KB-340C
dot-iu-cutter v0.5 WS-Q5 — Production Apply Execution Log (BLOCKED: permission denied; zero objects; production unchanged)
Revision 1
dot-iu-cutter v0.5 WS-Q5 Registry Substrate — Production Apply Execution Log
Phase: v0_5_WS_Q5_registry_substrate_production_apply
Date: 2026-05-18
Authority consumed (NOT reopened): GPT sovereign approval … WS-Q5-registry-substrate-production-apply-sovereign-approval-2026-05-18 → production_apply_authorized: true, scope WS-Q5 only, mandatory P1–P3.
⚠️ GATING BANNER
phase: production_apply
apply_status: BLOCKED # apply attempted, failed on privilege; zero objects
tables_created: 0
production_changed: false # baseline reconfirmed identical post-attempt
rollback_executed: false # NOT applicable (nothing created)
dml_seed: none ; grant_role_change: none ; index: none ; directus_mutation: none
cut_verify: none ; deploy_restart: none ; git_commit: false ; secrets_recorded: none
improvisation: NONE — no role switch, no GRANT, no package edit
self_advance: PROHIBITED ; decision_authority: GPT / User ONLY
1. Mandatory pre-apply checks
P1 — Re-run read-only production preflight (immediately before apply)
method: SSH alias 'contabo' -> docker exec postgres -> psql -U directus -d directus (SELECT-only)
P1_SYSID: 7611578671664259111 # == required 7611578671664259111 -> PASS
P1_cutter_governance_schema_exists: yes # information_schema.schemata = 1 -> PASS
P1_cg_table_count: 12
P1_existing_tables: [canonical_address_alias, cut_change_set,
cut_change_set_affected_row, decision_backlog_dependency,
decision_backlog_entry, decision_backlog_history,
decision_backlog_sweep_log, dot_pair_signature, manifest_envelope,
manifest_unit_block, review_decision, verify_result] # matches baseline -> no drift
P1_target_names_present: NONE # all 12 WS-Q5 names absent -> PASS
P1_baseline_constraints: p=12 f=19 u=2 c=1 # pg_constraint.contype counts: p=PRIMARY KEY, f=FOREIGN KEY, u=UNIQUE, c=CHECK
P1_baseline_relkinds: r=12 v=12 i=18 # pg_class.relkind counts: r=table, v=view, i=index
P1_result: PASS
P2 — Fresh production backup (read-only)
command (redacted): docker exec postgres pg_dump -U directus -d directus -Fc > <backup_path>
backup_timestamp_utc: 20260518T054609Z
backup_path (safe): <VPS:redacted-home>/wsq5_apply_backup_20260518T054609Z/prod-directus-preWSQ5-20260518T054609Z.dump
backup_format: PostgreSQL custom dump (-Fc), header verified "PostgreSQL custom database dump - v1.15-0"
backup_bytes: 68250747
backup_sha256: c95f1da871f27dc2a38d8fb0dfbd277e6f77fdf24a5d9e1021907dbf5f228f3c
secrets_recorded: none (no password/DSN printed; only non-secret POSTGRES_USER/DB known)
P2_result: PASS
P3 — Apply command integrity
staged_artifact (safe): <VPS:redacted-home>/wsq5_apply/wsq5_production_apply.sql
artifact_sha256: 1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
artifact_bytes: 10985
create_schema_count: 0 # QG2 — NO CREATE SCHEMA -> PASS
create_table_count: 12 # exactly the 12 authorized tables -> PASS
created_table_names (sorted): address_template_registry, authority_override,
entity_kind_registry, entity_reference_registry, grammar_profile,
grammar_profile_level, grammar_profile_status_marker,
matcher_config_registry, metadata_key_registry, source_document_registry,
source_document_version_registry, source_family_registry # == authorized 12
begin_count: 1 ; commit_count: 1 # transaction boundary present -> PASS
dml_insert_update_delete: 0 ; grant_revoke_role: 0 ; alter_table: 0 ; create_index: 0
trigger_or_enum_DDL: 0 # the single "trigger" grep hit is the header comment
line "-- ... No trigger" (line 4); 0 real CREATE TRIGGER or CREATE TYPE ... AS ENUM statements
psql_flag: -v ON_ERROR_STOP=1 # confirmed in apply invocation -> PASS
fidelity_note: structural DDL (tables/columns/types/PK/FK/UNIQUE) byte-faithful
to the approved production-apply-command-package. ONLY COMMENT string
literals were ASCII-normalized for safe transport (e.g. "§"->"section",
unicode angle-brackets removed). Zero structural difference; comments are
not asserted by catalog verification. Disclosed transparently.
P3_result: PASS
mandatory_pre_apply_overall: ALL PASS (P1, P2, P3)
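The P3 counts above, automated as an added example (shell, not the project's own tooling): the gate strips "--" comment lines before counting, which is what the "No trigger" header needed, and runs on a constructed two-table sample artifact rather than the real 12-table package.

```shell
# Added example (not the project's own tooling): a static integrity gate for a staged psql
# apply artifact, mirroring the P3 counts in this log. "--" comments are stripped before
# counting so that a header such as "-- No trigger" cannot register as a trigger DDL hit.
# count_stmt FILE REGEX -> number of non-comment lines matching REGEX (case-insensitive)
count_stmt() {
    sed -e 's/--.*$//' "$1" | grep -Eic "$2" || true
}
# created_tables FILE -> sorted CREATE TABLE targets, to compare against the authorized list
created_tables() {
    sed -e 's/--.*$//' "$1" | grep -Eio 'CREATE[[:space:]]+TABLE[[:space:]]+[A-Za-z0-9_."]+' \
        | awk '{print $3}' | sort
}
# artifact_gate FILE EXPECTED_TABLES -> prints the counts; returns 0 only for the authorized
# shape: no CREATE SCHEMA, exactly N tables, one BEGIN and one COMMIT, no DML/GRANT/ALTER/INDEX
artifact_gate() {
    f=$1; want=$2
    schema=$(count_stmt "$f" '^[[:space:]]*CREATE[[:space:]]+SCHEMA')
    tables=$(count_stmt "$f" '^[[:space:]]*CREATE[[:space:]]+TABLE')
    begin=$(count_stmt "$f" '^[[:space:]]*BEGIN[[:space:]]*;')
    commit=$(count_stmt "$f" '^[[:space:]]*COMMIT[[:space:]]*;')
    dml=$(count_stmt "$f" '^[[:space:]]*(INSERT|UPDATE|DELETE)[[:space:]]')
    priv=$(count_stmt "$f" '^[[:space:]]*(GRANT|REVOKE|ALTER[[:space:]]+ROLE)[[:space:]]')
    other=$(count_stmt "$f" '^[[:space:]]*(ALTER[[:space:]]+TABLE|CREATE[[:space:]]+(UNIQUE[[:space:]]+)?INDEX|CREATE[[:space:]]+TRIGGER|CREATE[[:space:]]+TYPE)')
    echo "create_schema=$schema create_table=$tables begin=$begin commit=$commit dml=$dml grant_role=$priv alter_index_trigger_type=$other"
    [ "$schema" -eq 0 ] && [ "$tables" -eq "$want" ] && [ "$begin" -eq 1 ] && [ "$commit" -eq 1 ] \
        && [ "$dml" -eq 0 ] && [ "$priv" -eq 0 ] && [ "$other" -eq 0 ]
}

# Constructed sample artifact: two tables instead of the log's twelve; the header mentions "trigger"
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
-- constructed sample: registry substrate. No trigger, no enum, no DML.
BEGIN;
CREATE TABLE cutter_governance.source_family_registry (
    id bigint PRIMARY KEY,
    family_code text NOT NULL UNIQUE
);
CREATE TABLE cutter_governance.grammar_profile (
    id bigint PRIMARY KEY,
    source_family_id bigint NOT NULL REFERENCES cutter_governance.source_family_registry (id)
);
COMMIT;
EOF
# Constructed rejected variant: the same DDL plus a seed row the package never authorized
SAMPLE_BAD=$(mktemp)
{ cat "$SAMPLE_OK"; echo "INSERT INTO cutter_governance.source_family_registry VALUES (1, 'seed');"; } >"$SAMPLE_BAD"
artifact_gate "$SAMPLE_OK" 2 && echo "sample_ok: authorized shape"
artifact_gate "$SAMPLE_BAD" 2 || echo "sample_bad: rejected"
```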
2. Authorized apply execution
copy_to_container: docker cp <host>.sql postgres:/tmp/wsq5_production_apply.sql
integrity_across_copy:
host_sha256: 1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
container_sha256: 1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
match: YES
command (redacted): docker exec postgres psql -U directus -d directus
-v ON_ERROR_STOP=1 -f /tmp/wsq5_production_apply.sql < /dev/null
apply_start_utc: 2026-05-18T05:49:43Z
apply_end_utc: 2026-05-18T05:49:43Z
apply_rc: 3
psql_output: |
BEGIN
psql:/tmp/wsq5_production_apply.sql:20: ERROR: permission denied for schema cutter_governance
LINE 1: CREATE TABLE cutter_governance.matcher_config_registry (
^
interpretation: |
Transaction opened (BEGIN). First DDL statement (CREATE TABLE
matcher_config_registry) rejected with "permission denied for schema
cutter_governance". ON_ERROR_STOP=1 halted psql at statement 1. No COMMIT
reached; the open transaction was aborted and rolled back when the psql
session closed. ZERO of the 12 tables created. No partial state.
apply_result: FAIL_PERMISSION_DENIED -> phase status BLOCKED
3. Root cause (read-only diagnosis — no change made)
schema_owner(cutter_governance): workflow_admin
apply_connection_role: directus (current_user = directus)
has_schema_privilege(directus, cutter_governance, USAGE): true # why preflight/read worked
has_schema_privilege(directus, cutter_governance, CREATE): false # why CREATE TABLE denied
root_cause: the approved production-apply-command-package + preflight pinned
the connection as psql -U directus (a USAGE/SELECT-capable role). The
schema cutter_governance is OWNED by workflow_admin; only an owner/privileged
role can CREATE TABLE in it. The package did not pin the privileged apply
role. This is an authorization-scoping gap in the approved package, NOT a
DDL defect and NOT schema drift.
prior_art: consistent with project history "pg_dump / DDL needed
workflow_admin (rolsuper), not directus" (v0.x migrations).
not_done (FORBIDDEN / would be improvisation): switching to workflow_admin,
GRANT CREATE TO directus, ALTER SCHEMA OWNER, editing the package, or any
privilege/role change. None performed.
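A read-only preflight that would have surfaced the CREATE privilege gap diagnosed above before the apply was attempted, as an added example (shell, not the project's own tooling); PSQL_CMD, its docker exec default and the schema argument are assumptions, and the check itself is SELECT-only.

```shell
# Added example (not the project's own tooling): a read-only privilege preflight that would have
# caught this log's root cause before the apply was attempted. It asks the same questions section 3
# answered after the fact (schema owner, USAGE, CREATE) and refuses to proceed unless the
# connection role can CREATE in the target schema. PSQL_CMD is an assumed variable; its default
# is the psql path this log used, so the runner can be swapped for a dry test.
PSQL_CMD=${PSQL_CMD:-"docker exec postgres psql -U directus -d directus"}

# run_sql QUERY -> one value per line, unaligned, no psqlrc; only SELECT queries are sent
run_sql() {
    $PSQL_CMD -XAt -v ON_ERROR_STOP=1 -c "$1"
}

# schema_privilege_report SCHEMA -> "owner=<role> role=<current_user> usage=<t|f> create=<t|f>"
# SCHEMA is an operator-supplied catalog name, not untrusted input
schema_privilege_report() {
    s=$1
    owner=$(run_sql "SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = '$s'")
    role=$(run_sql "SELECT current_user")
    usage=$(run_sql "SELECT has_schema_privilege(current_user, '$s', 'USAGE')")
    create=$(run_sql "SELECT has_schema_privilege(current_user, '$s', 'CREATE')")
    echo "owner=$owner role=$role usage=$usage create=$create"
}

# preflight_create_privilege SCHEMA -> 0 only when the current role can CREATE in SCHEMA; 1 otherwise,
# which is exactly the state that produced "permission denied for schema cutter_governance"
preflight_create_privilege() {
    report=$(schema_privilege_report "$1")
    echo "$report"
    case $report in
        *"create=t"*) return 0 ;;
        *) echo "STOP: current role cannot CREATE in schema $1; apply would fail at its first CREATE TABLE" >&2
           return 1 ;;
    esac
}

# Usage: sh preflight.sh cutter_governance   (exit status 0 = safe to hand to the apply step)
if [ $# -gt 0 ]; then preflight_create_privilege "$1"; fi
```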
4. Post-attempt state (read-only — production unchanged)
POST_SYSID: 7611578671664259111 # == pre -> UNCHANGED
POST_cg_table_count: 12 # == baseline 12 -> UNCHANGED
POST_target_names_present: NONE # 0 of 12 created
POST_constraints: c=1 f=19 p=12 u=2 # == baseline -> UNCHANGED
POST_relkinds: i=18 r=12 v=12 # == baseline -> UNCHANGED
transaction_left_open: no (fresh session shows clean baseline; server
rolled back the aborted txn on psql disconnect)
zero_data_loss: yes ; production_changed: false
5. Rollback evaluation (NOT executed)
rollback_package_assumption: "12 registry tables freshly CREATED and EMPTY"
actual_state: 0 tables created (apply aborted at statement 1)
assumption_match: NO -> rollback package is NOT applicable (there is nothing
to invert; its 12 DROP TABLE would themselves error "table does not exist")
auto_rollback_criteria (per sovereign approval): require failure state to
match rollback package assumptions -> NOT met -> auto-rollback NOT taken
decision: STOP_AND_ESCALATE (correct per approved procedure step 5)
rollback_executed: false
6. Apply result
production_apply_status: BLOCKED
apply_attempt: FAILED_PERMISSION_DENIED (RC=3, transaction aborted at stmt 1)
tables_created: 0
rollback_status: NOT_APPLICABLE_NO_OBJECTS_CREATED
production_changed: false
backup_status: PASS (taken before attempt; sha256 recorded)
secrets_in_log: none
7. Statements
- Mandatory P1/P2/P3 all PASS. Apply executed exactly as the approved package directs (psql -U directus, ON_ERROR_STOP=1); it failed on a privilege the package did not provision. No improvisation, no role/GRANT change, no package edit, no self-fix.
- No DML/seed, no GRANT/role, no index, no evidenced_by vocab, no Cap-4, no Directus, no vector, no CUT/VERIFY, no backfill, no deploy/restart, no git commit.
- Self-advance PROHIBITED — doc 1 of 3; STOP after package complete → route GPT/User for re-authorization of the apply privileged-role question.
Companion files: production-apply-verification-result, production-apply-report.