KB-5660

SuperBundle — 06 Human-Org-Role / Permission Framework (review-ready)

Revision 1 (2026-05-28)

06 — Branch F: Human-Org-Role Permission Framework (G2)

Goal: advance G2. Result: ADVANCED — draft → review-ready law/design pack. No enactment (forbidden).

1. Why this gate exists

governance_registry (5 rows) holds only council/system bodies. There is no human-organizational role law: no staff/dept_lead/super_admin, no view/edit/approve/delegate/escalate verbs, no Directus policy binding. This blocks MOW-UI and the human side of Đ32 approval (doc 05) — but it does not block the IU pilot (which is operator-run via SQL/DOT).

2. Role × verb matrix (review-ready)

Role view edit approve delegate escalate
staff ✓ (own scope)
dept_lead ✓ (dept scope)
super_admin
council (existing) ✓ (cross-sign)
sovereign ✓ (final)

approve is human-only (no automated_agent class may hold approve) — ties to doc 05 cross-sign.

3. Proposed paper-to-live structures (DDL — deferred, needs enactment)

CREATE TABLE public.org_role_registry (
  code varchar PRIMARY KEY,            -- ROLE-001 PREFIX-NNN
  name varchar NOT NULL,
  role_class varchar NOT NULL,         -- staff|dept_lead|super_admin|council|sovereign
  directus_policy_id uuid,             -- map to directus_policies
  status varchar NOT NULL DEFAULT 'draft',
  created_by_law varchar NOT NULL      -- the enacting Đ37 clause
);
CREATE TABLE public.org_role_grant (
  id serial PRIMARY KEY,
  role_code varchar REFERENCES org_role_registry(code),
  verb varchar NOT NULL,               -- view|edit|approve|delegate|escalate
  scope varchar NOT NULL,              -- collection/domain/dept
  mother_scope varchar                 -- MOW|MOT|MOIT|MOUT|null
);

Both are born collections, so they require the same Đ0-G birth contract as doc 01 (meta_catalog + PREFIX-NNN + Đ32).

4. Directus policy map

  • Each org_role_registry.role_class → a directus_policies row (read/create/update permissions per collection).
  • approve verb → write access to cutter_governance.review_decision.verdict (gated; only human classes).
  • staff → read managed collections + edit own-scope drafts.

5. Nuxt / template (Đ28) implications

  • MOW-UI governance cockpit reads org_role_registry to render role-scoped panels.
  • Approve/escalate buttons render only for roles holding the verb (server-checked, not client-trusted).
  • Template binding deferred until law enacted (forbidden: no Nuxt/UI implementation).

6. MOW/MOT/MOIT/MOUT visibility matrix

Mother                      staff          dept_lead      super_admin
MOW (workflows)             view+edit own  +approve       full
MOT (tasks)                 view+edit own  +approve       full
MOIT (input templates)      view           +edit+approve  full
MOUT (UI/output templates)  view           +edit+approve  full
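As an added example for sections 2, 4, 5 and 6 (not code from the law pack or the MOW-UI), a server-side check in JavaScript over constructed org_role_registry / org_role_grant rows: it refuses an approve grant for any non-human role_class and resolves a verb against the grant's Mother and scope. The scope values own/dept/full, the status value 'enacted', the automated_agent registry row and the ROLE-00x codes are all assumptions made here.

```javascript
// Added example (constructed rows; ROLE-00x codes are placeholders), not the law pack's own code.
const HUMAN_CLASSES = new Set(['staff', 'dept_lead', 'super_admin', 'council', 'sovereign']);

const registry = [
  { code: 'ROLE-001', role_class: 'staff',           status: 'enacted' },
  { code: 'ROLE-002', role_class: 'dept_lead',       status: 'enacted' },
  { code: 'ROLE-003', role_class: 'super_admin',     status: 'enacted' },
  { code: 'ROLE-004', role_class: 'council',         status: 'draft' },   // law not yet enacted
  { code: 'ROLE-009', role_class: 'automated_agent', status: 'enacted' }, // constructed non-human class
];

// Reject a grant the law forbids before it reaches org_role_grant:
// approve is human-only, whatever the row's scope or Mother.
function validateGrant(grant) {
  const role = registry.find(r => r.code === grant.role_code);
  if (!role) throw new Error(`unknown role ${grant.role_code}`);
  if (grant.verb === 'approve' && !HUMAN_CLASSES.has(role.role_class)) {
    throw new Error(`approve is human-only; ${role.role_class} may not hold it`);
  }
  return grant;
}

// Scope vocabulary assumed here: own | dept | full (section 6 wording);
// mother_scope null means the grant is not bound to one Mother.
const grants = [
  { role_code: 'ROLE-001', verb: 'view',    scope: 'own',  mother_scope: 'MOW' },
  { role_code: 'ROLE-001', verb: 'edit',    scope: 'own',  mother_scope: 'MOW' },
  { role_code: 'ROLE-002', verb: 'edit',    scope: 'own',  mother_scope: 'MOW' },
  { role_code: 'ROLE-002', verb: 'approve', scope: 'dept', mother_scope: 'MOW' },
  { role_code: 'ROLE-003', verb: 'approve', scope: 'full', mother_scope: null },
  { role_code: 'ROLE-004', verb: 'approve', scope: 'full', mother_scope: null },
].map(validateGrant);

const SCOPE_OK = {
  own:  (actor, target) => target.owner === actor.user_id,
  dept: (actor, target) => target.dept === actor.dept,
  full: () => true,
};

// The decision the UI must defer to (client-side buttons are not trusted).
// A role whose law is still draft grants nothing, so its rows are inert;
// an unknown scope value never grants anything.
function authorize(actor, verb, target) {
  const role = registry.find(r => r.code === actor.role_code);
  if (!role || role.status !== 'enacted') return false;
  return grants.some(g => g.role_code === actor.role_code && g.verb === verb &&
    (g.mother_scope === null || g.mother_scope === target.mother) &&
    (SCOPE_OK[g.scope] ?? (() => false))(actor, target));
}
```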

Advancement: G2 moved from "DRAFT" → "review-ready law pack (matrix + DDL + Directus/Nuxt map + Mother visibility)." Blocked on: council enactment of the Đ37 human-org-role clause. No law enacted here.

knowledge/dev/reports/architecture/gate-clearing-first-factory-dry-assembly-superbundle-2026-05-28/06-human-org-role-framework.md