KB-4080
14 — Open Questions & GO/NO-GO (2026-06-01)
10 min read Revision 1
one-roof-governanceclause-hardeninggo-no-goopen-questionstier-1-blockerscouncil-decisioncanonical-design2026-06-01
14 — Open Questions & GO/NO-GO
The decision document. Consolidates findings into blocker tiers, lists open questions for human/GPT/council, and gives the GO/NO-GO recommendation for moving to canonical design patching.
14.1 Findings roll-up
- Internal contradictions found (6): B5/F4 (exception as owner-path vs separate term) · F1 (per-object identity vs container-grain) · F3/J5 (gate "covered==true" vs warning non-blocking) · I2/J3 (apply writes object edge vs CHECK-blocked + §5.4-EXT deferred) · C2 (federated multi-owner vs Đ37 §4.12 one-owner) · D2/J2 (anarchic "capacity" circular vs governed-object definition).
- Unaddressed gaps (mission-required, not in pack): A2/B1 (non-governed class) · C1 (role taxonomy / accountable-vs-support) · D1 (birth↔governance joint matrix) · E1 (exception replacement_plan + full fields) · G2 (route registry) · K1/K3 (tiered gate + waiver authority).
- Live-verified traps (substrate can't yet do what the pack assumes): I1/E2 (no
grant_exception/assign_ownerAPR action-type) · I2 (no agency→object edge) · H1 (event names mis-cited). - Memory-dependence re-introductions: B3 (design_ref "by convention") · G1 (L1 completeness base case) · G3 (context-change blind spot) · G4 (unsourced thresholds).
14.2 Tier-1 — BLOCKERS (must resolve before canonical design patch)
These either (a) make the deployed system noisy/unusable, (b) let real gaps hide, or (c) make a drafted clause self-contradictory or inoperable.
| # | Blocker | Finding | Why it blocks |
|---|---|---|---|
| T1-1 | Define the non-governed (Class 0) artifact + shared-truth test | A2/B1, M-DEF-1 | Without it the scanner floods on personal pins/prefs (noise → alarm fatigue → real islands hide). Contradicts the mission's anti-over-governance instruction. |
| T1-2 | Define accountable-owner-per-scope + role taxonomy; reconcile with Đ37 §4.12 | C1/C2, M-DEF-3 | The new Đ37 §4.15 otherwise contradicts the enacted §4.12; the federated model is unstatable. |
| T1-3 | Fix the exception/owner-path contradiction (B5) and the identity grain (F1) and gate severity (F3) | B5/F1/F3/F4 | Three contradictions in the invariant + gate — the keystone. If imprecise, the identity closes while gaps hide and the gate is permanently red. |
| T1-4 | Inheritance covers owner-link ONLY (anti-hiding) | B4, M-DEF-7 | Red-team #20: child policy gaps hide behind covered parents — the headline scale risk. |
| T1-5 | Birth↔governance dedup precedence | D1, M-DEF-4 | Without it, two scanners double-fire (duplicate noise — mission §7). |
| T1-6 | Substrate prerequisites: grant_exception/assign_owner action-types (I1/E2) + reclassify §5.4-EXT object edge from "deferred" to "prerequisite for object-grain apply" (I2/B7) |
I1/I2/E2/B7 | Red-team #13/#14 ❌: the remediation half cannot run (PROPOSE files malformed APRs; APPLY can't assign object owners). This is the only blocker needing a future substrate change; the rest are wording. |
| T1-7 | Route registry / detection completeness | G1/G2/G3 | Red-team #1/#21/#22: the most island-prone surface (routes) is undetectable; L1 completeness base case + context-change triggers prevent silent rot. |
14.3 Tier-2 — SHOULD-FIX (resolve during the design-patch phase, can run in parallel)
D2/J2 (anarchic re-base) · E1/E4/E5 (full exception record) · F2 (gate ignored) · G6 (stale/unverifiable identity term) · H1/H2/H3/H4 (event names, issue vocabulary, anti-spam) · I3 (bootstrap seed) · I4/C6 (separation of duty) · J6 (interim render-delegation) · J7 (label/taxonomy owner split) · K1/K3 (tiered gate + waiver) · A3 (QUARANTINED) · A4/K4 (emergency lane).
14.4 Tier-3 — NICE-TO-HAVE / NOTE
B3 (design_ref advisory) · A6/A7 (wording, F-ISLAND-8 split) · D3/D4 (island roll-up framing) · G7/G8 (emit ceiling, Nitro-in-scope) · J10 (slot/version drift — a P3 prerequisite check) · K5/K7 (evidence manifest, gate ordering).
14.5 Open questions for human / GPT / council
| OQ | Question | Owner | Recommended default |
|---|---|---|---|
| OQ-A2 | Boundary for shareable-but-personal artifacts (a personal pin that can be exported/shared)? | COUNCIL | shareable ⇒ governed at share time |
| OQ-A3 | Standard regularization deadline for an inherited/legacy live bypass? | COUNCIL | 60 days |
| OQ-B2 | PROFILE-SURFACE-RO for read-only routes (drop rollback)? |
SIV | yes |
| OQ-B3 | Build a design_link registry, or accept design_ref permanently advisory? |
COUNCIL | advisory now |
| OQ-B7/I2 | Extend governance_relations (CHECK change) vs new governance_object_ownership table? |
COUNCIL+SIV | new table (no CHECK-migration risk on live edges) |
| OQ-C7/E2/I1 | One bundle of new APR action-types (assign_governance_owner, grant_governance_exception, delegate_authority)? Handlers or council-review-only? |
COUNCIL | one bundle; owner-assign has a handler, exception/delegate council-review |
| OQ-D1 | Does the Đ37 agency-orphan detector overlap the new object-coverage detector for laws 24/26/28/45? | SIV | keep law/agency gaps with Đ37 detector; object gaps with new detector; state boundary |
| OQ-D3 | Which island sub-types are PG-detectable vs CI-only? | SIV | no-owner-table=PG; approval-flag/owner-constant=CI |
| OQ-E1/K3 | Max exception/waiver renewals before replacement_plan must execute? | COUNCIL | 2 |
| OQ-F3/H3/K2 | warning→high escalation deadline? | COUNCIL | 30 days |
| OQ-G1 | File/config ground truth (model-B File:… substrate, nginx)? |
SIV | defined scan root on VPS |
| OQ-G2 | Route registry: new table vs derived-on-scan from nginx+Nuxt? | MOUT/SIV | derived-on-scan (reuse-first) |
| OQ-H1 | New governance/integrity event domain (GOV-SIV) vs reuse mother dormant rows? |
SIV+Đ45 | new domain; leave mother rows for factories |
| OQ-I2 | Bring §5.4-EXT forward as Tier-1 prerequisite? | COUNCIL | yes |
| OQ-I5 | Verify the event_outbox registry CHECK actually exists (fail-closed)? |
SIV | verify in P4 |
| OQ-J6 | Provisional COUNCIL render-delegation vs fast-track GOV-MOUT activation? | COUNCIL | delegation now, activation as end-state |
| OQ-J7 | Taxonomy/label substrate owner (GOV-KG-SYS vs dedicated taxonomy agency)? | COUNCIL | GOV-KG-SYS |
| OQ-J10 | Resolve Đ45 (ban_hanh=false leftover) + Đ36 (v4.0 vs v5.0) authoritative status (content-only)? |
NRM-SYS | resolve before P3 |
| OQ-K6 | CI blocking-in-deploy vs scheduled-detect? | SIV | blocking-in-deploy for a true gate |
14.6 GO / NO-GO recommendation
RECOMMENDATION: NO-GO for canonical design patching until the Tier-1 blockers (§14.2) are folded into a hardening revision of the decision pack. After that single revision, GO.
Rationale:
- The decision pack is structurally sound, live-anchored, reuse-first, and non-islanding — its architecture is the right one and should be kept, not redesigned.
- But the red-team is decisive (doc 12): the un-hardened pack catches only the cases the existing Đ35/Đ45 machinery already enforces; 19 of 24 governance-specific attacks require a hardening fix, and 2 cannot run at all until substrate prerequisites land. Patching canonical design on top of an invariant with 3 internal contradictions and a remediation path that can't execute would propagate those defects into the design docs and then into law.
- The fixes are almost entirely wording-level and self-contained (M-DEF-1..7 + the Đ37/31/35/24/26/28/45 revisions in doc 13). Only one blocker (T1-6) needs a future substrate change (new APR action-types + §5.4-EXT object edge) — and that is design/prep work, not part of this or the next macro.
CONDITIONAL GO available: the design-patch concept docs (doc 09 P-09.1/P-09.4 — the One-Roof statement + the new 14-governance-coverage… doc) may proceed if and only if they carry the hardened definitions (M-DEF-1..7) and explicitly flag T1-6 as a substrate prerequisite. The surface-binding patches (P-09.2/3/5/6/7) should wait until T1-1..T1-7 are settled, because they encode the owner/gate/exception semantics that the blockers change.
14.7 Answers to the mission's final-response questions
- Clause-hardening verdict: the pack is a strong v1 but not yet tight enough; 6 contradictions + 6 gaps + substrate traps must be closed.
- Hardened definitions ready? — partially YES: doc 13 provides ready hardened wording for every reviewed clause + the 7 missing definitions; they need council adoption, not more drafting.
- Readiness gate ready? — NO (needs K1+K3+F3): must become tiered + severity-aware + waiver-governed before it is a usable gate.
- Red-team verdict: the un-hardened pack does not yet stop the attacks it was built to stop (doc 12); after Tier-1 it stops 22/24, with 2 (#13/#14) pending the substrate prerequisite.
- Biggest issues: non-governed class (A2), inheritance anti-hiding (B4), the invariant/gate contradictions (B5/F1/F3), the substrate-can't-do-it traps (I1/I2/E2), and route undetectability (G2).
- GO/NO-GO: NO-GO now; GO after one hardening revision (Tier-1). Conditional GO for the two concept-only design docs that carry the hardened definitions.
Next: doc 15 (prompts), doc 16 (self-review).