KB-7C10
dot-iu-cutter v0.5 — Leg-B Live Schema Survey (G0/G1 PASS) (doc 1 of 7)
Revision 1
dot-iu-cutter · v0.5 · legB-governed-recording-execution · live-schema-survey · g0-pass · g1-pass · cutter-governance-confirmed · no-fk-no-triggers · cutter-exec-insert-confirmed · dieu44 · 2026-05-20
doc 1 of 7 · 2026-05-20 · M1 macro · post first controlled canonical CUT
phase : G0 + G1
outcome : G0 PASS · G1 PASS · cutter_governance shape confirmed
production_mutation : NONE this phase (read-only catalog + privilege probes)
audit_debt_window : CUT committed 2026-05-20T04:18:21.854512Z → expires 2026-05-21T04:18:22Z
session_start_utc : 2026-05-20T05:13:00Z (≈22.9h remaining at G7 close)
1. G0 — SSOT + live state still PASS
mcp_kb_read : confirmed (M1 ruling + 6-doc post-CUT package read)
mcp_kb_upload : confirmed (this 7-doc report set ; doc 1 = this file)
mcp_query_pg_role : context_pack_readonly (read-only via MCP)
ssh_directus_role : directus (read-only schema inspection)
ssh_cutter_exec_role : cutter_exec (write — via host trust-auth inside postgres container netns)
live ICX-CONST state (unchanged from post-CUT verify) :
  ICX_CONST_law_units_total : 60
  ICX_CONST_DIEU : 42
  ICX_CONST_NT (principle) : 15
  ICX_CONST_KT (section) : 3
  ICX_CONST_anchored_UV_v1 : 60
  ICX_CONST_distinct_content_hash : 60
  ICX_CONST_lifecycle_status=draft : 60 / 60 (A-3 uniform)
  ICX_CONST_creator : cutter_exec/DOT-991/constitution-cut
  ICX_CONST_max(created_at) : 2026-05-20 04:18:21.854512+00 (pin)
total_information_unit : 158 (98 pre-CUT + 60 canonical CUT)
repo_pins :
  laptop_iu_cutter_HEAD : f20c79c (unchanged ; 3 canonical files untracked per ratification)
  contabo_/opt/incomex/dot HEAD : e93424b (v0.4 baseline ; v0.5 code is NOT pushed to contabo repo — v0.5 lives only on the laptop)
  leg-A provider on contabo : /opt/incomex/dot/specs/cutter_legA_provider_20260520T031054Z.py
    sha256 26ebb918f9a0baf41ae76ba2a621ca39ab7e8b82fbfdc644045a451026d7dfd8
2. G1 — cutter_governance schema & privileges (SSH-as-directus survey)
2.1 Schema visibility
cutter_governance_present_in_directus_db : YES (35 base tables + views)
visible_via_MCP_query_pg : NO (context_pack_readonly lacks USAGE)
SSH-as-directus visibility : YES
schema_USAGE :
  cutter_exec : YES
  cutter_verify : YES
  directus : YES
  workflow_admin : YES (owner ; CREATE)
2.2 Leg-B target tables (verified via SSH psql)
target_tables :
  cutter_governance.decision_backlog_entry
  cutter_governance.decision_backlog_history
  cutter_governance.manifest_envelope
  cutter_governance.manifest_unit_block
  cutter_governance.review_decision
  cutter_governance.dot_pair_signature
  cutter_governance.cut_change_set
  cutter_governance.cut_change_set_affected_row
pre-existing rows (v0.4 trial baseline ; UNTOUCHED this macro) :
  decision_backlog_entry : 1
  decision_backlog_history : 5
  manifest_envelope : 1
  manifest_unit_block : 1
  review_decision : 1
  dot_pair_signature : 2 (executor + verifier ; v0.4 trial)
  cut_change_set : 1
  cut_change_set_affected_row : 1
2.3 NOT NULL / no-default columns per leg-B table
review_decision (25 cols):
  NOT NULL no-default :
    governance_event_kind, manifest_id, manifest_version, review_scope,
    status, verdict, findings (jsonb), reviewer_class,
    reviewer_identity (jsonb), risk_class_assessment, decision_at, decided_by,
    cross_signed_by_dot_verifier (bool), version, created_at, updated_at
manifest_envelope (12 cols):
  NOT NULL no-default :
    envelope_id, operation_kind, status, source_doc_ref, created_by, created_at
manifest_unit_block (14 cols):
  NOT NULL no-default :
    envelope_id, unit_local_id, block_role, source_span (jsonb),
    render_order (numeric), created_at
  PK : (envelope_id, unit_local_id)
decision_backlog_entry (6 cols):
  NOT NULL no-default :
    kind (status defaults to 'open' ; emitted_at defaults to now())
decision_backlog_history (9 cols):
  NOT NULL no-default :
    history_id, entry_id, entry_version_after, change_kind, changed_by,
    changed_at
dot_pair_signature (17 cols):
  NOT NULL no-default :
    signature_kind, signer_dot_id, signer_tool_revision, payload_hash,
    payload_envelope (jsonb), signature_payload
  CHECK : cross_reference_change_set_id IS NOT NULL XOR cross_reference_verify_result_id IS NOT NULL
cut_change_set (24 cols):
  NOT NULL no-default (7) :
    rollback_key, manifest_id, manifest_version, review_decision_id,
    executor_tool_revision, verifier_tool_revision, emitted_by
  UNIQUE : rollback_key, idempotency_key
cut_change_set_affected_row (8 cols):
  NOT NULL no-default :
    change_set_id, target_table, target_row_id, operation_kind
2.4 No FK enforcement, no triggers (huge derisk)
foreign_key_constraints_among_legB_tables : 0 (verified via information_schema.referential_constraints + table_constraints)
triggers_on_legB_tables : 0 (verified via pg_trigger ; NOT t.tgisinternal AND nspname='cutter_governance' → 0 rows)
Cross-references between leg-B rows are logical / application-level, not DB-enforced. This means INSERT order can be chosen for forward consistency only; an out-of-order INSERT will NOT abort. The recorder uses pre-generated UUIDs so every cross-reference is resolvable in any INSERT order.
2.5 cutter_exec table privileges (pg_class ACL — definitive)
verification_method : pg_class.relacl + has_table_privilege() as cutter_exec
note : information_schema.role_table_grants UNDERREPORTED (does not surface owner-driven ACLs reliably). Use pg_class.relacl + has_table_privilege() for the truth.
cutter_exec INSERT on cutter_governance.* leg-B tables :
  cut_change_set : t
  cut_change_set_affected_row : t
  manifest_envelope : t
  manifest_unit_block : t
  dot_pair_signature : t
  decision_backlog_entry : t
  decision_backlog_history : t
  review_decision : t
  verify_result : f (DOT-992 lane only — out of M1)
cutter_exec SELECT (writes need a sentinel-read pre-write) :
  public.information_unit : t (read 60 IU rows)
  public.unit_version : t (read 60 anchored UV rows)
  public.birth_registry : f (not needed for leg-B)
  cutter_governance.cut_change_set : t (G-LEG-B-ONCE idempotency probe)
acl_signature :
  workflow_admin=arwdDxt/workflow_admin
  directus=r/workflow_admin
  cutter_exec=ar/workflow_admin ← a (INSERT) + r (SELECT)
  cutter_verify=ar/workflow_admin
⇒ v0.4 CD-1..CD-13 grant matrix IS in place ; no GRANT delta needed for M1.
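An added example, not part of the original report or the project's code: one read-only catalog query that reproduces the 2.4 and 2.5 checks for the eight tables listed in 2.2. It reads pg_constraint and pg_trigger directly, because the information_schema constraint views only list constraints on tables the calling role owns or holds a non-SELECT privilege on; the query layout and column aliases are assumptions, while the schema, table and role names are taken from the report.

```sql
-- Read-only probe: no row in any leg-B table is read or written.
-- Run with psql as any role that can log in; pg_catalog is world-readable
-- and has_table_privilege() accepts the role to test as its first argument.
WITH legb AS (
  SELECT c.oid, c.relname, c.relacl
  FROM pg_catalog.pg_class c
  JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'cutter_governance'
    AND c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
    AND c.relname IN (                     -- table list from section 2.2
          'decision_backlog_entry', 'decision_backlog_history',
          'manifest_envelope',      'manifest_unit_block',
          'review_decision',        'dot_pair_signature',
          'cut_change_set',         'cut_change_set_affected_row')
)
SELECT
  t.relname,
  -- 2.4: foreign keys where the table is the referencing or referenced side
  (SELECT count(*)
     FROM pg_catalog.pg_constraint k
    WHERE k.contype = 'f'
      AND (k.conrelid = t.oid OR k.confrelid = t.oid))   AS fk_count,
  -- 2.4: user-defined triggers only (internal constraint triggers excluded)
  (SELECT count(*)
     FROM pg_catalog.pg_trigger g
    WHERE g.tgrelid = t.oid
      AND NOT g.tgisinternal)                            AS trigger_count,
  -- 2.5: effective privileges, including those inherited via role membership
  has_table_privilege('cutter_exec', t.oid, 'INSERT')    AS exec_insert,
  has_table_privilege('cutter_exec', t.oid, 'SELECT')    AS exec_select,
  has_table_privilege('cutter_exec', t.oid, 'UPDATE')    AS exec_update,
  has_table_privilege('cutter_exec', t.oid, 'DELETE')    AS exec_delete,
  -- 2.5: raw ACL for comparison with the acl_signature lines
  t.relacl
FROM legb t
ORDER BY t.relname;
```

Fewer than eight rows returned means a table name did not resolve in the schema. The `exec_update` and `exec_delete` columns show whether the role holds more than the `ar` pair the report records.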
2.6 Existing v0.4-trial row patterns (READ-only inspection)
v0.4 trial cut_change_set (change_set_id=7c963f27-…) :
  rollback_key : rbk:26a8c4e8-…:7c963f27-…
  manifest_version : 0.4.0-dryrun-skeleton
  state : pending
  affected_unit_count : 0
  emitted_by : cutter_exec
v0.4 trial review_decision :
  status : decided
  verdict : approve
  reviewer_class : automated_agent
  decision_at : 1970-01-01 (sentinel)
v0.4 trial manifest_envelope :
  operation_kind : cut
  status : proposed
  source_doc_ref : 26a8c4e8-… (UUID-as-text)
v0.4 trial dot_pair_signature :
  executor : DOT-991 ; payload_envelope = {lane,is_production:false,signer_identity}
  verifier : DOT-992 (cross_reference_verify_result_id set ; consistent with XOR)
v0.4 trial decision_backlog_history :
  change_kind values used : 'mark', 'sweep_promote', etc.
The v0.4 trial rows confirm the column SEMANTICS used in production. The M1 canonical CUT recording reuses the same semantics with M1-distinct values (manifest_version = ratified writer_digest pin ; state='committed' ; affected_unit_count=60 ; payload_envelope adds full provenance pinning).
3. Disposition
G0 (SSOT + live state) : PASS
G1 (live governance schema survey) : PASS
  · cutter_governance present : YES
  · 8 leg-B target tables present : YES
  · NOT NULL no-default inventory mapped : YES
  · FK / triggers : 0 / 0 (no surprises)
  · cutter_exec INSERT on all 8 tables : YES
  · v0.4 trial row patterns inspected : YES
production_mutation : NONE
next : G2 (existing-impl review ; doc 2)