Điều 33 PostgreSQL — Amendment DRAFT (non-enacting): preserve PG-foundation/4-DB/3-layer/canonical-field discipline, block auto-DDL/schema-auto-change before design — 2026-06-17
Điều 33 — Luật PostgreSQL — Amendment DRAFT
DRAFT · NON-ENACTING · READ-ONLY · NON-AUTHORIZING. 2026-06-17, rev1. Law Revision Workstream B1. This is a draft amendment, not an enacted law. It is not adopted, not in force, and does not change laws/dieu33-postgresql-law.md. It is review material for GPT → Codex → Owner. Codex/GPT PASS ≠ Owner authorization.
Target law: Điều 33 — Luật PostgreSQL v2.1 BAN HÀNH (knowledge/dev/laws/dieu33-postgresql-law.md, rev5).
Catalog disposition: Law Merge catalog record #3 = AMEND ("Keep PG-foundation / 4-DB-3-layer; amend auto-fix + schema-auto-change clauses") → LAW_READING_INDEX.md §3.3 = READ_NEW_AMENDED_VERSION_PENDING. This document is that pending amended version, in draft form only.
Model: F0→F5/FX. PG/Directus remains the truth/enforcement foundation; schema mutation flows through design-before-execution (NT15 / Điều 20) → checker (F4) → approval / Owner gate (Điều 32) → regression protection (Điều 30). The scanner is list-only (FX/D11).
0. Boundary & non-authorization (read first)
- This draft preserves Điều 33's foundation: PostgreSQL as the single enforcement/truth platform, the 4-DB cluster, the 3-layer Não/Kho/Cổng architecture, the naming conventions, and the canonical-field discipline. It only blocks the unsafe rollout mechanism — automatic schema mutation / auto-DDL run from scanners before technical design.
- It does not enact, adopt, or put any clause in force. It does not edit, move, or delete laws/dieu33-postgresql-law.md. It does not patch the Constitution.
- It performs no DDL, no schema change, no technical design, no Phase-1, no live DB/runtime query, no implementation, no materialization of any field/column/table/index/registry.
- It does not resolve CONS-002/003/004/005, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS/GC/CAP; it does not change the authority order or the v0.1-stable / FIX7 V3 baseline.
- Default disposition until the Owner acts: HOLD.
1. Preserved goals (what stays — DO NOT weaken)
| Preserved from v2.1 | Clause | Status under this draft |
|---|---|---|
| PG = sole enforcement/truth foundation; "PG = the place that ENFORCES all laws"; app logic only reads enforced results | §1 | KEEP — strengthen |
| 4-DB architecture in 1 cluster (directus / incomex_metadata / workflow / postgres); "DO NOT MERGE THE 4 DBs" | §0.1 | KEEP |
| 3-layer Não / Kho / Cổng (Brain / Warehouse / Gate); no role-mixing; data flow Gate → Brain → Warehouse | §0.2 | KEEP |
| "Read the architecture first" rule ("Which DB? Which layer?" before any PG analysis) | §0.3 | KEEP |
| Naming conventions (snake_case plural; same-meaning = same-name across tables; field standards code/name/status/entity_type/…) | §2 | KEEP (this is the discipline behind canonical fields) |
| Pivot-ready by default | §3 | KEEP |
| canonical-field discipline / dictionary concept (one standard name per meaning; aliases catalog) | §11.2, §11.5 | KEEP the discipline; defer materialization (see §3) |
| Migration & change management discipline | §7 | KEEP |
| 5 legalized exceptions E1–E5 for existing bounded infrastructure (register in dot_tools, idempotent, GSM password, log, paired verify DOT) | §13 | KEEP, bounded (see §3 A6) |
| Access control — 1 password GSM; bans on hardcoded passwords / committed .env | §14 | KEEP |
| CI/deploy hooks legalized (DOT-MIGRATION-APPLY, DOT-CAT-ALL-REFRESH; GitHub Actions = Cổng, no direct PG write); session-variable bypass removed | §15 | KEEP |
§1 already says PG enforces and application logic only reads the enforced result. This amendment keeps that and extends it: enforcing a rule is PG's job; changing the schema that defines the rules is a design-gated act, not an automatic one.
2. Unsafe rollout mechanisms identified (verbatim, with clause)
These are the automatic schema-change / auto-DDL behaviors that mutate the database structure directly from a scanner finding, before any technical design. They are the reason Điều 33 is AMEND.
| # | Mechanism | Clause | Why unsafe under F0→F5/FX |
|---|---|---|---|
| U1 | Loại 1 — "Clear, can self-handle": missing required field → ALTER TABLE ADD COLUMN … DEFAULT … runs automatically → report; wrong type → ALTER COLUMN TYPE runs automatically → report | §11.4 | Auto-DDL run from a scanner finding, no design / checker / Owner gate. |
| U2 | DOT Loại 2 — "Self-handle (apply immediately)": missing required field → ADD; missing birth → create; missing meta_catalog → create; deprecated >90d → retire | §12.2 | Schema/structural auto-apply "immediately, waiting for no one." |
| U3 | DOT-SCHEMA-SCANNER maps drift → schema_rename / schema_add_field / schema_type_fix / schema_extract | §11.3 | The propose half is acceptable; the auto-apply half (via §11.4/§12.2) is not. |
| U4 | canonical_fields auto-generation: "create a new table → read canonical_fields → create all standard fields"; materialize canonical_fields table + seed | §11.2, §11.5 | Materializes canonical/standard fields automatically; touches composition_level / species_code while CONS/CELL blockers are open. |
| U5 | "AUTO 100%" read as a blanket auto-everything (incl. schema) | §1 | NT3 "DOT 100%" has 5 bounded exceptions (§13); it is not a license for scanner-triggered DDL. |
| U6 | E1 — Schema Bootstrap DDL exception: specialized DOTs go straight to PG for CREATE/ALTER TABLE/INDEX/TRIGGER | §13.1 | Legitimate for existing bounded infra DOTs, but not a license for new auto-DDL or design-before-design. |
3. Amendment logic (clause-by-clause reframe)
Single principle: schema is detected and proposed automatically; schema is never mutated automatically. Every schema change runs the standard chain — goal/non-goal → related laws → evidence → design (reviewed) → checker → approval / Owner gate (Điều 32) → execution → rollback/test/observability (Điều 30) → evaluation (Constitution NT15 / Điều 20). The scanner is list-only (FX/D11).
A1 — Loại 1 "self-handle" becomes detect + propose, never auto-ALTER (reframe U1).
Replace the auto-ALTER TABLE ADD COLUMN / auto-ALTER COLUMN TYPE in §11.4 with: schema drift → DETECT + PROPOSE (approval types schema_add_field / schema_type_fix already exist in §11.3). No ALTER runs from the scanner. "Rõ ràng" (clear) may lower the proposal's risk class under Điều 32 §4.2; it does not authorize automatic DDL. The change applies only after design-before-execution + checker + the Điều 32 gate, with regression protection (Điều 30).
A2 — DDL is never "DOT Loại 2 / self-handle immediately" (reframe U2, U3).
The two-DOT taxonomy (§12) is kept for non-schema bookkeeping, but DDL / structural change is never Loại 2. Any "Loại 2 auto-apply" that performs ADD COLUMN / ALTER / table or trigger creation / retire-with-structural-effect is reclassified to Loại 1 (ask permission). DOT-SCHEMA-SCANNER stays a Loại 1 detector-proposer (its §11.3 propose behavior is correct); its §11.4/§12.2 auto-apply path is removed.
A3 — No automatic schema mutation (new top clause).
Add: "There is no automatic schema change. No auto-ALTER TABLE / auto-create column / auto-change type / auto-create table / auto-create trigger from the scanner. Schema = enforced automatically (once enacted); schema change = design first, with checker + Điều 32 + Điều 30." PG keeps enforcing existing constraints automatically (that is its job); it does not automatically rewrite the constraints/columns that define enforcement.
A4 — canonical-field discipline kept; materialization deferred (reframe U4).
Keep canonical_fields as a discipline / dictionary concept (one standard name per meaning, alias catalog, naming-convention enforcement). Defer materialization: do not auto-create the canonical_fields table/seed, and do not auto-generate standard fields when creating tables, while it touches pivot-critical fields and identity classification. Specifically, dot_role / cell_id / canonical fields (incl. composition_level, species_code) must NOT be materialized while CONS-003 (6 Lớp vs 7) and CELL-003/004/007 remain open. Materialization is a later, design-gated act.
A5 — "AUTO 100%" scoped to process, not schema (reframe U5).
Clarify: NT2/NT3 automation applies to processes/operations; schema mutation is excluded from "auto 100%" and runs the design chain. NT3 "DOT 100%" already has exactly 5 bounded exceptions (§13 E1–E5) — those are the only direct-PG paths, and they are not a blanket auto-DDL license.
A6 — E1–E5 exceptions kept but bounded (reframe U6).
The 5 exceptions remain valid for existing, bounded infrastructure (DOT registered in dot_tools, idempotent, GSM password, logged, paired verify DOT). Add the explicit limit: E1 (Schema Bootstrap DDL) is not authorization for (a) scanner-triggered auto-DDL, nor (b) creating new schema before technical design. E1 lets a reviewed, registered, idempotent infra DOT apply a designed DDL; it is not a self-running fixer.
A7 — PG law does not self-authorize Phase-1 or technical design (new clause).
Add: "Điều 33 (PG is the foundation) does not self-authorize Phase-1, technical design, or live schema survey. PG being the enforcement foundation does NOT mean the scanner/law may change the schema on its own or open Phase-1 on its own. The Owner opens a phase." Engineering PASS / schema-scan PASS ≠ authority PASS.
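An added illustration of A1–A3 (not part of the draft, not the project's code, and not a technical design for Điều 33): a list-only drift check that returns schema_add_field / schema_type_fix proposals instead of DDL, plus a gate that refuses structural statements that carry no approval. The function names, the customers table, the risk label and the keyword list are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: keywords treated as structural. Matching anywhere in the text
# over-flags (a string literal containing "drop" counts), which fails closed.
# Dynamic SQL inside functions or DO blocks is not visible to a text check.
DDL_RE = re.compile(r"\b(ALTER|CREATE|DROP)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Proposal:
    approval_type: str  # schema_add_field / schema_type_fix, as named in §11.3
    table: str
    column: str
    detail: str
    risk: str           # hypothetical label; "clear" drift lowers risk only

def scan_drift(expected, actual):
    """List-only scanner: returns proposals, never SQL to execute."""
    found = []
    for table, columns in sorted(expected.items()):
        live = actual.get(table, {})
        for column, want in sorted(columns.items()):
            have = live.get(column)
            if have is None:
                found.append(Proposal("schema_add_field", table, column,
                                      f"missing, expected {want}", "low"))
            elif have.lower() != want.lower():
                found.append(Proposal("schema_type_fix", table, column,
                                      f"{have} -> {want}", "low"))
    return found

def gate(statement, approved=False):
    """DDL passes only with an approval; a low risk label is not an approval."""
    if DDL_RE.search(statement) and not approved:
        raise PermissionError("structural change requires the approval chain")
    return "run"

# Constructed sample data: the shape a read of information_schema.columns
# would give for one hypothetical table.
EXPECTED = {"customers": {"code": "text", "name": "text", "status": "text"}}
ACTUAL = {"customers": {"code": "text", "status": "integer"}}

if __name__ == "__main__":
    for p in scan_drift(EXPECTED, ACTUAL):
        print(p)
```

Because the keyword check cannot see dynamic SQL, it works as a first filter in front of the database; the role the scanner connects with should hold no DDL privilege on the schemas it reads.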
4. Proposed amended wording (DRAFT — not enacted)
Draft recommended wording for a future, Owner-gated amended Điều 33. Not enacted, not in force. Final wording decided later under Owner gate, in newlaws/.
§11.4 (reframed) — Handling detected schema drift. "Every schema drift → DETECT + PROPOSE (approval schema_add_field / schema_type_fix / schema_rename / schema_extract). No auto-ALTER from the scanner. Applied after: design-before-execution (NT15/Điều 20) → checker → Điều 32 → Điều 30 (regression). 'Clear' only lowers the proposal's risk class; it does not authorize automatic DDL."
§12 (reframed) — Two types of DOT. "Loại 1 (ask permission) / Loại 2 (self-handle) apply only to non-schema operations. DDL / structural change is always Loại 1. ADD COLUMN / ALTER / create table / create trigger / retire-with-structural-effect = Loại 1, never Loại 2."
§11.2 / §11.5 (reframed) — canonical_fields. "Keep canonical_fields as a discipline/dictionary (1 meaning = 1 standard name, alias catalog). Defer materialization: do not auto-create the canonical_fields table/seed, do not auto-generate standard fields when creating a table. dot_role / cell_id / canonical fields (including composition_level, species_code) are NOT materialized while CONS-003 + CELL-003/004/007 remain open."
§1 (kept + new clause). "PG = the sole enforcement foundation (kept). No automatic schema change — PG enforces existing constraints; changing constraints/columns = design-first + checker + Điều 32 + Điều 30. 'AUTO 100%' applies to processes, not to schema mutation. NT3 'DOT 100%' has exactly 5 exceptions in §13 — not an auto-DDL license."
§13.1 (clarified). "E1 Schema Bootstrap DDL = an exception for registered, idempotent, reviewed infrastructure DOTs applying designed DDL. It is not authorization for (a) auto-DDL from the scanner, (b) creating new schema before technical design."
New §X — No self-authorization. "Điều 33 does not self-authorize Phase-1 / technical design / live schema survey. Engineering/schema-scan PASS ≠ authority PASS. The Owner opens a phase."
5. Mapping to F0→F5/FX
| Điều 33 element | F0→F5/FX placement |
|---|---|
| PG = truth/enforcement; 4-DB; 3-layer; naming | Foundation (PG/Directus = truth; VPS = SSOT runtime) — preserved |
| DOT-SCHEMA-SCANNER (detect drift) | Scanner / Observability (FX · D11) — list-only, propose, no auto-DDL |
| schema_add_field / schema_type_fix / schema_rename | Approval (Điều 32) proposed actions |
| Apply a schema change | Design-before-execution (NT15/Đ20) → checker (F4) → Điều 32 → Điều 30 regression |
| canonical_fields / composition_level / species_code / dot_role / cell_id | Deferred — gated on CONS-003 + CELL-003/004/007 |
| E1–E5 direct-PG exceptions | Bounded existing-infra exceptions; not a new auto-DDL license |
Consistent with the bad-readings the index already rejects (LAW_READING_INDEX.md §4): scanner is list-only (#7); registered/enacted ≠ live/production-ready (#5, #6, #10); newlaws/ does not auto-replace laws/ (#11).
6. Held blockers carried (not resolved here)
- CONS-003 — 6 Lớp (Đ0-B) vs 7-dimension framing; blocks cell_id and canonical-field materialization. Carried.
- CELL-003 / 004 / 007 — cell_id dimensions unmaterialized (the only canonical matrix). Carried; this draft explicitly forbids materializing dot_role / cell_id / canonical fields while these are open.
- HOLD-2 — atomic promote transaction absent; relevant to any schema change that promotes/canonicalizes.
- RISK-BYPASS / RISK-GC / RISK-CAP — runtime governance bypass and GC/capacity risks. Carried.
- CONS-002 — IO Contract examples gap. Carried.
- Engineering / schema-scan PASS ≠ authority PASS — restated, not a runtime proof.
7. Bad readings this draft explicitly REJECTS
- "This draft is adopted / Điều 33 is now amended." FALSE — non-enacting draft; laws/dieu33-postgresql-law.md unchanged.
- "Schema auto-change is still allowed because PG = auto 100%." FALSE — schema mutation is removed from "auto 100%" and routed through design + checker + Điều 32 + Điều 30.
- "PG is the foundation, so the scanner may auto-ALTER." FALSE — PG enforces automatically; it does not auto-rewrite its own schema from a scanner finding.
- "canonical_fields / cell_id / dot_role can be materialized now." FALSE — deferred while CONS-003 + CELL-003/004/007 are open.
- "E1 Schema Bootstrap authorizes new auto-DDL / design-before-design." FALSE — E1 is bounded to reviewed, registered, idempotent infra DOTs applying designed DDL.
- "Điều 33 authorizes Phase-1 / technical design / live schema survey." FALSE — Điều 33 does not self-authorize any of these; the Owner opens a phase.
- "4-DB / 3-layer / naming discipline is being weakened." FALSE — those are preserved; only auto-DDL is blocked.
8. Non-authorization checklist
- no adopted amendment: confirmed (DRAFT only) · no rewrite: confirmed · no technical design: confirmed · no Phase-1: confirmed · no DB/runtime query: confirmed · no implementation/schema/table/registry/index: confirmed · no auto-DDL / column / type / table / trigger materialization: confirmed · no dot_role / cell_id / canonical-field materialization: confirmed · no authority-order change: confirmed · no edit/move/delete under knowledge/dev/laws/: confirmed · no Constitution patch: confirmed · no resolution of CONS/CELL/HOLD/RISK: confirmed · no change to v0.1-stable / FIX7 V3 baseline: confirmed · no v0.2-hardening promotion: confirmed.
- Codex/GPT PASS ≠ Owner authorization. Default disposition: HOLD.
Điều 33 amendment DRAFT rev1 | 2026-06-17 | non-enacting | preserve PG-foundation/4-DB/3-layer/naming/canonical-discipline · block auto-DDL/schema-auto-change → design + checker + Điều 32 + Điều 30 | read-only · non-authorizing