03 — Information Unit / miếng thông tin Governance Coverage (Branch C) (2026-06-01)
03 — Information Unit / miếng thông tin Governance Coverage (Branch C)
Treats IU as a first-class governed domain under One-Roof. Maps every IU class to a coverage profile + accountable owner; defines a generic IU axis-registration model that does not hardcode the current axes. All facts below are live-verified (2026-06-01) or cited to KB design docs; IU governance is currently an island (§3.I) — this doc is the remediation model, not an implementation.
3.0 IU status (live + design)
- Điều 44 (Universal Object Schema Law) = controlled DRAFT v0.1.2, NOT enacted. IU is not its own enacted law — it is a family under Điều 38 (base: identity/content/publication/lifecycle) extended by Đ44 (schema-logic), Đ0-B (composition), Đ24/Đ29/Đ39 (label/species/KG), Đ34 (BPMN), Đ35 (DOT), Đ37 (agency).
- Design docs: P38-XC (IU Profile/Schema, "final — uploaded", but "Proposed Tier-0 Baseline, NOT cưỡng chế"); IU-0 minimum standard (FULL DRAFT MODULAR v2, awaiting polish); P44-1 Family Registry, P44-2..5 — all uploaded DRAFT, none ratified.
- Live tables:
information_unit(219 rows:law_unit187 +design_doc_section32; only 2 of 9 seedunit_kindvalues exist),iu_relation(60, allcontains),iu_three_axis_envelope(216),iu_tree_path(199),iu_qdrant_collection_registry(1),iu_vector_sync_point(152),iu_sql_link(3),dot_iu_command_catalog(54),dot_iu_command_run(55), plus ~31iu_*tables — all inpublic, none carry anowner_gov_code/governance column.
3.1 The IU island finding (why IU must be folded in)
IU runs a rich internal governance microcosm (gates, command catalog, command-run audit, review_decision_id, fail-closed logging) but is structurally disconnected from the central spine — the canonical "local governance island":
| Spine element | IU today | Central? |
|---|---|---|
| Owner | No governance_registry row owns information_unit. Family owner_agency_code = TBD/unassigned (OP-B). owner_ref is free-text (agent:p3d1, incomex_council, macro names) — not an FK to any agency |
❌ ISLAND |
| DOT authority | dot_iu_command_catalog (54) is a parallel registry; constitutional dot_tools (Đ35 SSOT, 309) holds only 2 IU tools (DOT-IU-CUTTER + verify), no paired_dot Tier field on the catalog |
❌ ISLAND |
| Approval | approval_requests = 0 rows ever referencing IU; gated by internal review_decision_id, not Đ32 APR |
❌ ISLAND |
| Audit | IU-private (dot_iu_command_run, iu_lifecycle_log), not central governance_audit_log/registry_changelog |
❌ ISLAND |
| Issue/event | 7 IU event types (piece_added_to_collection, …structure_piece_split), emission gated off in pilot; not wired into the central anarchy/orphan detector |
❌ ISLAND |
This is exactly the pattern the One-Roof model exists to forbid. Folding IU in does not mean discarding the IU microcosm — it means binding it to the spine: assign the IU owner (per scope), register IU DOTs into dot_tools, route IU approvals through Đ32 (or record the review_decision mechanism as a council-approved domain-local approval pattern under a governed exception), and wire IU issues/events into the central detector.
3.2 Generic IU axis-registration model (NOT the 3 axes hardcoded)
The headline "three-axis" (A source/order, B domain-tags, C containment) is a denormalized envelope (iu_three_axis_envelope), not the closed set of IU axes. The live/implied IU axes are at least nine: A, B, C, composition/species, relation/KG, label/taxonomy, vector/index, lifecycle/version, workflow. Axis B is itself an open multi-namespace tag-bag (unit_kind/section_type/legal_document/topic/legal_domain, extensible as data).
Per Branch B (doc 02), IU does not get its own axis list in law. Each IU axis is registered in the Axis Registry (M-DEF-9) with the nine attributes, axis family = iu. A future IU axis (policy_clause, evidence_unit, risk_signal, customer_instruction are already named candidates) is a new Axis-Registry row, not a law edit. The IU design itself states vocab is "controlled-draft, KHÔNG enum hardcode, extended via APR cấp medium" (NT4 "cấm hardcode" self-audit PASS) — so the open-axis model is the natural fit. Compliance: no hardcoded IU axis array; IU axes are data under the Axis Registry.
3.3 Per-class IU governance coverage
For each IU class: governed?, risk, accountable owner (policy/substrate), supporting, approval, DOT authority, audit, rollback, issue/event, inheritance allowed?, red-team risk. (Recommended owners; OP-B council decision binds them — §3.5.)
| IU class | Gov? | Risk | Accountable owner | Approval | DOT authority | Audit/Rollback | Issue/event | Inherit? | Red-team |
|---|---|---|---|---|---|---|---|---|---|
IU object / profile (information_unit, identity_profile) |
YES | med | policy COUNCIL · substrate GOV-KG-SYS | birth + profile-field reg (INV-P3) | dot_iu_create_piece, …_clone_piece |
central audit + soft-delete (Đ30/36) | iu_object_orphan / iu_profile_field_unregistered |
owner-link only | agent invents profile field (P44-3) → island |
| IU source / origin (axis A) | YES | med | COUNCIL · GOV-KG-SYS | APR if changes order/identity | dot_iu_mark_article, …_cut_from_manifest |
reconstruct-verifiable | iu_source_axis_unowned |
owner-link only | re-order changes truth without approval |
IU cut (dot_iu_cut_from_manifest/fn_iu_cut) |
YES | high | execution GOV-DOT · policy COUNCIL | manifest = Đ32 artifact | mutating DOT, paired | command-run audit; soft-delete | iu_cut_unapproved |
NO (action) | cut without approved manifest |
IU split (dot_iu_split_piece) |
YES | high | GOV-DOT | requires review_decision_id (G1) |
mutating DOT | additive; source untouched | iu_split_unapproved |
NO | split without review_decision |
IU merge (dot_iu_merge_piece) |
YES | high | GOV-DOT | requires review_decision_id |
mutating DOT | additive | iu_merge_unapproved |
NO | merge loses provenance |
IU compose (fn_iu_compose, file/workflow) |
YES | med | GOV-DOT · render GOV-MOUT | APR if publishes | mutating DOT | reversible | iu_compose_unowned |
NO | compose bypasses render owner |
IU reconstruct (fn_iu_reconstruct_source) |
YES | low (RO) | health GOV-SIV | none (read-only) | DOT wrapper MISSING (gap) | read-only, fingerprinted | iu_reconstruct_gap (if gaps>0) |
owner-link only | unverifiable reconstruction |
| IU specialty/domain axis (axis B tags) | YES | med | policy COUNCIL · vocab GOV-KG-SYS (Đ24) | APR for vocab edit | none (data) | audited | axis_vocab_unowned (doc 02) |
owner-link only | new tag namespace = classification island |
IU parent-child-grandchild axis (axis C / iu_relation contains) |
YES | med | COUNCIL · GOV-KG-SYS | APR if changes tree truth | dot_iu_subtree (RO) |
reversible | iu_tree_axis_unowned |
owner-link only | tree edit hides child gap |
IU relation graph / KG edges (iu_relation, v_kg_edges_all, Đ39) |
YES | med | substrate GOV-KG-SYS | KG "proposes only, never auto-mutates" (Đ39 A8) | edge-WRITE DOT MISSING; only RO dot_iu_kg_edge_audit |
provenance-or-quarantine | iu_kg_edge_unowned |
owner-link only | edge write outside DOT |
| IU labels / taxonomy (Đ24) | YES | med | policy COUNCIL · substrate GOV-KG-SYS | APR (no new taxonomy) | via Đ24 | audited | label_rule_unowned |
owner-link only | label rule invents taxonomy |
IU SQL links (iu_sql_link) |
YES | med | GOV-SIV (binds IU↔SQL truth) | APR if binds counting contract | trigger capture; …_sql_link_validate (RO) |
reversible | iu_sql_link_unowned |
owner-link only | SQL link asserts false truth |
IU DOT commands (dot_iu_command_catalog 54) |
YES | high | execution GOV-DOT | register in dot_tools (Đ35) |
self (mutating tier) | command-run audit | dot_authority_gap / dot_unregistered |
NO | 54-catalog parallel to SSOT (island) |
IU vector / index profile (iu_qdrant_collection_registry, iu_vector_sync_point) |
YES | med | health GOV-SIV · execution GOV-DOT | APR for collection/embedder change | reindex DOT MISSING (CLI-indexed) | digest drift detect | iu_vector_unowned / vector_sync_drift |
owner-link only | vector exception never expires (#33) |
| IU event / trigger routes (7 IU event types) | YES | med | GOV-SIV (Đ45) | register-before-emit | event producers | event audit | event_unregistered |
owner-link only | emit before registration (#18) |
| IU API / UI surfaces | YES (when born) | med | render GOV-MOUT (interim COUNCIL) | route registry | — | — | route_orphan (doc 02) |
owner-link only | no unit_kind='ui' live → surface-as-IU DEFER |
| IU evidence / reconstruction invariant | YES | critical | health GOV-SIV | non-exemptable invariant | fn_iu_reconstruct_source + fingerprint |
— | reconstruction_integrity_fail |
NO | a cut that breaks reconstruction |
| IU future axes (unknown) | YES | per-profile | per Axis Registry (doc 02) | assign_axis_owner (T1-6 prereq) |
coverage-DOT | — | axis_unregistered (critical) |
owner-link only | new axis added without governance (#25) |
3.4 IU evidence / reconstruction invariant (non-exemptable)
fn_iu_reconstruct_source(doc_code)must return every source position1..Nexactly once (contiguous + unique,sort_orderstrictly monotonic,gap_before_count=0), and the fingerprintmd5(string_agg(canonical_address||':'||content_hash, '|' ORDER BY source_position))must be recomputable and change iff any piece body or ordering changes. Proven live: DIEU-3733e5a1a3…(17 pieces), DIEU-35b079d615…(36 pieces), 0 gaps.
This is a non-exemptable safety invariant (M-DEF-6): no exception may waive reconstruction integrity. Companion vector-per-IU invariant: one vector/chunk = exactly one IU, never straddling a boundary; every chunk carries unit_id+parent_piece_id; drift = content_digest ≠ indexed_digest. Both are owned by GOV-SIV (health) and detected by the central scanner, not the IU microcosm alone.
3.5 OP-B — the council decision that gates IU design patch
The IU family owner_agency_code is TBD/unassigned. Until resolved, every IU object is an OWNER_GAP by construction (and — see T1-6 — the owner edge for IU objects is apply_blocked anyway, since IU objects are law-orphan, not law-anchored).
Recommended owner assignment (council to ratify, OQ-IU below):
- policy (IU vocab, axis grouping, cut/publish policy) → GOV-COUNCIL;
- substrate / health (IU schema, profiles, KG/taxonomy/vector, reconstruction integrity) → GOV-KG-SYS (active, domain
kg) for KG/taxonomy/vector and GOV-SIV for integrity/coverage; - execution (IU DOTs, cut/split/merge/compose) → GOV-DOT;
- render (IU surfaces, file/UI output) → GOV-MOUT when active; interim COUNCIL delegation (TTL-bounded);
- law owner of the IU family → GOV-NRM-SYS (active, domain
normative) for Đ38/Đ44 stewardship.
Open question OQ-IU-OWNER: does the IU review_decision_id mechanism count as a council-approved domain-local approval pattern (recorded governed exception, doc 08) or must IU mutations route through the central Đ32 APR? Recommended default: record review_decision as a governed approval-adapter exception with a replacement plan to migrate to Đ32, so IU stops being an approval island without freezing live IU work.
3.6 IU coverage inheritance rule
IU is a deep container tree (doc→section→piece). Inheritance follows the system rule (M-DEF-7): owner-link inherits down the containment tree; risk-required links (cut/split/merge approval, DOT authority, audit, rollback, reconstruction integrity) are computed per node and never inherited. A covered IU document may NOT mask a child piece whose split ran without a review_decision_id. This is the IU instance of red-team #20/#28.
3.7 IU as the proof case for the open model
IU is the best stress test for the open-axis model because it already has (a) more than three axes, (b) an open tag-bag axis, (c) named future axes, (d) a live island. If the One-Roof model can fold IU without enumerating IU axes in law and without dissolving the IU microcosm, it can fold any future domain. Doc 12 runs IU-specific red-team scenarios (#25–#36) to verify this.
Branch-C verdict
IU is explicitly covered as a first-class governed domain with: 17 mapped classes + profiles, a generic axis-registration model (no hardcoded IU axes), the reconstruction/vector invariants marked non-exemptable, and an explicit remediation of the IU island (assign OP-B owner, register IU DOTs in dot_tools, route approval via Đ32-or-governed-adapter, wire IU issues/events into the central detector). The one council decision required before IU design patch is OP-B owner assignment + the review_decision exception ruling.