KB-C14A
dot-iu-cutter v0.4 — Production Credential Command-Review Package
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-execution/dot-iu-cutter-v0.4-production-credential-command-review-package-2026-05-17.md
revision: r1
date_authored: 2026-05-17
cycle_date_label: 2026-05-17
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (review pending — this package routes the command-review in)
phase: v0.4 — production credential COMMAND-REVIEW (authoring only)
opened_by: GPT v0.4 credential dry-run result review = PASS
(ready_for_production_credential_command_review=true;
production_credential_execution_allowed=false; secret_creation_allowed=false)
+ explicit User command-review-ONLY sovereign prompt.
status: COMMAND-REVIEW ONLY — NOTHING EXECUTED — production still blocked
⛔ COMMAND-REVIEW ONLY. This document executes nothing. No production role, no GRANT/REVOKE, no secret, no .env edit, no runtime connection, no CUT/VERIFY, no deploy, no Directus/RLS/cutter_ro/base-row change, no Qdrant/vector. It specifies the EXACT future production runbook for review. The accepted SQL/rollback artefacts are referenced by sha and are not reproduced or modified here. Self-advance PROHIBITED.
§1 — Scope (what the FUTURE authorized execution cycle will do)
in_scope_future_execution:
- create production roles cutter_exec and cutter_verify (LOGIN, NOSUPERUSER,
NOCREATEDB, NOCREATEROLE, NOREPLICATION, NOBYPASSRLS, CONNECTION LIMIT 2,
scram-sha-256, memberless) — verbatim from accepted credential SQL artefact
- apply the EXACT accepted grant set (privilege matrix, byte-identical
artefact sha 00296107…d502)
- verify EXACT privileges (structural aclexplode set-equality + safe probes)
- prepare/stage the EXACT rollback (artefact sha fcba5629…2b14)
- NO runtime use yet (no app/adapter binds these roles in this cycle)
authority_basis: GPT dry-run review 2026-05-17 = PASS; this command-review must
itself be GPT-PASSed AND a separate sovereign execution prompt issued before
ANY production action.
§2 — Non-Scope (explicitly forbidden in this and the execution cycle)
forbidden:
- CUT / VERIFY of any kind
- real DB-adapter / runtime code connection to these roles
- any application code change
- any deploy / restart of services for runtime use
- Directus object/collection/policy/permission change
- RLS / pg_policy / relrowsecurity change
- cutter_ro alteration (its 13 grants stay byte-identical)
- any base-table row write in cutter_governance (0 rows preserved)
- Qdrant / vector / embedding operation
- changing the accepted SQL or rollback artefact (STOP + report instead)
- secret creation / .env edit IN THIS COMMAND-REVIEW CYCLE (only proposed)
§3 — Production Command Sequence (target runbook; NOT executed)
environment_constants (verified read-only during the dry-run session):
prod_container: postgres
prod_db: directus
prod_superuser: workflow_admin (rolsuper; bootstrap role 'postgres' absent)
prod_system_identifier: 7611578671664259111
pg_version: 16.13
baseline: cutter_governance = 12 base tables + 12 v_*_observe views + 19
in-schema FK + 0 rows; cutter_ro = NOLOGIN, 13 grants (1 schema USAGE +
12 view SELECT); Directus = collections 164 / permissions 1173 / roles 9 /
policies 8 / access 9; RLS = 0; cutter_exec/cutter_verify ABSENT.
| Cmd | Action | Bound gate(s) |
|---|---|---|
| C-01 | Fresh production backup: pg_dump -Fc directus + pg_dumpall --globals-only --no-role-passwords as workflow_admin (read-only); record sha256 + byte size + UTC timestamp | G-01, G-03 |
| C-02 | Globals/role-state snapshot: capture pre-state of all roles (pg_roles/pg_authid flags, no hash bodies), cutter_ro aclexplode set, Directus counts, RLS count, prod sysid → PRE baseline file (root-600) | G-02 |
| C-03 | Preflight asserts: cutter_exec/cutter_verify absent; cutter_ro byte-identical to v0.3 inventory (13 grants, NOLOGIN); Directus 164/1173/9/8/9; cutter_governance exactly 12 tables / 0 rows / 12 views / 19 FK; RLS 0; prod sysid == 7611578671664259111 | G-03..G-08 |
| C-04 | Generate two real strong passwords (openssl rand, ≥32 chars) inside a non-logged shell var / root-600 tmpfile only; never echoed, never in argv, never in history | G-09 |
| C-05 | Create secrets in the approved substrate (VPS /opt/incomex/docker/.env, §5) ONLY IF a later production-execution prompt authorizes it — NOT in this cycle, NOT by this command-review | G-10, G-11 |
| C-06 | Extract accepted credential SQL artefact; sha-gate: assert sha256 == 00296107e04fc8cfea536937838f720811ecb2c491eee7a81be614cb0a04d502; assert rollback artefact sha256 == fcba5629bb4983ad3b4cf6cf3bfc6b0b4c70d08e0c24a083436078c3981a2b14 | G-12 |
| C-07 | Substitute placeholder tokens → real secrets in a non-logged temp file (root-600, shred -u after apply); the sha-pinned placeholder artefact is unchanged (sha computed on placeholder form) | G-09, G-12 |
| C-08 | Apply the credential SQL in production (psql -f, BEGIN/COMMIT, workflow_admin) ONLY IF the future execution prompt authorizes — blocked here | G-ALL |
| C-09 | Structural catalog verification V-01..V-17 (aclexplode set-equality, no string compare) against production | G-13 |
| C-10 | Behavioural probes — production-safe: allow-probes wrapped BEGIN; DO $$…$$; ROLLBACK; (privilege held iff result ≠ 42501; zero rows persist, schema stays 0-row), deny-probes (must be SQLSTATE 42501), connection-limit (3rd session refused). 20 allow / 42 deny / 1 conn-limit, identical to dry-run set | G-13, G-14 |
| C-11 | Write secret placement/audit note (substrate path, perms, var names, rotation, revoke, audit trail) — no secret value ever written | G-09 |
| C-12 | Rollback commands if ANY gate fails — apply sha-pinned rollback artefact (RB-1 NOLOGIN → RB-2 terminate → RB-3 exact REVOKE → RB-4 gate → RB-5 plain DROP), remove any created secret, verify baseline restored, no CASCADE | G-15 |
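The C-10 probe wrapper, as an added illustration of the BEGIN; DO $$…$$; ROLLBACK; pattern; this is not the page's probe set or the accepted artefact. It assumes a session connected as the role under test, and the table/column names are placeholders because the privilege matrix is not reproduced here.

```sql
-- Added example of one production-safe probe (allow or deny decided by SQLSTATE).
-- Table and column names are PLACEHOLDERS; only the schema name comes from the page.
BEGIN;
DO $$
DECLARE
  verdict text;
BEGIN
  BEGIN
    -- the probed statement; if the privilege is held it runs, and the outer ROLLBACK discards the row
    EXECUTE 'INSERT INTO cutter_governance.placeholder_base_table (placeholder_col) VALUES (NULL)';
    verdict := 'held';
  EXCEPTION
    WHEN insufficient_privilege THEN                 -- SQLSTATE 42501: the only acceptable deny signal
      verdict := 'denied (42501)';
    WHEN undefined_table OR undefined_column THEN    -- 42P01 / 42703: harness false-negative, NOT a deny
      verdict := 'false-negative (' || SQLSTATE || ')';
    WHEN others THEN                                 -- e.g. 23502: permission check already passed, so held
      verdict := 'held (' || SQLSTATE || ')';
  END;
  RAISE NOTICE 'probe verdict: %', verdict;
END $$;
ROLLBACK;  -- discards anything an allow-probe inserted; cutter_governance stays at 0 rows
```

A deny-probe PASSES only on the 'denied (42501)' verdict; a 'false-negative' verdict means the harness, not the grant set, is wrong and the probe must be fixed and re-run rather than counted.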
§4 — Safety Gates (abort conditions; all must hold or STOP+report)
G-01 backup taken successfully (pg_dump rc=0) AND backup age < 60 minutes at C-08.
G-02 PRE role/globals/cutter_ro/Directus/RLS/sysid snapshot captured.
G-03 production identity unambiguous: sysid == 7611578671664259111 (PRE) — abort if unclear.
G-04 roles cutter_exec AND cutter_verify ABSENT — abort if either exists unexpectedly.
G-05 cutter_ro byte-identical to v0.3 inventory (NOLOGIN, 13 grants) — abort on any diff.
G-06 Directus counts == 164/1173/9/8/9 — abort on diff.
G-07 cutter_governance == exactly 12 tables / 0 rows (+12 views / 19 FK) — abort on diff.
G-08 RLS == 0 (relrowsecurity & pg_policy) — abort on diff.
G-09 NO password/secret ever logged, echoed, in argv, in shell history, or in
any KB/repo/.env-readback — abort the instant a secret could be exposed.
G-10 secret creation occurs ONLY in the approved substrate AND ONLY under a
later explicit execution authorization — abort otherwise.
G-11 `.env` edit ONLY if explicitly authorized by a future sovereign prompt —
abort if attempted without that authorization.
G-12 credential SQL sha == 00296107…d502 AND rollback sha == fcba5629…2b14 —
abort on any mismatch (no execution of an unverified artefact).
G-13 every structural verification V-01..V-17 PASS (symmetric difference = ∅) —
abort/rollback on any FAIL; distinguish harness false-negative from leak.
G-14 every deny-probe == SQLSTATE 42501 (not 42P01/42703); conn-limit refuses
3rd session; zero rows persisted by any probe — abort/rollback otherwise.
G-15 rollback gate clean: roles memberless AND own nothing AND no residual
privilege before any DROP; no CASCADE — else leave roles intact + escalate.
safety_gates_count: 15
§5 — Secret Handling Plan (proposed; NOT created/written this cycle)
generation: openssl rand -base64 36 | tr -d '/+=' | cut -c1-40 (≥32 chars,
high-entropy, generated on the VPS host into a shell var / root-600 tmpfile)
never_print: secret never echoed, never in argv, never in shell history
(use a here-string into a 0600 tmpfile or PGPASSWORD via env, then shred),
never in any KB doc, log, console, or repo, never read back from .env.
substrate: VPS /opt/incomex/docker/.env (CD-4 closed decision — the existing
approved secret substrate; same file already holds the Agent Data cloud key).
file_permissions: /opt/incomex/docker/.env must be chmod 600, owner root:root;
no group/other read; verified before and after.
backup_exclusion: pg_dump/pg_dumpall never include OS-file secrets;
--no-role-passwords keeps role hashes out of globals dumps; .env is NOT in
any DB dump and MUST be excluded from any filesystem backup that ships off-box.
rotation_plan: rotate via ALTER ROLE … PASSWORD (new openssl secret) +
synchronized .env update, on a fixed cadence and on any suspected exposure;
rotation is itself a separately-authorized cycle.
emergency_revoke: ALTER ROLE cutter_exec NOLOGIN; ALTER ROLE cutter_verify
NOLOGIN; (instant containment, reversible) → then full rollback artefact if
required; zeroise the .env keys.
audit_trail: app-side decision_backlog_history ledger + DOT pair-signature
chain provide principal-keyed audit independent of PG logs; optional
role-scoped log_connections (CD-12) is a separately-reviewed line, not here.
proposed_env_variable_names (PROPOSED ONLY — NOT written, NOT exported):
- DOT_CUTTER_EXEC_DB_USER = cutter_exec
- DOT_CUTTER_EXEC_DB_PASSWORD = <real secret, set only in future exec cycle>
- DOT_CUTTER_VERIFY_DB_USER = cutter_verify
- DOT_CUTTER_VERIFY_DB_PASSWORD = <real secret, set only in future exec cycle>
(DSN host/port/db reuse existing Directus PG connection constants; no new
network exposure; names are a proposal for GPT review, written nowhere.)
§6 — Verification Plan (production; same discipline as dry-run)
method: structural aclexplode() SET-equality, symmetric difference = ∅; NEVER
a rendered-string / pg_get_*def() / \dp compare (carries the P0-6/P0-5
schema-qualifier false-negative lesson).
catalog: V-01 role flags; V-02 CONNECTION LIMIT=2; V-03 no membership;
V-04 no object ownership (pg_shdepend deptype='o'); V-05/V-16 exact schema
USAGE, no CREATE; V-06 exact table-priv set; V-07 exact column-priv set
(exactly 3 UPDATE tuples); V-08 no extra UPDATE; V-09 no
DELETE/TRUNCATE/REFERENCES/TRIGGER; V-10 no observe-view grant; V-11 no
canonical_address_alias grant; V-12 no out-of-schema priv; V-13 cutter_ro
byte-identical (13 grants); V-14 Directus 164/1173/9/8/9; V-15 RLS 0;
V-17 SCRAM prefix (no hash body printed).
behavioural: 20 allow-probes (BEGIN/DO/ROLLBACK, privilege held iff ≠42501,
zero-row-persistence on the empty schema = production-safe equivalent);
42 deny-probes (must be SQLSTATE 42501, distinguished from 42P01/42703);
connection-limit (3rd session refused with role-specific error).
guards: no ownership, no membership, no extra privilege, no base-table row
persisted, no GRANT OPTION; false-negative explicitly distinguished from a
real leak — PASS withheld unless a clean run (or GPT-accepted) result.
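One way to write the structural set-equality check described above (V-05/V-06/V-07 style, with V-12 falling out of the lack of a schema filter), as an added example rather than the page's own verification harness. Role and schema names are the page's; the EXPECTED tuples are constructed placeholders standing in for the accepted privilege matrix, which this page does not reproduce.

```sql
-- aclexplode() set-equality for one role: PASS iff the symmetric difference is empty.
-- EXPECTED rows below are CONSTRUCTED placeholders, not the accepted grant set.
WITH expected(obj_kind, schema_name, obj_name, col_name, privilege, grantable) AS (
  VALUES
    ('schema', 'cutter_governance', NULL,            NULL,            'USAGE',  false),
    ('table',  'cutter_governance', 'placeholder_t', NULL,            'SELECT', false),
    ('table',  'cutter_governance', 'placeholder_t', NULL,            'INSERT', false),
    ('column', 'cutter_governance', 'placeholder_t', 'placeholder_c', 'UPDATE', false)
),
actual AS (
  -- schema-level privileges held by the role (V-05/V-16: USAGE only, no CREATE)
  SELECT 'schema', n.nspname::text, NULL::text, NULL::text, a.privilege_type, a.is_grantable
  FROM pg_namespace n, aclexplode(n.nspacl) a
  WHERE a.grantee = 'cutter_exec'::regrole
  UNION ALL
  -- table-level privileges, always schema-qualified (the P0-6/P0-5 false-negative lesson);
  -- no schema filter, so any out-of-schema grant surfaces as 'extra' (V-12)
  SELECT 'table', n.nspname::text, c.relname::text, NULL::text, a.privilege_type, a.is_grantable
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace, aclexplode(c.relacl) a
  WHERE a.grantee = 'cutter_exec'::regrole
  UNION ALL
  -- column-level privileges (V-07: exactly the expected UPDATE tuples, nothing more)
  SELECT 'column', n.nspname::text, c.relname::text, att.attname::text, a.privilege_type, a.is_grantable
  FROM pg_attribute att
  JOIN pg_class c ON c.oid = att.attrelid
  JOIN pg_namespace n ON n.oid = c.relnamespace, aclexplode(att.attacl) a
  WHERE a.grantee = 'cutter_exec'::regrole AND att.attnum > 0 AND NOT att.attisdropped
)
-- symmetric difference; 'missing' = expected but not granted, 'extra' = granted but not expected.
-- is_grantable is part of the tuple, so a stray GRANT OPTION also shows up as 'extra'.
SELECT 'missing' AS diff, * FROM (SELECT * FROM expected EXCEPT SELECT * FROM actual) m
UNION ALL
SELECT 'extra'   AS diff, * FROM (SELECT * FROM actual EXCEPT SELECT * FROM expected) x;
```

Note that 'cutter_exec'::regrole raises an error if the role is absent, which is the intended behaviour at C-09 (G-04 has already asserted the roles exist by then).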
§7 — Rollback Plan (exact-inverse; gated; no CASCADE)
artefact: sha-pinned fcba5629…2b14, applied verbatim via psql -f, gated split.
RB-1 ALTER ROLE cutter_exec/cutter_verify NOLOGIN (instant e-stop, reversible).
RB-2 pg_terminate_backend for cutter_exec/cutter_verify sessions (not self).
RB-3 REVOKE the EXACT grant set (inverse of artefact §3; no blanket REVOKE ALL).
RB-4 GATE per role: memberless AND owns nothing (pg_shdepend deptype='o' = 0)
AND no residual privilege (aclexplode = 0) — else STOP, do NOT drop,
escalate (roles left intact).
RB-5 DROP ROLE cutter_exec; DROP ROLE cutter_verify; — plain, NEVER CASCADE,
never DROP OWNED / REASSIGN OWNED.
RB-6 remove any created secret: zeroise the .env keys (only if C-05 created
them in a future exec cycle); shred temp substituted-SQL file.
RB-7 verify baseline restored: roles gone, 0 aclexplode residue, cutter_ro
byte-identical, 12 tables/12 views/0 rows, Directus 164/1173/9/8/9,
RLS 0, prod sysid unchanged. No CASCADE side effect.
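The RB-4 gate as a single catalog query, added here as an example; it is not the sha-pinned rollback artefact and assumes only the two role names from the page. Both rows must show gate_clean = true before RB-5 may run; otherwise the roles are left intact and the case escalated.

```sql
-- RB-4 pre-DROP gate: memberless AND owns nothing AND no residual privilege, per role.
-- Looks the roles up by name so an already-absent role simply yields no row.
WITH roles AS (
  SELECT oid, rolname FROM pg_roles WHERE rolname IN ('cutter_exec', 'cutter_verify')
),
membership AS (  -- memberless in both directions: member of nothing, nothing is a member of it
  SELECT r.rolname, count(*) AS n
  FROM roles r JOIN pg_auth_members m ON m.member = r.oid OR m.roleid = r.oid
  GROUP BY r.rolname
),
ownership AS (   -- pg_shdepend deptype 'o' is cluster-wide, so it covers objects in other databases too
  SELECT r.rolname, count(*) AS n
  FROM roles r JOIN pg_shdepend d
    ON d.refobjid = r.oid AND d.refclassid = 'pg_authid'::regclass AND d.deptype = 'o'
  GROUP BY r.rolname
),
residual_acl AS (  -- any aclexplode() tuple naming the role in this database counts as residue
  SELECT r.rolname, count(*) AS n
  FROM roles r JOIN (
    SELECT a.grantee FROM pg_namespace n, aclexplode(n.nspacl) a
    UNION ALL SELECT a.grantee FROM pg_class c, aclexplode(c.relacl) a
    UNION ALL SELECT a.grantee FROM pg_attribute att, aclexplode(att.attacl) a
  ) g ON g.grantee = r.oid
  GROUP BY r.rolname
)
SELECT r.rolname,
       coalesce(m.n, 0) AS memberships,
       coalesce(o.n, 0) AS owned_objects,
       coalesce(a.n, 0) AS residual_privileges,
       coalesce(m.n, 0) = 0 AND coalesce(o.n, 0) = 0 AND coalesce(a.n, 0) = 0 AS gate_clean
FROM roles r
LEFT JOIN membership   m USING (rolname)
LEFT JOIN ownership    o USING (rolname)
LEFT JOIN residual_acl a USING (rolname);
```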
§8 — Open Blockers (none satisfied or introduced by this command-review)
B-1 GPT PASS of THIS production credential command-review package. OPEN
B-2 separate sovereign PRODUCTION-EXECUTION prompt (post B-1). OPEN
B-3 separate real-DB-adapter design cycle (still blocked until cred path). OPEN
B-4 secret substrate operationalised — NO secret exists yet. OPEN
production_credential_execution: STILL BLOCKED
§9 — Output Summary
command_count: 12 (C-01..C-12)
credential_sql_artefact_sha256: 00296107e04fc8cfea536937838f720811ecb2c491eee7a81be614cb0a04d502
rollback_artefact_sha256: fcba5629bb4983ad3b4cf6cf3bfc6b0b4c70d08e0c24a083436078c3981a2b14
safety_gates_count: 15 (G-01..G-15)
secret_substrate_recommendation: VPS /opt/incomex/docker/.env (CD-4 closed),
chmod 600 root:root, backup-excluded, proposed var names DOT_CUTTER_EXEC_*/
DOT_CUTTER_VERIFY_* (proposed only; written nowhere this cycle)
production_execution_still_blocked: TRUE (NOTHING executed; no role/GRANT/
secret/.env/runtime/CUT/VERIFY/deploy)
accepted_sql_unchanged: TRUE accepted_rollback_unchanged: TRUE
ready_for_gpt_review: TRUE
agent_self_advance: PROHIBITED
End of production credential command-review package (command-review only; nothing executed; production still blocked; next = GPT review; self-advance PROHIBITED).