O8E Report 06 — Safe target discovery & acceptance criteria (G6 / GAP8)

• macro: v0.6-o8e-pre-production-hardening-bundle
• date_utc: 2026-05-21 · host: Contabo vmi3080463
• gate covered: G6 — GAP8 safe target discovery
• result: G6 PASS — candidate space surveyed; acceptance criteria defined; intake package produced

1. Discovery — what is registered (read-only, public schema)

public.information_unit breakdown (158 IUs, by document root × lifecycle):

ICX-CONST:        60 units — ALL 'enacted'   (the M1 Constitution cut — DONE)
test:              7 units — 'draft'
D38-DIEU28-*:    ~26 units — 'draft'  (1 unit each, ~26 distinct roots)
D38-DIEU32-*:    ~24 units — 'draft'  (1 unit each)
D38-DIEU35-*:    ~36 units — 'draft'  (1 unit each)
pilot.*:           5 units — 'draft'
TOTAL:           158  (60 enacted + 98 draft)  — matches the O8D baseline

2. Discovery limitation — registry not readable by the RO role

The orchestrator cuts a source document version identified in cutter_governance.source_document_registry / source_document_version_registry. The read-only query_pg MCP role is privilege-denied on the entire cutter_governance schema (SQLSTATE 42501 — permission denied for schema cutter_governance).

⇒ The exact source-document-version candidate cannot be enumerated from this macro's read-only path. It needs a privileged read as cutter_exec (see §5). This is the exact reason a concrete registry candidate is not named here — not an absence of candidates.

3. Target acceptance criteria (GAP8)

A document is an acceptable first orchestrator-managed production-run target iff ALL hold:

C1  not ICX-CONST          — unless an explicit sovereign approval names it
                             (ICX-CONST is already enacted; re-cutting it is
                              out of scope for a first run)
C2  has a source snapshot  — a pinned normalized snapshot artifact exists
                             (the cutplan input; sha-addressable)
C3  dry-runnable first     — Mode.DRYRUN over the snapshot completes green
                             BEFORE any Mode.LIVE attempt
C4  small                  — 1–3 information units for the first run
                             (bounds blast radius; bounds Compensation A)
C5  rollback feasible      — every resulting IU stays 'draft' until a separate
                             enact decision; Compensation A/B (Report 04) apply
C6  low stakes             — not a load-bearing legal instrument; ideally a
                             synthetic/fixture document authored for the run
C7  fresh change_set       — a new change_set_id (not the M1 pinned id) — which
                             also exercises the F3 generalization (Report 05)

4. Candidate assessment

ICX-CONST:   REJECT  — C1 (already enacted; sovereign-named only)
test / pilot.*: WEAK — likely C2-fail (ad-hoc rows, provenance unclear); a
                       privileged read is needed to confirm a source snapshot
D38-DIEU*:   UNKNOWN — these are draft IUs already in public.information_unit;
                       whether each maps to a registered source_document_version
                       with a snapshot needs the §5 privileged read. If one does
                       and is 1–3 units, it satisfies C4/C5/C6.
RECOMMENDED: a NEW synthetic low-stakes document authored specifically for the
             first run — 1–3 units, deterministic snapshot — best satisfies
             C1–C7 and keeps the first run fully controlled.

5. Privileged discovery query (operator / next macro — cutter_exec)

-- run as cutter_exec (creds: DOT_CUTTER_EXEC_* in /opt/incomex/docker/.env)
SELECT v.id AS source_version_id, d.id AS source_document_id,
       d.canonical_key, v.snapshot_sha256, v.created_at
  FROM cutter_governance.source_document_version_registry v
  JOIN cutter_governance.source_document_registry d
    ON d.id = v.source_document_id
 WHERE d.canonical_key NOT LIKE 'ICX-CONST%'
 ORDER BY v.created_at DESC;
-- a row with a non-null snapshot_sha256 and an estimated 1-3 unit cut
-- satisfies C2/C4 and becomes the dry-run candidate.

6. Target creation / intake package (if no registry candidate qualifies)

1. Author a small normalized snapshot artifact (1-3 law units, BEGIN/END
   sentinels per the dryrun region contract) — synthetic, low-stakes.
2. Register it: insert source_document_registry + source_document_version_registry
   rows (cutter_exec) — this is registration metadata, NOT an IU cut.
3. Mode.DRYRUN the orchestrator over the snapshot → cutplan + write-set preview;
   confirm green, capture writer_digest.
4. Pair the dry-run-proven target with the GAP7 approval package (Report 07)
   for the first authorised Mode.LIVE run.

Step 2 (registry insert) is content/intake metadata, not an IU production mutation, and is not performed by this macro.

7. Verdict

discovery:            DONE — 158 IUs surveyed; ICX-CONST enacted; 98 draft
registry_candidate:   NOT NAMED — exact reason: cutter_governance is RO-privilege
                      denied; needs the §5 cutter_exec query
acceptance_criteria:  DEFINED — C1..C7
recommendation:       new synthetic low-stakes 1-3-unit document, or a §5
                      registry hit confirmed by the next macro
intake_package:       PRODUCED (§6) — no production mutation performed
g6:                   PASS