RS5A-04 — Object Scope Taxonomy and Boundaries — 2026-06-21
Macro: RS5A · Objective C · Deliverable: 04 of 15 · design-only (creates no scope row).
Constraint: scopes attach to governance_object_ownership.scope (FK → governance_responsibility_scope). Today that vocabulary has only {approval, audit, execution, health, policy, render} — none registration-specific ([[rs5a-02]] §2). All scopes below are REQUIRED_NOT_PRESENT.
1. The nine registrar object scopes
Each is a separate LEGO block: it can be born, tested, changed, and rolled back independently, and is joined to others only by an explicit contract edge — never by implicit inheritance.
| Scope | Governs (the decision it owns) | Maps to RS4A/PATCH2 leg | Before register_dot? |
|---|---|---|---|
| DOT_REGISTRAR_CONTRACT | what the registrar is allowed to do at all (replace-not-wrap, no mass-scan) | RS4A REPLACE decision | MUST (gate) |
| DOT_REGISTRATION_AUTHORITY | who may admit a register_dot effect | RS4A-05 owner/APR | MUST (gate) |
| DOT_ARTIFACT_ADMISSION | which artifact bytes/hash may enter | PATCH2 canonical_artifact_hash | MUST (gate) |
| DOT_HASH_CARRIER | where the authoritative artifact hash lives | RS4A-06 interface-F | MUST (gate) |
| DOT_HEAD_UNIQUENESS | U3 current-head policy | PATCH2-03 U3 | MUST (gate) |
| DOT_STATUS_DOMAIN | the legal status vocabulary + enforcement | PATCH1 inert-state=draft | MUST (gate) |
| DOT_ACTIVATION_AUTHORITY | who may move draft→active (notify) | PATCH1/trigger closure | can be after registration (registration writes draft) |
| DOT_REPLAY_SURFACE | single-use/idempotency of an effect | PATCH2 nonce + replay | can be after (degrades to duplicate-detect) |
| DOT_AUDIT_SINK | failure-only audit ledger | PATCH2-04 Phase-4 | can be after (but failure path needs it) |
Six gate scopes must exist and be owned before any register_dot write; three may follow. See dependency edges §3.
2. Separability proof (no mega-owner)
| Property | Demonstration |
|---|---|
| born separately | each scope is one scope_code row + one ownership row; insertion order is free subject to §3 edges |
| tested separately | each has its own negative tests in [[rs5a-09]] (e.g. DOT_HEAD_UNIQUENESS ↔ U3 cases; DOT_AUDIT_SINK ↔ audit cases) |
| changed separately | revoking/superseding the head of one scope (lifecycle_status='superseded') does not touch another scope's ownership row |
| rolled back separately | rollback_ref is per-ownership-row; rollback of DOT_ACTIVATION_AUTHORITY leaves DOT_REGISTRATION_AUTHORITY intact |
| no implicit inherit | is_inherited_anchor=false by contract for these scopes; an Owner of DOT_REGISTRATION_AUTHORITY does not automatically own DOT_ACTIVATION_AUTHORITY |
MUST_NOT_IMPLICIT_INHERIT (hard): DOT_REGISTRATION_AUTHORITY → DOT_ACTIVATION_AUTHORITY, DOT_REGISTRATION_AUTHORITY → DOT_ARTIFACT_ADMISSION, DOT_REGISTRAR_CONTRACT → anything. Registration authority must never silently confer activation authority (that is exactly the unsafe "register ⇒ active" path RS4A rejected).
3. Dependency edges (contract, not inheritance)
```
DOT_REGISTRAR_CONTRACT     ─┐ (the registrar may act)
DOT_REGISTRATION_AUTHORITY ─┤
DOT_ARTIFACT_ADMISSION ─────┼─→ [register_dot effect admissible] ─→ writes status=draft
DOT_HASH_CARRIER ───────────┤                                           │
DOT_HEAD_UNIQUENESS (U3) ───┤                                           │ (separate, explicit edge)
DOT_STATUS_DOMAIN ──────────┘                                           ▼
                                                            DOT_ACTIVATION_AUTHORITY ─→ [draft→active / notify]
DOT_REPLAY_SURFACE (guards the effect against re-admission)
DOT_AUDIT_SINK (records failures, separate txn)
```
Edges are conjunctive admission preconditions, evaluated by the registrar; they are not parent→child ownership. A missing gate edge ⇒ fail-closed reject (codes in [[rs5a-06]]).
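The conjunctive gate and the no-implicit-inherit rule can be sketched as follows. This is an added example, not RS5A's or the registrar's own code: the field names follow the §5 row shape, while the function names, the returned dictionary, the choice to ignore inherited-anchor rows, and the `GOV-EXAMPLE-*` owner codes are assumptions made for illustration.

```python
from dataclasses import dataclass

# Scope codes taken from the section 1 table.
GATE_SCOPES = (
    "DOT_REGISTRAR_CONTRACT", "DOT_REGISTRATION_AUTHORITY",
    "DOT_ARTIFACT_ADMISSION", "DOT_HASH_CARRIER",
    "DOT_HEAD_UNIQUENESS", "DOT_STATUS_DOMAIN",
)
ACTIVATION_SCOPE = "DOT_ACTIVATION_AUTHORITY"

@dataclass(frozen=True)
class OwnershipRow:
    # Subset of the section 5 row shape; other columns omitted.
    scope: str
    owner_gov_code: str  # placeholder values only in this example
    lifecycle_status: str = "active"
    is_inherited_anchor: bool = False

def owned_scopes(rows):
    """Scopes backed by an explicit, active, non-inherited ownership row."""
    # Assumption: an inherited-anchor row never satisfies a registrar scope.
    return {r.scope for r in rows
            if r.lifecycle_status == "active" and not r.is_inherited_anchor}

def admit_register_dot(rows):
    """Conjunctive gate: any missing gate scope rejects (fail closed)."""
    owned = owned_scopes(rows)
    missing = [s for s in GATE_SCOPES if s not in owned]
    if missing:
        return {"admitted": False, "status": None, "missing": missing}
    # Registration only ever writes the inert status.
    return {"admitted": True, "status": "draft", "missing": []}

def admit_activation(rows, current_status):
    """draft->active needs its own row; gate ownership confers nothing."""
    return current_status == "draft" and ACTIVATION_SCOPE in owned_scopes(rows)

# Constructed sample: one owner holds all six gate scopes, nothing else.
SAMPLE_GATES = [OwnershipRow(s, "GOV-EXAMPLE-1") for s in GATE_SCOPES]

if __name__ == "__main__":
    print(admit_register_dot(SAMPLE_GATES))       # admitted, status=draft
    print(admit_register_dot(SAMPLE_GATES[:-1]))  # rejected, one gate missing
    print(admit_activation(SAMPLE_GATES, "draft"))  # False: no activation row
```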
4. Mandatory vs deferrable vs never-implicit
| Class | Scopes | Rule |
|---|---|---|
| Mandatory before register_dot | REGISTRAR_CONTRACT, REGISTRATION_AUTHORITY, ARTIFACT_ADMISSION, HASH_CARRIER, HEAD_UNIQUENESS, STATUS_DOMAIN | each REQUIRED_NOT_PRESENT ⇒ overall HOLD |
| May be done after | ACTIVATION_AUTHORITY, REPLAY_SURFACE, AUDIT_SINK | registration writes inert draft; activation/replay/audit can land next; failure audit still required for the failure path |
| Never implicit inherit | all gate→post edges | explicit ownership row per scope |
5. Ownership shape (per scope) — no row created
For each scope the Owner decision would write one row of shape:
(object_type='dot_registrar', object_ref=<scope-target>, scope=<scope_code>, owner_kind='accountable', owner_gov_code=<GOV-…>, lifecycle_status='active', approval_ref=<applied assign_governance_owner APR>, audit_ref=…, source_law_ref=…).
RS5A specifies the shape and preconditions only. Choosing one shared head vs a split set is the Owner decision ([[rs5a-10]], Options A/B/C).