O8 production-run readiness & command package (Contabo) — 04-execution-toggle-design
O8 Report 04 — execution_enabled toggle design
- macro: v0.6-o8-production-run-readiness-command-package
- date_utc: 2026-05-21
- host: vmi3080463 (Contabo)
- gate covered: G4 execution_enabled toggle design (design only — NOT applied)
1. Current mechanism
cutter_agent/orchestrator/__init__.py:
__execution_enabled__ = False # flipped to True only by later sovereign ruling
A module-level global boolean. The runner and all five mutating
phase bodies read it via `from . import __execution_enabled__` and refuse
Mode.LIVE while it is False.
2. The decisive problem — the toggle is necessary but NOT sufficient
The kill-switch guard is `if mode == Mode.LIVE and not __execution_enabled__: raise`.
After that guard, the phase bodies have only the simulator path
(discoverer.simulate_iu_creates(...), simulate_fn_iu_enact(...), …).
Therefore, flipping __execution_enabled__ = True and running
Mode.LIVE would:
- skip the ProductionExecutionNotAuthorized refusal, then
- fall through to the in-memory simulator, producing a run
labelled `live` that mutates nothing.
That is a structural false-PASS hazard — worse than "too risky". The global bool is not the gap; the missing live code path is (GAP-9, Report 01 §G1). The toggle must not be flipped while GAP-9 is open.
3. Recommended toggle design (for AFTER GAP-9 is closed)
A global module constant edited in place is a poor production control (non-reversible-by-design, not run-scoped, easy to leave ON — O5 R-3). The recommended replacement, when the live path exists:
design: run-id-scoped, reversible, fail-closed
- replace the bare bool read with:
execution_authorized(run_id, gate) -> bool
default False; never True at module scope.
- authorization source: an explicit, sovereign-signed,
single-run authorization artifact (KB approval doc id) carrying
run_id, target_document_id, TTL, allowance: explicit
re-validated at runner construction AND before each mutating phase.
- scope: exactly ONE run_id; the runner refuses any other run_id.
- auto-expire: TTL enforced; expired => fail-closed to refusal.
- post-run: no persistent ON state to "remember"; the next run
starts refused again with zero manual revert.
- no `--force`, no env-var override, no silent retry.
properties:
reversible: yes — nothing persists ON
run-id scoped: yes
kill-switch left ON after run: impossible by construction
This is a minimal, additive patch (one predicate function + call sites), not an architecture change. It is documented here, not applied — applying it is pointless and unsafe while GAP-9 is open, and flipping/altering the switch is forbidden without an explicit sovereign ruling.
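An added illustrative sketch of the predicate described above; this is example code, not cutter_agent code and not part of this report's deliverable. HMAC-SHA256 stands in for the sovereign signature, and the field names, `sign`, `guard_live_phase` and the string mode value are assumptions.

```python
import hashlib, hmac, time
from dataclasses import dataclass
from typing import Optional

class ProductionExecutionNotAuthorized(RuntimeError):
    """Raised by the guard when no valid single-run authorization exists."""

@dataclass(frozen=True)
class Authorization:
    """Single-run artifact per §3 (KB approval doc id, run_id, target doc, TTL); HMAC is a stand-in signature."""
    approval_doc_id: str
    run_id: str
    target_document_id: str
    gate: str
    issued_at: float  # unix seconds
    ttl_seconds: int
    signature: str    # hex HMAC-SHA256 over payload()

    def payload(self) -> bytes:
        # Canonical bytes the signature covers (constructed format for this example).
        return "|".join([self.approval_doc_id, self.run_id, self.target_document_id,
                         self.gate, f"{self.issued_at:.0f}", str(self.ttl_seconds)]).encode()

def sign(fields: dict, key: bytes) -> Authorization:
    """Issue a signed artifact (placeholder for the sovereign signing step)."""
    unsigned = Authorization(signature="", **fields)
    sig = hmac.new(key, unsigned.payload(), hashlib.sha256).hexdigest()
    return Authorization(signature=sig, **fields)

def execution_authorized(run_id: str, gate: str, artifact: Optional[Authorization],
                         key: bytes, now: Optional[float] = None) -> bool:
    """Default False; True only if the signature is intact, the artifact names exactly this
    run_id and gate, and it is inside its TTL. Nothing persists between calls (no ON state)."""
    if artifact is None:
        return False
    expected = hmac.new(key, artifact.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artifact.signature):
        return False
    if artifact.run_id != run_id or artifact.gate != gate:
        return False
    now = time.time() if now is None else now
    return artifact.issued_at <= now < artifact.issued_at + artifact.ttl_seconds

def guard_live_phase(mode: str, run_id: str, gate: str,
                     artifact: Optional[Authorization], key: bytes, now=None) -> None:
    """Replaces the bare bool read; call at runner construction AND before each mutating phase."""
    if mode == "LIVE" and not execution_authorized(run_id, gate, artifact, key, now):
        raise ProductionExecutionNotAuthorized(f"run {run_id}: gate {gate} refused")
```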
4. This macro's action on the toggle
execution_enabled_state_before: False
execution_enabled_state_after: False (UNCHANGED — not flipped, not patched)
toggle_patch_applied: NO
reason: GAP-9 (no live code path) + GAP-7 (no approval) + GAP-3/5/6/8 open
G4 = DESIGN DELIVERED; toggle NOT flipped and NOT patched.