O8A Report 04 — Code authoring summary

• macro: v0.6-o8a-live-execution-wiring-authoring
• date_utc: 2026-05-21 · host: vmi3080463 (Contabo)
• gate covered: G3 code authoring
• workspace: /opt/incomex/dot/iu-cutter-v0.6-o8a-staging/ (deployed tree untouched)

1. Change set — 9 files (7 modified, 2 new)

File	Δ	Purpose
orchestrator/__init__.py	mod	add execution_enabled() fn + __live_wiring__ marker
orchestrator/live_execution.py	new (520 L)	the live-execution adapter seam
orchestrator/runner.py	mod	cut() live gate: kill-switch fn + adapter required
orchestrator/phases/backup.py	mod	Mode.LIVE branch → adapter.pre_write_backup
orchestrator/phases/cut_leg_a.py	mod	Mode.LIVE branch → adapter.cut_leg_a
orchestrator/phases/leg_b_record.py	mod	Mode.LIVE branch → adapter.leg_b_record
orchestrator/phases/write_verify.py	mod	Mode.LIVE branch → adapter.write_verify
orchestrator/phases/lifecycle_enact.py	mod	Mode.LIVE branch → adapter.lifecycle_enact
tests/test_orchestrator_o8a_live_wiring.py	new (574 L)	sandbox / fake-DB proof (Report 05)

__version__ / __milestone__ are deliberately left at 0.6.0-O4 / O4 — they are pinned by three milestone-gated tests and are bumped at O8A deploy/ratify (Report 07), not in an authoring macro. The additive marker __live_wiring__ = "O8A-authoring-staging" records the wiring honestly without disturbing that suite.

2. Kill-switch: value-import → function

orchestrator/__init__.py:

__execution_enabled__ = False   # backing constant — flipped only by sovereign ruling

def execution_enabled() -> bool:
    """Kill-switch state, evaluated at call time (not value-imported)."""
    return __execution_enabled__

The runner and all five mutating phases now call execution_enabled(), so the switch is always read freshly (and a sandbox test can exercise the ON path without monkey-patching internals).

3. The seam — live_execution.py

def refuse_if_killswitch_off(ctx, phase_name) -> None:
    if ctx.mode == Mode.LIVE and not execution_enabled():
        raise ProductionExecutionNotAuthorized(...)   # no adapter entered

def require_live_adapter(db_provider, phase_name) -> LiveExecutionAdapter:
    if not isinstance(db_provider, LiveExecutionAdapter):
        raise ProductionExecutionNotAuthorized(...)   # never falls back to simulator
    return db_provider

class LiveExecutionAdapter(abc.ABC):          # the contract — 6 methods
    pre_write_backup / cut_leg_a / leg_b_record /
    verify_result_count_for / write_verify / lifecycle_enact

class ProductionLiveExecutionAdapter(LiveExecutionAdapter):
    # construction never connects; 4 injected collaborator seams:
    #   connection_provider(role)->conn   backup_runner(spec)->dict
    #   governance_writer(conn,ctx)->dict verify_writer(conn,ctx)->dict
    # all four DEFAULT to a refusing stub (no DSN/.env/secret here).

ProductionLiveExecutionAdapter behaviour:

• cut_leg_a — full implementation: BEGIN; per row SELECT public.fn_iu_create(%s×9); assert status='created'; collect iu_id/uv_id; COMMIT. Reuses the proven SQL contract of prod_iu_adapter_canonical.leg_a_in_txn_canonical. Fails closed if a cutplan row lacks body/title.
• lifecycle_enact — full implementation: BEGIN; per IU SELECT public.fn_iu_enact(%s×8); assert status='enacted'; post-enact trigger + iu_lifecycle_log survey; COMMIT.
• pre_write_backup — delegates to the injected backup_runner (narrow pg_dump --table + GPG); validates the {sha256,size_bytes,gpg_fpr} envelope.
• leg_b_record / write_verify — own the atomic txn here (the O8A-delivered, sandbox-proven seam) and delegate the governed writes to the injected governance_writer / verify_writer. The default writers REFUSE; a production writer wraps the (Constitution-N-pinned) v0.5 LegBRecorder / VerifyRecorder — that wrapper + the N-generalisation is the documented O8A follow-up.
• every method begins with _assert_live_allowed (defence-in-depth kill-switch + Mode.LIVE re-check); any error ⇒ ROLLBACK + re-raise.

4. The five phase bodies

Each mutating phase now has the uniform shape:

ctx.begin_phase(...)
refuse_if_killswitch_off(ctx, "<phase>")          # kill-switch
... approval + pin pre-checks (unchanged) ...
if ctx.mode == Mode.LIVE:
    adapter = require_live_adapter(db_provider, "<phase>")
    result  = adapter.<phase>(ctx, ...)            # LIVE → real adapter
else:
    result  = discoverer.simulate_<phase>(...)     # DRYRUN → simulator
... pin evidence (unchanged gate invariants) ...

• Mode.LIVE never reaches discoverer.simulate_* — proven in Report 05.
• cut_leg_a pins cut_leg_a_simulated = (mode == DRYRUN) so the audit trail records which path ran.
• the Mode.DRYRUN cut_leg_a now projects each cutplan dict onto the CutplanRow fields, so a content-enriched cutplan pin (body/title, which the live path needs) still feeds the simulator cleanly.

5. Runner live gate (runner.py)

def cut(self, *, document_id, mode=Mode.DRYRUN, actor=...):
    if mode == Mode.LIVE:
        if not execution_enabled():                # kill-switch first
            raise ProductionExecutionNotAuthorized(...)
        if not isinstance(self.db_provider, LiveExecutionAdapter):
            raise ProductionExecutionNotAuthorized(  # adapter mandatory
                "live mode requires a LiveExecutionAdapter ...")

6. Authoring constraints honoured

mode_live_never_simulator:   enforced (require_live_adapter; no fallback)
mode_dryrun_still_simulator: yes (the else-branch)
kill_switch_off_refuses:     yes (refuse_if_killswitch_off, before any adapter)
execution_enabled_default:   False (unchanged backing constant)
hardcoded_secrets/PINs:      none (no module-level PIN_*; injected collaborators)
real_crypto_replacement:     none (StubSigning interface untouched)

G3 = PASS. Full code inventory above; the verbatim modules live in the staging tree and travel with the Report 07 deploy command-package.