KB-262E

O8C real-DB rollback-only proof readiness (Contabo) — 04-real-db-rollback-proof-design

Revision 1
Tags: dieu44 · iu-cutter · v0.6 · o8c · real-db-rollback-proof · milestone-ratify · live-execution-wiring · contabo

O8C Report 04 — Real-DB rollback-only proof design (G3)

  • macro: v0.6-o8c-real-db-rollback-proof-readiness
  • date_utc: 2026-05-21 · host: vmi3080463 (Contabo)
  • gate covered: G3 real-DB rollback-only proof design
  • result: G3 PASS — a safe, no-persistence proof path exists and is locked

1. Objective

Prove the deployed ProductionLiveExecutionAdapter can reach the real production database in a rollback-only transaction — without persistent mutation and without flipping the kill-switch.

2. Safe DB role / path already present (no secret hunting, no new secret)

/opt/incomex/docker/.env already carries dedicated, least-privilege cutter credentials — the production-intended wiring for the adapter's connection_provider:

DOT_CUTTER_DB_NAME      = directus
DOT_CUTTER_DB_PORT      = 5432            # container 'postgres' published 127.0.0.1:5432
DOT_CUTTER_DB_SSLMODE   = disable
DOT_CUTTER_EXEC_DB_USER   = cutter_exec   + DOT_CUTTER_EXEC_DB_PASSWORD   (40 chars)
DOT_CUTTER_VERIFY_DB_USER = cutter_verify + DOT_CUTTER_VERIFY_DB_PASSWORD (40 chars)

cutter_exec / cutter_verify exist as real DB roles and map exactly to the adapter's PRINCIPAL_EXEC / PRINCIPAL_VERIFY. Credentials are read from the .env at runtime and never printed / logged.

3. Hard constraint discovered — the kill-switch gates the whole adapter

Every one of the 6 ProductionLiveExecutionAdapter methods calls _assert_live_allowedrefuse_if_killswitch_off on its first line. With __execution_enabled__ = False (which O8C must not change), no adapter method body can reach a DB connection at all. Therefore the proof's faithful boundary is:

Layer                                             Provable in O8C (kill-switch OFF)
Kill-switch gate (all 6 methods)                  YES — refuses before any connect
connection_provider collaborator seam → real DB   YES — invoke the seam directly
Exact SQL contracts the method bodies emit        YES — run them via the adapter's own connection, in a rollback-only txn
Method bodies end-to-end vs. the live DB          NO  — requires a sovereign kill-switch flip (GAP-7); that is the F1 residue
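The PROOF-2 method from the table (every gated method refuses before the connection seam is touched) as an added example; this is not the adapter's or the report's code. `LiveAdapter`, `require_live_enabled`, `CountingProvider` and `LiveExecutionRefused` are hypothetical stand-ins for the deployed ProductionLiveExecutionAdapter's gate and connection_provider seam, and only two of the six live methods are modelled. The spy provider makes the proof loud: if any method body reaches the seam with the kill-switch OFF, the run fails rather than silently counting.

```python
"""Kill-switch gate proof (added example; hypothetical names, see lead-in)."""
import functools


class LiveExecutionRefused(RuntimeError):
    """Raised by the gate; nothing after the gate line of a method runs."""


def require_live_enabled(method):
    """Gate placed as the first thing every live method does (stand-in for the adapter's own)."""
    @functools.wraps(method)
    def gated(self, *args, **kwargs):
        if not self.__execution_enabled__:
            raise LiveExecutionRefused(f"{method.__name__}: kill-switch OFF")
        return method(self, *args, **kwargs)
    return gated


class CountingProvider:
    """Spy for the connection_provider seam: counts connects and never opens a real DB."""

    def __init__(self):
        self.connects = 0

    def __call__(self, principal):
        self.connects += 1
        # Reaching here with the switch OFF is a proof failure, so fail loudly.
        raise AssertionError(f"connect({principal!r}) was reached past the gate")


class LiveAdapter:
    __execution_enabled__ = False          # the kill-switch O8C must not flip

    def __init__(self, connection_provider):
        self._connect = connection_provider

    @require_live_enabled
    def cut_leg_a(self, payload):          # hypothetical method; body's first act is the connect
        return self._connect("cutter_exec")

    @require_live_enabled
    def verify_leg_a(self, iu_id):         # hypothetical method
        return self._connect("cutter_verify")


LIVE_METHODS = ("cut_leg_a", "verify_leg_a")   # the real adapter has 6; two are modelled here


def prove_refused_before_connect(adapter, method_names, provider):
    """Return {method: refused?}; raise if the seam was reached even once."""
    outcome = {}
    for name in method_names:
        try:
            getattr(adapter, name)(None)
            outcome[name] = False
        except LiveExecutionRefused:
            outcome[name] = True
    if provider.connects != 0:
        raise AssertionError(f"{provider.connects} connect(s) reached the seam")
    return outcome


def run_proof2():
    """PROOF-2 on the toy adapter: every method refused, zero connects."""
    provider = CountingProvider()
    adapter = LiveAdapter(provider)
    return prove_refused_before_connect(adapter, LIVE_METHODS, provider), provider.connects


def connects_when_enabled():
    """Contrast case (instance-local flag on a toy, not a real flip): the seam is the body's
    very next act, which is why the method bodies stay unprovable while the switch is OFF."""
    provider = CountingProvider()
    adapter = LiveAdapter(provider)
    adapter.__execution_enabled__ = True
    try:
        adapter.cut_leg_a(None)
    except AssertionError:
        pass
    return provider.connects
```

`run_proof2()` is the shape of PROOF-2: the result dictionary must be all `True` and the connect count must be 0 for every gated method, with the real adapter and its real connection_provider substituted for the stand-ins.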

4. Zero-persistence safety analysis of fn_iu_create

public.fn_iu_create source (pg_proc.prosrc, 5443 chars, plpgsql) was inspected:

language:            plpgsql FUNCTION  -> cannot COMMIT; runs in caller txn
nextval / setval:    NONE in source
PK generation:       v_iu_id := gen_random_uuid(); v_uv_id := gen_random_uuid()
mutation surface:    INSERT information_unit, INSERT unit_version,
                     UPDATE information_unit anchors   (all UUID-keyed, no sequence)
set_config:          set_config('app.canonical_writer','fn_iu_create',true)
                     -> third arg true => transaction-local => discarded on ROLLBACK
advisory lock:       pg_advisory_xact_lock -> released at txn end

⇒ A fn_iu_create call inside a transaction that is ROLLED BACK leaves zero rows and zero sequence advancement — verifiably no persistent mutation. (Sequence advances are the one side effect a ROLLBACK would not undo, which is why the nextval / setval scan above is the decisive check.)

5. Rollback-only transaction definition

conn = adapter._connect("cutter_exec")        # the adapter's own seam
conn.execute("BEGIN")
  count(information_unit)                       # in-txn before
  SELECT public.fn_iu_create(%s × 9)            # the EXACT cut_leg_a statement
  count(information_unit)                       # in-txn after (expect +1)
conn.execute("ROLLBACK")  +  conn.rollback()    # UNCONDITIONAL — never COMMIT

Before / after row-count probes: an independent full-privilege snapshot of the adapter's 9 documented mutation-surface tables (docker exec postgres psql -U workflow_admin, run as a separate process and connection), plus an independent read-only re-count via the query_pg MCP tool.

6. psycopg2 → psycopg3 shim (an F1 finding)

The deployed adapter expects a psycopg v3-style connection (conn.execute(sql, params) -> cursor), but this host has only psycopg2 2.9.11. The proof injects a thin Pg3Conn facade (the psycopg3 API over a psycopg2 connection). A production connection_provider must do the same or install psycopg3; this is recorded as part of F1 (Report 06).
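The rollback-only transaction of section 5 together with the psycopg3-over-psycopg2 facade of section 6, as an added example; this is not the report's own Pg3Conn or proof script. Assumptions: `Pg3Conn` is a hypothetical re-implementation of the thin shim the report describes, and sqlite3 stands in for psycopg2 because both expose the DB-API 2.0 connection shape (cursor() / commit() / rollback()), so the block runs offline. Against Postgres the placeholder is %s rather than ?, and the probe statement would be the adapter's exact fn_iu_create call. The facade also refuses any COMMIT (SQL or driver-level) while a rollback-only scope is open, so "never COMMIT" is enforced rather than relied on.

```python
"""Rollback-only runner plus psycopg3-style facade (added example; hypothetical, see lead-in)."""
import sqlite3
from contextlib import contextmanager

MUTATION_SURFACE = ("information_unit", "unit_version")   # tables whose counts we probe


class CommitRefused(RuntimeError):
    """Any COMMIT inside a rollback-only scope is a proof failure, not a warning."""


class Pg3Conn:
    """psycopg3-style execute(sql, params) -> cursor over a DB-API 2.0 connection."""

    def __init__(self, raw):
        self._raw = raw
        self.rollback_only = False

    def execute(self, sql, params=None):
        first = sql.strip().split(None, 1)[0].upper() if sql.strip() else ""
        if self.rollback_only and first in ("COMMIT", "END"):
            raise CommitRefused(f"refusing {first!r} inside a rollback-only transaction")
        cur = self._raw.cursor()
        cur.execute(sql, params or ())
        return cur

    def commit(self):
        if self.rollback_only:
            raise CommitRefused("refusing commit() inside a rollback-only transaction")
        self._raw.commit()

    def rollback(self):
        self._raw.rollback()


@contextmanager
def rollback_only(conn):
    """BEGIN, yield the connection, then ROLLBACK unconditionally, even on exceptions."""
    conn.rollback_only = True
    conn.execute("BEGIN")
    try:
        yield conn
    finally:
        conn.execute("ROLLBACK")   # SQL-level rollback ...
        conn.rollback()            # ... plus driver-level rollback, belt and braces as in the report
        conn.rollback_only = False


def count_rows(conn, table):
    if table not in MUTATION_SURFACE:        # identifiers come from a fixed allowlist only
        raise ValueError(table)
    return conn.execute(f"SELECT count(*) FROM {table}").fetchone()[0]


def run_probe(conn, table, probe_sql, params):
    """Return (before, inside_txn, after_rollback) counts; inside must be before + 1."""
    before = count_rows(conn, table)
    with rollback_only(conn):
        conn.execute(probe_sql, params)
        inside = count_rows(conn, table)
    after = count_rows(conn, table)
    return before, inside, after


def open_stand_in():
    """Constructed stand-in schema: one mutation-surface table with one seed row."""
    raw = sqlite3.connect(":memory:", isolation_level=None)  # no implicit BEGIN: we own the txn
    raw.execute("CREATE TABLE information_unit (id TEXT PRIMARY KEY, title TEXT)")
    raw.execute("INSERT INTO information_unit VALUES ('seed-1', 'existing row')")
    return Pg3Conn(raw)


def demo_probe():
    conn = open_stand_in()
    return run_probe(conn, "information_unit",
                     "INSERT INTO information_unit VALUES (?, ?)",  # ? is sqlite's placeholder,
                     ("probe-uuid", "probe row"))                   # %s under psycopg2


def commit_is_refused():
    """An attempted COMMIT inside the scope is refused and the scope still rolls back."""
    conn = open_stand_in()
    try:
        with rollback_only(conn):
            conn.execute("COMMIT")
    except CommitRefused:
        return count_rows(conn, "information_unit") == 1   # nothing persisted
    return False
```

The in-transaction count is the only place a +1 may appear; before and after must agree, exactly as PROOF-5 and PROOF-7 require, and the authoritative check remains the independent full-privilege snapshot taken from a separate connection.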

7. Proof matrix (9 checks)

PROOF-1  kill-switch OFF
PROOF-2  all 6 adapter methods refused before any DB connect (real DB wired)
PROOF-3  require_live_adapter: real adapter accepted, every non-adapter refused
PROOF-4  connection_provider seam reaches the REAL directus DB (cutter_exec/verify)
PROOF-5  rollback-only txn runs the adapter's exact fn_iu_create contract
PROOF-6  adapter verify-path SQL valid on the real schema (cutter_verify)
PROOF-7  all 9 mutation-surface row counts unchanged (authoritative snapshot)
PROOF-8  post-proof counts still equal the O8B-retry Report-07 baseline
PROOF-9  kill-switch STILL OFF after the proof

8. G3 verdict

safe_role_path:        cutter_exec / cutter_verify via DOT_CUTTER_* .env  — present
secret_logging:        none — credentials read at runtime, never emitted
rollback_only_txn:     defined — unconditional ROLLBACK, never COMMIT
persistence_risk:      none — fn_iu_create is sequence-free + UUID-keyed + plpgsql
proof_executable:      YES (executed in Report 05)
g3:                    PASS

Source path: knowledge/dev/laws/dieu44-trien-khai/v0.6-o8c-real-db-rollback-proof-readiness/04-real-db-rollback-proof-design.md