KB-3FB5
IU Core 8000x — Dependency Closure Matrix (44 rows across A–F)
Revision 1
Each row: dependency | exists_now | required_by | live_evidence | missing_object | safe_creation_path | rollback_path | allowed_action | forbidden_action | decision.
A. PG functions / lifecycle FSM
| # | Dependency | Exists now | Required by | Live evidence | Missing object | Safe creation path | Rollback path | Allowed action | Forbidden action | Decision |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | public.fn_iu_enact | YES | lifecycle promotion | pg_proc SELECT confirms; full body inspected | — | — | n/a | call with valid review_decision_id | call without review_decision_id | USE |
| 2 | public.fn_iu_supersede | NO | constitution reversibility | pg_proc SELECT returns 0 | function | sql/iu-core/026_compensation_primitives.sql (8000x) | sql/iu-core/rollback/026_*.rollback.sql | apply migration 026 | call before migration applied | AUTHORED |
| 3 | public.fn_iu_retire | NO | constitution reversibility | pg_proc SELECT returns 0 | function | sql/iu-core/026_compensation_primitives.sql (8000x) | sql/iu-core/rollback/026_*.rollback.sql | apply migration 026 | call before migration applied | AUTHORED |
| 4 | public.fn_iu_verify_invariants | YES | fn_iu_enact preflight | pg_proc SELECT confirms (call permission denied to read-role, fn_iu_enact owns it) | — | — | n/a | (used internally) | call from read-role (denied) | OK |
| 5 | public.iu_lifecycle_vocab rows | YES | fn_iu_enact target_lifecycle check | SELECT returns 4 codes: draft, enacted, retired, superseded | — | — | n/a | passes draft→enacted check | enact with code outside vocab | OK |
| 6 | public.iu_lifecycle_log | YES | fn_iu_enact / supersede / retire write target | pg_attribute shows 14 cols; transition_type NOT NULL | — | — | n/a | INSERT via canonical writer functions | direct INSERT (trigger blocks) | OK |
| 7 | public.fn_iu_enacted_immut trigger fn | YES | blocks body update on enacted | pg_proc SELECT confirms | — | — | n/a | rely on app.canonical_writer marker to bypass | bypass without setting marker | OK |
| 8 | public.unit_version table | YES | fn_iu_enact dual-table update | pg_class SELECT confirms | — | — | n/a | (used internally) | direct UPDATE | OK |
B. Governance authorship path
| # | Dependency | Exists now | Required by | Live evidence | Decision |
|---|---|---|---|---|---|
| 9 | cutter_governance schema | YES | manifest authorship | pg_namespace confirms; read-role lacks USAGE on schema | OK |
| 10 | cutter_governance.manifest_envelope table | YES | review_decision FK | pg_class SELECT (relkind='r') | OK |
| 11 | cutter_governance.manifest_unit_block table | YES | per-IU rendering record | pg_class SELECT (relkind='r') | OK |
| 12 | cutter_governance.review_decision table | YES | fn_iu_enact FK probe | pg_class SELECT; column shape known from ledger_v2_canonical_cut | OK |
| 13 | cutter_governance.cut_change_set table | YES | optional fn_iu_enact bind | pg_class SELECT | OK |
| 14 | cutter_governance.* write privilege | NO (harness) | INSERT / UPDATE / DELETE | Directus REST 403; MCP query_pg read-only | BLOCKED_EXTERNAL_AUTHORITY |
| 15 | Governed authoring function (e.g. cutter_governance.fn_*) | NO | preferred path over raw INSERT | pg_proc SELECT under cutter_governance schema returns 0 | OK (raw deterministic INSERT is v0.5 canonical path) |
C. Candidate corpus
| # | Dependency | Exists now | Required by | Live evidence | Decision |
|---|---|---|---|---|---|
| 16 | DIEU-28 + DIEU-32 + DIEU-35 = 86 IUs | YES | promotion target | SELECT count(*) returns 27+23+36=86 | OK |
| 17 | All 86 lifecycle_status='draft' | YES | fn_iu_enact draft→enacted FSM | count(*) FILTER returns 86 draft | OK |
| 18 | All 86 have non-NULL doc_code, section_type, canonical_address, version_anchor_ref | YES | fn_iu_enact + axis policy | preflight.2 in 00_preflight.sql | OK |
| 19 | 0 orphan parents in candidate set | YES | policy refusal axis_c_orphan_parent | preflight.4 in 00_preflight.sql returns 0 | OK |
| 20 | 86 distinct canonical_address | YES | policy refusal canonical_address_duplicate | SELECT count(DISTINCT)=86 | OK |
| 21 | Candidate hash 29b36fa4… stable | computed | freeze drift guard | recomputed at write time in 01/02/03 preflights | OK |
| 22 | Per-IU fn_iu_verify_invariants PASS | UNKNOWN (read-role denied EXECUTE) | fn_iu_enact preflight | preflight.5 runs at operator time | DEFERRED_OPERATOR |
D. Qdrant onboarding pre-conditions
| # | Dependency | Exists now | Required by | Live evidence | Decision |
|---|---|---|---|---|---|
| 23 | cutter_agent.iu_core.qdrant_onboarding module | YES | preflight + bounded apply | repo file present (6000x macro) | USE |
| 24 | qdrant_onboarding.preflight_iu_ids | YES | enacted-only refusal | function in module | USE |
| 25 | qdrant_onboarding.assert_enacted_only | YES | strict refusal | function in module | USE |
| 26 | qdrant_onboarding.onboard_enacted_set(dry_run=True) | YES | preview | function in module | USE |
| 27 | iu_core.vector_sync_enabled gate | YES (false) | onboarding write window | dot_config SELECT returns 'false' | USE |
| 28 | iu_core_iu_chunks Qdrant collection | YES | target collection | healthcheck surface qdrant_collection.active | USE |
| 29 | KT-B existing 60 enacted IUs vector preserved | YES | boundary contract | iu_vector_sync_point 60 unique units | USE |
| 30 | production_documents untouched | YES | boundary contract | KB doc 7000x reports 9226 pts | USE |
| 31 | Qdrant write privilege from harness | NO | upsert | no Qdrant tool in MCP surface | BLOCKED_EXTERNAL_AUTHORITY |
E. DOT / monitoring / tests
| # | Dependency | Exists now | Required by | Live evidence | Decision |
|---|---|---|---|---|---|
| 32 | DOT scan SSOT registers new functions | YES (after 8000x) | DOT 100% conformance | runtime/110 bumps function 52→54, total 146 | DONE |
| 33 | tests/test_iu_core_ddl.py EXPECTED_COUNTS | YES | static SSOT vs migration | function=54, total=146 | DONE |
| 34 | tests/test_iu_core_8000x_compensation_primitives.py | YES (new) | static contract on migration 026 | 25 TestCases PASS | DONE |
| 35 | Sandbox 250 probe file | YES (new) | BEGIN/ROLLBACK proof of all refusal branches | exists | READY_FOR_OPERATOR |
| 36 | Mac cron healthcheck | YES | ops monitoring | last 3 fires exit=0 ok=true (05:30/40/50 UTC) | OK |
| 37 | Healthcheck 7 surfaces all GREEN | YES | macro safety baseline | live: 7/7 GREEN incl gates inert | OK |
F. External authority (out of macro scope)
| # | Dependency | Exists now | Required by | Live evidence | Owner | Decision |
|---|---|---|---|---|---|---|
| 38 | PR #669 merge to web-test main | NOT MERGED | frontend deployment | gh pr view 669 state=OPEN/MERGEABLE | frontend/DevOps | BLOCKED_EXTERNAL |
| 39 | VPS Linux-host cron timer | NOT INSTALLED | replace Mac cron on a 24/7 host | KB doc 6000x carry-forward | DevOps | BLOCKED_EXTERNAL |
| 40 | iu_core.retention_enabled flip true | NOT FLIPPED | dry-run says 0 eligible until 2026-06-22 | dot_config value='false' | operator | DEFERRED |
| 41 | LARK_APP_SECRET rotation (S177) | PENDING | secret hygiene | KB doc 4500x | operator | BLOCKED_EXTERNAL |
| 42 | Operator runs migration 026 | NOT APPLIED | unblocks fn_iu_enact follow-on macros | pg_proc query | sovereign operator | BLOCKED_EXTERNAL_AUTHORITY |
| 43 | Operator runs ops/governance-promotion-package-8000x/* | NOT APPLIED | unblocks DIEU promotion | row counts denied to read-role | sovereign operator | BLOCKED_EXTERNAL_AUTHORITY |
| 44 | Operator runs ops/qdrant-onboarding-package-8000x/run_onboarding.py | NOT APPLIED | indexes DIEU vectors | sync_point count unchanged | sovereign operator | BLOCKED_EXTERNAL_AUTHORITY |
Summary
- 37/44 rows DONE / OK / USE / AUTHORED / READY_FOR_OPERATOR.
- 7/44 rows BLOCKED_EXTERNAL_AUTHORITY or DEFERRED — all require a sovereign-role operator with PG write access OR an external owner (frontend, DevOps).
- No row is BLOCKED with no path forward — every dependency has a documented safe creation path and rollback.