KB-5A2D

dot-iu-cutter v0.5 — First Constitution Snapshot MARK Dry-run Command Readiness (repo/branch/HEAD afb7bfc verified; tree clean; 21/21 PASS; fixture region 17660443 EXACT; no DB; no execution)

8 min read Revision 1

dot-iu-cutterv0.5first-snapshot-mark-dryruncommand-readinessafb7bfc21-21-passno-executionroute-gpt-userdieu442026-05-18

dot-iu-cutter v0.5 — First Constitution Snapshot MARK Dry-run · Command Readiness

Phase: v0_5_constitution_first_snapshot_MARK_dryrun_command_review · Nature: command_review_only__no_execution · Date: 2026-05-18 · doc 1 of 5
readiness_status: READY_FOR_GPT_USER_EXECUTION_APPROVAL (no blocker; R9 gap is CLOSED — entrypoint is committed)
decision_authority: GPT / User ONLY ; self_advance: PROHIBITED ; nothing executed

1. Repo / branch / HEAD (live, read-only)

repo_path:        /Users/nmhuyen/iu-cutter-build/repo/iu-cutter   ✓ exists, is git work tree
branch:           feature/constitution-snapshot-mark-dryrun        ✓ (== expected)
HEAD:             afb7bfcc9b7bbb953bb00159479c9611e6ac4bd1         ✓ (== committed entrypoint commit, QG1)
main:             4367c83… (untouched; not merged)
working_tree:     CLEAN — git status --porcelain EMPTY (before AND after readiness checks)
remote:           none (local-only; no push/deploy needed)

2. Entrypoint integrity (committed code = SSOT for the command)

cutter_agent/dryrun.py : f1f42e83ca23ba0b328f79cf04a8391ac699d1b307eb1b22b52c305f2efa1422 (committed, unchanged)
tests/test_dryrun_snapshot_mark.py : 454d9fc84e940fdcf9da10bf29d12c5c420e21b1147ccc8da6a29a81f2843a4a (ratified, unchanged)
fixture (both committed copies) : file sha 5c76eedd…  ·  region sha 17660443…  · len 17522 · markers {19,1,1,1}
unit_test_rerun (this phase, authorized, no DB): python3 -m unittest tests.test_dryrun_snapshot_mark → 21/21 OK

The committed module is import-isolated stdlib-only (docstring + TestNoDbImportIsolation): it cannot open a DB connection, CUT, VERIFY, call fn_iu_create, or write Directus/vector — output is artifact files only. This makes the R9 "missing safe entrypoint" gap (planning doc 3) CLOSED.

3. Authoritative CLI surface (from committed `dryrun.py:444-459`)

required:        --mode  --source-version-id  --snapshot-artifact  --expect-region-sha
                 --expect-length(int)  --expect-markers  --out-dir
store_true:      --no-db-write  --no-cut  --no-verify  --fail-closed
defaulted:       --grammar-profile(=incomex-architecture-constitution-v4)
                 --parser-refimpl(=nuxt-incomex-portal-constitution-v1.refimpl.r1)
                 --scope(=enacted_only)  --docprefix(=ICX-CONST)  --emit(="")
guards (exit 2 REFUSED): mode!=mark-manifest-only ; missing any of --no-db-write/--no-cut/--no-verify ;
                 scope!=enacted_only ; any of PG_DSN/DATABASE_URL/DIRECTUS_URL/PGPASSWORD set in env
NOT ACCEPTED (argparse will error/exit-2 if passed — present in OLD design pseudo only):
  --identity-region  --exclude-markers  --address-template  --leaf-floor  --emit-levels
note: --emit is ACCEPTED but IGNORED; the 5 output files are ALWAYS written with fixed names.
      OD-G3 is RESOLVED IN CODE (docstring l.25): emits NGUYEN_TAC + KIEN_TRUC_SECTION + DIEU; DIEU = floor.

4. Source identity (KB SSOT — production-seeded, CLOSED_PASS)

source_document_ref:          incomex-constitution
source_document_version_id:   icxconst-008a06ace23a96ea6cd456146e805c97   (live, B5 CLOSED)
content_checksum:             17660443e0f23e994e1807cf8e22920951a9e70c598956dbd0e752f4f5cae80c
length:                       17522
markers:                      enacted 19, controlled_draft 1, draft 1, obsolete 1
scope:                        enacted_only   ·  excluded: Điều 44 (controlled_draft, tier_2)
parser_refimpl:               nuxt-incomex-portal-constitution-v1.refimpl.r1 (RATIFIED)
grammar_profile:              incomex-architecture-constitution-v4 (active, 4-marker map LIVE)

5. Snapshot-artifact INPUT decision (flagged micro-item → GPT, not self-decided)

fact: committed dryrun.py reads a LOCAL filesystem path: Path(--snapshot-artifact).read_text().
fact: there is NO local `knowledge/` directory — the KB path
  knowledge/dev/laws/dieu44-trien-khai/snapshots/constitution/constitution-normalized-17660443e0f23e99.md
  is MCP-only, NOT a local file. Passing it would raise FileNotFoundError (uncaught) — not runnable.
binding_identity: the snapshot_gate REHASHES the BEGIN/END region BEFORE parse and ABORTS unless
  region_sha256==17660443… AND length==17522 AND markers=={enacted:19,controlled_draft:1,draft:1,
  obsolete:1}. Identity is bound by the sha gate, NOT by the path string.
readiness_recompute (read-only, this phase; NOT the dryrun entrypoint):
  tests/fixtures/constitution-normalized-17660443e0f23e99.md → region_sha 17660443… len 17522
  markers {enacted:19,controlled_draft:1,draft:1,obsolete:1}  → EXACT match to pinned canonical.
options_for_GPT (snapshot_artifact_path provenance string):
  OPT-P1 (recommended): pass the committed byte-faithful local fixture path
     tests/fixtures/constitution-normalized-17660443e0f23e99.md ; provenance records that path;
     cryptographic identity to the KB-pinned artifact is the region sha 17660443… (gate-enforced).
     Zero risk, runnable now, no new files.
  OPT-P2: stage a local copy mirroring the KB relative path so the provenance string equals the
     manifest-contract value — adds an untracked dir; unnecessary (sha already binds identity).
  OPT-P3: code post-processing to overwrite provenance path after gate — code change, OUT OF SCOPE.
recommendation: OPT-P1. Not self-decided.

6. Out-dir decision

fact: dryrun.py writes 5 artifact files to a LOCAL --out-dir; the KB folder
  knowledge/dev/laws/dieu44-trien-khai/v0.5-constitution-first-snapshot-mark-dryrun-output/
  is MCP-only (not a local FS path) and MUST NOT be the literal --out-dir.
plan: --out-dir = ephemeral local scratch OUTSIDE the git repo (e.g.
  /tmp/icx-const-first-dryrun.<rand>/manifest , mode 0700, never git-added); the 5 produced
  artifacts are then UPLOADED to the KB output folder by the operator in the authorized run,
  and the scratch shredded at teardown. Keeps the git tree clean (no untracked artifacts).

7. Readiness verdict

R1 source_document (incomex-constitution, ICX-CONST)            : READY (B5 CLOSED)
R2 source_document_version icxconst-008a06… snapshot-bound       : READY (B5 CLOSED)
R3 snapshot region rehash 17660443…/17522/19·1·1·1               : READY (recomputed EXACT this phase)
R4 grammar profile incomex-architecture-constitution-v4          : READY (active)
R5 status-marker 4-map LIVE                                       : READY
R6 scope enacted_only                                             : READY
R7 Điều 44 excluded (controlled_draft, tier_2)                    : READY (enforced in code parse_dieu)
R8 parser refimpl.r1 ratified                                     : READY
R9 safe no-DB snapshot→manifest entrypoint EXISTS                 : CLOSED — committed afb7bfc, 21/21 PASS
no_DB_env / clean_tree / local-from-feature-branch (no deploy)    : CONFIRMED
overall: READY for GPT/User dry-run EXECUTION approval (command in doc 2; verify doc 3; risk doc 4)

Nothing executed (no cutter_agent.dryrun run, no parse, no DB, no network). doc 1 of 5. Self-advance PROHIBITED.