IU Core 60x Delivery/Non-reparent — 03 The route delivery seam (migration 013)
03 — The Route Delivery Seam (migration 013)
What was unbuilt
Before this macro, fn_iu_route_deliver(text,uuid,jsonb) RAISEd
feature_not_supported (migration 009 stub), and the CHECK
iu_outbound_route_safe_chk (enabled=false OR dry_run=true) made an
enabled+dry_run=false route structurally impossible. The route worker could
only ever log a dry-run DECISION.
Migration 013 — objects built
013_delivery_seam.sql (one BEGIN…COMMIT, additive except the constraint
swap):
| Object | Role |
|---|---|
| iu_tree_change_log (table) | the projection target — one row per delivered structure event; append-only, UNIQUE(event_ref), truncatable |
| fn_iu_delivery_enabled() | dedicated delivery kill-switch (dot_config 'iu_core.delivery_enabled', fail-closed) |
| fn_iu_structure_consumer(uuid,jsonb) | the internal sql_function consumer — idempotent (ON CONFLICT (event_ref) DO NOTHING), records the projection |
| fn_iu_route_deliver(text,uuid,jsonb) | REPLACED the RAISE stub — a gated, allowlisted dispatcher |
| fn_iu_outbound_route_delivery_guard() + trg_iu_outbound_route_delivery_guard | config-backed BEFORE INSERT/UPDATE guard on iu_outbound_route |
| (DROP) iu_outbound_route_safe_chk | the static CHECK, swapped for the trigger |
Delivery is internal-only and triple-gated
fn_iu_route_deliver refuses unless all hold:
- fn_iu_delivery_enabled() — dot_config 'iu_core.delivery_enabled' is true.
- the route_code is in dot_config 'iu_core.delivery_live_routes' (per-route allowlist).
- the route's target_kind = 'sql_function' AND target_ref = 'fn_iu_structure_consumer'.
Any other target_kind/target_ref → feature_not_supported. No network, no
secret, no external endpoint is reachable. A missing config key denies on every
gate — fail-closed by construction.
The CHECK → trigger swap is STRICTER, not looser
A static CHECK cannot consult dot_config. trg_iu_outbound_route_delivery_guard permits enabled+dry_run=false ONLY for a route_code in the
allowlist. With the allowlist empty (its registered default) the trigger is
behaviourally identical to the old CHECK — no route can go live. The trigger
makes a bounded, reversible, registry-backed exception possible; it never
weakens the default-deny posture.
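The swap described above, sketched as a self-contained PostgreSQL script (an added example, not the project's migration code). The demo_ table names, the dot_config value column, the comma-separated allowlist format and the guard's error code are assumptions.

```sql
-- Added illustration, not the contents of 013_delivery_seam.sql.
-- Assumed: demo_ table names, dot_config(key, value) columns, comma-separated
-- allowlist, and insufficient_privilege as the guard's error code.
BEGIN;
CREATE TABLE demo_dot_config (key text PRIMARY KEY, value text NOT NULL);
CREATE TABLE demo_outbound_route (
  route_code text PRIMARY KEY,
  enabled    boolean NOT NULL DEFAULT false,
  dry_run    boolean NOT NULL DEFAULT true
);

CREATE FUNCTION demo_route_delivery_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  allowlist text[];
BEGIN
  -- Rows the old static CHECK accepted stay acceptable.
  IF NOT NEW.enabled OR NEW.dry_run THEN
    RETURN NEW;
  END IF;
  -- Missing key leaves allowlist NULL; '' parses to an empty array. Both deny.
  SELECT string_to_array(replace(value, ' ', ''), ',') INTO allowlist
    FROM demo_dot_config WHERE key = 'iu_core.delivery_live_routes';
  IF NEW.route_code = ANY (COALESCE(allowlist, '{}')) THEN
    RETURN NEW;
  END IF;
  RAISE EXCEPTION 'route % is not allowlisted for live delivery', NEW.route_code
    USING ERRCODE = 'insufficient_privilege';
END $$;

CREATE TRIGGER demo_trg_route_delivery_guard
  BEFORE INSERT OR UPDATE ON demo_outbound_route
  FOR EACH ROW EXECUTE FUNCTION demo_route_delivery_guard();

INSERT INTO demo_dot_config VALUES ('iu_core.delivery_live_routes', '');
INSERT INTO demo_outbound_route VALUES ('r_demo', true, true);  -- dry-run: accepted

DO $$  -- empty allowlist: going live must be refused
BEGIN
  UPDATE demo_outbound_route SET dry_run = false WHERE route_code = 'r_demo';
  RAISE EXCEPTION 'guard failed open';
EXCEPTION WHEN insufficient_privilege THEN
  RAISE NOTICE 'refused while allowlist is empty';
END $$;

UPDATE demo_dot_config SET value = 'r_demo' WHERE key = 'iu_core.delivery_live_routes';
UPDATE demo_outbound_route SET dry_run = false WHERE route_code = 'r_demo';  -- accepted
ROLLBACK;
```

A guard of this shape runs only when a route row is written, so removing a code from the allowlist later does not flip a row that is already live. The allowlist check inside fn_iu_route_deliver is what refuses delivery in that case.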
runtime/200 — config registration
200_delivery_seam_register.sql registers both keys fail-closed and idempotent
(ON CONFLICT (key) DO NOTHING):
iu_core.delivery_enabled = 'false', iu_core.delivery_live_routes = ''.
Applied to production — INERT
Migration 013 + runtime/200 applied. fn_iu_route_deliver is fail-closed
behind the closed gate + empty allowlist; fn_iu_delivery_enabled() reports
false. The seam is built but inert.
sandbox/080 — BEGIN…ROLLBACK proof, zero durable rows
sandbox/080_delivery_seam_probe.sql — 9 probes, all pass=true:
| Probe | Result |
|---|---|
| D1 gate closed | delivery refused (insufficient_privilege) |
| D2 not allowlisted | delivery refused |
| D3 delivery ok | gated+allowlisted sql_function → projection 0→1 |
| D4 idempotent | re-deliver of same event → projection unchanged |
| D5a guard blocks | enabled+dry_run=false on a non-allowlisted route refused |
| D5b guard permits | same on an allowlisted route accepted |
| D6 unsupported target | target_kind not sql_function → refused |
| D7 worker delivers | route-worker drove deliver→consumer for 44 events — 44 projection rows, 44 sent attempts |
| D8 autocut→delivery | auto-cut-mapped add_new_piece applied, emitted structure_child_added, that event delivered |
ROLLBACK — zero durable rows from the probe.
Reversibility
rollback/013_delivery_seam.rollback.sql restores the RAISE stub + the static
CHECK and drops the table/functions/trigger. runtime/rollback/200 deletes the
two config keys. The projection table is truncatable.