dot-iu-cutter v0.5 — Pre-Scale Index Risk Review Note (authoring only) (2026-05-17)
Date: 2026-05-17 · Status: RISK REVIEW ONLY — nothing executed. Parent: index-ddl-draft.
1. Overall risk class
LOW–STANDARD. Purely additive secondary indexes; no data/column/constraint/semantic change; fully reversible by exact-name DROP INDEX. Tables are tiny today (1–2 rows) so the build itself is instant; CONCURRENTLY is specified for forward-correctness at scale.
2. Risk register
| ID | Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|---|
| R-1 | CIC cannot run in a txn; harness wraps it in BEGIN → error/no-op | Med (tooling) | Build fails / silent no-op | Execution cycle runs each statement standalone, autocommit; verification A-1/V-1 catches a missing index; explicit "no BEGIN" in the artefact |
| R-2 | CIC interrupted → INVALID index still consuming writes | Low | Slight write overhead; misleading state | V-2 (indisvalid AND indisready) + A-5 (zero INVALID) gate; rollback DROP INDEX CONCURRENTLY IF EXISTS removes it |
| R-3 | Wrong column/order or wrong table in an index | Low | Hot path still seq-scans | V-3/V-5 structural column+table assertions (catalog, not string) |
| R-4 | Partial predicate not used by planner (D-2) | Low | Index ignored for nullable refs | Predicate is IS NOT NULL; runtime query is col = $1 (non-null bind) which the planner treats as implying IS NOT NULL ⇒ partial is used; efficacy proven by EXPLAIN in dry-run-at-volume |
| R-5 | Verification false-negative via rendered-string compare | Low | Needless rollback of a good build | Verification is structural catalog only; pg_get_indexdef recorded, never gating (explicit prior lesson) |
| R-6 | Name collision with an existing index | None (checked) | — | Grounded: none of the 7 names exist on the 6 target tables; IF NOT EXISTS additionally guards |
| R-7 | Lock contention on production during CIC | Low | Brief; SHARE UPDATE EXCLUSIVE allows DML; blocks only concurrent DDL | Tiny tables today (instant); at scale CIC is the online-safe choice; schedule in a quiet window per the execution cycle |
| R-8 | Scope creep (a non-index object slips in) | Low | Boundary breach | Artefact is index-only; verification A-2 asserts zero trigger/func/policy/constraint/column delta |
| R-9 | Index adds write amplification | Low | Marginal per-row write cost on the cut/verify path | Accepted/intended trade for O(n²)→O(log n) read at document scale; 7 small indexes; revisit via dry-run-at-volume timing |
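One way to express the structural checks named in R-2, R-3 and R-5 against the PostgreSQL catalog, as an added example rather than the project's own verification SQL. The schema, table, index and column names in the expected list are hypothetical placeholders; pg_get_indexdef is selected for the record only and is never compared.

```sql
-- Added example: structural catalog checks. All names in "expected" are
-- hypothetical placeholders, not the project's tables or indexes.
WITH expected (schema_name, table_name, index_name, key_columns, is_partial) AS (
    VALUES
      ('public', 'example_table_a', 'example_idx_a', ARRAY['col_x']::text[], false),
      ('public', 'example_table_b', 'example_idx_b', ARRAY['ref_col']::text[], true)
),
actual AS (
    SELECT n.nspname AS schema_name,
           t.relname AS table_name,
           c.relname AS index_name,
           i.indisvalid,
           i.indisready,
           i.indpred IS NOT NULL AS is_partial,
           -- Key columns in index order, resolved by attnum. Expression keys
           -- have attnum 0 and surface as NULL, so they cannot pass as a column.
           ARRAY(
             SELECT a.attname::text
             FROM unnest(i.indkey::int2[]) WITH ORDINALITY AS k(attnum, ord)
             LEFT JOIN pg_attribute a
               ON a.attrelid = i.indrelid AND a.attnum = k.attnum
             WHERE k.ord <= i.indnkeyatts
             ORDER BY k.ord
           ) AS key_columns,
           pg_get_indexdef(i.indexrelid) AS indexdef_recorded  -- logged, not compared
    FROM pg_index i
    JOIN pg_class c     ON c.oid = i.indexrelid
    JOIN pg_class t     ON t.oid = i.indrelid
    JOIN pg_namespace n ON n.oid = c.relnamespace
)
SELECT e.index_name,
       a.index_name IS NOT NULL                        AS present_on_table,
       COALESCE(a.indisvalid AND a.indisready, false)  AS valid_and_ready,
       COALESCE(a.key_columns = e.key_columns, false)  AS columns_match,
       COALESCE(a.is_partial = e.is_partial, false)    AS partial_match,
       a.indexdef_recorded
FROM expected e
LEFT JOIN actual a
  ON  a.schema_name = e.schema_name
  AND a.table_name  = e.table_name
  AND a.index_name  = e.index_name
ORDER BY e.index_name;

-- Sweep for leftovers of an interrupted CONCURRENTLY build; expect zero rows.
SELECT i.indexrelid::regclass AS index_name, i.indrelid::regclass AS table_name
FROM pg_index i
WHERE NOT i.indisvalid OR NOT i.indisready;
```

A gate would require every boolean column in the first result to be true for every expected row; a missing index shows as present_on_table = false, which is also how a silent no-op from R-1 would surface.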
3. Residual risk
After mitigations: residual = LOW. The only material operational nuance is the CIC transaction model (R-1/R-2), fully documented and gated. No data-loss path exists (additive, reversible). The change is a prerequisite that reduces the dominant scale risk (the O(n²) hot paths) rather than introducing one.
4. Out-of-scope / forbidden (reaffirmed)
No index execution · no dry-run execution · no production write · no CUT/VERIFY · no second IU / bulk · no label registry · no tier-normalization write · no JSONB normalization · no vector/NoSQL · no deploy/restart · no alias writes · no code change · no commit.
Boundaries / Git
Risk review only. Git main · e93424b5ff7fa5e4b8406131977ce4339cd0856a · clean (0 lines). No hardcoding; SQL=SSOT. Next = GPT review.