KB-26A8

IU b–f Execution Readiness Refactor — 02 Revised Macro Sequence + Waves (Outcome C)

Revision 1
Tags: iu, tests-b-f, macro-sequence, execution-waves, execution-class, sequencing, document-only, 2026-05-28

Splits the b–f execution path into five safe waves by execution class (doc 00 §2). Each macro is fully classed: allowed actions, forbidden actions, required channel, rollback, acceptance criteria, output path. Waves are ordered so that no mutating step ever runs before its proof and its gate protocol exist.


1. Wave overview

| Wave | Theme | Execution class | Gate? | Can start when | Macros |
|---|---|---|---|---|---|
| Wave 1 | Pure read-only proofs | C1 | none | now (no dependency) | M-A (b/c axis+tree), M-B (f sql-link) — run in parallel |
| Wave 2 | Additive DOT wrappers/catalog | C2 | none (write channel only) | after Wave 1 proofs PASS | M-C (b/c/f read-only wrappers + harness core) |
| Wave 3 | Bounded gate protocol | C4 | Hard-Gate-0 | after Wave 1 PASS; design phase can start now | M-D (gate protocol design → impl) |
| Wave 4 | Governed mutating tests | C3 (+C2/C4 sub-phases) | bounded gate + approval | after Wave 3 approved + Wave 2 wrappers exist | M-E (split/merge review_decision + test d), M-F (trigger in/out + test e) |
| Wave 5 | Production hardening | C2/C3/C5 | per item | after b–f demonstrable | M-G (design drift patch), M-H (queue/registry hardening), M-I (candidate registry survey) |

Critical path to "b–f demonstrable": M-A ∥ M-B → M-C → M-D(approved) → M-E + M-F. Tests b, c, f-read are PASS-able at the end of Wave 1 alone (no wrappers, no gates needed). Wave 2 only adds operator ergonomics (DOT commands); it is not required for the b/c/f-read PASS, only for a repeatable harness.

4 Mothers remains BLOCKED through all five waves. Wave 5 is IU substrate hardening, still upstream of 4 Mothers.


2. Per-macro specification

M-A — IU_B_C_AXIS_TREE_PURE_READONLY_PROOF (Wave 1)

  • Execution class: C1 — PURE_READ_ONLY_PROOF.
  • Tests covered: b (domain/professional axis filter), c (parent/child/grandchild tree axis).
  • Allowed: bare parameterised SELECT over iu_three_axis_envelope, iu_metadata_tag (axis-b tags: legal_domain/topic/sectype/doc/kind), iu_relation, iu_tree_path; calling existing STABLE functions (fn_iu_subtree) inside a SELECT (read path only); producing a result contract + sample JSON of returned rows.
  • Forbidden: any CREATE FUNCTION; any DOT command invocation (would write an audit row); any INSERT/UPDATE/DELETE; any catalog row; any gate touch; running via dot_iu_* wrappers (those are Wave 2).
  • Channel: MCP query_pg (read-only) is sufficient and preferred. No SSH needed.
  • Rollback: N/A (genuinely zero write — provable because no command is invoked and no DDL is issued).
  • Acceptance: axis-b filter returns the correct IU set for ≥3 distinct domain values; tree filter returns correct subtree for ≥2 roots at depth ≥3; zero-delta confirmed on all candidate tables including dot_iu_command_run (delta must be 0 because nothing was invoked); evidence = the actual SELECT scripts + row counts + sample JSON.
  • Output: knowledge/dev/reports/architecture/iu-b-c-axis-tree-pure-readonly-proof-<date>/.

M-B — IU_F_SQL_LINK_PURE_READONLY_PROOF (Wave 1)

  • Execution class: C1 — PURE_READ_ONLY_PROOF.
  • Tests covered: f (SQL link between IU and current DB data) — validate + resolve read paths only.
  • Allowed: call fn_iu_sql_link_validate and read v_iu_sql_link_resolved as bare SELECTs over the 3 live iu_sql_link rows (all enabled=false — note: enabled=false suppresses runtime delivery/capture only; validate/resolve read paths remain valid); confirm the validator is STABLE/SELECT-only by code inspection, not by a write probe.
  • Forbidden: flipping any iu_sql_link.enabled; running fn_iu_sql_link_inbound_capture (writes); creating wrappers/catalog rows; any DOT invocation; any gate touch.
  • Channel: MCP query_pg (read-only).
  • Rollback: N/A (zero write).
  • Acceptance: all 3 links validate with a clear pass/fail verdict each; resolve returns the joined live-DB shape for each link; zero-delta on all tables incl. dot_iu_command_run; evidence = validate output per link + resolved JSON + the inspected function body confirming STABLE/no-write.
  • Output: knowledge/dev/reports/architecture/iu-f-sql-link-pure-readonly-proof-<date>/.

M-C — IU_B_C_F_ADDITIVE_DOT_WRAPPER_IMPLEMENTATION (Wave 2)

  • Execution class: C2 — ADDITIVE_IMPLEMENTATION.
  • Purpose: make the Wave-1 proofs repeatable as operator DOT commands + a harness orchestrator.
  • Allowed: CREATE FUNCTION filter_axis_b, filter_axis_c_subtree (STABLE, SELECT-only bodies); CREATE the read-only sql-link wrapper functions; INSERT DOT catalog rows for dot_iu_filter_axis_b, dot_iu_subtree, dot_iu_sql_link_validate, dot_iu_sql_link_resolve, dot_iu_test_harness_run (Điều 35 pairs, mutating=false); these wrappers write dot_iu_command_run audit rows by design — that is the expected additive footprint, NOT a violation.
  • Forbidden: any IU-data mutation; any gate flip; touching iu_enact.*; split/merge/compose; event emission; the mutating sql-link commands (_register, _capture_probe — those are Wave 4/deferred C3).
  • Channel: SSH workflow_admin (DDL + catalog INSERT) — ssh contabo "docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1" < /tmp/mig_NNN.sql. MCP query_pg cannot create functions.
  • Rollback: each object created has a paired DROP FUNCTION + DELETE FROM dot_iu_command_catalog WHERE …; macro provides a sibling restore script; pg_dump --schema-only before/after diff.
  • Acceptance: before/after object diff shows exactly the N new functions + N new catalog rows and nothing else changed; each wrapper, run once, returns the same result as the Wave-1 bare SELECT (parity check); BEGIN/ROLLBACK dry-run proves the catalog+function creation is reversible; mutating=false flag correct on every new catalog row.
  • Output: knowledge/dev/reports/architecture/iu-b-c-f-additive-dot-wrapper-<date>/.
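
The M-C acceptance criterion (exactly the expected new objects, nothing else changed, mutating=false on every new catalog row) can be checked as a diff over before/after inventories. This is an added example, not the project's code: the inventory shape, the function name and the sample rows are assumptions; only the object names come from the list above.

```python
def additive_footprint_violations(before, after, expected_new):
    """Compare {kind: {name: definition}} inventories taken before and after M-C.

    expected_new maps kind -> set of names the migration is allowed to add.
    Returns a list of violations; an empty list means the footprint is additive.
    """
    problems = []
    for kind in sorted(set(before) | set(after)):
        old, new = before.get(kind, {}), after.get(kind, {})
        added = new.keys() - old.keys()
        want = expected_new.get(kind, set())
        for name in sorted(old.keys() - new.keys()):
            problems.append(f"{kind} {name}: dropped")
        for name in sorted(old.keys() & new.keys()):
            if old[name] != new[name]:
                problems.append(f"{kind} {name}: pre-existing object changed")
        for name in sorted(added - want):
            problems.append(f"{kind} {name}: unexpected new object")
        for name in sorted(want - added):
            problems.append(f"{kind} {name}: expected object missing")
    # Every catalog row added by M-C must be flagged mutating=false.
    catalog_old, catalog_new = before.get("catalog", {}), after.get("catalog", {})
    for name in sorted(catalog_new.keys() - catalog_old.keys()):
        if catalog_new[name].get("mutating") is not False:
            problems.append(f"catalog {name}: mutating is not false")
    return problems


# Constructed sample inventories (not real pg_dump output).
BEFORE = {
    "function": {"fn_iu_subtree": "stable-body-v1"},
    "catalog": {},
}
AFTER = {
    "function": {"fn_iu_subtree": "stable-body-v1",
                 "filter_axis_b": "stable-select",
                 "filter_axis_c_subtree": "stable-select"},
    "catalog": {"dot_iu_filter_axis_b": {"mutating": False},
                "dot_iu_subtree": {"mutating": True}},  # wrong flag, on purpose
}
EXPECTED = {
    "function": {"filter_axis_b", "filter_axis_c_subtree"},
    "catalog": {"dot_iu_filter_axis_b", "dot_iu_subtree"},
}

if __name__ == "__main__":
    for line in additive_footprint_violations(BEFORE, AFTER, EXPECTED):
        print(line)
```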

M-D — IU_BOUNDED_GATE_PROTOCOL_AUTHORITY_PACK (Wave 3)

  • Execution class: C4 — GATE_PROTOCOL_IMPLEMENTATION (with an explicit design-first phase that is C5 until Hard-Gate-0 passes).
  • Purpose: the single safety primitive every mutating test depends on — open a dot_config gate for a bounded window with guaranteed auto-close.
  • Allowed: Phase 1 (C5, always allowed): author the protocol design — open/close/verify-close/watchdog function signatures, approval model, fail-closed semantics, the 8-gate matrix, never-flip list. Phase 2 (C4, only after Hard-Gate-0 passes): create the gate-protocol function(s) writing dot_config + dot_iu_command_run + a gate-transition record; require an approval_id (Điều 32) on open of any mutating gate; a self-test that flips one gate true→false inside BEGIN/ROLLBACK and proves verify-close.
  • Forbidden: opening any gate outside the protocol; flipping iu_enact.allow_no_review_decision or iu_core.vector_sync_enabled (NEVER); leaving any gate open at macro end; running d/e tests; creating live gate functions before Hard-Gate-0 passes.
  • Channel: SSH workflow_admin. Hard-Gate-0 (before any deep/live work): prove SSH write channel with a BEGIN/ROLLBACK probe; confirm dot_config writable by workflow_admin; confirm pg_dump backup available. If the channel fails → drop to AUTHOR_MODE_ONLY (design only), do not author hours of unrequested docs.
  • Rollback: gate auto-close on completion/timeout/error; the self-test runs inside BEGIN/ROLLBACK so it persists nothing; function creation rolled back via DROP.
  • Acceptance: protocol design complete + reviewed; (if Phase 2) the open/close/verify-close functions exist, the self-test proves a gate returns to its safe default, and no gate reads non-default at macro end (mandatory — macro is not PASS otherwise).
  • Output: knowledge/dev/reports/architecture/iu-bounded-gate-protocol-<date>/.
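
A minimal model of the M-D open/close/verify-close behaviour, added here as an example and not the project's gate-protocol code. It assumes an in-memory dict standing in for dot_config, a safe default of false for every gate, and a 60-second window cap; `bounded_gate`, `verify_closed` and `GateError` are hypothetical names.

```python
import time
from contextlib import contextmanager

# The two never-flip gate names appear on the page; the dict store, the
# function names and the 60-second cap are assumptions of this sketch.
NEVER_FLIP = {"iu_enact.allow_no_review_decision", "iu_core.vector_sync_enabled"}
MAX_WINDOW_S = 60


class GateError(Exception):
    pass


def verify_closed(config, audit):
    """Return the gates that still read open; an empty list means PASS."""
    still_open = sorted(k for k, v in config.items() if v is True)
    audit.append(("verify_close", tuple(still_open)))
    return still_open


@contextmanager
def bounded_gate(config, audit, gate, approval_id, window_s, clock=time.monotonic):
    # Fail closed: refuse before touching the store if any precondition fails.
    if gate in NEVER_FLIP:
        raise GateError(f"{gate} is on the never-flip list")
    if not approval_id:
        raise GateError("approval_id required to open a mutating gate")
    if not 0 < window_s <= MAX_WINDOW_S:
        raise GateError("window must be bounded")
    if config.get(gate) is not False:
        raise GateError(f"{gate} is unknown or already open")
    deadline = clock() + window_s
    config[gate] = True
    audit.append(("open", gate, approval_id))

    def check_window():
        # Watchdog hook: the test body calls this before each mutating step.
        if clock() > deadline:
            raise GateError(f"{gate} window expired")

    try:
        yield check_window
    finally:
        # Auto-close on completion, timeout or error.
        config[gate] = False
        audit.append(("close", gate, approval_id))
```

A macro run would wrap each mutating step in `with bounded_gate(...)` and treat a non-empty `verify_closed` result at macro end as a failed run.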

M-E — IU_SPLIT_MERGE_REVIEW_DECISION_WIRING_AUTHORITY_PACK (Wave 4)

  • Execution class: C3 — GOVERNED_MUTATION_TEST (depends on M-D approved + M-C wrappers).
  • Tests covered: d (compose / add / remove / reorder / split / merge), specifically the d5/d6 split/merge paths blocked on review_decision wiring (U3).
  • Allowed: privileged read of cutter_governance.review_decision to confirm shape (RO role is denied — use workflow_admin); commit the review sub-pipeline + row-builder that issues a real review_decision_id; wire fn_iu_piece_split/merge to require it; open structure_ops_enabled (+composer_enabled if needed) via the M-D protocol with an approval_id; run d5/d6 on isolated test IUs (cloned, lifecycle=testing); produce the durable first-use of iu_split_set/iu_merge_set; rollback via fn_iu_structure_op_rollback; close gates.
  • Forbidden: flipping allow_no_review_decision (the correct response to "enact needs a decision" is to supply a real review_decision_id, never to bypass); splitting/merging production law IUs on first run; leaving gates open; running without a review_decision_id; 4 Mothers work.
  • Channel: SSH workflow_admin.
  • Rollback: fn_iu_structure_op_rollback; retire test IUs; gate auto-close; pre-run pg_dump. Prerequisite U5 (cut state-machine mark_verified→mark_rejected rollback edge) for d's failure path — author the 6th prompt (U5) first if d5/d6 route through the cut state machine.
  • Acceptance: d1–d4/d7 pass (compose/add/remove/reorder/render) on test IUs; d5/d6 pass with a real review_decision_id and produce committed iu_split_set/iu_merge_set rows; rollback verified; all opened gates closed; audit rows present.
  • Output: knowledge/dev/reports/architecture/iu-split-merge-review-decision-wiring-<date>/.

M-F — IU_TRIGGER_IN_OUT_EVENT_CONTRACT_AUTHORITY_PACK (Wave 4)

  • Execution class: C2 (event-type registration) + C3 (delivery) + C4 (delivery gate) — depends on M-D approved.
  • Tests covered: e (trigger-in + trigger-out per IU).
  • Allowed: Sub-phase 1 (C2): register iu.trigger_in.received, iu.trigger_out.emitted, iu.route.delivered, iu.route.failed in event_type_registry (JSON schema, compat_mode=forward, refs-only payload, register-before-emit). Sub-phase 2 (C3+C4): create a test route + test IU; open delivery_enabled (route-scoped if supported) via the M-D protocol with an approval_id; run trigger-in (fn_iu_sql_link_inbound_capture) + trigger-out (fn_iu_piece_emit_event → event_outbox → iu_route_attempt); force a failure → DLQ (iu_route_dead_letter); close gate.
  • Forbidden: emitting unregistered events; delivering to any of the 15 real live routes; leaving delivery_enabled open; payloads carrying body/secret/vector (MP-D8 deny-list); 4 Mothers.
  • Channel: SSH workflow_admin. Dependency Closure Pack: confirm event_type_registry, fn_iu_emit_event, fn_iu_piece_emit_event, iu_outbound_route (15), iu_sql_event_route (1), fn_iu_route_deliver, fn_iu_route_worker_run, iu_route_dead_letter (0), fn_iu_route_dead_letter_replay; inventory the 15 live routes so the bounded delivery flip cannot deliver a real route.
  • Rollback: gate auto-close; retire test route + test IU + test event rows; pre-run pg_dump. Event-type registration is additive (kept) but reversible via DELETE if the test contract changes.
  • Acceptance: 4 event types registered with schemas; trigger-in capture recorded for a test IU; trigger-out emits an outbox row + route attempt; forced failure lands in DLQ; delivery_enabled reads false at macro end; no real route delivered.
  • Output: knowledge/dev/reports/architecture/iu-trigger-in-out-event-contract-<date>/.

M-G / M-H / M-I — Wave 5 (production hardening, after b–f demonstrable)

  • M-G — IU_DESIGN_PG_MAXIMIZATION_MAP_DRIFT_PATCH (C5 → surgical doc patch, U11): re-label verified-live artifacts mislabeled "paper" in 00-master-design-rev2.md §10; rename iu_kg_edge → iu_relation; reclassify G2 as "exists, not auto-wired". Doc governance only; risk none; patch via patch_document (replay edits), not full re-upload.
  • M-H — IU_QUEUE_REGISTRY_HARDENING_SURVEY (C5 survey → later C2, U9): survey executor_class_registry, state_machine_registry, idempotency_registry, retry_policy_registry, dlq_replay_request. Not required for b–f PASS; required for production e + 4 Mothers.
  • M-I — IU_CANDIDATE_REGISTRY_SURVEY (Gate B) (C5 survey → later C2, U10): survey field_registry, input_form_registry, output_table_registry, dot_function_registry, tier_registry. MOIT/MOUT depend on these — this is the gate into 4 Mothers, still blocked.

3. Backlog → wave mapping (from command-pack doc 09 U1–U11)

| Backlog | Subject | Wave | Macro | Class |
|---|---|---|---|---|
| U1 | Read-only test harness (b/c + f-read) | 1 (proof) + 2 (harness) | M-A/M-B (proof, C1) + M-C (harness, C2) | C1+C2 |
| U2 | Bounded gate protocol | 3 | M-D | C4 |
| U3 | Split/merge review_decision wiring | 4 | M-E | C3 |
| U4 | Post-CUT autowire | 5 (independent, follows M-A) | (own macro, C3) | C3 |
| U5 | Cut state-machine rollback edge | 4 (prereq of M-E failure path) | 6th prompt | C3 |
| U6 | iu.* event-type registration | 4 | M-F sub-phase 1 | C2 |
| U7 | DOT filter + sql-link commands | 2 | M-C | C2 |
| U8 | IU process-binding layer | 5+ (4 Mothers, blocked) | deferred | C3 |
| U9 | Queue-hardening registries | 5 | M-H | C5→C2 |
| U10 | Candidate registries (CRS) | 5 (Gate B into 4 Mothers) | M-I | C5→C2 |
| U11 | Design PG-Maximization-Map reconciliation | 5 (anytime) | M-G | C5 |

4. Sequencing guarantees (the safety invariants)

  1. No mutation before its proof. M-C (wrappers) cannot run before M-A/M-B (proofs) PASS. M-E/M-F (mutating tests) cannot run before M-C exists and M-D (gate protocol) is approved.
  2. No gate flip outside the protocol. Every flip in Wave 4 goes through M-D's open/close/verify-close, carries an approval_id, and is verified closed at macro end.
  3. Never-flip list is absolute. iu_enact.allow_no_review_decision and iu_core.vector_sync_enabled are never opened in any wave.
  4. 4 Mothers stays blocked until b–f are demonstrable (end of Wave 4) AND IU substrate readiness (Wave 5 surveys) is closed or explicitly accepted with known gaps.
  5. Live-ready = use, not rewrite. Existing live functions (fn_iu_subtree, fn_iu_piece_split/merge, fn_iu_sql_link_validate, fn_iu_post_cut_axis_materialize, the 9 d-commands, the 5-command operator cut surface) are reused, never re-implemented.

Document path: knowledge/dev/reports/architecture/iu-b-to-f-execution-readiness-refactor-2026-05-28/02-revised-macro-sequence-and-waves.md