dot-iu-cutter v0.5 — Cutwrite DB-Isolated Writer · Test Result

doc 2 of 5 · 2026-05-19 · local CI, no DB env, net-zero.

1. Suites (env -u PG_DSN/DATABASE_URL/DIRECTUS_URL/PGPASSWORD/PGHOST/PGUSER)

tests.test_cutwrite_snapshot   : Ran 22 tests … OK   (22/22 GREEN — W-3 gate of record)
tests.test_dryrun_snapshot_mark: Ran 21 tests … OK   (21/21 — MARK precedent intact)
tests.test_cutplan_snapshot    : Ran 15 tests … OK   (15/15 — S2 planner intact)
unittest discover -s tests     : Ran 150 tests … FAILED (failures=1)
py_compile cutwrite.py + test  : OK

2. The single discover failure = KNOWN PRE-EXISTING BASELINE (not a W-3 regression)

failing_test: tests/test_security_boundaries.py::TestNoSecretPrinted
  ::test_source_has_no_hardcoded_dsn_or_secret  (assertNotIn "PGPASSWORD" in non-test *.py)
classification: PRE-EXISTING at ratified baseline afb7bfc — the RATIFIED committed
  cutter_agent/dryrun.py:474 contains the DB-env REFUSAL guard tuple
  ("PG_DSN","DATABASE_URL","DIRECTUS_URL","PGPASSWORD"). Proven in prior phases by moving
  S2 files aside (pure afb7bfc still failed the identical test). cutwrite.py:DB_ENV_GUARD
  mirrors the SAME ratified guard idiom (an env-var NAME the code refuses to read — not a
  hardcoded secret) → trips the same over-broad heuristic; no new defect class.
discover count: 128 (pre-S2) → 150 (now) = +15 cutplan +21? No: +22 cutwrite tests
  added since the S2-committed baseline (128 was pre-cutplan-commit; cutplan added 15,
  cutwrite added 22; MARK 21 etc.). The failure count stays exactly 1, same test.
precedent: identical to the GPT-ratified R1 gate for MARK (afb7bfc) and S2 (d66a60d) —
  commit gate of record is the targeted module suite; the security-test heuristic remains
  a SEPARATE, already-tracked pre-existing remediation item.

3. Coverage of test_cutwrite_snapshot (22)

TestHappyPathRealManifest (4): builds the REAL pinned manifest in-process from the
  byte-exact fixture; identity (60 cands, digest 9d908a62…, file sha 7d56f3ce…);
  db-isolated dry-run PASS + 5-artifact contract + 60 IU/60 uv/60 anchors +
  levels NT15·KT3·DIEU42 + all law_unit + all top-level NULL parent + no DIEU-44 +
  provenance.span_sha256 == unit_version.content_hash; determinism (writer_digest equal).
TestBirthGateHarness (6): L1 rejects missing title / unit_kind∉vocab / missing
  publication_authority; UNIQUE(canonical_address) reject; L2 rejects missing anchor at
  commit (rollback ⇒ 0 rows); L2 anchor-pass commits (1,1).
TestRollbackAtomicity (1): one bad row ⇒ whole txn rolls back ⇒ 0 IU / 0 uv.
TestFailClosed (11): digest / file-sha / candidate-count / source-version / region-sha
  mismatch ⇒ exit 3; Điều-44-in-candidates ⇒ exit 3; body-span-hash-tamper ⇒ exit 3;
  wrong mode / missing --no-production / missing --exclude-dieu-44 / DB env set ⇒ exit 2.
TestNoDbImportIsolation (1): AST-only — top imports ⊆ stdlib∪{cutter_agent};
  the only cutter_agent submodule imported is `dryrun`; bans psycopg/psycopg2/socket/
  requests/sqlalchemy/db_adapter/phases/ledger/signal/signing.

doc 2 of 5. Net-zero local CI. No production mutation. Self-advance PROHIBITED.