KB-181A

dot-iu-cutter v0.4 — Credential Dry-Run Artefact Index


document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-dry-run/dot-iu-cutter-v0.4-credential-dry-run-artefact-index-2026-05-16.md
revision: r1
date_executed: 2026-05-17
cycle_date_label: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.4 — credential-cycle DRY-RUN EXECUTION (artefact / sha index)
status: index of dry-run inputs, outputs, checksums, persistence

Provenance & integrity index. The two GPT-accepted SQL artefacts were applied verbatim, byte-identical; their sha256 is the authoritative pin. Password placeholder substitution (doc §2 / CD-6) is the designed apply-time mechanism, not an artefact modification — sha is computed on the placeholder artefact.


§1 — Accepted SQL Artefacts (sha-pinned; UNCHANGED across both runs)

credential_sql_artefact:
  source_doc: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-authoring/dot-iu-cutter-v0.4-credential-dry-run-sql-draft-2026-05-16.sql.md  (§3 fenced block, verbatim incl. §3.5 comment block)
  sha256: 00296107e04fc8cfea536937838f720811ecb2c491eee7a81be614cb0a04d502
  applied: verbatim; only __DRY_RUN_THROWAWAY_EXEC_PW__ / __DRY_RUN_THROWAWAY_VERIFY_PW__
           replaced by in-container minted throwaway passwords (never echoed/persisted)
rollback_sql_artefact:
  source_doc: …/v0.4-credential-authoring/dot-iu-cutter-v0.4-credential-dry-run-rollback-draft-2026-05-16.md  (§2 fenced block, verbatim)
  sha256: fcba5629bb4983ad3b4cf6cf3bfc6b0b4c70d08e0c24a083436078c3981a2b14
  applied: verbatim via psql -f; gated split RB-1..RB-3 | RB-4 evaluate | RB-5 DROP
modification: NONE to either artefact (sha re-confirmed identical run-1 & run-2)

§2 — Per-Run Provenance

run_1:
  work_dir: /opt/incomex/tmp/dieu44_v0_4_cred_dryrun_20260517T014700Z   (VPS)
  dr_sysid: 7640671430959583276
  prod.dump sha256: ebbf33fb3293a902ce1b95fe77e4e1fa79081e8096678017fcb63b9ccd1fb451 (66,278,861 B)
  globals.sql sha256: 0824183432447916deffc99c805fd26e9013a6f6720583c4e1b00271d98a74e1
  outcome: OVERALL=FAIL (6) — 16/16 catalog PASS; 6 fails = HARNESS defects only
           (D-5/D-7/D-7v wrong column names → 42703; rollback heredoc clobbered
           by `< /dev/null`, RB-4 fail-safe correctly blocked DROP). No real leak.
run_2 (authoritative):
  work_dir: /opt/incomex/tmp/dieu44_v0_4_cred_dryrun_20260517T015259Z   (VPS)
  dr_sysid: 7640672946682011694
  prod.dump sha256: a296702a912aab1b61b3d7d472a209963fa3f9441407cb2a0a4b8de7a04115a7 (66,278,854 B)
  globals.sql sha256: 9e823a04b35afdb5148373e0e3d3c74440def6bad1971f87589c007d2386a6b3
  outcome: OVERALL=PASS — 0 fail / 0 warn (C-01..C-09 all gates PASS)
note: prod.dump differs run-1↔run-2 (fresh pg_dump each run, expected — live
      Directus cluster, tiny byte delta); both read-only; cutter_governance 0 rows both.

§3 — Orchestration Harness (script artefact, scp'd; not sovereign-pinned)

stage_dir (VPS): /opt/incomex/tmp/dieu44_v04_cred_stage/
files:
  dieu44_v04_cred_artefact.sql   sha256 00296107…d502  (= §1 credential pin)
  dieu44_v04_cred_rollback.sql   sha256 fcba5629…2b14  (= §1 rollback pin)
  dieu44_v04_cred_dryrun.sh      orchestrator (run-1 v then corrected run-2 v)
harness_corrections_run1→run2 (HARNESS ONLY; accepted SQL untouched):
  1. deny-probe column names: review_decision 'decision'→'verdict';
     cut_change_set 'id'→'state'  (real columns via prod read-only introspection)
  2. rollback: replaced heredoc-over-stdin (clobbered by `< /dev/null`) with
     sha-gated `psql -f` of the accepted rollback artefact, gated-split
     RB-1..RB-3 / RB-4 evaluate / RB-5 DROP
discipline: feedback_vps_script_artefact (scp+sha256+identity guards+logs, no
  complex inline SSH heredoc); feedback_pg_constraintdef_schema_qualified
  (structural set-equality, no string-compare false-negative).

§4 — Persistence / Destruction

destroyed_at_teardown:
  - dry-run container pg-dry-run-v0.4-credential-2026-05-16 (docker rm -f, both runs)
  - prod.dump, globals.sql, substituted credential SQL  (shred -u)
  - in-container minted throwaway passwords (gone with container; never logged)
persisted_on_vps (no secrets, no dump):
  - {work_dir}/run.log  + {work_dir}/summary.txt   (both run dirs)
  - stage_dir console.out (run-1) / console2.out (run-2)
persisted_in_KB_SSOT (this package, knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-dry-run/):
  - dot-iu-cutter-v0.4-credential-dry-run-execution-report-2026-05-16.md
  - dot-iu-cutter-v0.4-credential-dry-run-verification-results-2026-05-16.md
  - dot-iu-cutter-v0.4-credential-dry-run-artefact-index-2026-05-16.md  (this)
never_persisted: any password value, any pg_dump content, any role hash body

§5 — Identity / Safety Invariants Held

prod_system_identifier: 7611578671664259111  (PRE==POST, both runs; read-only)
dr_system_identifier:   distinct each run (76406714… / 76406729…) ≠ prod
isolation: dry-run container --network none (no prod network path)
protected_dry_run_envs: pg-dry-run-v0.2-p0-2 / v0.2-phase-alpha / hb05 — untouched
no production: role / GRANT / REVOKE / secret / .env / CUT / VERIFY / deploy

End of credential dry-run artefact index.
