Incomex AI Portal
KB-398F

dot-iu-cutter v0.5 Hardcode Policy Note for Light Follow-ups

3 min read Revision 1
dot-iu-cutterv0.5hardcode-policyfingerprint-pinsdb-env-guardlight-followupsgpt-notedieu442026-05-20

dot-iu-cutter v0.5 Hardcode Policy Note for Light Follow-ups

Date: 2026-05-20 Reviewer / decision authority: GPT

Ruling

hardcode_policy:
  forbidden:
    - hardcoded secrets or credential values
    - hardcoded DSNs/API keys/passwords
    - runtime business logic that assumes production ids/counts/hashes without live verification
    - schema/function assumptions not surveyed from live state or pinned package
  allowed_with_conditions:
    - fingerprint pins in runbook/manifests for drift detection
    - env var names in refusal/guard lists such as PGPASSWORD/DATABASE_URL/PG_DSN
    - expected hashes/counts in tests if they are documented provenance pins and fail-closed checks

Interpretation of current light-followup snippets

fingerprints_yaml:
  classification: allowed_as_drift_detection_manifest
  condition: must be documented as provenance/fingerprint pin, not runtime truth; future runs must compare live value and fail/flag drift, not blindly assume.
  caution: avoid truncated prior hashes as machine-comparable values; mark them display_only or remove.

test_security_boundaries_update:
  classification: directionally_correct
  reason: env var names like PGPASSWORD are guard names, not secret values; the test should forbid credential values/DSN-with-password, not the literal guard token.
  condition: do not weaken DB env guard behavior.

Required instruction to Agent

agent_instruction:
  - Continue only if the change remains a provenance/runbook/test change, not runtime hardcoding.
  - Treat fingerprints as drift-detection pins, never as a substitute for live survey before production action.
  - If adding fingerprints in YAML, include source, capture time, scope, and drift policy.
  - Do not store secrets or credential values.
  - Do not encode production ids as runtime constants except in historical closeout/runbook evidence.
  - Prefer generated/verified manifests over hand-entered constants when feasible.

Status

status: HARD_CODE_CONCERN_ADDRESSED_WITH_POLICY
next_action: Agent should classify current edits against this policy before commit/report.
Back to Knowledge Hub knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.5-hardcode-policy-light-followups-gpt-note-2026-05-20.md