KB-4573

dot-iu-cutter v0.5 — Constitution Source Seed FROM SNAPSHOT: Verification Plan (snapshot rehash precheck + pre/post/negative; NOT executed)

Revision 1

Phase: v0_5_constitution_source_document_seed_from_snapshot_authoring · Date: 2026-05-18 · doc 4 of 5

nature: PLAN ONLY — nothing executed ; dml: none ; dry_run: none
applies_to: the future, separately-gated execution of the doc-2 atomic snapshot-bound seed
method: snapshot rehash + catalog/codepoint assertions, never rendered-string equality (C-07 lesson)
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED

1A. Snapshot rehash precheck (NEW identity gate — runs BEFORE PRE / DML)

The version identity is the pinned snapshot artifact, so the artifact MUST be re-read and rehashed before any seed/dry-run/cut. The live-URL fresh checksum is no longer the version-identity gate.

RH-1  read artifact at EXACT path:
      knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md   MUST exist
RH-2  artifact KB revision = 1                                                  MUST equal 1
RH-3  exactly ONE BEGIN sentinel line "<<<BEGIN-NORMALIZED-CONTENT-DO-NOT-EDIT"
      and exactly ONE END sentinel "END-NORMALIZED-CONTENT-DO-NOT-EDIT>>>"       exactly 1 each
RH-4  region = bytes STRICTLY BETWEEN the sentinels, sentinels EXCLUDED,
      no trailing newline; sha256(region) =
      17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c          MUST equal
RH-5  region byte length = 17522                                                MUST equal
RH-6  region marker census: ✅ enacted=19, 📋 controlled_draft=1,
      📝 draft=1, ⛔ obsolete=1 (codepoint-exact U+2705/U+1F4CB/U+1F4DD/U+26D4)  exact
RH-7  artifact metadata header self-consistent:
      normalized_content_checksum == RH-4 ; normalized_content_length == 17522 ;
      marker_counts == 19/1/1/1 ; filename first16 == 17660443e0f23e99           MUST hold
RH-8  this rehash value == the content_checksum about to be seeded (doc-2)       MUST equal
miss_any: STOP E3a/E3b (snapshot unavailable / integrity failure); do NOT seed.
explicitly_NOT_a_gate: a fresh live-URL GET checksum differing from RH-4 is a
  discovery/drift signal only (provenance.live_url_role=discovery_only); it does
  NOT block this seed and MUST NOT be used as the version identity.
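
One way to run RH-3 through RH-6 against the artifact bytes, as an added example rather than the project's own tooling. It assumes each sentinel sits on a line of its own and that the census counts every occurrence of a marker codepoint in the region; `extract_region`, `rehash` and `precheck` are hypothetical names.

```python
import hashlib

BEGIN = b"<<<BEGIN-NORMALIZED-CONTENT-DO-NOT-EDIT"
END = b"END-NORMALIZED-CONTENT-DO-NOT-EDIT>>>"
# RH-6 markers, keyed by codepoint rather than by rendered glyph.
MARKERS = {0x2705: "enacted", 0x1F4CB: "controlled_draft",
           0x1F4DD: "draft", 0x26D4: "obsolete"}
# Pinned values copied from RH-4, RH-5 and RH-6 of this plan.
PINNED = {
    "sha256": "17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c",
    "length": 17522,
    "markers": {"enacted": 19, "controlled_draft": 1, "draft": 1, "obsolete": 1},
}


def extract_region(artifact: bytes) -> bytes:
    """RH-3/RH-4: bytes strictly between the sentinel lines, sentinels excluded."""
    lines = artifact.split(b"\n")
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        raise ValueError("RH-3: need exactly one BEGIN and one END sentinel line")
    start, stop = lines.index(BEGIN), lines.index(END)
    if start >= stop:
        raise ValueError("RH-3: END sentinel precedes BEGIN")
    # Assumption: the newline before the END line is not part of the region.
    return b"\n".join(lines[start + 1:stop])


def rehash(artifact: bytes) -> dict:
    """Recompute the RH-4 digest, RH-5 byte length and RH-6 marker census."""
    region = extract_region(artifact)
    # Count the UTF-8 encoding of each codepoint directly in the raw bytes.
    counts = {name: region.count(chr(cp).encode("utf-8"))
              for cp, name in MARKERS.items()}
    return {"sha256": hashlib.sha256(region).hexdigest(),
            "length": len(region), "markers": counts}


def precheck(artifact: bytes, pinned: dict = PINNED) -> list:
    """Return the ids of failed checks; an empty list means the gate passes."""
    try:
        got = rehash(artifact)
    except ValueError:
        return ["RH-3"]
    checks = (("RH-4", "sha256"), ("RH-5", "length"), ("RH-6", "markers"))
    return [rid for rid, key in checks if got[key] != pinned[key]]
```

A single extra newline before the END sentinel changes both the digest and the length, so it surfaces as RH-4 and RH-5 failures rather than passing silently.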

1. Pre-checks (read-only, AFTER RH-* passes, BEFORE any seed write)

PRE-1  system_identifier = 7611578671664259111                              MUST match
PRE-2  cutter_governance.source_document_registry exists (relkind 'r')       MUST exist
PRE-2  cutter_governance.source_document_version_registry exists             MUST exist
PRE-3  source_family_registry has row source_family='internal_incomex_constitution'  =1
PRE-4  that source_family row resolves grammar_profile
       'incomex-architecture-constitution-v4'                                MUST match
PRE-5  grammar_profile_status_marker rows for
       incomex-architecture-constitution-v4 = 4 ; codepoint-exact
       U+2705->enacted, U+1F4CB->controlled_draft, U+1F4DD->draft,
       U+26D4->obsolete                                                      =4 exact (B1 closed)
PRE-6  source_document_registry rows = 0                                     =0 (else STOP)
PRE-6  source_document_version_registry rows = 0                             =0 (else STOP)
PRE-7  no source_document_ref='incomex-constitution' present                 =0
PRE-7  no address_docprefix='ICX-CONST' present                              =0
PRE-8  constraints present: fk_source_document_registry_family,
       fk_sdvr_source_document, uq_source_document_registry_docprefix,
       uq_sdvr_doc_checksum                                                  all present
PRE-9  E1 snapshot CLOSED_PASS (GPT closeout 2026-05-18) AND RH-* PASS AND
       content_checksum 17660443… / len 17522 / markers 19/1/1/1 /
       refimpl.r1 are the ratified inputs                                    MUST hold

PRE-6/PRE-7 mismatch handling: if any Constitution source_document/version row already exists (live facts say 0/0), STOP and report — do not UPSERT, do not assume. Deviation = production-state mismatch → halt per governance.

2. Post-checks (read-only, immediately after COMMIT)

POST-1  source_document_registry rows = 1                                    =1
POST-2  the row exactly: source_document_ref='incomex-constitution'
        AND address_docprefix='ICX-CONST'
        AND source_url='https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution'
        AND source_family='internal_incomex_constitution'
        AND authority_class='authoritative'
        AND lifecycle='active'
        AND registered_by='constitution-source-seed'                         exact
POST-3  source_document_version_registry rows = 1                            =1
POST-4  version row exactly:
        source_document_ref='incomex-constitution'
        AND content_checksum='17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c'
        AND document_version_id='icxconst-008a06ace23a96ea6cd456146e805c97'
        AND document_version_id = 'icxconst-'||left(encode(sha256(
              (content_checksum||'|'||source_document_ref)::bytea),'hex'),32)  self-consistent
        AND source_format='normalized_snapshot'
        AND authoritative_version='v4.6.3 BAN HÀNH'
        AND version_status='snapshot_captured'                               exact (per OPEN-DECISION-1/3)
POST-5  provenance exact:
        provenance->>'identity_basis' = 'snapshot_artifact_region_sha256'
        AND provenance->>'snapshot_artifact_path' =
            'knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md'
        AND (provenance->>'snapshot_revision')::int = 1
        AND provenance->>'snapshot_artifact_checksum' =
            '17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c'
        AND (provenance->>'normalized_content_length')::int = 17522
        AND provenance->'marker_counts' =
            '{"enacted":19,"controlled_draft":1,"draft":1,"obsolete":1}'::jsonb
        AND provenance->>'captured_from_live_url' =
            'https://vps.incomexsaigoncorp.vn/knowledge/dev/laws/constitution'
        AND provenance->>'parser_profile_ref' = 'nuxt-incomex-portal-constitution-v1'
        AND provenance->>'parser_reference_implementation' =
            'nuxt-incomex-portal-constitution-v1.refimpl.r1'
        AND provenance->>'parser_reference_source' LIKE 'doc3 rev3 — %(revision 3)'
        AND (provenance->>'changelog_included')::bool = true
        AND provenance->>'live_url_role' = 'discovery_only'
        AND provenance ? 'supersedes_document_version_id'
        AND provenance->>'supersedes_document_version_id' IS NULL              exact
POST-6  FK integrity (catalog anti-join):
        version.source_document_ref with no matching source_document = 0      =0
POST-7  UNIQUE holds: exactly 1 (source_document_ref, content_checksum)       =1
POST-7  exactly 1 address_docprefix='ICX-CONST'                              =1
POST-8  no extra documents: distinct source_document_ref count = 1 ;
        no row with source_family != 'internal_incomex_constitution' ;
        no row with registered_by != 'constitution-source-seed'              PASS
POST-9  source_url codepoint-exact (not rendered-string compare)             exact
POST-10 enacted_only scope UNCHANGED: source_family_registry.status_policy
        for internal_incomex_constitution still 'enacted_only' ;
        grammar_profile_status_marker still 4 rows codepoint-exact ;
        no marker promoted; 📋 still controlled_draft (Điều 44 still deferred) unchanged
POST-11 system_identifier 7611578671664259111 (pre == post)                  match
POST-12 no dry-run / CUT / VERIFY artifact rows created (manifest_envelope,
        manifest_unit_block, IU/iu_provenance unchanged from pre)            unchanged
POST-13 pinned snapshot artifact UNCHANGED by the seed: still revision 1,
        same path, RH-4 rehash still 17660443… (write-once respected)        unchanged

3. Negative checks (any TRUE ⇒ FAIL ⇒ rollback per doc 3)

NEG-1  >1 source_document OR >1 version row created                          MUST be FALSE
NEG-2  any non-Constitution document/family seeded                           MUST be FALSE
NEG-3  any UPDATE/DELETE on grammar_profile / status_marker /
       source_family_registry / address_template / snapshot artifact         MUST be FALSE
NEG-4  content_checksum NULL/empty, != pinned snapshot 17660443…cae80c,
       OR equal to a raw fetch hash (raw used as identity), OR equal to the
       prior never-persisted live-page f9d22d05… value                       MUST be FALSE
NEG-5  status marker rows changed (count != 4 or codepoint drift)            MUST be FALSE
NEG-6  schema change / GRANT / REVOKE / index DDL / Directus mutation        MUST be FALSE
NEG-7  ON CONFLICT / upsert used to mask a pre-existing row                  MUST be FALSE
NEG-8  system_identifier changed                                            MUST be FALSE
NEG-9  document_version_id != deterministic icxconst-008a06ace23a96ea6cd456146e805c97
       (identity dependent on a timestamp or wrong checksum input)           MUST be FALSE
NEG-10 live-URL fresh checksum used as the version-identity gate (instead of
       the snapshot rehash) anywhere in the path                             MUST be FALSE

4. Checksum / parser-profile verification (confirm, not re-prove)

CK-1  content_checksum stored == pinned snapshot region sha256
      17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c       MUST hold
CK-2  provenance->>'parser_profile_ref' = nuxt-incomex-portal-constitution-v1
      AND provenance->>'parser_reference_implementation'
          = nuxt-incomex-portal-constitution-v1.refimpl.r1                   MUST hold
CK-3  provenance.raw_checksum is forensic-only (NOT equal to content_checksum) MUST hold
CK-4  document_version_id derivation reproducible from stored content_checksum
      + source_document_ref (recompute == stored == icxconst-008a06ace23a96ea6cd456146e805c97)  MUST reproduce
CK-5  snapshot rehash RH-4 == CK-1 == stored content_checksum (one identity)  MUST hold
note: E1 snapshot determinism + B6 + SC3 were already CLOSED by GPT. This phase
      asserts the ratified pinned value was persisted unchanged; it does NOT
      re-run the capture or re-fetch the live page as an identity check.
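
The CK-1 to CK-4 checks can also be reproduced outside the database. The following is an added example, not the project's code: `derive_version_id` mirrors the POST-4 SQL expression, and `check_identity` takes a stored version row as a dict whose shape is assumed here.

```python
import hashlib

PROFILE = "nuxt-incomex-portal-constitution-v1"


def derive_version_id(content_checksum: str, source_document_ref: str) -> str:
    """Mirror of 'icxconst-'||left(encode(sha256((checksum||'|'||ref)::bytea),'hex'),32).

    Assumption: UTF-8 server encoding and no backslash in either input, so the
    text::bytea cast yields the plain bytes of the concatenated string.
    """
    material = f"{content_checksum}|{source_document_ref}".encode("utf-8")
    return "icxconst-" + hashlib.sha256(material).hexdigest()[:32]


def check_identity(row: dict, snapshot_rehash: str) -> list:
    """Return failed check ids for one version row; empty list means all hold."""
    failed = []
    checksum = row.get("content_checksum") or ""
    prov = row.get("provenance") or {}
    # CK-1 / CK-5: the stored checksum is the snapshot rehash, nothing else.
    if checksum != snapshot_rehash:
        failed.append("CK-1")
    # CK-2: parser profile and reference implementation are the ratified ones.
    if (prov.get("parser_profile_ref"),
            prov.get("parser_reference_implementation")) != (PROFILE, PROFILE + ".refimpl.r1"):
        failed.append("CK-2")
    # CK-3: the raw fetch hash is forensic-only and must not be the identity.
    if prov.get("raw_checksum") == checksum:
        failed.append("CK-3")
    # CK-4: the id is a pure function of checksum and ref (no timestamp input).
    expected = derive_version_id(checksum, row.get("source_document_ref") or "")
    if row.get("document_version_id") != expected:
        failed.append("CK-4")
    return failed
```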

5. Dry-run readiness implications

this_package_alone: does NOT make the first Constitution dry-run ready.
gating_chain:
  B1 marker coverage: CLOSED (live, 4 markers)
  B6 Nuxt parser/checksum determinism: CLOSED (GPT 2026-05-18)
  SC3 parser reproduction: CLOSED_BY_REFIMPL_R1 ; E1 snapshot: CLOSED_PASS (pinned)
  B5 source_document/version seed: OPEN -> needs THIS snapshot-bound seed
     command-reviewed + EXECUTED + verified
first_constitution_dry_run_ready_when:
  - RH-* + this seed command-reviewed + executed + post/negative/CK verified (closes B5)
  - scope remains enacted_only (GPT R2) ; Điều 44 📋 deferred (GPT R3)
  THEN: first Constitution dry-run package may be authored (separate phase)

6. Statement

  • Snapshot rehash precheck (§1A, RH-1..RH-8) added as the identity gate (QG2); pre/post/negative/checksum authored complete with catalog/codepoint method (QG6). Live-URL fresh checksum explicitly excluded as identity (NEG-10). enacted_only scope and Điều 44 deferral asserted unchanged (POST-10, QG6). Write-once snapshot artifact asserted unchanged by the seed (POST-13). Nothing executed (QG5).
  • doc 4 of 5; STOP after package → route GPT/User. Self-advance PROHIBITED.

Companion: operational-framing, DML-draft, rollback-draft, authoring-report.
