KB-3D0C
dot-iu-cutter v0.5 — Write-VERIFY · Authoring & Local Test Result (G3 — 30/30 PASS) (doc 3 of 7)
12 min read Revision 1
dot-iu-cutterv0.5write-verify-dot992-executionauthoring-and-testg3-pass30-of-30-testsno-psycopg-importlive-shape-correctstub-signing-dot992dieu442026-05-20
dot-iu-cutter v0.5 — Write-VERIFY · Authoring & Local Test Result
doc 3 of 7 · 2026-05-20 · M2 macro
phase : G3 — author ledger_v2_canonical_verify + fake-conn tests outcome : PASS — 30 / 30 unit tests green (0.002s) ; no DB production_mutation : NONE this phase
1. Authored module — cutter_agent/ledger_v2_canonical_verify.py
location_local : /Users/nmhuyen/iu-cutter-build/repo/iu-cutter/cutter_agent/
ledger_v2_canonical_verify.py
location_stage : /tmp/iu-cutter-v05-stage/cutter_agent/
ledger_v2_canonical_verify.py (contabo ; staged for sidecar)
sha256 : 18ee4ca2ae28c3b21d76c3e1591b5a718123464f50b4e7f8d11e9a008b6dff97
size : ~380 LOC (recorder + plan + _insert helper)
no_psycopg : verified by AST scan in the unit test
(TestConstruction.test_module_does_not_import_psycopg).
import_surface : stdlib only + cutter_agent.* (DOT_VERIFIER_LANE,
prod_iu_adapter pins, signing.StubSigning).
1.1 Public surface
class VerifyRecorder :
__init__(*, signer=None) # default StubSigning() on DOT-992
plan(live_state) -> dict # pure ; no DB ; row-builder + UUID gen
record(conn, live_state) -> dict # 1 SELECT (G-VERIFY-ONCE) + 2 INSERTs
inside caller-owned txn
exceptions :
VerifyLiveStateMismatch # bad live_state shape / pin mismatch
VerifyAlreadyRecorded # G-VERIFY-ONCE refusal
1.2 plan() invariants (14)
required keys : change_set_id, review_decision_id,
manifest_envelope_id, executor_signature_id,
iu_count, uv_count, anchored_exact,
distinct_canonical_address, distinct_content_hash,
section_type_cardinality, dieu_44_intrusion,
body_hash_match_60, lifecycle_uniform_draft,
publication_type_uniform_law
pin checks :
change_set_id == 456c6830-a747-4b53-ac2f-665e25e12cd0
review_decision_id == 29c88a7b-60f7-41bd-af45-43cc9b9f41c0
manifest_envelope_id == 638cf363-f45a-4bb3-b9bb-928c5e24c15b
executor_signature_id == 3a249063-e33a-406a-9302-2e9e646a0938
cardinality / quantitative :
iu_count == 60
uv_count == 60
anchored_exact == 60
distinct_canonical_address == 60
distinct_content_hash == 60
body_hash_match_60 == 60
dieu_44_intrusion == 0
section_type_cardinality == {principle:15, section:3, article:42}
uniform invariants :
lifecycle_uniform_draft is True (A-3)
publication_type_uniform_law is True (A-4)
1.3 Pinned identity (reused from M1 / canonical-CUT pins)
PIN_WRITER_DIGEST : d99a31d4a4be907c510ae15965e9f7bb3387e9e28676e9f32adf463828b1aa28
PIN_MANIFEST_DIGEST : 9d908a62fcf01bb88e05a1af4335b960710006ddcfd21c811ca63efb33dd324f
PIN_MANIFEST_FILE_SHA : 7d56f3ce066950ccef3de4156c5afeea81b2450b8e38393205b52c1fca012179
PIN_SOURCE_VERSION : icxconst-008a06ace23a96ea6cd456146e805c97
PIN_CANDIDATE_COUNT : 60
PIN_EXECUTOR_TOOL_REVISION : iu-cutter@f20c79c+canonical-A4-patch+autocommit-fix
PIN_VERIFIER_TOOL_REVISION : iu-cutter@f20c79c+write-verify-dot992-stub
⇒ executor != verifier ⇒ tool_revision_match=false ⇒ SoD invariant preserved.
PIN_M1_CHANGE_SET_ID : 456c6830-a747-4b53-ac2f-665e25e12cd0
PIN_M1_REVIEW_DECISION_ID : 29c88a7b-60f7-41bd-af45-43cc9b9f41c0
PIN_M1_MANIFEST_ENVELOPE_ID: 638cf363-f45a-4bb3-b9bb-928c5e24c15b
PIN_M1_EXECUTOR_SIGNATURE_ID: 3a249063-e33a-406a-9302-2e9e646a0938
PIN_M1_PAYLOAD_HASH : 7468c7a976ab729c32d19e93001bf724f7cf2b1f59a41f5b8788ac6b627c6cfa
1.4 Row values (highlights)
dot_pair_signature (verifier ; DOT-992) :
signature_kind : 'verifier'
signer_dot_id : 'DOT-992'
signer_tool_revision : PIN_VERIFIER_TOOL_REVISION
payload_envelope (canonical JSON, sha256 → payload_hash) :
verify_result_id (pre-gen), change_set_id, review_decision_id,
manifest_envelope_id, executor_signature_id, executor_payload_hash,
writer_digest, manifest_digest, manifest_version (=writer_digest),
source_version_id, candidate_count=60, docprefix='ICX-CONST',
verifier_tool_revision, executor_tool_revision, tool_revision_match=false,
verify_kind='axis_1_round_trip', verdict='pass',
axis_1_status='pass', axis_1_drift_count=0, axis_2_status='pass',
findings_summary{iu_count:60, uv_count:60, anchored_exact:60,
body_hash_match_60:60, section_type{15/3/42},
dieu_44_intrusion:0, lifecycle_uniform_draft:true},
lane='DOT-992', is_production=false (StubSigning),
signer_identity='stub-verify-identity',
canonicalization_rule_used='canon-md-v0.1.0'
signature_payload : <StubSigning sha256(lane|identity|digest|prior=M1 exec sig)>
cross_reference_change_set_id : NULL
cross_reference_verify_result_id : <pre-gen verify_result_id> (XOR ✓)
prior_signature_id : PIN_M1_EXECUTOR_SIGNATURE_ID (cross-lane chain)
scenario_ref : v0.5-first-controlled-canonical-cut
verify_result :
verify_result_id : <pre-gen UUID>
change_set_id : M1 change_set_id (FK ✓)
manifest_id : M1 manifest_envelope_id (logical → envelope_id)
manifest_version : PIN_WRITER_DIGEST
review_decision_id : M1 review_decision_id
verify_kind : 'axis_1_round_trip'
axis_1_status : 'pass' ; axis_1_drift_count : 0
axis_2_status : 'pass'
findings (jsonb) : 22 verified facts (see §1.5)
verdict : 'pass'
verdict_rationale : "first controlled canonical Constitution CUT
structurally verified (60 IU / 60 UV / 60 anchored ;
body_hash_match=60 ; NT15·KT3·DIEU42 ; Điều 44 absent ;
lifecycle=draft uniform per A-3 ; publication_type=law
uniform per A-4) ; reconstruction PASS ; writer_digest
equivalence PASS ; SoD invariant preserved
(executor_tool_revision != verifier_tool_revision)"
executor_signature_id : PIN_M1_EXECUTOR_SIGNATURE_ID (FK ✓)
verifier_signature_id : <sig_id from step 1> (FK ✓)
executor_tool_revision : PIN_EXECUTOR_TOOL_REVISION
verifier_tool_revision : PIN_VERIFIER_TOOL_REVISION
tool_revision_match : false
state : 'complete'
rollback_triggered : false
canonicalization_rule_used: 'canon-md-v0.1.0'
scenario_ref : v0.5-first-controlled-canonical-cut
1.5 findings payload (canonical JSON ; jsonb in DB)
findings :
change_set_id, review_decision_id, manifest_envelope_id,
executor_signature_id, writer_digest, manifest_digest, manifest_file_sha256,
source_version_id,
iu_count=60, uv_count=60, anchored_exact=60,
distinct_canonical_address=60, distinct_content_hash=60,
section_type{principle:15, section:3, article:42},
dieu_44_intrusion=0, body_hash_match_60=60,
lifecycle_uniform_draft=true, publication_type_uniform_law=true,
reconstruction='pass', writer_digest_equivalence='pass',
axis_1_round_trip='pass', axis_2_structural_boundaries='pass',
canonicalization_rule_used='canon-md-v0.1.0'
2. Authored tests — tests/test_ledger_v2_canonical_verify.py
sha256 : c46370affaf0b357c983ccfcaf2a011e5e51512e1cf28379746024c09ff160da
test_count : 30
classes : 6
TestConstruction (2) construct + AST scan for no-psycopg
TestPinsAreRatified (3) M1 ids pin / writer_digest pin / SoD pin
TestPlanValidation (12) missing keys, wrong M1 ids, cardinality 60/60/60,
section_type, lifecycle, publication_type
TestPlannedRowShape (8) XOR, NOT NULL no-default, FK targets,
manifest_version=writer_digest, findings,
payload_hash canonical, chained prior sig
TestRecordEmits (3) 1 SELECT + 2 INSERTs in order, refuses on
collision, linkage returned
TestStubSigning (1) DOT-991 vs DOT-992 placeholder signatures differ
fake_conn : _FakeCursor + _FakeConn record (sql, params) ;
G-VERIFY-ONCE probe returns (0,) so record() proceeds.
run :
$ python3 -m unittest tests.test_ledger_v2_canonical_verify -v
Ran 30 tests in 0.002s — OK
3. Runner module — /tmp/cutter_verify_runner.py
authored : in-session 2026-05-20 (sovereign-authored ephemeral artifact)
location : /tmp/cutter_verify_runner.py (laptop ; staged to contabo)
sha256 : ac071f69bec6094e86a95b3f116572737564fb8a7d7c004d74041144ac3a8302
modes :
--mode rollback-only-smoke BEGIN ; recorder.record() ; ROLLBACK ; exit 0
--mode commit BEGIN ; recorder.record() ; COMMIT ; exit 0
connection :
psycopg2 ; DSN = host=127.0.0.1 port=5432 dbname=directus user=cutter_verify
trust-auth via pg_hba 'host all all 127.0.0.1/32 trust' (works ONLY when the
process shares the postgres container's network namespace ; same model as
leg-A + leg-B runners).
guards (pre-write) :
G4 : current_user = 'cutter_verify' (raise on mismatch)
G4b : cut_change_set row 456c6830-… present
AND dot_pair_signature row 3a249063-… (executor) present
G6 : SELECT count(*) FROM verify_result WHERE change_set_id=456c6830-… == 0
G5 : read live VERIFY facts via 1 CTE query :
· iu_count = 60
· uv_count = 60
· anchored_exact = 60 (version_anchor_ref::text == content_anchor_ref)
· distinct_canonical_addr = 60
· distinct_content_hash = 60
· body_hash_match = 60 (content_hash == sha256(body))
· NT=15 KT=3 DIEU=42
· dieu_44_intrusion = 0
· not_draft_count = 0 (lifecycle uniform draft)
· not_law_count = 0 (publication_type uniform law)
Any deviation aborts before INSERT.
forbidden (per GPT M1 closeout ruling — enforced by runner code) :
· no lifecycle / source_document / source_version mutation
· no deploy/restart/merge/tag
· no SQL emitted outside the recorder body + G4/G4b/G5/G6 read-only probes
4. Disposition
G3 (local proof) : PASS — 30/30 ; no DB ; ratified pins ; live shape correct
production_mutation: NONE
next : G4 execution precheck (rollback-only smoke ; doc 4 §1)
doc 3 of 7.