KB-383D
dot-iu-cutter v0.5 — Cut-plan Dry-run & Writer Decision · Writer Verification + Rollback/Compensation Plan (doc 5)
Revision 1
dot-iu-cutter v0.5 — Writer Verification + Rollback/Compensation Plan
doc 5 of 6 · 2026-05-19 · designed, NOT executed. Applies after the W-3 writer is built and (at W-5) only with a separate explicit production-write approval.
1. Verification after the writer (VW-1..VW-10) — separation of duty
VERIFY is a separate step behind its own gate (cutter_verify principal / DOT-992 lane, never the writer/executor; W-4/W-5). Asserted read-only against the governed store after a CUT:
VW-1 cardinality: exactly 60 information_unit + 60 unit_version rows for manifest
digest 9d908a62… (== candidate_count; NGUYEN_TAC 15 + KIEN_TRUC_SECTION 3 + DIEU 42).
VW-2 no excluded leakage: ZERO IU mapping to Điều 44 / the 3 other excluded rows.
VW-3 provenance binding: 100% IU identity_profile.provenance + unit_version.content_profile
bind source_document_version_id icxconst-008a06…, manifest_digest 9d908a62…,
snapshot_region_sha256 17660443….
VW-4 address integrity: every IU canonical_address ∈ the cut-plan 60, VERBATIM, UNIQUE,
status never encoded in the address (N-4).
VW-5 content fidelity: per IU, sha256(unit_version.body, canonicalized as in MARK) ==
cut-plan content_hash == manifest span_sha256.
VW-6 coverage parity: created-IU set ≡ cut-plan iu_mapping set (no extra, none missing);
reconstruction stays closed (229+10+69=308) given the OD-W1 all-IU mapping.
VW-7 birth-gate satisfied: every IU passed L1 (fields+vocab) and L2 (version_anchor_ref →
a unit_version WHERE id=anchor AND unit_id=IU.id; content_anchor_ref == anchor::text).
VW-8 hierarchy: parent_or_container_ref consistent with the manifest address path;
top-level NULL parent; no synthetic root (count == 60, OD-W3).
VW-9 idempotency: a re-CUT of the same manifest digest produced NO new rows (G-CUT-ONCE).
VW-10 determinism: the IU/unit_version set is byte-re-derivable from the pinned manifest
+ pinned snapshot region (cut_plan_digest edcae74f… stable).
verdict_rule: VERIFIED_COMPLETE iff VW-1..VW-10 all PASS; any fail ⇒
VERIFY_FAILED_ESCALATED ⇒ STOP + forward-compensation (§2); never fix-to-green,
never silent row deletion.
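As an added example (not part of this doc and not the cutter's own code), the VW checks above as a read-only verifier over constructed store rows: it returns the verdict plus the ids of the failed checks and never touches a row. Dicts stand in for the information_unit / unit_version tables; the field names, the lifecycle vocabulary, the MARK canonicalization rule and every digest value are assumptions (the real 9d908a62… / 17660443… pins are not used), and the fixture cuts 4 units rather than 60. VW-9 is taken as an observation supplied by the harness (rows added by a re-CUT), and VW-10 is left to the planner's re-derivation.

```python
"""Added example, not dot-iu-cutter code: a read-only post-CUT verifier for VW-1..VW-9.
Dicts stand in for the information_unit / unit_version tables. Field names, the lifecycle
vocabulary, the MARK canonicalization and every digest value are assumptions or constructed
stand-ins (not the real 9d908a62… / 17660443… pins); the fixture cuts 4 units, not 60."""
import hashlib
import unicodedata
from copy import deepcopy

PINNED = {"source_document_version_id": "icxconst-TEST",  # constructed stand-ins
          "manifest_digest": "manifest-TEST",
          "snapshot_region_sha256": "region-TEST"}
EXCLUDED_ROWS = {"DIEU 44", "EXCL-1", "EXCL-2", "EXCL-3"}  # Điều 44 + 3 other excluded rows
STATUS_VOCAB = {"ACTIVE", "SUPERSEDED", "RETIRED"}         # assumed L1 lifecycle vocabulary


def canonical_sha256(body):
    """Assumed MARK canonicalization: NFC, CRLF -> LF, trailing whitespace stripped per line."""
    text = unicodedata.normalize("NFC", body).replace("\r\n", "\n")
    return hashlib.sha256("\n".join(l.rstrip() for l in text.split("\n")).encode()).hexdigest()


def build_fixture():
    """Constructed manifest, cut plan and CUT output that must pass every check."""
    spans = [  # (source_row, canonical_address, parent_address, body)
        ("NGUYEN_TAC 1", "/nguyen_tac/1", None, "Principle one.\r\n"),
        ("KIEN_TRUC_SECTION 1", "/section/1", None, "Section one"),
        ("DIEU 1", "/section/1/dieu/1", "/section/1", "Article 1 text.  "),
        ("DIEU 2", "/section/1/dieu/2", "/section/1", "Article 2 text."),
    ]
    manifest = {"candidate_count": len(spans),
                "span_sha256": {a: canonical_sha256(b) for _, a, _, b in spans}}
    cut_plan = {"iu_mapping": [{"source_row": r, "canonical_address": a, "parent_address": p,
                                "content_hash": canonical_sha256(b)} for r, a, p, b in spans]}
    id_of = {a: f"iu-{i}" for i, (_, a, _, _) in enumerate(spans, 1)}
    ius, uvs = [], []
    for i, (row, addr, parent, body) in enumerate(spans, 1):
        ius.append({"id": f"iu-{i}", "canonical_address": addr, "source_row": row,
                    "lifecycle_status": "ACTIVE", "parent_or_container_ref": id_of.get(parent),
                    "version_anchor_ref": f"uv-{i}", "content_anchor_ref": f"uv-{i}",
                    "identity_profile": {"provenance": dict(PINNED)}})
        uvs.append({"id": f"uv-{i}", "unit_id": f"iu-{i}", "version_seq": 1,
                    "body": body, "content_profile": dict(PINNED)})
    return manifest, cut_plan, {"information_unit": ius, "unit_version": uvs}


def verify(manifest, cut_plan, store, recut_new_rows=0):
    """Assert VW-1..VW-9 against the store without mutating it; VW-10 (byte re-derivation from
    the pinned manifest + snapshot region) needs the planner and is not modelled here."""
    ius, uvs = store["information_unit"], store["unit_version"]
    uv_by_id = {v["id"]: v for v in uvs}
    iu_by_id = {u["id"]: u for u in ius}
    plan = {m["canonical_address"]: m for m in cut_plan["iu_mapping"]}
    addrs = [u["canonical_address"] for u in ius]
    n = manifest["candidate_count"]

    def hash_ok(u):  # VW-5: body hash == cut-plan content_hash == manifest span_sha256
        v, a = uv_by_id.get(u["version_anchor_ref"]), u["canonical_address"]
        if v is None or a not in plan:
            return True  # a missing anchor or an unplanned address is reported by VW-7 / VW-4
        return canonical_sha256(v["body"]) == plan[a]["content_hash"] == manifest["span_sha256"][a]

    def birth_gate_ok(u):  # VW-7: L1 fields+vocab, then L2 anchor -> a unit_version of this IU
        l1 = (all(u.get(f) for f in ("id", "canonical_address", "version_anchor_ref"))
              and u.get("lifecycle_status") in STATUS_VOCAB)
        v = uv_by_id.get(u["version_anchor_ref"])
        return l1 and v is not None and v["unit_id"] == u["id"] and u["content_anchor_ref"] == str(v["id"])

    def hierarchy_ok(u):  # VW-8: parent ref follows the cut-plan address path; top level is NULL
        want = plan.get(u["canonical_address"], {}).get("parent_address")
        ref = u["parent_or_container_ref"]
        return ref is None if want is None else (ref in iu_by_id and iu_by_id[ref]["canonical_address"] == want)

    checks = {
        "VW-1": len(ius) == n and len(uvs) == n,
        "VW-2": not any(u["source_row"] in EXCLUDED_ROWS for u in ius),
        "VW-3": (all(u["identity_profile"]["provenance"] == PINNED for u in ius)
                 and all(v["content_profile"] == PINNED for v in uvs)),
        "VW-4": (len(set(addrs)) == len(addrs) and all(a in plan for a in addrs)
                 and not any(tok in a.upper() for a in addrs for tok in STATUS_VOCAB)),
        "VW-5": all(hash_ok(u) for u in ius),
        "VW-6": set(addrs) == set(plan),
        "VW-7": all(birth_gate_ok(u) for u in ius),
        "VW-8": all(hierarchy_ok(u) for u in ius),
        "VW-9": recut_new_rows == 0,  # supplied by the harness: rows added by a re-CUT of the same digest
    }
    failed = [k for k, ok in checks.items() if not ok]
    # verdict_rule: any FAIL escalates; the verifier never deletes or "fixes" a row to reach green
    return {"verdict": "VERIFIED_COMPLETE" if not failed else "VERIFY_FAILED_ESCALATED", "failed": failed}


def leaked_store(store):
    """Constructed fault: a Điều 44 row was cut anyway (one extra IU + unit_version, excluded source)."""
    s = deepcopy(store)
    s["information_unit"].append({"id": "iu-44", "canonical_address": "/dieu/44", "source_row": "DIEU 44",
                                  "lifecycle_status": "ACTIVE", "parent_or_container_ref": None,
                                  "version_anchor_ref": "uv-44", "content_anchor_ref": "uv-44",
                                  "identity_profile": {"provenance": dict(PINNED)}})
    s["unit_version"].append({"id": "uv-44", "unit_id": "iu-44", "version_seq": 1,
                              "body": "Article 44 text.", "content_profile": dict(PINNED)})
    return s


def tampered_store(store):
    """Constructed fault: a body edited after the cut, so it no longer matches the pinned hashes."""
    s = deepcopy(store)
    s["unit_version"][2]["body"] = "Article 1 text, edited."
    return s
```

On the clean fixture `verify` returns VERIFIED_COMPLETE with an empty fail list; the leaked store trips VW-1, VW-2, VW-4 and VW-6 together (the extra row breaks cardinality, exclusion, address membership and coverage parity at once), and the tampered store trips only VW-5. Each fault leaves the store exactly as found: escalation is the output, not a correction.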
2. Rollback / compensation doctrine
W-3 scratch dry-run: no rollback needed (scratch schema dropped / txn rolled back;
zero production state). Net-zero by construction.
production CUT (W-5, only if separately approved):
R-pre ONE atomic transaction; deferred L2 at COMMIT ⇒ any failure rolls back ALL 60
(clean all-or-nothing; no partial cut, no orphan unit_version).
R-post a fault found AFTER commit ⇒ governed FORWARD-COMPENSATION only:
- new superseding unit_version (version_seq+1) and/or lifecycle_status change
under the proper principal;
- append the governed change/escalation record;
- the erroneous rows remain visible but superseded (audit-preserving).
NEVER physical DELETE/TRUNCATE of information_unit/unit_version.
R-id G-CUT-ONCE makes a re-CUT of a manifest digest that already committed a no-op, and a
rolled-back txn leaves nothing behind to collide with ⇒ a retry in either case cannot double-insert.
R-snap source/snapshot immutable & pinned (digest 9d908a62…, region 17660443…);
"restore" = re-derive from the pinned manifest, never hand-edit rows.
R-cred rollback/compensation runs under the governed principal; the cutter_verify
/DOT-992 lane (W-4) owns the verify+escalation path, distinct from the writer.
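As an added example (not the cutter's code), the R-pre / R-id / R-post rules against an in-memory SQLite store: one transaction per manifest with the L2 gate evaluated inside the transaction immediately before COMMIT (emulating the deferred constraint), a cut_ledger keyed by manifest digest for G-CUT-ONCE, forward compensation as a version_seq+1 row plus an appended change record, and BEFORE DELETE triggers so the store itself refuses physical deletion. The table, column and trigger names, the ledger, the principal string and the sample units are assumptions; the real store, digests and principals are not modelled.

```python
"""Added example, not dot-iu-cutter code: the R-pre / R-id / R-post doctrine on an in-memory
SQLite store. Table, column and trigger names, the cut_ledger and the sample units are
assumptions; the deferred L2 constraint is emulated by a gate query run inside the transaction
immediately before COMMIT. The real store, digests and principals are not modelled."""
import sqlite3

DDL = """
CREATE TABLE cut_ledger (manifest_digest TEXT PRIMARY KEY);          -- G-CUT-ONCE (R-id)
CREATE TABLE information_unit (id TEXT PRIMARY KEY, manifest_digest TEXT NOT NULL,
    canonical_address TEXT NOT NULL UNIQUE, version_anchor_ref TEXT NOT NULL);
CREATE TABLE unit_version (id TEXT PRIMARY KEY, unit_id TEXT NOT NULL, version_seq INTEGER NOT NULL,
    body TEXT NOT NULL, lifecycle_status TEXT NOT NULL DEFAULT 'ACTIVE', UNIQUE (unit_id, version_seq));
CREATE TABLE change_record (seq INTEGER PRIMARY KEY, unit_id TEXT, action TEXT, principal TEXT);
-- audit preservation enforced by the store, not only by policy: physical DELETE is refused
CREATE TRIGGER no_delete_iu BEFORE DELETE ON information_unit
    BEGIN SELECT RAISE(ABORT, 'physical DELETE forbidden: use forward compensation'); END;
CREATE TRIGGER no_delete_uv BEFORE DELETE ON unit_version
    BEGIN SELECT RAISE(ABORT, 'physical DELETE forbidden: use forward compensation'); END;
"""
# L2 birth gate: every IU's version_anchor_ref must name a unit_version whose unit_id is that IU
L2_GATE = """SELECT COUNT(*) FROM information_unit iu WHERE NOT EXISTS
    (SELECT 1 FROM unit_version uv WHERE uv.id = iu.version_anchor_ref AND uv.unit_id = iu.id)"""


def open_store():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN/COMMIT issued explicitly
    conn.executescript(DDL)
    return conn


def cut(conn, manifest_digest, units):
    """R-pre: one transaction per manifest; the L2 gate runs just before COMMIT and any failure
    rolls back every row, ledger entry included. Returns IUs written (0 = G-CUT-ONCE no-op).
    units: (iu_id, canonical_address, uv_id, version_anchor_ref, body); anchor normally == uv_id."""
    conn.execute("BEGIN")
    try:
        if conn.execute("SELECT 1 FROM cut_ledger WHERE manifest_digest = ?", (manifest_digest,)).fetchone():
            conn.execute("ROLLBACK")
            return 0                                        # R-id: this digest already committed
        conn.execute("INSERT INTO cut_ledger VALUES (?)", (manifest_digest,))
        for iu_id, address, uv_id, anchor_ref, body in units:
            conn.execute("INSERT INTO information_unit VALUES (?,?,?,?)", (iu_id, manifest_digest, address, anchor_ref))
            conn.execute("INSERT INTO unit_version (id, unit_id, version_seq, body) VALUES (?,?,1,?)", (uv_id, iu_id, body))
        bad = conn.execute(L2_GATE).fetchone()[0]
        if bad:
            raise ValueError(f"L2 gate: {bad} IU(s) whose anchor is not their own unit_version")
        conn.execute("COMMIT")
        return len(units)
    except Exception:
        conn.execute("ROLLBACK")                            # all-or-nothing: no partial cut, no orphan
        raise


def compensate(conn, unit_id, corrected_body, principal):
    """R-post: a fault found after COMMIT is fixed forward. The erroneous version stays visible
    as SUPERSEDED; a version_seq+1 row and a change record are appended. Returns the new seq."""
    conn.execute("BEGIN")
    (seq,) = conn.execute("SELECT MAX(version_seq) FROM unit_version WHERE unit_id = ?", (unit_id,)).fetchone()
    conn.execute("UPDATE unit_version SET lifecycle_status = 'SUPERSEDED' WHERE unit_id = ? AND version_seq = ?",
                 (unit_id, seq))
    conn.execute("INSERT INTO unit_version (id, unit_id, version_seq, body) VALUES (?,?,?,?)",
                 (f"{unit_id}-v{seq + 1}", unit_id, seq + 1, corrected_body))
    conn.execute("INSERT INTO change_record (unit_id, action, principal) VALUES (?,?,?)",
                 (unit_id, f"supersede v{seq} -> v{seq + 1}", principal))
    conn.execute("COMMIT")
    return seq + 1


def row_counts(conn):
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("cut_ledger", "information_unit", "unit_version", "change_record")}


GOOD = [(f"iu-{i}", f"/dieu/{i}", f"uv-{i}", f"uv-{i}", f"Article {i}") for i in range(1, 5)]  # constructed
BROKEN = GOOD[:3] + [("iu-4", "/dieu/4", "uv-4", "uv-9", "Article 4")]  # anchor names a missing version


def demo():
    """One constructed run; returns the states a VERIFY step would observe."""
    conn, out = open_store(), {}
    try:
        cut(conn, "manifest-TEST", BROKEN)
    except ValueError:
        out["after_failed_cut"] = row_counts(conn)          # R-pre: nothing survives the rollback
    out["first_cut"] = cut(conn, "manifest-TEST", GOOD)     # retry after rollback writes once
    out["recut"] = cut(conn, "manifest-TEST", GOOD)         # R-id: same digest again -> 0 rows
    out["new_seq"] = compensate(conn, "iu-2", "Article 2 (corrected)", "governed-principal")
    try:
        conn.execute("DELETE FROM unit_version WHERE unit_id = 'iu-2'")
        out["delete_refused"] = False
    except sqlite3.DatabaseError:                           # trigger RAISE(ABORT)
        out["delete_refused"] = True
    out["final"] = row_counts(conn)
    return out
```

The broken batch leaves all four tables empty (the ledger row rolls back with the data, so the retry is not mistaken for a re-CUT); the retry writes 4 IUs, the re-CUT writes 0, and after compensation the store holds 4 IUs, 5 unit_version rows (the superseded one still present) and 1 change record, with the DELETE attempt refused by the trigger. The trigger is a belt-and-braces control; the governed principal should also lack DELETE privilege.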
3. Risk carry-forward (from the writer risk register, post cut-plan PASS)
R-W2 birth-gate runtime reject: MITIGATED-by-design (mapping uses only re-verified seeded
vocab; W-3 scratch dry-run proves L1/L2 before any production). residual: LOW→MEDIUM
until the scratch dry-run actually runs.
R-W1/W5/W6 cardinality/exclusion/provenance: the cut-plan PASS this phase already proves
60 / Điều-44-excluded / 100%-provenance / reconstruction_ok at the planner layer ⇒
the writer inherits a verified input. residual: LOW.
R-W7 premature production: controlled by W-3 DB-isolated-first → W-4 cred → W-5 approval.
overall: planner side now EVIDENCED (cut-plan PASS); writer side remains MEDIUM-HIGH
until built+scratch-proven; production remains multi-gate.
doc 5 of 6. Design only. No production mutation. Self-advance PROHIBITED.