dot-iu-cutter v0.4 — MARK → REVIEW → CUT → VERIFY Flow Design

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-design/dot-iu-cutter-v0.4-mark-review-cut-verify-flow-design-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.4 — Tier 2 flow DESIGN (companion to design-master)
status: design_only_pending_gpt_review

⛔ DESIGN ONLY. No code, no SQL, no write, no CUT, no VERIFY. The four phases below are a target runtime, not an executable.

---

§1 — Phase MARK

trigger: an external signal (signal router placeholder — doc 6) asserts an
  Implementation-Unit (IU) needs cutting, OR a sweep pass re-surfaces a
  deferred entry.
intent: durably register the work item; make it idempotent and sweepable.
artefacts written (TXN-MARK, see write-path doc §3):
  decision_backlog_entry:
    entry_id      = generated uuid
    kind          = 'cut_request'   (text; documented allowed value)
    status        = 'marked'
    payload jsonb = { idempotency_key, signal_source, iu_ref, proposed_cut_spec }
    emitted_at    = now()
    scenario_ref  = scenario/law tag (e.g. dieu44 context)
  decision_backlog_history: ∅→marked transition row (FK entry_id)
  decision_backlog_dependency: 0..N edges (from_entry_id=this, to_entry_id=
    blocker) IF this IU depends on other unresolved entries — CUT is gated
    until all to_entry_id dependencies are verified_complete (guard G-DEP)
  decision_backlog_sweep_log: one row per sweep pass (soft uuid refs, no FK):
    records that this pass scanned/created/promoted N entries; the cadence
    ledger that proves liveness of the backlog drain.
guards:
  G-MARK-IDEM: read-before-write on payload.idempotency_key → duplicate
    signal returns the existing entry, no second row.
exit: status=marked, awaiting REVIEW (sweep promotes marked→review_pending).

§2 — Phase REVIEW

intent: turn a marked request into an APPROVED, fully-specified plan, or
  reject/defer it — WITHOUT touching any real target (plan, not effect).
manifest build (the plan):
  manifest_envelope: one row = the cut manifest header (envelope_id, scope,
    content hash, source entry ref in its body columns).
  manifest_unit_block: 1..N rows, composite PK (envelope_id, unit_local_id)
    = each canonical unit the CUT will produce; this is the unit-addressing
    key CUT/VERIFY will quote.
decision:
  review_decision: one row binding the decision to the manifest pair —
    FK manifest_id→manifest_envelope, composite FK (manifest_id,
    manifest_unit_local_id)→manifest_unit_block; decision ∈
    {approve, reject, defer} (text, documented values).
    re-review: NEW review_decision; prior_review_decision_id → old row;
    old row stamped superseded_by_review_decision_id (append-only lineage).
entry update: decision_backlog_entry.status →
  approve→reviewed_approved | reject→reviewed_rejected (terminal) |
  defer→reviewed_deferred (re-enters backlog; next sweep may re-MARK→REVIEW)
history: transition row for the review outcome (+ decision id + reviewer).
guards:
  G-REVIEW-MANIFEST: review_decision MUST reference a manifest pair
    committed in the SAME txn (TXN-REVIEW) — no dangling decision.
  G-REVIEW-AUTH: the reviewing principal is the review authority (human/GPT
    loop or designated reviewer principal — doc 5); the agent does NOT
    self-approve its own MARK without the review authority's decision.
exit (approve): status=reviewed_approved, eligible for CUT.

§3 — Phase CUT

precondition guards:
  G-CUT-APPROVED: a non-superseded review_decision with decision='approve'
    exists for this entry's manifest.
  G-CUT-DEPS:    every decision_backlog_dependency.to_entry_id for this
    entry is verified_complete (DAG gate).
  G-CUT-ONCE:    no existing non-rolled-back cut_change_set for this
    (entry, approved review_decision) — enforced by IK-CUT + row guard.
intent: apply the approved manifest; record exactly what changed.
artefacts written (TXN-CUT):
  cut_change_set: header — FK decision_backlog_entry_id, FK
    executor_signature_id (the DOT-991 signature created in this txn),
    verifier_signature_id LEFT NULL (filled conceptually by VERIFY's
    independent signature — see note), manifest ref + content hash in body.
  cut_change_set_affected_row: 1..N — one per row the CUT touched
    (FK change_set_id); the granular effect ledger VERIFY re-checks.
  dot_pair_signature (executor / DOT-991 lane): signs the change-set
    content; prior_signature_id chains to the executor's previous signature
    if this is a retry/extension; payload = canonical signed bytes.
  decision_backlog_entry.status → cut_applied ; history transition row.
note_on_verifier_signature_id: cut_change_set carries BOTH
  executor_signature_id and verifier_signature_id FKs. v0.4 design: CUT
  sets executor_signature_id only; verifier_signature_id is populated by
  the VERIFY phase's append (an UPDATE of that single FK column on the
  change-set row is an OPEN DECISION — alternative: VERIFY records the
  verifier signature solely on verify_result.verifier_signature_id and
  cut_change_set.verifier_signature_id stays NULL. Recommend the latter
  to preserve the "CUT writes only CUT, VERIFY writes only VERIFY"
  separation — OD-6, see report).
exit: status=cut_applied, awaiting independent VERIFY.

§4 — Phase VERIFY

intent: an INDEPENDENT principal re-derives the expected effect from the
  manifest and compares it to cut_change_set_affected_row; attest the result.
precondition guards:
  G-VERIFY-CUT: a cut_change_set exists for this entry, with a valid
    executor signature (DOT-991) that verifies against its content.
  G-VERIFY-SOD: verifier principal ≠ executor principal (separation of
    duty, doc 5) — the verify signature must be independently produced.
artefacts written (TXN-VERIFY):
  verify_result: FK change_set_id, FK executor_signature_id (the one it
    checked), FK verifier_signature_id (the DOT-992 signature it creates),
    outcome ∈ {pass, fail} (+ detail columns), prior_verify_result_id →
    previous verify on re-verify (append-only).
  dot_pair_signature (verifier / DOT-992 lane): independent attestation of
    the verify outcome; prior_signature_id chains the verifier lane.
  on PASS:
    decision_backlog_entry.status → verified_complete (TERMINAL SUCCESS)
  on FAIL:
    compensating cut_change_set + affected_row INSERTed (forward rollback);
    verify_result.rollback_change_set_id_triggered → that compensating set;
    verify_result.escalation_ref → a NEW decision_backlog_entry
      (kind='escalation', status='marked') so the failure is itself tracked;
    decision_backlog_entry.status → verify_failed_escalated (MANUAL
      escalation state — a human/GPT loop owns the next move)
  history: transition row for pass/fail + verify_result id + verifier.
exit: verified_complete (success terminal) OR verify_failed_escalated
  (manual escalation; the escalation entry re-enters the backlog).

§5 — Table-by-Table Usage Map

decision_backlog_entry    : the spine — one row per work item; status is the
                            single mutable scalar; escalations are new entries
decision_backlog_history  : append-only audit; EVERY phase transition writes one
decision_backlog_dependency: DAG gate for G-CUT-DEPS (from→to entry edges)
decision_backlog_sweep_log: liveness ledger of sweep passes (cadence, doc 6)
manifest_envelope         : the cut plan header (REVIEW writes; CUT/VERIFY read)
manifest_unit_block       : per-unit plan, composite key CUT/VERIFY address by
review_decision           : approve/reject/defer bound to manifest pair;
                            prior/superseded self-FK = decision lineage
cut_change_set            : the applied (or compensating) change header
cut_change_set_affected_row: granular per-row effect; VERIFY's comparison input
verify_result             : independent outcome; carries rollback + escalation
                            + prior self-FK for re-verify lineage
dot_pair_signature        : executor(DOT-991)/verifier(DOT-992) attestation
                            chain; prior_signature_id links the per-lane chain
canonical_address_alias   : DEFERRED in v0.4 (OD-2) — flow neither reads nor
                            writes it; integration point reserved (doc 6)

§6 — Failure & Manual-Escalation Summary

reject (REVIEW)            : terminal reviewed_rejected; no CUT; history closed
defer (REVIEW)             : reviewed_deferred → re-MARK on a later sweep
dependency unmet (CUT gate): entry waits; G-CUT-DEPS keeps it pre-CUT
cut transient failure      : TXN-CUT rolls back; retry per write-path §5
verify FAIL                : compensating change set + escalation entry +
                             verify_failed_escalated (manual loop owns it)
retries exhausted          : escalated state; agent never silently drops

End of v0.4 MARK→REVIEW→CUT→VERIFY flow design (design only; nothing built).