely new local pattern costs a full legislative cycle before building.
- Single global CI/audit verdicts (Đ30/Đ31). One Playwright suite; 1 FAIL anywhere blocks any PR. Đ31 nightly audits everything; coverage gates are computed globally. Unrelated modules couple through the shared verdict.
- One registry namespace for everything. Every executable → global `dot_tools` (global code space + file_path uniqueness + paired-DOT FK in the same table); every PG table → `collection_registry` (HC-REG: unregistered = CRITICAL); every relation → single `universal_edges`; every field name → global `canonical_fields`. Internal module detail and kernel-bearing objects share one register and one ceremony.
- Macro-lane ceremony as the only change lane. The FIX7/TKT experience (2026-06): even no-production KB changes ran through authority → planning → dry-run → independent review → hardening → fold → execution → review → production-scoping, each phase a sealed packet with its own owner grant. Proven safe — and proven heavy: the only lane available is the heaviest one.
- Reality gaps that magnify ceremony. Đ41's own enforcement tooling is unbuilt (no `vps_deploy_log`, no deploy scripts, 6 guard DOTs missing); `fn_birth_gate` still `mode=warning`; QT001 apply judged NOT_SAFE; FIX7 CI seal-vs-bytes check undesigned; Nuxt main divergent with no push credentials. Because mechanical enforcement is missing, every change compensates with manual evidence ceremony.
3. Where the old system is too monolithic
- Authority: one president, one AI council, one waiver approver (Đ30: a single named human), one legislative path. No concept of a module owner with bounded authority.
- Verdicts: one CI gate, one nightly audit, one coverage number, one `system_issues` stream (mitigated by `jurisdiction` tags, but triage SLAs are global).
- Identity: one birth chain (5-trigger sequence into one `birth_registry`), one species taxonomy applied to all governed entities, one COL/DOT/WF code sequence space.
- Relations: Đ44 §5.1 says ALL object relations go through `universal_edges`; the `tac_publication_member` conflict (internal containment stored locally) is still OPEN (P44-2-δ) — the system has not yet legalized module-internal edges.
- Process: Đ20 §6.9 forbids parallel agents until a single design fixes all boundaries — correct for the rescue phase, hostile to independent module teams.
4. Where the current system already supports modularization
These are load-bearing primitives a modular rewrite can stand on without inventing new doctrine:
| Existing primitive | Where | What it already gives us |
|---|---|---|
| Family Registry (design) | Đ44/P44-1 | A module manifest: stable family_code, owner law, owner agency, maturity M0–M4, lifecycle, supersession — "no entry = not legal" |
| SCMR (design) | Đ44/P44-2 | Per-physical-target conformance envelope: G1–G12 mapping, legal N/A, gap codes A–E, conformance judged at family aggregate; physical_target_ref already storage-agnostic (pg.*, qdrant.*, fs.*) |
| UMC + role profiles (design) | P38-XC | Contract-vs-implementation split: 10 invariant core elements; per-kind physical tables explicitly legal; versioned profiles extend without touching core; tiered progressive enforcement |
| `governance_role` = managed/observed/excluded | Đ29/Đ36 | A working lightweight registration tier — observed skips species mapping and full birth obligations |
| Extensible birth taxonomy | 12c | QT-001/QT-002 plus an acknowledged third case; precedent for module-specific birth paths integrated with central birth_registry |
| `jurisdiction` column | Đ22/Đ35/Đ43 health checks | Content owned per-law, infrastructure shared — the content/infrastructure federation seam, already in production |
| Gateway-per-DB | Đ33 E4 | Precedent for a module owning its own store behind one declared gateway (Agent Data ↔ incomex_metadata) |
| Generic metadata dispatcher | Đ43 section_definitions | Global surfaces assembled from per-module rows (target_db, whitelisted template/query) with zero per-section code |
| Risk/tier vocabularies | Đ20 Tier 0–3, Đ32 low/med/high, Đ30 A/B/C + R1–R5, Đ31 severity/issue_class | Blast-radius classes already exist in four dialects — they need unification, not invention |
| Per-route/per-sensor contracts | Đ30 tests/contracts/*.json, Đ31 contracts | Owner, tier, enabled, grace — module-manifest knobs in production today |
| Packet/manifest/validator toolkit | FIX7/TKT/O11/Đ41 §2A | manifest.json with authority string + denial flags + hash pins; packet_tree = sha256(HASH_MANIFEST); bad-input probes 100% fail-closed; rollback PROVEN_IN_STAGING; patch quad with trust ladder; L0–L3 evidence ceiling with forbidden overclaims |
| Sandbox corridor | Đ41 S0–S5, O11, sandbox_tac | DB-access classes from none → real-PG-sandbox → prod-read → rollback-proof → sovereign write; DENY-list fail-closed charters; one-command cleanup with verified evidence |
| Jurisdictional law scoping | Đ37 law_jurisdiction + backlog TD-H | law × domain coverage with a planned granularity upgrade (collection/prefix/species) — the seed of per-module legal scope |
| Low-risk auto-approve lane | Đ32 | An existing legal basis for Class A/B lanes that never wake the president |
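The packet/manifest/validator row above describes a toolkit whose integrity rests on three things: an authority string, denial flags, and hash pins rolled up into `packet_tree = sha256(HASH_MANIFEST)`. The following is an added example written for this survey, not FIX7/TKT tooling; the manifest.json key names (`authority`, `deny`, `pins`, `packet_tree`), the denial flag names, the `<sha256>  <path>` line format of HASH_MANIFEST and the sample packet contents are all assumptions. It shows why the pin set is fail-closed: a tampered file, a missing pinned file, an unpinned extra file or an unset denial flag each produce at least one finding, and any finding rejects the packet.

```python
import copy
import hashlib
from typing import Dict, List, Tuple

# Denial flags the sealer must set to True before a packet is accepted.
# Flag names are an assumption for this example, not the project's schema.
REQUIRED_DENY_FLAGS = ("no_prod_write", "no_live_db_contact")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_manifest(files: Dict[str, bytes]) -> str:
    """HASH_MANIFEST text: one '<sha256>  <path>' line per file, sorted by path
    so the bytes are stable regardless of insertion order (assumed format)."""
    return "".join(f"{sha256_hex(files[p])}  {p}\n" for p in sorted(files))


def packet_tree(hash_manifest: str) -> str:
    """packet_tree = sha256(HASH_MANIFEST): the single pin covering the packet."""
    return sha256_hex(hash_manifest.encode("utf-8"))


def seal_packet(files: Dict[str, bytes], authority: str, deny: Dict[str, bool]) -> dict:
    """Produce the manifest.json content for a packet (assumed key layout)."""
    return {
        "authority": authority,
        "deny": dict(deny),
        "pins": {p: sha256_hex(b) for p, b in files.items()},
        "packet_tree": packet_tree(build_hash_manifest(files)),
    }


def verify_packet(files: Dict[str, bytes], manifest: dict) -> Tuple[bool, List[str]]:
    """Fail-closed verification: the packet is accepted only with zero findings."""
    findings: List[str] = []
    if not (manifest.get("authority") or "").strip():
        findings.append("missing authority string")
    deny = manifest.get("deny") or {}
    for flag in REQUIRED_DENY_FLAGS:
        if deny.get(flag) is not True:
            findings.append(f"denial flag not set: {flag}")
    pins = manifest.get("pins") or {}
    # Walk the union of pinned and present paths so both directions are checked.
    for path in sorted(set(pins) | set(files)):
        if path not in files:
            findings.append(f"pinned file missing: {path}")
        elif path not in pins:
            findings.append(f"unpinned file present: {path}")
        elif pins[path] != sha256_hex(files[path]):
            findings.append(f"hash mismatch: {path}")
    if packet_tree(build_hash_manifest(files)) != manifest.get("packet_tree"):
        findings.append("packet_tree does not match HASH_MANIFEST")
    return (not findings, findings)


# Constructed sample packet; file names follow the skeleton named in the survey,
# contents are placeholders.
SAMPLE_FILES = {
    "commands.sh": b"#!/bin/sh\necho dry-run only\n",
    "RERUN.sh": b"#!/bin/sh\nsh commands.sh\n",
    "validators/check.py": b"print('ok')\n",
}
SAMPLE_MANIFEST = seal_packet(
    SAMPLE_FILES,
    authority="EXAMPLE-GRANT-001 (placeholder, not a real owner grant)",
    deny={"no_prod_write": True, "no_live_db_contact": True},
)


def demo() -> dict:
    """Happy path plus bad-input probes; every probe must fail closed."""
    sealed_ok, _ = verify_packet(SAMPLE_FILES, SAMPLE_MANIFEST)
    tampered = dict(SAMPLE_FILES, **{"commands.sh": b"#!/bin/sh\necho changed\n"})
    missing = {p: b for p, b in SAMPLE_FILES.items() if p != "RERUN.sh"}
    extra = dict(SAMPLE_FILES, **{"validators/sneaky.py": b"pass\n"})
    deny_off = copy.deepcopy(SAMPLE_MANIFEST)
    deny_off["deny"]["no_prod_write"] = False
    probes = {
        "tampered": verify_packet(tampered, SAMPLE_MANIFEST)[0],
        "missing_file": verify_packet(missing, SAMPLE_MANIFEST)[0],
        "extra_file": verify_packet(extra, SAMPLE_MANIFEST)[0],
        "deny_flag_off": verify_packet(SAMPLE_FILES, deny_off)[0],
    }
    # any_fail_open mirrors the TKT policy knob named in the survey: True here
    # would mean a probe was accepted and the verifier is not fail-closed.
    return {"sealed_ok": sealed_ok, "any_fail_open": any(probes.values()), "probes": probes}


if __name__ == "__main__":
    print(demo())
```

Sorting HASH_MANIFEST by path matters: if two sealers emitted lines in different orders, the same byte content would produce different `packet_tree` values and a correct packet would be rejected as drifted, which is the "seal-vs-bytes" ambiguity the survey lists as undesigned for FIX7 CI.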
5. Where the current system resists modularization
- Đ32 quorum has no scope dimension — root blocker for delegated lanes (needs amendment, not workaround).
- Đ37 enacted-immutable + 1-primary-law-per-domain + SSOT 6-step transfer — module-level specialization of an owned domain is a heavyweight transfer event.
- Đ36 HC-REG assumes all tables live in the one `directus` DB and must be individually registered — needs an envelope tier for module-private tables (and the Đ33 E4 gateway pattern generalized).
- Single `universal_edges` rule — until P44-2-δ/P44-4 legalizes intra-family internal edges, every module-internal relation table is a violation.
- Global pivots/counting (Đ26/Đ43) assume instance-level reachability of every governed record with canonical field names — envelope-only publication breaks counts unless envelopes carry rollups (the Đ43 manifest already models aggregate counts — template exists).
- Đ35 global `dot_tools` — every module writer/checker must register centrally with a globally unique file path; fine as a catalog, hostile as a change gate.
- NT3 "DOT 100%" + NT6 5-layer sync read as system-wide absolutes — they predate contract scoping; the constitution does not yet say "applies within declared contract scope."
6. Risk map
| # | Risk | Severity | Where it bites | Mitigation direction (proposal doc) |
|---|---|---|---|---|
| R1 | Weakening the production kernel while "lightening" process | CRITICAL | Đ32 quorum, Tier-0 prod SQL guard, birth authority, rollback law | Kernel is frozen: Class E lane keeps the full current macro path verbatim; modular lanes apply only below the kernel boundary |
| R2 | Blast-radius misclassification (Class A change is actually Class C/D) | HIGH | Self-declared class; FAST/FULL lesson from Đ41 (smoke level must be computed, never agent-declared) | Class computed mechanically from declared contract surfaces + diff paths; misdeclaration = fail-closed to higher class; bad-input probes on the classifier |
| R3 | Module sandboxes leaking into prod (secrets, network, shared cluster) | HIGH | O11 isolation runner unprovisioned; one PG cluster, one GSM password | Sandboxes inherit Đ41 S-class + O11 DENY charter; S2 real-PG sandbox uses separate DB/schema/run-id tags + verified one-command cleanup; no prod secrets in module env |
| R4 | Federated registry drift (envelope says X, module registry says Y) | HIGH | New failure mode introduced by federation itself | Envelope carries module-registry pointer + content hash; paired drift-checker DOT per module (Đ35 pattern); conformance_status non_compliant = escalate, never delete |
| R5 | Orphan/phantom objects invisible to global scanners | MEDIUM | Đ29 phantom detection, Đ31 nightly sweep, Đ43 projection assume global reach | Module envelope must publish a standard classification view/section row (Đ43 dispatcher mechanism); orphan scanning delegated to module with global checker verifying the delegation is alive (watchdog pattern from Đ31) |
| R6 | Two SSOTs during migration (laws/ vs laws-new/, global vs module registries) | MEDIUM | This very track | SSOT rule already in README; migration strategy is strangler-pattern with per-phase cutover and parallel-run verification (Đ38 R9 precedent) |
| R7 | Contract tests pass but contracts are vacuous (PASS-leak class) | MEDIUM | TKT lesson: PASS-substring leaks, detector-correctness rule | Module contract tests must include bad-input probes with any_fail_open=false and detector-correctness, inherited from TKT base policies |
| R8 | Governance capture by ceremony again (modular lanes accrete ritual) | MEDIUM | FIX7 lane history | Hard rule in proposal: Class A/B lanes have fixed maximum artifact counts; adding a required artifact to a lane is itself a Class D change |
| R9 | Unbuilt enforcement (Đ41 tooling, birth gate warning-mode) makes new lanes paper-only | HIGH | Appendix F1 reality gap | Migration sequence builds mechanical enforcement for the new lanes first (classifier, envelope checker) before any lane is opened; a lane without its fail-closed checker may not be used |
| R10 | Open design decisions block federation (P44-2-δ internal edges, OP-B owner agency, QT001 unsafe) | HIGH | Đ44 design family | Migration map marks these as prerequisite decisions with owners; federation phases gate on them |
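R2 and R7 in the table above describe one mechanism: the blast-radius class is computed from declared contract surfaces plus the diff's paths, a self-declared class may only raise the result, and the classifier itself is exercised with bad-input probes that must all fail closed. The block below is an added example for this survey, not code from the rewrite track; the surface registry (path prefixes and their classes), the A–E ordering with E as the frozen kernel lane, and the probe list are constructed assumptions. Two of the kernel prefixes reuse paths named elsewhere in this document (`sql/prod/`, `knowledge/dev/laws/`) purely as illustration.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Lane vocabulary from the survey: A is the lightest lane, E the frozen kernel lane.
CLASS_ORDER = "ABCDE"

# Constructed declared contract surfaces: path prefix -> class the owning module
# declared for changes under that prefix. All prefixes and classes are assumptions.
DECLARED_SURFACES: Dict[str, str] = {
    "modules/tac/docs/": "A",      # module-private documentation
    "modules/tac/src/": "B",       # module-private code behind its contract
    "modules/tac/schema/": "C",    # module-private tables (envelope tier)
    "contracts/": "D",             # cross-module contract surfaces
    "sql/prod/": "E",              # production gate SQL (kernel)
    "knowledge/dev/laws/": "E",    # enacted law text (kernel)
}


def higher(a: str, b: str) -> str:
    return a if CLASS_ORDER.index(a) >= CLASS_ORDER.index(b) else b


def class_for_path(path, surfaces: Dict[str, str] = DECLARED_SURFACES) -> Tuple[str, str]:
    """Class of one diff path plus the reason. Anything that cannot be scoped
    to a declared surface (bad input, traversal, unknown path) fails closed to E."""
    if (not isinstance(path, str) or not path or path.startswith("/")
            or "\\" in path or "\0" in path or ".." in path.split("/")):
        return "E", f"bad input, fail closed: {path!r}"
    matches = [prefix for prefix in surfaces if path.startswith(prefix)]
    if not matches:
        return "E", f"no declared surface covers {path}"
    longest = max(matches, key=len)  # most specific declared surface wins
    return surfaces[longest], f"{path} under {longest}"


def classify(diff_paths: Optional[Sequence], declared_class: Optional[str] = None,
             surfaces: Dict[str, str] = DECLARED_SURFACES) -> Tuple[str, List[str]]:
    """Computed class = highest class over all touched paths. A declaration may
    only raise the result; a declaration below the computation is a misdeclaration
    and resolves to the computed (higher) class."""
    if not diff_paths:
        return "E", ["empty or missing diff cannot be scoped; fail closed"]
    reasons: List[str] = []
    computed = "A"
    for p in list(diff_paths):
        cls, why = class_for_path(p, surfaces)
        reasons.append(f"{cls}: {why}")
        computed = higher(computed, cls)
    if declared_class is None:
        return computed, reasons
    if not isinstance(declared_class, str) or declared_class not in list(CLASS_ORDER):
        reasons.append(f"declared class {declared_class!r} not in vocabulary; fail closed")
        return "E", reasons
    if higher(declared_class, computed) == computed and declared_class != computed:
        reasons.append(f"misdeclared {declared_class}, computed {computed}; fail closed to {computed}")
        return computed, reasons
    if declared_class != computed:
        reasons.append(f"declared {declared_class} above computed {computed}; keeping declared")
    return declared_class, reasons


# Constructed bad-input probes: every one must resolve to E.
BAD_INPUT_PROBES = [
    (["/etc/hosts"], None),                                      # absolute path
    (["modules/tac/docs/../../sql/prod/99_run_all.sql"], "A"),   # traversal out of a surface
    ([""], None),                                                # empty path
    ([None], None),                                              # non-string path
    ([], "A"),                                                   # empty diff declared Class A
    (["unregistered/module/file.txt"], "A"),                     # no declared surface
    (["sql/prod/99_run_all.sql"], "A"),                          # kernel path misdeclared as A
    (["modules/tac/docs/README.md"], "Z"),                       # declared class outside vocabulary
]


def run_bad_input_probes() -> dict:
    """Detector-correctness check on the classifier: any_fail_open must be False."""
    results = {repr(paths): classify(paths, declared)[0] for paths, declared in BAD_INPUT_PROBES}
    return {"any_fail_open": any(cls != "E" for cls in results.values()), "results": results}


if __name__ == "__main__":
    print(classify(["modules/tac/docs/README.md", "modules/tac/schema/001.sql"], "A"))
    print(run_bad_input_probes())
```

The asymmetry is the whole point of R2: the agent's declaration is accepted only when it is at least as conservative as the mechanical result, so a Class A claim on a diff that touches a Class C schema surface lands in Class C, and a path the surface registry does not cover is routed to the kernel lane rather than to any lightweight lane.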
7. Summary judgment
The system does not need new safety machinery — it needs scope. Every safety mechanism (quorum, birth, rollback, evidence, watchdog, audit) is sound; each is currently applied at a single global scope. The rewrite's job is to add a declared-scope dimension (module contract + blast-radius class) to the routing of those mechanisms, keep the kernel lanes byte-for-byte as they are, and reuse the already-designed Đ44 Family Registry/SCMR/UMC stack as the federated registry rather than inventing a parallel one.