Điều 45 Phase 3B — Queue Cutter Hardening (PASS, 2026-05-26)

Mission: DIEU45_PHASE_3B_QUEUE_CUTTER_HARDENING_FN_IU_CREATE_HEARTBEAT_D30_D31 Mode: LIVE APPLY + REGRESSION HARDENING Channel: SSH contabo → docker exec postgres → psql workflow_admin@directus (PG 16.13) Result: DIEU45_PHASE_3B_QUEUE_CUTTER_HARDENING_PASS

Outcome (executive)

Closed the two reliability gaps Phase 3 surfaced:

1. fn_iu_create vocab gap — dot_config vocab.section_type.* widened from 13→18 keys; all 17 governed values from tac_section_type_vocab now in_sync; orphan section documented; fn_iu_create md5 unchanged (dcade99af1ef096892748c9f14082e11) — fix is data-side, not code-side.
2. Heartbeat caller gap — created fn_queue_heartbeat_ping_external(executor_name,executor_kind,status,metadata) SECURITY DEFINER wrapper with: 7-vocab executor_kind pre-check, 3-vocab status pre-check, gate-off respected, metadata audit-pinned (ping_actor/ping_origin/ping_at/ping_function), and hard refusal for iu_outbound_default (preserves the §15.5 silent-gap marker — no false-heal).

Pinned the queue-specific Điều 30 regression and Điều 31 integrity/refusal pack as official protection for future queue/cut runs.

What was added (durable)

Object	Kind	Notes
vocab.section_type.invariant_list	dot_config row	Phase 3B sync
vocab.section_type.matrix	dot_config row	Phase 3B sync
vocab.section_type.open_decision_list	dot_config row	Phase 3B sync
vocab.section_type.rationale	dot_config row	Phase 3B sync
vocab.section_type.reference_mapping	dot_config row	Phase 3B sync
v_iu_section_type_vocab_sync	VIEW	Drift detector tac↔dot_config
fn_iu_section_type_vocab_sync_check()	FUNCTION	Returns PASS/FAIL_GOVERNED_GAP jsonb
fn_queue_heartbeat_ping_external(text,text,text,jsonb)	FUNCTION (DEFINER)	Safe external operator heartbeat caller

What was NOT changed

• fn_iu_create body — md5 unchanged.
• tac_section_type_vocab table or CHECKs — untouched.
• MARK/CUT alias bodies (fn_iu_op_mark_file, fn_iu_op_verify_mark, fn_iu_op_cut, fn_iu_op_verify_cut, fn_iu_op_cleanup_dry_run, fn_iu_cut_from_manifest) — md5 unchanged.
• event_outbox row count: 134,803 → 134,803 (zero phase3b-origin).
• information_unit: 192 → 192 (zero durable pollution; probes all BEGIN/ROLLBACK).
• iu_vector_sync_point: 152 → 152.
• iu_route_worker_cursor.iu_outbound_default.last_run_at: still 2026-05-22 11:31:41 (silent gap preserved, intentionally).
• queue_heartbeat.iu_outbound_default: still 2026-05-22 11:31:41, ticks_total=0, warn, legacy_silent_passive (protected from false-heal).
• pg_extension: {btree_gist,pgcrypto,plpgsql,postgres_fdw} (pg_cron still NOT installed).
• production_documents: still ABSENT.
• All risk-bearing gates (queue.job_substrate.enabled, queue.worker.enabled, queue.notify.enabled, queue.dlq.replay_enabled, queue.lease.reaper_enabled, iu_core.composer_enabled): false at exit.

pg_dump

Stage	Size (bytes)	sha256
pre-apply	83,241,085	28c2a683a3c3ca6b6898d57862702410cc582f4b00d40322528dd2bf7483ddf3
post-apply	83,249,241	fd3549d8f62361f0b499cd400c40e81dc6c80aec40e0999b567bcc891653068b
delta	+8,156	5 dot_config rows + 1 view + 2 fns + comments

Verification highlights

• Phase B end-to-end probe (BEGIN/ROLLBACK): 17 governed section_type values via fn_iu_create → 17 pass / 0 fail; invalid value definitely_not_valid_zzz raised section_type: Not in vocab. Available: ... (18-value list); orphan section still accepted (no behavior change).
• Phase C heartbeat caller: REFUSALS — iu_outbound_default (protected_legacy_silent_passive), invalid kind (executor_kind_not_in_vocab), invalid status (status_not_in_vocab), empty name (executor_name_required), gate-off (queue.heartbeat.enabled=false). POSITIVE tick on synthetic phase3b_synthetic_external ticks=1, metadata pinned with ping_actor=workflow_admin, ping_origin=external_operator. fn_queue_stale_check still reports iu_outbound_default stale (age 360,812s) — silent gap remains visible.
• D30 regression 10/10 PASS — event_outbox, IU, vsp, gates, extensions, MARK/CUT aliases md5s, fn_iu_create md5, prod_docs absent, pg_cron absent, worker cursor frozen.
• D31 integrity 9/9 PASS — body/vector/secret/token denylist (queue + heartbeat); job_enqueue gate-off; lease owner mismatch refused (refused=true reason=lease_owner_mismatch expected=owner_A got=owner_B_WRONG); DLQ replay gate-off (would_action: refused: queue.dlq.replay_enabled=false); iu_outbound_default protection; unapproved cut refused (refusal_code=not_approved, inner_result.live=pending_review).
• Phase 3 Điều 37 read-back: fn_iu_op_verify_cut(run_id=a64340fe-96ea-428a-a860-32e8b471b496) → verdict=verified, all 4 axes ok, pieces_count=17, problems=[]; reconstruct by doc_code returns 17 pieces; all 17 IUs have version_anchor_ref and content_anchor_ref.

Carry-forward

See 08-next-main-workflow-return-plan.md. Highlights:

• The §15.5 silent gap is now operationally surfaced + visibly protected, but still NOT closed durably (no real heartbeat tick wired for any production worker). Closing it requires hooking fn_iu_route_worker_run to call fn_queue_heartbeat_ping_external for a separate executor name (NOT iu_outbound_default).
• section orphan in dot_config is documented but not removed; could be deprecated alongside cutter contract that retires the remap-to-section pattern.
• Phase 3B did not widen the fn_iu_create SECURITY DEFINER body to read tac_section_type_vocab directly; that "preferred refactor" is deferred to a later pack — current data-sync approach already passes the mission gate.

Cross-links

• Parent: [[project-dieu45-phase3-mark-cut-queue-pilot-dieu37-write-channel-pass-2026-05-26]]
• Parent: [[project-dieu45-phase2-heartbeat-activation-lease-governance-pass-2026-05-26]]
• Parent: [[project-dieu45-phase1-minimal-job-substrate-live-apply-pass-2026-05-26]]
• Law: [[project-dieu45-v1-0-enacted-2026-05-26]]
• Resolved: [[feedback-fn-iu-create-section-type-vocab-13-item-internal-narrower-than-tac-vocab-17]]
• Surfaces (not closes): [[feedback-dieu45-silent-gap-violation-post-enactment]]