KB-8EFE
dot-iu-cutter v0.5 — First Constitution Snapshot CUT · Pre-execution Checks + VERIFY Plan (doc 3 of 5)
5 min read Revision 1
Tags: dot-iu-cutter, v0.5, first-snapshot-cut, prechecks, verify-plan, fail-closed, separation-of-duty, dieu44, 2026-05-19
doc 3 of 5 · review_design_only__no_execution · 2026-05-19
1. Pre-execution checks — fail-closed (required item 3)
All checks must PASS before ANY CUT-class command (dry-run 1a or, later, production 1b). Any failure ⇒ STOP, upload BLOCKED report, route GPT/User. Never patch code to pass a guard.
C-0 capability gate (controlling): a ratified snapshot-manifest→CUT entrypoint exists, committed, sha-pinned, CI-green. TODAY: FAILS ⇒ only the dry-run contract is reviewable; production CUT is BLOCKED here.
C-1 repo/branch/HEAD: branch feature/constitution-snapshot-mark-dryrun ∧ HEAD afb7bfcc9b7bbb953bb00159479c9611e6ac4bd1 (or the future CUT-entrypoint commit, once separately ratified); git status --porcelain EMPTY
C-2 MARK entrypoint identity: cutter_agent/dryrun.py sha256 == f1f42e83…2efa1422
C-3 input identity (PINNED): manifest digest == 9d908a62fcf01bb88e05a1af4335b960710006ddcfd21c811ca63efb33dd324f ∧ manifest_json file sha256 == 7d56f3ce…012179 ∧ candidate_count == 60 ∧ excluded_count == 4 ∧ source_document_version_id == icxconst-008a06…. The manifest is regenerated from the pinned deterministic command (re_run_equal:true) and re-digested; mismatch ⇒ ABORT (snapshot/manifest drift).
C-4 snapshot region rehash == 17660443…cae80c / 17522 / {enacted:19, controlled_draft:1, draft:1, obsolete:1} (re-assert the source identity behind the manifest)
C-5 Điều 44 exclusion present: manifest excluded[] contains Điều 44 (UOSL controlled_draft, tier_2_explicit_row_marker, reason controlled_draft_deferred); it is NOT in candidates[]
C-6 idempotency: no prior cut_change_set / IU rowset for this manifest digest exists (G-CUT-ONCE). A second CUT of the same digest must be a no-op, never duplicate rows.
C-7 credential/principal (production 1b only): cutter_exec principal + DOT-991 lane present, separation-of-duty enforced, post-connect SELECT current_user matches bound principal; cutter_ro never used. TODAY: credential cycle NOT built ⇒ FAILS for production.
C-8 DB-write authorization (production 1b only): explicit separate GPT/User production-write approval on record. TODAY: ABSENT ⇒ production CUT FAILS this gate.
C-9 out-dir (dry-run): $WD = mktemp -d, mode 0700, OUTSIDE the git repo; empty/new.
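The fail-closed shape of this gate, as an added example (not the project's cutter_agent code): each check returns its failures, every check runs, and the verdict is BLOCKED unless the failure list is empty. It covers C-3, C-5, C-6 and C-9 over an in-memory manifest; the Pins dataclass, pins_for, run_prechecks, the manifest field names (article, address, span_sha256, excluded[].article) and the canonical-JSON digest rule are assumptions, and the 60-candidate manifest is constructed for the demo.

```python
# Added example, not the project's own code: a fail-closed pre-execution gate
# in the shape of checks C-3, C-5, C-6 and C-9. Pins, run_prechecks, the
# manifest field names and the canonical-JSON digest rule are assumptions.
import hashlib
import json
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class Pins:
    """Values ratified out of band. The gate compares against them; it never updates them."""
    manifest_digest: str
    candidate_count: int
    excluded_count: int
    source_document_version_id: str

def manifest_digest(manifest: dict) -> str:
    """Digest over canonical JSON (sorted keys, no whitespace); assumed to be the
    'manifest digest' that C-3 keeps distinct from the manifest_json file sha256."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def pins_for(manifest: dict) -> Pins:
    """Derive pins from a manifest (demo only; real pins come from the ratified record)."""
    return Pins(manifest_digest(manifest), len(manifest["candidates"]),
                len(manifest["excluded"]), manifest["source_document_version_id"])

def check_input_identity(manifest: dict, pins: Pins) -> list[str]:
    """C-3: the regenerated manifest must re-digest to the pin; counts and source id must match."""
    fails = []
    if manifest_digest(manifest) != pins.manifest_digest:
        fails.append("C-3 manifest digest mismatch (snapshot/manifest drift)")
    if len(manifest["candidates"]) != pins.candidate_count:
        fails.append(f"C-3 candidate_count {len(manifest['candidates'])} != {pins.candidate_count}")
    if len(manifest["excluded"]) != pins.excluded_count:
        fails.append(f"C-3 excluded_count {len(manifest['excluded'])} != {pins.excluded_count}")
    if manifest["source_document_version_id"] != pins.source_document_version_id:
        fails.append("C-3 source_document_version_id mismatch")
    return fails

def check_exclusion(manifest: dict, article: str = "Điều 44") -> list[str]:
    """C-5: the deferred article is listed in excluded[] and absent from candidates[]."""
    fails = []
    if article not in {e["article"] for e in manifest["excluded"]}:
        fails.append(f"C-5 {article} missing from excluded[]")
    if any(c["article"] == article for c in manifest["candidates"]):
        fails.append(f"C-5 {article} present in candidates[]")
    return fails

def check_idempotency(prior_cut_digests: set[str], digest: str) -> list[str]:
    """C-6 (G-CUT-ONCE): no cut_change_set may already exist for this digest."""
    if digest in prior_cut_digests:
        return [f"C-6 cut_change_set already exists for digest {digest[:8]}…"]
    return []

def check_out_dir(wd: Path, repo_root: Path) -> list[str]:
    """C-9: out-dir is mode 0700, outside the git repo, and empty."""
    fails = []
    wd, repo_root = wd.resolve(), repo_root.resolve()
    if stat.S_IMODE(wd.stat().st_mode) != 0o700:
        fails.append(f"C-9 {wd} is not mode 0700")
    if wd == repo_root or repo_root in wd.parents:
        fails.append(f"C-9 {wd} is inside the git repo")
    if any(wd.iterdir()):
        fails.append(f"C-9 {wd} is not empty")
    return fails

def run_prechecks(manifest: dict, pins: Pins, prior_cut_digests: set[str],
                  wd: Path, repo_root: Path) -> dict:
    """Fail-closed: every check runs, every failure is recorded, and the verdict is
    BLOCKED unless the failure list is empty. Nothing is patched to make a check pass."""
    fails = (check_input_identity(manifest, pins) + check_exclusion(manifest)
             + check_idempotency(prior_cut_digests, pins.manifest_digest)
             + check_out_dir(wd, repo_root))
    return {"verdict": "PASS" if not fails else "BLOCKED", "failures": fails}

def constructed_manifest() -> dict:
    """Constructed sample input: 60 candidates, 4 excluded rows including Điều 44."""
    cands = [{"article": f"Điều {n}", "address": f"ICX-CONST/dieu-{n}",
              "span_sha256": hashlib.sha256(f"span {n}".encode()).hexdigest()}
             for n in range(1, 62) if n != 44]
    excl = [{"article": "Điều 44", "status": "controlled_draft", "reason": "controlled_draft_deferred"}]
    excl += [{"article": f"Điều {n}", "status": "draft", "reason": "example"} for n in (62, 63, 64)]
    return {"source_document_version_id": "icxconst-EXAMPLE", "candidates": cands, "excluded": excl}

def constructed_environment() -> tuple[Path, Path]:
    """Two fresh temp dirs: a 0700 out-dir ($WD) and a sibling standing in for the repo root."""
    return Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
```

Run it with `m = constructed_manifest(); wd, repo = constructed_environment(); run_prechecks(m, pins_for(m), set(), wd, repo)`; flipping one candidate's span_sha256, appending a Điều 44 candidate, or passing the pinned digest in prior_cut_digests each turns the verdict to BLOCKED with the offending check named, which is the report the gate would upload before routing to GPT/User. C-1, C-2, C-7 and C-8 follow the same pattern but need git, the entrypoint file and the credential lane, so they are not modelled here.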
2. VERIFY plan after CUT (required item 7)
VERIFY is a separate, separately-gated phase (cutter_verify principal / DOT-992 lane, separation of duty — never the executor). Designed here, not executed.
trigger: only after a production CUT reached state cut_applied with a cut_change_set row.
verify_principal: cutter_verify (≠ cutter_exec); lane DOT-992; phases.verify() requires status == S_CUT_APPLIED else GuardFailure; writes an append-only verify_result row (verifier_signature_id on verify_result, never back-filled onto cut_change_set — OD-6).
VR-1 row cardinality: exactly 60 IU rows created for this manifest digest (== candidate_count)
VR-2 no Điều 44 IU: zero IU rows whose source maps to Điều 44 or to the 3 excluded rows
VR-3 provenance binding: 100% of created IU rows carry source_document_version_id icxconst-008a06… and the pinned snapshot_region_sha256 / manifest digest 9d908a62…
VR-4 address integrity: every IU address == ICX-CONST/<path>, unique, and the status value is never encoded in the address
VR-5 content fidelity: each IU content/span hash == the manifest candidate's span_sha256
VR-6 coverage parity: created-IU set ≡ manifest candidates[] set (no extra, none missing)
VR-7 ledger chain: cut_change_set.manifest content_hash == pinned digest; executor signature valid on DOT-991; verify_result chained; decision_backlog_history transition consistent
VR-8 append-only: zero DELETE/TRUNCATE; only sanctioned write-once superseded_by_* stamps
VR-9 idempotency: a re-CUT of the same digest produced no new rows (G-CUT-ONCE held)
VR-10 determinism: IU rowset derivable byte-equivalently from the pinned manifest
verdict_rule:
VERIFIED_COMPLETE iff VR-1..VR-10 all PASS
VERIFY_FAILED_ESCALATED if any VR fails ⇒ STOP, escalate, forward-compensate (doc 4); never "fix to green", never silent row deletion.
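The VERIFY phase and its verdict rule, as an added example (not the project's phases.verify()): the gate refuses to run unless the cut is in S_CUT_APPLIED and the verifier is not the executor, every VR is evaluated (no short-circuit, so the escalation record is complete), and the verdict is VERIFIED_COMPLETE only when nothing failed. It models VR-1 to VR-6 and VR-9 over an in-memory IU rowset; the CutState dataclass, the row field names (address, source_article, status, source_document_version_id, manifest_digest, content_sha256) and the constructed manifest and rows are assumptions. VR-7, VR-8 and VR-10 need the ledger tables and are left out.

```python
# Added example, not the project's own code: the VR-1..VR-6 and VR-9 checks
# and the verdict rule of section 2, run over an in-memory IU rowset behind
# the S_CUT_APPLIED / separation-of-duty gate. Row field names, CutState and
# the constructed sample are assumptions.
import hashlib
from dataclasses import dataclass

S_CUT_APPLIED = "cut_applied"

class GuardFailure(Exception):
    """VERIFY invoked outside its gate: nothing is checked, nothing is written."""

@dataclass(frozen=True)
class CutState:
    status: str
    manifest_digest: str
    executor_principal: str
    rowsets_for_digest: int = 1  # VR-9: IU rowsets that exist for this digest after a re-CUT

def vr_checks(manifest: dict, rows: list[dict], cut: CutState) -> dict[str, bool]:
    """One PASS/FAIL per VR. All are evaluated; none short-circuits, so the report is complete."""
    cands = {c["address"]: c for c in manifest["candidates"]}
    excluded = {e["article"] for e in manifest["excluded"]}
    addrs = [r["address"] for r in rows]
    return {
        "VR-1": len(rows) == len(cands),
        "VR-2": not any(r["source_article"] in excluded for r in rows),
        "VR-3": all(r["source_document_version_id"] == manifest["source_document_version_id"]
                    and r["manifest_digest"] == cut.manifest_digest for r in rows),
        "VR-4": len(set(addrs)) == len(addrs) and all(
            r["address"].startswith("ICX-CONST/") and r["status"] not in r["address"] for r in rows),
        "VR-5": all(r["address"] in cands and r["content_sha256"] == cands[r["address"]]["span_sha256"]
                    for r in rows),
        "VR-6": set(addrs) == set(cands),
        "VR-9": cut.rowsets_for_digest == 1,
    }

def verify(manifest: dict, rows: list[dict], cut: CutState,
           verify_principal: str = "cutter_verify") -> dict:
    """phases.verify(): gated on S_CUT_APPLIED and on verifier != executor; returns the
    append-only verify_result record with the verdict rule applied. Rows are never mutated."""
    if cut.status != S_CUT_APPLIED:
        raise GuardFailure(f"verify requires {S_CUT_APPLIED}, cut is {cut.status}")
    if verify_principal == cut.executor_principal:
        raise GuardFailure("separation of duty: verifier must not be the executor")
    checks = vr_checks(manifest, rows, cut)
    failed = sorted(k for k, ok in checks.items() if not ok)
    return {"manifest_digest": cut.manifest_digest, "verifier": verify_principal,
            "checks": checks, "failed": failed,
            "verdict": "VERIFIED_COMPLETE" if not failed else "VERIFY_FAILED_ESCALATED"}

def constructed_inputs():
    """Constructed sample: a 60-candidate manifest, a faithful IU rowset and a cut_applied state."""
    cands = [{"article": f"Điều {n}", "address": f"ICX-CONST/dieu-{n}",
              "span_sha256": hashlib.sha256(f"span {n}".encode()).hexdigest()}
             for n in range(1, 62) if n != 44]
    manifest = {"source_document_version_id": "icxconst-EXAMPLE", "candidates": cands,
                "excluded": [{"article": f"Điều {n}"} for n in (44, 62, 63, 64)]}
    rows = [{"address": c["address"], "source_article": c["article"], "status": "enacted",
             "source_document_version_id": "icxconst-EXAMPLE", "manifest_digest": "EXAMPLE-DIGEST",
             "content_sha256": c["span_sha256"]} for c in cands]
    return manifest, rows, CutState(S_CUT_APPLIED, "EXAMPLE-DIGEST", "cutter_exec")
```

`m, rows, cut = constructed_inputs(); verify(m, rows, cut)` returns VERIFIED_COMPLETE; a leaked Điều 44 row fails VR-1, VR-2, VR-5 and VR-6 together and the record lists all four, which is the escalation input for doc 4 rather than anything to be repaired in place. Calling verify() on a cut that is not cut_applied, or with the executor's own principal, raises GuardFailure before any check runs.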
doc 3 of 5. Nothing executed. Self-advance PROHIBITED.