KB-3F83
dot-iu-cutter v0.1 — Đ32 P0 Standard Items Risk Review (Lane A)
Revision 1
Date: 2026-05-15
Status: Đ32 P0 RISK REVIEW — Lane A (Standard items)
Scope: RISK REVIEW ONLY. No DDL, no SQL, no migration, no PG mutation, no implementation planning, no implementation execution.
Master: risk-review/dot-iu-cutter-v0.1-dieu32-p0-risk-review-master-2026-05-15.md
1. Purpose
Lane A covers the four Standard-risk P0 items in reviewer order per the design master §4:
- P0-5 decision_backlog_entry
- P0-1 canonical_address
- P0-2 manifest_envelope + manifest_unit_block
- P0-6 review_decision
Each item is reviewed at the Standard Đ32 path. The expected stance is approve_with_notes where risks are controlled at design level.
2. Source Inputs
- migration-design/dot-iu-cutter-v0.1-p0-5-decision-backlog-entry-migration-design-2026-05-15.md
- migration-design/dot-iu-cutter-v0.1-p0-1-canonical-address-migration-design-2026-05-15.md
- migration-design/dot-iu-cutter-v0.1-p0-2-manifest-envelope-unit-block-migration-design-2026-05-15.md
- migration-design/dot-iu-cutter-v0.1-p0-6-review-decision-migration-design-2026-05-15.md
- migration-design/dot-iu-cutter-v0.1-p0-migration-design-risk-coverage-report-2026-05-15.md
- reviews/dot-iu-cutter-v0.1-p0-migration-design-package-gpt-review-2026-05-15.md
3. Shared Lane A Posture
lane_a_risk_class_aggregate: Standard
lane_a_review_path: Đ32 Standard
lane_a_review_authority_baseline: Đ32
lane_a_review_co_authorities:
  P0-5: G-2 Registry Custodian
  P0-1: Đ24 vocab owner + Đ0-G birth-gate owner
  P0-2: Đ44 family registry custodian + Đ24 vocab owner
  P0-6: Đ44 + Đ37 + G-5 (PII handling)
lane_a_default_recommendation: approve_with_notes
lane_a_evidence_basis: per-item §11 risks + design package risk/coverage report §4
4. P0-5 decision_backlog_entry — Standard
4.1 Risk class confirmation
risk_class: Standard
class_confirmed_by: GPT §3.3 + design master §7 + risk/coverage report §4
class_acceptance: confirmed
4.2 Main risks (prioritized)
| # | Risk | Severity | Source |
|---|---|---|---|
| 1 | History preservation across rollback events (backlog history must survive a P0-3 rollback that touches its FK references) | Standard | per-item §9 items 9-10; risk/coverage §4 |
| 2 | PII handling for owner_seat / actor identifiers (governance accountability trail records reviewer + executor identity) | Standard | per-item §9 item 7-ish surface; risk/coverage §4; cross-link G-5 |
| 3 | Markdown mirror access scope (mirror generator must not leak governance trail to non-authorized audiences) | Standard | per-item §9 item 8; cross-link G-5 |
| 4 | Dependency-cycle detection on entries that reference each other (closure_evidence pointing back) | Standard | per-item §9 item 5 |
| 5 | Re-opened state distinctness (resolved → re_opened semantics) | Standard | per-item §9 item 9 |
| 6 | History granularity (per-field vs row snapshot) impacts retention storage growth | Standard | per-item §9 item 10 |
4.3 Required mitigations (logical only)
mitigations:
  m_p0_5_1_history_preservation:
    description: backlog history MUST remain immutable independent of P0-3 rollback chain; rollback of cut_change_set does NOT rollback decision_backlog_history
    binding: design-level; documented in per-item §6 lifecycle and §10 sub-decision
    enforcement: application-layer v0.1; PG FUTURE
  m_p0_5_2_pii:
    description: owner_seat stored as role-seat identifier (not natural person PII) wherever feasible; mapping to natural person held by G-5 operational seat, not in backlog
    binding: design-level; carried into G-5 operational handoff
  m_p0_5_3_mirror_scope:
    description: markdown mirror generator MUST emit governance trail only to reviewer/G-2 audiences; non-authorized audience access blocked at retrieval layer (FUTURE)
    binding: design-level; planning-level for retrieval-side gating
  m_p0_5_4_cycle_detection:
    description: dependency graph among backlog entries MUST be acyclic; cycle detection at write time (application v0.1; PG check FUTURE)
    binding: design-level
  m_p0_5_5_state_distinctness:
    description: state enum MUST distinguish resolved vs re_opened; re_opened entries point back to prior resolved entry via prior_entry_id (field expansion at planning time)
    binding: design-level → planning-level (field expansion)
  m_p0_5_6_history_granularity:
    description: per-field delta storage; full row snapshot reserved for risk_class=high entries
    binding: planning-level
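Added illustration of what the application-layer v0.1 enforcement for m_p0_5_4 (acyclic dependency graph, checked at write time) and m_p0_5_5 (re_opened entries must point back at a resolved prior entry) could look like; this is not code from the risk review or the dot-iu-cutter project, and the `depends_on` field and the state values are assumptions.

```python
# Added example, not project code. Field names and state values are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BacklogEntry:
    entry_id: str
    state: str                                   # "open" | "resolved" | "re_opened" (assumed values)
    depends_on: List[str] = field(default_factory=list)   # assumed: closure_evidence back-references
    prior_entry_id: Optional[str] = None         # set only when state == "re_opened"


class BacklogWriteError(ValueError):
    """Raised when a write would violate an m_p0_5_* rule."""


def would_create_cycle(entries: Dict[str, BacklogEntry], new_entry: BacklogEntry) -> bool:
    """True if writing new_entry makes the backlog dependency graph cyclic.

    Depth-first walk from new_entry's dependencies; reaching new_entry.entry_id
    means a reference chain points back at the entry being written.
    """
    graph = {eid: list(e.depends_on) for eid, e in entries.items()}
    graph[new_entry.entry_id] = list(new_entry.depends_on)   # the write being evaluated
    stack, seen = list(new_entry.depends_on), set()
    while stack:
        node = stack.pop()
        if node == new_entry.entry_id:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return False


def validate_write(entries: Dict[str, BacklogEntry], new_entry: BacklogEntry) -> None:
    """Write-time gate for m_p0_5_4 (acyclic) and m_p0_5_5 (re_opened linkage)."""
    if would_create_cycle(entries, new_entry):
        raise BacklogWriteError(f"{new_entry.entry_id}: dependency cycle")
    if new_entry.state == "re_opened":
        prior = entries.get(new_entry.prior_entry_id or "")
        if prior is None or prior.state != "resolved":
            raise BacklogWriteError(
                f"{new_entry.entry_id}: re_opened must point at a resolved prior entry")
    elif new_entry.prior_entry_id is not None:
        raise BacklogWriteError(f"{new_entry.entry_id}: prior_entry_id only valid for re_opened")
    entries[new_entry.entry_id] = new_entry
```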
4.4 Approval recommendation
recommendation: approve_with_notes
notes:
- state enum (re_opened) extension confirmed at planning time
- history granularity strategy confirmed at planning time
- PII storage policy confirmed at G-5 operational handoff
- mirror generator scoping deferred to retrieval-layer FUTURE design
4.5 Blockers before implementation planning
design_level_blockers: none
planning_level_blockers:
- schema placement (cross-cutting X-1)
- primary ID form (cross-cutting X-2)
- enum implementation strategy (cross-cutting X-3)
- history granularity field finalization
operational_level_blockers:
- G-2 Registry Custodian seat named
- G-5 PII policy confirmed
4.6 Residual risk
residual_risk_carried_forward:
- history preservation policy is application-layer v0.1; PG-constraint enforcement deferred
- PII surface for owner_seat depends on G-5 operational policy
- markdown mirror generator implementation entirely FUTURE
residual_risk_level: low
5. P0-1 canonical_address — Standard
5.1 Risk class confirmation
risk_class: Standard
class_confirmed_by: GPT §3.3 + design master §7 + risk/coverage report §4
class_acceptance: confirmed
5.2 Main risks (prioritized)
| # | Risk | Severity | Source |
|---|---|---|---|
| 1 | Backfill data exposure on existing TAC rows when canonical_address is populated retroactively | Standard | per-item §9 item 6; risk/coverage §4 |
| 2 | Authority misclassification (canonical_address.authority pulled from Đ0-G enum incorrectly on legacy rows) | Standard | per-item §9 item 5; cross-link Đ0-G |
| 3 | Trigram / search index leakage of canonical addresses to unauthorized audiences (FUTURE retrieval concern) | Standard | per-item §9 item 3; FUTURE |
| 4 | Mutation policy ambiguity (when can a canonical_address change after publication?) | Standard | per-item §9 item 2 |
| 5 | Uniqueness scope (per-publication vs global) | Standard | per-item §9 item 1 |
| 6 | NULL on legacy rows; constraint enforcement timing | Standard | per-item §9 items 9-10 |
| 7 | Alias storage shape and lifecycle | Standard | per-item §9 item 4 |
5.3 Required mitigations (logical only)
mitigations:
  m_p0_1_1_backfill_exposure:
    description: backfill executed in batches with reviewer audit; rows touched are recorded in a backfill report; no automatic publication
    binding: planning-level
  m_p0_1_2_authority_classification:
    description: authority value sourced from Đ0-G enum via Đ24 lookup; legacy rows annotated with `authority_inferred=true` until reviewer confirms
    binding: design-level → planning-level
  m_p0_1_3_index_leakage:
    description: trigram / search exposure gated by retrieval-layer audience filter (FUTURE); design accepts that index existence alone does not leak — leakage only on query path
    binding: planning-level (no FUTURE retrieval design changes here)
  m_p0_1_4_mutation_policy:
    description: canonical_address mutation requires explicit reviewer authorization + entry in backlog; default policy = immutable after publication
    binding: design-level
  m_p0_1_5_uniqueness_scope:
    description: uniqueness scoped to (publication_id, canonical_address); cross-publication aliases handled via alias table
    binding: design-level
  m_p0_1_6_nullability:
    description: nullable on legacy rows until backfill complete; NOT NULL constraint enabled only post-backfill (separate planning step)
    binding: planning-level
  m_p0_1_7_alias_table:
    description: canonical_address_alias separate table; alias lifecycle (active / retired) recorded; never delete
    binding: design-level
5.4 Approval recommendation
recommendation: approve_with_notes
notes:
- backfill plan must be reviewed at planning time
- authority enum binding confirmed via Đ24 ratification
- mutation policy default = immutable post-publication
- NOT NULL constraint enabled only post-backfill
5.5 Blockers before implementation planning
design_level_blockers: none
planning_level_blockers:
- backfill plan documented + reviewed
- uniqueness scope finalized
- alias table lifecycle finalized
- schema placement (cross-cutting X-1)
- primary ID form (cross-cutting X-2)
operational_level_blockers:
- Đ24 vocab owner sign-off on authority enum binding
- Đ0-G birth-gate owner sign-off on authority classification
5.6 Residual risk
residual_risk_carried_forward:
- backfill data quality depends on retroactive enrichment quality
- retrieval-layer leakage risk is FUTURE (not addressable in P0)
residual_risk_level: low
6. P0-2 manifest_envelope + manifest_unit_block — Standard
6.1 Risk class confirmation
risk_class: Standard
class_confirmed_by: GPT §3.3 + design master §7 + risk/coverage report §4
class_acceptance: confirmed
joint_design_pair: envelope + unit_block per Đ44 Step 1 (preserved)
6.2 Main risks (prioritized)
| # | Risk | Severity | Source |
|---|---|---|---|
| 1 | Vocabulary leakage: Đ24-controlled enums populated with off-vocabulary values | Standard | per-item §9 (vocabulary discipline); cross-link Đ24 |
| 2 | source_span unit correctness — must align with axis_1_drift_unit on P0-4 (joint cross-cutting decision X-A) | Standard (Đ32 review) but HIGH at joint | per-item §9 item 4; risk/coverage §5.8 |
| 3 | review_required stickiness (once required, must not silently flip back) | Standard | per-item §9 item 7 |
| 4 | Composite identity enforcement on manifest_unit_block (envelope_id + unit_local_id) | Standard | per-item §9 item 2 |
| 5 | cut_reason_tags shape / vocabulary leakage | Standard | per-item §9 item 8 |
| 6 | Manifest diff materialization strategy (computed vs stored) | Standard | per-item §9 item 9 |
| 7 | decision_backlog_root_entry_id semantics under re-cut | Standard | per-item §9 item 11 |
6.3 Required mitigations (logical only)
mitigations:
  m_p0_2_1_vocab_discipline:
    description: enum fields wired via Đ24 lookup FK (cross-cutting X-4); off-vocabulary writes rejected
    binding: design-level → planning-level (FK target table selection)
  m_p0_2_2_source_span_alignment:
    description: source_span unit decision JOINT with axis_1_drift_unit on P0-4; Lane B will record the joint decision; Lane A defers to Lane B + cross-cutting register
    binding: design-level; must close before planning
  m_p0_2_3_review_required_stickiness:
    description: once review_required=true, only explicit reviewer authorization may clear it; recorded in backlog entry
    binding: design-level
  m_p0_2_4_composite_identity:
    description: enforce (envelope_id, unit_local_id) uniqueness on manifest_unit_block; application-layer v0.1; PG FUTURE
    binding: design-level → planning-level
  m_p0_2_5_cut_reason_tags:
    description: tag values drawn from Đ24-controlled set; freeform fallback rejected v0.1
    binding: planning-level
  m_p0_2_6_diff_materialization:
    description: diff computed at read time v0.1; materialized only if performance requires it (FUTURE)
    binding: planning-level
  m_p0_2_7_root_entry_semantics:
    description: decision_backlog_root_entry_id stable across re-cut iterations; re-cut creates child entries, not new root
    binding: design-level
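Added illustration of the application-layer v0.1 side of three P0-2 mitigations: m_p0_2_4 (composite identity on manifest_unit_block), m_p0_2_3 (review_required stickiness, clearable only by a recorded reviewer authorization) and m_p0_2_5 (cut_reason_tags rejected when off-vocabulary). This is not code from the risk review or the project; the vocabulary values and the authorization shape (a backlog entry id) are assumptions.

```python
# Added example, not project code. Vocabulary values and authorization shape are assumed.
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the Đ24-controlled cut_reason_tags set (assumed values).
CUT_REASON_VOCAB: Set[str] = {"heading_boundary", "table_split", "length_cap"}


class UnitBlockError(ValueError):
    """Raised when a write would violate an m_p0_2_* rule."""


class UnitBlockStore:
    """In-memory stand-in for manifest_unit_block writes."""

    def __init__(self) -> None:
        self._blocks: Dict[Tuple[str, str], dict] = {}

    def insert(self, envelope_id: str, unit_local_id: str,
               cut_reason_tags: Set[str], review_required: bool = False) -> None:
        key = (envelope_id, unit_local_id)
        if key in self._blocks:                       # m_p0_2_4: composite identity
            raise UnitBlockError(f"duplicate composite identity {key}")
        off_vocab = cut_reason_tags - CUT_REASON_VOCAB   # m_p0_2_5: no freeform fallback
        if off_vocab:
            raise UnitBlockError(f"off-vocabulary cut_reason_tags {sorted(off_vocab)}")
        self._blocks[key] = {"cut_reason_tags": set(cut_reason_tags),
                             "review_required": review_required,
                             "clearance_backlog_entry_id": None}

    def set_review_required(self, envelope_id: str, unit_local_id: str, value: bool,
                            reviewer_authorization: Optional[str] = None) -> None:
        """m_p0_2_3: raising the flag needs nothing; clearing it needs the backlog
        entry id that records the reviewer's explicit authorization."""
        block = self._blocks[(envelope_id, unit_local_id)]
        if block["review_required"] and not value:
            if not reviewer_authorization:
                raise UnitBlockError("review_required cleared without reviewer authorization")
            block["clearance_backlog_entry_id"] = reviewer_authorization
        block["review_required"] = value

    def get(self, envelope_id: str, unit_local_id: str) -> dict:
        return dict(self._blocks[(envelope_id, unit_local_id)])
```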
6.4 Approval recommendation
recommendation: approve_with_notes
notes:
- source_span unit decision MUST close jointly with P0-4 axis_1_drift_unit before planning (cross-cutting X-A)
- composite identity enforcement strategy confirmed at planning time
- enum FK target tables aligned with Đ24
- review_required stickiness rule confirmed at planning time
6.5 Blockers before implementation planning
design_level_blockers:
- source_span unit ↔ axis_1_drift_unit joint decision (see Lane B + cross-cutting X-A)
planning_level_blockers:
- schema placement (cross-cutting X-1)
- primary ID form (cross-cutting X-2)
- JSONB validation policy (cross-cutting X-3)
- enum implementation strategy (cross-cutting X-4)
- manifest diff materialization choice
operational_level_blockers:
- Đ44 family registry custodian sign-off
- Đ24 vocab owner sign-off
6.6 Residual risk
residual_risk_carried_forward:
- vocabulary discipline depends on Đ24 lookup completeness
- composite-identity application-layer enforcement v0.1
residual_risk_level: low-to-medium (medium because of joint cross-link with P0-4)
7. P0-6 review_decision — Standard
7.1 Risk class confirmation
risk_class: Standard
class_confirmed_by: GPT §3.3 + design master §7 + risk/coverage report §4
class_acceptance: confirmed
7.2 Main risks (prioritized)
| # | Risk | Severity | Source |
|---|---|---|---|
| 1 | AI reviewer independence enforcement (reviewer_identity must not equal cutter executor identity) | Standard (Đ32) but security-adjacent | per-item §9 item 5; cross-link Đ37 |
| 2 | cross_signed_by_dot_verifier semantics ambiguity | Standard | per-item §9 item 10 |
| 3 | reviewer_identity PII surface | Standard | per-item §9 item 9; cross-link G-5 |
| 4 | Re-review handling — when manifest changes, must new review_decision be issued | Standard | per-item §9 item 4 |
| 5 | Verdict enum elevation to Đ24 governance | Standard | per-item §9 item 2 |
| 6 | AI/Human/Council distinction in reviewer_kind | Standard | per-item §9 item 6 |
| 7 | escalation_ref cardinality (1:1 vs 1:N) to backlog entries | Standard | per-item §9 item 7 |
| 8 | Findings completeness checklist enforcement (D2 §4.6 10 items) | Standard | per-item §9 item 8 |
7.3 Required mitigations (logical only)
mitigations:
  m_p0_6_1_independence:
    description: reviewer_identity must differ from cut executor identity for the same manifest_id; application-layer enforcement v0.1; PG check FUTURE
    binding: design-level → planning-level
  m_p0_6_2_cross_signed_semantics:
    description: cross_signed_by_dot_verifier means a separate DOT-pair verifier co-signed the review verdict (distinct from VERIFY-stage signature); document binding in planning
    binding: planning-level
  m_p0_6_3_pii:
    description: reviewer_identity stored as governance-seat identifier where feasible; natural-person mapping held by G-5
    binding: G-5 operational
  m_p0_6_4_re_review:
    description: new review_decision row issued for any manifest version change; prior row remains immutable; FK to prior_review_decision_id (field expansion at planning time)
    binding: planning-level
  m_p0_6_5_verdict_enum:
    description: verdict enum {PASS, FAIL, NEEDS_HUMAN} elevated to Đ24 vocabulary; aligned with P0-4 verdict pattern
    binding: design-level → planning-level
  m_p0_6_6_reviewer_kind:
    description: reviewer_kind enum {ai, human, council}; council requires reviewer_set field listing council members
    binding: planning-level
  m_p0_6_7_escalation_cardinality:
    description: escalation_ref is 1:N (one review may spawn multiple backlog entries); model as junction table only if cardinality > 1 is observed in v0.1
    binding: planning-level
  m_p0_6_8_findings_checklist:
    description: findings JSONB MUST include D2 §4.6 10-item checklist when verdict in {FAIL, NEEDS_HUMAN}; application-layer enforcement
    binding: planning-level
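Added illustration of the application-layer checks behind m_p0_6_1 (reviewer independence from the cut executor for the same manifest_id), m_p0_6_4 (a new, immutable review_decision row chained through prior_review_decision_id) and m_p0_6_8 (checklist completeness on FAIL / NEEDS_HUMAN). This is not code from the risk review or the project; the ten checklist keys are placeholders because the page cites D2 §4.6 without listing the items, and `cut_executor_identity` is an assumed input.

```python
# Added example, not project code. Checklist keys are placeholders; executor identity is an assumed input.
from dataclasses import dataclass
from typing import Dict, Optional

VERDICTS = {"PASS", "FAIL", "NEEDS_HUMAN"}           # m_p0_6_5 enum, as stated on the page
REVIEWER_KINDS = {"ai", "human", "council"}          # m_p0_6_6 enum, as stated on the page
# Placeholder keys standing in for the D2 §4.6 10-item checklist (not the real item names).
CHECKLIST_KEYS = frozenset(f"d2_4_6_item_{i}" for i in range(1, 11))


class ReviewDecisionError(ValueError):
    """Raised when a review_decision write would violate an m_p0_6_* rule."""


@dataclass(frozen=True)      # frozen: a stored row is never edited, only chained from
class ReviewDecision:
    decision_id: str
    manifest_id: str
    manifest_version: int
    reviewer_identity: str
    reviewer_kind: str
    verdict: str
    findings: Dict[str, str]
    prior_review_decision_id: Optional[str] = None


def validate_review_decision(decision: ReviewDecision, cut_executor_identity: str,
                             existing: Dict[str, ReviewDecision]) -> None:
    """Write-time gate; raises ReviewDecisionError on any violated rule."""
    if decision.reviewer_identity == cut_executor_identity:          # m_p0_6_1
        raise ReviewDecisionError("reviewer must be independent of the cut executor")
    if decision.reviewer_kind not in REVIEWER_KINDS or decision.verdict not in VERDICTS:
        raise ReviewDecisionError("reviewer_kind or verdict outside the controlled enum")
    if decision.verdict in {"FAIL", "NEEDS_HUMAN"}:                   # m_p0_6_8
        missing = CHECKLIST_KEYS - set(decision.findings)
        if missing:
            raise ReviewDecisionError(f"findings missing checklist items: {sorted(missing)}")
    # m_p0_6_4: a re-review chains to the latest prior row for the same manifest.
    prior = [d for d in existing.values() if d.manifest_id == decision.manifest_id]
    if prior:
        latest = max(prior, key=lambda d: d.manifest_version)
        if decision.manifest_version <= latest.manifest_version:
            raise ReviewDecisionError("reviewed manifest version is immutable; issue a new version")
        if decision.prior_review_decision_id != latest.decision_id:
            raise ReviewDecisionError("prior_review_decision_id must reference the latest prior row")
    elif decision.prior_review_decision_id is not None:
        raise ReviewDecisionError("first review for a manifest has no prior decision")
```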
7.4 Approval recommendation
recommendation: approve_with_notes
notes:
- reviewer independence rule confirmed at planning + Đ37 sign-off
- verdict enum elevated through Đ24
- re-review chain via prior_review_decision_id added at planning time
- PII handling deferred to G-5 operational policy
7.5 Blockers before implementation planning
design_level_blockers: none
planning_level_blockers:
- schema placement (cross-cutting X-1)
- primary ID form (cross-cutting X-2)
- verdict enum implementation (cross-cutting X-4)
- prior_review_decision_id field added
- escalation cardinality finalized
operational_level_blockers:
- Đ37 sign-off on independence rule
- Đ44 family ratifier confirmation
- G-5 PII handling policy confirmed
7.6 Residual risk
residual_risk_carried_forward:
- independence enforcement is application-layer v0.1; PG-constraint enforcement FUTURE
- cross_signed_by_dot_verifier semantics defined at planning time
- PII surface remains a G-5 operational dependency
residual_risk_level: low
8. Lane A Aggregate Verdict
lane_a_aggregate_verdict: approve_with_notes
items_recommended_approve: 0
items_recommended_approve_with_notes: 4 (P0-5, P0-1, P0-2, P0-6)
items_recommended_reject: 0
design_level_blockers_total:
  count: 1
  entry:
    id: lane-a-design-blocker-1
    item: P0-2
    description: source_span unit ↔ axis_1_drift_unit joint decision (Lane B)
    classification: design-level; must close before implementation planning may open
    routed_to: Lane B + cross-cutting register (X-A)
planning_level_blockers_total:
  count: many (cross-cutting X-1 through X-4 plus per-item planning-level items)
  classification: planning-level; implementation planning phase may open with these on its plate
operational_level_blockers_total:
  - G-2 seat named
  - Đ24 vocab owner sign-off
  - Đ0-G birth-gate owner sign-off
  - Đ37 sign-off on reviewer independence
  - Đ44 family ratifier sign-off
  - G-5 PII handling policy
  classification: operational; parallel to planning; do not gate planning opening unless tied to specific design-level decisions
lane_a_implementation_planning_signal: conditional_open
  condition: design-level blocker (source_span ↔ axis_1_drift_unit) closed via Lane B + cross-cutting register
9. Explicit Confirmation
no_ddl_written: true
no_sql_written: true
no_create_table_or_alter_table_in_this_document: true
no_column_ddl_in_this_document: true
no_index_ddl: true
no_constraint_ddl_in_this_document: true
no_trigger_or_function_or_rls_policy_written: true
no_migration_executed: true
no_pg_mutation: true
no_qdrant_mutation: true
no_data_writes: true
no_implementation_planning: true
no_implementation_execution: true
no_migration_design_file_modified: true
no_previous_phase_file_modified: true
output_form: risk_review_documentation_only