07 — 3000x final report + next macro package

1. Status

IU_CORE_3000X_NUXT_REDEPLOY_AUTO_REFRESH_RETRIEVAL_PARTIAL_WITH_EXACT_GAP

• 16 acceptance-matrix rows DONE (incl. 4 new in 3000x: auto-refresh hook + drift status view + Qdrant retrieval smoke + external operator commands).
• 1 row BLOCKED outside IU Core scope (Nuxt frontend authoring — see doc 04). The block is explicit, measured, and not an IU Core code or deploy gap.
• 0 unsafe state at end. All write gates false. Backup anchor live.

2. What changed

2.1 Code (commits ad0a36a + c426de4 on main, parent 4dff566)

• sql/iu-core/023_three_axis_envelope_auto_refresh_hook.sql (new): audit-log table + refresh-if-stale wrapper + status view + reserved gate.
• sql/iu-core/rollback/023_three_axis_envelope_auto_refresh_hook.rollback.sql (new): drops view → fn → config row → table in safe order.
• sql/iu-core/runtime/330_three_axis_envelope_auto_refresh_smoke.sql (new): dry-run + live drift-gated smoke + fail-closed assertion.
• sql/iu-core/runtime/rollback/330_…rollback.sql (new): delete-by-actor for the smoke run.
• sql/iu-core/sandbox/220_three_axis_envelope_auto_refresh_probe.sql (new): 8-probe BEGIN/ROLLBACK probe.
• sql/iu-core/runtime/110_iu_core_dot_conformance_scan.sql updated: SSOT inventory +4 rows (table / view / function / config); D9 VALUES bumped 20→21 / 21→22 / 49→50 / 8→9; total 132 → 136.
• cutter_agent/iu_core/dot_commands.py: new external category + 7 read-only operator commands (refresh wrapper, drift_check, status, directus_verify, nuxt_config_verify, qdrant_collection_status, external_healthcheck). Total registry: 17 governed + 7 external = 24.
• tests/test_iu_core_3000x_auto_refresh_external_surface.py (new): 38 tests across 7 contract classes (migration 023 contract + rollback, runtime/330 smoke + rollback, sandbox/220 probe, runtime/110 SSOT extension, external dot commands, vector boundary preservation).
• 9 existing tests get mechanical DOT-count bumps (120x, 240x, 480x, 500x, 540x, 60x, 1k_vector_sync_lease, 1500x, 1k_plus, 2400x, ddl).

2.2 Production durable changes

• Migration 023 applied to live directus DB on container postgres (vmi3080463). CREATE TABLE / FUNCTION / VIEW / INDEX + 1 INSERT into dot_config.
• Runtime/330 ran: 2 audit log rows (actor='iu_core_3000x_runtime_330_smoke', outcomes dry_run + skipped_in_sync). No IU mutated.
• DOT scan re-run on prod: all 7 layers ok=true (21 / 22 / 50 / 3 / 9 / 15 / 16 = 136).

2.3 Production transient

• None. The new gate (iu_core.three_axis_auto_refresh_enabled) was inserted with default false and never toggled.

3. Backup

pg_dump -Fc against the live postgres container, taken BEFORE any mutation:

• File: /opt/incomex/backups/directus-pre-iucore-3000x-20260523T071027Z.dump
• Size: 77 599 842 bytes
• sha256: 95dd1d871b351d08fb076a43ccd6ee20dcdc290d06324f35f2666402cc5253cc
• Recovery: docker exec postgres pg_restore -U directus -d directus -c against the dump.

4. Tests

• tests/test_iu_core_3000x_auto_refresh_external_surface.py — 38 passed (migration / rollback / runtime / sandbox / DOT SSOT / external dot commands / vector boundary contract classes).
• 9 existing tests updated for the DOT-count bump (mechanical, no behaviour change).
• Full suite: python3 -m pytest tests/ -q --ignore=tests/_orchestrator_o2_harness.py → 1152 passed in 0.68 s (+38 net over 2400x).

5. Five-layer sync (rolled up from doc 06)

layer	impact
PG	migration 023 (+1 table / +1 view / +1 function / +1 config); runtime/330 (2 audit rows); gate stays false
Directus	none — 2400x state preserved (iu_three_axis_envelope collection + Administrator READ)
Nuxt	none — explicit blocker recorded (doc 04); no env flip, no restart
AgentData	+7 KB reports (this directory)
Qdrant	none — read-only retrieval/payload audit; production_documents untouched

6. Rollback / disable readiness

layer	rollback
Migration 023	sql/iu-core/rollback/023_three_axis_envelope_auto_refresh_hook.rollback.sql
Runtime/330 audit rows	sql/iu-core/runtime/rollback/330_…rollback.sql (delete-by-actor)
Auto-refresh gate	already false; toggling is a no-op (no trigger installed)
Audit log	TRUNCATE iu_three_axis_envelope_refresh_log is safe (cache-side data only)
External dot commands	git revert the dot_commands.py hunk; or remove the 7 entries from _REGISTRY
DOT SSOT	revert runtime/110 to the 2400x state (D9 VALUES + 4 inventory rows)
022 / 020 / earlier	unchanged — every prior rollback still works

7. DOT / no-hardcode / five-layer status

• DOT 132 → 136 / 136 PASS (table 20→21, view 21→22, function 49→50, config 8→9; trigger/event_type/route unchanged).
• No hardcoded literal introduced. Every collection name / host / secret / field discovered from registry/config/env (doc 06 §3).
• Five-layer impact classified above; no layer skipped.

8. KB / AgentData

The 7 reports in this directory have been uploaded to AgentData with mcp__agent-data__upload_document and verified via list_documents + get_document + search_knowledge. Per-report metadata + content sizes are recorded in the upload log.

9. Decision — IU Core readiness

IU Core remains externally integrated. 3000x added the operational hardening layer the 2400x report flagged:

• a drift-gated, audited refresh wrapper for the promoted three-axis cache (so it stays fresh without operator memory);
• a one-row status view + operator command (so health is a single query, not three);
• read-only retrieval smoke against Qdrant (so the per-IU boundary is re-proven any time the operator asks);
• a packaged operator surface for the three external layers (so future operators do not need to know raw SQL / curl / docker steps).

The only carry-forward is frontend authoring of the Nuxt admin screen against the existing 1500x assembly contract — which is outside IU Core scope.

10. Exact blocker carried forward (single)

NUXT_FRONTEND_AUTHORING_FOR_THREE_AXIS_ADMIN_SCREEN — see doc 04 §3.

When the frontend ships, the deploy step is one compose env addition + single-container restart, and dot_iu_nuxt_config_verify confirms it reached the running container.

11. Recommended next macro

IU_CORE_3200X_AUTO_REFRESH_TRIGGER_AND_HEALTHCHECK_AUTOMATION

Slice A (additive, gated):

1. Migration 024 — install a row-level AFTER UPDATE trigger on unit_version keyed on enacted_at flip; trigger fires only when iu_core.three_axis_auto_refresh_enabled = true and calls fn_iu_three_axis_envelope_refresh_if_stale(actor='iu_lifecycle_trigger', p_dry_run=false, p_force=false).
2. Flip the gate false → true inside try/finally for a controlled pilot; capture audit log; flip back if anything is unsafe.

Slice B (additive, read-only):

1. An ops-side scheduled call (operator's existing cron) that runs dot_iu_three_axis_envelope_drift_check every N minutes and posts the result to a dashboard.
2. dot_iu_external_healthcheck integrated with an external monitor (e.g. uptime-kuma) for at-a-glance status.

Neither slice modifies the Nuxt boundary.

12. Alternative smaller slices

• IU_CORE_3100X_AUDIT_LOG_RETENTION_POLICY — add a partition or retention CLI for iu_three_axis_envelope_refresh_log (delete rows older than 90 days, gated, dry-run by default). No new DDL beyond one fn + one operator command.
• IU_CORE_3500X_DIRECTUS_PROVENANCE_FIELDS_REGISTRATION — add the two provenance columns (refreshed_at, refreshed_by) to the Directus field metadata so they appear in the admin UI without manual field-management.

13. Verification gate before the next macro

The next macro should start only after GPT/User has verified via AgentData list_documents + search_knowledge that the 7 reports in this directory are present and searchable, AND that production reports:

• iu_three_axis_envelope carries 163 rows with drift in_sync=true;
• iu_three_axis_envelope_refresh_log carries at least the 2 smoke rows (id ≥ 7 after 3000x);
• dot_config.iu_core.three_axis_auto_refresh_enabled = false;
• DOT scan returns 136/136;
• 1152 tests passing on the 3000x commit.