KB-53D8

GPT Review — Backup Fix Execution Gate A+D

Revision 1

Date: 2026-04-27
Scope: Review Opus BACKUP FIX EXECUTION GATE — OPTION A + D.

Verdict

PASS WITH REQUIRED PATCHES BEFORE AUTHORIZATION.

The gate is directionally correct and finally compact: restore backup integrity via narrow GRANT + backup script hardening, with no G6 retry and no unrelated mutation. However, because this gate includes production DDL and script mutation, several safety details must be patched before User authorization.

Law / constitutional check

| Rule | Result | Finding |
|---|---|---|
| Constitution / Zero Trust | PASS with patches | Need baseline capture and precise rollback to avoid over-revoking pre-existing privileges. |
| Đ32 | PASS with patches | GRANT/script patch remains gated; no execution yet. |
| Đ33 | PASS with patches | Production DDL/script mutation requires pre-check, action log, rollback, post-verify. |
| Đ35 / 100% DOT-AI | PASS | No manual human psql; Claude Code governed execution is acceptable if explicitly authorized. |
| Đ24 | PASS | No taxonomy/entity-label mutation. |

Required patches

  1. Fix authorization wording.
    The header says GPT R21 gate PASS, but GPT is reviewing this gate now. Change to GPT R21/R22 review: PENDING or similar until this review is applied. Keep User authorize: PENDING.

  2. Baseline privilege capture before GRANT.
    Before mutation, capture current schema/table/sequence privileges for directus. Rollback must reverse only newly introduced privileges where possible. Do not blindly revoke table/sequence privileges if some existed before.

  3. Exact rollback should include all granted objects.
    If using Option A exact SQL, rollback section should include schema, tables, and sequences. Prefer baseline-aware rollback, but at minimum list all reverse operations:

    • REVOKE USAGE ON SCHEMA sandbox_tac FROM directus;
    • REVOKE SELECT ON ALL TABLES IN SCHEMA sandbox_tac FROM directus;
    • REVOKE USAGE, SELECT ON ALL SEQUENCES IN SCHEMA sandbox_tac FROM directus;

  4. Backup script patch pre-checks are incomplete.
    Add before editing:

    • no backup job currently running;
    • disk space sufficient;
    • script owner/mode captured;
    • script snapshot copy created locally with SHA-256;
    • bash -n syntax check on original script if applicable.

  5. Script hardening must require bash -n after patch.
    Before running the backup script, verify the patched script's syntax and that its permissions/owner are unchanged or intentionally preserved.

  6. Post-verify should include failure-path hygiene.
    If the backup fails after the patch, verify that incomplete temp/current bad output is cleaned or quarantined and that the action log records no new 20-byte file marked as success.

  7. DOT/OR pre-check result should be recorded, not just performed.
    Action log must state whether a suitable registered DOT was found. If none, record DOT coverage gap and that this execution proceeded as a governed AI execution gate with explicit User/GPT authorization.

  8. Effort high is correct.
    Keep high. No need for xhigh if the gate is patched and scoped.
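
One way to script the snapshot, syntax and owner/mode checks from patches 4 and 5, as an added example that is not part of the reviewed gate or of Opus's script. It assumes GNU coreutils (`stat -c`, `sha256sum`); the function names and all paths are hypothetical and supplied by the caller, and the running-job check is left out because the gate's job name or lock mechanism is not given here.

```shell
#!/usr/bin/env bash
# Added example (not from the reviewed gate). Assumes GNU coreutils.
# All paths are caller-supplied placeholders; none come from the page.

# owner_mode <file>: print "user:group mode" so it can be compared after the patch.
owner_mode() { stat -c '%U:%G %a' "$1"; }

# file_sha256 <file>: print only the hex digest.
file_sha256() { sha256sum "$1" | awk '{print $1}'; }

# enough_space <dir> <min_kb>: succeed if <dir>'s filesystem has >= min_kb free.
enough_space() {
    local avail
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}') || return 1
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# snapshot_script <script> <snapshot_dir>: patch 4 pre-checks, run before any edit.
snapshot_script() {
    local script=$1 dir=$2
    [ -f "$script" ] || { echo "missing script: $script" >&2; return 1; }
    bash -n "$script" || { echo "original fails bash -n" >&2; return 1; }
    mkdir -p "$dir" || return 1
    cp -p "$script" "$dir/script.orig" || return 1
    owner_mode "$script" > "$dir/owner_mode" || return 1
    file_sha256 "$script" > "$dir/sha256" || return 1
}

# verify_patched <script> <snapshot_dir>: patch 5 checks, run before the backup run.
verify_patched() {
    local script=$1 dir=$2
    # The rollback source must still match the digest recorded at snapshot time.
    [ "$(file_sha256 "$dir/script.orig")" = "$(cat "$dir/sha256")" ] ||
        { echo "snapshot digest mismatch" >&2; return 1; }
    bash -n "$script" || { echo "patched script fails bash -n" >&2; return 1; }
    [ "$(owner_mode "$script")" = "$(cat "$dir/owner_mode")" ] ||
        { echo "owner/mode changed by patch" >&2; return 1; }
    file_sha256 "$script"   # digest of the patched script, for the action log
}
```

A non-zero return from either function is a stop condition for the gate; the digest printed by `verify_patched` belongs in the action log next to the snapshot digest.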

Direction

Opus should patch the A+D execution gate once with the above changes and then present the final authorization request. Do not dispatch Claude Code until the patched gate is reviewed/accepted by GPT/User. No GRANT, script patch, backup run, G6 retry, or PF-07 wrapper patch is authorized yet.