KB-64C3

07 — Human-Org-Role / Permission Law Brief (MOW UI blocker) (2026-05-28)

Revision 1
Tags: human-org-role, permission-law, dieu37, directus-policy, mow, governance-cockpit, staff, department-lead, super-admin, law-brief, 2026-05-28


MOW (Mother of Workflow) UI needs staff / department-lead / super-admin visibility & action rules. Today there is no law that defines human organizational roles. This brief frames the gap, the relationship to existing layers, and the blocking analysis. Brief only — no law enactment, no Directus/Nuxt change.


1. What Điều 37 (Governance) currently covers — live evidence

governance_registry (5 rows, 2026-05-28):

| code | gov_type | domain | created_by_law |
|---|---|---|---|
| GOV-COUNCIL | council | governance | NRM-LAW-37 |
| GOV-DOT | system | monitoring.dot | NRM-LAW-35 |
| GOV-KG-SYS | system | kg | NRM-LAW-39 |
| GOV-NRM-SYS | system | normative | NRM-LAW-38 |
| GOV-SIV | system | monitoring.integrity | NRM-LAW-31 |

Đ37 models governance agencies (gov_type ∈ {council, system}) — system factories and councils. It carries output_target, domain, primary_collection, created_by_law, health_dot, status.

2. What Điều 37 does NOT cover

  • No human organizational roles. There is no gov_type='human'/staff/department_lead/super_admin, no person principals, no department/specialty/company hierarchy. gov_type is council/system only.
  • No gov_type='factory' row — the 4 Mothers are not registered as factories.
  • No edit/approve/delegate/escalate rights matrix for humans.
  • No mapping from a human principal to a Directus policy/role.

Conclusion: Đ37 governs agencies and factories, not people in an organization. The human-org-role layer is a genuine missing law.

3. What the missing law must define

Subjects (human-org roles):

  • staff — operates within an assigned specialty/domain.
  • department_lead — owns a department/domain; approves within it; delegates.
  • super_admin — cross-domain administration (bounded by sovereign/council).
  • Optional axes: specialty, company, domain scoping.

Rights (per role × scope):

  • view (visibility): which IUs / collections / workflow steps a role can see, scoped by domain/specialty/company.
  • edit: create/edit drafts within scope.
  • approve: issue review_decisions within scope (ties to doc 06 — a department_lead may be a valid production reviewer for in-scope items).
  • delegate: hand a right to another principal temporarily.
  • escalate: raise to department_lead → council → sovereign.

Invariants: every right is scoped (no ambient authority); super_admin is bounded by sovereign; all grants are auditable (Đ31); reversibility (Đ30) on delegations.
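
A minimal sketch of the rights-×-scope check and the invariants above, added here as an illustration and not part of the brief or of any enacted law. The role-to-right matrix, the "*" cross-domain scope, and all class, method and principal names are assumptions; the brief names the roles and rights but does not assign them.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
# Assumed matrix: the brief names roles and rights but does not assign them.
ROLE_RIGHTS = {
    "staff": {"view", "edit", "escalate"},
    "department_lead": {"view", "edit", "approve", "delegate", "escalate"},
    "super_admin": {"view", "edit", "delegate", "escalate"},  # no approve: bounded
}

@dataclass(frozen=True)
class Grant:
    principal: str
    right: str
    scope: str                          # a domain; "*" means cross-domain
    expires: datetime | None = None     # set only on delegations
    delegated_by: str | None = None

class RoleRegistry:
    def __init__(self):
        self.grants, self.audit = set(), []

    def assign(self, principal, role, scope):
        if scope == "*" and role != "super_admin":
            raise ValueError("cross-domain scope is reserved for super_admin")
        self.grants |= {Grant(principal, r, scope) for r in ROLE_RIGHTS[role]}
        self.audit.append(("assign", principal, role, scope))

    def check(self, principal, right, scope, now):
        ok = any(g.principal == principal and g.right == right
                 and g.scope in (scope, "*")
                 and (g.expires is None or now < g.expires) for g in self.grants)
        self.audit.append(("check", principal, right, scope, ok))  # denials too
        return ok

    def delegate(self, giver, to, right, scope, now, ttl):
        # The giver must hold both 'delegate' and the right itself, in this scope.
        if not (self.check(giver, "delegate", scope, now)
                and self.check(giver, right, scope, now)):
            raise PermissionError(f"{giver} cannot delegate {right} in {scope}")
        self.grants.add(Grant(to, right, scope, now + ttl, giver))
        self.audit.append(("delegate", giver, to, right, scope))

    def revoke(self, giver, to, right, scope):
        gone = {g for g in self.grants if (g.delegated_by, g.principal, g.right,
                                           g.scope) == (giver, to, right, scope)}
        self.grants -= gone
        self.audit.append(("revoke", giver, to, right, scope, len(gone)))
        return len(gone)
```

Every decision path, including denials, appends to the audit list, and a delegation is both time-limited and revocable by the principal who issued it.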

4. Relationship to existing layers

  • Directus policy/role: the human-org-role law is the law layer; Directus roles/policies are the enforcement layer. The law defines roles+rights; Directus implements view/edit permissions; a mapping table binds law-role → Directus-policy. (The predecessor noted "Đ37 has no human roles → use Directus + Đ32 layer + a FUTURE human-org-role law" — this brief is that flagged law.)
  • Nuxt / Điều 28 templates: every MOW UI surface must be a design_templates row (only 1 exists today). The human-org-role law decides who sees which template-rendered surface.
  • Điều 32 (Approval): approval rights in §3 connect directly to the production review_decision path (doc 06) — a department_lead's in-scope approval can be a lawful production reviewer; cross-domain/high-risk still needs council/sovereign cross-sign.
  • Governance Cockpit: the cockpit reads governance_registry + (future) human-org-role registry to render who-can-do-what. Without the law, the cockpit cannot show human visibility/permission rules.

5. Blocking analysis

| Workstream | Blocked by missing human-org-role law? |
|---|---|
| MOW UI (staff/dept-lead/super-admin visibility) | YES — hard blocker |
| 4 Mothers (MOW specifically) | YES (plus CR build, factory registration) |
| MOIT/MOUT/MOT factories | Partially — they need factory registration + Đ32, but human visibility rules are MOW-centric |
| IU limited-production pilot (doc 01) | NO — pilot operates via canonical functions + test/council review decisions; it does not need human-org roles |
| P-pub staged promotion (doc 05) | NO (council sign-off suffices) |
| KG enrichment (doc 03) | NO |

6. Recommendation

Draft the human-org-role law as a new law (or Đ37 amendment) introducing human role subjects + a rights-×-scope matrix + a law-role → Directus-policy mapping, explicitly orthogonal to the agency/factory model. Sequence it before MOW UI but not before the IU pilot. See doc 08, prompt #7 (HUMAN_ORG_ROLE_PERMISSION_LAW_BRIEF_OR_DRAFT).

7. No-go

  • No enacting this law in this bundle (brief only).
  • No creating human-role rows in governance_registry (wrong table; Đ37 is for agencies/factories).
  • No Directus policy changes.