KB-93DB rev 2
00 — Overview & State Recovery (READ ME FIRST)
9 min read Revision 2
one-roof-governanceaxisauthorizationproposalhardeningbuild-readydesign-onlyread-only2026-06-02overview
00 — Overview & State Recovery (READ ME FIRST)
Package:
one-roof-axis-auth-proposal-operational-hardening-build-ready-design-2026-06-02Date: 2026-06-02 · Mode: DESIGN ONLY · READ-ONLY · NO COMMIT · NO MUTATION (muc-tieu v1.3 §4H Design-Only Macro Mode) Effort class: operational-design hardening + build-ready technical design. This is the read-me-first document for the package.
0.0 What this package is (and is not)
This is the hardening + build-ready pass requested after the GPT Council review of 2026-06-02 (gpt-review-axis-proposal-authorization-substrate-design-conditional-pass-needs-hardening-2026-06-02.md), which accepted the prior design one-roof-axis-proposal-authorization-operating-substrate-design-2026-06-01/ at direction level but ruled it not yet sufficient for build.
Per muc-tieu v1.3 §4F (Author-Ready Follow-up): this package hardens the prior package into exact, build-ready designs — it does not redesign from scratch. It is not an island: it supersedes the prior package's column sketches (doc 12 H7) and folds back into the Phase-1 implementation-index one-roof-governance-technical-addendum-and-implementation-index-2026-06-01.
It is not a build. No schema, row, approval, event, DOT, or law was created or changed.
0.1 The 7 GPT hardening gaps → where each is closed
| GPT gap (2026-06-02) | Closed in |
|---|---|
| 1. Authorization L0–L4 → exact state machine, records, anti-forgery proof, TTL/revocation, verifier | doc 02 (behaviour) + doc 03 (CREATE-TABLE substrate) |
2. axis_registry/axis_assignment → CREATE-TABLE-level + compatibility |
doc 04 (model) + doc 05 (storage) |
| 3. Topic promotion/birth rules → exact criteria, who promotes, min evidence | doc 07 |
4. Proposal layer → exact reuse decision (unit_edit_draft/approval_requests/iu_merge_set/doc_reviews) |
doc 06 |
| 5. Governance auto-coverage → precise detector inputs, severity/noise, issue types | doc 09 |
| 6. UI projections → exact view contracts | doc 10 |
| 7. Phase-1 build plan → repatch after M-1 redefinition + SB-0 | doc 11 + doc 12 + doc 13 |
0.2 Package map (read order)
| Doc | Title | Role |
|---|---|---|
| 00 | Overview & state recovery | this file |
| 01 | Live substrate gap audit | live evidence (2026-06-02), reuse spine, absent tables, stale-assumption corrections |
| 02 | Approval/authorization state machine | L0–L4, 12 transitions, 12 anti-forgery invariants, verifier algorithm |
| 03 | Authorization build-ready substrate (SB-0) | governance_build_authorization CREATE-TABLE, v_build_auth_valid, action-type rows |
| 04 | Axis operating model (hardened) | common, open-ended, deterministic/uncertain |
| 05 | Axis storage (build-ready) | axis_registry + axis_assignment column DDL, compatibility, key fix |
| 06 | Proposal/review/agent model | exact reuse decision, 6 roles, hybrid PG-native |
| 07 | Topic operational workflows | 3 paths, promotion criteria, merge/split/deprecate |
| 08 | Reconstruction & containment | deterministic, fingerprint, integrity-testable |
| 09 | Governance auto-coverage detectors | inputs, issue types, severity/noise |
| 10 | UI projection contracts | per-surface views, candidate-vs-official, badges |
| 11 | Phase-1 impact & rebuild plan | 5-class classification, build order |
| 12 | Required patches to prior docs | P1–P7 + L1–L4 + H1–H7 |
| 13 | Final build-readiness matrix | what's build-ready, blockers, the one gate |
| 14 | Next prompts | N1–N6 follow-on macros |
| 15 | Self-review & acceptance | PASS 15/15, forbidden-compliance |
| 16 | Sync to PG truth & birth promotion (added) | the promotion runtime transaction |
0.3 State recovery — sources used (live wins over old report)
- Controlling GPT review:
gpt-review-…-needs-hardening-2026-06-02.md(read in full — the 7-gap driver). - Prior package:
one-roof-axis-proposal-authorization-operating-substrate-design-2026-06-01/(all 16 docs digested). - Phase-1 implementation-index:
one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/(M-1, SB-0..SB-13, F-83-1, doc96 baseline, build order, Hard-Gate-0/A). - Laws: Điều 31 (integrity/GOV-SIV), 32 (approval spine/GOV-COUNCIL), 35 (DOT/GOV-DOT), 37 (governance org hub), 38 (scaffold graph), 39 (KG/GOV-KG-SYS), 45 (queue/event, register-before-emit). NĐ-36-01: no distinct decree found in the KB — Điều 36 is the closest; flagged for verification (doc 05 §5.7, doc 12 H4).
- Live PG: read-only
query_pgaudit, dbdirectus, PG16, 2026-06-02 (doc 01).
Live baseline (2026-06-02) and the corrections that matter
| Surface | Live | Note |
|---|---|---|
os_proposal_approvals |
0, human e-sign module (esignature_agreement, FK proposal) |
M-1 surface — L4 only |
birth_registry |
1,069,055, all status='born', canonical_address NULL |
key = collection:entity_code |
apr_action_types |
6 implementation rows (not the governance set) | SB-1 genuinely unbuilt |
entity_labels |
787,723 | live axis-assignment substrate at scale |
taxonomy_facets / taxonomy |
10 / 58 (FAC-08 topic, max=0) |
the de-facto axis registry/nodes |
iu_relation / universal_edges / iu_tree_path |
60 / 2,199 / 199 | relations + closure (reuse) |
axis_registry, governance_build_authorization, SB-2/10/12/13 tables |
ABSENT | true new-build gaps |
governance event domain |
absent (5 domains, 40 types) | SB-11 gap |
(Full audit + stale-assumption corrections: doc 01.)
0.4 Verdicts at a glance
- Authorization: build-ready (state machine + CREATE-TABLE + verifier + anti-forgery proof). Build NO-GO pending one-time L2+L4 ratification (bootstrap).
- Axis / storage: build-ready (
axis_registry+axis_assignmentcolumn-level), compatible withtaxonomy/entity_labels/KG; canonical-key inconsistency fixed. - Proposal/agent: build-ready (exact reuse, no new table); hybrid PG-native.
- Topic: operationally clear with exact promotion criteria; governance bounds (does not "solve") semantic correctness.
- Reconstruction/containment: deterministic + integrity-testable (fingerprint, cycle/gap detectors).
- Coverage: detector inputs + issue types + noise controls specified.
- UI: view contracts specified; UI never SoT.
- Phase-1: repatched — SB-0 added as first substrate; M-1 redefined per-step; SB-12…SB-1 reclassified; T6/T7/backfill/topic-UI deferred.
The one gate (doc 13): everything waits on the L2 council + L4 sovereign ratification of the authorization model (redefine M-1; adopt SB-0). After that, every reversible build step is per-step L3-authorized via SB-0. fn_auto_approve_add hardening (P5) may land first, standalone.
0.5 Cross-links (anti-island) & forbidden-compliance
- Hardens:
…/one-roof-axis-proposal-authorization-operating-substrate-design-2026-06-01/(supersedes its sketches). - Folds into:
…/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/(patches in doc 12). - Driven by:
…/gpt-review-axis-proposal-authorization-substrate-design-conditional-pass-needs-hardening-2026-06-02.md. - Rehearsed & published (2026-06-02):
…/one-roof-auth-axis-bootstrap-ratification-rehearsal-go-nogo-2026-06-02/— N2 + N5 (doc 14) executed live as BEGIN..ROLLBACK: SB-0 (governance_build_authorization+v_build_auth_valid+ verifier) and axis (axis_registry+axis_assignment) are REHEARSED-GREEN (entry==exit, zero residue,idle_in_transaction=0); all 7 fail-closed modes (forged/expired/consumed/revoked/insufficient-quorum/sovereign-no-esign/self-grant) DENY. Build remains NO-GO pending the one gate (§0.4). Final decision there = GO_TO_RATIFICATION_INTAKE. - Forbidden-compliance: design-only; read-only; no COMMIT/schema/approval/event/DOT/law/production mutation; no hardcode; no island; no false claim about semantic correctness or
os_proposal_approvals. Full table: doc 15 §15.2.