dot-iu-cutter v0.5 — Constitution Source Seed FROM SNAPSHOT: REVISED DML

Phase: v0_5_constitution_source_seed_from_snapshot_DML_revision · Nature: DML_revision_only__no_execution · Date: 2026-05-18 · doc 1 of 4

⚠️ EXECUTABLE-FOR-REVIEW REVISED DRAFT — NOT EXECUTED IN THIS PHASE

revises: v0.5-constitution-source-document-seed-from-snapshot-authoring/…-DML-draft-2026-05-18.sql.md
per_ruling: dot-iu-cutter-v0.5-constitution-source-seed-from-snapshot-command-review-gpt-ruling-2026-05-18.md (PASS_WITH_REQUIRED_PATCH)
patch_applied: runtime DB sha256 -> precomputed LITERAL document_version_id
dml_executed: FALSE ; rows_inserted: 0 ; dry_run: none ; cut: none ; verify: none
intended_execution_role: workflow_admin  (later, separately-gated approval)
on_conflict: NONE (justified) ; update: NONE ; delete: NONE ; other_documents: NONE
version_identity_basis: pinned snapshot artifact region sha256 (NOT live page)
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED

Only change vs the authoring DML: document_version_id is now a precomputed text literal — no sha256((...)::bytea) runtime call, so the execution has no hidden dependency on pgcrypto / sha256(bytea). Snapshot rehash remains the real integrity gate. The 3 open decisions are now RULED by GPT (no longer open): version_status=snapshot_captured, retrieval_timestamp=2026-05-18T13:03:03Z, source_format=normalized_snapshot. Identity, checksum, scope, row count unchanged.

---

1. Canonical inputs (ratified — do not alter)

snapshot_artifact_path:
  knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md
snapshot_revision:                   1
content_checksum (THE version identity = artifact BEGIN/END region sha256):
  17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c
normalized_content_length:           17522            # provenance only (no live column)
status_markers (integrity probe, not identity): ✅=19  📋=1  📝=1  ⛔=1
parser_profile_ref:                  nuxt-incomex-portal-constitution-v1
parser_reference_implementation:     nuxt-incomex-portal-constitution-v1.refimpl.r1
parser_reference_source: >-
  doc3 rev3 — knowledge/dev/laws/dieu44-trien-khai/v0.5-constitution-nuxt-parser-reference-implementation-authoring/dot-iu-cutter-v0.5-constitution-nuxt-parser-reference-implementation-draft-2026-05-18.md (revision 3)
reference_script_sha256 (PROVENANCE ONLY, NOT identity — GPT R-RI2):
  8f6220c9b346a21b823cc41c12c886cb5f51ef4ab557806d2137ad78a1d08e29
raw_fetch_checksum (FORENSIC ONLY, never identity, never a drift gate):
  e8aa7f93e400210e470218ca4bda98161674a6155527cca9a0f3f20e03f440b4
captured_from_live_url:              https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution
snapshot_captured_at:                2026-05-18T13:03:03Z
source_document_ref:                 incomex-constitution
document_version_id (PRECOMPUTED LITERAL — used verbatim in DML):
  icxconst-008a06ace23a96ea6cd456146e805c97
  derivation_rule (UNCHANGED — GPT Q2; KEPT IN COMMENTS, NOT computed in DB):
    'icxconst-' || left( sha256_hex( content_checksum || '|' || source_document_ref ), 32 )
  derivation_inputs:
    content_checksum    = 17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c
    source_document_ref = incomex-constitution
    hashed_string       = "17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c|incomex-constitution"
    sha256(hashed_string) = 008a06ace23a96ea6cd456146e805c97a64bb92f415b06f4c08ae73ba3469554
    left 32 hex          = 008a06ace23a96ea6cd456146e805c97
    => document_version_id = icxconst-008a06ace23a96ea6cd456146e805c97
  reproduced_read_only_this_phase: TRUE (local sha256, no DB function); matches expected
  identity_property: depends ONLY on (content_checksum, source_document_ref); timestamp-independent

2. LIVE target schema (KB-confirmed; PRE-re-confirmed) — unchanged from authoring

Grounding note: read-only role context_pack_readonly (db directus) sees only information_schema, pg_catalog, public (no USAGE on cutter_governance) — KB read-only-confirmed live shape used, re-confirmed by PRE-checks at execution. Adapt to LIVE columns only; design-only → provenance jsonb.

cutter_governance.source_document_registry:
  source_document_ref  text  PK  NOT NULL
  address_docprefix    text  NOT NULL  UNIQUE uq_source_document_registry_docprefix
  source_url           text  NULL
  source_family        text  NOT NULL  FK fk_source_document_registry_family -> source_family_registry(source_family)
  authority_class      text  NOT NULL
  display_vi           text  NULL
  display_en           text  NULL
  lifecycle            text  NOT NULL
  registered_by        text  NOT NULL
  registered_at              NOT NULL
  rows_now: 0

cutter_governance.source_document_version_registry:
  document_version_id   text  PK  NOT NULL
  source_document_ref   text  NOT NULL  FK fk_sdvr_source_document -> source_document_registry(source_document_ref)
  content_checksum      text  NOT NULL
  retrieval_timestamp         NOT NULL
  source_format         text  NULL
  authoritative_version text  NULL
  version_status        text  NULL
  provenance            jsonb NULL
  registered_by         text  NOT NULL
  registered_at               NOT NULL
  UNIQUE (source_document_ref, content_checksum)  uq_sdvr_doc_checksum
  rows_now: 0

3. REVISED executable-for-review seed DML (ATOMIC — one transaction, NOT executed)

-- =====================================================================
-- dot-iu-cutter v0.5 — Constitution source_document + source_document_version
-- ATOMIC SEED  (REVISED 2026-05-18; identity = PINNED SNAPSHOT artifact)
-- STATUS: NOT EXECUTED. For final GPT command-review only.
-- Intended execution role (later, separately-gated): workflow_admin
--
-- PATCH (GPT command-review ruling 2026-05-18, PASS_WITH_REQUIRED_PATCH):
--   document_version_id is now a PRECOMPUTED TEXT LITERAL.
--   No sha256((...)::bytea) is called at runtime -> NO dependency on
--   pgcrypto / sha256(bytea) availability in production.
--
-- document_version_id DERIVATION (documented; NOT executed in DB):
--   rule  : 'icxconst-' || left( sha256_hex( content_checksum || '|' || source_document_ref ), 32 )
--   inputs: content_checksum    = 17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c
--           source_document_ref = incomex-constitution
--   hashed: "17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c|incomex-constitution"
--   sha256 = 008a06ace23a96ea6cd456146e805c97a64bb92f415b06f4c08ae73ba3469554
--   left32 = 008a06ace23a96ea6cd456146e805c97
--   => document_version_id LITERAL = 'icxconst-008a06ace23a96ea6cd456146e805c97'
--
-- PRECONDITION (operator/runtime, see verification-plan §1A): the snapshot
--   artifact MUST be re-read and its BEGIN/END region rehashed == 17660443…
--   BEFORE this transaction is run. Live-URL fresh checksum is NOT the gate.
-- No ON CONFLICT (tables empty; collisions MUST surface, not be swallowed).
-- No UPDATE / no DELETE / no other documents / no schema change.
-- =====================================================================
\set ON_ERROR_STOP on

BEGIN;

-- --- Row 1: source_document_registry (parent) -----------------------
-- source_url is the DISCOVERY / current URL only (live_url_role=discovery_only).
INSERT INTO cutter_governance.source_document_registry
  (source_document_ref, address_docprefix, source_url, source_family,
   authority_class, display_vi, display_en, lifecycle,
   registered_by, registered_at)
VALUES
  ('incomex-constitution',
   'ICX-CONST',
   'https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution',
   'internal_incomex_constitution',
   'authoritative',
   'Hiến pháp Kiến trúc Hệ thống Incomex',
   'Internal Incomex Architecture Constitution',
   'active',
   'constitution-source-seed',
   now());

-- --- Row 2: source_document_version_registry (child, FK -> Row 1) ---
-- document_version_id: PRECOMPUTED LITERAL (see derivation comment above).
--   No DB sha256/pgcrypto call. Deterministic value, timestamp-independent.
-- retrieval_timestamp: snapshot capture instant (GPT ruling; faithful; NOT identity).
-- registered_at: now() (seed time; NOT identity).
INSERT INTO cutter_governance.source_document_version_registry
  (document_version_id, source_document_ref, content_checksum,
   retrieval_timestamp, source_format, authoritative_version,
   version_status, provenance, registered_by, registered_at)
VALUES
  ( 'icxconst-008a06ace23a96ea6cd456146e805c97',
    'incomex-constitution',
    '17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c',
    TIMESTAMPTZ '2026-05-18T13:03:03Z',
    'normalized_snapshot',
    'v4.6.3 BAN HÀNH',
    'snapshot_captured',
    jsonb_build_object(
      'identity_basis',                  'snapshot_artifact_region_sha256',
      'snapshot_artifact_path',          'knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md',
      'snapshot_revision',               1,
      'snapshot_artifact_checksum',      '17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c',
      'normalized_content_length',       17522,
      'marker_counts',                   jsonb_build_object('enacted',19,'controlled_draft',1,'draft',1,'obsolete',1),
      'captured_from_live_url',          'https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution',
      'snapshot_captured_at',            '2026-05-18T13:03:03Z',
      'parser_profile_ref',              'nuxt-incomex-portal-constitution-v1',
      'parser_reference_implementation', 'nuxt-incomex-portal-constitution-v1.refimpl.r1',
      'parser_reference_source',         'doc3 rev3 — knowledge/dev/laws/dieu44-trien-khai/v0.5-constitution-nuxt-parser-reference-implementation-authoring/dot-iu-cutter-v0.5-constitution-nuxt-parser-reference-implementation-draft-2026-05-18.md (revision 3)',
      'reference_script_sha256',         '8f6220c9b346a21b823cc41c12c886cb5f51ef4ab557806d2137ad78a1d08e29',
      'reference_script_sha256_note',    'provenance only, NOT the version identity (GPT R-RI2)',
      'document_version_id_rule',        'icxconst- + left(sha256(content_checksum || ''|'' || source_document_ref), 32)',
      'document_version_id_value_source','precomputed_literal (no DB sha256; GPT command-review 2026-05-18)',
      'changelog_included',              true,
      'authoritative_span',              'candidate_B (H1 "HIẾN PHÁP" -> end CHANGELOG, excl trailing "Back to Knowledge Hub" backlink)',
      'raw_checksum',                    'e8aa7f93e400210e470218ca4bda98161674a6155527cca9a0f3f20e03f440b4',
      'raw_checksum_note',               'FORENSIC ONLY (fetch1/3; Nuxt-render-volatile; never identity, never a drift gate)',
      'source_title',                    'HIẾN PHÁP KIẾN TRÚC HỆ THỐNG INCOMEX — v4.6.3 BAN HÀNH',
      'observed_version_label',          'v4.6.3 BAN HÀNH',
      'live_url_role',                   'discovery_only',
      'b6_ruling',                       'CLOSED 2026-05-18',
      'sc3_disposition',                 'CLOSED_BY_REFIMPL_R1',
      'supersedes_document_version_id',  null
    ),
    'constitution-source-seed',
    now() );

-- Atomic: both rows succeed together or neither persists.
COMMIT;
-- expected: INSERT 0 1 ; INSERT 0 1 ; COMMIT

4. Diff vs authoring DML (only this changed)

- ( 'icxconst-' || left(
-       encode( sha256( ( '17660443…cae80c' || '|' || 'incomex-constitution' )::bytea ), 'hex' ), 32 ),
+ ( 'icxconst-008a06ace23a96ea6cd456146e805c97',

also_changed (documentation only, no value change):
  - header/comment: "computed in-transaction" -> "PRECOMPUTED LITERAL; no DB sha256/pgcrypto"
  - provenance: +document_version_id_rule, +document_version_id_value_source (audit trail)
unchanged:
  content_checksum, source_document_ref, source_format, version_status,
  retrieval_timestamp, authoritative_version, all source_document fields,
  provenance snapshot_*/parser_*/refimpl/live_url_role/supersedes,
  atomicity, row count (1 + 1), no ON CONFLICT, scope
ruled_now (were OPEN-DECISIONs, GPT settled — no longer open):
  version_status      = snapshot_captured        (GPT OPEN_DECISION_1)
  retrieval_timestamp = 2026-05-18T13:03:03Z      (GPT OPEN_DECISION_2)
  source_format       = normalized_snapshot       (GPT OPEN_DECISION_3)

5. Scope & safety assertions

seeds_only:               Constitution source_document + source_document_version
other_documents_seeded:   0
atomic:                   single BEGIN/COMMIT, child references parent in same tx
version_identity:         pinned snapshot region sha256 17660443…cae80c (NOT live page)
document_version_id:      LITERAL 'icxconst-008a06ace23a96ea6cd456146e805c97' (QG2)
runtime_db_sha256:        REMOVED from executable DML (QG1)
derivation_rule:          preserved in comments + provenance + this doc (QG3)
on_conflict:              NONE — justified: 0/0 rows; collisions MUST surface
update_delete:            NONE authored
execution:                NONE (QG6); intended role workflow_admin later
adapts_to_LIVE_schema_only: yes (design-only columns -> provenance)

6. Statement

• Required patch applied: runtime DB sha256() removed; document_version_id is the exact precomputed literal icxconst-008a06ace23a96ea6cd456146e805c97 (QG1, QG2). Deterministic derivation preserved in comments + provenance (QG3). Snapshot rehash precondition preserved (QG5; verification-plan §1A). Identity/checksum/scope/row-count unchanged; GPT-ruled values applied. Nothing executed (QG6).
• doc 1 of 4; STOP after 4 files → route GPT/User for final command-review. Self-advance PROHIBITED.

Companion: rollback-revised, verification-plan-revised, DML-revision-report.