KB-3795
23-P3A — IU Gateway Allow-list Patch — Execution Report
Revision 1
- Date: 2026-05-07 04:03:49 UTC
- Executor: Opus (Claude)
- Prompt: knowledge/dev/laws/dieu44-trien-khai/prompts/23-p3a-iu-gateway-allow-list-patch-prompt.md (rev4)
- Log: /tmp/23-p3a.20260507-040349.log (VPS 38.242.240.89)
Final Verdict
| Field | Value |
|---|---|
| phase_status | PASS |
| p3b_readiness | READY |
| patch_status | OK |
| preflight_status | PASS |
| rollback_status | N/A (not triggered) |
| test_fail_count | 0 |
Hash transition
| Hash | Value |
|---|---|
| source_hash_before | 68928bcdd86325955f817b03a41b4b4f |
| source_hash_after | 6907fa4e5e46b5617d7dfecbd86326d7 |
Hash changed → patch applied. Function metadata preserved (owner=directus, SECURITY DEFINER=t, search_path includes pg_catalog, PUBLIC EXECUTE = 0).
Backup: /tmp/p3a-guard-backup-20260507-040349.sql (VPS).
Preflight (all gates PASS)
- Guard count = 1 (public, 0 args)
- Marker config: app.canonical_writer=fn_iu_create ✓
- Triggers enabled = 2 (trg_aa_iu_gateway_write_guard, trg_aa_uv_gateway_write_guard)
- Allow-list key did NOT exist before → fresh seed
- No duplicate iu_create.gateway.% keys
- Guard not yet patched → ALREADY_PATCHED=false
- Single-column unique index on dot_config.key exists
- fn_iu_create signature discovered with 4 required named params: fn_iu_create(text,text,text,text,text,text,text,text,uuid)
  - args: p_canonical_address text, p_title text, p_body text, p_actor text, p_unit_kind text DEFAULT NULL, p_section_type text DEFAULT NULL, p_owner_ref text DEFAULT NULL, p_publication_type text DEFAULT NULL, p_parent_ref uuid DEFAULT NULL
- Counts before: IU=5, UV=5
- Existing UV id captured for T5B: 6c2f01c6-2bb0-4357-a0d6-735945d35b5b
Patch transaction
```
BEGIN
INSERT 0 1       -- dot_config: iu_create.gateway.allowed_marker_values = fn_iu_create,fn_iu_apply_edit_draft
CREATE FUNCTION  -- fn_iu_gateway_write_guard() rewritten with allow-list logic
REVOKE           -- PUBLIC EXECUTE revoked
COMMIT
PATCH_EXIT=0
```
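The transaction above only records psql's command tags. The following is an added illustration of the shape of an allow-list write guard of this kind; it is not the project's actual fn_iu_gateway_write_guard source. It assumes a dot_config(key, value) table with the allow-list stored as a comma-separated value, a session marker set with SET LOCAL app.canonical_writer by the canonical writer functions, and the two BEFORE INSERT OR UPDATE triggers already attached to the IU and UV tables (the function body, error wording, and the unconfigured-key handling are assumptions).

```sql
-- Added example: allow-list gateway guard (illustrative, not the project's source).
-- Assumed schema: dot_config(key text UNIQUE, value text).
-- Assumed convention: canonical writers run SET LOCAL app.canonical_writer = '<fn name>'
-- inside their transaction before touching the guarded tables.
CREATE OR REPLACE FUNCTION fn_iu_gateway_write_guard()
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public      -- pinned so the lookup cannot be redirected
AS $$
DECLARE
  -- missing_ok = true: NULL when the GUC was never set in this session
  v_marker  text := current_setting('app.canonical_writer', true);
  v_allowed text[];
BEGIN
  -- Read the allow-list from config rather than hard-coding marker names,
  -- so adding a writer (e.g. fn_iu_apply_edit_draft) is a data change, not a DDL change.
  SELECT regexp_split_to_array(value, '\s*,\s*')
    INTO v_allowed
    FROM dot_config
   WHERE key = 'iu_create.gateway.allowed_marker_values';

  -- Fail closed: an absent allow-list blocks every write instead of allowing all.
  IF v_allowed IS NULL THEN
    RAISE EXCEPTION 'gateway: allow-list key iu_create.gateway.allowed_marker_values is not configured'
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  -- Empty, unset, or unknown marker (e.g. fn_unknown_bad_actor in T7) is rejected.
  IF v_marker IS NULL OR v_marker = '' OR NOT (v_marker = ANY (v_allowed)) THEN
    RAISE EXCEPTION 'gateway: direct % on % is not allowed; write through fn_iu_create (see README)',
      TG_OP, TG_TABLE_NAME
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  RETURN NEW;   -- same function serves INSERT and UPDATE triggers (T4, T5, T5B)
END;
$$;

-- Keep the guard's execute privilege off PUBLIC (checked by T10 as public_grant=0).
REVOKE EXECUTE ON FUNCTION fn_iu_gateway_write_guard() FROM PUBLIC;
```

The T6-style check for a newly allowed marker can then be run as a transaction that sets the marker with SET LOCAL, performs one INSERT, and ends with ROLLBACK, which is why T11 verifies that no rows leaked. Because app.canonical_writer is a session setting, the guard protects against unintended direct writes; table-level grants remain the privilege boundary.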
Test results
| Test | Result | Detail |
|---|---|---|
| T1 — guard source contains allowed_marker_values | PASS | prosrc LIKE check ✓ |
| T2 — dot_config key exact match | PASS | value = fn_iu_create,fn_iu_apply_edit_draft |
| T3 — fn_iu_create real pilot (named params) | PASS | status=created, pilot=test/p3a/gateway-verify-20260507-040349, IU 5→6, UV 5→6 |
| T4 — direct IU INSERT blocked | PASS | gateway error message returned |
| T5 — direct UV INSERT blocked | PASS_GATEWAY_BLOCKED | guard fires before FK |
| T5B — direct UV UPDATE blocked | PASS_GATEWAY_BLOCKED_UPDATE | proves UPDATE guard active |
| T6 — fn_iu_apply_edit_draft marker accepted (rollback) | PASS_GATEWAY_ACCEPTED_INSERT_ROLLED_BACK | new marker recognized by allow-list |
| T7 — unknown marker fn_unknown_bad_actor blocked | PASS | gateway error |
| T8 — error message contains fn_iu_create + README ref | PASS | guidance present |
| T9 — both gateway triggers still enabled | PASS | count=2 |
| T10 — function metadata preserved + PUBLIC not broadened | PASS | owner=directus, secdef=t, public_grant=0 |
| T11 — row-leak (rolled-back rows must not exist) | PASS | leak count = 0 |
T3 birth-gate WARNINGs (P-pub1 missing, P-pub2 missing) are L1 PILOT-ONLY notices unrelated to gateway behavior — informational only.
Required assertions (per task acceptance)
| Requirement | Status |
|---|---|
| phase_status=PASS | ✓ |
| p3b_readiness=READY | ✓ |
| patch_status=OK (or SKIPPED_ALREADY_PATCHED) | ✓ OK |
| fn_iu_create real pilot PASS | ✓ T3 created |
| direct IU blocked | ✓ T4 |
| UV UPDATE blocked | ✓ T5B |
| marker fn_iu_apply_edit_draft accepted in rollback test | ✓ T6 |
| unknown marker blocked | ✓ T7 |
| row-leak = 0 | ✓ T11 (count=0) |
| PUBLIC not broadened | ✓ T10 (public_grant=0) |
Artifacts
- VPS log: /tmp/23-p3a.20260507-040349.log
- VPS backup of pre-patch function: /tmp/p3a-guard-backup-20260507-040349.sql
- Pilot IU retained at canonical_address test/p3a/gateway-verify-20260507-040349
- IU/UV counts: 5 → 6 (single pilot row from T3)
Hard boundaries respected
- ✗ No table DDL
- ✗ No new functions (only CREATE OR REPLACE of existing fn_iu_gateway_write_guard)
- ✗ No trigger changes
- ✗ No vector mutation
- ✗ No cleanup
- ✗ No Pack 2C work
Next step
P3A complete and PASS. Ready to proceed to P3B schema-only for unit_edit_draft, unit_edit_comment, sort_order.
23-P3A Report | 2026-05-07 | All 12 tests PASS | rev4 prompt executed cleanly