100000x · 08 — Ready for Real Điều 37 MARK→CUT Test

Status: GREEN-LIGHT. Pipeline operational end-to-end. Operator-supplied source can flow through unchanged.

What's live

• fn_iu_mark_create_manifest (mig 038 · 91000x)
• fn_iu_verify_mark (mig 039 · 91000x)
• fn_iu_cut_from_manifest (mig 040R · 100000x)
• fn_iu_verify_cut_result (mig 041R · 100000x)
• fn_iu_staging_cleanup (mig 037 · 91000x; 15d / 30d lifecycle)
• All 7 lifecycle states + tightened consumed-consistency CHECK (mig 037 · 91000x)

Operator runbook for Điều 37

Step 0 — Prepare source

• Có source text Điều 37 (text/markdown/từ file).
• Compute md5(source) → <source_hash>.
• Designate <source_ref> (e.g. DIEU-37-v1).

Step 1 — Build cut_manifest

A cut_manifest jsonb with:

{
  "manifest_version": "v0.6",
  "source_id": "<source_ref>",
  "source_hash": "<md5 of source>",
  "source_bytes": <octet_length of source>,
  "manifest_digest": "<32-hex deterministic digest>",
  "pieces": [
    {
      "local_piece_id": "p1",
      "parent_local_id": null,
      "unit_kind": "law_unit",
      "content_text": "<piece text>",
      "section_type": "paragraph|definition|principle|...",
      "section_code": "k1",
      "piece_role": "clause|body|step|...",
      "canonical_address": "DIEU-37-v1#k1",
      "source_position": 1
    },
    …
  ]
}

Vocab guards (live-verified):

• section_type ∈ {appendix, article, changelog, checklist, definition, governance_process, heading, instruction_block, paragraph, principle, process, section, technical_spec}. clause is NOT valid for section_type.
• piece_role ∈ {title, intro, body, step, clause, appendix, reference} (this lives on the collection-membership edge if you later add to a collection).
• unit_kind ∈ {design_doc_section, law_unit}. For real Điều 37 use law_unit.

Step 2 — MARK

SELECT fn_iu_mark_create_manifest(
  p_manifest          := <manifest jsonb>,
  p_mark_report_md    := <markdown report>,
  p_coverage_proof    := jsonb_build_object('covered_bytes', octet_length(source)),
  p_determinism_digest:= <32-hex>,
  p_source_kind       := 'user',  -- vocab {agent, user, system, import}
  p_source_ref        := 'DIEU-37-v1',
  p_idempotency_key   := 'dieu37-cut-' || extract(epoch from now())::text,
  p_actor             := 'operator-<name>'
);
-- → captures :sid

Step 3 — VERIFY-MARK (dry-run then approve)

SELECT fn_iu_verify_mark(:sid::uuid, false);  -- dry-run
SELECT fn_iu_verify_mark(:sid::uuid, true,
  'knowledge/.../approval-doc.md',  -- approval_doc_id
  'operator-<name>',
  'operator-<name>');

Verdict must be approved; lifecycle → approved.

Step 4 — Open composer gate

UPDATE dot_config SET value='true' WHERE key='iu_core.composer_enabled';

Step 5 — CUT (dry-run then apply)

SELECT fn_iu_cut_from_manifest(:sid::uuid, false, <md5(source)>, 'operator-<name>');  -- dry-run
SELECT fn_iu_cut_from_manifest(:sid::uuid, true,  <md5(source)>, 'operator-<name>');  -- apply
-- → captures :run_id from result

Apply returns {ok:true, applied:true, pieces_created_count:<n>, run_id:<uuid>, …}.

Step 6 — VERIFY-CUT

SELECT fn_iu_verify_cut_result(:run_id::uuid, 'operator-<name>');

Verdict must be verified, all axes ok, no_vector_ok:true, problems:[].

Step 7 — Close gate (if you opened it for this cut)

UPDATE dot_config SET value='false' WHERE key='iu_core.composer_enabled';

Step 8 — Post-cut healthcheck

SELECT count(*) FROM information_unit WHERE doc_code='DIEU-37-v1';
SELECT lifecycle_status, consumed_at, consumed_by_run_id FROM iu_core.iu_staging_record WHERE staging_record_id=:sid;
SELECT count(*) FROM iu_vector_sync_point WHERE unit_id IN (SELECT id FROM information_unit WHERE doc_code='DIEU-37-v1');
-- expect: piece count = manifest length; lifecycle=consumed; vsp refs=0

What this pipeline GUARANTEES

• Refusal-by-default — G1-G7 reject any cut that lacks approval, has stale digest, mismatched source hash, or finds the composer gate closed.
• Atomicity — every cut is one TX; partial failure (e.g. one fn_iu_create raises) rolls back the whole cut and the staging row stays approved (re-cuttable).
• No vectorization — 4-layer structural guarantee (see report 05). CUT never writes to iu_vector_sync_point or contacts Qdrant.
• Audit trail — every refusal AND every apply writes one dot_iu_command_run row with run_id in evidence. The same run_id is stamped on the staging row's consumed_by_run_id.
• Re-cut idempotency — once a staging row is consumed, G3 (not_approved) blocks any second cut attempt. New cut requires new MARK + new approval.

What to avoid

• Do NOT call fn_iu_cut_from_manifest against a pending_review row — it refuses with not_approved (correct, but wastes a run_id).
• Do NOT compute the manifest_digest with non-canonical whitespace (the determinism_digest must be reproducible from the source). Use the documented whitespace_collapse_v1 normalization.
• Do NOT leave the composer gate true after a cut — close it; the gate is the operator's intent signal.

Cross-links

• 80000x doctrine — MARK→REVIEW→CUT→VERIFY operating model.
• Report 04 — the proof that this runbook works (PASS).
• Report 02 / 03 — function-level contracts.