KB-8F3D

IU Core Controlled Route — 05 Evidence loop (6 probes)

3 min read Revision 1

dieu44iu-core-mvpcontrolled-routeevidencedry-runprobesv0.62026-05-21

IU Core Controlled Route — 05 Evidence loop

Six probes run with the master gate OPEN. Every mutating probe is wrapped BEGIN … ROLLBACK — 0 durable rows. Baseline: event_outbox iu rows = 0, iu_route_attempt = 0. Post-check confirmed durable state intact.

PROBE A — outbound emit, version_seq > 1, gate open — PASS

INSERT unit_version (version_seq=2) for draft IU D38-DIEU35-ROOT. One event_outbox row appeared: event_domain=iu, event_type=version_applied, event_stream=update, delivery_lane=immediate, payload_classification=safe_metadata, source_system=iu_core, canonical_address=D38-DIEU35-ROOT, safe_payload.version_seq=2. The row was accepted by trg_event_outbox_type_validate — end-to-end proof the H3 fix holds against live event_outbox. count = 1.

PROBE B — version_seq filter deployed — PASS

pg_get_functiondef(fn_iu_outbound_on_version) contains both version_seq <= 1 and version_seq IS NULL guards. A birth version (version_seq = 1) is skipped before any emit. (Behavioural negative is structural: creating a fresh IU to insert a version_seq=1 row requires satisfying the multi-layer fn_iu_birth_gate_layer1/2 IU-creation contract — out of scope for a probe; the deployed function body is the authoritative proof.)

PROBE C — inbound route dry-run — PASS

Inside the txn the inbound route was enabled dry_run=true; an iu_sql_link insert fired trg_iu_sql_in_iu_sql_link. One iu_route_attempt row appeared: route_kind=inbound, status='dry_run', attempt_no=1, payload_snapshot.table=iu_sql_link.

PROBE C2 — inbound route disabled (durable state) — PASS

With the inbound route left enabled=false (its real durable state), an iu_sql_link insert produced 0 iu_route_attempt rows — fail-closed.

PROBE D — disable runbook L1: close master gate — PASS

Inside the txn dot_config value set to 'false' → fn_iu_core_routes_enabled() = false. A unit_version (version_seq=2) insert then produced 0 event_outbox iu rows. Closing the master gate kills emission instantly and globally.

PROBE E — disable runbook L2/L3: route disable + trigger detach — PASS

UPDATE iu_outbound_route SET enabled=false then DROP TRIGGER for both iu-core triggers → 0 iu-core triggers remaining. The log-only evt_trigger_guard_drop event trigger emitted its WARNING and permitted the drop. All rolled back; post-check shows both triggers re-attached.

Result

Evidence loop works: outbound event_outbox, inbound iu_route_attempt, trigger firing, dry-run/disabled fail-closed safety, and the disable runbook are all proven — with zero durable pollution.