RS5A-03 — Owner-of-record Concept Model — 2026-06-21
RS5A-03 — Owner-of-record Concept Model — 2026-06-21
Macro: RS5A · Mục tiêu B · Deliverable: 03 of 15 · design-only.
Premise (from [[rs5a-02]]): head-uniqueness is DB-enforced (uq_gov_obj_accountable), the ownership table is empty, candidate heads exist in governance_registry.
1. The single rule
Owner-of-record = the accountable governance head bound to an object scope by an active
governance_object_ownershiprow withowner_kind='accountable'.
Nothing else is an Owner. The Owner-of-record is a governance fact (a row in governance_object_ownership referencing a governance_registry head and a governance_responsibility_scope scope), not an operational or textual one.
2. Owner-of-record is NOT … (rejection table)
Each negation below has a live counter-example from [[rs5a-02]] and a reject code reused in [[rs5a-06]]/[[rs5a-09]].
| Owner-of-record ≠ | Why it is not the Owner | Live counter-example | Reject code |
|---|---|---|---|
| operator | runs the registrar; has no accountable authority for the scope | the registrar bash/job that POSTs DOTs | OPERATOR_NOT_OWNER |
| caller | self-assertion is not authority; caller proposes, never authorises | a request claiming "I am owner" |
CALLER_SELF_ASSERTED_OWNER_REJECTED |
| Directus user / role | RBAC identity ≠ governance head; not bound to ownership | Administrator, tac-admin, 13 users |
DIRECTUS_ROLE_NOT_GOVERNANCE_OWNER |
dot_tools.owner free-text |
uncontrolled varchar; values system/claude_ai/null |
93×system, 4×claude_ai, 212×null |
FREE_TEXT_OWNER_REJECTED |
| approval requester | proposer is self-excluded from quorum; cannot authorise own effect | source_context->>'proposer' |
REQUESTER_NOT_OWNER |
| validator | pure/stateless; checks shape, holds no authority | RS-VALIDATOR (design) | VALIDATOR_NOT_OWNER |
| registrar script | the executing artifact; subject of governance, not its source | dot-dot-register |
REGISTRAR_SCRIPT_NOT_OWNER |
3. Role lattice (source-of-truth · can-decide · cannot-decide · fail-closed)
| Role | Source of truth | CAN decide | CANNOT decide | Fail-closed if absent |
|---|---|---|---|---|
| owner_scope | governance_responsibility_scope(scope_code) |
the unit of accountability (which object class is governed) | who the head is | scope REQUIRED_NOT_PRESENT ⇒ no ownership row writable |
| accountable_head | governance_object_ownership (owner_kind='accountable', active) → governance_registry(code) |
admit/deny register_dot for its scope; delegate; revoke |
act outside its scope | OWNER_OF_RECORD_ABSENT / ACCOUNTABLE_HEAD_UNRESOLVED ⇒ deny |
| delegated_approver | governance_object_ownership (owner_kind='delegated', effective_to REQUIRED via chk_delegated_ttl) |
approve within the time-boxed delegation | extend its own delegation; act after effective_to |
delegation expired ⇒ AUTHORIZATION_WINDOW_EXPIRED |
| approver | apr_approvals (approver_type ∈ {human, ai_council}) |
cast a quorum vote | substitute for the head; self-approve | quorum not met ⇒ QUORUM_NOT_SATISFIED |
| operator | registrar runtime identity | execute an already-authorised admission | authorise | — (never an authority) |
| validator | RS-VALIDATOR (pure) | reject malformed input | admit / authorise | — (never an authority) |
| registrar | the registrar artifact | perform the mechanical write under authority | self-authorise | AUTHORITY_BINDING_UNRESOLVED ⇒ refuse |
| auditor | audit sink (failure-only, separate txn) | record what happened | change the decision | sink absent ⇒ FAILURE_AUDIT_POLICY_UNDECLARED |
Separation invariant: the proposer ≠ approver ≠ accountable head chain is partly enforced today (quorum self-exclusion) but identity binding of approver→head is missing ([[rs5a-02]] §6.2). RS5A requires that the accountable-head and delegated-approver identities resolve to governance_registry codes, not free text.
4. Accountable-head admission conditions (what it takes to be the Owner)
A governance_registry code becomes Owner-of-record for a registrar scope only when all hold:
- an
governance_object_ownershiprow exists with thatowner_gov_code, the registrarscope,owner_kind='accountable',lifecycle_status='active'; - the row passes
uq_gov_obj_accountable(no competing active accountable head for the (object,scope)); - the row was created under a sanctioned path (an applied
assign_governance_ownerAPR — currently fail-closed, [[rs5a-02]] §7) withapproval_ref/audit_refpopulated; - the scope itself exists in
governance_responsibility_scope(currently absent for registration authority).
Conditions 3 and 4 are not satisfiable today ⇒ the Owner-of-record is, by this contract, fail-closed: no owner ⇒ no register_dot write (consistent with RS4A-05 AUTHORITY_CONTRACT_FAIL_CLOSED).
5. Why this is a decision, not an execution
RS5A defines what the Owner must be and the conditions to become one. It does not insert the ownership row, create the scope, wire the action, or approve anything. The act of choosing GOV-DOT (or a split set) and authoring the missing scopes/action is the Owner-of-record decision (G2) — reserved to the Owner, surfaced as options in [[rs5a-10]].