KB-7675

O8E pre-production hardening (Contabo) — 02-runtime-dirs-config-readiness

Revision 1

O8E Report 02 — Runtime dirs & non-sensitive config readiness (G2 / GAP5)

  • macro: v0.6-o8e-pre-production-hardening-bundle
  • date_utc: 2026-05-21 · host: Contabo vmi3080463
  • gate covered: G2 — GAP5 runtime directories + config
  • result: G2 PASS — GAP5 CLOSED (filesystem-only, non-sensitive, reversible)

1. Survey

/var/lib/cutter:        DID NOT EXIST before this gate
/opt/incomex/dot/config: credentials.example.json + environment.sh only
                         — no orchestrator runtime config
code path-binding:      the orchestrator is PATH-AGNOSTIC. StateStore(sidecar_root)
                        and DryRunReporter(sidecar_root) receive their root as a
                        constructor argument; NO module hardcodes /var/lib/cutter.
                        GAP5 is therefore a deployment-convention task: establish
                        a stable, well-permissioned runtime root for the first
                        orchestrator-managed run.

Runtime contract (from orchestrator/state_store.py, kb_reporter.py): each run materialises as <sidecar_root>/<run_id>/{state.json, state.lock, kb/}.

2. Changes applied — /var/lib/cutter runtime tree

Created with install -d -o root -g root -m 0750 (empty directories only):

/var/lib/cutter/            root:root 0750
├── runs/                   orchestrator run sidecar root (StateStore/DryRunReporter)
├── approvals/              SG_1/SG_2 approval packages + consumed-approval records
├── artifacts/              cutplan artifacts, pinned snapshots, write-set previews
├── backups/                pre_write_backup output (encrypted pg_dump — F4)
├── rollback/               per-cut revert/compensation + before-run snapshots (GAP6)
├── reports/                staged KB report bundles
└── locks/                  global orchestrator single-run mutex

Verified: 7 directories, all root:root 0750, 0 non-directory files.
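The "Verified" line above is the kind of check that should be re-runnable rather than a one-off `ls -la`. The following is an added example (not the project's own code) that encodes the section 2 contract as a function: root plus the seven subdirectories exist, are real directories rather than symlinks, are owned by the expected uid:gid, carry exactly 0750 (so a stray setgid bit or group-write also fails), and the root contains nothing else. The function name, the findings format and the scratch tree built in `__main__` are assumptions of this example; the directory names, owner and modes are the report's. The `expected_files` parameter is for the two 0640 files section 3 authors later.

```python
"""Verify a runtime tree against the section 2 contract (added example, not project code)."""
import os
import stat
import tempfile

RUNTIME_ROOT = "/var/lib/cutter"
EXPECTED_DIRS = ("runs", "approvals", "artifacts", "backups",
                 "rollback", "reports", "locks")


def verify_runtime_tree(root=RUNTIME_ROOT, expected=EXPECTED_DIRS, uid=0, gid=0,
                        dir_mode=0o750, expected_files=(), file_mode=0o640):
    """Return a list of human-readable findings; an empty list means PASS.

    expected_files: regular files that must sit directly under root with file_mode
    (e.g. orchestrator.config.json, README.md once section 3 has been applied).
    """
    findings = []

    def check(path, want_dir, want_mode):
        try:
            st = os.lstat(path)          # lstat: a symlink must never pass as a dir
        except FileNotFoundError:
            findings.append(f"missing: {path}")
            return
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"symlink not allowed: {path}")
            return
        ok_type = stat.S_ISDIR(st.st_mode) if want_dir else stat.S_ISREG(st.st_mode)
        if not ok_type:
            findings.append(f"wrong type: {path}")
            return
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append(f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}: {path}")
        perm = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
        if perm != want_mode:
            findings.append(f"mode {perm:04o}, expected {want_mode:04o}: {path}")

    check(root, True, dir_mode)
    for name in expected:
        check(os.path.join(root, name), True, dir_mode)
    for name in expected_files:
        check(os.path.join(root, name), False, file_mode)

    if os.path.isdir(root):              # anything not in the contract is a finding
        for entry in sorted(os.listdir(root)):
            if entry not in expected and entry not in expected_files:
                findings.append(f"unexpected entry: {os.path.join(root, entry)}")
    return findings


def build_sample_tree(base):
    """Recreate the layout under a scratch directory (stand-in for install -d)."""
    root = os.path.join(base, "cutter")
    for path in (root, *(os.path.join(root, d) for d in EXPECTED_DIRS)):
        os.mkdir(path)
        os.chmod(path, 0o750)            # explicit chmod so umask cannot widen it
    return root


if __name__ == "__main__":
    # On the host this is simply verify_runtime_tree() run as root.
    # Here: a scratch tree owned by the current user, so uid/gid are overridden.
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        me = (os.getuid(), os.getgid())
        print("clean tree:", verify_runtime_tree(root, uid=me[0], gid=me[1]) or "PASS")
        os.chmod(os.path.join(root, "locks"), 0o770)   # group-writable mutex dir
        for f in verify_runtime_tree(root, uid=me[0], gid=me[1]):
            print("finding:", f)
```

Run it as root on the host with no arguments for the real tree; the scratch-tree path in `__main__` only shows what a drifted mode looks like in the findings. Because the check is exact-mode rather than "at least this restrictive", it also catches the case where someone later loosens `locks/` or `runs/` to let a non-root service write there, which is a decision that belongs in a gate, not in drift.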

3. Non-sensitive config authored

/var/lib/cutter/orchestrator.config.json   root:root 0640
/var/lib/cutter/README.md                  root:root 0640

orchestrator.config.json is non-sensitive by construction: it contains ZERO secret values. Every credential field holds only the NAME of an environment variable, resolved at runtime from /opt/incomex/docker/.env; the secret values themselves never enter this file, so its 0640 mode protects layout and wiring details, not credentials:

  • runtime_root + the 7-dir layout map, sidecar_root = /var/lib/cutter/runs
  • DB wiring as env-var NAMES — DOT_CUTTER_DB_HOST/PORT/NAME/SSLMODE, DOT_CUTTER_EXEC_DB_USER/PASSWORD, DOT_CUTTER_VERIFY_DB_USER/PASSWORD
  • driver note — host has psycopg2 only ⇒ wrap via Psycopg2ConnectionShim
  • backup — BACKUP_GPG_FPR env-name pointer, flagged NOT PROVISIONED (F4)
  • execution_enabled explicitly NOT configurable here — it is the source constant __execution_enabled__; flipping it is a sovereign GAP7 action.

No code was changed to load this file automatically; the first-run sidecar runner / command package reads it to resolve paths and DB wiring.
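The "pointer, never a value" property above is easy to state and easy to break with one careless edit, so it is worth linting. Below is an added example (not the project's own code) of a reader for a config shaped like the description in this section: it rejects any credential field whose value is not an env-var NAME, rejects an `execution_enabled` key outright (that switch is the source constant, per the bullet above), parses a `.env`-style file, and resolves the pointers, reporting names that are not set, which is exactly the state BACKUP_GPG_FPR is in (F4). The JSON shape, the `.env` sample and its values are constructed for this example; the report does not publish the real schema. The env-var names are the ones listed above.

```python
"""Lint and resolve a pointer-only orchestrator config (added example, not project code)."""
import re

# An env-var NAME pointer: uppercase identifier, nothing else. Literals such as
# "hunter2", "postgres://..." or "host=db" fail this and are flagged.
ENV_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Sections whose every value must be a pointer, never a resolved secret.
POINTER_SECTIONS = ("db", "backup")

# Keys that must not appear at all: execution_enabled is the source constant
# __execution_enabled__ and flipping it is a GAP7 action, not a config edit.
FORBIDDEN_KEYS = ("execution_enabled",)

# Constructed sample config (assumed shape; the real schema is not published).
SAMPLE_CONFIG = {
    "runtime_root": "/var/lib/cutter",
    "sidecar_root": "/var/lib/cutter/runs",
    "db": {
        "host": "DOT_CUTTER_DB_HOST",
        "port": "DOT_CUTTER_DB_PORT",
        "name": "DOT_CUTTER_DB_NAME",
        "sslmode": "DOT_CUTTER_DB_SSLMODE",
        "exec_user": "DOT_CUTTER_EXEC_DB_USER",
        "exec_password": "DOT_CUTTER_EXEC_DB_PASSWORD",
        "verify_user": "DOT_CUTTER_VERIFY_DB_USER",
        "verify_password": "DOT_CUTTER_VERIFY_DB_PASSWORD",
    },
    "backup": {"gpg_fingerprint": "BACKUP_GPG_FPR"},
}

# Constructed stand-in for /opt/incomex/docker/.env; all values are placeholders.
SAMPLE_DOTENV = """\
# database wiring (constructed sample)
DOT_CUTTER_DB_HOST=db.internal
DOT_CUTTER_DB_PORT=5432
DOT_CUTTER_DB_NAME=incomex
DOT_CUTTER_DB_SSLMODE=require
export DOT_CUTTER_EXEC_DB_USER=cutter_exec
DOT_CUTTER_EXEC_DB_PASSWORD="pl@ceholder exec"
DOT_CUTTER_VERIFY_DB_USER=cutter_verify
DOT_CUTTER_VERIFY_DB_PASSWORD='placeholder verify'
# BACKUP_GPG_FPR deliberately absent: not provisioned (F4)
"""


def lint_config(config):
    """Return findings; an empty list means no secret values and no forbidden knobs."""
    findings = []
    for key in FORBIDDEN_KEYS:
        if key in config:
            findings.append(f"forbidden key present: {key}")
    for section in POINTER_SECTIONS:
        for key, value in config.get(section, {}).items():
            if not isinstance(value, str) or not ENV_NAME.match(value):
                findings.append(f"{section}.{key}: value is not an env-var name pointer")
    return findings


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: comments, blanks, optional 'export ', simple quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep or not ENV_NAME.match(key):
            continue                     # skip lines a shell would not export cleanly
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def resolve_pointers(section, env):
    """Map each logical key to its runtime value; also return env names not set."""
    resolved, missing = {}, []
    for key, name in section.items():
        if name in env:
            resolved[key] = env[name]
        else:
            missing.append(name)
    return resolved, missing


if __name__ == "__main__":
    print("lint:", lint_config(SAMPLE_CONFIG) or "OK")
    env = parse_dotenv(SAMPLE_DOTENV)
    db, missing = resolve_pointers(SAMPLE_CONFIG["db"], env)
    print("db host:", db["host"], "| missing:", missing)
    _, missing = resolve_pointers(SAMPLE_CONFIG["backup"], env)
    print("backup missing:", missing)    # BACKUP_GPG_FPR: not provisioned (F4)
```

The lint is deliberately strict about what counts as a pointer: a value that parses as anything other than an uppercase identifier is treated as a leaked literal, so a pasted connection string or password fails the gate rather than silently becoming "config". Resolution returns the unset names instead of raising, so a first-run check can print exactly which provisioning gaps (here F4) still block the run.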

4. Exact changes & rollback

created_dirs:   /var/lib/cutter + {runs,approvals,artifacts,backups,rollback,reports,locks}
created_files:  /var/lib/cutter/orchestrator.config.json  (non-sensitive)
                /var/lib/cutter/README.md
secrets_written: NONE
db_touched:      NONE
service_touched: NONE
rollback:        rm -rf /var/lib/cutter
                 — the tree holds no data; this is a clean, complete rollback
                   until the first production run writes a run sidecar.

5. Verdict

gap5_runtime_dirs:   CLOSED — 7 dirs created, root:root 0750, empty
gap5_config:         CLOSED — non-sensitive config + README authored
mutation_class:      filesystem-only, reversible (rm -rf /var/lib/cutter)
secrets:             none written
g2:                  PASS
Source: knowledge/dev/laws/dieu44-trien-khai/v0.6-o8e-pre-production-hardening-bundle/02-runtime-dirs-config-readiness.md