KB-1C0E
05 - Risk, Rollback & Disable Plan
6 min read Revision 1
dot-iu-cutterv0.6O5riskrollback
05 - Risk, Rollback & Disable Plan
O5 Release / Live-Production Planning · doc 5 of 6 · 2026-05-21 Risk register + rollback/disable procedures for O6 → O8.
1. Risk register
| ID | Risk | Phase exposed | Likelihood | Impact | Mitigation |
|---|---|---|---|---|---|
| R-1 | v0.6 deploy overwrites/breaks the v0.4 tree on Contabo | O6 | low | medium | pre-state sha256 anchor + timestamped artifact dir + dot repo commit = git revert-able |
| R-2 | Deployed runtime differs from dev host (Python, env, DB reach) | O7 | medium | medium | O7 post-deploy live dry-run is the dedicated detector; STOP on any divergence |
| R-3 | Accidental execution_enabled=True slips in with the deploy |
O6/O7 | low | critical | post-deploy assertion explicitly checks execution_enabled=False; static scan for __execution_enabled__ = True; Mode.LIVE refusal test |
| R-4 | Secret value leaks into repo / KB / sidecar / logs | O6+ | low | high | hardcode policy: names-only in guards; kb_reporter strips secrets; logger redacts; deploy tree carries no .env |
| R-5 | Grant matrix drifted since O4 (45d25e38…) |
O7+ | low | medium | O7 re-computes grant-matrix sha and compares to the O4 pin |
| R-6 | Production drift between O4 survey and a future live run | O7/O8 | medium | medium | every phase re-reads live drift before acting; STOP_DRIFT on mismatch |
| R-7 | BACKUP_GPG_FPR missing when pre_write_backup runs |
O8 | medium | high | GAP-3 must be CLOSED before O8; phase 4 fails closed (STOP on missing public key) if not |
| R-8 | First live cut mutates the wrong / a critical document | O8 | low | critical | OPT-5 policy: target must be small, new, non-Constitution, non-signature-critical; SG_1 binds (gate, run_id, payload_sha) |
| R-9 | Partial live write then failure (torn cut) | O8 | low | high | one atomic transaction per phase; 3-layer idempotency; GPG backup; void + rollback runbook |
| R-10 | KB upload fails mid-run → run not auditable | O6–O8 | low | medium | KB upload is a green-light gate; kb_reporter retries 3× exp-backoff; STOP if it still fails |
| R-11 | Real-crypto expectation creep into O6/O7/O8 | O6–O8 | low | medium | StubSigning is the ratified v0.6 provider (design DQ_2); real crypto is O10, explicitly out of scope |
| R-12 | Repo HEAD on dev Mac drifted from KB SSOT 6625f76 |
O6 | low | medium | O6 step 1 re-confirms dev HEAD before tagging/deploy; mismatch ⇒ STOP |
2. Disable plan — how to stop, fastest-first
level_0_kill_switch: # the primary control
action: orchestrator.__execution_enabled__ = False
effect: Mode.LIVE structurally refused; no phase can run live
scope: whole orchestrator
cost: single line; instant; no DB touch
state: currently False (default, safe)
level_1_withhold_approval: # per-run control
action: do not issue / revoke SG_1 or SG_2 approval doc
effect: `--mode live` refuses with non-zero exit at the sovereign gate
scope: one run
level_2_void_run: # mid-run / post-run cleanup
action: `cutter orchestrate void --run-id <id> --reason-kb-id <path>`
effect: clears idempotency keys safely so the run cannot silently resume
scope: one run
level_3_no_deploy: # pre-deploy control
action: do not execute the O6 deploy package
effect: v0.6 never reaches Contabo; v0.4 skeleton stays
scope: whole programme
3. Rollback procedures by macro
O6 — deploy rollback
trigger: post-deploy assertion fails, or deploy must be undone
steps:
- the deploy is a commit in /opt/incomex/dot → `git revert` / restore
the prior iu-cutter tree from the timestamped pre-state artifact
- no service to restart; no DB change to undo
- verify __version__ back to 0.4.0-dryrun-skeleton
risk: low — code-only, fully reversible
O7 — dry-run rollback
trigger: live dry-run reveals a defect
steps:
- none required — O7 is read-only (Mode.DRYRUN + context_pack_readonly +
BEGIN READ ONLY/ROLLBACK); nothing was mutated
- STOP, route the defect to GPT, do not advance
risk: none — read-only by construction
O8 — live-cut rollback (deferred macro; plan only)
trigger: a live cut produced a wrong/partial result
steps:
1. set execution_enabled=False immediately (level_0)
2. `cutter orchestrate void` the run
3. locate the per-document GPG-encrypted narrow pg_dump (sha-pinned,
written by pre_write_backup) — NEVER auto-restored
4. emergency revert is a SEPARATE sovereign macro using
sql/lifecycle/rollback_runbook.sql (must be deployed — GAP-6)
5. re-survey production counts read-only to confirm the revert
preconditions for this to be usable:
- GAP-3 (GPG key) and GAP-6 (runbook deployed + revert dry-run-tested)
MUST be closed before O8 is allowed to start
4. Pre-flight invariants every future macro must assert
before_any_macro:
- KB read + upload reachable
- dev/Contabo repo HEAD matches the KB SSOT pin
- working tree clean
- execution_enabled == False (until the dedicated O8 flip)
- Mode.LIVE refusal test passes
- tests 366/366 (or current baseline) PASS
- no hardcoded secret / runtime ID in the diff (static scan)
on_any_mismatch: STOP → route to GPT → do not self-advance
5. Residual risk after O5
residual:
- O5 is planning only: it changes no code, no config, no runtime →
residual operational risk introduced by O5 itself = NONE
- the KB now holds one probe doc + 6 O5 reports (additive, reversible)
carried_forward:
- GAP-1..8 (see doc 02 §6) remain open and are scheduled into O6/O7/O8
6. Result
G5_risk_rollback_disable: PASS
disable_levels: 4 (kill-switch / withhold-approval / void / no-deploy)
rollback_defined_for: O6 (code revert), O7 (n/a read-only), O8 (backup+runbook)
blocking_preconditions_for_O8: GAP-3 and GAP-6 must be CLOSED