KB-4D15

06 — GOV-SIV Scanner + GOV-DOT Coverage Lifecycle (2026-06-01)

Revision 1

Branch F. Design only — DOTs are proposed, none registered. Reuses the live Điều 35 scan→propose→apply→verify lifecycle and paired_dot enforcement.

6.1 Principle (Điều 35-aligned)

  • scan / detect / audit = automatic, read-only, tier A.
  • propose = automatic, proposal-only (writes an approval_requests row; mutates nothing else), tier B.
  • apply / assignment / exception-grant = approval-gated (Điều 32), tier B, paired with a tier-A verifier.
  • issue-route = governed by Điều 45, register-before-emit.

This mirrors the live DOT-FIX-REPAIR-DETECT [A] → DOT-FIX-REPAIR-PROPOSE [B] → DOT-FIX-REPAIR-VERIFY [B] (+ -TEST [A]) chain and dot-ops-silent-fail-scan [A] / -propose [B] — the governance-coverage chain is the same pattern, new domain (governance.coverage).

6.2 The seven proposed DOTs

Owner column = the governance_registry agency that owns the DOT's function; all DOTs are registered under GOV-DOT's execution governance (Điều 35) regardless. paired_dot is mandatory for tier-B writers (Điều 35 §3 trigger).

DOT-GOV-COVERAGE-SCAN

  • Owner: GOV-SIV · tier: A · read/mutate: read-only · approval: none (read-only).
  • Inputs: L1 source inventory, v_governed_object_candidates, v_governance_coverage.
  • Outputs: refreshes v_governance_coverage_summary; writes a scan-run row (run log), no object mutation.
  • Audit: scan-run log + coverage_status on its dot_tools row; writes to system_issues only on its own failure.
  • Rollback: n/a (read-only).
  • Paired test: DOT-GOV-COVERAGE-SCAN-TEST [A] (verifies scan output is internally consistent — invariant closes, doc 04 §4.2).
  • Failure mode: scan stale / dies → WATCHDOG (Điều 31 Nguyên tắc 6); system_issues kind='governance_scan_stale' (cf. live dot-metadata-repair H13 stale>2h critical).
  • Issue/event: none on success (Điều 31 §4.5 INFO = no issue).

DOT-GOV-ORPHAN-DETECT

  • Owner: GOV-SIV · tier: A · read-only · approval: none.
  • Inputs: v_governance_orphans.
  • Outputs: one system_issues row per orphan coalesce_key (idempotent), severity-graded (doc 03 §3.3).
  • Audit: system_issues.occurrence_count/last_seen_at.
  • Rollback: n/a; issues are auto-resolved when the orphan disappears (status→resolved on next clean scan).
  • Paired test: DOT-GOV-ORPHAN-DETECT-TEST [A] (seeded synthetic orphan must be detected; absence ⇒ detector blind = critical).
  • Failure mode: false-negative (blind detector) — caught by the seeded-orphan test, the most important guard.
  • Issue/event: governance_orphan, local_governance_island, *_gap (doc 07).
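
An added sketch of this detect pass and its paired test (not the project's DOT code): SQLite stands in for the live database, and the column types and the canary key are assumptions. It shows the idempotent upsert per coalesce_key, auto-resolve on a clean scan, and the seeded-orphan check that exposes a blind detector.

```python
import sqlite3

# Assumed minimal schema: the column names are the page's, the types are not.
SCHEMA = """CREATE TABLE system_issues (
  coalesce_key TEXT PRIMARY KEY, kind TEXT NOT NULL,
  status TEXT NOT NULL DEFAULT 'open',
  occurrence_count INTEGER NOT NULL DEFAULT 1,
  last_seen_at INTEGER NOT NULL)"""
CANARY = "orphan:__seeded_canary__"  # hypothetical synthetic orphan key

def detect(db, orphan_keys, now):
    """One detect pass: upsert each orphan seen, resolve the ones that vanished."""
    for key in orphan_keys:
        db.execute(
            """INSERT INTO system_issues (coalesce_key, kind, last_seen_at)
               VALUES (?, 'governance_orphan', ?)
               ON CONFLICT(coalesce_key) DO UPDATE SET
                 occurrence_count = occurrence_count + 1,
                 last_seen_at = excluded.last_seen_at, status = 'open'""",
            (key, now))
    # Open issues this scan did not touch belong to orphans that disappeared.
    db.execute("UPDATE system_issues SET status = 'resolved' "
               "WHERE status = 'open' AND last_seen_at < ?", (now,))
    db.commit()

def seeded_orphan_test(detector):
    """Paired test: feed a seeded orphan; no open issue means the detector is blind."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    detector(db, [CANARY], 1)
    row = db.execute("SELECT status FROM system_issues WHERE coalesce_key = ?",
                     (CANARY,)).fetchone()
    return row is not None and row[0] == "open"

def run_demo():
    """Three constructed scans: a and b, a and b again, then only b."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for now, seen in [(100, ["orphan:a", "orphan:b"]),
                      (200, ["orphan:a", "orphan:b"]), (300, ["orphan:b"])]:
        detect(db, seen, now)
    return {k: (s, n, t) for k, s, n, t in db.execute(
        "SELECT coalesce_key, status, occurrence_count, last_seen_at "
        "FROM system_issues")}

if __name__ == "__main__":
    print(run_demo(), seeded_orphan_test(detect))
```

In this sketch a detector that receives an empty input resolves every open issue, which is why the seeded-orphan check has to pass before a clean scan is trusted.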

DOT-GOV-GAP-PROPOSE

  • Owner: GOV-DOT · tier: B · mutate: writes approval_requests only (proposal) · approval: the proposals it creates are approval-gated; the DOT itself proposes automatically.
  • Inputs: v_governance_orphans (high/critical) + a resolution-rule table (which gap → which proposed owner/exception).
  • Outputs: approval_requests rows proposing owner assignment / exception grant / DOT pairing, with evidence + alternatives (Điều 32 split code/payload).
  • Audit: approval_requests history.
  • Rollback: withdraw/expire the proposal (no system change yet).
  • Paired test: DOT-GOV-GAP-PROPOSE-TEST [A] (proposal is well-formed, references a valid action-type, never auto-applies).
  • Failure mode: proposing an unsafe assignment → caught by approval (human/quorum) before apply.
  • Issue/event: governance.proposal_created (would reuse the dormant mother.proposal.created shape — must be activated/registered first, doc 07).

DOT-GOV-ASSIGNMENT-APPLY

  • Owner: GOV-DOT · tier: B · mutate: writes governance_relations / owner assignment · approval: REQUIRED (Điều 32; medium for routine owner assignment, high if it changes a law-owned domain).
  • Inputs: an approved approval_requests row (status passed quorum).
  • Outputs: the owner edge / capability / exception record; closes the originating system_issues orphan.
  • Audit: vps_deploy_log + governance_audit_log minute (Điều 37 §5.5).
  • Rollback: reverse the edge (the assignment is a single relational row → reversible; Điều 20 §9.1 / Điều 30).
  • Paired test: DOT-GOV-ASSIGNMENT-APPLY-VERIFY [A] (post-apply, the orphan is gone AND no new orphan/island created; bug reappears ⇒ rollback).
  • Failure mode: apply without quorum → blocked by Điều 32 §6 lifecycle gate (status only advances on quorum pass); apply creating a double-owner → blocked by Điều 37 §4.12 / Trigger 3 (one primary per domain).
  • Issue/event: governance.unblocked (dormant shape) on success.
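
An added sketch of the apply gate with its paired verify and rollback (not the project's code): SQLite stands in for the live database, and all column names, the 'approved' status value and the sample domains are assumptions. A primary key on domain stands in for the one-primary-per-domain trigger.

```python
import sqlite3

# Table names are the page's; every column is a hypothetical stand-in.
SCHEMA = """
CREATE TABLE governed_objects (domain TEXT PRIMARY KEY);
CREATE TABLE approval_requests (id INTEGER PRIMARY KEY, status TEXT,
                                domain TEXT, owner TEXT);
-- PRIMARY KEY on domain stands in for the one-primary-per-domain trigger.
CREATE TABLE governance_relations (domain TEXT PRIMARY KEY, owner TEXT NOT NULL);
"""

def orphans(db):
    """Governed objects with no owner edge, computed from current state."""
    return {r[0] for r in db.execute(
        "SELECT g.domain FROM governed_objects g LEFT JOIN governance_relations r "
        "ON r.domain = g.domain WHERE r.domain IS NULL")}

def apply_assignment(db, request_id):
    """Apply one owner assignment; returns (applied, reason)."""
    req = db.execute("SELECT status, domain, owner FROM approval_requests "
                     "WHERE id = ?", (request_id,)).fetchone()
    if req is None or req[0] != "approved":  # assumed value for "passed quorum"
        return False, "not approved"         # gate: nothing has been written
    _, domain, owner = req
    before = orphans(db)
    try:
        with db:  # one transaction: commit on success, roll back on exception
            db.execute("INSERT INTO governance_relations VALUES (?, ?)", (domain, owner))
            # Paired verify: the target orphan is gone and no new one appeared.
            if domain not in before or orphans(db) != before - {domain}:
                raise RuntimeError("verify failed")
    except sqlite3.IntegrityError:
        return False, "double owner"
    except RuntimeError as exc:
        return False, str(exc)
    return True, "applied"

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO governed_objects VALUES ('billing'), ('search')")  # constructed
    db.execute("INSERT INTO governance_relations VALUES ('search', 'GOV-SIV')")
    # 1 lacks quorum, 2 is routine, 3 targets an owned domain, 4 an unknown one.
    db.executemany("INSERT INTO approval_requests VALUES (?, ?, ?, ?)", [
        (1, "pending", "billing", "GOV-DOT"), (2, "approved", "billing", "GOV-DOT"),
        (3, "approved", "search", "GOV-DOT"), (4, "approved", "ghost", "GOV-DOT")])
    db.commit()
    results = [apply_assignment(db, i) for i in (1, 2, 3, 4)]
    return results, sorted(db.execute("SELECT * FROM governance_relations"))
```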

DOT-GOV-COVERAGE-AUDIT

  • Owner: GOV-SIV · tier: A · read-only · approval: none.
  • Inputs: the full pipeline (L1–L5) + prior scan runs.
  • Outputs: periodic coverage report (coverage_pct trend, new/closed orphans, exception expiries), to KB report + system_health_checks (Điều 22, where Đ35 H10–H14 already live).
  • Audit: this is the audit; it also audits the scanner (WATCHDOG-of-watchdog, Điều 31 Nguyên tắc 6).
  • Rollback: n/a.
  • Paired test: DOT-GOV-COVERAGE-AUDIT-TEST [A].
  • Failure mode: audit silent → system_issues kind='watchdog_fault' (live Điều 31 §4.6 issue class).
  • Issue/event: governance_coverage_degraded (summary, throttled) when coverage_pct drops below a governed threshold.

DOT-GOV-EXCEPTION-REVIEW

  • Owner: GOV-COUNCIL (policy) · tier: B · mutate: flips expired exceptions · approval: review-gated.
  • Inputs: approved_exceptions with TTL near/over expiry (e.g. the Direct-PG RP adapter).
  • Outputs: re-review proposal, or auto-flip expired exception → system_issues kind='unratified_exception' (reuses the live admin_fallback_log / fn_admin_fallback_overdue_scan() / fallback_audit_overdue pattern, Điều 35 §6.5).
  • Audit: exception ledger.
  • Rollback: restore exception if re-approved.
  • Paired test: DOT-GOV-EXCEPTION-REVIEW-TEST [A].
  • Failure mode: expired exception silently honored → caught by overdue scan.
  • Issue/event: unratified_exception, direct_pg_unratified_exception.

DOT-GOV-ISSUE-ROUTE

  • Owner: GOV-SIV · tier: B · mutate: writes event_outbox from system_issues · approval: none (routing), but event types must be pre-registered (Điều 45 §3.2).
  • Inputs: open governance system_issues.
  • Outputs: event_outbox signals (signal-not-data, Điều 45 §4); notification fan-out per event_subscription.
  • Audit: event_outbox + delivery state machine (Điều 45 §6.7).
  • Rollback: events are append-only signals; dead-letter via fn_iu_route_dead_letter_replay (Điều 45 §8.4), no auto-replay.
  • Paired test: DOT-GOV-ISSUE-ROUTE-TEST [A] (no emit of unregistered event_type; no payload leakage past safe_payload CHECK).
  • Failure mode: emit unregistered type → producer fail by Điều 45 anti-pattern (registry CHECK). Emit body/secret → safe_payload CHECK reject → queue.payload_violation.
  • Issue/event: routes all governance issue types (doc 07).

6.3 Lifecycle state machine (per DOT, Điều 35 §6.1)

proposed → registered(dot_tools) → active → {idle (A passes) | firing (A finds gap)} → deprecated → retired
  • Tier-A IDLE ⟺ tier-B is behaving (Điều 35 §3). For coverage: ORPHAN-DETECT idle ⟺ no orphans ⟺ GOVERNANCE_COVERAGE_PASS.
  • ADMIN fallback (Điều 35 §6.5): only the president may bypass APR, must INSERT admin_fallback_log first, and file a retroactive APR within 24h or auto-flip to audit_overdue.

6.4 Pairing map (Điều 35 §3 — every tier-B writer paired)

Writer (B)               | Checker (A)
DOT-GOV-GAP-PROPOSE      | DOT-GOV-GAP-PROPOSE-TEST
DOT-GOV-ASSIGNMENT-APPLY | DOT-GOV-ASSIGNMENT-APPLY-VERIFY
DOT-GOV-EXCEPTION-REVIEW | DOT-GOV-EXCEPTION-REVIEW-TEST
DOT-GOV-ISSUE-ROUTE      | DOT-GOV-ISSUE-ROUTE-TEST

(scan/detect/audit are tier-A; self-paired by -TEST)

6.5 Anti-bootstrap-orphan rule (critical, self-referential)

The governance-coverage scanner is itself a governed object. On registration it must be covered (owner GOV-SIV/GOV-DOT, paired, audited, law-ref Điều 31/35) — otherwise the detector that finds anarchic objects would itself be anarchic. Điều 31 Nguyên tắc 6: "Who guards the guard?" — DOT-GOV-COVERAGE-AUDIT watches DOT-GOV-COVERAGE-SCAN; if the auditor is silent, watchdog_fault fires. This closes the bootstrap loop without a memory dependency.

Cross-refs: doc 04 §4.5 (computed-not-remembered), doc 05 (the views these DOTs run), doc 07 (issue/event types), doc 10 (the phase that designs/rehearses these DOTs).
