KB-21DF
dot-iu-cutter v0.5 — Post-CUT · Release / Automation Readiness Plan (G5 — path from current to "one-command automatic cut"; lessons + sequenced macros) (doc 5 of 6)
10 min read Revision 1
dot-iu-cutterv0.5post-cut-verify-governed-recording-release-readinessrelease-automation-readiness-plannext-macro-sequencelessons-survey-firstmacro-task-45-60mincanonical-adapter-commit-pendingdieu442026-05-20
dot-iu-cutter v0.5 — Post-CUT · Release / Automation Readiness Plan
doc 5 of 6 · 2026-05-20
phase : G5 — release/automation readiness plan outcome : sequence of next macros + open architectural decisions production_mutation : NONE this phase (plan only)
1. Where we are vs "one-command automatic cut" target
current_state :
HEAD : f20c79c on feature/constitution-snapshot-mark-dryrun
committed_path : legacy direct-INSERT (cutprod / prod_iu_adapter) —
fail-closed by gateway since 2026-05-06
canonical_path : authored in this session series ;
cutter_agent/prod_iu_adapter_canonical.py +
cutprod_canonical.py + tests
(UNTRACKED on feature branch ; 122/122 tests PASS)
provider_module : /opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py
sha 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8
(autocommit=False after the in-scope fix)
GRANT_state : canonical-shape — REVOKE direct writes ;
GRANT EXECUTE on fn_iu_create (per the survey
package doc 4 §3 ; applied this macro series)
cutter_governance : schema + grants in place (v0.4 CD-1..CD-13) ;
ledger.py = dry-run SKELETON ≠ live shape
60_ICX_CONST_IUs : LIVE in production (committed 2026-05-20T04:18:21Z)
via canonical fn_iu_create ; lifecycle='draft'
VERIFY : read-only structural VERIFY PASS (this macro doc 2)
write_VERIFY : gated on leg-B (this macro doc 2 §4)
leg_B_governed_recording: PACKAGED (this macro doc 3) ; NOT executed
lifecycle_enactment : not addressed (this macro doc 4 ; sovereign
OPT-E1 recommended)
automated_orchestrator : does not exist ; current path is multi-macro
with sovereign gates between phases.
target_state ("one-command automatic cut") :
- operator invokes a single CLI / cron / API endpoint
- the system performs : backup → drift precheck → GRANT precheck →
fn_iu_create-loop CUT → leg-B governed recording →
VERIFY → lifecycle enactment (if approved) →
post-cut audit pack — all in one sovereign-gated
orchestrated flow
- rollback is also one-command on detected failure
2. Distance from current to target — gated next macros
macro_M1 — "leg-B governed recording author + execute"
scope : author cutter_agent/ledger_v2_canonical_cut.py (doc 3 §3) ;
fake-conn tests ; rollback-only smoke ; single atomic txn execute ;
capture FK ids ; reports
size : 45–60 min
audit_debt : MUST run within remaining 24h budget (expires
2026-05-21T04:18:22Z, ≥23h remaining as of this report)
gates_remaining : sovereign approval + GPT/User ruling on row shapes
in doc 3 §2
macro_M2 — "write-VERIFY (verify_result + DOT-992 signature)"
scope : cutter_verify writes verify_result + dot_pair_signature (verifier
lane) into cutter_governance ; same single-txn pattern ; reports
size : 30–45 min
gates_remaining : M1 must complete first (FK dependency)
macro_M3 — "lifecycle enactment workflow"
scope : sovereign architectural decision OPT-E1/E2/E3 (this macro doc 4)
+ if OPT-E1 then DB-team authors fn_iu_enact + cutter_agent
adapter to call it for the 60 IUs
size : multi-macro (architectural + DB + cutter_agent + execute)
gates_remaining : pre-flight architectural ruling
macro_M4 — "canonical code commit + merge to main"
scope : git commit the 3 untracked canonical files ; targeted-tests gate ;
push feature branch (if remote configured) ; merge to main per
PR review process (separate sovereign gate)
size : 15–30 min (just commit + merge, no DB action)
gates_remaining : commit-gate ruling, PR review, main-branch merge approval
macro_M5 — "automation orchestrator"
scope : design + author a CLI / DOT-registered task that runs the entire
canonical cycle end-to-end with internal gates ; documentation ;
rollback ; observability hooks
size : larger ; multi-macro design+author+test+approval cycle
gates_remaining : everything above M1..M4
ordering_constraint : M1 → M2 (FK) ; M3 can be parallel-track (DB team) ;
M4 can happen any time after M1 stabilizes the code ;
M5 only after M1..M4 stable.
3. Lessons learned (this macro series)
L1 survey-first vs blind execution :
evidence : the direct-INSERT execution macro hit `trg_aa_iu_gateway_write_guard`
at G7 because the approval package was authored BEFORE the
gateway was deployed. The cut was atomic-rolled-back ; zero
rows persisted ; but the macro time was spent.
lesson : EVERY production mutation prompt MUST include a "live trigger /
function / policy survey" gate before any write. The
"fn_iu_create canonical-path survey + redesign" macro
demonstrated this correctly.
L2 psycopg2 autocommit semantics :
evidence : provider authored with `autocommit=True` ; conn.commit() became
a NO-OP ; server-side ROLLBACK on disconnect ; 0 rows persisted
despite cutprod claiming COMMITTED.
lesson : when wrapping psycopg2 in a custom provider, use the default
`autocommit=False` so that conn.commit() emits libpq COMMIT.
For wrappers that need explicit BEGIN/COMMIT, the wrapping
pattern must still respect psycopg2's own state-tracking.
codified : the canonical provider module now has autocommit=False (post
in-scope fix this macro series).
L3 _NOW = "__SQL_NOW__" sentinel :
evidence : prod_iu_adapter uses `_NOW = "__SQL_NOW__"` as a sentinel
expected to be swapped by "the composer" at runtime ; the
original composer didn't swap. The canonical provider
instead intercepts and swaps the sentinel to NOW() at the
wrapper level.
lesson : sentinel patterns require explicit handling in the actual
writer ; a comment-only contract is insufficient.
L4 A-4 publication_type='law' defensive :
evidence : L1 PILOT-MODE warnings "P-pub1/P-pub2 missing —
production sẽ BLOCK" surfaced during the rollback-only
test of fn_iu_create. The defensive patch to pass
p_publication_type='law' eliminated the warning for the
60 ICX-CONST rows.
lesson : when a SECURITY DEFINER function is in PILOT mode and warns
about a future production-strict change, defensively supply
values that satisfy the upcoming strict mode.
L5 GAP-B1 ledger.py is dry-run skeleton :
evidence : write_cut_change_set builds 6-key dict ; live cut_change_set
has 24 cols + 6 NOT NULL no-default ; ledger.py supplies
one column (content_hash) absent in live shape.
lesson : design-time row-builders are useful for shape sketching but
they MUST be re-validated against live schema before
production execution. The repo's ledger.py has been a known
skeleton for months ; the production-shaped builder is the
ledger_v2 work in macro_M1.
L6 macro_task_size 45–60 min is the right granularity :
evidence : each prior macro fit comfortably in 45–60 min when the prompt
listed clear objective + survey-first + internal gates +
forbidden list. Mega-macros (everything in one prompt) lost
clarity.
lesson : prefer 45–60 min macros with strict gates over one giant
multi-hour macro.
L7 DISCOVER-FIRST :
evidence : the canonical CUT macro discovered an existing valid provider
module from the prior macro ; the survey-and-redesign macro
discovered the existing gateway trigger ; this macro
discovered the cutter_governance schema + grants already in
place. None of these required creating new infrastructure.
lesson : always check existing artifacts before creating new ones.
L8 no-user-artifact-requests :
evidence : the macros derived backup sha, provider sha, approval ids,
pin values, etc. all from in-session work + existing KB /
system state — never asked the user to paste any artifact.
lesson : agents should treat artifact creation/discovery as their
responsibility within the goal scope ; not delegate to user
for low-effort operational items.
4. Disposition
G5 (release/automation readiness) : PASS — plan authored
recommended_next_macro : M1 (leg-B governed recording author +
execute) ; ≤24h audit-debt budget
permits ≥23h headroom
production_mutation_this_phase : NONE
self_advance : PROHIBITED — STOP → GPT/User
doc 5 of 6.