03 — SENSITIVE QUARANTINE — NOT PERFORMED (held before mutation)

Status: NO MUTATION

No file was moved. No quarantine directory was created. No secret content was read or printed.

Candidate sensitive untracked items (from prior remediation packet, NOT acted on)

• .deploy-secrets.pre-rotate (secrets backup)
• prod-directus-preamend.sql.gz (production DB dump)
• dieu44 cred_* (staging credential temp)

Why deferred

Securing these is independently good hygiene, but it is a mutation of the production SSOT and several tools may reference those exact paths. Because the W7 apply is blocked at the quorum gate (file 04), there is no in-macro urgency to move them now; doing so would be an out-of-band production change unrelated to a completable apply. The conservative choice is to surface them as a recommended separate, owner-confirmed hygiene action rather than move them autonomously inside a halted apply flow.

Recommendation (for owner, separate from this halted macro)

Move the exact confirmed sensitive paths to a chmod 700 quarantine outside the repo, recording old/new path + sha256 + size + perms + reason per file, without printing contents. This should be done as its own reviewed step, not as a side effect of a blocked W7 apply.