dot-iu-cutter v0.4 PG-backed Dry-run — Risk Review (2026-05-17)
Date: 2026-05-17 · Planning only.
1. Risk register
| ID | Risk | Inherent | Mitigation | Residual |
|---|---|---|---|---|
| R1 | Production DB write / mutation | CRITICAL | pg_dump read-only; adapter env points only at isolated DR DNS; no prod DSN ever built; G-21 prod sysid pre==post; prod container not restarted; G-10 hard abort if DR sysid==PROD | LOW |
| R2 | Secret leakage (prod or dry-run) | HIGH | dry-run-only passwords (no prod values, DR-1); _Secret redaction in accepted code; dr.env 0600 + shredded; G-23/G-24 leak & log scans; values never echoed; prod .env never read | LOW |
| R3 | psycopg3 install blast radius | MED | install only in disposable harness container/venv; never into incomex-directus/agent-data/host site; no service restart; removed at teardown; pinned, un-vendored | LOW |
| R4 | Network port exposure | MED | no -p publish (G-07); dedicated bridge net; prod stays 127.0.0.1:5432 (unchanged) | LOW |
| R5 | Damage to protected prior dry-run envs | HIGH | exact-name ops only; no prune/wildcard; docker inspect snapshot+compare (C-01/G-25) | LOW |
| R6 | Harness false-negative flips a good run (recurring) | MED | structural/set comparisons (aclexplode), catalog counts, safe integer counters, NOTICE whitelist, per-statement SQL classification, sha-gated artefacts; FN must be proven structurally before any verdict flip | MED (residual — accepted, GPT-reviewed) |
| R7 | Host disk exhaustion | LOW | 32 GB free; ~2 GB footprint; G-01 df pre-gate | LOW |
| R8 | Role-name/identity-assertion mismatch | MED | DR roles named exactly cutter_exec/cutter_verify in the isolated env only; CONNECTION_LIMIT 2; adapter SELECT current_user assertion validates binding | LOW |
| R9 | Backup integrity / partial dump | MED | sha256 on dump; restore rc + 12-table catalog + row sanity; benign-NOTICE whitelist (Note-N1) | LOW |
| R10 | Scope/self-advance creep | MED | hard boundary list; execution gated on separate GPT-authorized prompt; this package is plan-only | LOW |
| R11 | Backup artefact (contains prod data) mishandled | HIGH | never uploaded to KB; only sha referenced; shredded at teardown unless GPT directs retention; stays inside $WD (0700) | LOW |
2. Concentration / sequencing risk
The single highest-leverage control is G-10 (DR sysid ≠ PROD 7611578671664259111) as a hard pre-write abort — it structurally prevents R1 even under operator error. It is sequenced before any harness connection, with prod-sysid re-confirmation at teardown (G-21) as the closing bookend.
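The gates named in R1, R9 and section 2 (G-10 sysid abort, G-21 pre==post bookend, sha256 on the dump) written out as plain shell functions. This is an added illustration, not the dry-run package's own harness code. It assumes psql is on PATH, that the DR connection string arrives in an environment variable named DR_DSN (name assumed here, never built from prod values), and that the sysid is read with the read-only catalog function pg_control_system(); the recorded prod sysid is the value stated in section 2. Each gate takes its inputs as arguments so the decision logic can be exercised without a live cluster.

```shell
#!/usr/bin/env bash
# Added example (not the package's own code): G-10 / G-21 sysid gates and the
# R9 dump-hash gate as shell functions. DR_DSN and read_sysid() are assumptions.
set -u

PROD_SYSID="7611578671664259111"   # recorded prod sysid, from section 2 of the review

# Read a cluster's system identifier. pg_control_system() is read-only catalog
# access (PostgreSQL 9.6+); -Atq gives the bare value with no headers.
read_sysid() {
  psql "$1" -Atqc "SELECT system_identifier FROM pg_control_system()"
}

# G-10: hard abort before any harness connection if the DR cluster is prod.
# An empty sysid is treated as a failure too: "could not check" is not "passed".
gate_dr_not_prod() {
  local dr_sysid="$1"
  if [ -z "$dr_sysid" ]; then
    echo "G-10 ABORT: DR sysid empty; refusing to proceed" >&2
    return 1
  fi
  if [ "$dr_sysid" = "$PROD_SYSID" ]; then
    echo "G-10 ABORT: DR sysid equals PROD sysid; target is production" >&2
    return 1
  fi
  echo "G-10 pass: DR sysid $dr_sysid != PROD"
}

# G-21: prod sysid observed before the run must equal the one observed at
# teardown, and (added here) both must equal the recorded value.
gate_prod_sysid_unchanged() {
  local pre="$1" post="$2"
  if [ -n "$pre" ] && [ "$pre" = "$post" ] && [ "$pre" = "$PROD_SYSID" ]; then
    echo "G-21 pass: prod sysid pre==post==recorded"
    return 0
  fi
  echo "G-21 FAIL: pre='$pre' post='$post' recorded='$PROD_SYSID'" >&2
  return 1
}

# R9: the dump artefact must match the sha256 recorded at dump time.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

gate_dump_sha() {
  local dump="$1" expected="$2" actual
  actual=$(sha256_of "$dump") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "R9 FAIL: dump sha256 mismatch (got $actual, expected $expected)" >&2
    return 1
  fi
  echo "R9 pass: dump sha256 verified"
}

# Pre-flight sequence: G-10 runs first, before anything else touches the DR.
# Only invoked when DR_DSN is supplied, so the file can be sourced for its functions.
preflight() {
  local dr_sysid
  dr_sysid=$(read_sysid "$DR_DSN")
  gate_dr_not_prod "$dr_sysid" || exit 1
}

if [ -n "${DR_DSN:-}" ]; then
  preflight
fi
```

The gates return non-zero on any failure, including the "could not read" case, so a caller under set -e stops at the first failed gate rather than proceeding on a blank comparison; sha256_of falls back to shasum where coreutils is absent.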
3. Comparison to prior cycles
Prior v0.2/v0.3 dry-runs established: ephemeral postgres:16 + read-only pg_dump (workflow_admin) + sysid gate + structural verification + exact-name teardown = repeatable net-zero. The recurring scar is R6, the harness false-negative (P0-6/P0-5: a needless rollback triggered by a string compare; four FN assertions in v0.3). This plan front-loads structural verification and an explicit "prove the FN structurally before flipping the verdict" rule.
4. Residual risk class
STANDARD, with elevated attention on R6 (harness false-negative). No CRITICAL/HIGH residuals. Execution remains forbidden until GPT reviews this package and issues a separate sovereign authorization.