KB-22A9
dot-iu-cutter v0.1 — P0 Preflight and Backup Plan
Revision 1
Date: 2026-05-15
Status: IMPLEMENTATION PLANNING — Lane "preflight"
Scope: PLANNING ONLY. No backup executed, no DDL, no SQL, no migration, no PG mutation, no execution.
Master: implementation-planning/dot-iu-cutter-v0.1-p0-implementation-planning-master-2026-05-15.md
1. Purpose
Specify preflight and backup requirements that any future execution phase must satisfy before performing the P0 migration sequence. This file is planning only; no backup is actually executed here, no snapshot is taken, no environment is changed.
2. Source Inputs
- implementation-planning/dot-iu-cutter-v0.1-p0-migration-sequence-plan-2026-05-15.md
- migration-design/dot-iu-cutter-v0.1-p0-migration-design-risk-coverage-report-2026-05-15.md §8 (blockers before execution)
- risk-review/dot-iu-cutter-v0.1-dieu32-p0-risk-review-report-2026-05-15.md §7.3
3. Directus Backup Requirement
directus_backup:
  required: true
  scope: full backup of Directus PG database (per Memory Index — Directus on PG since 2026-03-13)
  timing: IMMEDIATELY before execution begins; backup must be < 60 minutes old at the moment migration starts
  retention: kept for at least 30 days post-migration; archived per operational policy
  restore_test:
    requirement: a restore test from this backup MUST be performed in a separate dry-run environment before the production backup is accepted as the migration safety net
    acceptance_criterion: restored DB starts cleanly, sample queries return expected row counts
  responsible_role: G-4 Custodian + operational DBA (assigned via Đ37 operational handoff)
  failure_behavior: if backup fails OR restore test fails, execution is BLOCKED — no migration begins
  not_performed_in_this_phase: true
4. Schema Snapshot Requirement
schema_snapshot:
  required: true
  scope:
    - full PG schema dump (pg_dump --schema-only) of Directus DB
    - includes all schemas (public, tac, cutter_governance if any pre-existing, …)
    - excludes data
  timing: at the same time as the Directus backup, prior to migration
  retention: kept alongside the backup; archived
  use_at_rollback_time:
    - schema snapshot is the authoritative "before" state for diff-based rollback verification
    - any rollback must reconcile the post-rollback schema against this snapshot
  responsible_role: operational DBA
  not_performed_in_this_phase: true
5. Current Row-Count Snapshot
row_count_snapshot:
  required: true
  scope:
    - row count per table for all schemas that will be touched
    - emphasis on tac_logical_unit, tac_unit_version, tac_publication, universal_edges
    - empty-row count = 0 expected for new cutter_governance tables (they don't yet exist)
  timing: at the same time as the schema snapshot
  format: timestamp + schema.table + row_count, recorded into a snapshot artefact (planning level only here)
  use_at_validation_time:
    - post-migration row counts compared against snapshot for unaffected tables (must be unchanged)
    - new cutter_governance tables expected to have 0 production rows until first real CUT
  responsible_role: operational DBA + G-2 Backlog Custodian (records snapshot artefact in decision_backlog history)
  not_performed_in_this_phase: true
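The §5 validation-time comparison, sketched as an added example that is not part of this plan or of the project's code; it touches no database and only compares two snapshot artefacts. The whitespace-separated line layout, the function names, the schema placement of the tac tables, the cutter_governance table names and all sample counts are assumptions constructed for illustration, and every table in the "before" artefact is treated as unaffected.

```python
from typing import Dict, List

# Constructed sample artefacts, one "timestamp schema.table row_count" per line.
# Schema placement and the cutter_governance table names are assumptions.
BEFORE = """\
2026-05-15T08:00:00Z public.tac_logical_unit 1200
2026-05-15T08:00:00Z public.tac_unit_version 3400
2026-05-15T08:00:00Z public.tac_publication 310
2026-05-15T08:00:00Z public.universal_edges 9800
"""
AFTER_OK = BEFORE.replace("08:00:00Z", "09:30:00Z") + """\
2026-05-15T09:30:00Z cutter_governance.dot_pair_signature 0
2026-05-15T09:30:00Z cutter_governance.verify_result 0
"""
# Drifted run: one existing table lost rows, one new table is not empty.
AFTER_BAD = (AFTER_OK.replace("universal_edges 9800", "universal_edges 9797")
                     .replace("verify_result 0", "verify_result 3"))


def parse_snapshot(text: str) -> Dict[str, int]:
    """Parse a snapshot artefact into {schema.table: row_count}."""
    counts: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or "." not in parts[1] or not parts[2].isdecimal():
            raise ValueError(f"line {lineno}: malformed snapshot entry")
        if parts[1] in counts:
            raise ValueError(f"line {lineno}: duplicate entry for {parts[1]}")
        counts[parts[1]] = int(parts[2])
    return counts


def validate(before: Dict[str, int], after: Dict[str, int],
             new_schema: str = "cutter_governance") -> List[str]:
    """Return failures; an empty list is the only passing result."""
    failures = []
    for table, n in sorted(before.items()):
        if table not in after:
            failures.append(f"{table}: missing after migration")
        elif after[table] != n:
            failures.append(f"{table}: row count changed {n} -> {after[table]}")
    for table, n in sorted(after.items()):
        if table in before:
            continue
        if not table.startswith(new_schema + "."):
            failures.append(f"{table}: not in the before-snapshot")
        elif n != 0:
            failures.append(f"{table}: new table holds {n} rows, expected 0")
    return failures
```

Under the failure-stop rule in §8, any non-empty result from `validate` would block the step rather than be logged and passed over.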
6. Dry-Run Environment Requirement
dry_run_environment:
  required_if_available: true
  required_for_high_risk_steps: true (Steps 5 and 6 — P0-3 and P0-4 — MUST be dry-run tested before production execution)
  preferred_form:
    - a separate PG instance with restored Directus snapshot
    - or a separate Directus environment with its own PG
  acceptable_fallback_if_full_clone_unavailable:
    - a temporary schema within the production DB used only for dry-run, isolated from production schemas
    - dry-run schema MUST be dropped after dry-run completes
  scope_of_dry_run:
    - run the entire migration sequence (Steps 1-6) end-to-end with synthetic data
    - run the rollback test plan scenario matrix (see rollback test plan)
    - run signature dry-runs producing synthetic dot_pair_signature rows
    - run a complete VERIFY round-trip producing synthetic verify_result rows
  acceptance_criteria:
    - all six step validation checks pass per the migration sequence plan
    - all rollback test plan scenarios pass per the rollback test plan
    - canonicalization rule v0.1 produces identical canonical_token streams across two consecutive runs over the same source
    - signature_failure / dot_pair_drift signals route to the configured G-2 backlog channel
  failure_behavior: any dry-run failure BLOCKS production execution
  not_performed_in_this_phase: true
7. Rollback Verification Prerequisite
rollback_verification_prerequisite:
  required: true
  description:
    - rollback test plan dry-run (per X-8) MUST be executed before production execution
    - rollback per step MUST be verified to restore the exact "before" state for that step
    - schema snapshot (per §4) and row-count snapshot (per §5) are the authoritative "before" state
  scope_of_verification:
    - drop-and-recreate idempotency: re-running a step after rollback produces the same end state
    - per-step rollback works without affecting earlier steps
    - HIGH-risk steps (5, 6) verified per the joint review §5.6 + §10
  responsible_role: Đ32 (HIGH-risk path) + G-4 Custodian
  failure_behavior: rollback verification failure BLOCKS production execution
  not_performed_in_this_phase: true
8. Failure-Stop Rule
failure_stop_rule:
  rule: any failure during preflight, backup, restore-test, dry-run, or any step's validation stops the migration immediately
  no_silent_continuation: true
  no_partial_commit: each step's commit gated on its validation passing
  escalation_on_failure:
    - emit a decision_backlog_entry (kind=migration_step_failed if P0-5 already migrated; otherwise emit manually-tracked record)
    - notify Đ32 + G-4 Custodian + operational DBA
    - HIGH-risk failure (Steps 5 or 6): escalate to Đ32 HIGH-risk path immediately
    - DO NOT re-run the failed step until root cause is recorded and a remediation plan is signed off
  retry_policy:
    - retries are NOT automatic
    - retries require an explicit Đ32 sign-off + backlog entry resolution
9. Preflight Checklist (Planning-Level Specification; Not Executed Here)
preflight_checklist:
  - directus_backup_taken: pending (execution-phase task)
  - directus_backup_restore_test_passed: pending
  - schema_snapshot_recorded: pending
  - row_count_snapshot_recorded: pending
  - dry_run_environment_available: pending
  - dry_run_migration_sequence_passed: pending
  - rollback_test_plan_dry_run_passed: pending
  - canonicalization_rule_v0.1_prose_dieu24_ratified: pending (X-7)
  - dot_pair_executor_registered: pending
  - dot_pair_verifier_registered: pending
  - signing_scheme_v0.1_implemented: pending
  - signal_routing_dot_pair_drift_wired: pending
  - signal_routing_signature_failure_wired: pending
  - canonicalization_rule_library_v0.1_scaffolded: pending
  - operational_seats_G1_G2_G3_G4_G5_named: pending (per operational seat plan)
  - final_execution_readiness_review_signed: pending
all_items_must_be_complete_before_execution_authorized: true
10. Responsible Roles (Subject to Đ37 Operational Handoff)
responsible_roles_for_preflight:
  directus_backup_and_restore_test: G-4 Custodian + operational DBA
  schema_and_row_count_snapshots: operational DBA + G-2 Backlog Custodian (records snapshot artefact)
  dry_run_environment_provisioning: operational DBA + G-3 Capability-Intake Reviewer
  rollback_verification: Đ32 (HIGH-risk path) + G-4 Custodian
  preflight_sign_off: Đ32 + G-4 Custodian (joint)
all_named_roles_pending_dieu37_operational_seat_naming: true
11. Explicit Confirmation — No Action Taken Here
no_backup_executed: true
no_snapshot_taken: true
no_row_count_recorded: true
no_dry_run_environment_provisioned: true
no_rollback_run: true
no_signal_routing_wired: true
no_dot_pair_registered: true
no_canonicalization_rule_implemented: true
no_seat_named: true
no_ddl_written: true
no_sql_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_directus_mutation: true
no_data_writes: true
no_implementation_execution: true
no_phase_prior_file_modified: true
output_form: preflight_and_backup_planning_only