02 - Production Execution Readiness Survey

O5 Release / Live-Production Planning · doc 2 of 6 · 2026-05-21 Gate G2 — what is needed to safely enable execution_enabled. Survey only — nothing enabled, nothing mutated.

1. What "enabling execution" means

Today Mode.LIVE is structurally unreachable: the module-level kill-switch orchestrator.__execution_enabled__ is False, and any --mode live invocation raises ProductionExecutionNotAuthorized before a single phase runs. "Enabling execution" = the deliberate, reviewed flip of that switch to True for one scoped run. It is the single most consequential action in the whole programme and is classified xhigh by the O4 ruling.

2. Which phases mutate production

The orchestrator runs 11 internal phases. Mutation surface:

#	Phase	Mutates production?	Target
1	source_pin	no	read-only discovery
2	mark	no	compute (candidate marking)
3	cutplan	no	compute (cut plan)
4	pre_write_backup	filesystem write	GPG-encrypted narrow pg_dump artifact (sha-pinned)
5	grant_probe	no	read-only grant-matrix probe
6	cut_leg_a	DB write	fn_iu_create → information_unit, unit_version (role cutter_exec)
7	structural_verify	no	compute / read-back
8	leg_b_record	DB write	cutter_governance cut records (cut_change_set, manifest_envelope, dot_pair_signature)
9	write_verify	DB write	cutter_governance.verify_result (role cutter_verify)
10	lifecycle_enact	DB write	fn_iu_enact → iu_lifecycle_log + lifecycle state
11	closeout	no	reporting only

Additionally, each sovereign gate creates a mutation:

• SG_1 (cut authz) and SG_2 (lifecycle authz) each require a new cutter_governance.review_decision row (fresh sovereign-issued UUID per (document, phase) — DQ_6 doctrine, never collapsed).

➡️ 6 of 11 phases are non-mutating (1,2,3,5,7,11). The mutation surface is phases 4, 6, 8, 9, 10 plus the two review_decision rows. In O4 dry-run all 11 ran in Mode.DRYRUN against live read-only facts and pre/post production counts were byte-identical (60→60).

3. Which approvals are required

Three layers, all required before any live mutation:

layer_1_kill_switch:
  what:  orchestrator.__execution_enabled__ = True
  type:  code/config change, scoped to one run, re-disabled afterwards
  authority: GPT architectural ruling + sovereign — xhigh

layer_2_sovereign_gates:
  SG_1_cut_authorization:
    artifact: sovereign-signed KB approval doc
    binds:    (gate, run_id, payload_sha), fresh review_decision UUID
    freshness: <= 24h
  SG_2_lifecycle_authorization:
    artifact: sovereign-signed KB approval doc
    freshness: <= 12h (batched)
  SG_3_failure_escalation:
    raised only on failure

layer_3_internal_gates:
  count: 11 internal gates, auto-pass with a KB receipt
  note:  "a run that did not upload its phase doc did not happen"

The CLI has no --force. --mode live without a valid SG_1 approval doc refuses with a non-zero exit.

4. Roles / secrets / config needed

4.1 Postgres roles — STATUS: PRESENT ✅

Verified on Contabo Postgres (directus database):

Role	Login	Super	Purpose	Status
context_pack_readonly	yes	no	live read-only discovery (O3/O4)	✅ present, read-only proven
cutter_exec	yes	no	canonical IU writer; EXECUTE on 2 canonical fns	✅ present
cutter_verify	yes	no	verifier; select/insert verify_result	✅ present
cutter_ro	no	no	non-login guard principal	✅ present (cannot write — by design)

cutter_governance schema is fully provisioned (review_decision, verify_result, cut_change_set, manifest_envelope, dot_pair_signature, source_document_registry, source_document_version_registry, + v_*_observe views). The production DB substrate from the v0.5 Constitution cycle is intact.

4.2 Secrets — env-file based (no GSM on Contabo)

The automation design §4 speaks of "GSM resolves at boot". Contabo has no Google Secret Manager / Vault; secrets live in env files:

/opt/incomex/docker/.env             (600 root:root)
/opt/incomex/secrets/.env.production (640 root:incomex)

Secret / config	Design name	Contabo status
executor DB creds	CUTTER_EXEC_DSN	✅ components present: DOT_CUTTER_EXEC_DB_USER / _PASSWORD
verifier DB creds	CUTTER_VERIFY_DSN	✅ components present: DOT_CUTTER_VERIFY_DB_USER / _PASSWORD
DB host/port/name/sslmode	(part of DSN)	✅ DOT_CUTTER_DB_HOST/PORT/NAME/SSLMODE present
KB upload auth	AGENT_DATA_API_TOKEN	✅ AGENT_DATA_API_KEY present
backup GPG key	BACKUP_GPG_FPR	❌ GAP — not confirmed present; required by pre_write_backup
governance read principal	DIRECTUS_SECDEF_DSN	⚠️ GAP — not confirmed; DQ_4 says reuse the directus SECDEF probe

Hardcode policy holds verbatim: env-var names may appear in refusal guards; env-var values are never written to repo, sidecar, KB, or logs. The DOT_CUTTER_DB_* env contract was already established by the GPT-reviewed v0.4 connenv exec.

4.3 v0.6 config keys — STATUS: NOT PROVISIONED ❌

The design §3 introduces new orchestrator.* config and runtime dirs. None exist on Contabo yet:

not_provisioned_on_contabo:
  - orchestrator.sidecar_root           # /var/lib/cutter/runs
  - orchestrator.batch_dir              # /var/lib/cutter/batches
  - orchestrator.global_locks_dir       # /var/lib/cutter/locks
  - orchestrator.expected_grant_matrix_sha
        # seed value available from O4: 45d25e38ac2dd440d0e7fdbdd6a5a20df11afbaef715002db4e46ea60bd2d600
  - orchestrator.backup_gpg_fpr
  - orchestrator.kb_runs_index_path
  - orchestrator.phase_soft_cap_minutes / run_hard_cap_minutes

5. Rollback / disable path that exists today

primary_disable:
  mechanism: orchestrator.__execution_enabled__ = False
  effect:    Mode.LIVE structurally refused; no phase can run live
  cost:      instant, single-line, no DB touch

per_document_backup:
  mechanism: pre_write_backup → GPG-encrypted narrow pg_dump, sha-pinned
  restore:   NEVER automatic; emergency revert is a separate sovereign macro

emergency_revert:
  runbook:   sql/lifecycle/rollback_runbook.sql   (ratified in dev repo)
  contabo:   ❌ GAP — runbook NOT deployed on Contabo

idempotency_safety:
  layers: 3  (sidecar key / DB UNIQUE constraint / module recorders)
  replay: no-op if all 3 agree; else STOP_REPLAY_CONFLICT
  void:   `cutter orchestrate void --run-id` clears idempotency safely

6. Readiness gap list (exact)

GAP-1  v0.6 orchestrator code is not on Contabo (only v0.4 skeleton).
GAP-2  No deployment path/script for v0.6 onto Contabo yet.
GAP-3  BACKUP_GPG_FPR secret not confirmed in Contabo env.
GAP-4  Governance write/read principal for review_decision + leg_b
       not pinned (cutter_exec vs directus SECDEF) — DQ_4 open item.
GAP-5  orchestrator.* config keys + /var/lib/cutter/* dirs not provisioned.
GAP-6  rollback_runbook.sql not deployed on Contabo.
GAP-7  No GPT architectural ruling yet authorizing a live cut /
       the execution_enabled flip.
GAP-8  No target "harmless document" selected for a first live cut.

None of GAP-1..8 block O5 planning — they are the content of the plan. They DO block any live execution, which is exactly why O5 stops short of it.

7. G2 result

G2_production_execution_readiness: SURVEYED — PASS (survey complete)
db_substrate:   ready (roles + cutter_governance schema present)
code_substrate: NOT ready (v0.6 absent on Contabo)
config_secrets: partially ready (DB creds yes; GPG/governance/config no)
enable_policy:  defined (kill-switch + SG_1/SG_2/SG_3 + GPT ruling)
rollback:       defined (kill-switch + GPG backup + runbook), runbook not yet deployed