10 — Law-Level Detection Obligations (Branch J)

Defines what the law/design must require the system to be able to detect — not the SQL. Detection is an automatically-computed invariant (Đ31), not memory (Đ37 §4.15d). Mechanism lives in Đ31; obligations are declared in Đ37. No queries designed here.

10.1 The detection mandate

The system must be able to detect, automatically and without relying on any human or agent remembering governance principles, every condition in §10.2 — and must reconcile its own detector inputs against ground-truth inventories so that anything outside governance is found the way an orphan is found.

This is the literal answer to the user's core requirement ("the system must detect anything outside governance like it detects orphans; a governance-orphan / anarchic / vô chính phủ object must be a first-class system integrity condition").

10.2 The twelve detection obligations

The law must require detection of each, with the named issue/event type (register-before-write):

#	Condition	Issue/event type	Severity	Class
1	governance orphan — governed object missing a required central link	governance_orphan / owner_gap	high (critical if authority link)	all
2	local governance island — governance owned locally (local owner column / local approval flag / local owner constant) instead of centrally	island_detected	high	2,4,6
3	unregistered axis — thing functioning as an axis not in the Axis Registry	axis_unregistered	critical	3
4	ungoverned DOT — mutating routine outside dot_tools / no paired_dot	dot_authority_gap / dot_unregistered	critical	5
5	ungoverned pivot — pivot not inheriting a covered source owner	pivot_coverage_unowned	high	2
6	ungoverned label rule — grouping/classification outside Đ24 facets	classification_policy_unowned / label_rule_unowned	high	3,4
7	ungoverned IU operation — IU mutation without approval/review_decision; IU DOT not in SSOT	iu_*_unapproved / dot_unregistered	high–critical	11
8	ungoverned route/API — route in nginx/Nuxt not owner-mapped	route_orphan	high	6
9	ungoverned exception — bypass without 11-field record / expired / scope-drifted	unratified_exception / exception_expired / exception_scope_drift	critical	7
10	missing issue/event path — object with no registered issue/event channel; emit/write of unregistered type	event_unregistered / issue_type_unregistered	high	9
11	missing approval path — mutating object with no Đ32 approval route	approval_path_gap	critical	4,5,6,11
12	missing audit/rollback path — object whose profile requires audit/rollback and lacks it	audit_gap / rollback_gap	high	5,7,10,11

Plus two meta detections that make the above trustworthy:

• inventory completeness — inventory_gap (critical): anything in a ground-truth inventory but not classified into a profile (the detector-is-blind check);
• scan integrity — scan_integrity_fail (critical): the closure identity (doc 09 §9.2) doesn't balance, or the scanner itself is unowned (watchdog_fault).

10.3 The six detection layers (mechanism summary, owned by Đ31)

The detector reads, in layers, reusing the existing orphan/integrity pattern (GOV-SIV, Đ31) — not a new isolated scanner:

1. L1 source inventory — the classified population (every governed source + its default_profile), reconciled against ground truth (L0).
2. L0 ground-truth inventories — information_schema, directus_collections, meta_catalog, dot_tools, event_type_registry, the route inventory (derived from nginx + Nuxt), the Axis Registry, governance_registry, governance_relations, law_jurisdiction. Anything in L0 ∉ L1 → inventory_gap.
3. Ownership resolution — resolve accountable owner per (object × scope); apply owner-link container inheritance; detect orphan/double-owner/dangling/stale (doc 07 §7.5).
4. Risk-link resolution — per object (never inherited): approval-path, audit, rollback, dot-authority, reconstruction/vector integrity.
5. Exception/state overlay — apply approved exceptions (fingerprint-checked), ignored (gated), retired; classify into the identity terms (doc 09).
6. Coverage computation + closure check — compute the identity, the severity decomposition, and the gate per phase; assert closure.

This is law-level: Đ37 mandates these layers exist and reconcile against ground truth; Đ31 owns the implementation; no SQL is fixed here.

10.4 Detection freshness (anti-rot)

The law must require re-scan triggers beyond changed_since(object) (G3):

• object changed (the obvious one);
• owner agency status flip (draft↔active↔retired) → re-scan its objects;
• law jurisdiction change → re-scan dependent objects;
• coverage profile edited → re-scan all objects on that profile;
• Axis Registry change → re-scan axis-bearing surfaces;
• scheduled full reconciliation (catches L0 drift the triggers miss).

10.5 How a detection becomes action (the five outputs)

Every detection must be able to become each of these — the law mandates the capability, not a fixed routing:

Output	Rule
system issue	a system_issues row with a registered issue_type (register-before-write, H2), a coalesce_key (dedup), and a severity; birth-orphan precedence applies (M-DEF-4)
event	an event_outbox emit of a registered event type (register-before-emit, Đ45); governance events go to a new GOV-SIV governance/integrity domain (OQ-H1), not the dormant mother rows
notification	derived from event severity + cooldown (doc 11); summary-not-detail at scale
Registries-Pivot display	every detection is a pivotable row in the coverage surface (doc 02 §2.8) — orphans, islands, unregistered axes, exceptions all visible together; no separate page
blocking gate	severity-aware, phase-tiered (doc 09 §9.4): critical/high on touched objects block; warning creates a deadline TARGET

10.6 Anti-bootstrap (the detector is a governed object)

The scanner, the Axis Registry, the profile catalog, the route inventory are themselves in the population (Class 2/3/5). The law must require: seed attestation before first scan (I3); a watchdog (COVERAGE-AUDIT watches SCAN); watchdog_fault if the scanner becomes unowned; and the scanner cannot approve its own ownership (SoD). Detection that can't detect its own failure is not detection.

10.7 What detection does NOT do (scope guard)

• It does not auto-remediate without approval (PROPOSE→Đ32→APPLY; the DOT never self-applies authority changes).
• It does not raise per-row issues for inherited children (doc 11).
• It does not detect at object grain what is apply_blocked by the substrate (T1-6) — instead it raises the gap and marks it apply_blocked so the inoperability is visible, not silent.

Branch-J verdict

Twelve detection obligations + two meta-detections (inventory completeness, scan integrity), realized through a six-layer reconciliation reusing the existing GOV-SIV/Đ31 orphan pattern, with ground-truth inventory reconciliation as the mechanism that "detects anything outside governance like an orphan," six freshness triggers, five mandated outputs, and full anti-bootstrap. All law-level; no SQL fixed. This satisfies mission §13 and questions 3/5.