KB-5A09

01 — Tier-1 Blocker Folding (Branch A) (2026-06-01)

Revision 1
Tags: one-roof-governance, hardening-revision, branch-a, tier1-folding, non-governed-class, exception-identity, object-edge, severity-gate, inheritance-anti-hiding, apr-action-types, acceptance-test, 2026-06-01

Folds the Tier-1 blockers from the prior package (doc 14 §14.2/§14.4 plus the §14.1 contradictions). For each blocker: restate → hardened wording (folded) → why it resolves → residual substrate blocker → acceptance test. Definition IDs (M-DEF-n) and clause IDs (M-Đ37 §x) refer to the consolidated draft text in doc 13. This doc is the resolution layer; doc 13 carries the verbatim clause text.

The prior package listed 7 Tier-1 blockers (T1-1..T1-7) plus the contradiction set (B5, F1, F3, I2, C2, D2). This package folds them into one revision. Crucially, six of the seven are wording-only and are resolved in full here; only T1-6 needs a future substrate change and is reclassified from "deferred" to "prerequisite" with a named upgrade path.


T1-1 — No non-governed (Class 0) artifact + shared-truth test

  • Restate: Without a defined non-governed class, the scanner either floods on every personal pin/pref/scratch note (noise → alarm fatigue → real islands hide) or, to avoid noise, misses a personal→global escalation. This contradicts the mission's explicit anti-over-governance instruction.
  • Folded wording (M-DEF-1, generalized): A non-governed artifact (Class 0) cannot alter shared system truth or authority: it is single-user / single-session / single-agent-private, read-only against shared truth, and carries no approval/execution power. The membership test is the shared-truth-reachability test: if changing it can change what a different user/agent sees as truth, or can authorize a mutation, it is governed. Class 0 is OUT of the coverage population. The set of Class-0 source kinds is a COUNCIL-owned list (the exclusion is itself governed, not silent). Generalization for this revision: the shared-truth test is the single membership predicate for the entire system — it replaces any per-domain "is this in scope" question, so future domains inherit the same boundary without a law edit.
  • Why it resolves: turns "what is governed?" into one decidable predicate that scales to unknown domains; the escalation path (personal → shared) is exactly the boundary crossing the predicate fires on.
  • Residual substrate blocker: none (wording). A Class-0 source-kind list lives in a COUNCIL-owned policy row, not code.
  • Acceptance test: synthetic user-scoped pin → no issue; synthetic global pin (same object re-scoped shared) → pin_policy_unowned (high). A new artifact type with no shared-truth reachability → auto-Class-0 with no code change.

T1-2 — Accountable-owner-per-scope + role taxonomy; reconcile with Article 37 (Điều 37) §4.12

  • Restate: The drafted §4.15 federated model (policy=COUNCIL, health=SIV, exec=DOT, render=MOUT) contradicts the enacted §4.12 "one content → one law / one owner." As written the new clause self-conflicts; the federation is unstatable.
  • Folded wording (M-DEF-3): Six responsibility scopes: policy, health, execution, render, approval, audit. Exactly one accountable owner per (object × scope). Unlimited supporting roles (delegate / executor / reviewer / auditor / exception-approver). §4.12 "one content one law" is re-read as one accountable owner per scope, NOT one owner per object. A legitimate multi-agency split across scopes is therefore not a §4.12 violation; two accountable owners in the same scope is.
  • Why it resolves: the only reading of §4.12 that both (a) keeps the enacted text true and (b) permits federation is "per scope." This removes contradiction C2 and makes double-owner (red-team #7) detectable as "two accountable owners, same scope."
  • Residual substrate blocker: none (wording). Scope is a value on the ownership edge, not a new table — but see T1-6: the edge itself for object-grain is un-expressible today.
  • Acceptance test: a grouping policy resolves to {policy:COUNCIL, health:SIV, execution:DOT, render:MOUT} with zero §4.12 violations; injecting a second policy owner on the same object → island_detected/conflict (high).
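The two predicates above, the shared-truth membership test (T1-1) and one-accountable-owner-per-(object × scope) (T1-2), as an added worked example; this is not code from this page or from the project. The artifact and edge field names, the SUPPORTING_ROLES set, the unknown_scope/unknown_role issues and the `<kind>_policy_unowned` issue name (generalized from the page's pin_policy_unowned) are assumptions; the sample artifacts and edges are constructed to reproduce both acceptance tests.

```python
"""Coverage population (T1-1) and one-accountable-owner-per-scope (T1-2).

Added example; not code from the page or the project. The artifact/edge field
names, the SUPPORTING_ROLES set and the '<kind>_policy_unowned' issue name
(generalized from the page's pin_policy_unowned) are assumptions.
"""
from collections import defaultdict

SCOPES = ("policy", "health", "execution", "render", "approval", "audit")
PRIVATE_VISIBILITY = {"user", "session", "agent"}
SUPPORTING_ROLES = {"delegate", "executor", "reviewer", "auditor", "exception-approver"}


def is_class0(artifact):
    """Shared-truth reachability test. Class 0 (non-governed) iff the artifact is
    single-user/session/agent-private, cannot change what a different user or
    agent sees as truth, and cannot authorize a mutation. Any 'yes' makes it governed."""
    return (artifact["visibility"] in PRIVATE_VISIBILITY
            and not artifact["alters_shared_truth"]
            and not artifact["grants_authority"])


def coverage_population(artifacts):
    """The single membership predicate: everything that is not Class 0 is in scope."""
    return [a for a in artifacts if not is_class0(a)]


def resolve_owners(object_id, edges):
    """Return (owner_by_scope, issues) for one object.
    Exactly one accountable owner per (object x scope); supporting roles are unlimited."""
    accountable = defaultdict(list)
    issues = []
    for e in edges:
        if e["object"] != object_id:
            continue
        if e["scope"] not in SCOPES:
            issues.append({"type": "unknown_scope", "severity": "high",
                           "object": object_id, "scope": e["scope"]})
        elif e["role"] == "accountable":
            accountable[e["scope"]].append(e["agency"])
        elif e["role"] not in SUPPORTING_ROLES:
            issues.append({"type": "unknown_role", "severity": "warning",
                           "object": object_id, "role": e["role"]})
    owner_by_scope = {}
    for scope, agencies in accountable.items():
        if len(agencies) > 1:  # two accountable owners in the SAME scope: the §4.12 violation
            issues.append({"type": "island_detected/conflict", "severity": "high",
                           "object": object_id, "scope": scope, "agencies": sorted(agencies)})
        else:
            owner_by_scope[scope] = agencies[0]
    return owner_by_scope, issues


def scan(artifacts, edges):
    """Governed artifacts with no accountable policy owner -> <kind>_policy_unowned (high)."""
    issues = []
    for a in coverage_population(artifacts):
        owners, conflicts = resolve_owners(a["id"], edges)
        issues.extend(conflicts)
        if "policy" not in owners:
            issues.append({"type": f"{a['kind']}_policy_unowned", "severity": "high",
                           "object": a["id"]})
    return issues


# Constructed sample data: a user-scoped pin, the same pin re-scoped global, and a
# grouping policy with the federated split from the T1-2 acceptance test.
ARTIFACTS = [
    {"id": "pin-u1", "kind": "pin", "visibility": "user", "alters_shared_truth": False, "grants_authority": False},
    {"id": "pin-g1", "kind": "pin", "visibility": "global", "alters_shared_truth": True, "grants_authority": False},
    {"id": "grp-pol", "kind": "grouping_policy", "visibility": "global", "alters_shared_truth": True, "grants_authority": True},
]
EDGES = [
    {"object": "grp-pol", "scope": "policy", "role": "accountable", "agency": "COUNCIL"},
    {"object": "grp-pol", "scope": "health", "role": "accountable", "agency": "SIV"},
    {"object": "grp-pol", "scope": "execution", "role": "accountable", "agency": "DOT"},
    {"object": "grp-pol", "scope": "render", "role": "accountable", "agency": "MOUT"},
    {"object": "grp-pol", "scope": "policy", "role": "reviewer", "agency": "SIV"},  # supporting role: allowed
]

if __name__ == "__main__":
    for issue in scan(ARTIFACTS, EDGES):
        print(issue)
    second_owner = {"object": "grp-pol", "scope": "policy", "role": "accountable", "agency": "OPS"}
    print(resolve_owners("grp-pol", EDGES + [second_owner])[1])
```

Run as-is: the user-scoped pin produces nothing, the global pin produces pin_policy_unowned (high), the four-agency split resolves with zero issues, and injecting a second accountable policy owner produces island_detected/conflict (high) naming both agencies. Note that the Class-0 decision never consults the owner edges: an artifact is excluded by the predicate alone, which is what keeps the exclusion auditable as a COUNCIL-owned list rather than a scanner heuristic.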

T1-3 — Exception/owner contradiction (B5) + identity grain (F1) + gate severity (F3)

This is the keystone — three contradictions in the invariant + gate. Folded together:

  • B5 — exception is NOT an owner. Folded (M-Đ37 §4.15a): an approved exception is a separate coverage state, NOT a valid owner path. A governed object with an approved exception is "covered-by-exception," not "owned." This removes the contradiction where an exception both satisfied and bypassed ownership.
  • F1 — identity grain. Folded (M-DEF-7): the coverage identity is computed at the governance grain = roots + non-inheriting classes + containers; inheriting leaf records are NOT counted individually. This is what makes "scale to 10⁸" true (red-team #20 fix relies on it).
  • F3 — gate severity. Folded (M-Đ31 §4.8-ext): the gate is severity-aware — it blocks on high/critical orphans for touched truth/authority objects; warning is TARGET-tracked with a deadline (default 30 days, OQ-F3); info is ignored. The earlier contradiction ("gate requires covered==true" vs "warning is non-blocking") is resolved: covered==true is not the gate predicate — zero high/critical for touched objects is.
  • Why it resolves: the invariant keystone now has a single consistent semantics — identity at governance grain; exception is a coverage state; gate blocks on severity, not on a boolean. Without this the identity closes while gaps hide (accounting-fraud analog) and the gate is permanently red.
  • Residual substrate blocker: none (wording).
  • Acceptance test: +10⁶ inheriting children → total_governed changes by 0; an object parked with an approved exception is reported in approved_exceptions, not covered; a touched object with only a warning gap → gate passes but a deadline TARGET row is created; a touched object with a high owner gap → gate fails.

T1-4 — Owner-link-only inheritance (anti-hiding)

  • Restate: Red-team #20 (the headline scale risk): a covered parent registry hides a child policy's missing approval path. Silent inheritance of all links would let real gaps disappear behind containers at 10⁸ scale.
  • Folded wording (M-DEF-7 / M-Đ26 §0-OWNER): Inheritance resolves the OWNER-link ONLY. Risk-required links (approval-path, audit, rollback, DOT-authority) are never inherited — each governed child computes its own per-profile mandatory links. A pivot/child inherits the owner of a covered source only if the source is itself covered; otherwise ..._coverage_unowned.
  • Why it resolves: the one link that is safe to inherit (who is accountable) is inherited; the links whose absence is dangerous (can this mutate without approval/audit/rollback?) are computed per object. A covered parent can no longer mask a child's authority gap.
  • Residual substrate blocker: none (wording).
  • Acceptance test: a child policy under a covered parent that itself lacks an approval path → child flagged APPROVAL_PATH_GAP (high) despite the covered parent; a read-only child under a covered parent → covered-by-inherited-owner, no spurious issue.
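The keystone semantics of T1-3 (identity at governance grain, exception as a coverage state, severity-aware gate) together with the owner-only inheritance rule of T1-4, as one added worked example; this is not code from this page or from the project. The object fields, the INHERITING_LEAF_KINDS set, the profile-to-required-links table, the gap-name/severity mapping (OWNER_GAP and APPROVAL_PATH_GAP high, DOT_AUTHORITY_GAP critical, AUDIT_GAP and ROLLBACK_GAP warning) and the constructed scan date are assumptions; only the 30-day default and the gate predicate are taken from the page.

```python
"""Coverage identity at governance grain (F1), exception as a coverage state (B5),
owner-only inheritance (T1-4) and the severity-aware gate (F3).

Added example; not code from the page or the project. The object fields, the
INHERITING_LEAF_KINDS set, the profile -> required-links table, the gap
severities and the constructed scan date are assumptions modelled on the page.
"""
from datetime import date, timedelta

INHERITING_LEAF_KINDS = {"record"}   # counted via their container, never individually (assumed)
REQUIRED_LINKS = {                   # per-profile mandatory links: computed per object, never inherited
    "read_only": set(),
    "mutating": {"approval_path", "audit", "rollback"},
    "dot_authority": {"approval_path", "audit", "rollback", "dot_authority"},
}
LINK_GAP_SEVERITY = {"approval_path": "high", "dot_authority": "critical",
                     "audit": "warning", "rollback": "warning"}   # assumed severities
WARNING_DEADLINE_DAYS = 30           # OQ-F3 default
BLOCKING = {"high", "critical"}
SCAN_DATE = date(2026, 6, 1)         # constructed scan date


def governance_identity(objects):
    """Roots + non-inheriting classes + containers. Inheriting leaf records are not counted."""
    containers = {o["parent"] for o in objects.values() if o["parent"]}
    return [oid for oid, o in objects.items()
            if o["parent"] is None or oid in containers or o["kind"] not in INHERITING_LEAF_KINDS]


def resolve_owner(objects, oid):
    """Only the OWNER link inherits, and only through real owners: an approved exception
    on the parent is a coverage state, not an owner, so it is never inherited."""
    o = objects[oid]
    if o.get("owner"):
        return o["owner"]
    return resolve_owner(objects, o["parent"]) if o["parent"] else None


def coverage(objects):
    """Return (state_by_object, issues, summary) at governance grain."""
    identity = governance_identity(objects)
    states, issues = {}, []
    for oid in identity:
        o = objects[oid]
        if resolve_owner(objects, oid):
            states[oid] = "owned"
        elif o.get("exception"):
            states[oid] = "covered-by-exception"
        else:
            states[oid] = "unowned"
            issues.append({"object": oid, "gap": "OWNER_GAP", "severity": "high"})
        # risk-required links are computed per object, so a covered parent cannot mask them
        for link in sorted(REQUIRED_LINKS[o["profile"]] - set(o.get("links", ()))):
            issues.append({"object": oid, "gap": f"{link.upper()}_GAP",
                           "severity": LINK_GAP_SEVERITY[link]})
    summary = {
        "total_governed": len(identity),
        "covered": sorted(k for k, s in states.items() if s == "owned"),
        "approved_exceptions": sorted(k for k, s in states.items() if s == "covered-by-exception"),
    }
    return states, issues, summary


def gate(issues, touched, today=SCAN_DATE):
    """Gate predicate: zero high/critical gaps on touched objects. Warnings pass but open
    a deadline TARGET row; info is ignored. covered==true is NOT the predicate."""
    blocking = [i for i in issues if i["object"] in touched and i["severity"] in BLOCKING]
    deadline = (today + timedelta(days=WARNING_DEADLINE_DAYS)).isoformat()
    targets = [{"object": i["object"], "gap": i["gap"], "deadline": deadline}
               for i in issues if i["object"] in touched and i["severity"] == "warning"]
    return {"passed": not blocking, "blocking": blocking, "targets": targets}


# Constructed sample data covering every acceptance test in T1-3 and T1-4.
OBJECTS = {
    "reg-parent": {"kind": "registry", "parent": None, "owner": "COUNCIL", "profile": "read_only"},
    "pol-child":  {"kind": "policy", "parent": "reg-parent", "profile": "mutating", "links": {"audit", "rollback"}},
    "view-child": {"kind": "view", "parent": "reg-parent", "profile": "read_only"},
    "parked":     {"kind": "policy", "parent": None, "exception": True, "profile": "read_only"},
    "orphan-pol": {"kind": "policy", "parent": None, "profile": "read_only"},
    "warn-only":  {"kind": "policy", "parent": None, "owner": "DOT", "profile": "mutating", "links": {"approval_path"}},
}


def with_children(objects, n):
    """Add n inheriting leaf records under reg-parent (stands in for the +10^6 case)."""
    out = dict(objects)
    for i in range(n):
        out[f"rec-{i}"] = {"kind": "record", "parent": "reg-parent", "profile": "read_only"}
    return out


if __name__ == "__main__":
    states, issues, summary = coverage(OBJECTS)
    print(summary, coverage(with_children(OBJECTS, 1000))[2]["total_governed"])
    for issue in issues:
        print(issue)
    print(gate(issues, {"warn-only"}))
    print(gate(issues, {"pol-child"})["passed"])
```

Adding a thousand inheriting records leaves total_governed unchanged; pol-child inherits COUNCIL as owner yet is still flagged APPROVAL_PATH_GAP (high) because its mutating profile computes its own links; view-child is covered by the inherited owner with no issue; parked appears under approved_exceptions and not under covered; and the gate passes warn-only with two TARGET rows dated 2026-07-01 while failing any touch of pol-child or orphan-pol.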

T1-5 — Birth ↔ governance dedup precedence

  • Restate: A birth/registry orphan and a governance orphan can both fire on the same unborn/unregistered object → two scanners, duplicate noise (mission §7).
  • Folded wording (M-DEF-4): Birth/registry orphan is a prerequisite failure. For an unborn/unregistered object the governance scanner does NOT raise OWNER_GAP — it defers to the birth-orphan detector. Governance coverage is a layer above birth coverage. One root cause → one issue (shared coalesce_key namespace). When birth resolves, the birth issue closes and then exactly one governance issue may open if the now-registered object still lacks an owner.
  • Why it resolves: establishes a strict precedence (birth before governance) so the two detectors never double-fire on the same root cause.
  • Residual substrate blocker: none (wording). Reuses the existing system_issues orphan types (thiếu_quan_hệ = missing relation, thiếu_mã_định_danh = missing identifier) plus the shared coalesce key.
  • Acceptance test: an unregistered object → 1 issue (birth), not 2; register-without-owner → birth issue resolves, exactly 1 governance issue opens.
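The birth-before-governance precedence and the shared coalesce_key namespace, as an added worked example of the reconciliation loop; this is not code from this page or from the project. The object fields, the issue-record shape, the coalesce-key format and the mapping of "no identifier" to thiếu_mã_định_danh and "not registered" to thiếu_quan_hệ are assumptions; the three-step lifecycle is constructed to reproduce the acceptance test.

```python
"""Birth/registry orphan takes precedence over governance OWNER_GAP (T1-5).

Added example; not code from the page or the project. The object fields, the
issue-record shape and the coalesce-key format are assumptions; the two birth
orphan types are the page's existing system_issues types, with the mapping
(no identifier -> thiếu_mã_định_danh, not registered -> thiếu_quan_hệ) assumed.
"""


def coalesce_key(ref):
    """One root cause -> one key, shared by the birth and governance detectors."""
    return f"orphan:{ref}"


def birth_orphan(obj):
    """Prerequisite layer: an object must carry an identifier and be registered."""
    if not obj.get("identifier"):
        return "thiếu_mã_định_danh"
    if not obj.get("registered"):
        return "thiếu_quan_hệ"
    return None


def desired_issue(obj):
    """Governance coverage is a layer above birth coverage: while a birth issue
    applies, the governance scanner defers and raises no OWNER_GAP."""
    birth = birth_orphan(obj)
    if birth:
        return {"layer": "birth", "type": birth, "severity": "high"}
    if not obj.get("owner"):
        return {"layer": "governance", "type": "OWNER_GAP", "severity": "high"}
    return None


def reconcile(objects, open_issues):
    """Bring open_issues (coalesce_key -> issue) in line with the current objects.
    Returns (open_issues, events); events record what this scan opened or closed."""
    open_issues = dict(open_issues)
    events = []
    for ref, obj in objects.items():
        key = coalesce_key(ref)
        want = desired_issue(obj)
        have = open_issues.get(key)
        if have and (want is None or want["type"] != have["type"]):
            events.append(("closed", ref, have["type"]))
            del open_issues[key]
            have = None
        if want and have is None:
            open_issues[key] = dict(want, object=ref)
            events.append(("opened", ref, want["type"]))
    return open_issues, events


# Constructed lifecycle of one object: unborn -> registered-without-owner -> owned.
STEPS = [
    {"obj-7": {"identifier": "IU-7", "registered": False}},
    {"obj-7": {"identifier": "IU-7", "registered": True}},
    {"obj-7": {"identifier": "IU-7", "registered": True, "owner": "DOT"}},
]


def run_lifecycle(steps):
    """Return the event trail and the peak number of simultaneously open issues."""
    issues, trail, peak = {}, [], 0
    for objects in steps:
        issues, events = reconcile(objects, issues)
        trail.extend(events)
        peak = max(peak, len(issues))
    return trail, peak


if __name__ == "__main__":
    trail, peak = run_lifecycle(STEPS)
    for event in trail:
        print(*event)
    print("peak open issues for one root cause:", peak)
```

At no point does the same object carry more than one open issue: the unregistered object opens only the birth issue, registering it without an owner closes the birth issue and opens exactly one OWNER_GAP, and assigning the owner closes that. Because both detectors write through the same coalesce key, the ordering falls out of the data rather than out of scheduling the two scanners.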

T1-6 — Substrate prerequisites (the only non-wording blocker) — RECLASSIFIED to PREREQUISITE

This is the one structural blocker. Re-verified as still present in the live substrate this session (doc 00 §0.3).

  • Restate (two parts):
    • I1/E2 — missing APR action-types. PROPOSE cannot file a well-formed approval to assign an owner or grant an exception because no such action-type exists. Live proposed_action_code ∈ {create_item, enact_nrm, patch_ops_code}; none of these is assign_governance_owner / grant_governance_exception / delegate_authority. Red-team #13: PROPOSE returns proposal_blocked.
    • I2/B7 — object/axis ownership edge un-expressible. governance_relations.chk_relations_target_type restricts target_type ∈ {law, agency}. An owner edge to a route / adapter / standalone-policy / IU object / axis cannot be written. Red-team #14: APPLY returns apply_blocked: object_edge_unexpressible. The prior package §5.4-EXT marked this "deferred" — that classification is the defect: the remediation half is inoperable for object/axis grain.
  • Folded wording (M-Đ37 §4.16 two-mode apply + §5.4-EXT reclassified):
    • APPLY is two-mode. Mode 1 (works today): law-domain-anchored objects → agency→law edge (covers objects via law_jurisdiction + container inheritance). Mode 2 (blocked today): law-orphan objects (route / adapter / standalone-policy / IU object / axis) → require §5.4-EXT.
    • §5.4-EXT reclassified from "deferred" to "prerequisite for object-grain & axis-grain ownership." Either extend governance_relations (target_type='object'|'axis' + target_object_type/target_ref) or add a governance_object_ownership(...) table (council preference: new table, no CHECK-migration risk on live edges — OQ-B7/I2). Until it exists, object/axis-grain APPLY is apply_blocked and law-orphan objects are OWNER_GAP by construction — a known limitation with a named upgrade path, not a silent gap.
    • The required APR action-type bundle: assign_governance_owner (handler), grant_governance_exception (council-review), delegate_authority (council-review), and assign_axis_owner (new in this revision, for the open-axis model — council-review). Interim exception home = admin_fallback_log until grant_governance_exception exists.
  • Why it resolves (as a prerequisite): it does not remove the blocker by wording — it names the exact substrate delta and makes it a gate: detection + blocking work today (the gate sees apply_blocked/OWNER_GAP and refuses to pass); auto-remediation waits for the delta. This converts a silent inoperability into an explicit, council-owned upgrade item.
  • Residual substrate blocker: YES — this is the residual. §5.4-EXT (object/axis edge) + the 4 APR action-types. This is the single thing standing between CONDITIONAL GO and full GO (doc 14).
  • Acceptance test: until delta lands — PROPOSE for an object/axis owner → proposal_blocked (high, detected, gate fails); APPLY for object/axis owner → apply_blocked: object_edge_unexpressible (high, detected, gate fails). After delta — same PROPOSE/APPLY succeed and the object/axis becomes covered. Detection and gate must behave identically before and after; only remediation changes.

T1-7 — Route/API ground-truth registry + detection completeness

  • Restate: Red-team #1/#21/#22 — routes/API are the most island-prone surface and are undetectable today (no route inventory). And the L1 source inventory itself can silently miss a source (detector blind), or rot when an owner agency flips draft.
  • Folded wording (M-Đ31 §4.9-ext + M-Đ28 NT-D1-ext):
    • Route ground-truth: a route inventory derived-on-scan by reconciling nginx config + Nuxt server/api/** + page routes (reuse-first, no new table needed — OQ-G2 default). A route present in nginx/Nuxt but not mapped to an owner → route_orphan (high).
    • Inventory-completeness check: the coverage scanner reconciles its L1 source list against ground-truth inventories (information_schema, directus_collections, meta_catalog, dot_tools, event_type_registry, the route inventory, and — new in this revision — the axis registry, doc 02). Anything present in a ground-truth inventory but not classified into a coverage profile → inventory_gap (critical — the detector is provably blind). This is the mechanism that "detects anything outside governance like it detects orphans."
    • Governance-context-change re-scan triggers: re-scan dependents when an owner agency flips status (draft↔active), when a law's jurisdiction changes, or when a coverage profile is edited (changed_since(object) alone misses context changes).
  • Why it resolves: ground-truth reconciliation removes the "remember to add the L1 row" memory-dependence — the new memory-dependence the prior pack accidentally introduced. The route inventory closes the largest live blind spot. Context triggers stop silent rot.
  • Residual substrate blocker: none for detection (derived-on-scan). The route inventory is a scan artifact; the axis registry (doc 02) is a new governed registry object that must be born/registered, but its absence is itself detected as inventory_gap until created.
  • Acceptance test: add a Nuxt server/api/x route with no owner → route_orphan (high), G-ROUTE fails; remove a source from the L1 list while it still exists in information_schema → inventory_gap (critical); flip an owner agency to draft → dependents re-scanned, newly-uncovered objects flagged.
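The derived-on-scan route inventory and the inventory-completeness check, as an added worked example; this is not code from this page or from the project. The nginx snippet, the Nuxt file list, the route-to-owner prefix map, the ground-truth inventories and the L1 source list are constructed; the `location`-block and file-name normalization rules are simplified assumptions (real nginx and Nuxt routing have more forms than handled here), and G-ROUTE is modelled as "fails on any route_orphan".

```python
"""Route ground-truth inventory and L1 inventory-completeness check (T1-7).

Added example; not code from the page or the project. The nginx snippet, Nuxt
file list, owner prefix map, ground-truth inventories and L1 list are
constructed; the normalization rules are simplified assumptions.
"""
import re

# Constructed inputs.
NGINX_CONF = """
server {
    listen 443 ssl;
    location = /api/health { proxy_pass http://app; }
    location /api/users/   { proxy_pass http://app; }
    location /legacy/export { proxy_pass http://old; }
}
"""
NUXT_FILES = ["server/api/health.get.ts", "server/api/users/[id].get.ts",
              "server/api/x.post.ts", "server/utils/db.ts"]
ROUTE_OWNERS = {"/api/health": "SIV", "/api/users": "DOT"}   # longest-prefix match (assumed)

GROUND_TRUTH = {
    "information_schema": {"governance_relations", "system_issues", "pins"},
    "dot_tools": {"patch_ops_code", "enact_nrm"},
}
L1_SOURCES = {"governance_relations": "law_relation", "system_issues": "issue",
              "pins": "pin", "patch_ops_code": "dot_tool", "enact_nrm": "dot_tool"}


def nginx_routes(conf):
    """Every `location` block: modifier stripped, trailing slash removed."""
    return {m.group(1).rstrip("/") or "/"
            for m in re.finditer(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", conf)}


def nuxt_routes(files):
    """server/api/users/[id].get.ts -> /api/users/:id (method suffix and extension dropped)."""
    routes = set()
    for f in files:
        if not f.startswith("server/api/"):
            continue
        path = re.sub(r"(\.(get|post|put|patch|delete))?\.[cm]?[jt]s$", "", f[len("server"):])
        routes.add(re.sub(r"\[(\w+)\]", r":\1", path))
    return routes


def owner_for(route):
    """Longest owner prefix that covers the route, or None."""
    best = max((p for p in ROUTE_OWNERS if route == p or route.startswith(p + "/")),
               key=len, default=None)
    return ROUTE_OWNERS.get(best)


def route_inventory(conf, files):
    """Derived-on-scan inventory (no new table): union of nginx and Nuxt routes."""
    return sorted(nginx_routes(conf) | nuxt_routes(files))


def route_orphans(conf, files):
    """A route present in nginx/Nuxt but mapped to no owner -> route_orphan (high)."""
    return [{"type": "route_orphan", "severity": "high", "route": r}
            for r in route_inventory(conf, files) if owner_for(r) is None]


def inventory_gaps(ground_truth, l1_sources):
    """Present in a ground-truth inventory but not classified into a coverage profile:
    the detector is provably blind to it, so the severity is critical, not high."""
    return [{"type": "inventory_gap", "severity": "critical", "inventory": inv, "source": s}
            for inv, names in ground_truth.items() for s in sorted(names) if s not in l1_sources]


def g_route(conf, files):
    """G-ROUTE gate: fails on any route_orphan."""
    return not route_orphans(conf, files)


if __name__ == "__main__":
    print(route_inventory(NGINX_CONF, NUXT_FILES))
    print(route_orphans(NGINX_CONF, NUXT_FILES), "G-ROUTE passes:", g_route(NGINX_CONF, NUXT_FILES))
    l1_without_pins = {k: v for k, v in L1_SOURCES.items() if k != "pins"}
    print(inventory_gaps(GROUND_TRUTH, l1_without_pins))
```

The unowned Nuxt route /api/x and the nginx-only /legacy/export both surface as route_orphan and fail G-ROUTE, while /api/users/:id is covered by the /api/users owner prefix. Dropping pins from the L1 list while the table still exists in information_schema produces the critical inventory_gap: the check compares the scanner's own source list against the substrate, so forgetting to add a row is itself detected instead of silently narrowing coverage.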

Folded contradiction ledger (from doc 14 §14.1)

Contradiction | Folded by | State
B5/F4 — exception as owner-path vs separate term | M-Đ37 §4.15a (exception = coverage state, not owner) | RESOLVED (wording)
F1 — per-object identity vs container grain | M-DEF-7 (governance grain) | RESOLVED (wording)
F3/J5 — gate covered==true vs warning non-blocking | M-Đ31 §4.8-ext (severity-aware gate) | RESOLVED (wording)
I2/J3 — apply writes object edge vs CHECK-blocked + §5.4-EXT deferred | M-Đ37 §4.16 two-mode + §5.4-EXT reclassified | RESOLVED as PREREQUISITE (substrate)
C2 — federated multi-owner vs §4.12 one-owner | M-DEF-3 (per-scope owner) | RESOLVED (wording)
D2/J2 — anarchic "capacity" circular | M-DEF-5 (missing authority-critical link) | RESOLVED (wording)

Tier-2/Tier-3 items folded opportunistically

This revision also folds, because they are cheap and the red-team v2 needs them: D2/J2 (anarchic re-base, M-DEF-5), E1/E4/E5 (11-field exception record, M-DEF-6, doc 08), F2 (ignored is a gated exception, doc 09), H1/H2/H3 (event names + issue vocabulary + anti-spam, doc 11), I3 (bootstrap seed, doc 07/10), I4/C6 (separation of duty, doc 07), J6 (interim render-delegation, doc 07), J7 (label/taxonomy owner split, doc 04), K1/K3 (tiered gate + waiver, doc 09).

Branch-A verdict

6 of 7 Tier-1 blockers fully resolved by folded wording. The 7th (T1-6) is reclassified from "deferred" to prerequisite with a named, council-owned upgrade path; it is detected and gate-blocked today, remediation pending one substrate delta. This is the basis for the CONDITIONAL GO in doc 14.

Source: knowledge/dev/reports/architecture/one-roof-governance-hardening-revision-all-domains-all-axes-2026-06-01/01-tier1-blocker-folding.md