dot-iu-cutter v0.5 WS-Q5 — Seed + Privilege Production Verification Result (catalog/data; ALL PASS; NPV-8 false-positive resolved via attacl)
Phase: v0_5_WS_Q5_seed_privilege_production_execution · Date: 2026-05-18
Method: data + pg_catalog/information_schema; catalog/codepoint checks preferred over rendered-string equality and over information_schema view misinterpretation (C-07 / v0.3 lesson, mandated by the revised verification plan).
verification_executed: true
seed_verification: PASS
privilege_verification: PASS
outcome_vocabulary: PASS | FAIL(detail)
1. Seed verification — REVISED expected state
1.1 Expected row counts (exact) — PASS
| table | expected | observed | result |
|---|---|---|---|
| matcher_config_registry | 8 | 8 | PASS |
| address_template_registry | 2 | 2 | PASS |
| grammar_profile | 2 | 2 | PASS |
| grammar_profile_level | 8 | 8 | PASS |
| grammar_profile_status_marker | 2 | 2 | PASS |
| entity_kind_registry | 5 | 5 | PASS |
| source_family_registry | 3 | 3 | PASS |
| metadata_key_registry | 1 | 1 | PASS |
| entity_reference_registry | 0 | 0 | PASS |
| source_document_registry | 0 | 0 | PASS |
| source_document_version_registry | 0 | 0 | PASS |
| authority_override | 0 | 0 | PASS |
| TOTAL seeded | 31 | 31 | PASS |
no_extra_seed_principal: PASS (0 rows with registered_by/created_by
!= 'ws-q5-seed-bootstrap' across all seeded tables)
1.2 Exact key sets (SV-K1..K7) — PASS
SV-K1 matcher_ref = {mc.icx.dieu, mc.icx.kien_truc, mc.icx.nguyen_tac,
mc.vn.chuong, mc.vn.diem, mc.vn.dieu, mc.vn.doan, mc.vn.khoan} PASS (8)
SV-K2 address_template_ref = {at.icx.const.v4, at.vn.law} PASS (2)
SV-K3 grammar_profile_ref = {incomex-architecture-constitution-v4,
vn-national-law} PASS (2)
SV-K4 entity_kind = {code_module, directus_item, git_file, report_path,
sql_entity} PASS (5, WS-2 D5)
SV-K5 source_family = {external_government_law,
internal_incomex_constitution, internal_incomex_law} PASS (EXACTLY 3)
SV-K6 metadata_key = {idempotency_key} PASS (1)
SV-K7 NEGATIVE: deferred families present count = 0
(none of internal_process/sql_entity/code_artifact/report/
lesson/architecture_note) PASS
1.3 FK integrity (catalog anti-join) — PASS
FKV-1 grammar_profile.address_template_ref orphan = 0 PASS
FKV-2 grammar_profile_level.grammar_profile_ref orphan = 0 PASS
FKV-3 grammar_profile_level.matcher_ref orphan = 0 PASS
FKV-4 grammar_profile_status_marker.grammar_profile_ref = 0 PASS
FKV-5 source_family_registry.grammar_profile_ref orphan = 0 PASS
FKV-5b binding map (observed):
internal_incomex_constitution -> incomex-architecture-constitution-v4
internal_incomex_law -> incomex-architecture-constitution-v4
external_government_law -> vn-national-law PASS
1.4 Address separator scheme (BR-A1 locked) — PASS
CAV-S1 docprefix_separator = '/' both rows PASS
CAV-S2 level_separator = '-' both rows PASS
CAV-S3 encodes_status = false both rows PASS
CAV-S4 template_pattern = '<DOCPREFIX>/<L1>-<L2>-...-<Lk>' both PASS
1.5 Grammar level / status-marker / lifecycle — PASS
GLV-1 levels for incomex-architecture-constitution-v4 = 3 PASS
GLV-2 levels for vn-national-law = 5 PASS
GLV-3 level_seq gap-free: profile A min1 max3 cnt3 distinct3 ;
profile B min1 max5 cnt5 distinct5 PASS
GLV-4 profile A levels = NGUYEN_TAC,KIEN_TRUC_SECTION,DIEU ;
profile B levels = CHUONG,DIEU,KHOAN,DIEM,DOAN PASS
SMV-2 UTF-8 codepoint (hex, NOT glyph):
enacted = e29c85 (U+2705 ✅) PASS
controlled_draft = f09f938b (U+1F4CB 📋) PASS
SMV-3 vn-national-law status_marker rows = 0 PASS
LCV-1 non-active lifecycle rows across seeded tables = 0 PASS
LCV-2 idempotency_key policies = text | single | immutable |
promoted_index | namespace=lineage PASS
SYSID 7611578671664259111 unchanged (pre==post) PASS
seed_PASS: TRUE (PRE checks PASS AND counts exact AND SV-K1..7 AND
FKV-1..6 AND CAV-S1..4 AND GLV/SMV/LCV all PASS)
2. Privilege verification — REVISED matrix (catalog-level)
2.1 Expected grants present — PASS
PV-1 cutter_ro : exactly SELECT on each of 12 tables (relacl 'r') PASS
PV-2 cutter_exec : exactly SELECT,INSERT on each of 12 (relacl 'ar') PASS
PV-3 cutter_verify : exactly SELECT on each of 12 (relacl 'r') PASS
PV-4 derived grant set == grant-revised §4 matrix (row totals:
cutter_ro=12, cutter_exec=24, cutter_verify=12; SUM=48) PASS
PV-5 schema USAGE has_schema_privilege = true for cutter_ro/exec/verify
(pre-existing; NOT granted by this package) PASS
relacl_authoritative (every one of the 12 tables):
cutter_exec=ar/workflow_admin ; cutter_ro=r/workflow_admin ;
cutter_verify=r/workflow_admin (no '*', no w/d/D/x/t) PASS
2.2 Negative checks (any TRUE = FAIL) — ALL FALSE → PASS
NPV-1 UPDATE granted to cutter_exec (table OR column incl lifecycle)
-> NONE (relacl has no 'w'; column_privileges distinct types =
SELECT/INSERT only) PASS
NPV-2 DELETE/TRUNCATE/REFERENCES/TRIGGER to cutter_ro|exec|verify
-> empty result set PASS
NPV-3 cutter_verify holds anything other than SELECT -> none PASS
NPV-4 PUBLIC grant on the 12 -> 0 PASS
NPV-5 WITH GRANT OPTION (is_grantable=YES) for cutter_* -> 0
(relacl has no '*') PASS
NPV-6 USAGE granted while preflight showed present -> NOT executed PASS
NPV-7 privilege change on baseline / existing-12 tables -> none
(grants strictly scoped to the 12 new WS-Q5 tables) PASS
NPV-8 explicit column-level grant present -> NONE
authoritative pg_attribute.attacl referencing cutter_* = 0 ;
ANY non-null attacl on the 12 = 0 (no column GRANT ever issued) PASS
NPV-8 false-positive resolution (catalog vs view — C-07/v0.3 lesson):
information_schema.column_privileges first returned 1009 for cutter_*, because (a) PostgreSQL decomposes table-level grants into per-column rows and (b) the unscoped query also swept pre-existing v0.3 cutter_ro view privileges. Restricted to the 12 tables: 404 = 4 × 101 columns (cutter_ro SELECT 101 + cutter_verify SELECT 101 + cutter_exec SELECT 101 + INSERT 101), pure table-grant decomposition, distinct privilege types only SELECT/INSERT (no UPDATE column). The authoritative discriminator pg_attribute.attacl returns 0 explicit column ACLs (and 0 non-null attacl at all on the 12). Conclusion: no column-level grant exists; NPV-8 = PASS. This is exactly the misinterpretation class the revised verification plan required to be resolved at catalog level, not by view counts.
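The view-versus-catalog comparison described above, as an added example (not the queries from the execution log). It assumes the 12 WS-Q5 tables live in a schema named cutter_governance; the table and role names are the ones listed in this report.

```sql
-- Added example. Assumption: schema name is cutter_governance.
WITH scope(relname) AS (
  VALUES ('matcher_config_registry'), ('address_template_registry'),
         ('grammar_profile'), ('grammar_profile_level'),
         ('grammar_profile_status_marker'), ('entity_kind_registry'),
         ('source_family_registry'), ('metadata_key_registry'),
         ('entity_reference_registry'), ('source_document_registry'),
         ('source_document_version_registry'), ('authority_override')
),
rel AS (
  -- Resolve the scoped table names to catalog rows once.
  SELECT c.oid, c.relname, c.relacl
  FROM pg_catalog.pg_class c
  JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
  JOIN scope s ON s.relname = c.relname
  WHERE n.nspname = 'cutter_governance' AND c.relkind = 'r'
)
-- Check 1: the view reports one row per column for every TABLE-level
-- grant, so this count is non-zero even when no column GRANT exists.
SELECT 'view rows (column_privileges)' AS check_name, count(*) AS n
FROM information_schema.column_privileges cp
JOIN scope s ON s.relname = cp.table_name
WHERE cp.table_schema = 'cutter_governance'
  AND cp.grantee IN ('cutter_ro', 'cutter_exec', 'cutter_verify')
UNION ALL
-- Check 2: explicit column grants are stored only in pg_attribute.attacl.
-- Any non-null attacl on a live user column is a real column-level ACL.
SELECT 'explicit column ACLs (attacl)', count(*)
FROM pg_catalog.pg_attribute a
JOIN rel ON rel.oid = a.attrelid
WHERE a.attnum > 0 AND NOT a.attisdropped AND a.attacl IS NOT NULL
UNION ALL
-- Check 3: decode relacl and count table grants to cutter_* that are
-- anything other than plain SELECT/INSERT, or that carry grant option.
SELECT 'unexpected table grants (relacl)', count(*)
FROM rel
CROSS JOIN LATERAL aclexplode(rel.relacl) AS x
JOIN pg_catalog.pg_roles r ON r.oid = x.grantee
WHERE r.rolname IN ('cutter_ro', 'cutter_exec', 'cutter_verify')
  AND (x.privilege_type NOT IN ('SELECT', 'INSERT') OR x.is_grantable);
```

A non-zero first count together with a zero second count is the table-grant decomposition resolved under NPV-8. The information_schema view lists only grants made by or to roles enabled in the current session, so its count also depends on who runs it, while the pg_catalog checks do not.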
2.3 Owner / pre-existing unchanged — PASS
OWN-1 cutter_governance owner = workflow_admin (unchanged) PASS
OWN-2 relowner of all 12 new tables = workflow_admin (0 non-wa) PASS
OWN-3 directus on the 12 = SELECT | is_grantable NO x12, identical to
pre-package baseline snapshot (not widened, not revoked) PASS
OWN-4 pg_auth_members for cutter_ro/exec/verify = empty (no role
membership added/changed) PASS
OWN-5 system_identifier 7611578671664259111 before == after PASS
privilege_PASS: TRUE (PV-1..5 PASS AND every NPV-* FALSE AND OWN-1..5 PASS)
3. Pass criterion outcome
seed_PASS: TRUE
privilege_PASS: TRUE
overall: PASS
fail_action_invoked: none (no FAIL / no negative TRUE)
rollback_invoked: none
4. Statements
- All seed checks (counts, exact key sets, FK anti-join, address separators, UTF-8 hex codepoints, level structure, lifecycle, idempotency_key policy) PASS; SYSID unchanged.
- All privilege checks PASS via authoritative pg_class.relacl/pg_attribute.attacl; the lone information_schema anomaly (NPV-8 = 1009) was proven a benign table-grant/view decomposition, resolved at catalog level per the mandated C-07/v0.3 method — no rendered-string or view re-interpretation used to "explain away" a real defect.
- No rollback executed; production committed exactly within approved scope.
- Self-advance PROHIBITED — doc 2 of 3; STOP → route GPT/User.
Companion files: seed-privilege-production-execution-log, seed-privilege-production-report.