KB-9DA7

dot-iu-cutter v0.5 WS-Q5 Seed + Privilege Revised Package — Command Review and Execution Approval

Revision 1

Date: 2026-05-18
Reviewer / decision authority: GPT
Reviewed package: knowledge/dev/laws/dieu44-trien-khai/v0.5-ws-q5-seed-privilege-revised-command-package/

Reviewed files:

files:
  - dot-iu-cutter-v0.5-WS-Q5-seed-data-revised-draft-2026-05-18.sql.md
  - dot-iu-cutter-v0.5-WS-Q5-seed-rollback-revised-draft-2026-05-18.sql.md
  - dot-iu-cutter-v0.5-WS-Q5-privilege-grant-revised-draft-2026-05-18.sql.md
  - dot-iu-cutter-v0.5-WS-Q5-privilege-rollback-revised-draft-2026-05-18.sql.md
  - dot-iu-cutter-v0.5-WS-Q5-seed-privilege-revised-verification-plan-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-seed-privilege-revised-command-package-report-2026-05-18.md

Verdict

seed_privilege_revised_package: PASS_FOR_CONTROLLED_EXECUTION
agent_behavior: PASS_CORRECT
rulings_applied: true
forbidden_respected: true
DML_executed: false
GRANT_executed: false
production_write_yet: false
execution_authorized: true
scope: revised_seed_subset_plus_revised_privileges_only

The revised package correctly applies GPT's prior command-review rulings. GPT approves a controlled production execution phase for the revised seed subset and revised privilege grants, subject to the mandatory preflight, backup, sequencing, verification, and stop conditions below.


Approved execution scope

Seed data

Approved seed execution is limited to 31 rows / 8 tables:

approved_seed_counts:
  matcher_config_registry: 8
  address_template_registry: 2
  grammar_profile: 2
  grammar_profile_level: 8
  grammar_profile_status_marker: 2
  entity_kind_registry: 5
  source_family_registry: 3
  metadata_key_registry: 1
  total: 31

Approved source families:

approved_source_family_seed_subset:
  - internal_incomex_constitution
  - internal_incomex_law
  - external_government_law

Explicitly deferred source families:

deferred_source_families_not_to_seed:
  - internal_process
  - sql_entity
  - code_artifact
  - report
  - lesson
  - architecture_note

Approved metadata key seed:

metadata_key_registry:
  - idempotency_key

Approved entity kind seed:

entity_kind_registry:
  - sql_entity
  - code_module
  - git_file
  - directus_item
  - report_path

Privileges

Approved privilege execution is limited to these grants on the 12 new WS-Q5 tables only:

approved_grant_matrix:
  cutter_ro: SELECT x 12
  cutter_exec: SELECT, INSERT x 12
  cutter_verify: SELECT x 12

Explicitly not approved:

not_approved_privileges:
  - UPDATE, including UPDATE(lifecycle)
  - DELETE
  - TRUNCATE
  - REFERENCES
  - TRIGGER
  - GRANT ALL
  - PUBLIC grants
  - WITH GRANT OPTION
  - owner change
  - role membership change

Schema USAGE:

schema_usage:
  expected: already present for cutter_ro, cutter_exec, cutter_verify
  action: do not GRANT USAGE if preflight confirms already present
  if_missing: STOP_AND_ESCALATE unless the exact conditional GRANT USAGE path is explicitly reapproved

Required production execution sequence

sequence:
  1: mandatory pre-execution checks
  2: fresh backup
  3: execute seed DML as workflow_admin
  4: verify seed data
  5: execute revised privilege grants
  6: verify privileges
  7: report and stop

Seed execution role:

seed_execution_role: workflow_admin

Grant execution role:

grant_execution_role: workflow_admin

Do not use cutter_exec to run bootstrap seed.


Mandatory pre-execution checks

Before any seed DML or GRANT, Agent must verify and record:

pre_execution_checks:
  P1_target:
    - production system_identifier equals 7611578671664259111
    - cutter_governance schema exists

  P2_table_state:
    - 12 WS-Q5 tables exist
    - the 8 seed-target tables are empty, unless a prior authorized seed attempt is explicitly detected and escalated
    - 4 expected-zero tables are empty:
        - entity_reference_registry
        - source_document_registry
        - source_document_version_registry
        - authority_override

  P3_roles:
    - workflow_admin exists
    - cutter_ro exists
    - cutter_exec exists
    - cutter_verify exists

  P4_schema_usage:
    - cutter_ro has USAGE on cutter_governance
    - cutter_exec has USAGE on cutter_governance
    - cutter_verify has USAGE on cutter_governance
    - if any missing: STOP_AND_ESCALATE; do not silently GRANT USAGE

  P5_command_integrity:
    - seed draft matches revised package
    - grant draft matches revised package
    - no UPDATE(lifecycle) grant
    - no deferred source families in seed DML
    - no GRANT ALL / PUBLIC / owner change
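The P1-P4 checks above written as one read-only PostgreSQL preflight. This is an added illustration, not a file from the reviewed package; it uses only values stated in this review (the production system_identifier, the cutter_governance schema, the 12 WS-Q5 table names and the four roles) and assumes PostgreSQL 10 or later for to_regclass(text). Any failed check raises an exception, so the session stops with the BLOCKED outcome the review requires and nothing is granted or written.

```sql
-- Added example (not part of the reviewed package): read-only preflight for
-- P1-P4, run as workflow_admin before any seed DML or GRANT. P5 (command
-- integrity) is a file comparison and is not covered here.
DO $$
DECLARE
    expected_sysid  bigint := 7611578671664259111;  -- production cluster, from the review
    observed_sysid  bigint;
    tbl             text;
    r               text;
    n               bigint;
    failures        text[] := '{}';
    -- 8 seed-target tables followed by the 4 expected-zero tables = 12 WS-Q5 tables
    ws_q5_tables    text[] := ARRAY[
        'matcher_config_registry', 'address_template_registry',
        'grammar_profile', 'grammar_profile_level',
        'grammar_profile_status_marker', 'entity_kind_registry',
        'source_family_registry', 'metadata_key_registry',
        'entity_reference_registry', 'source_document_registry',
        'source_document_version_registry', 'authority_override'];
    roles           text[] := ARRAY['workflow_admin', 'cutter_ro', 'cutter_exec', 'cutter_verify'];
    grantees        text[] := ARRAY['cutter_ro', 'cutter_exec', 'cutter_verify'];
BEGIN
    -- P1: we are on the intended production cluster and the target schema exists
    SELECT system_identifier INTO observed_sysid FROM pg_control_system();
    IF observed_sysid <> expected_sysid THEN
        failures := failures || format('P1 system_identifier is %s', observed_sysid);
    END IF;
    IF NOT EXISTS (SELECT 1 FROM pg_namespace WHERE nspname = 'cutter_governance') THEN
        failures := failures || 'P1 schema cutter_governance missing';
    END IF;

    -- P2: all 12 tables exist and every one is empty before the seed runs.
    -- A non-empty seed target may be a prior seed attempt: escalate, never overwrite.
    FOREACH tbl IN ARRAY ws_q5_tables LOOP
        IF to_regclass(format('cutter_governance.%I', tbl)) IS NULL THEN
            failures := failures || format('P2 table %s missing', tbl);
            CONTINUE;
        END IF;
        EXECUTE format('SELECT count(*) FROM cutter_governance.%I', tbl) INTO n;
        IF n <> 0 THEN
            failures := failures || format('P2 table %s has %s rows', tbl, n);
        END IF;
    END LOOP;

    -- P3: execution role and the three grantee roles exist
    FOREACH r IN ARRAY roles LOOP
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = r) THEN
            failures := failures || format('P3 role %s missing', r);
        END IF;
    END LOOP;

    -- P4: USAGE is already present; missing USAGE is a stop, never a silent GRANT
    FOREACH r IN ARRAY grantees LOOP
        IF NOT has_schema_privilege(r, 'cutter_governance', 'USAGE') THEN
            failures := failures || format('P4 %s lacks USAGE on cutter_governance', r);
        END IF;
    END LOOP;

    IF cardinality(failures) > 0 THEN
        RAISE EXCEPTION 'STOP_AND_ESCALATE (preflight BLOCKED): %',
            array_to_string(failures, '; ');
    END IF;
    RAISE NOTICE 'preflight P1-P4 PASS on system_identifier %', observed_sysid;
END $$;
```

The block performs no writes, so it can be re-run freely; the NOTICE line and, on failure, the exception text are what the execution log should record for the pre_execution_checks field of the report.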

Mandatory fresh backup:

backup:
  required: true
  type: pg_dump or approved equivalent
  must_record:
    - safe backup path / identifier
    - timestamp
    - sha256 or integrity marker if available
    - no secrets

If any pre-execution check fails, Agent must stop and upload a BLOCKED report.


Verification requirements

After seed:

seed_verification:
  expected_total_rows: 31
  expected_counts:
    matcher_config_registry: 8
    address_template_registry: 2
    grammar_profile: 2
    grammar_profile_level: 8
    grammar_profile_status_marker: 2
    entity_kind_registry: 5
    source_family_registry: 3
    metadata_key_registry: 1
    entity_reference_registry: 0
    source_document_registry: 0
    source_document_version_registry: 0
    authority_override: 0
  must_confirm:
    - exact key sets from revised verification plan
    - no deferred source families present
    - FK integrity PASS
    - address template uses locked separator scheme
    - UTF-8 status markers exact by codepoint
    - idempotency_key policies match revised plan
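The expected_counts check above as a single PostgreSQL query, followed by the source-family set check. This is an added illustration, not the package's verification plan; table names and counts are those listed on this page. The second statement assumes the registry's key column is named source_family_key, which is an assumption, not a fact from this review; the other must_confirm items (exact key sets, FK integrity, separator scheme, codepoint checks) remain separate steps of the revised plan.

```sql
-- Added example (not part of the reviewed package): post-seed row counts.
-- Every row must show pass = true, including the TOTAL row (31).
WITH expected(table_name, expected_rows) AS (
    VALUES ('matcher_config_registry', 8),
           ('address_template_registry', 2),
           ('grammar_profile', 2),
           ('grammar_profile_level', 8),
           ('grammar_profile_status_marker', 2),
           ('entity_kind_registry', 5),
           ('source_family_registry', 3),
           ('metadata_key_registry', 1),
           ('entity_reference_registry', 0),
           ('source_document_registry', 0),
           ('source_document_version_registry', 0),
           ('authority_override', 0)
),
observed(table_name, observed_rows) AS (
    SELECT 'matcher_config_registry', count(*) FROM cutter_governance.matcher_config_registry
    UNION ALL SELECT 'address_template_registry', count(*) FROM cutter_governance.address_template_registry
    UNION ALL SELECT 'grammar_profile', count(*) FROM cutter_governance.grammar_profile
    UNION ALL SELECT 'grammar_profile_level', count(*) FROM cutter_governance.grammar_profile_level
    UNION ALL SELECT 'grammar_profile_status_marker', count(*) FROM cutter_governance.grammar_profile_status_marker
    UNION ALL SELECT 'entity_kind_registry', count(*) FROM cutter_governance.entity_kind_registry
    UNION ALL SELECT 'source_family_registry', count(*) FROM cutter_governance.source_family_registry
    UNION ALL SELECT 'metadata_key_registry', count(*) FROM cutter_governance.metadata_key_registry
    UNION ALL SELECT 'entity_reference_registry', count(*) FROM cutter_governance.entity_reference_registry
    UNION ALL SELECT 'source_document_registry', count(*) FROM cutter_governance.source_document_registry
    UNION ALL SELECT 'source_document_version_registry', count(*) FROM cutter_governance.source_document_version_registry
    UNION ALL SELECT 'authority_override', count(*) FROM cutter_governance.authority_override
)
SELECT e.table_name, e.expected_rows, o.observed_rows,
       e.expected_rows = o.observed_rows AS pass
FROM expected e JOIN observed o USING (table_name)
UNION ALL
SELECT 'TOTAL', 31, sum(o.observed_rows), sum(o.observed_rows) = 31
FROM observed o
ORDER BY pass, table_name;

-- must_confirm: exactly the 3 approved families and none of the 6 deferred ones.
-- ASSUMPTION: the key column is named source_family_key; substitute the column
-- named in the revised verification plan. Both columns must be true.
SELECT count(*) FILTER (WHERE source_family_key IN
           ('internal_process', 'sql_entity', 'code_artifact',
            'report', 'lesson', 'architecture_note')) = 0          AS no_deferred_families,
       array_agg(source_family_key::text ORDER BY source_family_key)
         = ARRAY['external_government_law', 'internal_incomex_constitution',
                 'internal_incomex_law']                            AS approved_set_exact
FROM cutter_governance.source_family_registry;
```

Sorting by pass puts any mismatch at the top of the result, so a FAIL is visible without reading all 13 rows; a mismatch here routes to the if_seed_commits_but_verification_fails branch below rather than to a retry.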

After grants:

privilege_verification:
  cutter_ro: SELECT only on 12 new tables
  cutter_exec: SELECT and INSERT only on 12 new tables
  cutter_verify: SELECT only on 12 new tables
  must_confirm_absent:
    - UPDATE grants
    - DELETE grants
    - TRUNCATE grants
    - REFERENCES grants
    - TRIGGER grants
    - PUBLIC grants
    - WITH GRANT OPTION
    - owner changes
    - role membership changes
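The privilege_verification above as a catalog audit over the 12 WS-Q5 tables. This is an added illustration, not the package's verification plan; the approved matrix, table names and role names are those stated in this review. It reads pg_class.relacl through aclexplode rather than information_schema, because the information_schema views only show grants involving roles the current session can use, whereas relacl is the complete ACL and is readable by any role.

```sql
-- Added example (not part of the reviewed package): post-grant privilege audit.
-- First query: an empty result set is PASS; any row is a finding.
WITH ws_q5(table_name) AS (
    VALUES ('matcher_config_registry'), ('address_template_registry'),
           ('grammar_profile'), ('grammar_profile_level'),
           ('grammar_profile_status_marker'), ('entity_kind_registry'),
           ('source_family_registry'), ('metadata_key_registry'),
           ('entity_reference_registry'), ('source_document_registry'),
           ('source_document_version_registry'), ('authority_override')
),
-- the approved grant matrix: SELECT x 12 for ro/verify, SELECT + INSERT x 12 for exec
expected(grantee, privilege_type) AS (
    VALUES ('cutter_ro', 'SELECT'),
           ('cutter_exec', 'SELECT'), ('cutter_exec', 'INSERT'),
           ('cutter_verify', 'SELECT')
),
actual AS (
    SELECT c.relname::text AS table_name,
           CASE WHEN a.grantee = 0 THEN 'PUBLIC'          -- grantee OID 0 is PUBLIC
                ELSE pg_get_userbyid(a.grantee)::text END AS grantee,
           a.privilege_type,
           a.is_grantable,                                 -- true = WITH GRANT OPTION
           pg_get_userbyid(c.relowner)::text AS owner
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    JOIN ws_q5 w ON w.table_name = c.relname
    CROSS JOIN LATERAL aclexplode(c.relacl) a
    WHERE n.nspname = 'cutter_governance' AND c.relkind IN ('r', 'p')
)
-- anything held by a non-owner that is outside the matrix, plus any grant option
SELECT 'UNEXPECTED_PRIVILEGE' AS finding, a.table_name, a.grantee, a.privilege_type
FROM actual a
LEFT JOIN expected e ON e.grantee = a.grantee AND e.privilege_type = a.privilege_type
WHERE a.grantee <> a.owner AND (e.grantee IS NULL OR a.is_grantable)
UNION ALL
-- every (table, grantee, privilege) of the matrix must actually be present
SELECT 'MISSING_PRIVILEGE', w.table_name, e.grantee, e.privilege_type
FROM ws_q5 w CROSS JOIN expected e
WHERE NOT EXISTS (SELECT 1 FROM actual a
                  WHERE a.table_name = w.table_name
                    AND a.grantee = e.grantee
                    AND a.privilege_type = e.privilege_type)
ORDER BY 1, 2, 3, 4;

-- Second query: owners and role memberships. The review gives no expected
-- values for these, so compare the output with the pre-execution record; any
-- difference is an owner change or role membership change, both not approved.
SELECT 'OWNER' AS item, tablename::text AS object, tableowner::text AS value
FROM pg_tables
WHERE schemaname = 'cutter_governance'
  AND tablename IN ('matcher_config_registry', 'address_template_registry',
                    'grammar_profile', 'grammar_profile_level',
                    'grammar_profile_status_marker', 'entity_kind_registry',
                    'source_family_registry', 'metadata_key_registry',
                    'entity_reference_registry', 'source_document_registry',
                    'source_document_version_registry', 'authority_override')
UNION ALL
SELECT 'MEMBER_OF', m.rolname::text, r.rolname::text
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE m.rolname IN ('workflow_admin', 'cutter_ro', 'cutter_exec', 'cutter_verify')
   OR r.rolname IN ('workflow_admin', 'cutter_ro', 'cutter_exec', 'cutter_verify')
ORDER BY 1, 2, 3;
```

The first query covers the matrix and the first seven must_confirm_absent items in one pass (UPDATE, DELETE, TRUNCATE, REFERENCES and TRIGGER surface as UNEXPECTED_PRIVILEGE, PUBLIC appears as a grantee, WITH GRANT OPTION as is_grantable); the second query covers the last two. Run the second query once during preflight as well so the two outputs can be diffed.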

Rollback / failure handling

if_seed_fails_before_commit:
  - transaction rollback expected
  - verify no seed rows
  - report FAIL/BLOCKED

if_seed_commits_but_verification_fails:
  - use seed rollback only if rows match known revised seed set and no downstream references exist
  - otherwise STOP_AND_ESCALATE

if_grant_fails_before_commit:
  - transaction rollback expected
  - verify no partial grant delta
  - report FAIL/BLOCKED

if_grant_commits_but_verification_fails:
  - use privilege rollback only if it exactly matches revised REVOKE plan and no unrelated privileges are touched
  - otherwise STOP_AND_ESCALATE

Seed and grant may be executed as two separate transactions to isolate risk:

recommended_transactions:
  tx1_seed: BEGIN -> INSERT seed rows -> COMMIT -> verify seed
  tx2_grant: BEGIN -> GRANT privileges -> COMMIT -> verify privileges
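The tx2_grant shape spelled out against the approved grant matrix. This is an added illustration of the sequence above, not the package's grant draft (P5 requires that the draft itself, not this block, be what is executed); table and role names are those listed on this page. Each GRANT names one of the 12 WS-Q5 tables explicitly, so nothing outside the approved scope is reached, and the whole matrix sits in one transaction so a failure leaves no partial grant delta.

```sql
-- Added example (not the package's grant draft): tx2_grant as one transaction,
-- run as workflow_admin after tx1_seed has been verified.
--
-- Blanket forms listed as not approved in this review, shown only for contrast:
--   GRANT ALL ON ALL TABLES IN SCHEMA cutter_governance TO cutter_exec;
--     (GRANT ALL, and it reaches tables outside the 12 WS-Q5 tables)
--   GRANT SELECT ON cutter_governance.grammar_profile TO PUBLIC;
--     (PUBLIC grant)
--   GRANT SELECT ON cutter_governance.grammar_profile TO cutter_ro WITH GRANT OPTION;
--     (grant option lets the grantee re-grant)
BEGIN;

DO $$
DECLARE
    tbl           text;
    ws_q5_tables  text[] := ARRAY[
        'matcher_config_registry', 'address_template_registry',
        'grammar_profile', 'grammar_profile_level',
        'grammar_profile_status_marker', 'entity_kind_registry',
        'source_family_registry', 'metadata_key_registry',
        'entity_reference_registry', 'source_document_registry',
        'source_document_version_registry', 'authority_override'];
BEGIN
    FOREACH tbl IN ARRAY ws_q5_tables LOOP
        -- cutter_ro: SELECT x 12
        EXECUTE format('GRANT SELECT ON cutter_governance.%I TO cutter_ro', tbl);
        -- cutter_exec: SELECT, INSERT x 12 (no UPDATE, including UPDATE(lifecycle))
        EXECUTE format('GRANT SELECT, INSERT ON cutter_governance.%I TO cutter_exec', tbl);
        -- cutter_verify: SELECT x 12
        EXECUTE format('GRANT SELECT ON cutter_governance.%I TO cutter_verify', tbl);
    END LOOP;
    -- no GRANT USAGE here: P4 has already confirmed USAGE is present
END $$;

COMMIT;
```

If the DO block raises, the open transaction is aborted and COMMIT becomes a no-op rollback, which is the if_grant_fails_before_commit path; the privilege audit is then run to confirm there is no partial delta before reporting FAIL/BLOCKED.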

Still forbidden

forbidden:
  - seed any of the 6 deferred source families
  - add generic grammar profile
  - change source_family_registry nullability
  - execute UPDATE(lifecycle) grant
  - execute GRANT USAGE silently
  - GRANT ALL / PUBLIC / owner change / role membership change
  - DELETE/UPDATE existing data outside the known seed rollback path
  - evidenced_by vocab amend
  - Cap-4 checker change
  - index DDL execution
  - Directus mutation
  - vector/NoSQL integration
  - CUT
  - VERIFY
  - deploy/restart
  - git commit
  - self-advance to downstream cycles

Required output

Agent must upload execution results under:

knowledge/dev/laws/dieu44-trien-khai/v0.5-ws-q5-seed-privilege-production-execution/

Required files:

files:
  - dot-iu-cutter-v0.5-WS-Q5-seed-privilege-production-execution-log-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-seed-privilege-production-verification-result-2026-05-18.md
  - dot-iu-cutter-v0.5-WS-Q5-seed-privilege-production-report-2026-05-18.md

Report must state:

required_report_fields:
  - execution_status: PASS | FAIL | BLOCKED | ROLLED_BACK
  - backup_status
  - pre_execution_checks
  - seed_execution_status
  - seed_verification_summary
  - grant_execution_status
  - privilege_verification_summary
  - rollback_status_if_any
  - downstream_not_executed
  - next recommended cycle

Final status

status: SEED_AND_PRIVILEGE_REVISED_PACKAGE_APPROVED_FOR_CONTROLLED_EXECUTION
next_action: run_prechecks_backup_seed_verify_grant_verify_stop
Source path: knowledge/dev/laws/dieu44-trien-khai/reviews/dot-iu-cutter-v0.5-WS-Q5-seed-privilege-revised-command-review-and-execution-approval-2026-05-18.md