KB-4CB5

P9 Trigger Guard DROP Repair Log 2026-04-28

Revision 1

Scope: patch public.fn_evt_trigger_guard_drop() on directus and incomex_metadata. Executor: Claude Code via SSH contabo. Status: FAIL at precheck §1b before mutation.

Verdict

FAIL - permission precheck stopped execution before mutation.

No ALTER FUNCTION, no smoke DDL, no Gate B/C, no TAC data mutation, no seed, no roles/permissions, no DDL guard modification, no trigger_guard_alerts schema change.

Root Cause

The configured executor is database user directus, but public.fn_evt_trigger_guard_drop() is owned by workflow_admin. Live precheck showed:

  • current_user=directus
  • fn_owner=workflow_admin
  • current_is_superuser=false
  • current_is_member_of_owner=false

Per gate §1b, EXECUTE privilege is not enough evidence for ALTER. Because the current user is not the owner, a superuser, or a member of the owner role, execution must stop and report.
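
A precheck that reproduces the §1b decision in PostgreSQL, as an added example (not the gate's own SQL, which this page does not show). The exception text, the hint, and the use of the 'MEMBER' test for current_is_member_of_owner are assumptions.

```sql
-- Added example: ownership precheck before ALTER FUNCTION.
-- Run as the executor role in each target database; it only reads catalogs.
DO $$
DECLARE
    -- The cast raises an error if the function does not exist (fail closed).
    fn        regprocedure := 'public.fn_evt_trigger_guard_drop()'::regprocedure;
    fn_owner  name;
    is_owner  boolean;
    is_super  boolean;
    is_member boolean;
BEGIN
    SELECT pg_get_userbyid(p.proowner) INTO STRICT fn_owner
      FROM pg_proc p
     WHERE p.oid = fn;

    is_owner := (fn_owner = current_user);

    SELECT r.rolsuper INTO STRICT is_super
      FROM pg_roles r
     WHERE r.rolname = current_user;

    -- 'MEMBER' = direct or indirect membership in the owning role.
    -- Use 'USAGE' instead to require that the owner's privileges apply
    -- without SET ROLE (stricter for NOINHERIT memberships).
    is_member := pg_has_role(current_user, fn_owner, 'MEMBER');

    RAISE NOTICE 'current_user=% fn_owner=% is_superuser=% is_member_of_owner=%',
                 current_user, fn_owner, is_super, is_member;

    -- EXECUTE on the function is deliberately not consulted:
    -- ALTER FUNCTION requires ownership, not EXECUTE.
    IF NOT (is_owner OR is_super OR is_member) THEN
        RAISE EXCEPTION 'GATE_FAIL: % lacks ALTER privilege on %', current_user, fn
              USING HINT = 'Re-run as the function owner or a role that is a member of it.';
    END IF;
END
$$;
```

Run with psql -v ON_ERROR_STOP=1 so the raised exception ends the script before any later statement can execute.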

Raw Evidence

# Trigger Guard DROP Repair Gate Option A+ v0.3
timestamp=2026-04-28T11:46:05+02:00
host=vmi3080463
scope=directus,incomex_metadata fn_evt_trigger_guard_drop only

## PRECHECK directus
 current_user | current_database 
--------------+------------------
 directus     | directus
(1 row)

### 1b owner/admin privilege
 current_user |    fn_owner    | current_is_superuser | current_is_member_of_owner 
--------------+----------------+----------------------+----------------------------
 directus     | workflow_admin | f                    | f
(1 row)

GATE_FAIL: directus executor lacks ALTER privilege on fn_evt_trigger_guard_drop

Stop Point

Stopped before mutation. User/GPT must provide a governed execution path with an owner/admin-capable DB role or revise the gate.