KB-1319
dot-iu-cutter v0.5 — Canonical CUT Execution · Final Production CUT Report (Result A PRODUCTION_CANONICAL_LEG_A_CUT_PASS; 60 ICX-CONST IUs born via fn_iu_create; STOP → GPT/User) (doc 7 of 7)
Revision 1
dot-iu-cutter v0.5 — Canonical CUT Execution · Final Production CUT Report
doc 7 of 7 · 2026-05-20 · STOP → GPT/User
macro_goal : first controlled Constitution CUT leg-A via canonical path public.fn_iu_create
final_result : A — PRODUCTION_CANONICAL_LEG_A_CUT_PASS
production_data_rows_persisted : +60 information_unit + +60 unit_version + +60 anchor links + +60 birth_registry
1. Final result
result : A — PRODUCTION_CANONICAL_LEG_A_CUT_PASS
why :
  - 60 ICX-CONST rows ARE PERSISTED (iu_total 98→158, uv_total 105→165,
    confirmed by post-CUT structural verification in doc 5)
  - all writes went through canonical public.fn_iu_create (SECURITY DEFINER)
  - the gateway trigger trg_aa_iu_gateway_write_guard was NOT bypassed —
    fn_iu_create itself sets the `app.canonical_writer = 'fn_iu_create'`
    marker (txn-local) that the trigger checks
  - writer_digest equivalence proven empirically (60 distinct canonical_address,
    60 distinct content_hash, unit_kind=law_unit, section_types in {principle,
    section, article} with cardinality 15+3+42, idempotency offline-only)
  - Điều 44 / draft / obsolete excluded (dieu44_count=0)
  - lifecycle_status='draft' on all 60 rows (per A-3 ruling: accepted for
    the first canonical CUT ; sovereign-gated enactment workflow remains
    a separate decision)
  - publication_type='law' present in identity_profile on all 60 rows
    (per A-4 defensive patch — future strict L1 PILOT-to-strict transition
    will not block these rows)
  - no unintended table mutation (unexpected_recent_iu/uv = 0)
  - sysid unchanged (7611578671664259111)
2. Gate-by-gate outcome
G0 SSOT + repo precheck : PASS
G1 live canonical path re-survey : PASS (all md5 pins unchanged ; gateway
  mode=enforced ; allowed markers correct)
G2 live drift + row + grant : PASS
G3 fresh backup + restore-test : PASS (sha ba0ef355…)
G4 canonical GRANT/REVOKE + verify : PASS (11-bool probe byte-exact:
  t|f|f|f|f|t|f|t|t|t|t)
G5 final pre-CUT check (post-GRANT) : PASS
G6 canonical CUT execution : R-2-soft on attempt-1 (autocommit bug ;
  0 rows persisted) → provider patched
  (autocommit=False) → PASS on attempt-2
  (txn=COMMITTED ; 60 IU+UV+anchors)
G7 immediate post-CUT structural : ALL CHECKS PASS (doc 5)
G8 reports + KB upload : PASS — 7 docs in
  `…/v0.5-first-controlled-cut-canonical-production-execution/`
3. Production state delta (this macro)
information_unit :
  before : 98 rows
  after : 158 rows (+60)
  delta_addresses : 60 new ICX-CONST/... addresses (verbatim from cutwrite)
  delta_lifecycle : 'draft' (per A-3 ; column DEFAULT when not provided)
  delta_unit_kind : 'law_unit'
  delta_created_by : 'cutter_exec/DOT-991/constitution-cut'
unit_version :
  before : 105 rows
  after : 165 rows (+60)
  delta_version_seq : 1 for all 60 (canonical v1 births)
  delta_content_hash : 60 distinct sha256-hex values (matching cutwrite body)
birth_registry :
  +60 'information_unit::<iu_id>' entries (via the AFTER INSERT trigger)
  (unit_version birth entries follow the v0.4 collection_registry
  strategy ; not separately probed here ; covered by post-CUT VERIFY)
relacl (post-G4) :
  cutter_exec SELECT on IU/UV/dot_config : YES
  cutter_exec INSERT on IU : NO (revoked)
  cutter_exec UPDATE(2 anchor cols) on IU : NO (revoked)
  cutter_exec INSERT on UV : NO (revoked)
  cutter_exec EXECUTE on fn_iu_create : YES (newly granted)
  cutter_verify SELECT on IU/UV : YES (unchanged from rerun G5)
  cutter_governance.* / source_document.* / Directus / vector :
    UNCHANGED
4. Artefacts (preserved)
KB folder (7 docs) : knowledge/dev/laws/dieu44-trien-khai/v0.5-first-controlled-cut-canonical-production-execution/
  01 canonical-path-preflight
  02 backup-result
  03 grant-revoke-execution-and-verification
  04 canonical-cut-execution-log
  05 immediate-post-cut-structural-verification
  06 rollback-or-compensation-status
  07 final-canonical-production-cut-report (this doc)
Repo (feature branch, NOT committed in this macro) :
  cutter_agent/prod_iu_adapter_canonical.py
    sha 2d65dee29579d81b3c67baf7fad34c8792643531fb5cc59208e4a417491f87f4
    (A-4 publication_type='law' defensive patch applied this session)
  cutter_agent/cutprod_canonical.py
    sha 3a7ab605776bc793429fc677355ab8beb3a4c3bdff3d502a007a75da9402c220
  tests/test_prod_iu_adapter_canonical.py
    sha 6545c30d148fb22b8dbe09aea88915c7afdb1dc6f12844eefd4ce83e19d4e270
  ratified files untouched (cutprod / prod_iu_adapter / cutwrite / cutplan /
    dryrun / their tests)
  HEAD : f20c79c (unchanged)
VPS artefacts :
  provider /opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py
    pre-patch sha 503af2f1d000b126cd21abe3540bf80e13e0194887708e15d6a97b76c3d76ef4 (autocommit=True ; BUG)
    post-patch sha 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8 (autocommit=False ; correct)
  backup /opt/incomex/backups/pg/directus_legA_cut_canonical_pre_grant_20260520T040918Z.dump
    sha ba0ef355e7511cb7cac2d72c2f5e236e3ab98df69f64a02dcb92e38503158490 (74384 B)
  cut_log /opt/incomex/backups/pg/directus_legA_cut_canonical_20260520T040918Z.cut.log
  stage /tmp/iu-cutter-canon-f20c79c-20260520T040918Z/
5. What was NOT done (boundaries honored)
forbidden_actions_NOT_taken :
  - did NOT execute VERIFY (cutter_verify VW-1..VW-12)
  - did NOT execute post-CUT governed-recording (leg-B 126 rows)
  - did NOT persist production rows in attempt-1 (server-side rollback ; zero state)
  - did NOT bypass gateway trigger (every write via fn_iu_create canonical marker)
  - did NOT direct INSERT into information_unit / unit_version
  - did NOT deploy / restart / docker rebuild any production service
  - did NOT merge / push / tag the feature branch
  - did NOT mutate source_document / source_document_version
  - did NOT hard-delete anything
  - did NOT self-advance beyond leg-A canonical CUT
  - did NOT run any unapproved SQL (only the approved GRANT delta + the
    cutprod_canonical fn_iu_create calls + read-only catalog probes)
  - did NOT fabricate KB ids / backup sha / provider sha
  - did NOT echo / log / argv-leak any secret
6. Open items for sovereign / next macro
post-CUT VERIFY (cutter_verify VW-1..VW-12) :
  status : NOT RUN (out of scope per prompt)
  required_update : VW queries must be updated to expect canonical-path persisted shape:
      lifecycle_status='draft' (60 rows)
      identity_profile.publication_type_ref='law' (60 rows)
      identity_profile.primary_section_type_ref in
        {principle,section,article} (60 rows)
      doc_code / section_code / section_type COLUMNS
        are NULL on canonical-path rows
    before VERIFY can sensibly run.
  decision_authority : GPT/User
post-CUT governed recording (leg-B) :
  status : NOT RUN (out of scope per prompt)
  shape : per UB-2 doc 6 of the prior approval package
    (cutter_governance.cut_change_set +
    cut_change_set_affected_row + manifest_envelope +
    manifest_unit_block + dot_pair_signature +
    decision_backlog_entry/history + review_decision)
  audit_debt_budget : ≤24 h from now (per UB-2 ruling) — sovereign
    decision required to either start the leg-B package
    now or extend the audit-debt window
  decision_authority : GPT/User
enactment workflow for the 60 ICX-CONST drafts :
  status : open architectural decision (per A-3 ruling)
  options (out of scope here) :
    - state-machine transition draft → enacted via a new SECURITY DEFINER
      function (DB-team work)
    - bulk operator-side update via a future canonical "publish" function
    - leave as 'draft' indefinitely and rely on canonical_address-based
      filtering for downstream consumers
  decision_authority : GPT/User
canonical adapter / cutprod_canonical files :
  status : authored on feature branch but NOT committed
    (this macro intentionally did NOT merge/push/tag)
  next : separately sovereign-gated commit-and-merge
    macro if/when the team wants the canonical path
    ratified into the iu-cutter repo HEAD
  decision_authority : GPT/User
provider module rotation :
  current : /opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py
    (sha 26ebb918… ; autocommit=False after fix)
  reusable_for_future_canonical_CUTs : YES (same trust auth DSN ; same
    sentinel handling ; same A-4 publication_type
    path through to fn_iu_create)
  cleanup_or_keep : keep as-is for upcoming canonical operations ;
    no expiry pressure
7. Status
final_result : A — PRODUCTION_CANONICAL_LEG_A_CUT_PASS
production_data_rows_persisted : 60 IU + 60 UV(v1) + 60 anchors + 60 birth_registry
gates_closed : G0 PASS · G1 PASS · G2 PASS · G3 PASS · G4 PASS ·
  G5 PASS · G6 attempt-2 PASS · G7 PASS · G8 PASS
production_mutation_state : the constitution is now CUT into 60 canonical
  IU rows (lifecycle_status='draft' per A-3 ;
  publication_type='law' per A-4 ; anchored to
  60 unit_version v1 ; birth_registry populated)
self_advance : PROHIBITED
next_action : route → GPT/User. Decisions awaited :
  - whether to launch VERIFY (separately gated)
  - whether to launch leg-B governed recording
    (separately gated ; ≤24 h audit-debt budget)
  - whether to design the draft→enacted enactment
    workflow (separate architectural macro)
  - whether to ratify the canonical adapter code
    into the iu-cutter repo HEAD (separately gated
    commit-and-merge macro)
doc 7 of 7. CUT committed. STOP → GPT/User.