dot-iu-cutter v0.4 — First Controlled Production CUT/VERIFY Trial — POST-EXECUTION BACKUP VERIFICATION

Date: 2026-05-17 · Verdict: backup_verification_status = PASS (all 10 required checks PASS). Method: fresh post-trial read-only pg_dump → SHA256 → restore into an ephemeral, exact-name, isolated postgres:16 → structural verification → teardown → protected-env + production-identity assertions. Script artefact: …/scripts/closeout_verify_v0_4.sh sha256 c4d5b822ccb35166c5b4cb415b916f62410dd129db6c2871a5328b0d7325717f.

Required checks (1–10)

#	Check	Result
1	Fresh post-trial backup	PASS — …/prod-directus-postv0.4trial-20260517T134709Z.sql (read-only pg_dump, workflow_admin)
2	SHA256 recorded	PASS — ff3c7d5afb2ea6dd92a729171d5a0e97d85c0cf0e26246f64f9fa442ec3c2160 · 683,370,930 B
3	Restore into isolated postgres env	PASS — ephemeral pg-restore-test-v0.4-prodtrial-2026-05-17 (no published port; restore_sysid 7640856984682475564 ≠ prod → isolation proven; torn down after)
4	Restored backup contains the +15 governance rows	PASS — restored cutter_governance total = 15, cell-for-cell exact; entry_id / change_set_id / verify_result_id all present (1/1/1)
5	TARGET_IU unchanged in tac_logical_unit	PASS — count=1, draft_only / draft / canonical-address-v1 (not mutated)
6	dot_pair_signature DOT-991/DOT-992 lane refs	PASS — executor→cross_reference_change_set_id=7c963f27… (vr NULL); verifier→cross_reference_verify_result_id=633f2c51… (cs NULL); XOR clean (badxor=0), no swap
7	canonical_address_alias remains 0	PASS — 0 rows
8	Production sysid unchanged before/after backup	PASS — pre==post==final == 7611578671664259111; prod StartedAt 2026-04-17T05:35:18.48439927Z unchanged (not restarted)
9	No protected dry-run env touched	PASS — 3 envs (pg-dry-run-v0.2-p0-2, …-phase-alpha, pg-dry-run-hb05) Id+StartedAt+Status byte-identical before==after
10	No secret values in KB/log artefacts	PASS — safe-grep of logs/out = 0 hits; .restore.pw shredded; dump is production data, retained on disk, never uploaded to KB (SHA-reference only)

Restored row matrix (isolated env)

Table	Restored	Expect
decision_backlog_entry	1	1
decision_backlog_history	5	5
decision_backlog_dependency	0	0
decision_backlog_sweep_log	1	1
manifest_envelope	1	1
manifest_unit_block	1	1
review_decision	1	1
dot_pair_signature	2	2
cut_change_set	1	1
cut_change_set_affected_row	1	1
verify_result	1	1
canonical_address_alias	0	0
TOTAL	15	15

Note N-1 (benign, fidelity unaffected)

Restoring a plain pg_dump (no cluster-global CREATE ROLE) into a fresh postgres:16 emitted 1443 role "…" does not exist GRANT/ownership ERROR lines (directus 870, context_pack_readonly 262, incomex 162, workflow_admin 112, cutter_ro/exec/verify 37). Zero reference cutter_governance; every data-fidelity gate (checks 4–7) passed. Identical known pattern to the v0.2/v0.3 closeouts — the backup is content-sound; restoring into a bare cluster simply lacks the globals.

Note N-2 (cosmetic exit)

closeout_status=PASS with all C1..C10 OK; process exit was 1 due to the trap … EXIT teardown's final [ -f <already-shredded> ] test under set -e. Not a verification failure (independently disproved by every gate line + restore-env-gone + protected byte-identical).

Net safety

Production accessed read-only only (pg_dump + sysid SELECT via workflow_admin); no production write, CUT/VERIFY, secret read/print, deploy or restart in this phase. Isolated restore env created and destroyed by exact name (no docker prune, no wildcard). 3 protected prior dry-run envs untouched. Git iu-cutter clean; no code change/commit. backup_verification_status = PASS.