
Phase 3B — Queue D31 Integrity Pack

Revision 1


Official queue-specific Điều 31 integrity / refusal suite. 9/9 PASS.

All probes were run via the SSH→docker→psql workflow_admin@directus path; every mutating probe was wrapped in BEGIN; … ; ROLLBACK; so no durable state change occurred.

| # | Invariant | Probe summary | Result | Status |
|---|-----------|---------------|--------|--------|
| I1 | job_queue payload denylist refuses body | Enqueue with payload_json='{"body":"x"}' (gate ON in TX) | ERROR new row for relation "job_queue" violates check constraint "job_queue_payload_safe_check" | PASS |
| I2 | job_queue payload denylist refuses vector | Enqueue with payload_json='{"vector":[1,2]}' | same CHECK violation | PASS |
| I3 | job_queue payload denylist refuses secret | Enqueue with payload_json='{"secret":"x"}' | same CHECK violation | PASS |
| I4 | queue_heartbeat metadata denylist refuses token | fn_queue_heartbeat_ping_external('phase3b_d31_executor','external_worker','ok','{"token":"x"}') | ERROR ... "queue_heartbeat_metadata_safe_check" | PASS |
| I5 | Gate-off refusal for fn_job_enqueue (queue.job_substrate.enabled=false) | Enqueue without flipping gate | {"job_id":null,"reason":"queue.job_substrate.enabled=false","refused":true} | PASS |
| I6 | Lease owner mismatch refused | Enqueue → fn_job_claim(p_lease_owner:='owner_A',…) → fn_job_ack(p_lease_owner:='owner_B_WRONG',…) | {"got":"owner_B_WRONG","job_id":"…","reason":"lease_owner_mismatch","refused":true,"expected":"owner_A"} | PASS |
| I7 | DLQ replay disabled by default | INSERT synthetic job_dead_letter row → fn_job_dead_letter_requeue_dry_run(p_dead_letter_id:=…) with gate=false | {…,"would_action":"refused: queue.dlq.replay_enabled=false","replay_gate_enabled":false}; flip gate=true in same TX → would_action:"preview_only: Phase 2 ships no apply-side requeue"; ROLLBACK restores gate=false | PASS |
| I8 | Stale worker not falsely healthy (iu_outbound_default protection) | fn_queue_heartbeat_ping_external('iu_outbound_default','PG_worker','ok','{}') | {"reason":"protected_legacy_silent_passive","message":"…","refused":true}; row state unchanged | PASS |
| I9 | Cannot cut unapproved manifest | BEGIN; fn_iu_op_mark_file(…) to create staging → immediately fn_iu_op_cut(p_apply:=true,…) without fn_iu_op_verify_mark approval | {"refusal_code":"not_approved","inner_result":{"ok":false,"live":"pending_review",…},"applied":null} | PASS |

Pinned refusal contract

Future queue runs MUST observe these refusal shapes; any drift is a D31 regression failure.

Refusal payload contract (per fn)

| Function | Trigger | Required refusal jsonb shape |
|----------|---------|------------------------------|
| fn_job_enqueue | gate queue.job_substrate.enabled=false | {"refused":true,"reason":"queue.job_substrate.enabled=false","job_id":null} |
| fn_job_enqueue | payload contains denylist key (body/content/raw/vector/embedding/secret/token/password/ssn/personal_data) | RAISE via table CHECK job_queue_payload_safe_check |
| fn_job_ack | p_lease_owner != stored lease_owner | {"refused":true,"reason":"lease_owner_mismatch","expected":"<stored>","got":"<passed>","job_id":"<uuid>"} |
| fn_job_dead_letter_requeue_dry_run | gate queue.dlq.replay_enabled=false | no "refused" key; {"would_action":"refused: queue.dlq.replay_enabled=false","replay_gate_enabled":false,…} |
| fn_queue_heartbeat_ping_external | executor_name='iu_outbound_default' | {"refused":true,"reason":"protected_legacy_silent_passive","message":"..."} |
| fn_queue_heartbeat_ping_external | executor_kind ∉ 7-vocab | {"refused":true,"reason":"executor_kind_not_in_vocab","value":"...","allowed":["DOT","Agent","Hermes","Codex","PG_worker","external_worker","future_Kestra_adapter"]} |
| fn_queue_heartbeat_ping_external | p_status ∉ {ok,warn,error} | {"refused":true,"reason":"status_not_in_vocab","value":"..."} |
| fn_queue_heartbeat_ping_external | gate queue.heartbeat.enabled=false | {"refused":true,"reason":"queue.heartbeat.enabled=false"} |
| fn_queue_heartbeat_ping_external | metadata contains denylist key | RAISE via table CHECK queue_heartbeat_metadata_safe_check (defense in depth) |
| fn_iu_op_cut (alias) | staging not approved (no fn_iu_op_verify_mark approval) | {"refusal_code":"not_approved","inner_result":{"ok":false,"live":"pending_review","run_id":"<uuid>","refusal_code":"not_approved"},…,"applied":null} |
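The lease_owner_mismatch row above, shown as an added illustration rather than the project's own fn_job_ack: the owner check and the state change are a single conditional UPDATE, so a wrong or stale owner can never ack between check and write. The table name job_queue_demo, its columns and the state values are assumptions; jsonb key ordering in the result matches the I6 output above because jsonb sorts keys by length, then alphabetically.

```sql
-- Added illustration, not the project's fn_job_ack. Table, columns and
-- state names are assumed for the demo.
CREATE TABLE job_queue_demo (
    job_id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    state       text NOT NULL DEFAULT 'leased',
    lease_owner text
);

CREATE OR REPLACE FUNCTION fn_job_ack_demo(p_job_id uuid, p_lease_owner text)
RETURNS jsonb LANGUAGE plpgsql AS $$
DECLARE
    v_stored text;
BEGIN
    -- Check-and-write in one statement: the row only changes when the stored
    -- lease_owner equals the caller's, so there is no window for a racing ack.
    UPDATE job_queue_demo
       SET state = 'acked', lease_owner = NULL
     WHERE job_id = p_job_id
       AND state = 'leased'
       AND lease_owner = p_lease_owner;
    IF FOUND THEN
        RETURN jsonb_build_object('refused', false, 'job_id', p_job_id);
    END IF;
    -- Nothing updated: report the stored owner in the pinned refusal shape
    -- (a job_id that does not exist also lands here, with expected = null).
    SELECT lease_owner INTO v_stored FROM job_queue_demo WHERE job_id = p_job_id;
    RETURN jsonb_build_object(
        'refused',  true,
        'reason',   'lease_owner_mismatch',
        'expected', v_stored,
        'got',      p_lease_owner,
        'job_id',   p_job_id);
END $$;

-- Probe in the D31 style: lease as owner_A, ack as owner_B_WRONG, roll back.
BEGIN;
INSERT INTO job_queue_demo (job_id, lease_owner)
VALUES ('11111111-1111-1111-1111-111111111111', 'owner_A');       -- constructed sample row
SELECT fn_job_ack_demo('11111111-1111-1111-1111-111111111111', 'owner_B_WRONG'); -- refused
SELECT fn_job_ack_demo('11111111-1111-1111-1111-111111111111', 'owner_A');       -- acked
ROLLBACK;
```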

Denylist 10-key vocab (mirror of event_outbox.safe_payload_check)

body, content, raw, vector, embedding, secret, token, password, ssn, personal_data

Enforced on:

  • job_queue.payload_json (CHECK job_queue_payload_safe_check)
  • job_dead_letter.payload_json (CHECK job_dead_letter_payload_safe_check)
  • queue_heartbeat.metadata (CHECK queue_heartbeat_metadata_safe_check)
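As an added illustration of how a denylist CHECK over this 10-key vocab is expressed in Postgres (not the project's DDL; the column set and the audit query are assumptions), together with the I1-style probe and the caveat a reviewer should check: the jsonb `?|` operator tests top-level keys only.

```sql
-- Added illustration, not the project's DDL. Constraint name matches this
-- page; the column set is assumed.
CREATE TABLE job_queue (
    job_id       uuid  PRIMARY KEY DEFAULT gen_random_uuid(),
    payload_json jsonb NOT NULL DEFAULT '{}'::jsonb,
    CONSTRAINT job_queue_payload_safe_check CHECK (
        jsonb_typeof(payload_json) = 'object'          -- arrays/scalars never pass
        AND NOT (payload_json ?| ARRAY[
            'body', 'content', 'raw', 'vector', 'embedding',
            'secret', 'token', 'password', 'ssn', 'personal_data'])
    )
);

-- Probe in the D31 style: BEGIN … ROLLBACK, so nothing durable survives.
BEGIN;
INSERT INTO job_queue (payload_json)
VALUES ('{"kind":"reindex","doc_ref":"doc-1"}');   -- accepted: no denylisted key
INSERT INTO job_queue (payload_json)
VALUES ('{"body":"x"}');                            -- rejected by job_queue_payload_safe_check
ROLLBACK;

-- Caveat: ?| inspects top-level keys only, so {"meta":{"token":"x"}} passes
-- this definition. Whether the real constraint recurses is not stated on this
-- page; this audit query finds existing rows the same (top-level) way.
SELECT job_id
  FROM job_queue
 WHERE payload_json ?| ARRAY['body', 'content', 'raw', 'vector', 'embedding',
                             'secret', 'token', 'password', 'ssn', 'personal_data'];
```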

Executor kind 7-vocab (CHECK queue_heartbeat_kind_check, MOT excluded per §11.5)

DOT, Agent, Hermes, Codex, PG_worker, external_worker, future_Kestra_adapter

fn_queue_heartbeat_ping_external enforces the same vocab via pre-check before reaching the table CHECK.

Heartbeat status 3-vocab (CHECK queue_heartbeat_status_check)

ok, warn, error

Audit metadata contract for ping wrapper

Every successful fn_queue_heartbeat_ping_external call pins the following four keys into queue_heartbeat.metadata:

| key | source | purpose |
|-----|--------|---------|
| ping_origin | hardcoded external_operator | distinguishes wrapper-emitted ticks from direct fn_queue_heartbeat_tick calls |
| ping_actor | current_setting('app.heartbeat_actor', true) ?? session_user::text | audit who emitted the tick |
| ping_at | now() | audit when |
| ping_function | hardcoded fn_queue_heartbeat_ping_external | audit which entry point |

Caller-supplied ping_* keys are stripped before merge so callers cannot spoof identity.
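The strip-then-pin step in isolation, as an added illustration (not the project's fn_queue_heartbeat_ping_external; the function name pin_ping_metadata is assumed, and the four keys follow the table above). It drops every caller-supplied ping_* key before the merge, so a caller cannot pre-set ping_actor or ping_origin; metadata is assumed to be a jsonb object.

```sql
-- Added illustration, not the project's wrapper. Function name assumed.
CREATE OR REPLACE FUNCTION pin_ping_metadata(p_metadata jsonb)
RETURNS jsonb LANGUAGE sql STABLE AS $$
    SELECT coalesce(
             (SELECT jsonb_object_agg(e.key, e.value)
                FROM jsonb_each(coalesce(p_metadata, '{}'::jsonb)) AS e
               WHERE e.key NOT LIKE 'ping\_%'),       -- strip every caller ping_* key
             '{}'::jsonb)
           || jsonb_build_object(                      -- then pin the four audit keys
                'ping_origin',   'external_operator',
                'ping_actor',    coalesce(nullif(current_setting('app.heartbeat_actor', true), ''),
                                          session_user::text),
                'ping_at',       now(),
                'ping_function', 'fn_queue_heartbeat_ping_external');
$$;

-- Spoof attempt (constructed input): ping_actor and ping_origin supplied by the
-- caller are discarded; only "note" survives, the pinned values are appended.
SELECT pin_ping_metadata('{"note":"ok","ping_actor":"spoofed","ping_origin":"internal"}');

-- With the session variable set, ping_actor reflects it instead of session_user.
BEGIN;
SET LOCAL app.heartbeat_actor = 'ops_alice';
SELECT pin_ping_metadata('{}') ->> 'ping_actor';
ROLLBACK;
```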

Post-D31 state

All gates restored to safe defaults at end of test pack:

queue.dlq.replay_enabled    | false
queue.job_substrate.enabled | false
iu_core.composer_enabled    | false
queue.worker.enabled        | false
queue.notify.enabled        | false
queue.lease.reaper_enabled  | false
queue.heartbeat.enabled     | true   -- governance armed (Phase 2 baseline)

No durable mutation from any D31 probe.

Source: knowledge/dev/laws/dieu44-trien-khai/v0.6-dieu45-phase-3b-queue-cutter-hardening/05-queue-d31-integrity-pack.md