KB-4C72

Hardcode Cleanliness Audit · 01 Repo Precheck

Revision 1

doc 1 of 7 · 2026-05-20 · G0 gate

phase                : G0 — repo + KB precheck
outcome              : G0 PASS
production_mutation  : NONE

1. SSOT (KB)

  • mcp__agent-data__get_document returned both prep docs:
    • reviews/dot-iu-cutter-v0.5-hardcode-policy-light-followups-gpt-note-2026-05-20.md
    • reviews/dot-iu-cutter-v0.5-light-followups-pass-hardcode-audit-next-gpt-ruling-2026-05-20.md
  • Upload works (this doc proves it).

2. Repository identity

working_directory : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
remote            : (none — `git remote -v` empty; push impossible)
branch            : feature/constitution-snapshot-mark-dryrun
working_tree      : clean (pre-audit)

3. HEAD census (pre-audit)

feature_head : d7ea6d19c2c2086209b37a242e7a78756e9cd762  (== expected d7ea6d1)
main_head    : 1cd286e039357018c40a1281599e17961b848749  (== expected 1cd286e)
relation     : feature 1 ahead, 0 behind main (PATH_FF-LIGHT feasible but not in scope)

Matches the prior LIGHT_FOLLOWUPS_PASS ruling.

4. Policy ingested (verbatim summary)

forbidden:
  - hardcoded secrets / credential values / DSNs / API keys / passwords
  - production credentials or GSM payloads
  - runtime logic depending on fixed production ids/hashes/counts without live survey
  - direct production endpoints used as authority without config/discover-first
  - hand-entered schema/function assumptions in runtime code
allowed_with_label:
  - fingerprint pins in runbooks/manifests for drift detection
  - historical ids/hashes in closeout docs
  - env var names in refusal guards
  - expected counts/hashes in tests when provenance-pinned and fail-closed

5. Forbidden surface (re-asserted)

No production mutation · no deploy/restart · no push/tag · no hard-delete · no source_document/source_version mutation · no weakening of DB env guard · no secret values logged anywhere (including these reports).

6. G0 result

g0_outcome      : PASS
ssot_reachable  : true
repo_state      : clean, feature=d7ea6d1, main=1cd286e, no remote
policy_ingested : true
knowledge/dev/laws/dieu44-trien-khai/v0.5-repo-hardcode-cleanliness-audit/01-repo-precheck-2026-05-20.md