KB-2253
dot-iu-cutter v0.2 — P0-2 Risk & Dry-Run Planning Note (2026-05-16)
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-design/dot-iu-cutter-v0.2-p0-2-risk-and-dry-run-planning-note-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.2 — P0-2 risk/dry-run PLANNING NOTE (no DDL, no dry-run started)
status: PLANNING ONLY — estimates, not commitments
§1 — Đ32 Risk Class Estimate
proposed_risk_class: STANDARD
escalation_to_HIGH_council_required: NO
rationale:
- P0-2 is two NEW, EMPTY tables in an existing live schema (cutter_governance)
- no touch to v0.1 live tables, no touch to Phase α columns, no sister-table touch
- no DOT-pair signing, no CUT/VERIFY, no production data mutation
- additive + empty pattern is operationally proven (v0.1 5-table create, Phase α alias)
- only one in-schema FK; all other refs soft uuid (no cross-schema FK risk)
councils_already_engaged:
- Đ24 (GOV-1 address-coining; gates DDL freeze, not design)
- Đ0-G (GOV-2 authority inheritance; gates DDL freeze, not design)
- GPT (GOV-3 manifest↔alias linkage; gates DDL freeze)
note: risk class is an ESTIMATE for the future risk-review lane; not ratified here
§2 — Risk Surfaces
| # | Surface | Risk | Mitigation posture |
|---|---|---|---|
| RS-1 | manifest tables | new tables in a live governance schema | additive only; empty at create; DROP TABLE rollback (v0.1 proven) |
| RS-2 | soft refs | no PG FK → possible dangling references | intentional (decouple before P1 write paths); integrity is application-layer/P1; dry-run asserts shape only |
| RS-3 | empty-table migration | DDL applied to production schema | single-transaction additive DDL (future lane); fresh pre-backup; schema-diff added-only; updated_at untouched (no data rows) |
| RS-4 | later split/merge semantics | schema may under/over-fit P1 | Option D minimum-hooks + INV-1..6 carried; forward-compat test (P1 needs no schema change) |
| RS-5 | relation to alias table | premature coupling | NO manifest↔alias coupling (GOV-3 O1); alias stays empty; INV-4 emits at P1 |
| RS-6 | relation to cut_change_set / verify_result | INV-6 out-of-band mutation risk | manifest only names change-set (soft ref); performs/stores no mutation or verify state |
| RS-7 | GOV-1/2/3 unresolved | wrong column shape if frozen early | DDL-freeze gate (hard); design proceeds with columns present, semantics open |
| RS-8 | JSONB intent fields | unvalidated payloads | no PG JSON-schema enforcement in P0-2; X-3 schema is application-layer; validated at P1 dry-run |
§3 — Proposed Dry-Run Scope (LATER — not started)
when: AFTER GOV-1/2/3 resolved + design GPT-reviewed + DDL authored + explicit prompt
proposed_scope (HB-equivalent, for the future lane):
- fresh isolated env (postgres:16, no published port; sibling-env discipline, NOT reusing protected dry-run envs)
- create manifest_envelope + manifest_unit_block (empty) in a cutter_governance clone
- assert: schema-diff added-only; v0.1 + Phase α objects unchanged; 0 rows
- in-transaction ROLLBACK test → schema-diff empty (v0.1/Phase α pattern)
- the single in-schema FK enforced; soft refs accept arbitrary uuid (no FK error)
- DROP TABLE rollback leaves cutter_governance at its pre-state
- scenario matrix discipline: 100% PASS threshold (HB-05 / Phase-α precedent)
status: NOT STARTED. This is a planning sketch only
§4 — Proposed Verification (LATER)
proposed_verification (future verify_*.sql analogue):
- information_schema: both tables exist in cutter_governance, 0 rows
- exactly one FK (block.envelope_id → envelope); no FK on soft-ref columns
- no CHECK / no trigger / no DEFAULT-data introduced
- cutter_governance table count = 6 (Phase α) + 2 = 8; v0.1+α tables byte-stable
- public.tac_logical_unit + sandbox unchanged (no Phase-α regression)
- production untouched outside the additive DDL transaction
status: NOT STARTED
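The §4 checks (together with the shape assertions listed in the §3 dry-run scope) as one PostgreSQL verification script, added here as an illustration; it is not the project's future verify_*.sql. It assumes the names manifest_envelope, manifest_unit_block and the FK column manifest_unit_block.envelope_id from §3/§4, checks structure only (it inserts nothing, so the soft-ref uuid acceptance test is not covered), and omits the DEFAULT-data check because that depends on the column shape still gated by GOV-1/2/3.

```sql
DO $$
DECLARE
  n      int;
  fk_tbl text;
  fk_def text;
BEGIN
  -- (a) both manifest tables exist in cutter_governance
  --     (information_schema is privilege-filtered: run as the schema owner)
  SELECT count(*) INTO n FROM information_schema.tables
   WHERE table_schema = 'cutter_governance'
     AND table_name IN ('manifest_envelope', 'manifest_unit_block');
  IF n <> 2 THEN RAISE EXCEPTION 'manifest tables present: % of 2', n; END IF;
  -- (b) both empty: exact counts, not pg_stat estimates
  SELECT (SELECT count(*) FROM cutter_governance.manifest_envelope)
       + (SELECT count(*) FROM cutter_governance.manifest_unit_block) INTO n;
  IF n <> 0 THEN RAISE EXCEPTION 'manifest tables not empty: % rows', n; END IF;
  -- (c) exactly one FK over both tables, sitting on manifest_unit_block.envelope_id
  --     and pointing at manifest_envelope; soft-ref uuid columns carry none
  SELECT count(*), min(t.relname), min(pg_get_constraintdef(c.oid))
    INTO n, fk_tbl, fk_def
    FROM pg_constraint c
    JOIN pg_class t     ON t.oid = c.conrelid
    JOIN pg_namespace s ON s.oid = t.relnamespace
   WHERE s.nspname = 'cutter_governance' AND c.contype = 'f'
     AND t.relname IN ('manifest_envelope', 'manifest_unit_block');
  IF n <> 1 OR fk_tbl <> 'manifest_unit_block'
     OR fk_def NOT LIKE 'FOREIGN KEY (envelope_id) REFERENCES %manifest_envelope(%' THEN
    RAISE EXCEPTION 'FK shape wrong: % FK(s), table %, def %', n, fk_tbl, fk_def;
  END IF;
  -- (d) no CHECK constraints and no user-defined triggers on the two tables
  SELECT count(*) INTO n
    FROM (SELECT conrelid AS rel FROM pg_constraint WHERE contype = 'c'
          UNION ALL
          SELECT tgrelid FROM pg_trigger WHERE NOT tgisinternal) x
    JOIN pg_class t     ON t.oid = x.rel
    JOIN pg_namespace s ON s.oid = t.relnamespace
   WHERE s.nspname = 'cutter_governance'
     AND t.relname IN ('manifest_envelope', 'manifest_unit_block');
  IF n <> 0 THEN RAISE EXCEPTION 'unexpected CHECK/trigger objects: %', n; END IF;
  -- (e) schema table count = 6 (Phase α) + 2 = 8
  SELECT count(*) INTO n FROM information_schema.tables
   WHERE table_schema = 'cutter_governance' AND table_type = 'BASE TABLE';
  IF n <> 8 THEN RAISE EXCEPTION 'cutter_governance table count % <> 8', n; END IF;
  RAISE NOTICE 'P0-2 structural checks PASS';
END $$;
```

Run it with `psql -v ON_ERROR_STOP=1 -f <file>`: the first failing check raises, so the run exits non-zero instead of reporting a partial PASS.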
§5 — Blockers Before DDL Freeze
B-FREEZE-1: GOV-1 (address-coining) resolved + ratified [Đ24+GPT] OPEN
B-FREEZE-2: GOV-2 (authority inheritance) resolved + ratified [Đ0-G+GPT] OPEN
B-FREEZE-3: GOV-3 (manifest↔alias linkage) resolved + ratified [GPT] OPEN
B-FREEZE-4: this 7-doc P0-2 design set GPT-reviewed PASS PENDING
B-FREEZE-5: explicit User prompt opening the DDL-authoring lane PENDING
§6 — Blockers Before Dry-Run
B-DR-1: DDL freeze unblocked (all B-FREEZE-* cleared) + DDL authored + GPT-reviewed
B-DR-2: fresh isolated dry-run env provisioned (sibling discipline)
B-DR-3: baseline backup taken/verified
B-DR-4: explicit User/GPT prompt to enter the dry-run lane
status: all OPEN (sequential after DDL freeze)
§7 — Blockers Before Production
B-PROD: dry-run 100% PASS → HB-equivalent closure → final-readiness review →
command-review package → GPT review of each → fresh pre-backup (<60min) →
explicit User production-execution prompt → SEPARATE execution session
status: all OPEN; mirrors v0.1 / Phase-α discipline; no self-advance
§8 — Hard Boundaries
no_DDL_written: TRUE
no_dry_run_started: TRUE
no_env_provisioned: TRUE
no_production_touch: TRUE
risk_class_ratified: FALSE (estimate only)
output_form: p0_2_risk_and_dry_run_planning_note
End of P0-2 risk & dry-run planning note.