KB-6A8B

dot-iu-cutter v0.4 PG-backed Dry-run — Rollback Plan (2026-05-17)

Revision 1
Tags: dot-iu-cutter, v0.4, db-adapter, dry-run, rollback, dieu44

Date: 2026-05-17 · Planning only. Defines the abort/teardown contract for a future authorized run.

1. Rollback layers

  • L0 — in-txn
      Trigger: S11 induced failure, any phase exception, S2/S3-neg/S8/S9
      Action: the adapter's own transaction() ROLLBACK (no DELETE/TRUNCATE/DDL — append-only invariant)
      Net effect: that phase leaves zero rows
  • L1 — scenario abort
      Trigger: a scenario gate fails
      Action: stop scenario sequence, mark FAIL, proceed directly to L3
      Net effect: no further writes
  • L2 — preflight/identity abort
      Trigger: G-01…G-13 fail (esp. G-10 DR sysid == PROD)
      Action: hard STOP before any harness write; no DB created/connected
      Net effect: nothing provisioned
  • L3 — env teardown
      Trigger: end of run (PASS or FAIL)
      Action: ordered destruction (below)
      Net effect: isolated env gone, net-zero

2. Ordered teardown (L3) — exact-name only

  1. docker rm -f the ephemeral harness container (exact name).
  2. docker rm -f pg-dry-run-v0.4-db-adapter-2026-05-17 (exact name — never prune, never wildcard).
  3. docker volume rm the DR volume (exact name/anon-vol id captured at C-04).
  4. docker network rm dr-net-v0.4-2026-05-17 (exact name).
  5. shred -u $WD/dr.env; rm -rf $WD/venv $WD/dr_src.sql; keep only redacted logs + sha manifest + SQL trace.
  6. Re-run docker inspect on the 3 protected prior dry-run containers; assert Id + State.StartedAt identical to the C-01 snapshot (G-25).
  7. Re-read PROD system_identifier; assert == C-03 value (G-21) — confirms prod untouched.

3. Protected-asset guarantees

  • Prod DB: never written (pg_dump read-only; harness env points only at the DR container DNS on the isolated net; no prod DSN ever constructed). Prod container not restarted. sysid pre==post.
  • Prior dry-run envs (pg-dry-run-v0.2-p0-2-2026-05-16, pg-dry-run-v0.2-phase-alpha-2026-05-16, pg-dry-run-hb05-2026-05-15): never targeted; teardown operates on exact new names only; inspected before+after.
  • Accepted code: 56d3732 untouched; iu-cutter mounted read-only; no git add/commit; $WD outside the committed tree and never staged.
  • Secrets: dry-run-only values, generated in-env, shredded; production /opt/incomex/docker/.env never read or edited.
  • Runtime: no incomex-* service restarted; psycopg3 only in the disposable harness container/venv, removed at teardown.

4. Failure-state handling

  • Teardown is idempotent and unconditional — runs on success, failure, or partial provisioning (each step is guarded with || true but logged; a teardown step that fails never deletes a non-matching object).
  • If teardown cannot complete (e.g. docker daemon issue): STOP, do not improvise broad cleanup (prune/wildcard forbidden), report exact residual objects by name for manual review — never risk a protected asset.
  • Backup artefact prod-directus-<ts>.sql: per DR-8, retained encrypted-at-rest only as a sha reference in the report (the file itself is shredded at teardown unless GPT directs retention); it contains prod data, so it is never uploaded to the KB and never left in $WD post-teardown.
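The exact-name-only teardown of section 2 with the section 4 failure-handling rules, as an added illustration that is not part of this plan or the iu-cutter project: each step is guarded so the sequence always continues, every outcome is logged by object name for manual review, any name that is not one exact object is refused before a docker command runs, and the G-25 re-inspect compares Id + State.StartedAt against a snapshot file. The function names, the snapshot line format ("name id startedAt") and the DOCKER/LOG overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the runbook's own code. DOCKER and LOG are overridable
# so the logic can be exercised against a stub instead of the real daemon.
DOCKER="${DOCKER:-docker}"
LOG="${LOG:-/dev/stderr}"

# 0 only for a plain exact name: no glob characters, no whitespace, not empty.
is_exact_name() {
  case "$1" in ''|*\**|*\?*|*\[*|*[[:space:]]*) return 1 ;; esac
}

# Remove one container|volume|network by exact name. Never fails the caller
# (the sequence must continue), but logs REMOVED / FAILED / REFUSED per object.
teardown_one() {
  kind=$1; name=$2
  if ! is_exact_name "$name"; then
    printf 'REFUSED %s "%s": not an exact name\n' "$kind" "$name" >>"$LOG"; return 0
  fi
  case $kind in
    container) set -- rm -f "$name" ;;
    volume)    set -- volume rm "$name" ;;
    network)   set -- network rm "$name" ;;
    *) printf 'REFUSED %s "%s": unknown kind\n' "$kind" "$name" >>"$LOG"; return 0 ;;
  esac
  if "$DOCKER" "$@" >/dev/null 2>&1; then
    printf 'REMOVED %s %s\n' "$kind" "$name" >>"$LOG"
  else
    printf 'FAILED %s %s: left for manual review\n' "$kind" "$name" >>"$LOG"
  fi
  return 0
}

# G-25 style check: re-inspect each protected container listed in the snapshot
# file (assumed format: "name id startedAt" per line) and compare Id and
# State.StartedAt. Returns 1 and logs DRIFT if any container changed or vanished.
protected_unchanged() {
  snap=$1; rc=0
  while read -r name id started; do
    now=$("$DOCKER" inspect -f '{{.Id}} {{.State.StartedAt}}' "$name" 2>/dev/null) || now='<missing>'
    if [ "$now" != "$id $started" ]; then
      printf 'DRIFT %s: snapshot=%s now=%s\n' "$name" "$id $started" "$now" >>"$LOG"; rc=1
    fi
  done <"$snap"
  return $rc
}
```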

5. Net-zero assertion (closure criterion)

Run is "cleanly closed" iff: DR container/volume/network removed · $WD secrets shredded · prod sysid pre==post · 3 protected envs byte-identical pre/post · accepted commit 56d3732 and iu-cutter tree unchanged · no incomex-* restart · zero secret in retained artefacts.

knowledge/dev/laws/dieu44-trien-khai/v0.4-db-adapter-dry-run/dot-iu-cutter-v0.4-pg-backed-dry-run-rollback-plan-2026-05-17.md