KB-648F
04 - Recommended Roadmap (O6/O7)
9 min read Revision 1
dot-iu-cutterv0.6O5roadmapO6O7
04 - Recommended Roadmap (O6 / O7 and beyond)
O5 Release / Live-Production Planning · doc 4 of 6 · 2026-05-21 Gate G4 — recommended next sequence, effort, pass criteria, forbidden actions, approval gates.
1. Recommended sequence (one-glance)
O5 release/live-production PLANNING ← this macro (high) ✅ in progress
O6 release tag + Contabo deploy command-review (high)
O7 execute reviewed deploy + post-deploy live DRY-RUN on Contabo (high)
O8 first LIVE production cut on a harmless document (xhigh, separate sovereign ruling)
O9+ batch GA → real-crypto migration (xhigh, deferred)
Each macro keeps the proven O1–O4 rhythm: author/execute the scoped work → produce a KB package → STOP → route to GPT → GPT ruling → next macro. No macro self-advances.
2. Macro O6 — Release tag + Contabo deploy command-review
macro: O6_RELEASE_TAG_AND_CONTABO_DEPLOY_COMMAND_REVIEW
effort: high
duration: <= 60 min
goal: make v0.6 (HEAD 6625f76) ready to land on Contabo with the
execution kill-switch OFF — as a reviewed package, deploy
executed only if review passes within the macro's mandate.
scope:
- re-confirm dev repo HEAD = 6625f76, clean, execution_enabled=False
- create local annotated tag (e.g. v0.6.0-O4-live-dryrun) at 6625f76 [OPT-1]
- author the Contabo deploy command-review package: [OPT-2]
* target: /opt/incomex/dot/iu-cutter (v0.4 → v0.6, vendored in dot repo)
* identity guards (compose marker, .env, expected host)
* pre-state sha256 anchors + abort-on-drift
* NO secrets in the repo tree; secrets stay in .env/.env.production
* post-deploy assertion: cutter_agent/__init__.py __version__ = 0.6.0,
orchestrator/ subdir present, execution_enabled=False
- provision (or document the exact gap for) GAP-3/4/5/6:
BACKUP_GPG_FPR, governance principal, orchestrator.* config +
/var/lib/cutter/* dirs, rollback_runbook.sql placement
pass_criteria (O6):
- local tag created at 6625f76; NOT pushed (no remote)
- deploy command-review package authored + uploaded to KB
- deploy executed ONLY within the reviewed mandate; if review needs
GPT sign-off first, deploy is deferred to start of O7
- after deploy (if executed): v0.6 code present, execution_enabled=False,
no production mutation, no service restart
- tests still 366/366 (run on the deployed copy or dev copy)
forbidden in O6:
- production mutation; live CUT/VERIFY/enact
- flipping execution_enabled
- service restart / docker recreate
- push / public remote creation
- real crypto replacement
- hardcoding secrets or runtime IDs
approval gate:
- GPT command-review PASS on the deploy package BEFORE deploy execution
- sovereign single-line approval to run O6
3. Macro O7 — Post-deploy live dry-run on Contabo
macro: O7_POST_DEPLOY_LIVE_DRYRUN_ON_CONTABO
effort: high
duration: <= 60 min
goal: prove the Contabo-deployed v0.6 artifact reproduces the O4
live dry-run exactly, and produce the execution-enable
readiness gate review.
scope:
- if O6 deferred the deploy: execute the GPT-reviewed deploy first
- run orchestrator on Contabo in Mode.DRYRUN against live read-only
(role context_pack_readonly, BEGIN READ ONLY/ROLLBACK) [OPT-3]
- reproduce: SG1 pause → resume → SG2 pause → resume → closeout →
idempotent closeout resume
- assert pre/post live counts identical (production non-mutation proof)
- assert grant-matrix sha == O4 value
(45d25e38ac2dd440d0e7fdbdd6a5a20df11afbaef715002db4e46ea60bd2d600)
- produce the "execution-enable readiness" checklist: status of
GAP-3..8 with explicit close/open verdicts
pass_criteria (O7):
- Contabo dry-run completes all 11 phases in Mode.DRYRUN
- production counts unchanged; Mode.LIVE still refused
- execution_enabled=False throughout
- readiness checklist uploaded; each gap marked CLOSED or OPEN
forbidden in O7: same forbidden list as O6 (no mutation, no kill-switch,
no restart, no push/tag-push, no real crypto)
approval gate:
- sovereign single-line approval to run O7
- O7 does NOT authorize O8; O8 needs its own ruling
4. Macro O8 — First live production cut (deferred, xhigh)
macro: O8_FIRST_LIVE_PRODUCTION_CUT
effort: xhigh
status: DEFERRED — requires a standalone GPT architectural ruling
goal: first real production mutation: one harmless small document,
all 11 phases live, SG_1 + SG_2 sovereign-supervised.
entry_conditions (ALL must hold):
- O6 + O7 PASSED
- GAP-3..8 all CLOSED:
GAP-3 BACKUP_GPG_FPR provisioned
GAP-4 governance principal pinned + grants verified
GAP-5 orchestrator.* config + /var/lib/cutter/* dirs provisioned
GAP-6 rollback_runbook.sql deployed on Contabo + revert tested in dryrun
GAP-7 standalone GPT ruling authorizing the execution_enabled flip
GAP-8 harmless target document selected (small, new, NOT the
Constitution, NOT signature-critical — OPT-5 policy)
- SG_1 + SG_2 sovereign approval docs issued with fresh review_decision UUIDs
- the execution_enabled flip is itself a reviewed, single-run-scoped
change, re-disabled immediately after the run
NOTE: O8 is explicitly OUT OF SCOPE for O5/O6/O7. It is named here so
the roadmap is complete, not to authorize it.
5. Beyond O8
O9_batch_GA: cutter orchestrate batch (quarantine default), <=5 docs/night — xhigh
O10_real_crypto: StubSigning → HSM/KMS SigningProvider — xhigh, multi-day,
needs sovereign architectural ruling (design DQ_2 / macro_O6)
6. Effort & gate-class assignment
| Macro | Effort | Gate class | Mutation |
|---|---|---|---|
| O5 planning (this) | high | high | none |
| O6 tag + deploy review | high | high | none (code deploy only, kill-switch off) |
| O7 post-deploy dry-run | high | high | none |
| O8 first live cut | xhigh | xhigh | production write |
| O9 batch GA | xhigh | xhigh | production write |
| O10 real crypto | xhigh | xhigh | new signing code |
The O4 ruling's xhigh_if is satisfied at O8 onward (enabling
production execution, live mutation orchestration, real crypto). O6 and
O7 stay high because they involve no mutation and no kill-switch
change.
7. Conditions to enable execution_enabled (future)
Consolidated trigger list — execution may be enabled only when every item is true:
enable_execution_when:
- v0.6 code deployed AND dry-run-verified on the target host (O6+O7 PASS)
- all config keys + secrets provisioned (GAP-3/4/5 closed)
- rollback_runbook.sql deployed + emergency revert tested in dry-run (GAP-6)
- a harmless, small, new, non-signature-critical target document chosen (GAP-8)
- SG_1 + SG_2 sovereign approval docs issued (fresh review_decision UUIDs)
- a standalone GPT architectural ruling authorizes the flip (GAP-7)
- the flip is scoped to ONE run and re-disabled immediately afterwards
- no `--force`; no silent retry that changes authority
8. Contabo deploy path (recommended)
target: /opt/incomex/dot/iu-cutter (vendored in /opt/incomex/dot git repo)
method: GPT-reviewed command-review shell wrapper, modelled on
/opt/incomex/docker/dot-iu-cutter-v0.4-connenv-exec.sh
guards: compose marker + .env presence + expected-host check;
pre-state sha256; abort-on-drift; timestamped artifact dir
content: v0.6 source tree at HEAD 6625f76 (no secrets, no .pyc)
post-checks: __version__=0.6.0; orchestrator/ present; execution_enabled=False;
tests 366/366
commit: record the deploy in the /opt/incomex/dot repo (local commit,
no push — that repo has no remote)
NOT done: no service install, no docker recreate, no restart
9. Release / tag policy (recommended)
remote: none today; do NOT create a public remote as part of O6/O7 —
that is a separate explicit decision (security review needed)
tag: local annotated tag at 6625f76 in O6
name suggestion: v0.6.0-O4-live-dryrun
annotation: cite the O4 main-FF ruling as provenance
push: forbidden (no remote; and forbidden by O5/O6/O7 mandate)
canonical: the KB SSOT ruling already pins 6625f76 as the O4 HEAD;
the tag is convenience hygiene, not the source of truth
10. G4 result
G4_recommended_roadmap: PASS
recommended_next: O6_RELEASE_TAG_AND_CONTABO_DEPLOY_COMMAND_REVIEW (high)
then: O7_POST_DEPLOY_LIVE_DRYRUN_ON_CONTABO (high)
deferred: O8 first live cut (xhigh), O9 batch GA, O10 real crypto