KB-186F

dot-iu-cutter v0.5 — Final Bridge · Credential / GRANT Command-Review Package (doc 2)

Revision 1

doc 2 of 6 · 2026-05-19 · review/design only. NOT executed. No GRANT/REVOKE run; production privilege state UNCHANGED. Finalizes the prior bridge doc-2; live state re-verified read-only this phase (identical to the prior read ⇒ prior analysis still valid).

1. Live state re-verification (read-only catalog, this phase)

public.information_unit relacl : {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}      # cutter_exec/cutter_verify : NONE
public.unit_version    relacl : {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}      # cutter_* : NONE
public.dot_config      relacl : {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}      # cutter_* : NONE
public schema USAGE: via PUBLIC pseudo-role ⇒ cutter_exec already has USAGE.
cutter_governance ledger grants: already exactly the v0.4 CD-1..CD-13 matrix
  (cutter_exec ar on executor-lane tables; cutter_verify ar on verify_result +
  shared; canonical_address_alias zero both; verify_result no cutter_exec).
⇒ GAP-C1 UNCHANGED & EXACT: the ONLY missing privilege is on public.*.

2. SECURITY-INVOKER trigger requirement (why SELECT grants are mandatory)

fn_iu_birth_gate_layer1/2 prosecdef=false (SECURITY INVOKER) — execute AS
  cutter_exec. L1 reads public.dot_config (4 vocab lookups). L2 (DEFERRED at
  COMMIT) reads public.information_unit + public.unit_version. PC-5 G-CUT-ONCE
  reads public.information_unit. ⇒ cutter_exec REQUIRES SELECT on all three.

3. Proposed GRANT delta — exact, minimal, append-only, SoD-safe

-- cutter_exec : DOT-991 lane, constitution birth writer (leg A)
GRANT SELECT, INSERT                 ON public.information_unit TO cutter_exec;
GRANT UPDATE (version_anchor_ref,
              content_anchor_ref)    ON public.information_unit TO cutter_exec;
GRANT SELECT, INSERT                 ON public.unit_version     TO cutter_exec;
GRANT SELECT                         ON public.dot_config       TO cutter_exec;
-- cutter_verify : DOT-992 lane, VERIFY (read-only on content)
GRANT SELECT                         ON public.information_unit TO cutter_verify;
GRANT SELECT                         ON public.unit_version     TO cutter_verify;
excluded (least-privilege / append-only / immutable-source):
  NO DELETE/TRUNCATE/REFERENCES/TRIGGER/DDL/GRANT-option anywhere;
  NO UPDATE on unit_version; NO UPDATE on information_unit columns other than
  the 2 anchor cols; NO write for cutter_verify on public.* (forward-comp
  write grants = a SEPARATE later gated package); cutter_ro/directus/RLS/
  ledger grants UNTOUCHED; NO source/source_version mutation.
column_scoped_UPDATE: exactly the 2 anchor cols the committed adapter
  (prod_iu_adapter._anchor_update) provably writes — verified by
  tests/test_prod_iu_adapter.py::test_leg_a_ordering_and_allowlist.

4. Rollback (exact inverse)

REVOKE SELECT, INSERT ON public.information_unit FROM cutter_exec;
REVOKE UPDATE (version_anchor_ref, content_anchor_ref)
                      ON public.information_unit FROM cutter_exec;
REVOKE SELECT, INSERT ON public.unit_version     FROM cutter_exec;
REVOKE SELECT         ON public.dot_config       FROM cutter_exec;
REVOKE SELECT         ON public.information_unit FROM cutter_verify;
REVOKE SELECT         ON public.unit_version     FROM cutter_verify;

Fully reversible; no object/role/ownership change.

5. Open decision GD-1 (sovereign, before U-W4b)

GD-1 apply principal: public.* owned by `directus`; cutter_governance owned by
  `workflow_admin`. The doc-3 §3 GRANTs must be issued by `directus` (owner) or
  a superuser. WS-Q5 precedent used `workflow_admin` as the privileged apply
  role. Sovereign must fix the exact apply principal; record it in the U-W4b
  execution log. (No ledger GRANT needed — already correct.)

6. Verification harness for the future U-W4b execution

structural (relacl re-read; expect EXACTLY): information_unit cutter_exec=
  SELECT,INSERT+UPDATE(version_anchor_ref,content_anchor_ref), cutter_verify=
  SELECT; unit_version cutter_exec=SELECT,INSERT, cutter_verify=SELECT;
  dot_config cutter_exec=SELECT; no DELETE/TRUNCATE/REFERENCES/TRIGGER tuple;
  cutter_ro/directus/ledger byte-identical to pre-state.
behavioral (isolated, part of U-W4b): cutter_exec INSERT+anchor in a
  ROLLED-BACK txn allowed; DELETE/TRUNCATE/non-anchor UPDATE → 42501;
  cutter_verify SELECT ok / write → 42501; CONNECTION_LIMIT 2 enforced.
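The structural half of the §6 harness as one read-only catalog query. This is an added example, not part of the package; it uses the PostgreSQL privilege-inquiry functions (has_table_privilege, has_column_privilege, has_any_column_privilege) against the role and relation names from §3, and every row must come back ok = true for the post-state to match.

```sql
-- Structural post-state check for U-W4b (added example; read-only catalog).
-- Every row must return ok = true; a single false row fails the gate.
WITH expected(grantee, rel, priv, col) AS (VALUES
  ('cutter_exec',   'public.information_unit', 'SELECT', NULL),
  ('cutter_exec',   'public.information_unit', 'INSERT', NULL),
  ('cutter_exec',   'public.information_unit', 'UPDATE', 'version_anchor_ref'),
  ('cutter_exec',   'public.information_unit', 'UPDATE', 'content_anchor_ref'),
  ('cutter_exec',   'public.unit_version',     'SELECT', NULL),
  ('cutter_exec',   'public.unit_version',     'INSERT', NULL),
  ('cutter_exec',   'public.dot_config',       'SELECT', NULL),
  ('cutter_verify', 'public.information_unit', 'SELECT', NULL),
  ('cutter_verify', 'public.unit_version',     'SELECT', NULL)
),
-- Privileges the §3 exclusions say must NOT be held (table or column level).
forbidden(grantee, rel, priv) AS (VALUES
  ('cutter_exec',   'public.information_unit', 'DELETE'),
  ('cutter_exec',   'public.information_unit', 'TRUNCATE'),
  ('cutter_exec',   'public.information_unit', 'REFERENCES'),
  ('cutter_exec',   'public.information_unit', 'TRIGGER'),
  ('cutter_exec',   'public.unit_version',     'UPDATE'),
  ('cutter_exec',   'public.unit_version',     'DELETE'),
  ('cutter_exec',   'public.dot_config',       'UPDATE'),
  ('cutter_verify', 'public.information_unit', 'INSERT'),
  ('cutter_verify', 'public.information_unit', 'UPDATE'),
  ('cutter_verify', 'public.information_unit', 'DELETE'),
  ('cutter_verify', 'public.unit_version',     'INSERT'),
  ('cutter_verify', 'public.unit_version',     'DELETE')
)
SELECT 'must_hold' AS kind, grantee, rel, priv, col,
       CASE WHEN col IS NULL THEN has_table_privilege(grantee, rel, priv)
            ELSE has_column_privilege(grantee, rel, col, priv) END AS ok
FROM expected
UNION ALL
-- Column-capable privileges are checked on any column; the rest at table level.
SELECT 'must_not_hold', grantee, rel, priv, NULL,
       NOT CASE WHEN priv IN ('SELECT', 'INSERT', 'UPDATE', 'REFERENCES')
                THEN has_any_column_privilege(grantee, rel, priv)
                ELSE has_table_privilege(grantee, rel, priv) END
FROM forbidden
UNION ALL
-- Column-scoped UPDATE: every non-anchor column of information_unit must
-- refuse UPDATE for cutter_exec (also catches a stray table-level UPDATE).
SELECT 'must_not_hold', 'cutter_exec', 'public.information_unit', 'UPDATE',
       a.attname::text,
       NOT has_column_privilege('cutter_exec', a.attrelid, a.attname, 'UPDATE')
FROM pg_attribute a
WHERE a.attrelid = 'public.information_unit'::regclass
  AND a.attnum > 0 AND NOT a.attisdropped
  AND a.attname NOT IN ('version_anchor_ref', 'content_anchor_ref')
ORDER BY ok, kind, grantee, rel, priv, col;
```

False rows sort first, so the failing tuple is at the top of the result; the query reads only the catalog and issues no GRANT/REVOKE, so it is safe to run both pre-state (expect the §3 must_hold rows false, everything else true) and post-state (expect all true).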

7. Status

credential_grant_package: READY_FOR_SOVEREIGN_GATED_EXECUTION (U-W4b)
remaining_for_C1: GD-1 ruling + sovereign approval
production_privilege_mutation: NONE

doc 2 of 6. No production mutation. Self-advance PROHIBITED.
