KB-1697

dot-iu-cutter v0.1 — Đ32 P0 HIGH-Risk Joint Review (P0-3 + P0-4)

Revision 1
Tags: dot-iu-cutter, dieu32, risk-review, lane-b, high-risk, p0-3, p0-4, dot-pair, joint-review, no-ddl, rev5d


Date: 2026-05-15
Status: Đ32 P0 RISK REVIEW — Lane B (HIGH risk; JOINT)
Scope: RISK REVIEW ONLY. No DDL, no SQL, no migration, no PG mutation, no implementation planning, no implementation execution.
Master: risk-review/dot-iu-cutter-v0.1-dieu32-p0-risk-review-master-2026-05-15.md


1. Purpose

Lane B reviews the two HIGH-risk P0 items jointly because they share:

  1. The dot_pair_signature schema (designed in P0-3 §4.3 and referenced by P0-4 §4.1).
  2. The both-signatures-required rule (criterion 28).
  3. The rollback/verify safety surface (FAIL in P0-4 triggers rollback of the change-set in P0-3).
  4. The tool_revision drift rule (G-4 closure binding).

P0-3 alone covers rollback authority; P0-4 alone covers verify authority. They are interlocked: a verdict on rollback safety is not credible without a concurrent verdict on verify safety, and vice versa.

The expected stance for Lane B is approve_with_notes — not clean approve — unless every HIGH-risk mitigation is fully closed at design level. Several mitigations are still in design state, so clean approve is not available.

2. Source Inputs

  • migration-design/dot-iu-cutter-v0.1-p0-3-cut-change-set-rollback-key-migration-design-2026-05-15.md
  • migration-design/dot-iu-cutter-v0.1-p0-4-verify-result-migration-design-2026-05-15.md
  • migration-design/dot-iu-cutter-v0.1-p0-migration-design-risk-coverage-report-2026-05-15.md §4 (HIGH attention notes) + §5.6 + §5.7 + §5.8
  • reviews/dot-iu-cutter-v0.1-p0-migration-design-package-gpt-review-2026-05-15.md §3
  • Council Ratification Outcome §5.5 (G-4 acceptance)

3. Joint Scope

joint_scope:
  primary_tables:
    - cut_change_set (P0-3)
    - cut_change_set_affected_row (P0-3)
    - verify_result (P0-4)
  shared_table:
    - dot_pair_signature (designed in P0-3 §4.3; used by P0-4 §4.1)
  binding_rule: criterion 28 (DOT-pair dual-signature required for REPORT PASS)
  binding_authority: G-4 DOT Registry Custodian + Đ32 (HIGH path) + Đ44 + Đ24 (axis_1_drift_unit) + Đ37
  review_form: single joint approval; one verdict applies to both items
  default_recommendation: approve_with_notes

4. Risk Class Confirmation

P0_3_risk_class: HIGH
P0_4_risk_class: HIGH
risk_class_confirmed_by: GPT §3.3 + design master §7 + risk/coverage report §4
risk_class_acceptance: confirmed
joint_treatment_justification:
  - shared dot_pair_signature schema
  - shared dual-signature rule
  - rollback (P0-3) is the consequence path of verify FAIL (P0-4)
  - tool_revision drift rule applies to both
  - approving one without the other leaves the dual-engine binding incomplete

5. Joint Risk Catalogue

Numbered catalogue of the joint risks (jr1 to jr8) that this review evaluates.

5.1 Rollback risk (P0-3 primary, P0-4 trigger)

risk_jr1_rollback_safety:
  severity: HIGH
  description:
    - rollback_key MUST identify exactly one change-set; collision would rollback the wrong cut
    - rollback overlap (change-set B touches rows change-set A also touched) defaults to ERROR with reviewer escalation — must remain default
    - before_state_snapshot fidelity drives rollback correctness; insufficient granularity → wrong reconstructed state
    - rollback NEVER deletes change_set or affected_row entries (audit immutability)
    - automatic rollback is triggered by verify_result.verdict=FAIL (P0-4 §11); if rollback itself fails, a new health signal + backlog entry MUST emit
  sources: P0-3 §6 + §11 risks 1-4; P0-4 §14 row "rollback_triggered=true but rollback fails"

5.2 Verify failure risk (P0-4 primary, P0-3 consequence)

risk_jr2_verify_failure:
  severity: HIGH
  description:
    - verdict=FAIL must auto-trigger rollback; verdict=NEEDS_HUMAN must NOT auto-rollback
    - verdict=PASS gates change_set.state transition to committed
    - executor and verifier verdicts may disagree; disagreement → NEEDS_HUMAN (not silent PASS)
    - canonicalization rule binding influences whether drift is detected; rule changes mid-cycle would create ghost drift
    - axis_2 advisory in v0.1 must NOT silently become blocking
  sources: P0-4 §9 + §14 + §15

5.3 Both-signatures-required rule (joint)

risk_jr3_dual_signature:
  severity: HIGH
  description:
    - change_set transitions to committed ONLY when executor_signature + verifier_signature are both valid AND tool_revision_match=true
    - verify_result.verdict=PASS requires the same dual-signature condition concurrently
    - v0.1 enforcement is application-layer; PG constraint enforcement deferred to FUTURE
    - signature_failure event MUST route to G-2 backlog and G-4 Custodian
    - signature revocation (`validation_state='revoked'`) MUST flag dependent change-sets for review
  sources: P0-3 §7 + §11 rows 1-2 + §12; P0-4 §10 + §14 + §15

5.4 tool_revision drift (joint)

risk_jr4_tool_revision_drift:
  severity: HIGH
  description:
    - executor_tool_revision MUST equal verifier_tool_revision for both CUT and VERIFY
    - tool_revision_match=false → state=invalid_drift on cut_change_set; verdict=NEEDS_HUMAN on verify_result
    - dot_pair_drift signal MUST emit immediately
    - revision skew across the CUT-stage and VERIFY-stage runs is itself a drift case (P0-3 §7 + P0-4 §10)
  sources: P0-3 §7 + P0-4 §10

5.5 signature_failure (joint)

risk_jr5_signature_failure:
  severity: HIGH
  description:
    - missing executor signature: state stays executing; signature_failure signal
    - missing verifier signature: same
    - invalid signature: state stays executing; signature_failure signal; route to G-4 Custodian
    - timeout race conditions (signatures arrive at different times) must NOT silently fall through to commit
    - timeout policy per risk_class (P0-4 §12 item 8) acceptable; HIGH-risk runs require manual-only resolution
  sources: P0-3 §7 + P0-4 §12 item 7-8
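The three joint rules in §5.3, §5.4 and §5.5 (both signatures valid, tool_revision match, and no silent fall-through when signatures are missing, invalid, revoked or arrive at different times) can be read as one gate function. The model below is an added illustration for this review only; it is not implementation planning, not project code, and no DDL or real signature is involved. State names, signal names, routing targets and the `RBK-<change_set_id>` rollback_key format are taken from the review text; the `validation_state` vocabulary, the `DotPairSignature` and `ChangeSetGate` classes and the handling of a post-commit revocation are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the criterion-28 commit gate (review §5.3-§5.5). Not project code.


@dataclass
class DotPairSignature:
    signer_role: str        # "executor" | "verifier"
    tool_revision: str      # tool_revision reported by that signer's run
    validation_state: str   # "valid" | "invalid" | "revoked"  (assumed vocabulary)


@dataclass
class GateOutcome:
    state: str                       # cut_change_set.state: executing | committed | invalid_drift
    verdict: Optional[str]           # verify_result.verdict the gate permits, or None if withheld
    signals: list = field(default_factory=list)
    route_to: list = field(default_factory=list)
    tool_revision_match: Optional[bool] = None


def evaluate_commit_gate(executor: Optional[DotPairSignature],
                         verifier: Optional[DotPairSignature]) -> GateOutcome:
    """Pure function of the two signatures; called again on every change, never cached."""
    # §5.5: a missing signature keeps the change-set in 'executing' and emits signature_failure.
    if executor is None or verifier is None:
        return GateOutcome("executing", None, ["signature_failure"], ["G-2 backlog", "G-4 Custodian"])
    # §5.3/§5.5: an invalid or revoked signature is a signature_failure routed to the G-4 Custodian.
    if executor.validation_state != "valid" or verifier.validation_state != "valid":
        return GateOutcome("executing", None, ["signature_failure"], ["G-2 backlog", "G-4 Custodian"])
    # §5.4: executor_tool_revision must equal verifier_tool_revision, otherwise invalid_drift.
    if executor.tool_revision != verifier.tool_revision:
        return GateOutcome("invalid_drift", "NEEDS_HUMAN", ["dot_pair_drift"], ["Đ32"], False)
    # Only here may the change-set reach 'committed' and verify_result.verdict be PASS.
    return GateOutcome("committed", "PASS", [], [], True)


class ChangeSetGate:
    """Re-evaluates the gate on every signature arrival, so the race in §5.5 (signatures
    arriving at different times) cannot fall through to commit with only one present."""

    def __init__(self, change_set_id: str):
        self.change_set_id = change_set_id
        self.rollback_key = f"RBK-{change_set_id}"   # deterministic format from §6.3
        self.signatures: dict = {}
        self.history: list = []                      # append-only; nothing is ever deleted

    def record(self, sig: DotPairSignature) -> GateOutcome:
        self.signatures[sig.signer_role] = sig
        outcome = evaluate_commit_gate(self.signatures.get("executor"),
                                       self.signatures.get("verifier"))
        self.history.append(outcome)
        return outcome

    def revoke(self, signer_role: str) -> GateOutcome:
        """§5.3 / §6.3 (assumed handling): revocation does not rewrite history; it emits a
        signature_failure and routes dependent change-sets to Đ32 review."""
        old = self.signatures[signer_role]
        self.signatures[signer_role] = DotPairSignature(old.signer_role, old.tool_revision, "revoked")
        previous_state = self.history[-1].state if self.history else "executing"
        outcome = GateOutcome(previous_state, None, ["signature_failure"],
                              ["G-2 backlog", "Đ32 review of dependent change-sets"])
        self.history.append(outcome)
        return outcome


if __name__ == "__main__":
    gate = ChangeSetGate("cs-0001")
    print(gate.record(DotPairSignature("executor", "r5", "valid")))   # executing, signature_failure
    print(gate.record(DotPairSignature("verifier", "r5", "valid")))   # committed, PASS
    print(evaluate_commit_gate(DotPairSignature("executor", "r5", "valid"),
                               DotPairSignature("verifier", "r6", "valid")))  # invalid_drift
```

The point the model makes is that the gate has no memory of its own: each outcome is recomputed from the current pair of signatures, so the only way to reach `committed` is for both signatures to be present, valid and revision-matched at the same evaluation. An application-layer implementation that caches a partial result (executor valid, verifier pending) is exactly the bypass that §6.6 records as residual risk until a PG-level constraint exists.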

5.6 Rollback test plan requirement (joint)

risk_jr6_rollback_test_plan:
  severity: HIGH; blocker
  description:
    - rollback test plan MUST be documented and dry-run executed with synthetic data BEFORE first real CUT
    - test plan must cover:
        scripted_rollback_per_affected_row_scenarios
        verify_triggered_rollback_chain
        rollback_failure_recovery_path
        signature_revocation_cascade
    - this is a design-level + execution-precondition blocker; resolution path is documentation now + execution dry-run before migration execution
  sources: P0-3 §12 + P0-4 §15

5.7 Canonicalization rule dependency (P0-4 primary, affects P0-3 indirectly)

risk_jr7_canonicalization_rule:
  severity: HIGH
  description:
    - axis_1 drift detection depends on canonicalization rule; rule v0.1 is logical-only at design time (NFC + LF + trim recommended)
    - rule MUST be persisted with verify_result (canonicalization_rule_used field) so historical results remain interpretable
    - rule changes mid-cycle would create ghost drift on previously-passing manifests; rule changes MUST go through D4 capability intake
    - per-source_kind rule extensions are FUTURE (ast_node for code; byte for binary)
  sources: P0-4 §6 + §14 row "canonicalization rule changes mid-cycle"
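The ghost-drift hazard in jr7 is easiest to see with a concrete rule. The following is an added illustration for this review, not the project's canonicalization rule library and not Đ24-ratified prose: `nfc_lf_trim_v0.1` implements the NFC + LF + trim recommendation quoted above, while `nfc_lf_trim_ws_v0.2` is a hypothetical later rule used only to show what happens when a stored result is re-compared under a rule other than its `canonicalization_rule_used`. The sample manifests are constructed; hashing with SHA-256 is an assumption.

```python
import hashlib
import re
import unicodedata
from dataclasses import dataclass

# Constructed example for review §5.7. Only nfc_lf_trim_v0.1 reflects the recommended rule;
# nfc_lf_trim_ws_v0.2 is hypothetical and exists to demonstrate ghost drift.


def _nfc_lf_trim(text: str) -> str:
    text = unicodedata.normalize("NFC", text)                 # NFC
    text = text.replace("\r\n", "\n").replace("\r", "\n")     # LF line endings
    return "\n".join(line.strip() for line in text.split("\n")).strip()   # trim


def _nfc_lf_trim_collapse_ws(text: str) -> str:
    # Hypothetical v0.2: additionally collapses runs of spaces/tabs inside a line.
    return re.sub(r"[ \t]+", " ", _nfc_lf_trim(text))


CANONICALIZATION_RULES = {
    "nfc_lf_trim_v0.1": _nfc_lf_trim,
    "nfc_lf_trim_ws_v0.2": _nfc_lf_trim_collapse_ws,
}


@dataclass(frozen=True)
class VerifyResult:
    manifest_id: str
    canonicalization_rule_used: str   # persisted with the result, as §5.7 requires
    canonical_hash: str
    axis_1_drift_detected: bool


def canonical_hash(text: str, rule_id: str) -> str:
    return hashlib.sha256(CANONICALIZATION_RULES[rule_id](text).encode("utf-8")).hexdigest()


def verify_axis_1(manifest_id: str, expected: str, observed: str, rule_id: str) -> VerifyResult:
    """Axis-1 check: expected and observed source compared under one named rule."""
    observed_hash = canonical_hash(observed, rule_id)
    drift = canonical_hash(expected, rule_id) != observed_hash
    return VerifyResult(manifest_id, rule_id, observed_hash, drift)


def re_verify(prior: VerifyResult, observed: str, rule_id: str) -> VerifyResult:
    """Naive re-check against a stored hash under whatever rule is current.
    If rule_id differs from prior.canonicalization_rule_used the result is ghost drift."""
    observed_hash = canonical_hash(observed, rule_id)
    return VerifyResult(prior.manifest_id, rule_id, observed_hash, observed_hash != prior.canonical_hash)


def re_verify_guarded(prior: VerifyResult, observed: str, current_rule_id: str):
    """Safe re-check: always compares under the rule persisted with the prior result and
    reports separately that the current rule differs (a D4-intake matter, not drift)."""
    result = re_verify(prior, observed, prior.canonicalization_rule_used)
    rule_changed = current_rule_id != prior.canonicalization_rule_used
    return result, rule_changed


# Constructed sample manifests: same logical content, different encoding/whitespace.
SAMPLE_EXPECTED = "caf\u00e9 menu\n  foo  bar\n"            # precomposed é, LF
SAMPLE_OBSERVED = "cafe\u0301 menu\r\n  foo  bar  \r\n"      # decomposed e + ́, CRLF, trailing spaces


if __name__ == "__main__":
    prior = verify_axis_1("m-1", SAMPLE_EXPECTED, SAMPLE_OBSERVED, "nfc_lf_trim_v0.1")
    print("initial drift:", prior.axis_1_drift_detected)                                   # False
    print("ghost drift under v0.2:", re_verify(prior, SAMPLE_OBSERVED, "nfc_lf_trim_ws_v0.2").axis_1_drift_detected)  # True
    print("guarded:", re_verify_guarded(prior, SAMPLE_OBSERVED, "nfc_lf_trim_ws_v0.2"))
```

The unchanged source passes under v0.1 and "drifts" under v0.2 only because the rule changed, which is the ghost drift jr7 describes. Persisting `canonicalization_rule_used` and re-comparing under that rule (the guarded path) keeps historical results interpretable; a rule change then surfaces as a separate flag for D4 capability intake rather than as a FAIL that would trigger rollback.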

5.8 source_span ↔ axis_1_drift_unit dependency (joint — MUST close before planning)

risk_jr8_unit_alignment:
  severity: HIGH; design-level blocker
  description:
    - source_span unit on manifest_unit_block (P0-2 §9 item 4) MUST align with axis_1_drift_unit on verify_result (P0-4 §6) so MARK-span ↔ VERIFY-drift align
    - recommendation in P0-4 §6: source_span unit = byte offsets (precise span); drift unit = canonical_token (semantic comparison); conversion via canonicalization rule maps byte spans → canonical_token positions
    - decision must be ratified jointly; cross-cutting decision X-A in the cross-cutting register
    - until ratified, planning cannot open because the dependency between P0-2 and P0-4 is design-level
  sources: P0-2 §9 item 4; P0-4 §6 + §12 item 1; risk/coverage §5.8

6. P0-3 — Per-Item Findings

6.1 Risk class

HIGH — confirmed.

6.2 Main risks (prioritized; from P0-3 §11)

  1. Missing or invalid signature silently allowed → CUT commits without valid co-sign (criterion 28 break) — HIGH
  2. tool_revision_match=false allowed silently → invalid co-sign — HIGH
  3. Rollback cascades unintentionally to dependent change-sets — HIGH
  4. before_state_snapshot incomplete → rollback reconstructs wrong state — HIGH
  5. Audit loss on rollback — HIGH (mitigated by design: rollback never deletes)
  6. Signature scheme placeholder (v0.1) accepted as production — Standard (deferred; acceptable v0.1)
  7. Idempotency violation: same manifest cut twice creates two change-sets — Standard
  8. rollback_key collisions — Standard (mitigated by deterministic format)
  9. Signature revocation cascade — Standard
  10. Cross-reference to verify_result that doesn't yet exist (FK timing) — Low

6.3 Required mitigations (logical only)

mitigations:
  m_p0_3_jr3:
    binding: design-level (rule expressed); planning-level (application-layer enforcement implementation)
    description: both-signatures-required rule is application-layer v0.1; FUTURE PG constraint via trigger or check
  m_p0_3_jr4:
    binding: design-level
    description: state=invalid_drift enforced; CUT cannot transition to committed; dot_pair_drift signal
  m_p0_3_jr1_overlap:
    binding: design-level
    description: cascade default ERROR; explicit reviewer + G-4 + Đ32 review for cascade
  m_p0_3_before_state_snapshot:
    binding: design-level → planning-level
    description: minimal snapshot (FK + key columns + JSONB delta); full row for risk_class=high; FUTURE refinement
  m_p0_3_audit_loss:
    binding: design-level
    description: rollback NEVER deletes change_set or affected_row entries; state transitions only
  m_p0_3_signing_scheme:
    binding: design-level (placeholder accepted) → FUTURE D4 capability intake
    description: payload_hash + DOT-pair credential indirection v0.1; cryptographic signature FUTURE; FUTURE upgrade is committed
  m_p0_3_idempotency:
    binding: planning-level
    description: idempotency_key from (manifest_id, manifest_version, review_decision_id); duplicate rejected
  m_p0_3_rollback_key_format:
    binding: design-level
    description: deterministic `RBK-<change_set_id>` over raw uuid for human readability; uuid backbone preserves uniqueness
  m_p0_3_signature_revocation:
    binding: planning-level
    description: validation_state=revoked triggers backlog entry + Đ32 review of dependent change-sets
  m_p0_3_fk_timing:
    binding: planning-level
    description: FK to verify_result established post-VERIFY via application-layer ordering

6.4 Approval recommendation (P0-3)

recommendation: approve_with_notes
notes:
  - criterion 28 enforcement remains application-layer v0.1; PG-constraint FUTURE acceptable only because the same rule applies to P0-4 concurrently
  - signing scheme placeholder accepted ONLY because FUTURE upgrade is committed via D4 capability intake post-G-4 operational seating
  - cascade default ERROR + escalation path approved
  - rollback test plan MUST be documented + dry-run executed before migration execution (execution-level blocker)
  - before_state_snapshot granularity finalized at planning time for risk-class=high path
  - idempotency key strategy finalized at planning time

6.5 Blockers before implementation planning (P0-3)

design_level_blockers:
  - cascade rules confirmed (already default ERROR + escalation — no design change required; record acceptance)
  - signing scheme v0.1 posture explicitly accepted (acceptance now; no DDL written)
planning_level_blockers:
  - schema placement (cross-cutting X-1)
  - primary ID form (cross-cutting X-2)
  - JSONB validation policy (cross-cutting X-3)
  - enum implementation strategy (cross-cutting X-4)
  - dot_pair_signature shape final (cross-cutting X-6)
  - idempotency key planning
  - signature revocation cascade workflow planning
  - before_state_snapshot granularity policy planning
operational_level_blockers:
  - G-4 DOT Registry Custodian seat named
  - DOT-pair (dot-iu-cutter + dot-iu-cutter-verify) registered via G-4
  - dot_pair_drift / signature_failure signal routing wired to G-2 backlog
  - rollback test plan dry-run executed (execution precondition; not a planning blocker but an execution blocker)

6.6 Residual risk (P0-3)

residual_risk_carried_forward:
  - criterion 28 enforcement is application-layer v0.1; risk of bypass exists until PG-constraint enforcement lands
  - signing scheme is hash-based pseudo-signature v0.1; cryptographic scheme is FUTURE
  - cascade ERROR semantics depend on application-layer detection of overlap
  - before_state_snapshot fidelity depends on snapshot granularity policy not yet planned
residual_risk_level: medium-high (typical for HIGH-risk items at this stage)

7. P0-4 — Per-Item Findings

7.1 Risk class

HIGH — confirmed.

7.2 Main risks (prioritized; from P0-4 §14)

  1. axis-1 drift unit mismatch with P0-2 source_span unit → systematic VERIFY failure — HIGH; design-level blocker
  2. Canonicalization rule changes mid-cycle → ghost drift on previously-passing manifests — HIGH
  3. Both DOT signers in same context (verifier not actually independent) — HIGH
  4. Tool revision drift detected but rollback path unclear — HIGH
  5. rollback_triggered=true but rollback fails — HIGH
  6. Axis-2 advisory silently becoming mandatory — Standard
  7. Signature timeout in race conditions — Standard
  8. Verdict drift between verify_result and review_decision — Standard
  9. verdict_rationale left empty on FAIL — Standard
  10. axis_1_drift_details JSONB unbounded growth — Standard
  11. Re-VERIFY without prior_verify_result_id chain — Standard
  12. (rollback chain cycle) — handled at design via decision_backlog routing

7.3 Required mitigations (logical only)

mitigations:
  m_p0_4_jr8_unit_alignment:
    binding: design-level (must close before planning)
    description: joint decision recorded as X-A in cross-cutting register; recommendation = source_span byte offsets + drift_unit canonical_token + canonicalization rule mapping
  m_p0_4_jr7_canonicalization:
    binding: design-level (rule prose deferred to Đ24); planning-level (rule library / per-source_kind extension)
    description: canonicalization_rule_used field captures rule version on each verify_result; rule changes via D4 capability intake only; legacy verify_results remain immutable
  m_p0_4_independence:
    binding: design-level → planning-level (separate execution context implementation deferred to G-3 D4 capability intake)
    description: independence_evidence MUST be embedded in payload_envelope; v0.1 application-layer posture acceptable ONLY IF FUTURE PG enforcement is committed via D4 intake
  m_p0_4_drift_rollback_path:
    binding: design-level
    description: G-4 closure explicit revert path; Đ32 escalation on detection
  m_p0_4_rollback_failure_recovery:
    binding: design-level → execution precondition
    description: rollback failure itself emits new health signal + backlog entry; manual recovery via G-4 Custodian + Đ32; covered by rollback test plan
  m_p0_4_axis_2_advisory_boundary:
    binding: design-level
    description: axis_2_status remains advisory v0.1; elevation only via D4 capability intake + Đ32
  m_p0_4_signature_timeout:
    binding: planning-level
    description: timeout per risk_class (low 5min, standard 30min, high manual-only); Đ32 to confirm policy at planning time
  m_p0_4_verdict_alignment:
    binding: design-level
    description: review precedes verify; on disagreement → NEEDS_HUMAN
  m_p0_4_rationale_enforcement:
    binding: planning-level
    description: application-layer enforcement of verdict_rationale on FAIL / NEEDS_HUMAN; FUTURE PG check
  m_p0_4_jsonb_growth:
    binding: design-level
    description: per-unit breakdown limited to drift-bearing units; full-row breakdown on debug runs only
  m_p0_4_re_verify_chain:
    binding: planning-level (field expansion)
    description: add prior_verify_result_id field to verify_result schema at planning time

7.4 Approval recommendation (P0-4)

recommendation: approve_with_notes
notes:
  - axis_1_drift_unit ↔ source_span unit JOINT decision MUST close before planning (cross-cutting X-A) — design-level blocker
  - canonicalization rule v0.1 prose must reach Đ24 ratification before execution; design-level placeholder is acceptable here
  - DOT-pair verifier separate execution context boundary deferred to G-3 D4 capability intake — explicitly bound at design time
  - axis-2 advisory boundary formally accepted; elevation path documented
  - rollback chain test plan covers verify-triggered rollback; required before execution (joint with P0-3)
  - prior_verify_result_id field added at planning time

7.5 Blockers before implementation planning (P0-4)

design_level_blockers:
  - axis_1_drift_unit ↔ source_span unit joint decision (cross-cutting X-A)
  - canonicalization rule v0.1 logical-only acceptance recorded here (no prose binding; prose is Đ24 phase)
  - independence rule boundary explicitly accepted as application-layer v0.1 (record acceptance)
planning_level_blockers:
  - schema placement (cross-cutting X-1)
  - primary ID form (cross-cutting X-2)
  - JSONB validation policy (cross-cutting X-3)
  - enum implementation strategy (cross-cutting X-4)
  - signature timeout policy per risk_class
  - verdict_rationale enforcement
  - prior_verify_result_id field
  - axis_2_coverage_score formula
operational_level_blockers:
  - G-4 DOT Registry Custodian seat named
  - DOT-pair separate execution context implementation plan
  - dot-iu-cutter-verify DOT registered
  - canonicalization rule library scaffolding (FUTURE per source_kind)
  - Đ24 vocab owner ratification of axis_1_drift_unit value
  - rollback test plan dry-run executed (joint with P0-3; execution precondition)

7.6 Residual risk (P0-4)

residual_risk_carried_forward:
  - independence enforcement is application-layer v0.1; risk of same-context double-sign exists until PG enforcement lands
  - canonicalization rule v0.1 is recommendation-only here; final ratification deferred to Đ24
  - axis-2 advisory may drift toward de-facto mandatory if not monitored; D4 elevation path documented but not implemented
  - rollback failure recovery depends on rollback test plan execution which is FUTURE
residual_risk_level: medium-high (typical for HIGH-risk items at this stage)

8. Joint Approval Recommendation

joint_recommendation: approve_with_notes
rationale:
  - all HIGH-risk mitigations recorded at design level; none are unaddressed
  - some mitigations are application-layer v0.1 with FUTURE PG-constraint paths — acceptable as documented residual risk
  - cross-cutting X-A (source_span ↔ axis_1_drift_unit) is design-level blocker — captured in cross-cutting register
  - rollback test plan is an execution-level blocker (must be dry-run before migration execution) but does NOT block opening of implementation planning
  - signing scheme placeholder is acceptable because FUTURE upgrade is committed via D4 capability intake
  - clean approve would require: (1) PG-constraint enforcement designed now, (2) cryptographic signing scheme designed now, (3) canonicalization rule prose ratified now, (4) separate-execution-context for verifier designed now — none of which are P0 scope

joint_blockers_summary:
  design_level_blockers_for_planning_opening:
    - X-A: source_span unit ↔ axis_1_drift_unit alignment (cross-cutting register)
  planning_level_blockers:
    - X-1 schema placement
    - X-2 primary ID form
    - X-3 JSONB validation policy
    - X-4 enum implementation strategy
    - X-6 dot_pair_signature shape final
    - X-7 canonicalization rule v0.1 ratification path
    - signature timeout policy per risk_class
    - prior_verify_result_id field (P0-4)
    - idempotency key strategy (P0-3)
    - before_state_snapshot granularity (P0-3)
  execution_level_blockers (not planning blockers):
    - X-8 rollback test plan documented + dry-run executed
    - DOT-pair registration via G-4 Custodian
    - dot-iu-cutter-verify DOT registered
    - signing scheme implementation (v0.1)
    - canonicalization rule library scaffolding (v0.1)
    - signal routing (dot_pair_drift, signature_failure) wired to G-2 backlog
    - directus backup before migration

9. Joint Residual Risk

joint_residual_risk_register:
  - id: jr_res_1
    risk: criterion 28 enforcement at application-layer v0.1; bypass risk exists until PG enforcement lands
    mitigation_status: documented; FUTURE D4 capability intake
    residual_level: medium
  - id: jr_res_2
    risk: signing scheme is hash-based pseudo-signature v0.1
    mitigation_status: documented; FUTURE D4 capability intake
    residual_level: medium
  - id: jr_res_3
    risk: verifier independence is application-layer v0.1 (same execution context risk)
    mitigation_status: documented; G-3 D4 capability intake committed
    residual_level: medium
  - id: jr_res_4
    risk: canonicalization rule v0.1 not yet Đ24-ratified prose
    mitigation_status: design-level placeholder accepted; ratification path documented
    residual_level: low-medium
  - id: jr_res_5
    risk: rollback test plan not yet executed
    mitigation_status: execution-level blocker; does not block planning opening
    residual_level: medium until execution
  - id: jr_res_6
    risk: cascade rollback overlap detection at application-layer; PG enforcement FUTURE
    mitigation_status: default ERROR + escalation; documented
    residual_level: low (fail-safe default)
  - id: jr_res_7
    risk: axis-2 advisory boundary may erode toward mandatory if not monitored
    mitigation_status: D4 elevation path explicit; monitoring not yet planned
    residual_level: low (advisory now; elevation gated)

10. Joint Verdict Summary

joint_verdict: approve_with_notes
P0_3_verdict: approve_with_notes (covered by joint verdict)
P0_4_verdict: approve_with_notes (covered by joint verdict)

design_level_blockers_remaining:
  count: 1
  entry:
    id: X-A
    name: source_span unit ↔ axis_1_drift_unit
    classification: design-level
    must_close_before_planning_opens: true

planning_level_blockers: many (see §8.joint_blockers_summary.planning_level_blockers)
execution_level_blockers: many (see §8.joint_blockers_summary.execution_level_blockers)

implementation_planning_signal: conditional_open
  condition: X-A closed (via cross-cutting register) — closing X-A is the gate condition

implementation_execution_signal: blocked
  reason: remains blocked regardless of this phase outcome per Đ32 review master §7

11. Explicit Confirmation

no_ddl_written: true
no_sql_written: true
no_create_table_or_alter_table_in_this_document: true
no_column_ddl_in_this_document: true
no_index_ddl: true
no_constraint_ddl_in_this_document: true
no_trigger_or_function_or_rls_policy_written: true
no_cryptographic_scheme_specified_in_this_document: true
no_canonicalization_rule_prose_in_this_document: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_data_writes: true
no_implementation_planning: true
no_implementation_execution: true
no_migration_design_file_modified: true
no_previous_phase_file_modified: true
no_signature_actually_generated: true
no_verify_actually_run: true
output_form: risk_review_documentation_only