KB-62B1

dot-iu-cutter v0.5 — S2 CUT-plan Entrypoint Implementation Report (code+tests written, targeted suite 15/15 GREEN; NOT committed — pre-existing baseline security-test failure escalated; STOP → GPT/User)

Revision 1

dot-iu-cutter v0.5 — S2 CUT-plan Entrypoint Implementation Report

Phase: v0_5_constitution_cut_plan_entrypoint_S2_implementation
Date: 2026-05-19
Nature: code_authoring + local CI; NOT committed (escalated)

code_written: true ; targeted_suite: 15/15 GREEN ; committed: NO (gate ambiguity escalated)
production_touched: false ; db/iu/directus/vector writes: NONE ; no production manifest run
self_advance: PROHIBITED

1. Files changed

new_untracked (2; zero existing tracked files modified — `git diff --stat` empty):
  cutter_agent/cutplan.py
    sha256: 548eabc5530260555ff448ce6f3acded9728fe51c4ae61de658e9a97c4d828f1
  tests/test_cutplan_snapshot.py
    sha256: 06e871e73496089f5a88f072fb0a1e4f5d4ac720e1cb73bd737bc12d699a578a
repo_state: branch feature/constitution-snapshot-mark-dryrun unchanged;
  HEAD afb7bfcc9b7bbb953bb00159479c9611e6ac4bd1 UNCHANGED (no commit, no merge/push/tag);
  no artifacts written inside the repo (entrypoint out-dir is /tmp scratch only).

2. Implementation — matches the accepted S1 contract

entrypoint: python3 -m cutter_agent.cutplan --mode cut-plan-only ...
import_isolation: stdlib-only (argparse, hashlib, json, os, sys, pathlib, __future__);
  does NOT import cutter_agent.db_adapter/phases/ledger/signal/canonicalization/idempotency;
  asserted by tests/test_cutplan_snapshot.py::TestNoDbImportIsolation (AST scan, same
  discipline as the ratified MARK dryrun.py). No v0.4 production-skeleton reuse.
artifact_only_by_construction: requires --no-db-write --no-cut --no-verify --exclude-dieu-44
  (each missing => exit 2 REFUSED); only mode cut-plan-only; only scope enacted_only;
  DB env vars (PG_DSN/DATABASE_URL/DIRECTUS_URL/the libpq password var/PGHOST/PGUSER) =>
  exit 2 REFUSED. Unknown/production flags rejected by argparse.
validation (fail-closed, exit 3 BLOCKED, only dryrun_report.md on block):
  manifest file sha == --expect-manifest-file-sha; recomputed manifest digest (same
  algorithm as dryrun.build_manifest) == --expect-manifest-digest AND == the manifest's
  self-declared header digest; candidate_count == --expect-candidate-count; header
  source_document_version_id / docprefix / scope_policy match; per-candidate provenance
  source_version match; reconstruction_ok re-asserted; Điều 44 never a candidate;
  no duplicate IU address (candidates ∪ excluded); no candidate span overlap; idempotency
  keys distinct; deterministic rebuild (cut_plan digest equal twice).
artifacts (exactly the 5 fixed S1 names): cut_plan.json, write_set_preview.jsonl,
  iu_mapping_preview.json, idempotency_keys_preview.json, dryrun_report.md. The would-be
  governed rows (manifest_envelope/manifest_unit_block/cut_change_set) are emitted as
  PREVIEW rows only ("preview": true, "persisted": false) — nothing inserted.
idempotency: OD-1 deterministic sha256 over canonical JSON of
  (source_document_version_id, canonical_address, content_hash); human/scenario labels
  intentionally excluded.
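
One way to write the AST import-isolation check described under import_isolation, as an added example (not the project's TestNoDbImportIsolation and not code from the repository). The forbidden module names and the stdlib list are taken from the report; the function names, the fail-closed treatment of `__import__`, and both sample sources are assumptions constructed here.

```python
import ast

# Forbidden module names and the stdlib list come from the report; the rest is constructed.
PACKAGE = "cutter_agent"
FORBIDDEN = {f"{PACKAGE}.{m}" for m in (
    "db_adapter", "phases", "ledger", "signal", "canonicalization", "idempotency")}
STDLIB_ALLOWLIST = {"argparse", "hashlib", "json", "os", "sys", "pathlib", "__future__"}


def imported_modules(source):
    """Collect every module the source can import, including function-level imports."""
    found = set()
    for node in ast.walk(ast.parse(source)):  # walk() also visits nested scopes
        if isinstance(node, ast.Import):
            found.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            base = node.module or ""
            if node.level:  # relative import: assumed to resolve inside PACKAGE
                base = f"{PACKAGE}.{base}" if base else PACKAGE
            found.add(base)
            # `from cutter_agent import db_adapter` reaches a submodule via the alias
            found.update(f"{base}.{alias.name}" for alias in node.names)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "__import__"):
            found.add("<dynamic __import__>")  # not resolvable statically: fail closed
    return found


def isolation_violations(source):
    """Return the sorted imports that break the stdlib-only, no-DB-module rule."""
    bad = set()
    for mod in imported_modules(source):
        forbidden = any(mod == f or mod.startswith(f + ".") for f in FORBIDDEN)
        if forbidden or mod.split(".")[0] not in STDLIB_ALLOWLIST:
            bad.add(mod)
    return sorted(bad)


# Constructed sample sources (not the project's files).
CLEAN = "from __future__ import annotations\nimport argparse, hashlib, json, os, sys\n"
LEAKY = '''import json
def run():
    from cutter_agent import db_adapter  # lazy import inside a function
    from . import ledger
    return __import__("psycopg2")
'''

if __name__ == "__main__":
    print(isolation_violations(CLEAN), isolation_violations(LEAKY))
```

A top-level-only scan would miss the imports inside `run()`; walking the whole tree is what makes the isolation claim hold for lazy imports as well.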

3. Tests run and results

Exact command (no DB env):

env -u PG_DSN -u DATABASE_URL -u DIRECTUS_URL -u <libpq-pw-var> -u PGHOST -u PGUSER \
  python3 -m unittest tests.test_cutplan_snapshot
# also: python3 -m py_compile cutter_agent/cutplan.py tests/test_cutplan_snapshot.py  -> OK

targeted_cutplan_suite (the S1 gate of record, mirroring how the MARK gate was
  tests.test_dryrun_snapshot_mark): Ran 15 tests -> OK  (15/15 GREEN)
coverage of the 10 S1-required test cases — all PASS:
  happy path (REAL pinned manifest, built in-process from the byte-exact local snapshot
    fixture via cutter_agent.dryrun) reproduces the ACCEPTED identity exactly:
    manifest_digest 9d908a62…dd324f, manifest_file_sha 7d56f3ce…012179, candidate_count 60,
    dieu_44_excluded true, reconstruction_ok true, 60 distinct idempotency keys, 5 artifacts;
  digest mismatch -> BLOCKED(3); manifest-file-sha mismatch -> BLOCKED(3);
  candidate_count mismatch -> BLOCKED(3); source_version mismatch -> BLOCKED(3);
  duplicate IU address -> BLOCKED(3); Điều 44 in candidates -> BLOCKED(3);
  missing --no-db-write / --no-cut / --no-verify / --exclude-dieu-44 / wrong mode ->
    REFUSED(2); deterministic rerun equality (cut_plan digest stable); fixed-name artifact
    contract; no-DB/credential import path (AST isolation).
determinism: cut_plan_digest_sha256 = edcae74f815fdb6dbc025c32d627de823f095489a3ba4a813eb513f05198ef6c
  stable across reruns.

4. Pre-existing baseline failure (full-discover suite) — NOT an S2 regression

observation: `python3 -m unittest discover -s tests` = 128 tests, 1 FAILURE:
  test_security_boundaries.TestNoSecretPrinted.test_source_has_no_hardcoded_dsn_or_secret
root_cause: that test asserts NO non-test *.py contains the literal libpq-password env-var
  token. The RATIFIED, already-committed MARK entrypoint cutter_agent/dryrun.py (line 474)
  ALREADY contains that token in its DB-env refusal guard. Proven: with my 2 new files
  moved aside (pure baseline afb7bfc), the same test still FAILS (12 tests, 1 failure,
  identical assertion pointing at dryrun.py).
conclusion: this failure EXISTS AT THE RATIFIED BASELINE and is unrelated to S2. The MARK
  entrypoint was ratified/committed (afb7bfc) with this latent full-suite failure; the MARK
  CI gate of record was the targeted module suite (tests.test_dryrun_snapshot_mark, 21/21),
  not full-discover. cutplan.py mirrors the SAME ratified guard pattern (an env-var NAME the
  code refuses to read — not a hardcoded secret); it therefore also trips the same
  over-broad heuristic, but introduces no new defect class.
NOT done (by discipline): did NOT edit the ratified dryrun.py (out of S2 scope); did NOT
  weaken/skip the security test (no fix-to-green); did NOT obfuscate cutplan.py to dodge a
  lint. BLOCKED/honest-report is preferred over a green-washed tree.
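
The distinction drawn in the conclusion above (an env-var NAME the code refuses to read versus a hardcoded secret) can be checked on the AST instead of by substring match. This is an added example, not the project's test_security_boundaries or dryrun.py; it assumes the refusal guard is a membership test over a tuple of names, and uses PGPASSWORD, libpq's password variable, in constructed samples.

```python
import ast
import re

# Constructed illustration (Python 3.9+); not the project's test or guard code.
PASSWORD_VAR = "PGPASSWORD"  # libpq's password environment variable
# URL-style DSN with inline credentials, or a key=value DSN carrying password=...
CREDENTIAL_RE = re.compile(r"\w+://[^\s/:@]+:[^\s@]+@|\bpassword\s*=\s*\S+", re.I)


def _is_environ(node):
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and getattr(node.value, "id", None) == "os")


def _const_str(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def findings(source):
    """Return sorted (lineno, reason): credential literals and reads of PASSWORD_VAR."""
    out = []
    for node in ast.walk(ast.parse(source)):
        text = _const_str(node)
        if text and CREDENTIAL_RE.search(text):
            out.append((node.lineno, "credential literal"))
        key = None
        if isinstance(node, ast.Subscript) and _is_environ(node.value):
            key = node.slice                      # os.environ["NAME"]
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.args:
            f = node.func                         # os.getenv(NAME) / os.environ.get(NAME)
            if (f.attr == "getenv" and getattr(f.value, "id", None) == "os") or (
                    f.attr == "get" and _is_environ(f.value)):
                key = node.args[0]
        if _const_str(key) == PASSWORD_VAR:
            out.append((node.lineno, "password env read"))
    return sorted(out)


# Constructed samples: a refusal guard that only names the variables, then a leaky module.
GUARD_SRC = '''REFUSED = ("PG_DSN", "DATABASE_URL", "DIRECTUS_URL", "PGPASSWORD", "PGHOST", "PGUSER")
if any(name in os.environ for name in REFUSED): sys.exit(2)
'''
LEAKY_SRC = '''DSN = "postgresql://app:s3cr3t@db.example.invalid/iu"
pw = os.environ["PGPASSWORD"]
pw2 = os.getenv("PGPASSWORD")
'''

if __name__ == "__main__":
    print(findings(GUARD_SRC), findings(LEAKY_SRC))
```

The guard sample produces no findings because the name only appears in a tuple used for a membership test, while a value read or an inline credential is still reported with its line number.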

5. Commit decision — NOT committed; escalated

decision: DO NOT COMMIT this cycle. STOP and route to GPT/User.
why: S1 doc-4 gate_before_commit names BOTH the targeted suite (GREEN 15/15) AND "the full
  unittest suite green". The full suite is NOT green solely due to the pre-existing,
  out-of-S2-scope baseline defect in the ratified dryrun.py vs an over-broad security test.
  Resolving it requires touching ratified code and/or a security test — outside S2's
  authorization — so a GPT/User ruling is required. Committing now would either (a) commit a
  tree with a known full-suite RED, or (b) require fix-to-green on ratified/out-of-scope
  artifacts. Both violate the discipline; escalation is the correct action.
options_for_GPT_User_ruling:
  R1 ratify the targeted-suite gate (consistent with the MARK afb7bfc precedent) and approve
     the S2 commit of the 2 new files as-is; track the security-test/dryrun.py heuristic
     defect as a SEPARATE pre-existing remediation item.
  R2 authorize a minimal, separately-scoped fix to the security test (exclude env-var-name
     guard tuples) and/or dryrun.py, then re-run full CI and commit.
  R3 other direction per GPT.

6. Required confirmations

no_DB_write: CONFIRMED — db_write NONE; entrypoint import-isolated, no DB module reachable.
no_IU_write: CONFIRMED — IU rows are PREVIEW-only artifacts, never inserted.
no_Directus_write / no_vector_write: CONFIRMED — none; no such module imported.
no_production_touched: CONFIRMED — production_touched false; cli/phases/db_adapter untouched.
no_production_manifest_execution: CONFIRMED — the entrypoint was exercised ONLY through
  unit tests/fixtures: synthetic minimal manifests + the REAL manifest rebuilt in-process
  from the byte-exact LOCAL snapshot fixture (a no-DB test fixture). No accepted/production
  manifest file was fed outside tests; no network; no credentials used.
no_push_merge_tag_deploy: CONFIRMED — none. HEAD afb7bfc unchanged.
separate_command_review_ready_for_first_cut_plan_dryrun_execution:
  NO — NOT YET. It becomes appropriate only AFTER GPT/User rules on §5 and the S2 commit
  lands. Then a separate execution command-review (mirroring the MARK first-dry-run gate)
  would be authored. Do not self-advance.

7. Disposition

result: S2_CODE_AND_TESTS_AUTHORED__TARGETED_SUITE_GREEN__NOT_COMMITTED__ESCALATED
kb_report: knowledge/dev/laws/dieu44-trien-khai/v0.5-constitution-cut-plan-entrypoint-s2-implementation/
next_action: STOP. Route to GPT/User for the §5 commit-gate ruling. No commit, no execution,
  no self-advance until ruled.

Nothing committed. Nothing executed against production. Self-advance PROHIBITED.
