RS5A-05 — Candidate Owner-of-record Decision Matrix — 2026-06-21

Macro: RS5A · Mục tiêu D · Deliverable: 05 of 15 · design-only (designates no owner). Candidate source rule: candidates are drawn only from live governed surfaces. No person, no email, no caller text may be invented as a candidate. Surface result: an Owner-head surface is proven — governance_registry (9 codes, [[rs5a-02]] §3). Therefore the result is not NO_CANDIDATE_SURFACE_PROVEN. But no candidate is a bound accountable head (governance_object_ownership = 0), so every candidate is at best acceptable to bring to the Owner decision, never already the Owner.

1. Matrix — governed candidates (from governance_registry)

candidate_ref	source surface	scope fit	authority fit	conflict risk	least-privilege	rollback path	auditability	can sign register_dot now?	caveat	verdict
GOV-DOT (Quản trị DOT, system, active)	governance_registry	high — domain monitoring.dot matches DOT registration	candidate accountable head for DOT_REGISTRATION_AUTHORITY / DOT_ARTIFACT_ADMISSION	medium — same body monitors DOT health (separate audit head advised)	fits if scoped to registration only, not activation	per-row rollback_ref; supersede via lifecycle	approval_ref/audit_ref columns exist	No — no ownership row + no register_dot action	not yet bound; needs scope + action authored	OWNER_CANDIDATE_ACCEPTABLE_FOR_DECISION
GOV-SIV (Toàn vẹn Hệ thống, system, active)	governance_registry	high — monitoring.integrity matches DOT_HEAD_UNIQUENESS / DOT_AUDIT_SINK	candidate head for integrity/audit scopes	low	good separation from GOV-DOT	as above	as above	No	best as audit/integrity head in a split (Option B)	OWNER_CANDIDATE_ACCEPTABLE_FOR_DECISION
GOV-COUNCIL (Hội đồng Kiến trúc, council, active)	governance_registry	medium — governance council; maps to quorum ai_council body	candidate approval/quorum authority, not day-to-day head	low	over-broad if made sole head	as above	as above	No	suited to high-risk approval, not registrar ownership	OWNER_CANDIDATE_ACCEPTABLE_FOR_DECISION (approval role)
GOV-NRM-SYS (normative, active)	governance_registry	medium — policy/DOT_STATUS_DOMAIN	candidate policy head	low	scope to status/policy only	as above	as above	No	narrow fit	OWNER_CANDIDATE_UNPROVEN (until scope authored)
GOV-KG-SYS (kg, active)	governance_registry	low — knowledge graph, not registrar	—	—	—	—	—	No	wrong domain	OWNER_CANDIDATE_UNPROVEN
GOV-MOIT/MOT/MOUT/MOW (factory, draft)	governance_registry	low	—	—	—	—	—	No	draft status; assembly domain	OWNER_CANDIDATE_REJECTED_NO_ACCOUNTABLE_HEAD

2. Matrix — non-governed pseudo-candidates (must be rejected)

pseudo-candidate	source	why rejected	verdict
caller asserting "I am owner"	request payload	self-assertion ≠ authority	OWNER_CANDIDATE_REJECTED_CALLER_TEXT
dot_tools.owner = system / claude_ai / null	dot_tools varchar	uncontrolled free text; 212 null / 93 system / 4 claude_ai	OWNER_CANDIDATE_REJECTED_FREE_TEXT
Directus Administrator / tac-admin / any of 13 users	directus_roles/users	RBAC ≠ governance ownership; not bound to governance_object_ownership	OWNER_CANDIDATE_REJECTED_OPERATOR_ONLY
registrar runtime / operator job	registrar artifact	executes, never authorises	OWNER_CANDIDATE_REJECTED_OPERATOR_ONLY
APR proposer / reviewed_by text	approval_requests	proposer self-excluded from quorum	OWNER_CANDIDATE_REJECTED_CALLER_TEXT

3. Result

• Surface: OWNER_CANDIDATE_SURFACE_PROVEN (governance_registry).
• Strongest acceptable-for-decision candidate(s): GOV-DOT (registration/admission), with GOV-SIV (integrity/audit) and GOV-COUNCIL (high-risk approval) as the natural split partners — feeding Option B in [[rs5a-10]].
• Bound accountable head today: none (governance_object_ownership = 0) ⇒ NO_ACCOUNTABLE_HEAD_BOUND.
• Can any candidate sign register_dot today: No — both the binding row and the register_dot action are absent, and the owner-mint path is fail-closed ([[rs5a-02]] §7).

RS5A does not pick the Owner. It establishes that a defensible candidate set exists and that the act of choosing + binding is the Owner decision (G2), reserved to the Owner.