KB-2DD4

dot-iu-cutter v0.4 Production Credential Command-Review — GPT Review

5 min read Revision 1

dot-iu-cutterreviewv0.4credential-executioncommand-review-passproduction-execution-next

dot-iu-cutter v0.4 — Production Credential Command-Review GPT Review

Date: 2026-05-17
Reviewer: GPT
Reviewed package: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-execution/dot-iu-cutter-v0.4-production-credential-command-review-package-2026-05-17.md
Scope: Production credential command-review. This review does not itself execute production changes.

1. Verdict

v0_4_production_credential_command_review: PASS
agent_revision_needed: false
ready_for_sovereign_production_credential_execution_prompt: true
production_credential_execution_allowed_by_this_review_alone: false
secret_creation_allowed_by_this_review_alone: false
CUT_VERIFY_allowed: false
real_DB_adapter_allowed: false

The command-review package is accepted. It is ready for a separate sovereign execution prompt.

2. Accepted Command Plan

command_count: 12
commands:
  - C_01_fresh_backup
  - C_02_globals_role_state_snapshot
  - C_03_preflight
  - C_04_generate_real_strong_passwords_non_logged
  - C_05_create_secrets_in_approved_substrate_if_execution_prompt_authorizes
  - C_06_extract_and_sha_gate_sql
  - C_07_substitute_secret_placeholders_non_logged_tempfile
  - C_08_apply_credential_sql_if_execution_prompt_authorizes
  - C_09_structural_catalog_verification
  - C_10_behavioral_allow_deny_probes
  - C_11_secret_placement_audit_note
  - C_12_rollback_if_any_gate_fails

3. SHA Pins Accepted

credential_sql_sha256: 00296107e04fc8cfea536937838f720811ecb2c491eee7a81be614cb0a04d502
rollback_sql_sha256: fcba5629bb4983ad3b4cf6cf3bfc6b0b4c70d08e0c24a083436078c3981a2b14
accepted_sql_unchanged: true
accepted_rollback_unchanged: true

4. Safety Gates Accepted

safety_gates_count: 15
must_abort_on:
  - backup_failure_or_backup_age_over_60_minutes
  - production_identity_unclear
  - cutter_exec_or_cutter_verify_already_exists
  - cutter_ro_baseline_diff
  - Directus_count_diff
  - cutter_governance_not_12_tables_0_rows_12_views_19_FK
  - RLS_nonzero_or_pg_policy_diff
  - any_secret_logging_risk
  - secret_substrate_not_explicitly_authorized
  - env_edit_without_sovereign_authorization
  - SQL_or_rollback_sha_mismatch
  - structural_verification_failure
  - deny_probe_not_42501
  - connection_limit_failure
  - rollback_gate_not_clean

5. Secret Handling Accepted

secret_substrate: VPS_/opt/incomex/docker/.env
file_mode: 600
owner: root:root
secret_generation: openssl_rand_min_32_chars
secret_logging: forbidden
secret_in_argv: forbidden
secret_in_KB_or_repo: forbidden
secret_readback_print: forbidden
proposed_env_names:
  - DOT_CUTTER_EXEC_DB_USER
  - DOT_CUTTER_EXEC_DB_PASSWORD
  - DOT_CUTTER_VERIFY_DB_USER
  - DOT_CUTTER_VERIFY_DB_PASSWORD
rotation: separate_authorized_cycle
emergency_revoke: ALTER_ROLE_NOLOGIN_then_full_rollback_if_needed

6. Verification Accepted

verification_method: structural_aclexplode_set_equality
rendered_string_compare: false
behavioral_allow_probes: 20
behavioral_deny_probes: 42
expected_deny_sqlstate: 42501
connection_limit_check: true
zero_row_persistence_required: true
cutter_ro_unchanged_required: true
Directus_unchanged_required: true
RLS_unchanged_required: true

7. Rollback Accepted

rollback_model: exact_inverse_no_CASCADE
steps:
  - NOLOGIN_estop
  - terminate_writer_sessions
  - revoke_exact_grants
  - assert_memberless_owns_nothing_no_residual_privilege
  - plain_DROP_ROLE_only_if_gate_clean
  - remove_created_secrets_if_any
  - verify_baseline_restored
forbidden:
  - DROP_OWNED
  - REASSIGN_OWNED
  - CASCADE
  - blanket_REVOKE_ALL

8. Gate Effect

production_credential_command_review: closed_PASS
next_allowed_phase: production_credential_execution
requires: separate_sovereign_execution_prompt
still_forbidden_until_that_prompt:
  - create_production_roles
  - GRANT_REVOKE_in_production
  - create_or_write_real_secrets
  - edit_env
  - runtime_code_connection
  - CUT_VERIFY
  - deploy

9. Execution Prompt Recommendation

If the sovereign chooses to proceed, the prompt should explicitly authorize only:

authorized_scope:
  - execute C_01_to_C_12 exactly as reviewed
  - create cutter_exec and cutter_verify production roles
  - create approved .env secrets for these two roles only
  - apply accepted SQL SHA 00296107...
  - verify with structural + behavioral checks
  - rollback on any gate failure
non_scope:
  - real_DB_adapter
  - CUT_VERIFY
  - app_deploy
  - Directus_RLS_changes
  - any base-table row write

10. Status

ready_for_execution_prompt: true
agent_self_advance: prohibited_without_explicit_sovereign_prompt