KB-7C67

dot-iu-cutter v0.1 — P0 Blocker Closure Workstream C (Infrastructure / Preflight / Dry-run Readiness)


Date: 2026-05-15
Status: BLOCKER CLOSURE PROGRAM — Workstream C
Scope: CLOSURE PLANNING ONLY. No backup taken, no snapshot taken, no environment provisioned, no library scaffolded, no signing scheme implemented, no signal channel wired, no dry-run executed, no DDL, no SQL, no migration.
Master: blocker-closure/dot-iu-cutter-v0.1-p0-blocker-closure-master-plan-2026-05-15.md


1. Purpose

Address the infrastructure / preflight / dry-run readiness blockers and conditions-to-execute for dot-iu-cutter v0.1 P0:

  • HB-08: Directus backup + restore test plan
  • HB-09: schema + row-count snapshots + dry-run environment plan
  • CTE-02: signal routing plan (dot_pair_drift / signature_failure → G-2)
  • CTE-03: canonicalization library scaffolding plan (v0.1)
  • CTE-04: signing scheme v0.1 plan (hash-based pseudo-signature)
  • HB-05: rollback test plan dry-run readiness + 26-scenario dependency
  • CTE-01: failure-stop rule enforcement (documented; execution-time)

For each closure: acceptance criteria, dependency order, what is forbidden in this phase.

2. Source Inputs

  • final-readiness/dot-iu-cutter-v0.1-p0-final-readiness-blocker-register-2026-05-15.md §3.5, §3.8, §3.9, §4
  • implementation-planning/dot-iu-cutter-v0.1-p0-preflight-and-backup-plan-2026-05-15.md
  • implementation-planning/dot-iu-cutter-v0.1-p0-rollback-test-plan-2026-05-15.md
  • implementation-planning/dot-iu-cutter-v0.1-p0-cross-cutting-resolution-plan-2026-05-15.md §8, §10

3. Closure HB-08 — Directus Backup + Restore Test

closure_id: HB-08
title: Directus PG full backup taken and restore-test passed in a separate environment
authority: G-4 Custodian + operational DBA (assigned via Đ37 once G-4 named)
prerequisites: HB-06 G-4 named

acceptance_criteria:
  backup_artefact:
    form: full pg_dump of Directus DB (full dump, all schemas)
    timing_at_execution: < 60 minutes old at the moment migration starts
    storage: archived; retention >= 30 days post-migration
    integrity_check: backup file checksum recorded and verified
  restore_test_artefact:
    environment: separate PG instance (dry-run environment from HB-09 acceptable)
    acceptance: restored DB starts cleanly; sample queries return expected row counts; smoke test on existing TAC tables produces unchanged rows
    sign_off: G-4 + operational DBA
  closure_state: closed when backup file + restore-test artefact both present + sign-off recorded

what_HB_08_does_NOT_close:
  - any DDL on the production DB
  - any rollback test plan dry-run (separate; HB-05)
  - any cutter_governance schema creation (separate; first DDL of Step 1)

forbidden_in_this_planning_phase: actually taking backup, running restore test

4. Closure HB-09 — Schema + Row-Count Snapshots + Dry-run Environment

closure_id: HB-09
title: pg_dump --schema-only of Directus + per-table row-count snapshot + dry-run environment provisioned
authority: operational DBA (primary) + G-2 (records snapshot artefact in backlog history once G-2 named)
prerequisites: HB-06 G-2 named (for backlog artefact recording); HB-08 not required upstream but typically performed alongside

acceptance_criteria:
  schema_snapshot_artefact:
    form: pg_dump --schema-only of all affected schemas (public, tac, plus cutter_governance once approved; pre-migration snapshot captures absence of cutter_governance)
    timing: alongside HB-08 backup
  row_count_snapshot_artefact:
    form: per-table row counts for affected schemas at snapshot time (timestamp + schema.table + row_count)
    emphasis_on: tac_logical_unit, tac_unit_version, tac_publication, universal_edges
    new_tables_expected_row_count: 0 (cutter_governance does not yet exist)
  dry_run_environment_artefact:
    form: separate PG instance with restored Directus snapshot OR isolated schema in production DB (acceptable fallback per preflight plan §6)
    requirement: dry-run environment supports the full migration sequence + the 26-scenario rollback test plan
    sign_off: operational DBA + G-2
  closure_state: closed when all three artefacts present + sign-off recorded

5. Closure CTE-02 — Signal Routing Wired

closure_id: CTE-02
title: signal channels for dot_pair_drift and signature_failure wired to G-2 backlog channel
authority: G-2 (receiver; channel owner) + G-4 (emitter; sets the rule)
prerequisites: HB-06 G-2 named; HB-06 G-4 named; HB-07 DOT-pair registered (because drift signals reference DOT identifiers)

acceptance_criteria:
  channel_artefact:
    form: a configured backlog channel owned by G-2 seat holder
    capability_proof:
      - a synthetic dot_pair_drift signal posted to the channel is acknowledged by G-2 seat holder
      - a synthetic signature_failure signal posted to the channel is acknowledged
  emission_binding_artefact:
    form: documented binding that on tool_revision_match=false → state=invalid_drift on cut_change_set + dot_pair_drift signal emit; on missing/invalid signature → signature_failure signal emit
  closure_state: closed when channel + emission binding + capability proof recorded

forbidden_in_this_planning_phase: actually wiring channels, posting synthetic signals

6. Closure CTE-03 — Canonicalization Library Scaffolding (v0.1)

closure_id: CTE-03
title: v0.1 canonicalization rule library scaffolding present per Đ24-ratified prose
authority: G-3 oversight (capability intake reviewer; soft) + engineering (implementation)
prerequisites: HB-04 Đ24 canonicalization prose ratification

acceptance_criteria:
  scaffold_artefact:
    form: application-layer library that:
      - reads source bytes as UTF-8
      - strips UTF-8 BOM
      - applies NFC normalization
      - normalizes line endings to LF
      - trims trailing whitespace per line
      - enforces exactly one LF at file end (per Đ24 prose)
      - tokenizes into canonical_tokens per Đ24 token boundary definition
      - emits (start_token_position, end_token_position) for a given byte_span
    identifier_field_emission: library reports canonicalization_rule_used = canon-md-v0.1.0 (or final Đ24 identifier)
    determinism_verification: running the library twice on the same input produces identical token streams
  closure_state: closed when scaffold present + determinism test logs present
  note: scaffold is "implementation" of the canonicalization rule library; it is engineering work that runs once before execution but is NOT a migration DDL
  classification_clarification: this Workstream C planning file does NOT scaffold the library; it specifies the acceptance criteria for a future engineering session
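
The byte-level steps and the determinism check listed above, as an added illustration that is not the project's scaffold and not part of this planning artefact. Assumptions: the token boundary is a stand-in (runs of non-whitespace), since the Đ24 definition is not reproduced here; trailing whitespace means space and tab; byte_span is measured over the canonical UTF-8 bytes.

```python
import hashlib
import re
import unicodedata

RULE_ID = "canon-md-v0.1.0"  # identifier from the page; the final Đ24 id may differ

def canonicalize(source: bytes) -> str:
    """Byte-level steps from the CTE-03 criteria, in the order listed there."""
    text = source.decode("utf-8")                 # strict: invalid UTF-8 raises
    if text.startswith("\ufeff"):                 # strip UTF-8 BOM
        text = text[1:]
    text = unicodedata.normalize("NFC", text)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip(" \t") for line in text.split("\n")]  # assumption: space/tab
    return "\n".join(lines).rstrip("\n") + "\n"   # exactly one LF at file end

def tokenize(canonical: str):
    """ASSUMED stand-in for the Đ24 token boundary: runs of non-whitespace bytes.
    Returns (byte_start, byte_end, token) over the canonical UTF-8 bytes."""
    data = canonical.encode("utf-8")
    return [(m.start(), m.end(), m.group().decode("utf-8"))
            for m in re.finditer(rb"\S+", data)]

def token_span(tokens, byte_start, byte_end):
    """(start_token_position, end_token_position), inclusive, of the tokens that
    overlap the half-open byte span; None when the span touches no token."""
    hits = [i for i, (s, e, _) in enumerate(tokens)
            if s < byte_end and e > byte_start]
    return (hits[0], hits[-1]) if hits else None

def stream_digest(source: bytes) -> str:
    """Digest of the token stream, suitable for a determinism test log."""
    h = hashlib.sha256(RULE_ID.encode())
    for s, e, tok in tokenize(canonicalize(source)):
        h.update(f"\n{s}:{e}:{tok}".encode("utf-8"))
    return h.hexdigest()

# Constructed inputs: the same text, once with BOM, CRLF, a decomposed "é",
# trailing blanks and extra final newlines, and once already clean.
MESSY = b"\xef\xbb\xbfCafe\xcc\x81 unit  \r\nsecond line\t\r\n\r\n\r\n"
CLEAN = "Caf\u00e9 unit\nsecond line\n".encode("utf-8")

if __name__ == "__main__":
    print(canonicalize(MESSY) == canonicalize(CLEAN))
    print(stream_digest(MESSY) == stream_digest(CLEAN))
    print(token_span(tokenize(canonicalize(MESSY)), 6, 17))
```

Comparing digests across differently encoded copies of the same text is a stronger determinism check than running the library twice on identical bytes, because it also exercises the BOM, NFC and line-ending steps.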

7. Closure CTE-04 — Signing Scheme v0.1 Implementation

closure_id: CTE-04
title: v0.1 hash-based pseudo-signature signing scheme implementation
authority: G-4 oversight + engineering
prerequisites: HB-06 G-4 named; HB-03 X-6 polish signed off (the implementation references the signed shape)

acceptance_criteria:
  implementation_artefact:
    form: application-layer signing scheme that produces dot_pair_signature rows conforming to HB-03-signed shape:
      - payload_envelope structured per signature_kind
      - payload_hash = deterministic hash of canonical payload bytes
      - signature_payload = derived from payload_hash + DOT credential indirection (v0.1; cryptographic FUTURE)
      - signed_at, signer_dot_id, signer_tool_revision populated
      - cross_reference exactly-one rule (per HB-03 polish) enforced at application layer
  capability_proof:
    - signing scheme produces a valid synthetic executor_cut signature row in dry-run
    - signing scheme produces a valid synthetic verifier_cut signature row in dry-run
    - both signatures share a payload_envelope referencing the same change_set_id
  sign_off: G-4 Custodian (post G-4 named)
  closure_state: closed when implementation artefact + capability proofs + G-4 sign-off recorded

8. Closure HB-05 — Rollback Test Plan Dry-run + Sign-off

closure_id: HB-05
title: 26-scenario rollback test plan executed in dry-run environment with synthetic data; Đ32 (HIGH-risk path) + G-4 sign off
authority: Đ32 (HIGH-risk path) + G-4
prerequisites (must all be closed first):
  - HB-06 G-2 named (for signal channel observation)
  - HB-06 G-4 named (for sign-off authority)
  - HB-03 X-6 polish signed (for dot_pair_signature shape used in scenarios)
  - HB-07 DOT-pair registered (for signature emission in scenarios)
  - HB-09 dry-run environment provisioned (for execution)
  - HB-04 canonicalization rule prose ratified (for scenarios involving rule)
  - CTE-02 signal routing wired (for scenarios that observe channel)
  - CTE-03 canonicalization rule library scaffolded (for scenarios producing canonical_token streams)
  - CTE-04 signing scheme v0.1 implementation present (for scenarios producing signatures)

acceptance_criteria:
  scenario_pass_rate: 100% of 26 scenarios (S01..S26 per rollback test plan §4) pass their expected outcomes
  any_scenario_failure: BLOCKS production execution; root-cause analysis required
  sign_off_artefact:
    form: closure file under closures/ or ratification/ recording scenario outcomes + sign-off attribution
    signers: Đ32 (HIGH-risk path) + G-4 Custodian
  closure_state: closed when all 26 scenarios pass + sign-off file recorded
  retry_policy: failed scenario retry requires Đ32 sign-off; plan revision requires Đ32 review

forbidden_in_this_planning_phase: actually running scenarios, generating signatures, emitting signals, mutating any state

9. Closure CTE-01 — Failure-Stop Rule Enforcement

closure_id: CTE-01
title: failure-stop rule actively enforced at execution time (per preflight plan §8)
authority: G-4 + operational DBA
prerequisites: documented at planning level (preflight plan §8) — already complete; execution-time enforcement separate

acceptance_criteria:
  enforcement_artefact:
    form: execution-time tool/runbook honours failure-stop:
      - any preflight failure stops migration
      - any backup or restore-test failure stops migration
      - any step's validation failure stops migration
      - retries are NOT automatic; require explicit Đ32 sign-off
  closure_state:
    planning-level: closed (preflight plan §8 documents the rule)
    execution-time: closed when execution-phase tool/runbook enforces the rule (separate execution-phase concern)
  classification_clarification: CTE-01 has TWO halves; planning half is already closed by preflight plan §8; execution half is execution-phase concern, not blocked here but tracked
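
One way an execution-phase runbook could combine the HB-08 backup criteria (checksum verified, less than 60 minutes old) with the CTE-01 failure-stop rule, shown as an added example that is not the project's tooling. The file name, step names and the fixed clock are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

MAX_AGE_S = 60 * 60  # HB-08: backup must be < 60 minutes old when migration starts

class PreflightStop(Exception):
    """A failed check. CTE-01: stop; a retry needs explicit sign-off, never a loop."""

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_backup(path, recorded_sha256, taken_at, now):
    """HB-08 gate: file present, checksum equals the recorded one, age in range."""
    if not Path(path).is_file():
        raise PreflightStop("backup file missing")
    if not hmac.compare_digest(sha256_file(path), recorded_sha256.lower()):
        raise PreflightStop("checksum mismatch against recorded value")
    age = now - taken_at
    if age < 0 or age >= MAX_AGE_S:
        raise PreflightStop(f"backup age {age:.0f}s outside [0, {MAX_AGE_S})")

def run_failure_stop(steps):
    """Run (name, callable) steps in order; the first failure stops the run."""
    completed = []
    for index, (name, step) in enumerate(steps):
        try:
            step()
        except Exception as exc:  # unexpected errors stop the run as well
            return {"status": "stopped", "failed": name, "reason": str(exc),
                    "completed": completed,
                    "not_run": [n for n, _ in steps[index + 1:]]}
        completed.append(name)
    return {"status": "passed", "completed": completed, "not_run": []}

def demo(age_seconds, corrupt=False):
    """Constructed scenario: stand-in dump file, recorded checksum, fixed clock."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "directus.dump"  # hypothetical file name
        dump.write_bytes(b"-- constructed stand-in for a pg_dump archive\n")
        recorded = sha256_file(dump)
        if corrupt:
            dump.write_bytes(b"-- altered after the checksum was recorded\n")
        now = 1_000_000.0
        return run_failure_stop([
            ("backup_check", lambda: check_backup(dump, recorded, now - age_seconds, now)),
            ("later_step", lambda: None),  # placeholder for a migration step
        ])
```

The returned record names the failed step and every step that was not run, which is the evidence a sign-off authority needs before approving any retry.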

10. Closure Order for Workstream C

order_internal_to_workstream_c:
  - HB-08 (backup + restore test) — depends on HB-06 G-4 named; otherwise independent
  - HB-09 (snapshots + dry-run environment) — depends on HB-06 G-2 named for artefact recording; can run alongside HB-08
  - CTE-02 (signal routing wired) — depends on HB-06 G-2 + G-4 named + HB-07 DOT-pair registered
  - CTE-03 (canonicalization library scaffolding) — depends on HB-04 Đ24 prose ratification (Workstream B)
  - CTE-04 (signing scheme v0.1) — depends on HB-06 G-4 named + HB-03 X-6 polish signed (Workstream A)
  - HB-05 (rollback test plan dry-run + sign-off) — depends on HB-06 + HB-03 + HB-07 + HB-09 + HB-04 + CTE-02 + CTE-03 + CTE-04 — i.e., LAST

parallel_capability:
  - HB-08 + HB-09 can run in parallel after G-2 / G-4 seats named
  - CTE-03 can run as soon as HB-04 completes (independent of A's G-4 chain)
  - CTE-04 can run as soon as HB-03 completes
  - CTE-02 can run as soon as G-2 + G-4 named + HB-07 registered

last_step_constraint:
  - HB-05 is the LAST closure in Workstream C; everything else feeds it
  - HB-05 dry-run is the closure event that allows Final Readiness Review to be re-run

11. Authority Map for Workstream C

| Closure | Authority |
|---|---|
| HB-08 Directus backup + restore test | G-4 + operational DBA |
| HB-09 snapshots + dry-run environment | operational DBA + G-2 |
| CTE-01 failure-stop rule enforcement | G-4 + operational DBA |
| CTE-02 signal routing wired | G-2 (channel owner) + G-4 (emitter rule) |
| CTE-03 canonicalization library scaffolding | G-3 oversight + engineering |
| CTE-04 signing scheme v0.1 implementation | G-4 + engineering |
| HB-05 rollback test plan dry-run + sign-off | Đ32 (HIGH-risk path) + G-4 |

12. Acceptance Criteria — Aggregate

| Closure | Artefact | Sign-off | Closure State |
|---|---|---|---|
| HB-08 | backup file + restore-test artefact | G-4 + operational DBA | closed when artefact + sign-off present |
| HB-09 | schema snapshot + row-count snapshot + dry-run environment | operational DBA + G-2 | closed when all three artefacts present |
| CTE-01 | execution-time failure-stop enforcement | G-4 + operational DBA | planning-level closed; execution-time tracked |
| CTE-02 | channel wired + emission binding + capability proof | G-2 + G-4 | closed when all three present |
| CTE-03 | scaffold + determinism test logs | engineering + G-3 oversight | closed when both present |
| CTE-04 | signing scheme implementation + capability proofs | G-4 + engineering | closed when implementation + proofs + G-4 sign-off present |
| HB-05 | 26-scenario dry-run outcomes (100% pass) + closure file | Đ32 + G-4 | closed when all 26 scenarios pass + closure file recorded |

13. What Workstream C Does NOT Do

this_workstream_does_NOT:
  - take any backup
  - take any snapshot
  - provision any environment
  - scaffold any library
  - implement any signing scheme
  - wire any signal channel
  - execute any dry-run scenario
  - emit any signal (synthetic or real)
  - generate any signature
  - write any DDL / SQL / code
  - mutate any state
  - sign off any artefact
all_above_actions_are_for_separate_explicit_prompt_sessions: true

14. Explicit Confirmation

no_backup_taken: true
no_snapshot_taken: true
no_environment_provisioned: true
no_library_scaffolded: true
no_signing_scheme_implemented: true
no_signal_channel_wired: true
no_dry_run_executed: true
no_signature_generated: true
no_ddl_written: true
no_sql_written: true
no_code_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_directus_mutation: true
no_data_writes: true
no_execution: true
no_phase_prior_file_modified: true
output_form: workstream_c_closure_planning_only