KB-15C3
Orchestrator O2 · 03 Gate Invariants Summary
Revision 1
Tags: dot-iu-cutter · v0.6 · orchestrator-o2 · phase-body-e2e-authoring · gate-invariants · g3-pass · 36-predicates-filled · no-silent-skip · dieu44 · 2026-05-20
doc 3 of 7 · 2026-05-20 · G3 gate
phase : G3 — gate invariant predicates filled + STOP routing
outcome : G3 PASS — 36 predicates filled, 0 _todo_o2 remain
production_mutation : NONE
1. Predicate authoring approach
GATE_INVARIANTS is a registry of (name, predicate) pairs per
InternalGate. In O1 every predicate was _todo_o2 (raised
NotImplementedError). In O2 we replace them with closures that
inspect RunContext — specifically ctx.context_pins,
ctx.sovereign_approvals, ctx.phases, and the load-bearing dataclass
attrs ctx.source_document_id / ctx.source_version_id.
Six closure helpers compose into every predicate; each takes its argument at registry-build time and returns a closure over ctx:
def _pin_present(key) → True iff key in ctx.context_pins and ctx.context_pins[key] not in (None, "")
def _pin_true(key) → True iff bool(ctx.context_pins.get(key, False))
def _pin_equals(k, v) → True iff ctx.context_pins.get(k) == v
def _phase_passed(p) → True iff ctx.phases[p].result == "passed"
def _has_approval(g) → True iff any(a.gate == g for a in ctx.sovereign_approvals)
def _attr_present(a) → True iff getattr(ctx, a) not in (None, "")
Invariants the helpers cannot express (row counts, cardinality matches, size > 0) are written as inline closures; the table below marks those "inline".
Why "presence + shape" instead of live-DB assertion
Two reasons:
- Decoupling. Live-DB assertions belong inside phase bodies (they own the IO). The gate registry is the audit-trail surface; it records named evidence onto PhaseRecord.gate_invariants so the KB report can show "11/11 invariants passed" without re-doing IO. The invariant name therefore describes the evidence the phase body is obliged to produce; the gate attests that the evidence was pinned, not that the recomputation behind it was done.
- No-silent-skip preservation. If a phase body forgot to pin a required key, the gate predicate fails and the run STOPs with a named invariant. This protects against silent omissions.
2. Per-gate invariant table

| Gate | Invariant name | Predicate |
|---|---|---|
| IG_SOURCE_PIN | source_document_row_exists | _attr_present("source_document_id") |
| | latest_source_version_row_exists | _attr_present("source_version_id") |
| | manifest_digest_recomputed_matches | _pin_present("manifest_digest") |
| IG_MARK | region_sha_rebuilt_matches | _pin_present("region_sha") |
| | rowset_size_positive_and_within_cap | inline: 0 < count ≤ 1000 |
| | mark_rowset_sha_recorded | _pin_present("mark_rowset_sha") |
| IG_CUTPLAN | writer_digest_stable_across_two_rebuilds | _pin_present("writer_digest") |
| | rowset_cardinality_matches_mark | inline: confirmed == candidate_count |
| | vocab_map_covers_every_row | _pin_present("cutplan_payload_sha") |
| | idempotency_key_set_distinct | _pin_present("cutplan_payload_sha") |
| IG_BACKUP | backup_target_reachable | _pin_present("backup_sha") |
| | gpg_pubkey_fpr_matches_pin | _pin_present("backup_gpg_fpr") |
| | backup_sha_recorded | _pin_present("backup_sha") |
| | sidecar_meta_written | inline: backup_size_bytes > 0 |
| IG_GRANT_PROBE | cutter_exec_has_execute_on_canonical_fns | _pin_present("grant_probe_sha") |
| | cutter_verify_has_select_insert_on_verify_result | _pin_present("grant_probe_sha") |
| | directus_has_select_on_review_decision | _pin_present("grant_probe_sha") |
| | no_public_execute_leak_on_governance_writers | _pin_present("grant_probe_sha") |
| IG_CUT_LEG_A_EXECUTE | approval_kb_id_validated | _has_approval(SG_1) |
| | approval_doc_authorizes_doc_writer_digest | _pin_present("writer_digest") |
| | fn_iu_create_called_exactly_n_times | inline: row_count == confirmed |
| | txn_committed_no_silent_autocommit_reset | _pin_true("cut_leg_a_committed") |
| | lifecycle_status_uniform_draft_post_write | _pin_true("lifecycle_status_uniform_draft") |
| IG_STRUCTURAL_VERIFY | eleven_bool_probe_matches_cutplan | _pin_present("structural_verify_payload_sha") |
| | section_type_cardinality_matches | _pin_true("structural_verify_passed") |
| | forbidden_id_intrusion_zero | _pin_true("structural_verify_passed") |
| IG_LEG_B_RECORD | change_set_id_unique | _pin_present("change_set_id") |
| | manifest_envelope_id_present | _pin_present("manifest_envelope_id") |
| | executor_signature_id_present | _pin_present("executor_signature_id") |
| | g_leg_b_once_no_duplicates | _pin_true("leg_b_committed") |
| | lane_overlap_invariants_pass | _pin_present("leg_b_payload_sha") |
| IG_WRITE_VERIFY | verifier_principal_is_cutter_verify | _pin_equals("verifier_principal", "cutter_verify") |
| | verify_result_inserted | _pin_present("verify_result_id") |
| | verifier_signature_inserted | _pin_present("verifier_signature_id") |
| | g_verify_once_one_per_change_set_id | _pin_true("write_verify_passed") |
| IG_LIFECYCLE_ENACT_EXECUTE | review_decision_id_matches_sg2_approval | _pin_present("review_decision_id") |
| | fn_iu_enact_called_n_times_one_txn | inline: enacted_count == confirmed |
| | all_returns_status_enacted | _pin_true("lifecycle_enacted") |
| | iu_lifecycle_log_row_count_equals_n | _pin_true("lifecycle_enacted") |
| | immut_triggers_enabled_O_post_enact | _pin_true("immut_triggers_enabled_o") |
| IG_CLOSEOUT | all_phase_docs_uploaded | _pin_true("all_phase_docs_uploaded") |
| | sidecar_state_finalized_success | _pin_equals("sidecar_state_final", "success") |
| | runs_index_appended | _pin_true("runs_index_appended") |
Total: 41 named predicates (38 from the O1 design + 3 additions where the O2 audit found load-bearing invariants the design summary had collapsed). Every predicate is callable; none raises NotImplementedError. Where several invariants read the same pin (the four IG_GRANT_PROBE names all check grant_probe_sha; two IG_CUTPLAN names both check cutplan_payload_sha), the gate can only report them together: the per-name discrimination lives in the phase body that computes that digest, and a missing pin fails every name that depends on it.
3. STOP routing
evaluate_internal(gate, ctx, allow_skeleton_pass=False):
- iterate predicates
- capture NotImplementedError → re-raise as StopInvariantFailed
(defensive; should never fire post-O2)
- record ok/fail onto ctx.phases[<latest>].gate_invariants[name]
- if any failures → raise StopInvariantFailed("gate G failed: name1, name2, …")
- no silent skip, no partial pass
allow_skeleton_pass=True (legacy O1 path):
- records every name as ok=True without invoking predicate
- retained ONLY so the O1 test surface stays stable
- production callers MUST pass False
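The helpers from section 1 and the STOP routing above, as one runnable model added here. This is example code reconstructed from this summary, not the orchestrator's own module: the dataclass layouts (RunContext, PhaseRecord, Approval), the explicit phase argument to evaluate_internal (the summary writes ctx.phases[<latest>]), the pin key mark_rowset_count behind the inline cap check, and every sample pin value are assumptions. The registry carries three gates from the table; the remaining rows compose from the same helpers.

```python
# Added example, not the orchestrator's own code: a minimal model of the GATE_INVARIANTS
# registry, the six closure helpers and evaluate_internal. Assumed rather than taken from
# the summary: the dataclass layouts, the explicit `phase` argument, pin key mark_rowset_count.
from dataclasses import dataclass, field, make_dataclass
from typing import Callable, Dict, List, Optional

class StopInvariantFailed(Exception): pass        # STOP routing: raised on any failed predicate

@dataclass
class PhaseRecord:
    result: str = "pending"                       # "passed" | "failed" | "pending"
    gate_invariants: Dict[str, bool] = field(default_factory=dict)  # audit-trail surface

Approval = make_dataclass("Approval", [("gate", str)])  # sovereign approval, e.g. gate="SG_1"

@dataclass
class RunContext:
    context_pins: Dict[str, object] = field(default_factory=dict)
    sovereign_approvals: List[Approval] = field(default_factory=list)
    phases: Dict[str, PhaseRecord] = field(default_factory=dict)
    source_document_id: Optional[str] = None
    source_version_id: Optional[str] = None

Predicate = Callable[[RunContext], bool]
# Closure helpers (the six from section 1): each call returns a predicate over RunContext.
def _pin_present(key: str) -> Predicate:
    return lambda ctx: ctx.context_pins.get(key) not in (None, "")
def _pin_true(key: str) -> Predicate:
    return lambda ctx: bool(ctx.context_pins.get(key, False))
def _pin_equals(key: str, value: object) -> Predicate:
    return lambda ctx: ctx.context_pins.get(key) == value
def _phase_passed(phase: str) -> Predicate:
    return lambda ctx: phase in ctx.phases and ctx.phases[phase].result == "passed"
def _has_approval(gate: str) -> Predicate:
    return lambda ctx: any(a.gate == gate for a in ctx.sovereign_approvals)
def _attr_present(attr: str) -> Predicate:
    return lambda ctx: getattr(ctx, attr, None) not in (None, "")

def _count_within_cap(key: str, cap: int) -> Predicate:   # the "inline" predicate shape
    def pred(ctx: RunContext) -> bool:
        n = ctx.context_pins.get(key)
        return type(n) is int and 0 < n <= cap          # None, "", bool and str never pass
    return pred

def _todo_o2(ctx: RunContext) -> bool:                    # the O1 stub shape
    raise NotImplementedError("_todo_o2")

# Three gates from the table, enough to exercise every helper kind the registry uses.
GATE_INVARIANTS = {
    "IG_SOURCE_PIN": [
        ("source_document_row_exists", _attr_present("source_document_id")),
        ("latest_source_version_row_exists", _attr_present("source_version_id")),
        ("manifest_digest_recomputed_matches", _pin_present("manifest_digest")),
    ],
    "IG_MARK": [
        ("region_sha_rebuilt_matches", _pin_present("region_sha")),
        ("rowset_size_positive_and_within_cap", _count_within_cap("mark_rowset_count", 1000)),
        ("mark_rowset_sha_recorded", _pin_present("mark_rowset_sha")),
    ],
    "IG_CUT_LEG_A_EXECUTE": [
        ("approval_kb_id_validated", _has_approval("SG_1")),
        ("txn_committed_no_silent_autocommit_reset", _pin_true("cut_leg_a_committed")),
    ],
}

def evaluate_internal(gate, ctx, phase, allow_skeleton_pass=False):
    """Record ok/fail per predicate on the phase's audit record, then STOP if any failed."""
    record = ctx.phases.setdefault(phase, PhaseRecord())
    failed = []
    for name, pred in GATE_INVARIANTS[gate]:
        if allow_skeleton_pass:                       # legacy O1 path: never invokes pred
            ok = True
        else:
            try:
                ok = bool(pred(ctx))
            except NotImplementedError:               # leftover stub: a named fail, never a skip
                ok = False
        record.gate_invariants[name] = ok
        if not ok:
            failed.append(name)
    if failed:
        raise StopInvariantFailed(f"gate {gate} failed: {', '.join(failed)}")
    return record.gate_invariants

def full_context():                                   # constructed pins satisfying all three gates
    return RunContext(
        context_pins={"manifest_digest": "sha256:7c1e", "region_sha": "sha256:a91b",
                      "mark_rowset_count": 412, "mark_rowset_sha": "sha256:03f4",
                      "cut_leg_a_committed": True},
        sovereign_approvals=[Approval(gate="SG_1")],
        source_document_id="doc-0001", source_version_id="ver-0001")

def stop_reason(gate, ctx, phase="p1"):               # None on pass, else the STOP message
    try:
        evaluate_internal(gate, ctx, phase)
    except StopInvariantFailed as exc:
        return str(exc)
    return None
```

Two design points worth noting. Anything a predicate raises other than NotImplementedError propagates unchanged; an exception inside a gate predicate is not evidence and must never be recorded as ok. And `_pin_present` deliberately treats 0 and False as present, so a count pinned as 0 passes presence; the inline cap check is where the count's type and range are actually enforced, which is why that invariant is not expressed through `_pin_present`.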
4. Tests covering G3
tests/test_orchestrator_o2_gate_invariants.py:
TestEveryPredicatePassesOnFullContext.test_every_invariant_passes
→ every InternalGate evaluator succeeds on a fully-pinned ctx
TestPredicateFailsWhenEvidenceMissing.* (13 sub-tests)
→ drops one pin per gate, asserts StopInvariantFailed
TestSkeletonPassPathStillRecords.test_skeleton_pass_does_not_raise
→ legacy allow_skeleton_pass=True path still works (O1 compat)
TestRegistryShape.test_every_internal_gate_has_at_least_two_invariants
→ registry shape invariant
TestRegistryShape.test_no_invariant_is_still_a_todo_o2
→ invokes every registered predicate; fails on any NotImplementedError
total_new_tests : 18
all_pass : True
5. Verdict
g3_outcome : PASS
predicates_filled : 41/41
predicates_remaining_todo : 0
silent_skip_paths : 0
production_mutation : NONE