READY-TO-ASSEMBLE-LEGO1 08 — C1 Rollback & Recovery Plan (Not Executed) — 2026-06-22
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations.
Carrier: C1 — canonical_operation vocabulary contract. All rollback commands below: WRITE_PLANNED_NOT_RUN. Defining this contract does not authorize executing it (I10).
1. What rollback MEANS for C1
A C1 rollback is a versioned, compensating, local supersession: mark a canonical_operation value (or vocabulary version) superseded/retired, keep it resolvable for historical effects, set successor_code if replaced, and write a rollback_ref audit entry. It is never destructive deletion.
2. What rollback is FORBIDDEN to do
- Delete a value referenced by a historical effect (ROLLBACK_DELETES_REFERENCED_IDENTITY).
- Erase the value's prior record/audit (ROLLBACK_ERASES_HISTORY).
- Re-mean an existing value in place (ROLLBACK_CHANGES_HISTORICAL_SEMANTICS).
- Drop/optionalize governing_authority_ref (ROLLBACK_WEAKENS_AUTHORITY).
- Leave a retired value admissible for new use (ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED).
- Require editing C2 or any other carrier to "complete" the rollback (ROLLBACK_NOT_LOCAL).
- Execute as a runtime act during design/review (RUNTIME_MUTATION_REJECTED).
3. Rollback rules
- Successor / supersession rule: every retire sets status and (if replaced) successor_code; absence ⇒ ROLLBACK_SUCCESSOR_RULE_ABSENT (RBP-7).
- Forward fail-closed (I6): new use of a retired value is rejected unless a successor maps it; admissibility after retire ⇒ ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED (RBP-8).
- History preservation (I2): prior value records and audit remain readable.
- Reference preservation (I1/I3): historical effects that hashed the value still resolve it.
- Authority non-weakening (I5): governing_authority_ref stays required.
- Audit trail (I8): the rollback writes a rollback_ref + audit row.
- Locality (I9): rollback stays within governance_canonical_operation_vocab.
4. RBP-0..RBP-10 mapping (explicit, per instruction §3.8)
| RBP | Code | C1 rollback obligation | Violating input → result |
|---|---|---|---|
| RBP-0 | RUNTIME_MUTATION_REJECTED | no rollback executed at design/review | execute now → rejected |
| RBP-1 | ROLLBACK_PLAN_ABSENT | a rollback plan object exists for C1 | no plan → rejected |
| RBP-2 | ROLLBACK_DELETES_REFERENCED_IDENTITY | never delete a referenced value | delete value → rejected |
| RBP-3 | ROLLBACK_ORPHANS_DEPENDENCY | keep C1→C2 ref resolvable | dangling C2 ref → rejected |
| RBP-4 | ROLLBACK_ERASES_HISTORY | keep prior value/audit readable | erase record → rejected |
| RBP-5 | ROLLBACK_CHANGES_HISTORICAL_SEMANTICS | no in-place re-meaning | re-mean value → rejected |
| RBP-6 | ROLLBACK_WEAKENS_AUTHORITY | keep governing_authority_ref required | drop authority → rejected |
| RBP-7 | ROLLBACK_SUCCESSOR_RULE_ABSENT | set status/successor on retire | no successor rule → rejected |
| RBP-8 | ROLLBACK_FORWARD_FAIL_CLOSED_VIOLATED | retired value fail-closed for new use | still admissible → rejected |
| RBP-9 | ROLLBACK_AUDIT_TRAIL_ABSENT | write rollback_ref + audit | no audit → rejected |
| RBP-10 | ROLLBACK_NOT_LOCAL | stay within C1 table | needs C2 edit → rejected |
| RBP-PASS | ROLLBACK_CONTRACT_VALID_FOR_REVIEW | all I1–I10 hold (review-only; not execution authority) | — |
PASS is reachable only when ¬RBP0 ∧ ¬RBP1 ∧ … ∧ ¬RBP10 (closeout file 02). A valid C1 rollback plan (retire-with-successor, resolvable, audited, local, authority-preserving) earns ROLLBACK_CONTRACT_VALID_FOR_REVIEW — which is necessary-not-sufficient and grants no execution authority.
5. Rollback command shape (WRITE_PLANNED_NOT_RUN)
```sql
-- retire-with-successor (local, resolvable, audited) — NOT RUN
UPDATE governance_canonical_operation_vocab
SET status='retired', successor_code=:successor, superseded_at=now(),
    superseded_by=:executor, rollback_ref=:rollback_ref
WHERE operation_code=:target AND status='active';
-- + INSERT audit row referencing :rollback_ref
```
There is no DELETE in any C1 rollback. A DELETE would be ROLLBACK_DELETES_REFERENCED_IDENTITY and is forbidden.
6. Rollback verification (DRY_RUN_PLANNED_NOT_RUN)
- Retired value still resolvable for historical effects (lookup under old version succeeds).
- New use of the retired value rejected (…_RETIRED_FOR_NEW_USE) unless successor maps it.
- rollback_ref + audit row present.
- No row deleted; no other carrier changed (diff is local).
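Worked model of the section 5 command shape and the section 6 dry-run checks, added here as an example; it is not part of the plan or of any governed artifact. It runs the retire-with-successor UPDATE against a throwaway in-memory sqlite3 table (no governed table, no runtime mutation), performs each section 6 check, and attempts the forbidden DELETE to show the engine refusing it. The retire-then-admit-successor path it exercises is also the forward recovery of section 9. Table and column names are the plan's; the audit table c1_rollback_audit, the effect_history table, the seed values OP_A/OP_B and AUTH-1, the executor name and the error strings are assumptions.

```python
"""Throwaway in-memory model of the C1 retire-with-successor rollback and the section 6 dry-run checks.
Added example, not part of the plan: the plan's UPDATE shape runs against a sqlite3 :memory: table so the
checks can be exercised offline. Table/column names follow the plan; everything else is assumed."""
import sqlite3
from datetime import datetime, timezone

VOCAB = "governance_canonical_operation_vocab"
DDL = f"""
CREATE TABLE {VOCAB} (
    operation_code TEXT PRIMARY KEY,
    status TEXT NOT NULL CHECK (status IN ('active', 'retired')),
    governing_authority_ref TEXT NOT NULL,                 -- NOT NULL: authority cannot be dropped (RBP-6)
    successor_code TEXT REFERENCES {VOCAB}(operation_code),
    superseded_at TEXT, superseded_by TEXT, rollback_ref TEXT);
CREATE TABLE c1_rollback_audit (rollback_ref TEXT PRIMARY KEY, operation_code TEXT NOT NULL,   -- assumed (RBP-9)
    successor_code TEXT, executor TEXT NOT NULL, at TEXT NOT NULL);
CREATE TABLE effect_history (effect_id INTEGER PRIMARY KEY,             -- assumed: effects that hashed a value
    operation_code TEXT NOT NULL REFERENCES {VOCAB}(operation_code));"""


class RollbackRejected(Exception):
    """Carries the RBP code the attempted rollback would violate."""


def open_model():
    """Constructed seed: OP_A and OP_B active, one historical effect that used OP_A."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(DDL)
    con.executemany(f"INSERT INTO {VOCAB}(operation_code, status, governing_authority_ref) VALUES (?, ?, ?)",
                    [("OP_A", "active", "AUTH-1"), ("OP_B", "active", "AUTH-1")])
    con.execute("INSERT INTO effect_history(operation_code) VALUES ('OP_A')")
    con.commit()
    return con


def retire_with_successor(con, target, successor, executor, rollback_ref):
    """The plan's UPDATE shape plus its audit row. There is no DELETE path (RBP-2)."""
    if successor is not None:
        row = con.execute(f"SELECT status FROM {VOCAB} WHERE operation_code = ?", (successor,)).fetchone()
        if row is None or row[0] != "active":   # a successor that does not resolve is no successor rule
            raise RollbackRejected("ROLLBACK_SUCCESSOR_RULE_ABSENT")
    now = datetime.now(timezone.utc).isoformat()
    cur = con.execute(f"""UPDATE {VOCAB} SET status = 'retired', successor_code = :successor,
        superseded_at = :now, superseded_by = :executor, rollback_ref = :rollback_ref
        WHERE operation_code = :target AND status = 'active'""",
        {"successor": successor, "now": now, "executor": executor, "rollback_ref": rollback_ref, "target": target})
    if cur.rowcount != 1:
        con.rollback()
        raise RollbackRejected("target is not an active value; nothing to retire")
    con.execute("INSERT INTO c1_rollback_audit VALUES (?, ?, ?, ?, ?)", (rollback_ref, target, successor, executor, now))
    con.commit()


def resolve_for_historical_effect(con, code):
    """History preservation (I2): a retired row stays readable under its old code, authority intact."""
    row = con.execute(f"SELECT status, successor_code, governing_authority_ref FROM {VOCAB} "
                      "WHERE operation_code = ?", (code,)).fetchone()
    return None if row is None else dict(zip(("status", "successor_code", "governing_authority_ref"), row))


def resolve_for_new_use(con, code, max_hops=8):
    """Forward fail-closed (I6): follow successor_code; a retired value with no successor is rejected."""
    for _ in range(max_hops):
        row = con.execute(f"SELECT status, successor_code FROM {VOCAB} WHERE operation_code = ?", (code,)).fetchone()
        if row is None:
            raise LookupError(f"{code}: UNKNOWN_OPERATION_CODE")
        if row[0] == "active":
            return code
        if row[1] is None:
            raise LookupError(f"{code}: RETIRED_FOR_NEW_USE")   # plan's suffix; its elided prefix is not guessed
        code = row[1]
    raise LookupError(f"{code}: SUCCESSOR_CHAIN_TOO_LONG")


def delete_is_refused(con, code):
    """RBP-2 at the engine: the FK from effect_history makes DELETE of a referenced value fail."""
    try:
        con.execute(f"DELETE FROM {VOCAB} WHERE operation_code = ?", (code,))
    except sqlite3.IntegrityError:
        con.rollback()
        return True
    con.rollback()   # never committed: a DELETE is not a C1 rollback even where the engine allows it
    return False


def dry_run(con, target, successor, rollback_ref, executor="reviewer"):
    """Section 6 checks as booleans; every one must be True for the retire to be valid for review."""
    rows_before = con.execute(f"SELECT COUNT(*) FROM {VOCAB}").fetchone()[0]
    retire_with_successor(con, target, successor, executor, rollback_ref)
    try:
        mapped = resolve_for_new_use(con, target)
    except LookupError:
        mapped = None
    after = resolve_for_historical_effect(con, target)
    return {
        "historical_lookup_resolves": after is not None and after["status"] == "retired",
        "new_use_fail_closed": mapped == successor,   # admissible only through the successor, never directly
        "audit_row_present": con.execute("SELECT COUNT(*) FROM c1_rollback_audit WHERE rollback_ref = ?", (rollback_ref,)).fetchone()[0] == 1,
        "no_row_deleted": con.execute(f"SELECT COUNT(*) FROM {VOCAB}").fetchone()[0] == rows_before,
        "authority_preserved": after is not None and after["governing_authority_ref"] is not None,
        "delete_refused": delete_is_refused(con, target),
    }


if __name__ == "__main__":
    print(dry_run(open_model(), "OP_A", "OP_B", "RB-0001"))
```

Running it prints every section 6 check as True for retiring OP_A in favour of OP_B. The NOT NULL on governing_authority_ref and the foreign key from effect_history put RBP-6 and RBP-2 into the schema itself, so a rollback that tried to drop authority or delete a referenced value would be refused by the engine even if the procedure were wrong; the fail-closed rule (RBP-8) lives in resolve_for_new_use, which never returns a retired code and only admits the active successor it maps to.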
7. Rollback evidence (file 10)
Before-state snapshot of the value, the UPDATE diff, the audit rollback_ref, an after-state readback proving the value is still resolvable for historical effects and fail-closed for new use, and a hash of the rollback record.
8. Rollback stop states
| Condition | Stop |
|---|---|
| Rollback would delete, erase history, re-mean a value, weaken authority, require a non-local edit, or leave a retired value admissible | reject with the matching RBP code; do not execute |
| No Chairman authorization for the rollback act | G2_EXECUTION_REQUIRES_SEPARATE_AUTHORIZATION (rollback execution is its own authorized act) |
| Runtime mutation attempted in review | RUNTIME_MUTATION_REJECTED (RBP-0) |
9. Recovery (forward) — never destructive
If a wrong value was admitted: retire it (RBP-8-safe) and admit a corrected successor as a new governed entry. Recovery is forward supersession, never deletion or in-place edit. Deletion ≠ rollback.
10. Boundary attestation
This file defines a rollback contract at design level. It executes no rollback, deletes nothing, writes no row, opens no P2/lane, and clears no blocker. Every command is WRITE_PLANNED_NOT_RUN. REGISTRATION_HOLD retained; REGISTRATION_CAN_PROCEED = NO; 0 runtime mutations; I1–I10 not weakened.