IU b–f Execution Readiness Refactor — 04 Gate & Law Matrix (Outcome E)
Maps every future IU macro (M-A … M-I + the U5 follow-up) to: owner law, mutation risk, approval requirement, gate requirement, rollback requirement, audit requirement, and a no-double-ownership check. Owner-law assignments are grounded in the survey §11 verified-live ownership and command-pack doc 11 self-review (both consistent).
1. Master matrix
| Macro | Exec class | Owner law(s) | Mutation risk | Approval req | Gate req | Rollback req | Audit req | No-double-ownership |
|---|---|---|---|---|---|---|---|---|
| M-A b/c axis+tree proof | C1 | Điều 38/39 (IU cut/select read) | None (SELECT only) | none | none | N/A (zero write) | none (no command invoked) | ✔ read under Đ38/39 only |
| M-B f sql-link proof | C1 | Điều 38/39 (IU↔DB link read) | None | none | none | N/A | none | ✔ link-read under Đ38/39 only |
| M-C b/c/f DOT wrappers + harness | C2 | Điều 35 (DOT pair + audit) | Low (DDL + catalog + audit rows; no IU data) | none (additive, no gate) | none | DROP FUNCTION + DELETE catalog (paired script) | dot_iu_command_run per call (mutating=false) | ✔ DOT under Đ35 only |
| M-D bounded gate protocol | C4 | Điều 32 (approval) + Điều 35 (DOT/audit) | Medium (dot_config flips; primitive only) | approval_id on opening any mutating gate | Hard-Gate-0; fail-closed; verify-close | gate auto-close; self-test in BEGIN/ROLLBACK; DROP fns | open/close write dot_iu_command_run (mutating=true) + gate-transition record | ✔ approval under Đ32, DOT under Đ35; no overlap |
| M-E split/merge review_decision + test d | C3 (needs C4) | Điều 32 (review_decision) + Điều 30 (reversibility) + Điều 38/39 (structure ops) | Medium-high (IU structure ops; first iu_split_set/merge_set) | review_decision_id (Đ32); approval_id for gate | bounded structure_ops/composer via M-D | fn_iu_structure_op_rollback; retire test IUs; gate close | every structure op + gate flip audited | ✔ decision under Đ32, reversibility under Đ30, ops under Đ38/39 |
| M-F trigger in/out event contract + test e | C2+C3+C4 | Điều 45 (event/queue) + Điều 32 (gate approval) | Medium (event rows, route attempts, DLQ; bounded) | approval_id for delivery gate | bounded delivery_enabled (route-scoped) via M-D | gate close; retire test route/IU/events | route attempts + deliveries + DLQ + gate audited | ✔ event/queue under Đ45, gate approval under Đ32; registration is Đ45 not Đ35 |
| M-G design drift patch (U11) | C5 | doc governance (no law enactment) | None (KB doc only) | none | none | KB revision history (patch_document) | KB revision +1 | ✔ doc-only, owns nothing live |
| M-H queue/registry hardening survey (U9) | C5→C2 | Điều 45 (queue substrate) | None (survey) → Medium (later impl) | none (survey) | none (survey) | per later impl | per later impl | ✔ queue registries under Đ45 |
| M-I candidate registry survey / Gate B (U10) | C5→C2 | Điều 35 (dot_function) + Điều 28 (input form/template) | None (survey) → Medium (later impl) | none (survey) | none (survey) | per later impl | per later impl | ✔ CRS split: dot_function→Đ35, form/template→Đ28 |
| U5 cut state-machine rollback (follow-up) | C3 | Điều 30 (reversibility) + Điều 45 (state machine) | Medium (state-machine edge) | per change | bounded if it flips a gate | rollback edge IS the deliverable | transition audited | ✔ reversibility under Đ30, state under Đ45 |
2. Law ownership reference (verified-live, survey §11)
| Law | Owns | Relevant to |
|---|---|---|
| Hiến pháp | Constitutional invariants (15 NT; axis-B tag vocabulary source) | b (domain axis from Constitution) |
| Điều 0-G | Birth registry / industrial-birth contract | 4 Mothers (blocked) — not b–f |
| Điều 7 | (foundational) | context only |
| Điều 28 | UI surface = design_templates row; input forms | M-I (CRS form/template); 4 Mothers |
| Điều 30 | Reversibility — every mutating step has a rollback primitive | M-E, U5, all C3/C4 |
| Điều 31 | Audit / integrity — every command writes audit | M-C, M-D, M-E, M-F (all writing macros) |
| Điều 32 | Approval — bounded gate open needs approval_id; split/merge need review_decision_id; allow_no_review_decision NEVER flipped | M-D, M-E, M-F |
| Điều 35 | DOT — every command is a catalog pair with correct mutating flag + audit | M-C, M-I (dot_function) |
| Điều 36 | Collection registry | 4 Mothers (blocked); test-d collection clone references it |
| Điều 37 | Governance registry (factory agency; NO human roles — those sit in Directus+Đ32) | 4 Mothers (blocked) |
| Điều 38/39 | IU cut / compose / structure ops | M-A, M-B, M-E |
| Điều 45 | Event / queue — register-before-emit, idempotency, DLQ, heartbeat, route-scoped delivery | M-F, M-H, U5 |
3. No-double-ownership verification
Each concern maps to exactly one owner law (verified live in survey §11):
- Read tests (b, c, f-read) → Điều 38/39 only. No approval, no DOT, no event concern — pure read.
- DOT command surface → Điều 35 only. The audit-row obligation it carries is Điều 31's integrity requirement satisfied through the Điều 35 DOT pair — not a second owner; Đ31 is the cross-cutting integrity law that every writing macro honours, it does not own the DOT command.
- Gate approval → Điều 32 only.
- Reversibility → Điều 30 (cross-cutting; every mutating macro must satisfy it, but Đ30 owns reversibility as a property, not the operation).
- Event/route/delivery → Điều 45 only. (Event-type registration is a Điều 45 concern — NOT Điều 35 — because it populates event_type_registry, a queue-law artifact, not a DOT catalog.)
- The only NEW owner is the 4 Mothers application layer (future Điều XX), explicitly deferred and blocked.
Cross-cutting laws (Đ30 reversibility, Đ31 audit/integrity) are NOT double-ownership. They are properties every writing macro must satisfy regardless of which law owns the operation. The matrix lists them as requirements on a macro, while "owner law" names the single law that owns the operation itself. This distinction is the correction to any reading that would count "Đ35 + Đ31 + Đ30" as triple ownership.
4. Gate inventory and the never-flip rule
The 8 dot_config gates the protocol (M-D) governs, with their safe defaults:
| Gate | Safe default | Opened by | Bounded? |
|---|---|---|---|
| iu_core.composer_enabled | false | M-E (compose/structure ops) | yes, via M-D |
| iu_core.structure_ops_enabled | false | M-E (split/merge/reparent) | yes, via M-D |
| iu_core.delivery_enabled | false | M-F (trigger-out delivery) | yes, route-scoped if possible |
| iu_core.three_axis_auto_refresh_enabled | false | (post-CUT autowire, U4) | yes |
| iu_core.operator_runtime_enabled | false | (operator surface) | yes |
| queue.job_substrate.enabled | false | (queue hardening, U9) | yes |
| queue.dlq.replay_enabled | false | (DLQ replay) | yes |
| iu_enact.allow_no_review_decision | false | NEVER | never flipped |
Plus iu_core.vector_sync_enabled = false → NEVER flipped (no vector pollution).
Absolute rule: iu_enact.allow_no_review_decision and iu_core.vector_sync_enabled are never opened in any macro. The correct response to "enact needs a decision" is to supply a real review_decision_id (M-E), never to bypass the requirement. Flipping either is a Điều 32 violation.
Gate-close guarantee: no macro may report PASS if any gate it opened reads non-default at macro end (prompt standard §6 "no gate left open" + verify-close).
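The M-D rules as stated in the master matrix and in this section (approval_id on any mutating gate open, never-flip keys refused outright, fail-closed open, one dot_iu_command_run row with mutating=true per open and per close, auto-close even when the body errors, and verify-close before any PASS), carried through as an added worked example. This is not the project's own code: the table names dot_config and dot_iu_command_run come from this page, but their column layouts, the approval table, and every function name here are assumptions made for the sketch. The BEGIN/ROLLBACK self-test and the gate-transition record are not modelled.

```python
import sqlite3
from contextlib import contextmanager

# Safe defaults from the gate inventory above; stored as text to mirror a config table.
SAFE_DEFAULTS = {
    "iu_core.composer_enabled": "false",
    "iu_core.structure_ops_enabled": "false",
    "iu_core.delivery_enabled": "false",
    "iu_core.three_axis_auto_refresh_enabled": "false",
    "iu_core.operator_runtime_enabled": "false",
    "queue.job_substrate.enabled": "false",
    "queue.dlq.replay_enabled": "false",
    "iu_enact.allow_no_review_decision": "false",
    "iu_core.vector_sync_enabled": "false",
}
# Absolute rule: no macro ever opens these.
NEVER_FLIP = {"iu_enact.allow_no_review_decision", "iu_core.vector_sync_enabled"}


class GateViolation(Exception):
    """A gate operation that breaks the M-D protocol; callers must fail closed."""


def new_conn(approval_ids):
    """In-memory SQLite seeded with every gate at its default and the given approvals.
    Column layouts and the approval table are assumptions, not the project's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dot_config (key TEXT PRIMARY KEY, value TEXT NOT NULL);
        CREATE TABLE approval (approval_id TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE dot_iu_command_run (
            id INTEGER PRIMARY KEY, macro TEXT, command TEXT, gate_key TEXT,
            approval_id TEXT, mutating INTEGER NOT NULL);
    """)
    conn.executemany("INSERT INTO dot_config VALUES (?, ?)", SAFE_DEFAULTS.items())
    conn.executemany("INSERT INTO approval (approval_id) VALUES (?)", [(a,) for a in approval_ids])
    return conn


def gate_value(conn, key):
    return conn.execute("SELECT value FROM dot_config WHERE key = ?", (key,)).fetchone()[0]


def audit_count(conn, macro):
    return conn.execute("SELECT COUNT(*) FROM dot_iu_command_run WHERE macro = ?", (macro,)).fetchone()[0]


def _audit(conn, macro, command, key, approval_id=None):
    # Every gate flip is a mutating command and writes its own audit row (Đ31 honoured via the Đ35 pair).
    conn.execute("INSERT INTO dot_iu_command_run (macro, command, gate_key, approval_id, mutating) "
                 "VALUES (?, ?, ?, ?, 1)", (macro, command, key, approval_id))


def open_gate(conn, key, approval_id, macro):
    """Hard-Gate-0: never-flip keys are refused before anything else, an unconsumed approval_id
    is mandatory, and an already-open gate is not re-opened (fail closed, do not assume ownership)."""
    if key in NEVER_FLIP:
        raise GateViolation(f"{key} is never flipped (Điều 32)")
    if key not in SAFE_DEFAULTS:
        raise GateViolation(f"unknown gate {key}")
    row = conn.execute("SELECT used FROM approval WHERE approval_id = ?", (approval_id,)).fetchone()
    if row is None or row[0]:
        raise GateViolation(f"no unconsumed approval_id for {key}")
    if gate_value(conn, key) != SAFE_DEFAULTS[key]:
        raise GateViolation(f"{key} already non-default; another holder owns it")
    conn.execute("UPDATE approval SET used = 1 WHERE approval_id = ?", (approval_id,))
    conn.execute("UPDATE dot_config SET value = 'true' WHERE key = ?", (key,))
    _audit(conn, macro, "gate_open", key, approval_id)


def close_gate(conn, key, macro):
    conn.execute("UPDATE dot_config SET value = ? WHERE key = ?", (SAFE_DEFAULTS[key], key))
    _audit(conn, macro, "gate_close", key)


@contextmanager
def bounded_gate(conn, key, approval_id, macro):
    """The gate is open only inside the block; auto-close runs even when the body raises."""
    open_gate(conn, key, approval_id, macro)
    try:
        yield
    finally:
        close_gate(conn, key, macro)


def verify_close(conn, macro):
    """Gates this macro opened that still read non-default. Must be [] before PASS."""
    opened = conn.execute("SELECT DISTINCT gate_key FROM dot_iu_command_run "
                          "WHERE macro = ? AND command = 'gate_open'", (macro,)).fetchall()
    return [k for (k,) in opened if gate_value(conn, k) != SAFE_DEFAULTS[k]]


def run_macro(conn, macro, key, approval_id, body):
    """Run body under one bounded gate; PASS only if nothing failed and verify-close is clean."""
    try:
        with bounded_gate(conn, key, approval_id, macro):
            body(conn)
    except Exception:
        return "FAIL"
    return "PASS" if not verify_close(conn, macro) else "FAIL"


def failing_body(conn):
    """Constructed body that errors mid-gate, to show the auto-close still happens."""
    raise RuntimeError("constructed failure inside the gate")
```

Two points the sketch makes concrete: the never-flip check runs before the approval is consumed, so a mistaken attempt on iu_enact.allow_no_review_decision leaves neither a flipped value nor a burnt approval behind, only a refusal; and verify_close reads the live dot_config rather than trusting the macro's own bookkeeping, which is what "no gate left open" requires when a close path is skipped.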