00 — One-Roof Governance Clause Review & Hardening — Overview & Control (2026-06-01)
- Mission: ONE_ROOF_GOVERNANCE_CLAUSE_REVIEW_AND_HARDENING
- Date: 2026-06-01
- Class: Strict law/design clause review + hardening. No implementation. No canonical design patch. No law enactment. No version bump.
- Mode: READ-ONLY. KB + live PG (read-only role) only.
- Output channel: KB report docs only (this package, 17 docs 00–16).
- Effort: xhigh.
- Primary review target: knowledge/dev/reports/architecture/one-roof-governance-decision-pack-2026-06-01/ (14 docs 00–13).
0.1 What this package is (and is not)
This is a second-pass, adversarial clause review of the One-Roof Governance Decision Pack, performed before any move to canonical design or technical design, per:
- the mission brief (clause-by-clause, adversarial, no implementation);
- …/gpt-direction-one-roof-governance-clause-hardening-before-technical-design-2026-06-01.md ("the law/design layer must be reviewed sentence by sentence … before technical design");
- …/gpt-decision-governance-one-roof-and-anarchy-detection-for-registries-pivot-2026-06-01.md (the federated-but-central model + anarchy detection requirement).
It is not a rewrite of the decision pack, not a patch to canonical design docs (knowledge/dev/design/registries-pivot-os-agency/), and not an enactment of any clause. It produces hardened wording proposals, acceptance tests, open questions, and a GO/NO-GO recommendation. The decision pack stands; this package proposes how to tighten it.
No-version-bump / content-only regime is inherited verbatim from the decision pack (its doc 00 §0.1): no law/design version increment, no status change, no normative_registry/law_catalog/governance_docs touch, no enactment/approval workflow. Corroborated live: apr_action_types.amend_law and enact_nrm both risk_level='high', handler_ref='unimplemented' (re-verified this session) — the engine itself blocks APR enactment, so every clause here is a draft proposal by construction.
0.2 Hard Gate 0 — pre-work confirmation (PASS)
| # | Gate | Result | Evidence (this session) |
|---|---|---|---|
| 1 | KB read access | ✅ | list_documents paginated the decision pack (14 docs); batch_read/get_document returned full content of docs 00–13 + both GPT direction docs + the prompt-standard law. |
| 2 | This is clause review / hardening only | ✅ | Output is 17 KB review docs; no design/law file touched. |
| 3 | No canonical design patch | ✅ | knowledge/dev/design/registries-pivot-os-agency/ not written; decision pack not modified. |
| 4 | No law enactment | ✅ | No normative_registry/enactment touch; all wording is draft proposal text. |
| 5 | No version bump | ✅ | No version/status field changed anywhere. |
| 6 | No PG/Directus/Qdrant/Nuxt mutation | ✅ | Only query_pg SELECT (read-only role, READ ONLY txn, AST-blocked DDL/writes, 5s timeout, LIMIT 500); no Directus/Qdrant/Nuxt tool used. |
| 7 | No approval creation | ✅ | No approval_requests/apr_approvals/os_proposal_approvals write. |
| 8 | All outputs are standalone KB docs | ✅ | This package under …/one-roof-governance-clause-review-hardening-2026-06-01/; verified empty before writing (clean slate). |
0.3 Live re-verification ledger (this session, directus, 2026-06-01)
The decision pack's facts were independently re-verified live (not taken from memory or from the pack). Results:
| Fact | Live result | Bearing |
|---|---|---|
| governance_relations CHECK on target_type | chk_relations_target_type = target_type ∈ {law, agency} (+ chk_relations_source_type same) | Agency→object edges are CHECK-blocked. Load-bearing for Branch B (contract), Branch I (apply DOT), Branch J (Đ37 §5.4-EXT). |
| governance_registry status counts | 5 active, 4 draft | Confirms 4 mother factories draft (GOV-MOW/MOT/MOIT/MOUT) → render owner not yet active (Branch C, J). |
| Coverage DOTs (%gov%coverage%/governance_orphan%) | 0 | All 7 proposed DOTs are NEW (Branch I). |
| Governance-coverage/anarchy/island event types | 0 | All proposed events NEW (Branch H). |
| os_proposal_approvals | 0 | No sovereign sign-off spine populated → COMMIT_FORBIDDEN downstream (Branch K). |
| apr_action_types amend_law / enact_nrm | both high, handler_ref='unimplemented' | Law enactment is human-only; draft-only regime is enforced by the engine (Branch J). |
| Dormant governance event types (live names) | governance.blocked, governance.unblocked, proposal.created, proposal.approved, proposal.rejected — all active=false | Live names are bare governance.* / proposal.*, NOT mother.governance.* / mother.proposal.* as the pack cites. Naming defect (Branch H, doc 08). |
0.4 Review method (applied per clause family in docs 01–13)
Each branch doc applies the mission §3 method to every reviewed clause:
- Original clause/definition summary (with source path + clause id).
- Risk analysis.
- Ambiguity / loophole / contradiction (adversarial — including internal contradictions between pack docs).
- Scale risk (to 10⁸ objects).
- Misimplementation risk (the trap an implementer would fall into).
- Local-governance-island risk.
- Suggested hardened wording.
- Acceptance test (how to know the clause is satisfied — computable, not asserted).
- Remaining open question, if any.
Findings are ID'd <BRANCH><n> (e.g. A2, F3, I2) and carried into doc 13 (revised clauses) and doc 14 (open questions + GO/NO-GO).
0.5 Headline verdict (full detail in doc 14)
The decision pack is structurally sound, live-anchored, and reuse-first — but it is NOT yet tight enough to enter canonical design. It has 6 genuine internal contradictions, 6 unaddressed gaps (one of them — no non-governed class — a serious over-governance/noise risk), and several memory-dependence and implementation traps that re-introduce the exact failure mode One-Roof exists to kill.
Recommendation: NO-GO for canonical design patching until the Tier-1 blockers (doc 14 §14.4) are resolved; GO after a single, well-scoped hardening revision of the decision pack. The fixes are wording-level and self-contained; none requires a structural redesign. A conditional GO is available for design-patch concept docs that carry the hardened definitions, provided the contradictions are resolved first.
The biggest issues (preview)
| ID | Issue | Type | Doc |
|---|---|---|---|
| A2 / B1 | No non-governed / ephemeral / personal object class defined → personal pins, UI prefs, session state get scanned as "islands" → over-governance noise flood; contradicts mission "avoid over-governing harmless local notes." | Gap | 01, 02 |
| B5 / F-contradiction | "Approved exception" listed as a valid owner path (§2.4/§4.3) but also as a separate invariant term (§4.2) → an exception-object can be miscounted as covered. Internal contradiction. | Contradiction | 02, 06 |
| I2 (live) | DOT-GOV-ASSIGNMENT-APPLY "writes governance_relations owner assignment" — but live CHECK blocks agency→object edges and §5.4-EXT is deferred. The apply DOT cannot assign object owners with the current schema. | Contradiction / trap | 09, 10 |
| F3 | GOVERNANCE_COVERAGE_PASS defined as "covered==true" (§4.6) but draft-owner orphans are "warning, non-blocking" (§4.7) → is warning blocking? Gate is not severity-aware. | Contradiction | 06, 11 |
| C1 | No accountable-owner vs supporting-role taxonomy; "one owner" (Đ37 §4.12) appears to forbid SIV auditing a COUNCIL policy. Branch C is under-served by the pack. | Gap | 03 |
| D1 | No birth-orphan ↔ governance-orphan joint matrix / dedup precedence → two scanners fire on one root cause = duplicate noise. | Gap | 04 |
| G2 | Routes/API have no ground-truth registry → the most island-prone surface (red-team #1) is undetectable; route coverage is unverifiable, not covered. | Gap / trap | 07 |
| E2 / I1 (live) | No grant_exception / assign_owner APR action-type exists → PROPOSE/exception DOTs cannot write a well-formed approval_requests row. | Trap | 05, 09 |
| H1 (live) | Event names mis-cited (mother.governance.* vs live governance.*); new governance.orphan_detected collides into the existing governance.* namespace. | Defect | 08 |
| A4 / K | No emergency-fix / hotfix lane for the production gate → One-Roof makes incident response brittle. | Gap | 01, 11 |
0.6 Package map
| Doc | Branch | Title |
|---|---|---|
| 00 | — | Overview & Control (this) |
| 01 | A | One-Roof Principle hardening |
| 02 | B | Governed Object Contract hardening |
| 03 | C | Accountable owner vs supporting roles |
| 04 | D | Governance-orphan vs birth-orphan |
| 05 | E | Governed exception model |
| 06 | F | Governance Coverage Invariant hardening |
| 07 | G | Scalable detection hardening |
| 08 | H | Issue / event / notification hardening |
| 09 | I | DOT lifecycle hardening |
| 10 | J | Law clause hardening |
| 11 | K | Readiness gate hardening |
| 12 | L | Red-team scenarios (≥20) |
| 13 | M | Revised clause proposals |
| 14 | §14 | Open questions + GO/NO-GO |
| 15 | §18 | Next paste-ready prompts |
| 16 | §17 | Self-review & forbidden compliance |
0.7 Forbidden compliance (pre-declared, audited in doc 16)
No PG / Directus / Qdrant / Nuxt mutation; no route change; no law enactment; no version bump; no status change; no normative_registry/law_catalog update; no approval creation; no self-approval; no table/schema change; no event/job/notification emit; no canonical design doc patch; no hardcode (every literal sourced from the pack, the live ledger §0.3, or a named law clause). All 17 docs are standalone KB review reports.