KB-57D8

dot-iu-cutter v0.5 — Constitution Source Version Model Policy Design (same label / changed checksum; drift taxonomy; supersede & lineage)

Revision 1
Tags: dot-iu-cutter, v0.5, constitution-fixture, version-policy, drift-taxonomy, supersede-lineage, no-silent-update, design-only, no-execution, dieu44, 2026-05-18

Phase: v0_5_constitution_source_snapshot_and_version_policy_design · Date: 2026-05-18 · doc 3 of 5 (OPT_3)

authority: GPT drift-triage ruling (version_model section) is binding
dml/seed/mutation: none ; checksum_persisted_or_updated: NONE
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED

1. Identity model (binding, from GPT ruling)

constitution_label ("v4.6.3 BAN HÀNH"): semantic/human label — NOT sufficient identity
kb_revision_or_snapshot:                 source CAPTURE identity (AD revision / artifact)
normalized_content_checksum:             the PERSISTED source_document_version identity
rule: content change with the SAME constitution label STILL creates a NEW
  source_document_version CANDIDATE. Label sameness never authorizes reuse of an
  old version row or an in-place checksum update.

2. Drift classification taxonomy (severity → action)

Computed automatically from: candidate_B normalized checksum, marker census (✅/📋/📝/⛔ codepoint-exact), candidate_A−candidate_B span geometry, raw checksum (forensic).

CLS_1 marker_structure_changed:
  signal: marker count OR codepoint set differs from 19/1/1/1 (add/remove/reclassify)
  severity: HIGH
  action: mandatory human review ; NEW version candidate ; re-evaluate enacted_only
          scope + authority_class + Điều-44 deferral impact ; cut withheld.

CLS_2 marker_same_prose_changed:   # <-- the 2026-05-18 incident
  signal: markers 19/1/1/1 unchanged, normalized candidate_B checksum changed,
          span geometry stable
  severity: MEDIUM
  action: NEW version candidate REQUIRED ; review severity LOWERED (per GPT:
          "marker_counts_unchanged may lower review severity") but it IS a
          source-version event ; NO in-place checksum update.

CLS_3 chrome_only_changed:
  signal: change confined to breadcrumb / backlink / rev-counter, i.e. OUTSIDE
          the candidate_B authoritative span; candidate_B checksum UNCHANGED
  severity: NONE (non-event)
  action: auto-pass ; NO new version (profile span already excludes chrome) ;
          forensic note only.

CLS_4 changelog_changed:
  signal: candidate_B checksum changed AND the delta localizes to the CHANGELOG
          block (CHANGELOG is INCLUDED in normalized identity per GPT R-CL1)
  severity: MEDIUM
  action: NEW version candidate ; tag sub_type=changelog_drift ; same handling
          as CLS_2 (changelog is inside identity by ratified policy).

CLS_5 raw_nuxt_changed_normalized_same:
  signal: raw sha differs, candidate_B normalized checksum + markers IDENTICAL
  severity: NONE (non-event)
  action: auto-pass ; forensic-only ; NO version event (B6-established).

Classification is advisory to severity/automation, never to whether a new version exists: any change to the persisted normalized identity (CLS_1/2/4) is a version event. CLS_3/CLS_5 produce no new identity at all, so there is nothing to "update", which reinforces the no-in-place-update rule from the bottom up.
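The taxonomy above as a classifier sketch. This is an added example, not dot-iu-cutter code. The `Snapshot` layout, the sha256 stand-in for the real normalization, and the mapping of 19/1/1/1 onto ✅/📋/📝/⛔ in that order are assumptions, and the sample snapshots are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, replace
MARKERS = "✅📋📝⛔"  # census is codepoint-exact

@dataclass(frozen=True)
class Snapshot:          # hypothetical capture layout
    raw: str             # full fetched page, forensic only
    chrome: str          # breadcrumb / backlink / rev-counter, outside candidate_B
    body: str            # candidate_B span without the CHANGELOG block
    changelog: str       # CHANGELOG block, inside the normalized identity

def sha(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def normalized_checksum(s: Snapshot) -> str:
    # Stand-in normalization: identity covers body + CHANGELOG, never chrome.
    return sha(s.body + "\n" + s.changelog)

def census(s: Snapshot) -> tuple:
    counts = Counter(ch for ch in s.body + s.changelog if ch in MARKERS)
    return tuple(counts[m] for m in MARKERS)

def classify(old: Snapshot, new: Snapshot):
    """Return (drift_class, severity, new_version_candidate)."""
    if normalized_checksum(old) == normalized_checksum(new):
        if old.chrome != new.chrome:
            return ("CLS_3", "NONE", False)   # chrome only: auto-pass
        if sha(old.raw) != sha(new.raw):
            return ("CLS_5", "NONE", False)   # raw differs, normalized same
        return (None, "NONE", False)          # nothing changed
    if census(old) != census(new):
        return ("CLS_1", "HIGH", True)        # marker structure changed
    if old.body == new.body:
        return ("CLS_4", "MEDIUM", True)      # delta localizes to CHANGELOG
    return ("CLS_2", "MEDIUM", True)          # markers same, prose changed

# Constructed baseline with a 19/1/1/1 census.
BASE = Snapshot(raw="<html>r1</html>", chrome="Home > Laws | rev 7",
                body="✅ clause\n" * 19 + "📋 draft\n📝 note\n⛔ void\n",
                changelog="CHANGELOG\n- initial\n")

def demo():
    variants = {
        "marker": replace(BASE, body=BASE.body.replace("📋 draft", "✅ draft")),
        "prose": replace(BASE, body=BASE.body.replace("void", "voided")),
        "chrome": replace(BASE, chrome="Home > Laws | rev 8"),
        "changelog": replace(BASE, changelog=BASE.changelog + "- typo fix\n"),
        "raw": replace(BASE, raw="<html>r2</html>"),
    }
    return {name: classify(BASE, snap) for name, snap in variants.items()}
```

Only the three classes that change the normalized checksum return a new-version candidate; the severity changes how much review is required, not whether a version event exists.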

3. Supersede & lineage policy

on_confirmed_version_event (CLS_1/2/4):
  old_version_row:   REMAINS. No hard overwrite. No in-place content_checksum update.
  new_version:       a NEW source_document_version CANDIDATE row, new content_checksum,
                     new document_version_id derived from the new checksum.
  lineage_link:      new.supersedes -> old.document_version_id
  status_transitions (proposed; live-schema support to be re-verified read-only
                      at seed re-authoring precheck — NOT asserted here):
    new: fetched -> ratified -> active
    old: active  -> superseded
  authoritative_current = the latest version that is (ratified AND pinned AND
                           snapshot-integrity-verified).
schema_reality:
  - live schema has UNIQUE(source_document_ref, content_checksum) = uq_sdvr_doc_checksum
    -> a new checksum is naturally a new row; an in-place update is structurally
       wrong AND policy-forbidden.
  - supersedes_version_id is a DESIGN-ONLY column (not live; per GPT R-PP1
    pattern) -> lineage recorded in provenance jsonb key
    `supersedes_document_version_id` until/unless a schema amendment is ratified.
  - version_status: a status field was observed (POST-4: version_status='fetched');
    the transition vocabulary above must be re-confirmed against live schema in
    the seed re-authoring phase before any reliance (read-only; deferred).
hard_invariants:
  - NEVER UPDATE an existing version row's content_checksum (QG5)
  - NEVER retry the approved seed against the lost old checksum f9d22d05… (QG1)
  - a superseded version is retained for audit/lineage, never deleted by this policy
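The supersede and lineage rules above, sketched against an in-memory SQLite table (added example, not the project's schema or code). The table name, the `sdv-` id derivation, the text column standing in for jsonb, and the `no_checksum_update` trigger are assumptions; only `uq_sdvr_doc_checksum` and the `supersedes_document_version_id` provenance key come from the page. Status transitions are left out because the page does not assert them.

```python
import hashlib, json, sqlite3

DDL = """
CREATE TABLE source_document_version (            -- hypothetical table name
  document_version_id TEXT PRIMARY KEY,
  source_document_ref TEXT NOT NULL,
  content_checksum    TEXT NOT NULL,
  version_status      TEXT NOT NULL DEFAULT 'fetched',
  provenance          TEXT NOT NULL DEFAULT '{}', -- jsonb in the live schema
  CONSTRAINT uq_sdvr_doc_checksum UNIQUE (source_document_ref, content_checksum));
CREATE TRIGGER no_checksum_update                 -- added guard, an assumption
BEFORE UPDATE OF content_checksum ON source_document_version
BEGIN SELECT RAISE(ABORT, 'in-place content_checksum update forbidden'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    return db

def add_version(db, ref, content, supersedes=None):
    """Insert a NEW version candidate row; never touches an existing row."""
    checksum = hashlib.sha256(content.encode("utf-8")).hexdigest()
    vid = "sdv-" + checksum[:16]  # assumed derivation of the id from the checksum
    prov = {"supersedes_document_version_id": supersedes} if supersedes else {}
    db.execute("INSERT INTO source_document_version "
               "(document_version_id, source_document_ref, content_checksum, provenance) "
               "VALUES (?, ?, ?, ?)", (vid, ref, checksum, json.dumps(prov)))
    return vid

def rejected(db, sql, params=()):
    """True when the database refuses the statement."""
    try:
        db.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True

def lineage(db, vid):
    """Walk supersedes links recorded in provenance, newest first."""
    chain = []
    while vid:
        chain.append(vid)
        (prov,) = db.execute("SELECT provenance FROM source_document_version "
                             "WHERE document_version_id = ?", (vid,)).fetchone()
        vid = json.loads(prov).get("supersedes_document_version_id")
    return chain
```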

4. Decision table

| change observed | class | new version? | review severity | in-place update? |
|---|---|---|---|---|
| ✅/📋/📝/⛔ count or set changed | CLS_1 | yes | HIGH (mandatory) | forbidden |
| markers same, prose/body changed | CLS_2 | yes | MEDIUM (lowered) | forbidden |
| chrome only (outside span) | CLS_3 | no (non-event) | none (auto) | n/a |
| CHANGELOG block changed | CLS_4 | yes | MEDIUM | forbidden |
| raw differs, normalized same | CLS_5 | no (non-event) | none (auto) | n/a |

5. Statement

  • Same-label/changed-checksum ruled a new version candidate (QG3); five drift classes defined with severity + supersede/lineage; no-silent-update preserved structurally and by policy (QG5); old version retained, lineage via provenance until schema amendment (QG3). Live source drift treated as real (QG1). Nothing executed/mutated (QG6).
  • doc 3 of 5; STOP after 5 files → route GPT/User. Self-advance PROHIBITED.

Companions: operations-framing, options-analysis, seed-strategy-update, policy-report.
