Incomex AI Portal
KB-D624

dot-iu-cutter v0.2 — P0-6 + P0-5 Remainder Production Command-Review Package (2026-05-16)

16 min read Revision 1
dot-iu-cutterdieu44v0.2p0-6p0-5-remainderproductioncommand-reviewnot-executedready-for-gpt-review

dot-iu-cutter v0.2 — P0-6 + P0-5 Remainder Production Command-Review Package

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-execution/dot-iu-cutter-v0.2-p0-6-p0-5-remainder-production-command-review-package-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyên
verifier: GPT (command-review — PENDING)
phase: v0.2 — P0-6 + P0-5-remainder PRODUCTION COMMAND-REVIEW (authored; NOT executed)
ddl_revision: r2 (r1 superseded — DO NOT EXECUTE r1)
command_review_package_status: ready_for_gpt_review
production_execution_authorized: false
ddl_executed: false
mutation_performed: false

⛔ COMMAND-REVIEW ONLY — NOTHING IN THIS DOCUMENT HAS BEEN EXECUTED

No production command was run, no backup taken, no DDL executed, no mutation, no deploy, no CUT/VERIFY. Commands below are authored for GPT review. Production execution is gated on: GPT review PASS of THIS package + explicit User production-execution prompt + a SEPARATE execution session. Agent self-advance to execution is PROHIBITED.

§1 — Execution Scope (when later authorized)

batch: FINAL v0.2 structural batch (P0-6 + P0-5 remainder)
target: PRODUCTION (vps 38.242.240.89 → container `postgres`, DB `directus`,
        superuser role `workflow_admin`, schema `cutter_governance`)
approved_operations_ONLY:
  a. CREATE TABLE cutter_governance.review_decision
  b. CREATE TABLE cutter_governance.decision_backlog_history
  c. CREATE TABLE cutter_governance.decision_backlog_dependency
  d. CREATE TABLE cutter_governance.decision_backlog_sweep_log
  e. CREATE 7 in-schema FKs exactly as proven in the r2 dry-run
single_transaction: TRUE (BEGIN…COMMIT; ON_ERROR_STOP=1)
effect: cutter_governance 8 → 12 tables, all empty

§2 — Explicit Non-Scope (hard)

no_INSERT: true
no_seed_rows: true
no_backfill: true
no_review_rows / no_history_rows / no_dependency_rows / no_sweep_rows: true
no_P0_2_changes: true            # manifest_envelope / manifest_unit_block untouched
no_phase_alpha_changes: true     # canonical_address_alias untouched
no_v0_1_changes: true            # 5 v0.1 tables incl decision_backlog_entry untouched
no_public_tac_logical_unit_changes: true
no_sandbox_tac_logical_unit_changes: true
no_production_CUT: true
no_production_VERIFY: true
no_qdrant_or_vector_mutation: true
no_deploy: true
no_ALTER / no_DROP of any pre-existing object: true
no_DEFAULT / no_CHECK / no_trigger / no_PG_enum / no_lookup_table / no_cross_schema_FK: true

§3 — DDL Source Provenance (single source of truth)

ddl_source_doc: knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-p0-6-p0-5-remainder-ddl-draft-2026-05-16.sql.md
ddl_revision: r2
canonical_extracted_sql_sha256: 89652d5f1f22dad18b6dfeaf88dc77b3452e78a0f28cc79befa389af3025c4b0
dry_run_provenance:
  artefact_on_vps: /root/p0-6-p0-5-dryrun/p0_6_p0_5_r2.sql  (same sha256 — dry-run PASS_WITH_NOTES)
  dry_run_log: /root/p0-6-p0-5-dryrun/dryrun.log (MARK END 2026-05-16 06:33:28 UTC)
rule: the production execution artefact MUST be byte-identical to
  canonical_extracted_sql_sha256 AND to the dry-run-proven artefact. Any
  mismatch = ABORT (gate G-03 / G-10). r1 is NOT a valid source.
prod_identity_expected:
  container: postgres ; db: directus ; PROD_SYSID: 7611578671664259111

§4 — Exact Command Plan (8 commands; authored, NOT executed)

Work dir (to be created at execution time, separate session): /root/p0-6-p0-5-prod-exec/. Commands shown for review.

C-01 — Fresh production backup (read-only on prod)

TS=$(date -u +%Y%m%dT%H%M%SZ)
docker exec postgres pg_dump -U workflow_admin -d directus \
  > /root/p0-6-p0-5-prod-exec/prod-directus-$TS.sql

C-02 — Backup checksum + age stamp

sha256sum /root/p0-6-p0-5-prod-exec/prod-directus-$TS.sql \
  | tee /root/p0-6-p0-5-prod-exec/backup.sha256
date -u +%s > /root/p0-6-p0-5-prod-exec/backup.epoch   # for the <60min gate G-02

C-03 — Pre-migration schema snapshot (read-only)

docker exec postgres psql -U workflow_admin -d directus -c "\
SELECT table_name FROM information_schema.tables WHERE table_schema='cutter_governance' ORDER BY 1;" \
 > /root/p0-6-p0-5-prod-exec/pre_schema_cg.txt
docker exec postgres psql -U workflow_admin -d directus -c "\
SELECT conrelid::regclass, conname, contype, pg_get_constraintdef(oid) \
FROM pg_constraint WHERE connamespace='cutter_governance'::regnamespace ORDER BY 1,2;" \
 > /root/p0-6-p0-5-prod-exec/pre_constraints_cg.txt

C-04 — Pre-migration row-count snapshot (read-only)

docker exec postgres psql -U workflow_admin -d directus -tAc "\
SELECT 'cg_count='||count(*) FROM information_schema.tables WHERE table_schema='cutter_governance'; \
SELECT 'tac_lu='||count(*) FROM public.tac_logical_unit; \
SELECT 'sandbox_lu='||count(*) FROM sandbox_tac.logical_unit; \
SELECT 'me='||count(*) FROM cutter_governance.manifest_envelope; \
SELECT 'mub='||count(*) FROM cutter_governance.manifest_unit_block;" \
 > /root/p0-6-p0-5-prod-exec/pre_rowcounts.txt

C-05 — Preflight checks (read-only; all must hold — see gates §5)

docker exec postgres psql -U workflow_admin -d directus -tAc "
SELECT 'PROD_SYSID='||system_identifier FROM pg_control_system();
SELECT 'cg_exists='||(to_regclass('cutter_governance.decision_backlog_entry') IS NOT NULL);
SELECT 'cg_count='||count(*) FROM information_schema.tables WHERE table_schema='cutter_governance';
SELECT 'absent_review_decision='||(to_regclass('cutter_governance.review_decision') IS NULL);
SELECT 'absent_history='||(to_regclass('cutter_governance.decision_backlog_history') IS NULL);
SELECT 'absent_dependency='||(to_regclass('cutter_governance.decision_backlog_dependency') IS NULL);
SELECT 'absent_sweep_log='||(to_regclass('cutter_governance.decision_backlog_sweep_log') IS NULL);
SELECT 'dbe_pk='||a.attname||' '||format_type(a.atttypid,a.atttypmod)
  FROM pg_constraint c JOIN pg_attribute a ON a.attrelid=c.conrelid AND a.attnum=ANY(c.conkey)
  WHERE c.contype='p' AND c.conrelid='cutter_governance.decision_backlog_entry'::regclass;
SELECT 'me_pk='||pg_get_constraintdef(oid) FROM pg_constraint
  WHERE contype='p' AND conrelid='cutter_governance.manifest_envelope'::regclass;
SELECT 'mub_pk='||pg_get_constraintdef(oid) FROM pg_constraint
  WHERE contype='p' AND conrelid='cutter_governance.manifest_unit_block'::regclass;
SELECT 'me_rows='||count(*) FROM cutter_governance.manifest_envelope;
SELECT 'mub_rows='||count(*) FROM cutter_governance.manifest_unit_block;
SELECT 'alias_present='||(to_regclass('cutter_governance.canonical_address_alias') IS NOT NULL);
SELECT 'tac_lu='||count(*) FROM public.tac_logical_unit;
SELECT 'sandbox_lu='||count(*) FROM sandbox_tac.logical_unit;"
# DDL artefact checksum gate
sha256sum /root/p0-6-p0-5-prod-exec/p0_6_p0_5_r2.sql   # MUST == 89652d5f…c4b0

Expected preflight values: cg_count=8; all four absent_*=t; dbe_pk=entry_id uuid; me_pk=PRIMARY KEY (envelope_id); mub_pk=PRIMARY KEY (envelope_id, unit_local_id); me_rows=0; mub_rows=0; alias_present=t; tac_lu=86; sandbox_lu=76; PROD_SYSID=7611578671664259111.

C-06 — Migration (single transaction; ON_ERROR_STOP=1; r2 SQL only)

docker exec -i postgres psql -U workflow_admin -d directus \
  -v ON_ERROR_STOP=1 -f - < /root/p0-6-p0-5-prod-exec/p0_6_p0_5_r2.sql

(The artefact contains its own single BEGIN … COMMIT; no extra SQL is added. Source = the dry-run-proven r2 artefact, sha 89652d5f…c4b0.)

C-07 — Post-migration verification (read-only; expectations §6)

docker exec postgres psql -U workflow_admin -d directus -tAc "
SELECT 'cg_count='||count(*) FROM information_schema.tables WHERE table_schema='cutter_governance';
SELECT 'fk_count='||count(*) FROM pg_constraint WHERE contype='f' AND conrelid IN
 ('cutter_governance.review_decision'::regclass,'cutter_governance.decision_backlog_history'::regclass,
  'cutter_governance.decision_backlog_dependency'::regclass,'cutter_governance.decision_backlog_sweep_log'::regclass);
SELECT 'rows='||(SELECT count(*) FROM cutter_governance.review_decision)
  +(SELECT count(*) FROM cutter_governance.decision_backlog_history)
  +(SELECT count(*) FROM cutter_governance.decision_backlog_dependency)
  +(SELECT count(*) FROM cutter_governance.decision_backlog_sweep_log);
SELECT 'forbidden_cols='||count(*) FROM information_schema.columns WHERE table_schema='cutter_governance'
  AND ((table_name='decision_backlog_history' AND column_name='decision_id')
    OR (table_name='decision_backlog_dependency' AND column_name IN ('from_decision_id','to_decision_id')));
SELECT 'xschema_fk='||count(*) FROM pg_constraint co JOIN pg_class ch ON ch.oid=co.conrelid
  JOIN pg_namespace nch ON nch.oid=ch.relnamespace JOIN pg_class pf ON pf.oid=co.confrelid
  JOIN pg_namespace npf ON npf.oid=pf.relnamespace WHERE co.contype='f' AND nch.nspname='cutter_governance'
  AND ch.relname IN ('review_decision','decision_backlog_history','decision_backlog_dependency','decision_backlog_sweep_log')
  AND npf.nspname<>'cutter_governance';
SELECT 'check='||count(*) FROM pg_constraint WHERE contype='c' AND conrelid IN
 ('cutter_governance.review_decision'::regclass,'cutter_governance.decision_backlog_history'::regclass,
  'cutter_governance.decision_backlog_dependency'::regclass,'cutter_governance.decision_backlog_sweep_log'::regclass);
-- + trigger / DEFAULT / pg_enum / lookup-table / column-count / tac_lu / sandbox_lu
-- + FK-shape listing (pg_get_constraintdef) identical to dry-run §2 of verification-results
"

C-08 — Rollback (CONDITIONAL — only on post-commit hard fail or explicit prompt)

docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1 <<'RB'
BEGIN;
DROP TABLE cutter_governance.decision_backlog_sweep_log;
DROP TABLE cutter_governance.decision_backlog_dependency;
DROP TABLE cutter_governance.decision_backlog_history;
DROP TABLE cutter_governance.review_decision;
COMMIT;
RB

(Source: r2 rollback draft. Plain DROP TABLE, no CASCADE. Drops ONLY the 4 new empty tables; live parents NOT dropped.)

§5 — Safety Gates (11; ABORT on any)

Gate Condition → ABORT
G-01 fresh backup (C-01) fails / file absent / size 0
G-02 at C-06, backup age (now − backup.epoch) > 60 min → re-take backup, do not proceed
G-03 DDL artefact sha256 ≠ 89652d5f…c4b0 (checksum mismatch)
G-04 production identity unclear: PROD_SYSID ≠ 7611578671664259111 OR container/db not postgres/directus
G-05 cutter_governance table count before migration ≠ 8
G-06 any of review_decision / decision_backlog_history / decision_backlog_dependency / decision_backlog_sweep_log already exists
G-07 decision_backlog_entry PK ≠ entry_id uuid (A-1)
G-08 P0-2 parent shapes differ: manifest_envelope PK ≠ (envelope_id) OR manifest_unit_block PK ≠ (envelope_id, unit_local_id) OR either non-empty
G-09 Phase α state differs: canonical_address_alias absent OR tac_logical_unit≠86 OR sandbox_tac.logical_unit≠76 (vs dry-run-proven baseline; confirm at execution time)
G-10 dry-run provenance unavailable OR artefact SHA mismatch vs dry-run-proven 89652d5f…c4b0
G-11 any post-migration verification (C-07) fails its expectation 
on_any_gate: ABORT immediately. Pre-commit: single-txn auto-rollback (nothing
  persisted). Post-commit hard fail: execute C-08 rollback ONLY with explicit
  trigger; then restore-from-backup path is the escalation if rollback unsafe.
agent_self_trigger_of_rollback: PROHIBITED (explicit failure trigger required).

§6 — Verification Expectations (identical to the PASS_WITH_NOTES dry-run)

- 4 new tables exist (review_decision, decision_backlog_history,
  decision_backlog_dependency, decision_backlog_sweep_log)
- all 4 row count = 0 ; total seed rows = 0
- cutter_governance table count = 12
- FK count = 7 with EXACT shapes:
  1. review_decision.manifest_id -> manifest_envelope.envelope_id
  2. review_decision(manifest_id, manifest_unit_local_id) -> manifest_unit_block(envelope_id, unit_local_id)
  3. review_decision.prior_review_decision_id -> review_decision.review_decision_id
  4. review_decision.superseded_by_review_decision_id -> review_decision.review_decision_id
  5. decision_backlog_history.entry_id -> decision_backlog_entry.entry_id
  6. decision_backlog_dependency.from_entry_id -> decision_backlog_entry.entry_id
  7. decision_backlog_dependency.to_entry_id -> decision_backlog_entry.entry_id
- no old child columns: decision_id / from_decision_id / to_decision_id (count = 0)
- no cross-schema FK ; no CHECK ; no trigger ; no DEFAULT ; no PG enum ; no lookup table
- no seed rows
- no collateral changes to v0.1 tables (5 present; decision_backlog_entry PK still entry_id uuid)
- no collateral changes to Phase α canonical_address_alias
- no collateral changes to P0-2 manifest tables (still empty; PKs unchanged)
- no changes to public.tac_logical_unit (86 → 86)
- no changes to sandbox_tac.logical_unit (76 → 76)
- column counts: review_decision=25, history=9, dependency=6, sweep_log=10
pass_condition: ALL above hold → migration PASS. Any miss → G-11 ABORT.

§7 — Rollback Policy

rollback_path: C-08 (r2 rollback draft) — DROP only the 4 new EMPTY tables
order: sweep_log → dependency → history → review_decision (child-safe; single txn)
no_CASCADE: TRUE (plain DROP TABLE; fail-fast on unexpected inbound dependency;
  CASCADE not justified — tables empty, no inbound FK from pre-existing objects)
live_parents: NEVER dropped (decision_backlog_entry / manifest_envelope /
  manifest_unit_block / canonical_address_alias remain)
data_loss: NONE expected (tables created empty; zero writers; no INSERT)
trigger: post-commit rollback requires an EXPLICIT failure trigger (G-11 hard
  fail) or explicit GPT/User prompt. If a table is unexpectedly non-empty at
  rollback → STOP/escalate (scope breach), do not silently DROP.
escalation_if_rollback_unsafe: restore from the C-01 fresh backup (separate
  authorized procedure).

§8 — Final Status

command_review_package_status: ready_for_gpt_review
production_execution_authorized: false
ddl_executed: false
mutation_performed: false
production_touched: false
backup_taken_in_this_step: false
dry_run_basis: PASS_WITH_NOTES (r2; A-1 PASS; 19/19 verification; rollback PASS)
next_step: GPT review of THIS command-review package → (if PASS) explicit User
  production-execution prompt → SEPARATE execution session. No self-advance.

§9 — Hard Boundaries (honored in this step)

command_review_only: TRUE
production_command_executed: FALSE
backup_created_in_this_step: FALSE
production_ddl: FALSE
production_mutation: FALSE
deploy: FALSE
CUT_or_VERIFY: FALSE
self_advance: PROHIBITED
output_form: p0_6_p0_5_remainder_production_command_review_package

End of P0-6 + P0-5-remainder production command-review package.

Back to Knowledge Hub knowledge/dev/laws/dieu44-trien-khai/v0.2-execution/dot-iu-cutter-v0.2-p0-6-p0-5-remainder-production-command-review-package-2026-05-16.md