KB-5B04

Lifecycle DDL Ratification · 04 Test + Static-Check Result


dot-iu-cutter v0.5 — Lifecycle DDL Ratification · Test + Static-Check Result

doc 4 of 6 · 2026-05-20

phase    : G4 — static checks + tests
outcome  : PASS  (md5 byte-equality verified; 264/265 regression PASS;
                 1 baseline pre-existing failure, unrelated)
production_mutation : NONE this phase

1. Static check — md5(prosrc) byte-equality

A custom Python check extracts every PL/pgSQL body from the committed bundle SQL files (the text between the unique $tag$…$tag$ dollar quotes) and compares md5(body) against md5(prosrc) read from the live PG instance for the same function:

function                       len   md5(repo)                         md5(live)                         verdict
-----------------------------+------+----------------------------------+----------------------------------+--------
fn_iu_enacted_immut          1631   aeb3fa4fdb225f6ba6b7073582caa454  aeb3fa4fdb225f6ba6b7073582caa454  OK
fn_uv_enacted_immut          2415   03f035a23cbc79a9e811a6da6f5266ba  03f035a23cbc79a9e811a6da6f5266ba  OK
fn_iu_enact                  8674   6ca9bc39e2d2be93dd8a71739fa80dc4  6ca9bc39e2d2be93dd8a71739fa80dc4  OK
fn_iu_apply_edit_draft       4826   42e96b6c9e81a2d0a28b30644d178a26  42e96b6c9e81a2d0a28b30644d178a26  OK
result   : 4/4 byte-equal
verdict  : PASS
note     : This is the load-bearing guarantee — any future fresh-PG apply
           of these bundles will reproduce the live md5 pins exactly.

2. Dollar-quote safety

check    : no live body contains the literal '$$' sequence
result   : 4/4 OK
note     : bundles use unique per-function tags ($iuim$, $uvim$, $enact$, $apply$)
           so no risk of premature dollar-quote termination
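
An added example of the checks in §1 and §2 (not the project's own check script, which this page does not reproduce): it extracts each dollar-quoted body, rejects anonymous or embedded '$$', and compares md5(body) with a pinned md5. The function names, bodies and pins below are constructed stand-ins, and a UTF-8 server encoding is assumed.

```python
import hashlib
import re

# CREATE [OR REPLACE] FUNCTION [schema.]name(...) ... AS $tag$ body $tag$
FUNC_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:\w+\.)?(\w+)\s*\(.*?\bAS\s+"
    r"\$((?:[A-Za-z_]\w*)?)\$(.*?)\$\2\$",
    re.IGNORECASE | re.DOTALL,
)

def extract_bodies(sql_text):
    """Map function name -> (tag, body); body is the exact text between the quotes."""
    return {m.group(1): (m.group(2), m.group(3)) for m in FUNC_RE.finditer(sql_text)}

def md5_hex(body):
    # Assumption: the server encoding is UTF-8, so md5(prosrc) hashes these bytes.
    return hashlib.md5(body.encode("utf-8")).hexdigest()

def check_bundle(sql_text, live_pins):
    """Compare each pinned function against the bundle; return name -> verdict."""
    bodies = extract_bodies(sql_text)
    verdicts = {}
    for name, pin in live_pins.items():
        if name not in bodies:
            verdicts[name] = "MISSING"
            continue
        tag, body = bodies[name]
        if not tag or "$$" in body:
            verdicts[name] = "UNSAFE_QUOTE"   # anonymous $$ or a '$$' inside the body
        elif md5_hex(body) != pin:
            verdicts[name] = "MISMATCH"       # any byte differs, whitespace included
        else:
            verdicts[name] = "OK"
    return verdicts

# Constructed sample: stand-ins for live prosrc values and a bundle file.
LIVE_A = "\nBEGIN\n  RETURN NEW;\nEND;\n"
LIVE_B = "\nBEGIN\n  RAISE EXCEPTION 'immutable';\nEND;\n"
BUNDLE = (
    "CREATE OR REPLACE FUNCTION fn_demo_a() RETURNS trigger\n"
    "LANGUAGE plpgsql AS $demoa$" + LIVE_A + "$demoa$;\n"
    "CREATE OR REPLACE FUNCTION public.fn_demo_b() RETURNS trigger\n"
    "LANGUAGE plpgsql AS $demob$" + LIVE_B.replace("  RAISE", "    RAISE") + "$demob$;\n"
)
PINS = {"fn_demo_a": md5_hex(LIVE_A), "fn_demo_b": md5_hex(LIVE_B), "fn_demo_c": "0" * 32}

if __name__ == "__main__":
    for name, verdict in check_bundle(BUNDLE, PINS).items():
        print(f"{name:12} {verdict}")
```

The fn_demo_b body differs from its pin only by indentation, which is enough to fail the byte-equality check.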

3. Repo regression test suite

command          : python3 -m pytest tests/ -q --tb=short
result_summary   : 264 passed, 1 failed
return_code      : non-zero  (regression in 1 of 265 tests)
regression_from_my_changes : false

Detail on the single failure

test              : tests/test_security_boundaries.py::TestNoSecretPrinted
                    ::test_source_has_no_hardcoded_dsn_or_secret
target_file       : cutter_agent/cutwrite.py
flagged_string    : 'PGPASSWORD'
context           : Inside DB_ENV_GUARD tuple, used as an env-var NAME guard
                    (the writer REFUSES to run if PGPASSWORD is set, to prove
                    no production DB connection is possible). The string is
                    NOT a secret; it is a guard-list entry.
pre_existing      : true
documented_in     : v0.5-post-enactment-closeout-release-readiness/05-remaining-risk-and-backlog.md
                    item R-8 (INFORMATIONAL); also m4-fast-forward-merge KB
                    final-report and m4-code-ratification KB.
caused_by_this_macro : false

The same failure was present at HEAD 32cfa93 before any of my changes; the commit 1cd286e adds 11 SQL files under sql/lifecycle/ and does not modify cutter_agent/cutwrite.py. The test heuristic is overly strict for cutwrite.py and is tracked separately as a low-priority cleanup (B-DB-ENV-GUARD-BASELINE-CLEAN).

4. No production connection / no DB write

network_writes_during_this_macro : NONE
PG_writes                       : NONE  (read-only `context_pack_readonly`;
                                         all queries SELECT-only;
                                         no transaction with COMMIT against
                                         the directus database)
PG_reads                        : pg_proc.prosrc + length + md5 + base64,
                                  pg_trigger, pg_class, has_*_privilege,
                                  information_unit/unit_version/iu_lifecycle_*
                                  counts and joins (already proven in the
                                  prior post-enactment closeout)
file_writes_outside_repo        : /tmp/live_bodies/*.txt + /tmp/bodies.json
                                  + /tmp/dump_bodies.py + /tmp/ddl_extract.md
                                  (ephemeral; not committed)
repo_writes                     : sql/lifecycle/* (11 files)
git_writes                      : 1 local commit on feature branch
deploy / restart / push / tag   : NONE

5. Optional sandbox-apply check (NOT executed)

A stronger static check would be to apply the bundles into a transient PG instance and re-read md5(prosrc) from that sandbox PG. This was deliberately not performed because:

  • The byte-equality of repo body vs live prosrc is already proven by the md5 comparison in §1 (which is itself sufficient: PG stores prosrc exactly as the text supplied between the dollar quotes when the bundle is applied).
  • A sandbox apply would require mocking the information_unit / unit_version / unit_edit_draft / unit_edit_comment / dot_config / cutter_governance schemas, the fn_iu_verify_invariants / fn_content_hash functions, and the cutter_exec / directus / context_pack_readonly / cutter_verify / workflow_admin roles. That scope belongs to an operator-runbook test harness, not to ratification.
  • Recovery / fresh-environment apply will exercise this path under a sovereign-approved macro.

If a future macro elects to build the sandbox harness, it should:

  • Start from the M3a-retry pre-state schema
  • Apply Bundles A..E in order via psql -v ON_ERROR_STOP=1 -f
  • Re-query md5(prosrc) for all 4 functions and assert vs fingerprints.yaml

6. Gate disposition

G4_md5_byte_equality              : PASS  (4/4)
G4_dollar_quote_safety            : PASS
G4_regression_no_new_failures     : PASS  (1 pre-existing baseline only)
G4_no_production_connection       : PASS  (read-only role)
G4_no_PG_write                    : PASS
G4_no_deploy_restart              : PASS
G4_no_push_tag                    : PASS

7. STOP

Tests and static checks complete. Proceed to doc 05 (git status + commit result).
