RS5A-PATCH1-04 — GOV-COUNCIL Approval/Quorum Edge — 2026-06-21

Macro: RS5A-PATCH1 · Mục tiêu C + R3 · Deliverable: 04 of 10. Supersedes: RS5A-05 §3 / RS5A-10 Option B assignment of GOV-COUNCIL to a "high-risk approval/quorum" cluster without an explicit scope or contract edge. Codex §5/§14: existing broad approval scope cannot silently substitute for a registration-specific approval authority after RS5A itself rejected broad scopes as insufficient.

1. Decision: Option C1 — explicit 10th scope

Chosen: define an explicit scope DOT_APPROVAL_QUORUM_AUTHORITY (a 10th registrar scope) as GOV-COUNCIL's only home. (Option C2 — a standalone non-owner approver-body contract — is the alternative; C1 is chosen because it keeps every authority inside the same governance_object_ownership / scope LEGO model rather than inventing a parallel mechanism. The identity-binding obligations C2 would carry are folded into C1 §3.)

field	value
scope_code	DOT_APPROVAL_QUORUM_AUTHORITY
owns	who may approve high-risk DOT governance actions (including register_dot) and what quorum means for them
candidate accountable head	GOV-COUNCIL only (council body; matches live gov_type='council')
does NOT own	DOT_REGISTRATION_AUTHORITY, DOT_ARTIFACT_ADMISSION, DOT_ACTIVATION_AUTHORITY, or any other scope
present today?	No — REQUIRED_NOT_PRESENT (not in governance_responsibility_scope)
head bound today?	No — governance_object_ownership = 0
execution	none (design-only)

2. No broad-approval inheritance (the hard rule)

• The existing approval scope ("Approval routing", [[rs5a-02]] §2) is generic routing; it is explicitly NOT the registration approval authority.
• GOV-COUNCIL owning DOT_APPROVAL_QUORUM_AUTHORITY confers approval authority only and never registration/admission/activation ownership.
• MUST_NOT_IMPLICIT_INHERIT: DOT_APPROVAL_QUORUM_AUTHORITY → DOT_REGISTRATION_AUTHORITY (and any other scope) is forbidden. Approving an effect ≠ owning its registration.

3. Identity-binding contract (folds in Option C2 obligations)

This closes the live fail-open where quorum_passed matches approver ILIKE '%president%' ([[rs5a-02]] §6):

obligation	requirement	replaces
approver identity binding	each quorum approver must resolve to a governance_registry head (or a head-delegated identity), not free-text	approver ILIKE '%president%' text match
approver-body binding	ai_council votes must bind to GOV-COUNCIL as the accountable approval head, not self-declared approver_type	self-declared approver_type='ai_council'
effect/artifact binding	an approval is valid only when bound to the exact effect_identity + artifact_hash_ref	target-row-ref-only approvals
no ownership inheritance	approval authority grants no scope ownership	implicit broad approval

These are design requirements for a future surface; none is implemented (fail-closed today).

4. Why a 10th scope is NOT a mega-scope (LEGO proof)

LEGO property	demonstration
narrow	owns exactly one decision class — who may approve / quorum meaning — and nothing else
born separately	one scope_code row + one ownership row (head=GOV-COUNCIL)
tested separately	negative tests F-group (quorum/identity) + new approver-identity cases
changed separately	supersede the GOV-COUNCIL ownership row without touching registration/admission heads
rolled back separately	per-row rollback_ref
no implicit inherit	explicit MUST_NOT_IMPLICIT_INHERIT edges (§2)

A mega-scope would be one head owning approval and registration and admission. This scope owns only approval authority ⇒ it increases separation of duties, not coupling. The taxonomy becomes 10 scopes (6 gate + 3 deferrable + this 1 approval-authority), each an independent block.

5. Status

R3 CLOSED — GOV-COUNCIL is resolved to an explicit DOT_APPROVAL_QUORUM_AUTHORITY scope with an identity-binding contract and no broad-approval inheritance. GOV_COUNCIL_EDGE is no longer implicit ⇒ the HOLD …GOV_COUNCIL_EDGE_INSUFFICIENT does not apply.