Hardcode Cleanliness Audit · 03 Runtime Hardcode Scan
doc 3 of 7 · 2026-05-20 · G2 gate
phase : G2 — runtime hardcode scan
outcome : G2 PASS — every PIN_* is a fail-closed drift detector, not runtime business logic
production_mutation : NONE
1. PIN_* and EXPECTED_* census (production code, cutter_agent/*.py)
| File | Constant | Value | Class |
|---|---|---|---|
| prod_iu_adapter.py:49 | PIN_MANIFEST_FILE_SHA | sha256 (7d56f3ce…) | live drift pin |
| prod_iu_adapter.py:51 | PIN_MANIFEST_DIGEST | sha256 (9d908a62…) | live drift pin |
| prod_iu_adapter.py:53 | PIN_CANDIDATE_COUNT | 60 | live drift pin |
| prod_iu_adapter.py:54 | PIN_SOURCE_VERSION | icxconst-008a06ace23a96ea6cd456146e805c97 | live drift pin |
| prod_iu_adapter.py:55 | PIN_REGION_SHA | sha256 (17660443…) | live drift pin |
| prod_iu_adapter.py:57 | PIN_WRITER_DIGEST | sha256 (d99a31d4…) | live drift pin |
| prod_iu_adapter.py:61 | PIN_IU_COLS | 19 | live schema pin |
| prod_iu_adapter.py:62 | PIN_UV_COLS | 16 | live schema pin |
| prod_iu_adapter.py:63 | PIN_L1_MD5 | md5 (f38c94d0…) | live trigger fn drift pin |
| prod_iu_adapter.py:64 | PIN_L2_MD5 | md5 (078ba005…) | live trigger fn drift pin |
| ledger_v2_canonical_cut.py:60-72 | PIN_WRITER_DIGEST / PIN_MANIFEST_*… | imported from prod_iu_adapter (_P) | re-exports |
| ledger_v2_canonical_cut.py:69 | PIN_CUT_COMMITTED_AT | 2026-05-20T04:18:21.854512+00:00 | leg-B M1 payload pin |
| ledger_v2_canonical_cut.py:72 | PIN_CUT_STARTED_AT | 2026-05-20T04:18:14+00:00 | leg-B M1 payload pin |
| ledger_v2_canonical_verify.py:76-77 | PIN_CUT_COMMITTED_AT / PIN_LEGB_COMMITTED_AT | … | M2 verify payload pin |
| ledger_v2_canonical_verify.py:101-105 | PIN_M1_CHANGE_SET_ID / REVIEW_DECISION_ID / MANIFEST_ENVELOPE_ID / EXECUTOR_SIGNATURE_ID / PAYLOAD_HASH | UUIDs / sha256 | M2 verify payload pin |
| ledger_v2_canonical_verify.py:185 | EXPECTED_SECTION_TYPE | {principle:15, section:3, article:42} | live cardinality pin (sums to 60) |
2. Why these are ALLOWED under the policy
Policy excerpt:
allowed_with_conditions — "expected counts/hashes in tests when provenance-pinned and fail-closed"
Each PIN is consumed by _require_uuid / _require_int /
_require_dict_equal helpers in ledger_v2_canonical_verify.py, which
raise VerifyLiveStateMismatch on the slightest deviation. Concretely
(lines 203-225):
_require_uuid(live_state, "change_set_id", PIN_M1_CHANGE_SET_ID)
_require_uuid(live_state, "review_decision_id", PIN_M1_REVIEW_DECISION_ID)
…
_require_int(live_state, "iu_count", PIN_CANDIDATE_COUNT)
_require_int(live_state, "uv_count", PIN_CANDIDATE_COUNT)
_require_int(live_state, "anchored_exact", PIN_CANDIDATE_COUNT)
_require_int(live_state, "dieu_44_intrusion", 0)
_require_dict_equal(live_state, "section_type_cardinality",
                    self.EXPECTED_SECTION_TYPE)
This is fail-closed verification, not runtime business logic. The runtime never trusts the PINs to compute anything; it refuses if the live state disagrees.
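The fail-closed pattern described above, as an added example that is not the project's code. The helper bodies, the verify() wrapper and the placeholder UUID are assumptions; only the call shape, the count 60 and the section-type cardinality come from this page.

```python
import uuid

class VerifyLiveStateMismatch(Exception):
    """Live state deviates from a pin; the caller must refuse to proceed."""

_MISSING = object()

def _fetch(live_state, key):
    value = live_state.get(key, _MISSING)
    if value is _MISSING:  # an absent key is a mismatch, not "nothing to check"
        raise VerifyLiveStateMismatch(f"{key}: missing from live state")
    return value

def _require_uuid(live_state, key, pinned):
    value = _fetch(live_state, key)
    try:
        same = uuid.UUID(str(value)) == uuid.UUID(pinned)
    except ValueError:  # unparseable input fails closed
        same = False
    if not same:
        raise VerifyLiveStateMismatch(f"{key}: {value!r} != pin {pinned!r}")

def _require_int(live_state, key, pinned):
    value = _fetch(live_state, key)
    # Exact type check: rejects "60" and bools (False == 0 in Python).
    if type(value) is not int or value != pinned:
        raise VerifyLiveStateMismatch(f"{key}: {value!r} != pin {pinned!r}")

def _require_dict_equal(live_state, key, pinned):
    value = _fetch(live_state, key)
    if not isinstance(value, dict) or value != pinned:
        raise VerifyLiveStateMismatch(f"{key}: {value!r} != pin {pinned!r}")

# Constructed sample pins: the UUID is a placeholder, counts are from the census.
PIN_M1_CHANGE_SET_ID = "00000000-0000-4000-8000-000000000001"
PIN_CANDIDATE_COUNT = 60
EXPECTED_SECTION_TYPE = {"principle": 15, "section": 3, "article": 42}

def verify(live_state):
    """Return 'ok', or the first mismatch message; never a partial pass."""
    try:
        _require_uuid(live_state, "change_set_id", PIN_M1_CHANGE_SET_ID)
        _require_int(live_state, "iu_count", PIN_CANDIDATE_COUNT)
        _require_int(live_state, "dieu_44_intrusion", 0)
        _require_dict_equal(live_state, "section_type_cardinality",
                            EXPECTED_SECTION_TYPE)
    except VerifyLiveStateMismatch as exc:
        return str(exc)
    return "ok"
```

The pins are only ever compared against the live state, so a missing key, a wrong type or a one-off count all end in refusal rather than a computed result.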
Provenance is explicit at point of use:
# ---- live drift pins (read-only catalog precheck, captured 2026-05-19) ----
PIN_IU_COLS = 19
…
and the equivalent "# Pinned M1 ids — caller MUST supply the exact values that M1 persisted." comment in ledger_v2_canonical_verify.py.
3. os.environ usage in runtime
cutter_agent/cutwrite.py:480 if os.environ.get(bad): # DB_ENV_GUARD refusal
cutter_agent/cutprod.py:148 if os.environ.get(bad): # DB_ENV_GUARD refusal
cutter_agent/cutprod_canonical.py:141 if os.environ.get(bad): # DB_ENV_GUARD refusal
cutter_agent/cutplan.py:285 if os.environ.get(bad): # DB_ENV_GUARD refusal
cutter_agent/dryrun.py:475 if os.environ.get(bad): # DB_ENV_GUARD refusal
cutter_agent/db_adapter.py:495,589,632 e = env if env is not None else os.environ # injectable env (test-friendly)
All 6 usages are either env-guard refusals or injectable-env helpers —
no os.environ["KEY"] accesses with default-fallback to a hardcoded
secret. PASS.
4. Long-hex / UUID literals in runtime — exhaustive list
cutter_agent/ledger_v2_canonical_verify.py:106 PIN_M1_PAYLOAD_HASH = "7468c7a9…6cfa"
cutter_agent/prod_iu_adapter.py:50 PIN_MANIFEST_FILE_SHA = "7d56f3ce…"
cutter_agent/prod_iu_adapter.py:52 PIN_MANIFEST_DIGEST = "9d908a62…"
cutter_agent/prod_iu_adapter.py:56 PIN_REGION_SHA = "17660443…"
cutter_agent/prod_iu_adapter.py:58 PIN_WRITER_DIGEST = "d99a31d4…"
cutter_agent/ledger_v2_canonical_verify.py:101 PIN_M1_CHANGE_SET_ID = "456c6830-…"
cutter_agent/ledger_v2_canonical_verify.py:102 PIN_M1_REVIEW_DECISION_ID = "29c88a7b-…"
cutter_agent/ledger_v2_canonical_verify.py:103 PIN_M1_MANIFEST_ENVELOPE_ID = "638cf363-…"
cutter_agent/ledger_v2_canonical_verify.py:104 PIN_M1_EXECUTOR_SIGNATURE_ID = "3a249063-…"
Every one is a PIN consumed by a _require_* fail-closed check. None
is a credential / token / API key. None is used as a source of truth
for runtime decisions — only as a refusal threshold.
Cross-reference: the same UUIDs are recorded in the KB post-enactment-closeout (doc 02 governance chain) — so the runbook audit trail and runtime fail-closed surface are aligned.
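One way to automate the checks in sections 3 and 4, as an added example that is not the audit's own tooling. It flags long-hex or UUID literals that no _require_* call consumes, and os.environ.get calls with a hardcoded string default; the finding names, the sample module and its values are constructed.

```python
import ast
import re

# Opaque literals worth auditing: md5/sha-length hex runs or canonical UUIDs.
_OPAQUE = re.compile(
    r"(?:[0-9a-f]{32,}|[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)

def _callee(call):
    fn = call.func
    return getattr(fn, "id", getattr(fn, "attr", ""))

def _is_environ_get(call):
    fn = call.func  # matches os.environ.get(...) and bare environ.get(...)
    base = getattr(fn, "value", None)
    return (getattr(fn, "attr", None) == "get"
            and getattr(base, "attr", getattr(base, "id", None)) == "environ")

def scan(source):
    """Return sorted (line, kind, name) findings for one module's source."""
    nodes = list(ast.walk(ast.parse(source)))
    # A constant counts as consumed when passed by name to a _require_* call.
    consumed = {arg.id for n in nodes
                if isinstance(n, ast.Call) and _callee(n).startswith("_require_")
                for arg in n.args if isinstance(arg, ast.Name)}
    findings = []
    for n in nodes:
        if isinstance(n, ast.Assign) and isinstance(n.value, ast.Constant):
            value = n.value.value
            if isinstance(value, str) and _OPAQUE.fullmatch(value):
                findings += [(n.lineno, "unconsumed-literal", t.id)
                             for t in n.targets
                             if isinstance(t, ast.Name) and t.id not in consumed]
        elif isinstance(n, ast.Call) and _is_environ_get(n) and len(n.args) == 2:
            key, default = n.args
            # A non-empty string default is a hardcoded fallback value.
            if isinstance(getattr(default, "value", None), str) and default.value:
                name = key.value if isinstance(key, ast.Constant) else "<dynamic>"
                findings.append((n.lineno, "environ-literal-default", name))
    return sorted(findings)

# Constructed sample module (not the project's code).
SAMPLE = f'''import os
PIN_M1_CHANGE_SET_ID = "00000000-0000-4000-8000-000000000001"
LEFTOVER_DIGEST = "{"ab" * 32}"
def check(live_state):
    _require_uuid(live_state, "change_set_id", PIN_M1_CHANGE_SET_ID)
    if os.environ.get("BAD_VAR"): raise SystemExit("refused")
    return os.environ.get("DB_PASSWORD", "changeme")
'''
```

The scan works on one module at a time, so a pin declared in one file and checked in another is reported as unconsumed when its defining file is scanned alone.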
5. Things that COULD be hardcode but aren't
- No _SCHEMA = "public" reliance for write paths: schema name is pinned _SCHEMA = "public" in prod_iu_adapter.py:67 and used as an identifier allowlist (defence-in-depth identifier allowlists). This is a safety allowlist, not an assumption that the live schema is public — the adapter still surveys columns before writing.
- No hardcoded function md5s used as runtime decisions: fingerprints.yaml (KB-tracked) holds md5 pins; runtime never imports/reads it for decision-making.
- No hardcoded SQL bodies inside Python: lifecycle DDL lives in sql/lifecycle/*.sql and is operator-runbook (never auto-applied by CI).
6. Verdict
g2_outcome : PASS
hardcoded_runtime_logic : 0
pin_constants_total : 15
pin_constants_fail_closed : 15 (100%)
pin_constants_unprovenanced: 0
os_environ_unsafe_uses : 0
schema_identifiers_used : as allowlists only (not assumed)
No remediation action required for G2.