KB-3523
dot-iu-cutter v0.5 — Canonical CUT Execution · GRANT/REVOKE + Verification (G4 PASS byte-exact 11-bool probe) (doc 3 of 7)
Revision 1
dot-iu-cutter v0.5 — Canonical CUT Execution · GRANT/REVOKE + Verification
doc 3 of 7 · 2026-05-20
phase : G4 — canonical GRANT/REVOKE delta + verify
outcome : PASS — 11-bool probe byte-exact match
production_mutation : relacl deltas on 3 tables + 1 function (sovereign-approved scope)
1. Apply principal (GD-1)
principal : directus (owns public.* ; GD-1 unchanged)
channel : SSH contabo → docker exec -i postgres psql -U directus -d directus
          via Unix socket (trust auth ; no PGPASSWORD argv)
mode : ON_ERROR_STOP=1 in single transaction (BEGIN; … COMMIT)
2. SQL issued (verbatim from survey package doc 4 §3)
BEGIN;
REVOKE INSERT ON public.information_unit FROM cutter_exec;
REVOKE UPDATE (version_anchor_ref, content_anchor_ref) ON public.information_unit FROM cutter_exec;
REVOKE INSERT ON public.unit_version FROM cutter_exec;
GRANT EXECUTE ON FUNCTION
    public.fn_iu_create(text,text,text,text,text,text,text,text,uuid)
    TO cutter_exec;
COMMIT;
3. psql output (verbatim)
BEGIN
REVOKE
REVOKE
REVOKE
GRANT
COMMIT
4. Acceptance gate — 11-bool probe (doc 4 §5)
4.1 SQL
SELECT
    has_table_privilege ('cutter_exec', 'public.information_unit', 'SELECT') AS ce_iu_S,
    has_table_privilege ('cutter_exec', 'public.information_unit', 'INSERT') AS ce_iu_I,
    has_table_privilege ('cutter_exec', 'public.information_unit', 'DELETE') AS ce_iu_D,
    has_column_privilege('cutter_exec', 'public.information_unit',
                         'version_anchor_ref', 'UPDATE') AS ce_iu_upd_van,
    has_column_privilege('cutter_exec', 'public.information_unit',
                         'content_anchor_ref', 'UPDATE') AS ce_iu_upd_can,
    has_table_privilege ('cutter_exec', 'public.unit_version', 'SELECT') AS ce_uv_S,
    has_table_privilege ('cutter_exec', 'public.unit_version', 'INSERT') AS ce_uv_I,
    has_table_privilege ('cutter_exec', 'public.dot_config', 'SELECT') AS ce_dc_S,
    has_function_privilege('cutter_exec',
                         'public.fn_iu_create(text,text,text,text,text,text,text,text,uuid)',
                         'EXECUTE') AS ce_fn_exec,
    has_table_privilege ('cutter_verify','public.information_unit', 'SELECT') AS cv_iu_S,
    has_table_privilege ('cutter_verify','public.unit_version', 'SELECT') AS cv_uv_S;
4.2 Observed (verbatim psql -A -F'|' -t)
t|f|f|f|f|t|f|t|t|t|t
4.3 Match against expected (survey package doc 4 §5)
| col | observed | expected | match |
|---|---|---|---|
| ce_iu_S | t | t | ✓ |
| ce_iu_I | f | f | ✓ (REVOKED) |
| ce_iu_D | f | f | ✓ |
| ce_iu_upd_van | f | f | ✓ (REVOKED) |
| ce_iu_upd_can | f | f | ✓ (REVOKED) |
| ce_uv_S | t | t | ✓ |
| ce_uv_I | f | f | ✓ (REVOKED) |
| ce_dc_S | t | t | ✓ |
| ce_fn_exec | t | t | ✓ (NEWLY GRANTED) |
| cv_iu_S | t | t | ✓ |
| cv_uv_S | t | t | ✓ |
All 11 columns match — GRANT delta verified byte-exact.
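The gate in 4.1 to 4.3 written as a fail-closed check, as an added example that is not part of the original document or the dot-iu-cutter tooling: it parses the single row returned by `psql -A -F'|' -t` and names every column that drifts. The function name `check_probe` is hypothetical; the column order and expected values are copied from the table in 4.3, and the drift row in the demo is constructed.

```python
# Added example, not project code. Column order and expected values are
# copied from the match table in section 4.3 of this document.
EXPECTED = (
    ("ce_iu_S", "t"), ("ce_iu_I", "f"), ("ce_iu_D", "f"),
    ("ce_iu_upd_van", "f"), ("ce_iu_upd_can", "f"),
    ("ce_uv_S", "t"), ("ce_uv_I", "f"), ("ce_dc_S", "t"),
    ("ce_fn_exec", "t"), ("cv_iu_S", "t"), ("cv_uv_S", "t"),
)


def check_probe(raw):
    """Return (passed, problems) for raw `psql -A -F'|' -t` probe output."""
    rows = [ln for ln in raw.splitlines() if ln.strip()]
    if len(rows) != 1:
        # No row, or more than one: the probe did not run as written.
        return False, [f"expected exactly 1 row, got {len(rows)}"]
    fields = rows[0].split("|")  # no stripping: the comparison stays exact
    if len(fields) != len(EXPECTED):
        # A shifted column would silently pair values with the wrong names.
        return False, [f"expected {len(EXPECTED)} columns, got {len(fields)}"]
    problems = []
    for (name, want), got in zip(EXPECTED, fields):
        if got not in ("t", "f"):
            # e.g. an empty field, which is how psql prints NULL by default
            problems.append(f"{name}: non-boolean value {got!r}")
        elif got != want:
            kind = ("unexpected privilege present" if got == "t"
                    else "required privilege missing")
            problems.append(f"{name}: {kind} (observed {got}, expected {want})")
    return (not problems), problems


if __name__ == "__main__":
    observed = "t|f|f|f|f|t|f|t|t|t|t\n"   # row from section 4.2
    drifted = "t|t|f|f|f|t|f|t|t|t|t\n"    # constructed: INSERT not revoked
    for label, raw in (("observed", observed), ("drifted", drifted)):
        ok, problems = check_probe(raw)
        print(label, "PASS" if ok else "FAIL", problems)
```
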
5. Side-effect boundary
no_changes_to_other_relacl :
    context_pack_readonly : unchanged
    directus / workflow_admin : unchanged (still owns public.* / cutter_governance.*)
    cutter_ro : unchanged
    cutter_governance.* : unchanged (v0.4 CD-1..CD-13 matrix)
    other fn_iu_* EXECUTE : unchanged (only fn_iu_create granted to cutter_exec)
no_DDL / DROP / TRUNCATE : NONE
no_role / membership / password change : NONE
no_pg_hba_change : NONE
6. Disposition
G4 (GRANT/REVOKE execution) : PASS · 11-bool probe byte-exact
production_mutation : exactly the approved delta — REVOKE 3 direct-write
                      grants + GRANT 1 function EXECUTE
self_advance : NO — proceed to G5 only as part of the same
               authorized canonical CUT macro