dot-iu-cutter v0.5 WS-Q5 Registry Substrate — Reauthorized Production Apply Execution Log

Phase: v0_5_WS_Q5_registry_substrate_production_apply__REAUTHORIZED · Date: 2026-05-18 Authority consumed (NOT reopened): GPT reauthorization …WS-Q5-production-apply-reauthorization-workflow-admin-2026-05-18 → selected_option: A_REAUTHORIZE_APPLY_AS_SCHEMA_OWNER_WORKFLOW_ADMIN, allowed_apply_role: workflow_admin, artifact: same_DDL_artifact, DDL_change_authorized: false, privilege_change_authorized: false.

⚠️ GATING BANNER

phase: production_apply_reauthorized
apply_status: PASS                     # 12 tables created; transaction committed
apply_role_used: workflow_admin        # ONLY authorized delta vs blocked attempt
tables_created: 12
production_changed: true               # additive-only: +12 empty registry tables
rollback_executed: false               # NOT needed (verification ALL PASS)
ddl_body_edited: false ; create_schema: 0 ; dml_seed: none ; grant_role_change: none
alter_schema_owner: none ; index_ddl: none ; directus_mutation: none
cut_verify: none ; deploy_restart: none ; git_commit: false ; secrets_recorded: none
improvisation: NONE ; self_advance: PROHIBITED ; decision_authority: GPT / User ONLY

---

1. Authorized command delta (the ONLY change vs the blocked attempt)

from: psql -U directus       # blocked: permission denied for schema cutter_governance
to:   psql -U workflow_admin # schema owner; has CREATE
ddl_artifact: UNCHANGED (same approved SQL body, byte-identical sha256)
package_edits_other_than_role: NONE

2. Access method

access: SSH alias 'contabo' -> docker exec postgres -> psql -U workflow_admin -d directus
container: postgres (Up, healthy)
secrets: NONE recorded (no password/DSN printed)

3. Mandatory pre-apply rerun (P1 / P2 / P3)

P1 — Re-run read-only production preflight (run AS workflow_admin = apply identity, SELECT-only)

P1_connected_as: workflow_admin                      # apply identity verified to connect
P1_SYSID: 7611578671664259111                        # == required 7611578671664259111 -> PASS
P1_cutter_governance_schema_exists: yes (count=1)    -> PASS
P1_cg_table_count: 12
P1_existing_tables: [canonical_address_alias, cut_change_set,
  cut_change_set_affected_row, decision_backlog_dependency,
  decision_backlog_entry, decision_backlog_history,
  decision_backlog_sweep_log, dot_pair_signature, manifest_envelope,
  manifest_unit_block, review_decision, verify_result]   # == baseline -> NO DRIFT
P1_target_12_present: NONE                           # 0 collision -> PASS
P1_baseline_constraints: c=1 f=19 p=12 u=2
P1_baseline_relkinds:   i=18 r=12 v=12
P1_has_CREATE(workflow_admin,cutter_governance): true   # the prior gap (directus=false) RESOLVED
P1_schema_owner: workflow_admin                      # consistent with reauthorization root-cause
P1_result: PASS

P2 — Fresh production backup (read-only; same pg_dump -U directus -Fc method GPT marked PASS_CORRECT)

command (redacted): docker exec postgres pg_dump -U directus -d directus -Fc > <backup_path>
backup_timestamp_utc: 20260518T065011Z
backup_path (safe): <VPS:redacted-home>/wsq5_reauth_backup_20260518T065011Z/prod-directus-preWSQ5-reauth-20260518T065011Z.dump
backup_format: PostgreSQL custom dump (-Fc); header verified "PGDMP" magic
backup_bytes: 68314813
backup_sha256: 583d8a7ada2d3653e611a50802e7ef3d285e69965d920fb041e4b6f8592bfe92
prior_blocked_backup_sha256 (superseded, retained): c95f1da871f27dc2a38d8fb0dfbd277e6f77fdf24a5d9e1021907dbf5f228f3c
secrets_recorded: none
P2_result: PASS

P3 — Apply command integrity (same DDL artifact; only invocation role changed)

staged_artifact (safe): <VPS:redacted-home>/wsq5_apply/wsq5_production_apply.sql
artifact_sha256: 1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
artifact_bytes: 10985
sha_vs_prior_approved: IDENTICAL  # same approved SQL body, ZERO edit to DDL
create_schema_count: 0                                            -> PASS (QG2)
create_table_statements: 12 (^CREATE TABLE cutter_governance.*)    -> PASS
  (grep -c "CREATE TABLE"=13 includes 1 header-comment line; real statements=12)
created_table_names (sorted): address_template_registry, authority_override,
  entity_kind_registry, entity_reference_registry, grammar_profile,
  grammar_profile_level, grammar_profile_status_marker,
  matcher_config_registry, metadata_key_registry, source_document_registry,
  source_document_version_registry, source_family_registry  # == authorized 12
begin_count: 1 (line 8) ; commit_count: 1 (line 224)             -> PASS (txn boundary wraps all 12)
dml_insert_update_delete: 0 ; grant_revoke: 0 ; alter_schema/table: 0
create_index/trigger/type: 0
psql_flag: -v ON_ERROR_STOP=1 (applied at invocation)            -> PASS
apply_role: workflow_admin                                       -> PASS (authorized delta)
P3_result: PASS

mandatory_pre_apply_overall: ALL PASS (P1, P2, P3)

4. Authorized apply execution

copy_to_container: docker cp <host>.sql postgres:/tmp/wsq5_production_apply.sql
integrity_across_copy:
  host_sha256:      1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
  container_sha256: 1ab61204ff7b358942c5d15a61957fb5378294b5984cb26dcf2f27508b2c723f
  match: YES
command (redacted): docker exec postgres psql -U workflow_admin -d directus
                    -v ON_ERROR_STOP=1 -f /tmp/wsq5_production_apply.sql < /dev/null
apply_start_utc: 2026-05-18T06:51:40Z
apply_end_utc:   2026-05-18T06:51:41Z
apply_rc: 0
psql_output: |
  BEGIN
  CREATE TABLE / COMMENT   (x12 — one CREATE TABLE + one COMMENT per registry table)
  COMMIT
interpretation: single transaction opened (BEGIN), all 12 CREATE TABLE +
  12 COMMENT executed with no error, COMMIT reached. ON_ERROR_STOP=1 was
  armed and never triggered. 12 of 12 tables created. No partial state.
apply_result: SUCCESS -> phase status PASS

5. Post-apply state (catalog read-only — see verification-result for full matrix)

POST_SYSID: 7611578671664259111            # == pre -> UNCHANGED (correct target / identity untouched)
POST_cg_table_count: 24                    # 12 baseline + 12 new
POST_target_12_present: ALL 12
POST_constraints: c=1 f=27 p=24 u=6        # +0 CHECK, +8 FK, +12 PK, +4 UNIQUE
POST_relkinds:   i=34 r=24 v=12            # r +12 ; i +16 (12 PK + 4 UNIQUE backing indexes) ; v unchanged
POST_new_table_rows: 0 for all 12          # no DML seed
existing_12_tables: intact / unchanged (additive-only; no ALTER side-effect)

6. Rollback evaluation (NOT executed)

verification_outcome: ALL PASS
rollback_trigger (per reauthorization on_failure): NOT met -> rollback NOT executed
rollback_package_used: none
production_state: committed as designed (+12 empty registry tables)

7. Apply result

reauthorized_apply_status: PASS
apply_role_used: workflow_admin
tables_created: 12
rollback_status: NOT_APPLICABLE (verification ALL PASS; nothing to invert)
production_changed: true (additive-only; 12 empty tables; zero data loss)
backup_status: PASS (fresh pre-apply backup; sha256 recorded)
secrets_in_log: none

8. Statements

• Mandatory P1/P2/P3 all PASS. Apply executed exactly as the approved package directs, with the single GPT-authorized change psql -U directus → psql -U workflow_admin. No DDL-body edit, no GRANT, no ALTER SCHEMA OWNER, no improvisation.
• No DML/seed, no GRANT/role change, no index DDL, no evidenced_by vocab amend, no Cap-4 checker change, no Directus mutation, no vector/NoSQL, no CUT, no VERIFY, no data backfill, no deploy/restart, no git commit.
• Self-advance PROHIBITED — doc 1 of 3; STOP after package complete → route GPT/User.

Companion files: reauthorized-verification-result, reauthorized-report.