IU Core Production DDL — 10 Next runtime-activation approval package

Date: 2026-05-21 · COMMAND-REVIEW ONLY. NOT EXECUTED. Requires a separate sovereign-approved gate. This document is not approval.

Scope of the next macro

Activate the iu-core runtime layer on production directus, in staged, separately-gated steps. The DDL substrate (001..005) is already applied and inert.

Exact apply order

# Step 0 — reconcile the H3 fix (idempotent CREATE OR REPLACE):
psql -v ON_ERROR_STOP=1 -f sql/iu-core/005_trigger_contracts_and_guards.sql
# Step 1:
psql -v ON_ERROR_STOP=1 -f sql/iu-core/runtime/010_event_type_seed.sql
# Step 2:
psql -v ON_ERROR_STOP=1 -f sql/iu-core/runtime/020_route_seed.sql
# Step 3 (only after ruling on the parallel-path decision below):
psql -v ON_ERROR_STOP=1 -f sql/iu-core/runtime/030_trigger_attach.sql
# Verify after each step (read-only):
psql -f sql/iu-core/runtime/040_runtime_verification.sql

Files at repo commit 4601d83. Connection: docker exec -i postgres psql -U directus -d directus on vmi3080463.

Decision required before Step 3

unit_version already has trg_aa_iu_notif_version writing version_applied to iu_notification_event. 030 adds trg_iu_out_version writing the same event to event_outbox. Rule: keep both sinks, or unify.

Steps gated as their own later macros

• Route enable — staged enabled=true,dry_run=true → review iu_route_attempt → dry_run=false.
• Master-gate open — dot_config 'iu_core.routes_master_enabled'='true'. This is the only step that changes behaviour.

Preconditions

1. Sovereign approval recorded for the runtime activation steps.
2. Fresh pg_dump -Fc backup of directus, sha-verified.
3. evt_trigger_guard_ddl / evt_trigger_guard_drop confirmed to permit the iu-core trigger names (trg_iu_out_version, trg_iu_sql_in_iu_sql_link).
4. Re-survey: iu-core objects still present and unchanged; routes still enabled=false.

STOP conditions

• Approval absent ⇒ STOP.
• Backup missing / unverified ⇒ STOP.
• Any forward file errors mid-apply ⇒ STOP, run the matching rollback.
• DDL event-trigger guard blocks a CREATE TRIGGER ⇒ STOP.

Forbidden in the next macro until separately gated

No master-gate flip, no dry_run=false, no execution_enabled flip, no deploy/restart.

Other open items (not blocking)

• F4 BACKUP_GPG_FPR — iu-core backups here used plain pg_dump -Fc + sha (no GPG). A GPG-encrypted backup layer remains a separate hardening item.
• Structure-op event types (iu_split, iu_merged, …) — register only when their emitters are wired; not seeded now.