KB-54DF

13 — Revised Clause Proposals (Branch M) (2026-06-01)

Revision 1

Consolidated hardened wording for every reviewed target. DRAFT TEXT ONLY — no enactment, no version bump, no normative_registry/law_catalog touch, no status change. These are proposals to fold into a future hardening revision of the decision pack (then, separately, into law via the human ratification phase). Each entry: original draft ref → revised wording → reason → acceptance test → open question. Finding IDs (A2, I2…) reference docs 01–12.


M-DEF — Report-level definitions to ADD to the decision pack (not laws)

These belong in the pack (docs 02/03/04), feeding the law clauses below.

M-DEF-1 — Non-governed (Class 0) artifact [A2/B1]

A non-governed artifact cannot alter shared system truth or authority: it is single-user/session/agent-private, read-only against shared truth, carries no approval/execution power. Test = shared-truth reachability: if changing it can change what a different user/agent sees as truth, or can authorize a mutation, it is governed. Examples: personal UI prefs, user-scoped pins/filters, session state, scratch notes, comments, non-truth logs. Class 0 is OUT of the coverage population; the set of Class-0 sources is a COUNCIL-owned list (the exclusion is governed, not silent).

  • Reason: prevents over-governance noise (mission's explicit warning) while still catching personal→global escalation (#3).
  • Test: synthetic user-pin → no issue; synthetic global pin → pin_policy_unowned.
  • OQ: shareable-but-personal boundary (OQ-A2).

M-DEF-2 — Coverage profiles [B2]

Eight named profiles (EPHEMERAL/RO/POLICY/DOT/SURFACE/LAW/CLEANUP/EXCEPTION), each a checklist of profile-mandatory links; every L1 source row carries a default_profile; covered ⟺ all profile-mandatory links resolve. New object type = new L1 row + profile (data, not code).

  • Reason: operationalizes §2.3, kills "18 links for everything," makes future-type coverage concrete.
  • Test: every candidate maps to exactly one profile incl. Class 0; adding a type needs no code.

M-DEF-3 — Role taxonomy + responsibility scope [C1/C2]

Six responsibility scopes (policy, health, execution, render, approval, audit); exactly one accountable owner per (object × scope); unlimited supporting roles (delegate/executor/reviewer/auditor/exception-approver). §4.12 "one content one law" = one accountable owner per scope, NOT one owner per object.

  • Reason: reconciles federation with the enacted §4.12 (else the new Đ37 clause self-conflicts).
  • Test: grouping policy → {policy:COUNCIL, health:SIV, exec:DOT, render:MOUT} with zero §4.12 violations; same-scope double owner = conflict.

M-DEF-4 — Birth↔governance joint matrix + dedup precedence [D1]

Birth/registry orphan is a prerequisite failure: for an unborn/unregistered object the governance scanner does not raise OWNER_GAP (defers to the birth-orphan detector). Governance coverage is a layer above birth coverage; one root cause → one issue (shared coalesce namespace).

  • Reason: kills duplicate-scanner noise (mission §7).
  • Test: unregistered object → 1 issue (birth) not 2; register-without-owner → birth issue resolves, 1 governance issue opens.

M-DEF-5 — Anarchic re-base

Anarchic = governance-orphan missing an authority-critical link (owner, or for a mutating/high-risk object its approval-path/rollback/dot-authority). Descriptive-only gaps (design_ref, law_ref/audit on read-only) = orphan, not anarchic. Computed from gap_type × profile.

  • Reason: removes the circular "capacity" test.
  • Test: read-only-missing-design_ref = not anarchic; mutating-DOT-no-owner = anarchic/critical.
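
The M-DEF-4 precedence rule and the anarchic/orphan split defined just above can be exercised together. This is an added sketch, not code from the decision pack: the field names (`registered`, `mutating`, `profile_links`, `links`), the issue shape and the sample objects are assumptions.

```python
# Links that make a gap "anarchic": owner for every object; the other
# three only when the object is mutating/high-risk.
CRITICAL_ALWAYS = {"owner"}
CRITICAL_IF_MUTATING = {"approval_path", "rollback", "dot_authority"}

def scan(obj):
    """Return the issues for one object: one root cause, one issue."""
    key = obj["id"]  # shared coalesce key for both detectors
    if not obj["registered"]:
        # Prerequisite failure: governance defers to the birth-orphan detector,
        # so no governance issue is raised for this object yet.
        return [{"key": key, "layer": "birth", "class": "birth_orphan"}]
    missing = set(obj["profile_links"]) - set(obj["links"])
    if not missing:
        return []
    critical = CRITICAL_ALWAYS | (CRITICAL_IF_MUTATING if obj["mutating"] else set())
    return [{"key": key, "layer": "governance",
             "class": "anarchic" if missing & critical else "orphan",
             "missing": sorted(missing)}]

# Constructed sample objects (hypothetical ids and link sets).
DOT = {"id": "dot-1", "registered": False, "mutating": True,
       "profile_links": ["owner", "approval_path", "rollback"],
       "links": ["approval_path", "rollback"]}
VIEW = {"id": "view-1", "registered": True, "mutating": False,
        "profile_links": ["owner", "design_ref"], "links": ["owner"]}
```

Scanning `DOT` as-is yields only the birth issue; scanning it again with `registered` set to `True` yields a single governance issue classed anarchic.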

M-DEF-6 — Exception record (11 fields) + non-exemptable invariants [E1/E4/E5]

Full record: exception_type, scope, accountable_owner, reason, risk, approval_ref, expiry, review_cadence, rollback_ref, replacement_plan (mandatory), issue_on_expiry. Bound to a state fingerprint (auto-invalidate on signature change). Non-exemptable safety invariants: no write-outside-DOT, no local approval, no UI truth-math, no unregistered emit. Interim home = admin_fallback_log until grant_exception action-type exists.

  • Reason: kills the "temporary-forever" exception (#5) and scope-creep (#23).
  • Test: no-replacement-plan exception cannot be granted; read-only→write adapter auto-invalidates.
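
Both M-DEF-6 acceptance tests can be checked mechanically. The following is an added example, not part of the decision pack: the SHA-256-over-JSON fingerprint, the invariant identifiers, the use of `exception_type` to name what is waived, and every sample value are assumptions.

```python
import hashlib
import json
from datetime import date

# The 11 record fields listed in M-DEF-6.
FIELDS = ("exception_type", "scope", "accountable_owner", "reason", "risk",
          "approval_ref", "expiry", "review_cadence", "rollback_ref",
          "replacement_plan", "issue_on_expiry")
# The four non-exemptable invariants; these identifier spellings are assumed.
NON_EXEMPTABLE = {"write_outside_dot", "local_approval",
                  "ui_truth_math", "unregistered_emit"}

def fingerprint(state):
    """State fingerprint; SHA-256 over canonical JSON is an assumption."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def grant(record, state):
    """Refuse incomplete or non-exemptable requests, then bind to the state."""
    missing = [f for f in FIELDS if record.get(f) in (None, "")]
    if missing:
        raise ValueError(f"cannot grant, missing fields: {missing}")
    if record["exception_type"] in NON_EXEMPTABLE:
        raise ValueError(f"{record['exception_type']} is non-exemptable")
    return {**record, "state_fingerprint": fingerprint(state)}

def status(granted, state, today):
    """A signature change invalidates first; otherwise expiry is checked."""
    if fingerprint(state) != granted["state_fingerprint"]:
        return "invalidated"
    if today > date.fromisoformat(granted["expiry"]):
        return "expired"
    return "active"

# Constructed sample: a read-only adapter exception (all values illustrative).
ADAPTER = {"object": "direct-pg-adapter", "grants": ["SELECT"]}
RECORD = {
    "exception_type": "direct_db_read", "scope": "direct-pg-adapter",
    "accountable_owner": "GOV-COUNCIL", "reason": "legacy reporting path",
    "risk": "medium", "approval_ref": "APR-EXAMPLE", "expiry": "2026-09-01",
    "review_cadence": "30d", "rollback_ref": "RB-EXAMPLE",
    "replacement_plan": "move reads behind the governed API",
    "issue_on_expiry": True,
}
```

Adding a write grant to `ADAPTER` changes the fingerprint, so `status` returns `invalidated` without anyone having to revoke the record.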

M-DEF-7 — Governance grain + 5-term identity [F1/F2/G6]

Identity computed at the governance grain = roots + non-inheriting classes + containers (inheriting leaf records NOT counted individually). Identity = covered + orphans + approved_exceptions + retired_or_approved_ignore + stale_unverifiable. Inheritance resolves owner-link ONLY; risk-required links never inherited (anti-hiding). ignored is a gated permanent exception, not free.

  • Reason: makes "scale to 10⁸" real and stops gaps hiding behind parents/ignore/stale.
  • Test: +10⁶ inheriting children changes total_governed by 0; child policy under covered parent still flagged APPROVAL_PATH_GAP.
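
The grain and identity rules of M-DEF-7, as an added sketch that is not part of the decision pack. The object fields (`kind`, `inherits_owner`, `needs_approval_path`, `state`) and the sample rows are assumptions; only the owner-link is resolved through the parent chain.

```python
STATES = ("covered", "orphans", "approved_exceptions",
          "retired_or_approved_ignore", "stale_unverifiable")

def in_grain(obj):
    """Grain = roots + containers + non-inheriting classes (M-DEF-7)."""
    return obj["kind"] in ("root", "container") or not obj["inherits_owner"]

def owner_of(obj, by_id):
    """Walk the parent chain for the owner-link only; stops on cycles."""
    seen = set()
    while obj and obj["id"] not in seen:
        if obj.get("owner"):
            return obj["owner"]
        seen.add(obj["id"])
        obj = by_id.get(obj.get("parent")) if obj["inherits_owner"] else None
    return None

def gaps(obj, by_id):
    """Owner may be inherited; the approval path must sit on the object itself."""
    found = [] if owner_of(obj, by_id) else ["OWNER_GAP"]
    if obj.get("needs_approval_path") and not obj.get("approval_path"):
        found.append("APPROVAL_PATH_GAP")
    return found

def identity(objs):
    """Return (total_governed, counts); every grain object lands in one term."""
    by_id = {o["id"]: o for o in objs}
    counts = dict.fromkeys(STATES, 0)
    grain = [o for o in objs if in_grain(o)]
    for o in grain:
        state = o.get("state") or ("orphans" if gaps(o, by_id) else "covered")
        if state not in counts:
            raise ValueError(f"{o['id']}: state {state!r} is outside the identity")
        counts[state] += 1
    return len(grain), counts

# Constructed sample: a covered container, one inheriting child policy,
# one unowned root, one retired root.
SAMPLE = [
    {"id": "c1", "kind": "container", "inherits_owner": False,
     "owner": "GOV-COUNCIL", "needs_approval_path": True, "approval_path": "APR"},
    {"id": "p1", "kind": "policy", "inherits_owner": True, "parent": "c1",
     "needs_approval_path": True},
    {"id": "r1", "kind": "root", "inherits_owner": False},
    {"id": "r2", "kind": "root", "inherits_owner": False, "owner": "GOV-SIV",
     "state": "retired_or_approved_ignore"},
]
```

Appending any number of inheriting leaves under `c1` leaves `total_governed` at 3, while `gaps` on `p1` still reports `APPROVAL_PATH_GAP` despite the covered parent.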

M-Đ37 — Governance Organization (v3.3 enacted; owner GOV-COUNCIL) — DRAFT

§4.15 (revised) — One-Roof, governed object, anarchic, valid-owner

(a) Every governed object (truth/authority test, M-DEF-1) must have a valid central owner path; valid = {direct edge | governance_relations to active agency | law_jurisdiction primary owned by active agency | delegated (recorded) | inherited owner-link where law permits}. Does NOT count: comment/frontend owner, local approval, unratified design as sole authority, machine-pseudo-approval, stale registry-only entry, an approved exception (an exception is a separate coverage state, NOT an owner — [B5]). Plus risk-required approval/audit/rollback links per its coverage profile (M-DEF-2).

(b) Anarchic = governance-orphan missing an authority-critical link (M-DEF-5), not merely "capable of changing truth."

(c) No local governance island.

(d) Detection is an automatically-computed invariant (Đ31), not memory; GOV-COUNCIL is owner of last resort for unmapped objects [A5].

  • Reason: defines "valid" in-clause [J1]; fixes anarchic circularity [J2]; fixes exception-as-owner [B5]; closes the seam [A5].
  • Test: J1/J2 tests; frontend-constant owner rejected; ambiguity resolves to COUNCIL not gap.

§4.15-bis (new) — Roles & responsibility scope [C1/C2] — see M-DEF-3.

§4.16 (revised) — Owner-assignment, two-mode interim [J3/I2]

Assignment = scan→propose→approve(Đ32)→apply→audit. Apply mode depends on substrate: law-domain-anchored objects → agency→law edge (covers objects via law_jurisdiction+inheritance, works today); law-orphan objects (route/adapter/standalone-policy) → not expressible until §5.4-EXT / governance_object_ownership — recorded as a known limitation with a named upgrade path, not a silent gap. Separation of duty: propose ≠ approve ≠ apply-verify; approval is always Đ32 quorum, never the DOT; a DOT may never mint a law/owner/action-type/event [I4/C6].

  • Reason: §4.16 can't be satisfied for object grain as originally written [I2]; states SoD.
  • Test: I2/I4 tests.

§4.17 (revised) — Approved-exception [E1–E5] — full 11-field record (M-DEF-6); reuse Đ35 §6.5 overdue; replacement_plan mandatory; non-exemptable invariants; requires a grant_exception action-type (prerequisite, interim admin_fallback_log).

§4.18 (revised) — Future-feature coverage [F3/K1] — gate is severity-aware (block on high/critical; track warning) and tiered by phase (G-DESIGN/IMPL/ROUTE/PROD, doc 11 K1); waivable only by president, TTL-bounded [K3].

§5.4-EXT (reclassified) — Object-ownership edges [B7/I2]

Reclassify from "deferred" to "prerequisite for object-grain ownership." Either extend governance_relations (target_type='object'+target_object_type/ref) or add governance_object_ownership(...). Until it exists, object-grain APPLY is apply_blocked and law-orphan objects are OWNER_GAP by construction. This is the single structural change the remediation half depends on.

  • OQ: extend the existing table (CHECK change) vs new table (no CHECK risk on existing data)? [OQ-I2]

M-Đ31 — System Integrity (v1.2 enacted; owner GOV-SIV) — DRAFT

  • §4.3-Loại6 (revised): 6th check = Governance Coverage, with explicit cross-ref (governed object — defined in Article 37 §4.15; NOT redefined — §4.12 SSOT) [J4]. Sits above birth/registry orphan (M-DEF-4 precedence).
  • §4.6-ext: issue classes from the governed vocabulary registry (register-before-write, H2), not free-text literals.
  • §4.8-ext (revised): GATE = zero high/critical orphans for touched truth/authority objects (severity-aware [J5/F3]); warning = TARGET-tracked with deadline; info ignored.
  • §4.9-ext: watchdog-of-coverage + inventory-completeness check (inventory_gap critical vs information_schema/directus_collections/meta_catalog [G1]) + governance-context-change re-scan triggers [G3].

M-Đ35 — DOT Governance (v5.2 FINAL; owner GOV-DOT) — DRAFT

  • §6.2-bis (revised): coverage-DOT lifecycle DETECT→PROPOSE→APPROVE→APPLY→VERIFY→CLOSE; PROPOSE requires registered action-types (assign_governance_owner/grant_governance_exception, prerequisite [I1]); APPLY two-mode [I2]; SoD [I4]; bootstrap seed sequence + attestation base case [I3]; DOTs refuse stale/unverifiable input [I6].
  • §3-note / §6.5-note: unchanged (paired_dot + admin_fallback reuse), plus E2 interim exception home.

M-Đ24/29 — Label/Taxonomy/Grouping (Đ24 v1.3; agency-orphaned) — DRAFT

  • §0-OWNER (revised, J7): cross-system policy (grouping ceiling, pin policy, cross-surface threshold) → GOV-COUNCIL accountable; taxonomy/label substrate (facets/label_rules/species) → GOV-KG-SYS or taxonomy owner accountable, COUNCIL approver. Don't centralize substrate on the policy owner.
  • §5.2-ext: max_ungrouped ≤50 ceiling = a row in the COUNCIL-owned threshold-policy table, changed only via APR; all detection-pipeline numeric thresholds are governed rows, not literals [G4].

M-Đ26 — Pivot (v4.0; agency-orphaned) — DRAFT

  • §0-OWNER (revised, J8): pivot inherits source-collection owner only if the source is itself covered (anti-hiding B4/F6); else pivot_coverage_unowned. Health edge GOV-SIV → NRM-LAW-26 (agency→law, expressible today).
  • §MTx: PIVOT_MISSING = pivot_coverage_unowned issue; grand-total = constant-bucket VIEW (RP PIV-500). §repair: repair = governed DOT INSERT (Đ26 §0-AU/§1E), APR-gated if it changes a counting contract.

M-Đ28 — Display/Nuxt boundary (v2.0; agency-orphaned, MOUT draft) — DRAFT

  • §0-OWNER (revised, J6): render/display/API → GOV-MOUT; pending MOUT activation, accountability is held provisionally by GOV-COUNCIL via a recorded TTL-bounded delegation (so render objects are covered-by-delegation/warning, not high orphans → gate stays usable). Activation removes the delegation.
  • NT-D1-ext (revised, G8): "UI/render tier" = Vue and Nitro server/api/**; neither computes governance/count/grouping truth; both read L5/pivot only. Retire health.get.ts:123 totalGap=reduce(+Math.abs(gap)), index.vue CAT-017/orphan_count:hd.totalGap.
  • §VIII-ext: Direct-PG = approved exception (M-DEF-6), read-only verified against information_schema grants [E3], ledgered in vps_deploy_log, QUARANTINED transitional state for the already-live adapter [A3].

M-Đ45 — Event/Queue (v1.0; substrate-owned) — DRAFT

  • §3.2-note (revised, H1): register-before-emit for the governance events; correct names: the dormant types are bare governance.blocked/unblocked/proposal.* (domain=mother) — decide whether new coverage events join a new GOV-SIV governance/integrity domain rather than the mother domain (OQ-H1). Extend register-before-emit to a register-before-write issue_type vocabulary [H2/H4].
  • §4-note: signal-not-data for events and issue bodies [H6]; throttle + hard per-scan emit ceiling [G7]; cooldown + age escalation + approval-gated suppression [H3].
  • §6.6-note: detect (event) vs remediate (9-state job) unchanged.

M-summary

| Target | # revised clauses | Net effect |
|---|---|---|
| Report definitions | 7 (M-DEF-1..7) | the missing scaffolding (non-governed class, profiles, roles, joint matrix, anarchic re-base, exception record, governance grain) |
| Đ37 | §4.15, §4.15-bis, §4.16, §4.17, §4.18, §5.4-EXT | fixes valid/anarchic/exception-owner/SoD/two-mode-apply; reclassifies §5.4-EXT to prerequisite |
| Đ31 | §4.3-Loại6, §4.6/4.8/4.9-ext | severity-aware GATE; inventory-completeness; context triggers |
| Đ35 | §6.2-bis | action-type prereqs; two-mode apply; SoD; bootstrap seed |
| Đ24/29 | §0-OWNER, §5.2-ext | substrate↔policy owner split; governed thresholds |
| Đ26 | §0-OWNER, §MTx, §repair | covered-source inheritance; PIVOT_MISSING |
| Đ28 | §0-OWNER, NT-D1-ext, §VIII-ext | interim render-delegation; Nitro in scope; verified read-only exception |
| Đ45 | §3.2/§4/§6.6-notes | correct event names; issue vocabulary; anti-spam |

All revised clauses remain draft-only; none is enacted, version-bumped, or status-changed. They flow into doc 14 (GO/NO-GO) and the doc 15 prompts (P-clause-correction).
