IU Core MVP Sandbox — 07 Hardening Patches
Date: 2026-05-21 · Branch 6. Patches authored from sandbox findings.
H1 — seed anchor selection + rollback coupling (FIXED)
Found: the first version of 010_sandbox_probe_seed.sql selected child/sibling with
WHERE id<>v_parent and OFFSET 1/2. The WHERE already excludes the rows picked so
far, so the OFFSET skipped a second time (it picked the 1st/3rd/~5th IU, not the
1st/2nd/3rd). The companion rollback recomputed the anchors with a different
ORDER BY … OFFSET, so it could orphan the depth-1 iu_tree_path row
(iu_tree_path has no created_by column to match on).
Fix:
- Seed uses one explicit row_number() OVER (ORDER BY canonical_address, id)
  ranking; ranks 1/2/3 = parent/child/sibling.
- Rollback derives the exact probe anchor IUs from the probe's own
  iu_structure_operation row (parent_unit_id + unnest(target_unit_ids)),
  deleting iu_tree_path rows by unit_id before the operation row is removed.
  No re-derivation of an ordering; cleanup is data-driven.
Verified: the fixed rollback cleaned the buggy seed perfectly; the fixed seed re-applied; re-running is a proven no-op.
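The defect and the fix side by side, as an added example that is not the repo's 010_sandbox_probe_seed.sql or its rollback. The three tables are reduced stand-ins for the sandbox schema (only the columns the report names are taken from it; the `kind` column used to tag the probe's operation row, the integer ids and the five sample IUs are assumptions constructed for the run). The file wraps itself in BEGIN/COMMIT like the real sandbox files, so apply it with `psql -v ON_ERROR_STOP=1 -f` and no `-1`:

```sql
-- Added example (not the repo's seed/rollback). Table shapes are reduced
-- stand-ins; the `kind` tag column and the sample rows are assumptions.
BEGIN;

CREATE TEMP TABLE iu (
  id                int  PRIMARY KEY,
  canonical_address text NOT NULL
) ON COMMIT DROP;

CREATE TEMP TABLE iu_structure_operation (
  id              serial PRIMARY KEY,
  kind            text   NOT NULL,        -- assumed tag: 'sandbox-probe'
  parent_unit_id  int    NOT NULL REFERENCES iu(id),
  target_unit_ids int[]  NOT NULL
) ON COMMIT DROP;

CREATE TEMP TABLE iu_tree_path (          -- no created_by column, as in the report
  unit_id     int PRIMARY KEY REFERENCES iu(id),
  ancestor_id int NOT NULL REFERENCES iu(id),
  depth       int NOT NULL
) ON COMMIT DROP;

-- Constructed sample IUs; canonical_address order is a, b, c, d, e.
INSERT INTO iu VALUES (10, 'a'), (11, 'b'), (12, 'c'), (13, 'd'), (14, 'e');

-- BEFORE (the H1 defect): WHERE already excludes the rows picked so far, so
-- OFFSET skips a second time. On this data the anchors come out as 10/12/14.
DO $$
DECLARE v_parent int; v_child int; v_sibling int;
BEGIN
  SELECT id INTO v_parent  FROM iu ORDER BY canonical_address, id LIMIT 1;
  SELECT id INTO v_child   FROM iu WHERE id <> v_parent
                           ORDER BY canonical_address, id OFFSET 1 LIMIT 1;
  SELECT id INTO v_sibling FROM iu WHERE id NOT IN (v_parent, v_child)
                           ORDER BY canonical_address, id OFFSET 2 LIMIT 1;
  RAISE NOTICE 'buggy anchors: parent=% child=% sibling=%', v_parent, v_child, v_sibling;
END $$;

-- AFTER: one ranking; ranks 1/2/3 are parent/child/sibling (10/11/12 here).
-- The EXISTS guard makes a re-run a no-op instead of a second probe row.
DO $$
DECLARE v_parent int; v_child int; v_sibling int;
BEGIN
  IF EXISTS (SELECT 1 FROM iu_structure_operation WHERE kind = 'sandbox-probe') THEN
    RAISE NOTICE 'probe seed already present; nothing to do';
    RETURN;
  END IF;

  SELECT max(id) FILTER (WHERE rn = 1),
         max(id) FILTER (WHERE rn = 2),
         max(id) FILTER (WHERE rn = 3)
    INTO v_parent, v_child, v_sibling
    FROM (SELECT id, row_number() OVER (ORDER BY canonical_address, id) AS rn FROM iu) r
   WHERE rn <= 3;

  INSERT INTO iu_structure_operation (kind, parent_unit_id, target_unit_ids)
  VALUES ('sandbox-probe', v_parent, ARRAY[v_child, v_sibling]);

  INSERT INTO iu_tree_path (unit_id, ancestor_id, depth)
  VALUES (v_child, v_parent, 1), (v_sibling, v_parent, 1);

  RAISE NOTICE 'seeded anchors: parent=% child=% sibling=%', v_parent, v_child, v_sibling;
END $$;

-- ROLLBACK: read the anchors back from the probe's own operation row
-- (parent_unit_id + unnest(target_unit_ids)) and delete tree rows by unit_id.
-- Nothing is re-derived from an ORDER BY / OFFSET, so the cleanup cannot drift.
WITH probe AS (
  SELECT parent_unit_id AS unit_id FROM iu_structure_operation WHERE kind = 'sandbox-probe'
  UNION
  SELECT unnest(target_unit_ids)   FROM iu_structure_operation WHERE kind = 'sandbox-probe'
)
DELETE FROM iu_tree_path WHERE unit_id IN (SELECT unit_id FROM probe);

DELETE FROM iu_structure_operation WHERE kind = 'sandbox-probe';

-- Check: no probe residue survives the rollback.
DO $$
BEGIN
  ASSERT (SELECT count(*) FROM iu_tree_path) = 0, 'iu_tree_path rows orphaned';
  ASSERT (SELECT count(*) FROM iu_structure_operation) = 0, 'operation row left behind';
END $$;

COMMIT;
```

The rollback deletes iu_tree_path rows for every anchor, the parent included, which is what the report's data-driven cleanup does. That is only safe because the probe is the sole writer of those rows in the sandbox and iu_tree_path carries no created_by to distinguish them; on a fuller restore, confirm the parent anchor had no pre-existing path row before trusting the delete.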
H2 — psql -1 conflicts with self-transacted files (FIXED in docs)
Found: every forward/rollback file already wraps itself in
BEGIN; … COMMIT;. The apply form recommended by authoring report 10
(psql -1 -f) adds a redundant outer transaction → two misleading warnings
per file (there is already a transaction in progress /
there is no transaction in progress). Atomicity is unaffected.
Fix: sql/iu-core/README.md gains an explicit Apply command section —
use psql -v ON_ERROR_STOP=1 -f and do NOT add -1. The next production
approval package (report 10 of this macro) drops -1 from its command block.
H3 — sandbox lacks event tables (RESIDUAL, documented; not a code defect)
Found: restore_test has no event_outbox / event_type_registry, so
the gate-OPEN path of fn_iu_emit_event (an actual event_outbox
insert) could not be exercised. The gate-CLOSED fail-closed path was
proven (verification C5). The production directus DB does have both
tables (confirmed with a read-only query), so the dependency is satisfied at the real
target. Recommendation carried to the next macro: exercise the gate-OPEN
path either on a fuller restore that includes the event tables, or as a
post-apply step on the production target after sovereign approval.
Repo changes (commit 4ce2667)
| File | Change |
|---|---|
| sql/iu-core/sandbox/010_sandbox_probe_seed.sql | NEW — additive probe seed |
| sql/iu-core/sandbox/010_sandbox_probe_seed.rollback.sql | NEW — exact cleanup |
| sql/iu-core/sandbox/020_sandbox_verification.sql | NEW — non-mutating verification |
| sql/iu-core/sandbox/030_drill_reparent_behaviour.sql | NEW — non-mutating tree drill |
| sql/iu-core/README.md | apply-command note + sandbox/ section |
| tests/test_iu_core_ddl.py | +6 TestSandboxPackage tests |
Not changed — and why
The DDL (001..005) and rollback (rollback/001..005) files needed no
patch: they applied cleanly, every constraint/guard behaved as designed,
the row-loss guards refused correctly, and forward DDL is idempotent. The
cutter_agent/iu_core/ helpers were unchanged (covered by the existing +
new static tests). No production mutation, no trigger attached, no deploy.