KB-3018
08 — Capability Gap Matrix (Q8)
Revision 1
Tags: capability-matrix, gap, governance, registries-pivot, fact-finding
For each concern: does a live governance capability exist, who owns it, status, approval path, and the gap if absent. All values are live PG as of 2026-06-01. Owner = recommended where currently unowned (per Option-4); "live owner" column states what is recorded today.
Legend: 🟢 ready · 🟡 needs approval/assignment (mechanism exists) · 🔴 needs law clause / activation.
| Concern | Live owner today | Recommended owner | Governing law (status) | Approval path (exists?) | Gap | State |
|---|---|---|---|---|---|---|
| classification policy | none (agency-orphan) | GOV-COUNCIL | Đ24 primary + Đ29 sec (enacted) | reclassify/rule_change ✅ | GOVERNANCE_OWNER_GAP (assign agency) | 🟡 |
| grouping policy | none (folds into Đ24/29) | GOV-COUNCIL | Đ24/Đ29 (enacted) | rule_change/schema_add ✅ | OWNER_GAP | 🟡 |
| threshold policy (ungrouped ceiling) | none | GOV-COUNCIL | none | schema_add+rule_change (vocab ✅) | LAW_GAP (P2) | 🔴 |
| label dimension policy (facets) | none | GOV-COUNCIL | Đ24 (enacted; taxonomy_facets=10 live) | schema_add (new facet) ✅ | OWNER_GAP + new-dimension ungated | 🟡 |
| registry pin / watch | none (no table, no domain) | GOV-COUNCIL (global) / self-service (scoped) | none (LAW_GAP+DOMAIN_GAP) | schema_add (vocab ✅) | LAW_GAP + DOMAIN_GAP (P-PIN) | 🔴 |
| phantom definition | none | GOV-COUNCIL (define) + GOV-SIV (detect) | LAW_DEFINITION_GAP | council_review (law) | LAW_GAP + ISSUE_EVENT_GAP (P1) | 🔴 |
| pivot coverage | none (Đ26 agency-orphan) | GOV-SIV (health) + GOV-DOT (exec) | Đ26 primary (enacted; 8 DOTs) | new_dot/schema_add ✅ | OWNER_GAP + APPROVAL_PATH_GAP (new pivots ungated) | 🟡 |
| count-integrity | GOV-SIV (via Đ31) | GOV-SIV | Đ31 (enacted; 22 DOTs) | n/a (auto-detect) | issue type count_integrity_failed unregistered | 🟢/🟡 |
| orphan detection | GOV-SIV (live) | GOV-SIV | Đ19/Đ29§V/Đ31 (enacted) | act = birth_orphan/retire ✅ | none (orphan halves live: 606+9) | 🟢 |
| drift detection | GOV-SIV (live) | GOV-SIV | Đ31 | n/a | none (sync_fault/sai_lệch_dữ_liệu live) | 🟢 |
| DOT grouping scan | none authored | GOV-DOT | Đ35 (enacted) | scan=A auto ✅ | DOT not authored + no coverage row | 🟡 |
| DOT grouping propose | none authored | GOV-DOT→Council | Đ35 | propose=A raises APR ✅ | DOT not authored | 🟡 |
| DOT grouping apply | none authored | GOV-DOT | Đ35 | apply=B new_dot+Đ32 ✅ (paired) | DOT not authored + no coverage row | 🟡 |
| DOT grouping audit | none authored | GOV-DOT/SIV | Đ35 | audit=A auto ✅ | DOT not authored | 🟡 |
| Registries-Pivot display/route | unrecorded (route live) | GOV-MOUT | Đ28 (enacted, agency-orphan, 0 DOTs) | route string (RG8) | OWNER_GAP (MOUT draft; Đ28 unowned) | 🔴/🟡 |
| Registries-Pivot API (Nitro direct-pg) | unratified | GOV-MOUT + GOV-DOT | Đ41 (enacted, agency-orphan) | API-exception (none filed) | UNRATIFIED + un-ledgered (doc 07) | 🔴 |
Cross-cutting structural facts (live)
- Relational ownership only. The "governed-object field set" the GPT direction requests (`owner_gov_code`, `capability_code`, `approval_request_ref`, `governed_object_type`, `audit_ref`, `rollback_ref`, `lifecycle_status`, `effective_from`) exists on zero tables. `capability` exists only on the 4 mothers; `domain` FK→dot_domains. ⇒ bind relationally (governance_registry.domain + governance_relations + law_jurisdiction + approval_requests), do not add per-table gov columns.
- Object edges are CHECK-blocked. `governance_relations` CHECK: `source_type, target_type ∈ {law, agency}` only → agency→object/collection/pivot edges are structurally impossible today. Object-level ownership must be recorded via `domain`/`law_jurisdiction`, OR the CHECK must be widened system-wide (prior P3) — not for RP alone.
- dot_domains carries `classification`/`pivot` etc. as FK-able domain values, but no agency claims them (the agency-orphan condition).
- dot_coverage_required (11 rows) covers monitoring.dot / collection / governance.approval / birth.* only — no `classification`/`pivot`/`monitoring.integrity` coverage row yet.
Gap roll-up
| Gap type | Concerns | Severity |
|---|---|---|
| LAW_GAP | threshold, pin, phantom | 🔴 |
| GOVERNANCE_OWNER_GAP (agency-orphan) | classification, grouping, label-facets, pivot-coverage, Đ28 display, Đ41 VPS | 🟡/🔴 |
| APPROVAL_PATH_GAP (ungated today) | new pivots, label-rule changes, new dimensions | 🟡 |
| DOT_AUTHORITY_GAP (unbuilt, model exists) | grouping scan/propose/apply/audit DOTs | 🟡 |
| ISSUE_EVENT_GAP (additive) | pivot_missing, count_integrity_failed, phantom_, classification_required, pin. (doc 09) | 🟡 |
| AUDIT_GAP | governance_audit_log dormant (1 row) | 🟡 |
| UNRATIFIED EXCEPTION | direct-pg API (no approval, no vps_deploy_log) | 🔴 |
Net: every concern maps to REUSE/EXTEND/DEFER under an existing law or an existing approval mechanism. The only items with no central path at all are the three no-law-home policies (threshold/phantom/pin), the two agency-orphaned laws that the recommended model leans on (Đ28 display, Đ41 VPS), and the unratified direct-pg exception.