dot-iu-cutter v0.5 — Final Bridge · Production CUT Command-Review Package

doc 4 of 6 · 2026-05-19 · command-review contract. Runnable production CUT command WITHHELD (GAP-B1). No execution. No mutation.

1. Pinned identity (CUT operates ONLY on this)

manifest file sha256 : 7d56f3ce… (84157 B)   manifest digest : 9d908a62…
candidate_count : 60 (NT15 · KT3 · DIEU42 ; Điều 44 EXCLUDED)
source_document_version_id : icxconst-008a06…   region sha256 : 17660443…
writer_digest (ratified) : d99a31d4a4be907c510ae15965e9f7bb3387e9e28676e9f32adf463828b1aa28
repo branch feature/constitution-snapshot-mark-dryrun · HEAD 152e7db
cutwrite.py sha256 31ce88dc… (byte-unchanged)

2. CUT contract (what the future gated runnable entrypoint MUST satisfy)

principal: cutter_exec (DOT-991) via approved .env secret (never logged).
composer: cutter_agent.cutprod (BUILT, 152e7db) = cutwrite.build_rows (pure,
  ratified) + prod_iu_adapter leg-A (BUILT, guards G1..G7, append-only
  allowlists) + leg-B governed-ledger writer (GAP-B1 — NOT built).
flags (mandatory, fail-closed): --mode production --fail-closed
  --exclude-dieu-44 --manifest --expect-manifest-file-sha 7d56f3ce…
  --expect-manifest-digest 9d908a62… --expect-candidate-count 60
  --snapshot-artifact --expect-region-sha 17660443…
  --source-version-id icxconst-008a06… --expect-writer-digest d99a31d4…
  --i-have-sovereign-production-write-approval <kb-doc-id>
prechecks: doc 5 PC-0..PC-8 ALL pass.
mutation (exact, ONE atomic txn, directus DB):
  leg A (BUILT): +60 public.information_unit +60 public.unit_version
    +60 anchor UPDATE(version_anchor_ref,content_anchor_ref ONLY)
  leg B (GAP-B1): +1 manifest_envelope +60 manifest_unit_block
    +1 decision_backlog_entry +1 decision_backlog_history +1 cut_change_set
    (content_hash=9d908a62…, NOT-NULL review_decision_id/rollback_key/state/
    risk_class/version/tool_revisions/…) +60 cut_change_set_affected_row
    +1 dot_pair_signature (DOT-991 executor; xref change_set_id ONLY).
  NO other UPDATE; NO DELETE/TRUNCATE/DDL; NO alias; NO source/version write;
  NO Directus app / vector / NoSQL.
idempotency: G-CUT-ONCE (pre-existing ICX-CONST or cut_change_set for
  9d908a62… ⇒ NO-OP). rollback: in-txn fault ⇒ atomic ABORT zero rows;
  post-commit ⇒ forward-compensation by cutter_verify/DOT-992 ONLY (doc 5 §4).
VERIFY: separate, cutter_verify/DOT-992, VW-1..VW-10 (doc 5 §3).

3. Runnable command — WITHHELD

why: a runnable `python -m cutter_agent.cutprod --mode production …` cannot be
  honestly emitted while GAP-B1 holds — leg B has no committed production-
  shaped row-builder, and a public-only CUT (leg A alone) would be an
  UNGOVERNED constitution mutation (no governed change-set / DOT-991 signature
  / decision_backlog history) — forbidden. cutprod --mode production already
  fail-closes (exit 3, GAP-B1) by construction. The CONTRACT (§2) is fully
  specified; the runnable command stays WITHHELD (no fabrication).
plan-only (NON-production, available NOW, no DB):
  python -m cutter_agent.cutprod --mode plan-only --fail-closed
    --exclude-dieu-44 --manifest <pinned> --snapshot-artifact <pinned>
    --expect-manifest-digest 9d908a62… --expect-manifest-file-sha 7d56f3ce…
    --expect-candidate-count 60 --expect-region-sha 17660443…
    --source-version-id icxconst-008a06… --expect-writer-digest d99a31d4…
  ⇒ PLAN_OK iu=60 uv=60 writer_digest=d99a31d4… leg_a_statements=180
    leg_b=GAP-B1(unavailable) production=REFUSED  (verified this phase).

4. Exact unblock — UB-1 / UB-2 (sovereign / gated; NOT Agent-fabricable)

UB-1 (build): a SEPARATELY-GATED authoring+command-review cycle for a
  production-shaped governed-ledger row-builder bound to the LIVE 24-col
  cutter_governance schema (cut_change_set incl. NOT-NULL review_decision_id/
  rollback_key/state/risk_class/version/tool_revisions/emitted_at; rich
  manifest_envelope/unit_block/dot_pair_signature/decision_backlog_*), incl.
  the governed REVIEW sub-row(s) the NOT-NULL review_decision_id requires.
  Prereq: locate/recover the v0.4 production-trial row-builder (it produced
  the 2026-05-17 +15 rows) OR author against the captured live schema with a
  scratch cutter_governance-mirror integration proof (no production). Then the
  cutprod leg-B seam is filled and the runnable command becomes authorable.
UB-2 (sovereign architectural ruling): rule that the FIRST controlled
  constitution CUT is decoupled — leg A (public birth) executes under
  cutter_exec in one txn; the governed change-set + DOT-991 signature +
  decision_backlog history are recorded via the ALREADY-PASSed v0.4
  production governed path as a separate, proven step (not re-implemented
  blind). This removes GAP-B1 from the critical path without fabrication.
both are GPT/User decisions. Also still required: GD-1 (doc 2 §5), U-W4b
  (scoped GRANT execution), C5 (sovereign production-write approval, §5).

5. GAP-C5 — sovereign production-write approval REQUEST

request: GPT/User issue (or decline) an explicit KB-persisted sovereign
  production-DB-write approval scoped to: manifest digest 9d908a62… / 60
  candidates / writer_digest d99a31d4… / target directus.public.information_
  unit+unit_version (+ governed ledger once UB-1/UB-2 resolved) / ONE atomic
  txn / append-only / principal cutter_exec / Điều 44 excluded / G-CUT-ONCE /
  forward-comp only. Its KB id becomes guard-G1's value. NOT self-issuable.

6. Status

production_cut_command_review: CONTRACT_READY · RUNNABLE_WITHHELD (GAP-B1)
exact_final_gates: GAP-B1 (UB-1|UB-2) · GD-1 · U-W4b · C5. production_mutation: NONE

doc 4 of 6. No production mutation. Self-advance PROHIBITED.