Macro-4 B2 Rollback/Delete Contract — R2-B2 (2026-06-19)
Macro-4 B2 Rollback/Delete Contract — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-4-STAGING-WORKBENCH-IO-CONTRACT-TD-ENTRY-GATE-2026-06-19 (Deliverable 33 of 90) · Editorial revision: rev1
Class: B2 rollback/delete contract · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · B2-ONLY · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision/
content_lengthauthoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. B2's rollback_surface + delete-fast unit. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Define B2's rollback/delete as one bounded unit, with the downstream-certify subtlety surfaced.
2. Sources / evidence read
Inspect-producer §10 (S8 unit + downstream-certify); TD-readiness §9 (HOLD-2); pilot-slice staging IO contract §10 (staging = deletion is rollback). Main process, no reader-agents.
3. Accepted baseline (carried)
B2's rollback unit = one producer run. In the workbench, deletion is the rollback (no production rollback). HOLD-2 OPEN: no atomic birth-certify promote txn; fn_iu_enact (IU lineage) is distinct.
4. Evidence / analysis — B2 rollback/delete
| Element | Requirement |
|---|---|
| Unit | one B2 producer run = one rollback/delete unit |
| Workbench | candidate inspect_* + staging evidence delete together; production untouched |
| Production (future) | completing all three inspect_* triggers B4 auto-certify → the unit must account for unwinding a triggered certify (Owner-gated, future TD) |
| Snapshot | Điều 39 pre-batch snapshot = candidate pattern to evaluate, not a script |
| No script | no DELETE/UPDATE/migration written |
5. Contract / requirement / matrix / result
If a clean per-run unit cannot be defined (incl. downstream-certify), the design is not write-authorized — fail-closed. The mechanism is FUTURE_TECHNICAL_DESIGN_REQUIRED.
6. Owner-gated future work
Defining/executing the rollback/delete mechanism (incl. downstream-certify) is Owner-gated; forbidden now.
7. What remains unresolved
HOLD-2 OPEN; downstream-certify unwind undecided.
8. Ready for GPT/Codex review
Yes — Codex should confirm the unit is one run, surfaces downstream-certify, and writes no script.