KB-7E1B

dot-iu-cutter v0.5 — Production Bridge · Credential / GRANT Command-Review Package (doc 2)

Revision 1
Tags: dot-iu-cutter, v0.5, production-bridge-to-cut-approval-readiness, credential-grant-command-review, gap-c1, scoped-least-privilege, dieu44, 2026-05-19

doc 2 of 7 · 2026-05-19 · review/design only. NOT executed. This is a command-review package for a future sovereign-gated GRANT execution (U-W4b). No GRANT/REVOKE was run; production privilege state is unchanged.

1. Current grant state (relacl-verified, read-only, this phase)

ACL letters: a=INSERT r=SELECT w=UPDATE d=DELETE D=TRUNCATE x=REFERENCES t=TRIGGER U=schema USAGE C=schema CREATE.

directus.public.information_unit  acl: {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}                      # cutter_* : NONE
directus.public.unit_version      acl: {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}                      # cutter_* : NONE
directus.public.dot_config        acl: {directus=arwdDxt/directus,
  context_pack_readonly=r/directus}                      # cutter_* : NONE
directus.public (schema)          acl: {... ,=U/pg_database_owner, ...}
  ⇒ PUBLIC pseudo-role has schema USAGE ⇒ cutter_exec/cutter_verify ALREADY
    have USAGE on schema public (no schema GRANT needed; documented only).
directus.cutter_governance (schema) acl: cutter_exec=U, cutter_verify=U,
  cutter_ro=U  ⇒ ledger schema USAGE ALREADY present.
roles: cutter_exec  LOGIN connlimit 2  NOSUPER/NOCREATEDB/NOCREATEROLE/NOBYPASSRLS
       cutter_verify LOGIN connlimit 2  (same flags)
       cutter_ro     NOLOGIN (views-only; unchanged)
ledger grants already correct (relacl, directus.cutter_governance):
  cut_change_set              cutter_exec=ar  cutter_verify=ar
  cut_change_set_affected_row cutter_exec=a   cutter_verify=ar
  dot_pair_signature          cutter_exec=ar  cutter_verify=ar
  decision_backlog_entry      cutter_exec=ar  cutter_verify=ar
  decision_backlog_history    cutter_exec=ar  cutter_verify=ar
  decision_backlog_dependency cutter_exec=ar
  decision_backlog_sweep_log  cutter_exec=a
  manifest_envelope           cutter_exec=ar  cutter_verify=r
  manifest_unit_block         cutter_exec=ar  cutter_verify=r
  review_decision             cutter_exec=ar  cutter_verify=r
  verify_result               cutter_verify=ar  (cutter_exec NONE — SoD correct)
  canonical_address_alias     cutter_exec/verify NONE (zero access — correct)
⇒ The v0.4 ratified ledger matrix is LIVE and exactly matches CD-1..CD-13.
  The ONLY missing privilege is on the public content tables (GAP-C1).

2. Why these exact privileges (birth model + SECURITY-INVOKER triggers)

The sanctioned birth transaction (from ratified cutwrite.py apply_in_scratch/update_anchor, f0120ac) is, per IU, ONE txn: INSERT public.information_unit → INSERT public.unit_version (unit_id=IU.id) → UPDATE public.information_unit SET version_anchor_ref, content_anchor_ref → COMMIT (the deferred L2 gate fires once per IU at COMMIT).

Both birth-gate trigger functions are prosecdef=false (SECURITY INVOKER) — they execute as cutter_exec, so the invoker must hold read on what they touch:

fn_iu_birth_gate_layer1 (BEFORE INSERT, runs as cutter_exec):
  reads public.dot_config 4× (vocab.unit_kind.* / vocab.section_type.* /
  vocab.publication_type.*) ⇒ cutter_exec REQUIRES SELECT on public.dot_config.
fn_iu_birth_gate_layer2 (DEFERRED at COMMIT, runs as cutter_exec):
  SELECT * FROM information_unit WHERE id=NEW.id; SELECT 1 FROM unit_version …
  ⇒ cutter_exec REQUIRES SELECT on public.information_unit AND public.unit_version.
G-CUT-ONCE / PC-5 pre-existence: SELECT count(*) information_unit WHERE
  canonical_address LIKE 'ICX-CONST%' (same session, before write)
  ⇒ reinforces cutter_exec SELECT on public.information_unit.
note: live L1 only RAISE WARNING (not EXCEPTION) for missing publication refs;
  the writer supplies both (publication_type_ref='law',
  publication_authority_ref='incomex_council') so it satisfies the stricter
  scratch contract too — no behavioural risk.
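A catalog re-check of the SECURITY INVOKER claim above, added here as a reviewer aid; it is read-only and not one of the package's own commands. It lists every non-internal trigger on the three content tables with the security mode of its function and whether it is a deferrable constraint trigger, then hard-fails if any such function is SECURITY DEFINER. Schema and table names are the page's own; trigger and function names are read from the catalog, not assumed.

```sql
-- Added reviewer check (read-only; not part of the package's command set).
-- Every trigger function on the content tables is expected to be SECURITY INVOKER
-- (pg_proc.prosecdef = false): that is why cutter_exec itself needs the SELECTs.
SELECT c.relname                AS table_name,
       t.tgname                 AS trigger_name,
       p.proname                AS function_name,
       p.prosecdef              AS is_security_definer,   -- expect false for both birth gates
       t.tgdeferrable           AS is_deferrable,         -- expect true for the layer-2 gate
       t.tginitdeferred         AS is_initially_deferred, -- expect true for the layer-2 gate
       pg_get_triggerdef(t.oid) AS definition
FROM   pg_trigger   t
JOIN   pg_class     c ON c.oid = t.tgrelid
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_proc      p ON p.oid = t.tgfoid
WHERE  n.nspname = 'public'
AND    c.relname IN ('information_unit', 'unit_version', 'dot_config')
AND    NOT t.tgisinternal
ORDER  BY c.relname, t.tgname;

-- Hard-fail form for a scripted gate: abort if any of those functions is SECURITY DEFINER,
-- because the privilege reasoning in this section would then no longer hold for it.
DO $$
DECLARE
  offenders text;
BEGIN
  SELECT string_agg(c.relname || '.' || t.tgname || ' -> ' || p.proname, ', ')
  INTO   offenders
  FROM   pg_trigger   t
  JOIN   pg_class     c ON c.oid = t.tgrelid
  JOIN   pg_namespace n ON n.oid = c.relnamespace
  JOIN   pg_proc      p ON p.oid = t.tgfoid
  WHERE  n.nspname = 'public'
  AND    c.relname IN ('information_unit', 'unit_version', 'dot_config')
  AND    NOT t.tgisinternal
  AND    p.prosecdef;
  IF offenders IS NOT NULL THEN
    RAISE EXCEPTION 'SECURITY DEFINER trigger function(s) on content tables: %', offenders;
  END IF;
END $$;
```

If a birth-gate function ever became SECURITY DEFINER, it would run as its owner rather than as cutter_exec, and the SELECT grants justified above would no longer be the reason it works; the check keeps that assumption visible.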

3. Proposed GRANT delta — exact, minimal, append-only, SoD-safe

Apply principal is OPEN (GD-1, doc 6). The public content tables are owned by directus and workflow_admin owns nothing in public, so PostgreSQL will accept these GRANTs only from directus itself, a member of directus, a superuser, or a role that already holds the privileges WITH GRANT OPTION. The WS-Q5 precedent used workflow_admin as the privileged apply role; whether workflow_admin meets one of those conditions on this cluster must be read from the catalog, not assumed from precedent. Note that a GRANT issued without grant authority does not fail: PostgreSQL emits WARNING "no privileges were granted" and continues, so the section 5 structural check must run inside the same transaction before COMMIT. The sovereign ruling must fix the apply principal before U-W4b.

-- ==== cutter_exec : DOT-991 lane, constitution birth writer ====
GRANT SELECT, INSERT                       ON public.information_unit TO cutter_exec;
GRANT UPDATE (version_anchor_ref,
              content_anchor_ref)          ON public.information_unit TO cutter_exec;
GRANT SELECT, INSERT                       ON public.unit_version     TO cutter_exec;
GRANT SELECT                               ON public.dot_config       TO cutter_exec;

-- ==== cutter_verify : DOT-992 lane, VERIFY (read-only on content) ====
GRANT SELECT                               ON public.information_unit TO cutter_verify;
GRANT SELECT                               ON public.unit_version     TO cutter_verify;
-- (optional, minimal: cutter_verify SELECT on dot_config only if VERIFY
--  re-checks vocab binding; omitted to stay least-privilege — VW-1..VW-10
--  read created rows, not dot_config.)
explicitly_excluded (least-privilege, append-only, immutable-source):
  - NO DELETE / TRUNCATE anywhere
  - NO REFERENCES / TRIGGER / DDL / GRANT-option
  - NO UPDATE on unit_version (versions are append-only; supersede via new row)
  - NO UPDATE on information_unit columns other than the 2 anchor columns
  - NO write of any kind for cutter_verify on public.* (VERIFY is read-only;
    forward-compensation WRITE grants are a SEPARATE, later, gated package —
    NOT bundled here, keeping the bridge minimal)
  - NO change to cutter_ro, directus, RLS, or the cutter_governance ledger
    grants (already correct — untouched)
  - NO source_document/source_version mutation
column_scoped_UPDATE: mirrors v0.4 CD-1 discipline (only the anchor columns the
  writer provably touches).
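Two aids for GD-1 and the apply step, added here and not part of the package's own command set. The first is a read-only query listing, for each candidate apply principal, which of the conditions under which PostgreSQL accepts a GRANT on a directus-owned table it actually meets (superuser, membership in directus, or an existing grant option on the table). The second is the transaction shape proposed for U-W4b: it asserts the documented pre-state (cutter_* : NONE on the three tables) before the delta, carries the section 3 GRANTs verbatim, and ends in ROLLBACK, so as written it is a dry run; the gate would replace the final ROLLBACK with the section 5 check followed by COMMIT. The candidate role names are the page's own; nothing else is assumed.

```sql
-- Added GD-1 aid (read-only): which path, if any, lets each candidate issue the delta?
-- PostgreSQL accepts GRANT on public.information_unit from the owner (directus), a member
-- of the owner role, a superuser, or a holder of the privilege WITH GRANT OPTION.
WITH candidate(rolname) AS (VALUES ('workflow_admin'), ('directus'))
SELECT r.rolname,
       r.rolsuper                                      AS is_superuser,
       pg_has_role(r.rolname, 'directus', 'MEMBER')    AS member_of_directus,
       EXISTS (SELECT 1
               FROM   pg_class c
               JOIN   pg_namespace n ON n.oid = c.relnamespace
               CROSS JOIN LATERAL aclexplode(c.relacl) a
               WHERE  n.nspname = 'public' AND c.relname = 'information_unit'
               AND    a.grantee = r.oid
               AND    a.privilege_type = 'INSERT'
               AND    a.is_grantable)                  AS has_insert_grant_option
FROM   candidate cand
JOIN   pg_roles r ON r.rolname = cand.rolname;

-- Proposed U-W4b transaction shape (dry run as written: it ends in ROLLBACK).
BEGIN;
DO $$
DECLARE
  r text; t text;
BEGIN
  FOREACH r IN ARRAY ARRAY['cutter_exec', 'cutter_verify'] LOOP
    FOREACH t IN ARRAY ARRAY['public.information_unit', 'public.unit_version',
                             'public.dot_config'] LOOP
      -- a comma list is true if ANY listed privilege is held, which is what a
      -- "must be NONE" pre-state guard wants
      IF has_table_privilege(r, t, 'SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER')
         OR has_any_column_privilege(r, t, 'SELECT, INSERT, UPDATE, REFERENCES') THEN
        RAISE EXCEPTION 'pre-state mismatch: % already holds a privilege on %; aborting', r, t;
      END IF;
    END LOOP;
  END LOOP;
END $$;

-- the section 3 GRANT delta, verbatim
GRANT SELECT, INSERT ON public.information_unit TO cutter_exec;
GRANT UPDATE (version_anchor_ref, content_anchor_ref) ON public.information_unit TO cutter_exec;
GRANT SELECT, INSERT ON public.unit_version TO cutter_exec;
GRANT SELECT ON public.dot_config TO cutter_exec;
GRANT SELECT ON public.information_unit TO cutter_verify;
GRANT SELECT ON public.unit_version TO cutter_verify;

-- A GRANT issued without grant authority does not error: it emits
-- WARNING: no privileges were granted for "..." and continues. The section 5
-- structural check therefore belongs HERE, before COMMIT; the gate swaps this
-- ROLLBACK for COMMIT only after that check passes.
ROLLBACK;
```

Running the dry run under the proposed apply principal, with the structural check inserted before the ROLLBACK, answers GD-1 empirically: a principal without grant authority produces the warning and a failed check instead of a silently half-applied delta.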

4. Rollback (exact inverse, for the future U-W4b execution)

REVOKE SELECT, INSERT            ON public.information_unit FROM cutter_exec;
REVOKE UPDATE (version_anchor_ref, content_anchor_ref)
                                 ON public.information_unit FROM cutter_exec;
REVOKE SELECT, INSERT            ON public.unit_version     FROM cutter_exec;
REVOKE SELECT                    ON public.dot_config       FROM cutter_exec;
REVOKE SELECT                    ON public.information_unit FROM cutter_verify;
REVOKE SELECT                    ON public.unit_version     FROM cutter_verify;

Fully reversible; no object created/dropped; no role change; no ownership change. The REVOKEs must be issued by the same grantor as the GRANTs (or by a superuser): a role can revoke only privileges it granted itself, and a REVOKE by anyone else emits a warning and changes nothing, so the apply principal fixed under GD-1 is also the rollback principal.

5. Verification harness for the future execution (catalog + behavioral)

structural (catalog re-read after apply, inside the apply txn before COMMIT; expect EXACTLY):
  information_unit: cutter_exec = SELECT,INSERT in relacl + UPDATE(version_anchor_ref,
    content_anchor_ref) in pg_attribute.attacl (column grants do NOT appear in relacl,
    so a relacl-only re-read cannot verify them); cutter_verify = SELECT
  unit_version:     cutter_exec = SELECT,INSERT; cutter_verify = SELECT
  dot_config:       cutter_exec = SELECT
  no DELETE/TRUNCATE/REFERENCES/TRIGGER tuple for either role on public.*
  cutter_ro / directus / ledger grants byte-identical to pre-state
behavioral (post-grant, isolated/controlled — part of U-W4b, not now):
  cutter_exec: INSERT IU+uv+anchor in a txn that is ROLLED BACK → allowed
    (issue SET CONSTRAINTS ALL IMMEDIATE first: a rolled-back txn never reaches
    COMMIT, so without it the deferred L2 gate and its SELECTs never execute)
  cutter_exec: DELETE/TRUNCATE/UPDATE non-anchor col → 42501 (insufficient_privilege) denied
  cutter_verify: SELECT ok; INSERT/UPDATE/DELETE on public.* → 42501 denied
  connection-limit 2 still enforced
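The harness above in executable form, added here as a proposal rather than as the package's own command set. Part A is the structural check, run by the apply principal inside the GRANT transaction before COMMIT; it asserts the exact table-level matrix for every (role, table, privilege) combination and checks the column-scoped UPDATE through pg_attribute.attacl, which has_table_privilege and relacl do not see. Part B is the behavioral check, run in a separate session connected as cutter_exec: each denied action must fail with insufficient_privilege (42501) and nothing else, and the allowed INSERT path is probed with a constructed DEFAULT VALUES row that is never committed. Assumptions, labeled as such in the code: layer 2 is a deferrable constraint trigger (as "DEFERRED at COMMIT" implies), plpgsql is usable by PUBLIC (the default), and canonical_address and unit_id are the column names the page itself uses.

```sql
-- Part A: structural, run by the apply principal inside the GRANT txn, before COMMIT.
-- Column-level UPDATE lives in pg_attribute.attacl, not pg_class.relacl; has_table_privilege
-- ignores it, so the anchor columns are checked separately.
DO $$
DECLARE
  expected CONSTANT text[] := ARRAY[
    'cutter_exec|public.information_unit|SELECT',   'cutter_exec|public.information_unit|INSERT',
    'cutter_exec|public.unit_version|SELECT',       'cutter_exec|public.unit_version|INSERT',
    'cutter_exec|public.dot_config|SELECT',
    'cutter_verify|public.information_unit|SELECT', 'cutter_verify|public.unit_version|SELECT'];
  r text; t text; p text; want boolean; got boolean;
BEGIN
  FOREACH r IN ARRAY ARRAY['cutter_exec', 'cutter_verify'] LOOP
    FOREACH t IN ARRAY ARRAY['public.information_unit', 'public.unit_version', 'public.dot_config'] LOOP
      FOREACH p IN ARRAY ARRAY['SELECT','INSERT','UPDATE','DELETE','TRUNCATE','REFERENCES','TRIGGER'] LOOP
        want := (r || '|' || t || '|' || p) = ANY (expected);
        got  := has_table_privilege(r, t, p);        -- table-level only; attacl not consulted
        IF got <> want THEN
          RAISE EXCEPTION 'drift: % % on % is % (expected %)', r, p, t, got, want;
        END IF;
      END LOOP;
    END LOOP;
  END LOOP;
  IF NOT (has_column_privilege('cutter_exec', 'public.information_unit', 'version_anchor_ref', 'UPDATE')
      AND has_column_privilege('cutter_exec', 'public.information_unit', 'content_anchor_ref', 'UPDATE')) THEN
    RAISE EXCEPTION 'anchor-column UPDATE missing for cutter_exec';
  END IF;
  -- any OTHER column-level privilege for a cutter_* role in public is drift
  IF EXISTS (SELECT 1
             FROM   pg_attribute a
             JOIN   pg_class c ON c.oid = a.attrelid
             JOIN   pg_namespace n ON n.oid = c.relnamespace
             CROSS JOIN LATERAL aclexplode(a.attacl) x
             WHERE  n.nspname = 'public' AND a.attnum > 0 AND NOT a.attisdropped
             AND    x.grantee IN ('cutter_exec'::regrole::oid, 'cutter_verify'::regrole::oid)
             AND    NOT (c.relname = 'information_unit' AND x.grantee = 'cutter_exec'::regrole::oid
                         AND x.privilege_type = 'UPDATE'
                         AND a.attname IN ('version_anchor_ref', 'content_anchor_ref'))) THEN
    RAISE EXCEPTION 'unexpected column-level privilege for a cutter_* role in public';
  END IF;
END $$;

-- Part B: behavioral, in a SEPARATE session connected as cutter_exec, inside a txn that is
-- rolled back. SET CONSTRAINTS ALL IMMEDIATE makes the deferred layer-2 gate fire inside the
-- block instead of at a COMMIT that never happens (assumes layer 2 is a deferrable
-- constraint trigger; assumes plpgsql is usable by PUBLIC).
BEGIN;
SET CONSTRAINTS ALL IMMEDIATE;
DO $$
DECLARE
  denied CONSTANT text[] := ARRAY[
    'DELETE FROM public.information_unit WHERE false',
    'TRUNCATE public.information_unit',
    'UPDATE public.information_unit SET canonical_address = canonical_address WHERE false',
    'UPDATE public.unit_version SET unit_id = unit_id WHERE false',
    'DELETE FROM public.dot_config WHERE false'];
  s text;
BEGIN
  FOREACH s IN ARRAY denied LOOP
    BEGIN
      EXECUTE s;                                  -- privilege check runs before any row is touched
      RAISE EXCEPTION 'NOT denied: %', s;
    EXCEPTION WHEN insufficient_privilege THEN    -- SQLSTATE 42501: the only acceptable outcome
      RAISE NOTICE 'denied as expected: %', s;
    END;
  END LOOP;
  PERFORM count(*) FROM public.information_unit WHERE canonical_address LIKE 'ICX-CONST%';
  PERFORM 1 FROM public.unit_version LIMIT 1;
  PERFORM 1 FROM public.dot_config   LIMIT 1;
  BEGIN
    -- constructed probe row, never committed: a NOT NULL or birth-gate error here still
    -- proves that INSERT, and the layer-1 read of dot_config, passed the privilege layer
    INSERT INTO public.information_unit DEFAULT VALUES;
  EXCEPTION
    WHEN insufficient_privilege THEN RAISE EXCEPTION 'INSERT path denied: %', SQLERRM;
    WHEN OTHERS THEN RAISE NOTICE 'INSERT reached row validation (%): %', SQLSTATE, SQLERRM;
  END;
END $$;
ROLLBACK;
```

The same Part B block run as cutter_verify must report the three SELECTs as allowed and the INSERT probe as denied, which is the read-only VERIFY lane the matrix prescribes. Part A deliberately compares every combination, not just the expected ones, so a stray DELETE or TRUNCATE tuple cannot pass unnoticed.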

6. Status

credential_grant_package: READY_FOR_SOVEREIGN_GATED_EXECUTION (U-W4b)
gap_remaining_for_C1: only the GD-1 apply-principal ruling + sovereign approval
production_privilege_mutation: NONE (this is review/design only)

doc 2 of 7. No production mutation. Self-advance PROHIBITED.

Source: knowledge/dev/laws/dieu44-trien-khai/v0.5-production-bridge-to-cut-approval-readiness/dot-iu-cutter-v0.5-credential-grant-package-2026-05-19.md