RS5A-02 — Current Authority-State Fresh Reconstruction (LIVE) — 2026-06-21
Macro: RS5A · Objective A · Deliverable: 02 of 15
Method: read-only query_pg against DB directus (read-only role, READ ONLY txn, statement_timeout 5s, hard LIMIT 500) + pg_get_functiondef / information_schema / pg_catalog. 0 writes. 0 DDL/DML.
Evidence tier: LIVE (every row below was observed this macro, not copied from a report). Function bodies were pg_get_functiondef, truncated=false.
This file does not trust prior reports. It re-derives the authority state from the substrate. Where a fact matches a prior macro, that is convergence, not citation.
1. Owner-of-record surface
| # | Surface | Observed fact | Tier |
|---|---|---|---|
| A1 | governance_object_ownership rowcount | 0 | LIVE |
| A2 | governance_object_ownership columns (20) | object_type, object_ref, scope, owner_kind, owner_gov_code, is_inherited_anchor, effective_from/to, lifecycle_status, approval_ref, audit_ref, rollback_ref, source_law_ref, source_design_ref, supersedes_id, created_* — NO operation, NO artifact_hash, NO revocation_ref column | LIVE |
| A3 | owner_kind CHECK | {accountable, supporting, delegated, exception} | LIVE |
| A4 | lifecycle_status CHECK | {active, superseded, revoked, expired} | LIVE |
| A5 | chk_delegated_ttl | owner_kind='delegated' ⇒ effective_to NOT NULL | LIVE |
| A6 | head-uniqueness index uq_gov_obj_accountable | UNIQUE(object_type, object_ref, scope) WHERE owner_kind='accountable' AND lifecycle_status='active' — at most one active accountable head per (object,scope) | LIVE |
| A7 | FK scope | → governance_responsibility_scope(scope_code) | LIVE |
| A8 | FK owner_gov_code | → governance_registry(code) | LIVE |
Reading: the ownership table is structurally rich and head-uniqueness is DB-enforced (A6) — but it is empty (A1). There is no Owner-of-record for anything, including the DOT registrar. An owner row, when written, must reference (a) a real scope_code and (b) a real governance head code. Both FK targets are examined below.
2. Scope vocabulary (FK target of ownership.scope)
governance_responsibility_scope — 6 rows:
| scope_code | description |
|---|---|
| approval | Approval routing |
| audit | Audit |
| execution | DOT execution |
| health | Health/integrity |
| policy | Policy authority |
| render | Display/render |
Reading: there is no DOT_REGISTRATION_AUTHORITY / DOT_ARTIFACT_ADMISSION / DOT_ACTIVATION_AUTHORITY scope. The closest, execution ("DOT execution"), is running a DOT, not admitting/registering one. ⇒ the registrar object scopes RS5A needs are REQUIRED_NOT_PRESENT (see [[rs5a-04]]). Creating them is an Owner/governance act, out of RS5A scope.
3. Governance-head registry (FK target of ownership.owner_gov_code)
governance_registry — 9 rows (these are governance objects/bodies/systems, not persons):
| code | name | gov_type | domain | status |
|---|---|---|---|---|
| GOV-COUNCIL | Hội đồng Kiến trúc | council | governance | active |
| GOV-DOT | Quản trị DOT | system | monitoring.dot | active |
| GOV-SIV | Toàn vẹn Hệ thống | system | monitoring.integrity | active |
| GOV-NRM-SYS | Hệ thống Văn bản Quy phạm | system | normative | active |
| GOV-KG-SYS | Hệ thống Knowledge Graph | system | kg | active |
| GOV-MOIT/MOT/MOUT/MOW | the four "Mothers" | factory | assembly.* | draft |
Reading: a candidate-head surface exists (notably GOV-DOT, GOV-SIV, GOV-COUNCIL, all active). This is not NO_CANDIDATE_SURFACE. But a candidate code is only a potential head; it becomes an accountable Owner-of-record only when a governance_object_ownership row binds it to a scope with owner_kind='accountable' — and there are 0 such rows. See candidate matrix [[rs5a-05]].
4. APR action surface
apr_action_types — 14 rows. register_dot is ABSENT.
| action_code | risk_level | handler_ref | note |
|---|---|---|---|
| register_axis | high | unimplemented | register-shaped, reserve-only |
| register_topic_node | high | unimplemented | register-shaped, reserve-only |
| assign_governance_owner | high | unimplemented | the owner-mint action is itself reserve-only |
| delegate_authority | high | unimplemented | |
| grant_governance_exception | high | unimplemented | |
| activate_event_type, amend_law, assign_axis_owner, authorize_build_step, enact_nrm | high | unimplemented | |
| add_field | medium | dot-apr-execute:add_field | implemented |
| create_item / update_item | low | dot-apr-execute:* | implemented |
| patch_ops_code | high | dot-apr-execute:patch_ops | implemented |
CHECKs: risk_level ∈ {low,medium,high}; status ∈ {active,deprecated,retired}; PK action_code; rename-guard trigger present.
Reading: register_dot ⇒ REGISTER_DOT_ACTION_REQUIRED_NOT_PRESENT. Even the action that would mint an Owner (assign_governance_owner) is handler_ref='unimplemented' ⇒ reserve-only ⇒ cannot execute (see §7).
5. APR request / vote surface and its binding gap
approval_requests — 230 rows, 26 cols. Status counts: applied 176, approved 2, pending 19. proposed_action_code IS NULL on 182/230 rows.
- CHECK action ∈ {add, modify, delete, review} (no register-shaped verb).
- CHECK status ∈ {pending, approved, applied, rejected, expired}.
- target_collection NOT NULL; binds an action to a (target_collection, target_entity_code) row reference.
- FK proposed_action_code → apr_action_types.
- NO effect_identity, NO artifact_hash, NO canonical_artifact_identity column. An APR cannot, in the current schema, be bound to the artifact bytes or to the PATCH2 effect digest — only to a target row reference.
apr_approvals — 7 cols: approver(text), approver_type CHECK {human, ai_council}, decision CHECK {approve, reject, abstain}, UNIQUE(apr_id, approver). Votes present: ai_council approve 28, human approve 14, 0 reject. No column binds a vote to an effect/artifact.
6. Quorum semantics — READABLE (not unproven)
Both bodies were obtained via pg_get_functiondef (truncated=false):
quorum_passed(p_code text) → boolean (STABLE): looks up risk_level from apr_action_types by the request's proposed_action_code; counts apr_approvals for the APR; excludes the proposer (source_context->>'proposer'|'created_by'); any reject ⇒ false; then by tier: high ⇒ president≥1 AND council≥2, medium ⇒ president≥1, low ⇒ total≥1. Returns false if request or proposed_action_code is NULL, or risk unknown.
fn_apr_quorum_check() trigger (BEFORE UPDATE OF status, pending→approved): same rule set; row-locks votes; RAISE EXCEPTION on shortfall, reject, or self-approve.
Three binding gaps proven by the source (carried as proof obligations [[rs5a-08]]):
- No effect/artifact binding. Quorum verifies vote counts by tier; it never checks the approval is bound to a specific effect_identity or artifact_hash (no such column exists).
- president is a text match: approver ILIKE '%president%'. Any vote row whose free-text approver contains "president" satisfies the president requirement. Approver identity is not bound to a governance_registry head ⇒ fail-open on identity.
- No freshness / supersession / drift check. Quorum does not test approval age, artifact drift, or whether the approved object was superseded.
⇒ QUORUM_SEMANTICS_READ but QUORUM_EFFECT_BINDING_INSUFFICIENT + QUORUM_APPROVER_IDENTITY_UNVERIFIED. Quorum is necessary, not sufficient for register_dot.
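The identity gap above, as an added example (a Python model written from this section's description, not the body of quorum_passed and not project code): it runs the tier rule with the text-match predicate and with a head-bound predicate over constructed vote rows. Assumptions: "council" means approver_type='ai_council', and the approver_gov_code field and the GOV-EXAMPLE-HEAD code are hypothetical.

```python
# Model of the quorum rule as section 6 describes it; not the body of quorum_passed().
# Assumptions: "council" = approver_type 'ai_council'; approver_gov_code and
# GOV-EXAMPLE-HEAD are hypothetical (no such column or registry code is on the page).

def quorum(risk_level, votes, proposer, is_president):
    """Exclude the proposer, fail on any reject, then apply the tier thresholds."""
    if risk_level not in ("low", "medium", "high"):
        return False  # NULL proposed_action_code or unknown risk => false
    counted = [v for v in votes if v["approver"] != proposer]
    if any(v["decision"] == "reject" for v in counted):
        return False
    approvals = [v for v in counted if v["decision"] == "approve"]
    president = sum(1 for v in approvals if is_president(v))
    council = sum(1 for v in approvals if v["approver_type"] == "ai_council")
    if risk_level == "high":
        return president >= 1 and council >= 2
    if risk_level == "medium":
        return president >= 1
    return len(approvals) >= 1

def text_match(vote):
    """Current behaviour per the report: approver ILIKE '%president%'."""
    return "president" in vote["approver"].lower()

def head_bound(head_code, registry_codes):
    """Stricter predicate: the vote must carry the designated registry head code."""
    def check(vote):
        return head_code in registry_codes and vote.get("approver_gov_code") == head_code
    return check

# Constructed vote rows (not taken from apr_approvals).
VOTES = [
    {"approver": "notes-for-president", "approver_type": "human", "decision": "approve"},
    {"approver": "council-a", "approver_type": "ai_council", "decision": "approve"},
    {"approver": "council-b", "approver_type": "ai_council", "decision": "approve"},
]
REGISTRY = {"GOV-EXAMPLE-HEAD"}  # hypothetical head code
BOUND = VOTES + [{"approver": "head-1", "approver_type": "human",
                  "decision": "approve", "approver_gov_code": "GOV-EXAMPLE-HEAD"}]

def demo():
    strict = head_bound("GOV-EXAMPLE-HEAD", REGISTRY)
    return {
        "text_match_high": quorum("high", VOTES, "proposer-x", text_match),
        "head_bound_high": quorum("high", VOTES, "proposer-x", strict),
        "head_bound_with_head_vote": quorum("high", BOUND, "proposer-x", strict),
    }

if __name__ == "__main__":
    print(demo())
```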
7. Fail-closed and fail-open surfaces (source-level)
| Surface | Body | Direction |
|---|---|---|
| fn_apr_block_unimplemented_handler() (→applied) | re-proves quorum_passed(NEW.code) fail-closed, then blocks any handler_ref='unimplemented' ("Reserve-only, cannot execute") | FAIL-CLOSED — blocks assign_governance_owner apply ⇒ Owner cannot be minted via APR today |
| fn_auto_approve_add() | P0 containment 2026-06-06: auto-approve DISABLED; only writes a review_note; rows stay pending | FAIL-CLOSED (closed a prior bypass) |
| quorum_passed on NULL action | returns false ⇒ apply blocked | FAIL-CLOSED |
| fn_pa_handler_assign_governance_owner(text,text) | exists, delegates fn_pa_domain_handler('PROC-OWN-04',…) — but apr_action_types.handler_ref='unimplemented', so it is not wired as the action handler ⇒ apply still blocked | FAIL-CLOSED (function present ≠ action wired) |
| approver ILIKE '%president%' | identity by text | FAIL-OPEN (latent) — must be closed by [[rs5a-06]]/[[rs5a-08]] before register_dot |
| dot_tools.owner free-text varchar | values: null 212, system 93, claude_ai 4 (of 309) | NOT an Owner — reject (see [[rs5a-03]]) |
| dot_tools.status varchar | active 291, published 16 (out-of-vocab), null 2; no CHECK | STATUS_DOMAIN_NOT_DB_ENFORCED (carried) |
8. RBAC vs governance ownership
directus_roles — 9 RBAC roles: Administrator, Agent, AI Agent, Antigravity Public, Editor, Public ×2, tac-admin, tac-agent. directus_users — 13. None is a governance Owner-of-record. A Directus role/user is an operational identity; it is not bound to governance_object_ownership and confers no accountable-head authority (see [[rs5a-03]]).
9. Reconstruction verdict
| Question (Objective A) | Answer |
|---|---|
| ownership rowcount? | 0 |
| accountable head exists? | No |
| DOT registrar scope exists? | No (REQUIRED_NOT_PRESENT) |
| register_dot in action types? | No (REQUIRED_NOT_PRESENT) |
| register-shaped actions? | register_axis, register_topic_node — both high, unimplemented |
| quorum_passed exists / readable? | Yes / Yes — but effect-binding insufficient |
| fn_apr_quorum_check readable? | Yes |
| APR surface binds artifact/effect? | No (binds target row ref only) |
| authority immutability/lifecycle guard? | head-uniqueness (A6) + lifecycle CHECK (A4) + delegated-TTL (A5) present; but table empty |
| owner candidate surface? | Yes (governance_registry: GOV-DOT/GOV-SIV/GOV-COUNCIL) — but no head bound |
Net: authority infrastructure is present and largely fail-closed; authority content is absent. The controlling fact for G2 is governance_object_ownership = 0 with no DOT_REGISTRATION_AUTHORITY scope and no register_dot action ⇒ default HOLD / fail-closed until an Owner decision designates a head and the missing scope + action surfaces are authored. NO_LIVE_READ does not apply — this file is live.