KB-2DA9

dot-iu-cutter v0.5 — Final CI Standard & Remaining Blocker Review (exact CI command, PASS criteria, fixture-bound vs 7/7 interim, no-DB proof, full blocker list before first dry-run)

Revision 1


Phase: …_implementation_readiness_audit · Nature: analysis_only · Date: 2026-05-18 · doc 4 of 5 · satisfies QG5 (CI standard) + QG6 (blockers listed)


1. Final CI standard

1.1 Exact test commands

# Full identity suite (required for full-green / pre-commit of the patch)
python3 -m unittest tests.test_dryrun_snapshot_mark -v

# Non-fixture regression subset (interim acceptance only)
python3 -m unittest \
  tests.test_dryrun_snapshot_mark.TestFailClosedSynthetic \
  tests.test_dryrun_snapshot_mark.TestNoDbImportIsolation -v

# Module compiles
python3 -m py_compile cutter_agent/dryrun.py

(pytest is absent in the environment; python3 -m unittest is the runner of record. No network, no DB, no env DSN.)

1.2 PASS criteria

FULL_GREEN (required before patch commit):
  - 21/21 PASS, 0 ERROR, 0 FAIL
  - cutter_agent/dryrun.py sha256 == f1f42e83…2efa1422 (byte-exact)
  - tests/test_dryrun_snapshot_mark.py sha256 == the GPT-ratified hash
    (recommended 454d9fc8…f2843a4a — doc 3 §1.3)
  - byte-identity fixture present at the test-resolved path; region rehash
    == 17660443… len 17522 markers {enacted:19,controlled_draft:1,draft:1,
    obsolete:1} (TestGate/TestManifest pass over the REAL pinned region)
  - py_compile OK

INTERIM (NOT sufficient for commit; status reporting only):
  - 7/7 non-fixture PASS (TestFailClosedSynthetic 4 + TestNoDbImportIsolation 3)
  - documents code correctness + import isolation but NOT real-snapshot identity

1.3 Are fixture-bound tests required before commit?

required_before_commit: YES. Full 21/21 (incl. TestGate + TestManifest over the
  pinned region) is mandatory before committing the patch to the feature branch
  / proposing merge. Rationale: TestGate/TestManifest are the ONLY proof that
  the segmentation logic behaves correctly on the REAL Constitution identity
  (15 NT + 3 KT + 42 DIEU, Đ44 controlled_draft tier_2 exclusion, coverage
  closure, determinism). Committing on 7/7 alone would commit unproven
  real-snapshot behavior.
interim_7of7_acceptable: ONLY as a transparent status checkpoint while the
  base64 fixture transport (doc 2/3 strategy A) is being provisioned under a
  separate gate. It does NOT authorize commit. GPT may explicitly elect a
  "7/7-interim, fixture-deferred" posture, but that is a sovereign decision,
  not a default.

1.4 How to prove no DB access (no-DB / no-side-effect proof)

structural (already implemented & unit-asserted):
  - TestNoDbImportIsolation.module_imports_only_stdlib: AST walk asserts
    imports ⊆ stdlib; NO cutter_agent / psycopg / socket / requests /
    sqlalchemy / directus reachable from cutter_agent/dryrun.py
  - cli_refuses_wrong_mode: --mode cut ⇒ exit 2 (refused)
  - cli_refuses_without_no_db_flags: missing --no-db-write/--no-cut/--no-verify
    ⇒ exit 2
environmental (CI runner contract):
  - assert no PG_DSN / DATABASE_URL / DIRECTUS_URL / PGPASSWORD in env; the
    entrypoint refuses (exit 2) if any is set
  - run with no network/DB reachable; build_manifest used in-memory only;
    main() NOT invoked on the artifact (that = the gated first dry-run)
report_line: every manifest/report path emits db_write: NONE,
  production_touched: false (verified by tests, not asserted by fiat)

2. Remaining blockers before the first Constitution dry-run

B-AUDIT (this phase): readiness audit + transport standard — IN PROGRESS
  (this 5-doc package); must be GPT-ratified before any retry.  STATUS: open

B-TEST-HASH: KB hash-of-record for the test file is 31143968 but the only
  obtainable artifact is 454d9fc8 (≡ verbatim, unrecoverable otherwise).
  Needs GPT ruling (recommend ratify 454d9fc8 — doc 3 §1.3).  STATUS: open

B-FIXTURE-IDENTITY: no byte-identity pinned fixture in repo (transport
  corrupts region to 86d6aea7 ≠ 17660443). Needs base64 blob (strategy A)
  produced by a byte-trusted path + gated decode.  STATUS: open (hard blocker)

B-FIXTURE-PATH: test resolves ART at REPO ROOT; provisioned non-identity copy
  is at tests/fixtures/. Path/ART coupling must be ruled with the test-hash
  decision (root-path vs tests/fixtures/).  STATUS: open

B-CI-GREEN: full 21/21 cannot go green until B-TEST-HASH + B-FIXTURE-IDENTITY
  + B-FIXTURE-PATH resolve. Currently 7 OK / 14 ERROR.  STATUS: open

B-COMMIT: patch NOT committed (GPT: commit only on later explicit approval
  AND after green CI). Both conditions unmet.  STATUS: open

B-DRYRUN-CMDREVIEW: the first-dry-run command-review package exists
  (exact command + PRE-gate) but the first Constitution dry-run is a SEPARATE
  GPT/User authorization, NOT yet granted.  STATUS: open

B-RETRY-FREEZE: GPT froze further patch/fixture/CI retries until this audit is
  ruled.  STATUS: active (lift only by GPT ruling on this package)

non_blockers (already CLOSED, for clarity):
  - dryrun.py authenticity (byte-exact f1f42e83 — ACCEPTED)
  - code semantics (7/7 + in-memory 15/3/42 evidence)
  - source identity B1/B5/B6/SC3 ; pinned artifact identity ; design OD-*
  - git baseline (4367c83 CLOSED_PASS) ; branch exists

doc 4 of 5. Self-advance PROHIBITED.
