Incomex AI Portal
KB-15FC

05 — Điều 37 as Governance Hub: Own / Reference / Hook Model (Branch E) (2026-06-01)

8 min read Revision 1
one-roof-governancehardening-revisionbranch-edieu37-hubown-vs-referencegovernance-hookconflict-resolutionfuture-law-declarationanti-bloat2026-06-01

05 — Điều 37 as Governance Hub: Own / Reference / Hook Model (Branch E)

Defines Điều 37 as the governance hub without making it a dumping ground. Splits what Đ37 must own directly from what it references; defines the governance-hook declaration pattern for specialized laws; defines conflict resolution and the rule that future laws must declare governance coverage. All clause text is DRAFT (doc 13); no enactment.

5.1 The hub principle

Điều 37 owns the governance model (definitions + obligations). Specialized laws own mechanisms + substrate and declare governance hooks that reference Đ37.

This is the single rule that keeps Đ37 authoritative but small. A definition appears once (in Đ37); a mechanism appears once (in its specialized law); a specialized law that re-states a Đ37 definition is a drift defect.

5.2 What Điều 37 MUST own directly (the model)

These are SSOT in Đ37. Each is a folded definition/clause from doc 13:

# Đ37 owns Clause (doc 13)
1 One-Roof Governance principle — every governed object lives under the central roof; no local governance M-Đ37 §4.15c
2 Governed-object definition — shared-truth/authority test (M-DEF-1) M-Đ37 §4.15a
3 Non-governed (Class 0) definition — the exclusion is a COUNCIL-owned list M-DEF-1
4 Governance-orphan / anarchic definition — orphan = missing required central link; anarchic = missing an authority-critical link (M-DEF-5) M-Đ37 §4.15b
5 Governance coverage invariant (the identity + grain) M-DEF-7 / doc 09
6 No-local-governance-island rule M-Đ37 §4.15c
7 Accountable-owner-per-scope + role taxonomy (M-DEF-3) M-Đ37 §4.15-bis
8 Coverage profiles — the 13 object classes + profile mechanism (M-DEF-2) M-Đ37 §4.15-ter (new)
9 Governed-exception rule — exception is a coverage state, not an owner; non-exemptable invariants (M-DEF-6) M-Đ37 §4.17
10 Open-axis registration rule — axis is a governed object; Axis Registry; no hardcoded axes (M-DEF-8/9) M-Đ37 §4.15-quater (new)
11 Readiness-gate hook — tiered, severity-aware, waiver-governed M-Đ37 §4.18
12 Governance-coverage scanner hook — detection is an automatically-computed invariant, not memory; scanner is itself a governed object (anti-bootstrap) M-Đ37 §4.15d + Đ31 ref
13 Owner-of-last-resort — unmapped objects default to GOV-COUNCIL (never "no owner because ambiguous") M-Đ37 §4.15d

5.3 What Điều 37 REFERENCES (not owns)

Đ37 points to these; it does not contain their mechanics:

Referenced Lives in Đ37 says
Detection mechanism (6-layer scanner, queries, inventory reconciliation) Đ31 "coverage is the 6th integrity check; mechanism per Đ31"
Approval mechanics (quorum, APR lifecycle, action-types) Đ32 "risk-required changes need Đ32 approval"
DOT execution (paired_dot, tiers, coverage-DOT lifecycle) Đ35 "execution by governed DOTs per Đ35; SoD"
Vocabulary substrate (facets/label_rules/species/event types) Đ24/Đ29/Đ45 "axes anchor vocab to a registered source registry"
Render boundary (Test-4, Nuxt) Đ28 "render owner per Đ28; no truth-math in render tier"
Birth/orphan detection Đ0-G "governance coverage is a layer above birth (precedence)"
Rollback/reversibility Đ30 "rollback is a risk-required link for relevant profiles"
Registry pattern Đ2 "registries (incl. Axis Registry) follow Đ2"
IU schema/profile Đ38/Đ44 "IU is a governed domain; coverage per Đ37"
Host/deploy/Direct-PG exception Đ41 "infra exceptions follow the Đ37 exception model"

5.4 The governance-hook declaration pattern (for specialized laws)

Every specialized law that touches a governed object declares a governance hook — a small, standard block that references Đ37, instead of redefining the model:

## §0-GOV — Governance hook (references Điều 37)
- Governed objects in this law: <list of object classes>           # e.g. pivot definitions, pivot coverage rows
- Coverage profile(s): <profile per class>                          # e.g. POLICY, REGISTRY (doc 06)
- Accountable owner per scope: <policy/health/execution/render>     # e.g. policy:COUNCIL, health:SIV
- Axes introduced (if any): <axis codes> → registered in Axis Registry (Đ37 §4.15-quater)
- Risk-required links: <approval/audit/rollback/dot-authority>      # per profile
- Issue/event types: <registered types> (Đ45 register-before-emit)
- Defers to Đ37 for: governed-object def, anarchic def, invariant, exception model, gate

This block is declarative and uniform. A future law author cannot "forget governance" — the hook is a required section, and a law missing it is a law-level island caught at design review (Đ20) and by the doc-drift check. This is how mission question 11 ("how future laws must declare governance coverage") is answered structurally rather than by memory.

5.5 Conflict resolution

When a specialized law and Đ37 appear to conflict:

  1. Definition conflict (a law redefines a governed-object/anarchic/coverage term) → Đ37 wins; the specialized text is a drift defect to correct content-only.
  2. Owner conflict (two laws claim the same object×scope) → §4.12 per-scope rule (M-DEF-3); if still ambiguous → GOV-COUNCIL tie-break (§4.12d) / owner-of-last-resort.
  3. Mechanism conflict (two laws specify different scan/approval mechanics) → the referenced specialized law wins for its mechanism (Đ31 for detection, Đ32 for approval, Đ35 for DOT); Đ37 only sets the obligation.
  4. Substrate conflict (a clause assumes a substrate that doesn't exist, e.g. object edge) → the clause is apply_blocked and the limitation is recorded with a named upgrade path (T1-6), never silently ignored.

Precedence summary: Constitution > Đ37 (model) > specialized law (mechanism) > implementation. Đ37 cannot override the Constitution (NT4 no-hardcode binds Đ37 too).

5.6 How future laws/modules are pulled in automatically

Three mechanisms, all data/structure, no memory:

  1. Design-review hook (Đ20): a new law/design without a §0-GOV hook fails design review.
  2. Inventory reconciliation (Đ31 §4.9-ext): a new object/collection/route/axis/DOT/event that appears in a ground-truth inventory but is not classified into a coverage profile → inventory_gap (critical). This catches modules that ship without a hook.
  3. Birth precedence (Đ0-G): a new object is a birth-orphan until born, then a governance-orphan until owned — two ordered detectors, no gap.

Together these mean a future module is pulled into coverage whether it arrives via law (hook), design (review), or data (inventory reconciliation). Question 4 answered three ways.

5.7 Anti-bloat guardrails for Điều 37

To keep the hub small:

  • Đ37 contains definitions, obligations, and the owner table — not queries, not quorum math, not vocab lists.
  • Each Đ37 clause is ≤ one screen and ends with a cross-ref to the specialized law that implements it.
  • New governance content defaults to a specialized law + a Đ37 reference, not a new Đ37 clause, unless it is a definition or system-wide obligation (then it belongs in Đ37).
  • The Axis Registry, profile catalog, and Class-0 list are data tables, referenced by Đ37, not enumerated in it.

Branch-E verdict

Điều 37 becomes the governance hub by owning 13 model elements (definitions + obligations + the open-axis rule + the readiness/scanner hooks) and referencing all mechanisms/substrate. The §0-GOV governance-hook pattern makes every current and future specialized law declare its coverage by structure. Conflict resolution is precedence-ordered (Constitution > Đ37 model > specialized mechanism > impl). Anti-bloat guardrails keep Đ37 a hub, not a dump.

Back to Knowledge Hub knowledge/dev/reports/architecture/one-roof-governance-hardening-revision-all-domains-all-axes-2026-06-01/05-dieu37-governance-hub-model.md