KB-5428
Hardcode Cleanliness Audit · 06 Test + Commit Result
Revision 1
doc 6 of 7 · 2026-05-20 · G5 + G6 + G7 gates
phase : G5 (apply minimal fix) · G6 (run tests) · G7 (commit)
outcome : ALL PASS — one yaml rename, 12/12 + 265/265, commit 0a64a61
production_mutation : NONE
1. G5 — Minimal fix applied
The only defect identified by G1..G4 was the prior_md5_prosrc /
*_display_only field rename in sql/lifecycle/fingerprints.yaml
(see doc 04 §3). One line was touched; no production behaviour, no DDL
and no test logic changed. Diff:
- prior_md5_prosrc: "dcade99a (truncated) — pre-A-4 patch baseline, recorded in KB v0.5-fn-iu-create-canonical-path-survey-and-redesign/doc 02 (S2 contract survey)"
+ prior_md5_prosrc_display_only: "dcade99a…" # 8-hex prefix only — DO NOT compare; full md5 lives in KB v0.5-fn-iu-create-canonical-path-survey-and-redesign/doc 02 (S2 contract survey). Stored under *_display_only to keep machine drift-detectors from matching against a partial hash.
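Review bot: On the + line, the provenance that used to be part of the value ("pre-A-4 patch baseline", recorded in the KB doc 02 survey) now survives only in a trailing YAML comment, which yaml.safe_load discards, and the "pre-A-4 patch baseline" wording is dropped altogether. Consider carrying it in a parsed field (the existing note key, for instance) so consumers of the file can still see it. The "DO NOT compare" rule also rests on the key suffix alone; a test that fails when any md5 key without the _display_only suffix holds less than a full 32-hex value would enforce it rather than document it.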
DB env guard NOT touched. PIN_* runtime constants NOT touched. No schema/function assumptions added.
2. G6 — Tests
2.1 Targeted: tests.test_security_boundaries
$ python3 -m unittest tests.test_security_boundaries -v
…
Ran 12 tests in 0.010s
OK
12/12 PASS — confirms the rename did not regress the security boundary surface.
2.2 Full: python3 -m unittest discover -s tests
Ran 265 tests in 0.162s
OK
265/265 PASS — same clean baseline as after d7ea6d1.
2.3 YAML parse sanity
$ python3 -c "import yaml; d=yaml.safe_load(open('sql/lifecycle/fingerprints.yaml')); print(list(d['functions']['fn_iu_create'].keys()))"
['md5_prosrc', 'in_scope_of_m3a', 'captured_utc', 'source_of_pin',
'prior_md5_prosrc_display_only', 'drift_origin', 'drift_disposition', 'note']
The renamed key is present; the original prior_md5_prosrc key is
gone; YAML structure remains valid.
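An added example, not part of the audit's own tooling: a stricter form of the 2.3 sanity check that fails whenever an md5 key outside *_display_only holds anything other than a full 32-hex digest. It works on the mapping yaml.safe_load returns; the function names and the sample values are assumptions constructed for illustration.

```python
import re

FULL_MD5 = re.compile(r"[0-9a-f]{32}")
DISPLAY_ONLY = "_display_only"


def audit_fingerprints(doc):
    """Flag md5 keys that a drift detector could compare but that are not full digests."""
    findings = []
    for fn_name, fields in doc.get("functions", {}).items():
        for key, value in fields.items():
            if "md5" not in key or key.endswith(DISPLAY_ONLY):
                continue  # non-hash metadata, or explicitly excluded from comparison
            if not (isinstance(value, str) and FULL_MD5.fullmatch(value)):
                findings.append((fn_name, key, "not a full 32-hex md5"))
    return findings


def comparable_digests(doc):
    """Return {(function, key): digest} for the keys a drift detector may compare."""
    return {
        (fn_name, key): value
        for fn_name, fields in doc.get("functions", {}).items()
        for key, value in fields.items()
        if "md5" in key and not key.endswith(DISPLAY_ONLY)
        and isinstance(value, str) and FULL_MD5.fullmatch(value)
    }


# Constructed sample data, shaped like yaml.safe_load() output for the file above.
# The md5_prosrc value is a made-up placeholder, not the project's real pin.
PIN = "0123456789abcdef0123456789abcdef"
BEFORE = {"functions": {"fn_iu_create": {
    "md5_prosrc": PIN,
    "prior_md5_prosrc": "dcade99a (truncated)",  # pre-rename shape, abbreviated
}}}
AFTER = {"functions": {"fn_iu_create": {
    "md5_prosrc": PIN,
    "prior_md5_prosrc_display_only": "dcade99a…",
}}}

if __name__ == "__main__":
    print("before:", audit_fingerprints(BEFORE))
    print("after: ", audit_fingerprints(AFTER))
    print("comparable:", comparable_digests(AFTER))
```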
3. G7 — Commit
$ git add sql/lifecycle/fingerprints.yaml
$ git commit -m "chore(fingerprints): rename prior_md5_prosrc truncated value to display_only key ..."
[feature/constitution-snapshot-mark-dryrun 0a64a61] chore(fingerprints): rename prior_md5_prosrc truncated value to display_only key
1 file changed, 1 insertion(+), 1 deletion(-)
Post-commit state:
post_commit_log:
  - 0a64a61 chore(fingerprints): rename prior_md5_prosrc truncated value to display_only key
  - d7ea6d1 chore(light-followups): enrich fn_iu_create fingerprint note + refine DB env-guard baseline test
  - 1cd286e feat(sql/lifecycle): ratify M3a lifecycle DDL bundles A..E into operator-runbook track
heads:
  feature : 0a64a61 (was d7ea6d1)
  main : 1cd286e (UNCHANGED)
relationship:
  feature_ahead_of_main : 2
  feature_behind_main : 0
  ff_to_main_feasible : YES (linear; 1cd286e → 0a64a61 would land both follow-ups + this audit fix in one FF)
  ff_to_main_executed : NO (out of scope; package forbids push/tag/deploy)
4. Forbidden surface — final attestation
| Forbidden action | Status |
|---|---|
| Production DDL | NOT EXECUTED |
| Production DB mutation | NOT EXECUTED |
| Lifecycle mutation | NOT EXECUTED |
| Deploy / restart | NOT EXECUTED |
| Push | NOT EXECUTED (no remote anyway) |
| Tag | NOT EXECUTED |
| Hard delete | NOT EXECUTED |
| Source_document mutation | NOT EXECUTED |
| DB env guard weakened | NO |
| Secret logged | NO |
5. Verdict
g5_outcome : PASS (1 yaml rename, no behavioural change)
g6_outcome : PASS (12/12 targeted, 265/265 discover, yaml parse OK)
g7_outcome : PASS (commit 0a64a61 on feature only; no push/tag/deploy)