KB-4163

dot-iu-cutter v0.5 WS-Q5 — Privilege Rollback (REVOKE) Draft (exact inverse of GRANT; DO NOT EXECUTE)

Revision 1

dot-iu-cutter v0.5 WS-Q5 — Privilege Rollback (REVOKE) Draft

Phase: v0_5_WS_Q5_seed_and_privilege_command_authoring · Nature: authoring_only / no_execution · Date: 2026-05-18 · Exact inverse of: privilege-grant-draft (this package).

⚠️ GATING BANNER — DO NOT EXECUTE

phase: privilege_rollback_authoring
revoke_executed: none ; cascade_used: false   # QG2 / no CASCADE
execution_authorized: false ; self_advance: PROHIBITED
decision_authority: GPT / User ONLY

One-to-one inverse of every GRANT in privilege-grant-draft §3. Dependency: this rollback is only valid against the FINAL role/privilege set GPT/User ratifies — if OD-PV1 (drop column UPDATE) or OD-PV2 changes the GRANT, the matching REVOKE lines must be adjusted in lockstep before any execution.

1. REVOKE draft — reverse of GRANT (DO NOT EXECUTE)

-- ============================================================================
-- WS-Q5 PRIVILEGE ROLLBACK — exact inverse of privilege-grant-draft.
-- Order: most-specific first (column UPDATE) -> INSERT/SELECT -> SELECT.
-- No CASCADE. No owner/role-membership change. DO NOT EXECUTE w/o sovereign auth.
-- ============================================================================

-- 1.1 inverse of 3.3 — cutter_exec column-scoped UPDATE(lifecycle)
REVOKE UPDATE (lifecycle) ON cutter_governance.matcher_config_registry   FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.address_template_registry FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.grammar_profile           FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.source_family_registry    FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.source_document_registry  FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.entity_kind_registry      FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.entity_reference_registry FROM cutter_exec;
REVOKE UPDATE (lifecycle) ON cutter_governance.metadata_key_registry     FROM cutter_exec;

-- 1.2 inverse of 3.2 — cutter_exec SELECT, INSERT
REVOKE SELECT, INSERT ON cutter_governance.matcher_config_registry            FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.address_template_registry          FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile                    FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile_level              FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile_status_marker      FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_family_registry             FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_document_registry           FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_document_version_registry   FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.entity_kind_registry               FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.entity_reference_registry          FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.authority_override                 FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.metadata_key_registry              FROM cutter_exec;

-- 1.3 inverse of 3.4 — cutter_verify SELECT
REVOKE SELECT ON cutter_governance.matcher_config_registry            FROM cutter_verify;
REVOKE SELECT ON cutter_governance.address_template_registry          FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile                    FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile_level              FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile_status_marker      FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_family_registry             FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_document_registry           FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_document_version_registry   FROM cutter_verify;
REVOKE SELECT ON cutter_governance.entity_kind_registry               FROM cutter_verify;
REVOKE SELECT ON cutter_governance.entity_reference_registry          FROM cutter_verify;
REVOKE SELECT ON cutter_governance.authority_override                 FROM cutter_verify;
REVOKE SELECT ON cutter_governance.metadata_key_registry              FROM cutter_verify;

-- 1.4 inverse of 3.1 — cutter_ro SELECT
REVOKE SELECT ON cutter_governance.matcher_config_registry            FROM cutter_ro;
REVOKE SELECT ON cutter_governance.address_template_registry          FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile                    FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile_level              FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile_status_marker      FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_family_registry             FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_document_registry           FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_document_version_registry   FROM cutter_ro;
REVOKE SELECT ON cutter_governance.entity_kind_registry               FROM cutter_ro;
REVOKE SELECT ON cutter_governance.entity_reference_registry          FROM cutter_ro;
REVOKE SELECT ON cutter_governance.authority_override                 FROM cutter_ro;
REVOKE SELECT ON cutter_governance.metadata_key_registry              FROM cutter_ro;

-- NOT touched: directus (pre-existing SELECT — leave intact; revoking it would
-- regress prior state) and workflow_admin (owner). Schema owner UNCHANGED.

2. Notes / dependency flags

exact_inverse: 1:1 with privilege-grant-draft §3 (44 GRANT lines -> 44 REVOKE).
no_CASCADE: yes. no owner/role-membership change.
directus_NOT_revoked: deliberate — its SELECT pre-existed this package; the
  rollback restores the PRE-PACKAGE state, which already had directus SELECT.
dependency_on_final_role_choice: if GPT/User adopts OD-PV1 (drop §3.3 col
  UPDATE) the §1.1 block must be removed; if OD-PV2 adds verify-write, add the
  matching REVOKE. Keep GRANT and REVOKE drafts in lockstep before execution.
post_rollback_expected: cutter_ro/exec/verify back to 0 grants on the 12 new
  tables; directus SELECT intact; owner workflow_admin; schema/data untouched
  by this (privilege-only) rollback.
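As an added example (not part of this package's drafts or of any project tooling), a lockstep check a reviewer could run over the two draft files before ratification: it parses the GRANT and REVOKE lines, confirms the 1:1 inverse, flags any CASCADE, and flags any REVOKE that touches directus or workflow_admin. The excerpts, the OD-PV1 drift scenario and the `parse`/`check_lockstep` names are constructed for this example; nothing is executed against a database.

```python
import re
from collections import Counter

# One GRANT/REVOKE statement as written in the WS-Q5 drafts: privilege list
# (table- or column-scoped), schema-qualified object, one role, optional CASCADE.
STMT = re.compile(
    r"^\s*(?P<verb>GRANT|REVOKE)\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+"
    r"(?:TO|FROM)\s+(?P<role>\w+)\s*(?P<opt>CASCADE|RESTRICT)?\s*;",
    re.IGNORECASE,
)

def parse(sql, verb):
    """Count (privilege, object, role) triples on `verb` lines; collect CASCADE lines."""
    triples, cascade = Counter(), []
    for line in sql.splitlines():
        m = STMT.match(line)
        if not m or m["verb"].upper() != verb:
            continue  # comments, blanks, banners, other statement kinds
        for p in m["privs"].split(","):
            priv = re.sub(r"\s+", "", p).upper()  # "UPDATE (lifecycle)" -> "UPDATE(LIFECYCLE)"
            triples[(priv, m["obj"].lower(), m["role"].lower())] += 1
        if (m["opt"] or "").upper() == "CASCADE":
            cascade.append(line.strip())
    return triples, cascade

def check_lockstep(grant_sql, revoke_sql, protected=("directus", "workflow_admin")):
    """All-empty result means the REVOKE draft is the exact 1:1 inverse of the GRANT draft."""
    granted, _ = parse(grant_sql, "GRANT")
    revoked, cascade = parse(revoke_sql, "REVOKE")
    return {
        "missing_revoke": sorted((granted - revoked).elements()),  # granted, never revoked
        "extra_revoke": sorted((revoked - granted).elements()),    # revoked, never granted
        "cascade": cascade,                                        # QG2: must stay empty
        "touches_protected": sorted(t for t in revoked if t[2] in protected),
    }

# Constructed excerpts (not the full 44-line drafts) covering one registry table.
GRANT_DRAFT = """
GRANT SELECT, INSERT ON cutter_governance.grammar_profile TO cutter_exec;
GRANT UPDATE (lifecycle) ON cutter_governance.grammar_profile TO cutter_exec;
GRANT SELECT ON cutter_governance.grammar_profile TO cutter_verify;
"""
REVOKE_DRAFT = """
REVOKE UPDATE (lifecycle) ON cutter_governance.grammar_profile FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile FROM cutter_exec;
REVOKE SELECT ON cutter_governance.grammar_profile FROM cutter_verify;
"""
# Drift: GRANT adopted OD-PV1 (column UPDATE dropped) but REVOKE was not adjusted, and a CASCADE line against directus crept in.
GRANT_DRAFT_PV1 = "\n".join(l for l in GRANT_DRAFT.splitlines() if "UPDATE" not in l)
REVOKE_DRAFT_BAD = REVOKE_DRAFT + "REVOKE SELECT ON cutter_governance.grammar_profile FROM directus CASCADE;\n"
```

Run `check_lockstep(GRANT_DRAFT, REVOKE_DRAFT)` for the clean pair (all lists empty) and `check_lockstep(GRANT_DRAFT_PV1, REVOKE_DRAFT_BAD)` for the drifted pair, which reports the stale column REVOKE, the CASCADE line and the directus hit.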

3. Statements

  • QG2: nothing executed. No CASCADE, no owner/role change. Exact inverse, dependency on final ratified role set explicitly flagged.
  • No DML, no Directus, no vector, no CUT/VERIFY, no deploy, no git commit, no self-advance.
  • Self-advance PROHIBITED — doc 4 of 6; STOP → route GPT/User.

Companion: seed-data-draft, seed-rollback-compensation-draft, privilege-grant-draft, seed-privilege-verification-plan, seed-privilege-authoring-report.

Path: knowledge/dev/laws/dieu44-trien-khai/v0.5-ws-q5-seed-privilege-authoring/dot-iu-cutter-v0.5-WS-Q5-privilege-rollback-draft-2026-05-18.sql.md