KB-7495

dot-iu-cutter v0.1 — G-5 Access-Control Authority Closure

Revision 1


Date: 2026-05-15
Status: CLOSURE RESULT — G-5 step of Governance Closure Execution
Trigger: GPT PASS on G-2 closure; batch execution of remaining 4 gaps
Baseline: Governance Closure Execution Checklist §7 + User Decision Confirmation §4.3 (Decision 3) + §4.6 (Decision 6) + Governance Closure Package §5.5 + D11 design + rev5d §14.2
Scope: CLOSURE RECORD ONLY. HIGH RISK class. No code, no DDL, no migration, no PG mutation, no implementation planning. G-5 ratifies User Decisions 3 and 6.


1. Gap Scope

G-5 closes the governance gap on Audience-Scope Access-Control Authority: the owner for audience class definitions, filter policy, wrong_audience_result security event handling, the visibility/readiness/publication vocabulary cross-law (Đ24), and response block/unblock authority.

G-5 ratifies User Decisions 3 + 6, both HIGH risk.

g5_scope:
  audience_classes_in_scope: AI-Agent / Employee / Partner / Customer (per Decision 3)
  default_visibility: internal-only
  tiered_visibility_scheme: public / partner / employee / internal / restricted
  wrong_audience_handling: Block + Log + Escalate, NO auto-rollback (per Decision 6)
  risk_class: HIGH (security event class)
  scope_basis: rev5d §14.2 + D11 §4.10 + Decisions 3, 6

G-5 covers:

  • Audience class definition + vocabulary (Đ24 cross-law).
  • Audience filter policy approval.
  • wrong_audience_result event ownership (security/governance, NOT search-quality).
  • Response block/unblock authority.
  • Visibility/readiness/publication/authority field vocabulary discipline.

G-5 does NOT cover:

  • Retrieval performance metrics (D11 §4.8 — separate target setting in Decision 2 / G-3).
  • Capability intake for new retrieval features (G-3).
  • Tool revision signing (G-4).
  • Anti-forgetting sweep (G-2).

2. Proposed Owner Role (per Đ37)

2.1 Primary Role — Access-Control Authority

Role name (Đ37 SOP): Access-Control Authority — dot-iu-cutter v0.1

role: Access-Control Authority
scope: dot-iu-cutter v0.1 retrieval access surface + threading audience visibility
parent_dieu37_sop_class: security_governance (existing or formally created)
seat: TBD by Đ37 council
mapping_hint: may map to existing security/governance lead

Authority:

  • Audience class definition + maintenance.
  • Filter policy approval (Standard+ risk → Council co-sign).
  • wrong_audience_result security event handling per Decision 6.
  • Response block/unblock authority.
  • Cross-law liaison with Đ24 for visibility/readiness/publication vocabulary.

2.2 Decision 3 Ratification (Audience Definitions — HIGH RISK)

G-5 formally ratifies Decision 3 once Authority is named + Council co-signs + Đ24 vocab approves:

decision_3_ratification_path:
  audience_classes: [AI-Agent, Employee, Partner, Customer]
  default_visibility: internal-only
  tiered_scheme: [public, partner, employee, internal, restricted]
  default_readiness_gate: published required for Customer & Partner
  ratification_required_from:
    - Access-Control Authority (G-5 primary)
    - Đ37 Council
    - Đ24 governance (vocabulary cross-law)
    - Đ32 (HIGH-risk class confirmation)
  status: proposed_pending_quad_ratification

2.3 Decision 6 Ratification (wrong_audience_result Handling — HIGH RISK)

decision_6_ratification_path:
  handling_policy: Block + Log + Escalate
  auto_rollback: false (explicit rejection of auto-recall option)
  escalation_target: Đ37 escalation queue + Access-Control Authority
  audit_target: consumer_contract_log (D11 §5; future P3 schema)
  ratification_required_from:
    - Access-Control Authority (G-5 primary)
    - Đ37 Council
    - Đ37 escalation queue wiring (no parallel channel)
    - Đ32 (HIGH-risk class confirmation; full escalation path)
  status: proposed_pending_quad_ratification

3. Backup / Deputy Role

| Primary role | Backup |
|---|---|
| Access-Control Authority | Access-Control Authority Deputy (Đ37 SOP standby seat) |
| Council co-signer | Đ37 council quorum (no single seat) |
| Đ32 escalation reviewer | Đ32 standby reviewer per existing Đ32 SOP |

Special continuity rule: For HIGH-risk security events (wrong_audience_result), if primary Authority is unavailable AND deputy is unavailable, ALL events default to block + log + immediate Council notification (fail-closed, never fail-open). This default is itself part of the G-5 ratification.


4. Responsibility Boundaries

4.1 Access-Control Authority Owns

  • Audience class lifecycle (define, deprecate, classify).
  • Filter policy approval per query/role/scope.
  • wrong_audience_result security event triage and response.
  • Block/unblock authority for retrieval responses.
  • Cross-law sync with Đ24 on vocabulary changes.
  • Liaison with Đ32 for HIGH-risk events.

4.2 Council Co-Signs

  • Initial audience class set ratification (Decision 3).
  • Initial wrong_audience_result handling policy ratification (Decision 6).
  • Vocabulary expansion (new visibility tiers, readiness states).
  • Audience-related filter policy changes beyond marginal tuning.

4.3 Đ32 Risk Authority

  • Every wrong_audience_result event is HIGH risk → Đ32 escalation mandatory.
  • Audience policy changes are at minimum Standard risk; HIGH if touching customer-facing surface.
  • Filter rule rollback authority during incidents.

4.4 Đ24 Vocabulary Cross-Law

  • All visibility/readiness/publication/authority enum values controlled by Đ24.
  • New audience tier additions require Đ24 ratification BEFORE G-5 can extend filter policy.
  • "Wrong_audience_result" itself is a controlled term (Đ24 / D11 §5).

4.5 Boundaries — What G-5 Does NOT Own

  • Retrieval performance metrics (G-3 / Decision 2).
  • Capability intake for non-security retrieval features (G-3).
  • DOT-pair signing (G-4).
  • Backlog sweep (G-2).
  • Thread membership review (G-1).
  • Implementation of access-control enforcement code (FUTURE migration + implementation planning).

5. Acceptance Criteria for Closure (per Checklist §7)

Mapping to Governance Closure Execution Checklist §7 — 12 criteria:

| # | Criterion | Status |
|---|---|---|
| 1 | Access-Control Authority role recorded in Đ37 SOP | proposed; requires Council ratification |
| 2 | Named occupant recorded | pending Đ37 council assignment |
| 3 | Decision 3 audience classes ratified by Council | proposed; HIGH risk; requires Council + Đ32 |
| 4 | Decision 3 tiered visibility ratified by Council + Đ24 vocab | proposed; requires Council + Đ24 |
| 5 | Decision 3 default-internal-only rule confirmed at policy level | proposed; requires Council ratification |
| 6 | Decision 6 Block + Log + Escalate handling ratified | proposed; requires Council + Đ32 |
| 7 | Decision 6 "no auto-rollback" rule formally adopted | proposed; explicit rejection of auto-recall; requires Council adoption |
| 8 | Đ37 escalation queue wired for wrong_audience_result events | proposed (no parallel channel); requires Đ37 confirmation that the queue accepts routing |
| 9 | Đ32 risk class for wrong_audience_result confirmed as HIGH | proposed; requires Đ32 ratification |
| 10 | Đ24 cross-law agreement for visibility/readiness/publication/authority vocab | proposed; requires Đ24 ratification |
| 11 | Access-control runbook published | proposed (envelope in §4.1–§4.4); requires Authority to author + Council ratification |
| 12 | D5 backlog entry for G-5 transitions status = resolved | pending P0-5 schema + quad ratification (Authority + Council + Đ32 + Đ24) |

Net status: 0 of 12 criteria fully met by this document alone. All 12 require external ratification (Đ37 council, Đ32, Đ24, P0-5 schema).


6. Dependencies

dependencies:
  upstream:
    - G-2 (Backlog Custodian) — required for tracking
  parallel:
    - G-1 (Threading roles) — runs in parallel; both fire after G-2 ratify
  downstream:
    - G-3 (Capability-intake reviewer) — audience filter intake authority depends on G-5
    - G-4 (DOT-pair signing) — depends on G-3
  cross_law:
    - Đ24 (visibility/readiness/publication vocab — must engage in parallel)
    - Đ32 (HIGH risk approval required)
    - Đ37 (escalation queue wiring; council ratification)
    - rev5d §14.2 (access-control guardrail authoritative reference)

G-5 is the gating closure for HIGH-risk Decisions 3 and 6. Without G-5 ratification, those Decisions remain recorded but held per User Decision Confirmation §4.3, §4.6.


7. Blockers if G-5 Unresolved

If G-5 does NOT close:

  1. Audience-scoped search degenerates to quality filter — rev5d §14.2 guardrail violated.
  2. wrong_audience_result security events have no owner — potential information leakage at scale.
  3. Customer/partner-facing surfaces (out of v0.1 build scope but with metadata hooks) lack policy authority — hooks accumulate without governance.
  4. v0.1 metadata fields (visibility, readiness, publication_state, authority) accumulate without Đ24 ratification → vocabulary fragmentation.
  5. Decisions 3 + 6 remain HIGH-risk-held → User Decision Confirmation cannot transition those to effective.
  6. D11 implementation planning blocked — retrieval access-control enforcement cannot be designed without Authority owner.
  7. G-3 partially blocked — audience filter policy intake authority requires G-5.
  8. Đ32 HIGH-risk path untested — first real test will be live security event with no rehearsed escalation chain.
  9. Threading visibility (D9 thread access scope per audience) undefined — D9 + D11 cross-cut surface unsafe.
  10. Risk of accidental external exposure during any retrieval implementation experiment — no Authority to gate.

This is the most consequential governance gap for safety; therefore the strictest ratification path.


8. Required Ratification Authority

ratification_authority:
  primary: Đ37 Council + Đ32 Risk (joint)
  authority_role: Access-Control Authority (Đ37 SOP)
  ratifications_required:
    - dieu37_council: Authority role + occupant + policy scope
    - dieu37_escalation_queue: receives wrong_audience_result events (no parallel)
    - dieu32_risk: HIGH-risk class confirmation for wrong_audience_result + audience-policy changes
    - dieu24_vocab: visibility/readiness/publication/authority enum values
  risk_class: HIGH
  dieu32_required: YES (full escalation path for wrong_audience_result + audience policy)
  user_required: 
    formal_requirement: NO (User PASSed Decisions 3+6 default via GPT)
    practical_recommendation: YES (because HIGH-risk; Council should confirm with User before final ratify)
  council_quorum: YES (Đ37 council quorum required)
  joint_signing: Authority + Council + Đ32 + Đ24 all on closure rationale

Special G-5 ratification clause: Because Decisions 3 + 6 are HIGH risk and were proposed by GPT on User's behalf, the ratification record SHOULD explicitly note User acknowledgement at ratification time, even though formal requirement does not mandate it. Council recommended to seek User confirmation before final ratification stamp.


9. Final Status

g5_status: proposed_closed_pending_council_and_risk_ratification
g5_risk_class: HIGH
g5_ratification_authority: Đ37 Council + Đ32 Risk + Đ24 vocab + Access-Control Authority
decisions_ratified_by_g5_closure: [Decision 3, Decision 6]
decision_3_effective_status: held_pending_g5_ratification (HIGH RISK)
decision_6_effective_status: held_pending_g5_ratification (HIGH RISK)
g5_dependencies_preserved:
  upstream_g2: required_before_pg_tracking_via_p0_5
  parallel_g1: independent_can_run_simultaneously
  downstream_g3: partially_blocked_until_g5_closes (audience filter intake)
  downstream_g4: blocked_until_g3_closes
  cross_law_dieu24: must_engage_in_parallel
  cross_law_dieu32: HIGH_risk_escalation_path
acceptance_criteria_satisfied_by_this_document: 0 of 12
acceptance_criteria_pending_dieu37_council: 11 of 12
acceptance_criteria_pending_p0_5_schema: 1 of 12
fail_closed_default_in_authority_absence: confirmed (§3 continuity rule)
implementation_planning_allowed: false
implementation_execution_allowed: false
no_code: true
no_ddl: true
no_migration: true
no_pg_mutation: true
no_design_or_planning_or_prior_closure_file_modified: true
Source path: knowledge/dev/laws/dieu44-trien-khai/closures/dot-iu-cutter-v0.1-g5-access-control-authority-closure-2026-05-15.md