KB-1B89

dot-iu-cutter v0.5 — First Controlled CUT · GRANT Execution & Verification Result (NOT EXECUTED — G4 blocked at execution surface) (doc 2 of 6)

Revision 1

dot-iu-cutter v0.5 — First Controlled CUT · GRANT Execution & Verification Result

doc 2 of 6 · 2026-05-20

phase              : GRANT execution + verification (G4)
outcome            : NOT EXECUTED — BLOCKED before G4 attempt
production_mutation: NONE (no privilege state change ; relacl byte-identical to pre-state)
self_advance       : PROHIBITED

1. Scope of this report

This report documents why the scoped GRANT delta (doc 2 of first-controlled-cut package · doc 3 §2 of production-legA package) was not executed in this session, despite the prompt's policy-level approval to proceed if prechecks PASS. The blocker is at the execution surface, not the approval policy.

2. Privilege state observed — unchanged

observation_time : this session, just before the BLOCKED determination
role             : context_pack_readonly (the read-only role exposed by the
                   `claude_ai_Incomex_VPS::query_pg` MCP ; statement_timeout 5s ;
                   READ ONLY transaction)

cutter_exec / public.information_unit :
  has_table_privilege  SELECT  : false
  has_table_privilege  INSERT  : false
  has_table_privilege  DELETE  : false
  has_column_privilege version_anchor_ref UPDATE : false
  has_column_privilege content_anchor_ref UPDATE : false

cutter_exec / public.unit_version :
  has_table_privilege  SELECT  : false
  has_table_privilege  INSERT  : false

cutter_exec / public.dot_config :
  has_table_privilege  SELECT  : false

cutter_verify / public.information_unit :
  has_table_privilege  SELECT  : false

cutter_verify / public.unit_version :
  has_table_privilege  SELECT  : false

roles_exist :
  cutter_exec   : YES (login=YES, conn_limit=2 — unchanged)
  cutter_verify : YES (login=YES, conn_limit=2 — unchanged)

This is exactly the "grants still absent" state ratified in first-controlled-cut doc 1 §4 and production-legA doc 4 §1.

3. What G4 would have done if unblocked

apply_principal : directus            (GD-1 RULED ; production-legA doc 3 §2)
target_db       : directus
target_schema   : public
SQL_to_apply (byte-for-byte from production-legA doc 3 §2 / first-controlled-cut doc 2 §2):

  GRANT SELECT, INSERT                 ON public.information_unit TO cutter_exec;
  GRANT UPDATE (version_anchor_ref,
                content_anchor_ref)    ON public.information_unit TO cutter_exec;
  GRANT SELECT, INSERT                 ON public.unit_version     TO cutter_exec;
  GRANT SELECT                         ON public.dot_config       TO cutter_exec;
  GRANT SELECT                         ON public.information_unit TO cutter_verify;
  GRANT SELECT                         ON public.unit_version     TO cutter_verify;

verification_query : first-controlled-cut doc 2 §6.1 (relacl + 18-bool probe row)
expected_row :
  ce_iu_S=t  ce_iu_I=t  ce_iu_D=f  ce_iu_T=f
  ce_iu_upd_van=t  ce_iu_upd_can=t  ce_iu_upd_idp=f  ce_iu_upd_caddr=f
  ce_uv_S=t  ce_uv_I=t  ce_uv_U=f  ce_uv_D=f
  ce_dc_S=t  ce_dc_I=f
  cv_iu_S=t  cv_iu_I=f  cv_uv_S=t  cv_uv_I=f
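The probe in §2 and the expected_row above are the same 18-bool shape; the query below is an added example of that probe, not the package's own §6.1 query. It assumes PostgreSQL `has_table_privilege` / `has_column_privilege` semantics and leaves out the two column probes (idp, caddr) whose column names this report does not give.

```sql
-- Added example, not the package's §6.1 query. Single read-only SELECT that
-- produces the probe row in expected_row order and flags any deviation from
-- the post-GRANT values. The idp/caddr column probes are omitted: those two
-- column names are not stated in this report (assumption: add them the same way).
WITH probe AS (
  SELECT
    has_table_privilege('cutter_exec',   'public.information_unit', 'SELECT')   AS ce_iu_s,
    has_table_privilege('cutter_exec',   'public.information_unit', 'INSERT')   AS ce_iu_i,
    has_table_privilege('cutter_exec',   'public.information_unit', 'DELETE')   AS ce_iu_d,
    has_table_privilege('cutter_exec',   'public.information_unit', 'TRUNCATE') AS ce_iu_t,
    has_column_privilege('cutter_exec',  'public.information_unit',
                         'version_anchor_ref', 'UPDATE')                        AS ce_iu_upd_van,
    has_column_privilege('cutter_exec',  'public.information_unit',
                         'content_anchor_ref', 'UPDATE')                        AS ce_iu_upd_can,
    has_table_privilege('cutter_exec',   'public.unit_version',     'SELECT')   AS ce_uv_s,
    has_table_privilege('cutter_exec',   'public.unit_version',     'INSERT')   AS ce_uv_i,
    has_table_privilege('cutter_exec',   'public.unit_version',     'UPDATE')   AS ce_uv_u,
    has_table_privilege('cutter_exec',   'public.unit_version',     'DELETE')   AS ce_uv_d,
    has_table_privilege('cutter_exec',   'public.dot_config',       'SELECT')   AS ce_dc_s,
    has_table_privilege('cutter_exec',   'public.dot_config',       'INSERT')   AS ce_dc_i,
    has_table_privilege('cutter_verify', 'public.information_unit', 'SELECT')   AS cv_iu_s,
    has_table_privilege('cutter_verify', 'public.information_unit', 'INSERT')   AS cv_iu_i,
    has_table_privilege('cutter_verify', 'public.unit_version',     'SELECT')   AS cv_uv_s,
    has_table_privilege('cutter_verify', 'public.unit_version',     'INSERT')   AS cv_uv_i
),
-- post-GRANT values from expected_row (§3), same column order as probe
expected AS (
  SELECT true  AS ce_iu_s, true  AS ce_iu_i, false AS ce_iu_d, false AS ce_iu_t,
         true  AS ce_iu_upd_van, true AS ce_iu_upd_can,
         true  AS ce_uv_s, true  AS ce_uv_i, false AS ce_uv_u, false AS ce_uv_d,
         true  AS ce_dc_s, false AS ce_dc_i,
         true  AS cv_iu_s, false AS cv_iu_i, true  AS cv_uv_s, false AS cv_uv_i
)
SELECT p.*,
       (p = e)     AS matches_post_grant_row,  -- false in the pre-GRANT state of §2
       NOT (p = e) AS deviation_stop_flag      -- true after GRANT => STOP, rollback §4
FROM probe p CROSS JOIN expected e;

-- relacl half of the check: capture before and after, compare byte-for-byte
SELECT c.oid::regclass AS rel, c.relacl
FROM pg_class c
WHERE c.oid IN ('public.information_unit'::regclass,
                'public.unit_version'::regclass,
                'public.dot_config'::regclass)
ORDER BY 1;
```

Both statements are read-only, so they fit a read-only role such as context_pack_readonly; the deviation flag turns the "any deviation => STOP" rule into a single boolean to act on.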

4. Why G4 was NOT attempted in this session — execution-surface BLOCKED

blocker_1 : write-capable PostgreSQL access not available to the Agent
  evidence :
    - available MCP tool `mcp__claude_ai_Incomex_VPS__query_pg` description :
      "Run a single read-only SELECT against PostgreSQL. AST-validated, executed
       in a READ ONLY transaction as a read-only role, statement_timeout 5s,
       hard LIMIT 500. No writes/DDL."
    - probed current_user : context_pack_readonly  (read-only catalog role)
    - no SSH-with-directus-credential path provided in this prompt or session
    - no psql client locally configured with directus credentials
  consequence : the Agent cannot, with the tools available, issue GRANT as the
                ratified apply principal `directus` (the public.* owner per GD-1).

blocker_2 : GRANT execution prerequisite (G2 backup) not satisfied (doc 1 §4)
  per spec : `R-1 (pre-connect refused)` requires the operator to have a fresh
             backup before attempting any of {G2 backup, GRANT, CUT}. The
             approval package treats backup as a prerequisite for the whole
             execution macro, not just for CUT.

forbidden_alternatives (explicitly NOT taken) :
  - ssh-ing to a host to "find" directus credentials :
    PC-7 forbids reading the DSN/credentials anywhere except an approved secret
    store sourced inside the operator's connection-provider module ; never
    argv ; never KB ; never logs.
  - attempting to use cutter_exec / cutter_verify as the apply principal :
    they do NOT own public.* ; they do not have GRANT OPTION ; this would
    violate GD-1 (directus is the ruled principal).
  - skipping verification §6.1 :
    the package explicitly states "any deviation ⇒ STOP and rollback §4"
    and the prompt explicitly forbids skipping internal gates.

5. Disposition

G3 (command integrity) — independently blocking even if G2/G4 were unblocked :
  see doc 3 of this report set ; the CUT command cannot be byte-for-byte
  assembled because four required argv values are unobtainable from this
  session :
    --fresh-backup-sha256        : depends on G2 (BLOCKED ; doc 1)
    --connection-provider-module : sovereign-operator authored (PC-7) ; not in repo ;
                                   not by Agent
    --i-have-sovereign-production-write-approval <kb-doc-id> :
                                   no operationally-resolvable KB approval doc id
                                   exists for THIS CUT (existing readiness docs
                                   set CUT_authorized=not_yet ; the user prompt
                                   is policy-level, not a KB-recorded approval
                                   doc that the adapter's G1 resolver can verify)
    --i-have-grant-execution-approval-kb-id <kb-doc-id> :
                                   no GRANT-execution KB doc id created
                                   (would be U-W4b output ; U-W4b not yet run)

G4 status                  : NOT EXECUTED — BLOCKED at execution surface
relacl_change_this_phase   : NONE
REVOKE_rollback_state      : N/A (no GRANT issued, nothing to revoke)
production_mutation        : NONE
self_advance               : PROHIBITED
next_action                : route → GPT/User per doc 6 final report

doc 2 of 6. No production mutation. Self-advance PROHIBITED.
