02 — Open-Question Closure Ledger (Branch B)

Every open item from Round 1 (5 open risks), Round 2 (19 open questions), Round 3 (carried + new), and Round 4 (newly surfaced) is closed here. No item is left as "needs discussion." Each has a status, a recommended default, and a risk if unresolved.

Status vocabulary (mission §6): resolved (design-default firm — needs no decision) · design-default (firm default, council ratification optional) · council-decision-required (GOV-COUNCIL must rule; default recommended) · human-decision-required (sovereign/president ratification) · substrate-blocker (PG schema delta needed) · law-drift-blocker (content-only law correction needed) · defer-safe (can wait, no scale risk).

Closure summary: 27 unique items → 11 resolved/design-default, 6 council-decision-required, 2 human-decision-required, 3 substrate-blocker, 3 law-drift-blocker, 2 defer-safe. Net council/human decision surface = 8 items (6 council + 2 human), each with a recommended default. Zero items unclassified.

2.1 Cluster R — Resolved / firm design-default (no decision needed to proceed with concept docs)

ID	Question (source)	Final answer (default)	Evidence	Risk if ignored
OQ-B2	`PROFILE-SURFACE-RO` for read-only routes drop the rollback link? (R2)	Yes — a read-only surface has no mutation, so rollback is not a profile-mandatory link; rollback stays mandatory for mutating surfaces.	M-DEF-2 profiles are per-class checklists; read-only ⇒ no rollback obligation.	Over-flagging RO routes as ROLLBACK_GAP → noise.
OQ-D1	Does the Đ37 agency-orphan detector overlap the new object-coverage detector for laws 24/26/28/45? (R2)	Resolved by boundary clause: law/agency coverage gaps belong to the existing Đ37 agency-orphan + birth detector; object/axis coverage gaps belong to the new governance-coverage detector. They share `system_issues` + a common `coalesce_key` namespace so one root cause = one issue (M-DEF-4 precedence).	Live: `governance_relations` already detects agency→law; object edges don't exist (CHECK). Two grains, two detectors, one issue store.	Double-emission on laws 24/26/28 (already agency-orphaned).
OQ-D3	Which island sub-types are PG-detectable vs CI-only? (R2)	Resolved: no-owner-table / owner-constant-in-data = PG-detectable; local-approval-flag / owner-hardcoded-in-code / frontend-declared-owner = CI-only (source scan). The island clause names both detection channels.	Mission `no_hardcode_absolute` + live `hardcode_violation`(11)/`hc_finding_*` issue types already split PG vs source findings.	Islands hidden in code escape a PG-only scan.
OQ-E1/K3	Max exception/waiver renewals before replacement_plan must execute? (R2)	2 (matches M-DEF-6 "max 2 renewals"). After the 2nd renewal the exception auto-escalates to `critical` and the replacement_plan must execute.	Consistent across R2 M-DEF-6 and R3 doc 08.	"Temporary-forever" exceptions.
OQ-F3/H3/K2	warning→high escalation deadline? (R2/R3 OQ-F3)	30 days — `warning`-severity coverage gap is non-blocking but carries a 30-day remediation target; on expiry it escalates to `high` (blocking).	Severity-aware gate (T1-3 resolution).	Warnings silently rot.
OQ-G2	Route registry: new table vs derived-on-scan? (R2/T1-7)	Derived-on-scan (reuse-first): reconcile nginx `location` + Nuxt `server/api/**` + page routes into a derived route inventory; a route present in source but absent from the derived inventory = `route_orphan` (high); a route-class object with no owner = `OWNER_GAP`. No new table.	Mission `discover_first_reuse_first`; live Direct-PG adapter is exactly an unregistered route.	Routes are the most island-prone surface (G2 gap).
OQ-H1	New `governance`/`integrity` event domain vs reuse the dormant `mother` rows? (R2/R3)	New GOV-SIV `governance`/`integrity` event domain (born under Đ45 register-before-emit). Leave the 9 dormant `mother.governance.`/`proposal.` rows for the factory mothers.	Live: `mother.` events are `active=false` and owned by the factory domain*; reusing them couples governance health to the factory lane (H1 naming defect).	Mis-routed events, naming collision.
OQ-I2	Bring §5.4-EXT forward as a Tier-1 prerequisite? (R2)	YES — already done (Round 3 = T1-6b). Closed.	R3 doc 14 §14.3.	n/a (closed).
OQ-J7	Taxonomy/label substrate owner: GOV-KG-SYS vs a dedicated taxonomy agency? (R2)	GOV-KG-SYS (it already exists, active, owns the `kg` domain incl. labels/taxonomy/vector). No new agency.	Live: GOV-KG-SYS active, `created_by_law=NRM-LAW-39`.	Proliferation of agencies (island risk).
OQ-K6	CI blocking-in-deploy vs scheduled-detect? (R2)	Blocking-in-deploy for the production gate (a true gate must block); scheduled-detect for the population sweep.	Mission `no_production_mutation_without_gate`; readiness gate G-PROD.	A non-blocking "gate" is not a gate.
D-1/D-2/D-3	Three internal Round-3 doc discrepancies. (R4)	Resolved in doc 01 §1.3: 48/48 (100%)+44 auto-remediable authoritative; `AXIS` referenced by name (frozen Class 3); "17 enumerated + 1 open" IU classes.	doc 01.	Internal inconsistency in the final package.

2.2 Cluster C — Council-decision-required (GOV-COUNCIL must rule; default recommended; does NOT block concept-doc patch)

C-1 · OQ-B7 / I2 — object/axis ownership edge: extend CHECK vs new table

Question: record agency→object/axis ownership by widening governance_relations CHECK, or by adding a new governance_object_ownership(...) table?
Resolvable by evidence? Partly — evidence favors a default; the choice is a council call (it is a schema-design + risk decision).
Evidence: live chk_relations_source_type/chk_relations_target_type both ∈ {law, agency}; 8 live edges all agency→law. Widening the CHECK is an in-place migration on the load-bearing edge table; a new table is additive (no migration risk to live edges).
Recommended default: new table governance_object_ownership (additive, no CHECK-migration risk). Also a substrate-blocker (see doc 08 SB-2) — concept docs may reference the model; apply waits on it.
Risk if unresolved: object-grain & axis-grain remediation stays inoperable (red-team #14/#45 remain 🟧).

C-2 · OQ-C7 / E2 / I1 — new APR action-type bundle

Question: add the governance action-types as one bundle? which get handlers vs council-review-only?
Evidence: live apr_action_types = 6 (none for owner-assign/exception/axis); amend_law/enact_nrm already exist but unimplemented.
Recommended default: one bundle of 4 — assign_governance_owner (with handler), grant_governance_exception (council-review), delegate_authority (council-review), assign_axis_owner (council-review). Until added, exceptions live in admin_fallback_log (M-DEF-6 interim). Also a substrate-blocker (doc 08 SB-1).
Risk: PROPOSE cannot file a well-formed APR (red-team #13/#36 remain 🟧); the proposer self-trips its own approval_path_gap.

C-3 · OP-B — IU family owner assignment

Question: which agency owns the IU family, per scope?
Resolvable by evidence? No — this is a governance assignment, not a fact. (Evidence proves the gap, not the answer.)
Evidence: no governance_registry row owns information_unit; owner_ref on all 219 IUs is free-text (agent:p3d1, incomex_council), not an agency FK; conformance_status='open' for all 219 (gate never closes).
Recommended default (council to ratify): policy→GOV-COUNCIL; substrate/health (KG/taxonomy/vector)→GOV-KG-SYS + integrity/coverage→GOV-SIV; execution (cut/split/merge/compose DOTs)→GOV-DOT; render→GOV-MOUT (interim COUNCIL delegation, TTL-bounded); law owner of IU family→GOV-NRM-SYS.
Blocker status: council-decision-required; gates IU surface/owner-binding design docs (NO-GO until decided). Concept-level IU coverage may be patched now (excluding owner-binding).
Risk: IU stays an island; every IU object is OWNER_GAP.

C-4 · OQ-IU-OWNER — `review_decision_id` as approval adapter

Question: does IU's internal review_decision_id count as a council-approved domain-local approval, or must IU mutations route through central Đ32 APR?
Recommended default: record review_decision as a governed approval-adapter exception (11-field record, with a replacement_plan to migrate to Đ32). If council instead requires full Đ32 routing, IU de-islanding is heavier (self-review weakness #7).
Blocker status: council-decision-required (rides with OP-B).
Risk: either a hidden local-approval island (if accepted silently) or a much larger IU migration (if rejected).

C-5 · OQ-J6 — render ownership: COUNCIL delegation vs GOV-MOUT activation

Question: provisional COUNCIL render-delegation now, or fast-track GOV-MOUT activation?
Evidence: GOV-MOUT is draft, has 0 relation edges, born of Đ7 not Đ28; Đ28 itself is agency-orphaned (no display/render domain).
Recommended default: delegation now (TTL-bounded), GOV-MOUT activation as the end-state (requires a separate high-risk Đ32 approval + Đ28 binding).
Blocker status: council-decision-required; does not block concept docs.
Risk: render/display truth has no live owner (Đ28 island risk).

C-6 · OQ-A2 / A3 — shareable-but-personal boundary & legacy-bypass deadline

Question (A2): when does a personal artifact (a pin that can be exported/shared) become governed? (A3): standard deadline to regularize an inherited live bypass?
Recommended default: (A2) a Class-0 artifact crosses into governed at the moment of export/share (sharing changes shared-truth reachability — M-DEF-1). (A3) 60 days. Both are firm defaults the council may simply ratify (borderline-resolved).
Blocker status: council-decision-required (ratification); safe to proceed on the defaults.
Risk: either over-governing private pins or letting shared pins escape.

2.3 Cluster H — Human-decision-required (sovereign / president)

H-1 · Sovereign sign-off absent → enactment blocked

Question: how do the new clauses become enacted law?
Evidence: os_proposal_approvals = 0 (never used); apr_approvals = 42 all S178 DOT-repair; amend_law/enact_nrm handler_ref unimplemented; live enact-via-APR attempts (id 204–210) all rejected.
Final answer: enactment is a separate human-ratification phase (council_review + manual/admin-fallback enact into normative_registry, the way the live corpus was bootstrapped). Out of scope for the design patch.
Blocker status: human-decision-required. Does not block concept-doc patching (design ≠ enactment).
Risk: clauses remain draft; design proceeds, enactment waits.

H-2 · OP-B owner assignment ratification

OP-B (C-3) requires a council decision and sovereign ratification to bind IU ownership into live governance_registry/governance_object_ownership. Listed here as the human-phase tail of C-3.

2.4 Cluster S — Substrate-blocker (PG schema delta; design may reference, apply waits)

S-1 · T1-6a — APR action-types (see C-2). Substrate delta = 4 new `apr_action_types` rows + handlers/council-review wiring. Detail: doc 08 SB-1.

S-2 · T1-6b — object/axis ownership edge (see C-1). Substrate delta = new `governance_object_ownership` table (preferred) or widened `governance_relations` CHECK. Detail: doc 08 SB-2.

S-3 · SB-AXIS-ENVELOPE (NEW, Round 4) — IU substrate hardcodes exactly 3 axes

Question: the open-axis model says "no fixed axis array," but the live IU substrate physically hardcodes 3 axes. How does a 4th IU axis exist without DDL?
Evidence (NEW): iu_three_axis_envelope columns are axis_a_doc_code/axis_a_sort_order/axis_a_section_code, axis_b_tags/axis_b_tags_by_source, axis_c_parent_id/axis_c_depth/axis_c_ancestors — exactly three axes in DDL. 216 rows. A 4th axis (e.g. policy_clause, risk_signal) cannot be added without ALTER TABLE.
Recommended default: treat iu_three_axis_envelope as a denormalized projection / hot-cache of the Axis Registry, NOT the axis universe. The Axis Registry is the ground truth; the envelope may carry the first-N "hot" axes for query speed, while all axes (incl. future) live in a generic axis-value store (e.g. iu_axis_value(unit_id, axis_code, value, ...), keyed by an Axis-Registry axis_code). Concept-level open-axis model is patchable now; the substrate generalization is IU technical design, after OP-B.
Blocker status: substrate-blocker + defer (to IU design phase). Detail: doc 08 SB-3.
Risk: the keystone "no hardcoded axis array" claim is contradicted at substrate until generalized — a future axis silently requires a schema change (a hidden hardcode).

2.5 Cluster L — Law-drift-blocker (content-only law correction; GOV-NRM-SYS; blocks a law patch, not the design patch)

L-1 · OQ-J10 — enacted-law drift

Items: Đ45 ban_hanh=false leftover lines; Đ36 v4.0 (index) vs v5.0 (file draft) ambiguity; enacted Đ37 v3.3 text vs live column names (gov_type/created_by_law/relation_type/enforcement_role + capability JSON not in the law).
Final answer: resolve content-only by GOV-NRM-SYS before any law patch (separate prompt). Does not block the design patch.
Blocker status: law-drift-blocker. Risk: a law patch built on drifted text re-introduces the drift.

L-2 · Law-registration gap (NEW, Round 4) — Đ44, Đ45, Đ20, Đ23 absent from `normative_registry`

Evidence (NEW): normative_registry (47 rows) contains no article 20, 23, 44, or 45. Yet IU runs live under Đ44 (draft), events under Đ45 (KB-enacted but unregistered), design-before-impl under Đ20, DOT-scan under Đ23.
Final answer: GOV-NRM-SYS must register these as normative_registry rows (status draft for Đ44; enacted for Đ45/Đ20/Đ23 per their KB headers) before any clause referencing them is patched into law. Concept design may cite them as "draft / KB-only, registration pending."
Blocker status: law-drift-blocker. Risk: the design references laws that the live law registry does not know exist → GOVERNANCE_SCHEMA_DRIFT.

L-3 · R1-OR4 — phantom definition wording

Per-source-model phantom definition (record>actual unreliable: model-A write-race vs model-B genuine) still needs council clause wording (drafted but un-ratified). Blocker status: law-drift-blocker (content). Default: define phantom per source_model (model-A = stale-actual write-race ≠ phantom; model-B = genuine record>actual). Risk: false phantom findings.

2.6 Cluster D — Defer-safe (no scale risk in waiting)

ID	Question (source)	Default	Why defer-safe
OQ-B3	Build a `design_link` registry or keep design_ref advisory? (R2)	Advisory now; promote to a registry only if DESIGN_REF_GAP noise warrants.	design_ref is descriptive-only (not authority-critical, M-DEF-5) → never anarchic.
OQ-G1	File/config ground-truth scan root (model-B `File:…`, nginx)? (R2)	Defined scan root on the VPS (config-driven, not hardcoded).	Implementation detail of the scanner; concept model is agnostic.
OQ-I5	Verify `event_outbox` registry CHECK exists (fail-closed)? (R2)	Fail-closed required; verify in scanner design. Live note: `system_issues.issue_type`/`issue_class` have no CHECK (free-text) — so register-before-emit must be enforced by Đ45 + the emit path, not a DB CHECK.	Verifiable at implementation; default is the safe direction.
OPEN P38-X-11	`axis.iu.legal_domain` source registry: Đ24 taxonomy vs `dot_config`? (R3)	Đ24 taxonomy (Đ24 Label Law is enacted; `dot_config` is config, not a taxonomy SSOT).	A registration detail for one axis; the Axis-Registry model is agnostic.
IU-CONF	IU `conformance_status='open'` for all 219 — gate never closes (R4).	GOV-SIV closes conformance as part of the coverage scan; implementation, not concept.	Concept model already specifies the conformance gate; closing it is scanner work.

2.7 Round-1 open-risk mapping (for completeness)

Round-1 risk	Closed as
§5.4-EXT structural decision	C-1 / S-2 (council: new table; substrate-blocker).
GOV-MOUT activation	C-5 (council: delegation now, activation end-state).
Law ratification human-only	H-1 (human-decision; separate phase).
Phantom definition wording	L-3 (law-drift; per-source-model default).
Direct-PG exception un-ledgered	defer→C/L: ratify under Đ41/Đ33 OR add PK to views + route via Directus; back-fill `vps_deploy_log`. Council clause; does not block concept design.

2.8 Answer to Success-Target Q2

"Are all unresolved questions from Round 2 and Round 3 either resolved or turned into exact council/human decisions?" → YES. All 27 unique items carry a status + default + risk. The decision surface the council/human must actually rule on is exactly 8 (C-1..C-6 + H-1 + H-2), every one with a recommended default. Everything else is resolved-default, substrate-blocker (named, with upgrade path), law-drift (content-only), or defer-safe. Zero vague items remain.