KB-5CA8
dot-iu-cutter v0.5 — Constitution Source Seed FROM SNAPSHOT: REVISED Verification Plan (literal == rule, no DB sha256; snapshot rehash preserved; NOT executed)
14 min read Revision 1
dot-iu-cutterv0.5constitution-fixturesource-seed-from-snapshotverification-plan-revisedliteral-document-version-idno-db-sha256snapshot-rehash-prechecknot-executeddieu442026-05-18
dot-iu-cutter v0.5 — Constitution Source Seed FROM SNAPSHOT: REVISED Verification Plan
Phase:
v0_5_constitution_source_seed_from_snapshot_DML_revision· Date: 2026-05-18 · doc 3 of 4revises: v0.5-constitution-source-document-seed-from-snapshot-authoring/…-verification-plan-2026-05-18.md per_ruling: dot-iu-cutter-v0.5-constitution-source-seed-from-snapshot-command-review-gpt-ruling-2026-05-18.md changes: - POST-4 / CK-4: remove DB sha256 self-consistency expression - add: stored document_version_id LITERAL == icxconst-008a06ace23a96ea6cd456146e805c97 - add: literal == documented deterministic-rule value (recompute OUTSIDE DB or compare to doc) - NEG-9 reworded: no DB sha256 dependency - snapshot rehash precheck RH-1..RH-8 PRESERVED verbatim nature: PLAN ONLY — nothing executed ; dml: none ; dry_run: none method: snapshot rehash + catalog/codepoint assertions, never rendered-string equality decision_authority: GPT / User ONLY ; self_advance: PROHIBITED
1A. Snapshot rehash precheck (identity gate — PRESERVED, runs BEFORE PRE / DML)
The version identity is the pinned snapshot artifact, so the artifact MUST be re-read and rehashed before any seed/dry-run/cut. The live-URL fresh checksum is not the version-identity gate.
RH-1 read artifact at EXACT path:
knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md MUST exist
RH-2 artifact KB revision = 1 MUST equal 1
RH-3 exactly ONE BEGIN sentinel line "<<<BEGIN-NORMALIZED-CONTENT-DO-NOT-EDIT"
and exactly ONE END sentinel "END-NORMALIZED-CONTENT-DO-NOT-EDIT>>>" exactly 1 each
RH-4 region = bytes STRICTLY BETWEEN the sentinels, sentinels EXCLUDED,
no trailing newline; sha256(region) =
17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c MUST equal
RH-5 region byte length = 17522 MUST equal
RH-6 region marker census: ✅ enacted=19, 📋 controlled_draft=1,
📝 draft=1, ⛔ obsolete=1 (codepoint-exact U+2705/U+1F4CB/U+1F4DD/U+26D4) exact
RH-7 artifact metadata header self-consistent:
normalized_content_checksum == RH-4 ; normalized_content_length == 17522 ;
marker_counts == 19/1/1/1 ; filename first16 == 17660443e0f23e99 MUST hold
RH-8 RH-4 value == the content_checksum about to be seeded (revised DML) MUST equal
miss_any: STOP E3a/E3b (snapshot unavailable / integrity failure); do NOT seed.
explicitly_NOT_a_gate: a fresh live-URL GET checksum differing from RH-4 is a
discovery/drift signal only (live_url_role=discovery_only); never the identity.
note: RH-4 sha256 is computed OUTSIDE the database (artifact rehash by the
operator/runtime over KB bytes), not by a DB function — unchanged by this revision.
1. Pre-checks (read-only, AFTER RH-* passes, BEFORE any seed write)
PRE-1 system_identifier = 7611578671664259111 MUST match
PRE-2 cutter_governance.source_document_registry exists (relkind 'r') MUST exist
PRE-2 cutter_governance.source_document_version_registry exists MUST exist
PRE-3 source_family_registry has row source_family='internal_incomex_constitution' =1
PRE-4 that source_family row resolves grammar_profile
'incomex-architecture-constitution-v4' MUST match
PRE-5 grammar_profile_status_marker rows for
incomex-architecture-constitution-v4 = 4 ; codepoint-exact
U+2705->enacted, U+1F4CB->controlled_draft, U+1F4DD->draft,
U+26D4->obsolete =4 exact (B1 closed)
PRE-6 source_document_registry rows = 0 =0 (else STOP)
PRE-6 source_document_version_registry rows = 0 =0 (else STOP)
PRE-7 no source_document_ref='incomex-constitution' present =0
PRE-7 no address_docprefix='ICX-CONST' present =0
PRE-8 constraints present: fk_source_document_registry_family,
fk_sdvr_source_document, uq_source_document_registry_docprefix,
uq_sdvr_doc_checksum all present
PRE-9 E1 snapshot CLOSED_PASS (GPT closeout 2026-05-18) AND RH-* PASS AND
content_checksum 17660443… / len 17522 / markers 19/1/1/1 /
refimpl.r1 are the ratified inputs MUST hold
PRE-10 (NEW) DB sha256/pgcrypto availability is NOT required by the revised
DML (document_version_id is a literal). No precheck on sha256(bytea). N/A by design
PRE-6/PRE-7 mismatch handling: if any Constitution
source_document/version row already exists (live facts say 0/0), STOP and report — do not UPSERT, do not assume. Deviation = production-state mismatch → halt.
2. Post-checks (read-only, immediately after COMMIT)
POST-1 source_document_registry rows = 1 =1
POST-2 the row exactly: source_document_ref='incomex-constitution'
AND address_docprefix='ICX-CONST'
AND source_url='https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution'
AND source_family='internal_incomex_constitution'
AND authority_class='authoritative'
AND lifecycle='active'
AND registered_by='constitution-source-seed' exact
POST-3 source_document_version_registry rows = 1 =1
POST-4 version row exactly (LITERAL equality only — NO DB sha256):
source_document_ref='incomex-constitution'
AND content_checksum='17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c'
AND document_version_id='icxconst-008a06ace23a96ea6cd456146e805c97'
AND source_format='normalized_snapshot'
AND authoritative_version='v4.6.3 BAN HÀNH'
AND version_status='snapshot_captured' exact (GPT-ruled values)
POST-4b document_version_id LITERAL matches the deterministic RULE value
(verified OUTSIDE the DB or by comparison to the documented value):
rule : icxconst- + left(sha256(content_checksum||'|'||source_document_ref),32)
inputs : 17660443…cae80c | incomex-constitution
sha256 : 008a06ace23a96ea6cd456146e805c97a64bb92f415b06f4c08ae73ba3469554
left32 : 008a06ace23a96ea6cd456146e805c97
expected document_version_id == 'icxconst-008a06ace23a96ea6cd456146e805c97'
stored value MUST equal this documented expected value MUST equal
method: recompute with an external tool (e.g. shasum/python) OR compare
to this documented expected value. DB sha256 NOT required.
POST-5 provenance exact:
provenance->>'identity_basis' = 'snapshot_artifact_region_sha256'
AND provenance->>'snapshot_artifact_path' =
'knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md'
AND (provenance->>'snapshot_revision')::int = 1
AND provenance->>'snapshot_artifact_checksum' =
'17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c'
AND (provenance->>'normalized_content_length')::int = 17522
AND provenance->'marker_counts' =
'{"enacted":19,"controlled_draft":1,"draft":1,"obsolete":1}'::jsonb
AND provenance->>'captured_from_live_url' =
'https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution'
AND provenance->>'parser_profile_ref' = 'nuxt-incomex-portal-constitution-v1'
AND provenance->>'parser_reference_implementation' =
'nuxt-incomex-portal-constitution-v1.refimpl.r1'
AND provenance->>'parser_reference_source' LIKE 'doc3 rev3 — %(revision 3)'
AND provenance->>'document_version_id_value_source' LIKE 'precomputed_literal%'
AND (provenance->>'changelog_included')::bool = true
AND provenance->>'live_url_role' = 'discovery_only'
AND provenance ? 'supersedes_document_version_id'
AND provenance->>'supersedes_document_version_id' IS NULL exact
POST-6 FK integrity (catalog anti-join):
version.source_document_ref with no matching source_document = 0 =0
POST-7 UNIQUE holds: exactly 1 (source_document_ref, content_checksum) =1
POST-7 exactly 1 address_docprefix='ICX-CONST' =1
POST-8 no extra documents: distinct source_document_ref count = 1 ;
no row with source_family != 'internal_incomex_constitution' ;
no row with registered_by != 'constitution-source-seed' PASS
POST-9 source_url codepoint-exact (not rendered-string compare) exact
POST-10 enacted_only scope UNCHANGED: source_family_registry.status_policy
for internal_incomex_constitution still 'enacted_only' ;
grammar_profile_status_marker still 4 rows codepoint-exact ;
no marker promoted; 📋 still controlled_draft (Điều 44 still deferred) unchanged
POST-11 system_identifier 7611578671664259111 (pre == post) match
POST-12 no dry-run / CUT / VERIFY artifact rows created (manifest_envelope,
manifest_unit_block, IU/iu_provenance unchanged from pre) unchanged
POST-13 pinned snapshot artifact UNCHANGED by the seed: still revision 1,
same path, RH-4 rehash still 17660443… (write-once respected) unchanged
3. Negative checks (any TRUE ⇒ FAIL ⇒ rollback per doc 2)
NEG-1 >1 source_document OR >1 version row created MUST be FALSE
NEG-2 any non-Constitution document/family seeded MUST be FALSE
NEG-3 any UPDATE/DELETE on grammar_profile / status_marker /
source_family_registry / address_template / snapshot artifact MUST be FALSE
NEG-4 content_checksum NULL/empty, != pinned snapshot 17660443…cae80c,
OR equal to a raw fetch hash, OR equal to the prior never-persisted
live-page f9d22d05… value MUST be FALSE
NEG-5 status marker rows changed (count != 4 or codepoint drift) MUST be FALSE
NEG-6 schema change / GRANT / REVOKE / index DDL / Directus mutation MUST be FALSE
NEG-7 ON CONFLICT / upsert used to mask a pre-existing row MUST be FALSE
NEG-8 system_identifier changed MUST be FALSE
NEG-9 document_version_id != literal 'icxconst-008a06ace23a96ea6cd456146e805c97'
OR != the documented deterministic-rule value (NOTE: verified by
external recompute / documented value — NOT by a DB sha256 call) MUST be FALSE
NEG-10 live-URL fresh checksum used as the version-identity gate (instead of
the snapshot rehash) anywhere in the path MUST be FALSE
NEG-11 (NEW) executable DML calls sha256()/pgcrypto for document_version_id MUST be FALSE
4. Checksum / parser-profile verification (confirm, not re-prove)
CK-1 content_checksum stored == pinned snapshot region sha256
17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c MUST hold
CK-2 provenance->>'parser_profile_ref' = nuxt-incomex-portal-constitution-v1
AND provenance->>'parser_reference_implementation'
= nuxt-incomex-portal-constitution-v1.refimpl.r1 MUST hold
CK-3 provenance.raw_checksum is forensic-only (NOT equal to content_checksum) MUST hold
CK-4 document_version_id LITERAL == documented deterministic-rule value
'icxconst-008a06ace23a96ea6cd456146e805c97' ; reproduce the rule with
an EXTERNAL sha256 tool (shasum/python) over
"17660443…cae80c|incomex-constitution" -> left32 -> compare.
DB sha256/pgcrypto NOT used and NOT required. MUST reproduce
CK-5 snapshot rehash RH-4 == CK-1 == stored content_checksum (one identity) MUST hold
note: E1 snapshot determinism + B6 + SC3 already CLOSED by GPT. This phase
asserts the ratified pinned value + the precomputed literal were
persisted unchanged; it does not re-run capture or re-fetch live page.
5. Dry-run readiness implications
this_package_alone: does NOT make the first Constitution dry-run ready.
gating_chain:
B1 marker coverage: CLOSED (live, 4 markers)
B6 Nuxt parser/checksum determinism: CLOSED (GPT 2026-05-18)
SC3 parser reproduction: CLOSED_BY_REFIMPL_R1 ; E1 snapshot: CLOSED_PASS (pinned)
B5 source_document/version seed: OPEN -> needs THIS revised snapshot-bound seed
command-reviewed (final) + EXECUTED + verified
first_constitution_dry_run_ready_when:
- RH-* + this revised seed final-command-reviewed + executed + post/neg/CK verified (closes B5)
- scope remains enacted_only (GPT R2) ; Điều 44 📋 deferred (GPT R3)
THEN: first Constitution dry-run package may be authored (separate phase)
6. Statement
- Verification updated so it does not require DB sha256 (QG4): POST-4 split into literal equality (POST-4) + documented/external rule-equality (POST-4b); CK-4 reproduces the rule with an external tool; NEG-11 added forbidding DB sha256 in DML; NEG-9 reworded. Snapshot rehash precheck RH-1..RH-8 preserved verbatim (QG5). enacted_only / Điều 44 deferral unchanged (POST-10). Nothing executed (QG6).
- doc 3 of 4; STOP after 4 files → route GPT/User. Self-advance PROHIBITED.
Companion: DML-revised, rollback-revised, DML-revision-report.