KB-67CA

dot-iu-cutter v0.5 — Code Ratification · Repo State Survey (G0 PASS) (doc 1 of 6)

Revision 1

doc 1 of 6 · 2026-05-20 · M4 macro

phase                : G0 — repo state DISCOVER-FIRST
outcome              : G0 PASS — single local repo, single feature branch,
                       main is a strict ancestor, NO remote, 7 untracked
                       v0.5 canonical files (3 macros' worth) to ratify.
production_mutation  : NONE this phase (read-only git inspection)

1. Repo location

repo_root          : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
filesystem         : darwin (laptop)
git_state          : git repo (tree clean BEFORE M4 commits ; only untracked
                     files at the start of the macro)
working_directory  : /Users/nmhuyen (parent ; CWD is not the repo root)
contabo_repo       : /opt/incomex/dot HEAD e93424b (v0.4 baseline ; v0.5
                     code has NEVER been pushed to contabo. Production CUT
                     was executed via /tmp-staged sidecar copies. This is
                     documented in the M1 + M2 reports.)

2. Branches and remotes

current_branch     : feature/constitution-snapshot-mark-dryrun
HEAD (pre-M4)      : f20c79c
HEAD (post-M4)     : 32cfa93 (after 3 new ratification commits)
main_head          : 4367c83 (baseline: ratified iu-cutter v0.4 skeleton
                     before snapshot MARK entrypoint)
remotes            : NONE (git remote -v returns empty)

⇒ push is impossible by construction.
⇒ local merge to main is the only release path ; would be a fast-forward
   (main is a strict ancestor of HEAD ; main..HEAD = 8 ; HEAD..main = 0).

3. Branch graph (post-M4 commits)

main (4367c83)
  │
  ├─ afb7bfc  feat: add snapshot MARK dry-run entrypoint
  ├─ d66a60d  feat: add S2 no-DB CUT-plan dry-run planner (cutplan) + tests
  ├─ f0120ac  feat: add W-3 DB-isolated constitution writer (cutwrite) + tests
  ├─ 152e7db  feat: add GUARDED leg-A prod IU birth adapter (prod_iu_adapter+cutprod)+tests
  ├─ f20c79c  feat(R1): add --mode production-leg-a-only + execute_leg_a_only seam (UB-2)
  ├─ 6a56bc3  feat(canonical-path): add fn_iu_create canonical adapter + cutprod_canonical + tests   ← M4 commit 1
  ├─ 7133c44  feat(leg-B/M1): add ledger_v2_canonical_cut governed recorder + tests                    ← M4 commit 2
  └─ 32cfa93  feat(write-VERIFY/M2): add ledger_v2_canonical_verify DOT-992 recorder + tests           ← M4 commit 3 / HEAD

4. Pre-M4 untracked file inventory

seven untracked v0.5 files (verified via `git status --short`) :
  cutter_agent/cutprod_canonical.py             3a7ab605776bc793429fc677355ab8beb3a4c3bdff3d502a007a75da9402c220
  cutter_agent/ledger_v2_canonical_cut.py       3270f1df4d52890edcc04e34f8e7c4a58e98d98f7424dc9132d0c4cb108ce2e9
  cutter_agent/ledger_v2_canonical_verify.py    18ee4ca2ae28c3b21d76c3e1591b5a718123464f50b4e7f8d11e9a008b6dff97
  cutter_agent/prod_iu_adapter_canonical.py     2d65dee29579d81b3c67baf7fad34c8792643531fb5cc59208e4a417491f87f4
  tests/test_ledger_v2_canonical_cut.py         7b3355c05723803ead3350dc376a4e697f1327720046251566ae08d9a4ed7b1f
  tests/test_ledger_v2_canonical_verify.py      c46370affaf0b357c983ccfcaf2a011e5e51512e1cf28379746024c09ff160da
  tests/test_prod_iu_adapter_canonical.py       6545c30d148fb22b8dbe09aea88915c7afdb1dc6f12844eefd4ce83e19d4e270

5. Existing ratified files (untouched by M4)

cutter_agent/__init__.py                       (ratified ; DOT lane identities)
cutter_agent/canonicalization.py               (ratified)
cutter_agent/cutplan.py                        (d66a60d)
cutter_agent/cutprod.py                        (152e7db ; R1 patch f20c79c)
cutter_agent/cutwrite.py                       (f0120ac ; DB-isolated writer)
cutter_agent/db_adapter.py                     (ratified)
cutter_agent/dryrun.py                         (afb7bfc + later edits)
cutter_agent/idempotency.py                    (ratified)
cutter_agent/ledger.py                         (v0.4 dry-run skeleton ;
                                                incompatible with live shape
                                                ; ledger_v2_* SUPERSEDES the
                                                two methods it would have
                                                covered — kept for v0.4
                                                back-compat / not deleted)
cutter_agent/phases.py                         (ratified)
cutter_agent/prod_iu_adapter.py                (152e7db ; R1 patch f20c79c)
cutter_agent/signal.py                         (ratified)
cutter_agent/signing.py                        (ratified ; supports both
                                                DOT-991 + DOT-992 lanes via
                                                StubSigning)
cutter_agent/state_machine.py                  (ratified)
cli.py                                         (ratified)
constitution-normalized-17660443e0f23e99.md    (source fixture, pinned)
tests/test_*.py (existing)                     (all pre-existing)

6. Ephemeral / out-of-repo sidecar artifacts (DOCUMENTED, NOT committed)

laptop /tmp :
  /tmp/cutter_verify_runner.py
    sha256 : ac071f69bec6094e86a95b3f116572737564fb8a7d7c004d74041144ac3a8302
    role   : M2 write-VERIFY runner (smoke + commit modes)
    auth   : trust-auth as cutter_verify via container netns share
    why_ephemeral : sovereign-authored, executed once, no business logic ;
                    written to dedicated runner-only path to avoid
                    coupling production credentials to repo code.

contabo /tmp :
  /tmp/cutter_legB_runner.py
    sha256 : 964c85d14d668e2cd2446f35de54b08cb9ac9e4099f1dcc37f4440b7f2964de6
    role   : M1 leg-B recorder runner (smoke + commit modes)
    auth   : trust-auth as cutter_exec via container netns share
    why_ephemeral : same reason as cutter_verify_runner.py.
  /tmp/cutter_verify_runner.py
    sha256 : ac071f69bec6094e86a95b3f116572737564fb8a7d7c004d74041144ac3a8302
    (identical copy of laptop sidecar, staged for M2 execution)

contabo /opt/incomex/dot/specs :
  cutter_legA_provider_20260520T031054Z.py
    sha256 : 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8
    role   : connection provider module for canonical leg-A CUT
             (psycopg2 autocommit=False ; _NOW sentinel→NOW() swap)
    why_ephemeral : sovereign-authored specifically for the one-time CUT
                    execution ; lives in the specs/ provenance directory
                    on contabo for audit ; NOT a long-lived module.

contabo /tmp/iu-cutter-v05-stage/ :
  full v0.5 cutter_agent stage (sidecar import root for the M1/M2 runners)
  All staged files have sha256 == matching laptop / repo file. Re-stagable
  at any time by `scp cutter_agent/*.py contabo:/tmp/iu-cutter-v05-stage/...`

These sidecar artifacts are recorded in the M1 + M2 execution-log reports (docs 4 of those packages). Their KB provenance is preserved.
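
Added example (not part of the dot-iu-cutter repo or its runners): one way to re-check the statement that every staged file matches its recorded sha256, reading an inventory in the "path  sha256" layout of section 4. The function names and the demo tree are assumptions constructed for illustration; unlisted `.py` files are reported too, because anything placed in a sidecar import root is importable by the runners.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Inventory line shape used on this page: "<relative path>  <64 hex chars>".
LINE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{64})\s*$")

def parse_manifest(text):
    """Return {relative_path: sha256_hex}; reject malformed, duplicate or escaping paths."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: expected '<path> <sha256>'")
        rel, digest = m.groups()
        if rel in entries or Path(rel).is_absolute() or ".." in Path(rel).parts:
            raise ValueError(f"line {n}: duplicate or unsafe path {rel!r}")
        entries[rel] = digest
    return entries

def verify_tree(root, manifest, pattern="**/*.py"):
    """Return (missing, mismatched, unlisted) relative paths, each sorted."""
    root = Path(root)
    missing = sorted(r for r in manifest if not (root / r).is_file())
    mismatched = sorted(
        r for r, d in manifest.items() if (root / r).is_file()
        and hashlib.sha256((root / r).read_bytes()).hexdigest() != d)
    on_disk = {p.relative_to(root).as_posix() for p in root.glob(pattern) if p.is_file()}
    return missing, mismatched, sorted(on_disk - set(manifest))

def demo():
    """Constructed stage: one file intact, one altered, one absent, one unlisted."""
    good, changed = b"def cut(): pass\n", b"def verify(): pass\n"
    manifest = parse_manifest(
        f"cutter_agent/a.py  {hashlib.sha256(good).hexdigest()}\n"
        f"cutter_agent/b.py  {hashlib.sha256(changed).hexdigest()}\n"
        f"cutter_agent/c.py  {'0' * 64}\n")
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "cutter_agent"
        pkg.mkdir()
        (pkg / "a.py").write_bytes(good)
        (pkg / "b.py").write_bytes(changed + b"# altered after hashing\n")
        (pkg / "extra.py").write_bytes(b"import os\n")
        return verify_tree(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

A stage is clean only when all three returned lists are empty; a non-empty `unlisted` list is as much a finding as a hash mismatch.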

7. Disposition

G0 (repo state survey)                            : PASS
  · single repo, single feature branch            : YES
  · main is strict ancestor (fast-forward viable) : YES (8/0)
  · NO remote (push impossible)                   : confirmed
  · 7 untracked v0.5 canonical files identified   : YES
  · sidecar / out-of-repo artifacts documented    : YES (3 ephemeral files)
production_mutation                               : NONE
next                                              : G1 code provenance map (doc 2)
