RS5A-10 — Owner Decision Options and Recommendation — 2026-06-21
RS5A-10 — Owner Decision Options and Recommendation — 2026-06-21
Macro: RS5A · Mục tiêu I + J · Deliverable: 10 of 15 · design-only (executes nothing). These are options for the Owner to decide. RS5A does not select a head, write a row, or author a scope/action.
1. Option A — single accountable head for DOT_REGISTRATION_AUTHORITY only
| facet | detail |
|---|---|
| prerequisites | author DOT_REGISTRATION_AUTHORITY scope_code; designate one governance_registry head (candidate GOV-DOT); author register_dot action (high) |
| benefits | smallest decision surface; fastest to a governed registration path; one accountable point |
| risks | concentration — same head may also own admission/audit ⇒ weak separation of duties (A11/C05 fail-open class) |
| rollback | supersede the single ownership row (lifecycle_status='superseded'); revert scope/action authoring |
| LEGO boundary | one scope block; must not implicit-inherit activation/admission/audit |
| unlocks | register_dot admission of inert draft under one head |
| does NOT unlock | activation, artifact-admission, audit-sink, replay — each still fail-closed |
2. Option B — split Owner by scope cluster (recommended for the decision)
| facet | detail |
|---|---|
| prerequisites | author the 6 gate scopes ([[rs5a-04]]); designate heads per cluster — registration/admission → GOV-DOT, integrity/head-uniqueness/audit → GOV-SIV, high-risk approval/quorum → GOV-COUNCIL; author register_dot (high) |
| benefits | genuine separation of duties; matches live governance_registry domains; each scope born/tested/changed/rolled-back independently; defeats concentration fail-opens |
| risks | larger decision surface; more ownership rows to author and keep current |
| rollback | per-scope supersession; isolated rollback_ref per row |
| LEGO boundary | one ownership row per scope; explicit contract edges only; MUST_NOT_IMPLICIT_INHERIT enforced |
| unlocks | a properly separated registration path (registration ≠ activation ≠ audit) |
| does NOT unlock | anything beyond the scopes explicitly bound; deferred scopes stay fail-closed until owned |
3. Option C — HOLD until Owner model is formally authored elsewhere
| facet | detail |
|---|---|
| prerequisites | none (status quo) |
| benefits | zero risk of premature/over-broad authority; preserves default HOLD |
| risks | registrar remains ungoverned; no progress on G2 |
| rollback | n/a |
| LEGO boundary | n/a |
| unlocks | nothing |
| does NOT unlock | registration of any kind |
4. Recommendation
Primary verdict: G2_OWNER_DECISION_READY_FOR_CODEX_REVIEW. The dossier is complete: authority state freshly reconstructed (live), Owner concept and role lattice defined, scopes bounded as separable LEGO, a defensible candidate set proven, register_dot action contract + authority envelope + quorum proof obligations + 84 negative tests authored — all design-only, with REGISTRATION_HOLD intact.
Recommended option to put before the Owner: Option B (split by scope cluster), because it matches the live governance_registry/scope structure and structurally defeats the concentration fail-opens found in [[rs5a-02]] §7.
RS5A does NOT choose the Owner. A defensible candidate surface exists (G2_OWNER_DECISION_READY_FOR_CODEX_REVIEW), but no accountable head is bound and the missing scope + register_dot action + nonce/hash/audit surfaces are all REQUIRED_NOT_PRESENT. Therefore the controlling sub-state remains fail-closed: no owner ⇒ no register_dot.
5. Carried HOLD sub-findings (none cleared by RS5A)
NO_ACCOUNTABLE_HEAD_BOUND (gov_owner=0) · REGISTER_DOT_ACTION_REQUIRED_NOT_PRESENT · scope REQUIRED_NOT_PRESENT (no registration-authority scope) · OWNER_MINT_PATH_FAIL_CLOSED (assign_governance_owner unimplemented) · QUORUM_EFFECT_BINDING_INSUFFICIENT + QUORUM_APPROVER_IDENTITY_UNVERIFIED · ARTIFACT_HASH_CARRIER_UNPROVEN · STATUS_DOMAIN_NOT_DB_ENFORCED · U3_HEAD_POLICY_SURFACE_ABSENT · FAILURE_AUDIT_SINK_UNPROVEN. Blockers G2–G7 carried.