KB-534F

Pack 22 Closure — IU Native Create + Gateway

Revision 1


Date: 2026-05-06 | Status: COMPLETE | Pack: 22 (Điều 44 implementation) | Scope: fn_iu_create canonical writer + IU Creation Gateway enforcement


Final Status: COMPLETE

Pack 22 delivered in full: a canonical IU creation function plus gateway enforcement that blocks direct writes to the IU tables.

Phase Summary

Phase | Status | Deliverable | Report
P1 | COMPLETE | 5 helper functions: preflight, verify_invariants, classify_existing, resolve_default, content_hash | inline in the P2 report
P2 | COMPLETE | fn_iu_create (complete-or-nothing) + fn_iu_create_plan (dry-run) | reports/22-p2-iu-native-create-main-functions-report.md
P3-P0 | COMPLETE | Read-only inspection (51 queries, core evidence) | reports/22-p3-p0-iu-creation-gateway-inspection-report.md
P3-P1 | COMPLETE | 9 policy keys + canonical_writer marker patch | reports/22-p3-p1-iu-gateway-policy-and-canonical-marker-report.md
P3-P2 | COMPLETE | Trigger guard enforced on IU + UV | reports/22-p3-p2-iu-gateway-trigger-guard-report.md
README | COMPLETE | Gateway README | readme/iu-create-gateway-readme.md

Runtime State (on VPS)

Object | State
public.fn_iu_create(...) | Production; SECDEF (SECURITY DEFINER), sets canonical_writer marker, verifies invariants
public.fn_iu_create_plan(...) | Production; SECDEF, dry-run only
public.fn_iu_gateway_write_guard() | Production; SECDEF, reads policy from dot_config
trg_aa_iu_gateway_write_guard | Enabled; BEFORE INSERT OR UPDATE on information_unit
trg_aa_uv_gateway_write_guard | Enabled; BEFORE INSERT OR UPDATE on unit_version
dot_config.iu_create.gateway.mode | enforced
Pilot rows | 4 IU, 4 UV, 4 birth (P2 + P3-P1 + P3-P2 pilots, retained)

What Was Built (in plain terms)

A standard delivery room (fn_iu_create), a signpost (9 policy keys), an access badge (canonical_writer marker), a barrier (trigger guard) and a guide (README). Anyone who creates an IU calls fn_iu_create. Anyone who comes in through the wrong door is blocked and pointed back to the README.
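Added illustrative sketch of the badge-plus-barrier mechanism described above. This is not Pack 22's code. It assumes dot_config is a plain key/value table, that the canonical_writer marker is carried as a transaction-local GUC named iu.canonical_writer, minimal shapes for information_unit and unit_version, and sha256 hex as the content_hash; the invariant check is simplified to "exactly one version per new IU". The last block shows why a forged marker is a real gap and why role separation remains on the deferred list.

```sql
-- Added illustrative sketch, NOT the Pack 22 code. Assumed: dot_config is a
-- key/value table; the canonical_writer marker is carried as a transaction-
-- local GUC 'iu.canonical_writer'; minimal shapes for information_unit and
-- unit_version; content_hash = sha256 hex of the content.
CREATE TABLE IF NOT EXISTS dot_config (key text PRIMARY KEY, value text NOT NULL);
INSERT INTO dot_config (key, value) VALUES ('iu_create.gateway.mode', 'enforced')
  ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value;

CREATE TABLE IF NOT EXISTS information_unit (
  id    bigserial PRIMARY KEY,
  slug  text NOT NULL UNIQUE,
  title text NOT NULL);
CREATE TABLE IF NOT EXISTS unit_version (
  id           bigserial PRIMARY KEY,
  iu_id        bigint NOT NULL REFERENCES information_unit(id),
  content      text NOT NULL,
  content_hash text NOT NULL);

-- Barrier: reads the mode from dot_config on every fire (no hardcoded policy)
-- and refuses rows that did not come through the canonical writer.
CREATE OR REPLACE FUNCTION fn_iu_gateway_write_guard() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
  v_mode   text;
  v_marker text;
BEGIN
  SELECT value INTO v_mode FROM dot_config WHERE key = 'iu_create.gateway.mode';
  -- design choice in this sketch: a missing key fails closed (treated as 'enforced')
  v_mode   := coalesce(v_mode, 'enforced');
  v_marker := current_setting('iu.canonical_writer', true);  -- NULL or '' when unset
  IF v_mode = 'enforced' AND coalesce(v_marker, '') <> 'fn_iu_create' THEN
    RAISE EXCEPTION 'direct % on % blocked by IU Creation Gateway', TG_OP, TG_TABLE_NAME
      USING HINT    = 'Create IUs via fn_iu_create(); see readme/iu-create-gateway-readme.md',
            ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NEW;
END $$;

DROP TRIGGER IF EXISTS trg_aa_iu_gateway_write_guard ON information_unit;
CREATE TRIGGER trg_aa_iu_gateway_write_guard
  BEFORE INSERT OR UPDATE ON information_unit
  FOR EACH ROW EXECUTE FUNCTION fn_iu_gateway_write_guard();

DROP TRIGGER IF EXISTS trg_aa_uv_gateway_write_guard ON unit_version;
CREATE TRIGGER trg_aa_uv_gateway_write_guard
  BEFORE INSERT OR UPDATE ON unit_version
  FOR EACH ROW EXECUTE FUNCTION fn_iu_gateway_write_guard();

-- Canonical writer: raises the marker only for the duration of its own work,
-- writes IU + UV atomically, verifies the invariant, then clears the marker.
CREATE OR REPLACE FUNCTION fn_iu_create(p_slug text, p_title text, p_content text)
RETURNS bigint LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
  v_iu_id bigint;
BEGIN
  PERFORM set_config('iu.canonical_writer', 'fn_iu_create', true);  -- is_local: dies with the transaction
  INSERT INTO information_unit (slug, title) VALUES (p_slug, p_title) RETURNING id INTO v_iu_id;
  INSERT INTO unit_version (iu_id, content, content_hash)
    VALUES (v_iu_id, p_content, encode(sha256(convert_to(p_content, 'UTF8')), 'hex'));
  -- invariant (simplified): the new IU has exactly one version; any failure
  -- above or here aborts the whole call, so the write is complete-or-nothing
  IF (SELECT count(*) FROM unit_version WHERE iu_id = v_iu_id) <> 1 THEN
    RAISE EXCEPTION 'invariant violated for IU %', v_iu_id;
  END IF;
  PERFORM set_config('iu.canonical_writer', '', true);  -- do not leave the door open
  RETURN v_iu_id;
END $$;

-- Check 1: the canonical path works.
SELECT fn_iu_create('dieu-44-pilot', 'Pilot IU', 'constructed sample content');
-- Check 2: a direct write is blocked (ERROR: ... blocked by IU Creation Gateway).
INSERT INTO information_unit (slug, title) VALUES ('side-door', 'direct write');
-- Caveat (why "role separation" and "L3 Detector" sit in the deferred list):
-- any role that can INSERT directly can also set the marker and walk through.
BEGIN;
SELECT set_config('iu.canonical_writer', 'fn_iu_create', true);
INSERT INTO information_unit (slug, title) VALUES ('spoof', 'marker forged');  -- succeeds
ROLLBACK;
```

Run it with psql against a scratch database; Check 2 is expected to error, so leave ON_ERROR_STOP off if you want the caveat block to run afterwards. The guard is a policy gate, not a privilege boundary: until direct INSERT is revoked from non-owner roles, the marker only keeps honest callers on the canonical path.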

Hard Boundaries Honored Throughout

  • No raw birth INSERT — birth via PG trigger
  • No hardcoding: policy is read from dot_config
  • No global set -e: always report
  • No manual placeholder substitution
  • No Directus permission changes
  • No role separation (deferred)
  • No DOT registration
  • No Pack 2C

Deferred Items (do not block closure)

Item | Reason | When
L3 Detector | Detect deliberate bypass, privileged writes, or a spoofed canonical_writer marker | When a use case appears or scale grows
Role separation | The real security boundary (revoke direct INSERT from non-owner roles) | When the Directus dependency allows it
DOT wrapper | Agents currently call fn_iu_create directly via psql | When the call path needs standardizing for multiple callers
system_health_checks | Schema mismatch; columns need to be re-read | When the health check infrastructure is refreshed

Next step is up to the User/GPT to decide:

  1. P10D (Nuxt Laws Page): render layer for IU content, tree view + reader/review/debug modes
  2. Continue the TAC pipeline: create IU content through the canonical path (fn_iu_create)
  3. Enact Điều 44: formalize IU creation governance into law
  4. L3 Detector: if security hardening should come before features

Pack 22 Closure | 2026-05-06 | COMPLETE | Gateway enforced

Report path: knowledge/dev/laws/dieu44-trien-khai/reports/22-pack-closure-iu-native-create-and-gateway.md