08 — Governed Exception & Emergency Model (Branch H) (2026-06-01)
Defines governed exceptions and the emergency lane so that a bypass is visible, owned, time-boxed, and self-expiring — never a permanent silent island. Builds on M-DEF-6. The exception is a coverage state, not an owner (B5 resolution). All draft; no enactment.
8.1 The 11-field exception record (M-DEF-6)
Every governed exception (Class 7, profile EXCEPTION) carries:
| # | Field | Rule |
|---|---|---|
| 1 | exception_type | from a registered vocabulary (register-before-write) |
| 2 | scope | exactly what is bypassed (object/route/operation); narrow, not "the module" |
| 3 | accountable_owner | one owner (policy COUNCIL + risk SIV); an exception with no owner is forbidden |
| 4 | reason | why the normal path can't be used now |
| 5 | risk | severity if abused |
| 6 | approval_ref | Đ32 approval (grant_governance_exception — T1-6 prereq; interim admin_fallback_log) |
| 7 | expiry | mandatory TTL; no open-ended exception |
| 8 | review_cadence | periodic re-review interval |
| 9 | rollback_ref | how to revert when it ends |
| 10 | replacement_plan | mandatory — the governed path that will replace it; an exception with no replacement plan cannot be granted |
| 11 | issue_on_expiry | the issue raised if it lapses unreplaced |
Bound to a state fingerprint — a hash of the exempted object's signature (e.g. route method-set, adapter grant-set). Any signature change auto-invalidates the exception → object re-enters orphan + exception_scope_drift (critical). This kills scope-creep (red-team #23/#33).
8.2 Non-exemptable safety invariants
No exception may waive these — they are floors, not negotiable:
- no write-outside-DOT (mutations go through governed DOTs);
- no local approval (approval is always Đ32 quorum);
- no UI truth-math (render tier computes no governance/count truth, Đ28);
- no unregistered emit/write (register-before-emit events, register-before-write issue types);
- no reconstruction/vector integrity waiver (IU, doc 03 §3.4).
An "exception" requesting any of these is rejected at grant time.
8.3 Exception lifecycle
REQUEST → (11-field record + replacement_plan) → Đ32 APPROVE → ACTIVE (fingerprinted, TTL running)
→ periodic REVIEW (review_cadence) → [renew ≤ N times | replace via plan | EXPIRE]
EXPIRE/lapse → issue_on_expiry fires → object re-enters orphan → gate blocks production
signature change → auto-invalidate → exception_scope_drift (critical) → re-approve or remove
- Max renewals before replacement_plan must execute: default 2 (OQ-E1/K3). After that, renewal is refused and the replacement plan must run.
- Production visibility: every active exception is a first-class row in Registries-Pivot (doc 02 §2.8) — exceptions are never hidden; the count of active exceptions is a tracked health metric.
8.4 The emergency lane
A genuine emergency (production-down, data-integrity threat) may bypass the normal cadence but not the governance floor:
- Emergency grant: president (or delegated authority) may grant an exception immediately, but the 11-field record is created at grant time (not deferred), with a short TTL (default 72h) and a mandatory post-incident review.
- Standard regularization deadline for an inherited/legacy live bypass: default 60 days (OQ-A3) — the time to either ratify (full exception record + replacement plan) or remove.
- The emergency lane writes to admin_fallback_log in the interim (until the grant_governance_exception action-type exists, T1-6) and is always ledgered — an emergency action that leaves no ledger entry is itself a critical violation.
8.5 Worked examples
| Example | Profile | Owner | Approval | TTL | Replacement plan | Notes |
|---|---|---|---|---|---|---|
| Direct-PG read-only adapter (the live rpGatewayDb route serving views Directus can't) | EXCEPTION | COUNCIL+SIV+MOUT | grant_exception (interim admin_fallback_log) | bounded | migrate to Directus view-PK or ratified pooled adapter | read-only verified vs information_schema grants (E3); ledgered vps_deploy_log; QUARANTINED transitional for the already-live adapter (A3); fingerprint = grant-set → any write-grant auto-invalidates |
| Temporary preview route (/ui-preview/...) | EXCEPTION | MOUT/interim-COUNCIL | grant_exception | short | promote to governed route or remove | non-production; must not compute truth |
| Emergency hotfix | EXCEPTION (emergency lane) | president | immediate + post-incident review | 72h | proper fix via normal lane | full record at grant time; mandatory review |
| Unavailable Directus exposure (collection 403 even to admin, no PK) | EXCEPTION | SIV+MOUT | grant_exception | bounded | add PK/view or ratified adapter | the root cause of the Direct-PG exception |
| Unregistered law handler (amend_law/enact_nrm handler_ref unimplemented → manual council_review) | EXCEPTION | NRM-SYS+COUNCIL | council-review | bounded | implement handler or keep manual-with-ledger | a known live gap; recorded, not silent |
| IU review_decision as approval adapter (doc 03 §3.5) | EXCEPTION | COUNCIL | council-review (OQ-IU-OWNER) | bounded | migrate IU approvals to Đ32 | lets IU keep working while de-islanding |
8.6 What is forbidden (hard rules)
- Permanent unratified exception — every exception has a TTL; no TTL = invalid.
- Silent bypass — every bypass is a recorded 11-field exception; an undocumented bypass is the worst-severity finding (unratified_exception, critical).
- Exception without owner — rejected at grant.
- Exception without expiry — rejected at grant.
- Exception without replacement_plan — rejected at grant.
- Exception that waives a non-exemptable invariant (§8.2) — rejected at grant.
- Exception parked to make a gate green — an object parked in ignored without a gated exception = UNRATIFIED_EXCEPTION (critical, red-team #24); ignored is a gated permanent exception (COUNCIL + law-ref + replacement_plan), not a free state.
8.7 Detection of exception abuse
| Condition | Issue/event | Severity |
|---|---|---|
| bypass with no 11-field record | unratified_exception | critical |
| exception missing replacement_plan | (cannot be granted) | — |
| TTL lapsed / renewals > max | exception_expired | critical |
| signature changed (scope creep) | exception_scope_drift | critical |
| ignored without gated exception | unratified_exception | critical |
| Direct-PG adapter gains write grant | fingerprint auto-invalidate → exception_scope_drift | critical |
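The following is an added example, not code from this document or its project: a minimal model of the 11-field record (§8.1), its state fingerprint, the grant-time rejections and renewal cap (§8.3, §8.6), and the §8.7 detection conditions. The field and issue names come from the document; the signature layout (a dict such as a grant-set), the exception_type values used to name the §8.2 floors, and the helper function names are assumptions.

```python
# Added example: field names from §8.1; signature layout and helper names are assumptions.
import hashlib, json
from datetime import datetime

FIELDS = ("exception_type", "scope", "accountable_owner", "reason", "risk",
          "approval_ref", "expiry", "review_cadence", "rollback_ref",
          "replacement_plan", "issue_on_expiry")
# §8.2 floors: an exception_type naming one of these is rejected at grant time (assumed labels)
NON_EXEMPTABLE = {"write_outside_dot", "local_approval", "ui_truth_math",
                  "unregistered_emit_write", "integrity_waiver"}
MAX_RENEWALS = 2  # §8.3 default: after this, renewal is refused and replacement_plan must run

def fingerprint(signature: dict) -> str:
    """Hash of the exempted object's signature (e.g. route method-set or adapter grant-set)."""
    canon = json.dumps(signature, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def grant(record: dict, signature: dict, now: datetime) -> dict:
    """Return an ACTIVE, fingerprinted exception or raise ValueError with the §8.6 rejection."""
    missing = [f for f in FIELDS if not record.get(f)]
    if missing:  # ownerless, expiry-less and plan-less records all fail here
        raise ValueError(f"rejected at grant: missing {missing}")
    if record["exception_type"] in NON_EXEMPTABLE:
        raise ValueError("rejected at grant: waives a non-exemptable invariant (§8.2)")
    if record["expiry"] <= now:
        raise ValueError("rejected at grant: expiry must be a future TTL")
    return {**record, "state": "ACTIVE", "fingerprint": fingerprint(signature), "renewals": 0}

def renew(exc: dict, new_expiry: datetime) -> dict:
    """Renewal is refused once MAX_RENEWALS is reached; the replacement plan must execute."""
    if exc["renewals"] >= MAX_RENEWALS:
        raise ValueError("renewal refused: execute replacement_plan")
    return {**exc, "expiry": new_expiry, "renewals": exc["renewals"] + 1}

def evaluate(exc: dict, current_signature: dict, now: datetime) -> list:
    """§8.7 detection over one active exception; each finding is (issue, severity)."""
    findings = []
    if fingerprint(current_signature) != exc["fingerprint"]:
        findings.append(("exception_scope_drift", "critical"))  # auto-invalidated: re-approve or remove
    if now > exc["expiry"] or exc["renewals"] > MAX_RENEWALS:
        findings.append(("exception_expired", "critical"))
    return findings

def check_bypass(obj_id: str, active: dict) -> list:
    """A live bypass with no 11-field record is the worst-severity finding (§8.6)."""
    return [] if obj_id in active else [("unratified_exception", "critical")]
```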
Branch-H verdict
Exceptions are hardened to 11 fields + state fingerprint + mandatory replacement_plan + TTL + max-2-renewals + non-exemptable floors + production visibility, with an emergency lane that bypasses cadence but never the floor and a 60-day regularization deadline for legacy bypasses. Every forbidden form (permanent/silent/ownerless/expiry-less/plan-less/gate-gaming) is explicitly rejected and detected. The single substrate dependency is the grant_governance_exception action-type (T1-6); interim home is admin_fallback_log.