KB-5C60

dot-iu-cutter v0.5 — First Controlled CUT Rerun · Preflight & Backup Result (G0/G1/G2 ALL PASS) (doc 1 of 7)

6 min read Revision 1

dot-iu-cutterv0.5first-controlled-cut-production-execution-rerunpreflight-and-backup-resultg0-passg1-pass-zero-driftg2-passnarrow-backuprestore-test-passdieu442026-05-20

dot-iu-cutter v0.5 — First Controlled CUT Rerun · Preflight & Backup Result

doc 1 of 7 · 2026-05-20 · rerun macro under GPT execution approval (…/reviews/…-blocked-gpt-ruling-and-execution-approval-2026-05-20.md).
phase              : preflight (G0 + G1 + G2)
outcome            : G0 PASS · G1 PASS · G2 PASS
production_mutation: NONE this phase

1. Session identity

date                : 2026-05-20
operator            : Agent (Claude Code / Opus 4.7 / 1M ctx)
working_directory   : /Users/nmhuyen
repo                : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
branch              : feature/constitution-snapshot-mark-dryrun
HEAD                : f20c79cbc867b009bc84e632bf9e23fd9d359728  (matches approval)
tree                : clean (git status --short empty)
vps_host            : contabo (vmi3080463), SSH ok as root
postgres_container  : `postgres` (postgres:16, healthy, port 127.0.0.1:5432)

2. G0 — SSOT + repo precheck — PASS

KB_read   : confirmed (GPT ruling + 7 first-controlled-cut + 4 production-legA
                        + iu-create-gateway-readme — all read full untruncated)
KB_upload : confirmed (this 7-doc rerun report set)
repo HEAD : f20c79c (matches ratified post_commit_HEAD)
tree      : clean
targeted_tests_rerun :
  command  : python3 -m unittest tests.test_prod_iu_adapter tests.test_cutwrite_snapshot
                                  tests.test_dryrun_snapshot_mark tests.test_cutplan_snapshot
  result   : Ran 95 tests in 0.128s · OK   (95/95 PASS)

3. G1 — live drift precheck — PASS · ZERO drift

db                         : directus
iu_cols                    : 19         == PIN_IU_COLS
uv_cols                    : 16         == PIN_UV_COLS
L1 md5                     : f38c94d0043a61507a8c2e85afd59998  == PIN_L1_MD5
L2 md5                     : 078ba0051ce4d894cabcc0102c4320f8  == PIN_L2_MD5
ICX-CONST rows             : 0          (G-CUT-ONCE precondition met)
public.information_unit rows : 98
public.unit_version    rows  : 105
vocab keys (6/6)           : law_unit, principle, section, article, law,
                              incomex_council — ALL PRESENT
pre-GRANT privileges       : cutter_exec / cutter_verify have ZERO privileges
                              on public.{information_unit, unit_version, dot_config}
roles_exist                : cutter_exec, cutter_verify (login=YES, conn_limit=2)
                              directus (owns public.*; not superuser)
                              context_pack_readonly (read-only catalog role)
                              workflow_admin (superuser; owns cutter_governance.*)
verdict                    : ZERO DRIFT vs 2026-05-20 morning re-verification.
                              All six pins still match.

4. G2 — backup creation + verification — PASS

authorized_by              : GPT ruling 2026-05-20 §G2
                              (AUTHORIZE_AGENT_TO_CREATE_FRESH_BACKUP_IN_RUN)
scope                      : NARROW — public.{information_unit, unit_version,
                              dot_config} only (the 3 tables on the leg-A write
                              path; matches PC-5 / doc 1 §6).
backup_path                : /opt/incomex/backups/pg/directus_legA_cut_pre_grant_20260520T031054Z.dump
backup_sha256              : 17093a7a9cf6b671545919857ec4478273d5332143daf96957549ba657228043
backup_bytes               : 74382
backup_created_utc         : 2026-05-20T03:10:54Z
backup_method              : docker exec postgres pg_dump -U directus -d directus
                              --no-owner --no-acl -Fc -t public.information_unit
                              -t public.unit_version -t public.dot_config
                              (Unix-socket trust auth inside postgres container;
                               no DSN argv leak, no PGPASSWORD)
restorability_test :
  ephemeral_target         : postgres:16 docker container (random root password,
                              ephemeral DB restore_test; --rm; torn down post-test)
  restore_method           : pg_restore -U postgres -d restore_test --no-owner
                              --no-acl --no-publications --no-subscriptions
  exit_code_observed       : 1 (non-fatal — trigger functions outside narrow
                              3-table scope cannot be re-created in ephemeral DB;
                              data restore itself completed successfully)
  row_counts_in_ephemeral  : information_unit=98, unit_version=105, dot_config=65
  match_expected           : YES (== pre-execution baseline)
  result                   : PASS
backup_age_at_CUT_attempt  : ~7 min 20 sec  (CUT attempt at 03:18:14 UTC; well
                              within PC-5 ≤60 min window)
secret_hygiene             : no PGPASSWORD/PG_DSN/DATABASE_URL written/echoed/logged

5. Disposition

G0 (SSOT + repo)       : PASS
G1 (live drift)        : PASS · ZERO drift · all six pins match
G2 (backup)            : PASS · sha 17093a7a… · restore-test row-count match
proceed_to_G3          : YES
production_mutation_this_phase : NONE (read-only catalog probes + backup; backup
                                       reads but does NOT write public.* rows)

doc 1 of 7.