dot-iu-cutter v0.3 — Read-Observability DDL Risk-Review Note (STANDARD) (2026-05-16)
dot-iu-cutter v0.3 — Read-Observability DDL Risk-Review Note
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-risk-review-note-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.3 — DDL AUTHORING (risk-review note)
risk_class: STANDARD
status: authored_for_gpt_review
§1 — Risk Classification
risk_class: STANDARD (consistent with the GPT-ratified v0.3 design risk)
surface: PostgreSQL auth/permission layer (role + views + grants); READ-ONLY intent
data_exposure_blast_radius: ZERO NOW — all 12 base tables have 0 rows
reversibility: full — single-txn create; single-txn rollback (DROP views +
REVOKE + DROP ROLE); no CASCADE; no pre-existing object touched
not_LOW_because: introduces a new PG role + grants on shared cluster auth; a
projection error could expose a sensitive column ⇒ must be dry-run proven
not_HIGH_because: empty tables, additive, reversible, read-only, no Directus
change, no base-table grant, no RLS, no data
§2 — Risk Register
R-1 sensitive column leaks through a view:
mitigation: per-spec projection + verification V-09 (catalog absence of all
30 redacted names) + V-11 (pg_get_viewdef secondary scan); dry-run blocks exec
R-2 cutter_ro accidentally gets base-table SELECT (default-priv / typo):
mitigation: NO ALTER DEFAULT PRIVILEGES; grants exactly enumerated (views
only); V-06 asserts false on all 12 base tables
R-3 cutter_ro gets write or escalation:
mitigation: role flags NOLOGIN/NOSUPERUSER/NOCREATEROLE/NOBYPASSRLS (V-02),
no membership (V-03), V-07 (96 write-false assertions)
R-4 collateral change to Directus or RLS:
mitigation: artefact contains no Directus/RLS statements; V-12/V-13 assert
unchanged authz-object counts and zero relrowsecurity
R-5 rollback drops something live (CASCADE / base table):
mitigation: NO CASCADE; DROP VIEW IF EXISTS only on the 12 v_*_observe;
DROP ROLE guarded by memberless/owns-nothing check (rollback §4)
R-6 false-negative verification → needless rollback (P0-6 lesson):
mitigation: catalog/boolean checks (has_*_privilege, pg_roles flags), not
rendered-string equality; rollback only on a TRUE failure
R-7 role name collision (cutter_ro pre-exists):
mitigation: preflight gate PG-G2 aborts before BEGIN if role present
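Worked example of the catalog/boolean check style R-6 calls for (has_*_privilege and pg_roles flags rather than rendered-string equality), written here as an illustration and not taken from the project's own V-01..V-18 scripts. It assumes the objects live in schema public, and the base-table names and redacted column names are constructed placeholders standing in for the 12 tables and 30 names the note refers to.

```sql
-- Constructed example, not the project's V-xx scripts. Assumptions (placeholders):
-- schema 'public', the base-table names and redacted-column names used below.

-- V-02 (R-3): role flags. Expect one row with every flag false.
SELECT rolcanlogin, rolsuper, rolcreaterole, rolbypassrls
FROM   pg_roles
WHERE  rolname = 'cutter_ro';

-- V-06 (R-2): no SELECT on any base table. Expect every row to read false.
SELECT c.relname, has_table_privilege('cutter_ro', c.oid, 'SELECT') AS can_select
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public' AND c.relkind = 'r'
  AND  c.relname IN ('placeholder_table_a', 'placeholder_table_b');  -- 12 in the real run

-- V-07 (R-3): no write privilege on any view or base table. Expect 0 rows.
SELECT c.relname, p.priv
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
CROSS  JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE')) AS p(priv)
WHERE  n.nspname = 'public' AND c.relkind IN ('r', 'v')
  AND  has_table_privilege('cutter_ro', c.oid, p.priv);

-- V-09 (R-1): no redacted name among the columns of any v_*_observe. Expect 0 rows.
SELECT c.relname, a.attname
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_attribute a ON a.attrelid = c.oid AND a.attnum > 0 AND NOT a.attisdropped
WHERE  n.nspname = 'public' AND c.relkind = 'v' AND c.relname LIKE 'v\_%\_observe'
  AND  a.attname IN ('placeholder_secret_col', 'placeholder_token_col');  -- 30 in the real run

-- V-11 (R-1): secondary scan of the rendered view body for the same names. Expect 0 rows.
SELECT c.relname, r.redacted
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
CROSS  JOIN (VALUES ('placeholder_secret_col'), ('placeholder_token_col')) AS r(redacted)
WHERE  n.nspname = 'public' AND c.relkind = 'v' AND c.relname LIKE 'v\_%\_observe'
  AND  pg_get_viewdef(c.oid, true) ~* ('\m' || r.redacted || '\M');

-- V-13 (R-4): RLS still disabled on every base table. Expect 0.
SELECT count(*) FILTER (WHERE c.relrowsecurity) AS rls_enabled_tables
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public' AND c.relkind = 'r';
```

Each query answers with a boolean or a count from the catalog, so a rollback decision keys on a TRUE failure (a true flag, a non-empty result, a non-zero count) rather than on how a definition happened to be rendered.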
§3 — Execution Gating (still required after this authoring)
this_step: DDL AUTHORING ONLY — nothing executed
remaining_gates_before_production:
1. GPT review PASS of this 6-doc DDL-authoring package
2. dry-run on an ephemeral isolated env (restore v0.2 backup sha a432a86e…;
postgres:16; no published port; sysid ≠ prod) running V-01..V-18 + rollback
rehearsal; PASS
3. GPT dry-run review PASS
4. production command-review package authored → GPT command-review PASS
5. explicit User production-execution prompt + separate execution session
agent_self_advance: PROHIBITED at every boundary
§4 — Residual / Deferred (documented, not in v0.3)
- B-4 login/member binding for cutter_ro (who actually connects) — deferred
- B-5 tightening the existing broad `directus` app-role SELECT — separate,
higher-risk workstream (NOT bundled)
- B-3 dedicated read-audit (pgaudit/logging view) — not in v0.3; rely on
existing PG logs
- Directus field-permission redaction / collection registration — deferred
(B-6 chose PG views for v0.3)
§5 — Non-Scope
executed: NONE. self_advance: PROHIBITED — awaiting GPT review.
End of v0.3 read-observability DDL risk-review note (STANDARD).