KB-4A72

O7 postdeploy live dry-run (Contabo) — 05-runner-or-cli-authoring-result

Revision 1

O7 Report 05 — Runner / CLI authoring result

  • macro: v0.6-o7-postdeploy-live-dryrun-contabo
  • gate: G4
  • result: PASS — minimal read-only sidecar runner authored

What was authored

A single sidecar file:

/opt/incomex/dot/iu-cutter-v0.6-o7-sidecar/o7_live_dryrun_runner.py

Plus a runtime runs/ tree (run state, local KB docs, approval stubs, o7-smoke-summary.json) and a reports/ tree (these 8 reports).

Why a sidecar, not a CLI change

cli.py is the v0.4 entrypoint and has no orchestrate subcommand (report 02). Mutating the deployed v0.6 artifact would break the integrity of the artifact_sha256 recorded in DEPLOY-MANIFEST.txt, so the runner is a sidecar instead: it calls sys.path.insert with /opt/incomex/dot/iu-cutter-v0.6 and imports the orchestrator package unchanged. The deployed artifact stays byte-identical. Macro G4 explicitly permits "documented sidecar".
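
One way to check the byte-identical claim after a sidecar import (an added example, not the runner's own code): CPython can write __pycache__/*.pyc files next to the modules it imports, so the sketch below snapshots per-file SHA-256 digests of a tree before and after importing from it, with bytecode writing disabled and then enabled. The package name demo_orchestrator_pkg, the constructed stand-in tree and the per-file digest scheme are assumptions; the page does not say how artifact_sha256 is computed or how the runner handles bytecode.

```python
import hashlib
import importlib
import sys
import tempfile
from pathlib import Path

def tree_digest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def drift(before, after):
    """Paths added, removed or modified between two tree_digest() snapshots."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def import_from(root, module, write_bytecode):
    """Import module via sys.path.insert, as a sidecar would, then restore state."""
    saved = sys.dont_write_bytecode
    sys.dont_write_bytecode = not write_bytecode
    sys.path.insert(0, str(root))
    importlib.invalidate_caches()
    try:
        importlib.import_module(module)
    finally:
        sys.path.remove(str(root))
        sys.modules.pop(module, None)
        sys.dont_write_bytecode = saved

def demo():
    """Run both import styles against a constructed stand-in tree."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "demo_orchestrator_pkg"  # hypothetical package name
        pkg.mkdir()
        (pkg / "__init__.py").write_text("__execution_enabled__ = False\n")
        baseline = tree_digest(tmp)
        import_from(tmp, "demo_orchestrator_pkg", write_bytecode=False)
        safe = drift(baseline, tree_digest(tmp))    # nothing written
        import_from(tmp, "demo_orchestrator_pkg", write_bytecode=True)
        unsafe = drift(baseline, tree_digest(tmp))  # a .pyc appears in the tree
        return safe, unsafe

if __name__ == "__main__":
    safe, unsafe = demo()
    print("bytecode disabled, drift:", safe)
    print("bytecode enabled, drift:", unsafe)
```

Running the interpreter with -B or with PYTHONDONTWRITEBYTECODE=1 has the same effect as setting sys.dont_write_bytecode, and a tree that is not writable by the runner's user cannot drift this way at all.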

Scope and hard guarantees (enforced in the runner)

  • Read-only DB only. Connects as PG_USER_RO (context_pack_readonly) and additionally calls set_session(readonly=True), so the connection is structurally unable to write.
  • Kill-switch untouched. Imports and asserts orchestrator.__execution_enabled__ is False; never assigns it.
  • Mode.LIVE refused. The runner explicitly attempts a Mode.LIVE cut and asserts it raises ProductionExecutionNotAuthorized.
  • Mutation impossible. Every phase runs in Mode.DRYRUN against the in-memory simulator (LiveDryRunDiscoverer extends InMemoryDiscoverer).
  • No secrets in code/logs. Credentials are read at runtime from /opt/incomex/secrets/.env.production; never echoed.
  • No source_document/source_version mutation, no real crypto, no service install.

Code-change scope and test impact

The sidecar imports the v0.6 package read-only and does not modify any tested module. The v0.6 stdlib unittest suite was nonetheless run on Contabo as a regression baseline: Ran 366 tests ... OK (366/366, Python 3.12.3).

Removal / disable

rm -rf /opt/incomex/dot/iu-cutter-v0.6-o7-sidecar

Single-directory delete; removes the runner, all run state, approval stubs and reports. The deployed v0.6 artifact and v0.4 skeleton are untouched by construction.
