KB-76E3

dot-iu-cutter v0.5 — Production Bridge · Decision & State (doc 1)

Revision 1
Tags: dot-iu-cutter · v0.5 · production-bridge-to-cut-approval-readiness · decision-and-state · gap-c2-resolved · bridge-partially-ready · dieu44 · 2026-05-19


doc 1 of 7 · 2026-05-19 · open-goal macro = PRODUCTION_BRIDGE_PACKAGE_TO_CUT_APPROVAL_READINESS (authorized by …/reviews/dot-iu-cutter-v0.5-w4-credential-signing-prod-adapter-readiness-gpt-ruling-2026-05-19).

kb_read: confirmed   kb_upload: confirmed (this doc + 6 more)
production_mutation: NONE   git: none this phase   self_advance: PROHIBITED
outcome: B — BRIDGE_PARTIALLY_READY_WITH_EXACT_FINAL_GATE

1. Headline outcome

result: BRIDGE_PARTIALLY_READY_WITH_EXACT_FINAL_GATE
summary: >
  The production bridge is materially closer than the W-4 package concluded.
  GAP-C2 (governed-ledger location) is RESOLVED by evidence — it was a false
  "absent" caused by the W-4 probe role lacking schema USAGE. GAP-C1 is now an
  EXACT, minimal, scoped GRANT delta (packaged, doc 2). C3/C4/C5 reduce to four
  small, named final gates, each requiring a sovereign decision or a gated build
  — no open-ended investigation remains.

2. Evidence correction to the W-4 package (controlling)

The W-4 docs (2/3/4, 2026-05-19) stated "schema cutter_governance ABSENT in directus AND workflow" and therefore "GAP-C2 architectural reconciliation required (possibly cross-DB)" and "GAP-C1 v0.4 grants scoped to a schema that does not exist here". Both conclusions were artifacts of the read-only probe role.

Catalog-level evidence this phase (read-only): pg_namespace and pg_class, including the relacl column, are world-readable regardless of schema USAGE, unlike information_schema, whose views filter rows by the caller's privileges and which is what the W-4 probe relied on:

pg_database: directus, incomex_metadata, workflow (postgres = MCP-denied)
probe_role: context_pack_readonly (read-only; NO USAGE on cutter_governance —
  this is exactly why W-4's information_schema probe saw "absent")
directus.pg_namespace (catalog, authoritative):
  public            owner pg_database_owner
  cutter_governance owner workflow_admin     # <-- LIVE, not absent
  sandbox_tac       owner workflow_admin
cutter_governance contents (directus DB): 24 base tables + 12 *_observe views,
  incl. cut_change_set, cut_change_set_affected_row, dot_pair_signature,
  decision_backlog_{entry,history,dependency,sweep_log}, verify_result,
  manifest_envelope, manifest_unit_block, review_decision,
  canonical_address_alias + the 12 WS-Q5 registry tables.

⇒ The constitution writer target (directus.public.information_unit + unit_version) and the governed ledger (directus.cutter_governance.*) are in the same database ⇒ a single-database production CUT in one atomic transaction is architecturally feasible. No cross-DB design is required. This supersedes W-4 doc 2 §2 / doc 3 §2 / doc 4 §1 GAP-C2.
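
An added example (not part of the original package or the project's tooling): a read-only catalog probe that separates a truly absent schema from one hidden by privilege filtering, then reads table-level grants from relacl. It assumes it is run in the directus database as the probe role; the output column aliases are illustrative.

```sql
-- Added example (not from the original package). Read-only; run in the directus
-- database as the low-privilege probe role (here: context_pack_readonly).

-- 1) Schema presence: catalog truth vs. the privilege-filtered view.
--    Zero rows            => the schema really is absent.
--    Row + visible=false  => "absent" was a privilege artifact (the W-4 case).
SELECT n.nspname                            AS schema_name,
       pg_get_userbyid(n.nspowner)          AS owner,
       has_schema_privilege(n.oid, 'USAGE') AS probe_has_usage,
       EXISTS (SELECT 1
                 FROM information_schema.schemata s
                WHERE s.schema_name::text = n.nspname::text)
                                            AS visible_in_information_schema
  FROM pg_catalog.pg_namespace n
 WHERE n.nspname = 'cutter_governance';

-- 2) Relation inventory: pg_class counts everything; information_schema.tables
--    only counts relations the current role owns or holds a privilege on.
SELECT count(*) FILTER (WHERE c.relkind = 'r') AS catalog_base_tables,
       count(*) FILTER (WHERE c.relkind = 'v') AS catalog_views,
       (SELECT count(*)
          FROM information_schema.tables t
         WHERE t.table_schema::text = 'cutter_governance')
                                               AS visible_in_information_schema
  FROM pg_catalog.pg_class c
  JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'cutter_governance';

-- 3) Table-level grants straight from relacl. A NULL relacl (one row with a
--    NULL grantee) means built-in defaults only, i.e. owner access.
--    Column-level grants are stored in pg_attribute.attacl, not here.
SELECT c.relname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type,
       a.is_grantable
  FROM pg_catalog.pg_class c
  JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
  LEFT JOIN LATERAL aclexplode(c.relacl) a ON true
 WHERE n.nspname = 'cutter_governance'
   AND c.relkind IN ('r', 'v')
 ORDER BY c.relname, grantee, a.privilege_type;
```

Comparing the catalog counts from query 2 with the "24 base tables + 12 *_observe views" recorded above gives a quick drift check before any later phase relies on this evidence.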

3. Gap-by-gap disposition

GAP-C1 credentials  : EXACT_SMALL_GAP → PACKAGED (doc 2). cutter_exec/cutter_verify
  have ZERO grants on public.information_unit/unit_version/dot_config (confirmed
  by relacl). The needed delta is small, column-scoped, append-only, SoD-safe,
  and fully specified as a command-review package. Execution = sovereign gate U-W4b.
GAP-C2 ledger loc.  : RESOLVED (doc 3 §1). Ledger is directus.cutter_governance;
  cutter_exec/cutter_verify ALREADY hold the exact v0.4 ratified least-privilege
  grants there (relacl-verified). No provisioning, no new ledger GRANT needed.
GAP-C3 DOT-991 sign : DECIDED w/ recommendation (doc 3 §2). v0.4 production
  CUT/VERIFY trial (2026-05-17, GPT PASS) ran on StubSigning with enforced
  lane-overlap invariants. Recommendation: Stub-with-lane-invariants is the
  ratified controlled-CUT posture; real crypto stays a deferred HIGH-risk
  workstream and is NOT a CUT blocker. Sovereign may override → gate U-W4c.
GAP-C4 prod adapter : DESIGN COMPLETE, code WITHHELD by discipline (doc 4).
  Now unblockable (C1 delta exact, C2 known). Guarded-adapter build = gate U-W4d.
GAP-C5 sovereign ok : OUTSTANDING by nature (doc 5). Separate explicit
  production-DB-write approval; cannot be self-issued. Packaged as request → U-W5.
non-drift (re-verified read-only this phase, pinned for W-5):
  information_unit 19 cols · unit_version 16 cols · IU constraints 4
  (PK id, UNIQUE canonical_address, FK version_anchor_ref→unit_version(id)
   DEFERRABLE INITIALLY DEFERRED, trg_iu_birth_gate_layer2 DEFERRED)
  unit_version: PK id, UNIQUE(unit_id,version_seq), FK unit_id→information_unit(id)
  L1 md5 f38c94d0043a61507a8c2e85afd59998  (== W-4 pin, NO DRIFT)
  L2 md5 078ba0051ce4d894cabcc0102c4320f8  (== W-4 pin, NO DRIFT)
  birth-gate fns prosecdef=false ⇒ SECURITY INVOKER (drives the C1 SELECT grants)
  public.information_unit total 98 · ICX-CONST 0 · unit_version total 105
  (G-CUT-ONCE clean-insert precondition STILL HOLDS)

4. Minimum production bridge path (decision)

C1: scoped GRANT command-review package (doc 2) → sovereign-gated execution U-W4b.
C2: nothing to build — ledger live + granted in directus.cutter_governance;
    CUT writes IU+unit_version+ledger in ONE txn in the directus DB.
C3: wire existing StubSigning + lane-overlap invariants into the CUT path
    (design doc 3 §2). Real crypto deferred (separately gated, not CUT-blocking).
C4: build the guarded prod_iu_adapter per the doc-4 design contract — the ONLY
    remaining code build; gated (U-W4d) + scratch/txn-rollback integration proof.
C5: a separate explicit sovereign production-write approval doc (request: doc 5).

5. What this phase did / did NOT do

did: read-only KB reads; read-only PostgreSQL catalog/ACL/constraint/function
  probes (no schema USAGE needed — catalog only); read repo files; authored a
  7-doc production-bridge package; resolved GAP-C2; made GAP-C1 exact.
did_NOT: NO production DB write/IU · NO CUT/VERIFY · NO GRANT/REVOKE · NO DB
  connection by runtime code · NO adapter/signing code authored (design only) ·
  NO repo change (HEAD f0120ac, tree clean) · NO commit/merge/push/tag · NO
  deploy/restart · NO source/version mutation · NO invented runnable production
  command · NO self-advance.

doc 1 of 7. No production mutation. Self-advance PROHIBITED.
