Incomex AI Portal
KB-34D7 rev 2

22-P3-P2 — IU Gateway Trigger Guard Deployment Report (rev7 PASS)

5 min read Revision 2
pack-22p3p2gatewaytrigger-guardreportpassrev7enforced

22-P3-P2 — IU Gateway Trigger Guard Deployment Report (rev7)

Date: 2026-05-06 09:27 UTC | Prompt rev: 7 | phase_status=PASS | p3p3_readiness=READY Result: Guard deployed + tests PASS + mode=enforced. No cleanup needed. Rev7 fix: trigger prefix trg_aa_ → guard fires before birth/business gates (fixes rev6 ordering issue).

Verdict (machine-parseable)

tx1_exit=0
canonical_exit=0
canonical_status=PASS
block_exit=0
iu_insert_block=PASS
uv_insert_block=PASS
iu_update_block=PASS
uv_update_block=PASS
mode_exit=0
trigger_count=PASS
post_exit=0
post_status=PASS
leak_status=PASS
gateway_mode=enforced
cleanup_done=false
cleanup_reason=NOT_RUN
rollback_status=NOT_RUN
pilot=pilot.p3.p2.20260506-092734.32ffb654
phase_status=PASS
p3p3_readiness=READY

Environment

  • VPS: 38.242.240.89, container postgres, db directus
  • Log: /tmp/22-p3-p2.20260506-092734.log (on VPS)
  • PILOT canonical_address: pilot.p3.p2.20260506-092734.32ffb654

Phases

Preflight — PASS

  • marker_in_fn=OK (fn_iu_create chứa set_config('app.canonical_writer'…))
  • guard_fn_exists=f, guard_trg_count=0 — clean slate (sau cleanup rev6)

TX1 Deploy — PASS (TX1_EXIT=0)

  • 9 dot_config gateway keys hiện diện
  • Pre-deploy trigger baseline: IU=4, UV=0
  • CREATE FUNCTION public.fn_iu_gateway_write_guard() — SECURITY DEFINER, search_path=pg_catalog,public
  • REVOKE ALL … FROM PUBLIC
  • 2 trigger created với prefix mới:
    • trg_aa_iu_gateway_write_guard ON information_unit (BEFORE INSERT OR UPDATE, FOR EACH ROW)
    • trg_aa_uv_gateway_write_guard ON unit_version (BEFORE INSERT OR UPDATE, FOR EACH ROW)
  • Post-deploy trigger count: IU=5 (=4+1), UV=1 (=0+1) → TRIGGER_COUNT_OK
  • [TRIGGER-GUARD] DDL detected audit warnings (expected)

Canonical Create — PASS (CAN_EXIT=0)

  • fn_iu_create(pilot, …)status=created, invariants_verified=true
  • fn_iu_verify_invariants(pilot)all_pass=true
  • count(*) WHERE canonical_address=pilot = 1
  • Idempotency call → status=exists_complete
  • 2 WARNING Birth gate L1 PILOT-ONLY: P-pub1/P-pub2 missing (expected, pilot mode)
  • → Marker app.canonical_writer=fn_iu_create BYPASS guard correctly.

Direct Block Tests — ALL PASS (BLOCK_EXIT=0)

Test Result Note
IU_INSERT_BLOCK PASS Direct INSERT vào information_unit (no marker) → guard fires đầu tiên với IU Gateway blocked: …, no leak
UV_INSERT_BLOCK PASS Direct INSERT vào unit_version → blocked, no leak
IU_UPDATE_BLOCK PASS Direct UPDATE → blocked, updated_by không đổi
UV_UPDATE_BLOCK PASS Direct UPDATE → blocked, created_by không đổi

→ Trigger prefix trg_aa_ đã đảm bảo gateway guard fire trước Birth gate L1 và các business gate khác. Caller nhận được hướng dẫn canonical/README chuẩn thay vì domain error.

Mode Update — PASS (MODE_EXIT=0)

  • dot_config.iu_create.gateway.mode = 'enforced'

Final Verify — PASS

  • LEAK_STATUS=PASS (app.canonical_writer not set in fresh session)
  • POST_STATUS=PASS (fn_iu_verify_invariants(pilot).all_pass=true)
  • gateway_mode=enforced (final)
  • Counts: information_unit=4, unit_version=4, birth_iu=4 (pilot rows preserved)

Boundaries Honored

  • ✅ Không GRANT/REVOKE ngoài REVOKE ALL ON FUNCTION fn_iu_gateway_write_guard FROM PUBLIC
  • ✅ Không role separation
  • ✅ Không Directus changes
  • ✅ Không detector / DOT / adapter / Pack 2C
  • ✅ Không cleanup pilots
  • ✅ phase_status=PASS — guard ENFORCED, ready cho P3-P3

Final State (post-run, on VPS)

Object State
public.fn_iu_gateway_write_guard() EXISTS — SECDEF, search_path locked, no PUBLIC EXECUTE
trg_aa_iu_gateway_write_guard ON information_unit EXISTS, ENABLED, BEFORE INSERT OR UPDATE
trg_aa_uv_gateway_write_guard ON unit_version EXISTS, ENABLED, BEFORE INSERT OR UPDATE
dot_config.iu_create.gateway.mode enforced
Trigger fire order gateway (trg_aa_*) → birth gate → business gates
Pilot IU/UV/birth preserved (4/4/4)

Diff vs rev6 (FAIL → PASS)

  • Only change: trigger names trg_iu_*trg_aa_iu_* / trg_aa_uv_*. Function body, GUC marker, dot_config keys, READMEs unchanged.
  • Why this fixed it: PostgreSQL fires BEFORE-row triggers in alphabetical order by trigger name. Gateway guard với prefix trg_aa_ đứng trước trg_iu_birth_* → caller làm direct INSERT thiếu trường (e.g. title) sẽ nhận IU Gateway blocked: … (đúng wrong-door error) thay vì Birth gate L1: P-id1 title required (domain error gây nhiễu).

Next Step

P3-P3 (theo readiness flag p3p3_readiness=READY).

Generated 2026-05-06 09:28 UTC. Log on VPS: /tmp/22-p3-p2.20260506-092734.log. Supersedes rev6 FAIL run từ 09:09 UTC.