KB-4409
dot-iu-cutter v0.5 — First Controlled CUT Rerun · GRANT Execution & Verification Result (G5 PASS byte-exact) (doc 3 of 7)
Revision 1
doc 3 of 7 · 2026-05-20
phase              : execute approved scoped GRANT delta + verify (G5)
outcome            : G5 PASS · 18-bool probe row byte-exact match
production_mutation: relacl on 3 tables (cutter_exec + cutter_verify scoped grants)
1. Execution
authorized_by : GPT ruling 2026-05-20 §G4_GRANT_write_path
(AUTHORIZE_AGENT_TO_USE_SSH_VPS_POSTGRES_CHANNEL_AS_DIRECTUS_FOR_THE_APPROVED_GRANT_ONLY)
apply_principal: directus (GD-1 ruled; owns public.*)
channel : SSH contabo → docker exec -i postgres psql -U directus -d directus
via Unix socket (trust auth; no PGPASSWORD)
mode : ON_ERROR_STOP=1 in single transaction (BEGIN; … COMMIT;)
1.1 SQL issued (byte-match doc 3 §2 of production-legA / doc 2 §2 of first-controlled-cut)
BEGIN;
GRANT SELECT, INSERT ON public.information_unit TO cutter_exec;
GRANT UPDATE (version_anchor_ref, content_anchor_ref) ON public.information_unit TO cutter_exec;
GRANT SELECT, INSERT ON public.unit_version TO cutter_exec;
GRANT SELECT ON public.dot_config TO cutter_exec;
GRANT SELECT ON public.information_unit TO cutter_verify;
GRANT SELECT ON public.unit_version TO cutter_verify;
COMMIT;
1.2 psql output (verbatim)
BEGIN
GRANT
GRANT
GRANT
GRANT
GRANT
GRANT
COMMIT
All six GRANT statements applied atomically.
2. §6.1 Structural verification — PASS · byte-exact
SELECT
has_table_privilege ('cutter_exec', 'public.information_unit', 'SELECT') AS ce_iu_S,
has_table_privilege ('cutter_exec', 'public.information_unit', 'INSERT') AS ce_iu_I,
has_table_privilege ('cutter_exec', 'public.information_unit', 'DELETE') AS ce_iu_D,
has_table_privilege ('cutter_exec', 'public.information_unit', 'TRUNCATE') AS ce_iu_T,
has_column_privilege('cutter_exec', 'public.information_unit',
'version_anchor_ref', 'UPDATE') AS ce_iu_upd_van,
has_column_privilege('cutter_exec', 'public.information_unit',
'content_anchor_ref', 'UPDATE') AS ce_iu_upd_can,
has_column_privilege('cutter_exec', 'public.information_unit',
'identity_profile', 'UPDATE') AS ce_iu_upd_idp,
has_column_privilege('cutter_exec', 'public.information_unit',
'canonical_address', 'UPDATE') AS ce_iu_upd_caddr,
has_table_privilege ('cutter_exec', 'public.unit_version', 'SELECT') AS ce_uv_S,
has_table_privilege ('cutter_exec', 'public.unit_version', 'INSERT') AS ce_uv_I,
has_table_privilege ('cutter_exec', 'public.unit_version', 'UPDATE') AS ce_uv_U,
has_table_privilege ('cutter_exec', 'public.unit_version', 'DELETE') AS ce_uv_D,
has_table_privilege ('cutter_exec', 'public.dot_config', 'SELECT') AS ce_dc_S,
has_table_privilege ('cutter_exec', 'public.dot_config', 'INSERT') AS ce_dc_I,
has_table_privilege ('cutter_verify','public.information_unit', 'SELECT') AS cv_iu_S,
has_table_privilege ('cutter_verify','public.information_unit', 'INSERT') AS cv_iu_I,
has_table_privilege ('cutter_verify','public.unit_version', 'SELECT') AS cv_uv_S,
has_table_privilege ('cutter_verify','public.unit_version', 'INSERT') AS cv_uv_I;
2.1 Observed row (verbatim psql -A -F'|' -t output)
t|t|f|f|t|t|f|f|t|t|f|f|t|f|t|f|t|f
2.2 Comparison to expected (doc 2 §6.1 of approval package)
| col | observed | expected | match |
|---|---|---|---|
| ce_iu_S | t | t | ✓ |
| ce_iu_I | t | t | ✓ |
| ce_iu_D | f | f | ✓ |
| ce_iu_T | f | f | ✓ |
| ce_iu_upd_van | t | t | ✓ |
| ce_iu_upd_can | t | t | ✓ |
| ce_iu_upd_idp | f | f | ✓ |
| ce_iu_upd_caddr | f | f | ✓ |
| ce_uv_S | t | t | ✓ |
| ce_uv_I | t | t | ✓ |
| ce_uv_U | f | f | ✓ |
| ce_uv_D | f | f | ✓ |
| ce_dc_S | t | t | ✓ |
| ce_dc_I | f | f | ✓ |
| cv_iu_S | t | t | ✓ |
| cv_iu_I | f | f | ✓ |
| cv_uv_S | t | t | ✓ |
| cv_uv_I | f | f | ✓ |
All 18 columns match expected — GRANT verified byte-exact.
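The column-wise comparison in 2.2 can be automated as a gate. The following is an added example, not part of the original record or the project's tooling; the function names and the drift row are constructed for illustration, while the column order and expected row are taken from sections 2 and 2.1 above.

```python
# Added example (not the project's tooling): gate on the 18-bool privilege probe.
# Column order and the expected row are taken from sections 2, 2.1 and 2.2 above.
COLUMNS = [
    "ce_iu_S", "ce_iu_I", "ce_iu_D", "ce_iu_T",
    "ce_iu_upd_van", "ce_iu_upd_can", "ce_iu_upd_idp", "ce_iu_upd_caddr",
    "ce_uv_S", "ce_uv_I", "ce_uv_U", "ce_uv_D",
    "ce_dc_S", "ce_dc_I",
    "cv_iu_S", "cv_iu_I", "cv_uv_S", "cv_uv_I",
]
EXPECTED_ROW = "t|t|f|f|t|t|f|f|t|t|f|f|t|f|t|f|t|f"

# Constructed drift sample (not real output): cutter_exec gained DELETE on
# information_unit, cutter_verify lost SELECT on unit_version.
DRIFT_ROW = "t|t|t|f|t|t|f|f|t|t|f|f|t|f|t|f|f|f"


def parse_probe_row(line):
    """Parse one `psql -A -F'|' -t` row into {column: bool}; reject anything else."""
    fields = line.strip().split("|")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}")
    bad = [f for f in fields if f not in ("t", "f")]
    if bad:
        # An empty field is how psql prints NULL; treat it as a failed probe.
        raise ValueError(f"non-boolean field(s): {bad!r}")
    return {col: f == "t" for col, f in zip(COLUMNS, fields)}


def diff_probe(observed_line, expected_line=EXPECTED_ROW):
    """Return privileges held but not approved (excess) and approved but absent."""
    obs, exp = parse_probe_row(observed_line), parse_probe_row(expected_line)
    return {
        "excess": [c for c in COLUMNS if obs[c] and not exp[c]],
        "missing": [c for c in COLUMNS if exp[c] and not obs[c]],
    }


def gate(observed_line):
    """PASS only when the observed row matches the expected row in every column."""
    d = diff_probe(observed_line)
    return "PASS" if not (d["excess"] or d["missing"]) else "FAIL"


if __name__ == "__main__":
    print(gate(EXPECTED_ROW), diff_probe(DRIFT_ROW))
```

Reporting `excess` separately from `missing` matters for a least-privilege gate: an excess column is an over-grant, while a missing column only means the approved delta did not fully apply.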
3. Side-effect boundary check
context_pack_readonly_relacl : unchanged (still has SELECT on public.*)
directus_relacl : unchanged (still owns public.*)
workflow_admin_relacl : unchanged (still owns cutter_governance.*)
cutter_governance.* ACL : unchanged (v0.4 CD-1..CD-13 matrix intact)
roles cutter_exec/cutter_verify: unchanged (login=YES, conn_limit=2)
ALTER ROLE / ALTER OWNER : NONE issued
DDL / DROP / TRUNCATE : NONE issued
4. Disposition
G5 (GRANT execution) : PASS · 18-bool probe byte-exact match
G6 (final pre-CUT) : queued — re-verify drift after GRANT (see doc 4)
production_mutation : 6 relacl deltas on 3 tables, exactly as specified by
package doc 2 §2 / doc 3 §2
self_advance : NO — proceed to G6 only as part of the same authorized
macro execution