KB-5AC7
dot-iu-cutter v0.2 — P0-2 Risk Review Note (2026-05-16)
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-risk-review-note-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.2 — P0-2 DDL AUTHORING (risk note; NOT a ratification)
risk_class: STANDARD (carried from GPT review estimate; no evidence to escalate)
§1 — Đ32 Risk Class
risk_class: STANDARD
basis:
- GPT P0-2 design review §1 risk_class_estimate: STANDARD
- DDL is additive only: 2 NEW empty tables, no ALTER of any live object
- single in-schema FK; zero cross-schema FK; no CHECK/trigger/DEFAULT
- no data write, no CUT/VERIFY, no alias write, no SSOT touch
- mirrors v0.1 / Phase α additive-empty precedent (both ran STANDARD)
escalation_to_HIGH: NOT warranted — no live-table mutation, no sister-table
touch, no irreversible step; rollback = drop empty tables
no_evidence_to_change_class: TRUE
§2 — Risk Surfaces & Mitigations
| # | Surface | Risk | Mitigation (P0-2) | Residual / owner |
|---|---|---|---|---|
| 1 | Future split/merge semantics | Schema cannot express a P1 operation → forced P0-2 re-migration | operation_kind + block_role + source_span + candidate_edges + soft refs make split/merge representable now; forward-compat test in BR-6 doc §5 | Residual: P1 executor design must validate the forward-compat assumption (P1 concern) |
| 2 | Soft refs (escalation_ref, cut_change_set_ref, target_unit_id, decision_backlog_ref, superseded_by_envelope_id) | No PG FK → dangling references possible | Intentional decoupling before P1 write pathways stabilize; integrity is an app-layer / P1 concern; Phase α soft-ref precedent | Residual: P1 must add referential validation in the writer/dry-run, not in PG |
| 3 | JSONB fields (source_span, payload_summary, candidate_edges, report_summary) | Unschematized JSON → shape drift | INTENT-only in P0-2; no JSON-schema PG enforcement by policy; X-3 schema governs at app layer | Residual: X-3 JSON schema must be pinned before P1 writers emit rows |
| 4 | Empty tables | Zero rows → no runtime exercise of the schema in v0.2 | Acceptable: P0-2 is structural only; verification plan asserts row count = 0 as a pass condition; first rows are P1 | Low |
| 5 | Relation to canonical_address_alias | Premature manifest↔alias coupling | GOV-3 O1 ratified: no alias_ref column; alias derived event-backed at P1; verification V-12 asserts absence | Residual: P1 must specify the derivation logic (alias not coupled here) |
| 6 | Relation to cut_change_set / verify_result | Manifest could leak execution-state / out-of-band mutation | INV-6: only cut_change_set_ref names the change-set; no "applied"/"verified" flags; manifest performs no mutation | Residual: P1 enactment must route all metadata mutation through cut_change_set + verify_result |
| 7 | Relationship with future P0-6 review_decision | P0-2 may under/over-couple to a not-yet-designed review table | INV-5: escalation_ref is a soft hook only; no reverse column added now; P0-6 references backlog/envelope when it lands (dependency note, not designed here) | Residual: P0-6 design must define the review→envelope linkage; P0-2 deliberately leaves it open |
| 8 | GOV-ratified-but-P1-enforced semantics (GOV-1 coining, GOV-2 demote-to-draft) | Ratified rules are not PG-enforced in P0-2 → P1 could violate them | Columns exist & frozen (rule ratified); enforcement is app-layer/P1 by policy (no CHECK) | Residual: P1 writer/dry-run must enforce GOV-1 tail/sequence + GOV-2 born-draft |
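
Risk surface 2 leaves referential validation of the soft refs to the P1 writer/dry-run rather than to PG. The following app-layer check is an added example, not the project's own code: the column names come from the table above, while the row shape, the ids, the target id sets and the reading of superseded_by_envelope_id as a pointer into the same table are assumptions.

```python
# Added example: app-layer check for dangling soft refs (risk surface 2).
# Column names are from the note; row shape, ids and target sets are constructed.
SOFT_REF_COLUMNS = (
    "escalation_ref", "cut_change_set_ref", "target_unit_id",
    "decision_backlog_ref", "superseded_by_envelope_id",
)


def find_dangling_refs(rows, known_ids):
    """Return (row_id, column, value) for each soft ref that resolves nowhere.
    rows: dicts with an "id" plus soft-ref columns; None/missing means unset.
    known_ids: soft-ref column -> set of ids present in that column's target.
    """
    problems = []
    for row in rows:
        for col in SOFT_REF_COLUMNS:
            value = row.get(col)
            if value is None:
                continue
            # Fail closed: a column with no configured target set is reported too.
            if value not in known_ids.get(col, set()):
                problems.append((row["id"], col, value))
    return problems


def supersession_loops(rows):
    """Return ids whose superseded_by chain revisits a row (assumed same table)."""
    nxt = {r["id"]: r.get("superseded_by_envelope_id") for r in rows}
    looping = []
    for start in nxt:
        seen, cur = set(), start
        while cur in nxt and cur not in seen:
            seen.add(cur)
            cur = nxt[cur]
        if cur in seen:
            looping.append(start)
    return looping


# Constructed sample batch, as a dry-run writer might stage it.
SAMPLE_ROWS = [
    {"id": "env-1", "cut_change_set_ref": "ccs-7", "superseded_by_envelope_id": "env-2"},
    {"id": "env-2", "target_unit_id": "unit-404", "superseded_by_envelope_id": "env-1"},
    {"id": "env-3", "escalation_ref": "esc-1", "decision_backlog_ref": None},
]
SAMPLE_KNOWN = {"cut_change_set_ref": {"ccs-7"}, "target_unit_id": {"unit-1"},
                "superseded_by_envelope_id": {"env-1", "env-2", "env-3"}}
```

Running both functions over a staged batch before any write gives the dry-run a single pass/fail list; an unset (NULL) ref is accepted, and a ref whose target set was never supplied is reported rather than skipped.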
§3 — Blockers Before Dry-Run
blockers_before_dry_run:
- GPT review PASS of THIS DDL-authoring package (draft + verification +
rollback + this risk note + report)
- explicit User authorization to enter a dry-run lane
- dry-run environment provisioning authorization (protected envs
pg-dry-run-hb05-2026-05-15 / pg-dry-run-v0.2-phase-alpha-2026-05-16
MUST NOT be reused or torn down without explicit authorization)
status: ALL OPEN — dry-run NOT allowed (GPT review §6)
§4 — Blockers Before Production
blockers_before_production:
- dry-run executed + PASS + GPT-ratified (separate gate, separate session)
- command-level review of the exact production runbook
- explicit User production-execution prompt (separate session)
- pre-migration backup + restore-test precedent (Phase α pattern)
status: ALL OPEN — production migration NOT allowed (GPT review §1/§6)
§5 — Hard Boundaries
risk_class_ratified_here: FALSE (carried estimate; council/GPT ratifies)
ddl_executed: FALSE
dry_run_started: FALSE
production_migration_allowed: FALSE
output_form: p0_2_risk_review_note
End of P0-2 risk review note.