dot-iu-cutter v0.5 — Writer Open Decisions + Risk Register

doc 4 of 5 · 2026-05-19 · decisions GPT/User must rule before writer code-authoring (W-3).

1. Open decisions (each blocks W-3 code authoring until ruled)

OD-W1 NGUYEN_TAC / KIEN_TRUC_SECTION granularity (N-2):
  options: (a RECOMMENDED) all 60 become information_unit rows, unit_kind=law_unit,
    differentiated by primary_section_type_ref (principle/section/article) +
    parent_or_container_ref hierarchy — keeps cardinality 60 + reconstruction closure;
    (b) NGUYEN_TAC/KIEN_TRUC as container IU rows only; (c) exclude NGUYEN_TAC/KIEN_TRUC
    from IU, cut 42 DIEU only — CONTRADICTS pinned candidate_count==60 (I-4); needs an
    explicit invariant-change ruling. Recommendation: (a).
OD-W2 DIEU unit_kind: recommended "law_unit" (in vocab; matches 86 existing law rows).
  Alternative dedicated kind (e.g. constitution_article) ⇒ requires a separately gated
  dot_config vocab seed. Recommendation: law_unit (no new seed).
OD-W3 parent/container representation: parent_or_container_ref (uuid → information_unit.id)
  per the manifest address path; doc-root container IU vs NULL-parent for top NGUYEN_TAC.
  Decision: confirm whether a synthetic ICX-CONST doc-root IU is created (1 extra row,
  would change count to 61) or top-level units carry NULL parent (keeps 60). Rec: NULL
  parent for top-level, NO synthetic root ⇒ count stays 60.
OD-W4 canonical_address: keep manifest ICX-CONST/<path> VERBATIM (N-4). Confirm no
  Directus-collection-style re-addressing. Recommendation: verbatim (no transform).
OD-W5 idempotency/collision: OD-1 key (source_version_id, canonical_address, content_hash)
  + UNIQUE(canonical_address) + a persisted per-IU idempotency ledger + pre-existence
  check keyed on manifest_digest. Confirm the ledger table/location for the writer.
OD-W6 vocab dot_config: under the recommended mapping NO seed is required (law_unit /
  article|principle|section / law / incomex_council all already present). Confirm: is the
  mapping accepted as-is, or does GPT want different vocab (⇒ separately gated seed = a
  production write, its own approval)?
OD-W7 signing / credential: writer runs under cutter_exec principal + DOT-991 lane; real
  signing scheme is the deferred HIGH-risk crypto workstream (v0.4 = Stub/Deferred).
  Decide: production signing built before W-3, or W-3 authors a no-prod writer first
  (DB-isolated dry-run against a scratch schema) then credential cycle, then prod.
OD-W8 lifecycle_status / conformance_status values: recommended enacted / open. Confirm
  the governance-correct values for an enacted Constitution unit.
OD-W9 title / body source: title from the manifest unit heading; body = the byte-pinned
  snapshot text slice by source_span. Confirm the manifest carries (or the writer derives
  deterministically from the pinned region) a usable title + body per unit.

2. Risk register (writer track)

R-W1 wrong granularity (OD-W1) ⇒ cardinality ≠ 60 / reconstruction broken.
  mitigation: recommended option (a) preserves I-4 + 308 reconstruction; VERIFY VR-1/VR-6.
  residual: LOW once OD-W1 ruled.
R-W2 birth-gate REJECT at runtime (missing identity_profile field / vocab miss).
  mitigation: §3 mapping uses only seeded vocab; a no-prod DB-isolated dry-run against a
  scratch schema validates L1/L2 before any production attempt. residual: MEDIUM until
  the writer is built+dry-run-proven.
R-W3 collision / double-cut (UNIQUE(canonical_address)).
  mitigation: pre-existence check + OD-1 idempotency ledger + single atomic txn +
  G-CUT-ONCE. residual: LOW by design.
R-W4 partial cut (some of 60 inserted, then abort).
  mitigation: ONE atomic txn, deferred L2 at COMMIT ⇒ all-or-nothing. residual: LOW.
R-W5 Điều 44 / draft / obsolete leakage.
  mitigation: writer consumes ONLY cutplan candidates[] (Điều 44 already excluded,
  --exclude-dieu-44 enforced upstream); VERIFY VR-2. residual: LOW.
R-W6 provenance drift (IU not bound to pinned source_document_version / manifest digest).
  mitigation: identity_profile.provenance + content_profile bind icxconst-008a06… +
  9d908a62… + span_sha256; VERIFY VR-3. residual: LOW.
R-W7 signing/credential not ready ⇒ premature production attempt.
  mitigation: OD-W7; cli/db_adapter refuse production; W-3 builds a DB-isolated dry-run
  writer first; production CUT gated at W-5 with separate write approval. residual: LOW.
R-W8 vocab/schema drift between design and W-3 authoring.
  mitigation: W-3 must re-confirm schema + vocab read-only at authoring time
  (this brief's facts are 2026-05-19 read-only snapshots). residual: LOW.
overall_writer_track_risk: MEDIUM-HIGH (first irreversible governed production write) —
  must remain a multi-gate track: W-1 ruling → W-3 design+author+CI (DB-isolated) →
  W-4 credential/signing → W-5 prod CUT command-review + separate prod-write approval.

3. Minimal unblock order (writer track) — fewest gates

W-1  GPT/User rule OD-W1..OD-W9 (this doc) — mapping + granularity + vocab + signing posture
W-2  (only if OD-W6 picks non-seeded vocab) separately gated dot_config seed (prod write)
W-3  design → author → CI → commit a DB-ISOLATED manifest→IU/unit_version writer + a
     scratch-schema birth-gate dry-run proving L1/L2 pass (mirror MARK/S2 lineage; feature
     branch only; no production)
W-4  cutter_exec/cutter_verify credential + production signing cycle build + GPT review
W-5  production CUT command-review + SEPARATE explicit production-DB-write approval +
     governed VERIFY plan for the birth-gated model
note: P-3 (first cut-plan dry-run execution command-review of the now-committed planner)
  is independent and can proceed in parallel; it never writes production.

doc 4 of 5. Design only. No production mutation. Self-advance PROHIBITED.