KB-7A1E

35 — Backfill/Handoff/Input-Control Integration & Readiness (Branch E T6/T7 compat + exact patch plan + Branch F scale/budget + new blockers SB-10..SB-13/C-7, design-only, 2026-06-01)

Revision 1
Tags: one-roof-governance, implementation-index, integration-readiness, branch-e, branch-f, t6-compat, t7-compat, patch-plan, scanner-dot-io-change, dot-lifecycle, production-gate-change, anti-spam-change, scale-budget, batch-concurrency-rate, cooldown-coalesce, full-audit-cadence, stale-threshold, retry-dlq, load-guard, no-ui-full-scan, observability, new-blockers, sb-10, sb-11, sb-12, sb-13, c-7, gcos, design-only, 2026-06-01

35 — Backfill / Handoff / Input-Control Integration & Readiness (Branch E + Branch F)

Path: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
Doc: 35
Track: Branch E (T6/T7 compatibility + patch plan) + Branch F (scale / resource budget) + the integration & readiness map for docs 31–34.
Builds on: docs 24 (T7), 25 (T6), 31–34, concept canon 01–02, blocker register (doc 03).
Status: DESIGN ONLY. No mutation; no registration; no emit; no patch applied to any existing doc (cross-reference only, §0.2).
Purpose: decides what changes when T6/T7 go to build, surfaces the new blockers, and sets the scale/resource controls.
Evidence base: docs 31–34 + live read-only read on 2026-06-01.


0. Naming, scope, and the no-patch-of-old-docs decision

  • GCOS = the umbrella for branches A–D: Governance Candidate & Onboarding Substrate — the layer that sits between Birth/Registry and the T6 coverage detector (backfill seed → handoff sustain → input gate → dirty-group candidate scan).
  • 0.1 — what GCOS is: an operational layer (cursors, snapshots, ruleset versions, dirty-group state, input verdicts) that makes T6/T7 complete (no missed objects), current (handoff-driven), trustworthy (input-gated), and scalable (incremental, no perpetual full scan).
  • 0.2 — no-patch-of-old-docs decision (mission §8): docs 24/25 are left byte-for-byte unchanged (zero revision bump). The mission says "Do not patch old docs unless only adding a cross-reference/addendum note is necessary. Prefer new addendum docs." The new docs are discoverable via list_documents/search; therefore patching is not necessary. The exact patches docs 24/25 will need at T6/T7 build time are specified here as a patch plan (§3), to be applied in the T6/T7 build macro, not now. A future curator may add one-line pointer references to docs 24/25/29 — that is the only edit ever permitted to them, and it is a content-only cross-reference (no version bump, no status change).
§0-GOV Governance Coverage Declaration — GCOS (umbrella, branches A–D)
  governed_objects:   [ backfill_run, handoff_signal, input_quality_verdict, candidate_state,
                        candidate_scan_run, gov_worker_cursor, governance_source_snapshot,
                        governance_ruleset ]  (all Class-2 governed process records)
  owner_per_scope:    { policy: GOV-COUNCIL, health: GOV-SIV, execution: GOV-DOT,
                        render: GOV-MOUT(TTL→C-5), approval: Điều32-spine, audit: GOV-SIV }
  coverage_profile:   [ process/worker/queue/scan-state profiles per doc 31–34 ]
  axes_introduced:    [ none — GCOS consumes the Axis Registry, mints no axis ]
  detection_path:     birth_registry + registry_changelog + meta_catalog + candidate-state store
  issue_event_types:  [ all governance.backfill.* / governance.handoff.* / governance.input.* /
                        governance.candidate.* (docs 31–34) ]  (register-before-emit — NOT registered)
  exceptions:         [ reuses M-DEF-6; none minted ]

1. How GCOS composes with T6/T7 (the layered picture)

 Birth (Đ0-G/Đ19) ─┐
 Registry (Đ2) ────┤→ [B] HANDOFF INTAKE (doc 32, Đ45 cursor-tail) ─┐
 Backfill seed ────┘   (one-time, doc 31)                          │ dirty-mark
                                                                    ▼
                                           [C] INPUT-QUALITY GATE (doc 33, "L0")
                                                                    │ accepted only
                                                                    ▼
                                           [D] CANDIDATE SCAN / DIRTY-GROUP (doc 34)
                                              verdict=relevant?  ── no ──▶ record, no issue
                                                                    │ yes
                                                                    ▼
                                           T6 COVERAGE DETECTOR (doc 25, L3–L6, unchanged logic)
                                                                    │ findings
                                                                    ▼
                                           T7 ISSUE/EVENT/NOTIFY (doc 24, unchanged taxonomy + anti-spam)
                                                                    ▼
                                           PRODUCTION GATE (concept §11) — fail-closed on stale/unknown high-risk

GCOS is a pre-stage, not a replacement. T6's 6-layer detector, 7-DOT family, 20 findings, register-before-emit, GOV-SIV ownership, and apply-NO-GO all remain valid — GCOS changes only which objects T6 works on, when, and whether the input is fit.


2. New blockers this addendum surfaces (register; all OPEN; design now, build NO-GO)

Consistent with doc 03's SB-1..SB-9 / C-1..C-6 / H-1/H-2 register. These are new substrate/decision gaps that GCOS build (not design) requires.

| ID | Blocker | Evidence (live 2026-06-01) | Blocks | Does NOT block | Design now? | Build now? |
|---|---|---|---|---|---|---|
| SB-10 | Candidate-state store absent | no governance_candidate_state or equivalent table | persisting candidate verdicts keyed by snapshot+ruleset (doc 34) | the candidate-scan design; read-only dry-run | YES | NO |
| SB-11 | Governance event domain + handoff path absent | event_type_registry has no governance domain (SB-4); event_pending=0 (unused); no handoff cursor | emitting handoff/candidate/input/backfill signals; durable handoff activation | the handoff design (cursor-tail, doc 32); reuse decision | YES | NO (register-before-emit, Đ45) |
| SB-12 | Source-snapshot + ruleset-version registry absent | evolution_snapshots=1 (global only); no per-group snapshot; no governance_ruleset row | reproducible verdicts; snapshot/ruleset-driven invalidation | the snapshot/ruleset design (reuse evolution_snapshots/measurement_registry) | YES | NO |
| SB-13 | Governance worker-cursor family absent | iu_route_worker_cursor has 1 row (iu_outbound_default); none for governance | running backfill-sweep / handoff-intake / candidate-scan workers with resumable cursors+DLQ | the cursor design (reuse iu_route_worker_cursor shape) | YES | NO |
| C-7 | Input-trust policy + backfill ruleset ownership + legacy-bypass deadline | no source-trust policy; ruleset owner unassigned; C-6/A3 set a 60-day legacy-bypass default | input gate trust decisions (doc 33); who owns ruleset_version; the backfill cut-over deadline; the "observer trigger on Birth = modifying Birth?" ruling (doc 32 §4 Option B) | the gate/backfill design (defaults stated; proceeds on default per C-6 pattern) | YES (decision packet) | NO (council ruling, not agent) |

Relationship to existing blockers: GCOS owner-relevant work still depends on SB-1/SB-2 (owner resolution) and any apply on H-1/H-2/SB-6 (os_proposal_approvals=0 ⇒ COMMIT_FORBIDDEN) — exactly as T6/T7. GCOS adds no new apply surface; its only mutating descendant is still T6's dot_governance_assignment_apply (NO-GO).


3. Branch E — T6/T7 compatibility assessment + exact patch plan

3.1 What remains VALID in T6 (doc 25) and T7 (doc 24) — no change

  • T6: the 6-layer detector logic (L1–L6), the 7-DOT family roles, owner/tier/read-mutate/approval-need per DOT, apply-NO-GO, GOV-SIV ownership, no-hardcode inventory sourcing, audit-loop activation (SB-7), dot_coverage_required proposals (SB-8), the governance-twin-of-birth reconciliation.
  • T7: all 20 issue types, computed severity, the Điều 45 register-before-emit contract, the anti-spam model (coalesce/cooldown/emit-ceiling/summary/heartbeat), owner routing, suppression precedence, the reuse map to system_issues/event_outbox/registry_changelog.

3.2 What needs an ADDENDUM (apply in the T6/T7 build macro, not now)

| Target | Current text (doc) | Required patch | Reason |
|---|---|---|---|
| T6 §4 L1 (Inventory) | "enumerate every governed object + axis on each scan pass" | add a pre-stage L0 = input-quality gate (doc 33); change L1 to "enumerate the dirty + stale-expired candidate set from the candidate-state store (doc 34); full enumeration only during the periodic full audit and the initial backfill (doc 31)" | scalability over 1.04M; no perpetual full scan |
| T6 §4 L2 (Birth precedence) | "drop unborn objects" | note it is now pre-enforced by the input gate state birth_or_registry_missing (doc 33 §4); retain L2 as defense-in-depth | single precedence rule, two enforcement points |
| T6 §5 lifecycle | SCAN→DETECT→… | insert the GCOS pre-stages HANDOFF-INTAKE → INPUT-GATE → CANDIDATE-SCAN ahead of SCAN→DETECT→…; SCAN now reads the candidate working set | the candidate layer is upstream of SCAN |
| T6 §6 DOT family | 7 DOTs | add the 4 GCOS DOTs (§3.4) and a dot_coverage_required row for each | GCOS DOTs are themselves governed objects (DOT-100%) |
| T6 §9 dot_coverage_required | governance.coverage/classification/pivot/axis/iu | add governance.candidate, governance.backfill, governance.handoff, governance.input rows (A-tier read/propose) | cover the GCOS DOTs |
| T7 §5 issue table (20 types) | 20 governance findings | add the GCOS finding types: 4 backfill (doc 31 §10), 4 handoff (doc 32 §8), 7 input-quality (doc 33 §8), 4 candidate (doc 34 §10) = 19 new types, all riding existing buckets + the governance domain | input/backfill/handoff/candidate gaps must be findings, not silent |
| T7 §6 anti-spam | coalesce by object anchor | add a coalesce dimension group_key (doc 34 §3) so dirty-group storms coalesce; add a group_invalidation_storm ceiling | dirty-group churn is a new storm source |
| T7 §9 auto-close | "close on next clean scan" | re-key auto-close by (coalesce_key, ruleset_version) so a close under an old ruleset cannot mask a needed re-open under a new ruleset | stale-truth safety; ties to doc 34 §6 |
| T7 §2 / Đ45 contract | governance lifecycle + detection events | register the GCOS event types (backfill.*, handoff.*, input.*, candidate.*) under the same governance domain (one domain, GOV-SIV) | one event domain, no second bus |
| Production gate (concept §11) | severity-aware G-PROD | add rule: candidate status stale/unknown for a high-risk object ⇒ G-PROD blocks (fail-closed); low-risk ⇒ scheduled re-scan | the GPT fail-closed requirement (doc 34 §6) |
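The T7 §6 and §9 rows above (and the cooldown and issue-coalescing rows of the Branch F table in §4) describe mechanics that are easier to check in code than in prose. The following Python is an added illustration written for this page, not T7's or any GCOS component's own code: it coalesces by (issue_type, anchor, group_key), applies the severity-tiered cooldowns the page states in §4, folds new issues beyond a per-group ceiling into one summary issue so nothing is dropped silently, and keys auto-close by ruleset_version so a clean scan produced under an older ruleset cannot close an issue raised under a newer one. The class and field names (IssueRouter, OpenIssue, Finding), the storm-summary issue type string and the example issue type "governance.candidate.stale" are assumptions for the example; only the cooldown values come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity-tiered cooldowns exactly as stated in the Branch F table (§4).
COOLDOWN = {"critical": timedelta(hours=1), "high": timedelta(hours=6),
            "medium": timedelta(days=1), "low": timedelta(days=7)}
# Assumed issue type for the per-group storm summary (not a T7 identifier).
STORM_SUMMARY_TYPE = "governance.candidate.group_invalidation_storm"


@dataclass
class Finding:
    issue_type: str        # assumed name, e.g. "governance.candidate.stale"
    anchor: str            # object anchor: T7's existing coalesce dimension
    group_key: str         # new coalesce dimension from doc 34 §3
    severity: str
    ruleset_version: int   # ruleset the finding was produced under


@dataclass
class OpenIssue:
    severity: str
    ruleset_version: int   # highest ruleset this issue has been observed under
    last_emit: datetime
    occurrence_count: int = 1
    deferred: int = 0      # used only by the storm-summary issue


class IssueRouter:
    """In-memory stand-in for system_issues + event_outbox (assumed shape)."""

    def __init__(self, storm_ceiling: int):
        self.storm_ceiling = storm_ceiling       # new issues allowed per group per window
        self.open: dict[tuple, OpenIssue] = {}
        self.emitted: list[tuple] = []           # (coalesce_key, when) that would reach the outbox
        self.group_opens: dict[str, int] = {}    # new issues per group in the current window

    def new_window(self) -> None:
        self.group_opens.clear()

    def route(self, f: Finding, now: datetime) -> str:
        key = (f.issue_type, f.anchor, f.group_key)
        issue = self.open.get(key)
        if issue is not None:
            # One open issue per coalesce_key: occurrence_count++, cooldown gates the re-emit.
            issue.occurrence_count += 1
            issue.ruleset_version = max(issue.ruleset_version, f.ruleset_version)
            if now - issue.last_emit < COOLDOWN[issue.severity]:
                return "coalesced"
            issue.last_emit = now
            self.emitted.append((key, now))
            return "re-emitted"
        opens = self.group_opens.get(f.group_key, 0) + 1
        self.group_opens[f.group_key] = opens
        if opens > self.storm_ceiling:
            # Ceiling breached: fold into one summary issue per group, never drop silently.
            skey = (STORM_SUMMARY_TYPE, "*", f.group_key)
            summary = self.open.get(skey)
            if summary is None:
                summary = OpenIssue("high", f.ruleset_version, now)
                self.open[skey] = summary
                self.emitted.append((skey, now))
            summary.deferred += 1
            return "summarised"
        self.open[key] = OpenIssue(f.severity, f.ruleset_version, now)
        self.emitted.append((key, now))
        return "opened"

    def clean_scan(self, anchor: str, group_key: str, ruleset_version: int) -> int:
        """Auto-close keyed by (coalesce_key, ruleset_version): a clean result produced
        under an older ruleset cannot close an issue raised under a newer one."""
        closed = 0
        for key, issue in list(self.open.items()):
            if key[1] == anchor and key[2] == group_key and issue.ruleset_version <= ruleset_version:
                del self.open[key]
                closed += 1
        return closed


def demo() -> dict:
    """Constructed scenario: one object re-flagged across its cooldown, a group storm, a ruleset bump."""
    r = IssueRouter(storm_ceiling=2)
    t0 = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)

    def stale(obj: str, v: int = 1) -> Finding:
        return Finding("governance.candidate.stale", obj, "grp-A", "high", v)

    out = {"first": r.route(stale("obj-1"), t0)}
    out["within_cooldown"] = r.route(stale("obj-1"), t0 + timedelta(hours=1))
    out["after_cooldown"] = r.route(stale("obj-1"), t0 + timedelta(hours=7))
    out["occurrences"] = r.open[("governance.candidate.stale", "obj-1", "grp-A")].occurrence_count
    r.route(stale("obj-2"), t0)
    out["storm"] = r.route(stale("obj-3"), t0)
    r.route(stale("obj-4"), t0)
    out["deferred"] = r.open[(STORM_SUMMARY_TYPE, "*", "grp-A")].deferred
    out["emits"] = len(r.emitted)
    out["closed_v1"] = r.clean_scan("obj-1", "grp-A", 1)
    r.new_window()
    r.route(stale("obj-1", v=2), t0 + timedelta(hours=8))
    out["old_ruleset_clean_ignored"] = r.clean_scan("obj-1", "grp-A", 1)
    out["closed_v2"] = r.clean_scan("obj-1", "grp-A", 2)
    return out
```

The storm ceiling and window are deliberately simple (a counter reset by new_window()); the point is the shape: the finding that breaches the ceiling still lands in one summary issue with a deferred count, and clean_scan() compares ruleset versions rather than only matching the key.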

3.3 What must NOT be implemented until this addendum is incorporated (hard)

  • T6 build must not register the 7 scanner DOTs until SB-10/SB-12/SB-13 are designed-and-built. Otherwise the scanner has only two options, both wrong: (a) rescan all 1.04M every pass (unscalable under the 5 s read timeout), or (b) track "checked" as a permanent boolean (the exact anti-pattern GPT forbade) → silent missed objects on any later ruleset/source change.
  • T7 build must not register the governance event domain for emit until the candidate/handoff/input findings are part of the taxonomy (else findings are emitted with no upstream gate and re-storm).
  • Net: T6/T7 build is now gated on GCOS design acceptance + SB-10..SB-13. T6/T7 design (docs 24/25) is unaffected and remains complete.
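§3.3 names the two wrong options (rescan everything every pass, or a permanent "checked" boolean) and §3.2 states the third: verdicts keyed by snapshot + ruleset with a stale TTL and a fail-closed G-PROD rule, which the Branch F table in §4 restates as the stale-scan threshold. The Python below is an added illustration for this page, not code from doc 34 or any GCOS component: a candidate store keyed by (object, snapshot, ruleset), stale_after = scan_time + ttl(risk_class), the patched T6 L1 working set (dirty plus stale/unknown), and the production-gate decision. The TTL values, the two risk classes and all names (CandidateStore, Verdict, production_gate, the PASS/BLOCK/SCHEDULE_RESCAN outcomes) are assumptions for the example; the design fixes only the rule shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative TTL per risk class (assumed values); the design only fixes that high-risk is short.
TTL_BY_RISK = {"high": timedelta(hours=6), "low": timedelta(days=7)}


@dataclass(frozen=True)
class Verdict:
    object_id: str
    snapshot_id: str       # per-group source snapshot (SB-12)
    ruleset_version: int   # governance_ruleset version (SB-12)
    verdict: str           # "relevant" or "not_relevant"
    scan_time: datetime
    risk_class: str

    @property
    def stale_after(self) -> datetime:
        return self.scan_time + TTL_BY_RISK[self.risk_class]


class CandidateStore:
    """Stand-in for the absent candidate-state store (SB-10). Verdicts are keyed by
    (object, snapshot, ruleset), not a permanent 'checked' boolean, so a new snapshot
    or ruleset makes the old verdict unreachable instead of silently still valid."""

    def __init__(self) -> None:
        self._rows: dict[tuple, Verdict] = {}
        self.dirty: set[str] = set()   # dirty-marks arriving from handoff intake (doc 32)

    def record(self, v: Verdict) -> None:
        self._rows[(v.object_id, v.snapshot_id, v.ruleset_version)] = v
        self.dirty.discard(v.object_id)   # the candidate scan clears the dirty-mark

    def status(self, object_id: str, snapshot_id: str, ruleset_version: int, now: datetime) -> str:
        """The verdict while fresh, 'stale' past stale_after, 'unknown' when no verdict
        exists for this snapshot/ruleset pair."""
        v = self._rows.get((object_id, snapshot_id, ruleset_version))
        if v is None:
            return "unknown"
        if now >= v.stale_after:
            return "stale"
        return v.verdict

    def working_set(self, snapshots: dict[str, str], ruleset_version: int, now: datetime) -> set[str]:
        """Patched T6 L1 inventory: dirty objects plus those whose verdict is stale or missing
        under the current snapshot/ruleset; full enumeration is left to the periodic audit."""
        ws = set(self.dirty)
        for obj, snap in snapshots.items():
            if self.status(obj, snap, ruleset_version, now) in ("stale", "unknown"):
                ws.add(obj)
        return ws


def production_gate(status: str, risk_class: str) -> str:
    """G-PROD rule from §3.2: stale/unknown on a high-risk object blocks (fail-closed);
    on a low-risk object it schedules a re-scan; a fresh verdict does not block the gate
    on candidate-status grounds (T6 findings still apply downstream)."""
    if status in ("stale", "unknown"):
        return "BLOCK" if risk_class == "high" else "SCHEDULE_RESCAN"
    return "PASS"


def demo() -> dict:
    """Constructed scenario: a TTL expiry, a ruleset bump, a re-scan, and a dirty-mark."""
    store = CandidateStore()
    t_scan = datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc)
    store.record(Verdict("o-high", "snap-A", 1, "relevant", t_scan, "high"))
    store.record(Verdict("o-low", "snap-A", 1, "not_relevant", t_scan, "low"))
    snaps = {"o-high": "snap-A", "o-low": "snap-A"}
    noon = t_scan + timedelta(hours=2)
    late = t_scan + timedelta(hours=7)   # past the 6 h high-risk TTL, inside the 7 d low-risk TTL
    out = {"fresh_high": production_gate(store.status("o-high", "snap-A", 1, noon), "high")}
    out["stale_high"] = production_gate(store.status("o-high", "snap-A", 1, late), "high")
    out["fresh_low"] = production_gate(store.status("o-low", "snap-A", 1, late), "low")
    out["ws_late_v1"] = sorted(store.working_set(snaps, 1, late))
    # Ruleset bump: every stored verdict becomes unreachable, so nothing reads as 'already checked'.
    out["unknown_high"] = production_gate(store.status("o-high", "snap-A", 2, noon), "high")
    out["unknown_low"] = production_gate(store.status("o-low", "snap-A", 2, noon), "low")
    out["ws_v2"] = sorted(store.working_set(snaps, 2, noon))
    store.record(Verdict("o-low", "snap-A", 2, "not_relevant", noon, "low"))
    out["ws_v2_after_rescan"] = sorted(store.working_set(snaps, 2, noon))
    store.dirty.add("o-low")   # handoff intake saw a change to o-low
    out["ws_dirty"] = sorted(store.working_set(snaps, 2, noon))
    return out
```

status() never returns an old verdict once the snapshot or ruleset in the key changes; that is what replaces the permanent boolean §3.3 rules out. A periodic full audit would call working_set() with the full snapshot map, the incremental path with only the groups handoff has touched.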

3.4 DOT lifecycle change — 4 GCOS DOTs (design-only; GOV-SIV; tier-A read/propose)

| DOT (proposed) | Stage | Tier | Read/Mutate | Reuses |
|---|---|---|---|---|
| dot_governance_backfill_sweep | backfill (doc 31) | A | READ-ONLY on governed objects; writes the candidate-state seed (gated) | keyset cursor over birth_registry; iu_route_worker_cursor shape |
| dot_governance_handoff_intake | handoff (doc 32) | A | READ-ONLY on governed objects; writes dirty-marks + capture (gated) | cursor-tail of birth_registry/registry_changelog; event_pending |
| dot_governance_input_gate | input (doc 33) | A | READ-ONLY on governed objects; writes input_quality_state + issues (gated) | system_issues; coverage-profile/meta_catalog |
| dot_governance_candidate_scan | candidate (doc 34) | A | READ-ONLY on governed objects; writes candidate verdict + dirty-clear (gated) | derived_objects_registry dirty/stale pattern |

All four are A-tier, non-mutating with respect to governed objects (their only writes are to GCOS's own state, and those are gated), paired with test DOTs (Đ35 A/B), and NO-GO to register until SB-10..SB-13 are built. The single mutating DOT remains T6's dot_governance_assignment_apply (GOV-DOT, NO-GO).

4. Branch F — scale and resource budget (mission §9)

Sized to the live scale: 1,037,716 born objects, 78 source registries, 190,288 system_issues, a 5 s read statement-timeout on the context_pack_readonly role, and a 500-row hard query LIMIT. Every control reuses a live precedent. One caveat for build time: the 2k–5k batch sizes below exceed the 500-row hard LIMIT, so either the sweep runs on a read path without that cap or each batch is assembled from several 500-row keyset pages; this addendum states the budget but does not decide which.

| Control | Design | Live anchor |
|---|---|---|
| Batch size | 2k–5k rows/batch; each batch read completes in < 5 s; ~210–520 batches for the initial 1.04M seed | query_pg 5 s timeout; keyset pagination |
| Concurrency | one worker per scope/cursor; parallelism only by disjoint group_key ranges (no cursor races) | iu_route_worker_cursor (per-worker) |
| Rate limits | max batches/min for backfill; max emits/min for issue-route (cooldown-tiered) | T7 §6 cooldown tiers |
| Scan priority | high-risk/write groups first (short TTL); dirty before periodic; production-path objects before descriptive | risk class from coverage profile (M-DEF-2) |
| Group coalescing | dirty-marks coalesce by group_key within a window; one mark per group per window | doc 34 §4; coalesce_key |
| Issue coalescing | reuse T7: one open issue per coalesce_key; occurrence_count++; summary/digest beyond ceiling | system_issues.coalesce_key/occurrence_count (proven at template_gap≈183k) |
| Cooldown | severity-tiered (critical 1 h / high 6 h / medium 24 h / low 7 d) for emits | T7 §6 |
| Full-audit cadence | periodic full reconciliation (e.g. weekly), off-peak: the safety net (doc 34 §5) | derived_objects_registry.stale_after |
| Backfill throttling | off-peak seed; pause on load-guard breach; resume from cursor | doc 31 §11 |
| Stale-scan threshold | stale_after = scan_time + ttl(risk_class); past it ⇒ verdict stale/unknown ⇒ fail-closed for high-risk | doc 34 §6 |
| Retry policy | bounded backoff; error_count/last_error per item | event_pending |
| DLQ policy | dead-letter after N attempts; dead_lettered counter; *_dlq/*_overflow findings | iu_route_worker_cursor.dead_lettered |
| Server-load guard | pause backfill/scan if lock-wait or replication lag exceeds threshold; never hold long read transactions | 5 s timeout + read-only role |
| No UI full-table scan | UI/render reads coverage summary views only (counts, invariant ledger), never the raw 1.04M sweep or the candidate store directly | Điều 28; doc 25 §6 sampling rule |
| Observability | metrics: cursor lag (per worker), dirty-queue depth, stale count, DLQ depth, invariant-closure %, heartbeat freshness, batches done/total | iu_route_worker_cursor counters + evolution_snapshots + heartbeats |

No silent caps (constitution): any bounded coverage (sampling a huge class, top-N per scan, DLQ truncation) must log/emit a summary finding stating what was deferred — silent truncation reads as "covered everything" when it did not (doc 25 §6.1 / T7 §6 summary).
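The batch, retry, DLQ, load-guard and no-silent-cap rows above combine into one worker loop. The Python below is an added illustration for this page, not the backfill worker from doc 31: a keyset-paginated sweep that advances a resumable cursor only after a whole batch is handled, retries failures a bounded number of times before dead-lettering them, pauses on a load-guard signal, and records what it deferred as findings rather than truncating silently. The source is a constructed 25-row registry slice read 10 rows at a time (production uses 2k–5k); the cursor field names follow the iu_route_worker_cursor shape only as far as the page describes it, and the finding type strings, class names and the `source(after_key, limit)` callable are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class WorkerCursor:
    """Resumable per-worker cursor shaped after iu_route_worker_cursor (field names assumed)."""
    worker: str
    last_key: int = 0          # keyset position: highest registry key fully processed
    batches_done: int = 0
    error_count: int = 0
    dead_lettered: int = 0
    last_error: str = ""
    paused: bool = False


class BackfillSweep:
    """Keyset-paginated backfill seed with bounded retry, a DLQ, a load-guard pause and
    deferral findings. `source(after_key, limit)` stands in for the
    'WHERE key > ? ORDER BY key LIMIT ?' read that must finish inside the 5 s timeout."""

    def __init__(self, source, cursor: WorkerCursor, batch_size: int, max_attempts: int, load_guard):
        self.source = source
        self.cursor = cursor
        self.batch_size = batch_size
        self.max_attempts = max_attempts
        self.load_guard = load_guard   # callable() -> True when lock-wait / lag is over threshold
        self.attempts: dict[int, int] = {}
        self.retry: list[tuple[int, str]] = []
        self.dlq: list[tuple[int, str]] = []
        self.seeded: list[int] = []
        self.findings: list[dict] = []  # would become governance.backfill.* issues (names assumed)

    def _attempt(self, process, key: int, obj: str) -> None:
        try:
            process(key, obj)
            self.seeded.append(key)
        except Exception as exc:   # one item failing must not stall the batch
            n = self.attempts.get(key, 0) + 1
            self.attempts[key] = n
            self.cursor.error_count += 1
            self.cursor.last_error = f"{key}: {exc}"
            if n >= self.max_attempts:
                self.dlq.append((key, str(exc)))     # dead-letter after N attempts
                self.cursor.dead_lettered += 1
            else:
                self.retry.append((key, obj))        # bounded retry at the next batch

    def run(self, process, max_batches=None) -> str:
        """Returns 'complete', 'paused' (load guard) or 'rate_limited' (batch budget spent).
        The cursor persists across calls, so any non-complete return is resumable."""
        self.cursor.paused = False
        done_this_run = 0
        while True:
            if self.load_guard():
                self.cursor.paused = True
                self.findings.append({"issue_type": "governance.backfill.load_guard_paused",
                                      "resume_from": self.cursor.last_key})
                return "paused"
            if max_batches is not None and done_this_run >= max_batches:
                return "rate_limited"
            pending, self.retry = self.retry, []
            for key, obj in pending:
                self._attempt(process, key, obj)
            rows = self.source(self.cursor.last_key, self.batch_size)
            if not rows and not self.retry:
                if self.dlq:   # bounded coverage is stated in a finding, never silently truncated
                    self.findings.append({"issue_type": "governance.backfill.dlq",
                                          "dead_lettered": len(self.dlq),
                                          "keys": [k for k, _ in self.dlq]})
                return "complete"
            for key, obj in rows:
                self._attempt(process, key, obj)
            if rows:
                self.cursor.last_key = rows[-1][0]   # advance only after the whole batch is handled
                self.cursor.batches_done += 1
            done_this_run += 1


def demo() -> dict:
    """Constructed 25-row registry slice read 10 at a time; key 7 always fails, key 12 fails once."""
    rows = [(k, f"obj-{k}") for k in range(1, 26)]
    failures = {7: 99, 12: 1}   # key -> remaining times process() raises

    def source(after_key: int, limit: int):
        return [r for r in rows if r[0] > after_key][:limit]

    def process(key: int, obj: str) -> None:
        if failures.get(key, 0) > 0:
            failures[key] -= 1
            raise RuntimeError("transient read error")

    guard = {"hot": False}
    sweep = BackfillSweep(source, WorkerCursor("backfill_sweep_default"),
                          batch_size=10, max_attempts=2, load_guard=lambda: guard["hot"])
    out = {"first": sweep.run(process, max_batches=1)}
    out["cursor_after_first"] = sweep.cursor.last_key
    guard["hot"] = True
    out["under_load"] = sweep.run(process)
    out["cursor_under_load"] = sweep.cursor.last_key
    guard["hot"] = False
    out["final"] = sweep.run(process)
    out["seeded"] = len(sweep.seeded)
    out["dlq_keys"] = [k for k, _ in sweep.dlq]
    out["dead_lettered"] = sweep.cursor.dead_lettered
    out["batches"] = sweep.cursor.batches_done
    out["last_finding"] = sweep.findings[-1]["issue_type"]
    return out
```

Each source() call maps to one bounded keyset read and nothing holds a transaction across batches, which is what the "never hold long read transactions" row requires. Resuming after "paused" or "rate_limited" is just calling run() again with the same cursor.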


5. Dependency graph & build order (when gates open)

concept canon (GO) ─┬─ T3 SB-1 design (doc16, done) ─┐
                     ├─ T4 SB-2 design (doc17, done) ─┤
                     ├─ T7 design (doc24, done) ───────┤
                     └─ T6 design (doc25, done) ───────┤
                                                        ▼
                       GCOS DESIGN (docs 31–35, this addendum, DONE)
                                                        │
        ┌───────────────── build gates (all NO-GO now) ─┴───────────────────┐
        ▼                         ▼                      ▼                   ▼
  SB-12 snapshot/ruleset    SB-13 cursor family    SB-10 candidate store   SB-11 gov event domain
  (reuse evolution_snap+    (reuse iu_route_       (reuse derived_objects   (register-before-emit,
   measurement_registry)     worker_cursor)         pattern)                 Đ45; SB-4)
        └───────────────┬───────────────────────────────┬───────────────────┘
                        ▼                                 ▼
              Branch B handoff intake          Branch A backfill seed (one-time)
                        └──────────────┬──────────────────┘
                                       ▼
                       Branch C input gate + Branch D candidate scan (incremental)
                                       ▼
                       T6/T7 build (patched per §3) — owner work needs SB-1/SB-2;
                       apply needs H-1/H-2/SB-6 (COMMIT_FORBIDDEN until sovereign sign-off)

Recommended build order: SB-12 + SB-13 (cheap, reuse-shaped) → SB-10 (candidate store) → SB-11 (register governance domain, GOV-SIV) → Branch B intake → Branch A seed → Branch C/D → patched T6/T7. Council items C-7 (and the OP-B/SB-1/SB-2 line for owner work) run in parallel on the decision track.


6. Readiness gate table (one screen)

| Tier | Gate (all must be met) | Status |
|---|---|---|
| GCOS concept/design (docs 31–35) | concept GO + T6/T7 design done + reuse-first + Đ45 + no-hardcode/no-island | GO: done (this addendum) |
| Snapshot/ruleset + cursor build | SB-12 + SB-13 designed-and-authorized | NO-GO (design only) |
| Candidate-state store build | SB-10 | NO-GO |
| Governance event domain register (emit) | SB-11/SB-4 + register-before-emit + GOV-SIV ownership ruled | NO-GO |
| Handoff intake / backfill seed run | SB-10..SB-13 + worker build | NO-GO |
| Owner-relevant candidate→coverage work | SB-1 + SB-2 live | NO-GO |
| Any apply (owner/exception/delegation) | SB-1 Phase-B + SB-2 + approved APR + H-1/H-2/SB-6 (os_proposal_approvals=0) | NO-GO (COMMIT_FORBIDDEN) |
| Input-trust + backfill-ruleset + legacy deadline | C-7 ruling | decision pending |

No gate may be satisfied by self-approval.


7. Verdict

Branch E (T6/T7 compatibility) + Branch F (scale/resource budget): COMPLETE. T6/T7 are assessed section by section: their detector logic, DOT family, 20 findings, anti-spam, register-before-emit, and apply-NO-GO all remain valid; the exact patch plan (the targeted addenda in §3.2) is specified for the T6/T7 build macro, with a hard list of what must not be built until GCOS is incorporated (§3.3) and the 4 new GCOS DOTs (§3.4). The scale/resource budget (§4) is sized to the live 1.04M / 78-registry / 5 s-timeout reality, every control reusing a live precedent, with a no-silent-cap rule. Four new blockers (SB-10..SB-13) and one council item (C-7) are registered; the dependency graph, build order, and readiness gate table are set. Old docs 24/25 are unchanged (cross-reference only). No mutation, registration, emit, or self-approval. Next: doc 36 (paste-ready next prompts) + doc 37 (self-review & acceptance).

Source: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/35-backfill-handoff-input-control-integration-readiness.md