dot-iu-cutter v0.1 — P0 Operational Seat Naming Plan
Date: 2026-05-15
Status: IMPLEMENTATION PLANNING — Lane "operational-seats"
Scope: PLANNING ONLY. No role created, no seat actually named, no human or system identity bound, no Đ37 mutation, no PG mutation, no execution.
Master: implementation-planning/dot-iu-cutter-v0.1-p0-implementation-planning-master-2026-05-15.md
1. Purpose
Lay out the placeholder plan for the 5 governance operational seats (G-1..G-5) that gate parts of the dot-iu-cutter v0.1 P0 execution surface. For each seat: required seat, placeholder, proposed operational occupant/role, Đ37 dependency, what work can proceed without a named human, and what work cannot.
This file does NOT create any role and does NOT name any seat. Role/seat creation is exclusively Đ37's authority and is performed as a separate operational session.
2. Source Inputs
- Council Ratification Outcome §5.5 (G-1..G-5 ratified_with_notes)
- migration-design/dot-iu-cutter-v0.1-p0-migration-design-risk-coverage-report-2026-05-15.md §8 (operational seats listed as parallel governance phases)
- risk-review/dot-iu-cutter-v0.1-dieu32-p0-risk-review-report-2026-05-15.md §7.3 (execution-level blocker subset)
- implementation-planning/dot-iu-cutter-v0.1-p0-cross-cutting-resolution-plan-2026-05-15.md (each X- cross-cutting decision references its responsible seat)
3. Required Operational Seats
The five governance gaps (per Council Ratification Outcome §5.5) define the seats that must be named in Đ37 before HIGH-risk execution may proceed.
seats_required:
  G_1: Threading Roles
  G_2: Backlog Custodian
  G_3: Capability-Intake Reviewer
  G_4: DOT-Pair Signing Authority
  G_5: Access-Control Authority
4. Per-Seat Plan
4.1 G-1 — Threading Roles
seat_id: G-1
seat_title: Threading Roles
seat_purpose:
- own semantic-thread roles per Đ44 Step 4 (parallel governance phase; P2-deferred)
- in P0 scope, G-1 is consulted only for review_decision.reviewer_kind=council scenarios
placeholder_now: 'G-1 placeholder; named seat pending Đ37 operational handoff'
proposed_occupant_role: governance-council standing role under Đ37; not a single natural person
dieu37_dependency: REQUIRED — Đ37 role creation + assignment
work_that_can_proceed_without_named_human:
- all P0 design and planning artefacts (this phase)
- dry-run scenarios that do not require council action
work_that_cannot_proceed_without_named_human:
- any production review_decision with reviewer_kind=council
blocks_p0_execution: false (P0 reviews are ai/human; council reviews are P2+ scope)
4.2 G-2 — Backlog Custodian
seat_id: G-2
seat_title: Backlog Custodian
seat_purpose:
- own decision_backlog_entry routing, sweep_log, anti-forgetting infrastructure (P0-5)
- receive signature_failure / dot_pair_drift signals
- record migration step events as backlog entries during execution
placeholder_now: 'G-2 placeholder; named seat pending Đ37 operational handoff'
proposed_occupant_role: operational governance seat under Đ37; may be a single role-seat held by an on-call rotation rather than a single person
dieu37_dependency: REQUIRED
work_that_can_proceed_without_named_human:
- design + planning of decision_backlog_entry (P0-5)
- dry-run scenarios that emit synthetic backlog entries
work_that_cannot_proceed_without_named_human:
- production backlog triage
- production routing of signature_failure / dot_pair_drift signals
- resolution closure of production backlog entries
blocks_p0_execution: true (Step 1 onward routes signals to G-2 backlog channel; channel must have a responsible owner)
4.3 G-3 — Capability-Intake Reviewer
seat_id: G-3
seat_title: Capability-Intake Reviewer (D4 intake)
seat_purpose:
- own D4 capability intake (executor/verifier boundary, cryptographic signing scheme upgrade, AST canonicalization extension, etc.)
- in P0 scope, G-3 is the gate keeping FUTURE upgrades out of v0.1 unless intake is accepted
placeholder_now: 'G-3 placeholder; named seat pending Đ37 operational handoff'
proposed_occupant_role: capability-intake role-seat under Đ37
dieu37_dependency: REQUIRED
work_that_can_proceed_without_named_human:
- design + planning that defers items to D4 capability intake (this phase explicitly defers cryptographic signing scheme + AST canonicalization to D4)
- record open items as planned intake requests
work_that_cannot_proceed_without_named_human:
- any FUTURE capability accepted into v0.1 scope
- any intake-acceptance signature
blocks_p0_execution: false in strict sense (v0.1 scope is already defined); soft blocker because some Lane B mitigations reference D4 intake as the FUTURE channel
4.4 G-4 — DOT-Pair Signing Authority
seat_id: G-4
seat_title: DOT-Pair Signing Authority (DOT Registry Custodian)
seat_purpose:
- register DOT identities (dot-iu-cutter executor + dot-iu-cutter-verify verifier)
- own both-signatures-required rule + tool_revision drift rule per Council Ratification Outcome §5.5
- sign off on rollback test plan dry-run
- sign off on dot_pair_signature shape final polish (X-6)
- sign off on rollback authority for mid-cycle manual rollback (per P0-3 §9 item 11)
placeholder_now: 'G-4 placeholder; named seat pending Đ37 operational handoff'
proposed_occupant_role: DOT Registry Custodian role-seat under Đ37; HIGH-risk authority
dieu37_dependency: REQUIRED
work_that_can_proceed_without_named_human:
- all P0 design + planning artefacts including this file
- rollback test plan authoring (this phase)
work_that_cannot_proceed_without_named_human:
- DOT-pair registration
- rollback test plan dry-run sign-off
- X-6 polish sign-off
- mid-cycle manual rollback authorization
- any production CUT (depends on registered DOT-pair)
- any production VERIFY (depends on registered DOT-pair)
blocks_p0_execution: true (Steps 5 and 6 — HIGH risk — depend on G-4 named)
4.5 G-5 — Access-Control Authority
seat_id: G-5
seat_title: Access-Control Authority
seat_purpose:
- own audience filter + visibility policy + wrong_audience_result_event (per Đ24 Step 2 ratification path)
- own PII boundary for reviewer_identity, owner_seat (mapping role-seat → natural person)
- in P0 scope, G-5 is the boundary owner for markdown mirror generator scope (P0-5) and reviewer_identity PII (P0-6)
placeholder_now: 'G-5 placeholder; named seat pending Đ37 operational handoff'
proposed_occupant_role: access-control role-seat under Đ37; security-adjacent
dieu37_dependency: REQUIRED
work_that_can_proceed_without_named_human:
- design + planning that records role-seat identifiers in place of natural-person PII
- all P0 design and planning artefacts
work_that_cannot_proceed_without_named_human:
- production PII mapping (role-seat → natural person)
- audience filter implementation (FUTURE; out of P0 scope)
- markdown mirror generator audience scoping (FUTURE; out of P0 scope)
blocks_p0_execution: partial — PII policy must be in place for review_decision and decision_backlog_entry rows that record reviewer/owner identifiers; otherwise role-seat identifiers suffice
5. What CAN Proceed Without Actual Named Human
work_that_can_proceed_without_named_humans:
- all design phases (already complete)
- all risk review phases (already complete)
- all ratification phases that bind logical decisions (X-A complete)
- all implementation planning artefacts (this phase)
- GPT review of any of the above
- dry-run synthetic-data scenarios that DO NOT require Đ32/G-4 sign-off (e.g., scenario authoring; not the sign-off itself)
- DDL/SQL authoring (the future execution phase will produce DDL/SQL; even DDL authoring can proceed without named humans, because authoring ≠ execution)
6. What CANNOT Proceed Without Actual Named Human
work_that_cannot_proceed_without_named_humans:
- Đ32 HIGH-risk sign-off of rollback test plan dry-run
- G-4 sign-off of X-6 polish + rollback test plan dry-run + DOT-pair registration
- Đ24 ratification of canonicalization_rule_v0.1 full prose (X-7)
- Đ24 lookup table population for all enums (X-4)
- Đ44 + Đ33/Đ43 sign-off of schema placement (X-1)
- G-2 backlog channel ownership (signal routing recipient must be a responsible owner)
- G-5 PII boundary policy
- DOT-pair registration (G-4-controlled)
- directus backup + restore test sign-off (G-4 + operational DBA)
- dry-run sign-off (Đ32 + G-4)
- final execution readiness review sign-off (Đ32 + Đ44 + Đ37 + G-4)
- explicit user authorization to begin production execution
7. Đ37 Dependency Specification
dieu37_dependency:
  authority_for_seat_creation: Đ37 EXCLUSIVELY
  not_in_scope_for_this_phase:
  - role creation outside Đ37
  - seat assignment outside Đ37
  - any persona naming outside Đ37
  handoff_pattern:
  - this planning phase records seat purposes + placeholders + dependencies
  - Đ37 operational session (separate) creates roles + assigns occupants
  - Đ37 operational session records seat assignment as a Đ37-owned artefact
  - operational artefact then unblocks the execution-level seats listed in §6
8. Seat Naming Acceptance Criteria
The future Đ37 operational session that names seats should satisfy these acceptance criteria so this plan can be considered fulfilled:
acceptance_criteria_for_seat_naming_to_unblock_execution:
- G-2 named: any signal routing test (synthetic dry-run) reaches the named seat's channel
- G-4 named: DOT-pair registration succeeds against the registry; rollback test plan dry-run signed off
- G-5 named: PII policy bound to role-seat identifiers; review_decision.reviewer_identity convention confirmed
- G-3 named: optional for P0; required only if any D4 capability intake item is accepted into v0.1
- G-1 named: optional for P0; required only if any review_decision.reviewer_kind=council is recorded
sign_off_authority_for_each_seat_naming: Đ37
9. Hand-off Status
this_planning_file_hand_off_status:
  output: this prose plan (planning level only)
  recipient: future Đ37 operational session
  blocker_status_for_p0_execution:
    G_2: BLOCKER (signal routing channel ownership)
    G_4: BLOCKER (DOT-pair registration + sign-offs)
    G_5: PARTIAL BLOCKER (PII boundary; role-seat identifiers acceptable as v0.1 placeholder)
    G_3: SOFT BLOCKER (only blocks FUTURE capability acceptance; not v0.1 execution)
    G_1: NON-BLOCKER for P0 (P2+ scope)
  no_role_created_in_this_file: true
  no_seat_named_in_this_file: true
  no_dieu37_mutation_in_this_file: true
10. Explicit Confirmation
no_role_created: true
no_seat_named: true
no_dieu37_mutation: true
no_human_identity_recorded: true
no_natural_person_pii_in_this_file: true
no_ddl_written: true
no_sql_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_directus_mutation: true
no_data_writes: true
no_implementation_execution: true
no_phase_prior_file_modified: true
output_form: operational_seat_planning_only