KB-4911

O8A live-execution wiring authoring (Contabo) — 05-sandbox-fake-db-proof

Revision 1

O8A Report 05 — Sandbox / fake-DB proof

  • macro: v0.6-o8a-live-execution-wiring-authoring
  • date_utc: 2026-05-21 · host: vmi3080463 (Contabo)
  • gate covered: G4 sandbox / fake-DB proof
  • artifact: tests/test_orchestrator_o8a_live_wiring.py (574 lines, stdlib unittest)

1. Test doubles (no real DB, no secret, no network)

Double                     Role
TripwireDiscoverer         every simulate_* method raises AssertionError — proves Mode.LIVE never touches the simulator
RecordingDiscoverer        records simulator calls — proves Mode.DRYRUN still uses it
FakeLiveExecutionAdapter   records which seam methods a phase called; returns canned results
TripwireAdapter            adapter whose methods raise — proves Mode.DRYRUN never touches the adapter
FakeConnection             psycopg-shaped fake DB: records SQL + BEGIN/COMMIT/ROLLBACK; simulates fn_iu_create/fn_iu_enact jsonb returns; can inject a failure at row K

2. What the 28 tests prove

TestEnforcementHelpers (6):
  - execution_enabled() default False
  - refuse_if_killswitch_off blocks Mode.LIVE / no-ops Mode.DRYRUN / passes when ON
  - require_live_adapter rejects None/non-adapter, accepts an adapter

TestLiveRoutesToAdapter (6):           # kill-switch flipped ON in-test
  - each of the 5 phases in Mode.LIVE calls its adapter seam method
    while the TripwireDiscoverer proves the simulator is NOT called
  - a Mode.LIVE phase with NO adapter wired fails closed (all 5)

TestLiveRefusedWhenKillSwitchOff (1):  # kill-switch OFF (default)
  - all 5 phases in Mode.LIVE raise ProductionExecutionNotAuthorized
    AND the adapter is never entered (adapter.calls == [])

TestDryRunUnchanged (3):
  - cut_leg_a / lifecycle_enact / write_verify in Mode.DRYRUN call the
    simulator while the TripwireAdapter proves the adapter is NOT called

TestProductionAdapterTransaction (7):  # ProductionLiveExecutionAdapter + FakeConnection
  - cut_leg_a: 3 fn_iu_create calls, BEGIN…COMMIT, committed, not rolled back
  - cut_leg_a: failure at row 2 ⇒ StopInvariantFailed, ROLLBACK, not committed
  - cut_leg_a: rows without body/title ⇒ refuse BEFORE connecting
  - lifecycle_enact: 3 fn_iu_enact calls, COMMIT, triggers+log surveyed
  - lifecycle_enact: failure at IU 2 ⇒ StopInvariantFailed, ROLLBACK
  - adapter method with kill-switch OFF ⇒ refuse, connection_provider unreached
  - default (un-injected) collaborators refuse
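
The FakeConnection pattern from section 1 and the TestProductionAdapterTransaction cases above (one atomic txn per phase, failure at row K ⇒ ROLLBACK, rows lacking body/title refused before the connection_provider is reached), as an added example that is not the project's tests/test_orchestrator_o8a_live_wiring.py; FakeCursor, FakeConnection, cut_leg_a_phase and connection_provider are assumed shapes, not the orchestrator's real API.

```python
# Added illustration, not the project's test file: a psycopg-shaped fake
# connection that records SQL and BEGIN/COMMIT/ROLLBACK, can inject a
# failure at row K, and a minimal cut_leg_a-style phase that runs one
# atomic transaction over all rows. Every name below is assumed.
class StopInvariantFailed(Exception):
    """Phase aborted; callers must observe ROLLBACK and no COMMIT."""

class FakeCursor:
    def __init__(self, conn):
        self._conn, self._last = conn, None
    def execute(self, sql, params=None):
        c = self._conn
        if not c.tx or c.tx[-1] in ("COMMIT", "ROLLBACK"):
            c.tx.append("BEGIN")  # psycopg opens a txn on the first statement
        c.sql.append(sql)
        if len(c.sql) == c.fail_at_row:
            raise RuntimeError(f"injected failure at row {c.fail_at_row}")
        self._last = {"ok": True, "iu_id": len(c.sql)}  # canned jsonb-style reply
    def fetchone(self):
        return (self._last,)

class FakeConnection:
    """Records every statement and each BEGIN/COMMIT/ROLLBACK; fail_at_row is 1-based."""
    def __init__(self, fail_at_row=None):
        self.sql, self.tx, self.fail_at_row = [], [], fail_at_row
    def cursor(self):
        return FakeCursor(self)
    def commit(self):
        self.tx.append("COMMIT")
    def rollback(self):
        self.tx.append("ROLLBACK")

def cut_leg_a_phase(connection_provider, rows):
    """Validate before connecting, then one txn over all rows; any failure -> ROLLBACK."""
    for r in rows:
        if not r.get("body") or not r.get("title"):
            raise StopInvariantFailed("refused before connecting: row lacks body/title")
    conn = connection_provider()
    cur = conn.cursor()
    try:
        for r in rows:
            cur.execute("SELECT fn_iu_create(%(title)s, %(body)s)", r)
            cur.fetchone()
        conn.commit()
    except Exception as exc:
        conn.rollback()
        raise StopInvariantFailed(str(exc)) from exc
    return len(rows)
```

The same three assertions the report lists (3 calls then BEGIN…COMMIT; failure at row 2 then BEGIN…ROLLBACK with no COMMIT; invalid rows never reaching the provider) can be checked against the recorded `sql` and `tx` lists.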

TestApprovalGatingUnderLive (2):
  - cut_leg_a (live) still requires SG_1; lifecycle_enact still requires SG_2;
    adapter not entered when the approval is missing

TestRunnerLiveGate (3):
  - runner.cut(LIVE) refused when kill-switch OFF
  - runner.cut(LIVE) requires a LiveExecutionAdapter as db_provider
  - kill-switch is restored False after every test (no leak)

3. Result

$ python3 -m unittest tests.test_orchestrator_o8a_live_wiring
............................
Ran 28 tests in 0.015s
OK

4. Hard invariants proven

Invariant                                                         Proven by
Mode.LIVE NEVER calls the simulator                               TripwireDiscoverer across all 5 live-routing tests
Mode.LIVE + kill-switch OFF refuses before any adapter call       TestLiveRefusedWhenKillSwitchOff (adapter.calls == [])
Mode.LIVE with no adapter fails closed                            test_live_phase_without_adapter_fails_closed
one atomic txn per phase; failure ⇒ ROLLBACK, never partial       FakeConnection commit/rollback assertions
Mode.DRYRUN still uses the simulator, never the adapter           TripwireAdapter
kill-switch is defence-in-depth (adapter re-checks)               test_adapter_method_refuses_when_killswitch_off
sovereign-approval gating still holds under Mode.LIVE             TestApprovalGatingUnderLive
the deployed kill-switch constant is never left flipped           test_kill_switch_restored_after_tests

G4 = PASS — 28/28 sandbox / fake-DB checks green; no production DB, no secret, no network touched.

knowledge/dev/laws/dieu44-trien-khai/v0.6-o8a-live-execution-wiring-authoring/05-sandbox-fake-db-proof.md