KB-3F9D rev 2

25 — T6 Governance Coverage Scanner / DOT Family Technical Design (propose-only, apply NO-GO, design-only, 2026-06-01)


⚠️ BUILD ADDENDUM — NON-SEMANTIC CROSS-REFERENCE (added 2026-06-01; design below UNCHANGED) This is the T6 coverage-scanner/DOT base design (doc 25, complete). Do NOT build from this document alone. T6/T7 BUILD requires the GCOS substrate — SB-10/11/12/13 (docs 38–41) built first, plus the 10 build addenda in doc 35 §3.2, per the consolidated build index doc 45. Live corrections that override values printed below: birth_registry≈1.04M & still growing; canonical_address is NULL in ALL rows (key on collection_name:entity_code); worker watermark is text type-generalized (int birth-id vs uuid outbox-id). Re-verify live before any build. START HERE: doc 45 → doc 42 → docs 38–41 → docs 31–35 → doc 46 (C-7) → then this design.


Path: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
Doc: 25. Track: T6 (Branch C). Now unblocked for design: T3 (SB-1, doc 16) + T4 (SB-2, doc 17) are design-complete (doc 20). Builds on doc 08 (scanner scaffold), doc 24 (T7 taxonomy), concept canon 01–02.
Status: DESIGN ONLY. APPLY IS NO-GO. The scanner detects → classifies → proposes. It never self-applies a remediation, never registers a DOT, never emits a production signal, and never mutates a governed object. No PG/Directus/Qdrant/Nuxt mutation occurs in this macro.
Owner (proposed): GOV-SIV (Điều 31, monitoring.integrity) runs the read/detect/propose/audit family; the apply DOT is a GOV-DOT (Điều 35) executor that runs only an approved APR. SIV proposes; COUNCIL/owner approves; GOV-DOT executes. No agency self-applies.
Evidence base: doc 18 + re-verified read-only 2026-06-01 (dot_coverage_required=11; dot_tools=309; governance_audit_log=1 stale; system_issues≈190,288; meta_catalog=169; governance_object_ownership/…_responsibility_scope ABSENT).


1. Scope, non-goals, apply NO-GO

In scope (design): the coverage scanner lifecycle; the 6-layer detector; the 7-DOT family (scan/detect/classify/propose/audit/exception-review/issue-route separation); how it consumes SB-1 (action-types) and SB-2 (ownership store + views); the inventory-completeness reconciliation (the governance twin of birth-orphan); audit-loop activation (SB-7); the dot_coverage_required rows to add (SB-8); reuse of the T7 anti-spam taxonomy.

Non-goals / forbidden here: registering any DOT in dot_tools; running any production scan; emitting any event; inserting any system_issues/dot_coverage_required row; creating any APR; writing any owner row; any PG/Directus/Qdrant/Nuxt mutation.

Apply NO-GO (hard). The dot_governance_assignment_apply DOT (the only mutating member) writes governance_object_ownership. It is NO-GO until: SB-1 Phase-B handler is built and handler_ref flipped (C-2), SB-2 table is live (C-1), the APR it executes is quorum-approved (Điều 32), and sovereign sign-off exists (H-2/SB-6; os_proposal_approvals=0 ⇒ COMMIT_FORBIDDEN). Design may proceed; apply may not.


2. Reuse map — no second scanner, no second roof

  • Need: orphan/inventory scan pattern. Reused live mechanism: Điều 19 birth-orphan scanner (thiếu_quan_hệ/thiếu_mã_định_danh; dot_coverage_required birth.orphan/scan rows). How: governance coverage is the layer above birth; reuses the same scan/coalesce shape; yields to birth on unborn objects (M-DEF-4).
  • Need: DOT lifecycle / A-B pairing. Reused live mechanism: Điều 35 + GOV-DOT (dot_tools=309; live governance.approval propose(A)/execute(B)/health(A) coverage rows). How: tier-A = read/propose/health (no mutation); tier-B = execute (mutation, approved APR only).
  • Need: detection ownership. Reused live mechanism: Điều 31 / GOV-SIV. How: SIV detects + proposes; never self-applies.
  • Need: findings / events / anti-spam. Reused live mechanism: doc 24 (T7) taxonomy + system_issues/event_outbox/registry_changelog. How: the scanner is the producer of the 20 findings; reuses coalesce/cooldown/ceiling.
  • Need: owner resolution. Reused live mechanism: SB-2 views v_object_effective_owner / v_object_owner_gap (doc 17). How: the detector's owner layer reads these (gated on SB-2 live).
  • Need: remediation verbs. Reused live mechanism: SB-1 action-types (doc 16). How: propose sets proposed_action_code ∈ {assign_governance_owner, grant_governance_exception, delegate_authority, assign_axis_owner}.
  • Need: audit. Reused live mechanism: registry_changelog (+ event_outbox). How: audit-loop activation (SB-7); governance_audit_log stays relation-scoped, untouched.

3. No-hardcode inventory sourcing (no axis/object literals — mandatory)

The scanner must not enumerate current axes or object classes from a code array. Its inventory is discovered from registries / config / source inventory at run time:

  • Object classes ← meta_catalog.entity_type (169 live classes) + the coverage-profile class catalog (a Class-2 governed registry, M-DEF-2). A new object class is a row → automatically in scope, no code change.
  • Per-class members ← each class's registry_collection (from meta_catalog), e.g. pivot_definitions, dot_tools, information_unit, collection registries.
  • Axes ← the Axis Registry (M-DEF-9) when it exists; in the interim the axis inventory is derived from pivot_definitions.group_spec dimensions + the classification/pivot law domains (law_jurisdiction). The Axis Registry's absence is itself a finding (axis_unregistered / inventory_gap, critical), never a silent hardcoded fallback.
  • Required scopes ← governance_responsibility_scope (the 6 SB-2 rows: policy/health/execution/render/approval/audit).
  • Coverage profiles (mandatory-link checklists) ← the M-DEF-2 profile registry (data). covered ⟺ all profile-mandatory links resolve.
  • Severity / routing policy ← computed from (gap_family × object_risk_class × shared_truth) and resolved owners (doc 24 §5, §7); no literal.

Invariant: if the source-of-truth registry for any dimension is missing, the scanner raises an inventory_gap/axis_unregistered finding and fails closed for that dimension; it does not invent a list.


4. The 6-layer coverage detector

Each scan pass runs six layers in order; a layer's output feeds the next.

  • L1 Inventory. What it does: enumerate every governed object + axis from §3 sources; build the run's object set at the governance grain (roots + non-inheriting + containers; M-DEF-7). Reads: meta_catalog, registry_collections, Axis Registry/pivot_definitions, profile registry. Emits: none (builds the set); inventory_gap/axis_unregistered if a source registry is missing.
  • L2 Birth precedence. What it does: drop unborn/unregistered objects (yield to Điều 19); share coalesce_key so one root cause = one issue (M-DEF-4). Reads: birth registry / orphan scan output. Emits: none (suppresses; no governance issue on unborn).
  • L3 Owner resolution. What it does: for each (object × required scope), resolve the effective accountable owner via v_object_effective_owner (owner-link inheritance). Reads: SB-2 views. Emits: owner_gap, owner_conflict, pivot_coverage_unowned, classification_policy_unowned, pin_policy_unowned.
  • L4 Profile / coverage. What it does: check every profile-mandatory link resolves (owner, approval-path, rollback, dot-authority, audit, capability, law-ref, design-ref, issue-event). Reads: profile registry, governance_relations, dot_tools, normative_registry, KB design refs. Emits: capability_gap, approval_path_gap, audit_gap, rollback_gap, dot_authority_gap, issue_event_gap, law_ref_gap, design_ref_gap, governance_orphan.
  • L5 Anarchy / island. What it does: classify missing authority-critical links as anarchic (M-DEF-5); detect islands via a dual channel: (a) PG: no-owner-table / owner-constant-in-data; (b) CI/source-scan: local-approval-flag / owner-hardcoded-in-code / frontend-declared-owner. Reads: PG state + source/CI scan. Emits: local_governance_island, plus severity-escalation of L3/L4 findings to anarchic.
  • L6 Reconciliation / invariant. What it does: close coverage invariant v3 at the governance grain; reconcile inventory completeness; coalesce; emit summary + heartbeat. Reads: all prior layers + exception register. Emits: governance_schema_drift, unratified_exception, direct_pg_unratified_exception, phantom_definition_gap; governance.coverage.summary + …scan_completed heartbeat.

Coverage invariant v3 (L6): total = covered + orphans + approved_exceptions + retired/ignored + stale, closing exactly at the governance grain (incl. axis-grain and IU-grain). A non-closing scope → governance_schema_drift. (IU axis-grain is capped at 3 axes at the substrate until SB-3 — the invariant is concept-true now, IU-substrate-true only after SB-3; L1 records this caveat for IU objects.)
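As an added illustration (not code from this design or the project), the following Python models layers L1, L3 and L6 in memory: an inventory that fails closed on a missing registry, owner gaps coalesced on the governance anchor, and the v3 ledger check. Registry, view and finding names are the design's; the lookup dict standing in for v_object_effective_owner, the SCOPES tuple and every data row are constructed.

```python
# Added illustration, not project code: layers L1, L3 and L6 modelled in memory
# (fail-closed inventory, owner_gap coalesced at the governance grain, invariant v3).
from collections import Counter

SCOPES = ("policy", "health", "execution", "render", "approval", "audit")  # the 6 SB-2 scopes

def l1_inventory(registries):
    # L1: objects come only from registries; a missing registry is an inventory_gap
    # for that dimension and the scan fails closed there (no list is invented).
    objects, findings = [], []
    if "meta_catalog" not in registries:
        return [], [{"type": "inventory_gap", "coalesce_key": "registry:meta_catalog"}]
    for cls in registries["meta_catalog"]:
        rows = registries.get(cls["registry_collection"])
        if rows is None:
            findings.append({"type": "inventory_gap",
                             "coalesce_key": "registry:" + cls["registry_collection"]})
            continue
        objects += [{"code": r["code"], "anchor": r.get("anchor", r["code"]),
                     "retired": r.get("retired", False)} for r in rows]
    return objects, findings

def l3_owner_gaps(objects, scopes, owners):
    # L3: an (anchor, scope) lookup standing in for v_object_effective_owner; a child
    # resolves through its anchor, and misses coalesce on the anchor (one root cause = one finding).
    gaps = {}
    for obj in objects:
        missing = [s for s in scopes if (obj["anchor"], s) not in owners]
        if missing and not obj["retired"]:
            key = "owner_gap:" + obj["anchor"]
            f = gaps.setdefault(key, {"type": "owner_gap", "coalesce_key": key,
                                      "scopes": set(), "occurrence_count": 0})
            f["scopes"].update(missing)
            f["occurrence_count"] += 1
    return list(gaps.values())

def l6_ledger(objects, scopes, owners, exceptions):
    # L6: each object lands in exactly one bucket. An exception without approval_ref
    # is not approved: the object stays an orphan and is flagged unratified_exception.
    ledger, findings = Counter(total=len(objects)), []
    for obj in objects:
        exc = exceptions.get(obj["anchor"])
        if obj["retired"]:
            ledger["retired"] += 1
        elif all((obj["anchor"], s) in owners for s in scopes):
            ledger["covered"] += 1
        elif exc and exc.get("approval_ref"):
            ledger["approved_exceptions"] += 1
        else:
            ledger["orphans"] += 1
            if exc is not None:
                findings.append({"type": "unratified_exception", "coalesce_key": obj["anchor"]})
    return ledger, findings

def invariant_v3(ledger):
    # total = covered + orphans + approved_exceptions + retired + stale, else drift.
    rhs = sum(ledger.get(k, 0) for k in ("covered", "orphans", "approved_exceptions", "retired", "stale"))
    if ledger.get("total", 0) == rhs:
        return []
    return [{"type": "governance_schema_drift", "severity": "high", "ledger": dict(ledger)}]

def run_scan(registries, owners, exceptions, scopes=SCOPES):
    objects, findings = l1_inventory(registries)
    findings += l3_owner_gaps(objects, scopes, owners)
    ledger, more = l6_ledger(objects, scopes, owners, exceptions)
    return ledger, findings + more + invariant_v3(ledger)

# Constructed sample; the information_unit registry is deliberately absent.
REGISTRIES = {
    "meta_catalog": [{"registry_collection": c} for c in ("pivot_definitions", "dot_tools", "information_unit")],
    "pivot_definitions": [{"code": "pv_root"}] + [{"code": f"pv_c{i}", "anchor": "pv_root"} for i in range(1000)],
    "dot_tools": [{"code": "dot_x"}, {"code": "dot_old", "retired": True}],
}
OWNERS = {("pv_root", s): "GOV-SIV" for s in SCOPES}           # children inherit from pv_root
OWNERS.update({("dot_x", s): "GOV-DOT" for s in SCOPES[:-1]})  # dot_x has no audit owner
EXCEPTIONS = {"dot_x": {"approval_ref": None}}                  # exception granted without an APR
if __name__ == "__main__":
    ledger, findings = run_scan(REGISTRIES, OWNERS, EXCEPTIONS)
    print(dict(ledger), sorted(f["type"] for f in findings))
```

Note that 1000 children under a covered anchor add to total but raise no finding, and the missing information_unit registry produces one inventory_gap rather than an empty guessed class.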


5. Scanner lifecycle (state machine)

        ┌─────────────────────────────── periodic schedule / on-demand ──────────────────────────────┐
        ▼                                                                                              │
   [SCAN] ──▶ [DETECT] ──▶ [CLASSIFY] ──▶ [PROPOSE] ──▶ (human/council APPROVE — NOT the scanner) ──▶ [APPLY*]
   L1        L2–L4        L5 + severity   raise APR        Điều 32 quorum (fn_apr_quorum_check)         GOV-DOT
   inventory gaps         anarchic/island  (SB-1 verb)      president+2 council; self-approve barred    writes SB-2*
        │                     │                                                                          │
        ▼                     ▼                                                                          ▼
   [ISSUE-ROUTE] ◀───────────┴─── findings (system_issues, doc 24) ───────────────────────────▶ [AUDIT] ──▶ changelog+event
        │                                                                                          │
        ▼                                                                                          ▼
   notify owner (event_outbox signal, Đ45)                                              [EXCEPTION-REVIEW] (TTL/renewal/fingerprint)

* APPLY is NO-GO (see §1). The approve step is always human/council via the APR spine — the scanner cannot approve its own proposal (fn_apr_quorum_check bars proposer==approver; doc 27).

Stage → DOT mapping: SCAN→dot_governance_coverage_scan; DETECT→dot_governance_orphan_detect; CLASSIFY is folded into detect+propose (severity/anarchy computed); PROPOSE→dot_governance_gap_propose; APPLY→dot_governance_assignment_apply (NO-GO); AUDIT→dot_governance_coverage_audit; EXCEPTION-REVIEW→dot_governance_exception_review; ISSUE-ROUTE→dot_governance_issue_route.
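The separation of authorities in the lifecycle above (SIV proposes, council approves, GOV-DOT applies only an approved APR through a real handler), as an added in-memory example that is not the project's code. fn_apr_quorum_check and fn_apr_block_unimplemented_handler are only named in this design; the rules modelled here (president + 2 council, proposer barred, handler_ref='unimplemented' refuses the apply, supersedes chaining on rollback) are assumptions taken from this page, and the APR and ownership rows are constructed.

```python
# Added illustration, not project code: the propose / approve / apply gates of the
# scanner lifecycle modelled in memory. Quorum and handler rules are assumptions
# drawn from this design; fn_apr_* names are stand-ins, not the live functions.
import itertools

SB1_ACTION_TYPES = {v: "unimplemented" for v in (  # handler_ref per SB-1 verb (Phase A)
    "assign_governance_owner", "grant_governance_exception",
    "delegate_authority", "assign_axis_owner")}
_ids = itertools.count(1)

class GateError(Exception):
    pass

def propose(finding, verb, payload, action_types=SB1_ACTION_TYPES):
    # dot_governance_gap_propose: FK-valid verb, action='review' (never 'add'), proposer
    # recorded so self-approval is detectable. An unknown verb degrades to draft-only.
    if verb not in action_types:
        return {"status": "draft", "finding": finding, "intent": verb}  # nothing submitted
    return {"id": next(_ids), "status": "pending", "action": "review",
            "target_collection": "governance_object_ownership", "proposed_action_code": verb,
            "source_context": {"proposer": "GOV-SIV"}, "payload": payload, "approvals": []}

def approve(apr, approver, role):
    # Stand-in for fn_apr_quorum_check: president + 2 council; proposer == approver barred.
    if apr["status"] != "pending":
        raise GateError("APR is not pending")
    if approver == apr["source_context"]["proposer"]:
        raise GateError("proposer == approver is barred")
    if any(a["who"] == approver for a in apr["approvals"]):
        raise GateError("duplicate approval")
    apr["approvals"].append({"who": approver, "role": role})
    roles = [a["role"] for a in apr["approvals"]]
    if "president" in roles and roles.count("council") >= 2:
        apr["status"] = "approved"
    return apr["status"]

def apply_assignment(apr, ownership, action_types=SB1_ACTION_TYPES):
    # dot_governance_assignment_apply: approved APR only; blocked while handler_ref is
    # 'unimplemented'; one active owner per (object, scope) via supersedes chaining
    # (the prior row is revoked, never deleted); approval_ref back-links the APR.
    if apr["status"] != "approved":
        raise GateError("refused: APR status is " + apr["status"])
    if action_types[apr["proposed_action_code"]] == "unimplemented":
        raise GateError("fn_apr_block_unimplemented_handler: handler_ref='unimplemented'")
    key = (apr["payload"]["object"], apr["payload"]["scope"])
    prior = ownership.get(key)
    if prior is not None:
        prior["lifecycle_status"] = "revoked"
    ownership[key] = {"owner": apr["payload"]["owner"], "approval_ref": apr["id"],
                      "lifecycle_status": "active", "supersedes": prior}
    apr["status"] = "applied"
    return ownership[key]

def rollback(ownership, key):
    # Restore the superseded row; the rolled-back row is marked revoked, not hard-deleted.
    current = ownership[key]
    current["lifecycle_status"] = "revoked"
    if current["supersedes"] is not None:
        ownership[key] = current["supersedes"]
        ownership[key]["lifecycle_status"] = "active"
    return ownership[key]

if __name__ == "__main__":
    apr = propose("owner_gap:dot_x", "assign_governance_owner",
                  {"object": "dot_x", "scope": "audit", "owner": "GOV-SIV"})
    for who, role in (("president", "president"), ("c1", "council"), ("c2", "council")):
        approve(apr, who, role)
    try:
        apply_assignment(apr, {})  # NO-GO while handler_ref is still 'unimplemented'
    except GateError as e:
        print(e)
```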


6. The 7-DOT family — full specifications

Common to all: owner = GOV-SIV except the apply DOT (GOV-DOT); each is itself a governed object (registered in dot_tools at build time, covered by a dot_coverage_required row, §9); each is paired with a test DOT (Điều 35 A/B pairing); no DOT hardcodes axis/object lists (§3).

6.1 dot_governance_coverage_scan (SCAN)

  • Owner: GOV-SIV. Tier: A (read/health). Read/Mutate: READ-ONLY (registries, source inventory). No mutation.
  • Approval need: none to run (read-only). Input: scan scope (all / class / axis), profile registry, §3 sources. Output: the run's governed-object+axis inventory set at governance grain + inventory_gap/axis_unregistered findings + a governance.coverage.scan_completed heartbeat.
  • State transition: none on governed objects; writes only the heartbeat/summary signal (gated) + scan run-record in registry_changelog (audit).
  • Audit: registry_changelog run row. Rollback: N/A (read-only; idempotent).
  • Paired test: dot_governance_coverage_scan_test — assert inventory derived from registries (no literal list), Δtotal=0 when 10⁶ children added under a covered anchor, fails-closed on a missing source registry.
  • Failure mode: a source registry missing → raise inventory_gap, fail closed (do not invent list). Timeout on a huge class → sample + report population count.
  • Issue/event integration: producer of L1 findings + heartbeat (doc 24). SB-1/SB-2 dependency: none to run read-only (inventory only).

6.2 dot_governance_orphan_detect (DETECT)

  • Owner: GOV-SIV. Tier: A. Read/Mutate: READ-ONLY.
  • Approval need: none. Input: the L1 inventory set + SB-2 views + profile/relations/dot/law/KB sources. Output: L2–L4 findings: governance_orphan, owner_gap, owner_conflict, capability_gap, approval_path_gap, audit_gap, rollback_gap, dot_authority_gap, issue_event_gap, law_ref_gap, design_ref_gap, pivot/classification/pin_*_unowned.
  • State transition: raises/updates system_issues rows (coalesced) — a finding write, not a governed-object mutation. (Live emit gated.)
  • Audit: registry_changelog per raise/close. Rollback: auto-close on next clean scan (idempotent by coalesce_key).
  • Paired test: …_detect_test — owner_gap raised iff no accountable owner resolves; anti-hiding (approval_path_gap on a child under a covered parent); birth precedence suppresses unborn.
  • Failure mode: SB-2 views absent → owner-resolution layer (L3) degraded: emits a governance_schema_drift/design-stage note for owner-dependent findings and reports only non-owner gaps; never guesses owners.
  • Issue/event integration: primary producer of doc 24 Table 5 findings. SB-1/SB-2 dependency: L3 owner findings require SB-2 views live; L4 non-owner findings do not. Read-only either way.

6.3 dot_governance_gap_propose (PROPOSE)

  • Owner: GOV-SIV. Tier: A (propose). Read/Mutate: reads findings; writes a proposal only to the approval spine (approval_requests) via the sanctioned path — never to a governed object.
  • Approval need: the proposal needs none; the resulting APR requires quorum before any apply. Input: a finding (+ resolved route owner + the matching SB-1 verb). Output: an approval_requests row with proposed_action_code ∈ {assign_governance_owner|grant_governance_exception|delegate_authority|assign_axis_owner}, action='review' (never add — doc 27), target_collection set, source_context.proposer='GOV-SIV', payload carrying the proposed owner/scope or 11-field exception.
  • State transition: system_issues.status → proposed (links apr_id); APR pending.
  • Audit: registry_changelog proposal row. Rollback: withdraw/expire the APR (status='rejected'/'expired'); no governed state touched.
  • Paired test: …_propose_test — proposal uses action≠'add'; proposed_action_code FK-valid; proposer set (so self-approve is detectable); no proposal for a suppressed finding.
  • Failure mode: SB-1 action-types not registered → FK rejects an unknown proposed_action_code ⇒ propose degrades to draft-only (records intent in finding detail, submits nothing). Fails closed.
  • Issue/event integration: transitions findings to proposed; emits governance.<gap>.proposed. SB-1/SB-2 dependency: requires SB-1 Phase-A registered to submit a valid APR; the target of the eventual apply is SB-2.

6.4 dot_governance_assignment_apply (APPLY — NO-GO)

  • Owner: GOV-DOT (Điều 35 executor). Tier: B (execute, mutating). Read/Mutate: MUTATES governance_object_ownership / the governed-exception register / a governance_relations delegation.
  • Approval need: mandatory — runs only an APR already quorum-approved (fn_apr_quorum_check passed). This DOT is the handler_ref target that C-2 Phase-B flips from 'unimplemented'.
  • Input: an approved APR (status='approved', validated). Output: the owner/exception/delegation row (with approval_ref back-link) + a lifecycle event (governance.owner.assigned / .exception.granted / .authority.delegated / .axis.owner_assigned).
  • State transition: APR approved→applied; system_issues finding proposed→resolved (auto-close); ownership row active.
  • Audit: registry_changelog apply row + event_outbox lifecycle signal. Rollback: supersedes_id chaining + lifecycle_status='revoked'/'expired' + rollback_ref; action-type retire/flip-to-unimplemented re-arms fail-closed. Never hard-delete.
  • Paired test: …_apply_test — refuses an unapproved APR; refuses if handler_ref='unimplemented'; enforces one-accountable-per-scope (partial UNIQUE); writes approval_ref; rollback restores prior owner.
  • Failure mode: NO-GO until SB-1 Phase-B + SB-2 live + sovereign sign-off; while handler_ref='unimplemented', fn_apr_block_unimplemented_handler RAISES — the DOT cannot run by construction. SB-1/SB-2 dependency: depends on both (the handler is SB-1 Phase-B; the write target is SB-2).

6.5 dot_governance_coverage_audit (AUDIT — SB-7 activation)

  • Owner: GOV-SIV. Tier: A (health/audit). Read/Mutate: READ-ONLY over governed objects; writes audit records to registry_changelog (+ heartbeat to event_outbox).
  • Approval need: none. Input: a scan run's results + the exception register + the prior audit record. Output: an audit record closing coverage invariant v3 (the {total, covered, orphans, approved_exceptions, retired, stale} ledger), a drift finding if it doesn't close, and the Điều 37 §5.5 audit-loop heartbeat.
  • State transition: none on governed objects; appends audit/changelog rows.
  • Audit: is the audit (this is SB-7 activation — the loop reuses registry_changelog/event_outbox; governance_audit_log stays relation-scoped and is not repurposed). Rollback: N/A (append-only audit).
  • Paired test: …_audit_test — invariant closes for a synthetic covered scope; a planted unowned object opens it; a missed scan heartbeat raises audit_gap on the scanner.
  • Failure mode: invariant doesn't close → governance_schema_drift (high); scanner silent (no heartbeat) → audit_gap on the scanner itself (silent-gap, Đ45).
  • Issue/event integration: emits governance.coverage.audit_completed; raises drift. SB-1/SB-2 dependency: reads SB-2 store for the covered/exception counts (degraded pre-SB-2).

6.6 dot_governance_exception_review (EXCEPTION-REVIEW)

  • Owner: GOV-SIV. Tier: A. Read/Mutate: READ-ONLY; raises findings/proposes.
  • Approval need: none to detect; any grant/renew routes through grant_governance_exception (quorum). Input: the governed-exception register (M-DEF-6 records). Output: TTL/expiry findings; fingerprint-staleness checks; renewal-count checks (max 2; 3rd → escalate critical); unratified_exception/direct_pg_unratified_exception findings.
  • State transition: marks exceptions expiring/expired; fires issue_on_expiry; proposes replacement via APR.
  • Audit: registry_changelog. Rollback: auto-clears finding when exception renewed/replaced.
  • Paired test: …_exception_review_test — expiring exception fires governance.exception.expiring; stale fingerprint lifts suppression (fails closed); 3rd renewal escalates to critical.
  • Failure mode: an exception found with no APR/approval_ref → unratified_exception; an exception applied directly in PG (no APR) → direct_pg_unratified_exception (critical). SB-1/SB-2 dependency: depends on the exception register existing (SB-1 C-2 store + SB-2 substrate); pre-build it reviews only any interim APR-payload exceptions.

6.7 dot_governance_issue_route (ISSUE-ROUTE)

  • Owner: GOV-SIV. Tier: A. Read/Mutate: READ-ONLY over findings; emits notification signals (event_outbox, gated).
  • Approval need: none (routing a signal ≠ a job; Đ45). Input: an open finding + its resolved route owner (doc 24 §7). Output: an event_outbox signal addressed to the route owner's delivery_lane, honoring cooldown/emit-ceiling/digest (doc 24 §6).
  • State transition: none on governed objects; records the notification in registry_changelog.
  • Audit: registry_changelog notify row. Rollback: N/A (a signal; superseded by .resolved).
  • Paired test: …_issue_route_test — respects cooldown (no re-emit in window); routes to v_object_effective_owner result, escalates to GOV-COUNCIL on null; never routes a suppressed finding.
  • Failure mode: route owner unresolved → escalate to GOV-COUNCIL; event type not registered → hold (register-before-emit; raise issue_event_gap). SB-1/SB-2 dependency: uses SB-2 v_object_effective_owner for routing; degrades to default-hint/COUNCIL pre-SB-2.

7. Inventory-completeness reconciliation — the governance twin of birth-orphan

Birth-orphan (Điều 19) answers "does every object that exists get registered?". The governance twin (L6) answers "does every registered/inventoried object get a detector + a coverage row + (where required) an axis-registry entry?":

  • Source-present-but-unregistered → birth's job (yield, M-DEF-4).
  • Registered-but-no-coverage-row (no dot_coverage_required row for its domain) → inventory_gap (the class is governed in principle but unscanned in practice).
  • Surface/axis present but absent from the Axis Registry → axis_unregistered (M-DEF-9).
  • Detector registered but never producing a heartbeat → audit_gap (silent scanner).

Reconciliation closes the loop: every governed class must be reconcilable by a registered detector, and the invariant must close at every grain. This is the central obligation Điều 37 OWNs; the mechanism is Điều 31 (detector) + Điều 19 (orphan) + Điều 35 (DOT) — referenced, not duplicated.


8. Audit-loop activation (SB-7)

governance_audit_log is 1 stale row and relation-scoped (FK → governance_relations.id, no object FK) → it cannot carry object-coverage audits. The design activates the Điều 37 §5.5 audit loop by reusing registry_changelog (object-/entity-keyed) + event_outbox (heartbeat) via dot_governance_coverage_audit (§6.5). governance_audit_log is left untouched (its relation-audit role is preserved). No third audit channel is minted. Activation is a build step (T6/T11), NOT performed here.


9. dot_coverage_required rows to add (SB-8) — proposed, not inserted

The 7 DOTs and the governance classes must themselves be covered. Proposed rows (domain, operation, tier) — design only; not inserted:

  • domain=governance.coverage, operation=scan, tier=A, for: coverage_scan
  • domain=governance.coverage, operation=detect, tier=A, for: orphan_detect
  • domain=governance.coverage, operation=propose, tier=A, for: gap_propose
  • domain=governance.coverage, operation=apply, tier=B, for: assignment_apply (NO-GO)
  • domain=governance.coverage, operation=audit, tier=A, for: coverage_audit (SB-7)
  • domain=governance.coverage, operation=exception_review, tier=A, for: exception_review
  • domain=governance.coverage, operation=issue_route, tier=A, for: issue_route
  • domain=governance.classification, operation=scan/health, tier=A, for: classification-axis coverage
  • domain=governance.pivot, operation=scan/health, tier=A, for: pivot-axis coverage
  • domain=governance.axis, operation=scan/health, tier=A, for: axis coverage (Axis Registry)
  • domain=governance.iu, operation=scan/health, tier=A, for: IU coverage (gated on OP-B + SB-3)

These extend the live family (which already has governance.approval propose(A)/execute(B)/health(A)) by the same A/B pattern — reuse, not a new scheme.


10. Anti-spam reuse (T7)

The scanner is the producer for the doc 24 anti-spam model: it coalesces by coalesce_key at the governance grain (children under an anchor collapse to one finding, Δ open-issues=0), honors cooldown/emit-ceiling/digest per severity tier, emits summary-vs-detail, samples large classes, fails closed on stale, and emits the heartbeat. It does not implement a new de-dup engine — it writes coalesce_key/occurrence_count on system_issues, exactly as live template_gap (≈183,378 occurrences) already demonstrates.


11. Dependencies on SB-1 / SB-2, and gates

  • Capability: scan/inventory (L1), non-owner gaps (L4), island (L5). Needs: nothing live (read-only). Status: design + dry-run designable now.
  • Capability: owner gaps/conflicts (L3), routing. Needs: SB-2 views live. Status: gated; degrades gracefully pre-SB-2.
  • Capability: submit a valid remediation APR (propose). Needs: SB-1 Phase-A registered (C-2). Status: gated; degrades to draft-only.
  • Capability: apply remediation (…_assignment_apply). Needs: SB-1 Phase-B handler + SB-2 table live + approved APR + sovereign sign-off. Status: NO-GO.
  • Capability: register DOTs / coverage rows / event types. Needs: T6/T7 build authorization. Status: NO-GO (design only).

No gate may be satisfied by self-approval. The scanner proposes; COUNCIL/owner approves; GOV-DOT executes — three separated authorities (Đ31/Đ32/Đ35).


12. Verdict

T6 governance coverage scanner / DOT design: COMPLETE (Branch C). The scanner lifecycle (scan→detect→classify→propose→[approve]→apply→audit→exception-review→issue-route), the 6-layer detector, and the 7-DOT family are fully specified — each DOT with owner, tier, read/mutate, approval need, input, output, state transition, audit, rollback, paired test, failure mode, issue/event integration, and SB-1/SB-2 dependency. Inventory is sourced from registries/config/source-inventory with no hardcoded axis/object list; reconciliation is the governance twin of birth-orphan; audit-loop activation reuses registry_changelog/event_outbox (SB-7); dot_coverage_required rows are proposed (SB-8); anti-spam reuses T7. Apply is NO-GO; nothing registered, emitted, or mutated. Next: doc 26 (OP-B IU owner packet), doc 27 (auto-approve hardening).
