KB-172A

dot-iu-cutter v0.5 WS-Q5 Production Apply — Reauthorization with workflow_admin

Revision 1
Tags: dot-iu-cutter, v0.5, ws-q5, registry-substrate, production-apply, reauthorization, workflow_admin, approved, dieu44, 2026-05-18

Date: 2026-05-18
Reviewer / decision authority: GPT
Reviewed blocked apply package: knowledge/dev/laws/dieu44-trien-khai/v0.5-ws-q5-registry-substrate-production-apply/

Reviewed files:

files:
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-execution-log-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-verification-result-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-report-2026-05-18.md

Verdict on blocked attempt

blocked_attempt_handling: PASS_CORRECT
agent_behavior: PASS_CORRECT
opus_review: CORRECT
production_changed: false
tables_created: 0
rollback_required: false
root_cause: apply_role_directus_lacks_CREATE_on_schema
DDL_defect: false
schema_drift: false

The agent handled the failed attempt correctly: no improvisation, no role switch, no GRANT, no ALTER OWNER, no retry, and it stopped with STOP_AND_ESCALATE. Production remains unchanged.


Sovereign decision

selected_option: A_REAUTHORIZE_APPLY_AS_SCHEMA_OWNER_WORKFLOW_ADMIN
production_apply_reauthorized: true
allowed_apply_role: workflow_admin
artifact: same_DDL_artifact
DDL_change_authorized: false
privilege_change_authorized: false

GPT approves re-running the same WS-Q5 production apply using the schema owner / privileged apply role workflow_admin, subject to the mandatory safeguards below.

Reason:

reason:
  - DDL artifact is already design-reviewed, command-reviewed, isolated-dry-run PASS, and production-preflight PASS
  - failure was at statement 1 due to insufficient CREATE privilege for directus
  - production is unchanged, with zero created objects
  - schema is owned by workflow_admin, so using workflow_admin is the smallest safe remedy
  - GRANTing CREATE to directus would introduce a new privilege change and is less desirable

Required re-apply procedure

Agent must run the same production apply package with only the connection/apply role changed to workflow_admin.

Before apply, Agent must rerun all mandatory checks:

mandatory_pre_apply_rerun:
  P1_readonly_preflight:
    required: true
    must_confirm:
      - production system_identifier equals 7611578671664259111
      - cutter_governance schema exists
      - all 12 target table names are still absent
      - no relevant drift since prior failed attempt

  P2_fresh_backup:
    required: true
    note: prior backup is useful but not sufficient if time has passed
    must_record:
      - safe backup identifier/path
      - timestamp
      - sha256 or integrity marker if available
      - no secrets

  P3_command_integrity:
    required: true
    must_confirm:
      - same DDL artifact / same approved SQL body
      - no CREATE SCHEMA line
      - exactly 12 CREATE TABLE statements
      - BEGIN...COMMIT transaction boundary present
      - ON_ERROR_STOP=1 or equivalent
      - connection/apply role is workflow_admin

Authorized command delta:

only_authorized_change:
  from: psql -U directus
  to: psql -U workflow_admin

No other package edit is authorized.
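
One way to automate the P3 command-integrity check together with the single authorized command delta, as an added example that is not part of the reviewed package. It assumes a SHA-256 digest of the approved SQL body was recorded at review time; the table names and the `apply.sql` file name are constructed placeholders.

```python
import hashlib
import re
import shlex

def _strip_comments(sql: str) -> str:
    """Drop /* */ and -- comments so commented-out DDL is not counted."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)

def check_sql_body(sql: str, approved_sha256: str) -> list[str]:
    """Return P3 violations in the SQL body; an empty list means pass."""
    problems = []
    if hashlib.sha256(sql.encode()).hexdigest() != approved_sha256:
        problems.append("artifact differs from approved SQL body")
    # Naive split on ';' is enough for plain DDL without ';' in string literals.
    heads = [re.sub(r"\s+", " ", s.strip()).upper()
             for s in _strip_comments(sql).split(";") if s.strip()]
    if sum(h.startswith("CREATE TABLE") for h in heads) != 12:
        problems.append("expected exactly 12 CREATE TABLE statements")
    if any(h.startswith("CREATE SCHEMA") for h in heads):
        problems.append("CREATE SCHEMA present")
    if any(re.match(r"(GRANT|REVOKE)\b|ALTER .*\bOWNER TO\b", h) for h in heads):
        problems.append("privilege or ownership change present")
    if len(heads) < 2 or heads[0] != "BEGIN" or heads[-1] != "COMMIT":
        problems.append("BEGIN...COMMIT boundary missing")
    return problems

def check_command(cmd: str) -> list[str]:
    """Return P3 violations in the psql invocation (space-separated -U/-v only)."""
    argv = shlex.split(cmd)
    following = lambda flag: [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == flag]
    problems = []
    if not argv or argv[0] != "psql":
        problems.append("not a psql invocation")
    if following("-U") != ["workflow_admin"]:
        problems.append("apply role is not workflow_admin")
    if "ON_ERROR_STOP=1" not in following("-v"):
        problems.append("ON_ERROR_STOP=1 missing")
    return problems

# Constructed sample: 12 hypothetical tables, not the real WS-Q5 DDL.
SAMPLE_SQL = "BEGIN;\n" + "".join(
    f"CREATE TABLE cutter_governance.t{i:02d} (id bigint PRIMARY KEY);\n"
    for i in range(1, 13)) + "COMMIT;\n"
# Assumption: the review recorded a SHA-256 of the approved SQL body.
APPROVED_SHA256 = hashlib.sha256(SAMPLE_SQL.encode()).hexdigest()
SAMPLE_CMD = "psql -U workflow_admin -v ON_ERROR_STOP=1 -f apply.sql"  # placeholder file

if __name__ == "__main__":
    print(check_sql_body(SAMPLE_SQL, APPROVED_SHA256), check_command(SAMPLE_CMD))
```

Both functions are deliberately conservative: an attached `-Uworkflow_admin` form or an in-file `\set ON_ERROR_STOP on` is reported as a violation rather than accepted as an equivalent.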


Rollback / failure handling

on_success:
  - run production verification command package immediately
  - require expected delta: +12 tables, +12 PK, +8 FK, +4 UNIQUE
  - require no unintended CHECK/trigger/DEFAULT/enum
  - write execution + verification + report files
  - stop and route to GPT/User

on_failure:
  - do not improvise
  - if no objects created, report BLOCKED/FAILED and stop
  - if some objects created but transaction did not commit, verify unchanged and stop
  - if committed but verification fails and rollback assumptions hold, use rollback package only if safe
  - otherwise STOP_AND_ESCALATE

Still forbidden

forbidden:
  - GRANT / role change
  - ALTER SCHEMA OWNER
  - DDL artifact modification except role invocation outside SQL body
  - any object outside the 12 allowed tables
  - DML seed execution
  - evidenced_by vocab amend
  - Cap-4 checker change
  - index DDL execution
  - Directus mutation
  - vector/NoSQL integration
  - CUT
  - VERIFY
  - data backfill
  - deploy/restart
  - git commit
  - self-advance to downstream cycles

Required output

Append or create a new reauthorized apply package under:

knowledge/dev/laws/dieu44-trien-khai/v0.5-ws-q5-registry-substrate-production-apply/

Required files:

files:
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-reauthorized-execution-log-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-reauthorized-verification-result-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-production-apply-reauthorized-report-2026-05-18.md

Report must state:

required_report_fields:
  - reauthorized_apply_status: PASS | FAIL | BLOCKED | ROLLED_BACK
  - apply_role_used: workflow_admin
  - preflight_rerun_result
  - fresh_backup_status
  - command_integrity_result
  - tables_created
  - verification_summary
  - rollback_status_if_any
  - downstream_not_executed

Final status

status: REAUTHORIZE_PRODUCTION_APPLY_WITH_WORKFLOW_ADMIN
next_action: rerun_P1_P2_P3_then_apply_same_artifact_as_workflow_admin

knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.5-WS-Q5-production-apply-reauthorization-workflow-admin-2026-05-18.md