KB-601D
dot-iu-cutter v0.5 — First Controlled CUT · Final Production CUT Report (Result B BLOCKED_BEFORE_CUT; STOP → GPT/User; OPT-1 recommended) (doc 6 of 6)
Revision 1
doc 6 of 6 · 2026-05-20 · STOP → GPT/User
macro_goal : first controlled Constitution CUT (UB-2 leg-A only), execution under sovereign GRANT+CUT approval
final_result : B — BLOCKED_BEFORE_CUT (BLOCKED_WITH_EXACT_GAP)
kb_read : confirmed (8 approval docs read fully ; 3 GPT rulings + 7 first-controlled-cut + 4 production-legA)
kb_upload : this 6-doc report set
production_mutation : NONE
self_advance : PROHIBITED
1. Final result
result : B — BLOCKED_BEFORE_CUT
why : The macro-execution surface that the approval package depends on
(sovereign-operator-authored connection-provider module, sovereign-
operator-taken fresh backup, KB-resolvable approval doc ids,
write-capable PostgreSQL access as apply principal `directus`) is
**not present in this session**. Three independent gates
(G2 backup, G3 command integrity, G4 GRANT execution) fail-closed
simultaneously, each for reasons that the package itself forbids
the Agent from resolving (PC-5, PC-7, GD-1 apply-principal,
non-fabrication of authority).
2. What the Agent succeeded at in this phase (positive evidence)
G0 SSOT + env precheck :
KB_read_via_batch_read : 8 docs · all untruncated · all consumed in main ctx
repo_path : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter (present)
branch : feature/constitution-snapshot-mark-dryrun (matches approval)
HEAD : f20c79c (matches ratified post_commit_HEAD)
working_tree : clean
unexpected_code_change : none
targeted_tests_rerun : Ran 95 tests in 0.129s · OK (matches 95/95 ratified)
G1 live drift (read-only as context_pack_readonly via query_pg MCP) :
current_database : directus
IU columns : 19 == PIN_IU_COLS
UV columns : 16 == PIN_UV_COLS
L1 md5 : f38c94d0043a61507a8c2e85afd59998 == PIN_L1_MD5
L2 md5 : 078ba0051ce4d894cabcc0102c4320f8 == PIN_L2_MD5
ICX-CONST rows : 0 (G-CUT-ONCE precondition met)
IU total rows : 98
UV total rows : 105
vocab keys : 6/6 PRESENT (law_unit, principle, section, article, law, incomex_council)
grants on writer targets : ALL FALSE (cutter_exec + cutter_verify) — as expected, GAP-C1 still open
roles exist : cutter_exec, cutter_verify (login=YES, conn_limit=2)
verdict : ZERO DRIFT vs 2026-05-19 / 2026-05-20 pins
3. STOP_AND_ESCALATE — structured
3.1 Exact blockers
| # | Gate | Blocker | Source |
|---|---|---|---|
| B-1 | G2 (backup) | No fresh logical backup of directus.public.{information_unit, unit_version, dot_config} exists for this session. Agent is explicitly forbidden from taking it. | first-controlled-cut doc 1 §6 ; production-legA doc 3 §3.4 PC-5 ; rollback doc 5 §4 — quoted verbatim in our doc 1 §4. |
| B-2 | G3 (command integrity) — `--fresh-backup-sha256` | Depends on B-1. | production-legA doc 3 §3.1 + §3.3 (exit 2 if missing or not 64-hex). |
| B-3 | G3 (command integrity) — `--connection-provider-module` | The sovereign-operator-authored Python module that returns a Callable[[dict], conn] bound to cutter_exec credentials from the approved secret store does not exist in this repo or in the Agent's reach. The package explicitly forbids the repo from containing it and forbids the Agent from authoring it. | production-legA doc 1 §6 + doc 3 §3.4 PC-7 ; first-controlled-cut doc 3 §3 R1/R2 description. |
| B-4 | G3 (command integrity) — `--i-have-sovereign-production-write-approval <kb-doc-id>` | No KB doc id exists that the adapter's _g1_approval resolver can verify as a true sovereign production-write approval scoped to manifest_digest 9d908a62…, candidate_count 60, writer_digest d99a31d4…, principal cutter_exec, target directus.public.{IU,UV}, single atomic txn, append-only, G-CUT-ONCE, forward-compensation-only. Existing approval-ready docs state CUT_authorized: not_yet. Fabricating an id would violate "do not fabricate authority". | production-legA doc 3 §3.1 ; final-approval-report doc 7 §3 (A-4 C5) ; GPT ruling 2026-05-20. |
| B-5 | G3 (command integrity) — `--i-have-grant-execution-approval-kb-id <kb-doc-id>` | No GRANT-execution KB doc id exists ; U-W4b has not been performed (B-6). | production-legA doc 3 §3.1 ; first-controlled-cut doc 2 §6.1 (the verification log would be the KB doc). |
| B-6 | G4 (GRANT) | The only PostgreSQL surface available to the Agent in this session is the read-only context_pack_readonly role via mcp__claude_ai_Incomex_VPS__query_pg (AST-validated, READ ONLY transaction, no writes/DDL). The required apply principal per GD-1 is directus. The Agent has no credentialed write path to act as directus. | tool description quoted in our doc 2 §4 ; GD-1 ruling in production-legA doc 3 §2 + first-controlled-cut doc 2 §3. |
3.2 Evidence verified
e-1 : 95/95 targeted tests PASS on HEAD f20c79c
(Ran 95 tests in 0.129s · OK)
e-2 : repo path / branch / HEAD / clean tree confirmed via git
e-3 : 8 approval-package docs read in full (untruncated) via mcp__agent-data__batch_read
e-4 : live PG read-only catalog probe confirms ZERO drift vs ratified pins
(IU 19, UV 16, L1 f38c94d0…, L2 078ba005…, vocab 6/6, ICX-CONST=0, IU=98, UV=105)
e-5 : live PG read-only ACL probe confirms cutter_exec/cutter_verify have ZERO
privileges on public.information_unit / unit_version / dot_config
e-6 : reader_role = context_pack_readonly (confirmed by `SELECT current_user`)
e-7 : tool description verbatim states query_pg is read-only ; no write/DDL path
e-8 : the approval package verbatim forbids the Agent from authoring the
connection-provider module (PC-7) and from taking the backup (PC-5).
3.3 Why the Agent cannot self-decide further
each_blocker_falls_under_a_STOP_AND_ESCALATE_criterion :
B-1 backup : the Agent acting as the backup-taker would violate
spec-stated separation of duties (PC-5) — this is the
user's stated "do not fabricate authority" rule and also the
"production write ... not yet approved" rule (a backup
action is itself a production-side privileged action).
B-3 provider module : the Agent authoring a DSN-bearing provider module
would change architecture+permissions+production-access
shape ; the package's PC-7 forbids it in this repo, and
the operator wrapper (R2) is itself a sovereign-gated
artifact in /opt/incomex/dot/specs/. Acting here would
require multi-impact architectural decisions — the
user's "multiple handling options with impact" criterion.
B-4 sovereign approval id : fabricating one would directly violate "do not
fabricate authority". The adapter's G1 resolver is designed
specifically to refuse non-KB-resolvable ids.
B-5 GRANT approval id : symmetric to B-4.
B-6 write-PG access : "lacking authority/SSOT" criterion. The Agent has no
credentialed write path. Acquiring one would itself
require sovereign production-credential provisioning.
every_option_other_than_STOP_either_requires_fabrication_or_violates_PC-5/PC-7 .
3.4 Resolution options (presented for sovereign ruling)
OPT-1 (Recommended) — *sovereign-driven 5-step operator execution*
| step | actor | action |
|---|---|---|
| 1 | sovereign DB operator | take fresh logical backup of directus.public.{information_unit, unit_version, dot_config} ; test-restore to scratch ; record sha256 ; upload backup manifest to KB. |
| 2 | GPT/User | author and publish the sovereign-operator connection-provider module to a path OUTSIDE the iu-cutter repo (e.g. /opt/incomex/dot/specs/cutter_legA_provider.py) ; record its sha256 in KB ; verify it sources cutter_exec DSN from the approved secret store only. |
| 3 | GPT/User | publish two KB-resolvable approval docs : (a) GRANT execution approval (resolves `--i-have-grant-execution-approval-kb-id`) (b) sovereign production-write approval for leg-A CUT (resolves `--i-have-sovereign-production-write-approval`) — both scoped to the six pins of the package. |
| 4 | sovereign DB operator | issue the doc 2 §2 GRANT delta as principal `directus` ; run the §6.1 verification ; capture the result ; if it matches the expected 18-bool row, log the approval id ; otherwise REVOKE (doc 2 §4) and stop. |
| 5 | sovereign DB operator | run the cutprod R1 command (production-legA doc 3 §3.1) with the four values filled in from steps 1+2+3+4. Capture STDOUT CUT_OK_LEG_A line and exit code 0. |
trade_off : preserves all package guarantees (SoD, fail-closed, append-only,
non-fabrication). Requires sovereign side-actions on 3 fronts
(backup, provider, KB approvals). This is the path the package
was designed for.
OPT-2 — *delegate the whole macro to a sovereign-operator session*
Hand this macro to a sovereign-operator (human or harness) that has
pre-provisioned : the directus-credential GRANT path, the
connection-provider module, and authority to author KB approvals. That
session executes G2→G4→G6 in one motion ; the Agent role becomes review
only.
trade_off : faster end-to-end but moves more state outside the Agent's
audit lens. Recommended only if the user prefers human-driven
execution.
OPT-3 — *redesign the approval surface so the Agent CAN execute G4/G6*
(NOT recommended without sovereign discussion)
Re-do the gating so that the Agent is granted a one-shot, time-boxed,
scope-limited credential path (e.g. an MCP that exposes a single
GRANT-and-CUT pre-baked SQL transaction signed by GPT/User out of band).
This would require new tooling and is a multi-week architecture change.
trade_off : keeps "operator-runs-CUT" out of human hands but invalidates
PC-5/PC-7/GD-1 invariants ; needs a full sovereign re-review of
the whole UB-2 doctrine.
3.5 Agent's recommendation
recommend : OPT-1 (sovereign-driven 5-step operator execution).
reason :
- OPT-1 preserves every invariant the package was designed to enforce
(SoD, fail-closed, append-only, non-fabrication, secret hygiene).
- The remaining work is exactly the four sovereign approvals already
enumerated in first-controlled-cut doc 7 §3 (A-1..A-4) — three of which
were ruled closed in the 2026-05-20 GPT ruling (A-1 via R1, A-2 via
directus) and one of which (A-4 C5 / U-W5) is the explicit gate the
package was awaiting. OPT-1 simply *operationalizes* those four
rulings ; it does not re-decide anything.
- The Agent already verified zero drift, 95/95 tests, grants absent — so
the operator's job in steps 4 and 5 of OPT-1 is mechanical and the
same drift catalog can be re-confirmed by the operator just before
cutting.
3.6 Shortest next step after GPT/User rules
shortest_next_step :
GPT/User issues, in a single response, the four artifacts of OPT-1 :
(i) the 64-hex sha256 of the fresh backup (+ a one-liner "operator X took
the dump at HH:MM ; restore-test PASS ; KB doc id <id>")
(ii) the `<pkg.mod>:<callable>` string of the installed connection-provider
module + its sha256 (+ a one-liner "module installed at /opt/incomex/
dot/specs/cutter_legA_provider.py ; sha256 <hex>")
(iii) the KB doc id of the GRANT-execution approval (string)
(iv) the KB doc id of the sovereign-production-write approval for leg-A CUT
(string)
the Agent (next session, or now if extended) then :
- re-verifies drift one more time (G1 catalog re-run, ≤5 read SELECTs)
- re-verifies the test suite (95/95)
- if the operator has performed steps 1-4 of OPT-1, fills the four
placeholders into the cutprod R1 command and runs step 5
- records the CUT_OK_LEG_A line and exit code
- performs G7 immediate structural verification (SELECTs in our doc 4 §2)
- STOPS before VERIFY and before post-CUT governed-recording (per the
prompt's explicit boundary)
4. Boundaries honored this session
forbidden_actions_NOT_taken :
- did NOT execute VERIFY (cutter_verify VW-1..VW-12)
- did NOT execute post-CUT governed-recording (leg-B 126 rows)
- did NOT deploy / restart / rebuild containers
- did NOT merge / push / tag the feature branch
- did NOT mutate source_document / source_document_version
- did NOT run any unapproved SQL (only read-only catalog SELECTs)
- did NOT hard-delete anything
- did NOT self-advance beyond leg-A CUT (could not even reach it)
- did NOT fabricate KB approval doc ids
- did NOT fabricate backup sha256
- did NOT author the connection-provider module
- did NOT touch any DB env var (PG_DSN / DATABASE_URL / DIRECTUS_URL /
PGHOST / PGUSER / PGPASSWORD)
- did NOT echo / log / argv-leak any secret
5. Status
status : BLOCKED_BEFORE_CUT (BLOCKED_WITH_EXACT_GAP)
gates_closed_this_phase : G0 PASS · G1 PASS
gates_blocked : G2 (backup) · G3 (command integrity, 4 missing values) ·
G4 (GRANT execution surface absent)
gates_NA : G5 · G6 · G7 (downstream of G2/G3/G4)
reports_uploaded : 6 (this report set) — see §3 of doc 0 of the upload
production_mutation : NONE
self_advance : PROHIBITED
next_action : route → GPT/User ; await ruling on OPT-1 vs OPT-2 vs OPT-3
and the four artifacts in §3.6.
doc 6 of 6. No production mutation. Self-advance PROHIBITED.