KB-6338
dot-iu-cutter v0.5 WS-Q5 — Seed + Privilege REVISED Verification Plan (catalog/data; revised counts; authoring)
Revision 1
Phase: v0_5_WS_Q5_seed_privilege_revised_command_package · Nature: command_package_revision_only / no_execution · Date: 2026-05-18
Method: data + pg_catalog/information_schema; catalog/codepoint checks preferred over rendered-string equality (C-07 / v0.3 lesson). PLAN only — nothing executed.
verification_executed: false ; checks_run: 0 # QG8
outcome_vocabulary: PASS | FAIL(detail)
run_when: ONLY in a future separately-authorized execution phase, after seed COMMIT and after GRANT, same production DB; seed exec role=workflow_admin.
0. Pre-execution checks (run BEFORE seed/grant)
PRE-1 the 12 WS-Q5 tables are LIVE and EMPTY (0 rows each) — re-confirm the
production-apply state; guarantees plain INSERT cannot collide.
PRE-2 system_identifier = 7611578671664259111 (correct production target).
PRE-3 schema owner cutter_governance = workflow_admin (unchanged).
PRE-4 roles exist: cutter_ro, cutter_exec, cutter_verify, workflow_admin
(SELECT rolname FROM pg_roles WHERE rolname IN (...)) — all 4 present.
PRE-5 schema USAGE preflight (OD-PV3, read-only):
SELECT r, has_schema_privilege(r,'cutter_governance','USAGE')
FROM (VALUES ('cutter_ro'),('cutter_exec'),('cutter_verify')) v(r);
EXPECT has_usage=true for all 3 (observed true 2026-05-18). If any
false -> the conditional listed GRANT USAGE (grant draft §2) applies
and MUST be re-reviewed; do NOT proceed silently.
PRE-6 seed execution identity = workflow_admin (OD-PV4); cutter_exec is NOT
used to run the bootstrap seed.
any PRE-* fail -> STOP, do not seed/grant.
1. Seed verification — REVISED expected state (QG7)
1.1 Expected row counts (exact)
matcher_config_registry : 8
address_template_registry : 2
grammar_profile : 2
grammar_profile_level : 8 # Profile A=3 + Profile B=5
grammar_profile_status_marker : 2
entity_kind_registry : 5 # WS-2 D5 set ONLY
source_family_registry : 3 # APPROVED subset ONLY (OD-SF1)
metadata_key_registry : 1 # idempotency_key ONLY (OD-MK1)
entity_reference_registry : 0
source_document_registry : 0
source_document_version_registry : 0
authority_override : 0
TOTAL seeded rows : 31 (unchanged vs prior; 6 families now
explicitly excluded, not commented)
check: count(*) per table = expected; SUM=31; the 4 zero-tables=0; NO row with
registered_by/created_by != 'ws-q5-seed-bootstrap' (no extra seed).
1.2 Expected key values (exact PK set; EXCEPT both directions)
SV-K1 matcher_config_registry.matcher_ref = {mc.icx.nguyen_tac, mc.icx.kien_truc,
mc.icx.dieu, mc.vn.chuong, mc.vn.dieu, mc.vn.khoan, mc.vn.diem, mc.vn.doan}
SV-K2 address_template_registry.address_template_ref = {at.icx.const.v4, at.vn.law}
SV-K3 grammar_profile.grammar_profile_ref = {incomex-architecture-constitution-v4, vn-national-law}
SV-K4 entity_kind_registry.entity_kind = {sql_entity, code_module, git_file, directus_item, report_path}
SV-K5 source_family_registry.source_family = {internal_incomex_constitution,
internal_incomex_law, external_government_law} -- EXACTLY 3
SV-K6 metadata_key_registry.metadata_key = {idempotency_key}
SV-K7 NEGATIVE: none of the 6 deferred families present —
source_family ∌ {internal_process, sql_entity, code_artifact, report,
lesson, architecture_note} (EXPECT 0 rows)
1.3 FK integrity (catalog join / anti-join — NOT pg_get_*def string)
FKV-1 grammar_profile.address_template_ref ∈ address_template_registry (2/2)
FKV-2 grammar_profile_level.grammar_profile_ref ∈ grammar_profile (8/8)
FKV-3 grammar_profile_level.matcher_ref ∈ matcher_config_registry (8/8)
FKV-4 grammar_profile_status_marker.grammar_profile_ref ∈ grammar_profile (2/2)
FKV-5 source_family_registry.grammar_profile_ref ∈ grammar_profile (3/3)
(constitution+law -> ...constitution-v4 ; ext_gov_law -> vn-national-law)
FKV-6 zero orphan: NOT EXISTS anti-join each child->parent returns 0.
1.4 Address separator scheme (BR-A1 locked — QG; data assertion)
CAV-S1 address_template_registry.docprefix_separator = '/' (both rows)
CAV-S2 address_template_registry.level_separator = '-' (both rows)
CAV-S3 address_template_registry.encodes_status = false (both rows)
CAV-S4 template_pattern = '<DOCPREFIX>/<L1>-<L2>-...-<Lk>' (stored-value compare)
1.5 Grammar level / status-marker counts
GLV-1 count(level WHERE profile='incomex-architecture-constitution-v4') = 3
GLV-2 count(level WHERE profile='vn-national-law') = 5
GLV-3 level_seq gap-free 1..N per profile; UQ(profile,level) holds
GLV-4 Profile A levels={NGUYEN_TAC,KIEN_TRUC_SECTION,DIEU};
Profile B levels={CHUONG,DIEU,KHOAN,DIEM,DOAN}
SMV-1 grammar_profile_status_marker = 2 rows, all profile='incomex-architecture-constitution-v4'
SMV-2 exact UTF-8 codepoint (OD-SM1; NOT glyph):
encode(convert_to(marker,'UTF8'),'hex')='e29c85' => maps_to='enacted' (U+2705)
encode(convert_to(marker,'UTF8'),'hex')='f09f938b'=> maps_to='controlled_draft' (U+1F4CB)
SMV-3 vn-national-law has 0 status_marker rows
LCV-1 every seeded lifecycle-bearing row lifecycle='active' (no orphan state)
LCV-2 idempotency_key: key_type='text', cardinality_policy='single',
mutability_policy='immutable', index_policy='promoted_index'
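One way to express SV-K5, SMV-2 and FKV-2/3 as a single read-only query, given as an added example and not part of the command package. It assumes the 12 tables live in schema cutter_governance and that the columns are named as in the checks above; the reverse EXCEPT direction of SV-K5 also covers the SV-K7 negative.

```sql
-- Added example (read-only); each check passes when offending = 0.
WITH expected_sf(source_family) AS (
  VALUES ('internal_incomex_constitution'), ('internal_incomex_law'),
         ('external_government_law')
),
actual_sf AS (
  SELECT source_family::text FROM cutter_governance.source_family_registry
),
expected_sm(marker_hex, maps_to) AS (  -- SMV-2: compare bytes, not glyphs
  VALUES ('e29c85', 'enacted'), ('f09f938b', 'controlled_draft')
),
actual_sm AS (
  SELECT encode(convert_to(marker, 'UTF8'), 'hex') AS marker_hex, maps_to::text
  FROM cutter_governance.grammar_profile_status_marker
),
orphan_levels AS (  -- FKV-2 / FKV-3 as an anti-join (child rows with no parent)
  SELECT l.grammar_profile_ref, l.matcher_ref
  FROM cutter_governance.grammar_profile_level l
  WHERE NOT EXISTS (SELECT 1 FROM cutter_governance.grammar_profile p
                    WHERE p.grammar_profile_ref = l.grammar_profile_ref)
     OR NOT EXISTS (SELECT 1 FROM cutter_governance.matcher_config_registry m
                    WHERE m.matcher_ref = l.matcher_ref)
),
checks(check_id, offending) AS (
  -- EXCEPT in both directions: missing keys and unexpected keys both count
  SELECT 'SV-K5', count(*) FROM (
    (SELECT * FROM expected_sf EXCEPT SELECT * FROM actual_sf)
    UNION ALL
    (SELECT * FROM actual_sf EXCEPT SELECT * FROM expected_sf)) d
  UNION ALL
  SELECT 'SMV-2', count(*) FROM (
    (SELECT * FROM expected_sm EXCEPT SELECT * FROM actual_sm)
    UNION ALL
    (SELECT * FROM actual_sm EXCEPT SELECT * FROM expected_sm)) d
  UNION ALL
  SELECT 'FKV-2/3', count(*) FROM orphan_levels
)
SELECT check_id, offending,
       CASE WHEN offending = 0 THEN 'PASS'
            ELSE format('FAIL(%s offending rows)', offending) END AS outcome
FROM checks;
```

EXCEPT collapses duplicates, so this complements the exact row counts in §1.1 and does not replace them.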
2. Privilege verification — REVISED matrix (catalog-level)
2.1 Expected grants present
PV-1 cutter_ro = exactly SELECT on each of the 12 new tables (12 rows;
privilege set = {SELECT})
PV-2 cutter_exec = exactly SELECT,INSERT on each of the 12 new tables
(privilege set = {SELECT,INSERT}; NO UPDATE/DELETE/etc.)
PV-3 cutter_verify = exactly SELECT on each of the 12 new tables
PV-4 exact-match derived grant set == grant-revised §4 matrix
(EXCEPT both directions over (grantee,table,privilege))
PV-5 schema USAGE: has_schema_privilege(role,'cutter_governance','USAGE')=true
for cutter_ro/exec/verify (pre-existing; not granted by this package)
2.2 Negative (any TRUE = FAIL) — revised
NPV-1 any UPDATE granted to cutter_exec (table OR column, incl. lifecycle)
-> FAIL (OD-PV1: UPDATE(lifecycle) MUST be absent — QG3)
NPV-2 any DELETE/TRUNCATE/REFERENCES/TRIGGER to cutter_ro|exec|verify -> FAIL
NPV-3 cutter_verify holds anything other than SELECT -> FAIL (OD-PV2 — QG4)
NPV-4 any grant to PUBLIC on the 12 -> FAIL
NPV-5 any WITH GRANT OPTION (is_grantable='YES') -> FAIL
NPV-6 any GRANT USAGE actually executed while preflight showed USAGE present
-> FAIL (must remain inert — OD-PV3)
NPV-7 any privilege change on a baseline / existing-12 cutter_governance
table -> FAIL (scope leak)
NPV-8 any column-level grant present (none expected this batch) -> FAIL
2.3 Owner / pre-existing unchanged
OWN-1 pg_namespace.nspowner(cutter_governance)=workflow_admin (unchanged)
OWN-2 pg_class.relowner for all 12 new tables = workflow_admin (unchanged)
OWN-3 directus retains exactly its pre-package SELECT on the 12 (diff vs
read-only baseline = 0; not widened, not revoked)
OWN-4 no new role; no pg_auth_members change
OWN-5 system_identifier 7611578671664259111 unchanged before==after
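A catalog-level sketch of PV-4 with the NPV-4, NPV-5 and NPV-8 negatives, given as an added example and not part of the command package. It assumes the 12 tables are ordinary tables in schema cutter_governance, limits the exact-match comparison to the three cutter roles (directus is covered separately by OWN-3), and excludes the table owner from the grant-option check.

```sql
-- Added example (read-only catalog query); each check passes when offending = 0.
WITH t(tbl) AS (VALUES
  ('matcher_config_registry'), ('address_template_registry'),
  ('grammar_profile'), ('grammar_profile_level'),
  ('grammar_profile_status_marker'), ('entity_kind_registry'),
  ('source_family_registry'), ('metadata_key_registry'),
  ('entity_reference_registry'), ('source_document_registry'),
  ('source_document_version_registry'), ('authority_override')
),
rel AS (  -- the 12 tables, resolved through the catalog
  SELECT c.oid, c.relname::text AS tbl, c.relowner, c.relacl
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  JOIN t ON t.tbl = c.relname::text
  WHERE n.nspname = 'cutter_governance' AND c.relkind = 'r'
),
acl AS (  -- one row per (grantee, table, privilege); grantee oid 0 = PUBLIC
  SELECT rel.tbl, rel.relowner, a.grantee AS grantee_oid,
         r.rolname::text AS grantee, a.privilege_type AS priv, a.is_grantable
  FROM rel
  CROSS JOIN LATERAL aclexplode(rel.relacl) a
  LEFT JOIN pg_roles r ON r.oid = a.grantee
),
expected AS (  -- revised matrix from PV-1..PV-3
  SELECT g.grantee, t.tbl, g.priv
  FROM t CROSS JOIN (VALUES ('cutter_ro', 'SELECT'), ('cutter_exec', 'SELECT'),
                            ('cutter_exec', 'INSERT'), ('cutter_verify', 'SELECT')
                    ) AS g(grantee, priv)
),
actual AS (
  SELECT grantee, tbl, priv FROM acl
  WHERE grantee IN ('cutter_ro', 'cutter_exec', 'cutter_verify')
),
checks(check_id, offending) AS (
  SELECT 'PV-4', count(*) FROM (
    (SELECT * FROM expected EXCEPT SELECT * FROM actual)
    UNION ALL
    (SELECT * FROM actual EXCEPT SELECT * FROM expected)) d
  UNION ALL SELECT 'NPV-4', count(*) FROM acl WHERE grantee_oid = 0
  UNION ALL SELECT 'NPV-5', count(*) FROM acl
            WHERE is_grantable AND grantee_oid <> relowner
  UNION ALL SELECT 'NPV-8', count(*) FROM pg_attribute att
            JOIN rel ON rel.oid = att.attrelid WHERE att.attacl IS NOT NULL
)
SELECT check_id, offending,
       CASE WHEN offending = 0 THEN 'PASS'
            ELSE format('FAIL(%s offending rows)', offending) END AS outcome
FROM checks;
```

aclexplode reports direct grants only; privileges reachable through role membership fall under OWN-4. Any extra UPDATE or DELETE held by a cutter role surfaces in the reverse EXCEPT direction of PV-4.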
3. Pass criterion
seed_PASS iff: PRE-1..6 PASS AND §1.1 counts exact AND SV-K1..7 exact
AND FKV-1..6 PASS AND CAV-S1..4 PASS AND GLV/SMV/LCV PASS
privilege_PASS iff: PV-1..5 PASS AND every NPV-* FALSE AND OWN-1..5 PASS
fail_action: ANY FAIL / negative TRUE -> DO NOT proceed; apply matching
rollback (seed-rollback-revised §1 probe -> R-A/R-B; privilege-rollback-revised)
ONLY under standing sovereign rollback rule; route GPT/User. No self-fix,
no rendered-string re-interpretation.
4. Statements
- QG7: expected row counts + grant matrix updated for the revised package (8 tables/31 rows; SELECT-only ro/verify, SELECT+INSERT exec, no UPDATE, USAGE pre-existing). QG3/QG4 encoded as negative checks NPV-1/NPV-3. QG6: USAGE preflight in PRE-5. QG8: nothing executed.
- Catalog/data + hex-codepoint assertions; no pg_get_*def() string equality.
- Self-advance PROHIBITED — doc 5 of 6; STOP → route GPT/User.
Companion: seed-data-revised-draft, seed-rollback-revised-draft, privilege-grant-revised-draft, privilege-rollback-revised-draft, seed-privilege-revised-command-package-report.