08 — DOT Governance Alignment (Branch H)

Source: Đ35 DOT Governance Law v5.2 FINAL (knowledge/dev/laws/dieu35-dot-governance-law.md), live dot_tools/dot_operations/dot_iu_command_catalog/law_dot_enforcement/dot_coverage_required.

How grouping DOTs MUST work (Đ35 model applied)

Đ35 core: "DOT là cổng duy nhất thao tác dữ liệu" (Đ0-H). Two tiers + mandatory pairing: Cấp A (audit/monitor) = read-only, auto-approve ✅; Cấp B (execute) = read+write, pending Đ32 approval ❌; every B-tier writer must have an A-tier paired_dot of the same scope (PG trigger trg_dot_enforce_paired). enforcement_role live = executor/auditor.

Grouping DOT	Tier	R/O or mutating?	Approval?	Capability/op	Owner gov	Logs/audit	Rollback	Paired test	Failure path
scan (detect ungrouped/PIVOT_MISSING/stale-label)	A	read-only	auto-approve	op health/audit/verify	GOV-SIV	fn_log_issue() (mandatory, no silent-fail)	n/a	dot-XXX-test smoke	finding → system_issues
propose (suggest grouping/threshold/new dimension)	A→APR	read-only + creates APR	the APR it raises is the gate	op report/classify	GOV-SIV→GOV-COUNCIL	APR row + evidence	n/a	smoke	reject if missing evidence/root-cause/test-plan (§6.3)
apply (write grouping/label/threshold/pivot)	B	mutating	Đ32 approval required (paired_dot NOT NULL)	op classify/update/create	GOV-DOT exec, GOV-COUNCIL/SIV authority	backup .bak-{session} + commit log (Đ41 §5.8)	restore from backup (3-tier verify, bug-reappear=FAIL→rollback)	mandatory regress test before commit	rollback on any tier FAIL
audit (recompute, reconcile invariant)	A	read-only	auto-approve	op audit/health	GOV-SIV	governance_audit_log/system_issues	n/a	smoke	WARNING/CRITICAL → issue

Answers to Branch-H questions

• read-only vs mutating: scan/audit = read-only (A); apply = mutating (B). propose is read-only but creates the approval artifact.
• approval required: only apply (B-tier), via Đ32 (apr_action_types.risk_level: a grouping update_item = low → ≥1 approve; a schema_add new table = medium → ≥1 president; a phantom/threshold law-touch = high → president + ≥2 ai_council).
• capability required: dot_coverage_required(domain × operation × tier) — a grouping apply DOT needs domain classification/pivot × operation classify/update × tier B. The operations already exist (classify is a live dot_operations code).
• owner governance: scan/audit → GOV-SIV; apply authority → GOV-COUNCIL (policy) / GOV-SIV (health); execution body → GOV-DOT.
• logs/audit: every health check H1–H14 MUST fn_log_issue(); CẤM curl … || true (§8.1.14 silent-fail ban). DOT registered in dot_tools (11 NOT-NULL fields; infer-fail = FORBIDDEN to POST partial → fn_log_issue + backfill_metadata APR).
• rollback: Đ35 §6.2 backup→patch→dry-run→commit; §6.4 3-tier (syntax→dry-run→integration); any FAIL → rollback from backup.
• paired test: §6.6 NT12 — every canonical bash DOT needs a dot-XXX-test smoke test.
• DOT registry metadata: dot_tools SSOT; new DOT = 8-step flow gated by APR new_dot.
• failure path / issue-event: system_issues (kind dot_bug w/ file:line, Đ22) + 3-tier verify; fix_repair_dot flow for bugs.

Expected principle (confirmed against law)

scan = automatic/read-only ✅ · propose = automatic ✅ (creates APR) · apply = approval-gated ✅ · audit = scheduled/read-only ✅ · no DOT bypasses central governance ✅ (no SQL by hand, no --admin, no curl bypass).

This matches Đ35 exactly. A grouping DOT built outside this model (e.g. a Nuxt-side or hand-SQL classifier) is the DOT_AUTHORITY_GAP / island risk. None exist today (no grouping DOT authored yet) — so the correct action is to author them under Đ35, paired, approval-gated, never local.

Reuse vs new

• Operations: REUSE (classify/audit/health/verify/report/update all exist).
• Tiers/pairing/approval/rollback/test: REUSE (Đ35 fully specifies them).
• New: only the specific DOT rows (e.g. dot-grouping-scan A, dot-grouping-apply B paired to it, dot-pivot-declare↔dot-pivot-health) — registered via new_dot APR. NEW under central law, not local.

Verdict

DOT governance is the most complete and directly reusable central substrate for grouping execution. Disposition: NEW grouping DOTs authored strictly under Đ35 (A-tier scan/audit auto, B-tier apply approval-gated + paired + regress-tested), owner GOV-DOT/GOV-SIV. Zero justification for any local/bypass classifier.