KB-362E

06 — Governed Object Classes & Minimum Coverage Profiles (Branch F) (2026-06-01)

Revision 1

A complete but scalable classification: 13 object classes, each with a coverage profile, i.e. a checklist of profile-mandatory links. covered ⟺ all profile-mandatory links resolve (M-DEF-2). A new object type is a new profile row + a default_profile mapping = data, not code. Every L1 source row carries a default_profile. Inheritance resolves the owner-link only (M-DEF-7, anti-hiding). This generalizes the prior 8 profiles to 13 named classes; the mechanism is unchanged, so future classes are added without law edits.

6.0 How to read this

For each class: mandatory links (must resolve for covered), optional links, approval threshold (when a change needs Đ32), audit, rollback, issue/event type(s), inheritance rule, detection rule (how an instance is found ungoverned). Severity: orphan missing an authority-critical link (owner / approval / rollback / dot-authority for a mutating object) = anarchic/high-critical; orphan missing only a descriptive link (design_ref / audit on read-only) = orphan/warning (M-DEF-5).

6.1 The 13 classes

Class 0 — Non-governed ephemeral / personal (profile EPHEMERAL)

  • Mandatory: none. Out of the coverage population (M-DEF-1).
  • Membership: fails the shared-truth-reachability test (single-user/session/agent-private, RO against shared truth, no approval/exec power). Class-0 source kinds = COUNCIL-owned list (exclusion is governed).
  • Approval/audit/rollback/issue: none. Inheritance: n/a. Detection rule: if it gains shared-truth reachability (e.g. personal pin → global) it leaves Class 0 → re-classified to its target profile and flagged. Red-team #3/#34.

Class 1 — Low-risk read-only governed artifact (profile RO / PROFILE-SURFACE-RO)

  • Mandatory: accountable owner (1, any scope), law/design ref. Optional: audit. Approval: none (read-only). Rollback: none (OQ-B2: drop for RO). Audit: light. Issue/event: owner_gap (warning). Inheritance: owner-link inherits. Detection: owner unresolved → warning (not high — read-only can't alter authority).

Class 2 — Governed registry / list object (profile REGISTRY)

  • Mandatory: owner (policy + health), birth/registry entry, issue path. Optional: render owner. Approval: schema/row-policy change → Đ32. Audit: yes. Rollback: yes (reversible). Issue/event: registry_unowned, inventory_gap. Inheritance: members inherit owner-link; risk links per member. Detection: registry table with no owner relation → high; registry not in inventory reconciliation → inventory_gap critical. (Axis Registry, route inventory, threshold-policy table, pin registry are Class 2.)

Class 3 — Governed axis (profile AXIS)

  • Mandatory: policy owner (1), substrate/vocab owner, named source registry, grouping policy, issue path. Optional: render owner. Approval: vocab/grouping/ceiling edit → Đ32 (assign_axis_owner/register_axis — T1-6 prereq). Audit: yes. Rollback: yes. Issue/event: axis_unregistered (critical), axis_owner_gap, axis_vocab_unowned, axis_grouping_island. Inheritance: axis-family container passes owner-link only. Detection: thing functioning as an axis not in Axis Registry → axis_unregistered (doc 02 §2.7).

Class 4 — Governed policy (profile POLICY)

  • Mandatory: policy owner (1, COUNCIL-typical), approval path, audit, issue path. Optional: rollback. Approval: any change → Đ32 (policies change truth/authority). Audit: yes. Rollback: yes. Issue/event: policy_unowned, approval_path_gap. Inheritance: NONE for the approval link (anti-hiding); owner-link may inherit from a policy-family container. Detection: policy-shaped table/row with no owner relation → high; mutable policy with no approval path → critical. Red-team #4/#6/#7/#29/#30.

Class 5 — Governed DOT / action (profile DOT)

  • Mandatory: execution owner (GOV-DOT), dot_tools registration, paired_dot (tier-A/B), approval path for mutating apply, audit (dot_*_run/command-run), rollback. Approval: mutating apply → Đ32 quorum (never the DOT — SoD). Audit: mandatory. Rollback: mandatory (Đ30). Issue/event: dot_authority_gap, dot_unregistered. Inheritance: NONE (an action's authority never inherits). Detection: mutating routine outside dot_tools / no paired_dot → critical (live PG trigger already enforces tier-B pairing). IU's 54-command catalog is Class 5 and currently unregistered in the SSOT (doc 03 §3.1) → dot_unregistered.

Class 6 — Governed production route / API / display surface (profile SURFACE)

  • Mandatory: render owner (GOV-MOUT; interim COUNCIL delegation), route-inventory entry, no-truth-math attestation (Đ28 NT-D1-ext incl. Nitro server/api/**). Optional: approval (for new public route). Audit: deploy ledger (vps_deploy_log). Rollback: deploy rollback. Issue/event: route_orphan, hardcode_violation. Inheritance: owner-link only. Detection: route in nginx/Nuxt not mapped to owner → route_orphan (high); UI computing governance/count truth → hardcode_violation. Red-team #1/#15/#17/#32/#37.

Class 7 — Governed exception / bypass (profile EXCEPTION)

  • Mandatory: the 11-field exception record (M-DEF-6): exception_type, scope, accountable_owner, reason, risk, approval_ref, expiry, review_cadence, rollback_ref, replacement_plan (mandatory), issue_on_expiry; state fingerprint. Approval: always (grant_governance_exception — T1-6 prereq; interim admin_fallback_log). Audit: mandatory. Rollback: mandatory. Issue/event: unratified_exception (critical), exception_scope_drift (critical on fingerprint change), exception_expired. Inheritance: NONE. Detection: any bypass without an 11-field record → critical; exception without replacement_plan cannot be granted; fingerprint change auto-invalidates. Red-team #5/#23/#33.

Class 8 — Governed law / design artifact (profile LAW)

  • Mandatory: law owner (GOV-NRM-SYS), normative_registry entry, jurisdiction/agency link, §0-GOV hook (doc 05). Approval: enactment → sovereign (os_proposal_approvals); content fix → council-review. Audit: registry_changelog. Rollback: supersede (reversible). Issue/event: law_agency_orphan, hook_missing. Inheritance: none. Detection: enacted law with no jurisdiction/owning-agency → law_agency_orphan (the live Đ24/26/28/45 condition); law/design without §0-GOV hook → hook_missing. Red-team #38.

Class 9 — Governed issue / event type (profile EVENT)

  • Mandatory: registration in event_type_registry / issue_type vocabulary (register-before-emit/write), owner (GOV-SIV), event_domain, default_severity. Approval: new type → council-review. Audit: outbox. Rollback: deprecate. Issue/event: event_unregistered, issue_type_unregistered. Inheritance: none. Detection: emit/write of an unregistered type → producer fails (PG CHECK for events; H2 vocabulary gate for issues). Red-team #18/#35.

Class 10 — Governed data substrate / collection / table (profile SUBSTRATE)

  • Mandatory: owner (substrate owner), birth/registry entry, schema-change approval path, audit. Optional: rollback (additive/soft-delete per Đ30/36). Approval: DDL/schema change → Đ32 (schema_add/schema_modify exist live). Audit: yes. Rollback: reversible/soft-delete. Issue/event: substrate_unowned, inventory_gap. Inheritance: rows inherit table owner-link; per-row issues forbidden for inherited children (doc 11). Detection: table in information_schema/directus_collections not classified → inventory_gap critical. Red-team #21.

Class 11 — Governed IU operation (profile IU-OP)

  • Mandatory: execution owner (GOV-DOT), operation approval (review_decision_id or Đ32 — OP-B/OQ-IU-OWNER), dot_iu_command_catalog + dot_tools registration, command-run audit, soft-delete rollback, non-exemptable reconstruction/vector invariant (doc 03 §3.4). Approval: cut/split/merge/compose/publish → approved manifest or review_decision (Đ32-bound). Audit: dot_iu_command_run. Rollback: soft-delete/retire (reversible). Issue/event: iu_*_unapproved, reconstruction_integrity_fail. Inheritance: NONE (operations don't inherit authority); IU container owner-link inherits to pieces. Detection: IU mutation without approval/review_decision → high; IU DOT not in dot_tools SSOT → dot_unregistered. Red-team #25–#36.

Class 12 — Governed future object type (profile FUTURE → resolves to a concrete profile)

  • Mandatory: owner-of-last-resort = GOV-COUNCIL until classified; then the mandatory links of its resolved profile. Approval/audit/rollback/issue: per resolved profile. Inheritance: per resolved profile. Detection: any object that (a) passes the shared-truth test and (b) is not classified into a profile → unclassified_governed_object (high) defaulting to COUNCIL ownership (never "no owner because unknown"). This is the catch-all that makes the model closed without enumeration — a future type is covered by COUNCIL until a profile is assigned (data). Red-team #25/#40.

6.2 Profile mechanics (M-DEF-2, generalized)

  • Every L1 source row carries a default_profile. A candidate maps to exactly one profile (including Class 0 / EPHEMERAL).
  • covered ⟺ all profile-mandatory links resolve.
  • Adding a new object type needs no code — add the L1 row + default_profile, or add a profile row if a genuinely new shape. The set of profiles is itself a governed registry (Class 2), owned by COUNCIL.
  • A profile's mandatory-link list is data, editable only via Đ32 (changing it can change what counts as covered → it changes truth).

6.3 The closed-without-enumeration property

The classification is complete (every governed object maps to one of 12 governed profiles, or Class 0) and scalable (Class 12 FUTURE + owner-of-last-resort means an unknown type is owned by COUNCIL on contact, then refined to a concrete profile as data). This is how the model is exhaustive without a hardcoded list — the predicate (shared-truth test) decides membership, the FUTURE class catches the unclassified, and the inventory reconciliation surfaces anything that slipped both. Mission questions 1/2/3 (what is / isn't governed, how we know) are answered by this triple.

6.4 Inheritance summary (anti-hiding, all classes)

Link                                    Inherits down a container?
owner-link                              YES (container → members), only if the container is itself covered
approval path                           NO (per object)
audit                                   NO (per object)
rollback                                NO (per object)
dot-authority                           NO (per action)
reconstruction/vector invariant (IU)    NO (per node)

A covered container can therefore never mask a member's authority-critical gap. This is the single most important scale property (red-team #20/#28).
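A compact evaluator for the 6.2 predicate, the 6.4 inheritance table and the M-DEF-5 severity split from 6.0, added here as an illustration (it is not the project's own code): profiles are plain data rows, only the owner link is inherited and only from a covered container, and an object with no profile falls through to FUTURE with COUNCIL as owner-of-last-resort. The profile rows are trimmed copies of the page's lists; object names, their links and the generic `<link>_gap` issue names are constructed stand-ins for the per-class issue types.

```python
"""Added example (not the page's or project's code): data-driven evaluator for the 6.2
coverage predicate, the 6.4 inheritance rule (only owner-link inherits, only from a covered
container) and the M-DEF-5 severity split of 6.0. Profile rows trimmed from the page; objects constructed."""

# Profiles are data rows: profile name -> mandatory links (subsets of the page's lists).
PROFILES = {
    "EPHEMERAL": set(),                                                  # Class 0: none
    "RO": {"owner", "design_ref"},                                       # Class 1
    "POLICY": {"owner", "approval", "audit", "issue_path"},              # Class 4
    "DOT": {"owner", "approval", "audit", "rollback", "dot_authority"},  # Class 5
}
INHERITABLE = {"owner"}  # M-DEF-7 anti-hiding: nothing else flows down a container
# Missing one of these is anarchic/critical; a descriptive gap is orphan/warning (M-DEF-5).
AUTHORITY_CRITICAL = {"owner", "approval", "rollback", "dot_authority"}

def resolve_links(name, objects):
    """Links resolving for an object, plus owner-link inherited from a *covered* container."""
    obj = objects[name]
    links = set(obj.get("links", ()))
    parent = obj.get("container")  # containers are assumed acyclic
    if parent in objects and evaluate(parent, objects)["covered"]:
        links |= INHERITABLE & resolve_links(parent, objects)
    return links

def evaluate(name, objects):
    """Coverage verdict: profile, covered flag and (issue, severity) pairs for missing links."""
    profile = objects[name].get("profile")
    if profile not in PROFILES:
        # Class 12 FUTURE: governed but unclassified -> COUNCIL owns it until a profile is assigned.
        return {"profile": "FUTURE", "covered": False, "owner": "GOV-COUNCIL",
                "issues": [("unclassified_governed_object", "high")]}
    missing = sorted(PROFILES[profile] - resolve_links(name, objects))
    issues = [(f"{link}_gap", "critical" if link in AUTHORITY_CRITICAL else "warning")
              for link in missing]
    return {"profile": profile, "covered": not missing, "issues": issues}

# Constructed sample inventory; names and links are illustrative only.
OBJECTS = {
    "policy-family": {"profile": "POLICY", "links": {"owner", "approval", "audit", "issue_path"}},
    "policy-row-7": {"profile": "POLICY", "container": "policy-family", "links": {"audit", "issue_path"}},
    "orphan-family": {"profile": "POLICY", "links": {"owner", "audit"}},
    "policy-row-9": {"profile": "POLICY", "container": "orphan-family", "links": {"approval", "audit", "issue_path"}},
    "readme": {"profile": "RO", "links": {"owner"}},
    "apply-dot": {"profile": "DOT", "links": {"owner", "approval", "audit", "rollback"}},
    "mystery-table": {"links": {"owner"}},
}

def report(objects=OBJECTS):
    """Verdict per object; policy-row-7 inherits owner but still fails on approval (anti-hiding)."""
    return {name: evaluate(name, objects) for name in objects}
```

`report()` shows the two sides of the anti-hiding rule: policy-row-7 gets its owner from the covered policy-family yet is still uncovered with a critical approval gap, while policy-row-9 inherits nothing from the uncovered orphan-family and surfaces an owner gap of its own.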

Branch-F verdict

13 classes, 13 profiles, one mechanism (covered ⟺ profile-mandatory links resolve), owner-link-only inheritance, and a FUTURE class + owner-of-last-resort that closes the model without enumeration. Future object types are data; the law does not grow per type.

knowledge/dev/reports/architecture/one-roof-governance-hardening-revision-all-domains-all-axes-2026-06-01/06-governed-object-classes-coverage-profiles.md