O7 Report 07 — Resume / idempotency and safety result

• macro: v0.6-o7-postdeploy-live-dryrun-contabo
• gates: G6 + G7
• result: PASS

G6 — Resume / idempotency / duplicate-run

Sovereign pause → resume → closeout

Run ictr-20260521T042359Z-ad3d0b97 traversed both sovereign gates via the resume handshake:

• cut() paused at AWAITING_CUT_AUTHORIZATION (STOP_APPROVAL_REQUIRED).
• resume(approval_kb_id=SG1) → ran post-SG1 phases → paused at AWAITING_LIFECYCLE_AUTHORIZATION.
• resume(approval_kb_id=SG2) → ran post-SG2 phases → CLOSEOUT_REPORTED.

The SG1/SG2 approval docs are local dry-run smoke stubs authored by the runner (clearly labelled O7-DRYRUN-SMOKE). In Mode.DRYRUN with __execution_enabled__=False they only satisfy validate_sovereign_approval's structural check and drive the simulator — they grant no production capability and were not represented as real sovereign authorizations.

Closed-out resume is idempotent

resume(run_id) on the already-closed run returned CLOSEOUT_REPORTED with stop_code=None and performed no work — idempotent re-run confirmed.

Duplicate run

A second independent cut(document_id="ICX-CONST") (ictr-20260521T042359Z-6dfed1cb) produced a distinct run_id but an identical deterministically-seeded source_version_id (live-dryrun-sv-d5e7372ff295cec0) — per-run isolation with deterministic seeding from the same live survey. No production write.

G7 — Safety / rollback / disable

No DB mutation — before/after row counts

Captured with the read-only connection, around the whole smoke:

table	before	after
public.information_unit	158	158
public.information_unit [ICX-CONST]	60	60
public.unit_version	165	165
public.iu_lifecycle_log	60	60
public.iu_lifecycle_log [ICX-CONST]	60	60

Identical before/after — zero mutation of the lifecycle tables that a real cut would write.

cutter_governance — untouched by construction

context_pack_readonly has no SELECT on cutter_governance table data (SQLSTATE 42501), so a before/after delta could not be taken with the RO role. This does not weaken the proof:

1. The smoke connection is read-only and has zero privilege on cutter_governance — it cannot write there.
2. Mode.DRYRUN issues no governance write at all (simulator only).

Supplementary current counts (read-only directus session, post-smoke reference): cut_change_set=2, cut_change_set_affected_row=61, verify_result=2, manifest_envelope=2, manifest_unit_block=61, review_decision=3, dot_pair_signature=4. These are pre-existing production rows from prior real work; the O7 smoke neither added nor changed any.

Kill-switch

__execution_enabled__ asserted False at start and end of the run, and cutter_agent/orchestrator/__init__.py:36 is unmodified.

v0.4 + v0.6 integrity

• /opt/incomex/dot/iu-cutter (v0.4): owner 501:staff, mtime 2026-05-20 06:21 — untouched.
• /opt/incomex/dot/iu-cutter-v0.6: no source file modified (newest non-pycache mtime is the O6B-deploy DEPLOY-MANIFEST.txt). Only __pycache__/*.pyc bytecode was refreshed by importing/running the package — benign, no source change.

Service state

No iu-cutter systemd unit, no root crontab entry, no Docker container. Nothing was installed, started, or restarted.

Rollback / disable plan

rm -rf /opt/incomex/dot/iu-cutter-v0.6-o7-sidecar

Removes the runner, run state, approval stubs and reports in one step. Nothing else needs reverting: kill-switch was never flipped, no service exists, the v0.6 artifact and v0.4 skeleton are byte-unchanged.