Macro-4 Rollback Without Production Touch — R2-B2 (2026-06-19)
Macro-4 Rollback Without Production Touch — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-4-STAGING-WORKBENCH-IO-CONTRACT-TD-ENTRY-GATE-2026-06-19 (Deliverable 41 of 90) · Editorial revision: rev1
Class: rollback without production touch · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision/
content_lengthauthoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. Why workbench rollback never touches production, and how the production case differs. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Establish that in the workbench, deletion is the rollback and there is no production rollback to perform.
2. Sources / evidence read
Pilot-slice staging IO contract §10; bad-input/delete-fast plan §9; inspect-producer §10 (downstream-certify, HOLD-2). Main process, no reader-agents.
3. Accepted baseline (carried)
Because the workbench never wrote production, the rollback boundary lives entirely inside the staging surface — strictly simpler than B2's production S8 rollback (which must contend with downstream-certify + HOLD-2).
4. Evidence / analysis
| Case | Rollback |
|---|---|
| Workbench draft run | dispose the candidate outputs + staging evidence; no production rollback (it never wrote production) |
| No downstream-certify | B4 never sees staging candidates → completing all three candidate inspect_* triggers no production certify → nothing downstream to unwind |
| Production B2 (future) | completing all three real inspect_* triggers B4 auto-certify → the rollback unit must account for a triggered certify (Owner-gated, future TD); HOLD-2 OPEN |
5. Contract / requirement / matrix / result
The workbench rollback is contained and complete (deletion = rollback). The production rollback is a separate, harder problem surfaced honestly and not solved here. No rollback is executed here.
6. Owner-gated future work
Defining the production rollback (incl. downstream-certify) is Owner-gated; forbidden now.
7. What remains unresolved
HOLD-2 OPEN; the production downstream-certify unwind is undecided.
8. Ready for GPT/Codex review
Yes — Codex should confirm the workbench rollback touches no production and the production case is left open, not faked.