13 — Hardened Clause Revision Package (Consolidated Draft Text, Branch M) (2026-06-01)
13 — Hardened Clause Revision Package (Consolidated Draft Text, Branch M)
The single consolidated hardened wording for the whole revision. DRAFT TEXT ONLY — no enactment, no version bump, no
normative_registry/law_catalogtouch, no status change, no approval. These fold into a future hardening revision of the decision pack, then (separately, by human ratification) into law. Extends the prior package's M-DEF-1..7 with M-DEF-8/9 (axes) and adds the §4.15-ter (profiles), §4.15-quater (open axis), and §0-GOV hook clauses. Each entry: hardened wording → folds which blocker → acceptance test.
A. Report-level definitions (M-DEF-1..9) — belong in the decision pack
M-DEF-1 — Non-governed (Class 0) + shared-truth test [T1-1]
A non-governed artifact (Class 0) cannot alter shared system truth or authority: single-user/session/agent-private, read-only against shared truth, no approval/execution power. Membership test = shared-truth-reachability: if changing it can change what another user/agent sees as truth, or can authorize a mutation, it is governed. This is the single system-wide membership predicate; future domains inherit it without a law edit. The Class-0 source-kind set is a COUNCIL-owned list (exclusion is governed, not silent).
- Test: user-pin → no issue; global pin →
pin_policy_unowned; new artifact with no shared-truth reach → auto-Class-0, no code.
M-DEF-2 — Coverage profiles [T1, doc 06]
Thirteen object classes, each a coverage profile = checklist of profile-mandatory links. Every L1 source row carries a
default_profile;covered ⟺ all profile-mandatory links resolve. New object type = new L1 row + profile (data). The profile catalog is itself a governed registry (Class 2, COUNCIL-owned); editing a profile's mandatory-link list → Đ32.
- Test: every candidate maps to exactly one profile (incl. Class 0); adding a type needs no code; weakening a profile without Đ32 →
approval_path_gap(red-team #48).
M-DEF-3 — Role taxonomy + responsibility scope [T1-2]
Six responsibility scopes (policy, health, execution, render, approval, audit); exactly one accountable owner per (object × scope); unlimited supporting roles. §4.12 "one content one law" = one accountable owner per scope, not one owner per object.
- Test: grouping policy → {policy:COUNCIL, health:SIV, exec:DOT, render:MOUT}, zero §4.12 violations; same-scope double owner → conflict (red-team #7/#40).
M-DEF-4 — Birth↔governance dedup precedence [T1-5]
Birth/registry orphan is a prerequisite failure: for an unborn/unregistered object the governance scanner does NOT raise
OWNER_GAP(defers to birth-orphan detector). Governance coverage is a layer above birth; one root cause → one issue (shared coalesce namespace).
- Test: unregistered object → 1 issue (birth); register-without-owner → birth resolves, 1 governance issue.
M-DEF-5 — Anarchic = missing authority-critical link [T1-3/D2]
Anarchic = governance-orphan missing an authority-critical link (owner, or for a mutating/high-risk object its approval-path/rollback/dot-authority/reconstruction-integrity). Descriptive-only gaps (design_ref, audit on read-only) = orphan, not anarchic. Computed from gap_type × profile.
- Test: RO-missing-design_ref = not anarchic; mutating-DOT-no-owner = anarchic/critical.
M-DEF-6 — Exception record (11 fields) + non-exemptable invariants [T1, doc 08]
Full record:
exception_type, scope, accountable_owner, reason, risk, approval_ref, expiry, review_cadence, rollback_ref, replacement_plan (mandatory), issue_on_expiry; bound to a state fingerprint (auto-invalidate on signature change). Non-exemptable floors: no write-outside-DOT, no local approval, no UI truth-math, no unregistered emit/write, no reconstruction/vector integrity waiver. Max 2 renewals. Interim homeadmin_fallback_loguntilgrant_governance_exceptionaction-type exists.
- Test: no-replacement-plan → cannot grant; RO→write adapter → auto-invalidate (
exception_scope_drift).
M-DEF-7 — Governance grain + identity + owner-link-only inheritance [T1-3/T1-4]
Identity at the governance grain = roots + non-inheriting classes + containers (inheriting leaf records not counted individually).
total_governed = covered + orphans + approved_exceptions + retired_or_approved_ignore + stale_unverifiable. Inheritance resolves OWNER-link ONLY; risk-required links never inherited (anti-hiding).ignoredis a gated permanent exception, not free.
- Test: +10⁶ children →
Δtotal_governed=0; child policy under covered parent stillAPPROVAL_PATH_GAP.
M-DEF-8 — Axis (NEW) [Branch B]
An axis is any dimension along which objects are classified/counted/grouped/pivoted/ordered/related/displayed — anything that can change shared truth, classification, counting, display, or interpretation. An axis is distinct from the objects it organizes and is itself a governed object (Class 3, profile
AXIS). Membership = the shared-truth test applied to changing the axis's definition/vocab/grouping. No axis is enumerated in law.
- Test: a pivot group-by, a tag-namespace driving display, a new
unit_kindvalue → each is an axis; introducing one without registration →axis_unregistered(red-team #25/#26).
M-DEF-9 — Axis Registry (NEW) [Branch B]
The Axis Registry is a governed registry object (Class 2) enumerating every active axis by its nine attributes (axis, family, owner-per-scope, scope, source-registry, grouping-policy, coverage-rule, issue-path, lifecycle). It is the ground-truth inventory of axes the scanner reconciles against. A future axis = a new registry row (data). Its absence is itself a governance gap (
inventory_gapuntil created). Owned per-scope (policy:COUNCIL, substrate:GOV-KG-SYS, health:SIV, exec:DOT), born via Đ0-G, follows the Đ2 registry pattern. No fixed axis array anywhere.
- Test: introduce an axis-bearing surface absent from the registry →
axis_unregistered(critical); the registry's own absence →inventory_gap.
B. Điều 37 — Governance Hub (v3.3 enacted; owner GOV-COUNCIL) — DRAFT
§4.15 (revised) — One-Roof, governed object, anarchic, valid-owner
(a) Every governed object (shared-truth test, M-DEF-1) must have a valid central owner path per (object × scope) — valid = {direct edge | governance_relations to active agency | law_jurisdiction primary owned by active agency | recorded delegation | inherited owner-link where law permits}. Does NOT count: comment/frontend owner, local approval, unratified design as sole authority, machine-pseudo-approval, stale registry-only entry, an approved exception (an exception is a separate coverage state, NOT an owner). Plus risk-required approval/audit/rollback/dot-authority links per its coverage profile (M-DEF-2). (b) Anarchic = governance-orphan missing an authority-critical link (M-DEF-5). (c) No local governance island (object-level or law-level). (d) Detection is an automatically-computed invariant (Đ31), not memory; GOV-COUNCIL is owner of last resort for unmapped objects; the scanner is itself a governed object (anti-bootstrap, seed-attested).
§4.15-bis (new) — Roles & responsibility scope — M-DEF-3.
§4.15-ter (new) — Coverage profiles — M-DEF-2; the 13 classes + the profile catalog is a governed registry; profile edits → Đ32.
§4.15-quater (new) — Open-axis governance [Branch B]
An axis (M-DEF-8) is a governed object; all axes are registered in the Axis Registry (M-DEF-9). No axis may be hardcoded in law, code, or UI (Constitution NT4). A future axis is registered by filling the nine attributes (data); registration is APR-gated (
assign_axis_owner/register_axis— prerequisite). An unregistered axis is detected asaxis_unregistered(critical), exactly as an orphan is detected. Information Unit axes are governed under this clause; IU axes are not enumerated in law (doc 03).
§4.16 (revised) — Owner-assignment, two-mode interim [T1-6]
Assignment = scan→propose→approve(Đ32)→apply→audit. Apply two-mode: law-anchored objects → agency→law edge (works today); law-orphan objects (route/adapter/standalone-policy/IU object/axis) → require §5.4-EXT — recorded as a known limitation with a named upgrade path, not a silent gap. SoD: propose ≠ approve ≠ apply-verify; approval always Đ32 quorum, never the DOT; a DOT never mints law/owner/action-type/event/axis.
§4.17 (revised) — Approved-exception — M-DEF-6 (11 fields, replacement_plan mandatory, non-exemptable floors, max 2 renewals, grant_governance_exception prerequisite, interim admin_fallback_log).
§4.18 (revised) — Future-feature readiness gate [T1-3/F3/K1]
Severity-aware (block on high/critical for touched objects; warning = 30-day TARGET; info ignored) and tiered by phase (G-DESIGN/IMPL/ROUTE/PROD). Waivable only by president, TTL-bounded, recorded (the waiver is itself a governed exception).
§5.4-EXT (reclassified) — Object/axis ownership edges [T1-6]
Reclassified from "deferred" to "prerequisite for object-grain & axis-grain ownership." Either extend
governance_relations(target_type='object'|'axis'+target_object_type/target_ref) or addgovernance_object_ownership(...)(council preference: new table). Until it exists, object/axis-grain APPLY isapply_blockedand law-orphan objects/axes areOWNER_GAPby construction. The single structural change the remediation half depends on.
§0-GOV hook (new pattern, for specialized laws) — doc 05 §5.4
Required declarative block in every specialized law touching governed objects: governed objects + coverage profile(s) + accountable owner per scope + axes introduced (→ Axis Registry) + risk-required links + issue/event types + "defers to Đ37 for definitions/invariant/exception/gate." A law missing §0-GOV is a law-level island (
hook_missing, caught at Đ20 review + inventory reconciliation).
C. Specialized-law clauses (folded from prior doc 13, unchanged in substance)
| Law | Clauses | Net effect |
|---|---|---|
| Đ31 | §4.3-Loại6 (6th check = Governance Coverage, cross-ref Đ37 §4.15, no redefinition); §4.6-ext (issue vocab register-before-write); §4.8-ext (severity-aware gate); §4.9-ext (inventory-completeness + route inventory + Axis Registry reconciliation + context triggers) | detection mechanism; severity gate; ground-truth reconciliation |
| Đ32 | new action-types assign_governance_owner(handler), grant_governance_exception/delegate_authority/assign_axis_owner(council-review) — substrate prerequisite |
enables PROPOSE/APPLY of owner/exception/axis |
| Đ35 | §6.2-bis coverage-DOT lifecycle DETECT→PROPOSE→APPROVE→APPLY→VERIFY→CLOSE; SoD; bootstrap seed; PROPOSE needs registered action-types; two-mode apply; IU DOTs must register in dot_tools SSOT |
execution; de-island IU DOTs |
| Đ24/29 | §0-OWNER policy(COUNCIL)/substrate(GOV-KG-SYS) split; max_ungrouped ≤ 50 = COUNCIL-owned threshold row; all numeric thresholds governed rows not literals |
classification axis ownership |
| Đ26 | §0-OWNER pivot inherits source owner only if source covered (anti-hiding); else pivot_coverage_unowned; PIVOT_MISSING; grand-total = constant-bucket VIEW |
pivot axis coverage |
| Đ28 | §0-OWNER render→GOV-MOUT, interim COUNCIL TTL-delegation; NT-D1-ext Nitro server/api/** in render tier, no truth-math; §VIII-ext Direct-PG = verified read-only exception, QUARANTINED; no hardcoded axis list in UI |
render ownership; Direct-PG exception |
| Đ41 | Direct-PG/deploy exceptions follow Đ37 exception model; ledger vps_deploy_log |
infra exceptions governed |
| Đ44/38 | §0-GOV hook; IU = governed domain; IU axes → Axis Registry; DEFER owner binding to OP-B council decision; review_decision as governed approval-adapter exception |
IU folded in (doc 03) |
| Đ45 | §3.2 register-before-emit; correct names (live = bare governance.*/proposal.* under mother, all active=false); new GOV-SIV governance/integrity domain (OQ-H1); register-before-write issue vocabulary; cooldown/escalation/suppression/emit-ceiling |
event/issue anti-spam |
| Đ0-G/Đ2/Đ20/Đ30/Đ36/Đ39 | REFERENCE Đ37 (no redefinition); birth precedence; registry pattern; design-gate precondition; rollback link; collection coverage; KG relation axis | reconciliation (doc 04) |
D. Coverage / consistency check of this package
| Mission §16 required element | Provided by |
|---|---|
| revised One-Roof principle | §4.15c |
| revised governed object definition | §4.15a + M-DEF-1 |
| revised governed object classes | M-DEF-2 + §4.15-ter + doc 06 |
| revised governance-orphan definition | M-DEF-5 + §4.15b |
| revised local island definition | §4.15c (object + law level) |
| revised ownership model | M-DEF-3 + §4.15-bis + doc 07 |
| revised exception model | M-DEF-6 + §4.17 + doc 08 |
| revised invariant | M-DEF-7 + doc 09 |
| revised detection obligations | §4.15d + Đ31 §4.9-ext + doc 10 |
| revised issue/event anti-spam rules | Đ45 notes + doc 11 |
| revised readiness gate | §4.18 + doc 09 §9.4 |
| IU / future-axis clause | §4.15-quater + M-DEF-8/9 + doc 03 |
| Điều 37 hub clause | §4.15..§4.18 + §0-GOV + doc 05 |
| specialized-law reference pattern | §0-GOV hook |
All thirteen required elements present.
Branch-M verdict
The consolidated hardened wording extends the prior 7 definitions to 9 (adding the axis + axis-registry definitions), adds three new Đ37 clauses (profiles, open-axis, §0-GOV hook) plus the §0-GOV declarative pattern, and folds all specialized-law clauses. Everything is draft-only; nothing is enacted, version-bumped, or status-changed. This is the text a future ratification phase patches into law — not patched here.