KB-4350
dot-iu-cutter v0.5 — W-4 · Credential & Signing Requirements Review (doc 2)
Revision 1
doc 2 of 6 · 2026-05-19 · read-only (KB + production catalog). No mutation.
1. Ratified credential model (v0.4, accepted GPT 2026-05-16/17)
principals:
cutter_exec : DOT-991 lane (MARK/SWEEP/REVIEW/CUT); writes change-set + executor sig
cutter_verify : DOT-992 lane (VERIFY/forward-compensation/escalation); writes verify_result
cutter_ro : read-only views only, never write
forbidden_runtime_writers: workflow_admin, directus, postgres
v0.4 ratified privilege matrix scope: schema **cutter_governance**
cutter_exec may write: decision_backlog_{entry,history,dependency,sweep_log},
manifest_envelope, manifest_unit_block, review_decision, cut_change_set,
cut_change_set_affected_row, dot_pair_signature; NOT verify_result/canonical_address_alias
cutter_verify may write: decision_backlog_{entry,history}, dot_pair_signature,
cut_change_set, cut_change_set_affected_row, verify_result; NOT manifest_*/review_decision
secret model (v0.4 cmd-review PASS): VPS /opt/incomex/docker/.env (600 root:root),
env names DOT_CUTTER_EXEC_DB_USER/PASSWORD, DOT_CUTTER_VERIFY_DB_USER/PASSWORD,
scram_sha_256, conn_limit 2. SQL sha 00296107…, rollback sha fcba5629…
DOT lane-overlap mandate (binding): DOT-991 sig must cross-ref change_set_id only
(never verify_result_id); DOT-992 sig must cross-ref verify_result_id only; exactly one
cross-ref non-null; signer_dot_id matches lane; STOP on lane/reference mismatch; tests
must fail if DOT-991/992 swapped.
signing scheme: v0.4 signing.py = StubSigning / DeferredSigning ("no production key/secret;
deferred HIGH-risk crypto workstream"). Real signing NOT built.
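The lane-overlap mandate above is a set of row-level invariants that the STOP gate must enforce before any dot_pair_signature row is accepted, and the mandated negative test is that swapping DOT-991/DOT-992 is rejected. The following is an added example (not cutwrite.py, signing.py, or any other project code) of that check; the DotPairSignature column names, the PRINCIPAL_LANE mapping and the sample ids are this example's assumptions, not the confirmed schema:

```python
from dataclasses import dataclass
from typing import Optional

# Lanes from the ratified model (v0.4): DOT-991 executes, DOT-992 verifies.
DOT_EXEC = "DOT-991"
DOT_VERIFY = "DOT-992"

# Which login principal writes in which lane (section 1 principals); assumed mapping.
PRINCIPAL_LANE = {"cutter_exec": DOT_EXEC, "cutter_verify": DOT_VERIFY}

# The single cross-reference column each lane may populate (lane-overlap mandate).
LANE_CROSSREF = {DOT_EXEC: "change_set_id", DOT_VERIFY: "verify_result_id"}


@dataclass(frozen=True)
class DotPairSignature:
    """Assumed shape of a dot_pair_signature row; the column names are this
    example's assumption, not a confirmed schema."""
    signer_dot_id: str
    change_set_id: Optional[str] = None
    verify_result_id: Optional[str] = None


class LaneMismatch(Exception):
    """STOP condition: lane/reference mismatch on a signature row."""


def check_lane_overlap(sig: DotPairSignature, writer_principal: str) -> str:
    """Enforce the lane-overlap invariants before a signature row is accepted.

    Returns the name of the populated cross-ref column. Raises LaneMismatch
    (STOP) on any violation.
    """
    lane = PRINCIPAL_LANE.get(writer_principal)
    if lane is None:
        raise LaneMismatch(f"{writer_principal!r} is not a lane principal")

    # Invariant: exactly one cross-ref non-null.
    populated = [
        name for name, value in (("change_set_id", sig.change_set_id),
                                 ("verify_result_id", sig.verify_result_id))
        if value is not None
    ]
    if len(populated) != 1:
        raise LaneMismatch(f"exactly one cross-ref must be non-null, got {populated}")

    # Invariant: signer_dot_id matches the lane of the writing principal.
    if sig.signer_dot_id != lane:
        raise LaneMismatch(f"signer {sig.signer_dot_id} does not match lane {lane}")

    # Invariant: the populated cross-ref is the one this lane is permitted to use.
    if populated[0] != LANE_CROSSREF[lane]:
        raise LaneMismatch(
            f"{lane} may only cross-ref {LANE_CROSSREF[lane]}, got {populated[0]}")
    return populated[0]


def swapped_lanes_rejected() -> bool:
    """The mandated negative test: swapping DOT-991/DOT-992 on otherwise valid
    rows must STOP. Returns True only if both swapped combinations are rejected."""
    exec_row = DotPairSignature(signer_dot_id=DOT_EXEC, change_set_id="cs-0001")        # constructed
    verify_row = DotPairSignature(signer_dot_id=DOT_VERIFY, verify_result_id="vr-0001")  # constructed
    # Sanity: the unswapped rows pass.
    check_lane_overlap(exec_row, "cutter_exec")
    check_lane_overlap(verify_row, "cutter_verify")
    stops = 0
    for row, principal in ((exec_row, "cutter_verify"), (verify_row, "cutter_exec")):
        try:
            check_lane_overlap(row, principal)
        except LaneMismatch:
            stops += 1
    return stops == 2


if __name__ == "__main__":
    print("swapped lanes rejected:", swapped_lanes_rejected())
```

The check deliberately derives the lane from the writing principal rather than trusting the row's own signer_dot_id, so a row that carries the wrong lane id, or that populates both cross-refs, is a STOP rather than a warning; this is the behaviour GAP-C3 records as not yet built for the cutwrite path.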
2. Live production credential state (read-only catalog, directus DB)
pg_roles: cutter_exec (LOGIN, connlimit 2, no super/createdb/createrole/bypassrls) EXISTS;
cutter_verify (LOGIN, connlimit 2, same) EXISTS; cutter_ro (NOLOGIN) EXISTS;
workflow_admin (SUPERUSER); directus (LOGIN). ⇒ the v0.4 credential roles are LIVE.
role_table_grants for cutter_exec / cutter_verify in directus DB: **0 rows** (NO table
grants at all in the DB that holds the writer target).
has_table_privilege(cutter_exec, public.information_unit, INSERT/UPDATE/SELECT) = false/false/false
has_table_privilege(cutter_exec, public.unit_version, INSERT) = false
has_table_privilege(cutter_verify, public.information_unit, SELECT) = false
has_schema_privilege(cutter_exec, public, USAGE) = true (USAGE only; no object rights)
schema cutter_governance: ABSENT in directus AND workflow (pg_namespace: only public).
3. Requirements vs current cutwrite.py — exact gap
production CUT needs (per ledger.py + lane mandate + birth model):
R1 a login principal with INSERT on public.information_unit + public.unit_version and
UPDATE on information_unit (the in-txn anchor) — column/row scoped, append-only.
R2 a governed change-set + DOT-991 executor signature row + decision_backlog_history
transition (the cut_change_set / dot_pair_signature / decision_backlog_* ledger).
R3 a real DOT-991 signing identity producing the executor signature with the
lane-overlap invariants (cross-ref change_set_id only).
R4 secret delivery (scram password) via the approved .env substrate, never logged.
current cutwrite.py provides: the row mapping + birth-gate-faithful scratch proof ONLY.
It has NO signing, NO cut_change_set/dot_pair_signature emission, NO DB adapter, and
by design NO credential read (import-isolated, db-isolated).
EXACT GAPS:
GAP-C1 (controlling) cutter_exec/cutter_verify have ZERO privilege on the actual writer
target (directus.public.information_unit/unit_version). The v0.4 grants were scoped to
a cutter_governance schema that DOES NOT EXIST in this DB ⇒ the v0.4 credential closure
does NOT cover the constitution writer target. A NEW, separately-gated credential/GRANT
command-review + sovereign execution scoped to public.information_unit/unit_version
(+ the governed ledger location) is REQUIRED.
GAP-C2 the governed ledger substrate (cut_change_set / dot_pair_signature /
decision_backlog_history / verify_result, schema cutter_governance) is ABSENT/
unconfirmed in the DB holding the writer target ⇒ where the CUT change-set + DOT-991
signature + status history are written must be reconciled (provision in directus, or
a documented cross-DB governed-ledger architecture). Architectural decision required.
GAP-C3 no DOT-991 executor signing built (signing.py Stub/Deferred); the lane-overlap
invariants are unimplemented for the cutwrite path ⇒ signing capability is design-only.
GAP-C4 no production DB adapter wired to the birth model (db_adapter.RealPostgresAdapter
is the v0.4 ledger-shaped adapter that refuses prod; cutwrite is import-isolated).
GAP-C5 no separate explicit sovereign production-DB-write approval for the constitution.
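GAP-C1 and GAP-C2 are the result of reconciling the catalog state in section 2 against R1 and the ratified schema scope. The following is an added example (not project code) of that reconciliation as a repeatable read-only check: the two catalog queries are standard Postgres views written for this example, the required-privilege table encodes R1, and the snapshot rows are constructed to mirror section 2 (zero grant rows for the cutter roles, no cutter_governance namespace). Function and constant names are this example's own:

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Read-only catalog queries whose output the functions below consume. These are
# this example's queries against standard Postgres views, not the project's SQL.
ROLE_TABLE_GRANTS_SQL = """
SELECT grantee, table_schema || '.' || table_name AS relation, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('cutter_exec', 'cutter_verify', 'workflow_admin', 'directus', 'postgres');
"""
SCHEMAS_SQL = "SELECT nspname FROM pg_namespace;"

# R1: what the constitution writer target requires of the login principal.
REQUIRED_WRITER_PRIVS: Dict[Tuple[str, str], Set[str]] = {
    ("cutter_exec", "public.information_unit"): {"INSERT", "UPDATE"},
    ("cutter_exec", "public.unit_version"): {"INSERT"},
}
# Governed-ledger schema the v0.4 grants were scoped to (GAP-C2 checks its presence).
REQUIRED_SCHEMAS = {"cutter_governance"}
# Section 1: roles that must never hold runtime write rights on the target.
FORBIDDEN_RUNTIME_WRITERS = {"workflow_admin", "directus", "postgres"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}

Grant = Tuple[str, str, str]  # (grantee, schema.table, privilege_type)


def privilege_gaps(grants: Iterable[Grant],
                   required: Dict[Tuple[str, str], Set[str]] = REQUIRED_WRITER_PRIVS
                   ) -> Dict[Tuple[str, str], Set[str]]:
    """Per (role, relation), the required privileges the catalog does not show."""
    granted: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for grantee, relation, priv in grants:
        granted[(grantee, relation)].add(priv)
    gaps = {}
    for key, need in required.items():
        missing = need - granted[key]
        if missing:
            gaps[key] = missing
    return gaps


def forbidden_writer_grants(grants: Iterable[Grant],
                            forbidden: Set[str] = FORBIDDEN_RUNTIME_WRITERS) -> Set[Grant]:
    """Explicit write grants held by roles the model forbids as runtime writers.

    A SUPERUSER (workflow_admin per section 2) bypasses table grants entirely, so
    this catalog view cannot clear it; that property is checked in pg_roles, not here.
    """
    return {g for g in grants if g[0] in forbidden and g[2] in WRITE_PRIVS}


def missing_schemas(namespaces: Iterable[str],
                    required: Set[str] = REQUIRED_SCHEMAS) -> Set[str]:
    """Required governed-ledger schemas absent from pg_namespace."""
    return set(required) - set(namespaces)


# Constructed snapshot mirroring section 2: zero grant rows for the cutter roles,
# and only 'public' besides the system namespaces.
SNAPSHOT_GRANTS: List[Grant] = []
SNAPSHOT_NAMESPACES = ["pg_catalog", "information_schema", "pg_toast", "public"]


def gap_report(grants: Iterable[Grant] = SNAPSHOT_GRANTS,
               namespaces: Iterable[str] = SNAPSHOT_NAMESPACES) -> dict:
    """Assemble the GAP-C1/GAP-C2 findings from a catalog snapshot."""
    grants = list(grants)
    return {
        "missing_privs": privilege_gaps(grants),
        "forbidden_writer_grants": forbidden_writer_grants(grants),
        "missing_schemas": missing_schemas(namespaces),
    }


if __name__ == "__main__":
    for name, finding in gap_report().items():
        print(f"{name}: {finding}")
```

Run against the constructed snapshot the report shows every R1 privilege missing and cutter_governance absent, which is exactly the GAP-C1/GAP-C2 state; re-running it after the separately-gated GRANT command-review is executed is the closure check for those gaps.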
doc 2 of 6. Read-only. No production mutation. Self-advance PROHIBITED.