KB-45E0
dot-iu-cutter v0.2 — P0-6 + P0-5 Remainder Risk & Dry-Run Plan (2026-05-16)
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-design/dot-iu-cutter-v0.2-p0-6-p0-5-remainder-risk-and-dry-run-plan-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.2 — P0-6 + P0-5-remainder risk/dry-run PLANNING (no DDL, no dry-run started)
status: PLANNING ONLY — estimates, not commitments
master: dot-iu-cutter-v0.2-p0-6-p0-5-remainder-batch-design-master-2026-05-16.md
§1 — Đ32 Risk Class Estimate (batch)
proposed_risk_class: STANDARD
escalation_to_HIGH_council_required: NO
rationale:
- 4 NEW, EMPTY tables added into an existing live schema (cutter_governance, 8 tables)
- all parents already LIVE & EMPTY (decision_backlog_entry, manifest_envelope,
manifest_unit_block) — no new parent, no prerequisite migration
- no change to any v0.1 / Phase α / P0-2 live table (no column/constraint/trigger added)
- no CUT / VERIFY / DOT-pair signing / data mutation / backfill
- only in-family in-schema FKs + soft cross-family uuid refs (no cross-schema FK)
- additive + empty pattern is operationally proven 3× (v0.1 5-table, Phase α, P0-2)
councils_engaged_for_open_decisions (gate DDL freeze, NOT design review):
- GPT (RD-1/2/3/5/6, DBH-1, DBD-1)
- Đ24 (RD-4, DBH-2, DBD-2, DBS-1, BATCH-1 enum strategy)
- Đ32 (RD-6 reviewer-independence enforcement model)
note: risk class is an ESTIMATE for the future risk-review lane; NOT ratified here
§2 — Risk Surfaces
| # | Surface | Risk | Mitigation posture |
|---|---|---|---|
| RS-1 | 4 new tables | added to a live governance schema | additive only; empty at create; DROP-table rollback (3× proven) |
| RS-2 | in-schema FKs (history/dependency→entry; review→manifest) | insert-order coupling to live empty parents | parents LIVE & stable; FK is correct integrity; tables empty so no ordering data risk |
| RS-3 | soft refs (escalation_ref, cut_change_set_ref) | no PG FK → possible dangling ref | intentional decoupling (P0-2 precedent); integrity = app-layer/P1; dry-run asserts shape only |
| RS-4 | empty-table migration | DDL on production schema | single-transaction additive DDL (future lane); fresh pre-backup; schema-diff added-only |
| RS-5 | reviewer independence (P0-6) | AI reviewer not actually independent of MARK | HIGH at field level; app-layer evidence + audit in v0.2; PG enforcement FUTURE (RD-6) — NOT a create-time risk |
| RS-6 | cross_signed_by_dot_verifier (P0-6) | silent omission breaks criterion 28 | HIGH at field level; app-layer enforcement v0.2; PG constraint FUTURE — NOT a create-time risk |
| RS-7 | dependency-graph cycles (P0-5) | cyclic blocks/supersedes edges | app-layer recursive-CTE check v0.2 (DBD-1); PG trigger FUTURE; correctness not create-time risk |
| RS-8 | history-preservation across rollback | losing governance trail | NOT applicable at create (empty); becomes relevant only AFTER P1 backfill — flagged for Đ32 |
| RS-9 | JSONB intent fields (findings/change_diff/sweep findings) | unvalidated payloads | NO PG json-schema in this batch; app-layer schema; validated at P1 dry-run |
| RS-10 | open decisions unresolved | wrong column shape if frozen early | hard DDL-freeze gate; design proceeds with columns present, semantics open |
| RS-11 | reviewer_identity / owner PII | audience-scope leakage | pseudonymous alias only (G-5 internal-only); named PII via authorization_ref out-of-band |
§3 — Proposed Dry-Run Scope (LATER — NOT started)
when: AFTER all open decisions resolved + this batch GPT-reviewed PASS + DDL authored
+ GPT-reviewed + explicit prompt
proposed_scope (HB-equivalent, future lane):
- fresh isolated env (postgres:16, no published port; sibling-env discipline;
NOT reusing protected dry-run envs)
- create all 4 tables (empty) in a cutter_governance clone
- assert: schema-diff added-only; v0.1 + Phase α + P0-2 objects byte-stable; 0 rows
- in-transaction ROLLBACK test → schema-diff empty (v0.1/Phase α/P0-2 pattern)
- in-schema FKs enforced (history/dependency→entry, review→manifest);
soft-ref columns accept arbitrary uuid (no FK error)
- composite nullable FK (review→manifest_unit_block) behaves correctly when null
- DROP TABLE rollback leaves cutter_governance at its pre-state
- scenario matrix discipline: 100% PASS threshold (HB-05 / Phase α / P0-2 precedent)
status: NOT STARTED — planning sketch only
§4 — Proposed Verification (LATER)
proposed_verification (future verify_*.sql analogue):
- information_schema: all 4 tables exist in cutter_governance, 0 rows
- in-schema FKs present exactly as designed; NO FK on soft-ref columns; NO cross-schema FK
- no CHECK / no trigger / no function / no RLS / no DEFAULT-data introduced
- cutter_governance count: 8 → 9 (P0-6) → 12 (P0-5 remainder); v0.1+α+P0-2 tables byte-stable
- public.tac_logical_unit + sandbox unchanged (no regression)
- production untouched outside the additive DDL transaction
status: NOT STARTED
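A verification script of the kind §3 asserts and §4 sketches, written here as an added example and not the project's own verify_*.sql: it assumes PostgreSQL 16, the schema name cutter_governance, the full-batch table count of 12, and the soft-ref column names from RS-3; the four new-table names are placeholders because this plan does not name them.

```sql
-- Added verification script (hypothetical verify_p0_6_p0_5.sql); the four new-table
-- names are PLACEHOLDERS, this plan does not name them. Fails loudly on any violation.
DO $$
DECLARE
  new_tables    text[] := ARRAY['review_placeholder', 'history_placeholder',
                                'dependency_placeholder', 'sweep_placeholder'];
  soft_ref_cols text[] := ARRAY['escalation_ref', 'cut_change_set_ref'];  -- RS-3
  t text; n bigint; c bigint;
BEGIN
  -- 1. table count: 8 live tables + 4 new = 12 after the full P0-6 + P0-5 batch
  SELECT count(*) INTO c FROM information_schema.tables
   WHERE table_schema = 'cutter_governance' AND table_type = 'BASE TABLE';
  IF c <> 12 THEN RAISE EXCEPTION 'expected 12 tables, found %', c; END IF;

  FOREACH t IN ARRAY new_tables LOOP
    -- 2. each new table exists and is empty (empty-at-create invariant)
    EXECUTE format('SELECT count(*) FROM cutter_governance.%I', t) INTO n;
    IF n <> 0 THEN RAISE EXCEPTION '% has % rows, expected 0', t, n; END IF;
    -- 3. no CHECK constraint, user trigger, or RLS on a new table (FK-only batch)
    IF EXISTS (SELECT 1 FROM pg_constraint con JOIN pg_class rel ON rel.oid = con.conrelid
               JOIN pg_namespace ns ON ns.oid = rel.relnamespace
               WHERE ns.nspname = 'cutter_governance' AND rel.relname = t AND con.contype = 'c')
    THEN RAISE EXCEPTION '% has a CHECK constraint', t; END IF;
    IF EXISTS (SELECT 1 FROM pg_trigger tg JOIN pg_class rel ON rel.oid = tg.tgrelid
               JOIN pg_namespace ns ON ns.oid = rel.relnamespace
               WHERE ns.nspname = 'cutter_governance' AND rel.relname = t AND NOT tg.tgisinternal)
    THEN RAISE EXCEPTION '% has a user trigger', t; END IF;
    IF EXISTS (SELECT 1 FROM pg_class rel JOIN pg_namespace ns ON ns.oid = rel.relnamespace
               WHERE ns.nspname = 'cutter_governance' AND rel.relname = t AND rel.relrowsecurity)
    THEN RAISE EXCEPTION '% has RLS enabled', t; END IF;
    -- 4. every FK on a new table must point inside cutter_governance (no cross-schema FK)
    IF EXISTS (SELECT 1 FROM pg_constraint con JOIN pg_class rel ON rel.oid = con.conrelid
               JOIN pg_class ref ON ref.oid = con.confrelid
               JOIN pg_namespace ns ON ns.oid = rel.relnamespace
               WHERE ns.nspname = 'cutter_governance' AND rel.relname = t
                 AND con.contype = 'f' AND ref.relnamespace <> rel.relnamespace)
    THEN RAISE EXCEPTION '% has a cross-schema FK', t; END IF;
  END LOOP;

  -- 5. soft-ref uuid columns carry no PG FK anywhere in the schema (RS-3 decoupling)
  IF EXISTS (SELECT 1 FROM pg_constraint con JOIN pg_class rel ON rel.oid = con.conrelid
             JOIN pg_namespace ns ON ns.oid = rel.relnamespace
             JOIN pg_attribute a ON a.attrelid = rel.oid AND a.attnum = ANY (con.conkey)
             WHERE ns.nspname = 'cutter_governance' AND con.contype = 'f'
               AND a.attname::text = ANY (soft_ref_cols))
  THEN RAISE EXCEPTION 'soft-ref column carries a PG FK (RS-3 violated)'; END IF;
  RAISE NOTICE 'verify: PASS';
END $$;
```

Run it against the dry-run clone after the additive DDL and again after the DROP-table rollback (with the count check adjusted to 8) so both directions of RS-1 are evidenced.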
§5 — Blockers Before DDL Freeze
B-FREEZE-1: RD-1/2/3/5/6 resolved + ratified [GPL/GPT] OPEN
B-FREEZE-2: RD-4 verdict enum elevation decided [Đ24+GPT] OPEN
B-FREEZE-3: DBH-1, DBH-2, DBD-1, DBD-2, DBS-1 resolved [GPT/Đ24] OPEN
B-FREEZE-4: BATCH-1 enum implementation strategy decided [Đ24+GPT] OPEN
B-FREEZE-5: this 7-doc batch design set GPT-reviewed PASS PENDING
B-FREEZE-6: explicit User prompt opening the DDL-authoring lane PENDING
B-FREEZE-0: upstream parents LIVE (decision_backlog_entry, manifest_envelope,
manifest_unit_block) SATISFIED
§6 — Blockers Before Dry-Run
B-DR-1: DDL freeze unblocked (all B-FREEZE-* cleared) + DDL authored + GPT-reviewed
B-DR-2: fresh isolated dry-run env provisioned (sibling discipline; protected envs untouched)
B-DR-3: baseline backup taken + verified
B-DR-4: explicit User/GPT prompt to enter the dry-run lane
status: all OPEN (sequential, strictly after DDL freeze)
§7 — Blockers Before Production
B-PROD: dry-run 100% PASS → HB-equivalent closure → final-readiness review →
command-review package → GPT review of each → fresh pre-backup (<60min) →
explicit User production-execution prompt → SEPARATE execution session
status: all OPEN; mirrors v0.1 / Phase α / P0-2 discipline; NO self-advance
sequencing_note: P0-6 and P0-5-remainder may be executed as one batch or split;
either way each table is empty-at-create with independent DROP-table rollback
§8 — Hard Boundaries
no_DDL_written: TRUE
no_dry_run_started: TRUE
no_env_provisioned: TRUE
no_production_touch: TRUE
no_backfill: TRUE
risk_class_ratified: FALSE (estimate only)
open_decision_self_closed: FALSE
output_form: p0_6_p0_5_remainder_risk_and_dry_run_plan
End of P0-6 + P0-5-remainder risk & dry-run plan.