dot-iu-cutter v0.5 — Constitution Hardtest Risk & Gate Plan

Date: 2026-05-17 Phase: v0_5_constitution_hardtest_and_information_unit_factory_master_plan Nature: DESIGN ONLY.

Parent: dot-iu-cutter-v0.5-constitution-hardtest-master-plan-2026-05-17.md

---

1. Risk register

risks:
  R-SRC-1 (HIGH): configured source is internal "Hiến pháp Kiến trúc Hệ thống
    Incomex v4.6.3" (KB-7294 rev44), NOT the national 2013 Constitution. Any
    pipeline assuming Chương/Khoản/Điểm grammar will mis-cut.
    mitigation: grammar-profile registry; OD-G1 escalated; no hardcoded grammar.
  R-GRM-1 (HIGH): living document with mixed ✅ ENACTED / 📋 CONTROLLED DRAFT
    nodes (Điều 44 draft). Cutting a draft node as if enacted = authority error.
    mitigation: enacted_only_policy + authority gate (ingestion doc §4); OD-S1.
  R-SRC-2 (MED): source is Directus-rendered HTML; cosmetic re-renders could
    fork versions spuriously.
    mitigation: content_checksum (normalized) is identity basis, not raw_checksum.
  R-VOL-1 (MED): handoff volume estimate (300–500 IU) assumed wrong grammar;
    batch sizing off that number is unsafe.
    mitigation: re-estimate only after OD-G2 leaf granularity ruled.
  R-IDX-1 (MED): full-document/bulk without the 7 indexes => O(n²) hot paths.
    mitigation: index dry-run+exec (Q1/Q2) is hard prerequisite to Q3/Q8/Q9.
  R-COL-1 (MED): canonical_address collision with existing DIEU_28/32/35.
    mitigation: docprefix namespacing in address + iu_id (canonicalization §4/§5).
  R-DQ-1 (MED): DIEU_32/DIEU_35 blank tier; unsafe as scale fixture as-is.
    mitigation: separate tier-normalization read-review-write cycle (Q4).
  R-MAN-1 (MED): switching to document-level manifest silently breaks the
    validated +15/IU invariant.
    mitigation: OD-M1 escalated; default stays per-IU envelope.
  R-IDP-1 (MED): non-idempotent resume => duplicate cuts at volume.
    mitigation: deterministic iu_id/entry_id + cut-once guard + delta-0 rerun test.
  R-PRJ-1 (LOW): treating vector/NoSQL as authority.
    mitigation: SQL SSOT invariant; projection rebuildable, non-authoritative.
  R-HARD-1 (MED): hardcoded URL/label/key/grammar leaking into runtime later.
    mitigation: anti-hardcoding rules binding in every sub-doc; design-asserted A7.
  R-RBK-1 (HIGH): attempting document-wide delete rollback on a multi-IU cut.
    mitigation: forward-compensation only; document-wide delete is FORBIDDEN.

---

2. Gate plan (sovereign, sequential)

gates:
  G0: GPT review of THIS design package (design only) — current gate
  G1: index dry-run PASS (isolated env, structural verification)
  G2: index command-review + sovereign approval -> production index exec + backup verify
  G3: dry-run-at-volume PASS (invariant + resume + no-dup + perf)
  G4: tier-normalization cycle PASS (if DIEU_32/35 used as fixture)
  G5: label/metadata registry design + (later) schema cycle PASS
  G6: source registry + ingestion design PASS; OD-S1 ruled
  G7: grammar profile incomex-architecture-constitution-v4 validated; OD-G1/G2 ruled
  G8: Hiến pháp dry-run-at-volume PASS (real doc, isolated env)
  G9: staged production small-batch sovereign approval (per batch)
rule: no gate may be skipped; each gate is an explicit GPT/User decision;
      Agent self-advance across any gate is PROHIBITED.

---

3. Forward-compensation policy (binding)

forward_compensation:
  principle: corrections are NEW append-only ledger rows; history is never deleted
  multi_IU: a defective IU is compensated individually; the document is NEVER
            bulk-reverted or document-wide deleted
  audit: every compensation records cause, target iu_id, approving authority
  source_IU rows (public.tac_logical_unit): never mutated by CUT/VERIFY (P2)
prohibited:
  - document-wide delete rollback
  - DELETE/UPDATE of ledger history
  - reverting a whole document to "uncut"

---

4. Stop conditions

stop_if:
  - row-delta invariant breached in any dry-run
  - rerun delta != 0 (idempotency broken)
  - seq-scan on any of the 7 hot paths at volume
  - any IU lacking source_span provenance
  - grammar detection ambiguous and not human-resolved
  - 📋 CONTROLLED DRAFT node about to be cut without OD-S1 waiver
  - any hardcoded URL/label/key/grammar discovered in proposed runtime path
action: halt batch, no auto-continue, escalate to GPT/User.

---

5. Open decisions (risk-linked)

open_decisions: [OD-G1, OD-G2, OD-S1, OD-A1, OD-M1, OD-V1, OD-I1,
                 OD-L1..L5, OD-P1..P4, OD-R1]
must_rule_before_constitution_dry_run: [OD-G1, OD-G2, OD-S1, OD-M1]

---

6. Do not run yet

No execution of any kind. Forbidden list = master plan §10.

---

7. Git

git: { branch: main, HEAD: e93424b5ff7fa5e4b8406131977ce4339cd0856a,
       status_short_iu_cutter: clean, code_changed: false, commit_made: false }