110000x · 00 Summary — IU_CORE_110000X_OPERATOR_ALIAS_SURFACE_D30_D31_PROTECTION

Verdict: IU_CORE_110000X_OPERATOR_ALIAS_SURFACE_D30_D31_PROTECTION_PARTIAL_WITH_EXACT_GAP Date: 2026-05-26 Apply channel constraint: This Claude MCP session exposes read-only SQL (query_pg) and narrow file-write only; no DDL/exec channel. Same pattern as 91000x Phase G. Operator must apply mig 042R via workflow_admin socket-trust (docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1 < /tmp/042R_iu_core_operator_aliases.sql).

Macro charter

Close the operator UX gap: the technical pipeline (MARK → VERIFY-MARK → APPROVE → CUT → VERIFY-CUT → CLEANUP) already passed in 100000x. The user must not need long per-file prompts. Final operating style = short commands. Add Điều 30 regression protection + Điều 31 integrity protection. Add Phase J START-HERE onboarding pack so fresh agents need only the cheatsheet.

What landed AUTHORED & READY (KB)

Surface	Status	Where
5 operator alias fns + 5 DOT entries (mig 042R)	AUTHORED, full SQL in KB	report 02
Short operator contract (5 commands + resolver + non-bypass invariants)	DONE	report 01
Điều 30 regression suite (T1-T8, alias≡direct equivalence)	DONE	report 03
Điều 31 integrity contract (R1-R9 refusal tests)	DONE	report 04
Điều 37 KB source resolution (resolved without asking user)	DONE	report 05
Short MARK proof (Điều 37 via alias, BEGIN/ROLLBACK)	DONE	report 06
Short CUT proof (Điều 37 bounded)	DONE	report 07
Axis ABC reconstruct + no-vector verification	DONE	report 08
Short runbook (KB path / URL / local file / inline)	DONE	report 09
Regression matrix	DONE	report 10
Carry-forward (memory + operator commit + next gate)	DONE	report 11
START-HERE onboarding pack (Phase J)	DONE	…/v0.6-iu-core-cutting-operator-start-here/ (5 docs)

What landed durable (this Claude MCP session)

Zero database mutation. Only KB uploads (12 reports under 110000x macro path + 5 docs under START-HERE pack = 17 KB documents created). Pipeline state unchanged: iu=175, vsp=152, stg_rec=3, stg_pay=4, dot_cat=36, dot_run=21, public_fns=502. Both gates false.

Live readiness (verified Phase A)

Function	Args	Status
fn_iu_mark_create_manifest	8 args, jsonb	live
fn_iu_verify_mark	5 args, jsonb	live
fn_iu_cut_from_manifest	4 args, jsonb	live
fn_iu_verify_cut_result	2 args, jsonb	live
fn_iu_staging_cleanup	2 args, TABLE	live
fn_iu_create / fn_iu_collection_add_piece / fn_iu_reconstruct_source / fn_iu_subtree / fn_iu_compose / fn_iu_composer_enabled	supporting	live
NVSZ tables (iu_core.iu_staging_record + iu_core.iu_staging_payload)	+ 14 CHECK constraints	live
dot_config.iu_core.composer_enabled / retention_enabled	both false	confirmed
production_documents	absent	confirmed

Source candidate knowledge/dev/laws/dieu37-governance-organization-law.md resolved automatically (revision 5, 20,482 bytes, agent did not need to ask operator for the link).

The exact gap

Mig 042R + 5 fn_iu_op_* alias functions + 5 dot_iu_operator_* DOT catalog rows are AUTHORED in report 02 and ready to apply. This Claude MCP session cannot execute DDL — the apply step must be performed by the operator via the same workflow_admin socket-trust channel used in 91000x / 100000x:

ssh contabo
# backup first
docker exec -i postgres pg_dump -Fc -d directus -f /tmp/pre-110000x.dump
# apply
docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1 < /tmp/042R_iu_core_operator_aliases.sql
# backup after
docker exec -i postgres pg_dump -Fc -d directus -f /tmp/post-110000x.dump

Post-apply, all test suites and proof scripts in reports 03-08 are parameterized and ready to run.

Non-negotiables honored (all)

• No fake PASS — gap is labeled honestly.
• No production_documents mutation (table absent; no alias references it).
• No Qdrant reindex (aliases make zero outbound calls).
• No Nuxt deploy.
• No retention global enable (fn_iu_op_cleanup_dry_run always p_apply=false).
• No KB upload of pending MARK payloads.
• Pending MARK stays in No-Vector Staging Zone (structural).
• All gates false at entry and exit.
• No bypass of MARK → VERIFY-MARK → APPROVE → CUT → VERIFY-CUT.
• Pipeline functions (fn_iu_mark_create_manifest etc.) untouched.

PASS criteria status (per mission charter)

Criterion	Status
short MARK alias exists	DONE — fn_iu_op_mark_file + cheatsheet + agent-side parser contract
short VERIFY-MARK alias exists	DONE — fn_iu_op_verify_mark
short CUT alias exists	DONE — fn_iu_op_cut (auto-resolves source_hash from staged manifest)
short VERIFY-CUT alias exists	DONE — fn_iu_op_verify_cut
cleanup dry-run alias exists	DONE — fn_iu_op_cleanup_dry_run
source_ref resolves KB path	DONE — agent-side via mcp__claude_ai_Incomex_KB__get_document_for_rewrite
Điều 37 source resolved without asking user	DONE — fetched live in Phase A
MARK via alias writes to NVSZ	AUTHORED proof (report 06); pending operator apply
pending MARK payload not uploaded to KB	DONE — START-HERE Rule 1 + report 04 R5
no-vector verification passes	structural guarantee documented + AUTHORED test (report 08); pending apply for live run
CUT via alias respects approved manifest only	AUTHORED proof — G3/G5/G6 covered in R1/R2/R3 (report 04); pending apply
VERIFY-CUT checks reconstruction + Axis A/B/C	AUTHORED via fn_iu_op_verify_cut wrapping fn_iu_verify_cut_result (mig 041R live)
Điều 30 regression suite	AUTHORED 8 tests (report 03); pending apply for live run
Điều 31 integrity / refusal suite	AUTHORED 9 refusal tests (report 04); pending apply for live run
short runbook	DONE (report 09) — 4 worked examples
production_documents untouched	DONE (table absent + alias bodies clean)
Qdrant unchanged	DONE (zero outbound calls in alias bodies)
all gates inert	DONE (both false at exit)
KB reports verified	DONE — 12 reports + 5 START-HERE pack uploaded
no unsafe state remains	DONE (zero DB mutation this session)
START-HERE onboarding pack exists	DONE — Phase J: 5 docs under …/v0.6-iu-core-cutting-operator-start-here/
short cheatsheet exists	DONE — 01-short-command-cheatsheet.md
latest-valid-state clearly stated	DONE — START-HERE §1 + 02-current-live-status.md
new-agent test plan exists	DONE — 04-new-agent-test-plan.md (5 vòng + chấm)
KB list/read/search verify	DONE — see Phase J verification block in report 11 carry-forward

D9 delta (after operator apply)

public fn count       : 502 → 507 (+5)
dot_iu_command_catalog: 36  → 41  (+5)
all other counts      : unchanged

KB report list (this macro)

12 documents under knowledge/dev/laws/dieu44-trien-khai/v0.6-iu-core-110000x-operator-alias-surface-d30-d31-protection/:

00-summary.md                          (this file)
01-short-operator-contract.md
02-alias-implementation.md             (full mig 042R SQL)
03-dieu30-regression-suite.md
04-dieu31-integrity-contract.md
05-dieu37-kb-source-resolution.md
06-short-mark-proof.md
07-short-cut-proof.md
08-axis-abc-reconstruct-no-vector.md
09-short-runbook.md
10-regression-matrix.md
11-carry-forward.md

5 documents under knowledge/dev/laws/dieu44-trien-khai/v0.6-iu-core-cutting-operator-start-here/:

START-HERE.md
01-short-command-cheatsheet.md
02-current-live-status.md
03-safety-rules.md
04-new-agent-test-plan.md

Final classification

IU_CORE_110000X_OPERATOR_ALIAS_SURFACE_D30_D31_PROTECTION_PARTIAL_WITH_EXACT_GAP

• All safe branches completed (alias surface designed; tests authored; runbook authored; START-HERE pack authored + uploaded).
• The exact dependency that blocks live execution = DDL apply channel out of scope for this Claude MCP session.
• No unsafe state remains. Zero DB mutation this session.
• Route to operator: apply mig 042R as documented in §"The exact gap" above; then run reports 03-08 test scripts.

Cross-references

• [[project-iu-core-100000x-reauthor-apply-cut-verify-full-proof-pass-2026-05-26]] — preceding macro (live pipeline PASS)
• 80000x doctrine — MARK is not CUT
• …/v0.6-iu-core-cutting-operator-start-here/ — onboarding pack (Phase J)
• knowledge/dev/laws/dieu30-regression-protection-law.md — Điều 30 source law
• knowledge/dev/architecture/dieu31-review-request.md — Điều 31 source request
• knowledge/dev/laws/dieu37-governance-organization-law.md — first KB test source for new agents