<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

FIX7 P0 — Implementation Rollback / Recovery Design (2026-06-11)

• Authority: PLANNING_NON_AUTHORITY. Rollback design only. rollback_proof_status = NOT_YET_PROVEN — no rollback has been executed or proven, because no implementation/dry-run has run.
• Machine form: fix7-p0-implementation-rollback-recovery-design-2026-06-11.json (byte-identical to the packet's rollback-recovery-design.json).

Rule

No mutation may apply until its rollback path is VERIFIED before apply (operating-skill "2 khóa"). Rollback proof is produced by a future dry-run/execution — never claimed in advance. The validator fails closed on any rollback_proof_status=PROVEN in this packet.

Snapshot requirements

• KB doc revisions captured (canonicalizer rev3 @ pinned revision; operative blueprint pre-state = absent).
• registry JSON rev + 00-index rev captured before any fold.
• any future production surface: full PG/Directus snapshot before any apply (separate authorization required).

Rollback entries

id	surface	restore path	verify after rollback	approves
RB-2	operative blueprint doc (new)	unpublish / supersede (additive, no prod state)	doc absent/superseded; no references	owner/operator
RB-3	canonicalizer operative-status marker	revert marker; body → 38756 B / 49c386a9…b734d0	P7 verify_pin PASS on body	owner/operator
RB-4	governance addendum / registry fold	delete addendum / restore prior registry JSON+MD revision	registry rev == pre-fold; no orphan	owner/GPT
RB-PROD	any production surface	snapshot/restore (TBD by scoping)	prod state byte/row-identical to snapshot	owner/operator + separate prod auth

Recovery / failure handling

If a body revert leaves hash ≠ 49c386a9…b734d0 → TRUE_BLOCKER, halt, restore from snapshot revision. If a fold partially applied → restore both registry JSON and MD atomically. Production rollback failures → halt; no further apply until restore verified.