01 — Macro frame · gates · target state

• Macro: IU_CORE_2000X_QDRANT_BOUNDED_REINDEX_DIRECTUS_APPLY_NUXT_ASSEMBLY_ACCEPTANCE_OPEN_GOAL
• Date: 2026-05-23
• Host: MacBook/dev /Users/nmhuyen/iu-cutter-build/repo/iu-cutter
• Production: VPS vmi3080463 (contabo), container postgres (postgres:16), DB directus; container incomex-qdrant (qdrant/qdrant) at http://qdrant:6333 on docker network docker_incomex; container incomex-agent-data carries OPENAI_API_KEY + QDRANT_API_KEY (+ QDRANT_URL, QDRANT_COLLECTION); container incomex-directus carries ADMIN_EMAIL/ADMIN_PASSWORD/PUBLIC_URL.
• Outcome: IU_CORE_2000X_QDRANT_REINDEX_DIRECTUS_APPLY_EXTERNAL_PASS (with one Directus permission-quirk external blocker recorded).

1. What this macro closed

The 1500x closeout left IU Core "externally-integration-ready":

• Migration 021 + iu_qdrant_collection_registry durable.
• Live empty iu_core_iu_chunks collection (1536/Cosine/green/0 points).
• OpenAIEmbedder + apply_iu_set + ensure_collection authored, unit- tested with a fake poster, but never run against a live OpenAI key + live Qdrant.
• Directus registration package authored, never applied.
• Nuxt assembly contract authored, never built end-to-end against the production envelope.

2000x closes those externals where safely possible in one block.

2. Live initial state (verified before any mutation)

relation	count
information_unit (active)	151
v_ui_iu_three_axis_envelope	163
iu_piece_collection	3
iu_piece_membership	8
dot_iu_command_run	18
iu_tree_change_log	56
iu_route_attempt / dead-letter	68 / 0
iu_vector_sync_point	3 (1500x dryrun grandfather rows)
dot_iu_runtime_lease	0
iu_qdrant_collection_registry (active)	1 (iu_core_iu_chunks 1536 Cosine openai:text-embedding-3-small)
iu_tree_path	158

All gates inert at start (composer / delivery / structure_ops / operator_runtime / vector_sync = false; routes_master / route_worker = true).

Qdrant live (via API-key authenticated GET):

collections      ["production_documents", "iu_core_iu_chunks"]
iu_core_iu_chunks size=1536 distance=Cosine status=green points=0

3. Mandatory gates — all PASS

1. Host = MacBook with psql + pg_dump + ssh contabo ✓
2. Target identity = directus DB on postgres container ✓
3. Fresh pg_dump -Fc backup /opt/incomex/backups/directus-pre-iucore-2000x-20260523T033615Z.dump, 77 194 461 bytes, sha256 812803183870538208a6d5e4816139e0f6ef019e0ac3647f0df61f9ded4dec84 ✓
4. 1500x objects all present (migration 021 + runtime/310 effects: table iu_qdrant_collection_registry, view v_iu_qdrant_collection_active, view v_ui_iu_directus_registration_envelope, fns fn_iu_qdrant_collection_register / _retire, fn fn_iu_vector_sync_record_v2) ✓
5. Three-axis envelope returns 163 rows ✓
6. Vector-boundary rule enforced at three layers (app + fn + DB CHECK) ✓
7. UI assembly boundary preserved (no Nuxt business logic; no direct PG from Nuxt) ✓
8. Secrets discovered safely: OPENAI_API_KEY (164 chars) + QDRANT_API_KEY (27 chars) present in incomex-agent-data; Directus admin login token (321 chars) live in incomex-directus — no value ever logged ✓
9. Bounded operation (3–10 IUs target; 5 IUs selected → 6 points) ✓
10. Rollback authored before apply (gate close + Qdrant DELETE /collections + Directus DELETE /collections/<name> + registry fn_iu_qdrant_collection_retire) ✓
11. Commands/events/vocabulary stay registry/config/DOT-backed ✓
12. Semantic taxonomy registry-backed ✓
13. OperatorRuntime not used in this macro — composer / structure / operator gates stayed closed ✓
14. Vector sync cannot destructively overwrite production_documents (separate collection) ✓
15. Vector sync cannot cross IU boundary (three-layer enforcement intact; +2 regression tests prove it) ✓
16. Qdrant + embedder secret not guessed/hardcoded — env-only ✓
17. Qdrant collection plan discovered from v_iu_qdrant_collection_active (DB SSOT) ✓
18. Directus registration read-only by construction (collection meta- only insert; permission grant is READ; reversible) ✓
19. Delivery remains controlled — internal only ✓
20. Text-as-code remains fail-closed ✓
21. UI/surface change required no deploy/restart ✓
22. PG → Directus → Nuxt assembly path only ✓
23. AgentData upload/list/search verification path executed (doc 07 §16) ✓

4. Target end-state reached

• Migration set unchanged (no new DDL; 1500x already authored 021).
• Qdrant iu_core_iu_chunks now holds 6 live points covering 5 IUs (one IU split into 2 chunks under the boundary rule) — embedded via openai:text-embedding-3-small at dim 1536, Cosine.
• PG iu_vector_sync_point now carries 6 sync_status='indexed' rows for those points (gate flipped during apply, closed afterwards).
• Directus collection v_ui_iu_three_axis_envelope registered as a managed collection (schema=null, view-backed). Field/items access blocked by Directus v11 permission quirk on view-backed schema:null collections — recorded as exact external blocker.
• Nuxt assembly contract built end-to-end against the live envelope: 16 fields, 10 axis filters, 5 tab groups (primary, axis_a, axis_b, axis_c, meta), 5 rules (4 MUST-NOT + 1 MUST positive constraint). No Nuxt code written, no deploy.
• TWO durable defect-fixes in cutter_agent/iu_core/vector_sync.py:
  1. point_id_for(point_key) — deterministic UUIDv5 — Qdrant point id wire format. Closes a real HTTP 400 the 1500x suite never exercised.
  2. record_plan accepts status='indexed'. Closes a Python guard that contradicted apply_iu_set's documented contract.
• +10 new tests (tests/test_iu_core_2000x_qdrant_id_and_indexed_apply. py + 2 updated). 1093 tests total (1083 → 1093, +10 net).
• DOT/no-hardcode/five-layer remain clean (no new DDL; the Qdrant point id namespace is a single named constant in vector_sync.py).