MOWD Phase 1 — DOT Family Design + Rehearsal (Branch C)
Branch C — MOW Design Registry DOT Family (Điều 35)
Catalog: dot_iu_command_catalog (PK command_name text; cols category, mutating, reversible, target_functions[], registered_at). Live categories observed: collection, piece, lifecycle, read, health. New category for this family: design (read DOTs keep read).
Naming convention (matches live dot_iu_*): dot_mow_design_<verb>[_<noun>].
Authority model: the catalog carries no owner/gate column; gate + owner are enforced by the target function and governance_registry (owner = GOV-MOW; council for activation). Mutating DOTs route through the proposal/approval spine (doc 07).
1. Rehearsal result (read-only subset, GREEN this session)
BEGIN → insert 6 read DOTs (dot_mow_design_list/get/health/validate/render_tree/audit, all mutating=false) → catalog 54 → 60 → ROLLBACK → 54, 0 idle-tx. Mutating DOTs were not registered (they require fn implementation + approval — Phase 1 read subset is registerable now under Điều 35; mutating subset deferred to its own approval).
2. The 15 DOTs
Legend: RW read/mutate · Gate required gate · Ph phase · Idem idempotent (Y/N) · Rev reversible (Y/N).
| # | command_name | RW | Gate | Owner | Inputs | Outputs | Idem | Rev | Ph |
|---|---|---|---|---|---|---|---|---|---|
| 1 | dot_mow_design_list | read | none | GOV-MOW | filters{status,owner,frozen} | rows of v_mow_design_workflow | Y | Y | P1 |
| 2 | dot_mow_design_get | read | none | GOV-MOW | workflow_id | wf header + steps (v_mow_design_step) | Y | Y | P1 |
| 3 | dot_mow_design_health | read | none | GOV-SIV | workflow_id? | per-wf health JSON (owner set, version set, freezable, bound-step %, dangling refs) | Y | Y | P1 |
| 4 | dot_mow_design_validate | read | none | GOV-MOW | workflow_id | validation findings (doc 06 checks) | Y | Y | P1 |
| 5 | dot_mow_design_render_tree | read | none | GOV-MOW | workflow_id | DAG tree (steps+relations, condition refs) | Y | Y | P1 |
| 6 | dot_mow_design_audit | read | none | GOV-SIV | workflow_id, range | change history from workflow_change_requests+approval_requests | Y | Y | P1 |
| 7 | dot_mow_design_bind_iu | mutate | structure_ops (design-bind) | GOV-MOW | workflow_id, design_iu_ref(uuid) | sets workflows.design_iu_ref | Y (set) | Y | P1 |
| 8 | dot_mow_design_bind_step_iu | mutate | structure_ops | GOV-MOW | step_id, step_iu_ref/guide_iu_ref | sets step refs | Y | Y | P1 |
| 9 | dot_mow_design_bind_dot | mutate | structure_ops | GOV-MOW | step_id, dot_ref(command_name) | sets workflow_steps.dot_ref | Y | Y | P1 |
| 10 | dot_mow_design_bind_event | mutate | structure_ops | GOV-MOW | step_id, (event_domain,event_type) | sets step event refs | Y | Y | P1 |
| 11 | dot_mow_design_freeze | mutate | structure_ops | GOV-MOW | workflow_id, reason, by | sets freeze_active=true,reason,at,by | Y | Y | P1 |
| 12 | dot_mow_design_unfreeze | mutate | structure_ops | GOV-MOW | workflow_id, by | clears freeze fields | Y | Y | P1 |
| 13 | dot_mow_design_propose_change | mutate | none (queue insert) | GOV-MOW | workflow_id, change_type, dsl_diff | inserts workflow_change_requests (status=draft) | N (new row) | Y | P1 |
| 14 | dot_mow_design_activate | mutate | structure_ops+approval | GOV-COUNCIL | workflow_id, version, apr_id | bumps active_design_version, flips status active | N | Y | P1 |
| 15 | dot_mow_design_rollback | mutate | structure_ops+approval | GOV-COUNCIL | workflow_id, to_version, apr_id | version-pin to prior active_design_version (forward-only) | N | Y | P1 |
All mutating DOTs (#7–15) are Phase 1 design-only: they mutate the design columns / proposal queue, never runtime. None executes a workflow. #14/#15 additionally require a cross-signed approval (apr_id with ≥2 apr_approvals) and are owned by GOV-COUNCIL; the agent is forbidden to self-approve (doc 07).
3. Per-DOT contract detail (mutating set)
Each mutating DOT obeys:
- Audit: writes an approval_requests/workflow_change_requests row or an audit event referencing actor, before/after JSON (current_state/proposed_action), and _dot_origin. Reads of the design columns are logged best-effort only.
- Idempotency: bind/freeze are set-to-value (re-running with same args is a no-op); propose/activate/rollback create new versioned rows (carry an idempotency key in dsl_diff.idem_key to dedupe retries).
- Rollback: binds → re-bind to prior value or NULL (reversible); freeze ↔ unfreeze; activate → rollback DOT (#15), forward-only version-pin (never destructive); propose → mark workflow_change_requests.status='withdrawn'.
- Gate: mutating binds/freeze require the governable structure_ops gate open for the design surface, but note that the live iu_core.structure_ops_enabled gate governs IU structure ops; the design-bind operations gate on a design-scoped capability check (owner=GOV-MOW), not the IU runtime gate. Activation/rollback additionally require approval.
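One way to make the dsl_diff.idem_key dedupe and the withdraw reversal enforceable in the database, shown as an added PostgreSQL example that is not the project's own code. demo_change_requests is a constructed stand-in for workflow_change_requests, dsl_diff is assumed to be jsonb, and every value inserted is sample data.

```sql
-- Constructed stand-in table; only the columns named on this page are modelled.
CREATE TEMP TABLE demo_change_requests (
    id          bigserial PRIMARY KEY,
    workflow_id uuid  NOT NULL,
    change_type text  NOT NULL,
    dsl_diff    jsonb NOT NULL,
    status      text  NOT NULL DEFAULT 'draft',
    -- A missing key evaluates to NULL in the index below, and NULLs never
    -- conflict, so a keyless proposal would bypass dedupe. Reject it here.
    CHECK (coalesce(dsl_diff->>'idem_key', '') <> '')
);

-- At most one proposal per (workflow, idempotency key).
CREATE UNIQUE INDEX demo_change_requests_idem
    ON demo_change_requests (workflow_id, (dsl_diff->>'idem_key'));

-- First attempt creates the draft row.
INSERT INTO demo_change_requests (workflow_id, change_type, dsl_diff)
VALUES ('00000000-0000-0000-0000-000000000001', 'add_step',
        '{"idem_key": "req-0001", "steps": ["review"]}')
ON CONFLICT (workflow_id, (dsl_diff->>'idem_key')) DO NOTHING;

-- A retry with the same key conflicts on the index and inserts nothing,
-- even though the rest of the payload differs.
INSERT INTO demo_change_requests (workflow_id, change_type, dsl_diff)
VALUES ('00000000-0000-0000-0000-000000000001', 'add_step',
        '{"idem_key": "req-0001", "steps": ["review", "sign"]}')
ON CONFLICT (workflow_id, (dsl_diff->>'idem_key')) DO NOTHING;

-- Reversal for propose: mark the row withdrawn instead of deleting it, so
-- the audit trail keeps the row and the key cannot be silently reused.
UPDATE demo_change_requests
   SET status = 'withdrawn'
 WHERE workflow_id = '00000000-0000-0000-0000-000000000001'
   AND dsl_diff->>'idem_key' = 'req-0001'
   AND status = 'draft';

SELECT id, status, dsl_diff FROM demo_change_requests;
```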
4. Catalog registration SQL (read subset — register now after EXTEND commit)
INSERT INTO dot_iu_command_catalog (command_name, category, mutating, reversible, target_functions, registered_at) VALUES
('dot_mow_design_list', 'read', false, true, ARRAY['v_mow_design_workflow'], now()),
('dot_mow_design_get', 'read', false, true, ARRAY['v_mow_design_workflow','v_mow_design_step'], now()),
('dot_mow_design_health', 'read', false, true, ARRAY['fn_mow_design_health'], now()),
('dot_mow_design_validate', 'read', false, true, ARRAY['fn_mow_design_validate'], now()),
('dot_mow_design_render_tree', 'read', false, true, ARRAY['fn_mow_design_render_tree'], now()),
('dot_mow_design_audit', 'read', false, true, ARRAY['fn_mow_design_audit'], now());
Register inside BEGIN…COMMIT only after target views/functions exist (doc 02 views + the 4 read fns). Rehearsed GREEN (54→60→54). Reversal: DELETE FROM dot_iu_command_catalog WHERE command_name LIKE 'dot_mow_design_%';.
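A post-insert guard for the registration transaction, as an added PostgreSQL example (not the project's own code): it sits between the section 4 INSERT and COMMIT and aborts unless exactly six non-mutating read rows exist and every target resolves. It assumes target_functions is text[], that the targets are visible on the session search_path, and that the mutating subset has not been registered yet.

```sql
BEGIN;

-- (the INSERT from section 4 runs here, unchanged)

DO $$
DECLARE
    n_rows    bigint;
    n_offspec bigint;
    missing   text[];
BEGIN
    -- '_' is a single-character wildcard in LIKE, so it is escaped here to
    -- match only the literal dot_mow_design_ prefix.
    SELECT count(*),
           count(*) FILTER (WHERE mutating OR category <> 'read')
      INTO n_rows, n_offspec
      FROM dot_iu_command_catalog
     WHERE command_name LIKE 'dot\_mow\_design\_%';

    -- A target resolves if it names a relation (view) or a function.
    SELECT array_agg(DISTINCT u.target ORDER BY u.target)
      INTO missing
      FROM dot_iu_command_catalog c
     CROSS JOIN LATERAL unnest(c.target_functions) AS u(target)
     WHERE c.command_name LIKE 'dot\_mow\_design\_%'
       AND to_regclass(u.target) IS NULL
       AND NOT EXISTS (SELECT 1 FROM pg_proc p WHERE p.proname = u.target);

    IF n_rows <> 6 THEN
        RAISE EXCEPTION 'expected 6 dot_mow_design_ rows, found %', n_rows;
    ELSIF n_offspec > 0 THEN
        RAISE EXCEPTION '% row(s) are mutating or outside category read', n_offspec;
    ELSIF missing IS NOT NULL THEN
        RAISE EXCEPTION 'unresolved targets: %', missing;
    END IF;
END
$$;

-- If the DO block raised, the transaction is aborted and COMMIT rolls back.
COMMIT;
```

Once the mutating subset is registered, the row-count check and the prefix-wide reversal DELETE both need narrowing, since the same prefix will then also match DOTs #7–15.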
5. Catalog registration (mutating subset — DEFERRED to own approval)
-- DO NOT register until target fns exist AND a mutating-DOT approval is recorded
-- ('dot_mow_design_bind_iu','design',true,true,ARRAY['fn_mow_design_bind_iu'],now()), ... etc (#7-15)
mutating=true, reversible=true for #7–13/15; #14 reversible=true (rollback DOT is its reversal). Category design.
6. DOT family verdict
Fully specified (15/15). Read subset (6) rehearsed GREEN and registerable post-EXTEND. Mutating subset (9) specified with gate/owner/idempotency/rollback; registration deferred behind fn implementation + approval. No DOT executes runtime; activation/rollback are council-owned and approval-gated.