KB-15C8

Macro-5 Staging TD Candidate Rollback Model — R2-B2 (2026-06-19)

3 min read Revision 1

laws-newR2-B2macro-5staging-td-candidaterollback-modelhold-2non-authorizing2026-06-19

Macro-5 Staging TD Candidate Rollback Model — R2-B2 (2026-06-19)

Date: 2026-06-19 · Workstream: R2-B2-MACRO-5-STAGING-BUILD-AUTHORIZATION-PACKAGE-2026-06-19 (Deliverable 20 of 110) · Editorial revision: rev1 Class: non-executable staging TD candidate (rollback model) · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.

Metadata convention. Editorial revision (rev1) only. AgentData storage revision/content_length authoritative at read time.

NON_EXECUTABLE_TD_CANDIDATE. No DELETE/UPDATE/migration/rollback script. One-unit rollback described, not coded.

0. Status and non-authorization

STATUS: PASS — engineering / design-only. The candidate rollback model: one run = one delete unit; downstream-certify surfaced. Engineering PASS ≠ authority PASS. Default: HOLD.

1. Purpose

Define rollback as one bounded unit, with the downstream-certify subtlety kept visible.

2. Sources / evidence read

Macro-4 B2 rollback/delete contract (D33); TD-readiness HOLD-2 (carried); pilot-slice "deletion is rollback". Main process, no reader-agents.

3. Accepted baseline (carried)

B2's rollback unit = one producer run. In the workbench, deletion is the rollback. HOLD-2 OPEN: no atomic birth-certify promote txn; fn_iu_enact (IU lineage) is distinct.

4. Evidence / analysis — rollback model

Element	Requirement
unit	one B2 producer run = one rollback/delete unit
workbench	candidate `inspect_*` + staging evidence delete together; production untouched
production (future)	completing all three `inspect_*` triggers B4 auto-certify → the unit must account for unwinding a triggered certify (Owner-gated, future TD)
snapshot	Điều 39 pre-batch snapshot = a pattern to evaluate, not a script
no script	no DELETE/UPDATE/migration written

5. Candidate / requirement / gate / result

If a clean per-run unit cannot be defined (incl. downstream-certify), the design is not write-authorized — fail-closed. The mechanism is FUTURE_TECHNICAL_DESIGN_REQUIRED. HOLD-2 remains OPEN.

6. Owner-gated future work

Defining/executing the rollback/delete mechanism is Owner-gated; forbidden now.

7. What remains unresolved

HOLD-2 OPEN; downstream-certify unwind undecided.

8. Ready for GPT/Codex review

Yes — Codex should confirm the unit is one run, surfaces downstream-certify, and writes no script.