dot-iu-cutter v0.4 — First Controlled Production CUT/VERIFY Trial — Execution Report (SUCCESS_LIVE, no rollback) (2026-05-17)
dot-iu-cutter v0.4 — First Controlled Production CUT/VERIFY Trial — EXECUTION REPORT
Date: 2026-05-17 · Verdict: execution_status = SUCCESS_LIVE · ORCH_EXIT=0 · NO rollback.
Authorized by: Sovereign execution prompt (2026-05-17) after GPT PASS of target-selection preflight (B1 CLOSED, B2 CLOSED).
Accepted code commit (pinned, unchanged): e93424b5ff7fa5e4b8406131977ce4339cd0856a (branch main).
Controlling plan: command-review r1 · readiness addendum r1 · target preflight r1.
Predecessor evidence: PG-backed dry-run RERUN#4 SUCCESS (isolated real-PG, restored prod schema, commit e93424b).
1. Scope honoured
Exactly one pinned IU. No bulk · no wildcard · no second IU · no reclassification · no deploy/restart · no schema migration · no index DDL · no JSONB normalisation · no label registry change · no vector/NoSQL · no alias write. Single MARK→SWEEP→REVIEW→CUT→VERIFY against production cutter_governance only.
- TARGET_IU = 04e0c674-2a71-53b7-8d30-9c1a78d6fd17
- canonical_address = D38-DIEU28-S3-P1 (DIEU-28; tier=unit, leaf, draft_only/draft)
- entry_id = 26a8c4e8-c07c-5ff4-8854-ab55ef4fcf81
- change_set_id = 7c963f27-0bc1-4dd9-91ac-4d1f82f82d53
- verify_result_id = 633f2c51-9a87-4bb4-a7f6-75342bf72ac7
- final_status = verified_complete · verify verdict = pass
2. execution_status
SUCCESS_LIVE — all preflight gates A1–A10 PASS; single CUT/VERIFY committed; all postconditions (C-secret, C1, C2, C3, C5) PASS; harness rc=0; no rollback / no forward-compensation invoked (the happy path verified pass).
3. Backup (disaster backstop only) — path + SHA
- path: /opt/incomex/backups/dot-iu-cutter-v0.4-prodtrial-2026-05-17/prod-directus-20260517T133614Z.sql
- SHA256: da4e15e63f0da9fdc5b4a2c3142903b43da9d035294c7e7ec361e315b8318d3f
- size: 683,351,052 bytes · fresh read-only pg_dump (workflow_admin); freshness gate 28s ≤ 600s; retained as disaster backstop (NOT uploaded to KB — contains production data; sha-reference only).
4. Pre/Post row-count matrix + actual delta (cutter_governance) — independently re-verified
| Table | PRE (B) | POST (P) | Δ | EXPECT Δ |
|---|---|---|---|---|
| decision_backlog_entry | 0 | 1 | +1 | +1 |
| decision_backlog_history | 0 | 5 | +5 | +5 |
| decision_backlog_dependency | 0 | 0 | +0 | +0 |
| decision_backlog_sweep_log | 0 | 1 | +1 | +1 |
| manifest_envelope | 0 | 1 | +1 | +1 |
| manifest_unit_block | 0 | 1 | +1 | +1 |
| review_decision | 0 | 1 | +1 | +1 |
| dot_pair_signature | 0 | 2 | +2 | +2 |
| cut_change_set | 0 | 1 | +1 | +1 |
| cut_change_set_affected_row | 0 | 1 | +1 | +1 |
| verify_result | 0 | 1 | +1 | +1 |
| canonical_address_alias | 0 | 0 | +0 | +0 |
| TOTAL | 0 | 15 | +15 | +15 |
Cell-for-cell exact; matches the RERUN#4-validated verification-plan r3 baseline. All other production tables Δ0 — the target public.tac_logical_unit row is unchanged (draft_only/draft/canonical-address-v1 before == after): this trial writes only the append-only governance ledger family, it does not mutate the IU content or any enacted law.
5. DOT lane verification
Two dot_pair_signature rows, structurally verified against the deployed dot_pair_signature_check XOR:
| signature_kind | cross_reference_change_set_id | cross_reference_verify_result_id |
|---|---|---|
| executor (DOT-991) | SET → 7c963f27-0bc1-4dd9-91ac-4d1f82f82d53 | NULL |
| verifier (DOT-992) | NULL | SET → 633f2c51-9a87-4bb4-a7f6-75342bf72ac7 |
- DOT-991 references change_set only; DOT-992 references verify_result only.
- Exactly one cross-reference column non-null per row (badxor=0).
- No swapped lane (swapped=0); no both-null; no both-non-null. Centralised SIGNATURE_LANE_REFERENCE_KIND map asserted change_set / verify_result / DOT-991 / DOT-992 at preflight A6.
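The two counters above measure different failures: a row can satisfy the XOR and still sit in the wrong lane. The following added example (not code from the trial or from the accepted commit) audits rows for both; the lane map shape and the "dot" row key are assumptions made for illustration.

```python
# Added illustration, not the project's code. The lane map mirrors the table in
# this section; the real SIGNATURE_LANE_REFERENCE_KIND in the accepted commit is
# not shown on the page, so its shape (and the "dot" row key) is an assumption.
LANE_REFERENCE_KIND = {"DOT-991": "change_set", "DOT-992": "verify_result"}
COLUMN_FOR_KIND = {
    "change_set": "cross_reference_change_set_id",
    "verify_result": "cross_reference_verify_result_id",
}


def audit_signature_rows(rows):
    """Count XOR and lane violations across dot_pair_signature-like rows."""
    counts = {"badxor": 0, "swapped": 0, "unknown_lane": 0}
    for row in rows:
        populated = [c for c in COLUMN_FOR_KIND.values() if row.get(c) is not None]
        if len(populated) != 1:  # both NULL or both set: XOR violated
            counts["badxor"] += 1
            continue
        kind = LANE_REFERENCE_KIND.get(row.get("dot"))
        if kind is None:
            counts["unknown_lane"] += 1
        elif populated[0] != COLUMN_FOR_KIND[kind]:
            counts["swapped"] += 1  # XOR holds, but wrong column for this lane
    return counts


CS = "7c963f27-0bc1-4dd9-91ac-4d1f82f82d53"  # change_set_id from the report
VR = "633f2c51-9a87-4bb4-a7f6-75342bf72ac7"  # verify_result_id from the report


def make_row(dot, change_set_id, verify_result_id):
    return {
        "dot": dot,
        COLUMN_FOR_KIND["change_set"]: change_set_id,
        COLUMN_FOR_KIND["verify_result"]: verify_result_id,
    }


# The two rows as tabulated above.
TRIAL_ROWS = [make_row("DOT-991", CS, None), make_row("DOT-992", None, VR)]
# Constructed negative cases: swapped lane, both set, both NULL.
BAD_ROWS = [
    make_row("DOT-991", None, VR),
    make_row("DOT-992", CS, VR),
    make_row("DOT-992", None, None),
]

if __name__ == "__main__":
    print(audit_signature_rows(TRIAL_ROWS), audit_signature_rows(BAD_ROWS))
```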
6. No-bulk guard result
PASS. Selector is a single literal primary key (TARGET_IU = "04e0c674-…", exactly one assignment line; in-harness uuid.UUID() single-canonical-uuid assertion). Static scan of the harness for LIKE / IN ( / SQL wildcard / LIMIT n>1 / ANY / ALL / ::regclass = NONE_FOUND. Preflight A3 confirmed count(*) == 1. No bulk/wildcard selector appeared anywhere.
Honest note (harness self-check, NOT a production issue): the first run ABORTED at gate A7 (ABORTED_NO_WRITE, exit 2) before any write — a false-positive in the orchestrator's own no-bulk scanner: the harness used Python %-string formatting and the conservative guard forbids the literal byte %. The RERUN#4-validated dr_harness used f-strings (zero %). Fix = made the harness genuinely %-free (f-strings + chr(37) for the wildcard literal) so the strict guard stays intact and passes truthfully — the safety check was not weakened. Production was untouched by the aborted run (A1–A6 are read-only; abort preceded the A8 backup). Harness sha256 then 785c6f6a787f471ced7636da38abf04cf576671ed411b7c1e0b8e1c4f64bfee4; orchestrator sha256 3e54714c22761d0b74345f92c1bd3343fbd86863e72e89de345feff86276f16e.
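A conservative static guard of the kind described in this section, as an added example (not the orchestrator's actual scanner, which the report does not reproduce). The regexes, the messages and the constructed harness fragments are assumptions; it shows why %-formatting trips the guard while the f-string form passes.

```python
import re
import uuid

# Added illustration: these patterns are assumptions modelled on the tokens the
# report lists; the orchestrator's real scanner is not shown on the page.
FORBIDDEN = {
    "LIKE": re.compile(r"\bLIKE\b", re.I),
    "IN (": re.compile(r"\bIN\s*\(", re.I),
    "ANY": re.compile(r"\bANY\b", re.I),
    "ALL": re.compile(r"\bALL\b", re.I),
    "::regclass": re.compile(r"::regclass", re.I),
    "LIMIT n>1": re.compile(r"\bLIMIT\s+(?!1\b)\d+", re.I),
    "%": re.compile(r"%"),  # conservative: any literal percent byte
}
TARGET_LINE = re.compile(r'^TARGET_IU\s*=\s*"([^"\n]*)"[ \t]*$', re.M)


def scan_harness(source):
    """Return the list of no-bulk violations found in harness source text."""
    hits = sorted(name for name, rx in FORBIDDEN.items() if rx.search(source))
    targets = TARGET_LINE.findall(source)
    if len(targets) != 1:
        hits.append("TARGET_IU assignments != 1")
        return hits
    try:
        # Canonical means the literal round-trips through uuid.UUID unchanged.
        canonical = str(uuid.UUID(targets[0])) == targets[0]
    except ValueError:
        canonical = False
    if not canonical:
        hits.append("TARGET_IU not a canonical uuid")
    return hits


# Constructed harness fragments (the column name "id" and table "t" are assumed).
PIN = 'TARGET_IU = "04e0c674-2a71-53b7-8d30-9c1a78d6fd17"\n'
PERCENT_STYLE = PIN + 'log("rows=%d" % n)\n'
FSTRING_STYLE = PIN + 'log(f"rows={n}")\n'
BULK_STYLE = PIN + PIN + 'sql = "... WHERE id IN (SELECT id FROM t LIMIT 50)"\n'

if __name__ == "__main__":
    for name in ("PERCENT_STYLE", "FSTRING_STYLE", "BULK_STYLE"):
        print(name, scan_harness(globals()[name]))
```

Because the guard matches bytes rather than parsing SQL, harmless formatting fails it; that is the false positive recorded at gate A7.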
7. Rollback / forward-compensation status
No rollback. No forward-compensation invoked. VERIFY returned pass; the +15 rows are append-only audit and remain. Policy in force (readiness addendum §9, GPT-closed B2): forward-compensation / no-delete; audit-row deletion forbidden; backup-restore reserved for disaster only. No audit row was deleted or truncated (C3: only SET/SELECT/INSERT/UPDATE verbs observed).
8. Secret scrubbing confirmation
Confirmed. The 8 DOT_CUTTER_* connection keys were staged to a 0600 env-file containing only those keys (count asserted = 8), passed to the ephemeral harness container via --env-file, then shred -u immediately after the write (file now absent). No secret value was echoed, logged, or written to any artefact. Post-write safe-grep of out/ + logs/ for any DOT_CUTTER_*_DB_PASSWORD=<value> token = zero hits (C-secret PASS). result.json / sql_trace.txt carry ids/verbs/flags only.
9. Production sysid pre/post
- pre (A1) = 7611578671664259111; post-dump (A8) = 7611578671664259111; post (C5) = 7611578671664259111 — identical.
- prod postgres container State.StartedAt before == after = 2026-04-17T05:35:18.48439927Z — not restarted.
- 3 protected prior dry-run envs (pg-dry-run-v0.2-p0-2, …-phase-alpha, pg-dry-run-hb05) untouched.
10. Git branch / HEAD / status
- branch: main
- HEAD: e93424b5ff7fa5e4b8406131977ce4339cd0856a (== accepted pin; before == after)
- git status --short -- iu-cutter: clean (0 lines) — no cutter_agent/ iu-cutter source or test change, no commit. Operational artefacts live outside the git tree at /opt/incomex/backups/dot-iu-cutter-v0.4-prodtrial-2026-05-17/; iu-cutter mounted read-only into the harness container.
11. Hardcode control statement
No fixed IP/DSN/password/container-id/vector-collection introduced. Connection params loaded by RealPostgresAdapter from the existing /opt/incomex/docker/.env at runtime (never read/printed by the trial). The only literals are the mandated auditable safety constants — prod sysid 7611578671664259111, accepted-commit pin, exact role/lane names, and the single pinned TARGET_IU recorded for audit. No STOP-class hardcode.
12. Metadata / label non-hardcode statement
No metadata or label registry schema created or changed. No label columns added. No runtime label/metadata key hardcoding. SQL / deployed cutter_governance remains SSOT; JSONB carries no hidden authority; the DOT lane↔reference binding is the centralised, schema-binding-tested SIGNATURE_LANE_REFERENCE_KIND map in accepted commit e93424b, unchanged.
13. Vector / NoSQL untouched statement
No vector / NoSQL integration. No Qdrant or any vector/NoSQL store was read or written in the cut/verify write path. Vector/NoSQL remains projection/search-only and was not part of this trial.
14. Artefacts & evidence
- Orchestrator: …/scripts/run_prod_trial_v0_4.sh sha256 3e54714c22761d0b74345f92c1bd3343fbd86863e72e89de345feff86276f16e
- Harness (executed): …/scripts/prod_trial_harness_v0_4.py sha256 785c6f6a787f471ced7636da38abf04cf576671ed411b7c1e0b8e1c4f64bfee4 (faithful happy-path reduction of RERUN#4-validated dr_harness_v0_4.py; fixture {"u":[1]} byte-identical → exact +15)
- Logs: …/logs/orch.log, baseline.txt, postcount.txt; harness output …/out/result.json, sql_trace.txt
- write window = 15s; started 2026-05-17T13:36:01Z, finished 2026-05-17T13:36:57Z
15. Standing statement / next
First controlled production CUT/VERIFY trial = SUCCESS_LIVE, one IU, append-only, no rollback, production identity stable, no source/schema/deploy/vector/alias change. Self-advance PROHIBITED. No bulk cut, no second IU, no scale run, no index DDL, no label/metadata registry, no vector/NoSQL, no alias writes, no deploy — each remains forbidden without a separate GPT review + sovereign authorization. Next = GPT review of this execution report.