01 - Current Release & Runtime State

O5 Release / Live-Production Planning · doc 1 of 6 · 2026-05-21 Macro: O5_RELEASE_LIVE_PRODUCTION_PLANNING · effort: high Planning / command-review only — no production mutation, no deploy, no execution kill-switch flip, no push/tag.

1. Tuyên ngôn (3 câu)

1. Vĩnh viễn: O5 chỉ lập kế hoạch và command-review cho con đường an toàn từ live dry-run (O4) sang release/deploy/live-production; không thực hiện bất kỳ mutation, deploy, hay execution nào.
2. Nhầm được không: mọi sự thật repo được lấy từ KB SSOT (ruling O4) và mọi sự thật runtime được khảo sát read-only trực tiếp trên Contabo; nếu hai nguồn mâu thuẫn thì STOP với BLOCKED.
3. 100% tự động: nếu thông tin đủ và nhất quán thì O5 tự sản xuất 6 báo cáo + roadmap O6/O7 và upload KB; nếu thiếu/ mâu thuẫn thì BLOCKED_WITH_EXACT_O5_GAP.

2. G0 — SSOT + repo verification

2.1 KB read/upload

Check	Result
KB store	agent-data-langroid v0.1.0 (Qdrant + Postgres + OpenAI), healthy; 3989 documents
KB read path	directus.knowledge_documents (durable mirror) + agent-data /api (search/RAG)
O1–O4 packages readable	YES — all 4 macro folders + GPT rulings read in full
Automation design readable	YES — v0.5-automation-orchestrator-design/ (7 docs) read
KB upload path	agent-data MCP tool upload_document (POST /documents)
KB upload probe	PASS — 00-kb-upload-probe-2026-05-21.md created (status: created, revision: 1)
directus_create MCP into knowledge_documents	DENIED (collection not in MCP write allowlist) — not used; upload_document is the sanctioned write path

G0 KB gate: PASS. Read and upload both confirmed working.

2.2 Repo / HEAD / status (via KB SSOT)

The v0.6 repository /Users/nmhuyen/iu-cutter-build/repo/iu-cutter lives on the developer workstation (macOS) and is not present on the Contabo VPS. This O5 session runs on Contabo; repo state is therefore verified from the KB SSOT — the GPT ruling reviews/dot-iu-cutter-v0.6-main-ff-after-o4-pass-gpt-ruling-2026-05-21.md (MAIN_FF_O4_TO_MAIN_PASS, dated today 2026-05-21) — cross-checked against the O4 package precheck doc 01-ssot-repo-precheck.

repo_root:        /Users/nmhuyen/iu-cutter-build/repo/iu-cutter   # developer Mac
branch:           feature/constitution-snapshot-mark-dryrun
main_HEAD:        6625f76
feature_HEAD:     6625f76
divergence:       0 / 0   (main fast-forwarded to feature after O4)
working_tree:     clean
git_remote:       <none>          # no remote configured
git_tags:         <none>          # no tag points at HEAD
execution_enabled: false
tests:            366/366 PASS

These values match the prompt's "Expected" block exactly — no contradiction. G0 repo gate: PASS (verified via KB SSOT).

Caveat recorded honestly: physical git verification of the working tree was not possible from Contabo because the v0.6 repo is not on this host. The SSOT ruling is authoritative and self-consistent; O6 should re-confirm HEAD on the developer host at the start of the next macro.

2.3 Execution kill-switch

milestone        = O4
version          = 0.6.0-O4-live-dryrun-orchestration
execution_enabled = False
Mode.LIVE        = structurally refused
  → ProductionExecutionNotAuthorized: "orchestrator.__execution_enabled__ is False"

G0 kill-switch gate: PASS — execution kill-switch is OFF.

3. G1 — Release / runtime survey (Contabo)

Surveyed directly, read-only, on the Contabo VPS this session.

3.1 Is v0.6 code on Contabo?

NO. The only iu-cutter checkout on Contabo is:

path:     /opt/incomex/dot/iu-cutter
version:  0.4.0-dryrun-skeleton          (cutter_agent/__init__.py __version__)
modules:  cutter_agent/{__init__,canonicalization,db_adapter,idempotency,
          ledger,phases,schema_binding,signal,signing,state_machine}.py
orchestrator/ subdir:  ABSENT            → v0.6 orchestrator code NOT deployed
cli.py:   "dot-iu-cutter v0.4 — local / dry-run CLI entrypoint ONLY"

This v0.4 skeleton is vendored inside the /opt/incomex/dot git repo (23 files tracked under iu-cutter/), not its own repository and not a clone of the developer's iu-cutter-build repo. It carries a v0.4 dry-run artifact directory .dryrun-v0.4-2026-05-17/.

Conclusion: the v0.6 orchestrator (O1–O4 work, HEAD 6625f76) exists only on the developer Mac. Contabo carries the older v0.4 skeleton.

3.2 Is a remote configured?

• v0.6 dev repo: no remote (KB rulings: remote_output=<empty>).
• Contabo /opt/incomex/dot repo: no remote (git remote -v empty).
• There is no GitHub/GitLab origin for iu-cutter anywhere in scope.

3.3 Service / runtime entrypoints

Surface	Finding
systemd unit for cutter	NONE
root crontab / cron.d for cutter	NONE
docker-compose.yml service for cutter	NONE (services: postgres, qdrant, directus, agent-data, nuxt, nginx, incomex)
Runtime model	Not a long-running service. iu-cutter is a CLI tool invoked manually.

3.4 Established Contabo execution pattern

Prior cutter production touches on Contabo used GPT-reviewed command-review shell wrappers — not automated services:

• /opt/incomex/docker/dot-iu-cutter-v0.4-connenv-exec.sh — executes a pre-reviewed sequence with identity guards (compose marker, .env, container presence), pre-state sha256 anchors, abort-on-drift, and a timestamped artifact dir; "no secret value ever read/printed".
• Artifact dirs from prior runs: /opt/incomex/docker/dieu44_v0_4_connenv_prod_20260517T030513Z/, /opt/incomex/docker/dieu44_v0_5_constmarker_amend_prod_20260518T081501Z/.

This is the template for any future v0.6 deploy or live run on Contabo: a reviewed, single-purpose, guard-railed script — never an ad-hoc command and never an always-on daemon.

4. Design-vs-actual macro numbering (must read)

The v0.5 automation design (v0.5-automation-orchestrator-design) planned 6 macros where design-O4 = "first LIVE new-document cut", design-O5 = batch GA, design-O6 = real crypto.

The actual execution re-sequenced more conservatively:

Actual macro	Scope	Live mutation?
O1	orchestrator authoring (skeletons + contracts)	no
O2	phase-body in-memory E2E authoring	no
O3	live read-only discovery	no
O4	live dry-run orchestration (Mode.DRYRUN)	no
O5 (this)	release / live-production planning	no

➡️ The original design's "first live cut" has not happened. The current actual-O5 is a planning macro that sits before any live production mutation. All O5/O6/O7 numbering below is the actual sequence.

5. G0 + G1 result

G0_ssot_repo:        PASS   # KB read+upload OK; repo state verified via SSOT; kill-switch OFF
G1_release_runtime:  PASS   # v0.6 NOT on Contabo; no remote; no service; CLI/command-review model
contradictions:      NONE
production_mutation: NONE
deploy:              NONE