Incomex AI Portal
KB-33A3

dot-iu-cutter v0.1 — Council Ratification Package (5 governance gaps)

24 min read Revision 1
dot-iu-cutterratificationcouncil5-governance-gapsdieu37rev5d

dot-iu-cutter v0.1 — Council Ratification Package

Date: 2026-05-15 Status: READY_FOR_COUNCIL_RATIFICATION Trigger: GPT batch review PASS_WITH_RATIFICATION_PACKAGE_REQUIRED on G-1/G-5/G-3/G-4 (plus prior PASS on G-2) Purpose: Đóng gói nội dung 5 governance closure artifacts thành agenda + decision matrix duy nhất cho Đ37 Council ratify trong một phiên. Scope: RATIFICATION AGENDA ONLY. No code, no DDL, no SQL, no migration, no PG mutation, no Qdrant/vector mutation, no implementation planning.

1. Hard Boundaries

no_code: true
no_ddl: true
no_sql: true
no_migration: true
no_pg_mutation: true
no_qdrant_mutation: true
no_ui_build: true
no_implementation_planning: true
no_gap_resolved_yet: true
no_closure_file_modified: true
no_design_file_modified: true
no_planning_file_modified: true
package_purpose: prepare_dieu37_council_session_only

2. Provenance

This package consolidates content from 7 prior artifacts; it modifies none of them. They remain authoritative for full per-gap detail.

Artifact Path
G-2 closure closures/dot-iu-cutter-v0.1-g2-backlog-custodian-closure-2026-05-15.md
G-1 closure closures/dot-iu-cutter-v0.1-g1-threading-roles-closure-2026-05-15.md
G-5 closure closures/dot-iu-cutter-v0.1-g5-access-control-authority-closure-2026-05-15.md
G-3 closure closures/dot-iu-cutter-v0.1-g3-capability-intake-reviewer-closure-2026-05-15.md
G-4 closure closures/dot-iu-cutter-v0.1-g4-dot-pair-signing-authority-closure-2026-05-15.md
Governance Closure Execution Checklist closures/dot-iu-cutter-v0.1-governance-closure-execution-checklist-2026-05-15.md
GPT batch review (G-1/G-5/G-3/G-4) reviews/dot-iu-cutter-v0.1-governance-closure-batch-g1-g5-g3-g4-gpt-review-2026-05-15.md
User Decision Confirmation closures/dot-iu-cutter-v0.1-user-decision-confirmation-2026-05-15.md

3. Ratification Agenda (Đ37 Council session)

3.1 Session Order (must follow dependency chain)

[1] G-2 Backlog Custodian          (foundational; tracking infrastructure)
        ↓
[2] G-1 Threading Roles          ∥  G-5 Access-Control Authority  ⚠️ HIGH RISK
                                    (parallel votes; both depend on G-2)
        ↓
[3] G-3 Capability-Intake Reviewer  (depends on G-1 + G-2 + G-5)
        ↓
[4] G-4 DOT-Pair Signing Authority  (depends on G-3; LAST in chain)

Order is strict: Council MAY discuss all five in one session, but must vote in this order. A vote on G-1 / G-5 may not be cast before G-2 is ratified; G-3 vote may not be cast before G-1 + G-5 are ratified; G-4 vote may not be cast before G-3 is ratified.

If any earlier vote is ratify_with_notes with material conditions, downstream votes pause until those notes are addressed in the same session (or follow-up).

If any vote is reject, all downstream votes are cancelled and re-scheduled.

3.2 Pre-Session Materials

Council members must have read:

  • All 5 closure files (per Provenance §2).
  • Governance Closure Execution Checklist.
  • User Decision Confirmation.
  • GPT batch review.

The Registry Custodian role (G-2) acts as session secretary if pre-ratified; otherwise the Đ37 council clerk substitutes for this session only.

4. SOP Mapping Rule (applies to every ratification vote)

Per GPT batch review §4 Issue 2 — binding for this Council session:

sop_mapping_rule:
  step_1: attempt mapping the proposed role to an EXISTING Đ37 SOP role
  step_2_if_insufficient: create a SOP SUB-ENTRY under an existing governance-ops or governance class
  forbidden: create a new top-level governance organization
  forbidden: invent a new role outside Đ37 SOP
  forbidden: create a parallel notification system (criterion 38)
  forbidden: silently extend Đ24 vocabulary

Council must record, for each gap, whether mapping was: existing_sop_role_match / new_sop_sub_entry / mapping_failed_request_new_proposal.

5. Decision Matrix

5.1 G-2 Backlog Custodian

Field Value
Proposed role Registry Custodian — dot-iu-cutter v0.1
Proposed owner seat / occupant placeholder TBD-RegistryCustodian-v0.1 (council to name)
Backup seat TBD-RegistryCustodianDeputy-v0.1
Required Council action (1) confirm/seat custodian + deputy; (2) ratify authority scope per G-2 closure §4.1; (3) ratify sweep cadence (proposed 7 days); (4) confirm markdown mirror path knowledge/dev/laws/dieu44-trien-khai/registry/; (5) confirm escalation path per G-2 §4.3
Cross-law ratification required Đ24 vocabulary check (no new terms introduced); Đ33/Đ43 confirms target layer = Lớp KHO; Đ37 SOP mapping per §4
Risk class Standard
Acceptance criteria still pending (8 total) 1, 2, 3, 4 (require Council); 6 (requires P0-5 schema realization). Already-met: 5, 7, 8.
Recommended Council vote ratify (assuming Council can name seats; otherwise ratify_with_notes: vote conditional on seat appointment within Council window)
Dependency none upstream
Special note This is foundational; without G-2 ratify, no other vote tracks to PG SSOT once P0-5 lands

5.2 G-1 Threading Roles

Field Value
Proposed role Threading Domain Owner (per domain) + AI Council Reviewer + Council split/merge authority
Proposed owner seat / occupant placeholder TBD-ThreadingDomainOwner-birth_gate; TBD-ThreadingDomainOwner-segmentation; AI Council seat per Đ37 SOP
Backup seat TBD-ThreadingDomainOwnerDeputy-(per domain); AI reviewer redundant instance
Required Council action (1) appoint Threading Domain Owners for starter domains [birth_gate, segmentation]; (2) confirm AI Council reviewer authority scope; (3) confirm human reviewer escalation routing through existing Đ37 escalation queue; (4) take ownership of split/merge governance; (5) confirm disagreement arbitration channel; (6) confirm anomaly oversight responsibility split (custodian (G-2) + Council); (7) ratify Decision 1 thresholds (Balanced: conf ≥ 0.75, ≥ 2 signals, allowlist [birth_gate, segmentation])
Cross-law ratification required Đ24 (no new threading vocabulary introduced beyond ratified D9); Đ39 (universal_edges authority preserved); Đ44 (semantic_thread Family Registry submission — parallel governance phase, not a G-1 prerequisite)
Risk class Standard
Acceptance criteria still pending (9 total) 1–7 (require Council); 8 (requires P0-5 + chain). Already-met: 9 (no parallel channel).
Recommended Council vote ratify_with_notes (notes: starter domain owners must be named within the same session; allowlist expansion rules must be filed as Decision Backlog policy entries after G-2 ratify)
Dependency G-2 ratified first
Special note Decision 1 effective status moves from recorded_pending_g1_ratification to effective only after this vote

5.3 G-5 Access-Control Authority ⚠️ HIGH RISK

Field Value
Proposed role Access-Control Authority — dot-iu-cutter v0.1
Proposed owner seat / occupant placeholder TBD-AccessControlAuthority-v0.1 (may map to existing security/governance lead)
Backup seat TBD-AccessControlAuthorityDeputy-v0.1
Required Council action (1) confirm/seat Authority + Deputy; (2) ratify Decision 3 audience classes [AI-Agent, Employee, Partner, Customer]; (3) ratify Decision 3 tiered scheme [public, partner, employee, internal, restricted]; (4) ratify Decision 3 default-internal-only rule; (5) ratify Decision 3 published-required-for-Customer-and-Partner readiness gate; (6) ratify Decision 6 Block + Log + Escalate handling; (7) formally adopt Decision 6 "no auto-rollback" rule; (8) confirm Đ37 escalation queue accepts wrong_audience_result routing; (9) ratify Đ32 risk class HIGH for wrong_audience_result; (10) authorize Authority to publish access-control runbook; (11) adopt fail-closed default (block + log + immediate Council notification when Authority AND Deputy unavailable)
Cross-law ratification required Đ24 (visibility/readiness/publication/authority vocab — must engage in parallel); Đ32 (HIGH-risk class confirmation + full escalation path); Đ37 escalation queue wiring
Risk class HIGH
Acceptance criteria still pending (12 total) ALL 12 require external ratification (Đ37 council + Đ32 + Đ24 + P0-5 schema)
Recommended Council vote ratify_with_notes (notes: see §6 HIGH-risk addendum below — explicit User acknowledgement REQUIRED for Decisions 3 + 6 prior to final ratification stamp)
Dependency G-2 ratified first
Special note GPT batch review §4 Issue 1: explicit User acknowledgement REQUIRED for Decisions 3 + 6 even though formal Đ37 governance does not strictly require User confirmation for HIGH-risk security policy ratification. See §6 below.

5.4 G-3 Capability-Intake Reviewer

Field Value
Proposed role TAC Governance Reviewer + KG Governance Reviewer + Council (intake authority)
Proposed owner seat / occupant placeholder TAC Governance Reviewer = (may map to existing Đ38 owner); KG Governance Reviewer = (may map to existing Đ39 owner); Council intake authority = Đ37 council quorum
Backup seat TBD-TACReviewerDeputy; TBD-KGReviewerDeputy
Required Council action (1) confirm TAC Governance Reviewer (mapping or new sub-entry per §4 mapping rule); (2) confirm KG Governance Reviewer similarly; (3) take ownership of policy/threshold/tool_revision intakes; (4) formalize Đ24 cross-law vocabulary intake channel; (5) confirm joint Council + G-5 authority for audience filter policy intakes; (6) ratify Self-Review cadence defaults (30 days / 100 cuts / per TAC-KG release / on-complaint); (7) adopt D4 intake → review → approval flow into Đ37 SOP; (8) confirm Đ32 escalation path for HIGH/Standard+ risk intakes
Cross-law ratification required Đ24 (vocabulary channel); Đ32 (high-risk intake review); Đ38 (TAC capability owner alignment); Đ39 (KG capability owner alignment); Đ44 (schema-impacting intake routing to Family Registry)
Risk class Standard (G-3 role assignment); HIGH for individual high-risk intakes downstream
Acceptance criteria still pending (9 total) 1–7 (require Council); 8 (Đ32 + Đ37 queue confirmation); 9 (P0-5 schema + chain). Already-met: 0 by document.
Recommended Council vote ratify_with_notes (notes: TAC/KG reviewer mapping requires confirmation that existing Đ38/Đ39 owners can absorb the load; Self-Review cadence may be adjusted by Council vote within the session)
Dependency G-1 + G-2 + G-5 ratified first
Special note G-3 acts as the intake review channel for the executor/verifier boundary policy that G-4 needs (cross-link §5.5)

5.5 G-4 DOT-Pair Signing Authority

Field Value
Proposed role DOT Registry Custodian — dot-iu-cutter v0.1
Proposed owner seat / occupant placeholder TBD-DOTRegistryCustodian-v0.1 (may map to existing S178 A+3 paired-DOT custodian role)
Backup seat TBD-DOTRegistryCustodianDeputy-v0.1
Required Council action (1) confirm/seat DOT Registry Custodian (mapping to S178 A+3 custodian preferred); (2) authorize pair registration of dot-iu-cutterdot-iu-cutter-verify; (3) ratify joint signature authority concept (the IDEA — not DDL; DDL is FUTURE P0-3/P0-4 migration phase); (4) final Council co-sign on executor/verifier boundary policy (G-3 prepares intake; Council ratifies); (5) ratify pair rotation/revocation authority (Custodian + Đ32 for mid-cycle); (6) formally adopt both-signatures-required rule (no REPORT PASS without executor + verifier co-sign); (7) ratify tool_revision drift policy (both DOTs must be at same revision for valid co-sign); (8) confirm cross-link to FUTURE P0-3/P0-4 migration design; (9) confirm fail-safe continuity rule (during Custodian outage: existing pair continues operating; no NEW registrations/rotations)
Cross-law ratification required Đ32 (rotation/revocation risk; HIGH for mid-cycle events); Đ37 (escalation queue for dot_pair_drift / signature_failure signals); Đ38 (tool_revision content alignment via G-3)
Risk class Standard (G-4 role assignment); HIGH for actual revocation events
Acceptance criteria still pending (9 total) 1–7 (require Council + Đ32); 9 (P0-5 + chain). Already-met: 8 (cross-link recorded).
Recommended Council vote ratify_with_notes (notes: executor/verifier boundary policy ratification deferred to G-3 D4 intake — Council co-sign on that intake mandatory before G-4 considered fully ratified)
Dependency G-3 ratified first
Special note Per GPT batch review §4 Issue 3: indirect path via G-3 D4 capability intake is ACCEPTED, but Council MUST co-sign the boundary policy intake before G-4 is operational

6. G-5 HIGH-Risk Addendum (mandatory per GPT review §4 Issue 1)

6.1 HIGH Risk Marker

G-5 is the only gap in this package marked HIGH risk. Rationale (from G-5 closure §1, §8):

  • Audience-scope access-control is a security requirement, not retrieval quality (rev5d §14.2).
  • wrong_audience_result is a security/governance event with information-leakage potential.
  • Decisions 3 + 6 affect what each audience class can see — direct exposure surface.

6.2 Explicit User Acknowledgement Required

Per GPT batch review §4 Issue 1, binding for this Council session:

g5_user_acknowledgement_requirement:
  scope: Decisions 3 (audience definitions) AND 6 (wrong_audience_result handling)
  formal_basis: not strictly required by Đ37 governance for HIGH-risk security policy ratification
  operational_basis: safer operating decision given that GPT proposed these defaults on User's behalf
  council_must_record:
    - User has reviewed Decision 3 final ratified content
    - User has reviewed Decision 6 final ratified content
    - User explicit acknowledgement statement (or User explicit delegation to Council)
    - Date of acknowledgement
  if_user_unreachable: Council may proceed with ratify_with_notes; note explicitly that User acknowledgement is OUTSTANDING and tracked in Decision Backlog as a follow-up entry (kind=escalation, next_review_date = within 7 days)
  if_user_objects_to_decision_3_or_6: Council MUST hold G-5 ratification; route back to User Decision Pack for revision

6.3 Fail-Closed Default

Per GPT batch review §4 Issue 4, accepted as binding:

g5_fail_closed_default:
  scenario: Access-Control Authority unavailable AND Deputy unavailable
  default_behavior:
    - block any wrong_audience_result event handling that would deliver content
    - log the event to consumer_contract_log (when P3 schema exists) OR to closure backlog mirror (in v0.1 bootstrap)
    - immediate Council notification via Đ37 escalation queue (no parallel channel)
  must_never:
    - fail open (deliver content when Authority unavailable)
    - silently downgrade to search-quality signal
    - auto-rollback the response (rejection of auto-recall is binding per Decision 6)
  council_action: formally adopt this default as part of G-5 ratification (item 11 in §5.3 Required Council action)

6.4 Đ32 Risk Ratification REQUIRED

dieu32_ratification_for_g5:
  HIGH_risk_class_confirmation: required for wrong_audience_result event class
  HIGH_risk_class_confirmation: required for audience-policy changes affecting external surface
  full_escalation_path: required (Authority → Council → Đ32 council)
  audit_evidence_envelope: must conform to Đ32 risk-event schema (TBD by Đ32 SOP)
  rollback_during_incident: Đ32 may invoke filter rule rollback during active incident

6.5 Đ24 Vocabulary Ratification REQUIRED

dieu24_ratification_for_g5:
  visibility_tier_values: [public, partner, employee, internal, restricted]
  audience_class_values: [AI-Agent, Employee, Partner, Customer]
  readiness_state_values: (subset of existing Đ24 vocab; explicit alignment needed)
  publication_state_values: (subset of existing Đ24 vocab; explicit alignment needed)
  authority_values: [enacted, draft, runtime] (Đ0-G cross-law)
  wrong_audience_result_event_kind: must be added as Đ24-controlled term
  no_silent_invention: criterion 39 binding

7. G-4 Addendum (mandatory per GPT review §4 Issue 3)

g4_executor_verifier_boundary_council_path:
  step_1_prepare: G-3 D4 capability intake record drafted (post-G-3 ratify)
  step_2_review: G-3 TAC/KG reviewers + Council review intake
  step_3_council_co_sign: Council co-signs boundary policy as part of G-4 ratification
  step_4_g4_operational: G-4 considered fully ratified only after Council co-sign on boundary

g4_both_signatures_required_rule:
  rule: no REPORT PASS without executor (dot-iu-cutter) + verifier (dot-iu-cutter-verify) co-signing
  enforcement: at REPORT emission boundary; if either signature missing, REPORT goes NEEDS_HUMAN
  exception: none in v0.1; rotation/revocation events block CUT operations entirely

g4_tool_revision_drift_rule:
  rule: executor.tool_revision MUST equal verifier.tool_revision for valid co-sign
  detection: at CUT pre-check
  response: block CUT execution; emit dot_pair_drift signal to G-2 backlog; route to Custodian
  coordinated_upgrade: both DOTs upgrade together via G-3 + G-4 joint approval
  half_upgrade_revert: if only one side upgraded, revert via G-4 + Đ32 review

8. Cross-Law Ratification Summary (single-glance view)

Gap Đ24 Đ32 Đ37 SOP Đ38 Đ39 Đ44 Đ0-G
G-2 check required
G-1 check required check (universal_edges) parallel (semantic_thread family)
G-5 required required (HIGH) required check (authority field)
G-3 required (intake channel) required (high-risk intakes) required required (TAC alignment) required (KG alignment) required (schema-impacting intake routing)
G-4 required (rotation/revocation) required required (tool_revision content via G-3)

9. Vote Outcome Tracking Template (Council clerk fills during session)

For each gap, Council records:

gap_id: G-X
vote_outcome: ratify | ratify_with_notes | reject
vote_timestamp: YYYY-MM-DDTHH:MM:SS+07:00
vote_quorum_present: <count>
vote_quorum_required: <count per Đ37 SOP>
vote_yes: <count>
vote_no: <count>
vote_abstain: <count>
notes_recorded: <free text if ratify_with_notes>
sop_mapping_outcome: existing_sop_role_match | new_sop_sub_entry | mapping_failed_request_new_proposal
named_occupant: <seat>
named_deputy: <seat>
cross_law_signatures: 
  dieu24: <signer or n/a>
  dieu32: <signer or n/a>
  dieu37_council: <signer>
  ...
decision_backlog_entry_id: (filled after G-2 ratify allows tracking)
user_acknowledgement_for_g5: present | outstanding | objected (G-5 only)

Template recorded in this package for council use; actual votes are appended to the registry mirror at knowledge/dev/laws/dieu44-trien-khai/registry/ once G-2 custodian is seated.

10. Post-Ratification Status Mapping

After Council session completes, status transitions per gap:

Vote outcome Status after vote
ratify resolved (subject to P0-5 schema realization for PG SSOT)
ratify_with_notes resolved_with_open_followups (notes filed as Decision Backlog entries)
reject proposed_closed_pending_council_ratification (stays at current status; reject reasons filed as backlog)

No status transition happens within this package. This package only prepares the agenda; status transitions are recorded by Council clerk at session.

11. What This Package Does NOT Authorize

not_authorized_by_this_package:
  - implementation_planning: false (still gated)
  - migration_design_for_p0_items: false (still gated)
  - schema_change: false
  - code_writing: false
  - ddl_writing: false
  - sql_writing: false
  - pg_mutation: false
  - qdrant_mutation: false
  - tool_revision_deployment: false
  - audience_filter_implementation: false
  - retrieval_layer_implementation: false
gate_to_next_phase:
  requires_all_of:
    - all_5_governance_gaps_ratified
    - dieu44_family_registry_4_families_ratified (parallel governance)
    - dieu24_vocabulary_ratifications (parallel; cross-link with G-5)
    - dieu32_high_risk_approvals_for_decisions_3_and_6 (via G-5)
    - council_co_sign_on_g4_executor_verifier_boundary (via G-3 D4 intake post-G-3 ratify)
    - user_explicit_acknowledgement_for_decisions_3_and_6 (recommended; HIGH-risk addendum §6.2)
  unlocks_next: migration_design_package_for_p0_items_phase
  migration_design_unlocks_next: implementation_planning_phase
  implementation_planning_unlocks_next: implementation_execution_phase

12. Output Status

package_status: READY_FOR_COUNCIL_RATIFICATION
governance_gaps_resolved: false
governance_gaps_in_package: 5 (G-2, G-1, G-5, G-3, G-4)
gaps_at_standard_risk: 4 (G-2, G-1, G-3, G-4)
gaps_at_high_risk: 1 (G-5)
user_acknowledgement_required_for: [Decision 3, Decision 6] (via G-5)
fail_closed_default_adopted_text: present (§6.3)
both_signatures_required_rule_adopted_text: present (§7)
tool_revision_drift_rule_adopted_text: present (§7)
sop_mapping_rule_binding: true (§4)
dependency_order_binding: true (§3.1)
recommended_council_votes:
  g2: ratify (or ratify_with_notes if seat not nameable in session)
  g1: ratify_with_notes (starter domain owners must be named)
  g5: ratify_with_notes (HIGH-risk addendum; User acknowledgement required)
  g3: ratify_with_notes (mapping confirmation needed)
  g4: ratify_with_notes (Council co-sign on boundary via G-3 D4 intake)
implementation_planning_allowed: false
implementation_allowed: false
no_code: true
no_ddl: true
no_sql: true
no_migration: true
no_pg_mutation: true
no_qdrant_mutation: true
no_design_or_planning_or_closure_file_modified: true
package_purpose: prepare_dieu37_council_ratification_session_only

13. Coverage Check (mandatory sections from prompt)

Mandatory section Where addressed
1. Ratification agenda for 5 gaps §3
2. Decision matrix per gap §5 (G-2 in §5.1; G-1 in §5.2; G-5 in §5.3; G-3 in §5.4; G-4 in §5.5)
3. Dependency order G-2 → G-1 ∥ G-5 → G-3 → G-4 §3.1
4. G-5 HIGH risk + User acknowledgement + fail-closed + Đ32 + Đ24 §5.3 + §6 (full addendum)
5. G-4 DOT Registry Custodian + both-signatures + boundary via G-3 + drift rule §5.5 + §7 (full addendum)
6. SOP mapping rule (existing first; sub-entry if insufficient; no new org) §4
7. Output status (READY / not-resolved / no-impl) §12
Back to Knowledge Hub knowledge/dev/laws/dieu44-trien-khai/ratification/dot-iu-cutter-v0.1-council-ratification-package-2026-05-15.md