KB-CD71

02 - O4 Dry-run Feasibility and Scope

Revision 1

G1 inspection

Existing runner behavior:

  • OrchestratorRunner.cut(..., mode=Mode.DRYRUN) does not require execution_enabled=True.
  • Mode.LIVE is refused while __execution_enabled__ is false.
  • Mutating phases already branch internally and use simulator paths in Mode.DRYRUN.
  • State machine already supports SG1 pause, resume, SG2 pause, closeout, and idempotent resume after closeout.

O3 gap:

  • LiveReadOnlyDiscoverer could survey live lifecycle state and pin it, but did not implement the full Discoverer protocol required by the runner phases.

O4 safe path selected

Build a hybrid LiveDryRunDiscoverer:

  • Use LiveReadOnlyDiscoverer to query live read-only role, lifecycle state, and grant matrix.
  • Seed an in-memory simulator rowset from live facts, especially the live icx_total=60 count.
  • Execute the existing runner in Mode.DRYRUN only.
  • Pin live facts into RunContext.context_pins during source_pin.
  • Keep production mutation impossible because all phase execution after seeding uses simulator methods.
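
A minimal sketch of the hybrid pattern in the list above, added here as an illustration and not taken from the project's code. Mode, RunContext.context_pins, source_pin, LiveDryRunDiscoverer and icx_total=60 come from the page; ReadOnlySource, the row shape, the lifecycle value, the DRYRUN-only constructor check and all method bodies are assumptions.

```python
# Added illustration. Class bodies are hypothetical, not the project's code.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DRYRUN = "dryrun"
    LIVE = "live"


class ReadOnlySource:
    """Stand-in for LiveReadOnlyDiscoverer: exposes read methods only."""
    def __init__(self, facts):
        self._facts = dict(facts)

    def survey(self):
        return dict(self._facts)  # copy: callers cannot alter the live view


@dataclass
class RunContext:
    context_pins: dict = field(default_factory=dict)


class LiveDryRunDiscoverer:
    def __init__(self, live, mode):
        if mode is not Mode.DRYRUN:  # assumed guard, mirrors the runner's LIVE refusal
            raise PermissionError("hybrid discoverer is DRYRUN-only")
        self._live, self._rows = live, []

    def source_pin(self, ctx):
        facts = self._live.survey()      # the single live, read-only query
        ctx.context_pins.update(facts)   # pin live facts for later phases
        self._rows = [{"id": i, "state": "pending"}
                      for i in range(facts["icx_total"])]

    def cut(self, row_id):
        self._rows[row_id]["state"] = "cut"  # simulator write only
        return dict(self._rows[row_id])

    def count(self, state):
        return sum(r["state"] == state for r in self._rows)


def demo():
    # Constructed sample facts; only icx_total=60 is from the page.
    live = ReadOnlySource({"icx_total": 60, "lifecycle": "constructed-value"})
    ctx, disc = RunContext(), LiveDryRunDiscoverer(live, Mode.DRYRUN)
    disc.source_pin(ctx)
    disc.cut(0)
    return ctx.context_pins, live.survey(), disc.count("cut"), disc.count("pending")
```

After the simulated cut, the live source still reports its original facts, which is the property the last bullet relies on.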

Live read-only grant feasibility

The read-only role could query privilege facts through catalogs. Live grant matrix observed during O4:

{
  "cutter_exec_execute_canonical_fns": true,
  "cutter_verify_select_insert_verify_result": true,
  "directus_select_review_decision": true,
  "no_public_execute_leak": true,
  "snapshot_sha": "45d25e38ac2dd440d0e7fdbdd6a5a20df11afbaef715002db4e46ea60bd2d600"
}

Forbidden-scope confirmation

  • No production DB write path added.
  • No live CUT/VERIFY/enact mutation.
  • No execution_enabled=True.
  • No hardcoded secret/runtime ID in repo code.
  • No StubSigning replacement.

Result

G1 PASS. O4 needed a minimal code addition, not an architecture change.

knowledge/dev/laws/dieu44-trien-khai/v0.6-orchestrator-o4-live-dryrun-orchestration/02-dryrun-feasibility-and-scope-2026-05-21.md