teleo-infrastructure/docs/reports/leo-working-state-20260709/gcp-canonical-postgres-restore-preflight-current.md
2026-07-11 20:05:56 +02:00

40 lines
2.2 KiB
Markdown

# GCP Canonical Postgres Restore Preflight
Status: **local restore preflight passes; GCP restore and Cory replay are not proven**.
The canonical source is VPS Docker Postgres `teleo-pg/teleo`, not the legacy
SQLite pipeline database. A custom dump and full manifest were captured from
one exported, repeatable-read, read-only snapshot.
| Check | Result |
|---|---|
| Dump | 13,462,116 bytes; SHA-256 `055e9bcd8922dbbd8a600be627c5a8f2d4a1329b383c3d9f5c28f325f6db5756` |
| Dump catalog | 294 objects; 39 table-data objects; 113 constraints; 75 indexes |
| Full database | 39 tables; 52,164 rows |
| Row parity | 39/39 tables; zero count or row-hash mismatches |
| Catalog parity | schemas, columns/defaults, constraints, indexes, sequences, views, functions, triggers, types, policies, and extensions match |
| Role parity | required password-free `kb_apply` attributes match |
| Performance | four bounded claim/evidence/edge/proposal queries; zero threshold failures |
| Production safety | Leo PID `2999690`; `NRestarts=0`; state unchanged; no DB write; no Telegram send |
| Cleanup | all local disposable containers/volumes and remote temp files removed |
The first hash attempt correctly detected four apparent staging-table
mismatches that row counts missed. Investigation showed identical bytes ordered
under different libc collations. The production verifier now forces `COLLATE
"C"`, after which the exact exported snapshot restores with zero mismatches.
## GCP Gate
- `sa-artifact-builder` authenticates through GitHub WIF but is intentionally
Artifact Registry-only.
- `sa-teleo-readiness` and `sa-teleo-restore-drill` do not exist; token exchange
returns IAM 404.
- The privileged local/Console identity requires the operator's Google
password reauthentication.
- Direct SSH is closed because the current egress IP is not the configured
`/32`; IAP requires the same privileged authentication.
After legitimate authentication, the remaining canary is one bounded flow:
generated Cloud SQL database -> exact dump import -> manifest and private TLS
readback from staging compute -> no-send 34/34 Cory composition replay ->
delete generated database and object -> retain cleanup proof.