After a power loss + reboot, COMENZI was queryable but not yet recovered;
phase 4b-3 read it as empty and sticky-marked 3794 live orders DELETED_IN_ROA
(nulling id_comanda). check_orders_exist also swallowed Oracle errors and
returned a partial set, which callers misread as deletions.
- check_orders_exist now re-raises on Oracle error instead of returning partial
- new invoice_service.deletions_or_guard() raises MassDeletionGuard when the
would-delete fraction is implausibly high (>30% of >=25 imported orders)
- both deletion sites (auto sync + manual refresh) skip + log on guard trip

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
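As an added illustration of the fix described above (not the project's own code), the guard and the re-raising existence check in Python. The thresholds (>30% of >=25 imported orders) and the names `deletions_or_guard` / `MassDeletionGuard` come from the message; the `query` callable, chunking, and `sync_deletions` wrapper are assumptions.

```python
import logging

log = logging.getLogger(__name__)

MIN_IMPORTED = 25           # guard only applies once enough orders were imported
MAX_DELETE_FRACTION = 0.30  # a larger share "vanishing" at once is implausible


class MassDeletionGuard(Exception):
    """Raised when a sync would delete an implausibly large share of orders."""


def check_orders_exist(query, ids, chunk_size=1000):
    """Return the subset of `ids` present in the orders table.

    `query(chunk)` is an assumed callable returning the ids in `chunk` that
    exist. Database errors propagate: a partial set returned after a swallowed
    error is indistinguishable from real deletions to the caller.
    """
    ids = list(ids)
    found = set()
    for i in range(0, len(ids), chunk_size):
        found.update(query(ids[i:i + chunk_size]))  # deliberately no try/except
    return found


def deletions_or_guard(imported_ids, existing_ids):
    """Return ids to mark deleted, or raise if the fraction is implausible."""
    imported = set(imported_ids)
    would_delete = imported - set(existing_ids)
    n = len(imported)
    if n >= MIN_IMPORTED and len(would_delete) > MAX_DELETE_FRACTION * n:
        raise MassDeletionGuard(
            f"{len(would_delete)}/{n} imported orders missing; refusing to mark")
    return would_delete


def sync_deletions(query, imported_ids):
    """Deletion site: skip the pass and log when the guard trips."""
    existing = check_orders_exist(query, imported_ids)
    try:
        to_delete = deletions_or_guard(imported_ids, existing)
    except MassDeletionGuard as exc:
        log.warning("skipping deletion pass: %s", exc)
        return set()
    return to_delete
```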