Authority Decision Matrix Draft — machine summary (2026-06-09)
{ "document": "authority-decision-matrix-draft-after-baseline", "verdict": "AUTHORITY_MATRIX_READY_FOR_GPT_REVIEW", "production_mutation": "NO", "nature": "decision matrix DRAFT for owner/GPT/Codex review; not implementation, not plan-to-build, not cleanup, not reconciliation-mutation", "do_not_collapse_counts": true, "source_baseline": { "md": "knowledge/dev/laws/tool-kiem-thu/reports/dot-registry-directus-text-as-code-baseline-reconciliation-2026-06-09.md", "json": "knowledge/dev/laws/tool-kiem-thu/reports/dot-registry-directus-text-as-code-baseline-reconciliation-2026-06-09.json", "baseline_verdict": "BASELINE_READY_FOR_AUTHORITY_DECISION", "utc_anchor": "2026-06-09T07:11:52Z", "pg_role": "context_pack_readonly", "mode": "READ ONLY" }, "baseline_denominators_carried": { "registry_dot_tools_rows": {"count": 309, "note": "system of record; frozen since 2026-04-02", "conf": "HIGH"}, "cat006_record_count": {"count": 309, "conf": "HIGH"}, "pivot_PIV007_total": {"count": 309, "conf": "HIGH", "fresh": "2026-06-09T07:07Z"}, "pivot_PIV104_groupsum": {"count": 309, "conf": "HIGH"}, "cat006_actual_count": {"count": 163, "conf": "HIGH_value_UNVERIFIED_definition"}, "cat006_baseline_count": {"count": 151, "conf": "HIGH"}, "fs_total_snapshot": {"count": 289, "ts": "2026-06-09T02:10Z", "conf": "HIGH"}, "fs_operational": {"count": 214, "conf": "HIGH"}, "fs_backup": {"count": 75, "conf": "HIGH"}, "reg_intersect_fs_mapped": {"count": 186, "conf": "HIGH"}, "reliability_strata": {"CONFIRMED": 186, "REGISTERED": 100, "HELPER": 19, "MISSING_FILE": 4, "_total": 309}, "registry_no_file": {"count": 41, "conf": "HIGH", "note": "own match-base"}, "file_no_registry": {"pure_0603": 16, "incl_backup_0603": 26, "derived_0609": 28, "conf": "HIGH_for_base"}, "registry_shape": {"file_path": 228, "script_path": 119, "classification_real": 0}, "command_catalog": {"count": 54, "mutating": 39, "reversible": 41}, "command_run": 55, "dot_operations": 20, "runtime_lease": "exists", 
"law_dot_enforcement": {"count": 272, "warn": "different denominator than old 272 dot_tools"}, "directus_flows": {"total": 128, "active": 111, "dot_named": 36}, "directus_dot_control": "PARTIAL_EVIDENCE_ONLY", "local_checkout": {"count": 163, "note": "NOT prod, NOT registry"}, "information_unit": 219, "tac_logical_unit": 102, "tac_iu_bridge_view": 0 }, "blocked_or_unverified": [ {"item": "/opt/incomex/scripts '42' surface", "status": "BLOCKED", "feeds": ["fresh_read"]}, {"item": "direct OS listing /opt/incomex/dot/bin", "status": "BLOCKED", "feeds": ["B", "D", "fresh_read"]}, {"item": "CAT-006 actual_count=163 filter definition", "status": "UNVERIFIED", "feeds": ["A", "B", "fresh_read"]}, {"item": "Đ23 inverse-check unmonitored/unregistered (F5)", "status": "UNVERIFIED_not_run", "feeds": ["G", "fresh_read"]}, {"item": "TAC<->IU corpus authority", "status": "UNRESOLVED", "feeds": ["H"]}, {"item": "Directus 100% DOT-control", "status": "PARTIAL_EVIDENCE_ONLY", "feeds": ["E"]} ], "domains": [ { "id": "A", "name": "DOT registry/catalog/listing authority", "question": "which denominator for registry/catalog/listing?", "candidates": ["309 dot_tools/PIV-007", "214 operational", "186 confirmed/mapped", "163 actual_count/local", "other"], "recommended": "309 dot_tools = catalog of record (system of record); listing always a live query, never the literal 309; 214/186/163 belong to other domains", "confidence": "HIGH (registry=catalog); MEDIUM that 309 is currently accurate (frozen 2026-04-02)", "evidence": ["A1/A8/A9/A13/A14=309 consistent", "A7 freeze", "A6 classification=0"], "risks": ["freeze may overstate live reality", "142/309 no category", "41 registry-no-file"], "prohibited_until_resolved": ["treating 309 as runnable/file-backed count", "baking any constant into a tool"], "codex_review_required": "light", "blocks_ip_dot_spec": false }, { "id": "B", "name": "DOT runtime executable authority", "question": "which surface proves a DOT can actually run?", "candidates": 
["/opt/incomex/dot/bin operational", "dot_tools registry", "command catalog", "local checkout", "other"], "recommended": "/opt/incomex/dot/bin operational (214) = presence authority; proof-of-run = presence + dot_iu_command_run record; registry does NOT prove runnability (classification=0, frozen); local checkout(163) is NOT prod", "confidence": "MEDIUM", "evidence": ["B2=214", "A6 classification unused", "A4/A5 228/119 -> ~190 DB/non-file", "C1=163 not prod", "E1/E2 54/55"], "risks": ["operational != successfully-runs", "B8 direct listing BLOCKED -> rests on PG mirror", "actual_count=163 filter UNVERIFIED"], "prohibited_until_resolved": ["asserting runnability from registry/local alone", "treating 214 as proven-runnable not proven-present"], "codex_review_required": "yes", "blocks_ip_dot_spec": "yes (exec-claim portion) + needs fresh read" }, { "id": "C", "name": "DOT safe-reuse authority for new checker", "question": "which subset is safe for a new checker to call directly?", "candidates": ["all 309", "214 operational", "186 confirmed/mapped", "command catalog 54 only", "manual whitelist"], "recommended": "computed profile = 186 fs-confirmed (v_dot_reconciliation_reliability=DOT_EXECUTABLE_CONFIRMED) INTERSECT command-catalog-governed (dot_iu_command_catalog reversible/lease-bound), evaluated by runtime query; v0.1 reads not invokes; reject all-309, raw-214, and any static whitelist (disguised hardcode)", "confidence": "MEDIUM", "evidence": ["F1 strata", "B5=28 unmapped", "E1/E6 catalog+lease govern execution"], "risks": ["186 rests on 02:10 mirror", "41-vs-4 drift affects 'confirmed'", "any invoke in v0.1 breaks read-only"], "prohibited_until_resolved": ["calling outside sealed profile", "static whitelist constant", "any execution in v0.1"], "codex_review_required": "yes", "blocks_ip_dot_spec": "yes (call/execute portion; reporting skeleton not blocked)" }, { "id": "D", "name": "Registry<->filesystem reconciliation contract", "question": "how to treat 
registry-no-file(41) and file-no-registry(16-28)?", "options": ["block all design", "allow design + block calls to unmatched", "read-only warning only", "require cleanup first"], "recommended": "allow design + block runtime calls to unmatched (fail-closed call boundary) + read-only warning; no cleanup-first (mutation, out of scope); reuse deployed reconciler surfaces; owner must pick canonical reg->FS diff base (41 vs 4)", "confidence": "MEDIUM", "evidence": ["F1/F2/F3/F4", "41-vs-4 drift (different FS base/key)", "reconciler surfaces deployed"], "risks": ["wrong canonical base mislabels confirmed/missing", "date skew (reg 04-02 vs FS 06-09) inflates drift"], "prohibited_until_resolved": ["treating unmatched entries as callable", "any reconciliation mutation/cleanup", "rebuilding a reconciler"], "codex_review_required": "yes", "blocks_ip_dot_spec": "yes (prerequisite for C)" }, { "id": "E", "name": "Directus mutation authority", "question": "can IP DOT or future tools touch Directus directly?", "options": ["no direct mutation until 100% control proven", "only via existing Sync/Utility flows", "only via approved Directus DOT tools", "unresolved"], "recommended": "no direct Directus mutation until 100% DOT-control proven; future writes route only via [DOT-REG] sync / [WATCHDOG] flows; v0.1 read-only does not write Directus", "confidence": "HIGH", "evidence": ["control=PARTIAL_EVIDENCE_ONLY", "128 flows/36 DOT-named/~21 [DOT-REG]/3 [WATCHDOG]", "manual-block not proven"], "risks": ["scope-creep to direct CRUD before control proven"], "prohibited_until_resolved": ["any direct Directus MCP/API CRUD", "assuming estate is 100% DOT-controlled"], "codex_review_required": "no now; yes if mutation ever proposed", "blocks_ip_dot_spec": false }, { "id": "F", "name": "Checker/logger authority", "question": "which logger/checker issue sink is authoritative?", "candidates": ["fn_tac_log_checker_issue->system_issues", "existing DOT issue flow", "file-report-only for v0.1", "new 
logger prohibited"], "recommended": "authoritative sink = deployed fn_tac_log_checker_issue->system_issues (Đ23); new logger PROHIBITED; v0.1 (read-only) uses file-report-only and DEFERS the system_issues write until approved to mutate", "confidence": "HIGH", "evidence": ["fn_tac_log_checker_issue->system_issues deployed (S183)", "Đ23 routes findings to system_issues", "write is a mutation excluded from read-only v0.1"], "risks": ["writing system_issues in v0.1 breaks read-only", "new logger forks authority"], "prohibited_until_resolved": ["new logger/sink", "system_issues write from read-only v0.1"], "codex_review_required": "no", "blocks_ip_dot_spec": false }, { "id": "G", "name": "Graph/duplicate/orphan authority", "question": "which system owns duplicate/orphan/impact detection?", "candidates": ["universal_edges/v_kg_edges_all", "entity_dependencies", "Đ23 inverse-check", "Đ19 orphan scanners", "duplicate engine if exists", "new resolver prohibited unless proven gap"], "recommended": "reuse existing; new resolver PROHIBITED until a gap is proven by running existing engines read-only; DOT orphan=v_dot_reconciliation_reliability+v_dot_registry_no_file; general orphan=Đ19; inverse=Đ23; impact/graph=universal_edges/v_kg_edges_all+entity_dependencies", "confidence": "MEDIUM", "evidence": ["F5 UNVERIFIED (Đ23 inverse-check not run)", "universal_edges(CAT-130)/v_kg_edges_all + Đ8/Đ19/Đ14 deployed (memory)"], "risks": ["new resolver forks authority and repeats the anti-duplication failure this initiative prevents"], "prohibited_until_resolved": ["authoring any new duplicate/orphan/graph resolver before running existing engines and proving a true gap"], "codex_review_required": "yes", "blocks_ip_dot_spec": "partial (new-resolver work only)" }, { "id": "H", "name": "Text-as-Code corpus authority", "question": "how to treat information_unit=219 vs tac_logical_unit=102?", "options": ["IU canonical/TAC legacy", "TAC canonical until bridge", "dual-corpus unresolved (tool 
must not choose)", "require compat/bridge view first", "allow read-only dual reporting"], "recommended": "dual-corpus unresolved + tool must NOT choose + allow read-only dual reporting now + require bridge view (or owner decree) before any tool consumes a canonical corpus", "confidence": "HIGH", "evidence": ["G1 IU=219", "G2 TAC=102 (+102/102/4)", "G4 no DB compat view (pg_views=0)", "dot_iu_command_catalog(54) does not reconcile corpus authority"], "risks": ["picking one by assumption silently de-authorizes the other and bakes wrong SSOT"], "prohibited_until_resolved": ["consuming IU or TAC as THE canonical corpus", "silent merge", "assuming legacy/canonical without owner/bridge"], "codex_review_required": "yes", "blocks_ip_dot_spec": "partial (corpus-consumption only; dual reporting not blocked)" }, { "id": "I", "name": "Evidence/report storage authority", "question": "where should future checker evidence be written?", "options": ["file-report-only under tool-kiem-thu/", "system_issues", "context_pack reports", "Directus registry tables", "unresolved"], "recommended": "v0.1 = file-report-only under knowledge/dev/laws/tool-kiem-thu/; escalate confirmed issues to system_issues via fn_tac_log_checker_issue once approved to mutate; Directus tables = NO; context_pack = read-only consume", "confidence": "HIGH", "evidence": ["consistent with E (no Directus mutation) and F (system_issues eventual sink, deferred)"], "risks": ["premature mutation"], "prohibited_until_resolved": ["writing evidence to system_issues/Directus/any DB table from read-only v0.1"], "codex_review_required": "no", "blocks_ip_dot_spec": false }, { "id": "J", "name": "Runtime mirror authority", "question": "where can future executable DOT code live?", "options": ["/opt/incomex/dot/bin only", "KB design + runtime mirror /opt/incomex/dot/bin", "repo dot/bin then deploy", "unresolved"], "recommended": "KB design (knowledge/dev/...) 
+ runtime mirror /opt/incomex/dot/bin, matching deployed pattern (Đ43 build/verify on VPS cron; dryrun.py template); local checkout(163) is NOT a runtime; binds only post-spec when code is written", "confidence": "MEDIUM-HIGH", "evidence": ["C1 local 163 not prod", "B1/B2 /opt/incomex/dot/bin is runtime", "Đ43 build rev11/verify rev5 cron, dryrun.py deployed (memory)"], "risks": ["future divergence between KB design and runtime mirror if not gated by Đ43 verify"], "prohibited_until_resolved": ["treating local checkout as prod runtime", "deploying runtime code before spec exists"], "codex_review_required": "light", "blocks_ip_dot_spec": false } ], "closure_plan": { "decide_now_safe_defaults": ["A", "E", "F", "I", "J"], "need_codex_review": ["C", "D", "G", "H", "B"], "need_fresh_read": ["CAT-006 actual_count=163 filter", "direct OS listing /opt/incomex/dot/bin", "/opt/incomex/scripts '42'", "run Đ23 inverse-check/Đ19 read-only (F5)"], "defer": ["J runtime-mirror specifics (post-spec)", "B proof-of-run deepening via dot_iu_command_run"], "should_not_block_ip_dot_spec": ["A", "E", "F", "I", "J", "H read-only dual-reporting half"] }, "ip_dot_impact": { "reuse_safely": ["dot_tools", "meta_catalog(CAT-006)", "pivot_definitions/pivot_results(PIV-007/PIV-104)", "wf_fs_dot_bin_snapshot", "_recon_dot_fs_inventory", "v_dot_fs_reconciliation", "v_dot_registry_no_file", "v_dot_reconciliation_reliability", "dot_iu_command_catalog/_run/_runtime_lease", "dot_operations", "iu-cutter dryrun.py", "fn_tac_log_checker_issue->system_issues", "universal_edges/v_kg_edges_all", "entity_dependencies", "Đ19/Đ23 engines", "directus_flows [DOT-REG]/[WATCHDOG]", "law_dot_enforcement"], "must_not_touch": ["registry edit", "Directus mutation", "PG mutation", "system_issues write in v0.1", "new logger", "new duplicate/graph/orphan resolver until gap proven", "choosing canonical TAC/IU corpus", "static DOT-count constant", "executing any DOT in read-only v0.1", "FIX7 resume", "install"], 
"true_gaps_possible_conditional": ["command-runner-with-exit-codes (dryrun.py refuses to run) [conditional on B + fresh read]", "claim<->test binder [confirm vs command-catalog/run-ledger first]", "canonical-DOT-denominator contract [D]", "canonical reg->FS diff base 41-vs-4 [D]", "package_manifest.json+schema / --selftest+module_sha256 / audit_dead_links() [re-check for existing equivalent first]"], "spec_may_begin": "PARTIAL_conditionally_yes", "spec_scope_allowed_now": "read-only reporting skeleton (query named surfaces; report set+timestamp+source+both-direction diff; file-report-only) under defaults A/E/F/I/J", "spec_scope_blocked": ["call/execute (C)", "reconciliation contract (D)", "new duplicate/graph work (G)", "corpus consumption (H)"] }, "questions_for_review": [ "(A/D) Confirm 309 dot_tools = catalog of record (listing=live query, freeze noted); designate canonical 'runnable' (214 vs 186) and 'actual' (163) as a contract, not a collapsed number.", "(D) Canonical reg->FS diff base: v_dot_registry_no_file=41 vs reliability DOT_MISSING_FILE=4 — which is canonical?", "(C) Is computed 186-confirmed INTERSECT command-catalog-governed acceptable as the safe-call set, or stricter (54 only), or execution forbidden in v0.1?", "(H) TAC<->IU corpus: which is canonical, or require a bridge/compat view before any tool consumes a corpus?", "(G) Confirm no new duplicate/orphan/graph resolver until the existing Đ19/Đ23/universal_edges engines, run read-only, prove a gap; authorize those runs.", "(B+fresh read) Authorize read-only fresh read for CAT-006 actual_count filter / direct OS listing of /opt/incomex/dot/bin / scripts '42'; or accept PG mirror as canonical and close as UNVERIFIED-by-design.", "(E) Confirm 'no direct Directus mutation until 100% control proven', or name the approved Directus-DOT tool path.", "(scope) Approve beginning the read-only reporting skeleton spec under A/E/F/I/J while C/D/G/H stay blocked — or hold all spec until every domain is sealed." ] }