Incomex AI Portal
KB-44BC

dot-iu-cutter v0.3 — Read-Observability DDL-Authoring Report (rollup; ready for GPT review) (2026-05-16)

6 min read Revision 1
dot-iu-cutterdieu44v0.3ddl-authoringddl-authoring-reportready-for-gpt-reviewdesign-only

dot-iu-cutter v0.3 — Read-Observability DDL-Authoring Report (rollup)

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-ddl-authoring-report-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (PENDING)
phase: v0.3 — DDL AUTHORING ONLY rollup / report
status: ready_for_gpt_review
ddl_executed: false
mutation_performed: false

⛔ DDL AUTHORING ONLY. Nothing executed: no role, no view, no GRANT/REVOKE, no RLS, no Directus change, no data, no production mutation, no dry-run env. Production was NOT touched in this step (no SQL run at all — authored from the prior read-only inspection). Self-advance PROHIBITED.

§1 — Package (6 docs, all r1, v0.3-ddl-authoring/)

1. dot-iu-cutter-v0.3-read-observability-ddl-draft-2026-05-16.sql.md
2. dot-iu-cutter-v0.3-read-observability-view-projection-spec-2026-05-16.md
3. dot-iu-cutter-v0.3-read-observability-verification-plan-2026-05-16.md
4. dot-iu-cutter-v0.3-read-observability-rollback-draft-2026-05-16.md
5. dot-iu-cutter-v0.3-read-observability-risk-review-note-2026-05-16.md
6. dot-iu-cutter-v0.3-read-observability-ddl-authoring-report-2026-05-16.md (this)
basis: GPT v0.3 design PASS; ratified B-1..B-6 (MODEL-C PG-first views;
  Agent redaction list + REVIEW REDACTED; no v0.3 audit; cutter_ro NOLOGIN
  group, binding deferred; defer app-role tightening; PG views, Directus
  field perms deferred)

§2 — DDL Summary

single_transaction: BEGIN … COMMIT
objects_created (proposed): 1 role (cutter_ro) + 12 views (cutter_governance.v_*_observe)
role cutter_ro: NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
NOT included: base-table grants, RLS, triggers, DEFAULT, CHECK, seed/data,
  Directus objects, cutter_ro_full, login/member binding, ALTER DEFAULT
  PRIVILEGES, any ALTER/DROP of a pre-existing object

§3 — View Projection Summary

12 views, one per base table; sensitive + REVIEW columns omitted
totals: 164 base columns → 134 VISIBLE / 30 REDACTED
redacted set: signature_payload, payload_envelope, payload_hash, rollback_key,
  idempotency_key, before/after_state_snapshot, reviewer_identity,
  reviewer_independence_evidence, decision_backlog_entry.payload, all findings,
  change_diff, source_span, payload_summary, candidate_edges, report_summary,
  all rationale, rollback_reason, revocation_reason, verdict_rationale,
  all scenario_ref
mechanism: PG views, default semantics (security_invoker=false) so cutter_ro
  needs NO base-table privilege — only SELECT on the views

§4 — Grants Summary

GRANT USAGE ON SCHEMA cutter_governance TO cutter_ro            (×1)
GRANT SELECT ON each cutter_governance.v_*_observe TO cutter_ro (×12)
total: 13 privilege statements; 0 on base tables; 0 write; 0 cross-schema

§5 — Verification Summary

preflight gates: PG-G1..PG-G6 (prod identity, role absent, views absent,
  base 12/0-rows, no RLS baseline, DDL sha pinned)
post checks: V-01..V-18 — role exists+flags, no membership, 12 views,
  SELECT on views (12), NO SELECT on base (12), NO write (96), schema USAGE
  scoped, redacted columns ABSENT (30), visible columns exact (134),
  no view re-exposes redacted, Directus authz counts unchanged (9/8/1173/9),
  no RLS, 0 rows, base tables unchanged (PK12/FK19), additive-only, identity
  unchanged, rollback rehearsed
method: catalog/boolean (has_*_privilege, pg_roles) not rendered-string —
  avoids the P0-6 false-negative class

§6 — Rollback Summary

single-txn reverse: REVOKE 13 → DROP VIEW IF EXISTS ×12 (NO CASCADE) →
  DROP ROLE IF EXISTS cutter_ro (guarded: memberless & owns-nothing)
post-rollback == pre-v0.3 baseline (no role/views/grants; base tables,
  Directus, RLS untouched; 0 rows; identity unchanged)
trigger: TRUE post-exec failure or explicit prompt only (no false-negative
  rollback); CASCADE not used / not justified

§7 — Risk

risk_class: STANDARD (auth-layer, read-only, empty tables, reversible)
register: R-1..R-7 each mitigated (projection leak, base-grant, escalation,
  Directus/RLS collateral, rollback over-drop, false-negative, name collision)

§8 — Readiness & Next Step

ready_for_gpt_review: YES
nothing_executed: true
production_touched: NO (authored from prior read-only inspection; no SQL run
  in this step)
next_step: GPT review of this 6-doc DDL-authoring package. If PASS →
  (separate authorization) dry-run on ephemeral isolated env → GPT dry-run
  review → production command-review → GPT command-review → explicit User
  production-execution prompt → separate execution session.
agent_self_advance: PROHIBITED

§9 — Hard Boundaries (honored)

ddl_authoring_only: TRUE
sql_executed: FALSE     role_created: FALSE     view_created: FALSE
grant_revoke_run: FALSE rls_created: FALSE      directus_touched: FALSE
collection_registered: FALSE   cutter_ro_full: FALSE   member_binding: FALSE
data_written: FALSE     production_mutated: FALSE   deploy: FALSE
CUT_or_VERIFY: FALSE    dry_run_env_provisioned: FALSE
self_advance: PROHIBITED
output_form: v0_3_read_observability_ddl_authoring_report

End of v0.3 read-observability DDL-authoring report (ready for GPT review).

Back to Knowledge Hub knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-ddl-authoring-report-2026-05-16.md