KB-663F
08 — Rollback / retire / ledger plan 2026-06-23
Revision 1
c1-legorollbackretiredot-manage-ledger
Every staged change is individually reversible. Nothing is applied this turn.
A. Rollback per step
| step | forward | rollback / retire |
|---|---|---|
| code deploy (handler fn) | `patch_ops_code` APR full_replace of `dot-apr-execute` | `execute_patch_ops_code` keeps `.bak-<session>`; restore backup + `vps_deploy_log` status='rolled_back'. Or re-deploy prior version. Removing the function/arm reverts dispatch to `*) SKIP` fail-closed. |
| handler_ref binding | migration `UPDATE … = 'dot-apr-execute:authorize_build_step'` | `UPDATE … SET handler_ref='unimplemented' WHERE action_code='authorize_build_step'` (file `migration/…staged.sql` rollback block). Reverts to reserve-only RAISE state. |
| a minted grant | handler INSERT (status='active') | `UPDATE governance_build_authorization SET status='revoked', revoked_at=now(), revoked_by=<actor>, revoked_reason=<why> WHERE auth_code='GBA-C1-<apr_code>'` (`chk_revoked_pair`: set all three). |
| the proposing APR | `dot-apr-propose` | reject/withdraw the APR before approval (status≠applied); no grant exists yet. |
Order of rollback (reverse of apply): revoke grant → unbind handler_ref → restore code.
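
The revoke and unbind steps in the stated rollback order, as an added example that is not the project's own code. It runs against a constructed in-memory SQLite schema and rests on three assumptions: `chk_revoked_pair` is modelled as "a revoked row carries all three revoke fields", the table name `action_binding` is hypothetical because the page elides the real one, and `GBA-C1-APR-EXAMPLE` is a constructed sample grant.

```python
import sqlite3

# Constructed stand-in schema (assumption, not the project's DDL).
# action_binding is a hypothetical name for the table holding handler_ref.
SCHEMA = """
CREATE TABLE governance_build_authorization (
  auth_code TEXT PRIMARY KEY, status TEXT NOT NULL,
  revoked_at TEXT, revoked_by TEXT, revoked_reason TEXT,
  CONSTRAINT chk_revoked_pair CHECK (status <> 'revoked' OR
    (revoked_at IS NOT NULL AND revoked_by IS NOT NULL
     AND revoked_reason IS NOT NULL)));
CREATE TABLE action_binding (action_code TEXT PRIMARY KEY, handler_ref TEXT NOT NULL);
INSERT INTO governance_build_authorization (auth_code, status)
  VALUES ('GBA-C1-APR-EXAMPLE', 'active');  -- constructed sample grant
INSERT INTO action_binding VALUES ('authorize_build_step', 'dot-apr-execute:authorize_build_step');
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def partial_revoke_rejected(db, auth_code):
    """Flipping status alone must trip the check and leave the grant untouched."""
    try:
        with db:  # rolls back on the constraint error
            db.execute("UPDATE governance_build_authorization SET status='revoked' "
                       "WHERE auth_code=?", (auth_code,))
    except sqlite3.IntegrityError:
        return True
    return False

def rollback(db, auth_code, actor, why):
    """Reverse of apply: revoke grant, then unbind handler_ref. One transaction is
    this example's choice; restoring the code backup is outside the database."""
    with db:
        revoked = db.execute(
            "UPDATE governance_build_authorization SET status='revoked', "
            "revoked_at=datetime('now'), revoked_by=?, revoked_reason=? "
            "WHERE auth_code=? AND status='active'", (actor, why, auth_code)).rowcount
        db.execute("UPDATE action_binding SET handler_ref='unimplemented' "
                   "WHERE action_code='authorize_build_step'")
    return revoked  # 0 on a repeat run: the original revoke record is not rewritten

def state(db, auth_code):
    status = db.execute("SELECT status FROM governance_build_authorization "
                        "WHERE auth_code=?", (auth_code,)).fetchone()[0]
    ref = db.execute("SELECT handler_ref FROM action_binding").fetchone()[0]
    return status, ref
```

The `status='active'` guard makes a repeated rollback a no-op, so the first revocation's actor, time and reason stay as the audit record.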
B. Retire path (decommission the LEGO)
- Unbind: `handler_ref='unimplemented'` (action returns to reserve-only; trigger RAISEs again).
- Optionally remove the `case` arm + function via a `patch_ops_code` APR (dispatch default already fail-closed even if left in place but unbound).
- Revoke any live grant. No table is dropped (gba/apr_action_types pre-existed and are shared).
C. DOT-manage ledger plan (governed SoR = AgentData KB)
- This package is uploaded to the AgentData KB (evidence SSOT) with per-file sha256 readback (file 11 / upload step). The KB entry IS the ledger record for this staging milestone.
- The existing staged ledger payload `reports/c1-lego-…/staged-artifacts/dot-manage/dot-manage-c1-ledger-update.staged.md` is extended (not duplicated) at execution time to record: handler deployed (vps_deploy_log id), handler_ref bound (migration applied), issuer registered. Those ledger writes are interleaved with the governed steps (armed `HOLD…LEDGER_NOT_UPDATED` if a step lands without its ledger row).
- No DOT is registered this turn, so no `dot_tools`/CAT-006 ledger row is created or required yet (the issuer remains a staged script; its DOT registration is the separate owner-gated step).
⇒ rollback/retire defined for every step ⇒ does not trigger a rollback-incompleteness stop.