KB-6E89

dot-iu-cutter v0.5 — W-4 · Verification, Rollback & Precheck Plan for the future Production CUT (doc 5)


dot-iu-cutter v0.5 — W-4 · Verification / Rollback / Precheck Plan (future Production CUT)

doc 5 of 6 · 2026-05-19 · DESIGNED, not executed. Applies only at the gated W-5 production CUT, after GAP-C1..C5 are ruled + a separate sovereign production-write approval.

1. Prechecks — fail-closed (ALL must PASS before any production write)

PC-0 sovereign production-write approval doc present (KB id) + GAP-C1..C5 ruled CLOSED.
PC-1 repo: branch feature/constitution-snapshot-mark-dryrun ∧ the ratified prod-writer
     commit HEAD ∧ git status clean ∧ cutwrite.py sha 31ce88dc… (writer logic unchanged).
PC-2 input identity: manifest file sha 7d56f3ce… ∧ digest 9d908a62… ∧ candidate_count 60
     ∧ source_document_version_id icxconst-008a06… ∧ region sha 17660443… ; recompute,
     mismatch ⇒ ABORT.
PC-3 writer determinism: writer_digest == d99a31d4a4be907c510ae15965e9f7bb3387e9e28676e9f32adf463828b1aa28.
PC-4 LIVE drift re-verify (read-only, same session as the write, immediately before txn):
     information_unit 19 cols ∧ unit_version 16 cols ∧ 4 constraints ∧
     md5(fn_iu_birth_gate_layer1)=f38c94d0043a61507a8c2e85afd59998 ∧
     md5(fn_iu_birth_gate_layer2)=078ba0051ce4d894cabcc0102c4320f8 ∧ vocab 6/6 ; any
     mismatch ⇒ ABORT (no writes).
PC-5 G-CUT-ONCE pre-existence: SELECT count(*) FROM public.information_unit WHERE
     canonical_address LIKE 'ICX-CONST%' == 0 (and no cut_change_set for digest 9d908a62…).
     Non-zero ⇒ treat as already-applied ⇒ NO-OP, never re-insert.
PC-6 principal: post-connect SELECT current_user == 'cutter_exec' (DOT-991 lane);
     cutter_ro/workflow_admin/directus/postgres ⇒ ABORT. Grants verified present on the
     ruled target (GAP-C1 closed).
PC-7 FRESH BACKUP (see §2) taken ≤ 60 min before, verified restorable; absent/stale ⇒ ABORT.
PC-8 no DB env leakage / no secret in argv or logs; secret only from approved .env.
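The fail-closed chain above, as an added example (not the project's cutwrite.py): each check runs in page order and the first failure ends the run with ABORT, or NO-OP for PC-5, so no write is reachable. The manifest, the pinned values and the `live` dict standing in for the read-only queries are all constructed here.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample manifest, NOT the ratified one: 3 candidates instead of 60.
SAMPLE_MANIFEST = json.dumps(
    {"candidates": ["ICX-CONST-1", "ICX-CONST-2", "ICX-CONST-3"]}
).encode()


@dataclass(frozen=True)
class Pinned:
    """Values pinned in the approval doc and recomputed at CUT time (PC-2/PC-6)."""
    manifest_sha: str
    candidate_count: int
    principal: str  # required DB principal, cutter_exec on the DOT-991 lane


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_prechecks(manifest_bytes: bytes, pinned: Pinned, live: dict):
    """Fail-closed chain in page order. `live` stands in for the read-only
    queries (assumption: a dict, not a DB cursor). Returns (verdict, log) where
    verdict is PROCEED, ABORT, or NO-OP (PC-5 non-zero means already applied)."""
    log = []
    # (name, predicate, verdict on failure)
    checks = [
        ("PC-2 manifest sha", lambda: sha256_hex(manifest_bytes) == pinned.manifest_sha, "ABORT"),
        ("PC-2 candidate_count",
         lambda: len(json.loads(manifest_bytes)["candidates"]) == pinned.candidate_count, "ABORT"),
        ("PC-5 ICX-CONST pre-existence", lambda: live["icx_const_rows"] == 0, "NO-OP"),
        ("PC-6 principal", lambda: live["current_user"] == pinned.principal, "ABORT"),
        ("PC-7 backup gate",
         lambda: live["backup_age_min"] <= 60 and live["backup_restorable"], "ABORT"),
    ]
    for name, predicate, on_fail in checks:
        if not predicate():
            log.append(f"{name}: FAIL -> {on_fail}")
            return on_fail, log  # stop at the first failure; nothing is written
        log.append(f"{name}: PASS")
    return "PROCEED", log


def good_live() -> dict:
    """Constructed read-only query results for a clean precheck run."""
    return {"icx_const_rows": 0, "current_user": "cutter_exec",
            "backup_age_min": 12, "backup_restorable": True}
```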

2. Backup requirement (mandatory, mirrors v0.4 C_01 discipline)

scope: a fresh logical backup of public.information_unit + public.unit_version (+ the
  governed-ledger tables once GAP-C2 is located) of the directus DB, taken read-only by an
  authorized operator BEFORE the write, age ≤ 60 min, restorability verified, checksum
  recorded in the execution log. The CUT must ABORT if the backup gate is not clean.

3. Verification after production CUT (VW-1..VW-10; cutter_verify / DOT-992, SoD)

VW-1 cardinality: exactly 60 information_unit + 60 unit_version for digest 9d908a62…
VW-2 no excluded: 0 IU for Điều 44 / draft / obsolete (DIEU-44 absent).
VW-3 provenance: 100% IU identity_profile.provenance + unit_version.content_profile bind
     icxconst-008a06… + manifest 9d908a62… + region 17660443… + span_sha256.
VW-4 address: every canonical_address ∈ the ratified 60, VERBATIM, UNIQUE.
VW-5 content fidelity: sha256(unit_version.body) == span_sha256 (==content_hash) ∀ 60.
VW-6 coverage parity: created set ≡ cut-plan candidates; levels NT15/KT3/DIEU42.
VW-7 birth-gate: every IU passed L1+L2; version_anchor_ref/content_anchor_ref consistent.
VW-8 hierarchy: parent_or_container_ref per OD-W3 (flat ⇒ all top-level NULL; count 60).
VW-9 ledger/signature: 1 cut_change_set (content_hash == digest) + a DOT-991 executor
     dot_pair_signature (cross-ref change_set_id only, NOT verify_result_id; signer_dot_id
     DOT-991) + decision_backlog_history transition; lane-overlap invariants hold.
VW-10 idempotency/determinism: re-run of the same digest ⇒ NO new rows (G-CUT-ONCE);
     writer_digest stable d99a31d4….
verdict: VERIFIED_COMPLETE iff VW-1..VW-10 all PASS, run by cutter_verify/DOT-992 (never
  the executor). Any fail ⇒ VERIFY_FAILED_ESCALATED ⇒ STOP + forward-compensation (§4).
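The verifier side of VW-1, VW-4, VW-5 and VW-8, as an added example (not the project's cutter_verify code): it runs over rows the verifier would SELECT after the CUT and collapses the outcome into the two verdicts above. The ratified address list (3 entries instead of 60) and the row dicts are constructed; the real checks would read the tables directly.

```python
import hashlib

# Constructed stand-in for the ratified address list (assumption: 3, not 60).
RATIFIED = ("ICX-CONST-1", "ICX-CONST-2", "ICX-CONST-3")


def make_rows(bodies):
    """Build matched information_unit / unit_version rows whose span_sha256 is honest."""
    ius, uvs = [], []
    for addr, body in zip(RATIFIED, bodies):
        h = hashlib.sha256(body.encode()).hexdigest()
        ius.append({"canonical_address": addr, "parent_or_container_ref": None, "span_sha256": h})
        uvs.append({"canonical_address": addr, "body": body, "content_hash": h})
    return ius, uvs


def verify_cut(ius, uvs, expected=len(RATIFIED)):
    """VW-1/4/5/8 over the selected rows; returns (verdict, failed_checks)."""
    failed = []
    # VW-1 cardinality: exactly `expected` rows in each table
    if not (len(ius) == expected and len(uvs) == expected):
        failed.append("VW-1 cardinality")
    # VW-4 address: every canonical_address in the ratified set, verbatim and unique
    addrs = [r["canonical_address"] for r in ius]
    if set(addrs) != set(RATIFIED) or len(addrs) != len(set(addrs)):
        failed.append("VW-4 address")
    # VW-5 content fidelity: sha256(body) == span_sha256 == content_hash for every version
    by_addr = {r["canonical_address"]: r for r in ius}
    for v in uvs:
        iu = by_addr.get(v["canonical_address"])
        h = hashlib.sha256(v["body"].encode()).hexdigest()
        if iu is None or h != iu["span_sha256"] or h != v["content_hash"]:
            failed.append(f"VW-5 content fidelity {v['canonical_address']}")
    # VW-8 hierarchy: flat cut, so every top-level parent_or_container_ref is NULL
    if any(r["parent_or_container_ref"] is not None for r in ius):
        failed.append("VW-8 hierarchy")
    verdict = "VERIFIED_COMPLETE" if not failed else "VERIFY_FAILED_ESCALATED"
    return verdict, failed
```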

4. Rollback / compensation doctrine

in-txn failure (L1/L2 raise, drift, principal/grant fail): single atomic txn ABORT ⇒
  zero rows (no partial cut, no orphan unit_version). Restore not needed.
post-commit fault: FORWARD-COMPENSATION ONLY (cutter_verify/DOT-992): superseding
  unit_version (version_seq+1) and/or lifecycle_status change + governed escalation
  record; NEVER physical DELETE/TRUNCATE of information_unit/unit_version. Backup (§2) is
  the last-resort operator-restore path, not an app DELETE.
G-CUT-ONCE: a retry of the same manifest digest after a rolled-back txn is a no-op.
source/snapshot immutable & pinned (9d908a62… / 17660443…); "restore" = re-derive from
  the pinned manifest, never hand-edit rows.

5. STOP conditions (any ⇒ STOP, preserve evidence, route GPT/User)

- any GAP-C1..C5 unresolved ; no sovereign production-write approval
- manifest/region/writer-digest mismatch ; live drift (L1/L2 md5, cols, constraints, vocab)
- ICX-CONST pre-existence != 0 (already applied) ; principal != cutter_exec ; grant missing
- backup gate not clean ; any secret-logging risk
- any DELETE/TRUNCATE attempt ; lane-overlap (DOT-991/992) reference mismatch
- any request to deploy/restart/merge/push/tag or to self-advance to production execution

doc 5 of 6. Design only. No production mutation. Self-advance PROHIBITED.
