IU Core 960x — 02 Internal delivery seam controlled batch
02 — Internal delivery seam — controlled BATCH expansion
1. The gap closed
runtime/220 (the 60x macro) delivered exactly ONE structure event through
the internal sql_function consumer fn_iu_structure_consumer. Every other
structure event was logged as a dry-run decision, never projected. This macro
advances the seam to a controlled multi-event batch — and proves
idempotency.
2. runtime/300_delivery_internal_batch.sql — durable
One BEGIN … COMMIT, data-only (no DDL):
- P0/P1 — capture both structure routes' pre-state into a temp table; discover the candidate backlog: 55 undelivered structure events (structure_op_applied + structure_piece_deprecated in event_outbox with no iu_tree_change_log projection row). Nothing hardcoded — the set is a live NOT EXISTS discovery.
- arm — open dot_config iu_core.delivery_enabled; allowlist exactly the two structure route_codes in iu_core.delivery_live_routes.
- P2 — repoint both routes to sql_function/fn_iu_structure_consumer, dry_run=false. The trg_iu_outbound_route_delivery_guard permits the live flip ONLY because both routes are now allowlisted.
- P3 — a plpgsql loop delivers every undelivered event through fn_iu_route_deliver → fn_iu_structure_consumer. 55 delivered; iu_tree_change_log 1 → 56.
- P4 — idempotency — re-deliver the ENTIRE structure set (all 56). Every fn_iu_structure_consumer write is ON CONFLICT (event_ref) DO NOTHING, so the re-delivery adds 0 rows. idempotent_ok = true.
- P5 — dead-letter open 0; via_consumer = 56.
- restore — both routes restored to workflow/event_outbox, dry_run=true; delivery gate closed; allowlist emptied — all in the same transaction.
- delivery success gate — projection_after = projection_before + undelivered_before AND re-delivery idempotent, else the whole transaction \quits and rolls back. delivery_ok = true — COMMIT.
Durable footprint: exactly 55 iu_tree_change_log projection rows. No
information_unit, iu_relation, iu_piece_*, event_outbox or route
row was mutated. No iu_route_attempt row (the batch uses the
fn_iu_route_deliver delivery primitive directly — the documented internal
API — not the worker's audit path).
3. sandbox/150 — fail-closed probe, BEGIN … ROLLBACK — 9/9
| # | probe | result |
|---|---|---|
| S1 | delivery gate CLOSED → refuse | PASS |
| S2 | gate open, route not allowlisted → refuse | PASS |
| S3 | gate open, allowlisted, non-internal target → refuse (feature_not_supported) | PASS |
| S4 | gate open + allowlisted + internal target → +1 projection row | PASS |
| S5 | re-delivery of the same event → +0 rows (idempotent) | PASS |
| S6 | a bounded batch of 10 events → +10 rows | PASS |
| S7 | re-delivery of the whole batch → +0 rows | PASS |
| S8 | projection carries operation_id / operation_type | PASS |
| S9 | iu_route_dead_letter open = 0 | PASS |
4. No external side effect — by construction
fn_iu_route_deliver dispatches ONLY to target_kind='sql_function' AND target_ref='fn_iu_structure_consumer'; every other target raises
feature_not_supported. The consumer touches only iu_tree_change_log. No
network, no secret, no external endpoint is reachable from this seam. The
delivery gate + allowlist are open only inside the one transaction and
closed before COMMIT — the seam ends inert.
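The gate, allowlist and idempotent-write pattern from sections 2 to 4, reduced to a self-contained PostgreSQL script as an added example (not the project's own code). Every demo_* table, the pg_temp.demo_deliver function and the route_a/route_b codes are constructed stand-ins; the script ends in ROLLBACK, so nothing persists.

```sql
-- Added example: every demo_* object is a constructed stand-in, not the project's schema.
BEGIN;
CREATE TEMP TABLE demo_gate (enabled boolean NOT NULL);
CREATE TEMP TABLE demo_live_routes (route_code text PRIMARY KEY);
CREATE TEMP TABLE demo_outbox (event_ref text PRIMARY KEY, route_code text NOT NULL);
CREATE TEMP TABLE demo_projection (event_ref text PRIMARY KEY, delivered_by text NOT NULL);
INSERT INTO demo_gate VALUES (false);                          -- gate starts closed
INSERT INTO demo_outbox VALUES ('e1','route_a'), ('e2','route_a'), ('e3','route_b');

-- Delivery primitive: refuses unless the gate is open AND the route is allowlisted.
CREATE FUNCTION pg_temp.demo_deliver(p_event text) RETURNS void
LANGUAGE plpgsql AS $$
DECLARE v_route text;
BEGIN
  SELECT route_code INTO STRICT v_route FROM demo_outbox WHERE event_ref = p_event;
  IF NOT (SELECT enabled FROM demo_gate) THEN
    RAISE EXCEPTION 'delivery gate closed' USING ERRCODE = 'feature_not_supported';
  END IF;
  IF NOT EXISTS (SELECT 1 FROM demo_live_routes WHERE route_code = v_route) THEN
    RAISE EXCEPTION 'route % not allowlisted', v_route USING ERRCODE = 'feature_not_supported';
  END IF;
  INSERT INTO demo_projection (event_ref, delivered_by) VALUES (p_event, 'demo_consumer')
  ON CONFLICT (event_ref) DO NOTHING;                          -- idempotent write
END $$;

DO $$
DECLARE v_before int; v_backlog int; v_after int; v_refused boolean := false;
BEGIN
  BEGIN                                                        -- closed gate must refuse
    PERFORM pg_temp.demo_deliver('e1');
  EXCEPTION WHEN feature_not_supported THEN v_refused := true;
  END;
  IF NOT v_refused THEN RAISE EXCEPTION 'closed gate did not refuse'; END IF;
  SELECT count(*) INTO v_before FROM demo_projection;
  SELECT count(*) INTO v_backlog FROM demo_outbox o            -- live NOT EXISTS discovery
   WHERE NOT EXISTS (SELECT 1 FROM demo_projection p WHERE p.event_ref = o.event_ref);
  UPDATE demo_gate SET enabled = true;                         -- arm: open gate, allowlist
  INSERT INTO demo_live_routes VALUES ('route_a'), ('route_b');
  PERFORM pg_temp.demo_deliver(o.event_ref) FROM demo_outbox o -- deliver the backlog
   WHERE NOT EXISTS (SELECT 1 FROM demo_projection p WHERE p.event_ref = o.event_ref);
  SELECT count(*) INTO v_after FROM demo_projection;
  PERFORM pg_temp.demo_deliver(event_ref) FROM demo_outbox;    -- re-deliver everything
  UPDATE demo_gate SET enabled = false;                        -- restore: close gate
  DELETE FROM demo_live_routes;                                -- restore: empty allowlist
  -- Success gate: exact row delta AND zero rows added by the re-delivery, else abort.
  IF v_after <> v_before + v_backlog OR (SELECT count(*) FROM demo_projection) <> v_after THEN
    RAISE EXCEPTION 'delivery success gate failed';
  END IF;
END $$;
ROLLBACK;
```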
5. Rollback
runtime/rollback/300_delivery_internal_batch.rollback.sql — DELETE FROM iu_tree_change_log WHERE delivered_by='fn_iu_structure_consumer'.
iu_tree_change_log is, by its migration-013 contract, an append-only,
idempotent, truncatable projection; it rebuilds deterministically by
re-running runtime/220 then runtime/300.