KB-10F5

dot-iu-cutter v0.5 — Code Ratification · Release / Merge Package (G4+G5 — feature branch committed; main merge READY but withheld pending explicit approval) (doc 5 of 6)

8 min read Revision 1

dot-iu-cutterv0.5code-ratification-release-readinessrelease-merge-packageg4-passg5-pass-conditionalfeature-branch-committedmain-merge-ready-but-withheldfast-forward-feasibleno-pushno-deploydieu442026-05-20

dot-iu-cutter v0.5 — Code Ratification · Release / Merge Package

doc 5 of 6 · 2026-05-20 · M4 macro

phase                : G4 (commit feature branch) + G5 (release / merge
                       package preparation)
outcome              : G4 PASS — 3 commits added on the feature branch ;
                       G5 READY — local fast-forward to main is feasible
                       and reversible, but is WITHHELD pending explicit
                       GPT/User approval per the prompt's "merge to main
                       only if explicitly safe and already allowed" rule.
production_mutation  : NONE (repo-only ; no remote ; no deploy)

1. G4 — feature branch commits (executed)

branch : feature/constitution-snapshot-mark-dryrun

commit 1 of 3 (M0 / canonical-path):
  sha               : 6a56bc3
  subject           : feat(canonical-path): add fn_iu_create canonical adapter
                      + cutprod_canonical + tests
  files (3)         : cutter_agent/prod_iu_adapter_canonical.py
                      cutter_agent/cutprod_canonical.py
                      tests/test_prod_iu_adapter_canonical.py
  diffstat          : 3 files changed, 1045 insertions
  KB ratified by    : dot-iu-cutter-v0.5-first-controlled-canonical-cut-pass-
                      gpt-ruling-2026-05-20.md

commit 2 of 3 (M1 / leg-B):
  sha               : 7133c44
  subject           : feat(leg-B/M1): add ledger_v2_canonical_cut governed
                      recorder + tests
  files (2)         : cutter_agent/ledger_v2_canonical_cut.py
                      tests/test_ledger_v2_canonical_cut.py
  diffstat          : 2 files changed, 932 insertions
  KB ratified by    : dot-iu-cutter-v0.5-legB-governed-recording-pass-gpt-
                      ruling-2026-05-20.md

commit 3 of 3 (M2 / write-VERIFY):
  sha               : 32cfa93
  subject           : feat(write-VERIFY/M2): add ledger_v2_canonical_verify
                      DOT-992 recorder + tests
  files (2)         : cutter_agent/ledger_v2_canonical_verify.py
                      tests/test_ledger_v2_canonical_verify.py
  diffstat          : 2 files changed, 796 insertions
  KB ratified by    : dot-iu-cutter-v0.5-write-verify-dot992-pass-gpt-ruling-
                      2026-05-20.md

post-commit state :
  HEAD              : 32cfa93
  tree              : clean
  untracked v0.5    : 0 (all 7 committed in 3 commits)

2. G5 — main merge READINESS (NOT executed)

2.1 Fast-forward feasibility

main                       : 4367c83 (untouched ; baseline)
feature/...                : 32cfa93 (HEAD ; 8 commits ahead)
main..feature              : 8 commits  (afb7bfc, d66a60d, f0120ac, 152e7db,
                                          f20c79c, 6a56bc3, 7133c44, 32cfa93)
feature..main              : 0 commits  (main is strict ancestor)
remote                     : NONE (cannot push or pull)
conflicts on merge         : impossible (linear history ; FF only)

⇒ The merge would be a pure fast-forward of main from 4367c83 to 32cfa93. No actual merge commit, no conflict resolution.

2.2 Authorization status

M2 closeout ruling           : "merge/push/tag unless M4 explicitly approves"
                                — i.e., M4 has the authority to merge IF
                                explicit approval is encoded in the prompt.
M4 prompt language           : "Merge to main only if explicitly safe and
                                already allowed by the package; otherwise
                                produce merge-ready package."
explicit "merge to main"     : NOT present in prompt
fallback per prompt          : "produce merge-ready package"
decision                     : produce merge-ready package ; do NOT auto-merge.
                                Leave main at 4367c83. The fast-forward is
                                trivial and can be performed by GPT/User in
                                one command after explicit approval.

2.3 Merge command (READY — do not execute without explicit approval)

# at /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
git checkout main
git merge --ff-only feature/constitution-snapshot-mark-dryrun
# main now at 32cfa93
git checkout feature/constitution-snapshot-mark-dryrun

After this:

main = 32cfa93 (was 4367c83)
feature/... = 32cfa93 (unchanged)
working tree clean
no push (no remote configured — push is impossible by construction)
no tag (the prompt forbids tag without explicit approval)

2.4 Rollback / reset notes

If, after the merge, anything is found defective:

# Hard reset main to baseline (LOCAL ONLY — no remote to force-push to)
git checkout main
git reset --hard 4367c83
# feature/... still has all the work

This works because no remote exists ; the reset is a local pointer move. The feature branch and all its commits remain intact, so no work is lost.

If a single commit needs to be backed out instead :

# Revert one commit (creates a new commit that inverts the diff)
git revert <sha>

Either path is safe : no remote → no force-push consequences ; no deploy → no production state to undo.

3. Sidecar artifacts — re-stage instructions (for future re-execution)

Each sidecar is content-addressed by its KB-pinned sha (doc 2 §4). To re-stage them on a fresh contabo install:

# Stage cutter_agent to contabo (any version of this repo with commit 32cfa93)
ssh contabo 'mkdir -p /tmp/iu-cutter-v05-stage/cutter_agent'
scp cutter_agent/*.py contabo:/tmp/iu-cutter-v05-stage/cutter_agent/
ssh contabo 'shasum -a 256 /tmp/iu-cutter-v05-stage/cutter_agent/ledger_v2_canonical_verify.py'
# expected: 18ee4ca2ae28c3b21d76c3e1591b5a718123464f50b4e7f8d11e9a008b6dff97

The runners themselves (cutter_legB_runner.py, cutter_verify_runner.py) are recoverable from KB report doc 3 of their respective macros. The canonical CUT provider is on contabo /opt/incomex/dot/specs/ already.

4. Forbidden actions — confirmed NOT taken

git push                                : NOT TAKEN (no remote)
git tag                                 : NOT TAKEN
git reset --hard / branch -D / clean    : NOT TAKEN
hard delete of any file (incl. ledger.py): NOT TAKEN
deploy / restart                        : NOT TAKEN
production DB mutation                  : NOT TAKEN
lifecycle / source_document mutation    : NOT TAKEN
ledger_v2_*.py modification             : NOT TAKEN
silent drop of sidecar code             : NOT TAKEN (3 sidecars
                                          explicitly documented in doc 2 §4)
fabricated provenance                   : NOT TAKEN (every sha pinned to
                                          KB ; no value invented)

5. Disposition

G4 (feature branch commits)                       : PASS
  · 3 commits added (M0, M1, M2 macro split)      : ✓
  · all commits have KB-ratified ancestry         : ✓
  · tree clean ; HEAD = 32cfa93                   : ✓

G5 (release / merge package)                      : READY (withheld)
  · main FF merge command documented              : ✓
  · rollback / revert commands documented         : ✓
  · sidecar re-stage instructions documented      : ✓
  · push / tag NOT taken                          : ✓
  · auto-merge to main : NOT TAKEN — explicit approval needed
    in next ruling. Single command :
      git checkout main &&
      git merge --ff-only feature/constitution-snapshot-mark-dryrun &&
      git checkout feature/constitution-snapshot-mark-dryrun

production_mutation                               : NONE
next                                              : G6 final report (doc 6)

doc 5 of 6.