KB-B63F

07 — Human-Org-Role / Permission Law Draft (2026-05-28)

Revision 1

Tags: law-draft, human-org-role, permission, directus-policy, governance-cockpit, 4-mothers, dieu37, mow, 2026-05-28

A serious draft law (working title Điều 37-H — Human Organizational Roles & Permissions) filling the live gap: Điều 37 governance_registry has factory/system/agency roles but no human organizational roles. This blocks MOW-UI, the Governance Cockpit, and production review_decision (doc 06). Draft only — enactment is forbidden here.

1. Problem statement

  • Live: governance_registry (5 rows) is all council/system; no staff/department-lead/admin rows. Directus has its own policy/role system but it is not mapped to a governed human-role law.
  • Consequence: no lawful way to say "this human, in this role, may approve/edit/view this surface" → production review_decision and MOW-UI cannot resolve a reviewer principal.

2. Role taxonomy (7 roles)

| Role code | Scope | Typical principal |
|---|---|---|
| staff | own work items in assigned collections | individual contributor |
| department_lead | a department's collections + its staff | team manager |
| specialty_lead | a domain specialty across departments | domain expert lead |
| company_admin | company-wide config, non-sovereign operations | admin |
| domain_admin | a governance domain (e.g. legal, finance) | domain owner |
| super_admin | platform-wide technical authority | platform owner |
| ai_agent | machine principal; never an approver of record | Claude/automation |

3. Verb model (5 verbs) × role matrix

Verbs: view, edit, approve, delegate, escalate.

| Role | view | edit | approve | delegate | escalate |
|---|---|---|---|---|---|
| staff | own+assigned | own draft | | | ✓ (to lead) |
| department_lead | dept | dept | dept (bounded) | to staff | to specialty/domain |
| specialty_lead | specialty | specialty | specialty (bounded) | to dept leads | to domain |
| company_admin | company | config | ✗ governance | ✓ (ops) | to council |
| domain_admin | domain | domain | domain governance ✓ | within domain | to council/sovereign |
| super_admin | all (technical) | technical | ✗ governance | ✓ technical | to council |
| ai_agent | granted-scope read | draft only | ✗ always | | ✓ (raise to human) |

Key invariants: approve is human-only (ai_agent never approves); escalate always available (no dead-ends); delegate is bounded (cannot delegate above own scope); production review_decision approval requires ≥2 distinct human approvers (cross-sign, doc 06).

4. PG-first shape (under the birth contract)

```sql
CREATE TABLE IF NOT EXISTS public.human_org_role (
  id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  principal_id  text NOT NULL,         -- stable human/agent identity
  role_code     text NOT NULL,         -- staff|department_lead|...|ai_agent
  scope_kind    text NOT NULL,         -- collection|department|specialty|domain|company|platform
  scope_ref     text,                  -- the specific scope value
  is_human      boolean NOT NULL,
  status        text NOT NULL DEFAULT 'active',
  created_by_law text NOT NULL DEFAULT 'dieu37h',
  granted_by    text NOT NULL,         -- who granted (audit)
  granted_at    timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE IF NOT EXISTS public.human_org_permission (
  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  role_code   text NOT NULL,
  verb        text NOT NULL,           -- view|edit|approve|delegate|escalate
  resource    text NOT NULL,           -- collection/surface/governance-object
  effect      text NOT NULL DEFAULT 'allow',  -- allow|deny
  condition   jsonb,
  created_by_law text NOT NULL DEFAULT 'dieu37h'
);
```

Both require birth-contract registration (doc 02 §2) + Đ32 approval to be born.
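As an added reference evaluator (not the project's own code) for the verb matrix and invariants of section 3 over rows shaped like the two tables above: it checks the human-only approve rule, the always-available escalate, the bounded delegate, an explicit deny, and the ≥2-distinct-human cross-sign. The narrow-to-wide ordering of scope kinds and all sample rows are assumptions of this example.

```python
from dataclasses import dataclass

VERBS = ("view", "edit", "approve", "delegate", "escalate")
# Scope kinds ranked narrow -> wide for the "delegate is bounded" check (assumed order).
SCOPE_RANK = {k: i for i, k in enumerate(("collection", "department", "specialty", "domain", "company", "platform"))}

@dataclass(frozen=True)
class RoleGrant:  # mirrors one row of public.human_org_role
    principal_id: str
    role_code: str
    scope_kind: str
    is_human: bool
    status: str = "active"
@dataclass(frozen=True)
class Permission:  # mirrors one row of public.human_org_permission
    role_code: str
    verb: str
    resource: str
    effect: str = "allow"  # allow|deny

def decide(grant, perms, verb, resource, target_scope_kind=None):
    """Return (allowed, reason); the law's invariants win over any permission row."""
    if grant.status != "active" or verb not in VERBS:
        return False, "inactive grant or unknown verb"
    if verb == "escalate":
        return True, "escalate is always available (no dead-ends)"
    if verb == "approve" and (not grant.is_human or grant.role_code == "ai_agent"):
        return False, "approve is human-only"
    if (verb == "delegate" and target_scope_kind is not None
            and SCOPE_RANK[target_scope_kind] > SCOPE_RANK[grant.scope_kind]):
        return False, "delegate is bounded: cannot delegate above own scope"
    rows = [p for p in perms if (p.role_code, p.verb, p.resource) == (grant.role_code, verb, resource)]
    if any(p.effect == "deny" for p in rows):
        return False, "explicit deny row"
    if any(p.effect == "allow" for p in rows):
        return True, "allow row in human_org_permission"
    return False, "no matching allow row"

def cross_sign_ok(approvers, perms, resource):
    """Production review_decision: >=2 distinct human principals who each pass approve."""
    signed = {g.principal_id for g in approvers if decide(g, perms, "approve", resource)[0]}
    return len(signed) >= 2

# Constructed sample rows (not from the draft): two department leads and one agent.
LEAD_A = RoleGrant("h-lead-a", "department_lead", "department", True)
LEAD_B = RoleGrant("h-lead-b", "department_lead", "department", True)
AGENT = RoleGrant("agent-1", "ai_agent", "collection", False)
PERMS = [Permission("department_lead", "approve", "review_decision"),
         Permission("department_lead", "delegate", "review_decision"),
         Permission("ai_agent", "approve", "review_decision")]  # mis-granted on purpose
```

The mis-granted ai_agent approve row is rejected by the invariant before any row is consulted, which is the PG-level approve-deny behaviour section 5 calls for.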

5. Directus policy mapping

  • Each human_org_role maps to a Directus policy (not a raw role): view→read permission, edit→create/update on draft state, approve→a custom flow gate (Directus cannot express cross-sign natively → enforce in PG function, doc 06).
  • ai_agent maps to a read-scoped Directus policy + the PG-level approve-deny invariant; never a Directus admin policy.
  • Directus app access is the surface; the authority of record lives in human_org_role + cutter_governance (single source for approvals).

6. Impact map

  • Nuxt templates (Đ28): every surface checks human_org_permission(role, verb, resource) server-side; UI hides unavailable verbs.
  • Governance Cockpit: consumes the role/verb matrix to render approve/delegate/escalate controls and the cross-sign queue.
  • MOW/MOT/MOIT/MOUT: each Mother's output is owned by a governance_role; humans act on it only through their human_org_role grant. MOW (work) is the first consumer (needs staff/lead/admin to operate).
  • Production review_decision (doc 06): p_reviewer_role resolves against human_org_role; agent principals fail the approve check.

7. No conflict with Điều 37

  • Đ37 keeps owning factory/system/agency governance (machine agents, factories). Đ37-H adds the orthogonal human layer. They join via governance_role on objects: an object has a factory owner (Đ37) AND a human-role ACL (Đ37-H). No column is redefined; no factory role becomes a human role.

8. Verdict & next macro

DRAFT DELIVERED (law + tables + matrix + Directus map + impact). Enactment forbidden here. Next macro: IU_HUMAN_ORG_ROLE_LAW_RATIFY_AND_BIRTH_500000X (council/sovereign ratification + governed birth of the two tables).

Source: knowledge/dev/reports/architecture/iu-pilot-cr-kg-recon-authority-live-assembly-superbundle-2026-05-28/07-human-org-role-permission-law-draft.md