KB-7441

dot-iu-cutter v0.5 — Canonical Path Survey · Live Trigger and Gateway Survey (S1 PASS) (doc 1 of 7)

Revision 1

dot-iu-cutter v0.5 — Canonical Path Survey · Live Trigger and Gateway Survey

doc 1 of 7 · 2026-05-20 · read-only survey

phase             : S1 — survey live triggers + gateway policy
outcome           : PASS — full mechanism mapped
production_mutation : NONE

1. Trigger inventory on writer-path tables (read-only catalog)

1.1 public.information_unit (5 triggers)

order  trigger                         timing / event                                   function                                           sec.def  function md5
1      trg_aa_iu_gateway_write_guard   BEFORE INSERT OR UPDATE                          fn_iu_gateway_write_guard                          YES      6e716a80…185ec3
2      trg_iu_birth_gate_layer1        BEFORE INSERT                                    fn_iu_birth_gate_layer1                            NO       f38c94d0…59998
3      trg_iu_updated_at               BEFORE UPDATE                                    fn_iu_updated_at                                   NO       4509c2fb…ef06e
4      trg_birth_information_unit      AFTER INSERT                                     fn_birth_registry_auto('__birth_synthetic_id__')   NO       1f729b35…17f3
5      trg_iu_birth_gate_layer2        CONSTRAINT TRIGGER · AFTER INSERT OR UPDATE ·    fn_iu_birth_gate_layer2                            NO       078ba005…20f8
                                       DEFERRABLE INITIALLY DEFERRED

All five have tgenabled = 'O': they fire when session_replication_role is origin or local (the default), i.e. they are active in production. Caveat: 'O' triggers are skipped when session_replication_role = replica, so a session that is allowed to set that parameter (superuser-only by default) can write both tables with the guard silently disabled. Any restore or deploy tooling that sets replica mode is therefore in scope for the cut.

The alphabetical aa prefix on trg_aa_iu_gateway_write_guard ensures it fires first among the BEFORE INSERT and BEFORE UPDATE row triggers (PostgreSQL fires triggers of the same timing and event in alphabetical name order), so a blocked write short-circuits before any birth-gate or anchor logic runs.

1.2 public.unit_version (2 triggers)

order  trigger                         timing / event             function                                          sec.def  function md5
1      trg_aa_uv_gateway_write_guard   BEFORE INSERT OR UPDATE    fn_iu_gateway_write_guard (same function as IU)   YES      6e716a80…185ec3
2      trg_aa_iu_notif_version         AFTER INSERT               fn_iu_notif_version                               YES      74f5c33d…5b540

So a direct INSERT or UPDATE on either table is blocked by the same gateway function: the legacy direct-INSERT path is fail-closed on both tables. Note the event list: the guard is attached for INSERT OR UPDATE only, so DELETE and TRUNCATE on either table do not pass through it.
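The catalog query below is an added example (not part of this survey or of the dot-iu-cutter project) that reproduces sections 1.1 and 1.2 read-only from the standard PostgreSQL catalogs, including the sec.def and md5 columns. It assumes the survey's "function md5" column was computed over pg_proc.prosrc; the two table names are the ones surveyed here.

```sql
-- Read-only trigger inventory for the two writer-path tables.
-- Assumption: the survey hashed pg_proc.prosrc for its "function md5" column.
SELECT c.relname                                   AS table_name,
       t.tgname                                    AS trigger_name,
       CASE WHEN t.tgtype & 2  <> 0 THEN 'BEFORE'
            WHEN t.tgtype & 64 <> 0 THEN 'INSTEAD OF'
            ELSE 'AFTER' END                       AS timing,
       concat_ws(' OR ',                           -- concat_ws skips NULL branches
           CASE WHEN t.tgtype & 4  <> 0 THEN 'INSERT'   END,
           CASE WHEN t.tgtype & 8  <> 0 THEN 'DELETE'   END,
           CASE WHEN t.tgtype & 16 <> 0 THEN 'UPDATE'   END,
           CASE WHEN t.tgtype & 32 <> 0 THEN 'TRUNCATE' END) AS events,
       t.tgconstraint <> 0                         AS is_constraint_trigger,
       t.tgdeferrable,
       t.tginitdeferred,
       t.tgenabled,                                -- 'O' origin/local, 'R' replica, 'A' always, 'D' disabled
       p.proname                                   AS function_name,
       p.prosecdef                                 AS security_definer,
       md5(p.prosrc)                               AS function_md5,
       pg_get_triggerdef(t.oid)                    AS definition
  FROM pg_trigger    t
  JOIN pg_class      c ON c.oid = t.tgrelid
  JOIN pg_namespace  n ON n.oid = c.relnamespace
  JOIN pg_proc       p ON p.oid = t.tgfoid
 WHERE n.nspname = 'public'
   AND c.relname IN ('information_unit', 'unit_version')
   AND NOT t.tgisinternal                          -- skip FK / unique-constraint system triggers
 ORDER BY c.relname,
          -- firing order inside one table: BEFORE row triggers first, then AFTER;
          -- same timing and event fire alphabetically by name (PostgreSQL rule)
          CASE WHEN t.tgtype & 2 <> 0 THEN 0 WHEN t.tgtype & 64 <> 0 THEN 1 ELSE 2 END,
          t.tgname;
```

pg_get_triggerdef returns the full CREATE TRIGGER text, which is the easiest way to confirm the "timing/event" column verbatim. The ordering is only the statement-time order: trg_iu_birth_gate_layer2 is DEFERRABLE INITIALLY DEFERRED, so it actually runs at COMMIT, after every other trigger in the transaction. Re-run the query after any deploy and diff the function_md5 column against the table above to detect a silently replaced guard body.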

2. Gateway function — exact mechanism (read full body)

public.fn_iu_gateway_write_guard() — SECURITY DEFINER, returns trigger.

CREATE OR REPLACE FUNCTION public.fn_iu_gateway_write_guard()
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
DECLARE
  v_marker_key   text;   -- GUC name the canonical writers set (app.canonical_writer)
  v_marker_value text;   -- single legacy value, consulted only when the CSV list is empty
  v_current      text;   -- marker value in this transaction; NULL or '' when unset
  v_allowed_csv  text;
  v_allowed      text[];
BEGIN
  SELECT value INTO v_marker_key
    FROM public.dot_config WHERE key = 'iu_create.gateway.marker_key';
  SELECT value INTO v_marker_value
    FROM public.dot_config WHERE key = 'iu_create.gateway.marker_value';
  -- Fail-open branch: with no marker_key row every write is admitted.
  IF v_marker_key IS NULL THEN RETURN NEW; END IF;
  -- missing_ok = true: an unset GUC yields NULL instead of raising.
  v_current := current_setting(v_marker_key, true);
  SELECT value INTO v_allowed_csv
    FROM public.dot_config
    WHERE key = 'iu_create.gateway.allowed_marker_values';
  IF v_allowed_csv IS NOT NULL AND v_allowed_csv <> '' THEN
    -- Split the CSV, trim whitespace, drop empty items.
    SELECT array_agg(btrim(elem)) INTO v_allowed
      FROM unnest(string_to_array(v_allowed_csv, ',')) AS elem
      WHERE btrim(elem) <> '';
    IF v_allowed IS NOT NULL AND v_current = ANY(v_allowed) THEN
      RETURN NEW;
    END IF;
  ELSE
    -- Legacy path: exact match against the single marker_value.
    IF v_current IS NOT NULL AND v_current = v_marker_value THEN
      RETURN NEW;
    END IF;
  END IF;
  RAISE EXCEPTION
    'IU Gateway blocked: direct write to % not allowed. Use canonical functions (fn_iu_create, fn_iu_apply_edit_draft). See README: %',
    TG_TABLE_NAME,
    COALESCE((SELECT value FROM public.dot_config WHERE key = 'iu_create.gateway.readme_path'),
             'knowledge/dev/laws/dieu44-trien-khai/readme/iu-create-gateway-readme.md');
END;
$$;

The guard reads the GUC named by marker_key (app.canonical_writer) via current_setting(key, true), so an unset marker yields NULL rather than an error. When iu_create.gateway.allowed_marker_values is non-empty (currently 'fn_iu_create,fn_iu_apply_edit_draft') the write passes only if the marker equals one of its trimmed comma-separated items; the single marker_value is consulted only when that list is absent or empty. The body never reads iu_create.gateway.mode: enforcement is on whenever the marker_key row exists and off (RETURN NEW for every row) when it does not, so a deleted or renamed config row fails open.

The marker is transaction-local (fn_iu_create sets it with set_config('app.canonical_writer', 'fn_iu_create', true)), so any code path that does not set it is blocked. Two consequences for the cut: (1) a set_config with is_local = true persists until the end of the transaction, so a direct INSERT issued after fn_iu_create returns, in the same transaction, would also pass unless fn_iu_create clears the marker before returning (to verify in S2); (2) app.canonical_writer is an ordinary custom GUC that any session can set, so the gateway stops code that does not know the protocol, not an actor who does. It is a guard against accidental direct writes, not an authorization boundary.
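The script below is an added example (not the project's code and not part of the survey) that exercises the guard's three branches in a throwaway transaction. It assumes public.fn_iu_gateway_write_guard() and public.dot_config exist as surveyed and that the role may create temp tables and execute the function; because the function keys off TG_TABLE_NAME and dot_config only, it can be attached to a scratch table without touching information_unit. Probe 3 edits dot_config inside the transaction, so run it on a staging clone only; the final ROLLBACK discards everything, including the temp table.

```sql
-- Staging only: every statement here is rolled back at the end.
BEGIN;

-- Scratch table (constructed for the probe) with the guard attached exactly
-- as it is on information_unit / unit_version.
CREATE TEMP TABLE gw_probe (id int PRIMARY KEY, note text);
CREATE TRIGGER trg_aa_gw_probe_guard
  BEFORE INSERT OR UPDATE ON gw_probe
  FOR EACH ROW EXECUTE FUNCTION public.fn_iu_gateway_write_guard();

-- Probe 1: no marker in this transaction -> the write must be refused.
-- raise_exception is the condition name for SQLSTATE P0001 (plain RAISE EXCEPTION).
DO $$
BEGIN
  INSERT INTO gw_probe VALUES (1, 'direct write, no marker');
  RAISE EXCEPTION 'probe 1 FAILED: guard admitted an unmarked write';
EXCEPTION WHEN raise_exception THEN
  IF SQLERRM NOT LIKE 'IU Gateway blocked%' THEN RAISE; END IF;
  RAISE NOTICE 'probe 1 OK: %', SQLERRM;
END $$;

-- Probe 2: the marker is an ordinary custom GUC. This is the same call
-- fn_iu_create makes, issued by hand from a plain session, and it passes.
SELECT set_config('app.canonical_writer', 'fn_iu_create', true);
INSERT INTO gw_probe VALUES (2, 'hand-set marker: admitted');

-- Probe 2b: a value outside allowed_marker_values is refused again.
SELECT set_config('app.canonical_writer', 'adhoc_script', true);
DO $$
BEGIN
  INSERT INTO gw_probe VALUES (3, 'unknown marker');
  RAISE EXCEPTION 'probe 2b FAILED: guard admitted an unknown marker';
EXCEPTION WHEN raise_exception THEN
  IF SQLERRM NOT LIKE 'IU Gateway blocked%' THEN RAISE; END IF;
  RAISE NOTICE 'probe 2b OK: %', SQLERRM;
END $$;

-- Probe 3: without the marker_key row the guard returns NEW before any
-- marker check, so the same unmarked write now succeeds (fail-open).
DELETE FROM public.dot_config WHERE key = 'iu_create.gateway.marker_key';
INSERT INTO gw_probe VALUES (4, 'config row missing: admitted without a valid marker');

-- Expected: ids 2 and 4 only.
SELECT id, note FROM gw_probe ORDER BY id;

ROLLBACK;
```

Probe 2 is the one to keep in mind when reading "fail-closed": the guard distinguishes callers by a session variable they set themselves, so it proves that a write came through code aware of the protocol, not that it came from fn_iu_create. Probe 3 is the reason the cut should include an integrity check on the dot_config rows the function reads; a missing marker_key row disables the gateway without any error or log line.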

3. Gateway policy state (dot_config keys read 2026-05-20)

iu_create.gateway.mode                       : enforced
iu_create.gateway.marker_key                 : app.canonical_writer
iu_create.gateway.marker_value               : fn_iu_create
iu_create.gateway.allowed_marker_values      : fn_iu_create,fn_iu_apply_edit_draft
iu_create.gateway.canonical_function         : public.fn_iu_create(text,text,text,text,text,text,text,text,uuid)
iu_create.gateway.plan_function              : public.fn_iu_create_plan(text,text,text,text,text,text,text,text,uuid)
iu_create.gateway.direct_insert_policy       : block_after_guard
iu_create.gateway.exempt_policy              : none_active
iu_create.gateway.policy_doc_path            : knowledge/dev/laws/dieu44-trien-khai/design/22-p3-iu-creation-gateway-scope.md
iu_create.gateway.readme_path                : knowledge/dev/laws/dieu44-trien-khai/readme/iu-create-gateway-readme.md

exempt_policy = none_active ⇒ no path currently bypasses the gateway. The constitution CUT must travel via one of the two allowed markers.

4. Provenance — Pack 22-P3-P2 rev7 (2026-05-06)

  • Design : knowledge/dev/laws/dieu44-trien-khai/design/22-p3-iu-creation-gateway-scope.md
  • Readme : knowledge/dev/laws/dieu44-trien-khai/readme/iu-create-gateway-readme.md
  • Closure: knowledge/dev/laws/dieu44-trien-khai/reports/22-pack-closure-iu-native-create-and-gateway.md

The closure report confirms trg_aa_iu_gateway_write_guard (and the UV counterpart) was deployed 2026-05-06 and is in enforced mode. The v0.5 first-controlled-cut approval package was authored BEFORE this survey, so it did not encode the gateway. Survey gap closed by this report.

5. Disposition

S1                          : PASS — full mechanism understood
no_production_mutation      : confirmed (read-only catalog only)
next                        : S2 — survey canonical fn_iu_create

doc 1 of 7.

Source: knowledge/dev/laws/dieu44-trien-khai/v0.5-fn-iu-create-canonical-path-survey-and-redesign/dot-iu-cutter-v0.5-01-live-trigger-and-gateway-survey-2026-05-20.md