Điều 35 — DOT Governance (v5.2 FINAL) — Compatibility Note

Reading category: READ_OLD_WITH_COMPATIBILITY_NOTE (catalog record #12, KEEP+NOTE). Status of this note: READ-ONLY · NON-AUTHORIZING · NOT enacted law. 2026-06-17, rev1. Basis: FX execution report §4.1 + audit reports/architecture/checkpoint-codex-…-2026-06-05.md.

1. Old source

• Path: knowledge/dev/laws/dieu35-dot-governance-law.md — "LUẬT QUẢN TRỊ DOT v5.2 FINAL BAN HÀNH" (S178 Fix 15, after Council Round 3 sign-off Gemini 10 / GPT 9.6).
• Status: ENACTED. But the live substrate is NOT production-certified. (Footer line still says "v5.1 FINAL" — a stale label, not a content change; flag for source-recovery.)

2. Preserved goal

DOT is the single gate for data operations, and Điều 35 governs the DOTs themselves: see-all → measurable → self-operating closed loop. dot_tools as single SSOT registry, dot_domains, paired DOT (A=check/read-only, B=execute/write) enforced by PG trigger. New/fix DOT via APR (Điều 32). These goals are preserved.

3. How F0→F5/FX interprets it

• Shared root, narrowed scope: the new model's "DOT = một việc hẹp" (narrow info-completion machine) descends from Đ35's paired-DOT discipline. But Đ35's MT3 "tự vận hành khép kín / 100%" + its self-governing cron DOTs frame DOT as an engine; the new model rejects DOT-as-engine and reads the secondary engine as scanner = list-only.
• Reusable pattern (pattern, not a running system): §6.2 fix_repair_dot 6-step DETECT → PROPOSE → APPROVE → APPLY → VERIFY → CLOSE is the closest existing analog to the laws-new "scanner → checker → promote, list-only, fail-closed" loop; §6.5 ADMIN-fallback (audited) ≈ Owner-gate / Mức 3 with audit; fn_dot_enforce_paired ≈ "No checker, no lane." Reuse the pattern, carry the caveats — do not import the running governance system turnkey.

4. What is NOT authorized

• Not treating the enacted v5.2 or its live substrate as production-ready.
• Not reusing the live governance automation directly; the prod-readiness FAIL + bypass caveats (below) must travel with any reuse.
• No amendment to Đ35 (it is KEEP+NOTE; the auto-fix re-scoping pressure lives in Đ22 = AMEND, not here).
• No technical design, Phase-1, live query, schema/registry change, or authority-order change.

5. Remaining blockers / caveats (must travel with the asset)

• PRODUCTION READINESS FAIL — audit checkpoint-codex-2026-06-05 reads "CORE AUDIT PASS / PRODUCTION READINESS FAIL"; 14/14 health checks not LIVE.
• RISK-BYPASS (BLOCKER) — confirmed authority bypass fn_auto_approve_add() applied scanner requests without vote = 160 (160 unvoted applies). The gate cannot be trusted until Phase-1-verified and the bypass closed.
• fn_birth_gate scope — Đ35 §8.3 says it is dot_tools metadata gate, NOT generic Đ0-G birth gate; default mode='warn' + app.bypass_birth_gate kill-switch. It is not the F4 canonical-birth gate.
• Phase-1 (Batch D) must verify the live Đ35 automation, close the bypass, and confirm production-readiness before any governance lane is trusted.

6. Where this fits in the index

LAW_READING_INDEX.md §3.2, record #12, category READ_OLD_WITH_COMPATIBILITY_NOTE.

7. Bad readings this note rejects

• "Điều 35 is production-ready because it is enacted v5.2" → FALSE; PRODUCTION READINESS FAIL + confirmed bypass.
• "fix_repair_dot is a turnkey running loop we can reuse directly" → FALSE; reuse the pattern, carry the caveats.
• "fn_birth_gate is the canonical-birth gate" → FALSE; it is dot_tools-metadata-scoped, warn-mode, with a kill-switch.
• "This note amends Điều 35" → FALSE.

Điều 35 compatibility note rev1 | 2026-06-17 | read-only · non-authorizing | enacted ≠ production-ready · carry RISK-BYPASS