KB-2540

Mega Gate — S8 Rollback / Downstream-Certify Readiness

Date: 2026-06-18 · Workstream: LEGO-PILOT-SLICE-0-B2-MEGA-GATE-BUNDLE-2026-06-18 (Deliverable 17 of 20) · Editorial revision: rev1 · Class: design-only / rollback-unit readiness / IO-contract boundary · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NOT remediation · NOT technical design · NOT implementation · NO rollback script · NO blocker resolved · NO runtime touched.

Metadata convention. Editorial revision (rev1) only. AgentData storage revision and content_length are authoritative in AgentData metadata at read time; not pinned in this body.

S8-readiness lock. This packet states B2's per-run rollback unit and the downstream-certify interaction it must account for — as a discipline/contract, not a script. It writes no rollback script, no DELETE/UPDATE/SQL/command sequence. It evaluates fn_iu_enact and the Đ39 pre-batch snapshot as reuse candidates, not turnkey. HOLD-2 (no atomic birth-certify promote transaction) is OPEN and unresolved.


0. Status and non-authorization

STATUS: PASS — engineering / design-only. This is a complete design-only S8 rollback-readiness packet: B2's per-run rollback unit, the downstream B4 auto-certify interaction the unit must account for, the reuse candidates (fn_iu_enact pattern; Đ39 pre-batch snapshot) as candidates-not-turnkey, the fail-closed S8 rule, and the HOLD-2-open posture.

Engineering PASS ≠ authority PASS. A PASS means the S8 readiness is fully specified on paper. It is not an Owner authorization to execute a rollback, write a rollback script, or build B2. Default disposition: HOLD.

Pipeline position (downstream-only). Deliverable 17 of the Mega Gate Bundle; it deepens GATE-8 (the S8 unit + Đ39 snapshot + downstream-certify; HOLD-2) and the B2 TD-prep §10 / interface S8 into a rollback-unit readiness. It writes no script.

Non-authorization (explicit). As Deliverable 1 §0, and specifically: it writes no rollback script / DELETE / UPDATE / SQL / command sequence; executes no rollback; builds no B2; resolves no HOLD-2. v0.1/FIX7 V3 not overwritten; v0.2 not authority.

Evidence basis — INHERITED_EVIDENCE. No runtime queried. fn_iu_enact (atomic + fail-closed + post-write-verify, IU lineage) is carried; HOLD-2 (no atomic birth-certify promote txn) is OPEN. AgentData metadata authoritative at read time. CAV-3/CAV-4/CAV-5 carried.

Reading discipline (Codex caveat, honored). All sources read directly from AgentData KB, bounded/sequential, by the main process — no parallel/background reader-agents, no sub-agents, no local-prose inference. /tmp = decode-scratch only, never SSOT.


1. Purpose

State the S8 rollback prerequisites for B2 (GATE-8). The packet answers:

  1. What is B2's per-run rollback unit? — §5 unit.
  2. What downstream-certify interaction must it account for? — §5 downstream.
  3. What reuse candidates exist, and why are they candidates-not-turnkey? — §5 reuse.
  4. What is the fail-closed S8 rule, and where does HOLD-2 stand? — §5 fail-closed.

The one rule, above all detail. B2's rollback unit = one producer run; completing all three inspect_* legitimately triggers B4's independent auto-certify, so the rollback unit must account for that downstream effect (whether/how to unwind a triggered certify is FUTURE_TECHNICAL_DESIGN_REQUIRED + Owner-gated). A design with no clean rollback unit is not authorized — fail closed. HOLD-2 is OPEN: no atomic end-to-end birth-certify promote transaction exists today. This packet states the unit; it writes no script.


2. Sources read

All 25 required sources read first-hand from AgentData KB, by the main process, sequentially; none SOURCE_NOT_READ (full list in Deliverable 20 §2). Used principally: the B2 TD-prep §10 (the per-run unit; reuse candidates; the downstream-certify subtlety; fail-closed S8 rule; HOLD-2); the interface packet S8 (rollback unit discipline, no script); the R2 readiness scope §8 (fn_iu_enact atomic for IU lineage, distinct from birth-certify; HOLD-2 PARTIAL); the staging rollback boundary (Deliverable C §10 — staging has no downstream certify); operating-rules (no-script discipline).


3. Accepted baseline (carried, not re-derived)

  • B2 rollback unit = one producer run (a single bounded scan-and-stamp pass) — the unit at which B2 can be undone, deleted, and rebuilt (swap channel, keep contract).
  • Reuse candidates (patterns, not turnkey): the Điều 39 mandatory pre-batch snapshot before an ABox-style write pass; the fn_iu_enact atomic + fail-closed + post-write-verify pattern (IU lineage) — both are candidates to evaluate, never scripts to copy (Điều 35 "reuse the pattern, not the running system").
  • The downstream-certify subtlety (carried): completing all three inspect_* on a row legitimately triggers B4's independent auto-certify — a downstream effect (certified=true) outside B2; the rollback unit must account for whether/how to unwind it (FUTURE_TECHNICAL_DESIGN_REQUIRED, Owner-gated).
  • Fail-closed S8 rule: if a clean per-run rollback unit cannot be defined for a candidate B2 design (incl. the downstream-certify interaction), that design is not authorized for write.
  • HOLD-2 OPEN: no atomic end-to-end birth-certify promote transaction today; fn_iu_enact is for the IU lineage, distinct from birth-certify, and must not be assumed to cover it.
  • No script (carried, B2-AC-9 / RP-AC-8): S8 is a per-block rollback unit discipline only.
  • Blockers — all OPEN. Tool/packet lock carried.

4. Analysis — the unit is clean; the downstream effect is the open part

B2's own writes are simple to bound: one producer run sets some inspect_* columns; rolling that back is, in principle, unsetting exactly those columns from that run. The complication is not B2's writes — it is the legitimate downstream trigger: if a run completes all three inspect_* on a row, B4 independently and atomically flips certified=true. That certify lies outside B2 (B4 acts on its own contract through the B3 stud), so "rollback one producer run" has a downstream effect B2 cannot directly undo. This does not break LEGO isolation (B2 still writes only inspect_*), but the rollback-unit definition must account for it. And because there is no atomic end-to-end birth-certify promote transaction (HOLD-2), there is no existing single transaction whose rollback would cleanly cover both the stamp and the triggered certify. The readiness verdict is therefore Partial: the unit is defined; the mechanism + downstream-certify unwind + HOLD-2 are open. The staging case is strictly simpler (Deliverable C §10): staging never certifies (B4 never sees candidates), so the staging rollback has no downstream effect — which is exactly why the minimal pilot proves the producer half safely.


5. S8 rollback / downstream-certify readiness

5.1 The per-run rollback unit (GATE-8)

| # | Rollback-unit element | What it requires (discipline, not a script) | State today |
|---|---|---|---|
| S8R-1 | Unit = one producer run | one bounded scan-and-stamp pass is the undo/delete/rebuild unit (swap channel, keep contract) | Defined (carried) |
| S8R-2 | Đ39 pre-batch snapshot | a mandatory pre-batch snapshot before any ABox-style write pass — a candidate pattern to evaluate, not copy | Candidate (carried) — to evaluate in TD |
| S8R-3 | fn_iu_enact reuse evaluated, not assumed | the atomic + fail-closed + post-write-verify pattern (IU lineage) is a reuse candidate; it is distinct from birth-certify and must not be assumed to cover it (HOLD-2) | Candidate (carried) — distinct from birth-certify |
| S8R-4 | Downstream-certify interaction accounted for | completing all three inspect_* triggers B4's auto-certify; the unit must account for whether/how to unwind a triggered certify (Owner-gated, FUTURE_TD) | Open — mechanism FUTURE_TD |
| S8R-5 | Fail-closed S8 rule | if a clean per-run rollback unit (incl. downstream-certify) cannot be defined, the design is not authorized for write | Stated — fail-closed default |

5.2 The downstream-certify interaction (the open part)

  • What happens: a producer run that completes all three inspect_* on a row → B4 (trg_birth_auto_certify → fn_birth_auto_certify) atomically flips certified=true, certified_at. This is the intended pipeline coupling through the B3 stud, not a call from B2.
  • Why it complicates rollback: undoing "one producer run" leaves a triggered certify downstream of B2. Whether to also unwind that certify, and how, is FUTURE_TECHNICAL_DESIGN_REQUIRED and Owner-gated. No mechanism is decided here.
  • HOLD-2 (OPEN): there is no atomic end-to-end birth-certify promote transaction; fn_iu_enact is IU-lineage-only and must not be assumed to cover birth-certify. So no existing single transaction cleanly brackets stamp + triggered certify.
  • Staging contrast (carried): in staging, B4 never sees candidates, so completing all three candidate inspect_* triggers no certify — the staging rollback unit has no downstream effect (Deliverable C §10). This is why the minimal pilot (Deliverable 15) proves the producer half without the downstream-certify complication.
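The stamp-then-trigger interaction described in §4 and the bullets above, as an added illustrative model: this is not the packet's design, not project code, and not a rollback script; it is an in-memory Python simulation that touches no runtime. The column names inspect_a/inspect_b/inspect_c, the per-stamp run_id provenance, and the InspectTable / rollback_unit_is_clean helpers are assumptions made for the illustration; the after-write hook stands in for trg_birth_auto_certify → fn_birth_auto_certify, and certifier_enabled=False stands in for staging, where B4 never sees candidates.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Placeholder names for the three inspect_* columns (hypothetical; the packet does not name them).
INSPECT_COLS = ("inspect_a", "inspect_b", "inspect_c")


@dataclass
class Row:
    # inspect_* value, plus the producer run that stamped each column (None = unstamped)
    inspect: Dict[str, Optional[str]] = field(
        default_factory=lambda: {c: None for c in INSPECT_COLS})
    stamped_by: Dict[str, Optional[str]] = field(
        default_factory=lambda: {c: None for c in INSPECT_COLS})
    certified: bool = False
    certified_by_run: Optional[str] = None  # run whose stamp completed the row


class InspectTable:
    """Toy table with a B4-like after-write hook standing in for the auto-certify trigger."""

    def __init__(self, certifier_enabled: bool):
        # certifier_enabled=False models staging, where B4 never sees candidates
        self.certifier_enabled = certifier_enabled
        self.rows: Dict[int, Row] = {}

    def stamp(self, row_id: int, col: str, value: str, run_id: str) -> None:
        row = self.rows.setdefault(row_id, Row())
        row.inspect[col] = value
        row.stamped_by[col] = run_id   # provenance: which run owns this stamp
        self._after_write(row, run_id)

    def _after_write(self, row: Row, run_id: str) -> None:
        # Independent downstream step: once all three inspect_* are present, certify.
        if (self.certifier_enabled and not row.certified
                and all(row.inspect[c] is not None for c in INSPECT_COLS)):
            row.certified = True
            row.certified_by_run = run_id

    def downstream_effects(self, run_id: str) -> List[int]:
        # rows whose certified=true was triggered by a stamp from this run
        return sorted(rid for rid, r in self.rows.items()
                      if r.certified and r.certified_by_run == run_id)

    def rollback_run(self, run_id: str) -> List[int]:
        # The per-run unit: unset exactly the columns this run stamped, nothing else.
        for row in self.rows.values():
            for c in INSPECT_COLS:
                if row.stamped_by[c] == run_id:
                    row.inspect[c] = None
                    row.stamped_by[c] = None
        # Whatever certify the run triggered lies outside this unit and stays behind.
        return self.downstream_effects(run_id)


def rollback_unit_is_clean(table: InspectTable, run_id: str) -> bool:
    """Fail-closed S8 check: clean only if undoing the run leaves no downstream effect."""
    return not table.downstream_effects(run_id)


def scenario(certifier_enabled: bool) -> dict:
    """Constructed scenario: run-001 stamps two columns on row 1; run-002 completes the
    third and also stamps one column on row 2; then run-002 is rolled back."""
    t = InspectTable(certifier_enabled)
    t.stamp(1, "inspect_a", "ok", "run-001")
    t.stamp(1, "inspect_b", "ok", "run-001")
    t.stamp(1, "inspect_c", "ok", "run-002")   # completes row 1: certify fires (production only)
    t.stamp(2, "inspect_a", "ok", "run-002")
    clean = rollback_unit_is_clean(t, "run-002")
    residue = t.rollback_run("run-002")
    return {
        "clean": clean,
        "residue": residue,                          # rows left certified by run-002
        "row1_a": t.rows[1].inspect["inspect_a"],    # run-001's stamp survives
        "row1_c": t.rows[1].inspect["inspect_c"],    # run-002's stamp is unset
        "row2_a": t.rows[2].inspect["inspect_a"],
        "row1_certified": t.rows[1].certified,
    }


if __name__ == "__main__":
    print("production:", scenario(True))
    print("staging:   ", scenario(False))
```

Running the two scenarios shows the asymmetry the verdict rests on: in production, rolling back run-002 unsets exactly its own stamps (row 1's run-001 stamps survive) but leaves row 1 certified, so the fail-closed check returns False and the design would not be authorized as it stands; in staging the same rollback leaves no residue and the unit is clean, which is why the minimal pilot can prove the producer half on its own.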

5.3 No-script discipline

The rollback mechanism (how the unit is executed; how a triggered certify would be unwound) is FUTURE_TECHNICAL_DESIGN_REQUIRED. No rollback script / DELETE / UPDATE / migration plan / command sequence is written here (B2-AC-9 / RP-AC-8). S8 is a per-block rollback unit discipline only.

Verdict (GATE-8): PARTIAL. The unit (S8R-1) is defined; the reuse candidates (S8R-2/S8R-3) are evaluated as candidates; the downstream-certify mechanism (S8R-4) is open; HOLD-2 is OPEN. A read-only re-confirm of fn_iu_enact (atomic/fail-closed/post-verify, IU lineage) + the B4 trigger is part of Macro-1; the rollback mechanism is designed within the TD behind a separate gate. No script is written; no rollback is executed; HOLD-2 is not resolved.


6. Owner-gated future work

| Future work | Gate required | Forbidden now? |
|---|---|---|
| Define/execute the per-run rollback mechanism (incl. downstream-certify unwind) | Điều 32 + S8 within B2's package | Yes |
| Evaluate/reuse the fn_iu_enact pattern + Đ39 snapshot for B2 | Điều 32 (design); reuse-pattern-not-turnkey | Yes |
| Resolve HOLD-2 (build an atomic birth-certify promote transaction) | a separate Owner-gated workstream | Yes |
| Re-confirm fn_iu_enact + the B4 trigger read-only | Owner authorizes a read-only pass (Macro-1) | Yes |

7. What remains unresolved

  • GATE-8 Partial — unit defined; mechanism + downstream-certify + HOLD-2 open.
  • HOLD-2 OPEN — no atomic end-to-end birth-certify promote transaction; fn_iu_enact is IU-lineage-only, distinct from birth-certify.
  • The downstream-certify unwind is FUTURE_TD — completing all three inspect_* triggers B4; whether/how to unwind is Owner-gated.
  • No rollback script written (B2-AC-9 / RP-AC-8) — S8 is a unit discipline only.
  • Staging is simpler — no downstream certify in staging; the minimal pilot proves the producer half without this complication.
  • Blockers — all OPEN, none resolved: CONS-002, CONS-003, CELL-003/004/007, HOLD-1, HOLD-2, RISK-BYPASS, GOV-016/017, GOV-REUSE-001, Điều 39 runtime-EMPTY, Điều 35 production-readiness FAIL.
  • FUTURE_TECHNICAL_DESIGN_REQUIRED (NOT written here): the rollback mechanism, the downstream-certify unwind, any DELETE/UPDATE/SQL/command sequence.

8. Ready for GPT/Codex review

Yes — as a design-only rollback-unit readiness packet, not a script.

Core rule, kept above all detail: B2's rollback unit = one producer run; completing all three inspect_* triggers B4's independent certify, so the unit must account for that downstream effect (unwind mechanism FUTURE_TD); reuse fn_iu_enact/Đ39-snapshot as candidates-not-turnkey; a design with no clean rollback unit is not authorized (fail closed). HOLD-2 is OPEN; no script is written; no rollback is executed.

Default disposition: HOLD. Engineering PASS = a complete rollback-unit readiness on paper; it is not an Owner authorization to execute a rollback, write a script, or resolve HOLD-2. No PASS authorizes writes. All blockers remain OPEN.
