KB-6EA2
dot-iu-cutter v0.3 — Read-Observability Inventory (12 base tables + 12 observe views) (2026-05-16)
tags: dot-iu-cutter, dieu44, v0.3, read-observability, inventory, cutter_governance, closeout
dot-iu-cutter v0.3 — Read-Observability Inventory
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.3-execution/dot-iu-cutter-v0.3-read-observability-inventory-2026-05-16.md
revision: r1
date: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.3 — CLOSEOUT inventory (read-only production introspection)
source: live production (container postgres / db directus / sysid 7611578671664259111), read-only @ 2026-05-16T23:33Z UTC
schema: cutter_governance | base_tables: 12 | observe_views: 12 | total_rows: 0
Read-only catalog snapshot of the LIVE v0.3 read-observability layer. No mutation performed to produce this inventory.
§1 — 12 Base Tables (unchanged from v0.2; LIVE)
| # | Base table | Source phase | Cols | Rows | Primary Key |
|---|---|---|---|---|---|
| 1 | decision_backlog_entry | v0.1 | 6 | 0 | (entry_id) |
| 2 | dot_pair_signature | v0.1 | 16 | 0 | (signature_id) |
| 3 | cut_change_set | v0.1 | 24 | 0 | (change_set_id) |
| 4 | cut_change_set_affected_row | v0.1 | 8 | 0 | (affected_row_id) |
| 5 | verify_result | v0.1 | 26 | 0 | (verify_result_id) |
| 6 | canonical_address_alias | Phase α | 9 | 0 | (alias_id) |
| 7 | manifest_envelope | P0-2 | 12 | 0 | (envelope_id) |
| 8 | manifest_unit_block | P0-2 | 13 | 0 | (envelope_id, unit_local_id) |
| 9 | review_decision | P0-6 | 25 | 0 | (review_decision_id) |
| 10 | decision_backlog_history | P0-5-rem | 9 | 0 | (history_id) |
| 11 | decision_backlog_dependency | P0-5-rem | 6 | 0 | (dependency_id) |
| 12 | decision_backlog_sweep_log | P0-5-rem | 10 | 0 | (sweep_id) |
base_table_count: 12 PK: 12 FK: 19 (in-schema; 0 cross-schema)
all_base_tables_rows: 0
base_tables_unchanged_by_v0_3: true (v0.3 added NO base-table object;
per-table column counts == v0.2 inventory)
§2 — 12 Observe Views (NEW in v0.3; LIVE)
| # | View (cutter_governance.<name>) | Over base table | Visible cols |
|---|---|---|---|
| 1 | v_canonical_address_alias_observe | canonical_address_alias | 7 |
| 2 | v_cut_change_set_observe | cut_change_set | 19 |
| 3 | v_cut_change_set_affected_row_observe | cut_change_set_affected_row | 6 |
| 4 | v_decision_backlog_dependency_observe | decision_backlog_dependency | 6 |
| 5 | v_decision_backlog_entry_observe | decision_backlog_entry | 4 |
| 6 | v_decision_backlog_history_observe | decision_backlog_history | 7 |
| 7 | v_decision_backlog_sweep_log_observe | decision_backlog_sweep_log | 9 |
| 8 | v_dot_pair_signature_observe | dot_pair_signature | 11 |
| 9 | v_manifest_envelope_observe | manifest_envelope | 11 |
| 10 | v_manifest_unit_block_observe | manifest_unit_block | 9 |
| 11 | v_review_decision_observe | review_decision | 22 |
| 12 | v_verify_result_observe | verify_result | 23 |
observe_view_count: 12 (exactly one per base table)
rows_each: 0 (base tables empty)
§3 — Visible / Redacted Column Counts
per_view_visible_columns: [7,19,6,6,4,7,9,11,11,9,22,23]
total_visible_columns: 134
total_redacted_columns: 30
(absent from every view by construction; information_schema.columns
confirms 0 redacted columns present; pg_get_viewdef scan = 0 leak of
any of the 15 sensitive base column names)
redaction_mechanism: column projection in the view definition
(redacted base columns are simply not selected; no masking function)
§4 — cutter_ro Privileges (LIVE)
role: cutter_ro — NOLOGIN group role, 0 memberships
(NOSUPERUSER, NOCREATEROLE, NOCREATEDB, NOREPLICATION, NOBYPASSRLS)
schema: USAGE on cutter_governance = GRANTED (has_schema_privilege=t)
views: SELECT on each of the 12 v_*_observe views = GRANTED (12/12)
base_tab: SELECT on cutter_governance base tables = 0 (NONE — views-only)
writes: INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER = 0 (NONE)
total_grants_to_cutter_ro: 13 (1 schema USAGE + 12 view SELECT)
public_schema_USAGE: inherited (PostgreSQL cluster default for ALL roles;
NOT v0.3-introduced; grants no object/data privilege — v0.3 created no
object in schema `public`; NOTE only, not revoked — carry note N-1)
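An audit script that re-runs the §3 and §4 checks, added here as an example; it is not the script the inventory run used. It issues only catalog SELECTs, assumes the cutter_governance schema and the cutter_ro role exist as listed above, and uses a placeholder for the sensitive column names, which this inventory does not list.

```sql
-- Added audit script, not part of the inventory run. Read-only catalog SELECTs.
-- Assumes the cutter_governance schema and the cutter_ro role exist as in §1-§4.

-- 1. Role attributes: expect rolcanlogin = f and every elevated flag = f.
SELECT rolname, rolcanlogin, rolsuper, rolcreaterole, rolcreatedb,
       rolreplication, rolbypassrls
FROM pg_roles WHERE rolname = 'cutter_ro';

-- 2. Privilege matrix: v_*_observe views should show can_select = t and all
--    write flags = f; base tables (relkind 'r') should show f across the row.
SELECT c.relname, c.relkind,
       has_table_privilege('cutter_ro', c.oid, 'SELECT')   AS can_select,
       has_table_privilege('cutter_ro', c.oid, 'INSERT')   AS can_insert,
       has_table_privilege('cutter_ro', c.oid, 'UPDATE')   AS can_update,
       has_table_privilege('cutter_ro', c.oid, 'DELETE')   AS can_delete,
       has_table_privilege('cutter_ro', c.oid, 'TRUNCATE') AS can_truncate
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'cutter_governance' AND c.relkind IN ('r', 'v')
ORDER BY c.relkind, c.relname;

-- 3. Verdict row: any base table holding ANY privilege for cutter_ro is a
--    finding against the views-only model (expect 0).
SELECT count(*) AS base_tables_with_any_privilege
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'cutter_governance' AND c.relkind = 'r'
  AND has_table_privilege('cutter_ro', c.oid,
        'SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER');

-- 4. Redaction check: per view, visible vs. redacted column count against its
--    base table (inventory totals: 134 visible, 30 redacted). The base table
--    name is derived by stripping the 'v_' prefix and '_observe' suffix.
SELECT v.table_name AS view_name,
       count(v.column_name) AS visible_cols,
       (SELECT count(*) FROM information_schema.columns b
         WHERE b.table_schema = 'cutter_governance'
           AND b.table_name = substr(v.table_name, 3, length(v.table_name) - 10))
         - count(v.column_name) AS redacted_cols
FROM information_schema.columns v
WHERE v.table_schema = 'cutter_governance' AND v.table_name LIKE 'v\_%\_observe'
GROUP BY v.table_name ORDER BY v.table_name;

-- 5. Leak scan: no observe view may reference a sensitive base column by name
--    anywhere in its definition (expect 0 rows).
--    PLACEHOLDER list; substitute the real 15 names before running.
SELECT c.relname, s.col
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN unnest(ARRAY['sensitive_col_placeholder_1', 'sensitive_col_placeholder_2']) AS s(col)
WHERE n.nspname = 'cutter_governance' AND c.relkind = 'v'
  AND pg_get_viewdef(c.oid) ~* ('\m' || s.col || '\M');
```

Step 5 matches whole words only, so a sensitive name that is a substring of a benign column name does not produce a false positive; run the script as a role that can read the catalogs, not as cutter_ro.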
§5 — Directus State (UNCHANGED by v0.3)
directus_collections: 164 (== v0.2/C-04 baseline)
directus_permissions: 1173 (== baseline)
directus_roles: 9 (== baseline)
directus_policies: 8 (== baseline)
directus_access: 9 (== baseline)
verdict: Directus authz UNCHANGED — v0.3 made no collection/role/policy/
permission/access creation or edit. The cutter_governance tables & views
remain UNregistered in Directus (invisible to the Directus API by design;
PG is the control plane for the read layer — MODEL-C, Directus
registration deferred).
§6 — RLS State (UNCHANGED by v0.3)
cutter_governance_tables_with_relrowsecurity: 0
verdict: RLS UNCHANGED — no RLS created / enabled / disabled / policy on any
cutter_governance object. v0.3 isolation is achieved purely via the
views-only grant model (no base-table grant), not via RLS.
§7 — Notes for Future Login / Member Binding (informational; NOT authorized)
- cutter_ro is intentionally NOLOGIN with 0 memberships (B-4 deferred). To
make the read layer consumable by a service, a SEPARATE authorized
workstream must either: (a) create a LOGIN role and GRANT cutter_ro to it,
or (b) ALTER cutter_ro WITH LOGIN PASSWORD (less preferred — group roles
should stay NOLOGIN). Neither is authorized here.
- Binding design must decide credential custody (PG password vs Directus app
role reuse) — see the Tier 2 routing note (credential strategy area).
- The 12 views are owned by workflow_admin (security_invoker=false): a
consumer needs ONLY the 12 view SELECT grants — no base-table privilege.
Any future LOGIN principal must inherit cutter_ro, NOT receive base grants.
- Redaction is structural (column projection). Adding a column to a base
table does NOT auto-expose it; the view must be re-authored (a future
authorized DDL cycle) to surface or redact new columns.
- Directus registration of the cutter_governance read layer remains deferred
(MODEL-C). If UI/API exposure is later wanted, that is a distinct
design→review→execution chain (Directus collection metadata + read policy).
- All base tables are empty; first writes must come through the authorized
cutter-agent write path (Tier 2), never ad-hoc INSERT.
End of v0.3 read-observability inventory.