KB-2C60

dot-iu-cutter v0.5 — Code Ratification · Code Provenance Map (G1 PASS) (doc 2 of 6)

Revision 1

doc 2 of 6 · 2026-05-20 · M4 macro

phase                : G1 — trace every production-execution code file to
                       KB-reported sha + local + sidecar location
outcome              : G1 PASS — every file's sha matches its M1/M2 KB
                       report ; no drift detected ; no fabricated provenance.
production_mutation  : NONE this phase

1. Canonical leg-A code (used in production CUT 2026-05-20T04:18:21.854512Z)

cutter_agent/prod_iu_adapter_canonical.py :
  current_local_sha256  : 2d65dee29579d81b3c67baf7fad34c8792643531fb5cc59208e4a417491f87f4
  KB_reported_sha256    : 2d65dee29579d81b3c67baf7fad34c8792643531fb5cc59208e4a417491f87f4
                          (per project_dot_iu_cutter_v0_5_first_controlled_cut_canonical_production_execution_pass
                           memory entry: 'A-4 publication_type=law patch
                           applied to prod_iu_adapter_canonical (sha
                           84db8be9 → 2d65dee2…)')
  match                 : ✓ byte-identical
  KB_report_doc         : knowledge/dev/laws/dieu44-trien-khai/
                          v0.5-first-controlled-cut-canonical-production-execution/
                          (7 docs ; this is the canonical CUT execution package)
  used_in_production    : YES — leg-A CUT executed 2026-05-20T04:18:21.854512Z
                          (60 ICX-CONST IUs born via fn_iu_create)

cutter_agent/cutprod_canonical.py :
  current_local_sha256  : 3a7ab605776bc793429fc677355ab8beb3a4c3bdff3d502a007a75da9402c220
  KB_reported_sha256    : not explicitly pinned in KB (no per-file sha emitted
                          for cutprod_canonical in the canonical CUT package),
                          but the file is mentioned in canonical-path doc 5
                          (`cutter_agent/cutprod_canonical.py NEW (~7 KB)`)
                          and is the CLI driver used by the production CUT.
                          27/27 tests pass against this version.
  used_in_production    : YES — the production CUT command line used this
                          driver (--mode production-leg-a-only-canonical).
  acceptance            : sha-pinned at M4 commit time (3a7ab605…).

tests/test_prod_iu_adapter_canonical.py :
  current_local_sha256  : 6545c30d148fb22b8dbe09aea88915c7afdb1dc6f12844eefd4ce83e19d4e270
  KB_reported_count     : 27/27 PASS in canonical-path doc 5 §4
                          AND 8/8 cutprod_canonical CLI tests (subset of 27)
  test_count_now        : 27 PASS (re-verified 2026-05-20 G3)
  acceptance            : sha-pinned at M4 commit time (6545c30d…).

2. Leg-B governed recording code (used in production 2026-05-20T05:18:20Z)

cutter_agent/ledger_v2_canonical_cut.py :
  current_local_sha256  : 3270f1df4d52890edcc04e34f8e7c4a58e98d98f7424dc9132d0c4cb108ce2e9
  KB_reported_sha256    : 3270f1df4d52890edcc04e34f8e7c4a58e98d98f7424dc9132d0c4cb108ce2e9
                          (per legB-governed-recording-execution doc 3 §1
                           and project memory entry)
  match                 : ✓ byte-identical
  KB_report_doc         : knowledge/dev/laws/dieu44-trien-khai/
                          v0.5-legB-governed-recording-execution/
                          (7 docs ; M1 macro)
  used_in_production    : YES — leg-B governed recording committed
                          2026-05-20T05:18:20Z (+126 rows in cutter_governance.*)

tests/test_ledger_v2_canonical_cut.py :
  current_local_sha256  : 7b3355c05723803ead3350dc376a4e697f1327720046251566ae08d9a4ed7b1f
  KB_reported_sha256    : not pinned explicitly (only the module sha + test
                          count 21/21 PASS in legB doc 3 §2)
  test_count_now        : 21 PASS (re-verified 2026-05-20 G3)
  acceptance            : sha-pinned at M4 commit time (7b3355c0…).

3. Write-VERIFY / DOT-992 code (used in production 2026-05-20T06:03:30Z)

cutter_agent/ledger_v2_canonical_verify.py :
  current_local_sha256  : 18ee4ca2ae28c3b21d76c3e1591b5a718123464f50b4e7f8d11e9a008b6dff97
  KB_reported_sha256    : 18ee4ca2ae28c3b21d76c3e1591b5a718123464f50b4e7f8d11e9a008b6dff97
                          (per write-verify-dot992-execution doc 3 §1 and
                           project memory entry)
  match                 : ✓ byte-identical
  KB_report_doc         : knowledge/dev/laws/dieu44-trien-khai/
                          v0.5-write-verify-dot992-execution/
                          (7 docs ; M2 macro)
  used_in_production    : YES — write-VERIFY committed 2026-05-20T06:03:30Z
                          (+2 rows: 1 verify_result + 1 verifier signature)

tests/test_ledger_v2_canonical_verify.py :
  current_local_sha256  : c46370affaf0b357c983ccfcaf2a011e5e51512e1cf28379746024c09ff160da
  KB_reported_sha256    : c46370affaf0b357c983ccfcaf2a011e5e51512e1cf28379746024c09ff160da
                          (per write-verify-dot992-execution doc 3 §2 and
                           project memory entry)
  match                 : ✓ byte-identical
  test_count_now        : 30 PASS (re-verified 2026-05-20 G3)

4. Ephemeral sidecar artifacts (NOT in repo by design)

/tmp/cutter_legB_runner.py (on contabo) :
  sha256                : 964c85d14d668e2cd2446f35de54b08cb9ac9e4099f1dcc37f4440b7f2964de6
  KB_reported_sha256    : 964c85d14d668e2cd2446f35de54b08cb9ac9e4099f1dcc37f4440b7f2964de6
                          (legB doc 3 §3)
  match                 : ✓ byte-identical
  rationale_not_in_repo : sovereign-authored runner ; one-time execution ;
                          contains DSN/role coupling specific to contabo's
                          postgres container netns ; lives at /tmp by design
                          (no run-time secret stored ; trust-auth only).

/tmp/cutter_verify_runner.py (on laptop + contabo) :
  sha256                : ac071f69bec6094e86a95b3f116572737564fb8a7d7c004d74041144ac3a8302
  KB_reported_sha256    : ac071f69bec6094e86a95b3f116572737564fb8a7d7c004d74041144ac3a8302
                          (write-verify doc 3 §3 and project memory)
  match                 : ✓ byte-identical
  rationale_not_in_repo : same as legB runner.

/opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py (on contabo) :
  sha256                : 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8
  KB_reported_sha256    : 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8
                          (canonical CUT execution memory entry)
  match                 : ✓ byte-identical
  rationale_not_in_repo : connection provider authored sovereignly outside
                          the iu-cutter repo for the one-time canonical CUT ;
                          stored in /opt/incomex/dot/specs/ which is the
                          contabo provenance directory for sovereign-authored
                          specs ; explicitly recorded by KB.

5. Pinned identity (re-confirmed across M0..M2 + M4)

PIN_WRITER_DIGEST    : d99a31d4a4be907c510ae15965e9f7bb3387e9e28676e9f32adf463828b1aa28
                        (ratified ; unchanged across all macros ; verified
                         by the canonical adapter's pre-txn assertion)
PIN_MANIFEST_DIGEST  : 9d908a62fcf01bb88e05a1af4335b960710006ddcfd21c811ca63efb33dd324f
PIN_MANIFEST_FILE_SHA: 7d56f3ce066950ccef3de4156c5afeea81b2450b8e38393205b52c1fca012179
PIN_SOURCE_VERSION   : icxconst-008a06ace23a96ea6cd456146e805c97
PIN_CANDIDATE_COUNT  : 60

6. Persisted production identifiers (cross-checked against repo code)

canonical leg-A CUT :
  ICX-CONST IUs born   : 60
  cut_committed_at_utc : 2026-05-20T04:18:21.854512Z
  cut_started_at_utc   : 2026-05-20T04:18:14Z (per PIN_CUT_STARTED_AT in
                          ledger_v2_canonical_cut.py, reused for governance)

leg-B governed recording (M1) :
  change_set_id              : 456c6830-a747-4b53-ac2f-665e25e12cd0
  review_decision_id         : 29c88a7b-60f7-41bd-af45-43cc9b9f41c0
  manifest_envelope_id       : 638cf363-f45a-4bb3-b9bb-928c5e24c15b
  executor_signature_id      : 3a249063-e33a-406a-9302-2e9e646a0938
  payload_hash               : 7468c7a976ab729c32d19e93001bf724f7cf2b1f59a41f5b8788ac6b627c6cfa
  recorded_at_utc            : 2026-05-20T05:18:20Z

write-VERIFY (M2 ; DOT-992) :
  verify_result_id           : 18278460-438c-4fb4-bf9c-997c82447f92
  verifier_signature_id      : f5c3ee34-7f9f-4af3-879d-1bdcf5508a8f
  payload_hash               : 51feacd5a863b2473c63c30406acb1808c671ee16334780494f949630ff85388
  committed_at_utc           : 2026-05-20T06:03:30Z

All of the above are encoded as PIN_M1_* constants in cutter_agent/ledger_v2_canonical_verify.py and re-asserted by its plan() invariants.

7. Disposition

G1 (code provenance map)                          : PASS
  · every in-repo v0.5 file sha matches KB report : ✓
  · every sidecar artifact sha matches KB report  : ✓
  · no fabricated provenance                      : ✓
  · production-execution timestamps + ids pinned  : ✓
production_mutation                               : NONE
next                                              : G2 ratification scope
                                                    decision (doc 3)
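
The G1 comparison of current_local_sha256 against KB_reported_sha256, sketched as an added example (not the dot-iu-cutter project's code). The names `check_entry` and `g1_gate`, the status strings, and the sample files are assumptions constructed here; blocking on an abbreviated digest is this example's choice, since a prefix cannot establish byte-identity.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large artifacts are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_entry(path, kb_sha):
    """Classify one map entry; kb_sha is None when the KB pinned no digest."""
    if not Path(path).is_file():
        return "missing", None
    local = sha256_file(path)
    if kb_sha is None:
        return "unpinned", local          # caller records local digest as the new pin
    kb = kb_sha.strip().lower()
    if len(kb) == 64:
        return ("match" if kb == local else "drift"), local
    # An abbreviated digest cannot establish byte-identity.
    return ("prefix-only" if kb and local.startswith(kb) else "drift"), local

def g1_gate(entries):
    """entries: {path: kb_sha or None}. PASS only if all are match or unpinned."""
    results = {p: check_entry(p, kb) for p, kb in entries.items()}
    blocking = sorted(p for p, (s, _) in results.items() if s not in ("match", "unpinned"))
    to_pin = {p: d for p, (s, d) in results.items() if s == "unpinned"}
    return {"outcome": "FAIL" if blocking else "PASS",
            "blocking": blocking, "to_pin": to_pin, "results": results}

def demo():
    """Constructed sample files standing in for repo and sidecar artifacts."""
    d = Path(tempfile.mkdtemp())
    files = {"adapter.py": b"adapter v1\n", "driver.py": b"driver v1\n",
             "runner.py": b"runner v1\n"}
    for name, data in files.items():
        (d / name).write_bytes(data)
    pins = {str(d / "adapter.py"): hashlib.sha256(b"adapter v1\n").hexdigest(),
            str(d / "driver.py"): None,   # no per-file sha reported
            str(d / "runner.py"): hashlib.sha256(b"runner v1\n").hexdigest()}
    clean = g1_gate(pins)
    (d / "runner.py").write_bytes(b"runner v1 (edited)\n")   # simulate drift
    return clean, g1_gate(pins), d

if __name__ == "__main__":
    clean, drifted, _ = demo()
    print(clean["outcome"], drifted["outcome"], drifted["blocking"])
```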
