KB-4357

dot-iu-cutter v0.2 — Phase α Production Command Review Package (2026-05-16)


⚠️ COMMAND REVIEW ONLY — DO NOT EXECUTE. This document enumerates the production command plan for GPT review. No command in this file may be run. No backup is taken in this step. No DDL is dispatched. Production execution requires a separate explicit User prompt in a separate session AFTER GPT ratifies this package.

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.2-execution/dot-iu-cutter-v0.2-phase-alpha-production-command-review-package-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.2 — Phase α PRODUCTION command-review package (review only)
predecessor_gate: GPT PASS_WITH_NOTES on Phase α dry-run (2026-05-16)
command_review_package_status: ready_for_gpt_review
production_execution_authorized: FALSE
ddl_executed: FALSE
mutation_performed: FALSE
backup_taken_in_this_step: FALSE
self_advance: PROHIBITED

§1 — Execution Scope (Phase α, production target)

Target: production PostgreSQL — container postgres, database directus, migration role workflow_admin (rolsuper; owns cutter_governance + sandbox_tac), VPS 38.242.240.89, PG 16.13.

Approved operations only (exactly the frozen r2 DDL §2 body; 9 steps, single transaction):

| # | Operation | Object |
|---|-----------|--------|
| a | ADD COLUMN authority text (NO default) | public.tac_logical_unit |
| b | BACKFILL authority from lifecycle_status (CASE: draft_only→draft, active→enacted, retired→enacted) WHERE authority IS NULL | public.tac_logical_unit (86 rows) |
| c | ALTER COLUMN authority SET DEFAULT 'draft' (future rows only) | public.tac_logical_unit |
| d | ADD COLUMN canonical_address_format_version text NOT NULL DEFAULT 'canonical-address-v1' | public.tac_logical_unit |
| e | ADD COLUMN authority text (NO default) | sandbox_tac.logical_unit |
| f | ALTER COLUMN authority SET DEFAULT 'draft' — no backfill (76 rows stay NULL) | sandbox_tac.logical_unit |
| g | ADD COLUMN canonical_address_format_version text NOT NULL DEFAULT 'canonical-address-v1' | sandbox_tac.logical_unit |
| h | CREATE TABLE canonical_address_alias (9 cols, soft uuid ref, no FK, no CHECK) | cutter_governance |
| i | CREATE 4 indexes (alias_text, target_unit_id, alias_kind, validity_window) | cutter_governance.canonical_address_alias |

The frozen r2 body executes a..i atomically inside one BEGIN; … COMMIT; with ON_ERROR_STOP=1. Step labels in the SQL: a=Step2, b=Step3, c=Step4, d=Step1, e=Step6, f=Step7, g=Step5, h=Step8, i=Step9.


§2 — Explicit Non-Scope

NOT in Phase α production:
  - no manifest_envelope table
  - no manifest_unit_block table
  - no review_decision table
  - no identity_profile jsonb cleanup
  - no alias rows inserted (canonical_address_alias created EMPTY; writers are Phase β)
  - no production CUT
  - no production VERIFY
  - no Qdrant / vector / Agent-Data mutation
  - no deploy (nuxt/directus/agent-data containers untouched)
  - no NOT NULL promotion on authority (Phase β)
  - no CHECK constraint (GPT Q3)
  - no cross-schema FK (GPT Q2)
  - no change to existing canonical_address column or the 5 v0.1 cutter_governance tables
  - no Directus collection-metadata registration (separate operation, out of Phase α)

§3 — Exact Command Plan (REVIEW ONLY — do not run)

All commands are dispatched from the VPS as script artefacts under /opt/incomex/backups/dieu44_phase_alpha_prod_<STAMP>/ (mirroring the dry-run discipline: set -euo pipefail, identity guards, timestamped logs). PROD denotes the production container postgres; the migration role is workflow_admin. <STAMP> = date -u +%Y%m%dT%H%M%SZ.

C-01 — Fresh production backup (custom format)

docker exec postgres pg_dump -U workflow_admin -d directus -F c -Z 6 -f /tmp/phase_alpha_prod_<STAMP>.dump
docker cp postgres:/tmp/phase_alpha_prod_<STAMP>.dump  $DEST/phase_alpha_prod_<STAMP>.dump
docker exec postgres rm -f /tmp/phase_alpha_prod_<STAMP>.dump

(read-only on production; workflow_admin required — directus role cannot dump cutter_governance.)

C-02 — Checksum + freshness stamp

sha256sum $DEST/phase_alpha_prod_<STAMP>.dump | tee -a $DEST/SHA256SUMS
date -u +%s > $DEST/backup_epoch.txt        # used by gate G-2 (≤ 60 min at migration)

C-03 — Pre-migration schema snapshot

docker exec postgres pg_dump -U workflow_admin -d directus --schema-only --no-owner --no-privileges \
  > $DEST/schema/predll_schema_prod_<STAMP>.sql
sha256sum $DEST/schema/predll_schema_prod_<STAMP>.sql | tee -a $DEST/SHA256SUMS

C-04 — Pre-migration row-count + updated_at snapshot

docker exec postgres psql -U workflow_admin -d directus -f /tmp/state_probe.sql        # tac/sbx/cg/alias/newcols/max_updated_at
docker exec postgres psql -U workflow_admin -d directus -tAc \
  "COPY (SELECT id, updated_at FROM public.tac_logical_unit ORDER BY id) TO STDOUT WITH CSV HEADER" \
  > $DEST/schema/prod_pre_updated_at_<STAMP>.csv

C-05 — Extract & freeze DDL from r2 source, assert checksum

# extract §2 BEGIN..COMMIT body from the revision-2 draft into a true .sql file at:
#   $DEST/sql/dot-iu-cutter-v0.2-phase-alpha-r2.sql
test "$(sha256sum $DEST/sql/dot-iu-cutter-v0.2-phase-alpha-r2.sql | cut -d' ' -f1)" \
   = "65533e0564ee45625b43bff383252ec03f20e284a5cc506d78e1079d6f893fe3"   # G-3; abort on mismatch

C-06 — Preflight checks (all must pass; any failure → ABORT, no migration)

P-1  production identity: docker inspect postgres → confirm container=postgres, db=directus, NOT a dry-run env
P-2  DDL source checksum == 65533e0564ee45625b43bff383252ec03f20e284a5cc506d78e1079d6f893fe3
P-3  schema 'cutter_governance' exists
P-4  v0.1 5 tables exist {cut_change_set, cut_change_set_affected_row, decision_backlog_entry, dot_pair_signature, verify_result}
P-5  cutter_governance.canonical_address_alias does NOT exist
P-6  public.tac_logical_unit.{authority, canonical_address_format_version} do NOT exist
P-7  sandbox_tac.logical_unit.{authority, canonical_address_format_version} do NOT exist
P-8  count(public.tac_logical_unit)  = 86
P-9  count(sandbox_tac.logical_unit) = 76
P-10 Q-CHK-1/2/3 pre-backfill sanity = 0/0/0 (section_type vocab active; parent_id+doc_code parity; canonical_address regex)

C-07 — Migration command (the ONLY production-mutating command)

docker cp $DEST/sql/dot-iu-cutter-v0.2-phase-alpha-r2.sql postgres:/tmp/r2_phase_alpha.sql
docker exec postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1 \
  --echo-errors -f /tmp/r2_phase_alpha.sql        # r2 SQL ONLY; in-file single BEGIN..COMMIT; atomic
# expect psql exit 0 and the in-transaction trailing SELECT:
#   tac_authority_draft=86 enacted=0 runtime=0 null=0 tac_format_v1=86
#   sandbox_authority_null=76 sandbox_format_v1=76 alias_table_present=1

C-08 — Post-migration verification (read-only; same expectations as dry-run)

docker exec postgres psql -U workflow_admin -d directus -tA -f /tmp/verify_alpha.sql   # V-α-1 .. V-α-15
docker exec postgres pg_dump -U workflow_admin -d directus --schema-only --no-owner --no-privileges \
  > $DEST/schema/postddl_schema_prod_<STAMP>.sql                                       # V-α-16 diff vs C-03
docker exec postgres psql -U workflow_admin -d directus -tAc \
  "COPY (SELECT id, updated_at FROM public.tac_logical_unit ORDER BY id) TO STDOUT WITH CSV HEADER" \
  > $DEST/schema/prod_post_updated_at_<STAMP>.csv                                      # updated_at bump measure

Pass thresholds identical to the dry-run verification-results doc: V-α-1..16 all PASS; trailing SELECT exact; V-α-16 removed=0 (additions only).

C-09 — Rollback command (CONDITIONAL — only if C-08 fails AND explicit trigger; see §6)

-- from rollback draft r2 §3, LIFO, single transaction, ON_ERROR_STOP=1:
DROP TABLE IF EXISTS cutter_governance.canonical_address_alias;
ALTER TABLE sandbox_tac.logical_unit DROP COLUMN IF EXISTS authority;
ALTER TABLE sandbox_tac.logical_unit DROP COLUMN IF EXISTS canonical_address_format_version;
ALTER TABLE public.tac_logical_unit  DROP COLUMN IF EXISTS authority;
ALTER TABLE public.tac_logical_unit  DROP COLUMN IF EXISTS canonical_address_format_version;

Production-mutating commands: exactly 1 (C-07). Conditionally-mutating: 1 (C-09, gated). All others (C-01..C-06, C-08) are read-only or write only to the backup artefact directory.


§4 — Safety Gates (abort conditions)

G-1  ABORT if C-01 fresh backup fails or dump is 0 bytes / non-restorable
G-2  ABORT if (migration start epoch − backup_epoch) > 3600 s (backup older than 60 min) → retake backup
G-3  ABORT if extracted DDL sha256 ≠ 65533e0564ee45625b43bff383252ec03f20e284a5cc506d78e1079d6f893fe3
G-4  ABORT if production identity unclear (container ≠ postgres, db ≠ directus, or any sign target is a dry-run env)
G-5  ABORT if cutter_governance.canonical_address_alias already exists
G-6  ABORT if public/sandbox authority or canonical_address_format_version columns already exist unexpectedly
G-7  ABORT if count(tac_logical_unit) ≠ 86 or count(sandbox_tac.logical_unit) ≠ 76 without a documented, GPT-acknowledged explanation
G-8  ABORT if any C-06 preflight P-1..P-10 fails
G-9  ABORT if any C-08 verification check fails (→ evaluate rollback per §6)
G-10 ABORT if the v0.2 Phase α dry-run env (pg-dry-run-v0.2-phase-alpha-2026-05-16) is unavailable OR its frozen r2 sha ≠ 65533e05… (provenance integrity)
G-11 ABORT if psql C-07 exit code ≠ 0 (atomic transaction will have self-rolled-back; no partial state)

Safety gates: 11. Any gate firing → STOP, capture evidence, escalate to GPT; agent does not self-retry or self-authorize.
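
The G-1 (size part only), G-2 and G-3 conditions written as fail-closed shell functions that read local artefact files only. This is an added example, not part of the command plan or the project's scripts; the function names and argument order are assumptions, and the restorability half of G-1 is not covered.

```bash
#!/usr/bin/env bash
# Added example: fail-closed checks for gates G-1 (size), G-2 and G-3.
# Function names and argument order are illustrative assumptions.

say() { echo "ABORT $*" >&2; }

# G-1 (size part only): the dump must exist and be non-empty.
gate_backup_nonempty() {      # $1 = dump file
  [ -s "$1" ] || { say "G-1: backup missing or 0 bytes: $1"; return 1; }
}

# G-2: backup must be no older than the max age when the migration starts.
gate_backup_fresh() {         # $1 = backup_epoch.txt, $2 = now (epoch s), $3 = max age (s)
  max_age="${3:-3600}"
  [ -r "$1" ] || { say "G-2: no epoch stamp: $1"; return 1; }
  taken="$(tr -d '[:space:]' < "$1")"
  case "$taken" in
    ''|*[!0-9]*) say "G-2: epoch stamp is not a number"; return 1 ;;
  esac
  # A stamp later than "now" means clock skew or tampering: refuse it.
  [ "$taken" -le "$2" ] || { say "G-2: stamp is in the future"; return 1; }
  [ $(( $2 - taken )) -le "$max_age" ] || {
    say "G-2: backup older than ${max_age}s, retake"; return 1; }
}

# G-3: the frozen DDL must hash to the pinned value before it is dispatched.
gate_ddl_checksum() {         # $1 = frozen .sql, $2 = expected sha256 (hex)
  [ -s "$1" ] || { say "G-3: DDL file missing or empty: $1"; return 1; }
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ] || { say "G-3: sha256 mismatch (got $actual)"; return 1; }
}

# Run the three gates in order; the first failure stops the sequence.
preflight_gates() {           # $1 dump, $2 epoch file, $3 now, $4 sql, $5 expected sha256
  gate_backup_nonempty "$1" &&
  gate_backup_fresh "$2" "$3" &&
  gate_ddl_checksum "$4" "$5"
}
```

In this package the fifth argument would be the G-3 value 65533e0564ee45625b43bff383252ec03f20e284a5cc506d78e1079d6f893fe3, and "now" would be read with date -u +%s immediately before C-07.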


§5 — updated_at Side Effect (mandatory measurement)

expected: the Step 3 (operation b) backfill UPDATE matches all 86 public.tac_logical_unit rows;
          trg_tac_birth_gate_lu sets NEW.updated_at := now() on each → all 86 updated_at bumped.
required:  capture prod_pre_updated_at CSV (C-04) and prod_post_updated_at CSV (C-08)
report:    before/after min, max, distinct count of updated_at, and rows_changed (expected 86/86)
dry-run reference: pre distinct=3 → post distinct=1; rows_changed=86/86
acceptance: this bump is ACCEPTED ONLY IF every other preflight + verification check passes.
            It is a documented, GPT-accepted side effect (not a defect) — it is the positive
            evidence that the BR-4 backfill actually executed (the rejected r1 form would
            have left rows_changed=0).
restore:   updated_at original values CANNOT be restored by the §6 rollback; only recoverable
           from the C-01 pre-migration backup (.dump).
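
One way to produce the required report from the two CSV snapshots written by C-04 and C-08, as an added example that is not the project's tooling. The function name, output keys and the optional expected-count argument are assumptions; timestamps are compared as strings, which assumes both snapshots use the same format and time zone.

```bash
#!/usr/bin/env bash
# Added example: compare the pre/post "id,updated_at" CSV snapshots.
# Assumes no commas inside values and one timestamp format/time zone,
# so plain string comparison orders the timestamps correctly.

updated_at_report() {   # $1 = pre CSV, $2 = post CSV, $3 = expected rows_changed (optional)
  awk -F, -v want="${3:-}" '
    function track(k, v) {                       # running min/max per snapshot
      if (!(k in lo) || v < lo[k]) lo[k] = v
      if (!(k in hi) || v > hi[k]) hi[k] = v
    }
    FNR == 1 { file++; next }                    # skip the CSV header of each file
    file == 1 { pre[$1] = $2; n_pre++; dpre[$2] = 1; track("pre", $2); next }
    {
      n_post++; dpost[$2] = 1; track("post", $2)
      if (!($1 in pre)) { unmatched++; next }    # row id not in the pre snapshot
      if ((pre[$1] "") != ($2 "")) changed++     # force string comparison
      delete pre[$1]
    }
    END {
      for (id in pre) unmatched++                # row id missing from the post snapshot
      for (v in dpre) c_pre++
      for (v in dpost) c_post++
      printf "rows_pre=%d\nrows_post=%d\nrows_changed=%d\nunmatched_ids=%d\n",
             n_pre, n_post, changed, unmatched
      printf "pre_distinct=%d\npost_distinct=%d\n", c_pre, c_post
      printf "pre_min=%s\npre_max=%s\npost_min=%s\npost_max=%s\n",
             lo["pre"], hi["pre"], lo["post"], hi["post"]
      # Fail closed: id drift between snapshots, or an unexpected change count.
      if (unmatched > 0 || (want != "" && changed + 0 != want + 0)) exit 1
    }
  ' "$1" "$2"
}
```

Called with 86 as the third argument, the function returns non-zero unless exactly 86 rows changed and both snapshots contain the same ids.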

§6 — Rollback

rollback_source: knowledge/.../v0.2-ddl-authoring/dot-iu-cutter-v0.2-phase-alpha-rollback-draft-2026-05-15.md (r2)
rollback_path (LIFO, single transaction, ON_ERROR_STOP=1):
  R-1 DROP TABLE cutter_governance.canonical_address_alias            (empty in Phase α → no row loss)
  R-2 DROP COLUMN sandbox_tac.logical_unit.authority                  (76 NULLs; no real loss)
  R-3 DROP COLUMN sandbox_tac.logical_unit.canonical_address_format_version (DEFAULT-derived; reproducible)
  R-4 DROP COLUMN public.tac_logical_unit.authority                   (86 backfilled values; reproducible from BR-4 mapping)
  R-5 DROP COLUMN public.tac_logical_unit.canonical_address_format_version (DEFAULT-derived; reproducible)
note: DROP COLUMN removes the column AND its attached DEFAULT atomically — no separate SET DEFAULT reversal.

data_loss_considerations:
  - alias table: 0 rows in Phase α → none
  - sandbox columns: NULL/DEFAULT only → none
  - public.authority: deterministically reproducible by re-running r2 on the same dataset
  - public.canonical_address_format_version: uniform DEFAULT → reproducible
  - updated_at bump: NOT restorable by rollback; recover original timestamps only from the C-01 backup .dump

rollback_trigger (NOT automatic):
  - only if a C-08 post-DDL verification gate fails (verification plan §4 production rollback trigger set)
  - requires explicit prompt naming: (a) operation=rollback, (b) environment=production, (c) which verification failed
  - decision authority: Đ32 standard path + G-4 Custodian co-sign + sovereign User acknowledgement
  - agent_self_authorize_rollback: PROHIBITED
in_transaction_failure: if C-07 errors, the single transaction self-aborts (state == pre-migration);
  the §6 rollback applies ONLY to POST-COMMIT problems detected by C-08.

§7 — Final Status

command_review_package_status: ready_for_gpt_review
production_execution_authorized: FALSE
ddl_executed: FALSE
mutation_performed: FALSE
backup_taken_in_this_step: FALSE
deploy_performed: FALSE
cut_or_verify_run: FALSE
agent_self_advance_to_execution: PROHIBITED
next_gate: GPT review of THIS package → (if PASS) explicit User production-execution prompt in a SEPARATE session

§8 — Cross-References

dry_run_gpt_review:   knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.2-phase-alpha-dry-run-gpt-review-2026-05-16.md
dry_run_exec_report:  knowledge/dev/laws/dieu44-trien-khai/v0.2-dry-run/dot-iu-cutter-v0.2-phase-alpha-dry-run-execution-report-2026-05-15.md
dry_run_verif_results:knowledge/dev/laws/dieu44-trien-khai/v0.2-dry-run/dot-iu-cutter-v0.2-phase-alpha-dry-run-verification-results-2026-05-15.md
dry_run_artefact_idx: knowledge/dev/laws/dieu44-trien-khai/v0.2-dry-run/dot-iu-cutter-v0.2-phase-alpha-dry-run-artefact-index-2026-05-15.md
ddl_draft_r2:         knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-phase-alpha-ddl-draft-2026-05-15.sql.md  (revision 2)
verification_plan_r2: knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-phase-alpha-ddl-verification-plan-2026-05-15.md
rollback_draft_r2:    knowledge/dev/laws/dieu44-trien-khai/v0.2-ddl-authoring/dot-iu-cutter-v0.2-phase-alpha-rollback-draft-2026-05-15.md
frozen_r2_sql_artefact: /opt/incomex/backups/dieu44_phase_alpha_2026-05-16/sql/dot-iu-cutter-v0.2-phase-alpha-r2.sql  (sha256 65533e0564ee45625b43bff383252ec03f20e284a5cc506d78e1079d6f893fe3)
dry_run_env (provenance, RETAIN): pg-dry-run-v0.2-phase-alpha-2026-05-16

End of Phase α production command review package (review only — not executed).
