90000x · 07 — Bounded End-to-End Proof (CARRY-FORWARD)
Phase: G
Status: CARRY-FORWARD (cannot execute live; MCP role is context_pack_readonly)
Trigger to execute: after operator applies migrations 037–041 via workflow_admin socket trust channel.
Scope rule
The macro forbids real Điều 37 cut without a controlled fixture or user-supplied source. The proof below uses a named text fixture (FIXTURE-NVSZ-PROOF-1) — a short paragraph the operator types into the script — so the proof exercises the full pipeline without using a real article.
If the user has provided a real article (link / text / file) at run-time of this proof, swap FIXTURE-NVSZ-PROOF-1 for that source and label the proof verdict as PASS-WITH-REAL-SOURCE.
The 7-step proof (operator runs each block as workflow_admin)
Step 0 — Pre-flight state snapshot
```sql
\timing on
\set ON_ERROR_STOP on
SELECT now() AS proof_started_at;
SELECT count(*) AS staging_records_pre FROM iu_core.iu_staging_record;
SELECT count(*) AS production_docs_pre FROM directus.production_documents;
SELECT count(*) AS vector_sync_pre FROM iu_vector_sync_point;
```
Step 1 — INPUT → STAGING (MARK manifest write)
```sql
WITH manifest AS (
  SELECT jsonb_build_object(
    'manifest_version', 'v0.6',
    'source_id', 'FIXTURE-NVSZ-PROOF-1',
    'source_hash', md5('Khoản 1. Đây là khoản đầu tiên.'||chr(10)||'Khoản 2. Đây là khoản thứ hai.'),
    'source_bytes', octet_length('Khoản 1. Đây là khoản đầu tiên.'||chr(10)||'Khoản 2. Đây là khoản thứ hai.'),
    'manifest_digest', md5('FIXTURE-NVSZ-PROOF-1:v0.6:2pieces:deterministic'),
    'pieces', jsonb_build_array(
      jsonb_build_object(
        'local_piece_id','p1', 'parent_local_id', NULL,
        'unit_kind','design_doc_section',
        'content_text','Khoản 1. Đây là khoản đầu tiên.',
        'section_type','clause', 'piece_role','clause',
        'canonical_address','FIXTURE-NVSZ-PROOF-1#k1',
        'source_position', 1
      ),
      jsonb_build_object(
        'local_piece_id','p2', 'parent_local_id', NULL,
        'unit_kind','design_doc_section',
        'content_text','Khoản 2. Đây là khoản thứ hai.',
        'section_type','clause', 'piece_role','clause',
        'canonical_address','FIXTURE-NVSZ-PROOF-1#k2',
        'source_position', 2
      )
    )
  ) AS m
)
SELECT fn_iu_mark_create_manifest(
  p_manifest := m,
  p_mark_report_md := '# MARK report for FIXTURE-NVSZ-PROOF-1'||chr(10)||'2 pieces, axis A dense, axis B fully tagged, axis C flat.',
  p_coverage_proof := jsonb_build_object('covered_bytes', octet_length('Khoản 1. Đây là khoản đầu tiên.'||chr(10)||'Khoản 2. Đây là khoản thứ hai.')),
  p_determinism_digest := 'fixture-determinism-v1',
  p_source_kind := 'fixture',
  p_source_ref := 'FIXTURE-NVSZ-PROOF-1',
  p_idempotency_key := 'proof-90000x-step1-' || extract(epoch from now())::text,
  p_actor := 'iu-core-90000x-proof'
) AS mark_result
FROM manifest;
```
Expected: {ok:true, staging_record_id:<uuid>, lifecycle_status:'pending_review', expires_at:<now+15d>, manifest_digest:<32-hex>}
Step 2 — VERIFY MARK (dry-run then approve)
```sql
-- dry-run
SELECT fn_iu_verify_mark(p_staging_record_id := :'staging_id', p_apply := false);
-- approve (operator must capture :'staging_id' from step 1)
SELECT fn_iu_verify_mark(
  p_staging_record_id := :'staging_id',
  p_apply := true,
  p_approval_doc_id := 'knowledge/dev/laws/dieu44-trien-khai/v0.6-iu-core-90000x-mark-to-cut-automated-pipeline-hardening/07-end-to-end-proof.md',
  p_approver := 'operator',
  p_actor := 'iu-core-90000x-proof'
);
```
Expected: {ok:true, verdict:'approved', axis_a_ok:true, axis_b_ok:true, axis_c_ok:true}.
Step 3 — Refusal proofs (must each return ok=false)
```sql
-- Re-approve attempt (lifecycle already approved): refuses
SELECT fn_iu_verify_mark(p_staging_record_id := :'staging_id', p_apply := false);
-- Refusal codes from fn_iu_cut_from_manifest BEFORE approve (in another staging row, fresh pending_review)
-- These verify G1-G7 guards from doc 05.
```
Step 4 — CUT (dry-run then live)
```sql
-- composer gate open
SELECT fn_iu_composer_enabled(); -- expect true; if false, operator opens via dedicated path
-- dry-run
SELECT fn_iu_cut_from_manifest(p_staging_record_id := :'staging_id', p_apply := false);
-- live
SELECT fn_iu_cut_from_manifest(
  p_staging_record_id := :'staging_id',
  p_apply := true,
  p_source_hash := md5('Khoản 1. Đây là khoản đầu tiên.'||chr(10)||'Khoản 2. Đây là khoản thứ hai.'),
  p_actor := 'iu-core-90000x-proof'
);
```
Expected (live): {ok:true, applied:true, run_id:<uuid>, pieces_created_count:2, pieces_created:[uuid1, uuid2]}.
Step 5 — VERIFY CUT
```sql
SELECT fn_iu_verify_cut(p_run_id := :'run_id');
```
Expected: {ok:true, verdict:'verified', pieces_count:2, axis_a_ok:true, axis_b_ok:true, axis_c_ok:true, no_vector_ok:true, problems:[]}.
Step 6 — CLEANUP DRY-RUN (15-day proof)
```sql
SELECT * FROM fn_iu_staging_cleanup(p_apply := false);
```
Expected within 15d of step 1: 0 rows in pass 1 (no pending past expiry), 0 rows in pass 2/3 (no expired/rejected/consumed past 15d/30d). All 3 existing rows + our new consumed row remain.
Step 7 — POST-STATE compare
```sql
SELECT now() AS proof_finished_at;
SELECT count(*) AS staging_records_post FROM iu_core.iu_staging_record;
SELECT count(*) AS production_docs_post FROM directus.production_documents;
SELECT count(*) AS vector_sync_post FROM iu_vector_sync_point;
-- production_documents and iu_vector_sync_point counts MUST equal pre.
```
Pass criteria
| Check | Required value |
|---|---|
| input_to_staging | step 1 returns ok:true, lifecycle_status:pending_review |
| mark | step 1 produced 3 payload rows + 1 staging row |
| verify_mark | step 2 returns verdict:approved and updates approved_at, approved_by, approval_doc_id |
| approve | staging row lifecycle_status='approved' |
| cut_from_approved_manifest | step 4 live returns applied:true, pieces_created_count=2 |
| verify_cut | step 5 returns verdict:verified with all axes ok |
| cleanup_dry_run_15d | step 6 returns no rows eligible (within window) |
| no_vector_pollution | step 7 vector_sync_post == vector_sync_pre |
| production_untouched | step 7 production_docs_post == production_docs_pre |
If any step fails: roll back via per-actor rollback (fn_iu_auto_instantiate_rollback_by_actor pattern adapted to iu-core-90000x-proof actor on dot_iu_command_run) and mark proof FAIL.
Negative refusal matrix (additional)
Operator should also run these to confirm CUT refuses bad inputs:
| Setup | Expected refusal_code |
|---|---|
| call cut on a pending_review row | not_approved |
| call cut on a consumed row | not_approved (lifecycle is consumed, not approved) |
| pass p_source_hash := 'wrong' to cut | source_changed |
| flip a byte of cut_manifest payload after approve, then call cut | digest_changed |
| disable composer gate then call cut | composer_gate_closed |
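
The `source_changed` row above, and the md5/octet_length values in steps 1 and 4, depend on the exact bytes of the typed Vietnamese literal. The Python below is an added example, not part of the original proof script: it assumes a UTF8 database, and `source_guard` is a hypothetical model of the hash comparison only, not the code of fn_iu_cut_from_manifest. It shows that the same visible text retyped or pasted in NFD form produces a different hash and byte count.

```python
import hashlib
import unicodedata
from typing import Optional

# Fixture text from steps 1 and 4, joined with chr(10); forced to NFC here.
FIXTURE = unicodedata.normalize(
    "NFC", "Khoản 1. Đây là khoản đầu tiên.\nKhoản 2. Đây là khoản thứ hai."
)


def pg_md5(text: str) -> str:
    """md5(text) as PostgreSQL computes it, assuming a UTF8 database."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def pg_octet_length(text: str) -> int:
    """octet_length(text): counts bytes, not characters (UTF8 assumed)."""
    return len(text.encode("utf-8"))


def fingerprint(text: str) -> dict:
    """Values that steps 1 and 4 derive from the typed literal."""
    return {
        "source_hash": pg_md5(text),
        "source_bytes": pg_octet_length(text),
        "chars": len(text),
        "is_nfc": unicodedata.is_normalized("NFC", text),
    }


def source_guard(stored_hash: str, supplied_text: str) -> Optional[str]:
    """Hypothetical model of the p_source_hash comparison only."""
    return None if pg_md5(supplied_text) == stored_hash else "source_changed"


if __name__ == "__main__":
    staged = fingerprint(FIXTURE)
    # Constructed variant: identical on screen, decomposed code points.
    retyped = unicodedata.normalize("NFD", FIXTURE)
    print("staged :", staged)
    print("retyped:", fingerprint(retyped))
    print("guard  :", source_guard(staged["source_hash"], retyped))
```

If the two fingerprints differ for text that looks identical, normalize the literal to one form before step 1 and reuse that exact literal in step 4.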
Why this is CARRY-FORWARD, not PASS
This proof is fully scripted and deterministic, but cannot be executed from the context_pack_readonly MCP role. The operator with workflow_admin socket trust channel access executes it. Once green, this file is patched to revision 2 with PASS-WITH-FIXTURE and timestamps.