KB-5B8C

dot-iu-cutter v0.1 — G-4 DOT-Pair Signing Authority Closure

Revision 1

Date: 2026-05-15
Status: CLOSURE RESULT — G-4 step of Governance Closure Execution (LAST in dependency chain)
Trigger: GPT PASS on G-2; batch execution of remaining 4 gaps
Baseline: Governance Closure Execution Checklist §9 + Governance Closure Package §5.4 + D1 §4.14 (DOT-pair design) + criterion 28 + S178 A+3 paired-DOT pattern
Scope: CLOSURE RECORD ONLY. No code, no DDL, no migration, no PG mutation, no implementation planning. G-4 batched with G-1, G-3, G-5; dependency order preserved.


1. Gap Scope

G-4 closes the governance gap on DOT-Pair Signing Authority: the owner for registering, signing, rotating and revoking the DOT pair dot-iu-cutter (executor) + dot-iu-cutter-verify (verifier), ensuring that criterion 28 (DOT-pair / dual-engine verification mandatory for REPORT PASS) is operated validly.

g4_scope:
  dot_pair: 
    executor: dot-iu-cutter
    verifier: dot-iu-cutter-verify
  authority_for:
    - pair_registration
    - joint_signature_authority
    - executor_vs_verifier_boundary_policy
    - pair_rotation_and_revocation
    - tool_revision_drift_policy
  scope_basis: D1 §4.14 + criterion 28 + S178 A+3 existing pattern
  pattern_reference: S178 A+3 (DOT-HC-EXECUTOR ↔ DOT-HC-EXECUTOR-VERIFY paired-DOT) — same custodianship discipline

G-4 covers:

  • Pair registration in DOT registry.
  • Joint signature authority + signing schema concept (NOT signature DDL — that is P0-3/P0-4 schema territory).
  • Executor vs Verifier boundary policy (Gate 2 §3.6 closure).
  • Pair rotation / revocation policy.
  • Tool revision drift rule (both sides must be at same revision for valid co-sign).

G-4 does NOT cover:

  • Signing schema DDL (FUTURE P0-3 / P0-4 migration phase).
  • Verifier internal code (separate implementation pathway).
  • Tool revision content (G-3 owns intake review).
  • Sweep / anti-forgetting (G-2).

2. Proposed Owner Role (per Đ37)

2.1 Primary Role — DOT Registry Custodian

Role name (Đ37 SOP): DOT Registry Custodian — dot-iu-cutter v0.1

role: DOT Registry Custodian
scope: dot-iu-cutter v0.1 paired-DOT registration + signature authority
parent_dieu37_sop_class: governance_ops_dot_registry (likely existing from S178 A+3 pattern)
seat: TBD by Đ37 council
mapping_hint: may map to existing DOT registry custodian role established under S178 A+3 paired-DOT pattern

Authority:

  • Register the pair (dot-iu-cutter ↔ dot-iu-cutter-verify) in the DOT registry.
  • Authorize joint signing key / signature record on REPORT envelopes.
  • Define executor precheck vs verifier final co-sign boundary (via G-3 D4 capability intake).
  • Authorize pair rotation / revocation (Đ32 review if mid-cycle).
  • Enforce tool_revision drift rule (both sides must match for valid co-sign).
  • Block REPORT PASS if either signature missing or revisions diverge.

2.2 Council Co-Signs

  • Joint signature schema ratification (high-level authority, not low-level DDL).
  • Boundary policy ratification (via G-3 D4 intake).
  • Pair rotation / revocation policy ratification.
  • Both-signatures-required rule formal adoption.

2.3 Đ32 Co-Reviews

  • Mid-cycle pair rotation events.
  • Pair revocation due to suspected compromise.
  • Tool revision drift incidents.
  • Any signature failure resulting in REPORT PASS denial.

3. Backup / Deputy Roles

Primary role           | Backup
DOT Registry Custodian | DOT Registry Custodian Deputy (Đ37 SOP standby)
Council co-signer      | Đ37 council quorum
Đ32 reviewer           | Đ32 standby per existing SOP

Critical continuity rule: If primary AND deputy custodian are unavailable, no NEW pair registrations or rotations are permitted. Existing registered pair continues to operate normally; signature verification continues. This is fail-safe: never block legitimate operations on custodian outage, never permit unaudited NEW registrations during outage.


4. Responsibility Boundaries

4.1 DOT Registry Custodian

  • Maintain DOT registry entry for dot-iu-cutter ↔ dot-iu-cutter-verify.
  • Ensure both DOTs are at compatible tool_revision before any CUT batch.
  • Block REPORT PASS emission if signature pair invalid or drift detected.
  • Audit signature events; emit health signal dot_pair_drift or signature_failure to G-2 backlog.
  • Coordinate rotation / revocation per policy.

4.2 Council Authority

  • Ratify joint signature schema concept (the IDEA of dual-sig, not the DDL).
  • Ratify executor / verifier boundary policy (Gate 2 §3.6: precheck vs final co-sign).
  • Approve rotation / revocation rules.
  • Adopt both-signatures-required rule formally.

4.3 Executor vs Verifier Boundary (Gate 2 §3.6 Closure)

Proposed boundary policy:

executor_role: 
  performs: MARK, CUT, internal pre-VERIFY
  signature_authority: signs CUT execution + pre-VERIFY result
verifier_role:
  performs: independent VERIFY in separate execution context
  signature_authority: signs final VERIFY result (co-sign with executor)
joint_pass_requirement:
  - executor signature on CUT result
  - verifier signature on independent VERIFY result
  - both signatures present + tool_revision matched → REPORT may emit PASS
  - any divergence → REPORT NEEDS_HUMAN
status: proposed_pending_council_ratification (via G-3 D4 intake channel)

Council finalizes this boundary policy through a G-3 capability intake record (one-time policy intake, then frozen unless explicit D4 re-intake).

4.4 Tool Revision Drift Rule

tool_revision_drift_policy:
  rule: executor.tool_revision MUST equal verifier.tool_revision for valid co-sign
  drift_action: 
    detection: at CUT pre-check
    response: block CUT execution; emit dot_pair_drift signal to G-2; route to Custodian
  rotation_during_drift: 
    coordinated_upgrade: both DOTs upgrade together via G-3 + G-4 joint approval
    if_only_one_upgraded: revert (G-4 + Đ32 review)
status: proposed_pending_council_ratification
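As an added illustration (not part of this closure record, which is scope-limited to governance and defines no code), the following Python applies the §4.3 joint_pass_requirement and the §4.4 drift rule to a constructed REPORT envelope. The envelope layout, the gate_report / cut_precheck names, the constructed batch values and the per-role HMAC keys are assumptions made for the example; the real signature schema is P0-3 / P0-4 territory and is not defined here.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

EXECUTOR = "dot-iu-cutter"
VERIFIER = "dot-iu-cutter-verify"

# Constructed keys for this example only (assumption: each DOT holds its own secret;
# a real deployment would use separately held, asymmetric keys).
KEYS = {
    EXECUTOR: b"constructed-executor-key-not-real",
    VERIFIER: b"constructed-verifier-key-not-real",
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and checker hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(role: str, tool_revision: str, payload: dict) -> dict:
    """Signature record binding the signing role, its tool_revision and the payload."""
    msg = b"|".join([role.encode(), tool_revision.encode(), canonical(payload)])
    return {
        "role": role,
        "tool_revision": tool_revision,
        "sig": hmac.new(KEYS[role], msg, hashlib.sha256).hexdigest(),
    }


def signature_valid(record: dict, expected_role: str, payload: dict) -> bool:
    """Reject records signed by the wrong role, with a tampered revision, or over other bytes."""
    if record.get("role") != expected_role or expected_role not in KEYS:
        return False
    expected = sign(expected_role, record.get("tool_revision", ""), payload)["sig"]
    return hmac.compare_digest(expected, record.get("sig", ""))


def cut_precheck(executor_revision: str, verifier_revision: str) -> tuple[bool, list[str]]:
    """§4.4: drift is detected at CUT pre-check; CUT is blocked and dot_pair_drift is raised."""
    if executor_revision != verifier_revision:
        return False, ["dot_pair_drift"]
    return True, []


@dataclass
class GateDecision:
    verdict: str                                        # "PASS" or "NEEDS_HUMAN"
    signals: list[str] = field(default_factory=list)    # health signals for the G-2 backlog


def gate_report(envelope: dict) -> GateDecision:
    """§4.3 joint_pass_requirement applied to a REPORT envelope.

    PASS only when both signatures are present and valid for their own role,
    both tool_revisions match, and the independent VERIFY result is PASS.
    Any other state routes the REPORT to NEEDS_HUMAN with the matching signal.
    """
    ex = envelope.get("executor_signature")
    vf = envelope.get("verifier_signature")
    if ex is None or vf is None:
        return GateDecision("NEEDS_HUMAN", ["signature_failure"])
    if not signature_valid(ex, EXECUTOR, envelope["cut_result"]):
        return GateDecision("NEEDS_HUMAN", ["signature_failure"])
    if not signature_valid(vf, VERIFIER, envelope["verify_result"]):
        return GateDecision("NEEDS_HUMAN", ["signature_failure"])
    if ex["tool_revision"] != vf["tool_revision"]:
        return GateDecision("NEEDS_HUMAN", ["dot_pair_drift"])
    if envelope["verify_result"].get("outcome") != "PASS":
        return GateDecision("NEEDS_HUMAN", [])
    return GateDecision("PASS", [])


def build_envelope(exec_rev: str, verif_rev: str, outcome: str = "PASS") -> dict:
    """Constructed sample envelope: executor signs the CUT result, verifier the VERIFY result."""
    cut_result = {"batch": "constructed-batch-001", "cut_count": 3}
    verify_result = {"batch": "constructed-batch-001", "outcome": outcome}
    return {
        "cut_result": cut_result,
        "verify_result": verify_result,
        "executor_signature": sign(EXECUTOR, exec_rev, cut_result),
        "verifier_signature": sign(VERIFIER, verif_rev, verify_result),
    }


if __name__ == "__main__":
    print(gate_report(build_envelope("r5", "r5")))      # both valid, revisions match: PASS
    print(gate_report(build_envelope("r5", "r6")))      # revisions diverge: dot_pair_drift
    lone = build_envelope("r5", "r5")
    del lone["verifier_signature"]
    print(gate_report(lone))                            # executor-only: signature_failure
    print(cut_precheck("r5", "r6"))                     # drift caught before CUT runs
```

Binding the role and tool_revision into the signed bytes is what keeps the drift check honest: a record whose tool_revision was edited after signing fails signature validation before the revision comparison is reached, and an executor record placed in the verifier slot is rejected on role mismatch rather than counted as a second signature.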

4.5 Pair Rotation / Revocation

rotation_policy:
  trigger: planned tool_revision upgrade per G-3 capability intake
  authority: Custodian + Council
  dieu32_review: required if mid-cycle
revocation_policy:
  trigger: suspected compromise, signature failure cluster, security incident
  authority: Custodian + Đ32 full escalation + Council
  immediate_action: pause CUT operations; existing manifests remain; rollback if mid-cycle
status: proposed_pending_council_ratification

4.6 Boundaries — What G-4 Does NOT Own

  • Signing schema DDL → P0-3 + P0-4 schema gap (FUTURE migration phase).
  • Tool revision content decisions → G-3 (Capability-intake reviewer).
  • Backlog sweep → G-2.
  • Threading authority → G-1.
  • Access-control authority → G-5.
  • DOT implementation code → separate implementation pathway.

5. Acceptance Criteria for Closure (per Checklist §9)

Mapping to Governance Closure Execution Checklist §9 — 9 criteria:

# | Criterion | Status
1 | DOT registry custodian role confirmed for cutter pair | proposed (§2.1); may map to S178 A+3 custodian; requires Council confirm
2 | Pair dot-iu-cutter ↔ dot-iu-cutter-verify registered | proposed; requires Custodian to perform registration after role ratify
3 | Joint signature authority ratified by Council | proposed; requires Council ratify
4 | Executor / Verifier boundary policy decided (via G-3 D4 intake) | proposed (§4.3); requires G-3 closure + Council ratify via D4 capability intake
5 | Pair rotation / revocation authority documented | proposed (§4.5); requires Council + Đ32 ratify
6 | Both-signatures-required rule formally adopted | proposed (§4.3); requires Council formal adoption
7 | tool_revision drift policy documented | proposed (§4.4); requires Council ratify
8 | Cross-link to P0-3 / P0-4 migration design recorded | honored (this document §1, §4.6); migration is FUTURE phase
9 | D5 backlog entry for G-4 transitions status = resolved | pending P0-5 schema + dependency chain (G-1+G-2+G-3+G-5) ratify

Net status: 1 of 9 criteria fully met by this document (criterion 8 — cross-link recorded). 7 require Đ37 council action plus Đ32 (criteria 1–7). 1 requires P0-5 schema + full upstream chain (9).


6. Dependencies

dependencies:
  upstream:
    - G-3 (Capability-intake reviewer) — REQUIRED; tool_revision policy + boundary policy intake routed through G-3
    - G-2 (Backlog Custodian) — required for tracking
    - G-1 (Threading roles) — indirect (via G-3 dependency chain)
    - G-5 (Access-Control Authority) — indirect (via G-3 dependency chain)
  parallel:
    - none (G-4 is the last gap in closure chain)
  downstream:
    - P0-3 cut_change_set (signature schema realization — FUTURE migration)
    - P0-4 verify_result (signature schema realization — FUTURE migration)
    - Implementation planning gate (after ALL governance + P0 + Đ44 + Đ24 close)
  cross_law:
    - Đ32 (rotation/revocation risk approval)
    - Đ37 (escalation queue for signature_failure / dot_pair_drift signals)
    - Đ38 (tool_revision content — via G-3)
  pattern_reference:
    - S178 A+3 (existing paired-DOT pattern; DOT-HC-EXECUTOR / DOT-HC-EXECUTOR-VERIFY)
    - lockfile pattern reference: /var/lock/dot-hc-executor.lock (for serialization discipline; cross-pattern hint, not v0.1 schema)

G-4 is the LAST closure in the dependency chain. Implementation planning gate opens only after G-4 closes (still requires Đ44 Family Registry, Đ24 vocabulary, Đ32/Council ratify for Decisions 3+6, AND P0 migration design).


7. Blockers if G-4 Unresolved

If G-4 does NOT close:

  1. REPORT cannot emit valid PASS — criterion 28 fails; both signatures required but no signing authority.
  2. If only executor signs → DOT-pair guarantee broken; rev5d criterion 28 violation.
  3. Tool revision drift silently allowed — executor and verifier at different revisions could produce invalid co-sign undetected.
  4. Cross-link with S178 A+3 pattern lost — existing DOT registry discipline not honored; inconsistency across DOT family.
  5. D1 implementation planning blocked — DOT-pair contract is core of D1 §4.14; cannot enter migration design phase without owner.
  6. P0-3 cut_change_set design blocked — signature column schema needs Authority owner.
  7. P0-4 verify_result design blocked — same reason; dual-signature schema needs Authority.
  8. Implementation planning gate stays BLOCKED — gate requires all 5 governance closures.
  9. Rotation / revocation incidents have no playbook — first compromise event becomes ad-hoc crisis.
  10. G-3 partial degradation — tool_revision intakes can be reviewed (G-3) but cannot be executed (no G-4 to sign cut-over).

8. Required Ratification Authority

ratification_authority:
  primary: Đ37 Council
  per_role_specific:
    dot_registry_custodian: Council confirms (may map to S178 A+3 custodian)
    pair_registration: Custodian performs after role ratified
    joint_signature_authority: Council ratifies
    boundary_policy: Council ratifies via G-3 D4 capability intake
    rotation_revocation_policy: Council + Đ32 ratify
  cross_law:
    dieu32: rotation/revocation risk approval; mid-cycle review
    dieu37_escalation_queue: dot_pair_drift / signature_failure signal routing
    dieu38: tool_revision content alignment (via G-3)
  risk_class: Standard (governance role assignment); HIGH for actual revocation events
  dieu32_required:
    for_g4_role_assignment: NO (Standard)
    for_rotation_mid_cycle: YES
    for_revocation: YES (full escalation)
  user_required: NO (User PASS on design phase covers strategic direction)
  council_quorum: YES
  dependency_chain_must_close_first: [G-1, G-2, G-3, G-5]

9. Final Status

g4_status: proposed_closed_pending_council_ratification
g4_ratification_authority: Đ37 Council + Đ32 + DOT Registry Custodian
g4_position_in_dependency_chain: LAST (after G-1, G-2, G-3, G-5)
g4_dependency_status:
  g1_threading_roles: pending (indirect via G-3)
  g2_backlog_custodian: pending (blocks G-4 tracking)
  g3_capability_intake_reviewer: pending (DIRECT blocker — boundary policy intake routes through G-3)
  g5_access_control_authority: pending (indirect via G-3)
g4_blocks_downstream:
  p0_3_cut_change_set_design: blocked
  p0_4_verify_result_design: blocked
  implementation_planning_gate: blocked
  criterion_28_runtime_validity: blocked (no valid REPORT PASS possible without G-4)
g4_pattern_reference: S178_A+3_paired-DOT (existing custodian discipline; recommended map-to)
acceptance_criteria_satisfied_by_this_document: 1 of 9 (criterion 8 cross-link recorded)
acceptance_criteria_pending_dieu37_council_and_dieu32: 7 of 9 (criteria 1–7)
acceptance_criteria_pending_p0_5_schema_and_chain: 1 of 9 (criterion 9)
implementation_planning_allowed: false
implementation_execution_allowed: false
no_code: true
no_ddl: true
no_migration: true
no_pg_mutation: true
no_design_or_planning_or_prior_closure_file_modified: true