dot-iu-cutter v0.1 — CTE-02 Signal Routing Closure

Date: 2026-05-15 Status: CTE-02 CLOSURE RECORD — closed_with_notes Trigger: GPT review of HB-07 returned PASS; DOT-pair registered (dot_tools id 991 + 992); user explicitly authorized CTE-02 + CTE-03 + CTE-04 small engineering-support closure batch. Scope: ROUTING CONVENTION + EMISSION BINDING ONLY. No code, no DDL, no SQL, no schema created, no migration, no PG mutation outside the documentation, no Qdrant/vector mutation, no Directus mutation, no backup, no snapshot, no dry-run, no signal emitted, no execution.

---

1. Existing Signal / Backlog Mechanisms Inspected

inspection_targets:
  - candidate sinks in production Directus (215 user collections)
  - signal-source readiness (whether cutter can emit signals yet)
candidate_sinks_found:
  - system_issues — "Vấn đề hệ thống — Theo dõi lỗi phát hiện bởi kiểm tra toàn vẹn" (integrity-check focused)
  - admin_fallback_log — Admin fallback log (S178 D35 6.5 pattern)
  - governance_audit_log — Đ37 audit log
  - event_outbox / event_pending / event_read — universal event system
  - event_type_registry / event_subscription — typed event routing infrastructure
  - trigger_guard_alerts — alert collection (Đ25 prep / trigger governance)
  - kg_quality_log — KG quality log
P0_5_target_for_FUTURE: decision_backlog_entry (P0-5 schema; DOES NOT yet exist)
signal_source_readiness:
  cut_change_set: DOES NOT exist (P0-3 schema; HB-05 dry-run will create synthetic rows in dry-run environment per HB-09)
  verify_result: DOES NOT exist (P0-4 schema)
  dot_pair_signature: DOES NOT exist (P0-3/P0-4 shared schema)
  signing_scheme: NOT yet implemented (CTE-04 deferred to spec; production deployment FUTURE)
  cutter_executor_runtime: NOT yet deployed
  cutter_verifier_runtime: NOT yet deployed

2. Routing Decision

routing_decision: closed_with_notes — convention + emission binding documented; physical wiring deferred to HB-05 dry-run scenarios + production runtime deployment
classification_clarification:
  channel_artefact: BOUND at convention level (this document)
  emission_binding_artefact: BOUND (deterministic rule documented in §4)
  capability_proof: DEFERRED to HB-05 dry-run (scenarios S02, S03, S04, S05, S18 per rollback test plan §4 exercise channel observation)

rationale:
  - signal-source infrastructure (cut_change_set, verify_result, dot_pair_signature, signing scheme) does not yet exist in production
  - "wiring" without an emitter is a documented contract, not a physical configuration
  - capability proof requires synthetic emission via HB-05 dry-run; the dry-run will use the routing convention bound here
  - this preserves the safety rule: no unsafe mutation; no architecture invented; no unknown runtime wiring

what_is_NOT_required_for_cte_02_closure_at_this_level:
  - actual signal emitted to a real sink (no emitter yet)
  - PG trigger / Directus flow installed to listen for signals
  - production channel subscription
  - all of the above are HB-05 dry-run + production execution concerns

3. Channel Ownership

g_2_backlog_custodian_seat (per HB-06):
  primary: GPT
  backup: Opus
  human_escalation: User / anh Huyên

channel_definition_v0_1_interim:
  channel_kind: knowledge-base-anchored backlog channel until decision_backlog_entry table (P0-5) exists
  sink_path_convention: knowledge/dev/laws/dieu44-trien-khai/backlog/<event-kind>/<event-id>.md
  sink_path_convention_examples:
    dot_pair_drift: knowledge/dev/laws/dieu44-trien-khai/backlog/dot_pair_drift/<ISO-8601-Z>__<short-id>.md
    signature_failure: knowledge/dev/laws/dieu44-trien-khai/backlog/signature_failure/<ISO-8601-Z>__<short-id>.md
  alternative_v0_1_interim_sinks_authorized_at_dry_run_time (if needed; G-2 decides at HB-05 time):
    - dry-run-private channel under knowledge/dev/laws/dieu44-trien-khai/dry-run-signals/
    - or a tagged knowledge_documents entry with tag=hb05_dry_run_signal_synthetic
  no_actual_channel_created_in_this_closure: true (path conventions only; first artefact emitted at HB-05 dry-run synthetic-signal scenarios)

channel_destination_FUTURE_post_p0_5_schema_creation:
  primary_sink: cutter_governance.decision_backlog_entry (P0-5 schema)
  routing_kind_field: decision_backlog_entry.kind ∈ {dot_pair_drift, signature_failure, rollback_failed, rollback_cascade_blocked, rollback_key_collision, signature_revoked, migration_step_failed, sweep_overdue}
  migration_path: at execution-phase Step 1 (P0-5 schema creation), the interim KB-anchored sink is replaced by row-writes into decision_backlog_entry; all signal emitters refer to the kind enum value rather than the interim path

4. Signal Coverage + Emission Binding

signals_covered:
  dot_pair_drift:
    emitted_when: executor_tool_revision ≠ verifier_tool_revision (per HB-03 §3.3 dual-signature rule + HB-07 §6)
    emitted_by_field_set:
      signal_kind: dot_pair_drift
      emitted_at: timestamptz
      executor_dot_id: DOT-IU-CUTTER (per HB-07 dot_tools id 991)
      verifier_dot_id: DOT-IU-CUTTER-VERIFY (per HB-07 dot_tools id 992)
      executor_tool_revision: text
      verifier_tool_revision: text
      cut_change_set_ref: nullable (populated post P0-3 schema creation)
      verify_result_ref: nullable (populated post P0-4 schema creation)
    routing_destination_v0_1_interim: knowledge/dev/laws/dieu44-trien-khai/backlog/dot_pair_drift/
    routing_destination_FUTURE: decision_backlog_entry.kind=dot_pair_drift
    side_effect_on_cut_change_set_state: state=invalid_drift (per HB-03)
    side_effect_on_verify_result_verdict: verdict=NEEDS_HUMAN (per HB-04 + P0-4 §10)
    receiver: G-2 (GPT); backup Opus; escalation to G-4 + Đ32 (HIGH-risk) on cluster

  signature_failure:
    emitted_when:
      - executor_signature missing OR validation_state=invalid
      - verifier_signature missing OR validation_state=invalid
      - payload_envelope structurally invalid
      - signature_payload hash mismatch (per CTE-04 verification step)
    emitted_by_field_set:
      signal_kind: signature_failure
      emitted_at: timestamptz
      signer_dot_id: text (which DOT failed: DOT-IU-CUTTER or DOT-IU-CUTTER-VERIFY)
      failure_reason: enum-text (missing | invalid_payload_hash | invalid_payload_envelope | tool_revision_mismatch | other)
      cut_change_set_ref: nullable
      verify_result_ref: nullable
      dot_pair_signature_id_ref: nullable (populated post P0-3/P0-4 schema creation)
    routing_destination_v0_1_interim: knowledge/dev/laws/dieu44-trien-khai/backlog/signature_failure/
    routing_destination_FUTURE: decision_backlog_entry.kind=signature_failure
    side_effect_on_cut_change_set_state: state stays executing (no commit allowed)
    receiver: G-2 (GPT); backup Opus; route to G-4 Custodian on persistent failure

5. Emission Trigger Bindings (Logical Rules; Not Code)

emission_trigger_bindings (deterministic; bound to be implemented when CTE-04 + cutter runtime are deployed):
  rule_1_drift:
    where: at CUT pre-check AND at VERIFY verdict computation
    condition: cut_change_set.executor_tool_revision != cut_change_set.verifier_tool_revision OR verify_result.executor_tool_revision != verify_result.verifier_tool_revision
    action:
      - set cut_change_set.state = invalid_drift OR verify_result.verdict = NEEDS_HUMAN
      - emit signal_kind = dot_pair_drift with field set per §4
  rule_2_signature_missing:
    where: at CUT pre-commit checkpoint
    condition: executor_signature_id IS NULL OR verifier_signature_id IS NULL
    action:
      - keep cut_change_set.state = executing (no commit)
      - emit signal_kind = signature_failure with failure_reason = missing
  rule_3_signature_invalid:
    where: at signature validation step (per CTE-04 verification)
    condition: dot_pair_signature.validation_state in (invalid)
    action:
      - keep cut_change_set.state = executing
      - emit signal_kind = signature_failure with failure_reason ∈ (invalid_payload_hash | invalid_payload_envelope | tool_revision_mismatch | other)
  rule_4_signature_revoked:
    where: at signature reuse / re-verification step
    condition: dot_pair_signature.validation_state = revoked
    action:
      - emit signal_kind = signature_revoked → flag dependent cut_change_set / verify_result rows (per HB-03 revocation cascade)
      - NOT a signature_failure per se; emitted to decision_backlog_entry.kind=signature_revoked

no_code_emits_these_signals_in_this_closure: true
binding_is_logical_contract_only: true
production_implementation_deferred_to: CTE-04 implementation + cutter executor/verifier runtime deployment + HB-05 dry-run validation

6. Capability Proof Plan

capability_proof_plan:
  proof_form: synthetic signal emission via HB-05 rollback test plan dry-run scenarios
  scenarios_that_exercise_channel:
    S02_missing_executor_signature: emits signature_failure(missing)
    S03_missing_verifier_signature: emits signature_failure(missing)
    S04_invalid_signature_payload: emits signature_failure(invalid_payload_hash)
    S05_tool_revision_match_false: emits dot_pair_drift
    S18_signature_timeout: emits signature_failure(other) or dot_pair_drift after timeout
    S22_signature_revocation_cascade: emits signature_revoked + cascade flag
    S23_rollback_failure_recovery: emits rollback_failed (separate kind; out of CTE-02 scope but uses same channel)
  acceptance_at_dry_run: G-2 seat holder (GPT) observes each synthetic signal in the configured sink within the scenario timeframe; backup (Opus) acknowledges if GPT unavailable
  proof_recorded_in: HB-05 dry-run closure file (separate session)
  CTE_02_status_at_dry_run_pass: closure_complete (this CTE-02 closure may be upgraded from closed_with_notes to closed_capability_verified at that time)
no_capability_proof_executed_in_this_closure: true

7. Acceptance Criteria

acceptance_criteria_for_cte_02:
  channel_ownership_recorded:
    status: ATTRIBUTED (G-2 primary=GPT; backup=Opus; human escalation=User / anh Huyên)
  signal_coverage_recorded:
    status: COVERED (dot_pair_drift + signature_failure; field sets specified)
  emission_binding_documented:
    status: DOCUMENTED (rules 1-4 in §5 with deterministic conditions + actions)
  v0_1_interim_sink_path_convention_recorded:
    status: BOUND (knowledge/dev/laws/dieu44-trien-khai/backlog/<event-kind>/ until P0-5 decision_backlog_entry exists)
  FUTURE_sink_recorded:
    status: BOUND (decision_backlog_entry.kind=<signal_kind> post P0-5 schema creation)
  capability_proof_deferred:
    status: PLANNED for HB-05 dry-run scenarios S02, S03, S04, S05, S18, S22
  no_signal_emitted_in_this_closure:
    status: confirmed
  no_pg_mutation:
    status: confirmed
  no_directus_mutation:
    status: confirmed (no row written to system_issues, event_outbox, or any sink in this closure)
cte_02_acceptance_state: ALL NINE criteria satisfied; closure_with_notes

8. Downstream Effects

downstream_effects_of_cte_02_closure:
  HB_05_rollback_test_plan_dry_run:
    status_before: blocked (terminal; waits on multiple upstream)
    status_after: still blocked (waits on HB-08, HB-09, CTE-03, CTE-04 in addition to CTE-02 being closed)
    status_change: one prerequisite (CTE-02) is now closed; HB-05 remains terminal
    note: HB-05 cannot close until HB-08, HB-09, CTE-03, CTE-04 also close
  HB_06_HB_07: unchanged (upstream)
  HB_01_HB_02_HB_03_HB_04: unchanged
  CTE_03_canonicalization_library: independent; addressed in separate closure (next file in this batch)
  CTE_04_signing_scheme: independent; addressed in separate closure (next file in this batch)

what_cte_02_does_NOT_do:
  - emit any signal
  - install any PG trigger
  - install any Directus flow
  - write to system_issues / event_outbox / any sink
  - create P0-5 decision_backlog_entry schema
  - deploy any production runtime
  - implement signing scheme (CTE-04)
  - implement canonicalization library (CTE-03)
  - run any rollback dry-run scenario (HB-05)

9. Status

CTE_02_status: closed_with_notes
CTE_02_closure_authority: G-2 (Backlog Custodian; channel owner) + G-4 (DOT-Pair Signing Authority; emission rule binder) per HB-06
CTE_02_closure_signers:
  - G-2 Backlog Custodian (primary=GPT; backup=Opus)
  - G-4 DOT-Pair Signing Authority (executor=Claude Code CLI / Agent; verifier=GPT; secondary=Opus)
  - User / anh Huyên (sovereign authority via explicit prompt)

system_mutation_performed: NONE
files_or_code_changed: NONE (closure record only)
no_signal_emitted: true
execution_authorized: false
p0_migration_allowed: false
ddl_allowed: false

notes_carried_forward:
  - capability proof deferred to HB-05 dry-run scenarios S02, S03, S04, S05, S18, S22
  - v0.1 interim sink = knowledge-base-anchored path convention until P0-5 decision_backlog_entry exists
  - FUTURE sink = decision_backlog_entry.kind=<signal_kind> post P0-5 schema creation
  - migration from interim sink to P0-5 sink occurs at execution-phase Step 1 (P0-5 schema creation); all emitters refer to the kind enum value
  - Đ24 ratification of new event kinds (signature_revoked, rollback_failed, etc.) remains under HB-02 outstanding sets

10. Hard Boundaries Confirmation

no_signal_emitted: true
no_pg_trigger_installed: true
no_directus_flow_installed: true
no_row_written_to_system_issues: true
no_row_written_to_event_outbox: true
no_row_written_to_admin_fallback_log: true
no_row_written_to_governance_audit_log: true
no_row_written_to_trigger_guard_alerts: true
no_row_written_to_any_sink: true
no_schema_created: true
no_p0_5_decision_backlog_entry_created: true (P0-5 schema; FUTURE)
no_ddl_written: true
no_sql_written: true
no_migration_script_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_directus_mutation: true
no_data_writes: true
no_production_runtime_deployed: true
no_rollback_dry_run_executed: true
no_backup_taken: true
no_snapshot_taken: true
no_deploy: true
no_execution_gate_opened: true
no_phase_prior_file_modified: true
output_form: cte_02_closure_record_in_markdown_only