Hardcode Cleanliness Audit · 04 Runbook / Fingerprint Scan
doc 4 of 7 · 2026-05-20 · G3 gate
phase : G3 — runbook + fingerprint manifest scan
outcome : G3 PASS (one minimal rename applied)
production_mutation : NONE (yaml-only)
1. sql/lifecycle/fingerprints.yaml header — already correct
# SOURCE : KB v0.5-lifecycle-enactment-execution-m3a-retry/doc 05
# + v0.5-post-enactment-closeout-release-readiness/doc 01
# PURPOSE : Pin md5(prosrc) and structural counts so that any
# reproduction of Bundles A..E can be byte-equality-verified.
# USE : Compare against output of verify_postapply.sql.
# DRIFT POLICY : If live md5 differs from these pins, STOP and route to
# sovereign — do not silently patch the repo to match.
Header explicitly labels every pin as drift-detection / provenance, not runtime truth. No change required.
2. Per-function entries — provenance check
| Entry | md5_prosrc | Provenance labelled? | In-scope flag |
|---|---|---|---|
| fn_iu_enact | 6ca9bc39… | implicit (top header) | in-scope of M3a |
| fn_iu_enacted_immut | aeb3fa4f… | implicit | in-scope |
| fn_uv_enacted_immut | 03f035a2… | implicit | in-scope |
| fn_iu_apply_edit_draft (pre/post) | 22875ce2… / 42e96b6c… | implicit | in-scope |
| fn_iu_create | 3017892a… | EXPLICIT (captured_utc, source_of_pin, drift_origin, drift_disposition — added by prior B-FN-IU-CREATE-FINGERPRINT-NOTE follow-up at d7ea6d1) | in_scope_of_m3a: false |
| fn_iu_gateway_write_guard | 6907fa4e… | implicit | in_scope_of_m3a: false |
3. One precision defect found + fixed
3.1 Defect
After the prior macro, fn_iu_create had a field:
prior_md5_prosrc: "dcade99a (truncated) — pre-A-4 patch baseline …"
The key name prior_md5_prosrc looks machine-readable. A future
drift-detector tool that iterates functions.*.prior_md5_prosrc could
mistakenly try to byte-compare an 8-hex prefix against a 32-char md5
and either (a) match nothing and trigger a false STOP, or (b) silently
treat the prefix as canonical. Both are bad.
3.2 Fix (commit 0a64a61)
Renamed to a clearly non-machine field and shortened the value:
prior_md5_prosrc_display_only: "dcade99a…" # 8-hex prefix only — DO NOT compare; full md5 lives in KB v0.5-fn-iu-create-canonical-path-survey-and-redesign/doc 02 (S2 contract survey). Stored under *_display_only to keep machine drift-detectors from matching against a partial hash.
The full prior md5 still lives in KB
v0.5-fn-iu-create-canonical-path-survey-and-redesign/doc 02 — the
audit-trail value is unchanged; only the runtime-safety presentation
changes.
3.3 YAML validity verified
$ python3 -c "import yaml; d=yaml.safe_load(open('sql/lifecycle/fingerprints.yaml')); print(d['functions']['fn_iu_create'])"
{'md5_prosrc': '3017892a5ac605a6daeaa5348e2a6cdf', 'in_scope_of_m3a': False,
'captured_utc': '2026-05-20', 'source_of_pin': '…',
'prior_md5_prosrc_display_only': 'dcade99a…',
'drift_origin': '…', 'drift_disposition': '…', 'note': '…'}
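A structural lint for the failure mode in 3.1, added here as an example and not part of the repository or this audit: it rejects any machine-readable md5 key whose value is not a full 32-hex digest, skips `*_display_only` keys, and refuses to compare pins until the manifest is clean. The function names `lint_manifest` and `detect_drift`, the assumption that every entry carries `md5_prosrc`, and the `BEFORE`/`AFTER` dicts (constructed from values shown on this page, in the shape `yaml.safe_load` returns) are assumptions.

```python
import re

FULL_MD5 = re.compile(r"[0-9a-f]{32}")
DISPLAY_SUFFIX = "_display_only"  # naming convention introduced by the fix in 3.2

def lint_manifest(manifest):
    """Return (function, key, value) for each md5 key that holds a partial hash."""
    findings = []
    for fn, entry in manifest.get("functions", {}).items():
        for key, value in entry.items():
            # Only keys that look machine-comparable are checked.
            if "md5" not in key or key.endswith(DISPLAY_SUFFIX):
                continue
            if not (isinstance(value, str) and FULL_MD5.fullmatch(value)):
                findings.append((fn, key, value))
    return findings

def detect_drift(manifest, live):
    """Return functions whose live md5(prosrc) differs from the pin.

    `live` maps function name -> md5(prosrc) as reported by the operator's
    verification query (assumed input). A dirty manifest is an error, so a
    prefix can never be byte-compared or treated as canonical.
    """
    bad = lint_manifest(manifest)
    if bad:
        raise ValueError(f"partial hash under machine key: {bad}")
    return [fn for fn, entry in manifest["functions"].items()
            if live.get(fn) != entry["md5_prosrc"]]

# Constructed samples: fn_iu_create before and after the rename.
BEFORE = {"functions": {"fn_iu_create": {
    "md5_prosrc": "3017892a5ac605a6daeaa5348e2a6cdf",
    "prior_md5_prosrc": "dcade99a (truncated)",
}}}
AFTER = {"functions": {"fn_iu_create": {
    "md5_prosrc": "3017892a5ac605a6daeaa5348e2a6cdf",
    "prior_md5_prosrc_display_only": "dcade99a…",
}}}

if __name__ == "__main__":
    print("before:", lint_manifest(BEFORE))
    print("after :", lint_manifest(AFTER))
    live = {"fn_iu_create": "3017892a5ac605a6daeaa5348e2a6cdf"}
    print("drift :", detect_drift(AFTER, live))
```

Unlike a text search for the word "truncated", this check also catches a short hash stored under a machine key without any marker.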
4. Other runbook artefacts in sql/lifecycle/
README.md
bundle_a_vocab_and_log.sql
bundle_b_immutability.sql
bundle_c_fn_iu_enact.sql
bundle_d_gateway_and_grants.sql
bundle_e_fn_iu_apply_edit_draft_patch.sql
fingerprints.yaml (edited above)
rollback_runbook.sql
verify_behavioral_probes.sql
verify_postapply.sql
verify_preflight.sql
Each .sql file carries the canonical header described in
KB v0.5-lifecycle-ddl-ratification-runbook/03-runbook-artifact-summary
(SOURCE / APPLIED / LIVE STATE / WARNING / FINGERPRINT / DEPENDS ON).
No additional hardcode debt was found in these.
5. Truncated-hash sweep outside fingerprints.yaml
grep -rnE '\(truncated\)|truncated\)' sql/
sql/lifecycle/fingerprints.yaml:58 (the entry already fixed above — no other hits)
Only the one entry — already remediated.
6. Verdict
g3_outcome : PASS
header_drift_policy_labelled : YES
per_function_pins_labelled : YES (in-scope flag + provenance in fn_iu_create)
truncated_hashes_under_machine_keys : 1 → 0 (renamed to *_display_only)
yaml_parse : OK
runtime_consumes_fingerprints_yaml : NO (verify by operator only)