KB-66D9

dot-iu-cutter v0.5 — Constitution Source Snapshot Capture: Operations-First Framing (race-free "Cắt Hiến pháp" via pinned artifact)

Revision 1

Phase: v0_5_constitution_source_snapshot_capture_authoring · Nature: authoring_only__no_execution · Date: 2026-05-18 · doc 1 of 5

authority: GPT ruling reviews/dot-iu-cutter-v0.5-constitution-source-snapshot-version-policy-gpt-ruling-2026-05-18
  verdict PASS_WITH_RULINGS ; Q1 APPROVE Option B captured snapshot artifact (immediate path)
dml: none ; seed: none ; snapshot_write: none ; checksum_persisted_or_updated: NONE
capture_executed: false ; dry_run/cut/verify: none ; mutation: none (KB authoring of 5 docs only)
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED

This is doc 1 of 5. Per the binding operating principle (operating-objectives §3: operational goal → state machine → marking/review → safety → schema), operations are framed before mechanism. Companion docs derive the artifact spec, capture procedure, seed strategy + verification, and the report.


1. The operational goal this phase protects

Operator: "Cắt Hiến pháp"

The system must cut/verify exactly the bytes that were captured, pinned, and command-reviewed — never whatever the live Nuxt page renders at execution time. The Constitution source is a living AD→Directus→Nuxt article (knowledge/dev/laws/constitution.md, AD revision 44; AD = upstream SSOT). It can be edited between ratification and seed/cut. That race already fired on 2026-05-18 (ratified f9d22d05…/17791 → Codex fresh 17660443…/17522, markers 19/1/1/1); Codex blocked correctly at QG1.

2. How a captured snapshot artifact makes "Cắt Hiến pháp" race-free

mechanism:
  - capture live ONCE under parser_profile nuxt-incomex-portal-constitution-v1
  - freeze the exact normalized authoritative bytes into a CHECKSUM-ADDRESSED,
    WRITE-ONCE KB artifact (filename embeds the normalized content checksum)
  - source_document_version.content_checksum := the artifact's normalized checksum
  - every later seed / dry-run / production cut REHASHES the artifact and binds
    to it — it NEVER re-fetches the live page for identity
why_race_free:
  - the thing operated on is immutable bytes, not a moving URL
  - live page may drift freely afterwards: drift is DETECTED (new-version
    candidate per version policy) but the pinned seed/cut is NOT invalidated
  - rehash-before-use turns "did the source change under us?" into a local,
    offline, deterministic gate (no network at seed/cut time)

3. Operator flow (state machine)

S1 live_source:        discovery / current URL on source_document (live, mutable)
   --> read-only GET (capture phase, gated)
S2 capture_snapshot:   normalize under nuxt-incomex-portal-constitution-v1 ;
   compute checksum/length/marker-census ; (gated write) freeze artifact
   --> write-once at checksum-addressed path
S3 verify_snapshot:    immediately re-read artifact, re-extract content region,
   recompute sha256 ; assert == metadata == filename-prefix == computed
   --> PASS unlocks identity ; BLOCKED halts (fail-closed)
S4 seed_source_version: source_document + source_document_version (atomic),
   content_checksum := snapshot checksum ; provenance carries snapshot identity
   --> separately command-reviewed + gated execution
S5 dry_run_later:      binds to the registered version's PINNED artifact, rehash
   gate first ; live re-fetch only for drift DETECTION, never as cut input
each transition: separately gated ; no self-advance ; report PASS/FAIL/BLOCKED

4. Stop conditions (fail-closed)

SC1 snapshot_path_collision_diff_content: target checksum-addressed path exists
    with DIFFERENT content/checksum -> STOP_AND_ESCALATE (never overwrite)
SC2 rehash_mismatch: re-read artifact checksum, metadata checksum, filename-prefix
    and originally-computed checksum are not all equal -> BLOCKED (artifact untrustworthy)
SC3 marker_census_shift_at_capture: ✅/📋/📝/⛔ count or codepoint set differs
    from the capture-time census recorded in metadata -> STOP (review severity
    per version policy CLS_1/CLS_2)
SC4 parser_profile_unavailable_or_changed: profile != nuxt-incomex-portal-
    constitution-v1 -> STOP (Q3 binding)
SC5 pre_existing_source_rows: source_document/version rows for
    incomex-constitution already present (live facts: 0/0) -> STOP, do not
    UPSERT, do not assume
SC6 live_unreachable_or_non_200 at capture: STOP, no partial artifact
note: SC1/SC2 are the snapshot-integrity gates that REPLACE the old
  live-refetch QG1. They are local + offline + deterministic.
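
Added example (not part of the original KB doc or of dot-iu-cutter's code): a minimal sketch of the S2 write-once freeze, the SC1 collision stop, and the S3/S5 rehash gate (SC2), with live drift detected but never used as cut input. Assumptions: the bytes are already normalized under the parser profile, and the `<sha256>.snapshot` naming, the metadata keys, and all function and exception names are hypothetical.

```python
import hashlib
import os

class StopAndEscalate(Exception):
    """SC1: the checksum-addressed path exists with different content."""

class Blocked(Exception):
    """SC2: artifact bytes, metadata and filename prefix disagree."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def freeze(store_dir: str, normalized: bytes) -> dict:
    """S2: freeze already-normalized bytes write-once; return their metadata."""
    checksum = sha256_hex(normalized)
    # Hypothetical naming scheme: the filename prefix is the content checksum.
    path = os.path.join(store_dir, checksum + ".snapshot")
    try:
        # O_EXCL makes creation atomic, so an existing artifact is never overwritten.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    except FileExistsError:
        with open(path, "rb") as existing:
            if sha256_hex(existing.read()) != checksum:
                raise StopAndEscalate(path)
        # Assumption: identical bytes already pinned count as a no-op.
    else:
        with os.fdopen(fd, "wb") as out:
            out.write(normalized)
    return {"path": path, "content_checksum": checksum, "length": len(normalized)}

def rehash_gate(meta: dict) -> bytes:
    """S3/S5: re-read and rehash; release bytes only if every identity agrees."""
    with open(meta["path"], "rb") as artifact:
        data = artifact.read()
    prefix = os.path.basename(meta["path"]).split(".", 1)[0]
    if not (sha256_hex(data) == meta["content_checksum"] == prefix):
        raise Blocked(meta["path"])
    if len(data) != meta["length"]:
        raise Blocked(meta["path"])
    return data

def live_drifted(meta: dict, live_normalized: bytes) -> bool:
    """Drift detection only: the result never replaces the pinned cut input."""
    return sha256_hex(live_normalized) != meta["content_checksum"]
```

Every seed, dry-run or cut would call `rehash_gate` first and operate only on the bytes it returns; `live_drifted` feeds the version-policy review and nothing else.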

5. Automatic vs stop-for-review

automatic_no_human:
  - read-only fetch + normalize + checksum + marker census
  - checksum-addressed path derivation + collision precheck
  - rehash-after-write integrity gate
  - binding seed/dry-run/cut to the pinned artifact
  - detecting (not acting on) later live drift vs the pinned snapshot
  - concise PASS / FAIL / BLOCKED operator report
stop_for_human_review:
  - authorizing the artifact WRITE (gated execution phase)
  - authorizing the source seed execution (separate command-review)
  - any marker-structure change vs capture census (CLS_1)
  - any SC1..SC6 stop condition
forbidden_regardless:
  - retry seed against old checksum f9d22d05…
  - silent in-place content_checksum update
  - seed from unpinned live page
  - overwrite/delete a snapshot artifact

6. Statement

  • Operations framed before mechanism; snapshot capture shown to make "Cắt Hiến pháp" race-free; operator flow S1→S5 and stop conditions SC1..SC6 defined. Option B direction implemented (QG1). Live drift treated as real; old checksum never retried; no-silent-update preserved. Nothing executed/written/mutated (QG5).
  • doc 1 of 5; STOP after 5 files → route GPT/User. Self-advance PROHIBITED.

Companions: artifact-spec, capture-procedure-draft, seed-strategy-and-verification-plan, capture-authoring-report.
