KB-6E9C
Post-Enactment Closeout · 03 Repo + Release Readiness
Revision 1
dot-iu-cutter v0.5 — Post-Enactment Closeout · Repo + Release Readiness
doc 3 of 6 · 2026-05-20 · post-enactment closeout
phase : G3 — repo / release state survey
outcome : PASS (local main aligned with KB pin; no merge/push/tag/deploy)
production_mutation : NONE this phase (read-only git)
1. Local repo survey
repo_root : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
current_branch : feature/constitution-snapshot-mark-dryrun
HEAD_sha : 32cfa939ca4025242c14e5de945f2cd8d95b5205
main_sha : 32cfa939ca4025242c14e5de945f2cd8d95b5205
HEAD_equals_main : true
working_tree : clean (git status -s = empty)
remote_configured : false (git remote -v = empty)
diff_main_vs_feature : empty
2. Recent commit ladder
32cfa93 feat(write-VERIFY/M2): add ledger_v2_canonical_verify DOT-992 recorder + tests
7133c44 feat(leg-B/M1): add ledger_v2_canonical_cut governed recorder + tests
6a56bc3 feat(canonical-path): add fn_iu_create canonical adapter + cutprod_canonical + tests
f20c79c feat(R1): add --mode production-leg-a-only + execute_leg_a_only seam (UB-2)
152e7db feat: add GUARDED leg-A prod IU birth adapter (prod_iu_adapter+cutprod)+tests
f0120ac feat: add W-3 DB-isolated constitution writer (cutwrite) + tests
d66a60d feat: add S2 no-DB CUT-plan dry-run planner (cutplan) + tests
afb7bfc feat: add snapshot MARK dry-run entrypoint
4367c83 baseline: ratified iu-cutter v0.4 skeleton before snapshot MARK entrypoint
M4_FF_outcome : main fast-forwarded from 4367c83 → 32cfa93 (8 commits, linear)
M4_FF_ruling : PASS (reviews/dot-iu-cutter-v0.5-main-fast-forward-merge-pass-gpt-ruling-2026-05-20.md)
release_tag : NOT_AUTHORIZED (sovereign single-line approval required)
push_remote : NOT_POSSIBLE (no remote configured)
deploy_restart : NOT_AUTHORIZED (this task)
3. Code↔DB ratification audit
The post-enactment substrate involves two distinct artefact families:
family_A_python_application_code:
  location : git (repo HEAD 32cfa93)
  artefacts:
    - cutter_agent/prod_iu_adapter_canonical
    - cutter_agent/cutprod_canonical
    - cutter_agent/ledger_v2_canonical_cut
    - cutter_agent/ledger_v2_canonical_verify
    - cutter_agent/cutwrite + cutplan + adapter scaffolding
  status : RATIFIED (M4 + M4-FF closed both)
family_B_lifecycle_DDL_bundles:
  location : applied directly to live PG via M3a-retry sidecar SQL
  artefacts:
    - Bundle A : iu_lifecycle_vocab + iu_lifecycle_log + 5 idx + 8 grants + 1 FK
    - Bundle B : fn_iu_enacted_immut + fn_uv_enacted_immut + 2 triggers
    - Bundle C : fn_iu_enact SECURITY DEFINER (8-arg, 230-line body)
    - Bundle D : gateway dot_config UPDATE + 8 iu_enact.* keys + REVOKE/GRANT
    - Bundle E : fn_iu_apply_edit_draft CREATE OR REPLACE patch
  authoring_KB : v0.5-lifecycle-enactment-implementation-authoring/
  execution_KB : v0.5-lifecycle-enactment-execution-m3a-retry/
  git_tracked : false (operator-runbook DDL, sovereign-applied SQL)
  fingerprint_pinned : true (md5(prosrc) recorded in M3a-retry final report,
                       byte-equal verified in this closeout doc 01 §6)
Recommendation on Family B ratification
recommendation_to_GPT_User:
  decision_required : whether to ratify Family B DDL into git
  options:
    OPT_R1_keep_runbook_only:
      pros : zero churn; current fingerprint pinning is sufficient evidence
      cons : DDL not version-controlled; rollback would require fresh authoring
      effort : zero
    OPT_R2_ratify_to_repo_separate_track:
      pros : version control; reproducibility; CI invariant
      cons : DDL is sovereign-applied not application-applied; risk of
             drift between repo and live if anyone re-applies from repo
      effort : LOW (1 commit, ~5 files, ddl/lifecycle/ folder)
      recommended_path : add a new sql/lifecycle/ tree marked OPERATOR-RUNBOOK
                         and pin md5(prosrc) in a manifest, never CI-applied
    OPT_R3_full_codification_with_migrations:
      pros : single source for DDL + automated apply path
      cons : changes the sovereign-applied model used to date; would need
             a new gate/approval architecture
      effort : MEDIUM-HIGH; design + xhigh review
  default_disposition_for_this_closeout : SURFACE_TO_BACKLOG (no commit here)
This closeout adds no commits. The choice is sovereign — see doc 05 backlog item B-DDL-RATIFY.
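A sketch of the read-only manifest check that OPT_R2's recommended_path implies (pinned md5(prosrc) compared against live function bodies), added here as an example and not code from the dot-iu-cutter repo. It assumes a UTF8 database, keys each function by its full signature so an extra overload is reported, and uses constructed function bodies and a placeholder argument list for fn_iu_enact.

```python
import hashlib

def pg_md5(text):
    # Mirrors PostgreSQL md5(text); assumes the database encoding is UTF8.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def audit(manifest, live):
    """Compare pinned fingerprints with live function bodies (no DB writes).

    manifest: {signature: pinned md5 hex}, the git-tracked manifest
    live:     {signature: prosrc}, e.g. rows of a read-only
              SELECT oid::regprocedure, prosrc FROM pg_proc WHERE proname IN (...)
              selected by name so that every overload is returned
    """
    report = {"ok": [], "drift": [], "missing_live": [], "unpinned": []}
    for sig in sorted(manifest):
        if sig not in live:
            report["missing_live"].append(sig)   # pinned, absent from the DB
        elif pg_md5(live[sig]) == manifest[sig].lower():
            report["ok"].append(sig)
        else:
            report["drift"].append(sig)          # body changed since pinning
    # Live but never pinned, e.g. a new overload of a SECURITY DEFINER function.
    report["unpinned"] = sorted(set(live) - set(manifest))
    return report

def passes(report):
    # Byte-equal or fail: any drift, gap or unpinned overload blocks the gate.
    return not (report["drift"] or report["missing_live"] or report["unpinned"])

# Constructed sample data; bodies and argument lists are not from the page.
BODY_IU = "BEGIN RAISE EXCEPTION 'enacted IU is immutable'; END;"
BODY_UV = "BEGIN RAISE EXCEPTION 'enacted UV is immutable'; END;"
SAMPLE_MANIFEST = {
    "fn_iu_enacted_immut()": pg_md5(BODY_IU),
    "fn_uv_enacted_immut()": pg_md5(BODY_UV),
    "fn_iu_enact(<args>)": pg_md5("BEGIN /* placeholder body */ END;"),
}
SAMPLE_LIVE = {
    "fn_iu_enacted_immut()": BODY_IU,
    "fn_uv_enacted_immut()": BODY_UV + "\n",     # one extra byte is drift
    "fn_iu_enact(text)": "BEGIN NULL; END;",     # constructed unpinned overload
}

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, SAMPLE_LIVE)
    for status, sigs in result.items():
        print(f"{status:13}: {sigs}")
    print("gate:", "PASS" if passes(result) else "FAIL")
```

Because the manifest is only ever compared and never applied, this keeps the repo copy from becoming a second apply path, which is the drift risk OPT_R2 lists under cons.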
4. Release readiness assessment
constitution_CUT_pipeline_status:
  source_snapshot : DONE
  MARK : DONE
  cutplan : DONE
  canonical_CUT_leg_A : DONE
  read_only_VERIFY : DONE
  leg_B_governed_recording : DONE
  write_VERIFY_DOT_992 : DONE
  code_main_local_FF : DONE
  lifecycle_DDL_substrate_M3a : DONE
  lifecycle_enactment_Phase_7 : DONE
  post_enactment_closeout : THIS DOCUMENT (in progress)
still_open:
  release_tag : SOVEREIGN_GATE
  remote_push : SOVEREIGN_GATE (also requires remote config)
  contabo_v0_5_deploy : SOVEREIGN_GATE
  one_command_orchestrator : DESIGN_PENDING (xhigh; see doc 04)
  StubSigning_to_real_crypto : DESIGN_PENDING (sovereign; not in this closeout)
  Family_B_DDL_ratification : SOVEREIGN_GATE (OPT_R1/R2/R3 above)
release_readiness_verdict : LOCAL_RELEASE_READY
  - local main at canonical v0.5 ratified HEAD 32cfa93
  - all 173 / 173 regression tests PASS (M4 receipt)
  - py_compile PASS (M4 receipt)
  - 264 / 265 full discover (1 baseline cutwrite.py DB_ENV_GUARD heuristic
    issue, pre-existing, unrelated to v0.5)
  - tree clean, branches aligned, no remote leak surface
remote_release_readiness : BLOCKED (no remote configured; no remote push
                           authorized; tag not authorized)
deploy_readiness : NOT_ASSESSED_HERE (own deploy plan required —
                   see step 5)
5. Contabo v0.5 deploy plan — outline only (not executed)
why_not_now:
  - deploy is a sovereign gate (Phase 7 PASS ruling forbids deploy/restart)
  - contabo v0.5 deploy is documented as "own deploy plan" in M4-FF closeout
  - one-command orchestrator (see doc 04) should be designed first to avoid
    deploying an ad-hoc pipeline that becomes the de-facto canonical path
minimum_viable_deploy_plan_skeleton (FOR FUTURE TASK):
  step_1_pre_check:
    - confirm 60 ICX-CONST enacted is live invariant (this closeout = baseline)
    - take fresh pg dump (sha256-pinned)
    - capture md5(prosrc) for all 6 lifecycle fns and the gateway fn
  step_2_code_staging:
    - rsync repo @ 32cfa93 to /opt/incomex/dot at contabo (currently v0.4)
    - capture pre/post directory sha (or git deploy-from-bundle)
    - do NOT run any DB writer
  step_3_smoke:
    - cutter_agent dry_run on a non-ICX sandbox IU
    - confirm gateway refuses non-allowlisted writer
  step_4_ratify_runtime_pointer:
    - flip whatever symlink/service points at /opt/incomex/dot
  step_5_rollback:
    - sha-pinned previous symlink target
deploy_authorization: NOT_AUTHORIZED_HERE
6. Tag candidate (FOR FUTURE SOVEREIGN APPROVAL — NOT CREATED)
proposed_tag_name : v0.5-constitution-cut-enacted
proposed_tag_HEAD : 32cfa93
proposed_tag_msg : >
  dot-iu-cutter v0.5 — first controlled Constitution CUT enacted.
  Pipeline: source-snapshot → MARK → cutplan → canonical CUT (60 ICX-CONST)
  → read-only VERIFY → leg-B governed recording → DOT-992 write-VERIFY →
  M4 code ratification → M4-FF main merge → M3a lifecycle DDL substrate →
  Phase 7 lifecycle enactment (60 enacted). Local-only; no remote configured.
authorization_state : PENDING_SOVEREIGN_RULING
7. Gate disposition
G3_local_repo_state : PASS (HEAD = main = 32cfa93; tree clean)
G3_no_unexpected_diff : PASS
G3_lifecycle_DDL_audit : SURFACED (OPT_R1 default; backlog B-DDL-RATIFY)
G3_release_readiness : LOCAL_RELEASE_READY
G3_remote_state : NO_REMOTE_CONFIGURED (cannot push if asked)
G3_deploy_plan_outline : DRAFTED_AND_DEFERRED
G3_tag_proposal_drafted : YES (not created)
G3_no_merge_push_tag_deploy : CONFIRMED (zero git mutation this task)
8. STOP
G3 PASS. Proceed to doc 04 (automation-orchestrator next brief).