KB-3820
Orchestrator O2 · 05 Security + Hardcode + Boundary Check
Revision 1
doc 5 of 7 · 2026-05-20 · G5 gate
phase : G5 — hardcode/security/boundary audit on O2 surface
outcome : G5 PASS — 0 secret literals, 0 module-level PIN_*, killswitch off, USER_REFUSED_ARGS enforced
production_mutation : NONE
1. Module-level PIN_* audit
$ grep -rnE "PIN_[A-Z_]+\s*=" cutter_agent/orchestrator/ \
tests/test_orchestrator_o2_*.py tests/_orchestrator_o2_harness.py
(no output)
Programmatic audit via the orchestrator's own policy.assert_no_module_level_pins:
PIN_* audit PASS — no module-level PIN_* across 11 orchestrator modules
PIN_* audit PASS — no module-level PIN_* across 11 phase modules
22 modules scanned (11 top-level + 11 phase). Zero offenders.
The O1 invariant in tests/test_orchestrator_o1_run_context.py::TestNoModuleLevelPins continues to pass on the O2-extended surface.
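An AST-based version of this audit, as an added example (not the project's policy.assert_no_module_level_pins, whose body is not shown on this page). The grep above is line-based, so it cannot tell module scope from function scope and does not match annotated or tuple assignments; the function name find_module_level_pins and the sample module are assumptions constructed for illustration.

```python
import ast

# Hypothetical stand-in for a module-level PIN_* audit; not the project's code.
def find_module_level_pins(source: str, filename: str = "<module>") -> list[tuple[int, str]]:
    """Return (lineno, name) for every PIN_* name bound at module scope."""
    offenders = []
    tree = ast.parse(source, filename=filename)
    for node in tree.body:  # top-level statements only; function/class bodies are skipped
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, (ast.AnnAssign, ast.AugAssign)):
            targets = [node.target]
        else:
            continue
        for target in targets:
            for sub in ast.walk(target):  # descends into tuple/list targets
                if (isinstance(sub, ast.Name)
                        and isinstance(sub.ctx, ast.Store)
                        and sub.id.startswith("PIN_")):
                    offenders.append((node.lineno, sub.id))
    return offenders


# Constructed sample module source (not taken from the audited code base).
SAMPLE = '''\
_SIMULATED_FPR = "SIMULATED-DRYRUN-GPG-FPR-NOT-A-REAL-KEY"
PIN_REGION: str = "abc"          # annotated assignment: the grep regex misses it
PIN_A, other = 1, 2              # tuple target: the grep regex misses it
def run(ctx):
    PIN_LOCAL = 3                # function-local: grep would flag it, the AST audit does not
    ctx.pin("region_sha", "abc") # per-run pin, allowed
# PIN_COMMENTED = 4
'''


def audit_sample():
    return find_module_level_pins(SAMPLE)


if __name__ == "__main__":
    for lineno, name in audit_sample():
        print(f"line {lineno}: module-level {name}")
```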
2. Secret / DSN / credential literal scan
$ grep -rnE "(postgres(ql)?://[^/[:space:]\"']*:[^@[:space:]\"']+@|\
PGPASSWORD[[:space:]]*=[[:space:]]*['\"]|\
DATABASE_URL[[:space:]]*=[[:space:]]*['\"]|\
PG_DSN[[:space:]]*=[[:space:]]*['\"])" \
cutter_agent/orchestrator/ \
tests/test_orchestrator_o2_*.py tests/_orchestrator_o2_harness.py
(no output)
Notes:
- The O2 backup.py carries a placeholder constant _SIMULATED_FPR = "SIMULATED-DRYRUN-GPG-FPR-NOT-A-REAL-KEY" — a self-labelled marker, not a key. The leading underscore makes it module-private and explicitly excluded from the PIN_* audit.
- The harness writes synthetic Markdown approval docs and never embeds any credential. _orchestrator_o2_harness.py scan: 0 hits.
- No phase body imports psycopg, opens a connection, calls subprocess, or invokes pg_dump/gpg. Live wiring is deferred to macro O4 with a fresh sovereign ruling.
  grep -rn "psycopg\|connect(\|cursor(\|pg_dump\|subprocess\|os\.popen\|gpg --" returns only docstring references describing what O4 will add.
3. Production-execution kill-switch
location : cutter_agent/orchestrator/__init__.py:29
value : __execution_enabled__ = False
unchanged_by : O2 macro (only docstring + milestone tag changed)
guards_consuming_the_flag :
- runner.py:121 (refuses Mode.LIVE in runner.cut)
- phases/backup.py:32 (refuses Mode.LIVE while False)
- phases/cut_leg_a.py:37
- phases/leg_b_record.py:35
- phases/write_verify.py:35
- phases/lifecycle_enact.py:36
total_guards : 6 (1 runner + 1 backup + 4 mutating phases)
mutating_phase_guard_coverage : 4/4 (cut_leg_a, leg_b_record, write_verify,
lifecycle_enact)
test_assertion : TestKillSwitchOff.test_kill_switch_remains_off_in_o2
flipped_in_o2 : NO
flip_authority : sovereign-only ruling in macro O4+
4. USER_REFUSED_ARGS — no-user-artifact policy
policy_module : cutter_agent/orchestrator/policy.py
size : 20 names (unchanged from O1)
categories:
secret_shaped : dsn, database_url, pg_dsn, pgpassword,
password, api_key, api_token, bearer,
token, secret
runtime_id_shaped : manifest_digest, region_sha, writer_digest,
change_set_id, review_decision_id,
manifest_envelope_id, executor_signature_id,
verify_result_id, verifier_signature_id,
candidate_count
bypass_shaped : force, skip_verify, no_backup, skip_backup,
no_drift_check, skip_drift_check
runtime_smoke_test:
- assert_no_user_artifact({"dsn":"x"}) → StopRefusedInput ✓
- assert_no_user_artifact({"pgpassword":"x"}) → StopRefusedInput ✓
- assert_no_user_artifact({"manifest_digest":"x"}) → StopRefusedInput ✓
- assert_no_user_artifact({"change_set_id":"x"}) → StopRefusedInput ✓
- assert_no_user_artifact({"review_decision_id":"x"}) → StopRefusedInput ✓
- assert_no_user_artifact({"force":True}) → StopRefusedInput ✓
- assert_no_user_artifact({"skip_verify":True}) → StopRefusedInput ✓
- assert_no_user_artifact({"no_drift_check":True}) → StopRefusedInput ✓
result : 8/8 representative names refused
o1_tests_still_pass : TestNoUserArtifactPolicy (4 cases) ✓
5. Per-run hardcode-safety (context_pins)
storage : RunContext.context_pins (per-run dict)
write_path : RunContext.pin(key, value)
secret_denylist_at_write_time : {pgpassword, password, secret, token, bearer,
dsn, database_url, pg_dsn, api_key, api_token,
private_key, gpg_secret, kms_key}
— ValueError on any key whose lower()
contains a denylist token.
serialization_strip_at_output : to_jsonable() filters context_pins by the
same denylist (belt + braces).
o2_new_pins_introduced :
- region_sha (computed; not user-supplied)
- mark_rowset_sha (computed)
- writer_digest (computed by cutplan)
- candidate_count (counted)
- candidate_count_confirmed (counted)
- cutplan_payload_sha (computed)
- cutplan_rows (rowset payload; JSON-safe)
- backup_sha (computed)
- backup_size_bytes (counted)
- backup_gpg_fpr (placeholder for DRYRUN; real fpr from
GSM in O4 via env-injection, never a literal)
- backup_mode (echo of ctx.mode.value)
- grant_probe_sha (computed from discoverer snapshot)
- change_set_id (minted by cut_leg_a; UUID4 from sha256)
- cut_leg_a_simulated (boolean)
- cut_leg_a_committed (boolean)
- cut_leg_a_row_count (counted)
- lifecycle_status_uniform_draft (boolean)
- structural_verify_payload_sha (computed)
- structural_verify_passed (boolean)
- manifest_envelope_id (deterministic UUID from change_set_id)
- executor_signature_id (deterministic UUID)
- leg_b_committed (boolean)
- leg_b_payload_sha (computed)
- verifier_principal (string literal "cutter_verify" — role name)
- verify_result_id (deterministic UUID)
- verifier_signature_id (deterministic UUID)
- write_verify_passed (boolean)
- review_decision_id (mirrored from SG_2 approval doc)
- lifecycle_enacted_count (counted)
- lifecycle_enacted (boolean)
- immut_triggers_enabled_o (boolean)
- closeout_summary_sha (computed)
- all_phase_docs_uploaded (boolean)
- sidecar_state_final (string literal "success")
- runs_index_appended (boolean)
verdict : every O2 pin is computed/counted/discovered or
a known role name — NONE is user-supplied,
NONE is a secret.
6. /tmp + /opt/incomex + runtime side-channel scan
$ grep -rn "/tmp/\|/opt/incomex" cutter_agent/orchestrator/ \
tests/test_orchestrator_o2_*.py tests/_orchestrator_o2_harness.py
tests/test_orchestrator_o2_phase_bodies.py:200: ctx.pin("change_set_id", "cs-x") # test fixture only
tests/test_orchestrator_o2_phase_bodies.py:194: ctx.record_approval(ApprovalRecord(
gate=..., approval_kb_id="/tmp/x" # test fixture only
))
Hits are test fixtures only (synthetic placeholder "/tmp/x" strings
used as opaque approval_kb_id values in unit tests; no actual file
is read at those paths). Zero references in runtime code.
7. Boundary discipline
v0_5_production_modules_touched : 0
(cutter_agent/{cutplan,cutprod,cutprod_canonical,cutwrite,
db_adapter,dryrun,ledger,ledger_v2_canonical_cut,
ledger_v2_canonical_verify,phases,prod_iu_adapter,
prod_iu_adapter_canonical,signing,state_machine}.py
bodies are UNCHANGED in O2)
sql_lifecycle_DDL_touched : 0
(sql/lifecycle/* bundles A..E remain at the M3a-ratified state on main)
source_document_or_source_version_mutation : NONE
StubSigning_replaced : NO (deferred to O6 per design DQ_2)
new_python_imports_outside_stdlib : 0
new_runtime_dependencies : 0
8. Verdict
g5_outcome : PASS
no_module_pin_breach : 22/22 modules clean
no_secret_literal : 0 hits across 5 patterns
killswitch_intact : True (__execution_enabled__ = False; 6 guards consuming it)
user_refused_args : 20 names; 8/8 representative refusals confirmed
v0_5_modules_touched : 0
production_mutation : NONE