KB-76F6
dot-iu-cutter v0.5 — Lifecycle Implementation Authoring · Command-Review Package (G4+G5 PASS) (doc 5 of 6)
22 min read Revision 1
dot-iu-cutterv0.5lifecycle-enactment-implementation-authoringcommand-review-packagestatic-tests-passexecution-order-lockedapply-principal-directusstop-conditionsphase-7-separate-gatereadme-authoreddieu442026-05-20
dot-iu-cutter v0.5 — Lifecycle Implementation Authoring · Command-Review Package
doc 5 of 6 · 2026-05-20 · COMMAND-REVIEW READY
phase : G4 (static tests) + G5 (command-review package) outcome : PASS — execution can be scheduled after sovereign review production_mutation : NONE
0. Purpose
This document is the consolidated command-review package for the execution macro that will apply Bundles A..E to production. It packages:
- The G4 static-test results
- The exact execution order
- The apply principal (which role runs which statement)
- The verification probes to execute at each checkpoint
- The STOP conditions for the execution macro
- The explicit statement that Phase 7 (enacting the 60 ICX-CONST IUs) is gated SEPARATELY behind a later sovereign ruling
- The operator README that will ship with execution
The execution macro itself is a SEPARATE workflow, gated on this package's sovereign acceptance.
1. G4 — static tests / proofs (PASS)
1.1 Static smoke (executed in THIS macro, read-only)
SELECT 'syntax_smoke_test' AS test,
EXISTS(SELECT 1 FROM public.information_unit
WHERE canonical_address = 'ICX-CONST/DIEU-0') AS first_icx_const_exists,
EXISTS(SELECT 1 FROM public.tac_uv_lifecycle_vocab
WHERE code='enacted') AS tac_vocab_enacted_exists,
EXISTS(SELECT 1 FROM pg_proc
WHERE proname='fn_iu_verify_invariants'
AND pronamespace='public'::regnamespace) AS verify_fn_exists,
EXISTS(SELECT 1 FROM pg_proc
WHERE proname='fn_content_hash'
AND pronamespace='public'::regnamespace) AS hash_fn_exists,
EXISTS(SELECT 1 FROM information_schema.columns
WHERE table_schema='public' AND table_name='unit_version'
AND column_name='enacted_at') AS uv_enacted_at_col_exists,
EXISTS(SELECT 1 FROM information_schema.columns
WHERE table_schema='public' AND table_name='information_unit'
AND column_name='identity_profile') AS iu_identity_profile_col_exists;
results (executed 2026-05-20 ~ 07:15Z under context_pack_readonly):
first_icx_const_exists : true # ICX-CONST/DIEU-0 reachable for probes B-1/B-2
tac_vocab_enacted_exists : true # the canonical vocab we mirror lives
verify_fn_exists : true # fn_iu_enact step 4 dependency met
hash_fn_exists : true # fn_iu_apply_edit_draft body dep (unchanged)
uv_enacted_at_col_exists : true # fn_iu_enact step 11 dependency met
iu_identity_profile_col_exists : true # fn_iu_enact step 5 (P-pub1/P-pub2) dependency met
verdict : ALL_DEPENDENCIES_EXIST PASS
1.2 Static review checklist (reasoning proofs)
SECDEF_safety:
fn_iu_enact : SECURITY DEFINER + SET search_path = pg_catalog, public ✓
fn_iu_enacted_immut : non-SECDEF (trigger invariant) ✓
fn_uv_enacted_immut : non-SECDEF (trigger invariant) ✓
fn_iu_apply_edit_draft (patch): SECURITY DEFINER preserved + search_path preserved ✓
cross_schema_safety:
fn_iu_enact reads cutter_governance.review_decision / cut_change_set
requires directus USAGE on schema (confirmed in doc 01 §1.5: usage=true)
requires directus SELECT on tables (confirmed: s_rd=true, s_cs=true) ✓
trigger_ordering_safety:
on information_unit BEFORE UPDATE :
trg_aa_iu_gateway_write_guard (existing, fires first by 'aa' prefix)
trg_iu_enacted_immut (NEW, fires after gateway)
trg_iu_updated_at (existing, fires last)
gateway decides allowability → immutability validates semantics →
timestamp stamps → row written ✓
trigger_ordering_safety (UV):
on unit_version BEFORE UPDATE :
trg_aa_uv_gateway_write_guard (existing)
trg_uv_enacted_immut (NEW)
same composition ✓
PK_column_correctness:
cutter_governance.review_decision PK = review_decision_id (not 'id') ✓
cutter_governance.cut_change_set PK = change_set_id (not 'id') ✓
fn_iu_enact body uses these exact names (doc 02 §3.9) ✓
idempotency:
Bundle A vocab seed via ON CONFLICT DO UPDATE ✓
Bundle B trigger create via DROP IF EXISTS + CREATE ✓
Bundle C function CREATE OR REPLACE ✓
Bundle D dot_config keys via ON CONFLICT DO UPDATE ✓
Bundle D allowed_marker_values UPDATE idempotent on final value ✓
Bundle E function CREATE OR REPLACE ✓
advisory_lock_namespace:
hashtext('iu_enact:'||iu_id::text) — unique prefix; no collision risk ✓
NULL_handling:
All optional parameters NULL-safe in fn_iu_enact body ✓
identity_profile JSON->> operator returns NULL safely ✓
txn_atomicity:
fn_iu_enact runs entirely in caller's transaction; advisory lock and
set_config(...,true) auto-clear at COMMIT/ROLLBACK ✓
return_shape_stability:
fn_iu_apply_edit_draft post-patch return shapes preserve all existing
status values; adds 'base_version_enacted' (new); callers handle via
default fall-through ✓
G4_verdict : PASS — static dependencies present; SECDEF + search_path safe;
cross-schema privileges adequate; idempotency contract sound;
return-shape stable.
2. Execution order (locked)
EXEC-SEQUENCE (one psql -U directus session with autocommit=False;
each TXN-N below is one BEGIN…COMMIT)
PHASE 0 — Pre-flight (read-only, see doc 04 §1)
- P0.1..P0.6 probes
- if any FAIL: ABORT → STOP → GPT/User
- if all PASS: proceed to PHASE 1
PHASE 1 — TXN-1 — Bundle A (vocab + log + grants)
BEGIN ;
-- doc 02 §1.1 CREATE TABLE iu_lifecycle_vocab
-- doc 02 §1.2 INSERT 4 rows ON CONFLICT DO UPDATE
-- doc 02 §1.3 CREATE TABLE iu_lifecycle_log
-- doc 02 §1.4 5 CREATE INDEX statements
-- doc 02 §1.5 8 GRANT SELECT + 1 REVOKE (defense)
COMMIT ;
- A.V1 / A.V2 / A.V3 probes (doc 04 §2.1)
- if any FAIL: Bundle A rollback (doc 04 §5.1); STOP → GPT/User
PHASE 2 — TXN-2 — Bundle B (immutability)
BEGIN ;
-- doc 02 §2.1 CREATE OR REPLACE FUNCTION fn_iu_enacted_immut()
-- doc 02 §2.2 DROP TRIGGER IF EXISTS + CREATE TRIGGER trg_iu_enacted_immut
-- doc 02 §2.3 CREATE OR REPLACE FUNCTION fn_uv_enacted_immut()
-- doc 02 §2.4 DROP TRIGGER IF EXISTS + CREATE TRIGGER trg_uv_enacted_immut
COMMIT ;
- B.V1 / B.V2 / B.V3 probes (doc 04 §2.2)
- if any FAIL: Bundle B rollback (doc 04 §5.2); STOP → GPT/User
PHASE 3 — TXN-3 — Bundle C (fn_iu_enact body)
BEGIN ;
-- doc 02 §3.1..3.17 CREATE OR REPLACE FUNCTION public.fn_iu_enact(...)
COMMIT ;
- C.V1 schema probe (doc 04 §2.3)
- C.V2 dry-run smoke (single SELECT inside BEGIN…ROLLBACK)
- if FAIL: Bundle C rollback (doc 04 §5.3); STOP → GPT/User
PHASE 4 — TXN-4 — Bundle D (policy + grants)
BEGIN ;
-- doc 02 §4.1 UPDATE allowed_marker_values
-- doc 02 §4.2 INSERT 8 iu_enact.* keys ON CONFLICT DO UPDATE
-- doc 02 §4.3 REVOKE EXECUTE FROM PUBLIC + GRANT EXECUTE TO cutter_exec
COMMIT ;
- D.V1 / D.V2 / D.V3 probes (doc 04 §2.4)
- if FAIL: Bundle D rollback (doc 04 §5.4); STOP → GPT/User
PHASE 5 — TXN-5 — Bundle E (fn_iu_apply_edit_draft patch)
-- capture pre-patch body as :backup_body in operational sidecar
BEGIN ;
-- doc 03 §3 CREATE OR REPLACE FUNCTION public.fn_iu_apply_edit_draft(...)
COMMIT ;
- E.V1 / E.V2 / E.V3 probes (doc 04 §2.5)
- if FAIL: Bundle E rollback (doc 04 §5.5) using :backup_body; STOP → GPT/User
PHASE 6 — Behavioral probe suite (post-execution, ROLLBACK-only)
- B-1..B-9 probes (doc 02 §12 + doc 03 §7 B-9)
- B-10 SKIPPED (requires Phase 7)
- if any FAIL: STOP → GPT/User (rollback decision is per-bundle
judgment call)
PHASE 7 — Fingerprint + report
- capture F-01..F-15 fingerprints (doc 04 §4)
- assemble verification_report template (doc 04 §7)
- upload to KB:
knowledge/dev/laws/dieu44-trien-khai/v0.5-lifecycle-enactment-execution/
<YYYY-MM-DD>-execution-report.md
- STOP → route to GPT/User for ruling on execution outcome
NOT included in this execution macro (separate later gate):
PHASE 8 — Author repo code:
cutter_agent/lifecycle_enact_adapter.py
cutprod_canonical.py enact sub-command
repo tests
git commit + (later) git merge to main
PHASE 9 — Author + publish iu-lifecycle-enactment-readme.md to KB
(this readme is drafted in §7 of THIS doc; final placement
is in PHASE 9)
PHASE 10 — Pre-Phase-7 prerequisite macro:
record a NEW cutter_governance.review_decision row for
"enact 60 ICX-CONST IUs" (leg-B style governed recording)
PHASE 11 — Phase 7: 60 fn_iu_enact calls (one tx per IU)
GATED ON SEPARATE SOVEREIGN RULING
3. Apply principal matrix (which role runs which statement)
PHASE 0 (pre-flight):
- context_pack_readonly OR directus (SELECT-only)
PHASE 1 (Bundle A):
- directus (owner of public; required for CREATE TABLE + GRANT)
PHASE 2 (Bundle B):
- directus (owner; required for CREATE FUNCTION + CREATE TRIGGER on public tables)
PHASE 3 (Bundle C):
- directus (CREATE FUNCTION; SECDEF function inherits directus owner)
PHASE 4 (Bundle D):
- directus (UPDATE dot_config; INSERT dot_config; GRANT/REVOKE on function)
PHASE 5 (Bundle E):
- directus (CREATE OR REPLACE on existing directus-owned function)
PHASE 6 (behavioral probes):
- cutter_exec (testing the new EXECUTE grant from Bundle D)
- context_pack_readonly OR directus for SELECT/observation
PHASE 7 (fingerprints + report):
- context_pack_readonly OR directus
apply_method:
- one psql -U directus -d directus < ddl-bundle-N.sql per TXN
- autocommit=False (CUT lesson L2)
- ON_ERROR_STOP=1 (so failures abort the script not silently skip)
- probe results captured to local logs + KB upload at PHASE 7
NOT used:
- workflow_admin (not needed for any bundle in this scope)
- cutter_verify (only used in observer mode)
- cutter_ro (no role mention; obsolete)
- 'incomex' / any business role (unrelated to lifecycle)
4. STOP conditions (execution macro must STOP and route to GPT/User)
STOP-1 Pre-flight P0.* FAIL :
- no DDL applies
- upload pre_flight_fail report to KB
- route to GPT/User with the specific probe that failed
STOP-2 Any in-flight probe FAIL after a Bundle commits :
- run the matching Bundle rollback IF the safety constraint
(doc 04 §5.*) is satisfied
- upload rollback_after_fail report to KB
- route to GPT/User
STOP-3 Any behavioral probe B-1..B-9 FAIL :
- DO NOT auto-rollback (the function/DDL exists correctly but
a probe semantic is off)
- capture full payload of the failing probe (status + jsonb)
- upload behavior_anomaly report to KB
- route to GPT/User for forward-fix decision
STOP-4 Unexpected error during DDL apply (e.g. lock timeout, syntax
rejection, network drop) :
- the transaction rolls back automatically (PostgreSQL guarantee)
- capture the error code + statement
- upload exec_error report to KB
- route to GPT/User
STOP-5 Pre-flight finds a NEW lifecycle object already in place
(e.g. someone authored fn_iu_enact between this macro and the
execution macro) :
- the macro must NOT silently REPLACE other people's work
- upload schema_drift report to KB
- route to GPT/User for reconciliation decision
STOP-6 Pre-flight finds the 60-ICX-CONST baseline has shifted
(e.g. some IU now lifecycle_status='enacted') :
- lifecycle has moved out from under the design's assumptions
- upload baseline_drift report to KB
- route to GPT/User
STOP-7 fn_iu_apply_edit_draft pre-patch md5 != 22875ce25b2e2d1751cc4f3d1757252e :
- the function body has changed since design; the patch in doc 03
may not apply cleanly
- upload patch_target_drift report to KB
- route to GPT/User
no_silent_continuation_rule:
- the execution macro NEVER continues past a FAIL without a fresh
sovereign ruling. There is no "best-effort" mode. Stale-state
advancement is a Pack 22-class antipattern.
5. Phase 7 — explicit separate-gate statement
SCOPE BOUNDARY :
The execution macro for THIS implementation authoring package
applies ONLY Bundles A..E (DDL + dot_config + grants + patch).
It does NOT:
- call public.fn_iu_enact() with p_dry_run=false on any IU
- flip any row from lifecycle_status='draft' to 'enacted'
- write any row into public.iu_lifecycle_log
- touch any of the 60 ICX-CONST IUs' data
Phase 7 — the actual 60-IU enactment — is a SEPARATE macro, separately
approved, with its OWN command-review package, that runs the
cutter_agent/lifecycle_enact_adapter.py.enact_batch(...) call after
a NEW cutter_governance.review_decision row has been recorded for
the enactment event.
Approval of this implementation-authoring package implies ONLY:
(a) authorization to AUTHOR the DDL/function bodies in KB ✓ (this
macro DID author them; they live in docs 02 and 03)
(b) authorization to RUN the execution macro that applies the
Bundles to production (Phase 1..7 above)
(c) NO authorization for Phase 7 (enactment) — that is a fresh ruling
PRE-PHASE-7 PREREQUISITES (must be satisfied before Phase 7 can fire):
PRE-P7-1 : Bundles A..E applied to production (this exec macro)
PRE-P7-2 : a NEW cutter_governance.review_decision row recorded for
"enact 60 ICX-CONST IUs" (DISTINCT from the CUT approval
row 29c88a7b-60f7-41bd-af45-43cc9b9f41c0)
PRE-P7-3 : cutter_agent/lifecycle_enact_adapter.py + 'enact' sub-command
merged to main and tested in CI
PRE-P7-4 : iu-lifecycle-enactment-readme.md published to KB
PRE-P7-5 : adapter.enact_batch(..., dry_run=True) over all 60 addresses
returns 60× status='plan_ok'
PRE-P7-6 : sovereign ruling on the Phase 7 execution package
6. Operator README (authored here; final placement at PHASE 9)
final_path : knowledge/dev/laws/dieu44-trien-khai/readme/iu-lifecycle-enactment-readme.md
status : authored (full body §7 below); NOT YET placed in KB
placement_macro : PHASE 9 (separate; ships alongside cutter_agent merge)
7. iu-lifecycle-enactment-readme.md — full body
# IU Lifecycle Enactment — README
> Nếu bạn thấy lỗi 'IU Gateway blocked' khi cố UPDATE lifecycle_status
> của information_unit hoặc unit_version: đọc tài liệu này.
> Status: enforced as of v0.5-M3a-2026-05-20 (Bundles A..E shipped).
---
## Quy tắc
**KHÔNG** direct INSERT/UPDATE/DELETE vào `public.information_unit` hoặc
`public.unit_version`. Mọi lifecycle transition phải đi qua canonical
function:
```sql
SELECT public.fn_iu_enact(
p_canonical_address text,
p_actor text,
p_review_decision_id uuid,
p_target_lifecycle text DEFAULT 'enacted',
p_change_set_id uuid DEFAULT NULL,
p_reason text DEFAULT NULL,
p_tool_revision text DEFAULT NULL,
p_dry_run boolean DEFAULT false
);
Pre-flight (dry-run TRƯỚC):
SELECT public.fn_iu_enact(
'ICX-CONST/DIEU-0',
'<actor>',
'<review_decision_id>',
'enacted',
NULL, '<reason>', '<tool_revision>',
true -- p_dry_run = true
);
-- expect status='plan_ok'; would_write_rows={1,1,1}
Sau đó:
SELECT public.fn_iu_enact(
'ICX-CONST/DIEU-0',
'<actor>',
'<review_decision_id>',
'enacted',
NULL, '<reason>', '<tool_revision>',
false -- p_dry_run = false
);
-- expect status='enacted' (or 'already_enacted' if idempotent re-call)
Vocab — public.iu_lifecycle_vocab
| code | name | sort |
|---|---|---|
| draft | Bản nháp | 10 |
| enacted | Đã ban hành | 20 |
| superseded | Bị thay | 30 |
| retired | Đã rút | 40 |
FSM transitions implemented now (enact):
draft → enacted
FSM transitions reserved (returns transition_not_yet_implemented
until follow-on macros author them):
draft → retired(futurefn_iu_retire)enacted → superseded(futurefn_iu_supersede)enacted → retired(futurefn_iu_retire)superseded → retired(futurefn_iu_retire)
All other transitions return fsm_denied.
Status return values
Success: enacted, superseded, retired, already_enacted,
already_superseded, already_retired, plan_ok
Refusal (no rows written): invalid_input, invalid_target_lifecycle,
iu_not_found, fsm_denied, invariant_failed,
review_decision_not_found, change_set_not_found,
transition_not_yet_implemented
Những điều KHÔNG được làm
- Không
UPDATE public.information_unit SET lifecycle_status=...trực tiếp → bịtrg_aa_iu_gateway_write_guardchặn. - Không
UPDATE public.unit_version SET lifecycle_status=...hoặcSET enacted_at=...trực tiếp → bịtrg_aa_uv_gateway_write_guardtrg_uv_enacted_immutchặn.
- Không tự
SET app.canonical_writer='fn_iu_enact'rồi UPDATE — marker là speed bump, không phải cấp quyền. Tự set marker = bypass có chủ đích, sẽ bị detector phát hiện (khi L3 ship). - Không UPDATE row đã enacted (body/title/identity/anchor): trigger
trg_iu_enacted_immut/trg_uv_enacted_immutsẽ raise. - Không DELETE row đã enacted: trigger sẽ raise.
- Không call
fn_iu_enactvớip_review_decision_idcủa CUT (29c88a7b-…) cho enactment thật — đó là approval của CREATION, không phải ENACTMENT. Phải có review_decision MỚI.
Bất biến sau khi enacted
Khi lifecycle_status='enacted':
- IU: không thể UPDATE canonical_address, unit_kind, owner_ref, version_anchor_ref, content_anchor_ref, identity_profile, parent_or_container_ref. Chỉ có thể UPDATE lifecycle_status → 'superseded' hoặc 'retired'.
- UV: không thể UPDATE body, title, description, content_profile, content_hash, unit_id, version_seq. Chỉ có thể UPDATE lifecycle_status → 'superseded' hoặc 'retired'.
- Không thể DELETE row đã enacted.
Để chỉnh sửa nội dung sau enactment: dùng supersede path (tạo version
mới qua fn_iu_create_edit_draft_for_supersede — backlog item).
Audit
Mọi enactment được ghi vào public.iu_lifecycle_log (UUID-keyed,
append-only, no UPDATE/DELETE bởi bất kỳ role nào). Soft-FK đến
cutter_governance.review_decision.review_decision_id (HARD REQUIRE)
và cutter_governance.cut_change_set.change_set_id (OPTIONAL).
Probe lịch sử:
SELECT to_status, from_status, transition_type, performed_at,
performed_by, review_decision_id, change_set_id, reason
FROM public.iu_lifecycle_log
WHERE canonical_address = 'ICX-CONST/DIEU-0'
ORDER BY performed_at DESC;
Adapter CLI
python -m cutprod_canonical enact \
--canonical-address-pattern 'ICX-CONST%' \
--actor 'ops:<id>' \
--review-decision-id '<new-rd-uuid>' \
--reason 'Phase 7 enactment of constitution snapshot' \
--tool-revision 'iu-enact@v0.5-M3a-2026-05-20' \
--dry-run \
--connection-provider-module 'cutter_agent.providers:default_provider'
Exit codes:
0: all-pass (or dry-run plan_ok for every IU)1: at least one IU returned non-success2: preflight aborted (gateway not configured, vocab missing)3: connection/auth failure4: forbidden boundary breached5: reserved
## 8. Phase 7 readiness checklist (for the future Phase 7 macro)
```yaml
Pre-Phase-7 checklist:
[ ] Bundles A..E applied via the execution macro of THIS package
[ ] verification_report uploaded with all probes PASS
[ ] cutter_agent/lifecycle_enact_adapter.py merged to main
[ ] cutprod_canonical.py 'enact' sub-command tested in CI
[ ] iu-lifecycle-enactment-readme.md published to KB
[ ] NEW cutter_governance.review_decision recorded for enactment
(governance_event_kind appropriate for enactment,
decided_by sovereign, verdict='approved')
[ ] (optional) NEW cutter_governance.cut_change_set linking the
60-IU enactment batch
[ ] adapter.enact_batch(addresses=[60 ICX-CONST],
dry_run=True,
review_decision_id=<new>)
returns 60× status='plan_ok'
[ ] sovereign ruling on Phase 7 execution package
9. G4 + G5 disposition
G4_static_tests_and_proofs : PASS — all static dependencies verified
G5_command_review_package : PASS — execution sequence locked,
STOP conditions defined,
README authored,
Phase 7 explicitly separate-gated
production_mutation : NONE
delivered:
- G4 static smoke probe (6 dependencies verified)
- G4 static review checklist (10 invariants)
- PHASE 0..7 execution sequence (5 TXN bundles + verify probes + report)
- apply principal matrix (directus for DDL; cutter_exec for behavioral)
- 7 STOP conditions
- Phase 7 separate-gate explicit statement
- Phase 9 readme authored (full body §7)
- Phase 7 readiness checklist (8 items)
next:
- G6 — final implementation authoring report
[[dot-iu-cutter-v0-5-06-final-implementation-authoring-report-2026-05-20]]
Related KB documents in this package:
- [[dot-iu-cutter-v0-5-01-live-recheck-and-scope-lock-2026-05-20]]
- [[dot-iu-cutter-v0-5-02-fn-iu-enact-ddl-package-2026-05-20]]
- [[dot-iu-cutter-v0-5-03-fn-iu-apply-edit-draft-patch-package-2026-05-20]]
- [[dot-iu-cutter-v0-5-04-verification-rollback-compensation-plan-2026-05-20]]
- [[dot-iu-cutter-v0-5-06-final-implementation-authoring-report-2026-05-20]]