KB-454A

dot-iu-cutter v0.5 — evidenced_by DOT Cap-4 Checker Extension Design (design-only)

Revision 1
Tags: dot-iu-cutter, v0.5, fabric-addendum, evidenced_by, cap4-checker, design-only, no-execution

Phase: v0_5_evidenced_by_vocab_amend_and_cap4_extension_design · Nature: design_only · Date: 2026-05-18 · Authority: Sovereign GPT ruling (OD-EB1 APPROVE, design-governance only) + P44-4A §3.3 step 5 + §4.1–§4.5 (E1–E8, INV-E1..E8) + §2.1/§4.2 OQC.

⚠️ GATING BANNER

phase: design_only
cap4_checker_code_changed: false      # NO code written/modified
sql_executed: none
schema_change: none
execution_authorized: false
self_advance: PROHIBITED

All "rules" below are logical validation specifications, not code. No executable code/SQL appears (QG2). The DOT Cap-4 checker is NOT modified by this file (P44-4A §3.3 step 5 is post-PASS, command-review-gated).


1. Scope

This file gives the logical design of the DOT Cap-4 (relation conformance) checker rules that must govern evidenced_by edges, so that a future command-review can implement and verify them. Rules are expressed as decision logic / pseudo-rules: no language, no SQL, no DDL/DML (QG2). The boundary between evidenced_by and iu_entity_binding is preserved throughout (QG3).

2. Rule families

rule_families:
  R-EP : endpoint validation (registered IU/Object + OQC + no raw_entity)
  R-AU : authority validation (source normative/requirement/claim; target evidence_authority)
  R-NO : non-overlap validation (reject reuse cases)
  R-PV : provenance validation
  R-LC : lifecycle validation
  R-AD : anti-drift / structural invariants
enforcement_point: DOT Cap-4 writer/checker at edge birth + periodic audit (P44-4A §4.2, §4.5)
outcome_vocabulary: { ACCEPT, REJECT(reason_code, required_alternative), DEFER(reason) }

3. R-EP — Endpoint validation

R-EP1  source_ref MUST resolve to a registered IU/Object (registered_object).
R-EP2  target_ref MUST resolve to a registered IU/Object (registered_object).
R-EP3  source_ref Object MUST satisfy OQC >= 3/4   (P44-4A §2.1 / §4.2 rule 4).
R-EP4  target_ref Object MUST satisfy OQC >= 3/4.
R-EP5  NEITHER endpoint may be a raw_entity (customer/contract/invoice id,
        file path, Directus item id, code module, SQL entity). A raw_entity
        fails OQC by construction → REJECT(RAW_ENDPOINT, iu_entity_binding).
R-EP6  cross-layer endpoints (Object<->Concept) FORBIDDEN (P44-4A §2.4) → REJECT(CROSS_LAYER).
R-EP7  composite ref {collection,id,code} MUST validate: collection ∈ Family
        Registry/SCMR; id exists in physical target; code (if present) matches
        canonical address (P44-4A §4.2 validation logic 1–4).
on_fail: REJECT with reason_code; if RAW_ENDPOINT → required_alternative = iu_entity_binding(binding_kind=evidences)

4. R-AU — Authority validation

Uses the WS-1/WS-2 authority_semantics roles (normative_authority | evidence_authority | implementation_authority); note these are Fabric roles, distinct from P44 owner_law tagging (carried distinction — QG7).

R-AU1  source authority_role SHOULD be normative_authority (a normative /
        requirement / claim IU). 
R-AU2  target authority_role SHOULD be evidence_authority (report / lesson /
        verification artifact / test result IU).
R-AU3  authority_role is taken from source_family default, REPLACED by a
        unit-level OR span-level authority_override when present (WS-1 §4 /
        WS-2 D4). Override is the ONLY sanctioned way to deviate from the
        source_family default.
R-AU4  If source resolves to evidence_authority/implementation_authority with
        NO override, OR target resolves to normative_authority with NO override
        → REJECT(AUTHORITY_ROLE_MISMATCH) — likely the relation is references/
        implements/derived_from/governed_by (route via R-NO).
R-AU5  Override provenance MUST be present (who/why/scope unit|span) for any
        authority_override relied on by R-AU1/R-AU2.
severity_note: R-AU1/R-AU2 are SHOULD (warn+gate via override), R-AU3/R-AU5 are MUST.

5. R-NO — Non-overlap validation (QG3, QG4)

The checker MUST reject misuse and name the correct mechanism:

R-NO1  weak mention / read-only citation, NO attestation semantics
         → REJECT(WEAK_MENTION)              required_alternative = references
R-NO2  source realizes a specification target (build-to-spec)
         → REJECT(IMPLEMENTATION)            required_alternative = implements
R-NO3  target is the source the unit was created/derived FROM (provenance)
         → REJECT(CREATION_PROVENANCE)       required_alternative = derived_from
R-NO4  source under normative governance/authority of target (law/agency)
         → REJECT(GOVERNANCE)                required_alternative = governed_by
R-NO5  evidence target is a raw evidence entity (report PATH / file / Directus
        item id / code module / SQL entity — NOT an IU)
         → REJECT(RAW_EVIDENCE_ENTITY)       required_alternative =
             iu_entity_binding(binding_kind=evidences) + entity_reference_registry
R-NO6  relation expressible by an existing Core/Candidate edge without loss of
        the attestation meaning → REJECT(REDUNDANT, name the edge)
accept_condition: ACCEPT only if NONE of R-NO1..R-NO6 fire AND R-EP* AND R-AU* pass,
  i.e. the relation is durable IU<->IU attestation ("target attests source was
  satisfied/performed/demonstrated") and nothing weaker fits.

Boundary statement (QG3/QG4): R-NO5 + R-EP5 jointly guarantee a raw evidence entity can never become an evidenced_by edge — it is always routed to iu_entity_binding with binding_kind=evidences. evidenced_by is strictly the IU↔IU graph-edge counterpart.

6. R-PV — Provenance validation (P44-4A §4.3, INV-E4)

R-PV1  provenance MUST be present (post-Đ44 INV-E4; missing → block birth, Đ44 §9.4).
R-PV2  provenance.creator   MUST be present (DOT / agent / human identity).
R-PV3  provenance.method    MUST ∈ {structural, derived, manual};
        evidenced_by typically `derived` or `manual` (NOT `structural`).
R-PV4  provenance.source_context MUST be present (artifact/run/APR-decision id).
R-PV5  provenance.timestamp MUST be ISO 8601.
R-PV6  IF E5 confidence < 1.0 THEN provenance.confidence_method MUST be present
        (e.g. embedding_cosine=…, human_attested); ELSE confidence_method optional.
on_fail: REJECT(PROVENANCE_INCOMPLETE, missing_field)

7. R-LC — Lifecycle validation (P44-4A §4.4)

R-LC1  status ∈ {proposed, active, deprecated, retired}.
R-LC2  default at birth = proposed (derived/semantic edge).
R-LC3  allowed transitions ONLY:
         proposed   -> active     (after Cap-4 verify OR human review)
         active     -> deprecated (on supersede via `supersedes`, or evidence retracted)
         deprecated -> retired    (after grace period; defer post-pilot)
R-LC4  any other transition (e.g. retired->active, proposed->retired) → REJECT(ILLEGAL_TRANSITION).
R-LC5  audit (periodic, not birth): >=2 status states MUST hold real rows in
        production (INV-E5 / OQC-2) — flagged as post-implementation audit obligation.

8. R-AD — Anti-drift / structural invariants (P44-4A §4.5)

R-AD1  INV-E1 edge_id unique.
R-AD2  INV-E2 source_ref & target_ref both resolve to valid Objects (≡ R-EP1/2/7).
R-AD3  INV-E3 edge_type ∈ vocab framework AND owner_law_code namespace = NRM-LAW-44
        object-edge; edge_type MUST be read from vocab framework, never hardcoded (NT4).
R-AD4  INV-E4 provenance complete (≡ R-PV1..R-PV6).
R-AD5  INV-E5 status enum + ≥2 real states in production (≡ R-LC1/R-LC5).
R-AD6  symmetric = false; NO second hand-written reverse row — reverse `evidences`
        served ONLY via P44-4A §6 reverse-index (no INV-E6 dual-entry requirement,
        unlike contradicts/compatible_with).
R-AD7  assembly-local "evidence-of" annotations (WS-3 alt B) MUST NOT be auto-
        promoted to persisted evidenced_by rows without the §3.3 step-4 amend
        being live AND command-review authorization (anti-silent-drift).
R-AD8  evidenced_by MUST NOT co-exist as a duplicate of an existing references/
        implements/derived_from/governed_by edge over the same ordered pair
        carrying the same meaning (dedup against semantic drift).

9. Checker decision flow (logical, non-code)

INPUT: candidate edge {source_ref, target_ref, edge_type=evidenced_by, provenance, status, confidence}
 1. edge_type recognized in vocab framework?           no  -> REJECT(UNKNOWN_EDGE_TYPE)   [needs §3.3 step-4 amend live]
 2. R-EP1..R-EP7                                        fail -> REJECT(...)  (RAW_ENDPOINT -> iu_entity_binding)
 3. R-NO1..R-NO6                                        fire -> REJECT(..., required_alternative)
 4. R-AU1..R-AU5                                        fail -> REJECT(AUTHORITY_ROLE_MISMATCH)
 5. R-PV1..R-PV6                                        fail -> REJECT(PROVENANCE_INCOMPLETE)
 6. R-LC1..R-LC4 (birth: status==proposed)              fail -> REJECT(ILLEGAL_LIFECYCLE)
 7. R-AD1..R-AD8                                        fail -> REJECT(INVARIANT_VIOLATION)
 8. all pass                                            -> ACCEPT (status=proposed)
periodic audit: re-run R-LC5, R-AD5, R-AD7, R-AD8 over production set
NOTE: this is decision LOGIC for future implementation — NOT code, NOT executed.

10. Explicit non-execution statement

cap4_checker_code_changed: false
checker_deployed: false
sql_executed: none
schema_change: none
this_file_is: logical validation-rule SPECIFICATION for future command-review
execution_path: separate GPT/User-authorized command-review — NOT this phase
self_advance: PROHIBITED

Design only. The DOT Cap-4 checker is NOT modified. These rules are a specification for a later command-review; until then evidenced_by is not enforced anywhere and not usable.


Companion files: vocab-amend-design, verification-and-rollback-plan, vocab-cap4-design-report.
