One-Roof Nonprod Clone — 02 Clone Strategy & Creation
02 — Clone Strategy & Creation
Verdict: PASS — clone directus_gov_test_20260602 created, 0 dump/restore errors, fidelity proven.
Strategy: create a new database in the SAME production postgres instance and populate it with an in-container pg_dump | psql pipe.
Why over alternatives: a separate instance (e.g. the existing pg-restore-test container) was rejected because it lacks the in-instance roles the dump references and is someone else's container. CREATE DATABASE ... TEMPLATE directus was rejected because it requires zero connections to the template and directus is live. A schema/subset clone is unnecessary: the full clone is only 1.2GB and fits in the 24GB free, and a full clone guarantees byte-fidelity of every view/constraint/function.
Isolation: Postgres DBs are fully isolated, with no dblink/fdw; Directus binds only to directus; the MCP query_pg allowlist is locked to ['directus','incomex_metadata','workflow'] and physically refuses the clone ([DENIED] database not allowed).
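Creation commands executed, in order:
1. DROP DATABASE IF EXISTS (no stale clone existed)
2. CREATE DATABASE directus_gov_test_20260602 OWNER workflow_admin
3. docker exec postgres sh -c 'pg_dump -U workflow_admin -d directus | psql -U workflow_admin -d directus_gov_test_20260602 -v ON_ERROR_STOP=0 -q'
Channel: ssh contabo (root) → docker exec.
With ON_ERROR_STOP=0, psql continues past a failed statement instead of aborting, so the error counts in the Result are what establish a clean restore.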
Result: CREATE OK; pipe completed (PIPE_DONE; all sequences restored, incl. birth_registry 1,102,771); dump.err=0 lines, restore.err=0 lines, 0 ERROR/FATAL. Clone size 1200MB (prod 1296MB; the clone is smaller because it is a fresh, un-bloated restore).
Production safety during creation: pg_dump runs as a single read transaction that takes ACCESS SHARE locks only (standard backup behavior) and does not mutate production; the restore writes only to the new clone. This satisfies READ/BACKUP ONLY.
Drop/teardown: single statement (already proven by DROP DATABASE IF EXISTS at creation): docker exec postgres psql -U workflow_admin -d postgres -c "DROP DATABASE IF EXISTS directus_gov_test_20260602;".
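A guard for the creation and teardown steps above, as an added example that is not part of the original runbook: it refuses to build a DROP statement for anything that is not a clone name, and counts error lines in captured dump/restore stderr. The name pattern (inferred from the single clone name on the page), the addition of PostgreSQL's built-in databases to the protected list, and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guards for a clone that lives in the same instance as prod.
# PROTECTED_DBS = the three allowlisted databases from the page plus
# PostgreSQL's built-in ones (assumption: none may ever be a drop target).
PROTECTED_DBS="directus incomex_metadata workflow postgres template0 template1"

# is_clone_name NAME -> status 0 only for a well-formed, non-protected name.
is_clone_name() {
    for db in $PROTECTED_DBS; do
        if [ "$1" = "$db" ]; then return 1; fi
    done
    # Reject any byte outside [a-z0-9_] first, so quotes, spaces, ';' and
    # newlines can never reach the SQL text.
    case "$1" in *[!a-z0-9_]*) return 1 ;; esac
    # Assumed naming pattern: directus_gov_test_<YYYYMMDD>.
    printf '%s\n' "$1" | grep -Eq '^directus_gov_test_[0-9]{8}$'
}

# drop_stmt NAME -> prints the teardown SQL, or fails without printing SQL.
drop_stmt() {
    is_clone_name "$1" || { echo "refusing: '$1' is not a clone name" >&2; return 1; }
    printf 'DROP DATABASE IF EXISTS %s;\n' "$1"
}

# count_errors (reads stdin) -> number of lines carrying an error/fatal tag.
# Case-insensitive so it catches both "pg_dump: error:" and psql's "ERROR:".
# With ON_ERROR_STOP=0 psql does not abort on a failed statement, and a plain
# sh pipeline reports only psql's exit status, so this count is the signal.
count_errors() {
    grep -Eic '(error|fatal):' || true
}

# Constructed sample of captured restore stderr (not output from the page).
sample_log() {
    printf '%s\n' 'psql:<stdin>:41: ERROR:  role "app_reader" does not exist' \
                  'NOTICE:  table "t" does not exist, skipping'
}

# Demo: the page's clone name is accepted; the constructed log has one error.
drop_stmt directus_gov_test_20260602
echo "error lines: $(sample_log | count_errors)"
```

To apply the count to real captures, feed both files through it, e.g. `cat dump.err restore.err | count_errors`.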