KB-6F2C
dot-iu-cutter v0.4 — Credential-Cycle Design Master
tags: dot-iu-cutter, v0.4, credential-design, dieu44, design-only
dot-iu-cutter v0.4 — Credential-Cycle Design (MASTER)
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-design/dot-iu-cutter-v0.4-credential-cycle-design-master-2026-05-16.md
revision: r1
date_authored: 2026-05-17
cycle_date_label: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (design review pending — this package routes in)
phase: v0.4 — Tier 2 CREDENTIAL-CYCLE DESIGN (master / index)
authorization: GPT v0.4 cutter-agent FINAL CODE REVIEW = PASS (commit 689e53e,
defects none, revision false) + explicit User credential-cycle-design prompt.
DESIGN ONLY.
status: design_only_pending_gpt_review
⛔ DESIGN ONLY. NO role created. NO credential/secret minted. NO GRANT/REVOKE. NO
.env edit. NO production DB connection. NO DB dry-run executed. NO CUT/VERIFY. NO code modification. NO deploy. NO self-advance. Every principal, privilege, and secret named here is a target for a SEPARATE, explicitly-authorized, GPT-gated credential cycle.
§1 — Why This Cycle Exists
trigger: v0.4 cutter-agent skeleton (commit 689e53e) GPT-PASSed; the code
hard-refuses production (ProductionDBAdapter raises on construct, no DSN/
env/secret access, in-memory only). The real DB adapter and any PG-backed
dry-run CANNOT be planned safely until the writer-principal / privilege /
secret model is designed and GPT-reviewed.
this_cycle_output: a writer-principal + privilege + secret-custody + dry-run
+ rollback specification. NOTHING is created or executed.
gate_chain (from final code review §6):
code_authoring_cycle ............... closed_PASS (done)
credential_cycle_design ............ THIS CYCLE (design only)
credential_creation_execution ...... still_blocked (separate, GPT-gated)
real_DB_adapter_authoring .......... blocked until credential strategy PASS
production_dry_run ................. still_blocked
production_CUT_VERIFY .............. still_blocked
§2 — Document Set (this package)
1 master ........... this file — index, recommendation rollup, gate state
2 cutter_exec ....... cutter_exec principal design (MARK/REVIEW/CUT, DOT-991)
3 cutter_verify ..... cutter_verify principal design (VERIFY, DOT-992)
4 privilege_matrix .. 2 principals × 12 tables × {SELECT/INSERT/UPDATE(col)},
append-only invariant, no-DELETE/DDL/GRANT enforcement
5 secret_custody .... storage substrate, rotation, revocation, audit, e-stop
6 dry_run_plan ...... isolated-env role creation + allow/deny probe matrix
7 risk_and_rollback . risk class, REVOKE→DROP gates, no-CASCADE, no base touch
8 report ............ routing report → GPT review (paths, revisions, blockers)
all_revisions: r1
upload_target_prefix: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-design/
§3 — Recommended Credential Model (rollup)
principal_count: TWO (OD-3 option B — restated & re-recommended)
cutter_exec LOGIN, least-privilege, DOT-991 executor lane,
drives MARK / sweep / REVIEW-persistence / CUT
cutter_verify LOGIN, least-privilege, DOT-992 verifier lane,
drives VERIFY (+ compensating cut + escalation on failure)
cutter_ro UNCHANGED from v0.3 — NOLOGIN, 0 memberships, SELECT-only on
12 observe views; NEVER on any write path
rejected_for_runtime_writes: workflow_admin, directus (app role), postgres
(superuser) — privilege blast radius + audit ambiguity (P-6).
role_attributes (both writers, TARGET — not created here):
LOGIN, NOSUPERUSER, NOCREATEDB, NOCREATEROLE, NOREPLICATION,
NOBYPASSRLS, INHERIT irrelevant (no group membership), CONNECTION LIMIT
bounded (value = open decision CD-9), scram-sha-256 password auth. Note for
the execution cycle: the stored hash method is fixed at the moment the
password is set, so password_encryption must be scram-sha-256 when the
secret is minted, and the writers' pg_hba.conf lines should use method
scram-sha-256 rather than md5.
separation_of_duty: enforced at THREE layers —
(a) DB identity: distinct PG roles, distinct passwords;
(b) process: distinct secret keys, executor process cannot read verifier
secret and vice-versa (SC-3);
(c) crypto/code: DOT-991 vs DOT-992 distinct signing identities
(G-VERIFY-SOD; D-3 from the strategy design).
secret_substrate (recommended): VPS-side env file, established
/opt/incomex/docker/.env convention, two SEPARATE keys; GCP Secret
Manager kept as open decision CD-4 pending an availability check in a
later authorized step (NOT probed in this design cycle).
§4 — Recommended Privilege Posture (rollup; full matrix = doc 4)
shape: per-table, per-operation least privilege, scoped strictly to schema
cutter_governance. Each writer gets exactly: SELECT only on the tables it
must read for guards/idempotency/lineage; INSERT only on the tables it
appends to; column-scoped UPDATE only on the two append-only stamp/state
columns it owns. Nothing else.
the_only_two_UPDATEs_in_the_system:
- decision_backlog_entry.status (state-machine CAS transition)
- review_decision.superseded_by_review_decision_id (write-once forward
lineage stamp; OD-5)
append_only_enforcement (recommended): column-level UPDATE GRANT
(GRANT UPDATE (status) ... / GRANT UPDATE (superseded_by_review_decision_id)
...) so the DB itself denies any UPDATE to any other column — defense in
depth ON TOP OF the code state-machine + write-once ledger. The grant does
not make the column write-once (a second UPDATE of the same column is still
allowed at the DB layer); that invariant stays app-enforced. An UPDATE also
needs SELECT on every column its WHERE/SET expressions read, which the
per-table SELECT grants above already cover. No CHECK / no trigger / no
DEFAULT is added (consistent with BATCH-1: invariants stay app/agent-enforced;
the column-level grant is an access control, not a data constraint). This is
open decision CD-1.
hard_denials (both principals, all 12 tables): NO DELETE, NO TRUNCATE,
NO REFERENCES, NO TRIGGER, NO DDL, NO GRANT/REVOKE, NO ownership,
NO ALTER DEFAULT PRIVILEGES, NO privilege on schema public or any
non-cutter_governance object, NO base-table or view privilege belonging
to cutter_ro.
canonical_address_alias: NO ACCESS for either writer in v0.4 (OD-2 alias
fully deferred; the Stub is alias-free; no grant of any kind).
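The shape described in §3 and §4 (role attributes, per-table SELECT/INSERT, one column-scoped UPDATE per lane, hard denials) and the doc-6 allow/deny probe pattern, written out as an added illustration. This is not the project's scripts and nothing here was executed in this cycle; it is the kind of script the separately gated isolated dry-run (doc 6) would run. Assumed for illustration only: the id/summary/verdict/backlog_entry_id columns and their types, the `MARKED`/`REVIEWED` status values, and CONNECTION LIMIT 2 (CD-9 is open). Everything runs inside one transaction and ends with ROLLBACK, so even on an isolated instance no role, grant, table or row persists.

```sql
-- Added illustration (not the project's scripts; nothing here was executed).
-- Run ONLY against an isolated PostgreSQL instance as its superuser:
--   psql -v ON_ERROR_STOP=1 -f this_file.sql
-- Assumed names: id/summary/verdict/backlog_entry_id columns, status values, CONNECTION LIMIT 2.
BEGIN;

CREATE SCHEMA IF NOT EXISTS cutter_governance;
-- Stand-ins for two of the twelve tables. No CHECK/trigger/DEFAULT on the stamp
-- columns: the state machine and write-once rule stay app-enforced (§4).
CREATE TABLE cutter_governance.decision_backlog_entry (
    id      bigint PRIMARY KEY,
    summary text   NOT NULL,
    status  text   NOT NULL
);
CREATE TABLE cutter_governance.review_decision (
    id                               bigint PRIMARY KEY,
    backlog_entry_id                 bigint NOT NULL REFERENCES cutter_governance.decision_backlog_entry,
    verdict                          text   NOT NULL,
    superseded_by_review_decision_id bigint
);

-- Target role attributes (§3). PASSWORD NULL: this dry run mints no secret; the real
-- cycle sets the password through the secret-custody path (doc 5), never inline.
CREATE ROLE cutter_exec   LOGIN PASSWORD NULL NOSUPERUSER NOCREATEDB NOCREATEROLE
                          NOREPLICATION NOBYPASSRLS CONNECTION LIMIT 2;
CREATE ROLE cutter_verify LOGIN PASSWORD NULL NOSUPERUSER NOCREATEDB NOCREATEROLE
                          NOREPLICATION NOBYPASSRLS CONNECTION LIMIT 2;

-- Grant shape (§4): schema USAGE, SELECT/INSERT on the tables each lane appends to,
-- UPDATE on exactly one column per lane. Nothing else is granted.
GRANT USAGE ON SCHEMA cutter_governance TO cutter_exec, cutter_verify;
GRANT SELECT, INSERT  ON cutter_governance.decision_backlog_entry TO cutter_exec;
GRANT SELECT, INSERT  ON cutter_governance.review_decision        TO cutter_exec;
GRANT UPDATE (status) ON cutter_governance.decision_backlog_entry TO cutter_exec;
GRANT SELECT          ON cutter_governance.decision_backlog_entry TO cutter_verify;
GRANT SELECT, INSERT  ON cutter_governance.review_decision        TO cutter_verify;
GRANT UPDATE (superseded_by_review_decision_id)
      ON cutter_governance.review_decision TO cutter_verify;

-- One seed row (as owner) so the deny probes below have something to hit.
INSERT INTO cutter_governance.decision_backlog_entry VALUES (1, 'probe entry', 'MARKED');

-- Catalog-level allow/deny matrix for both lanes, checked before any live statement.
-- Column-scoped UPDATE is probed with has_column_privilege; has_table_privilege would
-- report false for a grant that covers only one column.
DO $$
DECLARE r text; t text; p text; col text; want boolean; got boolean;
BEGIN
    FOR r, t, p, col, want IN SELECT * FROM (VALUES
        ('cutter_exec',   'cutter_governance.decision_backlog_entry', 'INSERT',   NULL,      true),
        ('cutter_exec',   'cutter_governance.decision_backlog_entry', 'UPDATE',   'status',  true),
        ('cutter_exec',   'cutter_governance.decision_backlog_entry', 'UPDATE',   'summary', false),
        ('cutter_exec',   'cutter_governance.decision_backlog_entry', 'DELETE',   NULL,      false),
        ('cutter_exec',   'cutter_governance.review_decision', 'UPDATE', 'superseded_by_review_decision_id', false),
        ('cutter_verify', 'cutter_governance.review_decision', 'UPDATE', 'superseded_by_review_decision_id', true),
        ('cutter_verify', 'cutter_governance.decision_backlog_entry', 'UPDATE',   'status',  false),
        ('cutter_verify', 'cutter_governance.decision_backlog_entry', 'INSERT',   NULL,      false),
        ('cutter_verify', 'cutter_governance.review_decision',        'TRUNCATE', NULL,      false)
    ) AS m(r, t, p, col, want)
    LOOP
        got := CASE WHEN col IS NULL THEN has_table_privilege(r, t, p)
                                     ELSE has_column_privilege(r, t, col, p) END;
        IF got IS DISTINCT FROM want THEN
            RAISE EXCEPTION 'matrix mismatch: % % % % expected % got %', r, t, p, col, want, got;
        END IF;
    END LOOP;
END $$;

-- Live probes as the executor lane. SET LOCAL ROLE needs no password and ends with the tx.
SET LOCAL ROLE cutter_exec;
UPDATE cutter_governance.decision_backlog_entry                 -- ALLOW: CAS state transition
   SET status = 'REVIEWED' WHERE id = 1 AND status = 'MARKED';
DO $$                                                           -- DENY: column outside the grant
BEGIN
    UPDATE cutter_governance.decision_backlog_entry SET summary = 'tampered' WHERE id = 1;
    RAISE EXCEPTION 'DENY probe failed: UPDATE(summary) was allowed';
EXCEPTION WHEN insufficient_privilege THEN RAISE NOTICE 'deny ok: %', SQLERRM;
END $$;
DO $$                                                           -- DENY: no DELETE anywhere
BEGIN
    DELETE FROM cutter_governance.decision_backlog_entry WHERE id = 1;
    RAISE EXCEPTION 'DENY probe failed: DELETE was allowed';
EXCEPTION WHEN insufficient_privilege THEN RAISE NOTICE 'deny ok: %', SQLERRM;
END $$;

ROLLBACK;   -- nothing persists: roles, grants, tables and probe rows are all discarded
```

A deny probe that unexpectedly succeeds raises a P0001 error that the `insufficient_privilege` handler does not catch, so with ON_ERROR_STOP the script stops on the first matrix violation and the transaction is aborted rather than committed. The real execution cycle would differ from this only in where the password comes from (doc 5) and in the absence of the final ROLLBACK.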
§5 — Risk Class
this_design_cycle_risk: NONE-to-PRODUCTION (read-only file authoring +
Agent Data upload; zero DB/role/secret/.env touch).
future_credential_execution_risk (assessed, for the SEPARATE cycle):
STANDARD — consistent with prior dieu44 cycles. It creates 2 LOGIN roles
+ a bounded enumerated grant set in an empty schema, mintable/revocable,
no DDL on data objects, no superuser, no RLS change and no RLS bypass.
Elevated vs a pure read cycle (it introduces write-capable identities) but
bounded, reversible, and gated. NOT high-risk PROVIDED the dry-run (doc 6)
proves the allow/deny matrix before any production role exists.
§6 — Blockers Before Any Credential EXECUTION
B-1 GPT review PASS of THIS design package (all 8 docs).
B-2 Real-DB-adapter design cycle (separate; defines exactly which
SELECT/INSERT/UPDATE calls the adapter issues per phase — the privilege
matrix here is the contract that design must satisfy / may refine).
B-3 Resolution of open decisions CD-1..CD-9 by GPT (doc 4 / doc 8).
B-4 Secret-substrate decision CD-4 settled (VPS .env vs GCP SM) + an
availability check performed in a later AUTHORIZED step (not now).
B-5 Successful ISOLATED dry-run of role creation + allow/deny probe matrix
(doc 6) with GPT PASS — NO production role before this.
B-6 Explicit sovereign prompt + GPT command-review for the credential
execution chain itself (mirrors the v0.2/v0.3 design→review→cmd-review
→execution discipline).
none_of_B-1..B-6_is_satisfied_by_this_cycle.
§7 — Hard Boundaries Honored By This Cycle
role_creation: NONE
GRANT/REVOKE: NONE
secret_creation: NONE
env_file_touched: NONE
production_DB_connection: NONE
DB_dry_run_executed: NONE
code_modified: NONE
deploy: NONE
CUT_or_VERIFY: NONE
cutter_ro_changed: NONE
Directus/RLS_changed: NONE
sysid/prod_DB_contacted: NONE
output_of_this_cycle: 8 design documents (this package) only.
§8 — Status
v0_4_credential_cycle_design: AUTHORED (8 docs r1)
ready_for_gpt_review: TRUE
ready_for_credential_creation: FALSE (B-1..B-6 all open)
the_only_next_thing: GPT review of this design package
agent_self_advance: PROHIBITED
End of v0.4 credential-cycle design master (design only; no credential created; ready for GPT review; self-advance PROHIBITED).