KB-5F0F

SuperBundle — 03 IU Pilot Operating Controls

Revision 1 · 2026-05-28

Tags: iu-pilot, operating-controls, runbook, dlq, health-check, stop-conditions

03 — IU Limited-Production Pilot Operating Controls (Branch C)

Verdict: PASS — operator-usable. Turns the pilot protocol into concrete controls: checklists, health queries (read-only, runnable today via query_pg), stop-condition matrix, DLQ/incident procedure, audit package, and start/pause/stop authority. Live control records (pilot-scope config rows) are deferred — they would flip runtime behavior, so they belong to a gated build, not this bundle.

1. Pilot scope (what the pilot IS)

IU Core = LIMITED-PRODUCTION-PILOT.

Allowed in-pilot:
  • create/edit-draft/enact/retire/supersede via gateway-canonical functions;
  • structure compose/split/merge under review_decision;
  • read-only KG + projection;
  • governed BEGIN..ROLLBACK live tests.

Forbidden in-pilot:
  • composer/operator_runtime/delivery/auto_instantiate runtime ON;
  • vector sync;
  • allow_no_review_decision=true;
  • any gate left committed-open;
  • 4 Mothers runtime;
  • Nuxt UI.

2. Operator daily checklist

  1. Gate safety — run H1 (below); require all_safe=true.
  2. Forbidden flags — run H2; require both never-flip = false.
  3. DLQ depth — run H3; require dead_lettered backlog == expected (0 in pilot).
  4. Run-log growth — run H4; confirm only expected actors wrote.
  5. KG integrity — run H5; confirm projection identity holds.
  6. Lifecycle anomalies — run H6; no unexpected retired/superseded spikes.

3. Health-check queries (read-only, copy-paste)

```sql
-- H1 gate safety: expect all_safe=true
SELECT fn_iu_gate_verify_closed();
-- H2 never-flip: both values must be false
SELECT key,value FROM dot_config WHERE key IN ('iu_core.vector_sync_enabled','iu_enact.allow_no_review_decision');
-- H3 DLQ depth (route attempts dead-lettered): dlq must equal the expected backlog (0 in pilot)
SELECT count(*) FILTER (WHERE status='dead_lettered') AS dlq, count(*) AS attempts FROM iu_sql_route_attempt;
-- H4 run-log growth + actor sanity: compare with yesterday's counts; every actor must be an allowed canonical writer
SELECT count(*) AS runs, count(DISTINCT actor) AS actors FROM dot_iu_command_run;
-- H5 KG projection identity: view must equal sum_sot
SELECT (SELECT count(*) FROM v_kg_edges_all) AS view,
       (SELECT count(*) FROM iu_relation)+(SELECT count(*) FROM universal_edges) AS sum_sot;  -- must be equal
-- H6 lifecycle distribution: watch for unexpected jumps in retired/superseded
SELECT lifecycle_status, count(*) FROM information_unit GROUP BY lifecycle_status ORDER BY 2 DESC;
```

A daily-health SQL function (fn_iu_pilot_health() returning a jsonb of H1–H6) is spec-ready but deferred to a gated build (creating a function is a C2 mutation; see doc 10 Prompt 3).
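Until fn_iu_pilot_health() ships, the same rollup can be produced by a single read-only SELECT that creates nothing and so needs no gated build. The query below is an added example written for this page, not the project's own code or the spec'd function. It assumes fn_iu_gate_verify_closed() returns a row or jsonb carrying an all_safe boolean, that dot_config.value compares equal to 'true' for a set flag (true for text, boolean or jsonb columns), and it derives the §5 action only from the signals decidable in one snapshot (H1, H2, H3, H5); H4 allowlist and H6 spike checks need the allowlist and history and are left to the weekly review.

```sql
-- Added example: read-only H1..H6 rollup as one jsonb, no function created.
-- Assumptions (not confirmed by the runbook): fn_iu_gate_verify_closed()
-- exposes an all_safe boolean; dot_config.value = 'true' marks a set flag.
WITH h1 AS (
  SELECT to_jsonb(fn_iu_gate_verify_closed()) AS gate   -- works for jsonb or record returns
), h2 AS (
  SELECT bool_or(value = 'true') AS flipped              -- any never-flip key set?
  FROM dot_config
  WHERE key IN ('iu_core.vector_sync_enabled','iu_enact.allow_no_review_decision')
), h3 AS (
  SELECT count(*) FILTER (WHERE status = 'dead_lettered') AS dlq, count(*) AS attempts
  FROM iu_sql_route_attempt
), h4 AS (
  SELECT count(*) AS runs, array_agg(DISTINCT actor) AS actors
  FROM dot_iu_command_run
), h5 AS (
  SELECT (SELECT count(*) FROM v_kg_edges_all) AS view_edges,
         (SELECT count(*) FROM iu_relation)
       + (SELECT count(*) FROM universal_edges) AS sot_edges
), h6 AS (
  SELECT jsonb_object_agg(coalesce(lifecycle_status::text, '(null)'), n) AS dist
  FROM (SELECT lifecycle_status, count(*) AS n FROM information_unit GROUP BY 1) s
)
SELECT jsonb_build_object(
  'checked_at',    now(),
  'h1_gate',       jsonb_build_object('all_safe', coalesce((gate->>'all_safe')::boolean, false)),
  'h2_never_flip', jsonb_build_object('flipped', coalesce(flipped, false)),
  'h3_dlq',        jsonb_build_object('dlq', dlq, 'attempts', attempts),
  'h4_runs',       jsonb_build_object('runs', runs, 'actors', to_jsonb(actors)),
  'h5_kg',         jsonb_build_object('view', view_edges, 'sum_sot', sot_edges,
                                      'identity', view_edges = sot_edges),
  'h6_lifecycle',  dist,
  -- stop-condition matrix (section 5) applied to the snapshot, most severe first
  'action', CASE
              WHEN coalesce(flipped, false)                                THEN 'EMERGENCY STOP'
              WHEN NOT coalesce((gate->>'all_safe')::boolean, false)       THEN 'STOP'
              WHEN dlq > 0 OR view_edges <> sot_edges                      THEN 'PAUSE'
              ELSE 'CONTINUE'
            END
) AS pilot_health
FROM h1, h2, h3, h4, h5, h6;   -- each CTE yields exactly one row, so this is a 1x1 join
```

Because every CTE aggregates to one row, the final cross join is safe; the action field is the one line an operator needs to read before deciding whether to proceed with the checklist.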

4. Weekly review checklist

  • Reconcile run-log actors vs allowed canonical writers (iu_create.gateway.allowed_marker_values).
  • Diff dot_iu_command_catalog count vs last week (new commands must trace to an approved macro).
  • Review any iu_gate_transition rows: every open must have a matching close within TTL; none committed-open.
  • Confirm birth_registry growth has provenance (no orphan births).
  • KG: sample 5 new edges for provenance/confidence/assertion_mode completeness (Đ39).
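The two weekly items that are easy to get wrong by eye are gate pairing and writer reconciliation. The queries below are an added example for this page, not the runbook's or project's SQL. Column names on iu_gate_transition (gate_name, action with values 'open'/'close', occurred_at), created_at on dot_iu_command_run, the 15-minute TTL, and the assumption that iu_create.gateway.allowed_marker_values is stored as a JSON array are all placeholders to be replaced with the real schema; both statements are read-only.

```sql
-- Added example: pair every gate 'open' with the first later 'close' on the
-- same gate and flag opens that never closed or exceeded the TTL.
-- Assumed columns/values: gate_name, action in ('open','close'), occurred_at;
-- assumed TTL: 15 minutes.
WITH opens AS (
  SELECT id, gate_name, occurred_at
  FROM iu_gate_transition
  WHERE action = 'open'
), paired AS (
  SELECT o.id, o.gate_name, o.occurred_at AS opened_at, c.occurred_at AS closed_at
  FROM opens o
  LEFT JOIN LATERAL (
    SELECT t.occurred_at
    FROM iu_gate_transition t
    WHERE t.gate_name = o.gate_name
      AND t.action = 'close'
      AND t.occurred_at >= o.occurred_at
    ORDER BY t.occurred_at
    LIMIT 1
  ) c ON true
)
SELECT gate_name, opened_at, closed_at,
       CASE WHEN closed_at IS NULL                               THEN 'COMMITTED-OPEN'
            WHEN closed_at - opened_at > interval '15 minutes'   THEN 'OVER-TTL'
       END AS finding
FROM paired
WHERE closed_at IS NULL OR closed_at - opened_at > interval '15 minutes'
ORDER BY opened_at;   -- an empty result is the expected weekly outcome

-- Added example: run-log actors not present in the canonical writer allowlist.
-- Assumes the dot_config value is a JSON array of actor names and that
-- dot_iu_command_run has a created_at column.
SELECT r.actor, count(*) AS runs, max(r.created_at) AS last_seen
FROM dot_iu_command_run r
WHERE NOT EXISTS (
  SELECT 1
  FROM dot_config c,
       jsonb_array_elements_text(c.value::jsonb) AS allowed(actor)
  WHERE c.key = 'iu_create.gateway.allowed_marker_values'
    AND allowed.actor = r.actor
)
GROUP BY r.actor
ORDER BY runs DESC;   -- any row here is the "Unknown writer" PAUSE condition
```

The LATERAL subquery pairs each open with the earliest close at or after it; a close that sits between two opens will therefore be claimed by both, which is exactly the case that deserves a second look, so the pairing is deliberately not made one-to-one.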

5. Stop-condition matrix

| Condition | Signal | Action |
|---|---|---|
| Gate unsafe | H1 `all_safe=false` | STOP: close the open gate via protocol, freeze writes |
| Never-flip flipped | H2 any `=true` | EMERGENCY STOP: revert the flag, incident review |
| DLQ backlog grows | H3 `dlq>0` unexpectedly | PAUSE: run the DLQ procedure in §6 |
| Unknown writer | H4 actor not in allowlist | PAUSE: audit the run-log, revoke |
| KG SoT divergence | H5 `view≠sum_sot` | PAUSE: investigate hidden SoT or duplicate |
| Lifecycle spike | H6 retired/superseded jump | PAUSE: review the operations |

6. DLQ / incident procedure

  1. Detect: H3 shows dead_lettered > expected.
  2. Triage: SELECT * FROM iu_sql_route_attempt WHERE status='dead_lettered' ORDER BY updated_at DESC LIMIT 20;
  3. Root cause: check route gate (iu_core.routes_master_enabled), worker (route_worker_enabled), target allowlist (iu_core.delivery_live_routes).
  4. Replay: gated by master routes gate (NOT queue.dlq.replay_enabled, which governs a different path) — use fn_iu_route_dead_letter_replay(...) in dry_run first, then resolved.
  5. Never open delivery gate to clear a DLQ; fix the route definition.
  6. Record incident in audit package §7.
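For steps 2 and 3 it helps to see the backlog per route next to the three gate flags in one result, so the operator can tell whether a route definition is broken or a gate is simply closed before anyone thinks about replay. The query below is an added example for this page, not the runbook's SQL; it assumes iu_sql_route_attempt has route_key, last_error and updated_at columns, that the three flags are dot_config keys with text values, and that iu_core.delivery_live_routes holds a comma-separated list. It is read-only; the replay itself is only ever done through fn_iu_route_dead_letter_replay as step 4 describes.

```sql
-- Added example: per-route DLQ triage with the root-cause gate flags alongside.
-- Assumed columns: route_key, last_error, updated_at on iu_sql_route_attempt;
-- assumed that all three flags live in dot_config as text values.
WITH gates AS (
  SELECT
    max(value) FILTER (WHERE key = 'iu_core.routes_master_enabled') AS routes_master,
    max(value) FILTER (WHERE key = 'route_worker_enabled')          AS route_worker,
    max(value) FILTER (WHERE key = 'iu_core.delivery_live_routes')  AS live_routes
  FROM dot_config
  WHERE key IN ('iu_core.routes_master_enabled',
                'route_worker_enabled',
                'iu_core.delivery_live_routes')
)
SELECT a.route_key,
       count(*)                         AS dead_lettered,
       min(a.updated_at)                AS first_seen,
       max(a.updated_at)                AS last_seen,
       left(max(a.last_error), 120)     AS sample_error,
       g.routes_master,
       g.route_worker,
       -- is the failing route on the live allowlist at all? (comma-separated list assumed)
       position(a.route_key in coalesce(g.live_routes, '')) > 0 AS on_live_allowlist
FROM iu_sql_route_attempt a
CROSS JOIN gates g            -- gates is a single row, so this only widens the result
WHERE a.status = 'dead_lettered'
GROUP BY a.route_key, g.routes_master, g.route_worker, g.live_routes
ORDER BY dead_lettered DESC;
```

A route that is dead-lettered but not on the live allowlist points at a stale or mistaken route definition rather than a gate problem, which is the case step 5 says to fix without touching the delivery gate.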

7. Audit / evidence package (per pilot period)

  • gate verify snapshots (daily H1) + any iu_gate_transition rows.
  • dot_iu_command_run deltas with actor + verified flag.
  • lifecycle_log entries (create/enact/retire/supersede).
  • KG projection identity proof (H5) each day.
  • DLQ incidents + resolutions.
  • birth_registry provenance sample.

Store the package under knowledge/dev/reports/operations/iu-pilot-<period>/.

8. Start / Pause / Stop authority

| Action | Who | Mechanism |
|---|---|---|
| Start pilot | Council (Đ32) | record approval artifact; pilot is already in allowed-ops mode, no gate flip needed |
| Pause pilot | Operator + Council notify | freeze write macros; gates stay closed; reads continue |
| Stop pilot | Council/Sovereign | freeze all governed writes; produce final audit package |
| Open a runtime gate | Sovereign + Council + manifest | bounded gate protocol only (fn_iu_gate_open/close in-tx); never left committed-open |

Pilot-scope config (e.g. pilot.active=true, pilot.period) is spec-ready as dot_config keys; setting them is reversible but is a deliberate control record — deferred to the pilot-adoption gated build.

9. Advance vs prior state

Prior bundles described pilot-readiness and a protocol. This doc makes it operable today: 6 copy-paste read-only health queries, a stop-condition matrix mapped to those signals, a concrete DLQ runbook tied to the real gate names, and an explicit start/pause/stop authority table. An operator can run the pilot from this page without further design.

Source: knowledge/dev/reports/architecture/foundation-factory-gateway-superbundle-cr-kg-pilot-recon-4mothers-design-2026-05-28/03-iu-pilot-operating-controls.md