KB-2FD4
dot-iu-cutter v0.5 WS-Q5 — Privilege GRANT Draft (12 new tables only; least-privilege; DO NOT EXECUTE)
Revision 1
Phase: v0_5_WS_Q5_seed_and_privilege_command_authoring
Nature: authoring_only / no_execution
Date: 2026-05-18
Scope: the 12 new WS-Q5 tables only. No schema-owner change, no GRANT ALL, no PUBLIC grant, no privilege execution (QG3).

⚠️ GATING BANNER — DO NOT EXECUTE
phase: privilege_authoring
grant_executed: none ; revoke_executed: none                    # QG2
grant_all: false ; public_grant: false ; owner_change: false    # QG3
roles_grounded_by_readonly_catalog: true                        # QG4
execution_authorized: false ; self_advance: PROHIBITED
decision_authority: GPT / User ONLY
1. Role grounding (read-only production catalog — QG4, no mutation)
roles_confirmed_present (pg_roles, read-only):
cutter_ro : EXISTS rolcanlogin=false rolsuper=false # read role
cutter_exec : EXISTS rolcanlogin=true rolsuper=false # executor/write role
cutter_verify : EXISTS rolcanlogin=true rolsuper=false # verifier role
workflow_admin : EXISTS rolcanlogin=true rolsuper=true # schema owner (NO change)
directus : EXISTS rolcanlogin=true rolsuper=false # app role
schema_owner(cutter_governance): workflow_admin (UNCHANGED — not modified)
current_grants_on_12_new_tables (observed):
- workflow_admin : owner (implicit ALL) # not re-granted
- directus : SELECT on all 12 (PRE-EXISTING — likely ALTER DEFAULT
PRIVILEGES; NOT introduced or widened by this draft)
- cutter_ro / cutter_exec / cutter_verify : NONE (0 grants) -> this draft adds them
existing_cutter_governance_pattern (baseline 12 tables, for consistency):
cutter_ro : SELECT broad
cutter_exec : SELECT + INSERT (+ narrow column-scoped UPDATE per v0.4)
cutter_verify : SELECT (+ narrow INSERT on audit tables only)
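Added example (not part of the draft, not a command to be executed under QG2): the read-only catalog queries that produce the §1 grounding facts. Every statement is a SELECT against PostgreSQL system catalogs; nothing is granted or altered. The role, schema and table names are the ones the draft already uses; the ACLs are read straight from pg_class.relacl via aclexplode() so the result is not filtered by the role running the check. Query 5 also covers the schema-USAGE question left open in §3 and OD-PV3.

```sql
-- 1) Confirm the five §1 roles exist, with login/superuser flags.
--    A role absent from this output must not appear in any GRANT line.
SELECT rolname, rolcanlogin, rolsuper, rolcreaterole, rolinherit
FROM   pg_catalog.pg_roles
WHERE  rolname IN ('cutter_ro', 'cutter_exec', 'cutter_verify',
                   'workflow_admin', 'directus')
ORDER  BY rolname;

-- 2) Confirm schema owner is workflow_admin (no owner change is drafted).
SELECT n.nspname, pg_get_userbyid(n.nspowner) AS schema_owner
FROM   pg_catalog.pg_namespace n
WHERE  n.nspname = 'cutter_governance';

-- 3) Table owner and every explicit ACL entry on the 12 new tables.
--    Expected per §1: owner = workflow_admin, directus = SELECT,
--    cutter_ro / cutter_exec / cutter_verify = no entries (NULL grantee).
--    A 'PUBLIC' grantee or any_grant_option = true would violate QG3.
WITH t12(table_name) AS (
  VALUES ('matcher_config_registry'), ('address_template_registry'),
         ('grammar_profile'), ('grammar_profile_level'),
         ('grammar_profile_status_marker'), ('source_family_registry'),
         ('source_document_registry'), ('source_document_version_registry'),
         ('entity_kind_registry'), ('entity_reference_registry'),
         ('authority_override'), ('metadata_key_registry')
)
SELECT t.table_name,
       pg_get_userbyid(c.relowner) AS table_owner,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       string_agg(a.privilege_type, ', ' ORDER BY a.privilege_type) AS privileges,
       bool_or(a.is_grantable) AS any_grant_option
FROM   t12 t
JOIN   pg_catalog.pg_class c     ON c.relname = t.table_name
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
                                AND n.nspname = 'cutter_governance'
LEFT JOIN LATERAL aclexplode(c.relacl) a ON true   -- NULL relacl = owner only
GROUP  BY t.table_name, c.relowner, a.grantee
ORDER  BY t.table_name, grantee;

-- 4) Is directus's SELECT explained by ALTER DEFAULT PRIVILEGES (§1 guess)?
--    defaclnamespace = 0 means a database-wide default ACL.
SELECT pg_get_userbyid(d.defaclrole) AS for_creator_role,
       COALESCE(n.nspname, '<all schemas>') AS in_schema,
       d.defaclobjtype AS objtype,          -- 'r' = tables
       d.defaclacl
FROM   pg_catalog.pg_default_acl d
LEFT JOIN pg_catalog.pg_namespace n ON n.oid = d.defaclnamespace
WHERE  d.defaclnamespace = 0 OR n.nspname = 'cutter_governance';

-- 5) Schema USAGE already held by the three cutter roles? (OD-PV3)
--    false here is the only case in which a USAGE grant would be drafted.
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'cutter_governance', 'USAGE') AS has_usage
FROM   pg_catalog.pg_roles r
WHERE  r.rolname IN ('cutter_ro', 'cutter_exec', 'cutter_verify')
ORDER  BY r.rolname;
```

Query 3 reads the ACL array rather than information_schema.role_table_grants because the information_schema views only show grants involving the current role and its memberships; the raw relacl is what a QG4 grounding step should cite.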
2. Target table set (the 12 new WS-Q5 tables)
T12: matcher_config_registry, address_template_registry, grammar_profile,
grammar_profile_level, grammar_profile_status_marker,
source_family_registry, source_document_registry,
source_document_version_registry, entity_kind_registry,
entity_reference_registry, authority_override, metadata_key_registry
lifecycle_bearing (have a `lifecycle` column — for column-scoped UPDATE):
matcher_config_registry, address_template_registry, grammar_profile,
source_family_registry, source_document_registry, entity_kind_registry,
entity_reference_registry, metadata_key_registry # 8 tables
no_lifecycle_col: grammar_profile_level, grammar_profile_status_marker,
authority_override, source_document_version_registry (has version_status)
3. GRANT draft — least privilege, separated by role (DO NOT EXECUTE)
-- ============================================================================
-- WS-Q5 PRIVILEGE GRANT DRAFT — 12 new tables only. No GRANT ALL / PUBLIC /
-- owner change. Mirrors the established cutter_governance role pattern.
-- DO NOT EXECUTE until separate GPT/User sovereign approval.
-- ============================================================================
-- 3.1 cutter_ro — read role: SELECT on all 12 (consistent with baseline pattern)
GRANT SELECT ON cutter_governance.matcher_config_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.address_template_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile_level TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile_status_marker TO cutter_ro;
GRANT SELECT ON cutter_governance.source_family_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.source_document_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.source_document_version_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.entity_kind_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.entity_reference_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.authority_override TO cutter_ro;
GRANT SELECT ON cutter_governance.metadata_key_registry TO cutter_ro;
-- 3.2 cutter_exec — executor/write role: SELECT + INSERT on all 12 (register
-- config rows). NO table-wide UPDATE, NO DELETE, NO TRUNCATE, NO REFERENCES.
GRANT SELECT, INSERT ON cutter_governance.matcher_config_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.address_template_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile_level TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile_status_marker TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_family_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_document_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_document_version_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.entity_kind_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.entity_reference_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.authority_override TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.metadata_key_registry TO cutter_exec;
-- 3.3 cutter_exec — column-scoped UPDATE(lifecycle) ONLY, to support the
-- append-only deprecate-not-delete compensation doctrine (no broad UPDATE).
-- ⚠ OPEN OD-PV1: grant now vs defer to first compensation need.
GRANT UPDATE (lifecycle) ON cutter_governance.matcher_config_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.address_template_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.grammar_profile TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.source_family_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.source_document_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.entity_kind_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.entity_reference_registry TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.metadata_key_registry TO cutter_exec;
-- (source_document_version_registry: optional UPDATE (version_status) — see OD-PV1.)
-- 3.4 cutter_verify — verifier role: SELECT on all 12 (read-only verification).
-- NO write needed for registry verification (least privilege). ⚠ OPEN OD-PV2.
GRANT SELECT ON cutter_governance.matcher_config_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.address_template_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile_level TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile_status_marker TO cutter_verify;
GRANT SELECT ON cutter_governance.source_family_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.source_document_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.source_document_version_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.entity_kind_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.entity_reference_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.authority_override TO cutter_verify;
GRANT SELECT ON cutter_governance.metadata_key_registry TO cutter_verify;
-- NO action on directus (pre-existing SELECT, not widened) and NO action on
-- workflow_admin (owner). NO USAGE re-grant (schema USAGE already held by
-- these roles for the existing 12 cg tables — confirm at command-review G).
4. Privilege matrix (authoritative for verification cross-check)
cutter_ro : SELECT x 12 tables
cutter_exec : SELECT, INSERT x 12 tables
+ UPDATE(lifecycle) col-scoped x 8 lifecycle-bearing tables
cutter_verify : SELECT x 12 tables
NOT granted (QG3): DELETE, TRUNCATE, REFERENCES, TRIGGER, table-wide UPDATE,
GRANT ALL, PUBLIC, WITH GRANT OPTION, any owner/role membership change.
directus : unchanged (pre-existing SELECT only)
workflow_admin: unchanged (owner)
5. Open decisions / flags (NOT self-resolved — route GPT/User)
OD-PV1: cutter_exec column-scoped UPDATE(lifecycle) — grant now (enables
compensation PATH_R-B without a later grant cycle) vs defer until first
retire is actually needed (tighter least-privilege). Draft includes it;
GPT/User decides keep vs drop §3.3 (+ optional version_status).
OD-PV2: cutter_verify SELECT-only proposed (registry verification is
read-only). Baseline cutter_verify has narrow INSERT on audit tables only;
WS-Q5 registries need none. GPT confirms no verify-write.
OD-PV3: USAGE on schema cutter_governance for cutter_ro/exec/verify is
presumed already held (they operate on the existing 12 cg tables). To be
re-confirmed read-only at command-review G-gate; no USAGE grant drafted
unless that check shows it missing.
OD-PV4: seed-execution role (which role runs seed-data-draft) is an
execution-phase decision (cutter_exec post-grant, or workflow_admin) —
OUT OF SCOPE here; flagged for the future command-review.
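Added example (not part of the draft): a read-only cross-check that encodes the §4 privilege matrix and diffs it against the catalog, so the seed-privilege-verification-plan can report MISSING (matrix says yes, catalog says no), EXCESS (catalog says yes, matrix says no) and GRANT_OPTION (any grantable entry on a non-owner role; QG3) rows instead of a by-eye review. Run before execution it should list every drafted privilege as MISSING and nothing else; run after execution it should return zero rows. Column-scoped UPDATE(lifecycle) lives in pg_attribute.attacl, not in relacl, which is why both ACL arrays are exploded. The directus SELECT rows are included only as the §1 baseline, not as something this draft grants; if OD-PV1 drops §3.3, delete the lifecycle branch of `expected`.

```sql
WITH t12(table_name, has_lifecycle) AS (
  VALUES ('matcher_config_registry', true),  ('address_template_registry', true),
         ('grammar_profile', true),          ('grammar_profile_level', false),
         ('grammar_profile_status_marker', false), ('source_family_registry', true),
         ('source_document_registry', true), ('source_document_version_registry', false),
         ('entity_kind_registry', true),     ('entity_reference_registry', true),
         ('authority_override', false),      ('metadata_key_registry', true)
),
-- Expected matrix (§4). Table-level rows carry column_name NULL.
expected(table_name, grantee, privilege_type, column_name) AS (
            SELECT table_name, 'cutter_ro',     'SELECT', NULL FROM t12
  UNION ALL SELECT table_name, 'cutter_exec',   'SELECT', NULL FROM t12
  UNION ALL SELECT table_name, 'cutter_exec',   'INSERT', NULL FROM t12
  UNION ALL SELECT table_name, 'cutter_verify', 'SELECT', NULL FROM t12
  UNION ALL SELECT table_name, 'directus',      'SELECT', NULL FROM t12  -- pre-existing (§1)
  UNION ALL SELECT table_name, 'cutter_exec',   'UPDATE', 'lifecycle'
            FROM t12 WHERE has_lifecycle                                  -- §3.3 / OD-PV1
),
-- Actual entries from the ACL arrays (not filtered by the current role).
actual AS (
  SELECT c.relname AS table_name,
         CASE WHEN a.grantee = 0 THEN 'PUBLIC' ELSE pg_get_userbyid(a.grantee) END AS grantee,
         a.privilege_type,
         NULL::name AS column_name,
         a.is_grantable
  FROM   pg_catalog.pg_class c
  JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace AND n.nspname = 'cutter_governance'
  JOIN   t12 t ON t.table_name = c.relname
  CROSS  JOIN LATERAL aclexplode(c.relacl) a
  UNION ALL
  SELECT c.relname,
         CASE WHEN a.grantee = 0 THEN 'PUBLIC' ELSE pg_get_userbyid(a.grantee) END,
         a.privilege_type,
         att.attname,
         a.is_grantable
  FROM   pg_catalog.pg_class c
  JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace AND n.nspname = 'cutter_governance'
  JOIN   t12 t ON t.table_name = c.relname
  JOIN   pg_catalog.pg_attribute att ON att.attrelid = c.oid
                                    AND att.attnum > 0 AND NOT att.attisdropped
  CROSS  JOIN LATERAL aclexplode(att.attacl) a
)
SELECT 'MISSING' AS finding, e.table_name, e.grantee, e.privilege_type, e.column_name
FROM   expected e
WHERE  NOT EXISTS (SELECT 1 FROM actual a
                   WHERE a.table_name = e.table_name AND a.grantee = e.grantee
                     AND a.privilege_type = e.privilege_type
                     AND a.column_name IS NOT DISTINCT FROM e.column_name)
UNION ALL
SELECT 'EXCESS', a.table_name, a.grantee, a.privilege_type, a.column_name
FROM   actual a
WHERE  a.grantee IN ('cutter_ro', 'cutter_exec', 'cutter_verify', 'directus', 'PUBLIC')
  AND  NOT EXISTS (SELECT 1 FROM expected e
                   WHERE e.table_name = a.table_name AND e.grantee = a.grantee
                     AND e.privilege_type = a.privilege_type
                     AND e.column_name IS NOT DISTINCT FROM a.column_name)
UNION ALL
-- QG3: no WITH GRANT OPTION. The owner's own entry is grantable by design.
SELECT 'GRANT_OPTION', a.table_name, a.grantee, a.privilege_type, a.column_name
FROM   actual a
WHERE  a.is_grantable AND a.grantee <> 'workflow_admin'
ORDER  BY 1, 2, 3, 4;
```

The EXCESS branch deliberately lists PUBLIC as a grantee of interest: a PUBLIC entry on any of the 12 tables is a QG3 violation regardless of which privilege it carries, and it would not surface in a per-role review.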
6. Statements
- QG3: no GRANT ALL / PUBLIC / owner change / WITH GRANT OPTION; privileges separated per role; only the 12 new tables. QG4: all role names grounded by read-only catalog (not assumed). QG2: nothing executed.
- No DML, no Directus, no vector, no CUT/VERIFY, no deploy, no git commit, no self-advance.
- Self-advance PROHIBITED — doc 3 of 6; STOP → route GPT/User.
Companion: seed-data-draft, seed-rollback-compensation-draft, privilege-rollback-draft, seed-privilege-verification-plan, seed-privilege-authoring-report.