42 — GCOS Substrate Integration & Build Readiness (SB-10/11/12/13 build order, dependency graph, gate table, docs 24/25 cross-ref, rollback, no-island/no-hardcode proof, design-only, 2026-06-01)
Package: knowledge/dev/reports/architecture/one-roof-governance-technical-addendum-and-implementation-index-2026-06-01/
Track: GCOS substrate — integration of SB-10/SB-11/SB-12/SB-13 (docs 40/41/38/39). Mission Branch E.
Status: Design-only readiness map. BUILD NO-GO. No mutation. KB document only.
Reads / controls: doc 00 (controlling) → concept canon → Round-4 law → prompt-muc-tieu-mo.
Integrates docs 38 (SB-12), 39 (SB-13), 40 (SB-10), 41 (SB-11); against docs 24/25 (T6/T7), 31–35 (GCOS), 03 (blocker register), 35 §3.2 (the 11 build-time addenda).
Date: 2026-06-01 · Mutation footprint: KB document only.
42.1 The four substrates at a glance (decision + footprint)
| Blocker | What | Reuse/Extend/New | Additive footprint | Build gate |
|---|---|---|---|---|
| SB-12 (doc 38) | source-snapshot + ruleset-version | REUSE evolution_snapshots (snapshots) + NEW tiny governance_ruleset (or reuse evo, Option A) | ≤ 1 tiny registry | DDL + C-7 (ruleset owner) |
| SB-13 (doc 39) | governance worker-cursor family | NEW gov_worker_cursor (reuse-shaped, type-generalized) + REUSE queue_heartbeat/event_pending | 1 table | DDL |
| SB-10 (doc 40) | candidate-state store (keystone) | NEW governance_candidate_state (+ optional object table), modeled on derived_objects_registry | 1–2 tables | DDL + consumes SB-12/SB-13 |
| SB-11 (doc 41) | governance event domain + handoff path | REUSE ONLY event_type_registry/event_outbox/event_pending/event_read/event_subscription/queue_heartbeat/system_issues/registry_changelog | 0 tables | register-before-emit (T7 build) + C-7 (observer-trigger, input-trust) |
Total additive PG footprint for all four: ≤ 4 tables (1 of them optional), 0 new buses/stores/notifiers. Everything else is reuse of live substrate. This is deliberately minimal — the GCOS substrate is a durability/efficiency layer under the existing T6/T7 stateless-rescan model (doc 35 §3.2), not a new roof.
42.2 Build order (per doc 35 §5 + GPT review; refined by live findings)
PHASE 0 (decision track, parallel)
- C-7 ruling: input-trust, ruleset owner, 60-day legacy cut-over, observer-trigger (Đ32 §4 B)
- SB-1 / SB-2 owner-substrate line (gates owner-relevant verdicts only)
PHASE 1 (substrate build, gated DDL)
1. SB-12 evolution_snapshots reuse + governance_ruleset
2. SB-13 gov_worker_cursor (reuse queue_heartbeat/event_pending)
3. SB-10 governance_candidate_state (consumes SB-12+SB-13)
4. SB-11 register governance domain (register-before-emit)
PHASE 2 (activation, gated)
5. Branch B handoff intake (cursor-tail, Option A)
6. Branch A backfill seed (phase=seeding)
7. Branch C/D input-gate + candidate-scan
8. T6/T7 build with the 11 addenda (doc 35 §3.2)
Why SB-12+SB-13 first: cheapest (reuse-shaped), and SB-10 cannot key verdicts without the snapshot/ruleset (SB-12) nor be seeded/dirtied without cursors (SB-13). SB-10 third (the convergence point). SB-11 fourth because emit is register-before-emit and is only meaningful once there is candidate/handoff state to emit about; and because activating the domain is itself the T7 build step. GPT pairs SB-12+SB-13 as step 1 — consistent.
Parallelism: C-7 (council) and the SB-1/SB-2 owner line run on a separate decision/substrate track and gate only owner-relevant verdicts (the candidate store degrades to owner_scope=null, never guessing, until SB-2 is live — docs 40 §40.11, 25 L3).
42.3 Dependency graph (edges = "must exist before")
- SB-12 (snapshot+ruleset) ─▶ SB-10 (candidate-state)
- SB-13 (worker-cursor) ─▶ SB-10 (candidate-state)
- SB-10 (candidate-state) + SB-11 (event domain) ─▶ Branch B intake ─▶ Branch A seed ─▶ Branch C/D scan ─▶ T6/T7 (patched)
- C-7 (input-trust, ruleset owner, observer-trigger, 60-day) ─▶ the chain above (gates input.* + ruleset activation + Option B)
- SB-1 Phase-A (APR verbs) ─▶ propose remediation (T6 DOT #3)
- SB-1 Phase-B + SB-2 + APR quorum + sovereign (H-1/H-2/SB-6) ─▶ APPLY (T6 DOT #4, NO-GO)
- SB-2 (owner table + scopes) ─▶ owner-relevant verdicts/routing (degrade-until-live)
- SB-3 (axis envelope) ─▶ IU axis-grain invariant > 3 axes (caps at 3 until live)
Hard prerequisites SB-10..13 need in order to be designed or to run read-only: none. All four are designable now, and the read/detect path runs without owner substrate. What they DO require to build: gated DDL + the gates in §42.5.
42.4 What T6/T7 cannot build until these substrates exist (the gate, doc 35 §3.3)
T6 build must not register the 7 scanner DOTs, and T7 build must not register/activate the governance event domain, until SB-10/SB-11/SB-12/SB-13 are designed-and-built — because the only alternatives are the two anti-patterns GPT forbade:
- Rescan all 1,037,724 born objects every pass — unscalable under the 5 s read statement-timeout + 500-row LIMIT (Branch F).
- Track "checked" as a permanent boolean — the exact "checked-forever" anti-pattern (doc 34 §1).
SB-10 (durable, snapshot/ruleset-keyed, group-grain, decaying-clean state) + SB-12 (reproducible keys + targeted invalidation) + SB-13 (resumable keyset cursors) + SB-11 (register-before-emit signals) are precisely what lets T6 read a bounded working set (dirty + stale-expired + periodic-full) instead of a full rescan, and lets T7 emit instead of only logging findings.
Net: T6/T7 design (docs 24/25) is COMPLETE and unaffected. T6/T7 build is gated on GCOS design-acceptance + SB-10/11/12/13 build + the 11 addenda.
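The bounded working set described above, as an added sketch that is not code from docs 24/25/40: each pass reads only dirty rows and rows whose clean verdict has expired, in keyset order under a row limit, and resumes from a cursor. The row shape, `next_batch`, `record_clean` and the TTL are assumptions; the 500-row limit is the Branch F figure quoted above.

```python
from dataclasses import dataclass

ROW_LIMIT = 500  # read LIMIT quoted in 42.4 (Branch F)

@dataclass
class Candidate:          # hypothetical shape of one candidate-state row
    object_id: int        # keyset column: unique and ordered
    dirty: bool           # set when the source object or the ruleset changed
    clean_until: float    # epoch seconds; a clean verdict decays after this

def next_batch(rows, cursor, now, limit=ROW_LIMIT, full_pass=False):
    """Return (batch, new_cursor, done) for one bounded read.

    A row is due when it is dirty, its clean verdict has expired, or a
    periodic full pass is running. Only rows with object_id > cursor are
    considered, so a stopped worker resumes where it left off.
    """
    due = sorted(
        (r for r in rows
         if r.object_id > cursor
         and (full_pass or r.dirty or r.clean_until <= now)),
        key=lambda r: r.object_id,
    )
    batch = due[:limit]
    new_cursor = batch[-1].object_id if batch else cursor
    done = len(due) <= limit  # nothing is left beyond this batch
    return batch, new_cursor, done

def record_clean(row, now, ttl):
    """Store a clean verdict that expires, not a permanent 'checked' flag."""
    row.dirty = False
    row.clean_until = now + ttl

# Constructed sample: 1,200 rows, 3 dirty, 2 with an expired clean verdict.
NOW = 1_000_000.0
SAMPLE = [Candidate(i, False, NOW + 3600) for i in range(1, 1201)]
for i in (7, 640, 1199):
    SAMPLE[i - 1].dirty = True
for i in (15, 900):
    SAMPLE[i - 1].clean_until = NOW - 1

if __name__ == "__main__":
    batch, cur, done = next_batch(SAMPLE, cursor=0, now=NOW)
    print([r.object_id for r in batch], cur, done)
```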
42.5 Exact acceptance gates (every gate must be green before the named build step)
| Gate | Condition | Blocks |
|---|---|---|
| G-DESIGN | docs 38–41 accepted as technical design addendum (this package) | start of any GCOS build |
| G-DDL | operator with full privileges runs additive DDL in a reversible BEGIN/ROLLBACK rehearsal; pre-flight shows 0 collisions (the 4 target tables confirmed ABSENT live) | creating governance_ruleset/gov_worker_cursor/governance_candidate_state(+object) |
| G-C7 | council rules: input-trust policy, ruleset owner + activation policy, 60-day legacy cut-over, observer-trigger (Đ32 §4 Option B) | input.* emit, ruleset activation, backfill cut-over deadline, Option B trigger |
| G-RBE (register-before-emit, Điều 45) | event_type_registry(governance, type) rows registered+active=true | any event_outbox emit on the governance domain |
| G-SB2 | governance_object_ownership + 6-row governance_responsibility_scope + v_object_effective_owner live | owner-relevant verdicts/routing sharpen from default_owner_hint/COUNCIL to resolved owner (degrade-until-live, not a hard block) |
| G-SB1A | SB-1 Phase-A action-types registered (handler_ref='unimplemented') | scanner can submit a valid APR proposal (DOT #3) |
| G-APPLY | SB-1 Phase-B handler flipped (C-2) + SB-2 live + APR quorum-approved (Đ32) + sovereign sign-off (H-2/SB-6; os_proposal_approvals > 0) | the ONLY mutating DOT dot_governance_assignment_apply — NO-GO today |
| G-PROD | candidate status not stale/unknown for the high-risk object (fail-closed) | a production/execution action on a governed object |
os_proposal_approvals = 0 ⇒ COMMIT_FORBIDDEN remains the master gate over any apply (H-1/H-2/SB-6).
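One way to script the G-DDL pre-flight and BEGIN/ROLLBACK rehearsal, as an added example that is not part of this package's own tooling. It uses an in-memory SQLite database as a stand-in for the live PostgreSQL instance; the single-column table bodies and the function names are assumptions, and only the three target tables named in the gate row are listed.

```python
import sqlite3

# Table names come from the G-DDL row; the single-column bodies are
# placeholders, since the real DDL is defined in docs 38-40.
TARGETS = ("governance_ruleset", "gov_worker_cursor",
           "governance_candidate_state")

def existing_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {name for (name,) in rows}

def preflight_collisions(conn):
    """Target tables that already exist; the gate requires an empty list."""
    return sorted(set(TARGETS) & existing_tables(conn))

def rehearse(conn):
    """Run the additive DDL in a transaction and always roll it back.

    'green' is True only if there were no collisions, every statement
    succeeded, and the catalog is unchanged after ROLLBACK.
    """
    before = existing_tables(conn)
    report = {"collisions": preflight_collisions(conn), "error": None}
    if not report["collisions"]:
        conn.execute("BEGIN")
        try:
            for name in TARGETS:
                conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
        except sqlite3.Error as exc:
            report["error"] = str(exc)
        finally:
            conn.execute("ROLLBACK")
    report["unchanged"] = existing_tables(conn) == before
    report["green"] = (not report["collisions"] and report["error"] is None
                       and report["unchanged"])
    return report

def demo_db(extra=()):
    """Constructed stand-in for the live database (SQLite, not PostgreSQL)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN
    conn.execute("CREATE TABLE evolution_snapshots (id INTEGER PRIMARY KEY)")
    for name in extra:
        conn.execute(f"CREATE TABLE {name} (id INTEGER PRIMARY KEY)")
    return conn

if __name__ == "__main__":
    print(rehearse(demo_db()))
    print(rehearse(demo_db(extra=["gov_worker_cursor"])))
```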
42.6 Do docs 24/25 need a cross-reference patch before implementation? — YES (the GPT warning)
The GPT review's single standing concern: "docs 24/25 were deliberately not patched; before build, create a consolidated technical build plan/index or patch docs 24/25 with cross-references so implementation agents cannot miss GCOS."
Recommendation (design-only; not executed here): before any T6/T7 build macro, do one of:
- (Preferred) Add a non-destructive cross-reference header to docs 24 and 25 — a short "BUILD ADDENDUM" pointer block at the top linking to docs 31–35 + 38–42 and the 11 addenda (doc 35 §3.2). This preserves the byte-for-byte design (no revision bump to the design body) while making the build dependency impossible to miss. This is an allowed surgical-drift / author-ready follow-up patch (law §4F/§4G) — a cross-ref header changes no contract or business meaning.
- (Alternative) A consolidated "T6/T7 GCOS Build Plan" doc (e.g. doc 45) that enumerates the 11 addenda + the SB-10..13 dependencies as the single build entrypoint, leaving 24/25 untouched.
Either is the next macro's job (doc 43 lists it). This doc does not patch 24/25 (design-only; and 24/25 are deliberately frozen per doc 35 §0.2). Flag (doc 35 §3.2 discrepancy): the patch set is enumerated as 10 table rows + the production-gate rule = "eleven targeted addenda"; the build plan must pin the exact count by re-reading doc 35 §3.2 live (noted in doc 44 weaknesses).
42.7 Rollback strategy (reversible-by-default, law §5)
| Step | Rollback |
|---|---|
| Additive DDL (governance_ruleset, gov_worker_cursor, governance_candidate_state(+object)) | DROP TABLE (greenfield, no dependents until activated); rehearsed in BEGIN/ROLLBACK first; no data loss (tables empty at create). |
| Reuse-writes to evolution_snapshots (governance-scoped rows) | Delete rows WHERE scope LIKE 'governance.%'; the global row untouched. |
| Reuse-writes to event_pending/queue_heartbeat (governance rows) | Delete governance rows; live IU/cut rows untouched (distinct worker_name/executor_name/event_domain). |
| Register governance event types | Set active=false (de-activate) or delete the rows; no emit occurred while inactive (register-before-emit) → nothing downstream to unwind. |
| Worker start | Stop worker; cursor watermark is the durable resume/disable point; no partial commits (idempotent upserts). |
| Apply DOT (NO-GO) | N/A — never reached; if ever built, rollback via supersedes_id chaining + lifecycle_status='revoked', never hard-delete (doc 25 DOT #4). |
Disable-before-apply: every mutating member has a kill-switch (de-activate event type / stop worker / status flag) before it can act. No irreversible step in the GCOS substrate.
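The register-before-emit gate (G-RBE) and its de-activate kill-switch from the rollback table, as an added example that is not code from docs 25/41. The column names, the event type `candidate.dirty` and the function names are assumptions, and SQLite stands in for the live database.

```python
import sqlite3

def setup():
    """Constructed in-memory stand-in; the column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE event_type_registry (
            event_domain TEXT, event_type TEXT, active INTEGER NOT NULL,
            PRIMARY KEY (event_domain, event_type));
        CREATE TABLE event_outbox (
            id INTEGER PRIMARY KEY, event_domain TEXT, event_type TEXT,
            payload TEXT);
    """)
    return db

def register(db, domain, event_type, active=False):
    """Registering does not activate: the type starts inactive by default."""
    db.execute("INSERT INTO event_type_registry VALUES (?, ?, ?)",
               (domain, event_type, int(active)))
    db.commit()

def set_active(db, domain, event_type, active):
    """Kill-switch from the rollback table: active=False blocks further emits."""
    db.execute("UPDATE event_type_registry SET active=? "
               "WHERE event_domain=? AND event_type=?",
               (int(active), domain, event_type))
    db.commit()

def emit(db, domain, event_type, payload):
    """Write to the outbox only if the type is registered and active.

    The registry check and the insert are one statement, so a
    deactivation cannot land between them. Returns True if a row was written.
    """
    before = db.total_changes
    db.execute(
        "INSERT INTO event_outbox (event_domain, event_type, payload) "
        "SELECT ?, ?, ? WHERE EXISTS ("
        " SELECT 1 FROM event_type_registry"
        " WHERE event_domain=? AND event_type=? AND active=1)",
        (domain, event_type, payload, domain, event_type))
    db.commit()
    return db.total_changes - before == 1

def outbox_count(db):
    return db.execute("SELECT COUNT(*) FROM event_outbox").fetchone()[0]
```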
42.8 No-local-governance (no-island) proof
The four substrates introduce no second governance roof. Each obligation maps to the one existing central object:
| Obligation | Single central object reused | New parallel object? |
|---|---|---|
| Snapshots | evolution_snapshots | none |
| Rules | measurement_registry (+ tiny governance_ruleset version row) | none (version registry is a config-version row, not a rule store) |
| Cursors/lease/heartbeat | iu_route_worker_cursor shape + queue_heartbeat + event_pending | gov_worker_cursor is a governance-scoped twin of the live cursor, not a new framework |
| Candidate state | (new) governance_candidate_state modeled on derived_objects_registry | the dirty/stale engine is reused, not rebuilt |
| Event domain | event_type_registry (one governance domain) | none |
| Emit | event_outbox | none |
| Capture/retry | event_pending | none |
| Notification | event_subscription + event_read | none |
| Findings | system_issues | none |
| Audit | registry_changelog | none |
| Ownership/authority | SB-2 governance_object_ownership + governance_responsibility_scope (gated) | none |
One domain, one bus, one issue store, one audit, one heartbeat, one cursor family, one candidate store. GOV-SIV owns detection/emit; Điều 31/32/35 separation preserved (propose → council → GOV-DOT execute); no component self-applies.
42.9 No-hardcode proof
Every literal a naïve implementation would hardcode is sourced from a registry/config/catalog (law §5 no_hardcode_absolute):
| Would-be literal | Discovered from |
|---|---|
| object classes | meta_catalog.entity_type (169) + coverage-profile class catalog (M-DEF-2) |
| per-class members | meta_catalog.registry_collection → birth_registry/pivot_definitions/dot_tools/information_unit/collection registries |
| source registries | birth_registry.collection_name (78) |
| axes | Axis Registry (M-DEF-9) when live; interim pivot_definitions (37) + law_jurisdiction (43); absence = axis_unregistered finding, never a silent fallback |
| scopes | governance_responsibility_scope (6 SB-2 rows; null-degrade until live) |
| rules / detectors | measurement_registry enabled rows (140/142), hashed into ruleset_version |
| risk class / coverage-required | coverage profile (M-DEF-2) |
| severity | computed (escalate(base, risk, shared_truth), doc 24) |
| owner / route | v_object_effective_owner (SB-2) → default_owner_hint → GOV-COUNCIL |
| event types | rows in event_type_registry |
| worker sources / batch sizes / windows | gov_worker_cursor.source_name/metadata (data) |
| coverage decisions | collection_registry.coverage_status ledger (168) |
A new class / registry / axis / rule / scope = a new row → automatically in scope. No code array of axes or object classes anywhere; missing source → fail closed + finding, never an invented list.
42.10 Which parts are designable now vs require council/human approval
| Item | Now (design) | Council / human |
|---|---|---|
| SB-12 snapshot reuse + ruleset hashing design | ✅ (done, doc 38) | ruleset owner + activation policy = C-7 |
| SB-13 cursor family design | ✅ (done, doc 39) | — (DDL is operator, not council) |
| SB-10 candidate-state schema + verdict model | ✅ (done, doc 40) | input-trust policy (input_quality_state) = C-7 |
| SB-11 domain vocabulary + handoff path design | ✅ (done, doc 41) | observer-trigger ruling (Đ32 §4 B) = C-7; activation = register-before-emit gate |
| Any build (DDL, register, emit, worker, apply) | ❌ NO-GO | G-DDL operator + G-C7 + G-RBE + (apply) G-APPLY/H-1/H-2/SB-6 |
42.11 Integrated readiness verdict
GCOS substrate design (SB-10/11/12/13) = COMPLETE and mutually consistent. Build-prep = GO. Build = NO-GO pending: G-DDL (operator rehearsal), G-C7 (council ruling), G-RBE (register-before-emit at T7 build), and — for owner-relevant work and any apply — SB-1/SB-2/H-1/H-2/SB-6. Additive footprint ≤ 4 tables, 0 new buses/stores. No-island and no-hardcode both proven. The substrates slot under the unchanged T6/T7 design as the durability/efficiency layer; T6/T7 build is correctly gated on these four + the 11 addenda + the docs-24/25 cross-ref. No self-approval; os_proposal_approvals=0 ⇒ COMMIT_FORBIDDEN.
(Cross-refs: docs 38/39/40/41 (the four designs), doc 35 §3.2/§3.3/§5, doc 03 blocker register, doc 43 next prompts, doc 44 self-review.)