KB-7216

dot-iu-cutter v0.5 — First Controlled CUT Rerun · Rollback / Compensation Status (R-2 automatic; no compensation; GRANTs left in place pending sovereign ruling) (doc 6 of 7)


dot-iu-cutter v0.5 — First Controlled CUT Rerun · Rollback / Compensation Status

doc 6 of 7 · 2026-05-20

phase           : R-state determination + REVOKE decision
outcome         : R-2 atomic rollback (automatic) ; NO compensation needed ;
                  GRANTs LEFT IN PLACE (REVOKE deferred to sovereign ruling)
production_mutation : NONE persisted (R-2) ; GRANTs from G5 remain in catalog

1. Failure regime — R-2 (pre-commit ROLLBACK)

Per rollback doctrine doc 5 §1 of approval package:

Regime   Condition                                                   This run
R-1      pre-connect guard fails ; no connect                        NO  — G3 cutter_exec connection opened
R-2      connection opened ; in-txn guard fails OR trigger raises ;  YES — trg_aa_iu_gateway_write_guard raised;
         atomic ROLLBACK ; zero rows persisted                       psycopg2 rolled back the txn; zero rows persisted
R-3      COMMIT succeeded ; out-of-band anomaly later ;              NO  — no COMMIT happened
         forward-compensation only

2. R-2 atomic rollback — automatic by construction

The adapter's execute_leg_a_only (production-legA doc 1 §3) wraps the leg-A SQL in:

conn.execute("BEGIN")                          # explicit txn: nothing is persisted until commit()
try:
    self._g5_drift(conn)                       # in-txn guards (G5 drift, G6 cut-once); any raise aborts the leg
    self._g6_cut_once(conn)
    result = self.leg_a_in_txn(conn, iu, uv)   # leg-A SQL (this is where _iu_insert ran and the trigger raised)
    conn.commit()
except Exception:
    try: conn.rollback()                       # ROLLBACK on any failure, then surface the original error
    except Exception: pass                     # a failing rollback must not mask the original exception
    raise

When _iu_insert raised psycopg2.errors.RaiseException from the gateway trigger, the except clause caught it, called conn.rollback(), and re-raised. psycopg2 sent ROLLBACK to the server, ending the transaction without committing any row. Verified post-mortem:

public.information_unit row count : 98    (== pre-execution baseline)
public.unit_version    row count  : 105
ICX-CONST address rows            : 0
max(updated_at) on IU             : 2026-05-14 14:46:49+00 (UNCHANGED)
max(created_at) on UV             : 2026-05-14 14:46:49+00 (UNCHANGED)

No row, no anchor update, no side-effect. R-2 satisfied.
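The R-2 shape above, as an added example that is not the adapter's own code: sqlite3 stands in for PostgreSQL/psycopg2, a BEFORE INSERT trigger that RAISE(ABORT)s stands in for trg_aa_iu_gateway_write_guard, and the table names follow the page while the seed rows, the G5 guard body and the cut payload are constructed. It shows the point that matters for the post-mortem: a row written earlier in the same transaction (the unit_version insert) is also discarded, so the baseline snapshot is byte-identical afterwards and no transaction is left open.

```python
# Added example, not the adapter's own code: reproduces the R-2 failure regime
# from §2 with sqlite3 standing in for PostgreSQL/psycopg2. Table names follow
# the page; seed rows, guard, trigger body and cut payload are constructed.
import sqlite3

SEED_IU_ROWS = 3                          # constructed baseline (the page's real count was 98)
SEED_UV_ROWS = 4                          # constructed baseline (the page's real count was 105)
BASELINE_TS = "2026-05-14 14:46:49+00"    # anchor timestamp quoted on the page


class GuardFailed(Exception):
    """Raised by an in-txn guard (stand-in for G5/G6)."""


def make_db() -> sqlite3.Connection:
    # isolation_level=None: the module never opens a transaction by itself, so
    # the explicit BEGIN / commit() / rollback() below are the only ones in play.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE information_unit (
            id INTEGER PRIMARY KEY, title TEXT, version_anchor_ref TEXT, updated_at TEXT);
        CREATE TABLE unit_version (
            id INTEGER PRIMARY KEY, iu_id INTEGER, created_at TEXT);
    """)
    for i in range(SEED_IU_ROWS):
        conn.execute("INSERT INTO information_unit VALUES (?, ?, NULL, ?)",
                     (i + 1, f"iu-{i + 1}", BASELINE_TS))
    for i in range(SEED_UV_ROWS):
        conn.execute("INSERT INTO unit_version VALUES (?, ?, ?)", (i + 1, 1, BASELINE_TS))
    # Stand-in for trg_aa_iu_gateway_write_guard: every direct INSERT into
    # information_unit is refused with an error, like the PL/pgSQL RAISE.
    conn.execute("""
        CREATE TRIGGER trg_gateway_write_guard BEFORE INSERT ON information_unit
        BEGIN
            SELECT RAISE(ABORT, 'gateway guard: direct IU write refused');
        END""")
    return conn


def snapshot(conn: sqlite3.Connection) -> dict:
    """The post-mortem numbers the page checks: row counts and max timestamps."""
    def one(sql: str):
        return conn.execute(sql).fetchone()[0]
    return {
        "iu_rows": one("SELECT count(*) FROM information_unit"),
        "uv_rows": one("SELECT count(*) FROM unit_version"),
        "iu_max_updated_at": one("SELECT max(updated_at) FROM information_unit"),
        "uv_max_created_at": one("SELECT max(created_at) FROM unit_version"),
    }


def g5_drift(conn: sqlite3.Connection, expected_iu_rows: int) -> None:
    """Constructed drift guard: refuse to cut if the baseline moved under us."""
    if snapshot(conn)["iu_rows"] != expected_iu_rows:
        raise GuardFailed("G5 drift: information_unit row count changed")


def leg_a_in_txn(conn: sqlite3.Connection, iu: dict, uv: dict) -> int:
    """Leg-A stand-in: the UV row goes in first and succeeds inside the txn;
    the IU insert then hits the gateway trigger, which is the R-2 shape."""
    conn.execute("INSERT INTO unit_version (iu_id, created_at) VALUES (?, ?)",
                 (uv["iu_id"], uv["created_at"]))
    cur = conn.execute(
        "INSERT INTO information_unit (title, version_anchor_ref, updated_at) VALUES (?, ?, ?)",
        (iu["title"], iu["version_anchor_ref"], iu["updated_at"]))
    return cur.lastrowid


def execute_leg_a_only(conn: sqlite3.Connection, iu: dict, uv: dict, expected_iu_rows: int) -> int:
    """Same control flow as the adapter wrapper quoted in §2."""
    conn.execute("BEGIN")
    try:
        g5_drift(conn, expected_iu_rows)
        result = leg_a_in_txn(conn, iu, uv)
        conn.commit()
        return result
    except Exception:
        try:
            conn.rollback()
        except Exception:
            pass
        raise


def run_rerun() -> dict:
    """Drive one rerun and classify it the way doc 6 §1 does (R-2 vs R-3)."""
    conn = make_db()
    before = snapshot(conn)
    iu = {"title": "constructed IU", "version_anchor_ref": "uv:new",
          "updated_at": "2026-05-20 03:10:54+00"}            # constructed payload
    uv = {"iu_id": 1, "created_at": "2026-05-20 03:10:54+00"}
    committed, error = False, None
    try:
        execute_leg_a_only(conn, iu, uv, expected_iu_rows=before["iu_rows"])
        committed = True
    except sqlite3.DatabaseError as exc:   # the role psycopg2.errors.RaiseException played
        error = str(exc)
    after = snapshot(conn)
    return {
        "regime": "R-3" if committed else "R-2",
        "committed": committed,
        "trigger_error": error,
        "persisted_rows": (after["iu_rows"] - before["iu_rows"]) + (after["uv_rows"] - before["uv_rows"]),
        "baseline_unchanged": after == before,
        "txn_open_after": conn.in_transaction,
    }


if __name__ == "__main__":
    for key, value in run_rerun().items():
        print(f"{key:>18} : {value}")
```

Running it prints regime R-2, zero persisted rows, an unchanged baseline and no open transaction; swap the trigger out and the same driver reports R-3, which is the case the compensation doctrine in §3 exists for.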

3. Compensation — NOT NEEDED

R-3 doctrine (forward-compensation only; never hard delete) applies only when a COMMIT succeeded and an out-of-band anomaly is discovered later. Here, no COMMIT happened ⇒ no rows exist that would need superseding. The compensation flowchart is not entered.

4. REVOKE decision — DEFERRED TO SOVEREIGN RULING

The package's GRANT-rollback procedure (doc 2 §4 / doc 3 §2 R1) authorizes REVOKE in two cases:

(i)  §6 verification fails on any row     [NOT triggered — G5 §6.1 PASSED]
(ii) CUT execution is postponed and the privileges should not idle exposed

Case (ii) is plausibly active (the rerun macro halted before a successful CUT). However, the REVOKE statement is qualified as "sovereign-issued only on STOP or postpone" (production-legA doc 3 §2). The GPT ruling of 2026-05-20 explicitly authorized GRANT execution but did not pre-authorize REVOKE.

Per the prompt's binding instruction:

"If any gate fails: STOP before next mutation. Upload BLOCKED/FAIL report. Do not improvise."

issuing a fresh REVOKE in this session — even if textually within the package's pre-approved SQL menu — is an additional sovereign-issued production mutation that the rerun macro is not explicitly authorized for after G7 failure. The conservative path is to leave the GRANTs in place and route the REVOKE decision to GPT/User along with the redesign decision (see doc 7 §3 OPT-X).

Risk of leaving GRANTs idle (≈ doc 2 §4 (ii) concern):

attack_surface : cutter_exec can SELECT/INSERT/anchor-UPDATE on
                 public.{information_unit, unit_version}; cutter_verify can
                 SELECT on the two tables. Both roles can authenticate ONLY
                 via pg_hba trust auth from the postgres container's loopback
                 (127.0.0.1 inside the container's netns).
exposure       : limited to actors with root SSH on contabo who can `docker
                 exec postgres …` OR `docker run --network container:postgres`.
                 The same actor population can already invoke pg_dump as
                 directus and read everything; the GRANT delta does not
                 materially widen exposure for any external actor.
mitigation     : the next macro (after sovereign ruling) will either issue
                 the package REVOKE (doc 2 §4) or update the GRANT delta to
                 EXECUTE on `fn_iu_create` and remove the now-unused
                 INSERT/UPDATE column privileges on the IU/UV tables.

For an audit-conservative reading: REVOKE byte-inverse (doc 2 §4) is the recommended sovereign next action if the redesign will take >24 h to land. Its SQL is verbatim:

REVOKE SELECT, INSERT ON public.information_unit FROM cutter_exec;
REVOKE UPDATE (version_anchor_ref, content_anchor_ref)
                      ON public.information_unit FROM cutter_exec;
REVOKE SELECT, INSERT ON public.unit_version     FROM cutter_exec;
REVOKE SELECT         ON public.dot_config       FROM cutter_exec;
REVOKE SELECT         ON public.information_unit FROM cutter_verify;
REVOKE SELECT         ON public.unit_version     FROM cutter_verify;

If the sovereign issues "REVOKE now", the Agent can execute it in the next authorized macro and re-verify that the 18-bool probe returns all f (false) for the column/table pairs in §6.1.
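A way to keep that re-verification tied to the SQL actually issued, as an added example that is not the package's own 18-bool probe (its exact column list is not on this page): derive one boolean per privilege pair from the REVOKE statements above using PostgreSQL's has_table_privilege() and has_column_privilege(), emit the single-row probe query, and flag any label that still comes back true. The label scheme and the column-to-bool result-row shape are assumptions; the statement list yields nine booleans, not the package's eighteen.

```python
# Added example, not the package's own probe: builds the post-REVOKE check from
# the REVOKE statements themselves so the verification cannot drift from the SQL
# that was run. has_table_privilege()/has_column_privilege() are PostgreSQL
# built-ins; the label scheme and the result-row shape are assumptions.
import re
from dataclasses import dataclass
from typing import Optional

# The six statements quoted on the page, verbatim.
REVOKE_SQL = """
REVOKE SELECT, INSERT ON public.information_unit FROM cutter_exec;
REVOKE UPDATE (version_anchor_ref, content_anchor_ref)
                      ON public.information_unit FROM cutter_exec;
REVOKE SELECT, INSERT ON public.unit_version     FROM cutter_exec;
REVOKE SELECT         ON public.dot_config       FROM cutter_exec;
REVOKE SELECT         ON public.information_unit FROM cutter_verify;
REVOKE SELECT         ON public.unit_version     FROM cutter_verify;
"""

STMT_RE = re.compile(r"REVOKE\s+(?P<privs>.+?)\s+ON\s+(?P<table>\S+)\s+FROM\s+(?P<role>\w+)")
PRIV_RE = re.compile(r"(\w+)(?:\s*\(([^)]*)\))?")   # SELECT | INSERT | UPDATE (col, col)


@dataclass(frozen=True)
class Probe:
    role: str
    privilege: str
    table: str
    column: Optional[str] = None

    @property
    def label(self) -> str:
        # e.g. cutter_exec__information_unit__content_anchor_ref_update (under 63 chars)
        col = f"{self.column}_" if self.column else ""
        return f"{self.role}__{self.table.split('.')[-1]}__{col}{self.privilege.lower()}"

    def sql(self) -> str:
        if self.column is None:
            return f"has_table_privilege('{self.role}', '{self.table}', '{self.privilege}')"
        return (f"has_column_privilege('{self.role}', '{self.table}', "
                f"'{self.column}', '{self.privilege}')")


def parse_revokes(sql: str) -> list:
    """One Probe per (role, privilege, table[, column]) named in the REVOKE list."""
    probes = []
    for raw in sql.split(";"):
        stmt = " ".join(raw.split())          # join wrapped statements, squeeze whitespace
        if not stmt:
            continue
        m = STMT_RE.fullmatch(stmt)
        if m is None:
            raise ValueError(f"unsupported statement: {stmt}")
        for priv, cols in PRIV_RE.findall(m["privs"]):
            priv = priv.upper()
            if cols:
                for col in (c.strip() for c in cols.split(",")):
                    probes.append(Probe(m["role"], priv, m["table"], col))
            else:
                probes.append(Probe(m["role"], priv, m["table"]))
    return probes


def probe_query(probes: list) -> str:
    """A single SELECT returning one row of booleans, one column per probe."""
    cols = ",\n  ".join(f"{p.sql()} AS {p.label}" for p in probes)
    return f"SELECT\n  {cols};"


def still_granted(probes: list, row: dict) -> list:
    """Labels whose probe came back true, i.e. privileges the REVOKE did not remove.
    `row` is the probe query's result as a column->bool mapping (what a
    psycopg2 RealDictCursor row gives you)."""
    return [p.label for p in probes if row[p.label]]


if __name__ == "__main__":
    probes = parse_revokes(REVOKE_SQL)
    print(probe_query(probes))
    print(f"-- {len(probes)} booleans; every one must read f once the REVOKE has landed")
```

Note that has_column_privilege() also returns true when the role holds the privilege on the whole table, so the two column probes would still catch a table-level UPDATE grant that the column-scoped REVOKE did not touch.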

5. Invariants preserved this run

no_physical_DELETE                                   : honored
no_TRUNCATE                                          : honored
no_DDL / DROP / ALTER (table/role/owner)             : honored
no_GRANT outside the approved doc 2 §2 delta         : honored
no_UPDATE on unit_version                            : honored (no rows touched)
no_UPDATE on information_unit non-anchor columns     : honored (no rows touched)
no_source_document_* mutation                        : honored
no_Directus / vector / NoSQL write                   : honored
no_deploy / restart / docker rebuild                 : honored
                                                       (sidecar python:3.12-slim
                                                        was --rm ephemeral; the
                                                        postgres container itself
                                                        was untouched)
no_merge / push / tag                                : honored (feature branch
                                                        HEAD f20c79c unchanged
                                                        locally; no remote
                                                        configured)
no_secret_echo / argv_leak / log_leak                : honored
no_VERIFY                                            : honored (cutter_verify
                                                        VW-1..VW-12 not run)
no_post_CUT_governed_recording                       : honored (leg-B not run)

6. Disposition

rollback_required          : already happened (R-2 atomic, by construction)
compensation_required      : NO (no COMMIT ; R-3 doctrine not engaged)
REVOKE_issued_this_session : NO (deferred to sovereign ruling — see doc 7 §3)
backup_preserved_for_audit : YES — /opt/incomex/backups/pg/directus_legA_cut_pre_grant_20260520T031054Z.dump
                              sha 17093a7a9cf6b671545919857ec4478273d5332143daf96957549ba657228043
provider_module_preserved  : YES — /opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py
                              sha 503af2f1d000b126cd21abe3540bf80e13e0194887708e15d6a97b76c3d76ef4
                              (zero side-effect when not imported; the trust-auth
                               DSN works only from the postgres container's netns)
staging_dir_preserved      : YES — /tmp/iu-cutter-cut-f20c79c-20260520T031054Z/
                              (will age out on next /tmp cleanup; preserve as
                               audit evidence until GPT ruling on redesign)
production_mutation_state  : G5 GRANTs in place ; nothing else changed
self_advance               : PROHIBITED — route → GPT/User

doc 6 of 7.
