KB-52CE

dot-iu-cutter v0.5 — Production Bridge · Governed-Ledger & DOT-991 Signing Package (doc 3)

Revision 1

doc 3 of 7 · 2026-05-19 · evidence + design. No code authored. No mutation.

1. GAP-C2 — governed-ledger location: RESOLVED (not a gap)

finding: the v0.4 governed ledger is LIVE in schema directus.cutter_governance
  (same DB as the constitution writer target directus.public.*). The W-4
  "absent/unconfirmed/possibly cross-DB" conclusion was a probe-role artifact
  (W-4 used information_schema under a role without USAGE on cutter_governance;
  this phase used the world-readable catalog: pg_namespace/pg_class/relacl).
evidence (read-only this phase):
  directus.pg_namespace: public, cutter_governance(owner workflow_admin),
    sandbox_tac
  cutter_governance: 24 base tables + 12 *_observe views incl. the full v0.4
    ledger family (cut_change_set, cut_change_set_affected_row,
    dot_pair_signature, decision_backlog_{entry,history,dependency,sweep_log},
    verify_result, manifest_envelope, manifest_unit_block, review_decision,
    canonical_address_alias) — these are exactly the tables ledger.py writes.
  grants ALREADY present & exactly the v0.4 ratified CD-1..CD-13 matrix
    (relacl, see doc 2 §1): cutter_exec write+read on the executor-lane tables;
    cutter_verify on verify_result + shared tables; canonical_address_alias
    zero for both; verify_result has NO cutter_exec (SoD intact).
  WS-Q5 closeout (2026-05-18, GPT PASS) independently confirms the same schema
    grew 12→24 tables in production cutter_governance.
consequence:
  - the constitution production CUT can write information_unit + unit_version
    (public) AND cut_change_set + dot_pair_signature + decision_backlog_history
    (cutter_governance) in ONE atomic transaction inside the directus DB.
  - NO ledger provisioning, NO new ledger GRANT, NO cross-DB design needed.
  - the ONLY missing privilege is on public.* (GAP-C1, doc 2).
note ledger-shape vs birth-shape: ledger.py/db_adapter.py
  (RealPostgresAdapter) bind the cutter_governance ledger model. The
  constitution CUT additionally needs the public birth-model writer
  (information_unit/unit_version) — that is the GAP-C4 adapter (doc 4). The
  ledger writes themselves reuse the already-correct v0.4 grants.
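
An added example (not the project's code): a read-only check of the zero-grant pairs stated above, reading the world-readable catalog instead of information_schema. The relacl sample rows are constructed, and `parse_relacl`, `sod_violations` and `MUST_BE_ZERO` are names introduced here.

```python
# Read-only catalog probe (pg_catalog is readable by any role).
CATALOG_QUERY = """
SELECT c.relname, c.relacl::text
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'cutter_governance' AND c.relkind = 'r'
"""

# PostgreSQL aclitem privilege letters that apply to tables.
PRIV = {"r": "SELECT", "a": "INSERT", "w": "UPDATE", "d": "DELETE",
        "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER"}

# The "zero grant" pairs stated in the evidence above: (table, role).
MUST_BE_ZERO = [("verify_result", "cutter_exec"),
                ("canonical_address_alias", "cutter_exec"),
                ("canonical_address_alias", "cutter_verify")]

def parse_relacl(relacl):
    """Parse relacl text '{grantee=privs/grantor,...}' into {grantee: {privileges}}.
    NULL relacl (owner defaults only) yields {}; an empty grantee is PUBLIC.
    Assumes role names need no quoting (no commas, quotes or '=')."""
    grants = {}
    for item in filter(None, (relacl or "").strip("{}").split(",")):
        grantee, rest = item.split("=", 1)
        letters = rest.split("/", 1)[0]
        privs = {PRIV[c] for c in letters if c in PRIV}  # skips '*' (grant option)
        grants.setdefault(grantee or "PUBLIC", set()).update(privs)
    return grants

def sod_violations(rows):
    """rows: iterable of (relname, relacl_text). Returns sorted (table, role,
    privileges) for every pair that must hold no privilege but does. A grant to
    PUBLIC counts against every role."""
    acl = {name: parse_relacl(text) for name, text in rows}
    out = []
    for table, role in MUST_BE_ZERO:
        g = acl.get(table, {})
        held = g.get(role, set()) | g.get("PUBLIC", set())
        if held:
            out.append((table, role, sorted(held)))
    return sorted(out)

# Constructed sample rows (not the production relacl values).
GOOD = [("verify_result", "{workflow_admin=arwdDxt/workflow_admin,cutter_verify=ar/workflow_admin}"),
        ("canonical_address_alias", None)]
BAD = GOOD[:1] + [("canonical_address_alias", "{=r/workflow_admin}")]
```

The check reads direct grants only; privileges inherited through role membership are not resolved.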

2. GAP-C3 — DOT-991 signing: decision + design

2.1 Evidence-grounded decision

v0.4 precedent (binding): the First Controlled Production CUT/VERIFY trial
  2026-05-17 (GPT review = PASS, SUCCESS_LIVE) wrote dot_pair_signature +2 rows
  with DOT-lane verification PASS (badxor=0, swapped=0, both_null=0,
  both_non_null=0) — i.e. a real production CUT/VERIFY has ALREADY shipped on
  the StubSigning placeholder with the lane-overlap invariants enforced.
signing.py state (repo f0120ac, unchanged):
  - DeferredSigning.sign/verify → raise SigningDeferred (production crypto is a
    deferred HIGH-risk workstream; no key/secret).
  - StubSigning: deterministic NON-crypto placeholder; enforces lane separation
    (distinct identity + digest per lane); is_production=False.
recommendation (RD-C3):
  StubSigning + enforced lane-overlap invariants is the RATIFIED controlled-CUT
  signing posture (matches the accepted v0.4 production precedent). Real
  cryptographic DOT-991 signing remains a SEPARATE deferred HIGH-risk workstream
  and is NOT a blocker for the constitution controlled CUT.
  → C3's minimal bar before CUT = wire StubSigning + the lane-overlap invariant
    tests into the constitution CUT path (design §2.2). NOT new crypto.
sovereign_override: the User/GPT MAY require real signing before the
  constitution CUT (higher bar than the v0.4 IU trial because the Constitution
  is foundational). This is a sovereign decision, surfaced — not assumed away.

2.2 Lane-overlap invariant integration (design — for the gated adapter build U-W4d)

Binding source: …/reviews/dot-iu-cutter-v0.4-dot-lane-overlap-prevention-gpt-mandate-2026-05-17.

on the constitution CUT change-set, the executor signature row MUST:
  - signer_dot_id / lane = DOT-991 (executor)
  - cross-reference change_set_id ONLY; verify_result_id MUST be NULL
  - exactly one cross-ref non-null; signer_dot_id matches lane
  - prior_signature_id forms the per-lane append-only chain
the future VERIFY (cutter_verify/DOT-992) writes verify_result with the verifier
  signature: cross-ref verify_result_id ONLY; change_set_id MUST be NULL.
mandatory negative tests (must FAIL the contract):
  swapped lane (DOT-991 with verify_result_id) ; both cross-refs non-null ;
  both cross-refs null ; signer_dot_id≠lane ; lane≠reference-kind.
runtime posture: lane explicit (never inferred from free text); STOP on any
  lane/reference mismatch; no auto-repair; no cross-lane fallback.
status: DESIGN ONLY. The wiring + tests are authored as part of the gated
  guarded-adapter build (doc 4 / U-W4d), NOT this phase. signing.py unchanged.
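
The invariants and negative tests listed above, as an added sketch that is not part of signing.py or ledger.py. The `SignatureRow` shape, the `LANES` table and the rule that prior_signature_id must equal the current lane head are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed lane model: lane name -> (signer DOT id, the one cross-reference
# column that lane may populate).
LANES = {
    "executor": ("DOT-991", "change_set_id"),
    "verifier": ("DOT-992", "verify_result_id"),
}

class LaneContractViolation(Exception):
    """Raised to STOP the write; nothing is repaired or rerouted."""

@dataclass(frozen=True)
class SignatureRow:  # hypothetical shape of a dot_pair_signature row
    lane: str
    signer_dot_id: str
    change_set_id: Optional[int] = None
    verify_result_id: Optional[int] = None
    prior_signature_id: Optional[int] = None

def check_row(row: SignatureRow, lane_head: Optional[int]) -> None:
    """Enforce the section 2.2 invariants; lane_head is the id of the last
    signature already in this lane's chain (None for the first row)."""
    if row.lane not in LANES:
        raise LaneContractViolation("lane must be explicit and known")
    signer, ref_col = LANES[row.lane]
    refs = {"change_set_id": row.change_set_id,
            "verify_result_id": row.verify_result_id}
    present = [col for col, val in refs.items() if val is not None]
    if len(present) == 2:
        raise LaneContractViolation("both_non_null")
    if not present:
        raise LaneContractViolation("both_null")
    if row.signer_dot_id != signer:
        raise LaneContractViolation("signer_dot_id does not match lane")
    if present[0] != ref_col:
        raise LaneContractViolation("swapped: lane does not match reference kind")
    if row.prior_signature_id != lane_head:
        raise LaneContractViolation("prior_signature_id breaks the lane chain")

def violation(row: SignatureRow, lane_head: Optional[int] = None) -> Optional[str]:
    """Return the violation message, or None when the row satisfies the contract."""
    try:
        check_row(row, lane_head)
    except LaneContractViolation as exc:
        return str(exc)
    return None
```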

3. Combined status

GAP-C2: RESOLVED — no work product needed beyond this evidence record.
GAP-C3: DECIDED (RD-C3, Stub-with-invariants; real crypto deferred) — pending
  one sovereign ruling (accept RD-C3 vs require real signing) = gate U-W4c.
no signing/ledger code authored; signing.py / ledger.py byte-unchanged at f0120ac.
production_mutation: NONE.

doc 3 of 7. No production mutation. Self-advance PROHIBITED.
