dot-iu-cutter v0.5 — Main FF After DDL Ratify · Test + Static Result

doc 2 of 5 · 2026-05-20

phase    : G2 — tests + static checks before FF
outcome  : PASS  (264/265 regression, 1 known baseline; 4/4 fingerprint byte-equality)
production_mutation : NONE  (no DB connection from tests)

1. Regression suite

command  : python3 -m pytest tests/ -q
result   : 264 passed, 1 failed in 0.26s
new_regression_caused_by_this_macro : false  (this macro has NOT changed code)

Single failure detail (pre-existing baseline R-8)

test         : tests/test_security_boundaries.py::TestNoSecretPrinted
               ::test_source_has_no_hardcoded_dsn_or_secret
target_file  : cutter_agent/cutwrite.py
flagged      : 'PGPASSWORD'
context      : inside DB_ENV_GUARD tuple as an env-var NAME guard
               (the writer REFUSES to run if PGPASSWORD is set;
                the string is a guard-list entry, NOT a secret)
pre_existing : true
documented_in:
  - v0.5-post-enactment-closeout-release-readiness/05-remaining-risk-and-backlog.md (R-8)
  - v0.5-lifecycle-ddl-ratification-runbook/04-test-static-check-result-2026-05-20.md
backlog_item : B-DB-ENV-GUARD-BASELINE-CLEAN  (LOW; deferred)
caused_by_this_macro : false  (no .py file modified)

The same failure was present at every recent HEAD (32cfa93 ← 7133c44 ← 6a56bc3 ← … ← 4367c83 baseline). Fast-forwarding main from 32cfa93 to 1cd286e does NOT introduce it; both points already carry it.

2. sql/lifecycle/ inventory

README.md                                        5,431
bundle_a_vocab_and_log.sql                       4,855
bundle_b_immutability.sql                        6,867
bundle_c_fn_iu_enact.sql                        11,571
bundle_d_gateway_and_grants.sql                  3,535
bundle_e_fn_iu_apply_edit_draft_patch.sql        7,104
fingerprints.yaml                                5,856
rollback_runbook.sql                             7,642
verify_behavioral_probes.sql                     3,900
verify_postapply.sql                             7,376
verify_preflight.sql                             3,016
                                                ------
11 files                                        67,153 B

All 11 files documented in the prior ratification closeout are present and unmodified since commit 1cd286e.

3. Function body fingerprint check (md5 byte-equality vs live pg_proc.prosrc)

function                       len   md5(extracted)                    verdict
-----------------------------+------+----------------------------------+--------
fn_iu_enacted_immut          1631   aeb3fa4fdb225f6ba6b7073582caa454  OK
fn_uv_enacted_immut          2415   03f035a23cbc79a9e811a6da6f5266ba  OK
fn_iu_enact                  8674   6ca9bc39e2d2be93dd8a71739fa80dc4  OK
fn_iu_apply_edit_draft       4826   42e96b6c9e81a2d0a28b30644d178a26  OK

Extraction uses regex AS \$tag\$(.*?)\$tag\$\s*; on the committed bundle SQL files (B/C/E). All four function bodies remain byte-equal to the live PG prosrc.

4. No production touch this gate

PG_writes              : NONE
PG_reads               : NONE  (this macro reads ONLY git + KB + filesystem;
                                no PG connection issued)
file_writes_outside_repo : NONE
repo_writes            : NONE this gate (writes happen in G3)
git_writes             : NONE this gate
deploy/restart/push/tag : NONE

5. Gate disposition

G2_regression_no_new_failures : PASS (R-8 baseline, pre-existing)
G2_sql_lifecycle_artifacts    : PASS (11/11 files present)
G2_fingerprint_byte_equality  : PASS (4/4 functions)
G2_no_PG_or_deploy_touched    : CONFIRMED

6. STOP

Tests + static checks pass. Proceed to doc 03 (FF execution log).