dot-iu-cutter v0.4 PG-backed Dry-run RERUN#2 — EXECUTION FAIL: dot_pair_signature_check XOR violation (accepted-code↔deployed-schema mismatch) (2026-05-17)
dot-iu-cutter v0.4 — PG-backed Dry-run RERUN#2 — EXECUTION FAIL
Date: 2026-05-17 · Verdict: honest FAIL (NOT PASS). · execution_status = FAIL:G_HARNESS_HAPPY
Authorized by: GPT (STOP=PASS/CORRECT; Finding 1 & 2 accepted; orchestrator patch allowed; iu-cutter code change & git commit forbidden; rerun authorized after remediation 1–4 PASS).
Accepted code commit: db4aa58b50a95a8df2655073effde3a0ed0eede6 (CUT/VERIFY UUID-safe DOT signing body fix).
Plan: command-review r1 · verification-plan r3 · rollback-plan r1 · risk-review r1.
1. Pre-run remediation (GPT-authorized steps 1–4) — all PASS
| Step | Action | Result |
|---|---|---|
| 1 | Shred stale prior prod dump $WD/prod-directus-20260517T112308Z.sql (exact path, no wildcard) |
ABSENT_OK; pre-shred sha e14089005192085b8766d64243e5e8de8fdb3897fc36059bb3517d04440dc3a3, 680066849 B |
| 2 | Patch gitignored orchestrator run_dryrun_v0_4.sh only: (a) ACCEPTED 6060e1a…688be → db4aa58…eede6; (b) teardown shreds current-run $DUMP (${DUMP:-}-guarded) on all exit paths |
applied; bash -n OK |
| 3 | SHA256 corrected orchestrator | pre 5e30e9ca552070e36b5094e38b0984ae1e01ee73b64da17e301dce9a331c5f78 → post d6478497901d5eed534a7b1204e9b09024250953fda4c8ac52191647a3ca0cb2 |
| 4 | Scope confirm | iu-cutter HEAD db4aa58…eede6, branch main, git status --short -- iu-cutter clean; orchestrator gitignored/untracked (no SSOT change, no commit); 3 protected envs snapshotted; prod sysid 7611578671664259111 / StartedAt 2026-04-17T05:35:18.48439927Z |
2. Run timeline (C-01 → C-13)
C-01 OK head=db4aa58…eede6
C-02 OK roles.sql sha=2a409696… harness sha=ddf14a94…
C-03 OK dump sha=0c2019417866c3ca5fb6f6ad90a2fe99d1166f5e11df40abe44e16b9ffa983d4 size=681098412 prod_sysid=7611578671664259111
C-04 OK no published host port (PortBindings={})
C-05 OK cg tables=12 views=12
C-06 OK matrix exec=18 verify=15 ro=12 ro_login=f
C-07 OK dr_sysid=7640834717320212523 != prod 7611578671664259111
C-08 OK harness sha verified=ddf14a94…
C-10a harness happy -> GATE FAIL G_HARNESS_HAPPY
C-13 teardown (exact-name only); STOP (honest FAIL, DR env torn down only)
3. Failure — accepted-code ↔ deployed-schema contract mismatch (NOT a harness false-negative)
harness_happy.out: failures=['S7_VERIFY']. Scenario progression: S1/S2/S3_neg/S4_MARK/SWEEP/S5_REVIEW = PASS; S7_VERIFY = FAIL.
The db4aa58 UUID-JSON fix is effective: the prior RERUN#1 error "Object of type UUID is not JSON serializable" is gone. The signing body now serializes and the dot_pair_signature INSERT is reached — proving forward progress past the fixed defect.
New distinct blocking defect — server-side CHECK rejection (happy.json S7_VERIFY.why):
new row for relation "dot_pair_signature" violates check constraint "dot_pair_signature_check"
DETAIL: Failing row contains (5c2373c0-f248-4f48-8ac6-dc0ad236f4ea, executor, DOT-991,
0.4.0-dryrun-skeleton, 0115ee4f…, {"lane": "DOT-991", "is_prod… )
Deployed prod schema constraint (read-only catalog, pg_get_constraintdef, sanctioned C-03/C-07 workflow_admin path):
dot_pair_signature_check =
CHECK ( (cross_reference_change_set_id IS NOT NULL AND cross_reference_verify_result_id IS NULL)
OR (cross_reference_change_set_id IS NULL AND cross_reference_verify_result_id IS NOT NULL) )
XOR: exactly one cross-reference column must be non-NULL. The accepted code, writing the exec/DOT-991 signature row during VERIFY, does not populate cross_reference_change_set_id to reference its cut_change_set row → row fails the XOR → server dot_pair_signature_check violation → PhaseStop → in-txn ROLLBACK. Real defect, server-enforced — not a string-compare / harness FN. Same class as prior EXECUTION-BLOCKED-2-schema-contract-mismatch.
Consequence vs verification-plan r3 §2: the canonical MARK→SWEEP→REVIEW→CUT→VERIFY flow cannot reach the exact 15-row baseline (dot_pair_signature target =2 unreachable; VERIFY rolls back). Run = FAIL per §4 verdict rule.
4. Net-zero / safety proof (post-FAIL)
| Asset | State |
|---|---|
DR container pg-dry-run-v0.4-db-adapter-2026-05-17 |
DR_GONE_OK (exact-name docker rm -f -v) |
DR network dr-net-v0.4-2026-05-17 |
NET_GONE_OK (exact-name) |
Current-run prod dump prod-directus-20260517T122039Z.sql (sha 0c201941…) |
CURRENT_RUN_DUMP_ABSENT_OK — shredded by patched teardown on the fail path (R11 patch validated) |
| 3 protected prior dry-run envs | PROTECTED_BYTE_IDENTICAL (Id+StartedAt+Status pre==post) |
| Production | sysid pre==post 7611578671664259111; StartedAt 2026-04-17T05:35:18.48439927Z unchanged; pg_dump read-only only; no write/CUT/VERIFY; not restarted |
| iu-cutter SSOT | HEAD db4aa58…eede6, git status --short -- iu-cutter clean; no code change, no git commit |
| Secrets | openssl-generated dry-run-only; dr.env/dr.harness.env shredded at teardown; retained artefacts (orch.log/happy.json/sql_trace/harness_happy.out) manually confirmed secret-free (only UUIDs/hashes/sha/verbs). Formal C-12 secret-leak gate not reached (run STOPped at C-10a). |
5. Artefact index (SHA256)
| Artefact | SHA256 / value |
|---|---|
Corrected orchestrator run_dryrun_v0_4.sh |
d6478497901d5eed534a7b1204e9b09024250953fda4c8ac52191647a3ca0cb2 |
Harness dr_harness_v0_4.py (unchanged) |
ddf14a94438a6b8ed621329d2f3b62ca7da2b58724d6fd363136a0f1c8d3aa96 |
Roles matrix dr_roles_matrix.sql (unchanged) |
2a409696dc3f60cb6328a77afd345e7638685f8d70cb5c0995b40f5841a57584 |
| Stale prior prod dump (shredded, sha reference only) | e14089005192085b8766d64243e5e8de8fdb3897fc36059bb3517d04440dc3a3 |
| Current-run prod dump (shredded at teardown, sha reference only) | 0c2019417866c3ca5fb6f6ad90a2fe99d1166f5e11df40abe44e16b9ffa983d4 |
| Retained redacted artefacts | RESULT.json, logs/orch.log, logs/protected_before.txt, logs/protected_after.txt, out/happy.json, out/sql_trace.txt, logs/harness_happy.out |
6. Hardcode / label control statement
No fixed IP/DSN/password/vector-collection introduced. DR DB host = container name via dr.harness.env (dry-run-only env, not hardcoded). Passwords openssl-generated at runtime, shredded. Container/network names are intentional exact-name safety identifiers per command-review/rollback (exact-name teardown — required, not a forbidden hardcode). The one hardcode issue (stale ACCEPTED pin) was the GPT-accepted Finding 1 and was the authorized remediation, not an improvisation. No runtime label/key hardcoding, no metadata/label schema change, no vector/NoSQL integration.
7. Verdict & next (no self-advance)
RERUN#2 = honest FAIL. UUID-JSON fix confirmed effective; blocked by a separate real defect: the exec/DOT-991 dot_pair_signature write omits cross_reference_change_set_id, violating the deployed dot_pair_signature_check XOR. NOT marked PASS. No code change / commit / deploy / production write performed. Remediation (code fix to populate the exec-signature cross-reference, e.g. in cutter_agent/ledger.py/phases.py CUT/VERIFY signature write) requires a new explicit GPT-reviewed authorization — out of scope here. Self-advance PROHIBITED.