KB-4C96
dot-iu-cutter v0.5 — First Controlled CUT · Production CUT Verification Plan (doc 4)
Revision 1
doc 4 of 7 · 2026-05-20 · DESIGN ONLY. NOT executed. No VERIFY run. No DB write. Applies AFTER the leg-A CUT commits successfully (doc 3); precedes the separate leg-B governed-recording obligation (doc 6).
1. Scope, principal, separation of duties
scope : leg-A surface (public.information_unit / unit_version / column-scoped anchor UPDATE) for the specific CUT identity manifest_digest = 9d908a62…
principal : cutter_verify (DOT-992 verifier lane ; read-only on public.* per doc 2 §2)
separation of duties : the CUT operator (cutter_exec / DOT-991) MUST NOT also run VERIFY ; sovereign ensures a distinct human/role operator handles VERIFY ; lane-overlap invariants (dot_pair_signature DOT-992 → verify_result_id ONLY) are NOT touched here (leg-B path, see doc 6).
when : immediately after the CUT txn COMMIT ; before any post-CUT governed recording in doc 6.
duration : all queries are bounded ; expect ≤ a few seconds total ; read-only ; safe to re-run.
no : NO DELETE / NO TRUNCATE / NO UPDATE / NO DDL ; NO repair. Any failure → STOP_AND_ESCALATE + doc 5 §3 forward-compensation doctrine (NEVER hard delete).
2. VW-1 .. VW-12 — verification queries (read-only)
VW-1 Row counts (must equal the ratified cardinality)
-- expected: iu_count=60, uv_count=60, anchor_set_count=60
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%') AS iu_count,
(SELECT count(*) FROM public.unit_version uv
JOIN public.information_unit iu ON iu.id = uv.unit_id
WHERE iu.canonical_address LIKE 'ICX-CONST/%') AS uv_count,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND version_anchor_ref IS NOT NULL
AND content_anchor_ref IS NOT NULL) AS anchor_set_count;
VW-2 Exclusion proof — Điều 44 / draft / obsolete must be ABSENT
-- expected: dieu44_present=0, non_enacted=0
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND (canonical_address ~ 'dieu-?44' -- defensive shape probe
OR section_code IN ('44','dieu-44')
OR identity_profile->>'section_code' = '44'
OR identity_profile->>'address_label' ILIKE '%Điều 44%')) AS dieu44_present,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND lifecycle_status <> 'enacted') AS non_enacted;
VW-3 Canonical address uniqueness (live) and pattern correctness
-- expected: dup_addr=0, addr_uniq_60=60, all rows have ICX-CONST/ prefix
SELECT
(SELECT count(*) FROM (
SELECT canonical_address FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
GROUP BY canonical_address HAVING count(*) > 1) d) AS dup_addr,
(SELECT count(DISTINCT canonical_address) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%') AS addr_uniq_60;
VW-4 Source / version / region / writer_digest provenance binding (60/60)
-- expected: bind_iu=60, bind_uv=60, source_version_match=60, digest_match=60,
-- region_match=60
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND identity_profile ? 'provenance') AS bind_iu,
(SELECT count(*) FROM public.unit_version uv
JOIN public.information_unit iu ON iu.id = uv.unit_id
WHERE iu.canonical_address LIKE 'ICX-CONST/%'
AND uv.content_profile ? 'provenance') AS bind_uv,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND identity_profile->'provenance'->>'source_version_id'
= 'icxconst-008a06ace23a96ea6cd456146e805c97') AS source_version_match,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND identity_profile->'provenance'->>'manifest_digest'
= '9d908a62fcf01bb88e05a1af4335b960710006ddcfd21c811ca63efb33dd324f') AS digest_match,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND identity_profile->'provenance'->>'region_sha256'
= '17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c') AS region_match;
note : the exact identity_profile.provenance / content_profile.provenance JSON keys are the ones the ratified pure factory writes (cutwrite.build_rows). If a key name has been finalized differently by the factory, this query MUST be adjusted at command-review time to match the factory's emitted keys (read the factory; do NOT guess). The intent — 60/60 bind to the three pins — is the invariant; the precise JSON path is implementation-bound and the verifier reads the factory once before running VW-4.
VW-5 Body / content-hash / span-hash agreement (60/60)
-- expected: all_three_equal=60, computed_match=60
-- convert_to(body, 'UTF8') hashes the UTF-8 bytes of body (assumed to be a text
-- column) ; a text::bytea cast would instead parse backslash sequences in body
-- as bytea escapes and either error out or hash different bytes.
SELECT
(SELECT count(*) FROM public.unit_version uv
JOIN public.information_unit iu ON iu.id = uv.unit_id
WHERE iu.canonical_address LIKE 'ICX-CONST/%'
AND uv.content_hash = encode(sha256(convert_to(uv.body, 'UTF8')), 'hex')
AND uv.content_hash = (uv.content_profile->>'span_sha256')) AS all_three_equal,
(SELECT count(*) FROM public.unit_version uv
JOIN public.information_unit iu ON iu.id = uv.unit_id
WHERE iu.canonical_address LIKE 'ICX-CONST/%'
AND uv.content_hash = encode(sha256(convert_to(uv.body, 'UTF8')), 'hex')) AS computed_match;
VW-6 Coverage / level distribution / all law_unit / flat top-level
-- expected: NT 15, KT 3, DIEU 42, all unit_kind=law_unit, parent NULL 60/60
SELECT identity_profile->>'level' AS lvl, count(*)
FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
GROUP BY identity_profile->>'level'
ORDER BY 1;
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%' AND unit_kind='law_unit') AS all_law_unit,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%' AND parent_or_container_ref IS NULL) AS all_top_level;
VW-7 Birth-gate consistency (every IU passed L1+L2 ; anchors point right)
-- expected: identity_required_keys_all_present=60, anchor_pair_consistent=60
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
AND identity_profile ? 'title'
AND identity_profile ? 'owner_lookup_ref'
AND identity_profile ? 'primary_section_type_ref') AS identity_required_keys_all_present,
(SELECT count(*) FROM public.information_unit iu
JOIN public.unit_version uv ON uv.id = iu.version_anchor_ref
WHERE iu.canonical_address LIKE 'ICX-CONST/%'
AND uv.unit_id = iu.id
AND iu.content_anchor_ref = uv.id::text) AS anchor_pair_consistent;
VW-8 Idempotency / no duplicate / G-CUT-ONCE (the executor never re-runs)
-- expected: dup_in_canonical=0, re_run_would_no_op=60
-- (i.e. ICX-CONST row count is exactly 60 ; a future cutprod re-run with the
-- same identity exits NO-OP via G6 ; the count stays at 60.)
SELECT
(SELECT count(*) FROM (
SELECT canonical_address FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%'
GROUP BY canonical_address HAVING count(*) > 1) d) AS dup_in_canonical,
(SELECT count(*) FROM public.information_unit
WHERE canonical_address LIKE 'ICX-CONST/%') AS re_run_would_no_op;
VW-9 Reconstruction / no unintended public.* mutation (delta = +60 exactly)
-- expected: iu_total = pre_iu + 60 uv_total = pre_uv + 60
-- (pre values from doc 1: iu_total=98, uv_total=105 ; so after this CUT the
-- totals MUST be iu=158, uv=165 — assuming no concurrent IU/UV INSERT outside
-- this CUT, which is the operator's controlled-window assumption ; record both
-- totals immediately before and after the CUT in the execution log.)
SELECT
(SELECT count(*) FROM public.information_unit) AS iu_total,
(SELECT count(*) FROM public.unit_version) AS uv_total;
VW-10 No unintended UPDATE on non-anchor columns / no DELETE
-- expected: edits_to_pre_existing_iu=0, edits_to_pre_existing_uv=0
-- (none of the pre-existing 98 IU / 105 UV rows are touched ; updated_at,
-- updated_by, deleted_at, identity_profile, etc. all unchanged.)
SELECT
(SELECT count(*) FROM public.information_unit
WHERE canonical_address NOT LIKE 'ICX-CONST/%'
AND updated_at > <CUT_TXN_START_TIMESTAMP>::timestamptz) AS edits_to_pre_existing_iu,
(SELECT count(*) FROM public.unit_version uv
JOIN public.information_unit iu ON iu.id = uv.unit_id
WHERE iu.canonical_address NOT LIKE 'ICX-CONST/%'
AND uv.updated_at > <CUT_TXN_START_TIMESTAMP>::timestamptz) AS edits_to_pre_existing_uv;
VW-11 cutter_governance untouched by THIS CUT (UB-2 invariant; leg-B yet-to-come)
-- expected: cs_new_for_digest=0 (until doc-6 governed recording runs)
SELECT count(*) AS cs_new_for_digest
FROM cutter_governance.cut_change_set
WHERE content_hash = '9d908a62fcf01bb88e05a1af4335b960710006ddcfd21c811ca63efb33dd324f';
VW-12 Vocab / drift unchanged (post-CUT re-check; matches doc 1 §3)
-- expected: identical to doc-1 §3 row : 19, 16, f38c94d0…, 078ba005…, 6
-- (defence against any concurrent admin change during the window)
SELECT 19 AS iu_cols_pin, 16 AS uv_cols_pin,
'f38c94d0043a61507a8c2e85afd59998' AS l1_pin,
'078ba0051ce4d894cabcc0102c4320f8' AS l2_pin, 6 AS vocab_pin;
-- then re-run the doc-1 §3 read-only catalog query and compare row-by-row.
3. Acceptance bar
VERIFIED_LEG_A_PASS iff ALL of :
VW-1 iu_count=60 ∧ uv_count=60 ∧ anchor_set_count=60
VW-2 dieu44_present=0 ∧ non_enacted=0
VW-3 dup_addr=0 ∧ addr_uniq_60=60
VW-4 bind_iu=60 ∧ bind_uv=60 ∧ source_version_match=60
∧ digest_match=60 ∧ region_match=60 *
VW-5 all_three_equal=60 ∧ computed_match=60
VW-6 NT=15 ∧ KT=3 ∧ DIEU=42 ∧ all_law_unit=60 ∧ all_top_level=60
VW-7 identity_required_keys_all_present=60 ∧ anchor_pair_consistent=60
VW-8 dup_in_canonical=0 ∧ re_run_would_no_op=60
VW-9 iu_total = pre_iu + 60 ∧ uv_total = pre_uv + 60
VW-10 edits_to_pre_existing_iu=0 ∧ edits_to_pre_existing_uv=0
VW-11 cs_new_for_digest=0 (until doc 6 governed recording runs)
VW-12 identical to doc-1 §3 row
* VW-4 JSON paths are reconciled at command-review time against the ratified
factory's emitted provenance keys (read the factory ; do NOT guess).
ANY single VW row fails ⇒ verdict = VERIFY_FAILED_ESCALATED ⇒ STOP, preserve
evidence, route GPT/User, apply doc 5 §3 forward-compensation doctrine (NEVER
hard delete the inserted rows ; never DELETE/TRUNCATE).
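The acceptance bar above, evaluated fail-closed over the captured VW-1..VW-12 result rows. This is an added example, not part of the original plan or the cutter code base. The input shape (one dict of column to value per VW id, with the VW-6 level rows folded in by level name) and the names `evaluate`, `EXPECTED`, `DOC1_ROW` and `constructed_sample` are assumptions.

```python
# Added example (not project code): fail-closed check of the section 3 acceptance bar.
# Assumed input shape: {"VW-n": {column: int}}, with VW-6 level rows folded in by level.
EXPECTED = {
    "VW-1": {"iu_count": 60, "uv_count": 60, "anchor_set_count": 60},
    "VW-2": {"dieu44_present": 0, "non_enacted": 0},
    "VW-3": {"dup_addr": 0, "addr_uniq_60": 60},
    "VW-4": {"bind_iu": 60, "bind_uv": 60, "source_version_match": 60,
             "digest_match": 60, "region_match": 60},
    "VW-5": {"all_three_equal": 60, "computed_match": 60},
    "VW-6": {"NT": 15, "KT": 3, "DIEU": 42,
             "all_law_unit": 60, "all_top_level": 60},
    "VW-7": {"identity_required_keys_all_present": 60,
             "anchor_pair_consistent": 60},
    "VW-8": {"dup_in_canonical": 0, "re_run_would_no_op": 60},
    "VW-10": {"edits_to_pre_existing_iu": 0, "edits_to_pre_existing_uv": 0},
    "VW-11": {"cs_new_for_digest": 0},
}
# VW-12 pins as written in the VW-12 query (doc-1 section 3 row).
DOC1_ROW = [19, 16, "f38c94d0043a61507a8c2e85afd59998",
            "078ba0051ce4d894cabcc0102c4320f8", 6]


def evaluate(results, pre_iu, pre_uv):
    """Return (verdict, failures); anything missing, extra or non-int fails."""
    expected = dict(EXPECTED)
    expected["VW-9"] = {"iu_total": pre_iu + 60, "uv_total": pre_uv + 60}
    failures = []
    for vw, cols in expected.items():
        row = results.get(vw) or {}
        for col, want in cols.items():
            got = row.get(col)
            if type(got) is not int or got != want:  # rejects None, "60", True
                failures.append((vw, col, want, got))
        # An unexpected column (e.g. an extra level in VW-6) is also a failure.
        failures += [(vw, c, None, row[c]) for c in sorted(set(row) - set(cols))]
    if results.get("VW-12") != DOC1_ROW:
        failures.append(("VW-12", "row", DOC1_ROW, results.get("VW-12")))
    verdict = "VERIFY_FAILED_ESCALATED" if failures else "VERIFIED_LEG_A_PASS"
    return verdict, failures


def constructed_sample(pre_iu=98, pre_uv=105):
    """Constructed passing result set (not real query output) for a dry run."""
    rows = {vw: dict(cols) for vw, cols in EXPECTED.items()}
    rows["VW-9"] = {"iu_total": pre_iu + 60, "uv_total": pre_uv + 60}
    rows["VW-12"] = list(DOC1_ROW)
    return rows
```

The failure tuples `(vw, column, expected, got)` can be stored next to the raw result rows in the execution log, so an escalation shows which check failed and the value that was observed.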
4. Evidence the operator persists
captured to the U-W5 execution log (KB-uploaded) :
- the full result rows of VW-1..VW-12 (JSON)
- the writer_digest re-asserted by the pure factory immediately before and after the CUT (must equal d99a31d4…)
- pre-CUT and post-CUT counts (iu_total / uv_total)
- the CUT txn start timestamp + COMMIT timestamp (used in VW-10)
- the GRANT structural verify (doc 2 §6.1) snapshot AFTER the CUT (must be byte-identical to the snapshot taken immediately after U-W4b)
- the backup artefact sha256 (doc 1 §6 / doc 3 §2)
- the sovereign approval KB doc id (G1)
5. Status
verification_plan : DESIGN-READY · NOT EXECUTED
runnable_by : cutter_verify (DOT-992 ; read-only on public.*)
remaining sovereign gates : sovereign-gated VERIFY execution approval
(separate from the CUT execution approval)
production mutation this phase : NONE
self_advance : PROHIBITED
doc 4 of 7. No production mutation. Self-advance PROHIBITED.