dot-iu-cutter v0.5 — Cutwrite DB-Isolated Writer · Verification + Rollback Result

doc 4 of 5 · 2026-05-19 · verification of the W-3 DB-isolated dry-run against the ratified VW-1..VW-10 plan (scratch evidence; production VERIFY remains W-4/W-5, separate).

1. VW checklist — scratch evidence (DB-isolated)

VW-1  cardinality: PASS — 60 information_unit + 60 unit_version (== candidate_count;
      NT 15 + KT 3 + DIEU 42).
VW-2  no excluded leakage: PASS — dieu_44_present=false; build_rows hard-rejects any
      number==44 or non-enacted candidate (exit 3); excluded[] never mapped.
VW-3  provenance binding: PASS — every IU identity_profile.provenance +
      unit_version.content_profile bind source_document_version_id icxconst-008a06…,
      manifest_digest 9d908a62…, snapshot_region_sha256 17660443…, span_sha256.
VW-4  address integrity: PASS — all canonical_address ICX-CONST/<seg>, VERBATIM,
      UNIQUE (scratch UNIQUE backstop), status never in address.
VW-5  content fidelity: PASS — sha256(unit_version.body) == candidate.span_sha256 for
      all 60 (fail-closed gate in build_rows; the run PASSed ⇒ held ×60).
VW-6  coverage parity: PASS — created-IU set ≡ cut-plan candidates set; levels match
      the accepted MARK identity; reconstruction stays closed (planner already proved
      229+10+69=308; all-IU OD-W1 mapping preserves it).
VW-7  birth-gate satisfied: PASS — L1 (fields+vocab) ×60 and L2 (deferred anchor
      consistency) ×60 all passed at commit.
VW-8  hierarchy: PASS — parent_or_container_ref by address path; flat ICX-CONST/<seg>
      ⇒ all 60 top-level NULL; no synthetic root; count == 60 (OD-W3).
VW-9  idempotency: PASS — idempotent_rerun_noop=true; OD-1 keys 60 distinct;
      pre-existing ICX-CONST set ⇒ status NOOP_ALREADY_APPLIED (G-CUT-ONCE) by design.
VW-10 determinism: PASS — writer_digest d99a31d4… stable across in-test and /tmp runs
      and across the in-process double build (content-addressed, excludes uuids).
verdict: ALL VW-1..VW-10 PASS in the DB-isolated harness. (Production VERIFY under
  cutter_verify/DOT-992 is a SEPARATE W-4/W-5 step — not run here.)

2. Rollback / compensation — proven in scratch

all-or-nothing (R-pre): PROVEN — TestRollbackAtomicity: one bad row mid-txn ⇒
  BirthGateReject ⇒ rollback ⇒ 0 information_unit / 0 unit_version. Also
  test_l2_missing_anchor_rejects_at_commit: L2 RAISE at commit ⇒ rollback ⇒ 0 rows.
  No partial cut, no orphan unit_version possible (single txn; L2 deferred to commit).
idempotency (R-id): re-applying the same manifest digest against a populated store ⇒
  pre-existence check returns the 60 ⇒ NO-OP (status NOOP_ALREADY_APPLIED), zero new rows.
post-commit doctrine (R-post, design — not exercised, production-only): forward-
  compensation only (superseding unit_version version_seq+1 / lifecycle change),
  NEVER physical DELETE/TRUNCATE; runs under the governed principal; cutter_verify/
  DOT-992 owns verify+escalation (separation of duty). Source/snapshot immutable & pinned.
scratch cleanup: rm -rf $WD ⇒ zero residue; net-zero by construction.

3. Residual risk after W-3

R-W2 birth-gate runtime reject: DOWNGRADED — the scratch harness proved L1+L2 pass for
  all 60 with the ratified mapping and re-verified vocab. residual: LOW (production
  re-confirmation of dot_config + schema at W-5 still required — drift precheck).
fidelity to production: the harness is a FAITHFUL re-implementation of the captured
  plpgsql gates + constraints, NOT the live triggers. residual risk that production
  trigger logic differs from the 2026-05-19 capture ⇒ W-5 must re-verify the live
  fn_iu_birth_gate_layer1/2 + UNIQUE/FK definitions read-only before any production CUT.
overall: writer correctness EVIDENCED in isolation; production write remains multi-gate
  (W-4 credential/signing → W-5 prod CUT command-review + separate prod-write approval).

doc 4 of 5. Scratch verification only. No production mutation. Self-advance PROHIBITED.