KB-2C60

00 · IU CUT operational pipeline runtime hardening · PASS · 2026-05-27

Revision 1

00 · Summary — IU CUT operational pipeline runtime hardening (PASS, 2026-05-27)

  • Pack: IU_CUT_OPERATIONAL_PIPELINE_RUNTIME_HARDENING_PASS
  • Date: 2026-05-27 (UTC 2026-05-26)
  • Channel: ssh contabo → docker exec postgres → psql workflow_admin@directus
  • Migration: 053 (single TX, COMMITTED)
  • Parent: mig 052 (IU_CUT_OPERATIONAL_PIPELINE_COPY_MARK_VERIFY_CUT_PASS)

Mission

Harden the new operational cutting pipeline after the successful Điều 38 pilot, before running batch/high-frequency cutting. Close three reliability gaps:

  1. cut.* jobs lacked a real heartbeat caller (only dieu45_phase3_pilot external_worker tick + legacy passive iu_outbound_default marker).
  2. cleanup_scheduled_at exists on cut_request rows, but no cleanup-executor dry-run yet (existing fn_iu_op_cleanup_dry_run operates on iu_core.iu_staging_record only).
  3. Điều 38 pilot required a mid-flight jsonb_set patch on iu_staging_payload.payload_json->'pieces' because pieces lacked content_text, so fn_iu_cut_from_manifest raised "body required". Production must generate valid MARK/CUT payloads without manual patching.

Outcome

| phase | result | notes |
|---|---|---|
| Phase A baseline + backup | PASS | pg_dump 83,501,714 B → /tmp/pre_iu_cut_runtime_harden_20260526T170620Z.dump |
| Phase B body-required fix | PASS | piece-schema validation added inside fn_cut_mark_staged_file only |
| Phase C cut.* heartbeat caller | PASS | fn_cut_heartbeat_ping + iu_outbound_default false-heal protection |
| Phase D cleanup dry-run | PASS | fn_cut_cleanup_dry_run (15d TTL default, no DELETE) |
| Phase E regression | PASS | E.0–E.8 + D30.1–D30.8 + D31.1–D31.7 all green |
| Phase F KB reports | PASS | 8 reports uploaded under v0.6-iu-cut-operational-pipeline-runtime-hardening/ |

Surface delta

  • +3 functions (all additive, no alias contract change):
    • public.fn_cut_mark_staged_file(uuid,jsonb,text,text) — REPLACED with stricter pre-check; downstream pipeline behavior unchanged
    • public.fn_cut_heartbeat_ping(text,text,text,jsonb) — NEW SECURITY DEFINER wrapper over fn_queue_heartbeat_tick
    • public.fn_cut_cleanup_dry_run(int,text) — NEW dry-run-only TTL surface
  • 0 tables / 0 views / 0 dot_config / 0 CHECK widenings in this migration
  • MARK/CUT 6-alias prosrc md5 STABLE at 750b06b610f50065f1117961813d9df4 (fn_iu_op_mark_file, fn_iu_op_cut, fn_iu_op_verify_mark, fn_iu_op_verify_cut, fn_iu_cut_from_manifest, fn_iu_op_cleanup_dry_run)

Key behavioral changes

  1. fn_cut_mark_staged_file now fails fast with piece[N].content_text is required (would cause "body required" at CUT) if any piece misses content_text or canonical_address. The error includes the piece index so operators can locate the bad row. The Agent never reaches MARK manifest creation with a malformed pieces array, so the jsonb_set payload patch pattern is no longer needed in production.
  2. fn_cut_heartbeat_ping lets external operators tick a real heartbeat row for the cut pipeline (e.g. cut_pipeline_operator) without touching the §15.5 silent-passive marker iu_outbound_default (HARD REFUSAL, protected_legacy_silent_passive).
  3. fn_cut_cleanup_dry_run lists cut_request rows where status='cleanup_scheduled' AND cleanup_scheduled_at <= now() - p_older_than_days*'1 day'. Today the Điều 38 cut_request 777b1297… shows 0 eligible (scheduled 2026-06-10 ≈ 14d from today). Dry-run only; no DELETE; no apply executor yet.
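
The fail-fast piece check from item 1, sketched as an added example; this is not the body of fn_cut_mark_staged_file. The helper name pg_temp.assert_pieces_valid, the 0-based reading of N, the rejection of empty strings and the SQLSTATE are assumptions.

```sql
-- Added example: hypothetical helper, not the body of fn_cut_mark_staged_file.
-- Lives in pg_temp, so it disappears when the session ends.
CREATE OR REPLACE FUNCTION pg_temp.assert_pieces_valid(p_pieces jsonb)
RETURNS integer
LANGUAGE plpgsql
AS $$
DECLARE
  v_piece jsonb;
  v_idx   bigint;
  v_key   text;
  v_count integer := 0;
BEGIN
  IF p_pieces IS NULL OR jsonb_typeof(p_pieces) <> 'array' THEN
    RAISE EXCEPTION 'pieces must be a JSON array' USING ERRCODE = '22023';
  END IF;

  FOR v_piece, v_idx IN
    SELECT t.elem, t.ord - 1          -- assumption: N is the 0-based jsonb index
    FROM jsonb_array_elements(p_pieces) WITH ORDINALITY AS t(elem, ord)
    ORDER BY t.ord
  LOOP
    IF jsonb_typeof(v_piece) <> 'object' THEN
      RAISE EXCEPTION 'piece[%] must be a JSON object', v_idx USING ERRCODE = '22023';
    END IF;
    -- A missing key, a JSON null, a non-string value and a blank string all fail.
    FOREACH v_key IN ARRAY ARRAY['content_text', 'canonical_address'] LOOP
      IF jsonb_typeof(v_piece -> v_key) IS DISTINCT FROM 'string'
         OR btrim(v_piece ->> v_key) = '' THEN
        RAISE EXCEPTION 'piece[%].% is required', v_idx, v_key USING ERRCODE = '22023';
      END IF;
    END LOOP;
    v_count := v_count + 1;
  END LOOP;

  RETURN v_count;                     -- number of pieces that passed
END;
$$;

-- Constructed input, well formed.
SELECT pg_temp.assert_pieces_valid(
  '[{"canonical_address": "demo/1", "content_text": "first piece"}]'::jsonb);

-- Constructed input, malformed: the piece at index 1 has no content_text.
SELECT pg_temp.assert_pieces_valid(
  '[{"canonical_address": "demo/1", "content_text": "first piece"},
    {"canonical_address": "demo/2"}]'::jsonb);
```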

Live heartbeat surface after Phase E

| executor_name | kind | last_tick_status | age | role |
|---|---|---|---|---|
| cut_pipeline_operator | external_worker | ok | 0s | NEW — cut pipeline external caller |
| dieu45_phase3_pilot | external_worker | ok | ~2h | Phase 3 pilot trace |
| iu_outbound_default | PG_worker | warn | ~101h | §15.5 legacy silent marker, protected from false-heal |
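
A SECURITY DEFINER heartbeat wrapper with a hard refusal for the protected marker, as an added example that is not the code of migration 053. The hb_demo schema, its table layout, the three-argument ping signature and the SQLSTATE values are assumptions; the search_path pin and the REVOKE from PUBLIC are the two settings to check on any wrapper of this kind.

```sql
-- Added example with hypothetical names (hb_demo.*); not the code of migration 053.
BEGIN;
CREATE SCHEMA hb_demo;
CREATE TABLE hb_demo.heartbeat (
  executor_name    text PRIMARY KEY,
  kind             text NOT NULL,
  last_tick_status text NOT NULL,
  last_tick_at     timestamptz NOT NULL
);
-- Constructed row standing in for the stale legacy marker.
INSERT INTO hb_demo.heartbeat
VALUES ('iu_outbound_default', 'PG_worker', 'warn', now() - interval '101 hours');

CREATE FUNCTION hb_demo.ping(p_executor text, p_kind text, p_status text)
RETURNS timestamptz
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin name resolution so the caller's search_path cannot redirect it; pg_temp last.
SET search_path = pg_catalog, hb_demo, pg_temp
AS $$
DECLARE
  v_now timestamptz := clock_timestamp();
BEGIN
  IF p_executor IS NULL OR btrim(p_executor) = '' THEN
    RAISE EXCEPTION 'executor name is required' USING ERRCODE = '22023';
  END IF;
  -- Hard refusal: a tick here would make the silent marker look healthy.
  IF lower(btrim(p_executor)) = 'iu_outbound_default' THEN
    RAISE EXCEPTION 'protected_legacy_silent_passive: refusing to tick %', p_executor
      USING ERRCODE = '42501';
  END IF;
  INSERT INTO hb_demo.heartbeat (executor_name, kind, last_tick_status, last_tick_at)
  VALUES (p_executor, p_kind, p_status, v_now)
  ON CONFLICT (executor_name) DO UPDATE
    SET kind = EXCLUDED.kind,
        last_tick_status = EXCLUDED.last_tick_status,
        last_tick_at = EXCLUDED.last_tick_at;
  RETURN v_now;
END;
$$;
-- Functions are executable by PUBLIC by default; grant only to the operator role.
REVOKE ALL ON FUNCTION hb_demo.ping(text, text, text) FROM PUBLIC;

SELECT hb_demo.ping('cut_pipeline_operator', 'external_worker', 'ok');
SELECT executor_name, last_tick_status, now() - last_tick_at AS age
FROM hb_demo.heartbeat ORDER BY executor_name;
-- Attempt to tick the protected marker; ROLLBACK then discards the demo objects.
SELECT hb_demo.ping('iu_outbound_default', 'PG_worker', 'ok');
ROLLBACK;
```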

Gates at exit (unchanged)

| key | value |
|---|---|
| queue.job_substrate.enabled | false |
| queue.heartbeat.enabled | true |
| queue.dlq.replay_enabled | false |
| queue.lease.reaper_enabled | false |
| iu_core.composer_enabled | false |
| runtime.phase | phase2_governance |

Forbiddens honored (15/15)

  • no broad worker start
  • no pg_cron install
  • no event_outbox schema mutation
  • no Qdrant write/reindex
  • no production_documents touch
  • no law text change
  • no MARK/CUT alias contract rewrite (6-alias md5 stable)
  • no CHECK widening unrelated to this pipeline
  • no DLQ apply
  • no lease-reaper apply
  • no MOT executor
  • no customer/email/message runtime
  • no 'body required' jsonb_set workaround treated as normal
  • no manifest replay
  • no Điều 38 IU mutation (still 8 IUs sort_order 1..8, lifecycle=draft)

Carry-forward

  • CF-1 HIGH — cleanup APPLY executor (DELETE/anonymize past TTL) still missing. Today's dry-run-only stance is correct; design needed for explicit-apply gate.
  • CF-2 HIGH — wire fn_cut_heartbeat_ping from the real cut pipeline operator process (currently it's an operator-facing helper; no automated caller yet).
  • CF-3 MEDIUM — Agent prompt-template / pre-flight check for required piece fields. The DB now hard-refuses bad pieces, but UX is better if Agent surfaces the requirement up front.
  • CF-4 LOW — iu_outbound_default legacy silent marker still warn-stale (101h+ since 2026-05-22 11:31:41). Phase 3C design (HC pattern Option B) still pending; this migration does not close §15.5 silent gap durably.
  • CF-5 LOW — D31.1 payload-denylist live proof short-circuited on queue.job_substrate.enabled=false gate. CHECK constraint verified via catalog read (job_queue_payload_safe_check enforces 10-key denylist). Toggle-on proof deferred to Phase 5 cut substrate flip.
  • [[project-iu-cut-operational-pipeline-copy-mark-verify-cut-pass-2026-05-26]] (parent Phase 4)
  • [[project-dieu45-phase3b-queue-cutter-hardening-pass-2026-05-26]] (heartbeat caller pattern source)
  • [[feedback-iu-cut-copy-to-zone-lo-export-pg-read-file-pattern]] (related: copy contract)
  • [[feedback-mark-pieces-live-in-iu-staging-payload-cut-manifest-not-in-iu-staging-record-metadata]] (related: payload location of pieces)
  • [[feedback-protect-legacy-silent-passive-heartbeat-from-false-heal]] (re-applied)

Rollback

Single transaction; rollback by DROP FUNCTION of the 3 new functions (fn_cut_mark_staged_file would revert to mig 052 signature via prior pg_get_functiondef snapshot, or by CREATE OR REPLACE of the original body which is preserved in mig 052 — see 02-body-required-root-cause-and-fix.md). No row deletions, no CHECK changes, no dot_config changes. Pre-apply pg_dump backup at /tmp/pre_iu_cut_runtime_harden_20260526T170620Z.dump.
