KB-2D1B
12 — Single Operator Command Bundle (hashes + canonical commands)
Revision 1
operator-bundle, hashes, commands, rollback, idempotent, 2026-06-03
Location: operator_bundle/. Channel: ssh contabo (root) → docker exec postgres psql -U workflow_admin -d directus.
File hashes (sha256)
| File | sha256 |
|---|---|
| 00_preflight_channel_check.sh | ef8dffedf97a1b768dd6df2db771ac52e5e0a0697deb75a8ee43bf8919f5ebaa |
| 01_apply_minimum_safety_net.sql | 20b379b43db2c98cac34829b013c81003f31d3acf91c68dc4cbab741bfed7af4 |
| 02_collect_dot_filesystem_inventory.sh | 14dd9463e120551a07728ba21d0bc7d31c392a6a63fda7de116ad6929c530853 |
| 03_load_dot_filesystem_inventory.sh | b3fbf2dbc23094501cd5237f0071fd7cc29effb025ebbd15339a8255707d6b69 |
| 04_run_birth_orphan_backfill_scan.sh | 13f3ea87a2f4dfaedb07ee81d63f4c3a460dcb5fce7283d55d650343b0c654fd |
| 05_run_rp_dot_preflight_guard.sh | 1f912523cd0df687b49375327472e829f339fabe1339b1f0e50f8b0c70f88833 |
| 06_export_evidence_bundle.sh | f769779bd2919b03df09168817859ea6f2201be7b2a53f50b984ef1299c82a3d |
| 99_rollback_minimum_safety_net.sql | 0a4e1acfedbb3f3a31d9842b6d8f003fefe708a8f23ef37ead1e68715525e9ee |
| README_RUN_ORDER.md | d266322fb15c4ea578bc7e010fad9420cb98a5a22816ef1831064f594f3fed6d |
| v_birth_backlog_triage.sql (optional) | 18eee14a26825560b57dc155fe8a063ada95fd8ff82627da4053bdeaee59deea |
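Every command below streams a local file into a root shell or into psql, so the local copies should match the table above before each run. The following is an added example, not part of the bundle or the original page: a shell function that reads a `| File | sha256 |` table like the one above from a saved copy of this page and checks each file in `operator_bundle/`. The name `verify_bundle` and the saved-page path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the operator bundle. verify_bundle is a
# hypothetical helper name; the table format is the one used on this page.
# Usage: verify_bundle <file-with-hash-table> <bundle_dir>
# Returns 0 only if at least one row was checked and every row passed.
# Rows marked "(optional)" may be absent, but must match when present.
verify_bundle() {
  table=$1; dir=$2; rc=0; checked=0
  while IFS='|' read -r _j1 name want _j2 || [ -n "$name$want" ]; do
    name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    want=$(printf '%s' "$want" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # Only rows whose second column is a 64-hex digest are manifest rows;
    # this skips the header, the |---| separator and any other text.
    printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$' || continue
    optional=0
    case $name in
      *' (optional)') optional=1; name=${name% (optional)} ;;
    esac
    # A manifest entry must be a plain file name, never a path.
    case $name in
      ''|.|..|*/*) echo "REJECT  '$name'"; rc=1; continue ;;
    esac
    if [ ! -f "$dir/$name" ]; then
      if [ "$optional" -eq 1 ]; then echo "SKIP    $name (optional, absent)"
      else echo "MISSING $name"; rc=1; fi
      continue
    fi
    actual=$( { sha256sum "$dir/$name" 2>/dev/null || shasum -a 256 "$dir/$name"; } | cut -d' ' -f1)
    checked=$((checked + 1))
    if [ "$actual" = "$want" ]; then echo "OK      $name"
    else echo "BAD     $name"; rc=1; fi
  done < "$table"
  # An empty or unparsable table must not count as "verified".
  [ "$checked" -gt 0 ] || { echo "no manifest rows checked" >&2; rc=1; }
  return "$rc"
}

# Run directly: ./verify_bundle.sh kb_page.md operator_bundle
if [ "$#" -eq 2 ]; then verify_bundle "$1" "$2"; fi
```

Chaining it in front of a canonical command (`verify_bundle kb_page.md operator_bundle && ssh ...`) keeps a modified or truncated script from reaching the host.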
Status of each step (this macro)
- 00, 01, 03, 04, 05, 06 — executed live this run (apply committed; snapshot loaded; guard proven exit 3).
- 99 — ready, not executed (net intentionally left live).
- 02 — alternative collector (TSV) for environments without on-box load.
- v_birth_backlog_triage.sql — packaged, not applied (optional read-only ledger view).
Canonical commands
Re-apply / refresh (idempotent, safe)
H=contabo
ssh $H 'docker exec -i -e PGCLIENTENCODING=UTF8 postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1' < operator_bundle/01_apply_minimum_safety_net.sql
ssh $H 'bash -s' < operator_bundle/03_load_dot_filesystem_inventory.sh
Expected: == APPLY COMPLETE == ; loaded=287 dot_prefixed=285 backups=76.
Run the gate (before any RP/DOT action)
ssh $H 'bash -s' < operator_bundle/05_run_rp_dot_preflight_guard.sh ; echo "rc=$?"
Expected now: prints 4 BLOCK rows; RESULT: BLOCKED; rc=3.
Read-only backlog scan
ssh $H 'bash -s' < operator_bundle/04_run_birth_orphan_backfill_scan.sh
Export evidence TSVs
ssh $H 'bash -s' < operator_bundle/06_export_evidence_bundle.sh # → /tmp/birth_evidence_*/
Rollback (full, reversible)
ssh $H 'docker exec -i -e PGCLIENTENCODING=UTF8 postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1' < operator_bundle/99_rollback_minimum_safety_net.sql
Expected: == ROLLBACK COMPLETE ==. Touches no business table.
Failure interpretation
| Symptom | Meaning | Action |
|---|---|---|
| rc=3 from 05 | guard BLOCKED (expected now) | do NOT run RP/DOT mutation |
| fs_snapshot_present=0 | snapshot empty/stale | re-run 03 |
| ERROR … does not exist on 05 | net not applied | run 01 |
| 03 prints loaded=0 | wrong path / not on VPS | check /opt/incomex/dot/bin |
| apply errors | schema drift | inspect; do not force |
WAF/KB note
Do not paste raw multi-statement rollback SQL into the KB if Cloudflare/WAF blocks it; the SQL files live on local disk and their sha256 hashes are recorded above.