KB-21C4

22-P3-P1 — IU Gateway Policy Keys + Canonical Marker Patch — Report (PASS)

Revision 1

Date: 2026-05-06 | Prompt: rev6 | Status: PASS — p3p2_readiness=READY

Executor: Opus (Claude Code) on VPS 38.242.240.89, container postgres, db directus

Pilot canonical_address: pilot.p3.p1.20260506-070623.cbb29036


1. Final Verdict (machine-readable)

patch_state=UNPATCHED
function_replace=EXECUTED
sql_exit=0
post_exit=0
post_commit_status=PASS
leak_status=PASS
gateway_keys=9
pilot=pilot.p3.p1.20260506-070623.cbb29036
phase_status=PASS
p3p2_readiness=READY

2. Scope executed

  • Policy keys seeded into public.dot_config (9 keys, idempotent UPSERT, all under iu_create.gateway.%).
  • fn_iu_create patched to set transaction-local GUC app.canonical_writer = 'fn_iu_create' via set_config(..., true). Marker emitted only on the canonical create path (after preflight + classify, before INSERT).
  • No trigger guard created (P3-P2 scope).
  • No GRANT/REVOKE, no role separation, no Directus changes, no cleanup, no DDL on data tables.

3. Preflight

| Check | Result |
|---|---|
| dot_config.key unique guard | constraint=1, index=1 (total=2) ✅ |
| Pre-existing iu_create.gateway.% duplicates | 0 ✅ |
| fn_iu_create source_hash_before | 5db9f7542c2e62e0cfefa01df43eb294 |
| prosecdef / provolatile | t / v |
| PATCH_STATE | UNPATCHED (clean install of marker) |

4. Transaction trace (single all-or-nothing BEGIN..COMMIT)

  1. CREATE TEMP TABLE _p3p1_trg_baseline ON COMMIT DROP — captured iu_triggers=4, uv_triggers=0.
  2. INSERT ... ON CONFLICT DO UPDATE 9 gateway policy keys.
  3. CREATE OR REPLACE FUNCTION public.fn_iu_create(...) — marker patch applied.
  4. Post-patch audit:
    • source_hash_after: 3017892a5ac605a6daeaa5348e2a6cdf
    • prosecdef=t, provolatile=v, config=search_path=pg_catalog, public
    • marker_check=MARKER_PRESENT
    • PUBLIC EXECUTE on fn_iu_create / fn_iu_create_plan: 0 ✅
    • directus has EXECUTE on both: ✅
  5. Pilot create + verify_invariants + idempotent re-call:
    • status=created, invariants_verified=true
    • information_unit = 1 row, unit_version = 1 row, birth_registry (collection=information_unit) = 1 row
    • Re-call returned status=exists_complete; row count remained 1 ✅
    • L1 birth-gate PILOT-ONLY warnings noted for P-pub1 / P-pub2 (informational, expected pre-production).
  6. Trigger drift guard: post = pre (IU=4, UV=0) ✅
  7. COMMIT.

5. Post-commit verification

| Check | Result |
|---|---|
| current_setting('app.canonical_writer', true) outside writer xact | (not set), LEAK_STATUS=PASS |
| fn_iu_verify_invariants(pilot) post-commit | all_pass=true, POST_STATUS=PASS |
| Required gateway keys present in dot_config | 9 / 9 |

6. Final table counts after commit

| Table | Count |
|---|---|
| information_unit | 3 |
| unit_version | 3 |
| birth_registry (information_unit) | 3 |

(Pre-existing rows + 1 new pilot from this run.)

7. Boundaries honored

  • ❌ No trigger guard (P3-P2)
  • ❌ No GRANT/REVOKE
  • ❌ No role separation
  • ❌ No Directus changes
  • ❌ No cleanup of pilot row
  • ❌ No DDL beyond function replace

8. Readiness for P3-P2

p3p2_readiness=READY. Gateway is in prepared mode: marker is set on the canonical path; direct INSERT remains permitted (policy block_after_guard). P3-P2 may now design and deploy the trigger guard that asserts current_setting('app.canonical_writer', true) = 'fn_iu_create' on information_unit / unit_version writes.
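
The marker-plus-guard pattern described above, shown on a throwaway table as an added example; it is not the project's fn_iu_create or its P3-P2 trigger, and every demo_* name is hypothetical. The script ends in ROLLBACK, so it leaves nothing behind.

```sql
-- Added illustration for PostgreSQL 11+. Every demo_* name is hypothetical;
-- only app.canonical_writer and 'fn_iu_create' are taken from the report.
BEGIN;
CREATE TABLE demo_unit (
    id   bigserial PRIMARY KEY,
    addr text NOT NULL UNIQUE
);

-- Guard: allow the write only while the transaction-local marker is set.
-- current_setting(name, true) yields NULL when the parameter was never set and
-- '' once an earlier local value has been reset, so compare with IS DISTINCT FROM.
CREATE FUNCTION demo_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF current_setting('app.canonical_writer', true) IS DISTINCT FROM 'fn_iu_create' THEN
        RAISE EXCEPTION 'write to % outside canonical writer', TG_TABLE_NAME
            USING ERRCODE = 'insufficient_privilege';
    END IF;
    RETURN NEW;
END $$;

CREATE TRIGGER demo_unit_guard BEFORE INSERT OR UPDATE ON demo_unit
    FOR EACH ROW EXECUTE FUNCTION demo_guard();

-- Stand-in for the canonical writer: set the marker, write, clear the marker.
-- is_local = true lasts until the end of the transaction, not the function,
-- so the explicit clear (an assumption, not stated in the report) keeps later
-- statements in the same transaction from inheriting it.
CREATE FUNCTION demo_create(p_addr text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    v_created boolean;
BEGIN
    PERFORM set_config('app.canonical_writer', 'fn_iu_create', true);
    INSERT INTO demo_unit (addr) VALUES (p_addr) ON CONFLICT (addr) DO NOTHING;
    v_created := FOUND;  -- capture before the next PERFORM overwrites FOUND
    PERFORM set_config('app.canonical_writer', '', true);
    RETURN CASE WHEN v_created THEN 'created' ELSE 'exists_complete' END;
END $$;

SELECT demo_create('demo.addr.1');
SELECT demo_create('demo.addr.1');  -- idempotent re-call of the same address

-- A direct INSERT carries no marker, so the guard raises.
SAVEPOINT direct_write;
INSERT INTO demo_unit (addr) VALUES ('demo.addr.2');
ROLLBACK TO SAVEPOINT direct_write;
ROLLBACK;
```

Any session can call set_config on a custom parameter, so a marker check of this kind catches accidental direct writes and does not replace EXECUTE and table privileges.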

9. Artifacts

  • VPS log: /tmp/22-p3-p1.20260506-070623.log (+ .sql companion).
  • Pilot row retained at canonical_address = pilot.p3.p1.20260506-070623.cbb29036 (cleanup out of scope).

22-P3-P1 rev6 executed 2026-05-06 07:06:23 UTC. PASS. Ready for P3-P2 design.
