KB-3F54

dot-iu-cutter v0.5 — Final Bridge · Backup / Drift / Verification / Rollback Plan (doc 5)


doc 5 of 6 · 2026-05-19 · DESIGNED, not executed. Applies at the gated production CUT, after GAP-B1 (UB-1|UB-2) + GD-1 + U-W4b + C5 all CLOSED.

1. Prechecks — fail-closed (ALL pass before any production write)

PC-0 GAP-B1 closed (UB-1 leg-B builder reviewed-PASS, OR UB-2 sovereign
     decoupling ruling) ∧ GD-1 ruled ∧ U-W4b GRANT executed+verified ∧ C5
     sovereign production-write approval doc present (KB id).
PC-1 repo branch feature/constitution-snapshot-mark-dryrun · HEAD = ratified
     composer commit · tree clean · cutwrite.py sha 31ce88dc… (unchanged).
PC-2 input identity recompute: manifest file sha 7d56f3ce… · digest 9d908a62…
     · count 60 · source_version icxconst-008a06… · region 17660443…; any
     mismatch ⇒ ABORT (enforced by prod_iu_adapter G2).
PC-3 writer_digest == d99a31d4… recomputed by the pure factory (adapter G3).
PC-4 LIVE drift re-verify (read-only, SAME session, immediately before txn —
     adapter G5): information_unit 19 cols · unit_version 16 cols · IU 4
     constraints · md5(L1)=f38c94d0043a61507a8c2e85afd59998 ·
     md5(L2)=078ba0051ce4d894cabcc0102c4320f8 · dot_config vocab 6/6 ;
     mismatch ⇒ ABORT. (ALL re-verified PASS read-only THIS phase.)
PC-5 G-CUT-ONCE (adapter G6): count(public.information_unit canonical_address
     LIKE 'ICX-CONST%')==0 (live=0 this phase) ∧ no cut_change_set for
     9d908a62… ⇒ else NO-OP exit 0, never re-insert.
PC-6 principal (adapter G4): post-connect current_user=='cutter_exec'; reject
     cutter_ro/workflow_admin/directus/postgres; public.* grants present
     (U-W4b done): cutter_exec SELECT+INSERT on info_unit, UPDATE (2 anchor),
     SELECT+INSERT on unit_version, SELECT on dot_config; cutter_verify
     SELECT on info_unit/uv.
PC-7 FRESH BACKUP (§2) ≤60 min, restorable, sha logged (adapter G7 gate).
PC-8 no DB env leakage; secret only from approved .env; never argv/logs/KB
     (cutprod refuses on any PG_DSN/DATABASE_URL/DIRECTUS_URL/PGHOST/PGUSER/
     PGPASSWORD — verified).
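The fail-closed gate chain of §1, as an added example (not the project's cutprod / prod_iu_adapter code): gate labels G2/G4/G6, the PC-8 forbidden environment names and the rejected roles come from the page; the manifest, the digest rule, the LiveState model and the result strings are assumptions made for the example.

```python
"""Fail-closed precheck gates modelled on §1 (added example; not the
project's cutprod / prod_iu_adapter code). Gate labels G2/G4/G6 and the
forbidden env names follow the page; the data model, the digest rule and
every sample value are constructed for this example."""
import hashlib
import json
from dataclasses import dataclass, field

EXPECTED_PRINCIPAL = "cutter_exec"
REJECTED_PRINCIPALS = {"cutter_ro", "workflow_admin", "directus", "postgres"}
FORBIDDEN_ENV = {"PG_DSN", "DATABASE_URL", "DIRECTUS_URL", "PGHOST", "PGUSER", "PGPASSWORD"}

# Constructed manifest: 3 units stand in for the page's 60.
MANIFEST = [
    {"canonical_address": "ICX-CONST/NT15/001", "body": "unit one"},
    {"canonical_address": "ICX-CONST/NT15/002", "body": "unit two"},
    {"canonical_address": "ICX-CONST/KT3/003", "body": "unit three"},
]


def manifest_digest(units):
    """Input-identity digest (assumed rule): sha256 over canonical JSON."""
    blob = json.dumps(units, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass
class LiveState:
    """Read-only facts read in the SAME session as the would-be txn."""
    current_user: str
    icx_const_rows: int  # count(canonical_address LIKE 'ICX-CONST%')
    change_sets: set = field(default_factory=set)  # digests already cut
    env: dict = field(default_factory=dict)  # process environment


def precheck(units, pinned_digest, pinned_count, live):
    """Return PROCEED, NOOP:<gate> or ABORT:<gate>; stops at the first failing gate."""
    # PC-8: refuse outright if a DB secret could arrive via the environment.
    if FORBIDDEN_ENV & set(live.env):
        return "ABORT:PC8-env-leak"
    # G2: recompute input identity; any mismatch aborts before any write.
    if manifest_digest(units) != pinned_digest or len(units) != pinned_count:
        return "ABORT:G2-identity"
    # G4: only the dedicated executor may proceed; shared roles are rejected.
    if live.current_user in REJECTED_PRINCIPALS or live.current_user != EXPECTED_PRINCIPAL:
        return "ABORT:G4-principal"
    # G6 (G-CUT-ONCE): rows or a ledger entry already present => no-op, never re-insert.
    if live.icx_const_rows != 0 or pinned_digest in live.change_sets:
        return "NOOP:G6-cut-once"
    return "PROCEED"
```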

2. Backup requirement (mandatory; mirrors v0.4 C_01)

scope: fresh logical backup of public.information_unit + public.unit_version
  AND (post-UB-1/UB-2) the cutter_governance ledger tables leg B writes, of
  the directus DB — single DB, single backup, by an authorized operator,
  read-only, BEFORE the write, age ≤60 min, restorability verified, sha
  recorded in the execution log; CUT ABORTS if the backup gate is unclean.
  (v0.4 backup sha da4e15e6… = historical disaster backstop, not a substitute.)

3. Verification after CUT (VW-1..VW-10; cutter_verify/DOT-992, SoD)

VW-1 exactly 60 information_unit + 60 unit_version for digest 9d908a62…
VW-2 0 IU for Điều 44/draft/obsolete (DIEU-44 absent)
VW-3 100% IU.identity_profile.provenance + unit_version.content_profile bind
     icxconst-008a06… + 9d908a62… + region 17660443… + span_sha256
VW-4 every canonical_address ∈ ratified 60, VERBATIM, UNIQUE
VW-5 sha256(unit_version.body)==content_hash==span_sha256 ∀60
VW-6 coverage ≡ cut-plan candidates; levels NT15/KT3/DIEU42
VW-7 every IU passed L1+L2; version_anchor_ref/content_anchor_ref consistent
VW-8 parent_or_container_ref per OD-W3 (flat ⇒ all top-level NULL; count 60)
VW-9 1 cut_change_set (content_hash==digest) + 1 DOT-991 dot_pair_signature
     (xref change_set_id ONLY, NOT verify_result_id; signer_dot_id DOT-991) +
     decision_backlog_history transition; lane-overlap badxor=0/swapped=0/
     both_null=0/both_non_null=0 (v0.4 acceptance bar; enforced in code by
     prod_iu_adapter.assert_lane_overlap_invariants — unit-tested)
VW-10 idempotency: re-run of digest ⇒ NO new rows; writer_digest stable d99a31d4…
verdict: VERIFIED_COMPLETE iff VW-1..VW-10 PASS, by cutter_verify/DOT-992
  (NEVER the executor). Any fail ⇒ VERIFY_FAILED_ESCALATED ⇒ STOP + §4.
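Post-cut verification and verdict rule of §3, as an added example (not the project's cutter_verify code): VW-1, VW-4, VW-5 and VW-8 are implemented over constructed rows; the row model, the 3-address ratified set and the sample bodies are assumptions, while the verdict rule (VERIFIED_COMPLETE only if every check passes, otherwise VERIFY_FAILED_ESCALATED) is the page's.

```python
"""Post-cut verification modelled on §3 (added example; not the project's
cutter_verify code). Row model, ratified set and bodies are constructed;
the verdict rule follows the page."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InformationUnit:
    canonical_address: str
    parent_or_container_ref: Optional[str]


@dataclass(frozen=True)
class UnitVersion:
    canonical_address: str
    body: str
    content_hash: str
    span_sha256: str


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed ratified set: 3 addresses stand in for the page's 60.
RATIFIED = ["ICX-CONST/NT15/001", "ICX-CONST/NT15/002", "ICX-CONST/KT3/003"]


def build_rows(bodies, ratified=RATIFIED):
    """Constructed cut output: one flat IU and one unit_version per address."""
    ius = [InformationUnit(a, None) for a in ratified]
    uvs = [UnitVersion(a, b, sha256_hex(b), sha256_hex(b)) for a, b in zip(ratified, bodies)]
    return ius, uvs


def verify(ius, uvs, ratified=RATIFIED):
    """Return {check: bool}; every check runs so the evidence of a fail is kept."""
    n = len(ratified)
    addrs = [iu.canonical_address for iu in ius]
    return {
        # VW-1: exactly n information_unit and n unit_version rows.
        "VW-1": len(ius) == n and len(uvs) == n,
        # VW-4: every canonical_address in the ratified set, verbatim and unique.
        "VW-4": set(addrs) == set(ratified) and len(set(addrs)) == len(addrs),
        # VW-5: sha256(body) == content_hash == span_sha256 for every version.
        "VW-5": all(sha256_hex(v.body) == v.content_hash == v.span_sha256 for v in uvs),
        # VW-8: flat layout => every parent_or_container_ref is NULL.
        "VW-8": all(iu.parent_or_container_ref is None for iu in ius),
    }


def verdict(results):
    """VERIFIED_COMPLETE iff all checks pass; any fail escalates, never self-repairs."""
    return "VERIFIED_COMPLETE" if all(results.values()) else "VERIFY_FAILED_ESCALATED"
```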

4. Rollback / compensation doctrine

in-txn failure (L1/L2 raise, drift, principal/grant fail, digest mismatch):
  single atomic txn ABORT ⇒ zero rows (no partial cut, no orphan unit_version).
post-commit fault: FORWARD-COMPENSATION ONLY (cutter_verify/DOT-992):
  superseding unit_version (version_seq+1) and/or lifecycle_status change +
  governed escalation; NEVER physical DELETE/TRUNCATE. (cutter_verify public.*
  write grants = SEPARATE later gated package, not the doc-2 GRANT.)
G-CUT-ONCE: retry of same digest after a rolled-back txn ⇒ no-op.
source/snapshot immutable & pinned (9d908a62…/17660443…); "restore" = re-derive
  via the pure factory, never hand-edit rows. Backup (§2)=operator last resort.

5. Production execution checklist (future, gated; for the operator)

[ ] PC-0..PC-8 all green   [ ] backup taken+verified, sha logged
[ ] cutprod --mode plan-only re-run ⇒ PLAN_OK, writer_digest d99a31d4…
[ ] sovereign approval doc id supplied to --i-have-sovereign-…-approval
[ ] run as cutter_exec via approved .env (secret never echoed)
[ ] ONE atomic txn; on ANY guard/L1/L2 raise ⇒ ABORT, confirm zero rows
[ ] post-commit: cutter_verify/DOT-992 runs VW-1..VW-10 (SoD)
[ ] STOP + route GPT/User on any fail; preserve evidence; no self-advance

6. STOP conditions

any GAP-B1/GD-1/U-W4b/C5 open · identity/writer-digest mismatch · live drift
(L1/L2 md5, cols, constraints, vocab) · ICX-CONST≠0 · principal≠cutter_exec ·
grant missing · backup unclean · secret-logging risk · DELETE/TRUNCATE attempt
· DOT lane/reference mismatch · any deploy/restart/merge/push/tag or self-advance.

doc 5 of 6. Design only. No production mutation. Self-advance PROHIBITED.
