KB-1DF6
dot-iu-cutter v0.5 — W-4 · Production Adapter & Schema Drift Review (doc 3)
Revision 1
dot-iu-cutter · v0.5 · w4-credential-signing-production-adapter-readiness · schema-drift-review · production-adapter · dieu44 · 2026-05-19
doc 3 of 6 · 2026-05-19 · live PostgreSQL probed READ-ONLY (read-only role). No DDL/write.
1. Schema drift vs the W-3 captured contract — NO STRUCTURAL DRIFT
public.information_unit: 19 columns (W-3: 19) · 4 constraints (W-3: PK + UNIQUE
canonical_address + FK version_anchor_ref->unit_version + birth-gate L2 trigger) ⇒ MATCH
public.unit_version: 16 columns (W-3: 16) ⇒ MATCH
birth-gate function fingerprints (NEW W-4 drift baseline; pin for W-5 re-verify):
md5(pg_get_functiondef fn_iu_birth_gate_layer1) = f38c94d0043a61507a8c2e85afd59998
md5(pg_get_functiondef fn_iu_birth_gate_layer2) = 078ba0051ce4d894cabcc0102c4320f8
dot_config vocab: 6/6 required keys present (vocab.unit_kind.law_unit,
vocab.section_type.{principle,section,article}, vocab.publication_type.law,
vocab.publication_authority.incomex_council) ⇒ writer mapping still valid (OD-W6).
pre-existence: public.information_unit total=98, ICX-CONST=0; unit_version total=105.
⇒ 0 ICX-CONST collision STILL HOLDS — the 60 Constitution IUs remain a clean insert.
verdict: the writer's scratch birth-gate contract still faithfully mirrors production
structure as of 2026-05-19. (The L1/L2 md5 fingerprints are the drift pins W-5 must
re-assert read-only immediately before any production CUT.)
2. Production adapter readiness — NOT READY (no adapter for the birth model)
db_adapter.RealPostgresAdapter (committed v0.4): a psycopg3 DBAdapter over the v0.4
cutter_governance LEDGER shape (decision_backlog_entry.status CAS + INSERT ledger);
REFUSES production connect in the v0.4 cycle (no DSN/env/secret), NOT wired into any
runtime, exercised only via fake-connection unittests. It is NOT a writer for the
public.information_unit + unit_version birth-gate model and does NOT do the
INSERT-IU -> INSERT-unit_version -> UPDATE-anchor transaction.
cutwrite.py: import-isolated, NO DB adapter (db-isolated scratch only).
⇒ there is NO production adapter that can perform the constitution birth transaction.
Building one now is PREMATURE and would be guessing, because:
- the credential/GRANT target is unresolved (GAP-C1: cutter_exec has 0 grants on the
target; cutter_governance absent) — the adapter's connect principal + grant surface
are undefined until a new credential command-review fixes them;
- the governed-ledger location (GAP-C2) is unresolved — the adapter's change-set/
signature write target is undefined.
Authoring adapter code against undefined grants/schema would violate the project's
"no fabrication / fail-closed" discipline. ⇒ adapter is specified as a DESIGN contract
(doc 4 §3), code WITHHELD until GAP-C1/C2 are ruled.
3. Guarded production-adapter design contract (for the future, gated W-5 build)
shape: a SEPARATE module (e.g. cutter_agent/prod_iu_adapter.py) NOT imported by cutwrite's
db-isolated path; cutwrite gains a production mode ONLY in a future gated cycle.
hard guards (fail-closed, all required before a single connect):
- explicit --i-have-sovereign-production-write-approval flag AND a matching KB approval
doc id; absent ⇒ exit 2 (never connect);
- principal MUST be cutter_exec (post-connect: SELECT current_user = 'cutter_exec';
cutter_ro/workflow_admin/directus/postgres ⇒ abort);
- read-only drift precheck inside the same session BEFORE any write: information_unit
19 cols / unit_version 16 cols / 4 constraints / L1 md5 f38c94d0… / L2 md5 078ba005… /
vocab 6/6 / ICX-CONST count == 0; any mismatch ⇒ abort, zero writes;
- one atomic transaction; the writer_digest must equal the ratified d99a31d4… before
commit; DOT-991 executor signature attached to the cut_change_set (lane-overlap
invariants enforced); rollback on any birth-gate L1/L2 raise;
- secret via the approved .env (DOT_CUTTER_EXEC_DB_*), never logged, never in argv/KB.
status: DESIGN ONLY. No code authored this phase. Build is gated at W-5 (after GAP-C1/C2/
C3/C5 are ruled and a fresh backup + sovereign approval exist).
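The principal guard and read-only drift precheck from the list above, sketched as an added illustration; this is not dot-iu-cutter project code, which remains unwritten this phase. The dictionary keys, function names and snapshot shape are hypothetical, the pinned values are the W-4 baseline from section 1, and how the snapshot is probed from PostgreSQL is deliberately left out.

```python
# Added illustration only; not dot-iu-cutter code. All names here are hypothetical.
from dataclasses import dataclass

# Drift pins recorded in section 1 of this document (W-4 baseline).
BASELINE = {
    "information_unit_columns": 19,
    "unit_version_columns": 16,
    "information_unit_constraints": 4,
    "l1_md5": "f38c94d0043a61507a8c2e85afd59998",
    "l2_md5": "078ba0051ce4d894cabcc0102c4320f8",
    "vocab_keys_present": 6,
    "icx_const_count": 0,
}
REQUIRED_PRINCIPAL = "cutter_exec"
_MISSING = object()


@dataclass(frozen=True)
class GuardResult:
    may_write: bool
    reasons: tuple


def drift_mismatches(observed: dict) -> list:
    """Compare a probe snapshot with the pins; absent or wrongly typed values are drift."""
    problems = []
    for key, pinned in BASELINE.items():
        seen = observed.get(key, _MISSING)
        if seen is _MISSING:
            problems.append(f"{key}: not probed")
        # Strict type check so False == 0 or "19" never passes as a match.
        elif type(seen) is not type(pinned) or seen != pinned:
            problems.append(f"{key}: pinned {pinned!r}, observed {seen!r}")
    return problems


def evaluate_guards(current_user, observed: dict) -> GuardResult:
    """Fail closed: every guard must pass; all failures are collected for the abort log."""
    reasons = []
    if current_user != REQUIRED_PRINCIPAL:
        reasons.append(f"principal: expected {REQUIRED_PRINCIPAL!r}, got {current_user!r}")
    reasons.extend(drift_mismatches(observed))
    return GuardResult(may_write=not reasons, reasons=tuple(reasons))


# Constructed snapshots: one matching the pins, one with a changed L2 function
# definition and pre-existing ICX-CONST rows.
CLEAN = dict(BASELINE)
DRIFTED = {**BASELINE, "l2_md5": "0" * 32, "icx_const_count": 3}
```

A caller would abort with zero writes whenever `may_write` is false, and would run this inside the same session that later opens the write transaction.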
doc 3 of 6. Read-only. No production mutation. Self-advance PROHIBITED.