KB-6F4F

MOWD Phase 1 — Governance / Proposal Flow (Branch G)

Revision 1
mowd phase1 governance proposal approval dieu-32 2026-05-29

Branch G — Phase 1 Governance / Proposal Flow

Reuses the live approval spine: no new law, no new tables. Per-workflow design proposals go through workflow_change_requests (change_type, dsl_diff jsonb, schema_warnings, approved_by, status); schema/registry-level changes go through approval_requests (211) / apr_approvals (42; cross-sign ≥2).


1. Flow (proposal → activation)

author (user OR agent)
   │  dot_mow_design_propose_change
   ▼
[proposal_queue] = workflow_change_requests (status=draft) | approval_requests (status=draft, for schema-level)
   │  dot_test_gate  ──►  dot_mow_design_validate must be GREEN  +  Điều-35 paired DOT test passed
   ▼
[review]  human/council reads dsl_diff + validation + schema_warnings
   │  apr_approvals: ≥2 distinct human approvers (approver_type='human', decision='approve')
   ▼
[activation_gate]  dot_mow_design_activate (GOV-COUNCIL only) — bumps active_design_version, sets status
   │  audit (approval_requests.applied_at, _dot_origin, before/after JSON)
   ▼
[active]  ── rollback path: dot_mow_design_rollback (forward-only version-pin, council)

2. Stage detail

  • Propose: dot_mow_design_propose_change inserts workflow_change_requests (change_type ∈ existing vocab incl. add_step/add_block, extended with design binds) with dsl_diff (before/after) + schema_warnings. Agent may propose; row lands status='draft', never auto-applied. Schema-level changes (e.g. new DOT, new design table) go to approval_requests (request_type ∈ schema_add/new_dot/reclassify).
  • dot_test_gate: before review, dot_mow_design_validate must be GREEN for the target workflow, and any new/changed mutating dot_ref must have a passing paired test (Điều 35). Failing tests block promotion out of draft.
  • activation_gate: dot_mow_design_activate checks: validation GREEN + apr_approvals ≥2 human approves bound to the request + caller is GOV-COUNCIL. Only then bumps active_design_version and flips workflow status.
  • audit: every transition writes actor, timestamp, before/after (current_state/proposed_action), _dot_origin; dot_mow_design_audit reads it back for UI Surface 2/4.
  • rollback: dot_mow_design_rollback re-pins to a prior active_design_version (forward-only, Điều 30) — never destructive; requires approval + council.

3. Running-instance policy (Phase 1)

Phase 1 has no runtime (doc 08) → there are no running workflow instances. Design activation therefore affects only future runtime (Phase 2+). Policy stated now so Phase 2 inherits it: activating a new design version does not retroactively alter in-flight instances; in-flight instances complete on their pinned version; new instances use active_design_version. Freeze blocks new instance creation against that design.

4. Freeze / unfreeze

  • dot_mow_design_freeze(workflow_id, reason, by) → sets freeze_active=true, freeze_reason, freeze_at, freeze_by. Frozen designs reject activate/bind mutations (and, in Phase 2, new instance creation).
  • dot_mow_design_unfreeze(workflow_id, by) → clears freeze fields. Both are MOW-owner actions, audited. Freeze is the emergency stop for a design found unsafe post-activation, pending a rollback.

5. Approval-request mapping

| Change | Channel | request_type / change_type | Approver |
|---|---|---|---|
| Per-workflow design edit / step bind | workflow_change_requests | add_step, add_block, bind_* | MOW owner (binds), council (activation) |
| Schema EXTEND (doc 02) | approval_requests | schema_add | Council ≥2 |
| New DOT registration | approval_requests | new_dot | GOV-DOT + council |
| Design activation/rollback | approval_requests + apr_approvals | reclassify/custom | GOV-COUNCIL ≥2 |

6. Who can approve

  • MOW owner role: binds, freeze/unfreeze, propose.
  • GOV-COUNCIL (human, ≥2 cross-sign): activate, rollback, schema EXTEND, new mutating DOT.
  • GOV-DOT: DOT registration review.
  • GOV-SIV: integrity/health sign-off (advisory).

7. What the Agent is forbidden to self-approve

The agent may propose (insert draft rows) and run read DOTs. The agent is forbidden to: insert/approve apr_approvals; call dot_mow_design_activate or dot_mow_design_rollback with itself as approver; flip any approval_requests.status to approved/applied; register a mutating DOT without recorded approval. This is enforced by the automated-agent CHECK (prior G3 work: automated_agent ⇒ NOT approve/reject) plus owner = GOV-COUNCIL on activation DOTs. No law enactment in Phase 1.
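The activation_gate checks from section 2 and the automated-agent CHECK described above can be exercised together in a small model. This is an added example, not the project's DOT code: it uses an in-memory SQLite database as a stand-in, the names request_id, approver_id, validation, new_db, can_activate and caller_role are hypothetical, and freeze_active is flattened onto the request row for brevity.

```python
import sqlite3

# Simplified stand-in schema (assumption): only the columns the gate reads.
# request_id, approver_id and validation are hypothetical column names.
SCHEMA = """
CREATE TABLE approval_requests (
    request_id    INTEGER PRIMARY KEY,
    validation    TEXT NOT NULL DEFAULT 'RED',
    freeze_active INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE apr_approvals (
    request_id    INTEGER NOT NULL REFERENCES approval_requests(request_id),
    approver_id   TEXT NOT NULL,
    approver_type TEXT NOT NULL,
    decision      TEXT NOT NULL,
    -- automated_agent => NOT approve/reject
    CHECK (approver_type <> 'automated_agent'
           OR decision NOT IN ('approve', 'reject'))
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def can_activate(db, request_id, caller_role):
    """Return (allowed, reason) for the activation gate on one request."""
    row = db.execute(
        "SELECT validation, freeze_active FROM approval_requests "
        "WHERE request_id = ?", (request_id,)).fetchone()
    if row is None:
        return False, "unknown request"
    validation, frozen = row
    if caller_role != "GOV-COUNCIL":
        return False, "caller is not GOV-COUNCIL"
    if frozen:
        return False, "design is frozen"
    if validation != "GREEN":
        return False, "validation not GREEN"
    # DISTINCT: one human approving twice must not satisfy the cross-sign.
    (signers,) = db.execute(
        "SELECT COUNT(DISTINCT approver_id) FROM apr_approvals WHERE "
        "request_id = ? AND approver_type = 'human' AND decision = 'approve'",
        (request_id,)).fetchone()
    if signers < 2:
        return False, f"only {signers} distinct human approval(s)"
    return True, "ok"
```

Counting distinct approver identities rather than approval rows is what makes the ≥2 cross-sign meaningful, and the CHECK rejects an agent approval at insert time, before any gate logic runs.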

8. Governance flow verdict

Defined, fully on existing spine (workflow_change_requests + approval_requests/apr_approvals), with proposal→test→review→activation→audit→rollback, freeze/unfreeze, approver matrix, and the explicit agent self-approval prohibition. No new law.

knowledge/dev/reports/architecture/mow-design-registry-phase1-ratify-commit-dot-ui-migration-acceptance-megacampaign-2026-05-29/07-governance-proposal-flow.md