03 — All-Domain Coverage Proof (Branch C) (2026-06-01)
03 — All-Domain Coverage Proof (Branch C)
Claim under test: the One-Roof model covers every present domain and absorbs future domains with no hardcoded array. Method: run each domain through the same five-part pipeline; show that the only "list" the runtime depends on is data (the Object-class registry + the Axis Registry + the Class-0 source list), never an enumerated array in law/code/UI.
The pipeline (identical for every domain):
- Governed? = the shared-truth/authority predicate (M-DEF-1): if changing it can change what another user/agent sees as truth, or can authorize a mutation, it is governed. Else Class 0.
- Class & profile = one of the 13 object classes → its coverage profile (M-DEF-2). New object type = a new L1 inventory row +
default_profile(data), never a code edit. - Owner (per scope) = federated model (M-DEF-3): policy→GOV-COUNCIL, health→GOV-SIV, KG/label/vector→GOV-KG-SYS, exec→GOV-DOT, render→GOV-MOUT, law→GOV-NRM-SYS. Resolved relationally (no per-table owner column).
- Inheritance = owner-link ONLY (M-DEF-7); risk-required links (approval/rollback/dot-authority/recon) never inherit.
- Detection → issue/event = inventory reconciliation + §0-GOV hook + birth precedence (M-DEF-4) → central
system_issues+ Đ45 event, coalesced (Branch K).
The no-hardcode lemma: "governed?" is a predicate, not a membership list; the catalogue of object types is discovered from the L1 source inventory (which includes a first-class future_object_type row); axes are rows in the Axis Registry. Therefore adding a new domain/axis/object type changes data, not law/code. (Compliance: mission no_hardcode_absolute, discover_first_reuse_first.)
3.1 Coverage matrix — current domains
Legend: G = governed? (Y/N/Cond). Class = object class / profile. Inh = inheritance allowed (owner-link only). Det = primary detection path. HC-risk = hardcode risk. Gap = remaining substrate gap.
| Domain | G | Class / profile | Owner (accountable scope) | Inh | Det | HC-risk | Gap |
|---|---|---|---|---|---|---|---|
| Laws (NRM) | Y | LAW | NRM-SYS (law) / COUNCIL (policy) | container→clause | normative_registry inventory + agency-orphan | low | Đ20/23/44/45 unregistered (L-2) |
| Governance agencies | Y | POLICY | COUNCIL (policy) | no | governance_registry inventory | low | capability JSON not in enacted Đ37 (drift) |
| Registries | Y | REGISTRY/POLICY | domain owner | container→row | Đ2 registry + inventory | low | — |
| Collections | Y | REGISTRY | GOV-DOT (exec) / domain (policy) | container→row | collection health DOT | low | — |
| Tables (PG) | Y | SURFACE/substrate | GOV-SIV (health) | container→col | pg_catalog inventory | low | — |
| Pivots | Y | AXIS/POLICY | Đ26 → COUNCIL(policy)/SIV(health) | no | pivot_definitions inventory | med (group-by axis) | pivot domain agency-orphaned |
| DOTs | Y | DOT | GOV-DOT (exec) | no (never inherits exec) | dot_tools inventory + paired_dot | low | — |
| Labels / taxonomy | Y | AXIS | GOV-KG-SYS (substrate) / COUNCIL (policy) | namespace→value | Đ24 + label inventory | med (label dim = axis) | classification domain agency-orphaned |
| Species / composition | Y | AXIS/POLICY | GOV-KG-SYS | container→member | Đ0-B + species inventory | med | — |
| Birth / registry | Y | POLICY | GOV-SIV (health) / Đ0-G | precedence-root | Đ19 orphan scanner (LIVE) | low | — |
| IU / information units | Y | IU classes (17+1) | OP-B (TBD) → KG-SYS/SIV/DOT/MOUT | container→piece | iu inventory + conformance | high | OP-B + SB-AXIS-ENVELOPE |
| IU axes | Y | AXIS | per Axis-Registry row | no | Axis Registry reconcile | high | Axis Registry absent; envelope hardcodes 3 (SB-3) |
| KG / relation graph | Y | POLICY/SURFACE | GOV-KG-SYS | edge→edge no | Đ39 + iu_relation inventory | med | edge-write DOT missing |
| SQL links | Y | SURFACE | GOV-SIV (health) | no | Đ8 dependency + iu_sql_link | low | — |
| Vectors / indexing | Y | SURFACE | GOV-KG-SYS / GOV-SIV (drift) | no | vector_sync_point drift | med | reindex DOT missing |
| Workflows | Y | DOT/POLICY | GOV-MOW (draft) / COUNCIL | container→step | Đ34 (draft) inventory | med | Đ34 draft; GOV-MOW draft |
| Tasks | Y | DOT/EPHEMERAL | GOV-MOT (draft) | container→task | assembly.task inventory | low | GOV-MOT draft |
| Forms / input tables | Y | SURFACE/POLICY | GOV-MOIT (draft) | container→field | assembly.input inventory | low | GOV-MOIT draft |
| Output tables / reports | Y | SURFACE | GOV-MOUT (draft) | container→row | assembly.output inventory | med | GOV-MOUT draft (C-5) |
| Events / queues | Y | POLICY | GOV-SIV / Đ45 | type→type no | event_type_registry inventory | low | Đ45 unregistered (L-2) |
| Notifications | Y | SURFACE | GOV-SIV | no | notification route inventory | low | — |
| Approvals | Y | POLICY | GOV-COUNCIL / Đ32 | no | approval_requests + action-type inventory | low | action-type vocab gap (C-2) |
| Audit logs | Y | SURFACE | GOV-SIV | no | audit inventory | low | governance_audit_log dormant |
| Routes / API | Y | SURFACE | GOV-MOUT / GOV-SIV | no | derived-on-scan (OQ-G2) | high | route inventory not yet built |
| Nuxt / render / display | Y | SURFACE | GOV-MOUT (after Đ28) | template→instance | Đ28 + render inventory | high | Đ28 agency-orphaned |
| VPS / deploy / host | Y | SURFACE/EXCEPTION | Đ41 / GOV-SIV | no | vps_deploy_log inventory | med | Đ41 agency-orphaned; Direct-PG un-ledgered |
| Documents | Y | IU/SURFACE | NRM-SYS / KG-SYS | container→section | iu inventory | med | rides on IU/OP-B |
| User/cowork/agent artifacts | Cond | Class 0 or governed by reachability | COUNCIL (Class-0 list) | n/a | shared-truth test at share-time | high | OQ-A2 (share-time governance) |
3.2 Coverage matrix — future / not-yet-existing domains (the real test)
The model must absorb categories that do not exist today without a law rewrite. Each is handled by the same pipeline; the only artifact that changes is a data row.
| Future domain | Absorbed how (no code/law edit) | Where the "new" lives |
|---|---|---|
| Future object type (unknown class) | The L1 inventory carries a first-class future_object_type row → Class 12 FUTURE profile + owner-of-last-resort (COUNCIL) until classified. Detected the moment it appears in source inventory (inventory_gap). |
1 L1 inventory row (data) |
Future axis (new pivot group-by, new unit_kind, new label dimension, new IU axis) |
M-DEF-8: it is an axis the moment changing its definition changes classification/counting/display. Born via Đ0-G → registered as an Axis Registry row (9 attributes) → owner per scope. Until registered = axis_unregistered (critical). |
1 Axis-Registry row (data) |
Future document axis (e.g. evidence_unit, risk_signal, customer_instruction) |
Same as future axis, axis family = iu. No IU-axis array in law (the current 3 are examples). |
1 Axis-Registry row |
| Future module / registry | New L1 inventory + default_profile; §0-GOV hook in its design doc declares owner/scope/coverage at Đ20 review. |
1 inventory row + §0-GOV block |
| Future DOT | Đ35 registration into dot_tools + paired_dot; covered by GOV-DOT automatically. |
1 dot_tools row |
| Future law / design doc | Must carry a §0-GOV hook declaring its governed objects + owner + coverage profile; absence at Đ20 review = governance_hook_missing. |
§0-GOV block in the doc |
| AI-agent-generated workflow/pivot/label/DOT | The artifact is born (Đ0-G) → classified by predicate → owned → covered. The creator being an AI changes nothing: the artifact is governed by what it is, not who made it (red-team #25/#43/#44). | 1 birth + inventory row |
| Future approval/exception/route type | New apr_action_type / route → covered by the same profiles; the action-type vocabulary is itself a governed registry (Class 2). |
1 action-type row (after C-2) |
Proof of no-hardcode: in every future case, the runtime decision uses (a) the shared-truth predicate, (b) a lookup into the Object-class inventory or the Axis Registry, (c) the federated owner model. None of these enumerate the domains in law/code/UI. The mission's anti-hardcode requirement (NT4, no_hardcode_absolute) is satisfied by construction, not by listing.
3.3 The three structural mechanisms that make it open (not a list)
- Shared-truth predicate (M-DEF-1/8) — membership is computed, so an unforeseen object is classified on first sight, not omitted because it wasn't listed.
- L1 source inventory +
future_object_type— the catalogue of what exists is derived from the live system (pg_catalog, dot_tools, normative_registry, route scan, iu inventory…), so "everything that exists" is reconciled, and anything in source-but-not-in-the-registry is aninventory_gap. This is the inventory-completeness guarantee (the governance twin of the Đ19 orphan scanner). - Axis Registry (M-DEF-9, data) — dimensions are rows. A 4th, 5th, Nth axis is a row, not a schema/law change. (Caveat: at the IU substrate this is currently violated —
iu_three_axis_envelopehardcodes 3 axes; see SB-3 / doc 05. The concept is open; the IU substrate must be generalized to honor it.)
3.4 Where the model is open in concept but blocked in substrate (honest)
The model absorbs every domain in concept. Three live substrate facts mean some domains are detected-and-blocked but not yet auto-remediable, exactly the CONDITIONAL-GO frontier:
- Object/axis-grain ownership (routes, IU objects, axes, standalone policies) cannot be written until SB-2 (object edge) lands → those domains return
apply_blocked(red-team #14/#45). - IU domain ownership is unassigned (OP-B) → every IU object
OWNER_GAPuntil C-3. - IU axes cannot exceed 3 at substrate until SB-3 generalizes the envelope.
None of these is an uncaught gap — each is detected and gate-blocked. They are sequencing realities, not coverage holes.
3.5 Answer to Success-Target Q3 & partial Q4/Q5
Q3 ("covers all current + future domains without hardcoded lists?") → YES — proven over ~29 current + 8 future domains via one predicate-driven pipeline; the only runtime "lists" are data registries. Q4 (IU + future IU axes) → YES at concept (each IU axis = an Axis-Registry row), with the substrate caveat SB-3. Q5 (count>1 without flooding) → see doc 04.