25000x · 05 — Internal Event Automation Boundary

What the boundary is

fn_iu_auto_instantiate_from_event is an in-process orchestrator invoked by the caller.

caller (script / cron / DOT / app)
  │  passes event_id + event_type + template_id + suffix + mode + actor
  ▼
fn_iu_auto_instantiate_from_event  ◄── gate: iu_core.auto_instantiate_enabled (live only)
  │                                ◄── gate: iu_core.composer_enabled (always)
  │
  ├── composes new instance (mig 031 lineage + mig 033 sidecar log row)
  └── emits OPTIONAL event row via existing `iu.template.instance_auto_composed`
      registered event_type (currently inert: NO route attached, NO worker enabled,
      `iu_core.delivery_live_routes` empty, so the event row would sit in
      event_outbox unattended even if emitted).

What is durably wired up (after 25000x)

• event_type_registry: iu.template.instance_auto_composed row exists, delivery_lane='delayed', active=true.
• iu_outbound_route / iu_sql_event_route: no route bound to the new event type. → No external delivery channel.
• iu_core.delivery_enabled = false, iu_core.route_worker_enabled = true (operational), iu_core.delivery_live_routes = '' (empty allowlist).

What is NOT wired up (by design — constitutional)

• No daemon, no cron, no worker spawned for the new orchestrator.
• No external HTTP / webhook delivery for the new event type.
• No automatic Qdrant indexing of the auto-instantiated instance content.
• No automatic envelope refresh for the new piece IUs (must be triggered explicitly via fn_iu_three_axis_envelope_refresh).

Live proof — internal event runtime fires inside TX, rolls back cleanly

Phase C9 already proved this: with piece_event_runtime.emit_enabled=false left at its post-18000x state (still false after 25000x), the orchestrator did NOT call fn_iu_piece_emit_event during the live durable run. The internal event substrate is "armed" but not triggering deliveries.

The 18000x "internal LIVE event proof" demonstrated that even when piece_event_runtime.emit_enabled=true is flipped inside a TX, the event_outbox row stays inside the TX and rolls back to zero — proving live tag is separable from external delivery.

Rollback recipes

Three independent rollback paths exist:

1. Per-event-row (TX-local). Wrap the call in BEGIN ... ROLLBACK for dry-run only.
2. Per-actor (durable). SELECT fn_iu_auto_instantiate_rollback_by_actor('<actor>', false); deletes sidecar + lineage + instance + membership for that actor. Confirm with dry_run=true first.
3. Per-substrate (catastrophic). psql -f sql/iu-core/rollback/033_auto_instantiate_from_event.rollback.sql drops the entire mig 033 surface. Refuses to drop the log table while rows exist unless SET iu_core.force_rollback_033=true.

Conclusion

The boundary is inside the DB process: events are simulated by callers, consumed by fn_iu_auto_instantiate_from_event, composed via existing fn_iu_compose, and logged in a sidecar table. No external system (Linear, Slack, webhook) is reachable from this path without an operator explicitly registering a route — forbidden by this macro's authority pack.