Hardcode Cleanliness Audit · 05 Sidecar / Scratch Reference Scan
Hardcode Cleanliness Audit · 05 Sidecar / Scratch Reference Scan
doc 5 of 7 · 2026-05-20 · G4 gate
phase : G4 — sidecar / scratch / runner-provider scan outcome : G4 PASS — no runtime dependency on /tmp or untracked /opt/incomex/dot/specs sidecars production_mutation : NONE
1. /tmp/ references in repo
grep -rn '/tmp/' --include='*.py' --include='*.sql' --include='*.yaml' --include='*.md' .
(excluding .git/ and knowledge/)
tests/test_dryrun_snapshot_mark.py:206 …, "--out-dir", "/tmp/iucut-x"
tests/test_dryrun_snapshot_mark.py:214 …, "--out-dir", "/tmp/iucut-x"
Classification: test fixture scratch path. Used only as an output
directory for the dry-run snapshot test; never imported as a runtime
dependency by cutter_agent/*.py.
Verdict: safe. No remediation.
2. /opt/incomex/ references in repo
grep -rn '/opt/incomex' --include='*.py' --include='*.sql' --include='*.yaml' --include='*.md' .
README.md:62 cd /opt/incomex/dot
Classification: operator runbook step (README documentation of the deployment working directory). Not consumed by any Python module at import or runtime.
Verdict: safe. No remediation.
3. Runner / provider sidecars referenced from runtime
grep -rnE '(runner\.py|provider_[0-9]{8}|sidecar|legA_provider)' cutter_agent/ cli.py
→ (zero hits)
The historical sidecars enumerated in memory —
/tmp/cutter_legB_runner.py, /tmp/cutter_verify_runner.py,
/opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py — were
one-shot operator artefacts for M1 / M2 / leg-A. The repo never imports
them; their sha256s are pinned only in KB closeout reports for audit
trail.
Verdict: safe. The runtime path (prod_iu_adapter.build_* +
ledger_v2_canonical_*) is self-contained inside cutter_agent/ and
needs no external sidecar at runtime.
4. Cross-check: imports of cutter_agent/
python3 -c "import ast, pathlib; [print(p, [n.module for n in ast.walk(ast.parse(p.read_text())) if isinstance(n, ast.ImportFrom)]) for p in pathlib.Path('cutter_agent').glob('*.py')]" # (mental model; not executed inline)
By inspection of doc-03 §3 the only out-of-package imports are stdlib
(os, sys, json, hashlib, argparse, re, uuid, pathlib,
typing, contextlib, decimal, datetime, enum, dataclasses)
plus the in-package cutter_agent.dryrun / .phases / .signal /
.db_adapter / .ledger / .prod_iu_adapter. No /tmp or /opt
import path.
5. Verdict
g4_outcome : PASS
tmp_runtime_dependencies : 0
opt_incomex_runtime_dependencies : 0
sidecar_runner_runtime_dependencies : 0
test_fixture_tmp_paths : 1 file (acceptable)
operator_README_paths : 1 file (acceptable)
No remediation action required for G4.