KB-4F1C

dot-iu-cutter v0.5 — First Constitution Snapshot MARK Dry-run Verification Plan (pre-exec checks + V-1..V-20 post-run; net-zero production by construction; not executed)

Revision 1

dot-iu-cutter v0.5 — First Constitution Snapshot MARK Dry-run · Verification Plan

Phase: v0_5_constitution_first_snapshot_MARK_dryrun_command_review · Nature: verification_design_only__no_execution · Date: 2026-05-18 · doc 3 of 5


1. Pre-execution checks (operator runs these BEFORE the command; all fail-closed)

P-1 repo/branch/HEAD : cd repo ; git rev-parse --abbrev-ref HEAD == feature/constitution-snapshot-mark-dryrun
                       ∧ git rev-parse HEAD == afb7bfcc9b7bbb953bb00159479c9611e6ac4bd1   (else STOP)
P-2 clean tree       : git status --porcelain EMPTY (else STOP — no stray artifacts/edits)
P-3 entrypoint sha   : shasum -a256 cutter_agent/dryrun.py == f1f42e83…2efa1422 ;
                       tests/test_dryrun_snapshot_mark.py == 454d9fc8…f2843a4a (else STOP)
P-4 no DB env        : PG_DSN / DATABASE_URL / DIRECTUS_URL / PGPASSWORD all UNSET
                       (code also self-guards: exit 2 REFUSED if any set — defense in depth)
P-5 snapshot rehash  : recompute BEGIN/END region sha of the --snapshot-artifact file ==
                       17660443…cae80c ∧ len 17522 ∧ markers {enacted:19,controlled_draft:1,
                       draft:1,obsolete:1}  (the code re-asserts this and ABORTS on mismatch)
P-6 out-dir          : "$WD/manifest" ABSENT or EMPTY before run; $WD is fresh mktemp -d,
                       mode 0700, OUTSIDE the git repo (so the tree stays clean)
P-7 unit CI (optional, authorized): python3 -m unittest tests.test_dryrun_snapshot_mark
                       → 21/21 OK (already green this phase; re-run is read-only, no DB)
P-8 command shape    : the command contains --no-db-write --no-cut --no-verify, mode
                       mark-manifest-only, scope enacted_only, and NONE of the 5 unsupported
                       flags (--identity-region/--exclude-markers/--address-template/
                       --leaf-floor/--emit-levels)
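
A fail-closed gate for the checks above that need no repository state (P-4, P-6, P-8), as an added example that is not the project's own code. The `--mode` and `--scope` flag names and the module invocation in the sample command are assumptions; the page gives only the mode and scope values.

```python
import shlex
import stat
from pathlib import Path

DB_ENV = ("PG_DSN", "DATABASE_URL", "DIRECTUS_URL", "PGPASSWORD")
REQUIRED_FLAGS = ("--no-db-write", "--no-cut", "--no-verify")
UNSUPPORTED = ("--identity-region", "--exclude-markers", "--address-template",
               "--leaf-floor", "--emit-levels")
REQUIRED_VALUES = ("mark-manifest-only", "enacted_only")  # mode, scope

# Constructed command line. `--mode` and `--scope` are assumed flag names and
# the module invocation is assumed too; the page gives only the values.
SAMPLE_COMMAND = ("python3 -m cutter_agent.dryrun --mode mark-manifest-only "
                  "--scope enacted_only --no-db-write --no-cut --no-verify")


def preflight(command, env, workdir, repo):
    """Return the IDs of failed checks; anything but [] means STOP."""
    failed = []
    # P-4: a DB variable that is set at all, even to "", counts as set.
    if any(name in env for name in DB_ENV):
        failed.append("P-4")
    # P-6: $WD is a 0700 directory outside the repo; $WD/manifest absent/empty.
    wd, repo_dir = Path(workdir).resolve(), Path(repo).resolve()
    out = wd / "manifest"
    mode_ok = wd.is_dir() and stat.S_IMODE(wd.stat().st_mode) == 0o700
    outside = wd != repo_dir and repo_dir not in wd.parents
    out_ok = not out.exists() or (out.is_dir() and not any(out.iterdir()))
    if not (mode_ok and outside and out_ok):
        failed.append("P-6")
    # P-8: compare parsed tokens, so "--no-cutter" cannot pass as "--no-cut".
    tokens = shlex.split(command)
    names = {t.split("=", 1)[0] for t in tokens}
    values = {t.split("=", 1)[-1] for t in tokens}
    if (any(f not in names for f in REQUIRED_FLAGS)
            or any(f in names for f in UNSUPPORTED)
            or any(v not in values for v in REQUIRED_VALUES)):
        failed.append("P-8")
    return failed
```

Call it with `dict(os.environ)` as `env`; P-1, P-2, P-3 and P-5 still need the repository and the full digests and are not covered here.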

2. Expected result of an authorized run

exit_code:        0  (PASS).  2 ⇒ guard REFUSED (fix command/env, do NOT bypass).
                  3 ⇒ BLOCKED (FailClosed) — investigate; only dryrun_report.md present.
stdout:           JSON {status:"PASS", candidate_count, excluded_count, manifest_digest_sha256,
                  production_touched:false, db_write:"NONE"}
files (5, in $WD/manifest): manifest.json, review_evaluation.json, coverage_proof.json,
                  determinism_digest.md, dryrun_report.md

3. Post-run verification checklist (over the FROZEN region + emitted artifacts; fail-closed)

ID    Check                   Pass criterion
V-1   snapshot rehash         manifest_header.snapshot_region_sha256 == 17660443…cae80c; length == 17522
V-2   marker census           marker_census_observed == {enacted:19,controlled_draft:1,draft:1,obsolete:1}
V-3   no live fetch           run trace shows zero HTTP / live URL; input == the snapshot file only
V-4   version binding         every candidate+excluded provenance.source_document_version_id == icxconst-008a06… (100%)
V-5   levels emitted          review_evaluation.levels_present ⊇ {NGUYEN_TAC, KIEN_TRUC_SECTION, DIEU} (OD-G3)
V-6   enacted-only purity     every candidates[*].effective_status == enacted; zero candidate from 📋/📝/⛔
V-7   Điều 44 excluded        review_evaluation.dieu_44_excluded == true; Điều 44 in excluded[], reason controlled_draft_deferred, status_basis tier_2_explicit_row_marker
V-8   exclusions itemised     Điều 34 (draft) + ⛔ obsolete entries each an excluded[] row with reason; none silently dropped
V-9   coverage closes         coverage_proof.reconstruction_ok == true; candidate∪excluded∪noncontent == every region line
V-10  no overlap              review_evaluation.no_overlap == true (code FailCloses on any double-cut)
V-11  address uniqueness      review_evaluation.address_unique == true; every address ICX-CONST/<path>; status never in address
V-12  hierarchy               every level ∈ {NGUYEN_TAC,KIEN_TRUC_SECTION,DIEU}; no foreign level / orphan
V-13  count guardrail         candidate_count ∈ [55,78]; outside ⇒ investigate, no auto-pass
V-14  determinism             determinism_digest.md re_run_equal: true; digest stable on a manual second run
V-15  reconstruction          enacted ⊕ excluded ⊕ noncontent text == full snapshot region (no gap/overlap)
V-16  NO production mutation  by construction (import-isolated, no DB module). Optional defense-in-depth: any reachable production cut/governance/source table row-count Δ == 0
V-17  no CUT/VERIFY           zero fn_iu_create; zero CUT/VERIFY; no DOT-991/992; db_write == NONE
V-18  identity unchanged      production system_identifier (7611578671664259111) + source_document_version row byte-identical pre/post (trivially true — no DB access)
V-19  no side-channel         Directus / Qdrant / NoSQL / git untouched; git status --porcelain EMPTY post-run (artifacts in $WD only)
V-20  secret hygiene          no secret/password/.env content in any artifact uploaded to KB

verdict_rule:
  PASS    iff exit 0 ∧ V-1..V-20 all PASS
  FAIL    if a correctness check (V-4..V-15) fails while no mutation occurred
  BLOCKED if exit 3 (V-1/V-2 drift, or any fail-closed guard tripped)
  REFUSED if exit 2 (mode/flags/scope/DB-env guard) — correct the command, never bypass a guard
  CRITICAL (incident) if any V-16/V-17/V-18/V-19 fails — a dry-run MUST be net-zero by construction
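
An independent recheck of V-6, V-9, V-10, V-11 and V-13 over the emitted manifest, as an added example that is not the project's own code. It recomputes the properties instead of trusting the booleans in review_evaluation.json; the `lines` span field, the `noncontent` list layout and the sample address paths are assumptions, since the page does not give the manifest schema.

```python
STATUSES = ("enacted", "controlled_draft", "draft", "obsolete")


def post_run_failures(manifest, region_lines, count_range=(55, 78)):
    """Return failed check IDs among V-6, V-9, V-10, V-11, V-13, in order."""
    failed = set()
    cands = manifest["candidates"]
    # V-6: every candidate must be enacted.
    if any(c["effective_status"] != "enacted" for c in cands):
        failed.add("V-6")
    # V-9 / V-10: candidate, excluded and noncontent spans together must
    # tile lines 1..region_lines exactly once.
    spans = sorted(tuple(e["lines"])
                   for key in ("candidates", "excluded", "noncontent")
                   for e in manifest[key])
    next_line = 1
    for first, last in spans:
        if first < next_line:
            failed.add("V-10")      # a line is claimed twice
        elif first > next_line:
            failed.add("V-9")       # a line is claimed by nobody
        next_line = max(next_line, last + 1)
    if next_line != region_lines + 1:
        failed.add("V-9")           # tail uncovered, or span past the region
    # V-11: unique ICX-CONST/ addresses; no path segment is a status word
    # (one reading of "status never in address", assumed here).
    addrs = [c["address"] for c in cands]
    if (len(set(addrs)) != len(addrs)
            or any(not a.startswith("ICX-CONST/") for a in addrs)
            or any(seg in STATUSES for a in addrs for seg in a.split("/"))):
        failed.add("V-11")
    # V-13: count guardrail; outside the range is never auto-passed.
    if not count_range[0] <= len(cands) <= count_range[1]:
        failed.add("V-13")
    return sorted(failed, key=lambda check_id: int(check_id[2:]))


# Constructed 10-line sample; `lines` ([first, last], 1-based, inclusive)
# and the address paths are assumptions, not the project's schema.
SAMPLE = {
    "candidates": [
        {"lines": [2, 4], "effective_status": "enacted", "address": "ICX-CONST/a/1"},
        {"lines": [5, 7], "effective_status": "enacted", "address": "ICX-CONST/a/2"},
    ],
    "excluded": [{"lines": [8, 9], "effective_status": "controlled_draft"}],
    "noncontent": [{"lines": [1, 1]}, {"lines": [10, 10]}],
}
```

The default `count_range` is the page's V-13 guardrail; the small sample needs a narrower range such as `(2, 3)` to pass.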

4. Net-zero-production proof design

structural (strongest): cutter_agent/dryrun.py imports ONLY stdlib (argparse, hashlib, json, os,
  re, sys, pathlib) — asserted by TestNoDbImportIsolation. No db_adapter/psycopg/socket/requests
  importable ⇒ a production/Directus/vector write is IMPOSSIBLE by construction, not merely unused.
behavioural: --no-db-write/--no-cut/--no-verify mandatory; mode-guard rejects anything but
  mark-manifest-only; DB-credential env-guard exits 2. No network call anywhere in the code path.
artifact-only: writes exclusively to the local --out-dir; never a DB row; git tree EMPTY post-run.
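
One way a structural import-isolation assertion can be written, as an added example; it is not the project's TestNoDbImportIsolation, whose code is not shown on this page. The allow-list is the one stated above and both sample sources are constructed.

```python
import ast

# Allow-list taken from the page: the only modules dryrun.py may import.
ALLOWED = {"argparse", "hashlib", "json", "os", "re", "sys", "pathlib"}


def import_violations(source):
    """Return sorted findings for imports outside ALLOWED in `source`."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            # `import a.b as c` loads package `a`; check the top-level name.
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            # Relative imports (level > 0) pull in project code: never allowed.
            roots = ["<relative>"] if node.level else [node.module.split(".")[0]]
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "__import__"):
            # A dynamic import sidesteps the static list; always flag it.
            roots = ["<dynamic __import__>"]
        else:
            continue
        found.update(r for r in roots if r not in ALLOWED)
    return sorted(found)


# Constructed samples (not the project's dryrun.py).
CLEAN = "import argparse, hashlib, json, os, re, sys\nfrom pathlib import Path\n"
DIRTY = CLEAN + (
    "import os.path\n"
    "def late():\n"
    "    import psycopg\n"              # function-local import, still found
    "    from . import db_adapter\n"
    "    return __import__('socket')\n"
)
```

Because `ast.walk` visits every node, imports hidden inside functions are caught as well as top-level ones. The check covers imports only: `os` is on the allow-list and can itself start processes, so the behavioural guards and the post-run V-16..V-19 checks remain necessary.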

doc 3 of 5. Nothing executed. Self-advance PROHIBITED.
