06 — Production review_decision Governance Path Authority (2026-05-28)
Refines the predecessor pack. The agent must never self-mint a production Điều 32 review_decision. This document specifies the test-vs-production builder boundary and the path to a lawful production builder. Authority pack — defer implementation to human/council/sovereign.
1. Live substrate (2026-05-28)
- review_decision, manifest_envelope, manifest_unit_block live in schema cutter_governance — privilege-walled: invisible to context_pack_readonly via information_schema, visible via pg_class. To introspect/operate, re-connect as workflow_admin.
- FKs confirm the governance shape: review_decision → manifest_envelope (the decision is bound to a manifest), review_decision → manifest_unit_block, and self-FKs prior/superseded (decisions form a supersession chain).
- Live builder: fn_iu_test_review_decision_create(p_actor, p_reason, p_manifest_tag) — a TEST builder.
- Consumers requiring a review_decision_id: fn_iu_enact, fn_iu_retire, fn_iu_supersede, and the split/merge functions (FK-probed).
2. Test builder vs production builder
| Dimension | Test builder (fn_iu_test_review_decision_create) | Production builder (to design) |
|---|---|---|
| Builder identity | automated_agent | human / council / sovereign |
| cross_signed | false | true (≥2 distinct authorities) |
| Scope tag | test_scope | production / load-bearing |
| Manifest binding | a test/synthetic manifest_tag | a real manifest_envelope bound to actual manifest_unit_blocks |
| Verdict authority | none (test only) | Điều 32 authority |
| May gate enact of load-bearing IUs? | NO | YES |
Hard rule: a test_scope decision must never be promoted to production governance, and must never be the review_decision for a load-bearing enact/retire/supersede in production. The pilot (doc 01) uses test decisions on non-load-bearing/test-tagged IUs only.
3. Human / council / sovereign reviewer requirement
A production review_decision requires:
- A named human reviewer (or council/sovereign principal) — not automated_agent.
- The reviewer's authority recorded and verifiable (links to GOV-COUNCIL or sovereign).
- For high-risk verdicts (retire/supersede of enacted, or 4-Mothers births): cross-sign by a second distinct authority.
4. Real manifest binding
- The production builder must bind to a real manifest_envelope (not a synthetic tag): the envelope enumerates the actual manifest_unit_blocks being decided on.
- The FK review_decision_manifest_fk enforces the envelope link; review_decision_unit_block_fk enforces the block link. The production builder must populate both with real rows.
5. Verdict vocabulary
Use a constrained verdict vocab (e.g. approve, reject, approve_with_conditions, defer) via a vocab table / CHECK — not free text. The test builder may emit only approve-equivalent in test_scope; production may emit the full vocab and must record conditions/reasons.
6. No self-mint by the agent
- The agent may call only the test builder, and only for test-scoped, non-load-bearing IUs.
- The agent must never create a cutter_governance.review_decision row that claims human/council/sovereign authority, nor set cross_signed=true, nor bind a real manifest as if reviewed.
- Attempting to do so is a stop condition (doc 01 §15).
7. Lifecycle
draft → submitted → decided (approve/reject/conditions) → (optionally) superseded. Supersession uses the self-FK chain (prior/superseded) — decisions are never hard-deleted (Đ30/Đ31). A superseded decision remains in the chain for audit.
8. Rollback / retire
- A wrong decision is superseded, not deleted, creating a new decision that points prior at the old one.
- Operations gated by a later-superseded decision are themselves reviewed (retire/supersede the affected IUs lawfully).
9. Cutter_governance access note
The read-only role cannot see cutter_governance via information_schema. To design/build the production builder, re-introspect the schema as workflow_admin (privilege-walled by design — this is correct, not a bug). Treat the schema's privilege wall as part of the Đ32 governance boundary.
10. Exact macro prompt for future governance implementation
See doc 08, prompt #6 (IU_PRODUCTION_REVIEW_DECISION_GOVERNANCE_PATH). Acceptance: production builder requires named human/council/sovereign principal + real manifest binding + cross-sign for high-risk; agent path remains test-only; no allow_no_review_decision flip ever.
11. No-go
- No agent self-mint of production decisions.
- No cross_signed=true without ≥2 distinct authorities.
- No synthetic manifest standing in for a real one in production.
- No iu_enact.allow_no_review_decision=true (NEVER-FLIP).
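The rules in sections 2, 3, 5, 6 and 11 expressed as a pre-flight check over a proposed decision. This is an added example, not part of the original pack or of the cutter_governance schema. The dict field names are assumptions, since the pack does not list the review_decision columns, and "approve-equivalent" is simplified to the single verdict approve.

```python
# Added illustration: every field name here is hypothetical, not a real column.
VERDICTS = {"approve", "reject", "approve_with_conditions", "defer"}
PRODUCTION_BUILDERS = {"human", "council", "sovereign"}
# Constructed sample: an agent-built row that claims a cross-sign in production scope.
SAMPLE_FORGED = {"builder_identity": "automated_agent", "scope_tag": "production",
                 "cross_signed": True, "authorities": ["ops-a", "OPS-A"], "verdict": "approve"}


def violations(decision, load_bearing, high_risk=False):
    """Return the rules from this pack that a proposed review_decision breaks."""
    found = []
    builder = decision.get("builder_identity")
    scope = decision.get("scope_tag")
    verdict = decision.get("verdict")
    cross_signed = bool(decision.get("cross_signed"))
    # Distinct authorities only: the same signer listed twice counts once.
    signers = {s.strip().lower() for s in decision.get("authorities", []) if s.strip()}

    if verdict not in VERDICTS:
        found.append("verdict outside constrained vocabulary")
    if cross_signed and len(signers) < 2:
        found.append("cross_signed=true without >=2 distinct authorities")

    if builder == "automated_agent":
        # Agent path: test builder only, never a production or cross-signed row.
        if scope != "test_scope":
            found.append("agent self-mint outside test_scope")
        if cross_signed:
            found.append("agent set cross_signed=true")
        if verdict in VERDICTS and verdict != "approve":
            found.append("test builder may emit only approve")
    elif builder in PRODUCTION_BUILDERS:
        if not decision.get("reviewer_name"):
            found.append("production decision lacks a named reviewer")
        if decision.get("manifest_envelope_id") is None:
            found.append("no real manifest_envelope bound")
        # high_risk: retire/supersede of enacted IUs, or 4-Mothers births.
        if high_risk and not cross_signed:
            found.append("high-risk verdict lacks cross-sign")
        if verdict == "approve_with_conditions" and not decision.get("conditions"):
            found.append("conditions not recorded")
    else:
        found.append("unknown builder identity")

    if scope == "test_scope" and load_bearing:
        found.append("test_scope decision gating a load-bearing IU")
    return found
```

Any non-empty result corresponds to a stop condition or no-go item above; an empty list means only that these listed checks passed.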