KB-7057
O8F implement F2/F3/GAP6 deploy+proof — 05-gap6-compensation-helper-result
Revision 1
dieu44iu-cutterv0.6o8fgap6compensationrevert
O8F Report 05 — GAP6 compensation helper result (G4)
- macro: v0.6-o8f-implement-f2-f3-gap6-deploy-proof
- date_utc: 2026-05-21
- gate: G4 — implement GAP6
- result: G4 PASS — GAP6 CLOSED
1. New module — cutter_agent/orchestrator/compensation.py
Non-mutating by construction: no DB connection, no SQL execution, no destructive action. It plans and emits SQL text.
plan_compensation(failed_phase, lifecycle_enact_committed=False):
-> CompensationPlan(committed_phases, ordered steps, hold_required).
Maps the mutating-phase order (pre_write_backup -> cut_leg_a ->
leg_b_record -> write_verify -> lifecycle_enact) onto per-failure
compensation per O8E Report 04: backup-discard / draft-IU revert /
governance-ledger compensation / sovereign escalation.
build_compensating_review_decision(...):
Compensation B — builds (NOT executes) a sovereign-signed compensating
review_decision row (verdict='revert', governance_event_kind=
'cut_reverted') cross-referencing the original via
prior_review_decision_id. APPEND-ONLY — deletes_rows=False; the governance
ledger is never mutated, only extended.
draft_iu_soft_revert_plan(change_set_id, soft_revert_status='superseded'):
Compensation A — returns SQL TEXT only: an enacted-row guard, the DEFAULT
soft-revert UPDATE (rows + audit lineage preserved), and a hard-delete
escalation block. hard_delete_is_default=False — hard delete is a
separate sovereign-only, draft-only, guard-gated escalation.
pre_run_snapshot_queries(): read-only count SQL for the before-run baseline.
compose_hold_state(run_id, reason): the disable/HOLD bundle (kill-switch
re-arm, STOPPED state, HOLD lock, post.json, route to sovereign).
2. Per-failure compensation matrix (from plan_compensation)
| Failed phase | Committed phases | Steps |
|---|---|---|
| pre_write_backup | none | NONE — failing txn rolled back; re-run clean |
| cut_leg_a | backup | discard backup artifact (non-mutating) |
| leg_b_record | backup, cut_leg_a | discard + enacted guard + soft-revert (sovereign) |
| write_verify | + leg_b_record | + governance-ledger compensation (Compensation B) |
| lifecycle_enact (rolled back) | + write_verify | as write_verify + 2× ledger compensation |
| lifecycle_enact (committed) | all | run succeeded — no compensation |
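The matrix above can be derived from the phase order alone: each phase that committed before the failure contributes its own compensation steps. The following is an added sketch, not the project's compensation.py; the step-kind names, `STEPS_AFTER_COMMIT` and the `hold_required` rule are assumptions, and "2× ledger compensation" is read as two ledger steps in total, which reproduces the 1/3/4/5 step counts reported in section 4.

```python
from dataclasses import dataclass

# Mutating-phase order as listed on this page.
PHASES = ("pre_write_backup", "cut_leg_a", "leg_b_record",
          "write_verify", "lifecycle_enact")

# Steps that become necessary once a given phase has committed.
# Step-kind names are hypothetical labels for the matrix entries.
STEPS_AFTER_COMMIT = {
    "pre_write_backup": ["discard_backup"],
    "cut_leg_a": ["enacted_row_guard", "draft_iu_soft_revert"],
    "leg_b_record": ["ledger_compensation"],
    "write_verify": ["ledger_compensation"],
}


@dataclass(frozen=True)
class CompensationPlan:
    failed_phase: str
    committed_phases: tuple
    steps: tuple
    hold_required: bool
    hard_delete_default: bool = False  # hard delete is never planned by default


def plan_compensation(failed_phase, lifecycle_enact_committed=False):
    """Return a plan only; nothing is executed and no database is touched."""
    if failed_phase not in PHASES:
        raise ValueError(f"unknown phase: {failed_phase!r}")
    if failed_phase == "lifecycle_enact" and lifecycle_enact_committed:
        # Final phase committed: the run succeeded, nothing to compensate.
        return CompensationPlan(failed_phase, PHASES, (), False)
    # Everything before the failed phase committed; the failed phase itself
    # rolled back with its own transaction.
    committed = PHASES[:PHASES.index(failed_phase)]
    steps = tuple(s for p in committed for s in STEPS_AFTER_COMMIT[p])
    # Assumption: HOLD whenever any compensation step is pending.
    return CompensationPlan(failed_phase, committed, steps, bool(steps))
```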
3. Tests — tests/test_orchestrator_o8f_gap6_compensation.py (20 PASS)
plan cases: cut / governance / verify / lifecycle-rolled-back /
lifecycle-committed / backup — all assert correct
committed_phases + step kinds
hard delete: hard_delete_default is False for every failure phase
Compensation B: append-only revert row; single INSERT statement; no
DELETE/UPDATE/DROP; cross-references prior decision;
refuses empty ids
Compensation A: default = soft_revert (UPDATE, rows preserved);
enacted-row guard + sovereign required; hard-delete text
present but explicitly gated
snapshot + HOLD: snapshot queries all read-only; HOLD re-arms kill-switch
4. Non-mutating validation (VPS — PROOF-4)
pre_run_snapshot: public baseline read read-only -> 158 / 165 / 60 (match)
compensation plans: cut/leg_b/write_verify/lifecycle planned — step counts
1/3/4/5; hard_delete_default False for all four
db_write: NONE — read-only snapshot only
5. Verdict
gap6_status: CLOSED — non-mutating planner + Compensation A (soft-revert,
no hard-delete default) + Compensation B (append-only ledger
row builder) + snapshot + HOLD bundle, 20 tests, VPS
non-mutating validation. Executing a real compensation
remains a separately sovereign-gated action (by design).
g4: PASS