Lesson 198: WORM-Pinned Rehearsal Rollup Receipt Retention and Cold Retrieval Drill (2026)

Direct answer: Lesson 193 exports rehearsal_completion_v1.json. Lesson 198 pins each approved rollup to WORM storage, records an immutable rollup_receipt_archive_pointer, runs a 48-hour cold retrieval drill, and blocks publish when rollup_receipt_retrieval_failed. Mutable release-evidence/ folders alone failed spring 2026 partner spot checks.


Why this matters now (2026 partner immutability)

Spring 2026 audits asked: “Resend the October rehearsal_completion_v1.json exactly as submitted.” Teams that only kept a live Google Drive folder returned edited JSON (timestamp bumps, manual pass_bit fixes). Yellow flags followed—not because scores were wrong, but because immutability could not be proved.

Lesson 175 archives full governance packets; this lesson narrows to rollup receipts that feed Lessons 194–199 intake and attestation.

Lesson objectives

You will implement:

  • Table rollup_receipt_archive_pointer
  • Job pin_rehearsal_rollup_receipt_worm_v1
  • Drill script drill_rollup_cold_retrieval.sh
  • Export ROLLUP_RECEIPT_RETRIEVAL.json
  • Publish gate rollup_receipt_retrieval_failed

Prerequisites

  • Lesson 175 — WORM pointer pattern + cold URI discipline
  • Lesson 193 — rehearsal_completion_v1.json export
  • Lesson 197 — rollup_schema_semver on rollups
  • Lesson 176 — partner reply packets referencing archived tuple hashes

rollup_receipt_archive_pointer

CREATE TABLE rollup_receipt_archive_pointer (
  archive_id              TEXT PRIMARY KEY,
  cert_window_id          TEXT NOT NULL,
  rollup_schema_semver    TEXT NOT NULL,
  artifact_sha256         CHAR(64) NOT NULL,
  cold_storage_uri        TEXT NOT NULL,
  worm_lock_mode          TEXT NOT NULL CHECK (worm_lock_mode IN ('COMPLIANCE', 'GOVERNANCE')),
  pinned_at_utc           TIMESTAMPTZ NOT NULL,
  pinned_by               TEXT NOT NULL,
  source_export_path      TEXT NOT NULL,
  UNIQUE (cert_window_id, artifact_sha256)
);

Rule: one WORM object per approved rollup export per cert_window_id—no overwrite; new export → new archive_id.

WORM pin job

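import hashlib
import uuid
from datetime import datetime, timezone
from pathlib import Path

# upload_worm and insert_pointer are this lesson's storage and database helpers.
def pin_rehearsal_rollup_receipt_worm_v1(
    cert_window_id: str,
    local_path: Path,
    rollup_schema_semver: str,
    pinned_by: str,
) -> str:
    payload = local_path.read_bytes()
    digest = hashlib.sha256(payload).hexdigest()
    archive_id = str(uuid.uuid4())  # assumption: any unique ID scheme works here
    uri = upload_worm(
        key=f"rollup/{cert_window_id}/{digest}.json",
        body=payload,
        object_lock_mode="COMPLIANCE",
        retain_days=395,
    )
    # Fill every NOT NULL column of rollup_receipt_archive_pointer.
    insert_pointer(
        archive_id=archive_id,
        cert_window_id=cert_window_id,
        rollup_schema_semver=rollup_schema_semver,
        artifact_sha256=digest,
        cold_storage_uri=uri,
        worm_lock_mode="COMPLIANCE",
        pinned_at_utc=datetime.now(timezone.utc),
        pinned_by=pinned_by,
        source_export_path=str(local_path),
    )
    return archive_id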

Fail closed: if upload succeeds but pointer insert fails, delete orphan object via ops runbook—do not leave untracked WORM blobs.

48-hour cold retrieval drill

| Step | Owner | SLA |
|---|---|---|
| 1. Partner-style request ticket | governance_owner | T+0 |
| 2. Lookup pointer by cert_window_id | ops | 15 min |
| 3. Fetch WORM object | cold_storage_admin | 2 h |
| 4. Verify SHA-256 | ops | 15 min |
| 5. Re-parse with Lesson 197 contract | engineering | 30 min |
| 6. Attach to Lesson 176 reply template | partner_liaison | 4 h |

Drill pass: wall clock ≤ 48 h from ticket open to SHA-verified JSON attached to mock partner reply.

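#!/usr/bin/env bash
# drill_rollup_cold_retrieval.sh
set -euo pipefail
CERT_WINDOW_ID="$1"
# Bind the ID as a psql variable (read from stdin, not -c) so it is quoted rather than spliced into the SQL.
POINTER=$(psql -X -tA -v cert="$CERT_WINDOW_ID" <<<"SELECT cold_storage_uri, artifact_sha256 FROM rollup_receipt_archive_pointer WHERE cert_window_id = :'cert' ORDER BY pinned_at_utc DESC LIMIT 1")
IFS='|' read -r COLD_URI EXPECTED_SHA <<<"$POINTER"   # -tA separates columns with '|'
[ -n "$EXPECTED_SHA" ] || { echo "no pointer row for $CERT_WINDOW_ID" >&2; exit 1; }
OUT=$(mktemp)   # unpredictable temp file instead of a fixed /tmp path
fetch_worm_object "$COLD_URI" "$OUT"
test "$(sha256sum "$OUT" | awk '{print $1}')" = "$EXPECTED_SHA"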

Schedule quarterly; store logs beside Lesson 175 drill evidence.

ROLLUP_RECEIPT_RETRIEVAL.json

{
  "schema": "rollup_receipt_retrieval_v1",
  "cert_window_id": "q1_2027_meta_holiday",
  "drill_opened_at_utc": "2026-05-18T09:00:00Z",
  "drill_closed_at_utc": "2026-05-19T14:30:00Z",
  "wall_clock_hours": 29.5,
  "artifact_sha256": "abc123...",
  "cold_storage_uri": "s3://gov-rollup-worm/rollup/q1_2027_meta_holiday/abc123....json",
  "parser_contract_version": "rc_parser_v3",
  "rollup_schema_semver": "1.0.0",
  "sha256_verified": true,
  "parser_replay_ok": true,
  "pass": true
}

Pin under release-evidence/05-operations/worm-drills/rollup/.
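Drill steps 4 and 5 feed the fields of this export. The sketch below is an added example, not the lesson's own code: it hashes the fetched bytes, replays the parse only when the hash matches, and emits a rollup_receipt_retrieval_v1 record. The function name, the sample data, and the assumption that the rollup body carries its own rollup_schema_semver field are illustrative.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

SLA_HOURS = 48  # drill pass threshold stated in this lesson

def build_retrieval_receipt(pointer, fetched, opened_at, closed_at,
                            parser_contract_version):
    """Turn one drill run into a rollup_receipt_retrieval_v1 record."""
    digest = hashlib.sha256(fetched).hexdigest()
    sha_ok = hmac.compare_digest(digest, pointer["artifact_sha256"])
    replay_ok = False
    if sha_ok:  # never parse bytes that failed the hash check
        try:
            doc = json.loads(fetched)
            # Stand-in for the Lesson 197 contract (assumption): the rollup
            # body carries its own rollup_schema_semver field.
            replay_ok = (isinstance(doc, dict) and
                         doc.get("rollup_schema_semver") == pointer["rollup_schema_semver"])
        except ValueError:  # malformed JSON or invalid UTF-8
            replay_ok = False
    hours = round((closed_at - opened_at).total_seconds() / 3600, 2)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "schema": "rollup_receipt_retrieval_v1",
        "cert_window_id": pointer["cert_window_id"],
        "drill_opened_at_utc": opened_at.strftime(fmt),
        "drill_closed_at_utc": closed_at.strftime(fmt),
        "wall_clock_hours": hours,
        "artifact_sha256": pointer["artifact_sha256"],  # expected hash from the pointer row
        "cold_storage_uri": pointer["cold_storage_uri"],
        "parser_contract_version": parser_contract_version,
        "rollup_schema_semver": pointer["rollup_schema_semver"],
        "sha256_verified": sha_ok,
        "parser_replay_ok": replay_ok,
        "pass": sha_ok and replay_ok and 0 <= hours <= SLA_HOURS,
    }

# Constructed sample data (not real drill output).
SAMPLE_BODY = b'{"rollup_schema_semver": "1.0.0", "pass_bit": 1}'
SAMPLE_POINTER = {
    "cert_window_id": "q1_2027_meta_holiday",
    "rollup_schema_semver": "1.0.0",
    "artifact_sha256": hashlib.sha256(SAMPLE_BODY).hexdigest(),
    "cold_storage_uri": "s3://example-bucket/rollup/sample.json",
}
```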

Publish gate rollup_receipt_retrieval_failed

def validate_rollup_worm_drill(cert_window_id: str) -> None:
    last = fetch_latest_drill(cert_window_id)
    # "pass" is a Python keyword, so read the drill record by key, not attribute.
    if not last or not last["pass"] or last["wall_clock_hours"] > 48:
        open_gate(
            "rollup_receipt_retrieval_failed",
            block_reason="missing or failed 48h rollup WORM drill",
            remediation="Run drill_rollup_cold_retrieval.sh; export ROLLUP_RECEIPT_RETRIEVAL.json",
        )
        raise PublishBlocked("rollup_receipt_retrieval_failed")

Require drill pass within 90 days before Q1 2027 intake promotion (pairs Lesson 199).
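The 90-day freshness rule and the stale/missing fixtures from the checklist can be checked in one pure function. This is an added example, not the lesson's gate code: the function and constant names are hypothetical, and it recomputes the duration from the timestamps rather than trusting the wall_clock_hours field.

```python
from datetime import datetime, timedelta, timezone

MAX_WALL_CLOCK_HOURS = 48   # drill SLA from this lesson
MAX_DRILL_AGE_DAYS = 90     # freshness window before intake promotion

def _utc(ts):
    # Parse the "...Z" timestamps used in ROLLUP_RECEIPT_RETRIEVAL.json.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def drill_block_reasons(receipt, cert_window_id, now):
    """Return every reason to open the gate; an empty list means no block."""
    if not receipt:
        return ["no drill receipt on file"]
    reasons = []
    if receipt.get("schema") != "rollup_receipt_retrieval_v1":
        reasons.append("unexpected receipt schema")
    if receipt.get("cert_window_id") != cert_window_id:
        reasons.append("receipt is for a different cert_window_id")
    for flag in ("sha256_verified", "parser_replay_ok", "pass"):
        if receipt.get(flag) is not True:  # strict: "true" or 1 do not count
            reasons.append(f"{flag} is not true")
    try:
        opened = _utc(receipt["drill_opened_at_utc"])
        closed = _utc(receipt["drill_closed_at_utc"])
    except (KeyError, TypeError, ValueError):
        return reasons + ["drill timestamps missing or malformed"]
    # Recompute the duration instead of trusting the wall_clock_hours field.
    hours = (closed - opened).total_seconds() / 3600
    if hours < 0 or hours > MAX_WALL_CLOCK_HOURS:
        reasons.append(f"wall clock {hours:.1f} h outside 0-{MAX_WALL_CLOCK_HOURS} h")
    if closed > now or now - closed > timedelta(days=MAX_DRILL_AGE_DAYS):
        reasons.append("drill is stale or dated in the future")
    return reasons

# Constructed fixture mirroring the sample export above (hash elided as on the page).
SAMPLE_RECEIPT = {
    "schema": "rollup_receipt_retrieval_v1",
    "cert_window_id": "q1_2027_meta_holiday",
    "drill_opened_at_utc": "2026-05-18T09:00:00Z",
    "drill_closed_at_utc": "2026-05-19T14:30:00Z",
    "wall_clock_hours": 29.5,
    "sha256_verified": True,
    "parser_replay_ok": True,
    "pass": True,
}
```

A caller would open rollup_receipt_retrieval_failed whenever the returned list is non-empty and log the reasons with the gate.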

Procedure checklist

  • [ ] Every approved rehearsal_completion_v1.json pinned after Lesson 193 export
  • [ ] Pointer row SHA matches WORM object
  • [ ] Quarterly drill logged with pass: true and wall clock ≤ 48h
  • [ ] ROLLUP_RECEIPT_RETRIEVAL.json in evidence folder
  • [ ] Lesson 194 intake folder references pointer archive_id, not mutable path
  • [ ] Gate tested with stale/missing drill fixture

Troubleshooting

| Symptom | Fix |
|---|---|
| SHA mismatch on fetch | Wrong object version—WORM lock prevented overwrite; find correct archive_id |
| Parser replay fail | Rollup semver drift—use Lesson 197 contract pinned at archive time |
| Drill > 48h | Escalate cold-storage admin SLA; do not waive gate for intake |
| Mutable folder “backup” | Disable writes to release-evidence/ after pin—WORM is source of truth |

Mini exercise (35 minutes)

  1. Export sample rollup from Lesson 193 staging.
  2. Run pin_rehearsal_rollup_receipt_worm_v1.
  3. Open mock partner ticket; run drill script.
  4. Verify SHA + parser replay.
  5. Write ROLLUP_RECEIPT_RETRIEVAL.json with pass: true.

Continuity

  • Lesson 175 — generic packet WORM pattern.
  • Lesson 193 — rollup source.
  • Lesson 176 — partner replies citing archived hashes.
  • Next: Lesson 199 — INTAKE_READINESS_ATTESTATION.json capstone.

FAQ

Does WORM replace git tags?
No—git tracks code; WORM proves submitted rollup bytes immutable.

Can we pin partner letters (Lesson 195)?
Optional separate pointer table; this lesson is JSON rollup only.

What retention days?
Example 395 days—align with partner contract; document in pointer row metadata extension.

How does Lesson 199 use this?
Attestation requires green ROLLUP_RECEIPT_RETRIEVAL.json among Lessons 194–198 receipts.


Spring 2026 taught partners to distrust mutable folders—WORM-pinned rollup receipts plus a 48-hour drill prove you can resend the exact JSON they audited.