KB-63E1

01 — One-Roof Governance Principle (2026-06-01)

Revision 1


Branch A. Supplemental decision pack — no enactment, no version bump.

1.1 The principle (original statement, translated from Vietnamese)

One-Roof Governance Principle (Nguyên tắc Một Mái Nhà Quản trị):

Every governance-related object and action lives under one single central governance roof. One agency registry (governance_registry), one approval spine (Điều 32), one detection/issue/event system (Điều 31 + Điều 45), one DOT execution model (Điều 35). There is no local governance island. Born without being registered under the common roof = governance-orphan. An action that changes system truth without a central owner / approval / audit / rollback = anarchic object. The system must not depend on future humans or agents remembering this principle: it must automatically detect everything that lies outside governance, the same way birth-registration orphans are detected.

This restates, at the governance tier, the foundational rules already enacted: Điều 2 §3 "No ID = DOES NOT EXIST; not in the registry = INVISIBLE"; Điều 37 NV1 "Born = registered. Not registered = orphan"; Điều 31 §I "MACHINE CHECKS MACHINE. Do not depend on humans remembering, complying, or watching" (Điều 30 §I echoes this).

1.2 The principle (technical)

A single central governance roof is the conjunction of these existing, live substrates; no new substrate is invented by this principle:

| Roof pillar | Substrate (live) | Owning law | Owner agency |
| --- | --- | --- | --- |
| Owner / capability matrix | governance_registry (9), law_jurisdiction | Điều 37 §5.1–5.2 | GOV-COUNCIL |
| Ownership edges | governance_relations (8) | Điều 37 §5.4 | GOV-COUNCIL |
| Approval spine | approval_requests (211) + apr_approvals (42) + apr_action_types (6) | Điều 32 | GOV-COUNCIL (quorum) |
| Audit | governance_audit_log (1) + system_issues (188,250) + vps_deploy_log + lifecycle_log | Điều 37 §5.5 + Điều 31 | GOV-SIV |
| Integrity / detection | system_issues, count-integrity, orphan/phantom/drift contracts | Điều 31 | GOV-SIV |
| DOT execution | dot_tools (309) + paired_dot + dot_coverage_required | Điều 35 | GOV-DOT |
| Issue / event routing | system_issues + event_outbox + event_type_registry (40) | Điều 31 + Điều 45 | GOV-SIV / Đ45 substrate |
| Render / display / API | design_templates whitelist + paired DOTs | Điều 28 | GOV-MOUT (draft) |

Federated-but-central (per GPT review, and consistent with Điều 37 §4.12 "one content item is governed by exactly one law" + §4.13 "equipped with sufficient tools"): governance ownership is distributed by function across owners, but every owner is registered in the one governance_registry, and every authority-bearing action passes the one Điều 32 approval spine, emits to the one Điều 31/45 issue-event substrate, and (if executed by code) runs as a Điều 35 DOT.

  • Policy owner — GOV-COUNCIL: cross-system policy definitions (classification/grouping/threshold/label-dimension, phantom definition, pin policy), and the §4.12d tie-breaker.
  • Health/integrity owner — GOV-SIV: count-integrity, orphan/phantom/drift detection, pivot coverage, and governance-coverage / anarchy detection (this pack's new responsibility, placed under Điều 31).
  • DOT execution owner — GOV-DOT: scan / propose / apply / audit DOT lifecycle (Điều 35).
  • Render/display/API owner — GOV-MOUT (after activation + a Điều 28 ownership clause): the render-shell that displays governance state and never decides it.

1.3 What One-Roof forbids (the seven "no local island" rules)

Synthesized from GPT direction ("Non-negotiable") + Điều 37 §4.12/§4.14 + Điều 45 §3.1/§11.2:

  1. No local governance island — no surface-scoped owner/approval/lifecycle/rules cluster outside the central roof.
  2. No per-module approval system — all approval goes through approval_requests/apr_approvals under Điều 32 quorum; no surface invents its own "approved" flag.
  3. No per-module owner model — ownership is expressed only via governance_registry + governance_relations (+ law_jurisdiction); no owner semantics invented locally.
  4. No standalone policy table without central owner/approval/audit/rollback — e.g. display_policy, registry_pin, registry_grouping_policy, phantom-definition tables must each carry owner_gov_code (or a governance relation), a capability requirement, an approval gate, lifecycle status, audit fields, and a rollback/retire path.
  5. No DOT action outside DOT governance — every executing DOT is registered in dot_tools, tiered A/B, and (if tier B / mutating) has a paired_dot and an approval gate (Điều 35 §3).
  6. No Direct-PG / render / API exception without governance approval — the live Registries-Pivot Direct-PG read-only adapter (Nitro → read-only pg Pool) is a sanctioned-or-orphan exception that must be either ratified as a governed read-only adapter or recorded as an approved exception (Điều 33 §13 exception list).
  7. No production feature without governance coverage — the GOVERNANCE_COVERAGE_PASS readiness gate (doc 04 §4.6, doc 09): a feature reaches production only if every one of its governed objects is covered or has an approved exception.

1.4 Application matrix (the principle applied to each surface)

| Surface / object | Governed? | Correct owner (reuse-first) | Live status / gap |
| --- | --- | --- | --- |
| Registries-Pivot page | yes (render) | GOV-MOUT (render) + GOV-SIV (truth) | GOV-MOUT draft; display agency-orphaned |
| grouping / classification policy | yes (policy) | GOV-COUNCIL (cross-system taxonomy) | no policy home; would be a local island if standalone |
| labels / taxonomy (Đ24) | yes (policy) | GOV-COUNCIL | law-24 unowned (no owner edge) |
| threshold policy (50 ungrouped ceiling) | yes (policy) | GOV-COUNCIL | display_policy proposal = island risk until owned |
| registry pin / ghim | yes (policy) | GOV-COUNCIL (global), user/role/team scope | registry_pin NEW; island risk if standalone |
| phantom definition | yes (policy + law-gap) | GOV-COUNCIL defines + GOV-SIV detects | LAW_DEFINITION_GAP (no phantom_count law) |
| pivot coverage (PIVOT_MISSING) | yes (health) | GOV-SIV | law-26 unowned; PIVOT_MISSING not an issue type |
| DOTs (scan/propose/apply) | yes (execution) | GOV-DOT | pattern exists; coverage DOTs NEW |
| Directus / API surface | yes (render/API) | GOV-MOUT | Direct-PG adapter = unratified exception |
| Nuxt / render-shell | yes (render) | GOV-MOUT | must display, not decide (Đ28 NT-D1) |
| future modules / object types | yes | resolved by detection (doc 05) | must be auto-covered, not memory-covered |
| information units | yes (substrate) | future law-substrate owner | governs the future law substrate itself |
| documents | yes | GOV-NRM-SYS / GOV-KG-SYS | covered via normative/kg domains |
| workflows | yes | GOV-MOW (draft) | factory draft |
| tasks | yes | GOV-MOT (draft) | factory draft |
| agents / capabilities | yes (authority) | GOV-COUNCIL + capability_code | capability matrix mostly NULL |
| event / queue types | yes | Đ45 substrate + registering owner | register-before-emit (Đ45 §3.2) |

1.5 Examples (governed, correctly under the roof)

  • A new grouping policy for Registries-Pivot is created as a row in a governed policy table that has owner_gov_code='GOV-COUNCIL', a capability requirement, and is changed only via an approval_requests row of an APR action type — never by editing UI or code.
  • A new mutating DOT is registered in dot_tools (tier B) with a paired_dot tier-A checker and an approval gate; its run writes back to PG (Điều 45 §6.7 work_state_machine), audits to vps_deploy_log, and is rollback-safe.
  • The Registries-Pivot Direct-PG read-only adapter is recorded as an approved exception with a law reference (Điều 33 §13) and a periodic re-review.

1.6 Non-examples (would be a local island — forbidden)

  • A display_policy table with no owner_gov_code, edited directly in Directus, with a frontend "is this approved?" boolean → local approval island (violates rule 2 + 4).
  • A Registries-Pivot–only "pin" mechanism stored in localStorage or a UI-owned table → local ownership island (violates rule 3; also Điều 28 NT-D1 "Nuxt carries no business logic").
  • A grouping DOT that mutates classification but is not in dot_tools and has no paired_dot → DOT-governance bypass (violates rule 5; the Điều 35 §3 trigger rejects tier-B DOTs without a paired_dot).
  • Count/grouping truth computed in health.get.ts / index.vue (the live totalGap = reduce(+Math.abs(gap)), hardcoded CAT-017 rows) → render island deciding truth (violates rule 7 + Điều 28 NT-D1 + §0-AU).

1.7 Forbidden patterns (canonical list, for CI in doc 10 / doc 12)

  • F-ISLAND-1 local owner semantics
  • F-ISLAND-2 local approval flag/table
  • F-ISLAND-3 policy table without owner_gov_code + approval + audit + rollback
  • F-ISLAND-4 DOT mutating outside dot_tools/paired_dot
  • F-ISLAND-5 Direct-PG/API/render exception without ratification or an approved-exception record
  • F-ISLAND-6 UI computing count/grouping/classification truth
  • F-ISLAND-7 event_type emitted without event_type_registry registration (Đ45 §3.2)
  • F-ISLAND-8 new production object with no governance owner and no detection coverage
  • F-ISLAND-9 governance principle enforced only by documentation/memory rather than by a scanner + gate
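An added example, not part of the decision pack and not the project's own code, of the "machine checks machine" scanner that rules 3, 4 and 7 in §1.3 and patterns F-ISLAND-1 / F-ISLAND-3 / F-ISLAND-8 above describe: it walks an inventory of governed objects, flags those with no owner, an owner outside governance_registry, or a missing approval / lifecycle / audit / rollback field, and then applies the GOVERNANCE_COVERAGE_PASS gate (every finding must sit on an object with an approved-exception record). The table names governance_registry and approval_requests come from this page; every column name, the governed_objects inventory table, the governance_exceptions table, the in-memory SQLite stand-in for Postgres, and all sample rows are constructed assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema (assumption): only the table names governance_registry and
# approval_requests are taken from the decision pack; every column, plus the
# governed_objects inventory and governance_exceptions tables, is invented here.
SCHEMA = """
CREATE TABLE governance_registry (gov_code TEXT PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE approval_requests (id INTEGER PRIMARY KEY, status TEXT NOT NULL);
CREATE TABLE governed_objects (
    object_ref          TEXT PRIMARY KEY,  -- e.g. 'display_policy:7' (table:row)
    owner_gov_code      TEXT,              -- NULL = governance-orphan
    approval_request_id INTEGER,           -- NULL = no approval gate
    lifecycle_status    TEXT,              -- NULL = no lifecycle status
    last_audit_id       INTEGER,           -- NULL = no audit trail
    rollback_ref        TEXT               -- NULL = no rollback/retire path
);
CREATE TABLE governance_exceptions (object_ref TEXT PRIMARY KEY, law_ref TEXT NOT NULL);
"""

# Constructed sample rows: one fully governed policy, one standalone policy table,
# one object owned by a code that was never registered, one unratified adapter.
SAMPLE_ROWS = """
INSERT INTO governance_registry VALUES ('GOV-COUNCIL','active'), ('GOV-SIV','active'), ('GOV-MOUT','draft');
INSERT INTO approval_requests VALUES (1,'approved'), (2,'pending');
INSERT INTO governed_objects VALUES
  ('registry_grouping_policy:1', 'GOV-COUNCIL',     1,    'active', 10,   'retire'),
  ('display_policy:7',           NULL,              NULL, NULL,     NULL, NULL),
  ('registry_pin:3',             'GOV-PIVOT-LOCAL', 1,    'active', 11,   'retire'),
  ('direct_pg_adapter:1',        'GOV-MOUT',        NULL, 'active', 12,   NULL);
INSERT INTO governance_exceptions VALUES ('direct_pg_adapter:1', 'Điều 33 §13');
"""


@dataclass(frozen=True)
class Finding:
    object_ref: str
    pattern: str   # F-ISLAND code from the canonical list
    detail: str


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def scan_governance_coverage(conn: sqlite3.Connection) -> list[Finding]:
    """Detect islands and orphans from the data alone; no human has to remember the rule."""
    rows = conn.execute("""
        SELECT o.object_ref, o.owner_gov_code, r.gov_code AS registered_owner,
               a.status AS approval_status, o.lifecycle_status, o.last_audit_id, o.rollback_ref
        FROM governed_objects o
        LEFT JOIN governance_registry r ON r.gov_code = o.owner_gov_code
        LEFT JOIN approval_requests  a ON a.id = o.approval_request_id
        ORDER BY o.object_ref""").fetchall()
    findings: list[Finding] = []
    for ref, owner, registered, apr_status, lifecycle, audit, rollback in rows:
        if owner is None:
            findings.append(Finding(ref, "F-ISLAND-8", "no owner_gov_code: governance-orphan"))
        elif registered is None:
            # Owner code exists only locally: "not in the registry = invisible"
            findings.append(Finding(ref, "F-ISLAND-1", f"owner {owner} not in governance_registry"))
        missing = [name for name, value in (("approval", apr_status == "approved"),
                                            ("lifecycle", lifecycle is not None),
                                            ("audit", audit is not None),
                                            ("rollback", rollback is not None)) if not value]
        if missing:
            findings.append(Finding(ref, "F-ISLAND-3", "missing " + ", ".join(missing)))
    return findings


def governance_coverage_pass(conn: sqlite3.Connection) -> tuple[bool, list[Finding]]:
    """Rule 7 gate: pass only when every finding is on an object with an approved-exception record."""
    excepted = {row[0] for row in conn.execute("SELECT object_ref FROM governance_exceptions")}
    blocking = [f for f in scan_governance_coverage(conn) if f.object_ref not in excepted]
    return (not blocking), blocking


if __name__ == "__main__":
    db = build_sample_db()
    ok, blocking = governance_coverage_pass(db)
    print("GOVERNANCE_COVERAGE_PASS:", ok)
    for f in blocking:
        print(f"  {f.pattern:<10} {f.object_ref:<28} {f.detail}")
```

The scanner never consults a list maintained by hand: the registry tables are the only source of truth, so a new object type picked up by the inventory is covered automatically, and the approved-exception record is what turns an unratified Direct-PG adapter from a blocking finding into a tracked exception.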

Cross-refs: doc 02 (what counts as a governed object), doc 03 (how an island/orphan is detected), doc 04 (the coverage invariant that operationalizes rule 7).

knowledge/dev/reports/architecture/one-roof-governance-decision-pack-2026-06-01/01-one-roof-governance-principle.md