dot-iu-cutter v0.5 — evidenced_by Verification & Rollback Plan (design-only)
dot-iu-cutter v0.5 — evidenced_by Verification & Rollback / Compensation Plan
Phase: v0_5_evidenced_by_vocab_amend_and_cap4_extension_design · Nature: design_only · Date: 2026-05-18
Authority: Sovereign GPT ruling (OD-EB1 APPROVE, design-governance only) + P44-4A §3.3/§4.x.
⚠️ GATING BANNER
phase: design_only
verification_executed: false # NO checks run — this is the PLAN, not the run
rollback_executed: false
sql_executed: none
schema_change: none
execution_authorized: false
self_advance: PROHIBITED
This file specifies how a future command-review would verify and roll back the vocab amend + Cap-4 extension. Nothing is executed. No SQL/code (QG2). It includes a negative test matrix (QG4) and a rollback/compensation plan (QG5).
1. Scope & preconditions
This plan applies to a future GPT/User-authorized command-review that executes (a) the §3.3 step-4 vocab amend and (b) the §3.3 step-5 Cap-4 checker extension. It is the acceptance/rollback contract for that future cycle. It is not that cycle.
preconditions_for_the_FUTURE_cycle (not satisfied/checked here):
- sovereign APR ruling APPROVE — SATISFIED (2026-05-18)
- vocab-amend-design + cap4-checker-extension-design — authored (this package)
- GPT/User command-review authorization — NOT YET (required before any run)
- backup/restore strategy for vocab framework store — to be specified at command-review
2. Structural verification checks (post-implementation — design of the checks only)
SV-1 vocab framework contains edge_type `evidenced_by` EXACTLY ONCE (no dup, no shadow).
SV-2 vocab entry: reverse_type=evidences, owner_law_code=NRM-LAW-44,
edge_family=relation/Cap-4, default_state=proposed, provenance_required=true.
SV-3 DOT Cap-4 checker recognizes `evidenced_by` (reads it from vocab, NOT hardcoded — NT4).
SV-4 vocab set after amend = 8 Core + 3 Candidate + 1 Extension; NO Core/Candidate
definition altered; composition (Cap-5) set untouched.
SV-5 reverse `evidences` resolvable via P44-4A §6 reverse-index (forward-only row;
no mandatory second physical row).
SV-6 endpoint rule live: raw_entity endpoint REJECTED (R-EP5/R-NO5); both-IU OQC>=3/4
evidence relation ACCEPTED (R-EP*).
SV-7 provenance enforced: edge without complete provenance REJECTED (R-PV*).
SV-8 lifecycle enforced: birth state=proposed; illegal transitions REJECTED (R-LC*).
SV-9 anti-drift: assembly-local "evidence-of" annotation NOT auto-promoted (R-AD7);
no duplicate over an existing references/implements/derived_from/governed_by pair (R-AD8).
SV-10 idempotence: re-running the amend does not create a second vocab entry.
each_check_outcome: PASS | FAIL(detail) — design of the assertion, NOT executed here
3. Negative test matrix (QG4) — misuse must route correctly
| # | Input relation | Expected checker outcome | Required alternative |
|---|---|---|---|
| NT-1 | Requirement IU → raw report file path ("rpt/findings.md") | REJECT(RAW_EVIDENCE_ENTITY) | iu_entity_binding binding_kind=evidences (+ entity_reference_registry) |
| NT-2 | Requirement IU → Directus item id / SQL entity / code module as evidence | REJECT(RAW_ENDPOINT) | iu_entity_binding binding_kind=evidences |
| NT-3 | IU → IU, weak citation only, no attestation | REJECT(WEAK_MENTION) | references |
| NT-4 | IU → IU, target is the source it was derived from (provenance) | REJECT(CREATION_PROVENANCE) | derived_from |
| NT-5 | Component IU → spec IU, build-to-spec | REJECT(IMPLEMENTATION) | implements |
| NT-6 | IU under normative governance of law/agency IU | REJECT(GOVERNANCE) | governed_by |
| NT-7 | source=evidence_authority / target=normative_authority, no override | REJECT(AUTHORITY_ROLE_MISMATCH) | re-evaluate; likely references/derived_from |
| NT-8 | valid IU↔IU attestation but provenance missing | REJECT(PROVENANCE_INCOMPLETE) | supply provenance, resubmit |
| NT-9 | valid attestation but status=active at birth | REJECT(ILLEGAL_LIFECYCLE) | birth as proposed |
| NT-10 | cross-layer Object↔Concept | REJECT(CROSS_LAYER) | undefined — out of scope (P44-4A §2.4) |
| NT-11 | duplicate of an existing governed_by pair, same meaning | REJECT(REDUNDANT) | keep existing edge |
| NT-12 (positive control) | Requirement IU → report IU, OQC≥3/4 both, provenance complete, status=proposed | ACCEPT | — |
NT-1/NT-2 enforce the evidenced_by ⟂ iu_entity_binding boundary (QG3); NT-12 is the lone positive control. None of these are executed (design-only).
4. Rollback / compensation plan (QG5)
Failure-mode-driven. Each lists detection and the compensation (no execution here — plan only).
4.1 Vocab amend wrong (SV-1/SV-2/SV-4/SV-10 fail)
detect: SV-1 dup/shadow, SV-2 wrong attributes, SV-4 a Core/Candidate altered, SV-10 non-idempotent
compensation:
- before amend: snapshot the edge_type vocab framework state (command-review must capture this)
- rollback: restore vocab framework to pre-amend snapshot (remove evidenced_by entry /
revert mutated attribute) — exact inverse, no CASCADE, no Core/Candidate touched
- blast radius: vocab-only; no edge rows exist yet (vocab precedes any edge use)
- reversibility: HIGH (additive single-entry change; clean inverse)
4.2 Checker rule wrong (SV-3/SV-6..SV-9 or any NT-* mismatched)
detect: negative test matrix mismatch (false ACCEPT or wrong REJECT), SV-3 not recognized
compensation:
- checker change must be deployed behind a reversible toggle / versioned rule set
- rollback: revert Cap-4 checker to prior rule version (evidenced_by unrecognized →
relations fall back to assembly-local alt B / iu_entity_binding — WS-3 still valid)
- no edge rows should be created until checker passes the full negative matrix
- reversibility: HIGH (checker is stateless validation; revert = redeploy prior rules)
4.3 Edge rows incorrectly created later (post go-live data defect)
detect: periodic audit (R-AD7/R-AD8/R-LC5) finds mis-created evidenced_by rows
(e.g. raw-entity slipped in, duplicate of governed_by, missing provenance)
compensation:
- NOT a hard delete first: set status -> deprecated (audit trail preserved, P44-4A §4.4),
then retired after grace period; reroute the true relation to its correct mechanism
(iu_entity_binding / references / derived_from / implements / governed_by)
- quarantine: stop further evidenced_by writes (disable via vocab status or checker gate)
until root cause fixed
- full vocab/checker rollback (4.1/4.2) only if the defect is systemic
- reversibility: MEDIUM (data exists; compensation = lifecycle demotion + reroute,
append-only audit, NOT silent deletion)
escalation: any ambiguous case -> STOP, route GPT/User; agent does NOT self-decide
4.4 Rollback ordering & guardrails
order_of_rollback (most-reversible first):
1. checker rule revert (stateless) -> 4.2
2. vocab entry revert (additive, no rows) -> 4.1
3. data compensation (lifecycle demote) -> 4.3
guardrails:
- command-review MUST capture pre-state snapshots before any mutation
- no destructive DELETE/CASCADE in rollback; demote-then-retire + restore-from-snapshot
- all rollback steps are themselves command-review-gated (NOT auto-run)
5. Explicit non-execution statement
verification_executed: false
rollback_executed: false
checks_run: 0
sql_executed: none
schema_change: none
this_file_is: a verification + rollback PLAN for a future command-review
self_advance: PROHIBITED
Design only. No verification was run; no rollback was performed. Execution of the verified amend/extension and of any rollback is forbidden in this phase and requires a separate GPT/User-authorized command-review.
Companion files: vocab-amend-design, cap4-checker-extension-design, vocab-cap4-design-report.