KB-5C2E

00 — Axis-Proposal & Authorization Operating-Substrate Design — Overview & Control (design-only, READ-ONLY, no COMMIT, 2026-06-02)

Revision 1
Tags: one-roof-governance, axis, topic, authorization, build-authorization, os_proposal_approvals, esign, proposal-layer, design-only, read-only, no-mutation, hard-gate-0, 2026-06-01

  • Package: knowledge/dev/reports/architecture/one-roof-axis-proposal-authorization-operating-substrate-design-2026-06-01/
  • Mission: ONE_ROOF_AXIS_PROPOSAL_AND_AUTHORIZATION_OPERATING_SUBSTRATE_DESIGN
  • Mode: Design-Only Macro Mode (charter prompt-muc-tieu-mo-for-claude-code v1.3 §4H). No build. No COMMIT. No persistent mutation.
  • Run date: 2026-06-02 (live re-verify). Package date label 2026-06-01 per mission spec and to sit beside the implementation-index package of the same date.
  • Channels: KB read/write (Incomex_KB MCP); live PG read-only (query_pg, AST-validated READ ONLY role, 5s timeout, LIMIT 500). No write channel to PG used.
  • Status: PASS (design complete). Live audit verdict, authorization-model verdict, axis-model verdict and Phase-1 impact verdict are in §00.7 and the per-branch docs.


00.0 Why this package exists

Phase-1 build of One-Roof Governance is BLOCKED, and the prior runs (implementation-index docs 104–125) correctly refused to proceed. Two design gaps were surfaced and confirmed by GPT council review (see §00.2):

  1. Authorization gap. The master commit gate M-1 was defined as "≥1 row in os_proposal_approvals". Live audit proves os_proposal_approvals is a human e-signature surface belonging to a sales/deal proposal module — not a technical build-authorization substrate. An agent cannot satisfy it without forging a person's e-signature. So every correct agent stops at M-1, and the system has no legitimate way to authorize a controlled technical build short of the President personally e-signing — which is the wrong instrument for routine, reversible, controlled engineering.

  2. Axis / topic / content-governance gap. Governance was designed around objects already visible in PG, but the operating workflows for Information-Unit axes — topic / semantic, reconstruction, containment, and future axes — are not specified. Topic in particular is uncertain and must support human-requested, AI-proposed, KG-assisted, and review/merge/sync workflows without hardcoding every process in PG or DOTs, and without creating a one-off topic island.

This package designs the missing operating substrate for both, end-to-end, as design only. It does not implement, build, or commit anything.

00.1 Hard Gate 0 — safety attestation (this run)

All ten Hard-Gate-0 confirmations from the mission §2 are satisfied for this run:

| # | Requirement | Status this run |
|---|---|---|
| 1 | KB read/write confirmed | ✅ KB read (batch_read/list/get) used; KB write = this document upload + the rest of the package |
| 2 | Live PG read-only confirmed | query_pg AST-validated READ ONLY role; every audit query was a SELECT |
| 3 | No PG mutation | ✅ Zero INSERT/UPDATE/DELETE/DDL issued. The write transport (ssh contabo → docker exec psql) was not used |
| 4 | No COMMIT | ✅ No transaction opened against PG at all |
| 5 | No schema/table/view/function/trigger creation | ✅ None. All new objects in this package are paper designs |
| 6 | No Directus/Qdrant/Nuxt mutation | ✅ None |
| 7 | No approval / self-approval creation | ✅ No row written to approval_requests/apr_approvals/os_proposal_approvals |
| 8 | No event/DOT registration | ✅ None |
| 9 | No law enactment/version/status change | normative_registry/law_catalog untouched |
| 10 | No production changes | ✅ Read-only audit + KB design docs only |

Classification (charter §3.5/§4): this branch is DESIGN-ONLY / AUTHOR-MODE. There is no live-apply branch; the forbidden list makes COMMIT impossible by construction.

00.2 Controlling sources (read order)

Read and treated as binding context, highest authority first:

  1. knowledge/dev/laws/prompt-muc-tieu-mo-for-claude-code.md — the 100000x charter v1.3 (Design-Only Macro Mode, Điều 45 reference, guardrails).
  2. …/gpt-analysis-phase1-blocked-by-human-esign-m1-next-options-2026-06-01.md — GPT verdict: agent was correct to block; recommended Option B (governance-model patch: a proper internal build-authorization record distinct from human e-sign) + a minimal Option A human-e-sign handoff.
  3. …/gpt-analysis-topic-axis-governance-operational-gap-and-design-direction-2026-06-01.md — GPT verdict: separate deterministic (reconstruction/containment) from uncertain (topic/semantic) axes; topic determination relies on Điều 38 Text-as-Code + Điều 39 KG / semantic relation infra, with governance owning lifecycle/ownership/approval/UI/issue-detection.
  4. …/gpt-analysis-governance-operational-workflow-gaps-iu-axes-topic-and-containment-2026-06-01.md — GPT verdict: need end-to-end IU axis governance workflow, not only substrate tables.
  5. Implementation-index package …/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/ docs 00–125 (esp. 72 build-authorization template, 88 blocker ledger, 89 build handoff, 114 approval-intake schema & gate analysis, 124 final status). This package cross-links to that one; it does not duplicate it.
  6. Concept/law grounding: one-roof-governance-concepts/02-open-axis-iu-and-dieu37-hub-concepts.md; hardening-revision 02-open-axis-model.md + 03-information-unit-governance-coverage.md; dieu38-trien-khai/L3-metadata-governance.md; dieu39-knowledge-graph-law.md; nd-36-01-semantic-relationship-infrastructure.md.

Rule (charter): old reports are evidence, not authority; live verification wins. Where this package contradicts an older doc, the live finding and the contradiction are stated explicitly (see doc 01 and doc 13).

00.3 Scope — what this mission MAY and MAY NOT do

MAY (design-only): survey KB; survey live PG read-only; produce design packs, a common axis operating model, a PG-first storage model, a proposal-layer evaluation, topic / reconstruction / containment / agent / governance-coverage / UI-projection models, a multi-level authorization model (incl. the user's Branch B2 L0–L4 ladder), a Phase-1 impact assessment, a required-patch list, a risk register, and next-prompt packages.

MAY NOT (forbidden, charter §4H + mission §16): DDL/DML; migration; trigger/worker/cron; production mutation; approval/self-approval creation; event emit or DOT/event registration; law enactment/version/status change; Directus/Qdrant/Nuxt mutation; implementation disguised as design; hardcode; local governance island.

00.4 Package map (docs 00–15)

| Doc | Branch | Title |
|---|---|---|
| 00 | | Overview & control (this doc) |
| 01 | A | Live substrate audit |
| 02 | B + B2 | Authorization model — technical vs sovereign (L0–L4 ladder) |
| 03 | C | Axis operating model — common layer |
| 04 | D | Axis storage model — PG-first |
| 05 | E | Axis proposal layer — GitLawb vs PG vs hybrid |
| 06 | F | Topic operational workflow |
| 07 | G | Reconstruction & containment axis workflow |
| 08 | H | Agent workflow & review model |
| 09 | I | Governance coverage & anarchy detection |
| 10 | J | UI projection — tree / graph / human reading |
| 11 | | Sync to PG truth & birth promotion |
| 12 | K | Impact on Phase-1 build |
| 13 | | Design patches required |
| 14 | | Next prompts |
| 15 | | Self-review (acceptance criteria 1–15) |

This is a new, clearly linked package (mission §3 preferred path). It is not an island: doc 01, 12, and 13 cross-reference the implementation-index docs by number, and doc 13 lists the exact patches to fold back into that package at build time.

00.5 Live baseline snapshot (read-only, 2026-06-02)

Captured this run; identical to the doc-96/doc-114 baseline on the governance spine (no drift, no foreign mutation):

| Surface | Live value | Note |
|---|---|---|
| os_proposal_approvals (M-1) | 0 | COMMIT_FORBIDDEN under current M-1 definition. Sales/deal e-sign module (see doc 01) |
| approval_requests / apr_approvals | 211 / 42 | governance proposal spine |
| apr_action_types | 6 | low/medium/high risk tiers; no build-auth action type |
| governance_registry / governance_relations | 9 / 8 | GOV-COUNCIL, GOV-DOT, GOV-KG-SYS, GOV-MO{IT,T,UT,W}(draft), GOV-NRM-SYS, GOV-SIV |
| information_unit | 219 | unit_kind ∈ {law_unit 187, design_doc_section 32}; conformance_status='open' for all 219; lifecycle {enacted 146, draft 58, deprecated 12, retired 3} |
| iu_relation | 60 | all relation_type='contains', status active (only containment axis populated) |
| universal_edges | ~2199 | USES 1486 / BELONGS_TO 431 / CONTAINS 282 (live cross-collection KG) |
| taxonomy / taxonomy_facets | 58 / 10 | FAC-08 "Chủ đề nội dung?" (topic) + FAC-07 "Thuộc tài liệu nào?" exist as facets |
| entity_labels | ~771,481 | live label-assignment substrate at scale |
| iu_three_axis_envelope | 216 | denormalized projection (axis_a doc/order, axis_b tags, axis_c parent/depth) |
| birth_registry | ~1.04M | organic growth; canonical identity spine |
| idle in transaction | 0 | clean |

(Full audit, columns and gap analysis: doc 01.)

00.6 Foundational design decisions (one-paragraph each, detailed in branch docs)

  • Authorization (doc 02). Replace the single human-e-sign gate with a 5-level ladder L0–L4. Reuse the existing approval spine (approval_requests + apr_action_types + apr_approvals + fn_apr_quorum_check) for L0–L2; introduce one new technical substrate — governance_build_authorization — for L3 (controlled technical build/deploy), backed by a recorded council/owner quorum, scoped, single-use, expiring, revocable; reserve os_proposal_approvals-style human e-sign for L4 sovereign acts only. Routine controlled builds no longer require the President's e-signature; sovereignty escalation is by threshold.
  • Axis (docs 03–04). One common axis operating model (Axis Registry → Node → Relation → Assignment → Projection → Quality-Issue → Lifecycle) built by reusing what already exists (taxonomy_facets as the facet/axis registry, taxonomy as semantic nodes, iu_relation/universal_edges as relations, entity_labels/iu_metadata_tag as assignments, iu_tree_path/iu_three_axis_envelope as projections). No fixed axis array; the 3-axis envelope is a projection, not the model. Minimal new substrate only where a confidence/evidence/lifecycle gap exists in the assignment layer.
  • Proposal layer (doc 05). Hybrid, PG-native. PG is truth/runtime; the Git-like model (base-version, diff, review gates, merge, rollback) is already partly present (unit_edit_draft, iu_merge_set/iu_split_set, doc_reviews, approval_requests). Do not stand up an external Git/GitLab/Gitea/GitLawb system now (operational complexity, identity/sign split-brain, sync-to-PG fragility).
  • Topic (doc 06). Topic = FAC-08 facet + taxonomy nodes + entity_labels/iu_metadata_tag assignments + KG semantic discovery — not a new island. Candidate → provisional → active(born/UI) lifecycle; human-requested > AI-proposed > KG-provisional.
  • Coverage (doc 09). An axis/node/relation/assignment becomes governed when it is born + active/UI-visible; candidates are governed only as input quality, never as governance orphans. The GCOS scanner + collection_registry.coverage_status + meta_catalog orphan detection discover unregistered axes/islands.
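
The L3 properties named in the Authorization bullet above (quorum-backed, scoped, single-use, expiring, revocable), written out as a gate check. This is an added example, not code or schema from this package: the field names, reason strings, sample identifiers and the rule that the requester's own approval does not count toward quorum are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical record shape: field names are assumptions for illustration,
# not the schema of governance_build_authorization (that design is in doc 02).
@dataclass
class BuildAuthorization:
    auth_id: str
    scope: frozenset                         # build targets this record covers
    approvers: frozenset                     # distinct council/owner identities recorded
    quorum_required: int
    expires_at: datetime
    revoked: bool = False
    consumed_at: Optional[datetime] = None   # set on first use (single-use)

def check_l3_gate(auth, requester, target, now):
    """Return (allowed, reason). Deny by default; one check per L3 property."""
    if auth is None:
        return False, "no_authorization"
    if auth.revoked:
        return False, "revoked"
    if now >= auth.expires_at:
        return False, "expired"
    if auth.consumed_at is not None:
        return False, "already_consumed"
    if target not in auth.scope:
        return False, "out_of_scope"
    # Assumption: the requester's own approval never counts toward quorum.
    if len(auth.approvers - {requester}) < auth.quorum_required:
        return False, "quorum_not_met"
    return True, "ok"

def consume(auth, requester, target, now):
    """Check and mark used in one step so a second build cannot reuse the record."""
    allowed, reason = check_l3_gate(auth, requester, target, now)
    if allowed:
        auth.consumed_at = now
    return allowed, reason

def demo():
    """Constructed sample record and requests (not live data)."""
    now = datetime(2026, 6, 2, 12, 0, tzinfo=timezone.utc)
    auth = BuildAuthorization("BA-EXAMPLE-1", frozenset({"phase1-substrate-spine"}),
                              frozenset({"council-a", "council-b", "agent-1"}), 2,
                              now + timedelta(hours=4))
    return [consume(auth, "agent-1", "topic-axis-activation", now),
            consume(auth, "agent-1", "phase1-substrate-spine", now),
            consume(auth, "agent-1", "phase1-substrate-spine", now)]
```

Unlike a row-count gate such as "≥1 row in os_proposal_approvals", every denial here is tied to a specific record, requester and target. In PG, the check and the consume step would have to be a single atomic statement so that two concurrent builds cannot both pass.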

00.7 Headline verdicts (full text in branch docs and doc 15)

  • Live audit: PASS — substrate is far richer than "topic lives nowhere"; the real gaps are (a) no build-auth substrate, (b) no axis registry generalizing facets, (c) assignment layer lacks confidence/evidence/lifecycle for semantic axes, (d) iu_three_axis_envelope hardcodes 3 axes as a projection.
  • Authorization model: RECOMMENDED — adopt L0–L4 with governance_build_authorization (L3) + sovereign-e-sign reserved for L4. Unblocks Phase-1 controlled build without forging signatures.
  • Axis model: RECOMMENDED — common reuse-first model; generalize taxonomy_facets into the Axis Registry; SB-3 (IU axis envelope) becomes a projection of it.
  • PG storage: RECOMMENDED — born = approved/active/UI topic & axis nodes; candidate = uncertain; reuse relation/KG/taxonomy/label tables; one minimal axis_assignment for semantic confidence/evidence.
  • Proposal layer: RECOMMENDED — hybrid PG-native; no external Git system now.
  • Topic / reconstruction-containment / agent / coverage / UI: all designed (docs 06–10).
  • Phase-1 impact: substrate spine can build after the authorization model lands (L3), kept empty/inactive; T6/T7 + topic/IU operational activation wait for the axis model in this package. (doc 12)

00.8 Forbidden-compliance statement

No persistent PG mutation; no COMMIT; no schema/table/view/function/trigger creation; no Directus/Qdrant/Nuxt mutation; no approval creation; no event/DOT registration; no event emit; no law change; no production change; no implementation disguised as design; no hardcode introduced; no local governance island (this package cross-links the implementation-index and reuses live substrate). Re-attested in doc 15.
