KB-7306
dot-iu-cutter v0.4 — Production Credential Execution Report
tags: dot-iu-cutter, v0.4, credential-execution, production, dieu44, success-live, harness-false-negative
document_path: knowledge/dev/laws/dieu44-trien-khai/v0.4-credential-execution/dot-iu-cutter-v0.4-production-credential-execution-report-2026-05-17.md
revision: r1
date_executed: 2026-05-17 (UTC work_dir tag 20260517T021349Z)
author: Agent (Claude Code CLI, Opus 4.7 1M)
sovereign: User / anh Huyền
verifier: GPT (review pending — this report routes the execution result in)
phase: v0.4 — PRODUCTION CREDENTIAL EXECUTION (C-01..C-12)
opened_by: GPT command-review PASS + explicit User production-execution prompt.
status: SUCCESS_LIVE (substantive) — one cosmetic harness false-negative in the
G-09 self-check; NO rollback; credentials correctly live; production safe.
Executed ONLY the GPT-reviewed C-01..C-12 sequence. No CUT/VERIFY, no runtime adapter, no app code, no deploy, no Directus/RLS/cutter_ro change, no base-table row write, no Qdrant. Accepted SQL artefact applied byte-identical (sha 00296107…d502). No secret printed/logged/argv/KB/commit.
§1 — Outcome
substantive_execution_status: SUCCESS_LIVE
script_self_reported_status: FAIL / ABORTED_NO_APPLY # WRONG — see §4
roles_created: cutter_exec, cutter_verify (LIVE in production)
sql_applied: true (BEGIN/COMMIT rc=0)
rollback_performed: false (correctly — execution succeeded)
real_privilege_leak: false
secret_leaked_to_disk: false (independently proven)
production_safe: true (sysid/cutter_ro/Directus/RLS/0-rows all unchanged)
fail_count: 1 (G-09 disk-hygiene SELF-CHECK harness bug only — cosmetic)
next: GPT review of this execution report
agent_self_advance: PROHIBITED
§2 — Environment
vps: 38.242.240.89
prod_container: postgres (postgres:16, PG 16.13)
db: directus
superuser: workflow_admin
prod_system_identifier: 7611578671664259111 (PRE == POST, unchanged)
work_dir (VPS): /opt/incomex/tmp/dieu44_v0_4_cred_prod_20260517T021349Z
console: /opt/incomex/tmp/dieu44_v04_cred_stage/console_prod.out
§3 — Command Sequence Result (C-01..C-12)
| Cmd | Action | Result |
|---|---|---|
| C-06pre | sha-gate accepted artefacts | PASS — SQL 00296107…d502, rollback fcba5629…2b14 |
| C-01 | fresh read-only pg_dump -Fc + globals | PASS — sha 1621c67ef45dc86739bf6a6999cc0103820e1bd7ff735ee2cd49388a7f81afc4, 66,292,436 B; globals sha 42504396… |
| C-02 | PRE snapshot (no hash bodies) | sysid 7611578671664259111; cutter_ro 13/NOLOGIN; Directus 164/1173/9/8/9; RLS 0 |
| C-03 | preflight gates G-03..G-08 | ALL PASS — roles absent, cutter_ro ok, Directus ok, cg 12 tbl/12 vw/19 FK/0 rows, RLS 0 |
| C-04 | generate real passwords (40-char, not logged) | PASS (G-09 strength) |
| C-05 | create/update .env secrets | PASS — 4 keys written, backup /opt/incomex/docker/.env.bak.20260517T021349Z, perms 600 root:root |
| C-06 | recheck sha + backup freshness | PASS — sha stable, backup age 22 s < 3600 s |
| C-07 | substitute real secrets (non-logged temp) | PASS — 0 residual placeholders |
| C-08 | apply accepted credential SQL in production | PASS — BEGIN / CREATE ROLE×2 / GRANT×24 / COMMIT, rc=0 |
| C-09 | structural catalog verification V-01..V-17 | ALL PASS — V-06 missing={} extra={}, V-07 exactly 3 col tuples, V-13 cutter_ro unchanged, V-14 Directus unchanged, cg still 0 rows |
| C-10 | production-safe probes | 20/20 allow PASS, 42/42 deny = SQLSTATE 42501, D-20 conn-limit refused 3rd session, post-probe cg 0 rows |
| C-11 | secret placement/audit note (no values) | written |
| C-12 | rollback | NOT triggered (no real gate failure) |
§4 — The One "FAIL": G-09 Self-Check Harness False-Negative (not a real failure)
symptom: |
./dieu44_v04_cred_prod.sh: line 346: [: 0\n0: integer expression expected
FAIL >>> G-09 secret hygiene (files_left=0 pwtok=0\n0)
root_cause: the G-09 disk-hygiene SELF-CHECK used `PWTOK=$(grep -c "PASSWORD '" apply.log || echo 0)`.
`grep -c` prints "0" AND exits 1 when there are zero matches, so `|| echo 0`
appends a second "0" -> PWTOK="0\n0" -> the `[ "$PWTOK" -eq 0 ]` integer
test errors -> spurious fail() -> OVERALL=FAIL -> status-derivation logic
(which requires OVERALL=PASS for SUCCESS_LIVE) mislabeled
execution_status=ABORTED_NO_APPLY even though SQL_APPLIED=1.
classification: HARNESS false-negative in a post-hoc hygiene SELF-CHECK only.
Identical pattern to the dry-run run-1 harness defects. It did NOT affect any
production action, did NOT trigger rollback, and the hygiene property it was
meant to assert is independently TRUE (see §5).
fix: `PWTOK=$(grep -c "PASSWORD '" apply.log 2>/dev/null); [ -z "$PWTOK" ] && PWTOK=0`
— corrected script stored for provenance as
/opt/incomex/tmp/dieu44_v04_cred_stage/dieu44_v04_cred_prod.sh.g09fixed
(NOT re-executed; re-running is unnecessary and would wrongly fail G-04
roles-absent now that the credentials are correctly live).
accepted_sql_or_rollback_modified: NO (sha unchanged 00296107…/fcba5629…).
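The defect above is a general pitfall of `grep -c` under `||` fallbacks, not something specific to this harness. The following POSIX sh block is an added illustration written for this report; it is not the report's dieu44_v04_cred_prod.sh. It reproduces the false-negative on a constructed stand-in for apply.log (the real log contains only the command tags, since `psql -f` does not echo SQL), applies the corrected counting pattern, and emulates the integer gate so the three outcomes (PASS, FAIL, test error) are visible. The function names, the gate's return codes and the placeholder literal in the leaky log are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not the report's dieu44_v04_cred_prod.sh: reproduces the
# G-09 self-check false-negative and the corrected counting pattern on a
# constructed stand-in for apply.log.

# Constructed apply.log: psql -f does not echo SQL, so only the command tags
# of the credential transaction appear and no PASSWORD literal is present.
make_clean_log() {
  printf 'BEGIN\nCREATE ROLE\nCREATE ROLE\nGRANT\nGRANT\nCOMMIT\n' > "$1"
}

# Constructed log that DOES contain a literal (placeholder value only), to
# show that the corrected gate still fails when it should.
make_leaky_log() {
  printf "BEGIN\nCREATE ROLE x WITH PASSWORD 'PLACEHOLDER'\nCOMMIT\n" > "$1"
}

# Original (buggy) pattern: grep -c prints "0" AND exits 1 on zero matches,
# so the || branch appends a second "0" and PWTOK becomes "0<newline>0".
count_buggy() {
  PWTOK=$(grep -c "PASSWORD '" "$1" || echo 0)
  printf '%s\n' "$PWTOK"
}

# Corrected pattern from the report: keep grep's own count and fall back to
# 0 only when grep printed nothing at all (e.g. the file is missing).
count_fixed() {
  PWTOK=$(grep -c "PASSWORD '" "$1" 2>/dev/null)
  [ -z "$PWTOK" ] && PWTOK=0
  printf '%s\n' "$PWTOK"
}

# Emulates the harness gate: 0 = PASS (no literal), 1 = FAIL (literal found),
# 2 = the integer test itself errored ("integer expression expected"), which
# is what produced the spurious fail() in the production run.
hygiene_gate() {
  if [ "$1" -eq 0 ] 2>/dev/null; then
    return 0
  elif [ "$1" -gt 0 ] 2>/dev/null; then
    return 1
  else
    return 2
  fi
}

# Stand-alone demonstration: same clean log, both counting patterns.
demo() {
  log=$(mktemp)
  make_clean_log "$log"
  rc=0; hygiene_gate "$(count_buggy "$log")" || rc=$?
  echo "buggy pattern -> gate rc=$rc"   # 2: integer test errored
  rc=0; hygiene_gate "$(count_fixed "$log")" || rc=$?
  echo "fixed pattern -> gate rc=$rc"   # 0: PASS
  rm -f "$log"
}
demo
```

The fallback `[ -z "$PWTOK" ] && PWTOK=0` only fires when grep produced no output, which is the missing-file case; a zero-match run already yields a clean "0", so the exit status of grep is irrelevant to the count and must not be used to pad it.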
§5 — Independent Post-Execution Re-Verification (read-only, separate from the run)
roles: cutter_exec & cutter_verify — login=true conn=2 super=false
createrole=false createdb=false repl=false bypassrls=false (exact spec)
password_storage: both SCRAM-SHA-256 (prefix only; hash body never read)
table_privilege_tuples: 33 (EXACT accepted matrix: 18 exec + 15 verify)
column_update_tuples: 3 exactly:
cutter_exec.decision_backlog_entry.status,
cutter_verify.decision_backlog_entry.status,
cutter_exec.review_decision.superseded_by_review_decision_id
grant_option: 0 destructive(DEL/TRUNC/REF/TRIG): 0 out_of_schema: 0
membership: 0 object_ownership: 0
cutter_ro: 13 grants, rolcanlogin=false (UNCHANGED)
directus: 164,1173,9,8,9 (UNCHANGED) rls: 0 (UNCHANGED)
cutter_governance_total_rows: 0 (no base-table row written)
apply.log: only BEGIN / CREATE ROLE×2 / GRANT×24 / COMMIT — grep -c PASSWORD = 0
(psql -f does not echo SQL; NO secret on disk)
work_dir_sensitive_files: only globals.err (0 B) + secret-placement-audit-note
(no values); prod.dump / globals.sql / .secrets / .cred_apply.sql SHREDDED
.env: chmod 600 root:root; 4 DOT_CUTTER_* keys present (values never shown)
prod_sysid: 7611578671664259111 PRE == POST
verdict: production credential set is EXACTLY the GPT-accepted least-privilege
matrix; live; safe; no leak. The substantive execution is a clean SUCCESS.
§6 — Secret Handling (C-11; no values anywhere)
generation: openssl rand -base64 36 -> alnum -> 40 chars (≥32), in-shell only
substrate: /opt/incomex/docker/.env (CD-4; chmod 600 root:root; not in DB dumps)
keys: DOT_CUTTER_EXEC_DB_USER=cutter_exec, DOT_CUTTER_EXEC_DB_PASSWORD=<secret>,
DOT_CUTTER_VERIFY_DB_USER=cutter_verify, DOT_CUTTER_VERIFY_DB_PASSWORD=<secret>
prior_env_backup: /opt/incomex/docker/.env.bak.20260517T021349Z (root-600)
never: secret value echoed, in argv, in shell history, in any log/KB/repo/commit
rotation: ALTER ROLE … PASSWORD + synchronized .env update (separate cycle)
emergency_revoke: ALTER ROLE … NOLOGIN → rollback artefact fcba5629…2b14
runtime_use: NONE this cycle (roles created, bound to no adapter)
audit_note: work_dir/secret-placement-audit-note.txt (no values)
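As an added example of the C-04/C-05 secret-handling discipline described in this section (random bytes, base64, alphanumerics only, 40 characters, placed in an .env file under 600 perms without the value ever reaching stdout, another process's argv, or a log), the POSIX sh block below was written for this report and is not the execution script itself. The key names and the .env layout follow §6; the fallback to /dev/urandom when openssl is absent, the function names, the one-backup-per-batch convention and the length-only audit helper are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the report's C-04/C-05 script: generate a 40-char
# alphanumeric credential and place it in an .env-style file without the
# value being printed, passed to an external command's argv, or logged.

# Exactly 40 alphanumeric characters. openssl rand -base64 36 is what §6
# names; /dev/urandom + base64 is an assumed fallback. Loops in the rare
# case that stripping '+', '/' and '=' leaves fewer than 40 characters.
gen_secret() {
  while :; do
    if command -v openssl >/dev/null 2>&1; then
      raw=$(openssl rand -base64 36)
    else
      raw=$(head -c 36 /dev/urandom | base64)
    fi
    clean=$(printf '%s' "$raw" | LC_ALL=C tr -dc 'A-Za-z0-9')
    if [ "${#clean}" -ge 40 ]; then
      printf '%s' "$clean" | cut -c1-40
      return 0
    fi
  done
}

# Mirrors the G-09 strength gate: at least 32 characters, alphanumeric only.
check_strength() {
  s=$1
  [ "${#s}" -ge 32 ] || return 1
  case $s in *[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

# One timestamped backup of the prior .env per batch (as C-05 did), mode
# preserved by cp -p.
backup_env() {
  [ -f "$1" ] || return 0
  cp -p "$1" "$1.bak.$(date -u +%Y%m%dT%H%M%SZ)"
}

# Upsert KEY=VALUE: rewrite under umask 077 inside a subshell so the new
# file is never world-readable and the caller's umask is untouched. printf
# is a shell builtin, so the value never appears in a process listing.
set_env_key() {
  envfile=$1; key=$2; value=$3
  (
    umask 077
    tmp="$envfile.tmp.$$"
    {
      [ -f "$envfile" ] && grep -v "^$key=" "$envfile"
      printf '%s=%s\n' "$key" "$value"
    } > "$tmp"
    mv "$tmp" "$envfile"
    chmod 600 "$envfile"
  )
}

# One role end to end: generate, gate, place USER and PASSWORD keys.
# Nothing about the secret is echoed; the variable is cleared afterwards.
provision_role_secret() {
  envfile=$1; role=$2; prefix=$3
  secret=$(gen_secret)
  check_strength "$secret" || return 1
  set_env_key "$envfile" "${prefix}_DB_USER" "$role"
  set_env_key "$envfile" "${prefix}_DB_PASSWORD" "$secret"
  unset secret
}

# Audit helper in the spirit of C-11: reports only the LENGTH of a key's
# value (0 when absent), never the value itself.
env_value_len() {
  v=$(grep "^$2=" "$1" | head -n1 | cut -d= -f2-)
  printf '%s\n' "${#v}"
}

# Stand-alone run against a constructed env file in a temporary directory.
demo() {
  d=$(mktemp -d)
  printf 'OTHER_KEY=keep-me\n' > "$d/.env"
  backup_env "$d/.env"
  provision_role_secret "$d/.env" cutter_exec   DOT_CUTTER_EXEC
  provision_role_secret "$d/.env" cutter_verify DOT_CUTTER_VERIFY
  echo "DOT_CUTTER_* keys: $(grep -c '^DOT_CUTTER_' "$d/.env")"
  echo "exec password length: $(env_value_len "$d/.env" DOT_CUTTER_EXEC_DB_PASSWORD)"
  rm -rf "$d"
}
demo
```

Re-running `provision_role_secret` for the same prefix replaces the existing keys rather than appending duplicates, which is the shape a later rotation cycle (`ALTER ROLE … PASSWORD` plus a synchronized .env update) needs; unrelated keys in the file are carried over unchanged.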
§7 — Rollback Status
rollback_performed: false
reason: no real gate failed. C-08 apply rc=0; all V-01..V-17 PASS; all 62
probes PASS; conn-limit enforced; cutter_ro/Directus/RLS/0-rows invariant.
The only fail() was the cosmetic G-09 self-check (§4), which is not a
production-state failure and (correctly) does not set ROLLBACK_NEEDED.
rollback_artefact: fcba5629…2b14 staged + sha-gated; available for emergency
revoke; NOT applied.
§8 — Production-State Confirmation
production_writes: only the authorized CREATE ROLE×2 + GRANT×24 in
cutter_governance (the accepted artefact) + .env secret keys.
not_touched: Directus objects, RLS, cutter_ro, base-table rows (0), Qdrant,
app code, services (no deploy/restart), no runtime adapter bound.
prod_sysid: 7611578671664259111 unchanged. directus 164/1173/9/8/9 unchanged.
backups_retained (VPS, no secrets): run.log, summary.txt,
secret-placement-audit-note.txt, prior .env backup. prod.dump/globals SHREDDED.
§9 — Open Blockers / Next
B-1 GPT review of THIS production credential execution report. OPEN
B-2 real-DB-adapter design cycle (still blocked until reviewed). OPEN
production_CUT_VERIFY / deploy / runtime binding: STILL BLOCKED
next_recommended_step: GPT review of this execution report.
agent_self_advance: PROHIBITED (no adapter/CUT/VERIFY/deploy/code/Qdrant).
End of production credential execution report — substantive SUCCESS_LIVE; one cosmetic G-09 self-check harness false-negative documented and independently disproved; no rollback; production safe; next = GPT review; self-advance PROHIBITED.