IU b/c/f Additive DOT Wrapper + Harness — Live Apply (2026-05-28)
Macro: IU_B_C_F_ADDITIVE_DOT_WRAPPER_AND_HARNESS_LIVE_APPLY_100000X
Execution class: C2 ADDITIVE_IMPLEMENTATION (creates functions + DOT catalog rows + audit rows; no IU-data mutation, no gate flip)
Apply channel: SSH workflow_admin → docker exec -i postgres psql -U workflow_admin -d directus · Read-proof channel: MCP query_pg (role context_pack_readonly)
Status: PASS — b PASS, c PASS, f PASS (through the new DOT-callable path; parity with the pure read-only proof; zero IU-data mutation)
Companion: iu-b-c-f-additive-dot-wrapper-and-harness-live-apply-appendix-2026-05-28.md · Precursor: iu-b-c-f-pure-readonly-live-proof-2026-05-28.md
This converts the live-proven b/c/f read-only proofs into reusable, DOT-callable, evidence-producing automation. Five STABLE/VOLATILE functions and five Điều-35 DOT catalog rows were added via the workflow_admin write channel, then exercised twice through the DOT path. The wrappers reuse the existing fn_iu_subtree / fn_iu_sql_link_validate / fn_dot_iu_command_log — nothing was re-implemented.
1. Source verification matrix
| # | Source | Found | Used for |
|---|---|---|---|
| S1 | iu-b-c-f-pure-readonly-live-proof-2026-05-28.md + query appendix | ✅ local | The exact SELECTs to wrap; the expected anchors (b=16, c=8, f=3/3) |
| S2 | iu-b-to-f-execution-readiness-refactor-2026-05-28/03-authority-prompts.md (Prompt 3) | ✅ local | This macro's exact C2 spec (functions + catalog rows + harness) |
| S3 | iu-b-to-f-execution-readiness-refactor-2026-05-28/01-readonly-vs-mutation-correction-matrix.md | ✅ local | Why this is C2 not C1: audit-row + DDL + catalog row are the expected additive writes |
| S4 | Live DB (directus) catalog/run schema, constraints, function inventory, triggers | ✅ live | Conventions to match; no-duplicate verification |
| S5 | Master Design Rev5, laws (Hiến pháp, Đ7/30/31/32/35/38-39/45), prompt std | ✅ KB/auto-memory | Điều 35 DOT-pair + audit requirement; forbidden boundaries |
Source gaps (non-blocking): the core survey, GPT-review-next, and prompt-standard files were not present at the literal knowledge/... local paths in this environment; their content was available via auto-memory and the local refactor pack, which carried the needed specs. No gate/authority decision depended on the missing copies.
2. Hard Gate 0 — live apply preflight (PASS)
| Check | Result |
|---|---|
| Read channel identity (query_pg) | context_pack_readonly @ directus, 172.19.0.3 |
| Write channel | docker exec postgres container Up 5 weeks (healthy) |
| workflow_admin identity | current_user=workflow_admin, current_database=directus |
| Write probe (BEGIN/ROLLBACK) | INSERT into dot_iu_command_catalog → 43 inside TX → ROLLBACK → back to 42 ✓ (write capability + reversibility proven without persisting) |
| Rollback readiness | rollback script authored before apply (/tmp/rollback_bcf_dot_wrappers.sql, md5 a7b812e8964b05d7c4e469cbe80560de) |
| Backup readiness | pg_dump --schema-only works; baseline 1,603,851 bytes |
| Object-ownership clarity | all 5 target names confirmed absent from the 42-row catalog & pg_proc (no duplicates) |
| Gate-flip needed? | No — additive read wrappers need a write channel, not a gate |
No no-go condition triggered.
3. Existing-object inspection (reuse, no duplication)
- dot_iu_command_catalog columns: command_name (PK), category, mutating, reversible, target_functions text[], registered_at. CHECK: category ∈ {collection, piece, lifecycle, read, health}.
- dot_iu_command_run columns: run_id (PK), command_name, category, run_mode, run_status, mutating, params_digest, gate_snapshot jsonb, evidence jsonb, actor, created_at. CHECK: run_mode ∈ {plan, apply, verify}, run_status ∈ {planned, applied, verified, refused, failed}.
- Canonical audit writer found: fn_dot_iu_command_log(command, category, run_mode, run_status, mutating, params_digest, gate_snapshot, evidence, actor) → uuid (VOLATILE). It is fail-closed: once the catalog is seeded, it refuses any command not in dot_iu_command_catalog. ⇒ catalog rows must exist before the harness logs runs (they do — migration commits first).
- No triggers on either table ⇒ catalog INSERT is side-effect-free. No FK run→catalog ⇒ rollback ordering is unconstrained.
- Reused unchanged: fn_iu_subtree(uuid) STABLE, fn_iu_sql_link_validate(uuid) STABLE, v_iu_sql_link_resolved view, fn_dot_iu_command_log.
4. Objects created (the additive footprint)
4.1 Functions (5)
| Function | Volatility | Returns | Purpose | Reuses |
|---|---|---|---|---|
| fn_iu_filter_axis_b(p_tag_key text, p_sample_limit int) | STABLE | jsonb | b: NULL→vocabulary/coverage summary; tag_key→filtered IU set + source-doc distribution + normalized↔denormalized consistency | — |
| fn_iu_filter_axis_c_subtree(p_root uuid, p_sample_limit int) | STABLE | jsonb | c: subtree nodes + global integrity (orphan/cycle/dangling/stale-depth) + linkage check | fn_iu_subtree (authoritative) |
| fn_iu_sql_link_validate_all() | STABLE | jsonb | f: validate all links per-row | fn_iu_sql_link_validate |
| fn_iu_sql_link_resolve_all() | STABLE | jsonb | f: resolve via view + cross-check view==direct fn | view + fn_iu_sql_link_validate |
| fn_iu_bcf_harness_run(p_actor, p_b_tag_key, p_c_root, p_b_expected_iu, p_c_expected_nodes) | VOLATILE | jsonb | orchestrates b+c+f; logs 5 audit rows; returns one bundle | all four wrappers + fn_dot_iu_command_log |
All four wrapper bodies are SELECT-only (LANGUAGE sql, STABLE) — proven read-only by being callable by the context_pack_readonly role inside a READ ONLY transaction (§6). The harness is VOLATILE only because it writes its own audit rows via the canonical logger; it performs no IU-data write.
4.2 DOT catalog rows (5) — all category=read, mutating=false, reversible=true
| command_name | target_functions |
|---|---|
| dot_iu_filter_axis_b | {fn_iu_filter_axis_b} |
| dot_iu_subtree | {fn_iu_filter_axis_c_subtree, fn_iu_subtree} |
| dot_iu_sql_link_validate | {fn_iu_sql_link_validate_all, fn_iu_sql_link_validate} |
| dot_iu_sql_link_resolve | {fn_iu_sql_link_resolve_all, fn_iu_sql_link_validate} |
| dot_iu_test_harness_run | {fn_iu_bcf_harness_run} |
mutating=false is correct per the correction matrix (the flag describes IU-data effect; the audit-row INSERT is the acknowledged additive footprint of a C2 macro).
5. Apply transcript + object diff
- Dry-run (final COMMIT→ROLLBACK): BEGIN → DO(guard) → 5×CREATE FUNCTION → INSERT 0 5 → DO(post-check) → ROLLBACK; post-dry-run baseline still 42 / 45. ⇒ migration valid and reversible.
- Real apply: same sequence ending in COMMIT. Migration md5 4df7599fe385f33389fc01ac5994f2f3.
- Schema diff: pg_dump --schema-only 1,603,851 → 1,617,882 bytes (+14,031 = the 5 function definitions; catalog rows are data, not schema). No other object changed.
- Object diff: exactly +5 functions (4 STABLE, 1 VOLATILE — confirmed via pg_proc.provolatile) and +5 catalog rows (confirmed category=read, mutating=f, reversible=t). Nothing else.
6. Before/after row-count matrix (required evidence #2)
| Table | Before | After | Δ | Note |
|---|---|---|---|---|
| information_unit | 216 | 216 | 0 | IU data untouched |
| iu_three_axis_envelope | 216 | 216 | 0 | |
| iu_metadata_tag | 536 | 536 | 0 | |
| iu_tree_path | 199 | 199 | 0 | |
| iu_relation | 60 | 60 | 0 | |
| iu_sql_link | 3 | 3 | 0 | no link enabled, none created |
| iu_split_set | 0 | 0 | 0 | no split |
| iu_merge_set | 0 | 0 | 0 | no merge |
| event_outbox | 149,095 | 149,095 | 0 | background table; wrappers never write it |
| iu_route_attempt | 68 | 68 | 0 | background table; wrappers never write it |
| iu_outbound_route | 15 | 15 | 0 | 15 real routes untouched |
| dot_iu_command_catalog | 42 | 47 | +5 | the 5 additive DOT pairs (expected C2) |
| dot_iu_command_run | 45 | 55 | +10 | 2 harness runs × 5 audit rows (expected C2 audit footprint), all run_status=verified, actor=iu_bcf_harness |
Every IU-data table delta = 0. The only changes are the additive catalog rows (+5) and the audit ledger (+10) — both the explicitly-allowed footprint of a C2 additive macro.
7. Harness runs + 3-way parity (required evidence #5–9)
7.1 Harness through the DOT path (workflow_admin), run twice
| Field | Run #1 | Run #2 | Pure read-only proof | Match |
|---|---|---|---|---|
| overall_verdict | PASS | PASS | (b/c/f PASS) | ✓ |
| b verdict / iu_count / consistent | PASS / 16 / true | PASS / 16 / true | 16 / consistent | ✓ |
| c verdict / node_count / max_depth | PASS / 8 / 2 | PASS / 8 / 2 | 8 nodes, depth 0→2 | ✓ |
| f verdict / resolved / total / view==direct | PASS / 3 / 3 / true | PASS / 3 / 3 / true | 3/3 resolved, view==direct | ✓ |
Identical across both runs ⇒ stable. Each run logged 5 audit rows; breakdown after 2 runs: dot_iu_filter_axis_b, dot_iu_subtree, dot_iu_sql_link_validate, dot_iu_sql_link_resolve, dot_iu_test_harness_run = 2 each, all verified.
7.2 Read-only parity (wrappers called directly by context_pack_readonly)
Calling the four STABLE wrappers in a READ ONLY transaction returned: b iu_count=16, consistent=true; c node_count=8, max_relative_depth=2, orphan=0, depth0_with_parent_stale=23; f total=3, resolved=3, view_eq_direct=true.
This is a 3-way parity: bare-SELECT proof values == harness (workflow_admin) output == read-only-role wrapper call. It also proves the wrappers are genuinely SELECT-only/STABLE (a write would be impossible for that role/txn) and that the read-only role holds EXECUTE on them (reusable read-only).
7.3 Stale-axis_c_depth caveat handling (required evidence #9)
The c-wrapper surfaces global_integrity.depth0_with_parent_stale = 23 and stored_depth_parent_mismatch = 23, and carries the caveat string: "stored axis_c_depth stale … (three_axis_auto_refresh OFF); fn_iu_subtree relative_depth is authoritative." The wrapper computes structure from fn_iu_subtree (live parent recursion), not from the stale stored column — exactly as the read-only proof prescribed. The 23-figure reproduced precisely.
8. Rollback (required evidence #10)
/tmp/rollback_bcf_dot_wrappers.sql (md5 a7b812e8964b05d7c4e469cbe80560de), single TX, authored before apply, dry-run-equivalent verified via the pre-apply BEGIN/ROLLBACK probe. It:
- DELETE the 10 audit rows bounded to actor='iu_bcf_harness' (restores dot_iu_command_run to 45 — the ledger is normally append-only; deletion here only to reach the exact baseline);
- DELETE the 5 catalog rows (→ 42);
- DROP FUNCTION the 5 new functions (existing reused functions untouched);
- assert catalog=42 and 0 new functions, else abort.
Rollback verification is possible at any time by re-reading catalog/run counts + pg_proc.
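The re-read described above, written out as one read-only audit of the §4 footprint. This is an added example, not the SQL from the report's appendix; it uses only the object names listed in §4 and assumes the connecting role can SELECT from both DOT tables and that mutating and reversible are boolean columns.

```sql
-- Added example (not the report's own SQL). Object names are the ones listed in §4.
BEGIN TRANSACTION READ ONLY;  -- the audit itself cannot write

-- 1. The five functions and their volatility (pg_proc.provolatile: s = STABLE, v = VOLATILE).
--    The join is by name only; an overloaded or schema-duplicated name yields extra rows.
WITH expected_fn(proname, want) AS (VALUES
  ('fn_iu_filter_axis_b',         's'),
  ('fn_iu_filter_axis_c_subtree', 's'),
  ('fn_iu_sql_link_validate_all', 's'),
  ('fn_iu_sql_link_resolve_all',  's'),
  ('fn_iu_bcf_harness_run',       'v'))
SELECT e.proname, e.want, p.provolatile::text AS got,
       CASE WHEN p.oid IS NULL THEN 'ABSENT'
            WHEN p.provolatile::text = e.want THEN 'OK'
            ELSE 'VOLATILITY_MISMATCH' END AS state
FROM expected_fn e
LEFT JOIN pg_proc p ON p.proname = e.proname
ORDER BY e.proname;

-- 2. The five catalog rows: flags as declared, and every target function resolvable.
SELECT c.command_name,
       (c.category = 'read' AND NOT c.mutating AND c.reversible) AS flags_ok,
       ARRAY(SELECT t FROM unnest(c.target_functions) AS t
             WHERE NOT EXISTS (SELECT 1 FROM pg_proc p WHERE p.proname = t)
            ) AS missing_targets
FROM dot_iu_command_catalog c
WHERE c.command_name IN ('dot_iu_filter_axis_b', 'dot_iu_subtree',
                         'dot_iu_sql_link_validate', 'dot_iu_sql_link_resolve',
                         'dot_iu_test_harness_run')
ORDER BY c.command_name;

-- 3. Ledger footprint: catalog size, and the harness actor's audit rows per command/status.
SELECT count(*) AS catalog_rows FROM dot_iu_command_catalog;

SELECT command_name, run_mode, run_status, count(*) AS audit_rows
FROM dot_iu_command_run
WHERE actor = 'iu_bcf_harness'
GROUP BY command_name, run_mode, run_status
ORDER BY command_name;

COMMIT;
```

Against the figures in this report, the post-apply state is 47 catalog rows and 10 audit rows for the actor. The post-rollback state is 42 catalog rows and no audit rows for the actor, with all five functions reported ABSENT.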
9. Acceptance criteria
| Criterion | Result |
|---|---|
| Hard Gate 0 passes | ✅ |
| Rollback prepared before apply | ✅ |
| No duplicate function/catalog rows | ✅ (5 names verified absent first) |
| Existing objects reused | ✅ (fn_iu_subtree, fn_iu_sql_link_validate, view, fn_dot_iu_command_log) |
| b/c/f run through the new DOT-callable path | ✅ (harness ×2) |
| b/c/f match the pure read-only proof | ✅ (3-way parity) |
| No IU data tables mutate | ✅ (8 IU tables Δ=0) |
| No gates change | ✅ |
| No event delivery / split / merge | ✅ |
| Evidence uploaded to KB | ✅ (this report + appendix) |
| PASS/PARTIAL/BLOCKED per b/c/f | b PASS · c PASS · f PASS |
| All changed objects listed | ✅ (§4) |
| Rollback verification possible | ✅ (§8) |
10. Self-review (underload rule)
- Verify host/channel? Yes — read + write channel both proven; BEGIN/ROLLBACK write probe.
- Inspect existing objects before creating? Yes — schema, constraints, triggers, FK, the fail-closed logger, and name-collision checks.
- Avoid duplicate catalog rows? Yes — guarded by a pre-insert EXISTS check that aborts on any pre-existing target name.
- Implement b, c, and f (not one)? Yes — 4 wrappers + harness; all three tested.
- Run the harness twice? Yes — identical PASS both runs.
- Prove before/after deltas? Yes — full matrix, IU-data Δ=0.
- Prepare rollback? Yes — before apply, single TX, asserted.
- Enough evidence for GPT to review without trusting the summary? Yes — see appendix for verbatim SQL, transcripts, and extracted JSON.
Final verdict: PASS. b PASS, c PASS, f PASS through a new DOT-callable path; output parity with the pure read-only proof; zero IU-data mutation; only the additive catalog (+5) and audit (+10) footprint expected of a C2 macro.
11. Next recommended macro
IU_BOUNDED_GATE_PROTOCOL_AUTHORITY_PACK_50000X (Prompt 4, class C4 with a design-first C5 phase). It is the single safety primitive every mutating IU test (d, e, f-enable) depends on: bounded gate open/close/verify-close/watchdog with approval (Điều 32), fail-closed, with the never-flip list (iu_enact.allow_no_review_decision, iu_core.vector_sync_enabled). Its Phase-2 live implementation runs only after its own Hard-Gate-0. After it lands and is approved, proceed to Prompt 5 (split/merge review_decision wiring, C3) and Prompt 6 (trigger in/out event contract, C2+C3+C4). 4 Mothers remains BLOCKED until b–f + W5 complete.
12. Forbidden-compliance statement
No IU-data INSERT/UPDATE/DELETE (8 IU tables Δ=0). No dot_config/gate flip. No iu_enact.* touch. No event-type registration. No event emission/delivery. No split/merge/compose. No composer/structure_ops/delivery gate. No iu_sql_link.enabled flip. No fingerprint/inbound-capture. No Qdrant/vector write. No Directus mutation. No schema/table/template/collection creation beyond the 5 authored functions + 5 catalog rows. No law enactment. No 4-Mothers work. No hardcoded Nuxt/UI. No final OSS/tool selection. The only writes were: 5 CREATE FUNCTION, 5 catalog INSERT, 10 audit INSERT (via the canonical fail-closed logger) — the explicitly-allowed C2 additive footprint — plus these KB documents.