dot-iu-cutter v0.5 — Constitution source_document Seed: Rollback/Compensation + Verification Plan

Phase: v0_5_constitution_source_document_seed_authoring · Date: 2026-05-18 · doc 4 of 5

nature: PLAN ONLY — nothing executed ; dml: none ; dry_run: none
applies_to: the future, separately-gated execution of the (currently BLOCKED)
            Constitution source_document + source_document_version seed
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED

These plans are authored complete (QG7) so the future execution phase is mechanical. They become live only after B6 unblocked + GPT command-review + sovereign execution authorization. Method follows the C-07 / v0.3 / WS-Q5 lesson: catalog/codepoint assertions, never rendered-string equality.

---

1. Rollback / compensation draft

The seed (when unblocked) is two rows in two empty tables, child→parent FK fk_sdvr_source_document. Rollback must be the exact inverse, child-first.

preconditions_before_rollback (all must hold):
  RB-P1 the two rows match the EXACT seed identity:
        source_document_registry.source_document_ref = 'incomex-constitution'
        AND address_docprefix = 'ICX-CONST'
        source_document_version_registry.source_document_ref = 'incomex-constitution'
        AND document_version_id = the derived icxconst-<hash> from this seed
  RB-P2 NO downstream references exist to either row:
        - no iu_provenance / IU rows bound to this document_version_id
        - no manifest_envelope / cut artifact referencing it
        - no other source_document_version row for 'incomex-constitution'
        - registered_by = 'constitution-source-seed' on both (not foreign data)
  RB-P3 row counts are exactly the seed delta (+1 doc, +1 version), no extras

rollback_path_A (preferred — clean DELETE, only if RB-P1..P3 ALL hold):
  -- child first (FK), then parent; single transaction; no CASCADE
  DELETE FROM cutter_governance.source_document_version_registry
   WHERE source_document_ref='incomex-constitution'
     AND document_version_id = <exact derived id>;
  DELETE FROM cutter_governance.source_document_registry
   WHERE source_document_ref='incomex-constitution'
     AND address_docprefix='ICX-CONST';
  -- expect: DELETE 1 ; DELETE 1 ; then COMMIT

rollback_path_B (compensation — if RB-P2 fails, i.e. downstream refs exist):
  do NOT DELETE (would break referential / audit integrity).
  instead: lifecycle retire the source_document row IF schema supports it
           UPDATE cutter_governance.source_document_registry
              SET lifecycle='deprecated'
            WHERE source_document_ref='incomex-constitution';
  note: source_document_version_registry has NO lifecycle column live ->
        a version cannot be "retired" via lifecycle; record supersession/void
        intent in provenance->>'rollback_note' instead. version_status MAY be
        set to a non-cut value (e.g. 'void') if GPT approves at command-review.
  Path B requires explicit GPT ruling at command-review (it is NOT clean rollback).

rollback_method_constraints:
  - no CASCADE, no TRUNCATE, no DROP
  - single transaction, child-before-parent
  - ON_ERROR_STOP armed
  - no GRANT/REVOKE, no schema change, no Directus mutation

---

2. Verification plan

2.1 Pre-checks (read-only, before any seed write)

PRE-1  system_identifier = 7611578671664259111                          MUST match
PRE-2  cutter_governance.source_document_registry exists (relkind 'r')   MUST exist
PRE-2  cutter_governance.source_document_version_registry exists         MUST exist
PRE-3  source_family_registry has row source_family='internal_incomex_constitution'  =1
PRE-4  grammar binding: source_family_registry row for
       internal_incomex_constitution has grammar_profile_ref
       = 'incomex-architecture-constitution-v4'                          MUST match
PRE-5  grammar_profile_status_marker rows for
       incomex-architecture-constitution-v4 = 4                          =4 (B1 closed)
       codepoint-exact: e29c85->enacted, f09f938b->controlled_draft,
       f09f939d->draft, e29b94->obsolete                                 exact set
PRE-6  source_document_registry rows = 0  (no pre-existing Constitution)  =0 (else STOP)
PRE-6  source_document_version_registry rows = 0                          =0 (else STOP)
PRE-7  no source_document_ref='incomex-constitution' present              =0
PRE-7  no address_docprefix='ICX-CONST' present                          =0
PRE-8  FK constraints present: fk_source_document_registry_family,
       fk_sdvr_source_document ; UNIQUE uq_source_document_registry_docprefix,
       uq_sdvr_doc_checksum                                              all present
PRE-9  B6 unblocked: ratified parser_profile / OD-SR2 in effect AND a
       single controlled raw GET captured  -> content_checksum concrete   MUST be true
       (if false -> STOP; do not seed — current state)

PRE-6/PRE-7 mismatch handling: if any Constitution source_document / version row already exists (unexpected vs current live facts), STOP and report — do not UPSERT, do not assume. Current live facts say 0/0; deviation = production-state mismatch → halt per governance.

2.2 Post-checks (read-only, immediately after COMMIT)

POST-1  source_document_registry rows = 1                                =1
POST-2  the row: source_document_ref='incomex-constitution'
        AND address_docprefix='ICX-CONST'
        AND source_url='https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution'
        AND source_family='internal_incomex_constitution'
        AND authority_class='authoritative'
        AND lifecycle='active'
        AND registered_by='constitution-source-seed'                     exact
POST-3  source_document_version_registry rows = 1                        =1
POST-4  version row: source_document_ref='incomex-constitution'
        AND document_version_id = exact derived 'icxconst-'||left(
            sha256_hex(content_checksum||'|'||source_document_ref),32)    exact
        AND content_checksum = the ratified-profile checksum (string-exact) exact
        AND source_format='html/nuxt'
        AND authoritative_version='v4.6.3 BAN HÀNH'                       exact
POST-5  FK integrity (catalog anti-join):
        version.source_document_ref orphan vs source_document = 0         =0
POST-6  UNIQUE holds: exactly 1 (source_document_ref, content_checksum)   =1
POST-6  exactly 1 address_docprefix='ICX-CONST'                          =1
POST-7  no extra documents: source_document_ref distinct count = 1 ;
        no row with source_family != 'internal_incomex_constitution' ;
        no row with registered_by != 'constitution-source-seed'          PASS
POST-8  source_url string-exact (codepoint compare, not rendered)        exact
POST-9  enacted_only scope UNCHANGED: source_family_registry.status_policy
        for internal_incomex_constitution still 'enacted_only' ;
        grammar_profile_status_marker still 4 rows codepoint-exact ;
        no marker promoted; 📋 still controlled_draft (Điều 44 deferred)  unchanged
POST-10 system_identifier 7611578671664259111 (pre == post)              match

2.3 Negative checks (any TRUE ⇒ FAIL ⇒ rollback §1)

NEG-1  >1 source_document or >1 version row created                      MUST be FALSE
NEG-2  any non-Constitution document/family seeded                       MUST be FALSE
NEG-3  any UPDATE/DELETE on grammar_profile / status_marker /
       source_family_registry / address_template                         MUST be FALSE
NEG-4  content_checksum NULL or empty or = raw_sha256 (raw used as
       identity instead of normalized)                                    MUST be FALSE
NEG-5  status marker rows changed (count != 4 or codepoint drift)         MUST be FALSE
NEG-6  schema change / GRANT / index DDL / Directus mutation              MUST be FALSE
NEG-7  ON CONFLICT / upsert used to mask a pre-existing row               MUST be FALSE
NEG-8  system_identifier changed                                         MUST be FALSE

2.4 Checksum / Nuxt-determinism verification (B6-specific)

CK-1  content_checksum was computed under the RATIFIED parser_profile
      (OD-SR2), recorded in provenance->>'parser_profile_ref'             MUST hold
CK-2  re-fetch + re-normalize + re-hash reproduces the SAME
      content_checksum (determinism proof on Nuxt source)                 MUST reproduce
CK-3  raw_sha256 recorded in provenance only (NOT used as identity)       MUST hold
CK-4  if CK-2 fails (Nuxt non-determinism) -> seed is INVALID -> rollback
      §1 + re-open OD-SR2 (do NOT keep an unreproducible version row)

---

3. Dry-run readiness implications

this_package_alone: does NOT make the first Constitution dry-run ready.
gating_chain:
  B1 marker coverage: CLOSED (live, 4 markers)
  B5 source_document/version seed: OPEN -> needs THIS seed EXECUTED (still gated)
  B6 Nuxt parser/checksum determinism: BLOCKED -> must be resolved before seed
first_constitution_dry_run_ready_when:
  - OD-SR2 ratified + parser_profile decided  (unblocks B6)
  - this seed command-reviewed + executed + verified  (closes B5)
  - scope remains enacted_only (GPT R2) ; Điều 44 📋 deferred (GPT R3)
  THEN: first Constitution dry-run package may be authored (separate phase)

4. Statement

• Rollback (clean DELETE path A + compensation path B) and full pre/post/negative/checksum verification authored complete (QG7), catalog/codepoint method (C-07 lesson). Nothing executed (QG8).
• doc 4 of 5; STOP after package → route GPT/User. Self-advance PROHIBITED.

Companion: operational-framing, grounding-and-checksum-plan, seed-DML-draft (NO-DML-DRAFT), authoring-report.