KB-7D14

dot-iu-cutter v0.2 — P0-2 Production Command Review Package (2026-05-16)


document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-execution/dot-iu-cutter-v0.2-p0-2-production-command-review-package-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (P0-2 production command-review — PENDING)
phase: v0.2 — P0-2 PRODUCTION COMMAND REVIEW (authoring only; nothing executed)
command_review_package_status: ready_for_gpt_review
production_execution_authorized: false
ddl_executed: false
mutation_performed: false

⛔ COMMAND REVIEW ONLY — DO NOT EXECUTE

Every command below is proposed text for review. Nothing in this package has been run. No production backup was taken in this step, no DDL, no migration, no mutation, no deploy, no CUT/VERIFY. Production execution is gated on: GPT PASS of this package + explicit User production prompt + a separate execution session. Agent self-advance: PROHIBITED.


§1 — Authorization Basis

GPT P0-2 dry-run review = PASS_WITH_NOTES; next_step: P0_2_production_command_review_package; production_execution_allowed_now: false. N1 carried: manifest_unit_block = 13 columns (not 14); DDL unchanged. Dry-run: 20/20 verification PASS + rollback PASS, production untouched, SQL sha256 023a3be5…e93eab.

§2 — Execution Scope (P0-2 only; production target)

target: production PostgreSQL — container 'postgres', db 'directus',
        host 38.242.240.89 (vmi3080463), bootstrap su 'workflow_admin'
approved_operations_only:
  a. CREATE TABLE cutter_governance.manifest_envelope        (12 columns, empty)
  b. CREATE TABLE cutter_governance.manifest_unit_block       (13 columns, empty)
  c. CREATE exactly ONE FK:
     manifest_unit_block.envelope_id -> manifest_envelope.envelope_id
source_of_truth_DDL:
  doc: knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-ddl-draft-2026-05-16.sql.md
  extracted_artefact: dot-iu-cutter-v0.2-p0-2-r1.sql
  sha256: 023a3be53c9d41c207cbfbae304f8e3d799f52bf90b951c20a625f9903e93eab
  revision: r1   (identical artefact proven in dry-run)

§3 — Explicit Non-Scope (forbidden in P0-2 production)

forbidden:
  - any INSERT (no manifest rows, no unit_block rows)
  - review_decision (P0-6) — not designed, not created
  - P0-5 remainder work
  - any alias rows / canonical_address_alias write
  - identity_profile cleanup
  - production CUT (no cut_change_set INSERT)
  - production VERIFY (no verify_result INSERT)
  - Qdrant / vector-store mutation
  - deploy / app-tooling wiring against new tables
  - cross-schema FK, CHECK, trigger, DEFAULT, alias_ref column, edge tables
  - schema/data change to any pre-existing object

§4 — Exact Command Plan (PROPOSED TEXT — NOT EXECUTED)

Convention: P=postgres (prod container), DB=directus, SU=workflow_admin, WORK=/root/p0-2-prod-exec (created only at the future authorized execution session), TS=$(date -u +%Y%m%dT%H%M%SZ).

C-01 — Fresh production backup

mkdir -p "$WORK"
docker exec "$P" pg_dump -U "$SU" -d "$DB" -Fc --no-owner --no-acl \
  > "$WORK/p0-2-prod-prebackup-$TS.dump" \
  || echo "G-01 ABORT: pg_dump exited non-zero" >&2   # no pipe through cat, so this is pg_dump's status
test -s "$WORK/p0-2-prod-prebackup-$TS.dump"   # non-empty assertion

C-02 — Backup checksum

sha256sum "$WORK/p0-2-prod-prebackup-$TS.dump" | tee "$WORK/p0-2-prod-prebackup-$TS.dump.sha256"
# record BACKUP_SHA + BACKUP_EPOCH=$(date -u +%s) for the 60-minute gate (G-02)

C-03 — Pre-migration schema snapshot

docker exec "$P" psql -U "$SU" -d "$DB" -tAc "
  select table_schema||'.'||table_name||':'||
         (select count(*) from information_schema.columns c
           where c.table_schema=t.table_schema and c.table_name=t.table_name)
  from information_schema.tables t
  where table_schema in ('cutter_governance','public','sandbox_tac')
  order by 1;" | sort > "$WORK/pre_schema_$TS.txt"
docker exec "$P" psql -U "$SU" -d "$DB" -tAc "
  select conrelid::regclass||' '||contype||' '||conname
  from pg_constraint
  where connamespace='cutter_governance'::regnamespace order by 1;" \
  | sort > "$WORK/pre_constraints_$TS.txt"

C-04 — Pre-migration row-count snapshot

docker exec "$P" psql -U "$SU" -d "$DB" -tAc "
  select 'cg.'||tablename||'='||
    (xpath('/row/c/text()',
      query_to_xml(format('select count(*) c from cutter_governance.%I',tablename),
      false,true,'')))[1]::text
  from pg_tables where schemaname='cutter_governance' order by tablename;" \
  > "$WORK/pre_rowcounts_$TS.txt"
docker exec "$P" psql -U "$SU" -d "$DB" -tAc "
  select 'tlu='||count(*)||'|'||coalesce(max(updated_at)::text,'NA')
  from public.tac_logical_unit;" >> "$WORK/pre_rowcounts_$TS.txt"
docker exec "$P" psql -U "$SU" -d "$DB" -tAc "
  select 'stlu='||count(*) from sandbox_tac.logical_unit;" \
  >> "$WORK/pre_rowcounts_$TS.txt"

C-05 — Preflight checks (read-only; ALL must pass before C-06)

q(){ docker exec "$P" psql -U "$SU" -d "$DB" -tAc "$1"; }
# PF-1  production identity
q "select system_identifier from pg_control_system();"        # expect 7611578671664259111
# PF-2  DDL source checksum (artefact staged to $WORK)
sha256sum "$WORK/dot-iu-cutter-v0.2-p0-2-r1.sql"              # expect 023a3be5…e93eab
# PF-3  cutter_governance schema exists
q "select count(*) from pg_namespace where nspname='cutter_governance';"           # expect 1
# PF-4  cutter_governance table count == 6 BEFORE P0-2
q "select count(*) from pg_tables where schemaname='cutter_governance';"           # expect 6
# PF-5  manifest_envelope does NOT exist
q "select coalesce(to_regclass('cutter_governance.manifest_envelope')::text,'ABSENT');"   # expect ABSENT
# PF-6  manifest_unit_block does NOT exist
q "select coalesce(to_regclass('cutter_governance.manifest_unit_block')::text,'ABSENT');" # expect ABSENT
# PF-7  v0.1 tables exist (5)
q "select count(*) from pg_tables where schemaname='cutter_governance'
   and tablename in ('decision_backlog_entry','dot_pair_signature','cut_change_set',
   'cut_change_set_affected_row','verify_result');"           # expect 5
# PF-8  Phase α canonical_address_alias exists
q "select coalesce(to_regclass('cutter_governance.canonical_address_alias')::text,'ABSENT');" # expect cutter_governance.canonical_address_alias
# PF-9  public.tac_logical_unit unchanged from Phase α expectations
q "select count(*) from information_schema.columns
   where table_schema='public' and table_name='tac_logical_unit';"   # expect 15
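# group by the two source columns: "group by 1" would point at an expression
# containing count(*), which PostgreSQL rejects
q "select coalesce(authority,'NULL')||'/'||coalesce(canonical_address_format_version,'NULL')
   ||'/'||count(*) from public.tac_logical_unit
   group by authority, canonical_address_format_version;"             # expect draft/canonical-address-v1/86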
# PF-10 sandbox_tac.logical_unit unchanged from Phase α expectations
q "select count(*) from information_schema.columns
   where table_schema='sandbox_tac' and table_name='logical_unit';"   # expect 15
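# grouped by the two source columns, not "group by 1" (column 1 contains count(*))
q "select coalesce(authority,'NULL')||'/'||coalesce(canonical_address_format_version,'NULL')
   ||'/'||count(*) from sandbox_tac.logical_unit
   group by authority, canonical_address_format_version;"             # expect NULL/canonical-address-v1/76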

C-06 — Migration command (single transaction; extracted P0-2 SQL only)

docker cp "$WORK/dot-iu-cutter-v0.2-p0-2-r1.sql" "$P":/tmp/p0-2.sql
docker exec "$P" psql -U "$SU" -d "$DB" -v ON_ERROR_STOP=1 -f /tmp/p0-2.sql
#   expected psql output: BEGIN / CREATE TABLE / CREATE TABLE / COMMIT  (rc=0)
#   the artefact is itself one explicit BEGIN…COMMIT; ON_ERROR_STOP=1 aborts
#   the whole transaction on any error (nothing persisted). No extra SQL.
docker exec "$P" rm -f /tmp/p0-2.sql

C-07 — Post-migration verification (read-only; same expectations as dry-run)

Run the V-01..V-20 grid (see §6) plus auxiliary V-06n and PROD-INTACT against production using the corrected (schema-qualified) assertions proven in dry-run run-03. Compare C-03/C-04 pre-snapshots vs fresh post-snapshots for the no-collateral-change checks (V-15/V-16/V-18/V-19/V-20).

C-08 — Rollback command (CONDITIONAL — only on explicit failure trigger)

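# ONLY if post-commit verification hard-fails AND rollback is explicitly
# triggered/authorized (see §7). Order: child first, parent second. No CASCADE.
# This command does not check row counts itself: per §7, if either table is
# non-empty at rollback time, STOP and escalate instead of running it.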
docker exec "$P" psql -U "$SU" -d "$DB" -v ON_ERROR_STOP=1 -c \
 "BEGIN; DROP TABLE cutter_governance.manifest_unit_block;
         DROP TABLE cutter_governance.manifest_envelope; COMMIT;"

Production command count: 8 numbered commands (C-01…C-08). C-05 preflight expands to 10 checks (PF-1…PF-10); C-07 verification expands to the 20-check grid (§6). C-08 is conditional and not run on the success path.

§5 — Safety Gates (11 mandatory ABORT conditions)

G-01 abort_if: fresh backup (C-01) fails OR backup file empty
G-02 abort_if: at C-06 start, (now - BACKUP_EPOCH) > 3600s  (backup older than 60 min)
G-03 abort_if: DDL artefact sha256 != 023a3be53c9d41c207cbfbae304f8e3d799f52bf90b951c20a625f9903e93eab
G-04 abort_if: production identity unclear — pg_control_system().system_identifier
               != 7611578671664259111  (NOT the production cluster / unverifiable)
G-05 abort_if: cutter_governance.manifest_envelope already exists
G-06 abort_if: cutter_governance.manifest_unit_block already exists
G-07 abort_if: cutter_governance table count before migration != 6
G-08 abort_if: public.tac_logical_unit Phase α state differs unexpectedly
               (cols != 15, OR distribution != draft/canonical-address-v1/86,
                OR pre row-count snapshot inconsistent)
G-09 abort_if: sandbox_tac.logical_unit Phase α state differs unexpectedly
               (cols != 15, OR distribution != NULL/canonical-address-v1/76)
G-10 abort_if: ANY verification check (C-07 / §6 grid) fails
G-11 abort_if: dry-run provenance unavailable OR SHA mismatch
               (extracted artefact != the dry-run-proven r1 sha256)
abort_behaviour: stop immediately; do NOT proceed; do NOT self-advance;
  if abort occurs AFTER C-06 commit -> escalate + apply C-08 only on explicit
  failure trigger (see §7). Pre-commit abort needs no rollback (single tx,
  ON_ERROR_STOP=1 -> nothing persisted).
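
Gates G-02 and G-03 written as fail-closed shell checks, as an added example that is not part of the original package. The function names, `MAX_BACKUP_AGE` and the argument order are assumptions; only `BACKUP_EPOCH` and the 3600 s limit come from the text above.

```shell
# Added example: G-02 (backup age) and G-03 (artefact checksum) as functions
# that return non-zero whenever the gate cannot be positively satisfied.

MAX_BACKUP_AGE=3600   # G-02 limit: 60 minutes, in seconds

# G-02: succeed only if the backup epoch is numeric, not in the future,
# and at most MAX_BACKUP_AGE seconds old. A second argument overrides "now".
gate_backup_fresh() {
  local backup_epoch="$1" now="${2:-$(date -u +%s)}" age
  case "$backup_epoch" in ''|*[!0-9]*) return 1 ;; esac   # unset or garbage: abort
  age=$(( now - backup_epoch ))
  [ "$age" -ge 0 ] && [ "$age" -le "$MAX_BACKUP_AGE" ]
}

# G-03: succeed only if the file is readable and its sha256 equals the expected digest.
gate_sha256() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || return 1
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Evaluate both gates, report every failure, return non-zero if any gate tripped.
run_pre_migration_gates() {
  local backup_epoch="$1" artefact="$2" expected_sha="$3" rc=0
  gate_backup_fresh "$backup_epoch" \
    || { echo "ABORT G-02: backup epoch missing or older than ${MAX_BACKUP_AGE}s" >&2; rc=1; }
  gate_sha256 "$artefact" "$expected_sha" \
    || { echo "ABORT G-03: DDL artefact sha256 mismatch" >&2; rc=1; }
  return "$rc"
}
```

An unset `BACKUP_EPOCH` or an unreadable artefact trips the gate rather than passing it, which matches the "unverifiable means abort" stance of G-04.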

§6 — Verification Expectations (production; identical to dry-run grid)

| ID | Check | Expected |
|---|---|---|
| V-01 | manifest_envelope exists | cutter_governance.manifest_envelope |
| V-02 | manifest_unit_block exists | cutter_governance.manifest_unit_block |
| V-03 | both tables in cutter_governance | 2 |
| V-04 | manifest_envelope row count | 0 |
| V-05 | manifest_unit_block row count | 0 |
| V-06 | FK shape | cutter_governance.manifest_unit_block→cutter_governance.manifest_envelope |
| V-06n | exactly one FK | 1 |
| V-07 | no cross-schema FK | 0 |
| V-08 | no CHECK constraint | 0 |
| V-09 | no trigger | 0 |
| V-10 | no column DEFAULT | 0 |
| V-11e | envelope PK | PRIMARY KEY (envelope_id) |
| V-11b | unit_block PK | PRIMARY KEY (envelope_id, unit_local_id) |
| V-12 | no alias_ref column | 0 |
| V-13 | no edge table | 0 |
| V-14e | manifest_envelope column count | 12 |
| V-14b | manifest_unit_block column count | 13 (N1-corrected; NOT 14) |
| V-14e-names | envelope columns exact | envelope_id,operation_kind,status,source_doc_ref,escalation_ref,cut_change_set_ref,created_by,created_at,reviewer,reviewed_at,rationale,superseded_by_envelope_id |
| V-14b-names | unit_block columns exact | envelope_id,unit_local_id,block_role,source_span,render_order,target_unit_id,proposed_canonical_address,proposed_authority,payload_summary,candidate_edges,report_summary,decision_backlog_ref,created_at |
| V-15 | v0.1 5 tables unchanged | 5 present; colcounts == pre-snapshot |
| V-16 | canonical_address_alias unchanged | rows 0; index count == pre-snapshot |
| V-17 | cutter_governance table count | pre 6 → post 8 |
| V-18 | public.tac_logical_unit unchanged | cols 15; rows\|max(updated_at) == pre-snapshot (no bump — P0-2 has no backfill) |
| V-19 | sandbox_tac.logical_unit unchanged | cols 15; rows == pre-snapshot (76) |
| V-20 | schema delta | exactly +2 tables, none removed, no ALTER of pre-existing |

Pass condition: ALL of the above meet Expected; zero hard-stop hits (G-10).
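
The C-07 snapshot comparison behind V-14e, V-14b, V-17 and V-20, as an added example that is not part of the original package: it reads two files in the C-03 `schema.table:column_count` format and fails on any removed, altered, pre-existing or unexpected table. The function names and the sample rows are constructed, and the column count 9 for `verify_result` is made up.

```shell
# Added example: compare a pre-migration and a post-migration C-03 snapshot.
# Returns 0 only if POST equals PRE plus exactly the two P0-2 tables
# with 12 and 13 columns; returns 2 if a snapshot is missing or empty.
check_schema_delta() {
  local pre="$1" post="$2" report
  [ -s "$pre" ] && [ -s "$post" ] || { echo "missing or empty snapshot" >&2; return 2; }
  report=$(awk -F: '
    BEGIN { want["cutter_governance.manifest_envelope"]   = 12
            want["cutter_governance.manifest_unit_block"] = 13 }
    NR == FNR { pre[$1] = $2; next }        # first file: pre-snapshot
    { post[$1] = $2 }                       # second file: post-snapshot
    END {
      for (t in pre) {
        if (t in want)                print "PREEXISTING " t
        if (!(t in post))             print "REMOVED " t
        else if (post[t] != pre[t])   print "ALTERED " t " cols " pre[t] "->" post[t]
      }
      for (t in post) if (!(t in pre)) {
        if (!(t in want))             print "UNEXPECTED " t
        else if (post[t] != want[t])  print "WRONG_COLS " t " got " post[t] " want " want[t]
      }
      for (t in want) if (!(t in post)) print "MISSING " t
    }' "$pre" "$post")
  [ -z "$report" ] && return 0
  printf '%s\n' "$report" >&2               # one line per violation
  return 1
}

# Constructed sample snapshots written to directory $1 (pre.txt, post.txt).
write_sample_snapshots() {
  printf '%s\n' 'cutter_governance.verify_result:9' \
    'public.tac_logical_unit:15' 'sandbox_tac.logical_unit:15' > "$1/pre.txt"
  { cat "$1/pre.txt"
    printf '%s\n' 'cutter_governance.manifest_envelope:12' \
      'cutter_governance.manifest_unit_block:13'; } > "$1/post.txt"
}
```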

§7 — Rollback

rollback_path:
  1. DROP TABLE cutter_governance.manifest_unit_block   (child first — has the FK)
  2. DROP TABLE cutter_governance.manifest_envelope     (parent second)
  wrapper: single BEGIN … COMMIT
data_loss_expected: NONE — both tables created EMPTY; no INSERT in P0-2
cascade: NO CASCADE. Plain DROP TABLE so an unexpected dependency fails fast
  rather than cascading silently. CASCADE only if a future explicit, written
  justification exists (none anticipated for empty P0-2 tables).
post_commit_rollback_requires_explicit_failure_trigger: true
  (a hard-fail in C-07/§6 verification post-commit, AND explicit GPT/User
   rollback authorization). Agent self-trigger of rollback: PROHIBITED.
pre_commit_failure: no rollback needed — single transaction + ON_ERROR_STOP=1
  means an aborted C-06 persisted nothing.
non_empty_at_rollback: if either table is unexpectedly non-empty at rollback
  time -> STOP / escalate; do NOT silently DROP.
restore_backstop: the C-01 fresh pre-backup (sha from C-02) is the defence-in-
  depth restore source if structural rollback is insufficient.

§8 — Final Status

command_review_package_status: ready_for_gpt_review
production_execution_authorized: false
ddl_executed: false
mutation_performed: false
backup_taken_in_this_step: false
deploy: false
cut_or_verify: false
self_advance: false
agent_self_advance: PROHIBITED
production_commands_count: 8 (C-01..C-08; C-05→10 PF checks; C-07→20-check grid)
safety_gates_count: 11 (G-01..G-11)
ddl_source_doc: knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-ddl-draft-2026-05-16.sql.md
ddl_artefact_sha256: 023a3be53c9d41c207cbfbae304f8e3d799f52bf90b951c20a625f9903e93eab
ddl_revision: r1
next_gated_step: GPT review of THIS package -> (if PASS) explicit User
  production-execution prompt in a SEPARATE session. Execution remains BLOCKED.

§9 — Cross-References

gpt_dry_run_review: knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.2-p0-2-dry-run-gpt-review-2026-05-16.md
dry_run_set:        knowledge/dev/laws/dieu44-trien-khai/v0.2-dry-run/dot-iu-cutter-v0.2-p0-2-dry-run-*-2026-05-16.md
ddl_draft (r1):     knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-ddl-draft-2026-05-16.sql.md
verification_plan:  knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-ddl-verification-plan-2026-05-16.md
rollback_draft:     knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-2-rollback-draft-2026-05-16.md

End of P0-2 production command review package.
