KB-180D

dot-iu-cutter v0.5 — Production Bridge · Verification / Rollback / Backup Plan (doc 6)

Revision 1


doc 6 of 7 · 2026-05-19 · DESIGNED, not executed. Applies at the gated U-W5 production CUT, after U-W4b/c/d + the C5 sovereign approval. Supersedes W-4 doc 5 with the resolved single-DB ledger location.

0. Open decision GD-1 (must be ruled before U-W4b)

GD-1 GRANT apply principal: public.information_unit/unit_version/dot_config are
  owned by `directus`; cutter_governance is owned by `workflow_admin`. The
  doc-2 GRANTs on public.* must be issued by the table owner (`directus`) or a
  superuser/owner path. WS-Q5 precedent used `workflow_admin` as the privileged
  apply role for cutter_governance DDL. Sovereign must rule the exact apply
  principal for the public.* GRANT before U-W4b. (No ledger GRANT is needed —
  already correct.) Recommendation: apply as the owner/privileged path that
  prior content-table privilege changes used; record it in the U-W4b log.

1. Prechecks — fail-closed (ALL pass before any production write)

PC-0 C5 sovereign production-write approval doc present (KB id) AND
     GD-1 ruled AND U-W4b/U-W4c/U-W4d CLOSED.
PC-1 repo branch feature/constitution-snapshot-mark-dryrun · HEAD = the
     ratified prod-composer commit · tree clean · cutwrite.py sha
     31ce88dc… (writer logic byte-unchanged).
PC-2 input identity: manifest file sha 7d56f3ce… · digest 9d908a62… ·
     candidate_count 60 · source_version icxconst-008a06… · region 17660443… ;
     recompute; any mismatch ⇒ ABORT.
PC-3 writer determinism: writer_digest == d99a31d4… (recomputed by the pure
     cutwrite factory).
PC-4 LIVE drift re-verify (read-only, SAME session as the write, immediately
     before the txn): information_unit 19 cols · unit_version 16 cols ·
     4 IU constraints (PK id, UNIQUE canonical_address, FK version_anchor_ref→
     unit_version(id) DEFERRABLE INITIALLY DEFERRED, trg_iu_birth_gate_layer2
     DEFERRED) · unit_version PK/UNIQUE(unit_id,version_seq)/FK unit_id ·
     md5(fn_iu_birth_gate_layer1)=f38c94d0043a61507a8c2e85afd59998 ·
     md5(fn_iu_birth_gate_layer2)=078ba0051ce4d894cabcc0102c4320f8 ·
     dot_config vocab keys present (unit_kind.law_unit ;
     section_type.{principle,section,article} ; publication_type.law) ;
     any mismatch ⇒ ABORT, zero writes.  (All values RE-VERIFIED PASS read-only
     this phase — current drift baseline confirmed.)
PC-5 G-CUT-ONCE pre-existence: SELECT count(*) FROM public.information_unit WHERE
     canonical_address LIKE 'ICX-CONST%' returns 0 (live = 0 this phase) AND no
     cut_change_set exists for digest 9d908a62… . Non-zero ⇒ NO-OP exit 0.
PC-6 principal: post-connect current_user == 'cutter_exec'; reject cutter_ro/
     workflow_admin/directus/postgres. Grants present on public.* (U-W4b done):
     cutter_exec SELECT,INSERT info_unit + UPDATE(2 anchor cols) + SELECT,INSERT
     unit_version + SELECT dot_config; cutter_verify SELECT info_unit/unit_version.
PC-7 FRESH BACKUP (see §2) ≤ 60 min, restorability verified, checksum logged.
PC-8 no DB env leakage; secret only from approved .env; never argv/logs/KB.
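The fail-closed gate PC-0..PC-8 describe, as an added example (not the project's cutwrite.py): a pure function that takes the read-only observations of one session and returns PROCEED, NO-OP or ABORT, with ABORT dominating the G-CUT-ONCE no-op so a drifted database is never mistaken for an already-cut one. The observation keys, the probe SQL and the tails of the truncated digests are assumptions; the baseline numbers, md5 values, vocab keys and principal name are the ones listed in PC-2/PC-4/PC-6.

```python
"""Fail-closed precheck gate for the U-W5 production cut.

Added example, not the project's cutwrite.py. Assumption: a read-only probe in
the same session collects the observations below into a dict; the gate itself
is pure so it can be exercised offline. The probe SQL is illustrative."""
from __future__ import annotations

from enum import Enum


class Verdict(Enum):
    PROCEED = "PROCEED"        # all PC-0..PC-8 clean
    NOOP = "NOOP_EXIT_0"       # G-CUT-ONCE: digest already cut
    ABORT = "ABORT"            # fail-closed, zero writes


# Expected baseline copied from PC-2 / PC-4 / PC-6. Digests the plan shows
# truncated ("9d908a62…") are compared by the visible prefix.
EXPECTED = {
    "iu_cols": 19,
    "uv_cols": 16,
    "iu_constraints": 4,
    "fn_layer1_md5": "f38c94d0043a61507a8c2e85afd59998",
    "fn_layer2_md5": "078ba0051ce4d894cabcc0102c4320f8",
    "vocab_keys": {
        "unit_kind.law_unit", "section_type.principle", "section_type.section",
        "section_type.article", "publication_type.law",
    },
    "manifest_digest_prefix": "9d908a62",
    "writer_digest_prefix": "d99a31d4",
    "candidate_count": 60,
}
ALLOWED_PRINCIPAL = "cutter_exec"
BACKUP_MAX_AGE_MIN = 60

# Illustrative read-only probes (assumed; the plan does not say how its md5
# values were produced, so the function-body probe is a guess).
SQL_PROBES = {
    "iu_cols": "SELECT count(*) FROM information_schema.columns "
               "WHERE table_schema = 'public' AND table_name = 'information_unit'",
    "fn_layer1_md5": "SELECT md5(prosrc) FROM pg_proc WHERE proname = 'fn_iu_birth_gate_layer1'",
    "current_user": "SELECT current_user",
    "preexisting": "SELECT count(*) FROM public.information_unit "
                   "WHERE canonical_address LIKE 'ICX-CONST%'",
}


def gate(obs: dict) -> tuple[Verdict, list[str]]:
    """Return (verdict, reasons). Every failed check is recorded; ABORT wins
    over NOOP, and NOOP is only reached once every other check is clean."""
    fails: list[str] = []

    # PC-0: approvals and closed predecessor steps.
    for k in ("c5_approval_present", "gd1_ruled", "uw4b_closed", "uw4c_closed", "uw4d_closed"):
        if not obs.get(k, False):
            fails.append(f"PC-0 {k} missing")

    # PC-2 / PC-3: input identity and writer determinism.
    if not str(obs.get("manifest_digest", "")).startswith(EXPECTED["manifest_digest_prefix"]):
        fails.append("PC-2 manifest digest mismatch")
    if obs.get("candidate_count") != EXPECTED["candidate_count"]:
        fails.append("PC-2 candidate_count mismatch")
    if not str(obs.get("writer_digest", "")).startswith(EXPECTED["writer_digest_prefix"]):
        fails.append("PC-3 writer_digest mismatch")

    # PC-4: live drift baseline.
    for k in ("iu_cols", "uv_cols", "iu_constraints", "fn_layer1_md5", "fn_layer2_md5"):
        if obs.get(k) != EXPECTED[k]:
            fails.append(f"PC-4 drift: {k}")
    missing_vocab = EXPECTED["vocab_keys"] - set(obs.get("vocab_keys", ()))
    if missing_vocab:
        fails.append(f"PC-4 drift: vocab keys missing {sorted(missing_vocab)}")

    # PC-6: principal (anything other than cutter_exec is rejected).
    if obs.get("current_user") != ALLOWED_PRINCIPAL:
        fails.append(f"PC-6 principal {obs.get('current_user')!r} != {ALLOWED_PRINCIPAL!r}")

    # PC-7: backup gate (fresh, restorability verified).
    if not (obs.get("backup_restore_verified") and obs.get("backup_age_min", 10**9) <= BACKUP_MAX_AGE_MIN):
        fails.append("PC-7 backup gate not clean")

    if fails:
        return Verdict.ABORT, fails

    # PC-5 / G-CUT-ONCE: consulted only after everything else passed.
    if obs.get("preexisting", 0) != 0 or obs.get("ledger_change_set_exists", False):
        return Verdict.NOOP, ["PC-5 digest already cut; no-op exit 0"]
    return Verdict.PROCEED, []


def clean_observation() -> dict:
    """Constructed sample observation that satisfies every precheck."""
    return {
        "c5_approval_present": True, "gd1_ruled": True,
        "uw4b_closed": True, "uw4c_closed": True, "uw4d_closed": True,
        "manifest_digest": "9d908a62" + "0" * 56,   # constructed tail
        "candidate_count": 60,
        "writer_digest": "d99a31d4" + "0" * 56,     # constructed tail
        "iu_cols": 19, "uv_cols": 16, "iu_constraints": 4,
        "fn_layer1_md5": EXPECTED["fn_layer1_md5"],
        "fn_layer2_md5": EXPECTED["fn_layer2_md5"],
        "vocab_keys": set(EXPECTED["vocab_keys"]),
        "current_user": "cutter_exec",
        "backup_restore_verified": True, "backup_age_min": 12,
        "preexisting": 0, "ledger_change_set_exists": False,
    }


if __name__ == "__main__":
    verdict, reasons = gate(clean_observation())
    print(verdict.value, reasons)
```

The ordering is the point: a non-zero ICX-CONST count only yields the NO-OP exit when the drift, principal and backup gates have already passed, so a mismatch is always reported as ABORT rather than quietly absorbed as "already cut".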

2. Backup requirement (mandatory, mirrors v0.4 C_01)

scope: fresh logical backup of public.information_unit + public.unit_version
  AND the cutter_governance ledger tables written by leg B (cut_change_set,
  cut_change_set_affected_row, dot_pair_signature, decision_backlog_entry,
  decision_backlog_history, manifest_envelope, manifest_unit_block) of the
  directus DB — single DB, single backup. Taken read-only by an authorized
  operator BEFORE the write, age ≤ 60 min, restorability verified, sha recorded.
  CUT ABORTS if the backup gate is not clean. (v0.4 precedent backup sha
  da4e15e6… retained as historical disaster backstop, not a substitute.)

3. Verification after CUT (VW-1..VW-10; cutter_verify / DOT-992, SoD)

VW-1  exactly 60 information_unit + 60 unit_version for digest 9d908a62…
VW-2  0 IU for Điều 44 / draft / obsolete (DIEU-44 absent)
VW-3  100% IU.identity_profile.provenance + unit_version.content_profile bind
      icxconst-008a06… + manifest 9d908a62… + region 17660443… + span_sha256
VW-4  every canonical_address ∈ ratified 60, VERBATIM, UNIQUE
VW-5  sha256(unit_version.body) == content_hash == span_sha256 ∀ 60
VW-6  coverage ≡ cut-plan candidates; levels NT15/KT3/DIEU42
VW-7  every IU passed L1+L2; version_anchor_ref/content_anchor_ref consistent
VW-8  parent_or_container_ref per OD-W3 (flat ⇒ all top-level NULL; count 60)
VW-9  1 cut_change_set (content_hash==digest) + 1 DOT-991 executor
      dot_pair_signature (cross-ref change_set_id ONLY, NOT verify_result_id;
      signer_dot_id DOT-991) + decision_backlog_history transition;
      lane-overlap invariants hold (badxor=0, swapped=0, both_null=0,
      both_non_null=0 — v0.4 acceptance bar)
VW-10 idempotency: re-run of digest ⇒ NO new rows; writer_digest stable d99a31d4…
verdict: VERIFIED_COMPLETE iff VW-1..VW-10 PASS, run by cutter_verify/DOT-992
  (NEVER the executor). Any fail ⇒ VERIFY_FAILED_ESCALATED ⇒ STOP + §4.
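The post-cut checks run over fetched rows, as an added example (not the project's cutter_verify tooling): VW-1, VW-2, VW-4, VW-5, VW-7, VW-8 and VW-9 are evaluated on in-memory rows and the SoD rule rejects DOT-991 as verifier. Rows are dicts keyed by the column names the plan uses; that lifecycle_status carries the draft/obsolete states, the constructed addresses and the digest tail are assumptions. VW-3, VW-6 and VW-10 are left out because they need the live composer and a second run.

```python
"""Post-cut verification (§3) over fetched rows, with the SoD rule applied.

Added example, not the project's cutter_verify tooling. Assumptions: rows are
dicts keyed by the column names the plan uses; lifecycle_status carries the
draft/obsolete states; VW-3, VW-6 and VW-10 are omitted (they need the live
composer and a re-run)."""
from __future__ import annotations

import hashlib

EXECUTOR_DOT = "DOT-991"
VERIFIER_DOT = "DOT-992"
EXPECTED_COUNT = 60


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify(iu_rows, uv_rows, ratified, manifest_digest, ledger, verifier_dot):
    """Return (verdict, {check: passed}). VERIFIED_COMPLETE only when every
    check passes; otherwise VERIFY_FAILED_ESCALATED (STOP, route to §4)."""
    res = {}
    # SoD: the executor (DOT-991) never verifies its own cut.
    res["SoD"] = verifier_dot == VERIFIER_DOT
    # VW-1: exactly 60 units and 60 versions.
    res["VW-1"] = len(iu_rows) == EXPECTED_COUNT and len(uv_rows) == EXPECTED_COUNT
    # VW-2: nothing for Dieu 44 and no draft/obsolete units.
    res["VW-2"] = not any(
        "DIEU-44" in r["canonical_address"] or r["lifecycle_status"] in ("draft", "obsolete")
        for r in iu_rows)
    # VW-4: addresses are exactly the ratified set, verbatim and unique.
    addrs = [r["canonical_address"] for r in iu_rows]
    res["VW-4"] = set(addrs) == set(ratified) and len(addrs) == len(set(addrs))
    # VW-5: body hash == content_hash == span_sha256 for every version.
    res["VW-5"] = all(
        sha256_hex(v["body"]) == v["content_hash"] == v["span_sha256"] for v in uv_rows)
    # VW-7: each version_anchor_ref resolves to a version belonging to that unit.
    uv_by_id = {v["id"]: v for v in uv_rows}
    res["VW-7"] = all(
        r["version_anchor_ref"] in uv_by_id
        and uv_by_id[r["version_anchor_ref"]]["unit_id"] == r["id"]
        for r in iu_rows)
    # VW-8: flat cut, every parent_or_container_ref NULL.
    res["VW-8"] = all(r["parent_or_container_ref"] is None for r in iu_rows)
    # VW-9: one change set bound to the digest, one executor signature that
    # cross-references change_set_id only (verify_result_id stays NULL).
    cs, sig = ledger["cut_change_set"], ledger["dot_pair_signature"]
    res["VW-9"] = (
        len(cs) == 1 and cs[0]["content_hash"] == manifest_digest
        and len(sig) == 1 and sig[0]["signer_dot_id"] == EXECUTOR_DOT
        and sig[0]["change_set_id"] == cs[0]["id"] and sig[0]["verify_result_id"] is None)
    verdict = "VERIFIED_COMPLETE" if all(res.values()) else "VERIFY_FAILED_ESCALATED"
    return verdict, res


def build_sample(count: int = EXPECTED_COUNT):
    """Constructed fixture: count consistent unit/version pairs plus a minimal ledger."""
    digest = "9d908a62" + "0" * 56                     # constructed tail of the plan's digest
    ratified = [f"ICX-CONST/unit-{i:03d}" for i in range(1, count + 1)]  # constructed
    iu, uv = [], []
    for i, addr in enumerate(ratified, start=1):
        body = f"constructed body of unit {i}"
        h = sha256_hex(body)
        uv.append({"id": 1000 + i, "unit_id": i, "version_seq": 1,
                   "body": body, "content_hash": h, "span_sha256": h})
        iu.append({"id": i, "canonical_address": addr, "lifecycle_status": "active",
                   "version_anchor_ref": 1000 + i, "parent_or_container_ref": None})
    ledger = {
        "cut_change_set": [{"id": 1, "content_hash": digest}],
        "dot_pair_signature": [{"signer_dot_id": EXECUTOR_DOT, "change_set_id": 1,
                                "verify_result_id": None}],
    }
    return iu, uv, ratified, digest, ledger


if __name__ == "__main__":
    iu, uv, ratified, digest, ledger = build_sample()
    print(verify(iu, uv, ratified, digest, ledger, VERIFIER_DOT))
```

Each check is reported separately so an escalation record can name the failing VW item; the verdict itself is all-or-nothing, matching "VERIFIED_COMPLETE iff VW-1..VW-10 PASS".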

4. Rollback / compensation doctrine

in-txn failure (L1/L2 raise, drift, principal/grant fail, digest mismatch):
  single atomic txn ABORT ⇒ zero rows (no partial cut, no orphan unit_version).
post-commit fault: FORWARD-COMPENSATION ONLY (cutter_verify/DOT-992):
  superseding unit_version (version_seq+1) and/or lifecycle_status change +
  governed escalation record; NEVER physical DELETE/TRUNCATE of
  information_unit/unit_version. (Forward-comp WRITE grants for cutter_verify on
  public.* are a SEPARATE later gated package — NOT in the doc-2 bridge GRANT.)
G-CUT-ONCE: retry of the same digest after a rolled-back txn ⇒ no-op.
source/snapshot immutable & pinned (9d908a62… / 17660443…); "restore" =
  re-derive from the pinned manifest via the pure factory, never hand-edit rows.
backup (§2) = last-resort operator-restore path, not an app DELETE path.
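Forward compensation as §4 describes it, as an added example (not the project's code): the only correction path appends a superseding unit_version at version_seq+1 and optionally moves the unit's lifecycle_status, while the delete path does nothing but raise. Row columns follow the plan; the escalation record's fields, the re-pointing of version_anchor_ref to the new version, and the sample lifecycle values are assumptions.

```python
"""Forward compensation after a committed fault (§4): supersede, never delete.

Added example, not the project's code. Assumes unit_version / information_unit
rows as dicts with the columns the plan names; the escalation record's fields
and the anchor re-pointing are assumed."""
from __future__ import annotations

import hashlib

VERIFIER_DOT = "DOT-992"


class RollbackViolation(RuntimeError):
    """Raised on any attempt to physically remove content rows."""


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def delete_versions(uv_rows, unit_id):
    """There is no DELETE path under the doctrine; the only behaviour is to refuse."""
    raise RollbackViolation(
        f"DELETE of unit_version rows for unit {unit_id} is prohibited; use compensate()")


def compensate(iu_rows, uv_rows, unit_id, corrected_body, reason,
               actor=VERIFIER_DOT, lifecycle_status=None):
    """Append a superseding unit_version (version_seq + 1), optionally change the
    unit's lifecycle_status, and return the governed escalation record.
    The faulty version stays in place and UNIQUE(unit_id, version_seq) holds."""
    if actor != VERIFIER_DOT:
        raise PermissionError("forward compensation is a cutter_verify/DOT-992 action")
    mine = [v for v in uv_rows if v["unit_id"] == unit_id]
    if not mine:
        raise ValueError(f"unit {unit_id} has no version to supersede")
    seq = max(v["version_seq"] for v in mine) + 1
    h = sha256_hex(corrected_body)
    new = {"id": max(v["id"] for v in uv_rows) + 1, "unit_id": unit_id,
           "version_seq": seq, "body": corrected_body,
           "content_hash": h, "span_sha256": h}
    uv_rows.append(new)
    for r in iu_rows:
        if r["id"] == unit_id:
            r["version_anchor_ref"] = new["id"]      # assumed: anchor follows the new version
            if lifecycle_status is not None:
                r["lifecycle_status"] = lifecycle_status
    return {"unit_id": unit_id, "superseded_seq": seq - 1, "new_seq": seq,
            "actor": actor, "reason": reason}


def build_sample():
    """Constructed fixture: one unit with one committed version."""
    body = "constructed body, contains a fault"
    h = sha256_hex(body)
    uv = [{"id": 1001, "unit_id": 1, "version_seq": 1, "body": body,
           "content_hash": h, "span_sha256": h}]
    iu = [{"id": 1, "canonical_address": "ICX-CONST/unit-001",   # constructed address
           "lifecycle_status": "active", "version_anchor_ref": 1001}]
    return iu, uv


if __name__ == "__main__":
    iu, uv = build_sample()
    print(compensate(iu, uv, 1, "constructed corrected body", "post-commit fault"))
```

After compensation the history for the unit has two rows with distinct version_seq values and the original body is still readable, which is exactly what an operator needs when reconstructing what was cut; a backup restore (§2) remains a separate, operator-only path.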

5. STOP conditions (any ⇒ STOP, preserve evidence, route GPT/User)

- GD-1 unruled · any of U-W4b/c/d open · no C5 sovereign approval
- manifest/region/writer-digest mismatch · live drift (L1/L2 md5, cols,
  constraints, vocab) · ICX-CONST pre-existence != 0
- principal != cutter_exec · any required grant missing
- backup gate not clean · any secret-logging risk
- any DELETE/TRUNCATE attempt · DOT-991/992 lane/reference mismatch
- any request to deploy/restart/merge/push/tag or to self-advance to execution

doc 6 of 7. Design only. No production mutation. Self-advance PROHIBITED.
