dot-iu-cutter v0.4 PG-backed Dry-run — Command Review (2026-05-17)
Date: 2026-05-17 · Status: NOTHING EXECUTED — every command below is PROPOSED and requires a separate explicit authorization after GPT review.
Boundaries: no execution, no production connection/secret, no .env edit, no commit, no deploy, no CUT/VERIFY in prod, no self-advance.
Conventions
- Throwaway work dir: WD=/opt/incomex/dot/iu-cutter/.dryrun-v0.4-2026-05-17 (created at C-02, shredded at teardown; under .gitignore scope, never git add-ed).
- All multi-line SQL/python = sha256-gated script artefacts scp'd in (per project rule), never inline SSH heredoc; psql via -f file (never < /dev/null + heredoc on one cmd — clobber lesson).
- Identity guards precede every state-changing command; abort on any gate fail → jump to rollback-plan teardown.
- Names are exact; no docker prune, no wildcard, no -A.
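The "sha256-gated script artefact" convention above is the gate that runs before any staged SQL or Python is handed to psql or the harness (C-06, C-09/G-13). The following is an added illustration of that gate, not code from the runbook or the iu-cutter project: it parses a sha256sum-style manifest, re-hashes every staged file, and reports unlisted, missing or tampered artefacts. The file names and contents in `demo()` are constructed; the only name taken from the page is `dr_harness_v0_4.py`.

```python
import hashlib
import hmac
from pathlib import Path

# Hypothetical helpers, written for this example; not part of the dry-run tooling.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}.

    sha256sum prefixes binary-mode entries with '*', which is stripped here.
    """
    manifest: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def gate_artefacts(stage_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return the findings that FAIL the gate; an empty list means PASS.

    Three conditions fail: a staged file the manifest does not list, a listed
    file that is not staged, and a digest mismatch (constant-time compare).
    """
    failures: list[str] = []
    staged = {p.name for p in stage_dir.iterdir() if p.is_file()}
    for name in sorted(staged - set(manifest)):
        failures.append(f"{name}: staged but not in manifest")
    for name, expected in manifest.items():
        p = stage_dir / name
        if not p.is_file():
            failures.append(f"{name}: listed but not staged")
            continue
        if not hmac.compare_digest(sha256_file(p), expected):
            failures.append(f"{name}: sha256 mismatch")
    return failures


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: gate a clean stage dir, then a tampered one."""
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        stage = Path(d)
        script = stage / "dr_harness_v0_4.py"  # name from the runbook; content constructed
        script.write_bytes(b"print('dry-run harness placeholder')\n")
        manifest = parse_manifest(f"{sha256_file(script)}  dr_harness_v0_4.py\n")
        clean = gate_artefacts(stage, manifest)
        # Simulate tampering after the manifest was recorded, plus a stray file.
        script.write_bytes(b"print('tampered')\n")
        (stage / "extra.sql").write_bytes(b"select 1;\n")
        tampered = gate_artefacts(stage, manifest)
    return clean, tampered
```

In the sequence above the manifest would be the sha256 recorded on the operator side before scp, so the gate compares what actually landed in $WD against what was reviewed; any non-empty return is a gate fail and routes to the C-13 teardown.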
Proposed command sequence
| Cmd | Action | Identity / safety guard | Expected |
|---|---|---|---|
| C-01 | Pre-flight: df -h /; docker ps -a --format '{{.Names}}'; assert new env name absent; record docker inspect Id+StartedAt of the 3 protected prior dry-run containers | G-01 disk ≥ 5 GB free; G-02 name collision-free; G-03 protected envs snapshot captured | clean preconditions |
| C-02 | mkdir -p $WD (0700); generate dry-run-only secrets (superuser, cutter_exec, cutter_verify) via openssl rand; write $WD/dr.env (0600) | G-04 perms 0600; values never echoed; $WD not under git index | secrets staged, unprinted |
| C-03 | Acquire fresh prod backup: docker exec postgres pg_dump -U workflow_admin -d directus -Fp -f /tmp/dr_src.sql, then copy out; sha256sum → record | G-05 read-only (pg_dump); G-06 record PROD system_identifier == 7611578671664259111; prod not restarted | prod-directus-<ts>.sql + sha |
| C-04 | Create docker network dr-net-v0.4-2026-05-17; run pg-dry-run-v0.4-db-adapter-2026-05-17 (postgres:16, --network dr-net-v0.4…, no -p, POSTGRES_PASSWORD from dr.env) | G-07 no published port (docker inspect Ports == {}) | isolated DB up |
| C-05 | Restore: copy dump into DR container; psql -U postgres -d directus -f /tmp/dr_src.sql | G-08 restore rc==0; benign "role … does not exist" / context_pack_readonly NOTICEs allowed (Note-N1) | schema+data restored |
| C-06 | Apply roles+matrix: scp sha-gated $WD/dr_roles_matrix.sql (CREATE ROLE cutter_exec/cutter_verify LOGIN CONNECTION LIMIT 2 NOSUPERUSER NOBYPASSRLS PASSWORD <dr-only> SCRAM; reapply 33 table-priv + 3 col-UPDATE; cutter_ro NOLOGIN + 13 view grants); psql -f | G-09 aclexplode set-equality vs frozen matrix (structural, not string compare); grant_option==0 | matrix == frozen |
| C-07 | sysid gate: psql -tAc "select system_identifier from pg_control_system()" on DR | G-10 DR sysid ≠ 7611578671664259111 (hard abort if equal) | distinct sysid |
| C-08 | Provision harness: ephemeral python:3.12-slim container on dr-net-v0.4, disposable venv, pip install "psycopg[binary]==<pin>"; mount /opt/incomex/dot/iu-cutter read-only | G-11 no install into incomex-* / host site; G-12 no service restart; iu-cutter mount :ro | harness ready |
| C-09 | Deploy sha-gated $WD/dr_harness_v0_4.py into harness container; sha verify | G-13 sha match; imports cutter_agent read-only; uses explicit env= dict (no real .env/prod os.environ) | harness staged |
| C-10 | Run scenarios S1–S12 (design-master §5) writing structured redacted JSON logs to $WD/logs/ | per-scenario gates (verification-plan); password string must never appear (safe grep, not `grep -c`) | |
| C-11 | Verification battery (verification-plan): 12-table catalog inventory, row-count matrix, privilege re-assert, no-prod-touch, secret-leak scan | G-14…G-22 (verification-plan) | all PASS |
| C-12 | Capture artefacts: redacted logs, SQL trace, sha manifest → stage for KB report | G-23 no secret in any artefact | evidence set |
| C-13 | Teardown (rollback-plan): rm harness container; docker rm -f DR pg by exact name; docker volume rm; docker network rm; shred dr.env; rm -rf $WD/venv; keep redacted artefacts | G-24 protected prior dry-run containers' docker inspect Id+StartedAt unchanged vs C-01; G-25 prod sysid re-read == C-03 value | net-zero; isolated env gone |
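G-09 says "set-equality vs frozen matrix (structural, not string compare); grant_option==0". The point is that the text form of an ACL (`{cutter_verify=r/x,cutter_exec=arw/x}`) can differ in item order and privilege-letter order from the frozen copy while granting exactly the same thing, and a grant-option flag (`r*`) is a one-character change that a string diff can miss. The block below is an added example, not the harness's own code: it parses PostgreSQL aclitem text into (table, grantee, PRIVILEGE, is_grantable) tuples and checks set-equality plus the grant_option condition. The table names, relacl strings and frozen matrix are constructed; the role names cutter_exec and cutter_verify are the ones the runbook creates. In the live harness the observed tuples would come from `pg_class` joined with `aclexplode(relacl)` (which returns grantor, grantee, privilege_type, is_grantable), and the three column-level UPDATE grants from `pg_attribute.attacl` in the same item format.

```python
# Hypothetical G-09 checker, written for this example; not from the dry-run harness.

# aclitem privilege letters as PostgreSQL prints them for tables/views.
PRIV = {"r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
        "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER"}

Entry = tuple[str, str, str, bool]  # (table, grantee, PRIVILEGE, is_grantable)


def parse_aclitem(item: str) -> set[tuple[str, str, bool]]:
    """One 'grantee=privs/grantor' item -> {(grantee, PRIVILEGE, is_grantable)}.

    An empty grantee means PUBLIC; a '*' after a letter means WITH GRANT OPTION.
    """
    lhs, _, _grantor = item.rpartition("/")
    grantee, _, privs = lhs.partition("=")
    grantee = grantee.strip('"') or "PUBLIC"
    out: set[tuple[str, str, bool]] = set()
    i = 0
    while i < len(privs):
        grantable = i + 1 < len(privs) and privs[i + 1] == "*"
        out.add((grantee, PRIV[privs[i]], grantable))
        i += 2 if grantable else 1
    return out


def parse_relacl(relacl) -> set[tuple[str, str, bool]]:
    """'{a=r/x,b=arw/x}' -> union of its items; NULL/'{}' (owner-only) -> empty set."""
    if not relacl or relacl == "{}":
        return set()
    return set().union(*(parse_aclitem(it) for it in relacl.strip("{}").split(",")))


def acl_matrix(tables: dict[str, str], roles: set[str]) -> set[Entry]:
    """Observed entries for the roles under review, as an order-free set."""
    observed: set[Entry] = set()
    for table, relacl in tables.items():
        for grantee, priv, grantable in parse_relacl(relacl):
            if grantee in roles:
                observed.add((table, grantee, priv, grantable))
    return observed


def gate_g09(observed: set[Entry], frozen: set[Entry]) -> dict[str, set[Entry]]:
    """Structural comparison: what the frozen matrix has that the DB lacks,
    what the DB has that the matrix lacks, and any entry carrying grant option."""
    return {
        "missing": frozen - observed,
        "extra": observed - frozen,
        "grant_option": {e for e in observed if e[3]},
    }


def g09_pass(result: dict[str, set[Entry]]) -> bool:
    return not any(result.values())


ROLES = {"cutter_exec", "cutter_verify"}

# Constructed relacl strings (not real catalog output); item order is deliberately
# shuffled relative to FROZEN to show that the comparison does not care.
SAMPLE_RELACL = {
    "workflow_items": "{workflow_admin=arwdDxt/workflow_admin,cutter_verify=r/workflow_admin,cutter_exec=arw/workflow_admin}",
    "cut_log": "{workflow_admin=arwdDxt/workflow_admin,cutter_exec=ar*/workflow_admin}",
    "cut_audit": "{workflow_admin=arwdDxt/workflow_admin,cutter_exec=ad/workflow_admin,cutter_verify=r/workflow_admin}",
}

FROZEN: set[Entry] = {
    ("workflow_items", "cutter_exec", "SELECT", False),
    ("workflow_items", "cutter_exec", "UPDATE", False),
    ("workflow_items", "cutter_exec", "INSERT", False),
    ("workflow_items", "cutter_verify", "SELECT", False),
    ("cut_log", "cutter_exec", "INSERT", False),
    ("cut_log", "cutter_exec", "SELECT", False),
    ("cut_audit", "cutter_exec", "INSERT", False),
    ("cut_audit", "cutter_verify", "SELECT", False),
}


def run_sample() -> dict[str, set[Entry]]:
    """Gate the constructed sample: cut_log carries a grant option on SELECT and
    cut_audit has a DELETE the frozen matrix never granted, so the gate fails."""
    return gate_g09(acl_matrix(SAMPLE_RELACL, ROLES), FROZEN)
```

Restricting the observed set to the roles under review (ROLES) is a design choice for this illustration; a stricter variant of the gate would compare the full ACL so that an unexpected grant to PUBLIC or to a third role also fails it.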
Abort matrix
Any gate fail → STOP, do not proceed, run C-13 teardown only, file failure in report. SQLSTATE 42501 (insufficient_privilege) reaching the client in S9 is the expected proof (not an abort). A system_identifier equal to PROD at G-10 = immediate hard abort, no harness write.
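The abort matrix has three rules worth encoding rather than remembering: gates run in order and the first failure stops everything except teardown; the G-10 sysid comparison is a hard abort; and in S9 a 42501 reaching the client is the pass condition, not a failure. The block below is an added example of that control flow, not the harness's own code. `GateResult`, `Runner` and `simulate` are hypothetical names; the only value taken from the page is the PROD system_identifier recorded at G-06. Gate reasons are short labels so that nothing secret can reach the log.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical abort-matrix runner, written for this example.

PROD_SYSID = "7611578671664259111"  # PROD value recorded at G-06 in the runbook


@dataclass
class GateResult:
    name: str
    ok: bool
    reason: str = ""  # a label, never a secret or a raw query result


def gate_g10_sysid(dr_sysid: str) -> GateResult:
    """Hard abort when the restored DB reports the production system_identifier."""
    same = dr_sysid.strip() == PROD_SYSID
    return GateResult("G-10", not same,
                      "DR system_identifier equals PROD" if same else "distinct sysid")


def expected_denial(sqlstate: Optional[str]) -> bool:
    """S9 proof: insufficient_privilege (42501) at the client is the PASS condition.
    Any other SQLSTATE, or no error at all, is not the expected outcome."""
    return sqlstate == "42501"


@dataclass
class Runner:
    teardown: Callable[[], None]
    log: list[str] = field(default_factory=list)
    torn_down: bool = False

    def run(self, gates: list[Callable[[], GateResult]]) -> Optional[GateResult]:
        """Run gates in order; on the first failure run teardown only and return it.
        Returns None when every gate passed."""
        for gate in gates:
            r = gate()
            self.log.append(f"{r.name}: {'PASS' if r.ok else 'FAIL'} ({r.reason})")
            if not r.ok:
                self.teardown()
                self.torn_down = True
                return r
        return None


def simulate(dr_sysid: str) -> tuple[Optional[str], bool, list[str]]:
    """Constructed walk-through: two always-pass gates around the sysid gate.
    Returns (failed gate name or None, whether teardown ran, the gate log)."""
    calls: list[str] = []
    runner = Runner(teardown=lambda: calls.append("C-13 teardown"))
    failed = runner.run([
        lambda: GateResult("G-07", True, "Ports == {}"),
        lambda: gate_g10_sysid(dr_sysid),
        lambda: GateResult("G-13", True, "sha match"),
    ])
    return (failed.name if failed else None, runner.torn_down, runner.log)
```

With the PROD sysid fed in, `simulate` stops at G-10, runs teardown and never reaches G-13, which is the "no harness write" property the abort matrix asks for; with any other value all three gates pass and teardown is not invoked.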
What is NOT here
No production write/connect, no prod secret read, no .env edit, no git commit, no deploy/restart of any incomex-* service, no CUT/VERIFY against production, no modification of the accepted iu-cutter source (mounted read-only). Execution gated on GPT review + separate sovereign prompt.