KB-2C7C

50000x · 04 — Phase F internal event boundary proof (PASS)

Revision 1
Tags: iu-core, 50000x, event-boundary, phase-F, internal-only

Goal

Promote the 25000x mig-033 "internal-only" boundary on event_type='iu.template.instance_auto_composed' from documentary ("no route attached, gate closed") to a runtime-proven, layered invariant that can be re-checked on every healthcheck tick.

Script

ops/50000x-autoscope-refresh-scaleout-event-ops-closeout/event-boundary/internal_only_proof.sql

Read-only assertion + one bounded BEGIN/ROLLBACK probe. Idempotent — safe to schedule periodically.

Three-layer invariant

| Layer | Check | Result |
| --- | --- | --- |
| L1 — Registry | event_type_registry.delivery_lane <> 'live' for iu.template.instance_auto_composed | delayed |
| L2a — Routing | count(*) FROM iu_outbound_route WHERE route_code LIKE '%instance_auto_composed%' = 0 | 0 ✓ |
| L2b — Routing | count(*) FROM iu_sql_event_route WHERE target_event_type = 'instance_auto_composed' = 0 | 0 ✓ |
| L3a — Worker | dot_config 'iu_core.delivery_enabled' = 'false' | false ✓ |
| L3b — Worker | dot_config 'iu_core.delivery_live_routes' = '' | empty ✓ |

BOUNDARY_INVARIANT aggregate row returns internal_only_holds = true.

Bounded probe

BEGIN;
INSERT INTO event_outbox (event_domain, event_type, event_stream, delivery_lane,
                          event_subject_table, event_subject_ref, canonical_address,
                          actor_ref, source_system, safe_payload)
VALUES ('iu', 'template.instance_auto_composed', 'update', 'delayed',
        'iu_collection_template_instance_lineage', '50000x-boundary-probe',
        'probe:50000x:internal-boundary',
        'iu-core-50000x-boundary', 'iu-core-50000x',
        '{"probe":"50000x-internal-boundary"}'::jsonb);
-- 1 row inserted into event_outbox
-- fn_iu_delivery_enabled() returns false  (gate closed)
-- iu_route_attempt rows in last minute = 0
-- iu_route_dead_letter rows in last minute = 0
ROLLBACK;
-- post-rollback: probe row gone from event_outbox; gates unchanged.

What this proves: when the gate is closed (live default) and no route keys the event, an outbox row triggers ZERO delivery work. The boundary is enforced at the worker layer, not just at the route table.

Discovery surprises (filed as lessons)

  1. event_outbox.event_severity (not severity); safe_payload (not payload).
  2. event_outbox has a CHECK validator trigger asserting event_stream matches the registered event_stream for (event_domain, event_type). For iu.template.instance_auto_composed the registered stream is literally update (not the qualified name).
  3. iu_route_attempt uses started_at, not created_at.
  4. iu_route_dead_letter uses first_failed_at, not created_at.

Rollback path for accidental future route registration

DELETE FROM public.iu_outbound_route WHERE route_code LIKE '%instance_auto_composed%';
DELETE FROM public.iu_sql_event_route
 WHERE target_event_type = 'instance_auto_composed'
    OR target_event_domain || '.' || target_event_type = 'iu.template.instance_auto_composed';

Carry-forward: healthcheck surface integration

Promote BOUNDARY_INVARIANT from one-shot proof to green/red signal on every Mac cron / VPS systemd tick — filed as 50000x → 60000x carry-forward §F1.
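
A sketch of what such a per-tick check could look like, added here as an example and not taken from internal_only_proof.sql. It runs the five layer checks from the table against a constructed in-memory SQLite stand-in and reports which layer broke. The dot_config column names (config_key, config_value), the registry key columns, and the sample route code are assumptions. A missing registry row or config key is treated as a failure rather than a pass.

```python
import sqlite3

# One query per layer from the table above; each returns 1 when that layer holds.
# A missing registry row or config key fails the check (fail closed).
CHECKS = {
    "L1_registry": """SELECT count(*) = 1 FROM event_type_registry
                      WHERE event_domain = 'iu'
                        AND event_type = 'template.instance_auto_composed'
                        AND delivery_lane <> 'live'""",
    "L2a_outbound_route": """SELECT count(*) = 0 FROM iu_outbound_route
                             WHERE route_code LIKE '%instance_auto_composed%'""",
    "L2b_sql_event_route": """SELECT count(*) = 0 FROM iu_sql_event_route
                              WHERE target_event_type = 'instance_auto_composed'""",
    "L3a_delivery_enabled": """SELECT count(*) = 1 FROM dot_config
                               WHERE config_key = 'iu_core.delivery_enabled' AND config_value = 'false'""",
    "L3b_live_routes": """SELECT count(*) = 1 FROM dot_config
                          WHERE config_key = 'iu_core.delivery_live_routes' AND config_value = ''""",
}

def build_sample_db(extra_route=None):
    """Constructed stand-in schema (assumed columns) seeded with the PASS state."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE event_type_registry (event_domain TEXT, event_type TEXT, delivery_lane TEXT);
        CREATE TABLE iu_outbound_route (route_code TEXT);
        CREATE TABLE iu_sql_event_route (target_event_domain TEXT, target_event_type TEXT);
        CREATE TABLE dot_config (config_key TEXT, config_value TEXT);
        INSERT INTO event_type_registry VALUES ('iu', 'template.instance_auto_composed', 'delayed');
        INSERT INTO dot_config VALUES ('iu_core.delivery_enabled', 'false'),
                                      ('iu_core.delivery_live_routes', '');
    """)
    if extra_route:  # simulate an accidental future route registration
        db.execute("INSERT INTO iu_outbound_route VALUES (?)", (extra_route,))
    return db

def boundary_invariant(db):
    """Return (internal_only_holds, failed_layers) for one healthcheck tick."""
    failed = [name for name, sql in CHECKS.items() if not db.execute(sql).fetchone()[0]]
    return (not failed, failed)

if __name__ == "__main__":
    print(boundary_invariant(build_sample_db()))
    print(boundary_invariant(build_sample_db("iu.template.instance_auto_composed.webhook")))
```

Reporting the failed layer names alongside the boolean lets a red tick point directly at the registry, routing, or worker gate instead of only saying the aggregate flipped.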

knowledge/dev/laws/dieu44-trien-khai/v0.6-iu-core-50000x-autoscope-refresh-scaleout-event-ops-closeout-open-goal/04-p3-event-boundary-proof.md