04 — Governance Coverage Invariant (2026-06-01)
Branch D. The accounting identity that makes One-Roof self-enforcing instead of memory-dependent. Design only.
4.1 The core invariant
Every governed object must be covered by exactly one valid central governance ownership path, plus the approval / audit / rollback paths required by its risk class. Anything else is a governance-orphan and must be visible.
This is the governance-tier twin of the birth/orphan counting invariant already used for records (the Registries-Pivot count-integrity work: Σrecord = Σactual + drift, leaf-scoped). Here the population is governed objects, and the "actual" is governance coverage.
4.2 The accounting identity
For any scope S (a source, a domain, or the whole system):
total_governed(S)
= covered(S) -- valid owner + risk-required links
+ governance_orphans(S) -- missing ≥1 required link (doc 03 gap types)
+ approved_exceptions(S) -- orphan-by-shape but ratified (TTL-bounded)
+ retired_or_ignored(S) -- lifecycle=retired, or explicitly out-of-governance by law
This identity must close exactly for every scope, the same way the record invariant closes (and the same way leaf-scoping prevents the Điều 28 double-count trap: governed objects are counted at the object grain, never by summing rollup/meta rows). A scope where the four terms do not sum to total_governed is itself a GOVERNANCE_SCHEMA_DRIFT finding (the detector cannot account for everything it sees).
4.2.1 Derived gates
-- Production-eligibility gate (the GOVERNANCE_COVERAGE_PASS gate):
for every production-eligible object o in S:
governance_orphans({o}) == 0 -- 0 orphans, or covered by approved_exception
-- Authority gate:
for every mutating/authority-bearing object o:
approval_path_exists(o) == true -- an APR action-type + (if high) Đ32 quorum
-- DOT gate (already PG-enforced by Đ35 §3 trigger; re-asserted as coverage):
for every code-executed object o:
dot_authority_exists(o) == true AND (tier_B(o) -> paired_dot(o) IS NOT NULL)
-- Issue gate:
for every issue-producing object o:
issue_or_event_route_exists(o) == true
GOVERNANCE_COVERAGE_PASS(S) ⟺ all four gates hold for S ⟺ governance_orphans(S \ approved_exceptions) == 0. This is the readiness-gate predicate added to Registries-Pivot's gate set (doc 09 → 12-implementation-readiness-gate.md) and to the future implementation plan (doc 10).
4.3 What counts as "covered" (binding)
Re-stated from doc 02 §2.4 as the invariant's membership rule. covered(o) requires a valid owner path AND the risk-required links:
Valid owner path (any one):
- a direct owner_gov_code (where object→agency edges exist — future);
- a governance_relations edge to an active owning agency;
- a law_jurisdiction primary owner whose law is owned by an active agency;
- an approved exception (approval_requests row, exception action-type, unexpired TTL);
- an explicit delegated owner recorded centrally;
- an inherited owner from a parent object where a law explicitly permits inheritance.
Does NOT count (these are the orphan tells): comment-only owner · frontend owner · local approval · unratified design doc as sole authority · machine-generated pseudo-approval (e.g. system_auto_approve rows; os_proposal_approvals=0) · stale law_catalog/normative_registry-only entry with no active owner edge.
4.3.1 Why "active" matters (live consequence)
Paths 2 and 3 require an active agency. Today GOV-MOUT/MOW/MOT/MOIT are draft, so any object whose only owner is a draft mother factory is not yet covered — it is a warning-severity orphan until activation. And laws 24/26/28/45 have no owner edge at all (doc 00 §0.3), so objects relying on those laws for ownership are OWNER_GAP orphans regardless of agency status. The invariant therefore measures the exact backlog the GPT review flagged ("incomplete owner assignment") rather than asserting it from memory.
4.4 Inheritance rule (scale enabler)
To avoid stamping owners on 10⁸ objects, coverage inherits down a parent chain where law permits:
covered(o) := own_owner_path(o)
OR (parent(o) EXISTS
AND law_allows_inheritance(class(o))
AND covered(parent(o)))
Example: a pivot inherits the owner of its source collection; a leaf registry row inherits the owner of its registry; a DOT inherits nothing (execution authority never inherits — every DOT is owned explicitly, Điều 35). Inheritance is the mechanism by which "future expansion is automatically covered": a new child of a covered parent is covered on birth, and a new root with no owner is immediately a visible OWNER_GAP.
4.5 The invariant is computed, never remembered
The whole point (user requirement: "must not depend on user/agent memory") is that coverage is a standing computation over live substrate (doc 05 views) refreshed on a cadence (doc 06 scanner), surfaced as a pivot (Registries-Pivot, doc 09), and gated in CI (doc 10 §phase 8). No human asserts "this is governed"; the scanner derives it and raises system_issues for every gap. This mirrors Điều 31 Nguyên tắc 6 (WATCHDOG: the integrity system watches itself; silence = alarm) — the governance-coverage scanner must itself be covered (it is a DOT under GOV-DOT, paired, audited), or the watchdog flags the watchdog.
4.6 The GOVERNANCE_COVERAGE_PASS readiness gate
A new gate alongside the existing Registries-Pivot readiness gates (RG1…RG9) and Điều 20 tiered approval:
GOVERNANCE_COVERAGE_PASS(feature) :=
for every governed object o introduced or touched by `feature`:
covered(o) == true
OR approved_exception(o) WITH unexpired TTL
- Gate fails ⇒ no production. A feature cannot ship if it introduces an uncovered governed object (doc 01 rule 7).
- The gate is evidence-based (Điều 30 §V "No Blind PASS"; Điều 20 §13): the proof is the scanner's governance_orphans(feature)=0 result + the exception records, attached as artifact — not a claim.
- The gate composes with, and does not replace, Điều 20 Tier 2/3 approval and Điều 32 quorum.
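An added example, not the pack's own code (the doc 05 views and doc 06 scanner do not exist yet): it carries the 4.2 accounting identity, the 4.4 inheritance rule and the 4.6 GOVERNANCE_COVERAGE_PASS gate through in Python over a constructed in-memory population. Agency and object names (GOV-ACTIVE, GOV-DRAFT, coll, dot1, ...) and the class-to-inheritance table are hypothetical stand-ins for the real substrate.

```python
from dataclasses import dataclass
from typing import Dict, Optional
@dataclass
class Obj:
    name: str
    cls: str                                # object class; decides whether inheritance is allowed
    owner_agency: Optional[str] = None      # own owner path (direct code / relations edge)
    parent: Optional[str] = None
    retired: bool = False
    exception_ttl_ok: bool = False          # ratified exception with unexpired TTL

ACTIVE_AGENCIES = {"GOV-ACTIVE"}                  # a draft agency is not "active" (4.3.1); hypothetical names
INHERITING_CLASSES = {"pivot", "registry_row"}   # law permits inheritance; a DOT never inherits (4.4)

def covered(o: Obj, objs: Dict[str, Obj]) -> bool:
    # covered(o) := own_owner_path(o) OR (parent EXISTS AND law_allows_inheritance AND covered(parent))
    if o.owner_agency in ACTIVE_AGENCIES:
        return True
    parent = objs.get(o.parent) if o.parent else None
    return parent is not None and o.cls in INHERITING_CLASSES and covered(parent, objs)

def identity(objs: Dict[str, Obj]) -> Dict[str, int]:
    # The four terms of 4.2; each object lands in exactly one bucket, counted at object grain.
    t = {"covered": 0, "governance_orphans": 0, "approved_exceptions": 0, "retired_or_ignored": 0}
    for o in objs.values():
        if o.retired:            t["retired_or_ignored"] += 1
        elif covered(o, objs):   t["covered"] += 1
        elif o.exception_ttl_ok: t["approved_exceptions"] += 1
        else:                    t["governance_orphans"] += 1
    if sum(t.values()) != len(objs):   # a scope that does not close is itself GOVERNANCE_SCHEMA_DRIFT
        raise RuntimeError("GOVERNANCE_SCHEMA_DRIFT")
    return t

def coverage_pass(objs: Dict[str, Obj]) -> bool:
    # GOVERNANCE_COVERAGE_PASS(S) <=> governance_orphans(S \ approved_exceptions) == 0
    return identity(objs)["governance_orphans"] == 0

def sample_population() -> Dict[str, Obj]:
    # Constructed population with hypothetical names, shaped like the 4.7 baseline.
    objs = [
        Obj("coll", "collection", owner_agency="GOV-ACTIVE"),       # own path -> covered
        Obj("pivot1", "pivot", parent="coll"),                      # inherits from coll -> covered
        Obj("row1", "registry_row", parent="coll"),                 # inherits -> covered
        Obj("dot1", "dot", parent="coll"),                          # a DOT never inherits -> OWNER_GAP
        Obj("policy1", "policy"),                                   # no owner, no parent -> OWNER_GAP
        Obj("draft_obj", "collection", owner_agency="GOV-DRAFT"),   # only owner is draft -> warning orphan
        Obj("render1", "render", exception_ttl_ok=True),            # orphan-by-shape but ratified
        Obj("old1", "collection", retired=True),                    # lifecycle=retired
    ]
    return {o.name: o for o in objs}
```

On the constructed population the identity closes at 3 + 3 + 1 + 1 = 8 and the gate reports FALSE; assigning an active owner to dot1 and policy1 and activating draft_obj's owner flips it to TRUE, which is the "drive it to zero through governed assignment" path of 4.7.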
4.7 Numerical anchor (illustrative, from current known governed objects)
This pack does not run the scan (no such view exists yet — building it is doc 05/06, a future macro). But the identity, applied to the currently enumerated governance-tier objects (doc 00 §0.3 + doc 03 §3.4), would today report non-zero governance_orphans in the truth/authority class:
- agencies: 9 total → 5 active-covered, 4 draft (warning).
- laws: ≥6 owned (37/39/35/36/38/31), ≥4 truth-critical agency-orphaned (28/24/26/45) → OWNER_GAP.
- render/display: 1 critical-region exception (Direct-PG) → UNRATIFIED_EXCEPTION.
- policy objects (grouping/threshold/pin/phantom): 0 owned today → all OWNER_GAP + island-risk.
⇒ Current GOVERNANCE_COVERAGE_PASS(system, truth-class) = FALSE. That is the expected, honest baseline — the invariant's job is to make this number visible and drive it to zero through governed assignment (doc 06 dot_governance_assignment_apply, approval-gated), not to hide it.
Cross-refs: doc 05 (the views that compute every term), doc 06 (the DOTs that refresh and propose), doc 09 (Registries-Pivot displays the summary), doc 10 (CI gate), doc 11 (how this scales to 10⁸).