KB-41C2

dot-iu-cutter v0.3 — Read-Observability Rollback Draft (2026-05-16)

Tags: dot-iu-cutter, dieu44, v0.3, ddl-authoring, rollback-draft, design-only

document_path: knowledge/dev/laws/dieu44-trien-khai/v0.3-ddl-authoring/dot-iu-cutter-v0.3-read-observability-rollback-draft-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.3 — DDL AUTHORING (rollback draft; authoring only — NOT executed)
status: authored_for_gpt_review

⛔ AUTHORING ONLY. This rollback is the exact reverse of the DDL draft, to be used ONLY on a TRUE post-execution verification failure (not a string-prefix false-negative) or an explicit prompt, within an authorized chain.


§1 — Rollback Order & Rationale

order: REVOKE grants → DROP 12 views → DROP ROLE cutter_ro (only if no members)
why: revoke before drop so privileges are cleanly removed; drop views before
  role so no dependency on the role; drop role last and only if memberless
  (B-4 deferred member binding ⇒ expected memberless).
no_CASCADE: plain DROP VIEW / DROP ROLE — NO CASCADE. The views have no
  dependents (nothing was built on them in v0.3); CASCADE is NOT justified and
  is explicitly NOT used. If an unexpected dependent appears → STOP/ESCALATE,
  do not force CASCADE.
never: DROP/ALTER any of the 12 base tables; touch Directus; disable/enable
  RLS; drop public/sandbox_tac objects.

§2 — Canonical Rollback SQL (proposed; r1)

-- dot-iu-cutter v0.3 read-observability ROLLBACK — reverse of the DDL draft.
-- AUTHORING ONLY. Single transaction. NO CASCADE. Base tables/Directus untouched.
BEGIN;

-- 1) Revoke privileges (repeatable while the views and cutter_ro exist; REVOKE has
--    no IF EXISTS, so a missing view or role raises an error and aborts the transaction)
REVOKE SELECT ON cutter_governance.v_canonical_address_alias_observe       FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_cut_change_set_observe                FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_cut_change_set_affected_row_observe   FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_decision_backlog_dependency_observe   FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_decision_backlog_entry_observe        FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_decision_backlog_history_observe      FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_decision_backlog_sweep_log_observe    FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_dot_pair_signature_observe            FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_manifest_envelope_observe             FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_manifest_unit_block_observe           FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_review_decision_observe               FROM cutter_ro;
REVOKE SELECT ON cutter_governance.v_verify_result_observe                 FROM cutter_ro;
REVOKE USAGE ON SCHEMA cutter_governance FROM cutter_ro;

-- 2) Drop the 12 views (NO CASCADE)
DROP VIEW IF EXISTS cutter_governance.v_canonical_address_alias_observe;
DROP VIEW IF EXISTS cutter_governance.v_cut_change_set_observe;
DROP VIEW IF EXISTS cutter_governance.v_cut_change_set_affected_row_observe;
DROP VIEW IF EXISTS cutter_governance.v_decision_backlog_dependency_observe;
DROP VIEW IF EXISTS cutter_governance.v_decision_backlog_entry_observe;
DROP VIEW IF EXISTS cutter_governance.v_decision_backlog_history_observe;
DROP VIEW IF EXISTS cutter_governance.v_decision_backlog_sweep_log_observe;
DROP VIEW IF EXISTS cutter_governance.v_dot_pair_signature_observe;
DROP VIEW IF EXISTS cutter_governance.v_manifest_envelope_observe;
DROP VIEW IF EXISTS cutter_governance.v_manifest_unit_block_observe;
DROP VIEW IF EXISTS cutter_governance.v_review_decision_observe;
DROP VIEW IF EXISTS cutter_governance.v_verify_result_observe;

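-- 3) Drop the role ONLY if it owns nothing and has no members
--    (B-4: no member binding created in v0.3 ⇒ expected memberless).
--    If members exist → DO NOT DROP; STOP/ESCALATE.
--    DROP ROLE does not check this itself: it silently revokes memberships,
--    so the §4 pre_drop_role_check must pass before this statement runs.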
DROP ROLE IF EXISTS cutter_ro;

COMMIT;

§3 — Post-Rollback Expected State (== pre-v0.3 baseline)

cutter_ro: absent
v_*_observe views: 0
grants from v0.3: none
cutter_governance base tables: 12, 0 rows, unchanged (PK 12 / FK 19)
RLS: still disabled on all cg tables
Directus: collections/roles/policies/permissions unchanged (0 cg collections)
prod system_identifier: 7611578671664259111 (unchanged)
data: zero rows written or removed (tables were and remain empty)

§4 — Safety Guard Before DROP ROLE (execution-time rule)

pre_drop_role_check:
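  -- (a) roles granted membership in cutter_ro; must be 0
  SELECT count(*) FROM pg_auth_members m JOIN pg_roles r ON r.oid = m.roleid
  WHERE r.rolname = 'cutter_ro';
  -- (b) shared dependencies on cutter_ro (owned objects, remaining ACL entries); must be 0
  SELECT count(*) FROM pg_shdepend d JOIN pg_roles r ON r.oid = d.refobjid
  WHERE d.refclassid = 'pg_authid'::regclass AND r.rolname = 'cutter_ro';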
if_nonzero: skip DROP ROLE, keep views dropped + grants revoked, STOP/ESCALATE
  (scope breach — member binding was deferred, so members should not exist).
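
The pre_drop_role_check and if_nonzero rule above, written as one guarded statement that could stand in for the bare DROP ROLE in step 3. This is an added example, not part of the original draft and not executed; it assumes PostgreSQL and a session permitted to drop roles, and the notice and warning texts are illustrative.

```sql
-- Added example: guarded DROP ROLE for use inside the rollback transaction.
DO $$
DECLARE
  v_role    oid;
  v_members bigint;
  v_deps    bigint;
BEGIN
  SELECT oid INTO v_role FROM pg_roles WHERE rolname = 'cutter_ro';
  IF v_role IS NULL THEN
    RAISE NOTICE 'cutter_ro absent; nothing to drop';
    RETURN;
  END IF;

  -- Roles granted membership in cutter_ro (B-4 deferred, so expected 0).
  SELECT count(*) INTO v_members
  FROM pg_auth_members
  WHERE roleid = v_role;

  -- Objects owned by cutter_ro, or ACL entries still naming it, in any database.
  SELECT count(*) INTO v_deps
  FROM pg_shdepend
  WHERE refclassid = 'pg_authid'::regclass
    AND refobjid = v_role;

  IF v_members > 0 OR v_deps > 0 THEN
    -- WARNING rather than EXCEPTION: an exception would abort the transaction
    -- and undo the REVOKEs and DROP VIEWs that if_nonzero says to keep.
    RAISE WARNING 'cutter_ro kept: % member(s), % shared dependencies; STOP/ESCALATE',
      v_members, v_deps;
    RETURN;
  END IF;

  DROP ROLE cutter_ro;
END
$$;
```

Because the block runs after the REVOKE and DROP VIEW statements in the same transaction, the ACL entries created by the v0.3 grants are already gone when pg_shdepend is read; any remaining row is a dependency outside the v0.3 scope.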

§5 — Non-Scope

executed: NONE (rollback authored, not run). No CASCADE. Base tables/Directus/
  RLS never touched. self_advance: PROHIBITED

End of v0.3 read-observability rollback draft.
