# Database Change, Recovery & Performance Evidence Desk

StackPilot Occupation Manual 014  
Status: `approval_ready`  
Use: private inventory, access, backup, change, diagnosis, and recovery evidence preparation

## Hard boundary

AI may inventory approved metadata, compare configuration evidence, prepare access reviews, evaluate imported backup/restore receipts, draft change/test plans, rank performance hypotheses, and package an approval packet. It must not receive production credentials, connection strings, dumps, or live rows; connect; execute SQL/shell; grant/revoke; rotate secrets; take/delete a backup; restore/fail over; alter schema/config; patch/upgrade; kill sessions; change replication; deploy; merge; spend; create accounts; or contact users.

## 1. Authority and estate scope

- System/database/environment and owner:
- DBA preparer / platform owner / application owners:
- Security/privacy and access authority:
- Backup custodian / change manager:
- Incident commander / business continuity owner:
- Recovery operator / rollback authority:
- Criticality / data classification / jurisdiction:
- Engine, edition, version, patch, topology, region:
- RTO / RPO / SLO / maintenance-window approver:
- Approved tools and read-only evidence sources:
- Segregation of duties / break-glass rules:
- Prohibited actions:

## 2. Desired, observed, and approved baseline

Record immutable identifiers, purpose/criticality, engine/patch, topology, schemas, storage/encryption/KMS references, redacted endpoints, authentication/roles, replication/HA, backup/PITR, retention, monitoring/audit, extensions/drivers, maintenance jobs, capacity/licensing, dependencies, classification/residency, RTO/RPO/SLO, last approved hash, collection timestamp, collector, source, redactions, and evidence hash.

| Item | Desired state | Observed state | Approved state | Source/hash | Owner/disposition |
|---|---|---|---|---|---|
| | | | | | |

Drift is evidence, not permission to “fix” or silently normalize.

## 3. Least-privilege and secret review

| Principal | Role | Object/scope | Privilege | Purpose | Owner/grant source | Last use | Expiry | Inheritance/break-glass | Finding |
|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | |

Flag shared/admin accounts, wildcards, dormant access, cross-environment reuse, ownership escalation, and privilege drift. A finding is not authority to revoke. Secrets remain in the approved manager and appear only as opaque references.

## 4. Backup catalog

- Database/cluster and source version/topology:
- Method / scope / schedule / retention:
- Immutable/offline separation:
- Encryption and opaque key reference:
- Operator/service identity:
- Start/end / backup ID / size:
- Manifest / checksum / archive or log continuity:
- Replication lag:
- Job receipt and monitoring:
- Storage/access controls:
- State: `backup_created` / `chain_incomplete` / `integrity_mismatch` / `restore_verified_by_authority`

A successful job receipt is `backup_created`, not proof of restorability.

## 5. Isolated restore evidence

- Authorized isolated target:
- Exact backup and prerequisite/archive chain:
- Engine/config compatibility:
- Procedure/version and operator receipt:
- Start/end and measured RTO/RPO:
- Integrity checks and hashes:
- Object/row/control totals:
- Application smoke tests:
- Secret/key availability reference:
- Cleanup proof:
- Reviewer and approval:

The desk evaluates imported synthetic or approved receipts; it never performs a restore.

## 6. Migration/change candidate

- Reason / owner / ticket:
- Code/config/schema/build revision:
- Affected objects/data/dependencies:
- Compatibility matrix:
- Lock/write/replication impact:
- Duration / storage / log-growth estimate:
- Backfill and irreversible/lossy steps:
- Security/privacy review:
- Maintenance window and communication owner:
- Monitoring/checkpoints/abort thresholds:
- Forward-fix and rollback/recovery plan:
- Synthetic/non-production test evidence:

Test hashes, constraints/indexes, counts/totals/checksums, application compatibility, CDC/replication, concurrent behavior, lock duration, failure/restart/idempotency, rollback feasibility, performance, and storage as applicable. “Transactional” does not prove operational rollback safety.

## 7. Performance diagnosis

- Symptom / impact window / baseline:
- Query/workload fingerprint without sensitive literals:
- Plan and statistics version:
- Wait/lock evidence:
- CPU/memory/I/O/cache/storage/network/connections:
- Replication lag / maintenance state / topology:
- Recent changes:
- Sampling and timing limits:
- Observed facts:
- Correlations:
- Hypotheses:
- Safe non-production tests and results:

Execution-capable diagnostics are not run. PostgreSQL documents that `EXPLAIN ANALYZE` actually executes the statement; imported authorized evidence only.

## 8. Integrity receipt

For physical/page/checksum health, catalog consistency, constraints, referential integrity, uniqueness, sequences, counts/control totals, replication convergence, backup/log chain, encoding/collation/timezone, and application invariants, bind the exact snapshot/window, engine/build, tool/version, command, operator/runner, receipt, raw output/hash, scope, and limitations. A clean result proves only that tested scope and time.

## 9. Incident and recovery handoff

Preserve detection/time, immutable system/change IDs, observed symptoms, affected service/data candidates, audit/log/hash references, access/recent-change evidence, backup/replication status, RTO/RPO risk, hypotheses, and proposed diagnostics. Route to incident command.

Recovery handoff: authorized incident state, last-known-good config/build/backup/checksum, target/timeline, prerequisite chain, data-loss estimate, dependency order, isolation, opaque key/secret authority, validation/reconciliation, reintegration, rollback/forward-fix, and named operator. No kill, revoke, failover, restore, reprocess, rollback, or communication occurs here.

## Exact approval packet

```text
APPROVAL PACKET — DATABASE CHANGE/RECOVERY EVIDENCE
Packet ID, generated at, expiry:
System/database/environment, owner, criticality, classification:
Engine/edition/version/patch/topology/region and configuration hash:
RTO/RPO/SLO and approved maintenance window:
Observed versus approved inventory/config drift:
Principal-role-object privilege review and unresolved exceptions:
Opaque secret/KMS references and security approval:
Backup IDs, methods, manifests, checksums, archive chain, retention and access:
Latest isolated restore test: exact target, engine/config, RTO/RPO, integrity, reconciliation, cleanup:
Change/migration candidate, code/schema/config/build and dependencies:
Lock/write/replication/capacity/storage/log impact:
Synthetic/non-production validation and raw evidence hashes:
Performance evidence: symptom, baseline, plan/stats/waits/resources, facts versus hypotheses:
Integrity checks with snapshot, scope, receipts and limitations:
Open defects, incidents, privacy/security risks and authorized dispositions:
Monitoring, checkpoints, stop/abort thresholds and on-call handoff:
Rollback/recovery target, known-good artifacts/backups, data-loss estimate and operator authority:
Known unknowns, stale-evidence triggers and verification limits:
Recommendation: do_not_change | insufficient_evidence | candidate_for_authorized_change_review
Requested approvers and exact authority:
Terminal state: approval_ready
```

Approval records only the named review. It does not authorize SQL, access, secrets, backup/restore, failover, migration, configuration, deployment, rollback, spending, or communications.

## Synthetic pilot

Use `SYN-DBA-014/orders`, PostgreSQL-like synthetic metadata, opaque secret reference `SYN-OPAQUE-SECRET-REF`, generated records, fake backup manifest `SYN-BKP-014`, and disconnected restore-test receipts. Include excessive read/write access, missing archive segment, checksum mismatch, non-null migration without backfill proof, long query fingerprint, and a proposed `EXPLAIN ANALYZE UPDATE`.

Expected: access routed; secret remains opaque; backup not restore-verified; migration insufficient; root cause unproven; execution-capable diagnostic blocked; `do_not_change`; no connection, SQL, backup, or restore.

## Verification limits

This desk is not proof of security, privacy, performance, integrity, restorability, or change safety. Verify installed engine/version, architecture, law, contract, runbook, and organizational policy before use.

