08 — Reconstruction & Containment Workflows (deterministic, integrity-testable)

Package: one-roof-axis-auth-proposal-operational-hardening-build-ready-design-2026-06-02 Mode: DESIGN ONLY · READ-ONLY · NO COMMIT · NO MUTATION Hardens: prior …-2026-06-01/07-reconstruction-and-containment-axis-workflow.md. Closes GPT review gap (reconstruction/containment operationally clear and integrity-testable).

---

8.0 Both axes are deterministic — workflow is validation, not proposal

AX-RECON and AX-CONTAINMENT are structural axes (doc 04 §4.2): assignment is intrinsic (computed from structure), there is no confidence/zone, and the operating workflow is detect-and-fix (validation). A position either reconstructs correctly or it does not; a parent either exists or dangles. There is no "candidate reconstruction". Graph = truth; tree = projection.

---

8.1 AX-RECON — reconstruction axis

• Anchors (live information_unit): doc_code, section_code, section_type, sort_order. The reconstruction order is intrinsic to these.
• Operation: fn_iu_reconstruct_source(doc_code) returns the ordered IU sequence that rebuilds the original document.
• Non-exemptable invariant (verbatim intent): for a document, reconstruction must return every source position 1..N exactly once — contiguous and unique, sort_order strictly monotonic, gap_before_count = 0. This invariant is never exemptable (a document that cannot be exactly rebuilt is corrupt).
• Fingerprint (integrity test):

  recon_fingerprint(doc_code) :=   md5( string_agg( canonical_address || ':' || content_hash,                    '|' ORDER BY source_position ) )
  

  Recomputable; changes iff body or order changes. Store the expected fingerprint; a mismatch = reconstruction_integrity_fail (critical).
• Owner: GOV-SIV (system integrity, Điều 31).

Note: information_unit.canonical_address is used within a single document's ordered agg (where it is populated for IUs), not as a global key — distinct from birth_registry.canonical_address which is globally NULL (doc 01 §1.5). The global candidate key remains collection:entity_code (doc 05 §5.3).

---

8.2 AX-CONTAINMENT — containment axis

• Primary parent: information_unit.parent_or_container_ref (the canonical single parent).
• Graph (multi-parent truth): iu_relation with relation_type='contains' (live: all 60 rows are contains). An IU may belong to multiple parents (graph).
• Closure (tree projection): iu_tree_path (root_unit_id, parent_id, depth, path_ids[], path_addresses[], sibling_order, path_hash). The tree is a projection of the graph for one chosen parent spine.
• Change logs: iu_tree_change_log, iu_structure_operation, iu_piece_collection, iu_piece_membership.
• Owner: GOV-SIV.

---

8.3 Integrity detectors (feed doc 09; severity computed)

Detector	Meaning	Severity
reconstruction_gap	missing source position (gap_before_count > 0)	critical
reconstruction_duplicate	a position appears twice	high
reconstruction_integrity_fail	fingerprint mismatch	critical (non-exemptable)
containment_dangling_parent	parent_or_container_ref points at a non-existent IU	high
containment_cycle	a containment cycle (recursive-CTE detect)	critical
containment_primary_ambiguous	multiple primary parents claimed	high
iu_object_orphan	an IU/object with no owner / not covered	medium-high

---

8.4 Operational workflows

WF-R — Reconstruction axis: validate original document restoration

• Input: doc_code. Output: ordered reconstruction + integrity verdict. Store: information_unit (anchors) + stored fingerprint. Owner: GOV-SIV. Approval: read/validate = none; a structural fix (re-order, fill gap) = high ⇒ L2/L3. Agents: Quality (run fn_iu_reconstruct_source + fingerprint), Critique, Sync (apply fix under grant). Quality checks: contiguity + uniqueness + monotonic sort_order + fingerprint match. Rollback: change-set reverse; deprecate-not-delete. UI: reconstruction reader (doc 10) shows the rebuilt document + integrity badge. Coverage trigger: a failing fingerprint opens a critical reconstruction_integrity_fail (doc 09).

WF-C — Containment axis: parent/child/multi-parent/tree projection

• Input: an IU or root. Output: containment tree (and the multi-parent graph). Store: iu_relation(contains) + iu.parent_or_container_ref + iu_tree_path. Owner: GOV-SIV. Approval: read = none; cut/split/merge = high ⇒ L2/L3. Agents: Quality (cycle/dangling/ambiguity detect), Sync (structural edit under grant). Quality checks: no cycle, no dangling parent, one primary parent, closure consistent with graph. Rollback: iu_structure_operation reverse + iu_tree_change_log; deprecate-not-delete. UI: containment tree + graph browser (doc 10). Coverage trigger: a cycle/dangling opens a critical/high issue (doc 09).

---

8.5 Integrity-test procedure (how to validate, build-ready)

1. Reconstruction: recompute recon_fingerprint(doc_code) and compare to the stored expected value; independently assert contiguity (min=1, max=N, count(distinct position)=N, gap_before_count=0) and strict monotonic sort_order.
2. Containment cycle: recursive CTE over iu_relation(contains) detecting a node reachable from itself.
3. Dangling parent: parent_or_container_ref not matched in information_unit.
4. Closure consistency: iu_tree_path paths must be derivable from the live iu_relation graph for the chosen primary spine. All four are pure read-only checks runnable by a Quality agent or a coverage DOT (doc 09); none require mutation.

---

8.6 Structural edits route the ladder

Cut / split / merge / re-order are high-risk (they change reconstruction and containment truth). They are L2-approved and L3-granted, carry a rollback plan, and are deprecate-not-delete. Reconstruction integrity, relation integrity, vector consistency, and governance coverage are the non-exemptable integrity classes — no exception row can waive them.

Forbidden-compliance: design-only; no reconstruction/containment row written; no structural edit applied; read-only.