dot-iu-cutter v0.5 First Controlled CUT BLOCKED — GPT Ruling and Execution Approval

Date: 2026-05-20 Reviewer / decision authority: GPT Reviewed report: knowledge/dev/laws/dieu44-trien-khai/v0.5-first-controlled-cut-production-execution/

Verdict

previous_execution_attempt: BLOCKED_BEFORE_CUT_CORRECTLY
agent_behavior: PASS_CORRECT
production_mutation: NONE
G0_repo_KB_tests: PASS
G1_live_drift_precheck: PASS
next_execution_style: larger_macro_with_internal_gates

The Agent correctly stopped. The block was not a code or readiness defect; it was an execution-artifact/authority gap created by the approval package requiring four inputs that were not yet available.

Ruling on the 6 blockers

G2_backup:
  ruling: AUTHORIZE_AGENT_TO_CREATE_FRESH_BACKUP_IN_RUN
  note: backup sha256 is an output of the backup gate, not a pre-supplied input. If backup creation or validation fails, STOP before GRANT/CUT.

G3_fresh_backup_sha256:
  ruling: DERIVE_FROM_IN_RUN_BACKUP_GATE

G3_connection_provider_module:
  ruling: AUTHORIZE_AGENT_TO_AUTHOR_AND_INSTALL_PROVIDER_MODULE_IN_RUN_UNDER_GATES
  location: /opt/incomex/dot/specs/
  requirement: minimal, reviewed-by-construction, sha256 recorded, no secrets in KB/logs, must fail closed, must be verified before CUT.

G3_sovereign_production_write_approval_id:
  ruling: THIS_DOCUMENT_IS_THE_APPROVAL_ID
  kb_id: knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.5-first-controlled-cut-production-execution-blocked-gpt-ruling-and-execution-approval-2026-05-20.md

G3_grant_execution_approval_id:
  ruling: THIS_DOCUMENT_IS_THE_APPROVAL_ID
  kb_id: knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.5-first-controlled-cut-production-execution-blocked-gpt-ruling-and-execution-approval-2026-05-20.md

G4_GRANT_write_path:
  ruling: AUTHORIZE_AGENT_TO_USE_SSH_VPS_POSTGRES_CHANNEL_AS_DIRECTUS_FOR_THE_APPROVED_GRANT_ONLY
  note: if Agent lacks SSH/write path in the session, STOP. Do not attempt via read-only MCP query_pg.

Approved production actions for next run

approved_if_and_only_if_all_prechecks_pass:
  - create and verify fresh backup
  - author/install minimal connection-provider module
  - execute scoped GRANT as directus using approved SQL only
  - verify GRANT exactly
  - execute production leg-A CUT as cutter_exec using f20c79c R1 command only
  - run immediate structural post-CUT checks
  - upload reports

This approval does not authorize VERIFY execution, post-CUT governed recording, deploy, merge, push, schema mutation, source mutation, or any SQL outside the approved GRANT and leg-A CUT.

Required hard gates

hard_gates:
  - KB read/upload must work
  - repo HEAD f20c79c and clean tree
  - targeted tests pass or exact justified rerun set passes
  - live drift precheck must still match pins
  - ICX-CONST existing rows must be 0 before CUT
  - backup must be created and sha256 validated before GRANT/CUT
  - provider module sha256 must be recorded and must not leak secrets
  - GRANT SQL must match approved package exactly
  - CUT command must use production-leg-a-only mode with this approval KB id
  - if any gate fails, STOP before the next mutation

Final status

status: BLOCKERS_RESOLVED_BY_RULING__READY_TO_RERUN_GRANT_PLUS_LEG_A_CUT_MACRO
next_action: rerun_first_controlled_cut_execution_with_in_run_backup_provider_grant_cut_gates