KB-284E rev 2

IU Core 500x — 05 DOT, no-hardcode, five-layer, observability, rollback

5 min read Revision 2

dieu44iu-core-mvp500xdotno-hardcodefive-layerrollbackv0.62026-05-22

05 — DOT / no-hardcode / five-layer / observability / rollback

1. DOT — 106 → 113

class	500x	500x + migration 018
table	14	16
view	14	16
function	38	40
trigger	3	3
config	6	7
event_type	15	15
route	16	16
total	106	113

Migration 018 adds dot_iu_command_catalog + dot_iu_command_run (tables), v_dot_iu_command_registry + v_dot_iu_command_run_health (views), fn_dot_iu_operator_runtime_enabled + fn_dot_iu_command_log (functions), iu_core.operator_runtime_enabled (config). runtime/110's _iu_core_expect SSOT, the D1/D2/D3/D5 echoes, the D8 drift guard (extended to dot_iu_% tables + v_dot_iu_% views) and the D9 verdict VALUES were all bumped in the SAME commit. Live production runtime/110: 113/113, every D9 class ok=true, D8 drift guard 0 rows. 7 DOT-count test files updated.

2. No-hardcode — PASS

018 / rollback/018 / runtime/280 / runtime/rollback/280 / sandbox/130 / sandbox/140 / operator_runtime.py — 0 password / DSN / IP / :5432 / api_key literal (scanned).
fn_dot_iu_operator_runtime_enabled reads the gate from dot_config — no literal value baked in.
operator_runtime.py's psql_executor takes ssh_host / container / db_user / db_name as ARGUMENTS — no host / container / DB hardcoded.
runtime/280's catalog rows (command names + governed function names) are registry-backed domain vocabulary, generated FROM dot_commands.DOT_ COMMANDS and locked to it by a test — same status as runtime/260's event-type strings.
GATE_BY_FUNCTION maps governed functions to dot_config gate keys — classified vocabulary, the required-gate set is derived from it, not a hardcoded per-command list.
The ledger stores an md5 params_digest, never raw values — no secret logging path exists.

3. Five-layer sync

Layer	Impact
PG	Real, applied: migration 018 (2 tables / 2 views / 2 functions / 1 config), `runtime/280` (17 catalog rows). All additive / reversible. Durable proof: 4 `dot_iu_command_run` ledger rows. `information_unit` unchanged at 160; `iu_piece_collection` 2.
Directus	No collection/field DDL — the operator-runtime objects are sidecar `dot_iu_*` tables, not Directus collections. No Directus-managed data touched.
Nuxt	Render-only — `v_dot_iu_command_registry` / `v_dot_iu_command_run_health` are read surfaces for a future operator-console UI; `dot_commands.py` is the command vocabulary that UI would call through `OperatorRuntime`. No component contract change.
AgentData / KB	This macro's 7 reports under `v0.6-iu-core-500x-integrated-autocut-operator-runtime-open-goal/`, uploaded + list/read/search-verified.
Qdrant / vector	No impact. The `iu-tree/` manifests remain natural deterministic vector-index units (carried forward).

4. Observability

Surface	Source
operator command registry + run aggregates	`v_dot_iu_command_registry` (018)
operator-runtime run health	`v_dot_iu_command_run_health` (018)
composer event backlog + delivery state	`v_iu_composer_event_backlog` (016)
collection text-as-code export status	`v_iu_collection_export_status` (016)
route attempt summary	`v_iu_route_attempt_summary` (009)
dead-letter	`v_iu_route_dead_letter_open` (009)
DOT conformance	`runtime/110` — 113/113

5. Rollback / disable readiness

Every mutation path is reversible:

migration 018 → rollback/018 (drops 2 views, 2 functions, 2 tables, the config key); runtime/280 → runtime/rollback/280 (clears the catalog).
Disable path: close iu_core.operator_runtime_enabled (the runtime APPLY path refuses; plan/verify/audit still work) OR close iu_core.composer_enabled (every composer mutator refuses) OR iu_core.routes_master_enabled (emission stops bus-wide).
The durable proof's 4 ledger rows are reversible by DELETE … WHERE actor='runtime_540x_proof'.
Soft-delete remains reversible by one command (dot_iu_restore_piece), surfaced by OperatorRuntime.reversal.

6. End-state gates

iu_core.composer_enabled=false (inert), iu_core.delivery_enabled=false (external delivery blocked), iu_core.operator_runtime_enabled=false (inert — the runtime APPLY path refuses), iu_core.structure_ops_enabled=false, iu_core.routes_master_enabled=true (emission live, controlled), iu_core.route_worker_enabled=true. Every composer route dry_run=true. External delivery structurally impossible. No production CUT. No execution_enabled flip.