KB-43DF

dot-iu-cutter v0.1 — HB-03 X-6 dot_pair_signature Shape Sign-Off Closure

Revision 1
Tags: dot-iu-cutter, blocker-closure, hb-03, x-6, dot-pair-signature, g-4, dieu44, revocation-lifecycle, no-execution, no-ddl, no-dot-registration, rev5d

Date: 2026-05-15
Status: HB-03 CLOSURE RECORD — closed_with_notes
Trigger: GPT review of HB-06 returned PASS (2026-05-15). G-4 seat named by HB-06 (executor side: Claude Code CLI / Agent; verifier side: GPT; secondary reviewer: Opus; human escalation: User / anh Huyên). User has explicitly authorized batch closure of HB-01, HB-02, HB-03, HB-04.
Scope: CLOSURE RECORD ONLY. No code, no DDL, no SQL, no schema created, no migration, no PG mutation, no Directus mutation, no Qdrant/vector mutation, no DOT-pair registration, no signature generated, no backup, no snapshot, no dry-run, no execution.


1. Scope

HB-03 binds the logical shape of the shared dot_pair_signature table per X-6, with the revocation lifecycle additions and the exactly-one cross-reference rule. The shape is already designed in P0-3 §4.3 and referenced by P0-4 §4.1; HB-03 records sign-off attribution for the polished shape.

hb_03_scope:
  in_scope:
    - record X-6 selected approach acceptance (shared table; signature_kind enum; exactly-one cross-reference; revocation lifecycle additions)
    - record G-4 + Đ44 sign-off attribution
    - record downstream effect on HB-07 (DOT-pair registration becomes ready_to_close)
    - record downstream effect on CTE-04 (signing scheme v0.1 becomes preparable)
  not_in_scope:
    - register any DOT (HB-07; separate session)
    - implement the signing scheme (CTE-04; separate session)
    - create the table (DDL is future execution-phase task)
    - generate any signature
    - wire any signal channel (CTE-02; separate session)

2. Source References

  • reviews/dot-iu-cutter-v0.1-hb-06-operational-seats-closure-gpt-review-2026-05-15.md (PASS — authorizes batch closure)
  • blocker-closure/dot-iu-cutter-v0.1-hb-06-operational-seats-closure-2026-05-15.md (G-4 named: executor Claude Code CLI / Agent; verifier GPT; secondary Opus; human escalation User / anh Huyên)
  • migration-design/dot-iu-cutter-v0.1-p0-3-cut-change-set-rollback-key-migration-design-2026-05-15.md §4.3 (shape designed) + §7 (both-signatures rule) + §9 item 12 (signature revocation)
  • migration-design/dot-iu-cutter-v0.1-p0-4-verify-result-migration-design-2026-05-15.md §4.1 (shared usage) + §10
  • risk-review/dot-iu-cutter-v0.1-p0-cross-cutting-decision-register-2026-05-15.md §3.6 (X-6 options + recommendation)
  • implementation-planning/dot-iu-cutter-v0.1-p0-cross-cutting-resolution-plan-2026-05-15.md §8 (X-6 polish additions)
  • blocker-closure/dot-iu-cutter-v0.1-p0-workstream-a-governance-seats-signoffs-2026-05-15.md §4 (HB-03 acceptance criteria)
  • final-readiness/dot-iu-cutter-v0.1-p0-final-readiness-blocker-register-2026-05-15.md §3.3 (HB-03 entry)

3. Decision Recorded

decision_id: HB-03
cross_cutting_decision_resolved: X-6
selected_option: shared_table_with_signature_kind_enum_and_cross_reference_fks_plus_revocation_lifecycle

logical_shape_signed_off:
  table_name: dot_pair_signature (single shared table across cut + verify families)
  family_membership: signature_family (shared between cut_family and verify_family per HB-01 schema class)
  fields_from_P0_3_section_4_3 (baseline):
    - signature_id (uuid; primary identifier)
    - signature_kind (Đ24 lookup FK; values: executor_cut, verifier_cut, executor_verify, verifier_verify)
    - signer_dot_id (text)
    - signer_tool_revision (text)
    - payload_hash (text)
    - payload_envelope (JSONB; validated per X-3 application-layer)
    - signature_payload (text; v0.1 hash-based pseudo-signature; cryptographic FUTURE)
    - signed_at (timestamptz)
    - cross_reference_change_set_id (FK to cut_change_set; nullable)
    - cross_reference_verify_result_id (FK to verify_result; nullable)
    - validation_state (Đ24 lookup FK; values: pending, valid, invalid, revoked)
  polish_additions_signed_off_per_cross_cutting_resolution_section_8:
    revocation_lifecycle:
      - revoked_at (timestamptz; nullable; populated when validation_state transitions to revoked)
      - revocation_reason (text; nullable; populated on revocation)
      - revoked_by (text actor; nullable; populated on revocation)
      - prior_signature_id (FK self-reference; nullable; chains revocation history if a signature is re-issued)
    exactly_one_cross_reference_rule:
      rule: (cross_reference_change_set_id IS NOT NULL) XOR (cross_reference_verify_result_id IS NOT NULL); never both, never neither
      enforcement_v0_1: application-layer
      enforcement_FUTURE: PG check constraint or trigger
    validation_state_lifecycle:
      transitions:
        - pending → valid (on validation pass)
        - pending → invalid (on validation fail)
        - valid → revoked (on revocation; revoked_at + revocation_reason + revoked_by populated)
      revocation_cascade:
        - on revocation: emit decision_backlog_entry kind=signature_revoked (per HB-02 outstanding enum extension)
        - flag dependent cut_change_set / verify_result rows referencing the signature for Đ32 review

dual_signature_rule_restated (not new; restated for binding clarity per criterion 28):
  cut_commit_condition: executor_signature.validation_state='valid' AND verifier_signature.validation_state='valid' AND tool_revision_match=true
  verify_pass_condition: same dual condition concurrently
  v0_1_enforcement: application-layer
  FUTURE_enforcement: PG-constraint (PEF-03)
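
Added illustration, not part of the closure record and not dot-iu-cutter code: a sketch of how the application-layer v0.1 rules above (exactly-one cross-reference, validation_state transitions, cut_commit_condition) could be checked. The Signature class, the function names, the signature_kind check in cut_commit_allowed and passing tool_revision_match as a caller-supplied flag are assumptions; no signature is generated and nothing is stored.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Transitions listed in the record's validation_state_lifecycle block.
ALLOWED = {("pending", "valid"), ("pending", "invalid"), ("valid", "revoked")}

@dataclass(frozen=True)
class Signature:  # hypothetical in-memory stand-in for a dot_pair_signature row
    signature_kind: str
    cross_reference_change_set_id: Optional[str] = None
    cross_reference_verify_result_id: Optional[str] = None
    validation_state: str = "pending"
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[str] = None
    revoked_by: Optional[str] = None

def exactly_one_cross_reference(sig: Signature) -> bool:
    """XOR rule: one reference is set, never both, never neither."""
    return (sig.cross_reference_change_set_id is not None) != (
        sig.cross_reference_verify_result_id is not None)

def transition(sig, new_state, *, reason=None, actor=None):
    """Return the row in new_state; reject transitions the record does not list."""
    if not exactly_one_cross_reference(sig):
        raise ValueError("exactly-one cross-reference rule violated")
    if (sig.validation_state, new_state) not in ALLOWED:
        raise ValueError(f"illegal transition {sig.validation_state} -> {new_state}")
    if new_state != "revoked":
        return replace(sig, validation_state=new_state)
    # Revocation must populate revoked_at, revocation_reason and revoked_by.
    if not reason or not actor:
        raise ValueError("revocation needs revocation_reason and revoked_by")
    return replace(sig, validation_state="revoked", revocation_reason=reason,
                   revoked_by=actor, revoked_at=datetime.now(timezone.utc))

def cut_commit_allowed(executor, verifier, tool_revision_match: bool) -> bool:
    """cut_commit_condition: both signatures valid AND tool_revision_match."""
    return (executor.signature_kind == "executor_cut"      # kind check is an
            and verifier.signature_kind == "verifier_cut"  # added assumption
            and executor.validation_state == "valid"
            and verifier.validation_state == "valid"
            and tool_revision_match)
```

Because a revoked row no longer has validation_state='valid', cut_commit_allowed returns False for it without a separate revocation check.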

4. Authority / Sign-Off

authorities_signing:
  primary_signers:
    - G-4 DOT-Pair Signing Authority (per HB-06):
        executor_side: Claude Code CLI / Agent
        verifier_side: GPT
        secondary_reviewer: Opus
        human_escalation: User / anh Huyên
    - Đ44 family registry custodian — accepts shared-table family pattern per Đ44 Step 2 joint ratification (cut_change_set + verify_result share dot_pair_signature)
  secondary_signers:
    - GPT (policy reviewer; PASS upstream on cross-cutting register and X-6 recommendation)
    - User / anh Huyên (sovereign authority)
    - Opus / Agent (record-keeping side)

what_each_authority_accepts:
  G_4:
    - shared dot_pair_signature shape with signature_kind enum
    - exactly-one cross-reference rule (application-layer v0.1)
    - revocation lifecycle fields (revoked_at, revocation_reason, revoked_by, prior_signature_id)
    - v0.1 hash-based pseudo-signature as the signature_payload form; cryptographic FUTURE via D4 capability intake (PEF-04)
    - tool_revision drift rule binding (state=invalid_drift on mismatch; dot_pair_drift signal emit — channel wiring is CTE-02)
  Đ44:
    - shared-table family pattern per Đ44 Step 2 joint ratification
    - alignment with HB-01 schema class placement (signature_family in cutter_governance)
  GPT:
    - cross-cutting register §3.6 recommendation matches the closure
  User / anh Huyên:
    - sovereign acceptance per the explicit prompt

5. Acceptance Criteria

acceptance_criteria_for_hb_03:
  shape_signed_off:
    status: SIGNED (baseline fields from P0-3 §4.3 + polish additions from Cross-Cutting Resolution Plan §8)
  exactly_one_cross_reference_rule_recorded:
    status: BOUND (application-layer v0.1; PG FUTURE)
  revocation_lifecycle_fields_added_recorded:
    status: ADDED (revoked_at, revocation_reason, revoked_by, prior_signature_id)
  signing_attribution_recorded:
    status: ATTRIBUTED (G-4 executor=Claude Code CLI / Agent + verifier=GPT + secondary=Opus + human escalation=User / anh Huyên; Đ44 family confirm; GPT policy review; User sovereign)
  no_DOT_registration:
    status: confirmed (HB-07 remains OPEN; now ready_to_close)
  no_signature_generated:
    status: confirmed
  no_table_created:
    status: confirmed
  no_DDL:
    status: confirmed
hb_03_acceptance_state: ALL EIGHT criteria satisfied; closure_with_notes

6. Downstream Effects

downstream_effects_of_hb_03_closure:
  HB_07_dot_pair_registration:
    status_before: blocked (waited on HB-03)
    status_after: ready_to_close (HB-03 signed)
    next_action: open separate session for G-4 (executor=Claude Code CLI / Agent + verifier=GPT) to register DOT-pair (dot-iu-cutter executor + dot-iu-cutter-verify verifier) + bind tool_revision drift rule emission point
    note: HB-07 is NOT closed by this closure

  CTE_04_signing_scheme_v0_1:
    status_before: blocked (waited on HB-03 + G-4 named)
    status_after: ready_to_close OR preparable (G-4 named at HB-06; HB-03 signed now)
    next_action: open engineering session for v0.1 hash-based pseudo-signature implementation referencing the signed shape; G-4 oversight
    note: CTE-04 is NOT closed by this closure

  CTE_02_signal_routing:
    status_before: blocked (waited on HB-07)
    status_after: still blocked (HB-07 must close first; channel emission references registered DOTs)
    status_change: none

  HB_05_rollback_test_plan_dry_run:
    status_before: blocked
    status_after: still blocked (terminal node; many upstream remain)
    status_change: none — HB-05 cannot close until HB-06 G-4/G-2, HB-03, HB-07, HB-09, HB-04, CTE-02, CTE-03, CTE-04 all close

  HB_01_HB_02_HB_04_HB_08_HB_09:
    status_change: none (independent of HB-03)

what_HB_03_does_NOT_do:
  - register any DOT
  - implement any signing scheme
  - generate any signature
  - create the dot_pair_signature table
  - wire any signal channel
  - implement PG-constraint enforcement of dual-signature rule (FUTURE)
  - upgrade signing scheme to cryptographic (FUTURE D4 capability intake)

7. Status

HB_03_status: closed_with_notes
HB_03_closure_authority: G-4 + Đ44 (per cross-cutting register §3.6 + user prompt 2026-05-15)
HB_03_closure_signers:
  - G-4 DOT-Pair Signing Authority (per HB-06):
      executor_side: Claude Code CLI / Agent (primary)
      verifier_side: GPT (primary)
      secondary_reviewer: Opus
      human_escalation: User / anh Huyên
  - Đ44 family registry custodian (primary)
  - GPT (policy reviewer)
  - User / anh Huyên (sovereign authority)

execution_authorized: false
implementation_allowed: false
ddl_allowed: false
migration_allowed: false
DOT_pair_registered: false (HB-07 remains OPEN; now ready_to_close)
signing_scheme_implemented: false (CTE-04 remains OPEN; now preparable)

notes_carried_forward:
  - exactly-one cross-reference rule is application-layer v0.1; PG enforcement FUTURE
  - signature_payload is v0.1 hash-based pseudo-signature; cryptographic FUTURE via D4 capability intake (PEF-04)
  - dual-signature criterion 28 enforcement is application-layer v0.1; PG enforcement FUTURE (PEF-03)
  - signature_kind, validation_state enum values still pending Đ24 ratification per HB-02 §3 outstanding enum sets
  - revocation cascade emits decision_backlog_entry kind=signature_revoked (HB-02 outstanding enum extension)
  - tool_revision drift rule binding emission point fixed here; channel wiring is CTE-02
  - HB-03 closure DOES NOT register DOT-pair; HB-07 remains OPEN

8. Hard Boundaries Confirmation

no_dot_pair_registered: true (HB-07 remains OPEN)
no_signing_scheme_implemented: true (CTE-04 remains OPEN; now preparable)
no_signature_generated: true
no_table_created: true
no_signal_channel_wired: true (CTE-02 still blocked)
no_ddl_written: true
no_sql_written: true
no_migration_script_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_directus_mutation: true
no_data_writes: true
no_pg_constraint_enforcement_of_dual_signature_in_this_file: true (FUTURE)
no_cryptographic_signing_scheme_in_this_file: true (FUTURE)
no_execution: true
no_phase_prior_file_modified: true
output_form: hb_03_closure_record_in_markdown_only
knowledge/dev/laws/dieu44-trien-khai/blocker-closure/dot-iu-cutter-v0.1-hb-03-dot-pair-signature-shape-signoff-2026-05-15.md