dot-iu-cutter v0.4 — Credential Dry-Run Execution Report
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-dry-run/dot-iu-cutter-v0.4-credential-dry-run-execution-report-2026-05-16.md
revision: r1
date_executed: 2026-05-17
cycle_date_label: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (review pending — this report routes the dry-run result in)
phase: v0.4 — credential-cycle DRY-RUN EXECUTION (isolated, non-production)
opened_by: GPT v0.4 credential dry-run AUTHORING review = PASS
(agent_revision_needed=false; isolated credential dry-run execution may open)
+ explicit User dry-run-EXECUTION sovereign prompt.
status: DRY-RUN COMPLETE — OVERALL = PASS (corrected re-run clean)
⛔ DRY-RUN ONLY. No production role/GRANT/REVOKE/secret/.env/CUT/VERIFY/deploy. Production touched read-only for
pg_dump/globals + sysid catalog reads ONLY. All role/grant/probe/rollback strictly inside an ephemeral isolated postgres container, destroyed at teardown. Accepted SQL artefacts were NOT modified (sha-pinned, byte-identical to the GPT-accepted package).
§1 — Outcome
dry_run_status: PASS
fail_count: 0
warn_count: 0
real_privilege_leak_found: false
accepted_sql_modified: false # sha 00296107…d502 unchanged
accepted_rollback_modified: false # sha fcba5629…2b14 unchanged
production_untouched: true # read-only pg_dump + sysid only
runs: 2 (run-1 surfaced harness false-negatives; run-2 corrected = clean PASS)
next: GPT review of this dry-run result package
agent_self_advance: PROHIBITED
§2 — Authorization & Scope
GPT credential dry-run AUTHORING review (reviews/dot-iu-cutter-v0.4-credential-dry-run-authoring-gpt-review-2026-05-16.md) = PASS, opening v0_4_credential_dry_run_execution. Forbidden set (production_role_creation, production_GRANT_REVOKE, secret_creation, .env_edit, runtime_code_production_connection, CUT_VERIFY, deploy, changing accepted SQL without STOP+report) was honored in full. The 6 controlling files were read in full before execution.
§3 — Environment
vps: 38.242.240.89 (vmi3080463)
prod_db_container: postgres (postgres:16, PG 16.13) DB=directus
prod_superuser: workflow_admin (rolsuper; bootstrap role 'postgres' absent in prod)
prod_system_identifier: 7611578671664259111 (PRE == POST, both runs)
dry_run_container: pg-dry-run-v0.4-credential-2026-05-16 (postgres:16, --network none)
protected_envs_untouched: pg-dry-run-v0.2-p0-2-2026-05-16, pg-dry-run-v0.2-phase-alpha-2026-05-16, pg-dry-run-hb05-2026-05-15
§4 — Command Sequence Executed (command-plan C-01..C-10)
| Step | Action | Gate | Result (run-2) |
|---|---|---|---|
| C-01 | Fresh read-only pg_dump -Fc directus + pg_dumpall --globals-only --no-role-passwords; record sha+size; read PRE sysid | G-01 | PASS — sysid 7611578671664259111; dump 66,278,854 B |
| C-02 | Spin ephemeral postgres:16 container, --network none | G-02 | PASS — up + isolated (network=none) |
| C-03 | Restore globals+dump; baseline fidelity; DR_SYSID≠prod | G-03 | PASS — 12 tbl/12 views/19 FK/0 rows/cutter_ro present; DR_SYSID 7640672946682011694 |
| C-04 | Mint throwaway passwords in-container (never echoed); confirm password_encryption=scram-sha-256 | G-04 | PASS |
| C-05 | sha-gate + substitute placeholders + apply accepted credential SQL | G-05 | PASS — artefact sha 00296107…d502; BEGIN/COMMIT rc=0 |
| C-06 | Catalog verification V-01..V-17 (structural aclexplode set-equality) | G-06 | PASS — all 17 + V-13/V-14 before/after equality |
| C-07 | Allow-probes (20) + deny-probes (42) + CONNECTION LIMIT 2 | G-07 | PASS — 20/20 allow, 42/42 deny=42501, 3rd session refused |
| C-08 | Apply sha-pinned rollback artefact (RB-1..RB-3), RB-4 gate, RB-5 DROP; RBV-1..RBV-6 | G-08 | PASS — gate clean, roles dropped, baseline restored, no CASCADE |
| C-09 | Teardown container; re-assert prod sysid POST==PRE; protected envs | G-09 | PASS — sysid unchanged; env gone; protected envs running/untouched |
| C-10 | Write 3 KB result docs | — | this package |
§5 — Two-Run History (transparency: harness false-negative discipline)
Run-1 (work_dir …_20260517T014700Z, OVERALL=FAIL, 6 fails) — all 16 catalog checks PASSED (authoritative structural proof clean: V-06 missing={} extra={}, V-07 exactly 3 col-UPDATE tuples, V-13 cutter_ro 13 grants byte-unchanged). The 6 failures were two harness defects in the orchestration wrapper, not the accepted SQL and not a privilege leak:
- D-5/D-7/D-7v → SQLSTATE 42703 (undefined_column) — the deny-probe SQL guessed column names (decision on review_decision, id on cut_change_set) that do not exist; PostgreSQL raised a parse-time undefined_column before reaching the privilege check. The underlying privilege absence was already proven structurally by V-06/V-07/V-08 (no UPDATE on cut_change_set for either role; review_decision UPDATE only on superseded_by_review_decision_id for cutter_exec). Fix: real column names (verdict, state).
- RB-4 gate not clean / RBV-1 / RBV-2 — the rollback wrapper combined a here-doc with < /dev/null; the /dev/null redirection clobbered the here-doc stdin, so RB-1..RB-3 ran on empty input (no-op). The RB-4 safety gate then correctly refused to DROP roles that still held privileges (fail-safe worked exactly as designed). The accepted rollback artefact itself (fcba5629…2b14) was sound but went unexercised. The ephemeral container was force-destroyed in C-09 regardless → zero residue anywhere; production never touched.
Per the controlling rule “if harness false-negative is suspected: distinguish clearly from real privilege failure; do not mark PASS unless corrected re-run is clean”, the harness (and only the harness) was corrected — accepted SQL/rollback artefacts left byte-identical (sha re-confirmed unchanged) — and the dry-run was re-run on a fresh env.
Run-2 (work_dir …_20260517T015259Z, OVERALL=PASS, 0 fail, 0 warn) — clean across the full C-01..C-09 sequence. Rollback now applied from the sha-pinned artefact (psql -f, no stdin clobber; gated split RB-1..RB-3 → RB-4 evaluate → RB-5 DROP); RB-4 gate members=0 owned=0 residual_priv=0; RBV-1..RBV-6 all PASS.
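Both harness defects from the two-run history, reproduced as an added example in POSIX sh (this is not the report's own wrapper): the here-doc silently clobbered by a trailing < /dev/null beside the file-fed fix, and a probe classifier that separates a real privilege leak (a denied statement succeeds) from a harness false negative (SQLSTATE 42703 raised before the privilege check is ever reached). The REVOKE text is a constructed sample line and cat stands in for psql; no database is needed to run it.

```shell
#!/bin/sh
# Added example (not from the report): the two harness defects of the
# v0.4 credential dry-run run-1, reproduced without psql or a database.

# Defect 1: a here-doc combined with '< /dev/null'. Redirections apply left
# to right, so the last stdin redirection wins and the here-doc body is
# dropped; the command runs on empty input (a silent no-op).
heredoc_clobbered() {
  cat <<'SQL' < /dev/null
REVOKE ALL ON TABLE cut_change_set FROM cutter_exec;
SQL
}

# Fixed form: write the body to a file and feed it as a path argument
# (psql -f style), so no later stdin redirection can clobber it.
heredoc_fixed() {
  tmp=$(mktemp)
  cat >"$tmp" <<'SQL'
REVOKE ALL ON TABLE cut_change_set FROM cutter_exec;
SQL
  cat "$tmp"        # stands in for: psql -f "$tmp"
  rm -f "$tmp"
}

# Defect 2: a deny-probe must fail for the right reason. Classify one probe
# by expected outcome (allow|deny) and observed SQLSTATE ('' = succeeded).
# 42501 = insufficient_privilege (the check fired); 42703 = undefined_column
# (parse-time error, privilege check never reached -> harness defect).
classify_probe() {
  expected=$1; sqlstate=$2
  case "$expected:$sqlstate" in
    allow:)        echo PASS ;;                # allowed statement succeeded
    allow:42501)   echo FAIL_MISSING_GRANT ;;  # matrix privilege not granted
    deny:42501)    echo PASS ;;                # denied by the privilege check
    deny:)         echo FAIL_PRIVILEGE_LEAK ;; # denied statement succeeded
    *:42703)       echo HARNESS_DEFECT ;;      # probe SQL itself is wrong
    *)             echo UNCLASSIFIED ;;
  esac
}
```

Only a corrected re-run in which every probe classifies as PASS (and none as HARNESS_DEFECT) supports an overall PASS, which is the rule the report applied between run-1 and run-2.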
§6 — Privilege Conclusion
The granted privilege set in the isolated env is EXACTLY the GPT-accepted least-privilege matrix — structurally (aclexplode symmetric difference = ∅) and behaviourally (every allow succeeds, every deny is SQLSTATE 42501, connection-limit 2 enforced). cutter_ro is byte-identical before/after; Directus (164/1173/9/8/9) and RLS (0) unchanged; no ownership, no membership, no GRANT OPTION, no out-of-schema/observe-view/alias grant, no destructive privilege. Rollback is exact-inverse, gated, no-CASCADE, and restores baseline. No real privilege leak exists.
§7 — Production-Untouched Confirmation
prod_writes: NONE
prod_contact: read-only pg_dump + pg_dumpall + pg_control_system() sysid reads only
prod_sysid_pre: 7611578671664259111
prod_sysid_post: 7611578671664259111 (== PRE, both runs)
prod_role/grant/secret/.env/CUT/VERIFY/deploy: NONE
ephemeral_env: created --network none, destroyed at C-09 (docker rm -f)
sensitive_artefacts (prod.dump, globals.sql, substituted SQL): shredded post-run
persisted_on_vps: run.log + summary.txt only (no secrets, no dump)
protected_dry_run_envs: untouched (still running)
§8 — Open Blockers (unchanged; none satisfied/introduced by this cycle)
B-1 GPT PASS of THIS credential dry-run result package. OPEN
B-2 separate real-DB-adapter design cycle satisfying this matrix. OPEN
B-3 command-review package + sovereign prompt for prod credential chain. OPEN
B-4 secret substrate (CD-4 = VPS .env) operationalised — no secret yet. OPEN
production_credential_execution: STILL BLOCKED
§9 — Next Recommended Step
GPT review of this dry-run result package (this report + verification-results + artefact-index). Production credential creation remains forbidden. Self-advance PROHIBITED.
End of credential dry-run execution report (dry-run only; production untouched; OVERALL=PASS; next = GPT review; self-advance PROHIBITED).