KB-55F2

IU Core MVP Sandbox — 10 Next Production Approval Package

Revision 1

Date: 2026-05-21 · COMMAND-REVIEW ONLY. NOT EXECUTED. Requires a separate sovereign-approved gate. This document is not approval. It supersedes authoring report 10 with sandbox evidence folded in.

Scope of the future execution macro

Apply sql/iu-core/001..005 (greenfield, additive) to the production directus database (container postgres on vmi3080463). 7 tables, 2 views, 7 functions, 0 triggers, 0 rows.

Why the sandbox evidence is sufficient

  • Forward DDL 001–005 applied cleanly to restore_test (report 03).
  • 25/25 verification checks + 6/6 reparent drill PASS (reports 05, 06).
  • Row-loss rollback guard proven (4/4 REFUSED); full clean forward+rollback cycle proven on a pristine DB; forward DDL idempotency proven (report 06).
  • Production target re-surveyed read-only (2026-05-21): 0 of 7 iu-core table names, 0 of 7 iu-core function names, 0 of 2 iu-core view names exist → no collision, surface still greenfield. Runtime dependencies information_unit, unit_version, dot_config, event_outbox, event_type_registry are all present in directus.

Why it is not yet fully sufficient (residual)

  • H3 — the sandbox lacks event_outbox/event_type_registry, so the gate-OPEN fn_iu_emit_event insert path was not exercised. Mitigation: the production target has both tables; verify the gate-OPEN path post-apply under approval, with the master gate still OFF until a later macro.

Exact DDL files (sha-pin at apply time)

sql/iu-core/001_iu_sql_link.sql, 002_iu_event_routes.sql, 003_parent_child_constraints.sql, 004_structure_ops_lineage.sql, 005_trigger_contracts_and_guards.sql — at repo commit 4ce2667 (DDL unchanged since d22e361; only sandbox/ + README + tests were added).

Exact apply order (HARDENED — no -1)

psql -v ON_ERROR_STOP=1 -f sql/iu-core/001_iu_sql_link.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/002_iu_event_routes.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/003_parent_child_constraints.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/004_structure_ops_lineage.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/005_trigger_contracts_and_guards.sql

Each file self-transacts (BEGIN; … COMMIT;). Do not add -1 (psql's --single-transaction): per finding H2, it emits a misleading transaction-warning pair per file.

Exact rollback order (reverse)

psql -v ON_ERROR_STOP=1 -f sql/iu-core/rollback/005_trigger_contracts_and_guards.rollback.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/rollback/004_structure_ops_lineage.rollback.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/rollback/003_parent_child_constraints.rollback.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/rollback/002_iu_event_routes.rollback.sql
psql -v ON_ERROR_STOP=1 -f sql/iu-core/rollback/001_iu_sql_link.rollback.sql

Each table rollback REFUSES to drop a non-empty table — drill-proven.

Seed files

  • NOT for production. sql/iu-core/sandbox/010_sandbox_probe_seed.sql and 020/030 are restore-test-only (each header says SANDBOX-ONLY). Production application is DDL-only — 0 rows after apply.

Verification queries (read-only, post-apply)

SELECT tablename FROM pg_tables WHERE schemaname='public'
  AND tablename IN ('iu_sql_link','iu_sql_event_route','iu_outbound_route',
  'iu_route_attempt','iu_tree_path','iu_relation','iu_structure_operation');
SELECT viewname FROM pg_views WHERE schemaname='public'
  AND viewname IN ('v_iu_tree','v_iu_sql_link_resolved');
SELECT proname FROM pg_proc WHERE proname IN
  ('fn_iu_core_routes_enabled','fn_iu_sql_link_validate',
   'fn_iu_tree_is_descendant','fn_iu_tree_assert_acyclic','fn_iu_emit_event',
   'fn_iu_sql_link_inbound_capture','fn_iu_outbound_on_version');
SELECT count(*) FROM pg_trigger WHERE tgname LIKE 'trg_iu_%';   -- expect 0

Expected counts (production directus)

| Object | Before | After |
| --- | --- | --- |
| iu-core tables | 0 | 7 |
| iu-core views | 0 | 2 |
| iu-core functions | 0 | 7 |
| triggers attached | 0 | 0 |
| rows in any iu-core table | 0 | 0 |
| information_unit / unit_version | unchanged | identical |

Preconditions (all must hold)

  1. Sovereign approval recorded for IU-core DDL execution on directus.
  2. Fresh pg_dump -Fc backup of directus, sha-verified.
  3. Read-only re-survey confirms the 7 table / 7 function / 2 view names are still absent (no drift since 2026-05-21).
  4. evt_trigger_guard_ddl reviewed — this package creates no trigger.

STOP conditions

  • Sovereign approval absent ⇒ STOP.
  • Re-survey shows any iu-core object already present ⇒ STOP (drift).
  • Backup missing / sha unverified ⇒ STOP.
  • Any forward file errors mid-apply ⇒ STOP, run the matching rollback N..001.
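
The sha-pin check and the mid-apply STOP rule above, sketched as an added example for the future execution macro (not code from this package or its repository). The manifest file, the IU_RUNNER hook and the function names are assumptions; the file names and rollback paths are the ones this package lists.

```shell
#!/bin/sh
# Added example; function names, IU_RUNNER and the manifest file are assumptions.
# Forward files in the apply order this package lists.
IU_FILES="001_iu_sql_link 002_iu_event_routes 003_parent_child_constraints
004_structure_ops_lineage 005_trigger_contracts_and_guards"

# verify_pins DIR MANIFEST: pass only if every forward file is listed in
# MANIFEST (sha256sum format) and every listed digest still matches.
verify_pins() {
  for f in $IU_FILES; do
    grep -q "[ *]$f\.sql\$" "$2" ||
      { echo "STOP: $f.sql has no pin" >&2; return 1; }
  done
  (cd "$1" && sha256sum -c >/dev/null) <"$2" ||
    { echo "STOP: digest mismatch" >&2; return 1; }
}

# rollback_plan N: rollback files for a failure at forward step N (1-5),
# in the package's order: N down to 001.
rollback_plan() {
  case $1 in [1-5]) ;; *) echo "STOP: step must be 1-5" >&2; return 2 ;; esac
  plan="" i=0
  for f in $IU_FILES; do
    i=$((i + 1))
    if [ "$i" -le "$1" ]; then
      plan="sql/iu-core/rollback/$f.rollback.sql${plan:+ $plan}"
    fi
  done
  echo "$plan"
}

# apply_forward DIR MANIFEST: check pins, apply in order, and on the first
# failing file print the rollback plan for that step and stop.
apply_forward() {
  verify_pins "$1" "$2" || return 1
  step=0
  for f in $IU_FILES; do
    step=$((step + 1))
    ${IU_RUNNER:-psql -v ON_ERROR_STOP=1 -f} "$1/$f.sql" && continue
    echo "STOP: step $step failed; rollback order follows" >&2
    rollback_plan "$step"
    return 1
  done
}
```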

R1–R7 — final recommendation (sandbox evidence; ratify before triggers)

These rulings were applied sandbox-only during this macro. They are NOT production approval; re-affirm them before the trigger/route macro:

  • R1 event-type seed — keep as a separate DOT seed macro, not mixed into 001–005. Sandbox seeded dot_config only.
  • R2 first trigger target — event_outbox as outbound movement; iu_route_attempt as the audit/retry sink. No trigger attached this macro.
  • R3 first harmless source table — iu_core_probe_source, created only inside the sandbox by 010_sandbox_probe_seed.sql. Worked as designed.
  • R4 lifecycle vocab — iu_relation.relation_status already carries superseded/retired; no production enum mutation needed.
  • R5 iu_tree_path — keep as a physical table + v_iu_tree view. Both proven in the sandbox; do not convert to a materialized view now.
  • R6 max containment depth — config default 32. v_iu_tree has a defensive in-query cycle guard; a dot_config depth key can be added by the structure-ops macro (no production config write performed).
  • R7 contains duplication — parent_or_container_ref stays primary adjacency; iu_relation.contains is the lineage/audit record. The one-active-parent partial-unique index was drill-proven (verification E4).

Forbidden in this readiness package

No execution, no DML, no trigger attachment, no route enabling, no execution_enabled flip. Trigger attachment + route enabling remain separate, later, sovereign-gated macros.

knowledge/dev/laws/dieu44-trien-khai/v0.6-iu-core-mvp-sandbox-execution-hardening-rollback-drill/10-next-production-approval-package.md