dot-iu-cutter v0.5 — Pre-Scale Index Verification Plan

Date: 2026-05-17 · Status: PLAN ONLY — defines how a future authorized index cycle is judged. Nothing executed. Parent: index-ddl-draft.

1. Principle (mandated)

Verification uses structural catalog checks, never rendered-string compare. Do NOT gate on pg_get_indexdef() text equality (prior false-negative lesson: rendered defs vary by schema-qualification/whitespace). Gate on pg_index / pg_class / pg_am / pg_attribute / pg_namespace structural facts. pg_get_indexdef() may be recorded for the report, never used as a pass/fail predicate.

2. Expected baseline (grounded today; re-assert at run time)

• Indexes on the 6 target tables now = 8 (all PK/unique); post = 8 + 7 = 15.
• Row counts (single-trial): decision_backlog_entry=1, manifest_envelope=1, review_decision=1, cut_change_set=1, verify_result=1, dot_pair_signature=2 — must be unchanged after (index build mutates no data).

3. Per-index structural assertions (all 7)

For each proposed index I on table T, columns C[], optional partial predicate P:

Gate	Structural check (catalog)	Pass
V-1 exists	pg_class c JOIN pg_namespace n where n.nspname='cutter_governance' AND c.relkind='i' AND c.relname=I	exactly 1
V-2 valid & ready	pg_index.indisvalid AND pg_index.indisready for I's oid	both true (no INVALID leftover from a failed CIC)
V-3 right table	pg_index.indrelid = cutter_governance.T::regclass oid	match
V-4 method btree	pg_class(index).relam = pg_am.oid where amname='btree'	btree
V-5 columns & order	map pg_index.indkey → pg_attribute.attname in order	equals C[] exactly (e.g. {status,emitted_at,entry_id})
V-6 partiality	pg_index.indpred IS NOT NULL iff I is one of the 3 partial; for partial, pg_get_expr(indpred,indrelid) recorded and asserted to reference the expected column IS NOT NULL (structural: predicate present + on expected attno)	matches expected (partial for idx_ccs_dbe_id / idx_dps_xref_cs / idx_dps_xref_vr; non-partial for the other 4)
V-7 not unique / not PK / not exclusion	NOT pg_index.indisunique AND NOT indisprimary AND NOT indisexclusion	all true (additive secondary only)
V-8 not a constraint	no pg_constraint row with conindid = I's oid	none (index-only, no constraint created)

4. Aggregate (additive-only) assertions

• A-1 count delta: index count on the 6 tables == baseline + 7 (exactly; no fewer, no extra).
• A-2 zero schema drift: column set of all 12 cutter_governance tables == pre (no column/type/nullability change); pg_constraint set unchanged; no trigger/function/policy/default-privilege added (pg_trigger/pg_proc/pg_policy/pg_default_acl deltas = 0).
• A-3 zero data drift: row count of every target table == pre; (optional) a stable content hash of the trial rows unchanged.
• A-4 names deterministic: the 7 names are exactly idx_dbe_status_emitted_keyset, idx_me_source_doc_ref, idx_rd_manifest_id, idx_ccs_dbe_id, idx_vr_change_set_id, idx_dps_xref_cs, idx_dps_xref_vr — no auto-generated suffix.
• A-5 no INVALID indexes anywhere in cutter_governance (pg_index.indisvalid=false count = 0).

5. Functional efficacy (in the later dry-run-at-volume env only — not production gating here)

At volume, EXPLAIN (plan only, no ANALYZE side-effects needed) the 7 runtime predicates → assert Index Scan / Index Only Scan / Bitmap Index Scan on the expected index, not Seq Scan. Specifically the SWEEP plan uses idx_dbe_status_emitted_keyset for both filter and (emitted_at, entry_id) ordering (no Sort node). This is an efficacy check for the dry-run-at-volume phase; the index correctness gate is the structural §3/§4.

6. Verdict rule

PASS iff: every index V-1…V-8 PASS, A-1…A-5 PASS. Any structural failure ⇒ STOP + (rollback-plan) + honest report. A suspected harness false-negative must be proven structurally before any rollback decision (no "self-check flips a good run").

Boundaries / Git

Plan only — nothing executed. Git main · e93424b5ff7fa5e4b8406131977ce4339cd0856a · clean (0 lines). No hardcoding; SQL=SSOT; no vector/NoSQL. Next = GPT review.