KB-35F4

dot-iu-cutter v0.2 — P0-6 review_decision Design (2026-05-16)


document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-design/dot-iu-cutter-v0.2-p0-6-review-decision-design-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
verifier: GPT (PENDING)
phase: v0.2 — P0-6 review_decision DESIGN (LOGICAL ONLY; no DDL)
master: dot-iu-cutter-v0.2-p0-6-p0-5-remainder-batch-design-master-2026-05-16.md
v0.1_predecessor: migration-design/dot-iu-cutter-v0.1-p0-6-review-decision-migration-design-2026-05-15.md
mutation_performed: false
ddl_written: false

§1 — Purpose

P0-6 establishes the persistent cutter_governance SSOT for REVIEW-stage outcomes — independent-AI or human review verdicts on a manifest. The D1 CUT precondition ("manifest in PASS state") is materialized as a review_decision row with verdict='PASS'. P0-6 also realizes the governance_event umbrella sub-kind (Đ44 Step 3) for review verdicts. This re-casts the v0.1 P0-6 migration design against the now-live P0-2 manifest tables and v0.2 conventions.

§2 — Source Design References

  • v0.1 P0-6 migration design (logical fields baseline; this doc supersedes its OPEN schema-placement item — resolved to cutter_governance per batch master §6).
  • D2 §4.6 (REVIEW checklist, 10 items), §4.7 (independent review), §4.8 (risk gating), §6 (schema gap item 3); D1 §4.5/§4.6/§4.14; D9 §4.10 (G-1 reviewer roles).
  • Đ44 Step 3: governance_event umbrella accepts review_decision as P0 sub-kind.
  • Đ24 Step 1 (status / kind / risk_class enums); G-1 + G-3 reviewer authority.
  • P0-2 set: manifest_envelope / manifest_unit_block are LIVE; P0-2 master §6.4 pre-declared this hook ("when P0-6 lands, review_decision references the envelope/backlog, not the reverse"; INV-5 satisfied at design level by escalation_ref).

§3 — Logical Object / Table Intent

primary_table: cutter_governance.review_decision
becomes: cutter_governance table #9 (post-create, gated; design only now)
target_db: directus (PostgreSQL)
target_schema: cutter_governance   # resolved (batch master §6); NOT re-opened
target_layer: Não (analytical / state record per D5 storage pattern)
umbrella_mapping (Đ44 Step 3):
  - dedicated table review_decision (clean per-sub-kind ergonomics for v0.2)
  - governance_event_kind='review_decision' carried as forward-compat field
  - future Đ44 umbrella consolidation supported via view-first migration path
authority_pattern: PG = SSOT; KB markdown = mirror only

§4 — Proposed Fields (conceptual level — NO DDL)

| Field | Type-class | Nullable | Notes |
|---|---|---|---|
| review_decision_id | uuid | NO | primary identifier |
| governance_event_kind | enum-ref | NO | fixed review_decision; forward-compat for umbrella |
| manifest_id | in-schema FK → manifest_envelope (RD-1) | NO | review target (LIVE parent) |
| manifest_version | text (semver) | NO | exact manifest version reviewed |
| review_scope | enum-ref | NO | envelope_level / unit_level / mixed |
| manifest_unit_local_id | part of composite FK (RD-2) | YES | with manifest_id → manifest_unit_block; null for envelope-only |
| status | enum-ref | NO | pending / in_review / pass / fail / needs_human / escalated / superseded |
| verdict | enum-ref | NO | PASS / FAIL / NEEDS_HUMAN (terminal) |
| findings | JSONB (intent) | NO | structured per D2 §4.6 10-item checklist; app-layer schema (no PG JSON-schema in P0-6) |
| reviewer_class | enum-ref | NO | ai / human / council / dot_pair_verifier |
| reviewer_identity | JSONB (intent) | NO | polymorphic envelope (§5); pseudonymous for humans (G-5) |
| reviewer_independence_evidence | JSONB (intent) | YES | separate-execution-context fingerprint (D2 §4.7) |
| risk_class_assessment | enum-ref (Đ24/Đ32) | NO | reviewer's risk classification |
| escalation_ref | soft uuid → decision_backlog_entry | YES | matches P0-2 escalation_ref = soft; LIVE empty parent |
| cut_change_set_ref | soft uuid → cut_change_set | YES | P0-3 cross-link; P0-3 not yet designed |
| prior_review_decision_id | in-schema self-FK (RD-3) | YES | re-review chain |
| superseded_by_review_decision_id | in-schema self-FK (RD-3) | YES | set when a re-review supersedes this |
| decision_at | timestamptz | NO | when verdict rendered |
| decided_by | text actor | NO | actor identifier / named seat |
| tool_revision | text | YES | cutter revision used in review |
| review_duration_ms | integer | YES | advisory metric only (not authoritative) |
| cross_signed_by_dot_verifier | boolean | NO | DOT-pair verifier co-sign (P0-3/P0-4 cross-link) |
| version | text (semver) | NO | record version per Đ38 |
| created_at / updated_at | timestamptz | NO | record audit |

§4.1 reviewer_identity JSONB envelope (intent only)

discriminator: type
for_ai:      {type:"ai", model, model_revision, execution_context_fingerprint, invocation_id}
for_human:   {type:"human", seat_role(Đ37), seat_occupant_alias(pseudonymous, G-5), authorization_ref}
for_council: {type:"council", quorum_count, quorum_required, council_session_id}
for_verifier:{type:"dot_pair_verifier", verifier_dot_id, verifier_tool_revision, signature_payload_ref}
note: JSONB is INTENT only — no PG json-schema constraint authored in P0-6 (app-layer / P1)
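
An added example, not part of the original design or the project's code: one way the app-layer check deferred above could validate the envelope in Python. Treating every listed key as required, rejecting extra keys (so identifying fields cannot ride along with a pseudonymous human seat), requiring `type` to equal `reviewer_class`, and the quorum comparison are all assumptions of this sketch.

```python
# Added illustration: app-layer check for the §4.1 reviewer_identity envelope.
# Key names are copied from §4.1; the strictness rules are assumptions.
REQUIRED_KEYS = {
    "ai": {"model", "model_revision", "execution_context_fingerprint", "invocation_id"},
    "human": {"seat_role", "seat_occupant_alias", "authorization_ref"},
    "council": {"quorum_count", "quorum_required", "council_session_id"},
    "dot_pair_verifier": {"verifier_dot_id", "verifier_tool_revision",
                          "signature_payload_ref"},
}


def validate_reviewer_identity(envelope, reviewer_class):
    """Return a list of problems; an empty list means the envelope is acceptable."""
    if not isinstance(envelope, dict):
        return ["envelope must be a JSON object"]
    kind = envelope.get("type")
    if kind not in REQUIRED_KEYS:
        return [f"unknown discriminator type: {kind!r}"]
    problems = []
    if kind != reviewer_class:
        problems.append(f"type {kind!r} does not match reviewer_class {reviewer_class!r}")
    present = set(envelope) - {"type"}
    for key in sorted(REQUIRED_KEYS[kind] - present):
        problems.append(f"missing key: {key}")
    # Extra keys are refused so that, for example, a real name cannot be
    # attached to a human envelope that is meant to stay pseudonymous (G-5).
    for key in sorted(present - REQUIRED_KEYS[kind]):
        problems.append(f"unexpected key for {kind}: {key}")
    for key in sorted(present & REQUIRED_KEYS[kind]):
        if envelope[key] in (None, ""):
            problems.append(f"empty value: {key}")
    if kind == "council" and not problems:
        have, need = envelope["quorum_count"], envelope["quorum_required"]
        if not (isinstance(have, int) and isinstance(need, int)) or have < need:
            problems.append("quorum_count must be an integer >= quorum_required")
    return problems
```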

§5 — Field Ownership / Vocabulary Dependency

Field Vocabulary owner v0.2 note
governance_event_kind Đ24 P0 subset controlled term
review_scope cutter-local Đ24 confirm path
status Đ24 Step 1 ratified reused
verdict cutter-local RD-4 — Đ24 elevation recommended
reviewer_class Đ24 + Đ37 role mapping cross-law
findings D2 §4.6 canonical 10-item RD-5 completeness rule
risk_class_assessment Đ24 Step 1 ratified

§6 — Lifecycle

pending → in_review → ┬→ pass        (verdict=PASS; unlocks CUT)
                      ├→ fail        (verdict=FAIL; CUT blocked)
                      └→ needs_human (escalation_ref → decision_backlog_entry [soft])
                              → escalated → (re-review = NEW row; prior_review_decision_id chains)
                                          → superseded

Re-review = NEW row; prior row retained (audit trail per Đ38). Cycles prevented by chain semantics. INV-5 (split/merge is review-gated) is satisfied because a manifest with operation_kind ∈ {split, merge} cannot reach CUT without a verdict='PASS' row.
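
An added example, not the project's own code: a Python sketch of a CUT gate that follows the re-review chain instead of accepting any historical PASS row. It assumes one linear chain per (manifest_id, manifest_version), ignores unit-level scoping, and uses constructed rows keyed by the §4 field names with short strings standing in for uuids.

```python
def chain_head(rows, manifest_id, manifest_version):
    """Newest row of the re-review chain for one manifest version, or None.

    Raises ValueError when the rows do not form a single linear chain.
    """
    scoped = {r["review_decision_id"]: r for r in rows
              if (r["manifest_id"], r["manifest_version"])
              == (manifest_id, manifest_version)}
    if not scoped:
        return None
    priors = [r["prior_review_decision_id"] for r in scoped.values()
              if r["prior_review_decision_id"] is not None]
    if len(priors) != len(set(priors)):
        raise ValueError("fork: two rows re-review the same prior row")
    heads = [r for rid, r in scoped.items() if rid not in priors]
    if len(heads) != 1:
        raise ValueError("no single chain head (cycle or parallel chains)")
    seen, row = set(), heads[0]
    while row is not None:  # walk back towards the first review
        seen.add(row["review_decision_id"])
        prior = row["prior_review_decision_id"]
        if prior is not None and prior not in scoped:
            raise ValueError("prior row missing or tied to another manifest version")
        row = scoped.get(prior)
    if seen != set(scoped):
        raise ValueError("rows exist outside the chain (detached cycle)")
    return heads[0]


def cut_unlocked(rows, manifest_id, manifest_version):
    """True only if the current (head) review is an unsuperseded PASS."""
    head = chain_head(rows, manifest_id, manifest_version)
    return (head is not None and head["verdict"] == "PASS"
            and head["superseded_by_review_decision_id"] is None)


# Constructed sample: an early PASS that a later re-review replaced with FAIL.
SAMPLE_ROWS = [
    {"review_decision_id": "rd-1", "manifest_id": "mf-1", "manifest_version": "1.0.0",
     "verdict": "PASS", "prior_review_decision_id": None,
     "superseded_by_review_decision_id": "rd-2"},
    {"review_decision_id": "rd-2", "manifest_id": "mf-1", "manifest_version": "1.0.0",
     "verdict": "FAIL", "prior_review_decision_id": "rd-1",
     "superseded_by_review_decision_id": None},
]
```

On the sample rows the gate stays closed even though a PASS row exists, which is the case a plain "any row with verdict='PASS'" lookup would get wrong.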

§7 — Relationship to Live v0.1 / Phase α / P0-2 Objects

P0-2 manifest_envelope (LIVE, empty):
  - review target; review_decision.manifest_id → manifest_envelope (in-schema FK; RD-1)
  - no column added to manifest_envelope; relationship is review_decision-side only
P0-2 manifest_unit_block (LIVE, empty):
  - unit-level review target; (manifest_id, manifest_unit_local_id) → composite FK,
    NULLABLE (RD-2); used only when review_scope ∈ {unit_level, mixed}
v0.1 decision_backlog_entry (LIVE, empty):
  - escalation hook; review_decision.escalation_ref ┄┄> soft uuid (NOT in-schema FK —
    matches P0-2's deliberate decoupling of escalation_ref)
v0.1 cut_change_set (LIVE, empty):
  - P0-3 cross-link; review_decision.cut_change_set_ref ┄┄> soft uuid (P0-3 undesigned)
v0.1 verify_result / dot_pair_signature: no direct edge from review_decision
Phase α canonical_address_alias (LIVE, empty): NO coupling (INV-4; alias = P1)
public.tac_logical_unit: NO FK; not referenced directly (reached via manifest only)
no_existing_live_table_modified: TRUE (no column / constraint / trigger added anywhere)

§8 — FK Policy (this table)

in_schema_FK (both ends in cutter_governance, tight structural edge):
  - manifest_id -> manifest_envelope                         (lean; RD-1 open)
  - (manifest_id, manifest_unit_local_id) -> manifest_unit_block, NULLABLE composite (lean; RD-2 open)
  - prior_review_decision_id / superseded_by_review_decision_id -> review_decision self (lean; RD-3 open)
soft_uuid (cross-family / decoupling-sensitive — P0-2 precedent):
  - escalation_ref      ┄┄> decision_backlog_entry
  - cut_change_set_ref  ┄┄> cut_change_set
no_cross_schema_FK: TRUE
rationale: manifest_envelope is a hard structural review target (CUT precondition) and is
  LIVE+stable → in-schema FK is the correct integrity guarantee and is consistent with the
  P0-2 block→envelope single-FK precedent. escalation/cut_change_set are cross-family and
  kept soft to preserve the P0-2 decoupling philosophy until P1 write paths exist.

§9 — Empty-at-Create & Rollback Posture

empty_at_create: TRUE — 0 rows, no seed, no DEFAULT-data, no backfill
rollback: DROP TABLE review_decision (empty) → cutter_governance returns to 8
data_loss_on_rollback: NONE (empty at create)
note: reviewer-independence / cross-sign HIGH concerns are P1/app-layer enforcement,
  not create-time; rollback of an empty table forfeits no audit trail

§10 — Đ32 Risk Class (estimate)

STANDARD (estimate; ratified later, not here). Additive empty table; only in-family in-schema FKs + soft cross-family refs; no live-table touch; no CUT/VERIFY; no data mutation. Đ32 attention (deferred, not create-time risk): (a) AI reviewer independence is a soft app-layer guarantee in v0.2 (RD-6); (b) cross_signed_by_dot_verifier silent omission breaks criterion 28 — app-layer enforcement in v0.2, PG constraint FUTURE; (c) reviewer_identity audience scope internal-only (G-5). Full surface table: File 6.

§11 — Open Decisions (registration only; Agent does NOT self-close)

  • RD-1 manifest_id: in-schema FK (lean) vs soft uuid (P1-decoupling consistency). Owner GPT.
  • RD-2 unit-level link: nullable composite FK (lean) vs soft uuid pair. Owner GPT.
  • RD-3 re-review chain: in-schema self-FK (lean) vs soft uuid (avoids insert-order). Owner GPT.
  • RD-4 verdict enum Đ24 elevation (lean: elevate). Owner Đ24 + GPT.
  • RD-5 findings completeness: all-10-for-PASS (lean) vs partial allowed. Owner GPT + Đ44.
  • RD-6 reviewer-independence enforcement: app-only v0.2 (lean) vs PG trigger. Owner Đ32 + GPT.
  • BATCH-1 enum implementation (PG enum vs Đ24-lookup FK vs CHECK). Owner Đ24 + GPT.

All of the items above block the DDL freeze; none of them blocks this design review.

§12 — Dependencies

upstream (all SATISFIED — LIVE):
  - manifest_envelope, manifest_unit_block (P0-2 LIVE)
  - decision_backlog_entry, cut_change_set (v0.1 LIVE)
  - Đ44 Step 3 umbrella; Đ24 Step 1 enums; Đ37 reviewer roles; G-1/G-3/G-5
downstream:
  - P0-3 cut_change_set requires verdict=PASS row before CUT
  - P0-4 verify_result cross-references review_decision_id
  - D3 health signals; D11 retrieval citation
no_new_parent_table_required: TRUE

§13 — Explicit Confirmation

no_ddl_written: true
no_sql_written: true
no_create_or_alter_table: true
no_column_or_index_or_constraint_ddl: true
no_trigger_or_function_or_rls_policy: true
no_migration_executed: true
no_pg_mutation: true
no_data_writes: true
no_backfill: true
no_existing_file_or_table_modified: true
open_decision_self_closed: false
output_form: logical_design_only

End of P0-6 review_decision design.
