KB-5B35
dot-iu-cutter v0.4 — Cutter-Agent DESIGN Report (ready for GPT review; design only) (2026-05-16)
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-design/dot-iu-cutter-v0.4-cutter-agent-design-report-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (this report routes the package INTO that review)
phase: v0.4 — Tier 2 cutter-agent DESIGN cycle — REPORT / hand-to-GPT
authorization: GPT v0.3 closeout PASS (§5 next_design) + explicit User v0.4 Tier 2 DESIGN prompt. DESIGN ONLY.
status: design_package_complete_ready_for_gpt_review
⛔ DESIGN ONLY — NOTHING BUILT. No code, no SQL, no data write, no CUT, no VERIFY, no Qdrant/vector, no deploy, no credential/role/GRANT, no Directus/RLS change, no login/member binding, no schema migration, no self-advance. This report closes the design authoring step and routes the package to GPT review. Nothing downstream is authorized.
§1 — Deliverables (paths + revisions)
All under knowledge/dev/laws/dieu44-trien-khai/v0.4-design/, all revision r1:
1 dot-iu-cutter-v0.4-cutter-agent-design-master-2026-05-16.md
2 dot-iu-cutter-v0.4-cutter-agent-write-path-design-2026-05-16.md
3 dot-iu-cutter-v0.4-mark-review-cut-verify-flow-design-2026-05-16.md
4 dot-iu-cutter-v0.4-runtime-state-machine-design-2026-05-16.md
5 dot-iu-cutter-v0.4-credential-and-principal-strategy-design-2026-05-16.md
6 dot-iu-cutter-v0.4-canonicalization-signing-signal-integration-plan-2026-05-16.md
7 dot-iu-cutter-v0.4-risk-and-dry-run-test-plan-2026-05-16.md
8 dot-iu-cutter-v0.4-cutter-agent-design-report-2026-05-16.md (this doc)
package_size: 8/8 authored, internally cross-checked, grounded in the LIVE v0.2 structural-schema + v0.3 read-observability inventories.
§2 — Recommended Runtime Flow
signal → [MARK] decision_backlog_entry(marked) +history +dependency +sweep_log
→ [REVIEW] manifest_envelope + manifest_unit_block + review_decision
(approve|reject|defer); status→reviewed_*
→ [CUT] cut_change_set + cut_change_set_affected_row + executor
dot_pair_signature(DOT-991); status→cut_applied
→ [VERIFY] verify_result + verifier dot_pair_signature(DOT-992)
pass → verified_complete (TERMINAL SUCCESS)
fail → compensating cut_change_set +
rollback_change_set_id_triggered + escalation entry
→ verify_failed_escalated (MANUAL)
key_properties:
- each phase = ONE atomic PG transaction; phases independently resumable
- append-only ledger; the ONLY mutable scalar is
decision_backlog_entry.status (mirrored by a same-txn history append)
- retries converge via deterministic idempotency keys; semantic retries
create NEW rows chained by prior_*/superseded_by_* (never mutate)
- rollback is a FORWARD compensating change set, never a physical delete
- every transition writes decision_backlog_history; every CUT/VERIFY
writes a DOT signature; every sweep writes a sweep_log row
- canonical_address_alias DEFERRED (untouched in v0.4)
§3 — Recommended Writer Principal Strategy
recommendation: TWO least-privilege LOGIN writer principals (DESIGN ONLY —
not created here):
cutter_exec → MARK/REVIEW/CUT family + executor DOT-991 lane
cutter_verify → VERIFY family + verifier DOT-992 lane
cutter_ro stays READ-ONLY and MUST NOT write — unchanged from v0.3.
why two: real separation of duty at the DB-identity layer makes the VERIFY
attestation an independent control, mirroring the established project
DOT-…-EXECUTOR ↔ DOT-…-EXECUTOR-VERIFY pattern.
privilege: INSERT only (+ table UPDATE with status-only enforced by
app/BATCH-1 invariant); NO DELETE/TRUNCATE/DDL/GRANT; no reuse of
workflow_admin/directus; distinct per-principal secrets in the
/opt/incomex/docker/.env custody pattern. Creation = a SEPARATE
GPT-gated credential cycle, NOT now.
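As an added illustration of the §3 privilege shape and of the §2 / OD-SM-1 compare-and-set transition (an editor's sketch, not the package's SQL and not executed anywhere; the schema name gov, the history column names, the UNIQUE index on idempotency_key and the psql-style :params are assumptions):

```sql
-- Editor's sketch, NOT the v0.4 package's SQL and NOT executed.
-- Assumed: schema "gov"; columns id / entry_id / from_status / to_status / actor /
-- idempotency_key; a UNIQUE index on decision_backlog_history.idempotency_key; :params.

-- (a) §3 privilege shape: INSERT-only ledger writers; DELETE/TRUNCATE/DDL/GRANT never granted.
GRANT USAGE ON SCHEMA gov TO cutter_exec, cutter_verify;

GRANT INSERT ON gov.decision_backlog_entry, gov.decision_backlog_history,
                gov.sweep_log, gov.manifest_envelope, gov.manifest_unit_block,
                gov.review_decision, gov.cut_change_set,
                gov.cut_change_set_affected_row, gov.dot_pair_signature
   TO cutter_exec;                         -- MARK/REVIEW/CUT family + DOT-991 lane

GRANT INSERT ON gov.verify_result, gov.decision_backlog_history,
                gov.dot_pair_signature
   TO cutter_verify;                       -- VERIFY family + DOT-992 lane

-- status is the ONLY mutable scalar: column-scoped UPDATE.
-- SELECT is needed so the CAS predicate below can read the current status.
GRANT SELECT, UPDATE (status) ON gov.decision_backlog_entry TO cutter_exec, cutter_verify;

-- (b) §2 / OD-SM-1: one transition = one transaction; CAS on status + same-txn history append.
BEGIN;
WITH moved AS (
  UPDATE gov.decision_backlog_entry
     SET status = 'reviewed_approved'
   WHERE id = :entry_id
     AND status = 'marked'                 -- compare-and-set: a concurrent advance yields 0 rows
  RETURNING id
)
INSERT INTO gov.decision_backlog_history
       (entry_id, from_status, to_status, actor, idempotency_key)
SELECT id, 'marked', 'reviewed_approved', current_user, :idempotency_key
  FROM moved
ON CONFLICT (idempotency_key) DO NOTHING;  -- replay with the same key converges, never duplicates
-- application rule: 0 rows from the INSERT means the CAS lost or the call was a replay;
-- COMMIT as a no-op and do not touch any other row.
COMMIT;
```

With this shape a lost race or a replayed retry leaves neither a half-applied status nor a dangling history row, because the UPDATE and the history append succeed or fail as one unit.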
§4 — Key Risks / Blockers
HIGH (deferred, must not be improvised in v0.4):
- canonicalization/alias semantics
- signing-scheme cryptography
- first non-zero semantic write into the governance ledger (bounded by
independent VERIFY + DOT attestation + dry-run induced-failure proof)
gating chain (no skips, no self-advance):
GPT design review → resolve open decisions → (authorized) code authoring
→ code review → dry-run harness design+review → (authorized) dry-run on
ISOLATED env → dry-run PASS → credential cycle (own chain) →
command-review → fresh sha backup+restore test → (sovereign-prompted)
prod CUT/VERIFY
carry-forward lesson: dry-run/verify assertions MUST be schema-qualified /
structural (pg_get_constraintdef false-negative class from P0-6/P0-5).
§5 — Open Decisions for GPT
OD-1 idempotency key location: payload.idempotency_key (rec) vs scenario_ref
OD-2 canonical_address_alias: full deferral from v0.4 (rec) vs read-only stub
OD-3 writer principal count: 2 = cutter_exec/cutter_verify (rec) vs 1 vs 3
OD-4 signal source contract: separate later design (rec) — confirm out-of-scope
OD-5 retry model: append-only chained rows + superseded_by (rec) vs status flip
OD-6 cut_change_set.verifier_signature_id: leave NULL (rec) vs VERIFY backfill
OD-SM-1 concurrency guard: compare-and-set on status (rec) vs advisory lock
OD-SM-2 S5/S7 in-flight states: conceptual/txn-internal (rec) vs persisted
OD-SM-3 sweep promotion authority: same agent, logged pass (rec) vs separate
OD-CR-1 secret custody substrate: .env-pattern (rec) vs dedicated secrets store
§6 — Readiness
design_package: COMPLETE (8/8, r1)
internally_consistent: yes (flow ⇄ state machine ⇄ write path ⇄ principals)
grounded: yes (LIVE v0.2 schema + v0.3 observability inventories)
nothing_built: confirmed — 0 code / 0 SQL / 0 write / 0 credential / 0
Directus / 0 Qdrant / 0 schema change / 0 dry-run / 0 CUT / 0 VERIFY
ready_for_gpt_review: TRUE
the_only_next_thing: GPT review of this v0.4 design package
agent_self_advance: PROHIBITED
End of v0.4 cutter-agent design report (design only; package complete; ready for GPT review; self-advance PROHIBITED).