KB-187B
O11 automation+agent-sandbox bundle — 04 Approval packet final
Revision 1
O11 Report 04 — Sovereign approval packet, finalized (BRANCH 3)
- macro: v0.6-o11-automation-agent-sandbox-program-bundle
- date_utc: 2026-05-21
- host: Contabo vmi3080463
- gate: BRANCH 3
- result: PASS — SG_1 / SG_2 templates finalized. NO approval is minted or assumed by this macro.
1. Status (re-confirmed this macro)
explicit valid sovereign approval: NONE FOUND
- knowledge_documents: no row after the O10 ruling (id 4400) authorising a run
- /var/lib/cutter/approvals/: EMPTY
- the strings kb:approval-sovereign-prod-write-1 / kb:approval-u-w4b-grant-1
appear only as placeholder ids in packages/tests — never a real grant
killswitch flip authorisation: ABSENT
consequence: do NOT run; do NOT flip execution_enabled
2. Two-gate model (from approval.py — validate_sovereign_approval)
SG_1_cut_authz: authorises pre_write_backup .. write_verify
  effect: new IUs land in lifecycle_status = 'draft'
  reversible: YES — soft-revert / compensation (GAP6)
  TTL: 24h from signed_utc
SG_2_lifecycle_authz: authorises lifecycle_enact -> 'enacted'
  effect: IRREVERSIBLE enactment
  extra: requires a review_decision_id line
  TTL: 12h from signed_utc
recommended first run: SG_1 ONLY. Stop before lifecycle_enact. Do not mint SG_2.
3. SG_1 approval template (sovereign authors AFTER cut() pauses)
The run_id does not exist until the cut(mode=LIVE) call pauses at
AWAITING_CUT_AUTHORIZATION. The sovereign reads the printed run_id, then
writes this file to /var/lib/cutter/approvals/sg1-<run_id>.md:
# Sovereign approval — SG_1
gate: SG_1_cut_authz
run_id: <the run_id printed by the paused cut() call — copy verbatim>
signed_utc: <fresh ISO-8601 UTC, e.g. 2026-05-21T11:30:00Z — within 24h of use>
allowance: explicit
payload_sha256: <optional — the cutplan payload sha; matched if resume passes it>
scope: First orchestrator-managed production cut to lifecycle_status='draft'
only. Authorises phases cut_leg_a .. write_verify for THIS run_id.
Does NOT authorise lifecycle_enact. Does NOT authorise any other run.
target: <document_id or generic docprefix, e.g. "O11-FIX" — the run binds it>
stop_after: AWAITING_LIFECYCLE_AUTHORIZATION (do not mint SG_2)
authorised_by: <sovereign identity>
Context prose around the required lines is allowed — the validator is
loosely parsed (it picks out key: value lines and ignores the rest). SG_1
requires four lines: gate, run_id, signed_utc, allowance. SG_2 requires the
same four plus review_decision_id. A doc that is missing any required line,
names a different run_id, or is older than the gate's TTL is refused.
4. execution_enabled flip — separate sovereign act (GAP7, run-scoped)
what: edit cutter_agent/orchestrator/__init__.py:36
__execution_enabled__ = False -> True
who: the sovereign only — NOT any macro/agent
when: immediately BEFORE the cut(mode=LIVE) call
scope: SINGLE-RUN. Flip back to False immediately after the run ends —
success OR failure. NEVER leave True at rest.
defence-in-depth: execution_enabled() is read fresh at call time AND the
adapter re-checks via _assert_live_allowed.
This flip is not an approval document — it is a code-constant change the sovereign performs by hand. It and the SG_1 doc are two distinct acts.
5. SG_2 approval template (ONLY if a later run enacts — not the first run)
# Sovereign approval — SG_2
gate: SG_2_lifecycle_authz
run_id: <same run_id>
signed_utc: <fresh ISO-8601 UTC — within 12h of use>
allowance: explicit
review_decision_id: <a fresh cutter_governance.review_decision id for this run>
scope: Authorises lifecycle_enact for THIS run_id — IRREVERSIBLE.
authorised_by: <sovereign identity>
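As an added example (not the project's approval.py and not its validate_sovereign_approval), the Python validator below implements the rules §3 and §5 state for the loosely-parsed approval file, and the refusals §7 lists for a stale, wrongly bound or incomplete doc: required lines per gate, gate-specific TTL measured from signed_utc, run_id binding, review_decision_id for SG_2, and the optional payload_sha256 match. The sample documents, run_id and review_decision_id are constructed for the demo; the five-minute clock-skew allowance and the unfilled-placeholder check are assumptions, not behaviour the page documents.

```python
"""Loosely-parsed validator for SG_1 / SG_2 sovereign approval files (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Gate name -> (TTL from signed_utc, extra required lines), per the two-gate model.
GATES: dict[str, tuple[timedelta, tuple[str, ...]]] = {
    "SG_1_cut_authz": (timedelta(hours=24), ()),
    "SG_2_lifecycle_authz": (timedelta(hours=12), ("review_decision_id",)),
}
BASE_REQUIRED = ("gate", "run_id", "signed_utc", "allowance")
CLOCK_SKEW = timedelta(minutes=5)  # assumption: tolerate a slightly future-dated signed_utc

# A "key: value" line. Headings, prose sentences and continuation lines do not match.
_KV = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<val>\S.*?)\s*$")


class ApprovalRefused(Exception):
    """resume() must refuse the approval document; the message is the reason."""


@dataclass(frozen=True)
class Verdict:
    gate: str
    run_id: str
    expires_utc: datetime


def parse_approval(text: str) -> dict[str, str]:
    """Collect key: value lines; context prose is ignored. The first occurrence of a
    key wins, so a stray later line cannot silently override what was signed."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m["key"] not in fields:
            fields[m["key"]] = m["val"]
    return fields


def parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries an offset and return it as aware UTC."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError as exc:
        raise ApprovalRefused(f"signed_utc not ISO-8601: {value!r}") from exc
    if dt.tzinfo is None:
        raise ApprovalRefused("signed_utc must carry an offset (use a trailing Z)")
    return dt.astimezone(timezone.utc)


def validate_sovereign_approval(
    text: str, *, expected_gate: str, run_id: str,
    now: datetime | None = None, payload_sha256: str | None = None,
) -> Verdict:
    """Accept the doc only if every rule holds; otherwise raise ApprovalRefused."""
    now = now or datetime.now(timezone.utc)
    if expected_gate not in GATES:
        raise ApprovalRefused(f"unknown gate: {expected_gate}")
    ttl, extra = GATES[expected_gate]
    f = parse_approval(text)
    for key in BASE_REQUIRED + extra:            # missing line -> refuse
        if key not in f:
            raise ApprovalRefused(f"missing line: {key}")
        if f[key].startswith("<"):               # template copied but never filled in
            raise ApprovalRefused(f"unfilled template placeholder: {key}")
    if f["gate"] != expected_gate:               # an SG_1 doc cannot serve as SG_2
        raise ApprovalRefused(f"gate mismatch: doc says {f['gate']}, phase needs {expected_gate}")
    if f["run_id"] != run_id:                    # the doc is bound to exactly one run
        raise ApprovalRefused(f"wrong run_id: doc {f['run_id']!r}, resume {run_id!r}")
    if f["allowance"] != "explicit":
        raise ApprovalRefused(f"allowance must be 'explicit', got {f['allowance']!r}")
    signed = parse_utc(f["signed_utc"])
    if signed > now + CLOCK_SKEW:
        raise ApprovalRefused("signed_utc is in the future")
    if now - signed > ttl:                       # stale -> refuse
        raise ApprovalRefused(f"stale: signed {signed.isoformat()} exceeds {ttl} TTL")
    if payload_sha256 is not None and "payload_sha256" in f:   # matched only if resume passes it
        if f["payload_sha256"].lower() != payload_sha256.lower():
            raise ApprovalRefused("payload_sha256 does not match the cutplan passed to resume")
    return Verdict(expected_gate, run_id, signed + ttl)


def refusal_reason(text: str, **kw) -> str | None:
    """The refusal reason, or None when the doc is accepted."""
    try:
        validate_sovereign_approval(text, **kw)
    except ApprovalRefused as exc:
        return str(exc)
    return None


# Constructed sample docs for the demo; run_id and review_decision_id are invented.
SG1_DOC = """\
# Sovereign approval — SG_1
Written after cut(mode=LIVE) paused at AWAITING_CUT_AUTHORIZATION.
gate: SG_1_cut_authz
run_id: run-demo-0001
signed_utc: 2026-05-21T11:30:00Z
allowance: explicit
scope: Authorises cut_leg_a .. write_verify for THIS run_id only.
stop_after: AWAITING_LIFECYCLE_AUTHORIZATION (do not mint SG_2)
authorised_by: sovereign (demo)
"""
SG2_DOC = """\
gate: SG_2_lifecycle_authz
run_id: run-demo-0001
signed_utc: 2026-05-21T13:00:00Z
allowance: explicit
review_decision_id: rd-demo-0001
authorised_by: sovereign (demo)
"""

if __name__ == "__main__":
    t = parse_utc("2026-05-21T12:00:00Z")
    print(validate_sovereign_approval(SG1_DOC, expected_gate="SG_1_cut_authz", run_id="run-demo-0001", now=t))
    print(refusal_reason(SG1_DOC, expected_gate="SG_1_cut_authz", run_id="run-demo-0001", now=parse_utc("2026-05-22T12:00:00Z")))
```

The first-occurrence rule in parse_approval is deliberate: with a loosely parsed file, the weakest point is a second `run_id:` or `signed_utc:` line buried in the prose, so the validator binds to whichever the sovereign wrote first rather than the last one seen. Refusing values that still start with `<` catches the most likely operator error with a template-based packet, copying the template without filling it in.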
6. Exact command flow (approval-gated points marked)
[operator] env + grants + backup selftest (R03)
[SOVEREIGN] flip __execution_enabled__ True <-- B2
[runner] cut(mode=LIVE) -> runs source_pin..grant_probe
-> PAUSES at AWAITING_CUT_AUTHORIZATION, prints run_id (exit 0)
[SOVEREIGN] author /var/lib/cutter/approvals/sg1-<run_id>.md <-- B1 (§3)
[runner] resume(run_id, approval_kb_id=…/sg1-<run_id>.md)
-> cut_leg_a..write_verify
-> PAUSES at AWAITING_LIFECYCLE_AUTHORIZATION
[OPERATOR] SG_1-only first run: STOP HERE — IUs remain 'draft'
[SOVEREIGN] flip __execution_enabled__ False <-- mandatory, success or fail
[operator] verification queries (R03 / O9 R06 §7)
7. STOP conditions carried into the approval packet
- backup_runner returns an incomplete envelope -> StopInvariantFailed, abort
- grant_probe reports any matrix deviation -> StopGrantDelta, abort
- any fn_iu_create status != 'created' -> adapter ROLLBACK, abort
- governance/verify writer returns incomplete ids -> ROLLBACK, abort
- row counts drift from the pre-run snapshot -> abort, snapshot, escalate
- SG_1 doc stale (>24h) / wrong run_id / missing line -> resume refuses
- ANY unhandled error -> flip execution_enabled False, HOLD, route to GPT
8. No-assumption attestation
approval minted by this macro: NO
approval assumed by this macro: NO
execution_enabled flipped: NO
SG_1 / SG_2 docs are TEMPLATES only: YES — to be filled by the sovereign
branch_3: PASS