KB-1ED1

02 - O3 Read-only Access Discovery

Revision 1
dot-iu-cutter v0.6 O3 readonly production

Gate

G1 - discover existing read-only DB/KB access path without asking User for secrets.

Discovery result

Selected live read-only path: existing SSH/docker/psql operator path using DB role context_pack_readonly.

No secret value was requested, printed, or embedded into repo code. The repo implementation owns no host, DSN, password, container, or runtime ID.

Role evidence

The live probe ran inside a BEGIN READ ONLY / ROLLBACK transaction. Output:

{
  "role_is_read_only": true,
  "role": {
    "can_write_information_unit": false,
    "can_write_lifecycle_log": false,
    "can_write_unit_version": false,
    "database": "directus",
    "is_superuser": false,
    "transaction_read_only": true,
    "user": "context_pack_readonly"
  }
}

Governance schema access note

Earlier discovery showed context_pack_readonly has public read access but no cutter_governance schema usage. A more privileged role existed, but O3 selected the pure read-only role and classified governance access as inaccessible rather than using a write-capable path.
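
A probe of this shape can be written as a single PostgreSQL statement. The following is an added example, not the project's own probe code; it reproduces the keys shown under Role evidence and adds one key for the governance schema check described above. Assumptions: the three tables live in the public schema, and the key name can_use_cutter_governance is hypothetical.

```sql
-- Added example (not the project's probe). Run as the role under test,
-- e.g. context_pack_readonly, through the existing operator path.
-- Assumption: the three tables are in schema "public".
BEGIN READ ONLY;

WITH p AS (
  SELECT
    -- A comma-separated privilege list returns true if ANY listed
    -- privilege is held, so one call covers INSERT/UPDATE/DELETE.
    has_table_privilege('public.information_unit', 'INSERT, UPDATE, DELETE') AS w_iu,
    has_table_privilege('public.unit_version',     'INSERT, UPDATE, DELETE') AS w_uv,
    has_table_privilege('public.iu_lifecycle_log', 'INSERT, UPDATE, DELETE') AS w_ll,
    -- Schema-level check behind the governance access note.
    has_schema_privilege('cutter_governance', 'USAGE')                       AS gov,
    current_setting('is_superuser') = 'on'                                   AS su,
    -- This flag reflects the BEGIN READ ONLY above, not the role itself;
    -- the privilege checks are the evidence about the role.
    current_setting('transaction_read_only') = 'on'                          AS ro
)
SELECT jsonb_pretty(jsonb_build_object(
  'role_is_read_only', ro AND NOT su AND NOT (w_iu OR w_uv OR w_ll),
  'role', jsonb_build_object(
    'can_write_information_unit', w_iu,
    'can_write_lifecycle_log',    w_ll,
    'can_write_unit_version',     w_uv,
    'can_use_cutter_governance',  gov,   -- hypothetical key, not in the page's output
    'database',                   current_database(),
    'is_superuser',               su,
    'transaction_read_only',      ro,
    'user',                       current_user
  )
)) AS probe
FROM p;

-- Nothing was written, and ROLLBACK makes that explicit.
ROLLBACK;
```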

Safety classification

  • Read-only credential/role: PASS.
  • Transaction read-only: PASS.
  • No INSERT/UPDATE/DELETE privilege on information_unit, unit_version, iu_lifecycle_log: PASS.
  • No user-provided secret: PASS.
  • No repo hardcoded connection path: PASS.

Result

G1 PASS with documented limitation: governance details are not read by this pure read-only role; O3 live lifecycle survey still passes using public lifecycle tables and function catalog fingerprints.

knowledge/dev/laws/dieu44-trien-khai/v0.6-orchestrator-o3-live-readonly-discovery/02-readonly-access-discovery-2026-05-21.md