KB-6E91

dot-iu-cutter v0.4 — Credential Dry-Run Verification Results


document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-dry-run/dot-iu-cutter-v0.4-credential-dry-run-verification-results-2026-05-16.md
revision: r1
date_executed: 2026-05-17
cycle_date_label: 2026-05-16
author: Agent (Claude Code CLI, Opus 4.7 1M)
phase: v0.4 — credential-cycle DRY-RUN EXECUTION (evidence)
status: ALL PASS (run-2, corrected harness; accepted SQL byte-identical)

Structural assertions are aclexplode() set-equality checks (symmetric difference = ∅), never compares of rendered ACL strings; this carries the P0-6/P0-5 lesson, where a pg_get_constraintdef() schema-qualifier difference produced a false negative under string compare. Results below are from the clean corrected re-run (env pg-dry-run-v0.4-credential-2026-05-16, DR_SYSID 7640672946682011694, work_dir …_20260517T015259Z).


§1 — Catalog Checks (verification-plan §2)

| ID | Check | Result | Evidence |
|---|---|---|---|
| V-01 | role attributes (LOGIN, NOSUPER/NOCREATEDB/NOCREATEROLE/NOREPL/NOBYPASSRLS), 2 rows, 0 extra | PASS | rows=2 |
| V-02 | CONNECTION LIMIT = 2 (both) | PASS | cutter_exec:2, cutter_verify:2 |
| V-03 | no membership (neither inherits nor inherited) | PASS | rows=0 |
| V-04 | no object ownership (pg_shdepend deptype='o') | PASS | owned=0 |
| V-05 | exact schema USAGE set | PASS | {cutter_exec:USAGE, cutter_verify:USAGE} |
| V-06 | table-privilege set-equality (core) | PASS | missing={} extra={}; is_grantable=false for all |
| V-07 | column-privilege set-equality | PASS | exactly {exec→entry.status, verify→entry.status, exec→review_decision.superseded_by_review_decision_id} |
| V-08 | exactly 3 column-UPDATE tuples; 0 table-level UPDATE | PASS | count=3 |
| V-09 | no DELETE/TRUNCATE/REFERENCES/TRIGGER on any cg object | PASS | rows=0 |
| V-10 | no observe-view (v_*_observe) grants to writers | PASS | rows=0 |
| V-11 | no canonical_address_alias grant (table+column) | PASS | sum=0 |
| V-12 | no out-of-schema privilege (incl. schema public) | PASS | rows=0 |
| V-13 | cutter_ro byte-state = {schema USAGE} + 12 view SELECT = 13, NOLOGIN | PASS | n=13 usage=1 viewsel=12 other=0 |
| V-13b | cutter_ro ACL byte-identical before vs after apply | PASS | RO_NOW == RO_BASE |
| V-14 | Directus counts unchanged by apply | PASS | 164,1173,9,8,9 == baseline |
| V-15 | RLS unchanged (relrowsecurity=0, 0 policies) | PASS | 0 |
| V-16 | schema CREATE denied (both) | PASS | has_schema_privilege CREATE = f |
| V-17 | password hash SCRAM-SHA-256 prefix (no hash body printed) | PASS | both 'SCRAM-SHA-256$' |
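The V-06/V-07 style of check, written out as an added example (this is not the page's own harness). The schema name cg, the role names and the three column-privilege tuples are taken from the page; the rows in the table-level "expected" CTE are an illustrative assumed grant list, not the authoring grant list. Grantee oid 0 is PUBLIC and has no pg_roles row, so the join is a LEFT JOIN and PUBLIC is kept: a PUBLIC grant on a cg table would otherwise vanish from the comparison while still being exercisable by the writers.

```sql
-- Added example, not the project's verification SQL.
-- 1. Table-level privileges (V-06): expected \ actual = missing, actual \ expected = extra,
--    plus any grant that carries WITH GRANT OPTION. PASS iff the query returns zero rows.
WITH expected(grantee, relname, privilege_type) AS (
    VALUES ('cutter_exec',   'entry',         'SELECT'),   -- assumed rows, for illustration only
           ('cutter_exec',   'entry',         'INSERT'),
           ('cutter_verify', 'verify_result', 'SELECT'),
           ('cutter_verify', 'verify_result', 'INSERT')
),
actual AS (
    SELECT COALESCE(r.rolname, 'PUBLIC') AS grantee,   -- grantee oid 0 is PUBLIC; keep it visible
           c.relname,
           a.privilege_type,
           a.is_grantable
    FROM   pg_class     c
    JOIN   pg_namespace n ON n.oid = c.relnamespace
    CROSS  JOIN LATERAL aclexplode(c.relacl) AS a      -- NULL relacl yields no rows (owner-only defaults)
    LEFT   JOIN pg_roles r ON r.oid = a.grantee
    WHERE  n.nspname = 'cg'
      AND  c.relkind IN ('r', 'p', 'v', 'm')
      AND  COALESCE(r.rolname, 'PUBLIC') IN ('cutter_exec', 'cutter_verify', 'PUBLIC')
)
SELECT 'missing'   AS kind, e.* FROM (SELECT * FROM expected
                                      EXCEPT SELECT grantee, relname, privilege_type FROM actual) e
UNION ALL
SELECT 'extra'     AS kind, x.* FROM (SELECT grantee, relname, privilege_type FROM actual
                                      EXCEPT SELECT * FROM expected) x
UNION ALL
SELECT 'grantable' AS kind, grantee, relname, privilege_type FROM actual WHERE is_grantable;

-- 2. Column-level privileges (V-07/V-08): the exact set of (grantee, table, column, privilege).
--    The expected rows here are the page's own V-07 set. PASS iff zero rows.
WITH expected(grantee, relname, attname, privilege_type) AS (
    VALUES ('cutter_exec',   'entry',           'status',                           'UPDATE'),
           ('cutter_verify', 'entry',           'status',                           'UPDATE'),
           ('cutter_exec',   'review_decision', 'superseded_by_review_decision_id', 'UPDATE')
),
actual AS (
    SELECT COALESCE(r.rolname, 'PUBLIC') AS grantee, c.relname, t.attname, a.privilege_type
    FROM   pg_attribute t
    JOIN   pg_class     c ON c.oid = t.attrelid
    JOIN   pg_namespace n ON n.oid = c.relnamespace
    CROSS  JOIN LATERAL aclexplode(t.attacl) AS a
    LEFT   JOIN pg_roles r ON r.oid = a.grantee
    WHERE  n.nspname = 'cg'
      AND  t.attnum > 0 AND NOT t.attisdropped
      AND  COALESCE(r.rolname, 'PUBLIC') IN ('cutter_exec', 'cutter_verify', 'PUBLIC')
)
SELECT 'missing' AS kind, e.* FROM (SELECT * FROM expected EXCEPT SELECT * FROM actual) e
UNION ALL
SELECT 'extra'   AS kind, x.* FROM (SELECT * FROM actual EXCEPT SELECT * FROM expected) x;
```

Both queries compare sets of (grantee, object, privilege) tuples, so a schema qualifier, grant ordering or whitespace in a rendered ACL string cannot produce a spurious match or mismatch; the harness records a PASS only when the symmetric difference is empty.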

§2 — Behavioural Allow-Probes (verification-plan §3) — must hold privilege

Method: connected as the named principal (local trust authentication; object ACLs are enforced exactly as they would be under password authentication). Each probe is wrapped as BEGIN; DO $$ … $$; ROLLBACK; so nothing persists. A probe shows the privilege is held when the statement either executes or fails with a post-ACL data error: 23502 (not-null violation) on an INSERT into an empty 0-row table proves the executor's permission check passed before the constraint fired. SQLSTATE 42501 means the privilege is not held; any other state (42P01, 42703) is a harness defect, not a verdict. Catalog checks V-06/V-07 are the authoritative grant proof; these probes corroborate them.

| ID | Principal | Probe | Result |
|---|---|---|---|
| AE-1 | cutter_exec | entry INSERT | 23502 |
| AE-2 | cutter_exec | entry UPDATE(status) | EXECUTED |
| AE-3 | cutter_exec | entry SELECT | EXECUTED |
| AE-4 | cutter_exec | history INSERT | 23502 |
| AE-4b | cutter_exec | dependency INSERT | 23502 |
| AE-5 | cutter_exec | sweep_log INSERT | 23502 |
| AE-6 | cutter_exec | manifest_envelope INSERT | 23502 |
| AE-6b | cutter_exec | manifest_unit_block SELECT | EXECUTED |
| AE-7 | cutter_exec | review_decision UPDATE(superseded…) | EXECUTED |
| AE-8 | cutter_exec | cut_change_set INSERT | 23502 |
| AE-9 | cutter_exec | cut_change_set_affected_row INSERT | 23502 |
| AE-10 | cutter_exec | dot_pair_signature SELECT | EXECUTED |
| AV-1 | cutter_verify | verify_result INSERT | 23502 |
| AV-1b | cutter_verify | verify_result SELECT | EXECUTED |
| AV-2 | cutter_verify | dot_pair_signature INSERT | 23502 |
| AV-3 | cutter_verify | cut_change_set INSERT (fwd compensation) | 23502 |
| AV-4 | cutter_verify | cut_change_set_affected_row SELECT | EXECUTED |
| AV-5 | cutter_verify | entry UPDATE(status) | EXECUTED |
| AV-6 | cutter_verify | manifest_envelope SELECT | EXECUTED |
| AV-6b | cutter_verify | review_decision SELECT | EXECUTED |

Result: 20/20 ALLOW PASS (no 42501 anywhere).

§3 — Behavioural Deny-Probes (verification-plan §4) — must be SQLSTATE 42501

| ID | Principal | Operation | SQLSTATE |
|---|---|---|---|
| D-1a | exec | DELETE entry | 42501 |
| D-1b | verify | DELETE verify_result | 42501 |
| D-2 | exec | TRUNCATE entry | 42501 |
| D-3 | exec | UPDATE entry.payload | 42501 |
| D-3v | verify | UPDATE entry.payload | 42501 |
| D-5 | exec | UPDATE review.verdict | 42501 |
| D-6 | verify | UPDATE review.superseded | 42501 |
| D-7 | exec | UPDATE cut_change_set.state | 42501 |
| D-7v | verify | UPDATE cut_change_set.state | 42501 |
| D-8 | exec | SELECT verify_result | 42501 |
| D-8i | exec | INSERT verify_result | 42501 |
| D-9 | exec | SELECT sweep_log | 42501 |
| D-10 | exec | SELECT cut_change_set_affected_row | 42501 |
| D-11 | verify | INSERT manifest_envelope | 42501 |
| D-12 | verify | SELECT dependency | 42501 |
| D-12s | verify | SELECT sweep_log | 42501 |
| D-13e | exec | SELECT canonical_address_alias | 42501 |
| D-13v | verify | SELECT canonical_address_alias | 42501 |
| D-14 | exec | SELECT v_*_observe view | 42501 |
| D-15 | exec | SELECT directus_collections | 42501 |
| D-16 | exec | CREATE TABLE in cg | 42501 |
| D-17 | verify | CREATE ROLE | 42501 |
| D-18 | exec | CREATE TRIGGER on entry | 42501 |

Result: 42/42 DENY PASS. Every denied operation was refused with insufficient_privilege (42501), which the harness distinguishes from undefined_table (42P01) and undefined_column (42703). In run-1, D-5/D-7/D-7v used column names that do not exist, so they failed with 42703 during analysis, before any ACL check was reached, and were correctly classified as harness defects rather than denials; run-2 uses the real columns verdict and state and all three return 42501. The table above lists 23 of the 42 probe IDs counted in the total; D-4 and D-19, among others, are not reproduced in this summary.

D-20 connection-limit: 2 held cutter_exec sessions, 3rd attempt → FATAL: too many connections for role "cutter_exec". PASS.
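The allow/deny probe loop from §2 and §3, as an added example that is not the page's own harness. It is meant to be run while connected as cutter_exec; cg.entry and its columns status and payload are from the page, the six probe statements are illustrative and the verdict rules are the ones §2 and §3 state: ALLOW passes on EXECUTED or on a post-ACL 23502, DENY passes only on 42501, and any other SQLSTATE is a harness defect that fails the run rather than being counted either way. The outer ROLLBACK discards whatever a probe managed to do. The connection-limit probe (D-20) cannot be expressed this way, since it is a connection-time FATAL rather than a statement error.

```sql
-- Added example, not the project's probe harness.
BEGIN;
DO $probe$
DECLARE
    p        record;
    outcome  text;
    ok       boolean;
    failures int := 0;
BEGIN
    FOR p IN
        SELECT * FROM (VALUES
            ('AE-1', 'ALLOW', 'INSERT INTO cg.entry DEFAULT VALUES'),     -- expect 23502 on an empty table
            ('AE-2', 'ALLOW', 'UPDATE cg.entry SET status = status'),     -- column-level UPDATE held
            ('AE-3', 'ALLOW', 'SELECT 1 FROM cg.entry'),
            ('D-1a', 'DENY',  'DELETE FROM cg.entry'),
            ('D-2',  'DENY',  'TRUNCATE cg.entry'),
            ('D-3',  'DENY',  'UPDATE cg.entry SET payload = payload')    -- column not in the grant set
        ) AS t(id, kind, stmt)
    LOOP
        BEGIN
            -- Each probe runs in its own sub-block: an error rolls back only this
            -- statement (implicit savepoint) and the loop continues.
            EXECUTE p.stmt;
            outcome := 'EXECUTED';
        EXCEPTION
            WHEN insufficient_privilege THEN outcome := '42501';              -- ACL refused
            WHEN not_null_violation     THEN outcome := '23502';              -- ACL passed, constraint fired
            WHEN OTHERS                 THEN outcome := 'HARNESS:' || SQLSTATE; -- 42P01/42703/...: no verdict
        END;

        ok := CASE p.kind
                WHEN 'ALLOW' THEN outcome IN ('EXECUTED', '23502')
                WHEN 'DENY'  THEN outcome = '42501'
                ELSE false
              END;
        IF NOT ok THEN
            failures := failures + 1;
        END IF;
        RAISE NOTICE '% % % -> %', p.id, p.kind, outcome,
                     CASE WHEN ok THEN 'PASS' ELSE 'FAIL' END;
    END LOOP;

    -- Withhold PASS for the whole run if any probe failed or hit a harness defect.
    IF failures > 0 THEN
        RAISE EXCEPTION '% probe(s) failed; see NOTICE lines', failures;
    END IF;
END
$probe$;
ROLLBACK;
```

Because a 42703 or 42P01 is classified as HARNESS rather than as a deny, a probe with a mistyped column can never be mistaken for a successful denial, which is the failure mode run-1 surfaced.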

§4 — Rollback Verification (verification-plan §5)

Rollback was applied from the sha-pinned artefact (fcba5629…2b14; the sha was re-checked inside the container before execution) via psql -f, in order: RB-1..RB-3 REVOKE segment, RB-4 gate, RB-5 DROP segment.

RB.sha-gate : PASS (fcba5629…2b14 == authoring sha)
RB-1..RB-3  : applied (7×REVOKE batches + COMMIT)
RB-4 gate   : members=0  owned=0  residual_priv=0  -> CLEAN
RB-5 drop   : DROP ROLE cutter_exec / cutter_verify (plain DROP ROLE, which has no CASCADE form; no DROP OWNED BY … CASCADE was issued, so nothing but the two roles could be removed)
RBV-1 roles gone .............. PASS (0)
RBV-2 no aclexplode residue ... PASS (0)
RBV-3 cutter_ro byte-identical  PASS (RO_AFTER == RO_BASE)
RBV-4 12 base tbl + 12 views .. PASS (t=12 v=12)
RBV-5 RLS 0 + Directus 164/1173/9/8/9 unchanged  PASS
RBV-6 no CASCADE side effect .. PASS (cutter_ro+objects intact)
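The RB-4 gate as a single query, added here as an example; it is not the page's own gate SQL. The role names are from the page. It reads pg_shdepend, which is a cluster-wide shared catalog, so it also sees ownership or ACL entries left in other databases of the same cluster, which a per-database aclexplode() scan cannot reach. Shared-dependency type 'o' is ownership, 'a' is an ACL entry naming the role, and 'r' is a role referenced by a row-level security policy.

```sql
-- Added example, not the project's RB-4 gate.
WITH victims AS (
    SELECT oid, rolname
    FROM   pg_roles
    WHERE  rolname IN ('cutter_exec', 'cutter_verify')
)
SELECT v.rolname,
       (SELECT count(*) FROM pg_auth_members m
         WHERE m.member = v.oid OR m.roleid = v.oid)               AS members,        -- neither inherits nor inherited
       (SELECT count(*) FROM pg_shdepend d
         WHERE d.refclassid = 'pg_authid'::regclass
           AND d.refobjid   = v.oid
           AND d.deptype    = 'o')                                  AS owned,          -- owner dependencies
       (SELECT count(*) FROM pg_shdepend d
         WHERE d.refclassid = 'pg_authid'::regclass
           AND d.refobjid   = v.oid
           AND d.deptype   IN ('a', 'r'))                           AS residual_priv   -- ACL entries, RLS policy roles
FROM   victims v;

-- Gate is CLEAN iff members = owned = residual_priv = 0 for both rows. Only then:
--   DROP ROLE cutter_exec, cutter_verify;
-- If anything still depends on a role, DROP ROLE fails with SQLSTATE 2BP01
-- (dependent_objects_still_exist) and removes nothing. The gate is the readable
-- diagnosis of what was left behind; the plain DROP is the final assertion.
```

Running the gate before the DROP, rather than relying on the DROP's own failure, gives the run log the per-role counts that RB-4 records (members=0 owned=0 residual_priv=0) instead of a single error message.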

§5 — Prod-Untouched Gate (verification-plan §6)

PU-1 dry-run sysid 7640672946682011694 != prod 7611578671664259111  (asserted)
PU-2 prod reached read-only ONLY for pg_dump/pg_dumpall/sysid catalog reads
PU-3 prod_sysid PRE==POST==7611578671664259111; ephemeral env destroyed;
     sensitive dump/globals/substituted-SQL shredded; only run.log+summary persist

§6 — False-Negative Discipline (verification-plan §7)

All privilege assertions are aclexplode() set operations (symmetric difference), not string compares. A deny probe is PASS iff it fails with SQLSTATE 42501 specifically; 42P01, 42703 and every other state are distinguished and count as FAIL, which is what surfaced in run-1 and was corrected. The connection-limit probe is PASS iff the error is the role-specific too-many-connections FATAL. Run-1's 6 "fails" were correctly classified as harness defects rather than real leaks precisely because this discipline kept them visible instead of letting them pass silently; PASS was withheld until the corrected re-run was clean.

End of credential dry-run verification results (run-2 clean; all catalog + 20 allow + 42 deny + RBV + prod-untouched PASS).
