KB-608A

dot-iu-cutter v0.5 WS-Q5 — Privilege Rollback REVISED (REVOKE) Draft (1:1 inverse; DO NOT EXECUTE)

Revision 1

Phase: v0_5_WS_Q5_seed_privilege_revised_command_package · Nature: command_package_revision_only / no_execution · Date: 2026-05-18 · Exact inverse of: privilege-grant-revised-draft §3 (this package).

⚠️ GATING BANNER — DO NOT EXECUTE

phase: privilege_rollback_revision ; revoke_executed: none ; cascade_used: false
usage_revoke_included: false   # no USAGE grant proposed -> no USAGE revoke (OD-PV3)
execution_authorized: false ; self_advance: PROHIBITED   # QG8
decision_authority: GPT / User ONLY

36 REVOKE = 1:1 inverse of the 36 GRANT in the revised grant draft. No column-UPDATE inverse (none granted — OD-PV1). USAGE revoke is intentionally absent because the revised grant proposes NO USAGE grant (all 3 roles already hold it; revoking would regress pre-package state).


1. REVOKE draft — reverse of revised GRANT (DO NOT EXECUTE)

-- ============================================================================
-- WS-Q5 PRIVILEGE ROLLBACK (REVISED). Exact inverse of grant-revised §3.
-- No CASCADE. No owner/role change. No USAGE revoke (no USAGE grant proposed).
-- DO NOT EXECUTE without separate sovereign authorization.
-- ============================================================================

-- 1.1 inverse of 3.2 — cutter_exec SELECT, INSERT
REVOKE SELECT, INSERT ON cutter_governance.matcher_config_registry            FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.address_template_registry          FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile                    FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile_level              FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.grammar_profile_status_marker      FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_family_registry             FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_document_registry           FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.source_document_version_registry   FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.entity_kind_registry               FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.entity_reference_registry          FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.authority_override                 FROM cutter_exec;
REVOKE SELECT, INSERT ON cutter_governance.metadata_key_registry              FROM cutter_exec;

-- 1.2 inverse of 3.3 — cutter_verify SELECT
REVOKE SELECT ON cutter_governance.matcher_config_registry            FROM cutter_verify;
REVOKE SELECT ON cutter_governance.address_template_registry          FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile                    FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile_level              FROM cutter_verify;
REVOKE SELECT ON cutter_governance.grammar_profile_status_marker      FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_family_registry             FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_document_registry           FROM cutter_verify;
REVOKE SELECT ON cutter_governance.source_document_version_registry   FROM cutter_verify;
REVOKE SELECT ON cutter_governance.entity_kind_registry               FROM cutter_verify;
REVOKE SELECT ON cutter_governance.entity_reference_registry          FROM cutter_verify;
REVOKE SELECT ON cutter_governance.authority_override                 FROM cutter_verify;
REVOKE SELECT ON cutter_governance.metadata_key_registry              FROM cutter_verify;

-- 1.3 inverse of 3.1 — cutter_ro SELECT
REVOKE SELECT ON cutter_governance.matcher_config_registry            FROM cutter_ro;
REVOKE SELECT ON cutter_governance.address_template_registry          FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile                    FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile_level              FROM cutter_ro;
REVOKE SELECT ON cutter_governance.grammar_profile_status_marker      FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_family_registry             FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_document_registry           FROM cutter_ro;
REVOKE SELECT ON cutter_governance.source_document_version_registry   FROM cutter_ro;
REVOKE SELECT ON cutter_governance.entity_kind_registry               FROM cutter_ro;
REVOKE SELECT ON cutter_governance.entity_reference_registry          FROM cutter_ro;
REVOKE SELECT ON cutter_governance.authority_override                 FROM cutter_ro;
REVOKE SELECT ON cutter_governance.metadata_key_registry              FROM cutter_ro;

-- NO USAGE revoke (none granted). NOT touched: directus (pre-existing SELECT —
-- leave intact; restores PRE-package state), workflow_admin (owner). No CASCADE.

2. Conditional USAGE revoke (INERT — present only for completeness)

-- ONLY relevant IF the execution-time preflight had found USAGE missing AND
-- the conditional §2 GRANT USAGE in the grant draft had actually been run for
-- a role. As of 2026-05-18 USAGE is already present -> NO grant -> NO revoke.
-- (If a USAGE grant is ever activated, add the matching REVOKE here in lockstep.)
-- REVOKE USAGE ON SCHEMA cutter_governance FROM <role>;   -- inert / not applicable

3. Notes / dependency flags

exact_inverse: 36 GRANT -> 36 REVOKE, 1:1. No column-UPDATE inverse (OD-PV1).
no_CASCADE ; no owner/role-membership change.
directus_NOT_revoked: deliberate — restores pre-package state (directus SELECT pre-existed).
dependency: if GPT/User changes the final grant set, adjust REVOKE in lockstep.
post_rollback_expected: cutter_ro/exec/verify back to 0 grants on the 12 new tables; USAGE unchanged (was pre-existing); directus SELECT intact; owner workflow_admin; schema/data untouched by this privilege-only rollback.

4. Statements

  • QG8: nothing executed. Exact inverse; no CASCADE; USAGE revoke included only conditionally (no USAGE grant proposed → none active).
  • No DML, no schema ALTER, no Directus, no CUT/VERIFY, no deploy, no git commit, no self-advance.
  • Self-advance PROHIBITED — doc 4 of 6; STOP → route GPT/User.

Companion: seed-data-revised-draft, seed-rollback-revised-draft, privilege-grant-revised-draft, seed-privilege-revised-verification-plan, seed-privilege-revised-command-package-report.
