06 — DOT / No-hardcode / Five-layer

No-hardcode — PASS

Every literal in the new SQL/Python is a config key, catalog identifier or bus vocabulary:

• 013_delivery_seam.sql — no uuid literal, no secret, no api-key, no IP, no doc code. The gate keys (iu_core.delivery_enabled / iu_core.delivery_live_routes) and the consumer name (fn_iu_structure_consumer) are the delivery-seam substrate contract; sql_function is iu_outbound_route.target_kind vocabulary — classified.
• runtime/210 — bakes no uuid: the candidate is selected by a discovery query (ORDER BY created_at … LIMIT 1). Verified (test_candidate_is_discovered_not_hardcoded).
• runtime/220 — the route is restored from \gset-captured originals, not baked. \set route_code 'iu.structure_piece_deprecated.workflow' is a registry route_code identifier — classified.
• runtime/200 — config registry rows only.
• delivery_seam.py — knows only fn_iu_structure_consumer (substrate contract); no DSN, no host, no secret.
• Repo-wide scan of the new files: 0 secret / DSN / api-key / private-key / prod-IP matches; 0 uuid literals in 013/210.

DOT — PASS, 60/60

Migration 013 adds 1 table + 3 functions + 1 trigger + 2 config keys. runtime/110's SSOT inventory _iu_core_expect and the D9 verdict counts were bumped in the same commit (table 9→10, function 18→21, trigger 2→3, config 3→5) so the scan can never silently miss them. The D8 drift guard's table shape was extended with iu\_tree% so iu_tree_change_log is drift-covered.

runtime/110 live scan after all changes — D9 conformance:

class	expected	found	ok
table	10	10	t
view	6	6	t
function	21	21	t
trigger	3	3	t
config	5	5	t
event_type	7	7	t
route	8	8	t

60/60 PASS, D8 drift guard 0 rows. The test_scan_* tests assert both halves of the scan agree (sum 60).

Five-layer sync

Layer	Impact
PG	Real change: migration 013 (1 table / 3 fns / 1 trigger / CHECK→trigger swap); runtime/200 (2 config keys); 1 durable deprecate_piece op; 1 IU draft→deprecated; 1 structure_piece_deprecated event; 1 worker sent attempt; 1 iu_tree_change_log projection row. All additive/idempotent; gate-closed for the delivery code.
Directus	Data-only: one information_unit row's lifecycle_status draft→deprecated. The new iu_tree_change_log is an IU-core table, not a Directus collection — no collection/field DDL.
Nuxt	Render-only — a deprecated IU renders with deprecated status; no schema or component contract change.
AgentData / KB	This macro's 8 reports under v0.6-iu-core-60x-durable-nonreparent-delivery-autocut-open-goal/.
Qdrant / vector	No impact — no embedding, no vector collection touched; the delivery seam is metadata-only (payload_classification=safe_metadata).

Reversibility — every mutation path has a disable/rollback

• Migration 013 → rollback/013_delivery_seam.rollback.sql (restores the RAISE stub + static CHECK, drops the table/fns/trigger).
• runtime/200 → runtime/rollback/200_delivery_seam_register.rollback.sql.
• The durable deprecate_piece → fn_iu_structure_op_rollback('158a9bcf…') (compensation snapshot in impact_summary) — proven BEGIN…ROLLBACK.
• iu_tree_change_log projection row → truncatable; rebuilds from event_outbox.
• Gates: iu_core.delivery_enabled / iu_core.delivery_live_routes / iu_core.structure_ops_enabled all closed; master / worker gates closable.