Incomex AI Portal
KB-2C3D

dot-iu-cutter v0.3 — Read-Observability DDL Draft (role + 12 views + grants; NOT executed) (2026-05-16)

10 min read Revision 1
dot-iu-cutterdieu44v0.3ddl-authoringddl-draftread-observabilitydesign-onlynot-executed

dot-iu-cutter v0.3 — Read-Observability DDL Draft

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-ddl-draft-2026-05-16.sql.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (PENDING)
phase: v0.3 — DDL AUTHORING ONLY (MODEL-C, PG-first views)
status: ddl_authored_for_gpt_review
ddl_executed: false
mutation_performed: false

AUTHORING ONLY — NOT EXECUTED. No role created, no view created, no GRANT run, no production mutation. The SQL below is the proposed canonical artefact for GPT review → dry-run → command-review → (separate) execution. Agent self-advance PROHIBITED.

§1 — Scope of This Artefact

creates (proposed): 1 PG role (cutter_ro, NOLOGIN group) + 12 read-only views
  in schema cutter_governance + 1 GRANT USAGE + 12 GRANT SELECT (views only)
single_transaction: BEGIN … COMMIT (ON_ERROR_STOP=1 at execution time)
does_NOT: grant SELECT on base tables; create RLS; create triggers/DEFAULT/
  CHECK; INSERT/seed/mutate data; touch Directus (collections/roles/policies/
  permissions); create cutter_ro_full; create login/member binding; tighten
  the existing `directus` app role; ALTER/ DROP any pre-existing object
base_tables_unchanged: the 12 cutter_governance tables are referenced read-only
  by the views; no ALTER on them

§2 — Design Notes Binding the SQL

- views run with DEFAULT view semantics (security_invoker = false). This is
  INTENTIONAL: the view executes with the view OWNER's rights on the base
  tables, so cutter_ro needs NO privilege on base tables — only SELECT on the
  views. (If PG RLS is ever introduced — separate workstream — revisit and set
  security_invoker per the RLS doc.)
- view owner at execution = the migration superuser (workflow_admin), which
  already can read the base tables.
- NO `ALTER DEFAULT PRIVILEGES`: grants are an exactly-enumerated set of 13
  (1 USAGE + 12 view SELECT). Future tables/objects are intentionally NOT
  auto-granted (prevents silent scope creep onto base tables).
- CREATE ROLE has no IF NOT EXISTS in PostgreSQL; the verification/command
  plan includes a hard preflight gate asserting cutter_ro is ABSENT before
  execution (abort on presence).
- redaction = ratified Agent list + REVIEW fields REDACTED (B-2). Narrative
  free-text (rationale, *_reason, verdict_rationale, scenario_ref) and all
  flagged jsonb are EXCLUDED from every view. Per-table projection: §4 +
  the view-projection-spec doc.

§3 — Canonical SQL (proposed; r1)

-- dot-iu-cutter v0.3 read-observability — MODEL-C PG-first
-- AUTHORING ONLY. Do NOT execute outside an authorized dry-run / command-review
-- chain. Target schema: cutter_governance (12 base tables, 0 rows).
BEGIN;

-- 1) Read-only NOLOGIN group role (least privilege; no login, no member binding)
CREATE ROLE cutter_ro
  NOLOGIN
  NOSUPERUSER
  NOCREATEDB
  NOCREATEROLE
  NOREPLICATION
  NOBYPASSRLS;
COMMENT ON ROLE cutter_ro IS
  'dot-iu-cutter v0.3 read-observability: NOLOGIN group role; SELECT only on cutter_governance.v_*_observe views; no base-table/write/Directus access.';

-- 2) Twelve read-only projection views (sensitive/REVIEW columns omitted)
CREATE VIEW cutter_governance.v_canonical_address_alias_observe AS
  SELECT alias_id, target_unit_id, alias_text, alias_kind,
         valid_from, valid_until, created_by
  FROM cutter_governance.canonical_address_alias;

CREATE VIEW cutter_governance.v_cut_change_set_observe AS
  SELECT change_set_id, manifest_id, manifest_version, review_decision_id,
         executor_tool_revision, verifier_tool_revision, tool_revision_match,
         executor_signature_id, verifier_signature_id, state,
         cut_started_at, cut_committed_at, rolled_back_at,
         affected_unit_count, rollback_initiated_by, decision_backlog_entry_id,
         emitted_by, version, risk_class
  FROM cutter_governance.cut_change_set;

CREATE VIEW cutter_governance.v_cut_change_set_affected_row_observe AS
  SELECT affected_row_id, change_set_id, target_table, target_row_id,
         operation_kind, applied_at
  FROM cutter_governance.cut_change_set_affected_row;

CREATE VIEW cutter_governance.v_decision_backlog_dependency_observe AS
  SELECT dependency_id, from_entry_id, to_entry_id, dependency_kind,
         created_at, created_by
  FROM cutter_governance.decision_backlog_dependency;

CREATE VIEW cutter_governance.v_decision_backlog_entry_observe AS
  SELECT entry_id, kind, status, emitted_at
  FROM cutter_governance.decision_backlog_entry;

CREATE VIEW cutter_governance.v_decision_backlog_history_observe AS
  SELECT history_id, entry_id, entry_version_before, entry_version_after,
         change_kind, changed_by, changed_at
  FROM cutter_governance.decision_backlog_history;

CREATE VIEW cutter_governance.v_decision_backlog_sweep_log_observe AS
  SELECT sweep_id, swept_at, swept_by, trigger_kind,
         entries_evaluated_count, entries_re_surfaced_count,
         escalations_routed_count, mirror_regenerated_at, mirror_path
  FROM cutter_governance.decision_backlog_sweep_log;

CREATE VIEW cutter_governance.v_dot_pair_signature_observe AS
  SELECT signature_id, signature_kind, signer_dot_id, signer_tool_revision,
         signed_at, cross_reference_change_set_id,
         cross_reference_verify_result_id, validation_state,
         revoked_at, revoked_by, prior_signature_id
  FROM cutter_governance.dot_pair_signature;

CREATE VIEW cutter_governance.v_manifest_envelope_observe AS
  SELECT envelope_id, operation_kind, status, source_doc_ref,
         escalation_ref, cut_change_set_ref, created_by, created_at,
         reviewer, reviewed_at, superseded_by_envelope_id
  FROM cutter_governance.manifest_envelope;

CREATE VIEW cutter_governance.v_manifest_unit_block_observe AS
  SELECT envelope_id, unit_local_id, block_role, render_order,
         target_unit_id, proposed_canonical_address, proposed_authority,
         decision_backlog_ref, created_at
  FROM cutter_governance.manifest_unit_block;

CREATE VIEW cutter_governance.v_review_decision_observe AS
  SELECT review_decision_id, governance_event_kind, manifest_id,
         manifest_version, review_scope, manifest_unit_local_id, status,
         verdict, reviewer_class, risk_class_assessment, escalation_ref,
         cut_change_set_ref, prior_review_decision_id,
         superseded_by_review_decision_id, decision_at, decided_by,
         tool_revision, review_duration_ms, cross_signed_by_dot_verifier,
         version, created_at, updated_at
  FROM cutter_governance.review_decision;

CREATE VIEW cutter_governance.v_verify_result_observe AS
  SELECT verify_result_id, change_set_id, manifest_id, manifest_version,
         review_decision_id, verify_kind, axis_1_status, axis_1_drift_count,
         axis_1_drift_unit, axis_2_status, verdict, executor_signature_id,
         verifier_signature_id, executor_tool_revision, verifier_tool_revision,
         tool_revision_match, escalation_ref, verified_at, state,
         rollback_triggered, rollback_change_set_id_triggered,
         prior_verify_result_id, canonicalization_rule_used
  FROM cutter_governance.verify_result;

-- 3) Least-privilege grants (EXACTLY enumerated; views only; no base tables)
GRANT USAGE ON SCHEMA cutter_governance TO cutter_ro;
GRANT SELECT ON cutter_governance.v_canonical_address_alias_observe       TO cutter_ro;
GRANT SELECT ON cutter_governance.v_cut_change_set_observe                TO cutter_ro;
GRANT SELECT ON cutter_governance.v_cut_change_set_affected_row_observe   TO cutter_ro;
GRANT SELECT ON cutter_governance.v_decision_backlog_dependency_observe   TO cutter_ro;
GRANT SELECT ON cutter_governance.v_decision_backlog_entry_observe        TO cutter_ro;
GRANT SELECT ON cutter_governance.v_decision_backlog_history_observe      TO cutter_ro;
GRANT SELECT ON cutter_governance.v_decision_backlog_sweep_log_observe    TO cutter_ro;
GRANT SELECT ON cutter_governance.v_dot_pair_signature_observe            TO cutter_ro;
GRANT SELECT ON cutter_governance.v_manifest_envelope_observe             TO cutter_ro;
GRANT SELECT ON cutter_governance.v_manifest_unit_block_observe           TO cutter_ro;
GRANT SELECT ON cutter_governance.v_review_decision_observe               TO cutter_ro;
GRANT SELECT ON cutter_governance.v_verify_result_observe                 TO cutter_ro;

COMMIT;

§4 — Object & Privilege Summary

roles_created: 1   (cutter_ro — NOLOGIN, NOSUPERUSER, NOCREATEDB,
                     NOCREATEROLE, NOREPLICATION, NOBYPASSRLS)
views_created: 12  (cutter_governance.v_*_observe — one per base table)
grants: 13  (1 GRANT USAGE ON SCHEMA + 12 GRANT SELECT on views)
base_table_grants: 0   (views only — default posture honored)
write_privileges: 0   (no INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER)
rls / triggers / DEFAULT / CHECK / seed / data: 0
directus_objects_touched: 0
cross_schema_privilege (public / sandbox_tac / directus_*): 0
transaction: single BEGIN…COMMIT; reversible (see rollback-draft doc)

§5 — Non-Scope (this artefact)

executed: NONE (authoring only)
cutter_ro_full: NOT authored/created
login_or_member_binding: NOT included (B-4 deferred)
directus_registration / role / policy / permission: NOT included
existing_directus_app_role_tightening: NOT included (B-5 deferred)
ALTER DEFAULT PRIVILEGES: intentionally EXCLUDED (exact-enumerated grants)
self_advance: PROHIBITED — awaiting GPT review

End of v0.3 read-observability DDL draft (authored; NOT executed).

Back to Knowledge Hub knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-ddl-draft-2026-05-16.sql.md