IU Core 960x — 04 OperatorRuntime, piece flows, auto-cut
04 — OperatorRuntime coverage · piece-native flows · auto-cut
1. OperatorRuntime command-suite coverage
The 17-command dot_iu_* catalog (dot_commands.DOT_COMMANDS) is
test-locked: test_governed_plan_passes_safety_check proves every command
resolves to a DotCommandPlan whose statements are all governed
public.fn_* calls and pass OperatorRuntime._assert_governed. This macro
exercised the runtime durably and in sandbox:
| command | mode proven | where |
|---|---|---|
dot_iu_reorder_piece |
apply ×4 + refused ×1 |
durable — text_as_code_apply_operator_proof.py |
dot_iu_validate_collection |
verify ×2 |
durable — same |
dot_iu_add_piece |
governed apply | sandbox/160 T6 |
dot_iu_remove_piece |
governed apply | sandbox/160 T4 |
dot_iu_create_file_from_pieces / _checkpoint_collection |
durable apply | prior 500x (runtime/290, op proof) |
| all 17 | plan resolves + _assert_governed clean |
test_iu_core_540x_operator_runtime |
Fail-closed proven on every path: unknown command → ValueError; unsafe
plan (non-fn_ statement) → OperatorRuntimeError; shut gate → audited
refused (no plan SQL runs). Every invocation writes a dot_iu_command_run
ledger row — the runtime cannot mutate silently.
2. Piece-native production flows
Two piece-native flows were exercised against the live durable collections:
iu_core.autocut.file-001(afileof 3 birth-gate pieces) — reorder / validate / manifest-digest roundtrip, durably throughOperatorRuntime(doc 03), and add / remove / reorder insandbox/160.- add → remove → restore cycle —
sandbox/160T4/T5/T6 prove a piece detached from a collection staysaliveglobally (lifecycledraft,deleted_atNULL) and re-attaches cleanly. Remove is DETACH, never destruction.
Both flows carry: three-axis metadata (v_iu_collection_manifest joins the
axis-A/B/C envelope), composer events (piece_reordered /
collection_rendered on the delayed lane), text-as-code export
(collection_manifest_path), and a fail-closed healthcheck
(fn_iu_collection_validate, {"ok": true}).
3. Auto-cut integration
The durable collection iu_core.autocut.file-001 IS the 500x integrated
auto-cut → composer output (3 sections → fn_iu_compose → 3 birth-gate
IUs). This macro hardened it: the auto-cut output is now a first-class
text-as-code apply target — build_collection_apply_plan reconciles a
desired manifest onto the auto-cut collection, and the durable apply proof
roundtrips it byte-identical (digest 3d51e759…). Auto-cut output and
piece-native authoring therefore converge on the SAME composer model: an
ordered iu_piece_collection of governed birth-gate IUs.
A discovered (non-synthetic) auto-cut over a real source document remains the recorded next-macro slice (doc 07) — it needs a bounded real source candidate selected by live discovery, and is deferred rather than run uncontrolled. No uncontrolled production CUT executed.
4. Reversibility
- OperatorRuntime applies — self-compensating (the reorder proof ran its own inverse); ledger rows deletable by actor.
- Piece add/remove — the exact inverses are themselves one-commands
(
dot_iu_remove_piece⇄dot_iu_add_piece). - Disable — close the operator-runtime gate, the composer gate, or the master gate; each makes the corresponding apply path refuse.