KB-4EBC
dot-iu-cutter v0.5 — Code Ratification · Targeted Test Result (G3 PASS) (doc 4 of 6)
Revision 1
Tags: dot-iu-cutter · v0.5 · code-ratification-release-readiness · test-result · g3-pass · 173-of-173-regression · 264-of-265-discover · pre-existing-baseline-failure · no-production-connection · dieu44 · 2026-05-20
doc 4 of 6 · 2026-05-20 · M4 macro
phase : G3 — run targeted + regression + discover tests
outcome : G3 PASS — 173/173 on the targeted regression bundle ; 264/265 on full discover (the 1 failure is a known pre-existing baseline; not caused by M4).
production_mutation : NONE (all tests are no-DB / scratch-only)
1. py_compile (syntax sanity)
$ python3 -m py_compile \
cutter_agent/cutprod_canonical.py \
cutter_agent/prod_iu_adapter_canonical.py \
cutter_agent/ledger_v2_canonical_cut.py \
cutter_agent/ledger_v2_canonical_verify.py
Result: OK (zero output ; exit 0). All four newly-committed v0.5 modules compile clean.
2. New M2 module — tests.test_ledger_v2_canonical_verify
test_count : 30
result : OK (30 PASS, 0 FAIL, 0 ERROR, 0.002s)
classes :
TestConstruction (2) — construct + no-psycopg AST scan
TestPinsAreRatified (3) — M1 ids ; writer_digest ; SoD distinct
TestPlanValidation (12) — missing keys, wrong M1 ids, cardinality,
section_type, lifecycle, publication_type
TestPlannedRowShape (8) — XOR ; NOT NULL no-default ; FK targets ;
manifest_version=writer_digest ; findings ;
payload_hash canonical ; chained prior sig
TestRecordEmits (3) — 1 SELECT + 2 INSERTs in order ; refuse on
collision ; linkage returned
TestStubSigning (1) — DOT-991 vs DOT-992 placeholder distinct
3. M1 module — tests.test_ledger_v2_canonical_cut
test_count : 21
result : OK (21 PASS)
classes :
TestConstruction (2)
TestPinsAreRatified (1)
TestPlanValidation (8)
TestPlannedRowShape (7)
TestRecordEmits (2)
TestStubSigning (1)
4. Canonical adapter — tests.test_prod_iu_adapter_canonical
test_count : 27
result : OK (27 PASS)
classes :
TestNoConnectGuarantees (3)
TestPinsAreRatified (2)
TestPreConnectGuards (5)
TestConnectedGuards (4)
TestLegAInTxnCanonical (4)
TestExecuteLegAOnlyCanonical (1)
TestCutprodCanonicalCli (8)
5. Regression bundle (legacy + new — 7 suites)
$ python3 -m unittest \
tests.test_prod_iu_adapter \
tests.test_cutwrite_snapshot \
tests.test_dryrun_snapshot_mark \
tests.test_cutplan_snapshot \
tests.test_prod_iu_adapter_canonical \
tests.test_ledger_v2_canonical_cut \
tests.test_ledger_v2_canonical_verify
Result: Ran 173 tests in 0.149s — OK. Zero failures across the
combined regression bundle.
6. Full discover (everything under tests/)
$ python3 -m unittest discover tests
Result: Ran 265 tests in 0.155s — FAILED (failures=1).
6.1 The single failure
FAIL: test_source_has_no_hardcoded_dsn_or_secret
(tests.test_security_boundaries.TestNoSecretPrinted)
File "tests/test_security_boundaries.py", line 118:
self.assertNotIn("PGPASSWORD", text,
AssertionError: 'PGPASSWORD' unexpectedly found in
'…' (in cutter_agent/cutwrite.py)
6.2 Classification — pre-existing baseline
- Source: cutter_agent/cutwrite.py (RATIFIED at commit f0120ac — present on main's ancestor chain ; NOT a file added or modified by M4).
- Cause: cutwrite.py defines DB_ENV_GUARD = ("PG_DSN", "DATABASE_URL", "DIRECTUS_URL", "PGPASSWORD", "PGHOST", "PGUSER") — a tuple of env var names used as a REFUSE-guard (the file declines to run if any of these env vars are SET). This is a safety feature, not a hardcoded secret.
- The test's literal-scan does not distinguish env-var-name string literals from secret values.
- Per memory (S2 macro): discover 128/1 (pre-existing baseline only, R1) — the 1/N baseline failure has been a known phenomenon across multiple v0.5 macros and was explicitly classified as a pre-existing test defect, not a code defect.
6.3 Decision
DO NOT modify cutwrite.py to silence the test (it is RATIFIED and the
env-guard is the correct behavior). DO NOT modify the test (it is RATIFIED
and a test refactor is out of M4 scope). RECORD the failure as a known
baseline ; recommend an N-1 follow-up to either:
- improve test_source_has_no_hardcoded_dsn_or_secret to allow ALL-CAPS env var names in a recognized GUARD tuple, OR
- relocate the env-var name list to a separate constant module imported by cutwrite.py and excluded from the literal scan,
whichever path is preferred at M5 / automation macro time.
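A sketch of the first follow-up option, added here as an illustration and not taken from tests/test_security_boundaries.py or any dot-iu-cutter code: an AST-based scan that keeps the strictness of the literal check but exempts bare env-var names inside a guard tuple. The `_GUARD` suffix rule, the function names and the sample source are assumptions.

```python
import ast

# Env-var names from the DB_ENV_GUARD tuple quoted in section 6.2.
SENSITIVE = {"PG_DSN", "DATABASE_URL", "DIRECTUS_URL",
             "PGPASSWORD", "PGHOST", "PGUSER"}
GUARD_SUFFIX = "_GUARD"  # assumption: how a "recognized GUARD tuple" is named


def _guard_name_nodes(tree):
    """ids of string constants that are bare env-var names in X_GUARD = (...)."""
    allowed = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign)
                and isinstance(node.value, (ast.Tuple, ast.List))):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if not any(n.endswith(GUARD_SUFFIX) for n in names):
            continue
        for elt in node.value.elts:
            # Exact match only: "PGPASSWORD=..." inside a guard is still a hit.
            if isinstance(elt, ast.Constant) and elt.value in SENSITIVE:
                allowed.add(id(elt))
    return allowed


def find_secret_literals(source):
    """(lineno, literal) for strings naming a sensitive var outside a guard."""
    tree = ast.parse(source)
    allowed = _guard_name_nodes(tree)
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and id(node) not in allowed
                and any(name in node.value for name in SENSITIVE)):
            hits.append((node.lineno, node.value))
    return sorted(hits)


# Constructed sample source, not taken from cutwrite.py.
SAMPLE = '''
DB_ENV_GUARD = ("PG_DSN", "DATABASE_URL", "PGPASSWORD")
cmd = "PGPASSWORD=example-not-real psql -h db"
OTHER = ("PGPASSWORD",)
'''

if __name__ == "__main__":
    for lineno, literal in find_secret_literals(SAMPLE):
        print(f"line {lineno}: {literal!r}")
```

Unlike a raw text scan, this walks string constants only, so a sensitive name that appears solely in a comment is not reported; docstrings and f-string fragments still are.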
7. Production-connection safety (re-asserted by tests)
no_psycopg_at_module_load_of_ledger_v2_canonical_cut : AST scan PASS
no_psycopg_at_module_load_of_ledger_v2_canonical_verify : AST scan PASS
no_psycopg_at_module_load_of_prod_iu_adapter_canonical : AST scan PASS
all_three_recorder_modules_DB-agnostic : ✓ (rely on a conn
object's .execute)
runner-only modules (sidecar) own the DB driver : ✓ (out-of-repo)
test_security_boundaries (other 11 tests) : PASS
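One way a no-psycopg-at-module-load AST scan can be written, added here as an illustration and not the project's own test code: it reports driver imports that execute when the module is imported, including those inside top-level try/if blocks and class bodies, and skips function bodies. The prefix match on `psycopg`, the function names and the sample source are assumptions.

```python
import ast

FORBIDDEN_PREFIX = "psycopg"  # assumption: also covers psycopg2, psycopg_pool


def _imported_modules(stmt):
    """Module names pulled in by one import statement, else an empty list."""
    if isinstance(stmt, ast.Import):
        return [alias.name for alias in stmt.names]
    if isinstance(stmt, ast.ImportFrom):
        return [stmt.module or ""]
    return []


def module_load_driver_imports(source):
    """(lineno, module) for driver imports that run at import time."""
    hits = []

    def visit(stmts):
        for stmt in stmts:
            for mod in _imported_modules(stmt):
                if mod.split(".")[0].startswith(FORBIDDEN_PREFIX):
                    hits.append((stmt.lineno, mod))
            # A function body runs only when called, not at module load.
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            # Class bodies and if/try/with/for/while blocks do run at load.
            for field in ("body", "orelse", "finalbody"):
                visit(getattr(stmt, field, []))
            for handler in getattr(stmt, "handlers", []):
                visit(handler.body)

    visit(ast.parse(source).body)
    return hits


# Constructed sample module, not taken from the repository.
SAMPLE = '''
import os
try:
    import psycopg2
except ImportError:
    from psycopg import sql
class Recorder:
    def record(self, conn):
        import psycopg2.extras
        conn.execute("SELECT 1")
'''

if __name__ == "__main__":
    print(module_load_driver_imports(SAMPLE))
```

A stricter policy that forbids the driver anywhere in a recorder module would walk function bodies as well; dynamic imports through `importlib` or `__import__` are outside what a static scan of import statements sees.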
8. Disposition
G3 (targeted test result) : PASS
· py_compile (4 new modules) : OK
· 30+21+27 = 78 PASS on new modules : ✓
· 173/173 PASS on regression bundle (7 suites) : ✓
· 264/265 PASS on full discover : ✓ (1 pre-existing)
· no-psycopg-at-module-load enforced : ✓ (3 AST scans)
production_mutation : NONE
next : G4 commits already applied — proceed to G5 release package (doc 5)