KB-30B6
dot-iu-cutter v0.5 WS-Q5 — Privilege GRANT REVISED Draft (SELECT/INSERT only; no UPDATE(lifecycle); DO NOT EXECUTE)
Revision 1
Phase: v0_5_WS_Q5_seed_privilege_revised_command_package
Nature: command_package_revision_only / no_execution
Date: 2026-05-18
Authority: GPT command-review rulings OD-PV1 (defer UPDATE(lifecycle)), OD-PV2 (cutter_verify SELECT-only), OD-PV3 (USAGE recheck, add only if missing & explicitly listed), OD-PV4 (workflow_admin seed exec).
⚠️ GATING BANNER — DO NOT EXECUTE
phase: privilege_revision ; grant_executed: none ; revoke_executed: none   # QG8
grant_all: false ; public_grant: false ; owner_change: false   # QG3-style
update_lifecycle_grant: REMOVED (OD-PV1)   # QG3
cutter_verify: SELECT_only (OD-PV2)   # QG4
execution_authorized: false ; self_advance: PROHIBITED
decision_authority: GPT / User ONLY
0. Revision vs prior privilege-grant-draft
removed: ALL `GRANT UPDATE (lifecycle)` lines (8) — OD-PV1 DEFER_FROM_BATCH_1
kept: cutter_ro SELECT x12 ; cutter_exec SELECT+INSERT x12 ; cutter_verify SELECT x12 (OD-PV2 APPROVE_SELECT_ONLY)
added: explicit read-only schema USAGE preflight + conditional listed GRANT USAGE (OD-PV3) — NOT silently added
grant_statement_count: 36 (12 ro + 12 exec + 12 verify) ; column grants: 0
1. Schema USAGE preflight (READ-ONLY — run first; OD-PV3, QG6)
-- READ-ONLY check (no mutation). Re-run immediately before any GRANT exec.
SELECT r AS role, has_schema_privilege(r,'cutter_governance','USAGE') AS has_usage
FROM (VALUES ('cutter_ro'),('cutter_exec'),('cutter_verify')) v(r);
observed_2026-05-18 (read-only, this revision phase):
cutter_ro USAGE = true
cutter_exec USAGE = true
cutter_verify USAGE = true
(CREATE = false for all 3 — correct; owner cutter_governance = workflow_admin)
ruling_application (OD-PV3):
USAGE already present for all 3 -> NO `GRANT USAGE` proposed/needed.
§2 below is the EXPLICITLY-LISTED conditional command that is to be run
ONLY IF the execution-time preflight shows USAGE missing for a role.
It is NOT silently added; it is gated on the preflight result.
2. Conditional schema USAGE GRANT — listed, NOT active (run ONLY if preflight shows missing)
-- ⚠ DO NOT RUN unless §1 preflight at execution time returns has_usage=false
-- for that specific role. As of 2026-05-18 ALL three already have USAGE, so
-- this block is INERT. Listed explicitly per OD-PV3 (no silent USAGE add).
-- GRANT USAGE ON SCHEMA cutter_governance TO cutter_ro; -- only if missing
-- GRANT USAGE ON SCHEMA cutter_governance TO cutter_exec; -- only if missing
-- GRANT USAGE ON SCHEMA cutter_governance TO cutter_verify; -- only if missing
3. GRANT draft — 12 new tables only (DO NOT EXECUTE)
-- ============================================================================
-- WS-Q5 PRIVILEGE GRANT (REVISED). 12 new tables only. No GRANT ALL / PUBLIC /
-- owner change / WITH GRANT OPTION / column UPDATE. DO NOT EXECUTE w/o sovereign approval.
-- ============================================================================
-- 3.1 cutter_ro — SELECT x12 (read role)
GRANT SELECT ON cutter_governance.matcher_config_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.address_template_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile_level TO cutter_ro;
GRANT SELECT ON cutter_governance.grammar_profile_status_marker TO cutter_ro;
GRANT SELECT ON cutter_governance.source_family_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.source_document_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.source_document_version_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.entity_kind_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.entity_reference_registry TO cutter_ro;
GRANT SELECT ON cutter_governance.authority_override TO cutter_ro;
GRANT SELECT ON cutter_governance.metadata_key_registry TO cutter_ro;
-- 3.2 cutter_exec — SELECT, INSERT x12 (executor/write; NO UPDATE/DELETE/TRUNCATE)
GRANT SELECT, INSERT ON cutter_governance.matcher_config_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.address_template_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile_level TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.grammar_profile_status_marker TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_family_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_document_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.source_document_version_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.entity_kind_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.entity_reference_registry TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.authority_override TO cutter_exec;
GRANT SELECT, INSERT ON cutter_governance.metadata_key_registry TO cutter_exec;
-- 3.3 cutter_verify — SELECT x12 ONLY (OD-PV2; no verify-write this batch)
GRANT SELECT ON cutter_governance.matcher_config_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.address_template_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile_level TO cutter_verify;
GRANT SELECT ON cutter_governance.grammar_profile_status_marker TO cutter_verify;
GRANT SELECT ON cutter_governance.source_family_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.source_document_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.source_document_version_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.entity_kind_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.entity_reference_registry TO cutter_verify;
GRANT SELECT ON cutter_governance.authority_override TO cutter_verify;
GRANT SELECT ON cutter_governance.metadata_key_registry TO cutter_verify;
-- NO UPDATE(lifecycle) (OD-PV1 deferred). NO action on directus (pre-existing
-- SELECT, unchanged) or workflow_admin (owner). NO USAGE grant (already held).
4. Revised privilege matrix (authoritative for verification)
cutter_ro : SELECT x 12 tables
cutter_exec : SELECT, INSERT x 12 tables
cutter_verify : SELECT x 12 tables
column_grants : NONE (UPDATE(lifecycle) DEFERRED — OD-PV1)
schema_USAGE : already present (cutter_ro/exec/verify) -> NO grant issued
NOT granted : UPDATE (any), DELETE, TRUNCATE, REFERENCES, TRIGGER,
GRANT ALL, PUBLIC, WITH GRANT OPTION, owner/role change
directus : unchanged (pre-existing SELECT)
workflow_admin : unchanged (owner)
seed_exec_role: workflow_admin (OD-PV4 — used to run seed, not via cutter_exec)
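A read-only check of the §4 matrix against live catalog state, added here as an example; it is not part of the command package and not the dot-iu-cutter project's own code. It assumes PostgreSQL, the schema cutter_governance, and the three roles and twelve tables named in §3 and §4. It issues no GRANT or REVOKE, so it fits the QG8 "nothing executed" posture and can be run both before §3 (to confirm the grants are still absent) and after §3 (to confirm the matrix and nothing more):

```sql
-- Added verification example (not part of the command package; read-only).
-- Assumes PostgreSQL, schema cutter_governance, and the roles/tables of §3/§4.

-- (a) Table-level cells of the matrix: report only cells that deviate from §4
--     or that carry WITH GRANT OPTION. has_table_privilege() counts privileges
--     inherited through role membership or via PUBLIC, so an UPDATE reached
--     through an inherited role would also surface here as a MISMATCH.
WITH roles(role_name, expected_privs) AS (
  VALUES ('cutter_ro',     ARRAY['SELECT']),
         ('cutter_exec',   ARRAY['SELECT', 'INSERT']),
         ('cutter_verify', ARRAY['SELECT'])
),
tables(table_name) AS (
  VALUES ('matcher_config_registry'), ('address_template_registry'),
         ('grammar_profile'), ('grammar_profile_level'),
         ('grammar_profile_status_marker'), ('source_family_registry'),
         ('source_document_registry'), ('source_document_version_registry'),
         ('entity_kind_registry'), ('entity_reference_registry'),
         ('authority_override'), ('metadata_key_registry')
),
privs(priv) AS (
  VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'),
         ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')
),
observed AS (
  SELECT r.role_name, t.table_name, p.priv,
         has_table_privilege(r.role_name,
                             format('cutter_governance.%I', t.table_name),
                             p.priv) AS has_priv,
         has_table_privilege(r.role_name,
                             format('cutter_governance.%I', t.table_name),
                             p.priv || ' WITH GRANT OPTION') AS grant_option,
         (p.priv = ANY (r.expected_privs)) AS expected
  FROM roles r CROSS JOIN tables t CROSS JOIN privs p
)
SELECT role_name, table_name, priv, has_priv, expected, grant_option,
       CASE WHEN has_priv <> expected THEN 'MISMATCH'
            WHEN grant_option          THEN 'GRANT_OPTION_PRESENT'
       END AS finding
FROM observed
WHERE has_priv <> expected OR grant_option
ORDER BY role_name, table_name, priv;
-- After §3 is applied exactly as drafted: zero rows.
-- Before §3 is applied (and with no pre-existing grants): 48 rows, one per
-- expected cell (12 + 24 + 12), each with has_priv = false.

-- (b) Column-level ACLs on the schema's tables must be absent (matrix:
--     column_grants NONE; UPDATE(lifecycle) deferred under OD-PV1).
--     pg_attribute.attacl is NULL when no column-level grant exists, so
--     every row returned is a finding.
SELECT c.relname AS table_name, a.attname AS column_name, a.attacl
FROM pg_attribute a
JOIN pg_class     c ON c.oid = a.attrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'cutter_governance'
  AND a.attnum > 0 AND NOT a.attisdropped
  AND a.attacl IS NOT NULL
ORDER BY c.relname, a.attnum;

-- (c) No table in the schema may carry a PUBLIC grant or a grantable
--     privilege (matrix: NOT granted PUBLIC / WITH GRANT OPTION). aclexplode()
--     expands the stored ACL; grantee OID 0 denotes PUBLIC. The owner is
--     excluded because it holds grant option implicitly.
SELECT c.relname AS table_name,
       CASE WHEN acl.grantee = 0 THEN 'PUBLIC'
            ELSE acl.grantee::regrole::text END AS grantee,
       acl.privilege_type, acl.is_grantable
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) AS acl
WHERE n.nspname = 'cutter_governance'
  AND c.relkind IN ('r', 'p')
  AND acl.grantee <> c.relowner
  AND (acl.grantee = 0 OR acl.is_grantable)
ORDER BY c.relname, grantee;
-- Expected in both the pre- and post-§3 state: zero rows.
```

Run it as workflow_admin (the schema owner per §1) or any role with catalog read access. Two caveats: has_table_privilege() raises an error rather than returning false if a named role or table does not exist, so query (a) cannot be used before the twelve tables' DDL has been applied; and because it resolves inherited privileges, a clean result for the three roles does not by itself prove the stored ACLs are minimal, which is why (b) and (c) read pg_attribute.attacl and pg_class.relacl directly.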
5. Open decisions still deferred
OD-PV1 UPDATE(lifecycle) deferred to a SEPARATE later privilege cycle when
lifecycle retirement/compensation is operationalized (not batch 1).
OD-PV3 USAGE: present now; conditional grant listed (§2) but inert.
no item self-resolved; execution remains separately gated.
6. Statements
- QG3: no GRANT ALL/PUBLIC/owner change; UPDATE(lifecycle) removed. QG4: cutter_verify SELECT-only. QG6: schema USAGE handled explicitly (read-only preflight + observed present + conditional listed grant, never silent). QG8: nothing executed.
- No DML, no schema ALTER, no Directus, no CUT/VERIFY, no deploy, no git commit, no self-advance.
- Self-advance PROHIBITED — doc 3 of 6; STOP → route GPT/User.
Companion: seed-data-revised-draft, seed-rollback-revised-draft, privilege-rollback-revised-draft, seed-privilege-revised-verification-plan, seed-privilege-revised-command-package-report.