02 — Structure-op Execution Layer Package (migration 010)

The SQL-backed live counterpart of the Python StructureOpsWorkflow / InMemoryStructureStore seam. Additive only — no ALTER, no DROP.

Objects (all in sql/iu-core/010_structure_op_execution.sql)

Object	Role
fn_iu_structure_ops_enabled()	dedicated kill-switch; fail-closed (missing key => false)
fn_iu_tree_path_refresh(uuid[])	rebuild iu_tree_path for the given units + subtrees from v_iu_tree
fn_iu_structure_op_plan(...)	phase 1 — record a planned envelope; idempotent on a deterministic key; mutates no tree
fn_iu_structure_op_apply(uuid)	phase 2 — gated durable apply (reparent_piece); snapshots compensation into impact_summary
fn_iu_structure_op_verify(uuid)	phase 3 — read-only invariant verdict
fn_iu_structure_op_rollback(uuid)	phase 4 — gated compensation; retains enacted_at (H4)
v_iu_structure_operation_log	observability — one row per op + lineage-edge count

Safety contract

• Fail-closed gate: apply / rollback RAISE insufficient_privilege unless dot_config 'iu_core.structure_ops_enabled' = 'true'. The gate is registered CLOSED by runtime/120 and only opened inside the single transaction of runtime/140.
• Bounded impact: apply touches exactly one information_unit adjacency pointer and the iu_tree_path rows of that unit's subtree.
• Reversible: the compensation snapshot (prior_parent, relation_written, relation_retired) lives in impact_summary; rollback is a pure inverse needing no external input.
• Idempotent: plan dedupes on idempotency_key; apply on an enacted op and rollback on a rolled_back op are no-ops.
• MVP scope: apply / rollback implement reparent_piece; the other five operation_types RAISE feature_not_supported — fail-closed and honest.
• IU Gateway integration: apply / rollback discover the gateway marker key from dot_config and set_config(marker_key,'fn_iu_structure_op',true) (transaction-local) before their single information_unit write. runtime/120 registers fn_iu_structure_op in the gateway allowlist; without that registration apply still fails closed at the guard.

Activation / verification / disable

File	Purpose
runtime/120_structure_ops_register.sql	gate registered CLOSED + gateway-writer registered (idempotent)
runtime/rollback/120_...rollback.sql	gate => false + gateway-writer de-registered
runtime/130_structure_op_verification.sql	read-only S1–S9 verification
sandbox/050_structure_op_probe.sql	BEGIN...ROLLBACK full-envelope proof, safe on production
rollback/010_structure_op_execution.rollback.sql	drop the layer; refuses while any op is enacted

Install evidence (production)

• 010 applied — no error. runtime/120 applied — gate false, allowlist now fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op.
• runtime/130 — S1 6/6 functions present, S2 view present, S3 gate false, S4 fail-closed true, S6 tree consistency 158=158=158, S8 0 stranded.
• runtime/110 DOT scan — D9 41/41, every class ok=true, D8 0 drift.
• sandbox/050 — P1 planned, P2 apply ok, P3 move shown, P4 verify ok, P5 rollback ok, P6 fully restored, P7 verify ok, P8 enacted_at retained. Zero durable rows.