GPT Legal Recheck — Pack 2A DOT Gateway Risk
Date: 2026-05-04
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Trigger: User reminded that each domain has governing law/tooling and direct manual writes may violate law.
Documents checked
- knowledge/dev/laws/law-04-birth-process.md rev 5
- knowledge/dev/laws/dieu35-dot-governance-law.md rev 13 — v5.2 FINAL
- knowledge/dev/laws/dieu36-collection-protocol-law.md rev 4 — v5.0 DRAFT 30%, references v4.0 enacted and defines GP8.1 HC-REG/HC-SCHEMA + 5 DOT
- knowledge/current-state/reform-PG-tools/09-khai-sinh-collection.md rev 1 — DOT-COLLECTION-CREATE 9 steps
- knowledge/dev/laws/law-02-registry.md search result
- knowledge/dev/laws/dieu20-thiet-ke-truoc-trien-khai.md rev 10 — v1.2 FINAL
- knowledge/dev/laws/dieu44-trien-khai/design/11-iu0-pack2-option-a-governance-cleanup-execution-pack.md rev 3
Finding
Previous approval of Pack 2A dispatch was premature.
File 11 rev3 allows raw metadata INSERT into collection_registry after discovery. That may violate:
- Đ4 §2: every new entity must be created via DOT/standard script, not direct code.
- Đ2 Registry: every entity requires ID/registry/minimal metadata and automated management tooling.
- Đ36: collection registration is governed by Collection Protocol; v5.0 DRAFT references v4.0 enacted and defines DOT-COL-REGISTER / collection governance; HC-REG marks public PG tables missing collection_registry as CRITICAL.
- PG Reform Tools §6: new collection birth must go through DOT-COLLECTION-CREATE 9-step flow; problem statement explicitly calls direct psql collection creation an invisible audit gap.
- Đ35: DOT is governed through dot_tools and DOT tooling. Where a DOT/tool exists, use it. ADMIN fallback is limited and audited, not silent raw SQL.
Scope nuance
Pack 2A is not creating the two PG tables; Pack 1 already did. Pack 2A is trying to close the catalog/governance gap. However, catalog registration itself is a governed action. If a domain tool exists, raw INSERT is not allowed.
Blocker
Do not dispatch Claude Code with current prompt as execution/write-capable.
Current prompt is safe for read-only discovery, but unsafe for write because it does not require using domain DOT/tooling for collection registration or trigger governance registration.
Required rebase
Create a revised Pack 2A prompt/design that has two phases:
Phase A — Read-only legal/tool discovery only
Claude Code may inspect:
- Whether DOT-COL-REGISTER, DOT-COLLECTION-CREATE, or relevant collection registration script exists.
- Whether dot_tools, file system /opt/incomex/dot/bin, Directus/PG show a valid tool for collection registration.
- Whether trigger governance has a governing DOT/tool/registry.
- Whether admin fallback tables/procedure exist (admin_fallback_log, APR retroactive flow).
- Current rows in collection_registry, birth_registry, meta_catalog, directus_collections, system_health_checks, and relevant trigger registry tables.
No writes in Phase A.
Phase B — Decision only after discovery report
If appropriate DOT/tool exists: next execution must use the tool, not raw SQL.
If no tool exists: STOP and present options:
- Build/activate the proper DOT/tool first.
- Use ADMIN fallback only if legal conditions are satisfied and explicitly approved, with admin_fallback_log before action and retroactive APR within 24h.
- Defer Pack 2A writes.
Updated directive status
Pack 2A should be re-scoped from “governance cleanup execution” to “Pack 2A Legal/Tooling Preflight Discovery” until the proper domain gateway is confirmed.
No Pack 2B/2C, no CRUD, no vector/outbox, no Directus exposure.