KB-47D6

dot-iu-cutter v0.5 — W-4 · Production CUT Command Readiness / Gap (BLOCKED_WITH_EXACT_GAP) (doc 4)

doc 4 of 6 · 2026-05-19 · Outcome: BLOCKED_WITH_EXACT_GAP. No runnable production CUT command is authored (would be fabrication against unresolved credential/ledger targets). Exact gaps + minimal unblock below.

1. Exact gap (evidence-grounded; docs 2 & 3)

GAP-C1 (CONTROLLING) credential↔target mismatch:
  cutter_exec/cutter_verify roles are LIVE but have ZERO grants on the actual writer
  target directus.public.information_unit / unit_version (has_table_privilege all false;
  role_table_grants 0 rows). The v0.4 ratified grant matrix is scoped to schema
  cutter_governance, which is ABSENT in directus & workflow. ⇒ the v0.4 credential
  closure does NOT make the constitution writer runnable. A NEW, separately-gated
  credential/GRANT command-review + sovereign execution scoped to
  public.information_unit (INSERT, column-scoped UPDATE for anchor) + public.unit_version
  (INSERT) is REQUIRED. Likelihood: certain (verified). Impact: high if assumed solved.
GAP-C2 governed-ledger substrate absent/unconfirmed: cut_change_set / dot_pair_signature /
  decision_backlog_history / verify_result (schema cutter_governance) not present/visible
  in the directus DB ⇒ the CUT change-set + DOT-991 signature + status-history write
  target is undefined. Architectural reconciliation required (provision in directus OR a
  ratified cross-DB governed-ledger design).
GAP-C3 DOT-991 signing not built: signing.py is Stub/Deferred ("no production key/secret;
  deferred HIGH-risk crypto"). The lane-overlap invariants (cross-ref change_set_id only,
  signer_dot_id=DOT-991, swapped-lane negative test) are unimplemented for cutwrite.
GAP-C4 no production adapter for the birth model (doc 3 §2); code WITHHELD (premature
  until C1/C2 ruled — would be guessing the grant/ledger surface).
GAP-C5 no separate explicit sovereign production-DB-write approval for the constitution.
classification: IMPLEMENTATION + AUTHORIZATION gap (schema/structure NOT drifted; the
  block is missing grants + missing ledger target + unbuilt signing + missing approval).

2. Production CUT command — WITHHELD (contract only, NOT runnable)

why_withheld: a runnable `python -m cutter_agent.<prod-writer> --production …` cannot be
  honestly written while GAP-C1 (no grant target), GAP-C2 (no ledger target), GAP-C3
  (no signing) hold. Fabricating it = the exact failure the project forbids. The CONTRACT
  the future gated entrypoint must satisfy is specified; the command itself is WITHHELD.
contract (future, after C1..C5 ruled): cutter_exec principal; --manifest (digest
  9d908a62…, file sha 7d56f3ce…, 60 cands); --snapshot-artifact (region 17660443…);
  --expect-writer-digest d99a31d4…; --i-have-sovereign-production-write-approval <kb-id>;
  one atomic txn = 60 INSERT information_unit + 60 INSERT unit_version + 60 UPDATE anchor
  + 1 cut_change_set + DOT-991 dot_pair_signature + decision_backlog_history; fail-closed.

3. Minimal unblock sequence (each a SEPARATE GPT/User + sovereign gate)

U-W4a  GPT/User ruling on GAP-C1/C2: (i) confirm the constitution governed write target =
       directus.public.information_unit + unit_version; (ii) decide the governed-ledger
       location (provision cutter_governance ledger in directus, OR ratify a cross-DB
       design). Output: a credential/GRANT command-review package scoped to the ruled
       target (column-scoped INSERT/UPDATE; append-only; no DELETE/DDL; SoD preserved).
U-W4b  (after U-W4a) sovereign-gated credential/GRANT EXECUTION (mirrors the v0.4
       12-command C_01..C_12 discipline: fresh backup, preflight, sha-gated SQL, apply,
       structural+behavioral verify, rollback on any gate). Re-confirm cutter_exec then
       has INSERT/UPDATE on the ruled target; cutter_ro/forbidden writers unchanged.
U-W4c  DOT-991 signing build + GPT review (real signing identity + lane-overlap invariant
       tests; swapped-lane negative test must fail). Separately gated (HIGH-risk crypto).
U-W4d  gated build of the guarded production adapter (doc 3 §3) + a scratch/txn-rollback
       integration proof; feature branch only; still no production write.
U-W5   production CUT command-review + a SEPARATE explicit sovereign production-DB-write
       approval + the live drift re-verify (L1 md5 f38c94d0… / L2 md5 078ba005… /
       19·16 cols / 4 constraints / vocab 6/6 / ICX-CONST==0). Only then is a runnable
       production CUT command authorable.
note: P-track (cut-plan dry-run) + W-3 (writer) already CLOSED_PASS; nothing here is
  blocked on writer correctness — the block is purely the production bridge (grants/
  ledger/signing/approval).
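
Read-only PostgreSQL checks matching the GAP-C1 evidence, the U-W4b re-confirm and the GAP-C2 ledger-presence question. This is an added example, not part of the project's command set. Role, schema and table names are those named on this page; the set of privileges probed and the inclusion of cutter_ro in every query are assumptions.

```sql
-- Added example (PostgreSQL), read-only: grants or changes nothing.
-- Run while connected to the directus database. Names come from the page.

-- 1. Effective privileges per role and target table (GAP-C1 / U-W4b re-confirm).
--    Errors if a listed role or table does not exist in this database.
WITH roles(r)   AS (VALUES ('cutter_exec'), ('cutter_verify'), ('cutter_ro')),
     targets(t) AS (VALUES ('public.information_unit'), ('public.unit_version')),
     privs(p)   AS (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE'))
SELECT r AS role_name, t AS target, p AS privilege,
       has_table_privilege(r::name, t, p) AS table_level,
       -- A column-scoped grant is invisible at table level; check "any column" too.
       CASE WHEN p IN ('SELECT', 'INSERT', 'UPDATE')
            THEN has_any_column_privilege(r::name, t, p)
       END AS any_column
FROM roles CROSS JOIN targets CROSS JOIN privs
ORDER BY r, t, p;

-- 2. Explicit grant rows. information_schema lists only grants involving the
--    session's enabled roles, so run as a role that can see them (a superuser can).
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('cutter_exec', 'cutter_verify', 'cutter_ro')
  AND table_schema = 'public'
  AND table_name IN ('information_unit', 'unit_version')
ORDER BY grantee, table_name, privilege_type;

--    Per-column rows (table-wide grants also appear here, one row per column).
SELECT grantee, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee IN ('cutter_exec', 'cutter_verify', 'cutter_ro')
  AND table_schema = 'public'
  AND table_name IN ('information_unit', 'unit_version')
ORDER BY grantee, table_name, column_name, privilege_type;

-- 3. Ledger substrate presence (GAP-C2): present = false means no such table
--    exists in schema cutter_governance of the connected database.
SELECT l.tbl AS ledger_table, c.oid IS NOT NULL AS present
FROM (VALUES ('cut_change_set'), ('dot_pair_signature'),
             ('decision_backlog_history'), ('verify_result')) AS l(tbl)
LEFT JOIN pg_namespace n ON n.nspname = 'cutter_governance'
LEFT JOIN pg_class c ON c.relnamespace = n.oid AND c.relname = l.tbl
                    AND c.relkind IN ('r', 'p')
ORDER BY l.tbl;
```

In the state GAP-C1 describes, query 1 returns false in every table_level row for cutter_exec and cutter_verify and query 2 returns no rows for them; after U-W4b the same queries should show only the ruled INSERT/UPDATE privileges for cutter_exec, with DELETE and TRUNCATE still false.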

doc 4 of 6. No production mutation. Self-advance PROHIBITED.
