KB-7088

IU d/e/f-enable Governed Live-Test Suite — Appendix (2026-05-28)

Revision 1


Verbatim channel transcripts, function contracts, and key SQL for IU_D_E_F_REMAINING_GOVERNED_LIVE_TEST_SUITE_250000X. Companion to the main report.

A1 — Channels + artifacts

  • Write/apply: ssh contabo "docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1 -P pager=off --echo-errors -A -F'|'" < /tmp/<file>.sql (stdin pipe; container /tmp ≠ host /tmp; macOS md5 = openssl md5).
  • Read-proof: MCP query_pg, role context_pack_readonly, READ ONLY txn, 5s timeout, LIMIT 500. The cutter_governance schema is NOT visible to this role (permission denied), so governance reads/writes were done via workflow_admin.
  • Branch SQL files (each a self-contained BEGIN … ROLLBACK + a post-rollback committed verify):
    • /tmp/iu_branch_d.sql — md5 43234509cb8c695cc0d097b53f5a26c5
    • /tmp/iu_branch_e.sql — md5 76611d4db111f26b81ca753bdb343560
    • /tmp/iu_branch_f.sql — md5 1a633f6269b80f6fa83190f5432805c8
    • /tmp/iu_branch_f3b.sql — md5 5baf09bac4a196580c09776752a97ce3

A2 — Hard Gate 0 transcript (verbatim extract)

current_database | current_user   | version
directus         | workflow_admin | PostgreSQL 16.13 (Debian 16.13-1.pgdg13+1) …
-- gate fns present: fn_iu_gate_close, fn_iu_gate_open, fn_iu_gate_verify_closed, fn_iu_gate_watchdog
-- write probe: BEGIN; UPDATE 1; IN_TX composer=true; ROLLBACK; AFTER_RB composer=false
-- verify_closed(NULL) -> all_safe=true, never_flip_intact=true, all_governed_closed=true
-- pg_dump --schema-only --schema=public | wc -c = 1523493

A3 — Bounded gate protocol signatures (verified live)

fn_iu_gate_open(p_gate_key text, p_approval_id uuid, p_actor text, p_reason text, p_ttl_seconds integer) -> jsonb   [VOLATILE]
fn_iu_gate_close(p_gate_key text, p_actor text, p_reason text) -> jsonb                                              [VOLATILE]
fn_iu_gate_verify_closed(p_gate_key text) -> jsonb   [STABLE]   -- call with NULL for all gates; read ->>'all_safe'
fn_iu_gate_watchdog(p_actor text) -> jsonb           [VOLATILE]

verify_closed returns a jsonb object (NOT a composite), so (fn()).all_safe errors; use fn_iu_gate_verify_closed(NULL)->>'all_safe' instead. Governable set = {composer, structure_ops, delivery, three_axis_auto_refresh, operator_runtime, queue.job_substrate, queue.dlq.replay}; never-flip = {iu_enact.allow_no_review_decision, iu_core.vector_sync_enabled}.
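
A skeleton of one governed branch file (the BEGIN … ROLLBACK plus post-rollback verify shape from A1), built from the signatures above. It is an added illustration, not one of the suite's own SQL files. The approval_id psql variable and the actor and reason strings are assumptions; supply the approval id with -v approval_id=<uuid>.

```sql
-- Added example; not one of the /tmp/iu_branch_*.sql files.
-- Run through psql with: -v ON_ERROR_STOP=1 -v approval_id=<uuid>
-- (<uuid> is a placeholder for a real approval id).
BEGIN;

-- Open one governable gate with a bounded TTL (300 s, as in the transcripts).
SELECT fn_iu_gate_open('composer',
                       :'approval_id'::uuid,
                       'example_actor',          -- assumed actor label
                       'example governed test',  -- assumed reason text
                       300) AS open_composer;

-- ... gated test statements go here ...

-- Close explicitly instead of relying on TTL expiry or the rollback alone.
SELECT fn_iu_gate_close('composer',
                        'example_actor',
                        'example governed test') AS close_composer;

-- In-transaction check. The function returns jsonb, so read the key with ->>.
-- (fn_iu_gate_verify_closed(NULL)).all_safe would raise an error.
SELECT fn_iu_gate_verify_closed(NULL)->>'all_safe' AS verify_in_tx;

ROLLBACK;

-- Post-rollback verify, outside the rolled-back transaction.
-- With ON_ERROR_STOP=1 the exception aborts the psql run with a non-zero exit.
DO $$
DECLARE
  v jsonb := fn_iu_gate_verify_closed(NULL);
BEGIN
  IF (v->>'all_safe')::boolean IS NOT TRUE THEN
    RAISE EXCEPTION 'gate verification failed after rollback: %', v;
  END IF;
END
$$;
```

The IS NOT TRUE test also fails the run when the all_safe key is missing, because a NULL result is treated as unsafe.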

A4 — Key function contracts (verified live)

fn_iu_compose(p_collection_key,p_collection_kind,p_title,p_description,p_pieces jsonb,p_actor) -> jsonb
   p_pieces = array of {role, new_piece:{canonical_address,title,body,unit_kind,section_type}} | {role, iu_id}
   GATE: fn_iu_composer_enabled()
fn_iu_collection_add_piece / remove_piece / reorder_piece  -> all GATE on fn_iu_composer_enabled()
fn_iu_collection_render(p_collection_id) -> TABLE(piece_order,piece_role,iu_id,canonical_address,doc_code,piece_lifecycle,depth,tag_count)  [STABLE]
fn_iu_create(p_canonical_address,p_title,p_body,p_actor,p_unit_kind,p_section_type,p_owner_ref,p_publication_type,p_parent_ref) -> jsonb  [SECDEF]
   valid unit_kind: design_doc_section|law_unit ; valid section_type: paragraph|section|article|...
fn_iu_piece_split(p_source_canonical_address,p_child_specs jsonb,p_actor,p_review_decision_id,p_change_set_id,p_reason,p_tool_revision,p_dry_run) -> jsonb  [SECDEF]
   p_child_specs = array(>=2) of {canonical_address,title,body,unit_kind,section_type}; review_decision_id REQUIRED + FK-probed; NO gate check; source UNTOUCHED; no cut-state-machine
fn_iu_piece_merge(p_merged_spec jsonb,p_source_canonical_addresses text[],p_actor,p_review_decision_id,...) -> jsonb  [SECDEF]  -- symmetric to split
fn_iu_emit_event(p_event_type,p_canonical_address,p_subject_ref uuid,p_actor_ref,p_safe_payload jsonb) -> uuid   -- GATE: master only (routes_master_enabled); domain='iu'
fn_iu_piece_emit_event(... same sig ...) -> uuid   -- GATE: master AND piece_event_runtime.emit_enabled; domain='piece'
fn_iu_route_deliver(p_route_code,p_event_ref uuid,p_safe_payload) -> void  -- GATE: delivery_enabled + route in delivery_live_routes + target sql_function/fn_iu_structure_consumer
fn_iu_route_worker_run(p_worker_name,p_batch_limit) -> jsonb  -- GATE: master + route_worker_enabled; per-event try/except => failure dead-letters
fn_iu_sql_link_validate(p_link_id uuid) -> jsonb [STABLE]; fn_iu_sql_link_resolve_all() -> jsonb [STABLE]
fn_iu_sql_link_inbound_capture() -> trigger  -- on iu_sql_link AFTER INSERT only; matches enabled iu_sql_event_route by (schema,table,lower(TG_OP))
fn_iu_structure_consumer(p_event_ref uuid,p_safe_payload jsonb) -> jsonb  -- only delivery target; idempotent INSERT iu_tree_change_log

A5 — Branch D transcript (key lines)

open_composer  -> status=opened approval_id=… ttl=300
open_structops -> status=opened approval_id=… ttl=300
composer_on=t structops_on=t
D1 compose -> ok=true pieces_minted=3 pieces_attached=3   (WARNING birth gate L1 PILOT-ONLY P-pub1/P-pub2 — non-fatal)
D2 add p4 -> ok=true piece_order=3
D3 remove p2 -> ok=true (renumbered)
D4 reorder p3->0 -> ok=true new_order=0
D7 render -> 0|body|TEST/def-suite/p3 ; 1|intro|TEST/def-suite/p1 ; 2|body|TEST/def-suite/p4   (p2 gone)
gov review_decision -> rd_exists=1   (verdict=approve status=decided scope=manifest unit_local_id=NULL)
D5 split p1 -> split_recorded child_count=2 split_set_id=… review_decision_id=… (rd_bound) source untouched
D6 merge p3,p4 -> merge_recorded merged_iu_id=… (rd_bound) sources untouched
in_tx -> test_ius=7 nontest_ius=216 split_sets=1 merge_sets=1
close_composer/close_structops -> closed ; verify_in_tx all_safe=true
ledger_in_tx: composer open/close, structure_ops open/close
post_rb -> information_unit=216 split=0 merge=0 collections=45 gate_transitions=0 command_runs=55 review_decisions=4 ; final_all_safe=true

A6 — Branch E transcript (key lines)

E0 routes_master=t worker_gate=t delivery=f
E1 iu_emit -> event 8c4969ae… outbox domain=iu type=template.instance_auto_composed stream=update lane=delayed payload={"ref":"test",...}
E1b piece_emit -> outbox type=updated emit_mode=dry_run (emit_enabled flipped true then reverted false)
E2 inbound_attempt -> route_kind=inbound status=dry_run payload={op:insert,table:_iu_def_suite_intest}
E3 worker_summary -> seen=1 attempts_written=0 skipped=0 dead_lettered=1
   dlq_row -> route=iu.test_def_suite.dlq failure_code=worker_process_error detail="delivery gate closed …"
   attempt_failed -> status=failed error_code=worker_process_error
E4 open_delivery -> opened ; NOTICE "E4 refused_as_expected: real route iu.collection_created.workflow blocked (not in allowlist)"
E5 deliver_void (success) ; projection tree_change_log_rows=1
E6 close_delivery -> closed ; verify_in_tx all_safe=true ; ledger delivery open/close
post_rb -> test_outbox=0 routes=15 attempts=68 dlq=0 test_cursor=0 allowlist="" emit_enabled=false gate_trans=0 runs=55 ; final_all_safe=true

Worker isolation technique: insert a dedicated iu_route_worker_cursor named iu_def_suite_test positioned at the latest existing iu-domain event excluding the just-emitted test event, so the keyset scan (created_at,id) > cursor claims exactly the one test event. Test route iu.test_def_suite.dlq (enabled=true, dry_run=false) was pre-listed in delivery_live_routes to satisfy the route insert guard; with delivery_enabled still false, fn_iu_route_deliver RAISES → the worker's per-event EXCEPTION block writes the dead-letter.
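
The cursor-positioning idea above, reproduced on constructed temporary tables so it runs on any PostgreSQL instance. This is an added example, not the suite's SQL: the demo_event and demo_worker_cursor tables, their columns, and all rows are assumptions made for illustration; only the cursor name iu_def_suite_test and the (created_at,id) keyset comparison come from the text.

```sql
-- Added example with constructed tables and rows; table and column names are assumptions.
BEGIN;

CREATE TEMP TABLE demo_event (
  id         uuid PRIMARY KEY,
  domain     text NOT NULL,
  created_at timestamptz NOT NULL
) ON COMMIT DROP;

CREATE TEMP TABLE demo_worker_cursor (
  worker_name text PRIMARY KEY,
  created_at  timestamptz NOT NULL,
  id          uuid NOT NULL
) ON COMMIT DROP;

-- Constructed backlog: two older iu events, one piece event, then the test event (...ff).
INSERT INTO demo_event (id, domain, created_at) VALUES
  ('00000000-0000-0000-0000-000000000001', 'iu',    '2026-05-28 10:00:00+00'),
  ('00000000-0000-0000-0000-000000000002', 'iu',    '2026-05-28 10:05:00+00'),
  ('00000000-0000-0000-0000-000000000003', 'piece', '2026-05-28 10:06:00+00'),
  ('00000000-0000-0000-0000-0000000000ff', 'iu',    '2026-05-28 10:10:00+00');

-- Position the dedicated cursor at the newest iu event other than the test event.
INSERT INTO demo_worker_cursor (worker_name, created_at, id)
SELECT 'iu_def_suite_test', e.created_at, e.id
FROM demo_event e
WHERE e.domain = 'iu'
  AND e.id <> '00000000-0000-0000-0000-0000000000ff'
ORDER BY e.created_at DESC, e.id DESC
LIMIT 1;

-- Keyset scan for that cursor: iu-domain events strictly after the cursor position.
SELECT e.id, e.created_at
FROM demo_event e
JOIN demo_worker_cursor c ON c.worker_name = 'iu_def_suite_test'
WHERE e.domain = 'iu'
  AND (e.created_at, e.id) > (c.created_at, c.id)
ORDER BY e.created_at, e.id;

ROLLBACK;
```

Because the comparison is on the pair, an event that shares the cursor's created_at is claimed only when its id sorts after the cursor's id, so the cursor must store both values.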

A7 — Branch F transcript (key lines)

F0 real_links: 48bd6ac6 represents f ; c9ed8792 governs f ; e73fef17 governs f ; enabled_true=0
F1 iu created 47d4dc8c… ; test_link 6f589767…
F2 validate_before -> {resolved:true, detail:pg_class_match, object_kind:table}
   resolve_before -> total=4 resolved_true=4 all_view_eq_direct=true
F3 test_link_enabled=t ; capture_attempt = 0 rows (trigger is AFTER INSERT only)
F4 validate_after -> resolved:true
F5 test_link_disabled=f
F6 enabled_true_count=0 ; real links all f ; verify all_safe=true
post_rb -> total_links=3 enabled_true=0 test_link_remaining=0 ius=216 attempts=68 runs=55 ; final_all_safe=true
F3b (route-first, INSERT) -> capture_on_insert route_kind=inbound status=dry_run table=iu_sql_link ; real_links_enabled_true=0 ; post_rb links=3 enabled_true=0 attempts=68

A8 — Final whole-suite committed verification

FINAL.counts: iu=216 split=0 merge=0 coll=45 links=3 links_on=0 routes=15 dlq=0 etr=31 gates=0 cat=51 runs=55 rd=4
FINAL.residue: test_iu=0 test_routes=0 test_cursor=0 test_env=0
FINAL.config: delivery_live_routes="" ; vector_sync_enabled=false ; allow_no_review_decision=false ; piece_event_runtime.emit_enabled=false
FINAL.verify: all_safe=true never_flip_intact=true all_governed_closed=true
pg_dump --schema-only --schema=public | wc -c = 1523493   (== pre-suite baseline)

A9 — Forbidden-action ledger (what was NOT persisted)

No committed INSERT/UPDATE/DELETE on any IU-data / governance / event / route / link table (all Δ=0). No real-route delivery. No real iu_sql_link.enabled flip. No never-flip gate flip (would be code-refused regardless). No persisted gate open (iu_gate_transition=0). No Qdrant / Directus / Nuxt / 4-Mothers action. The emit_enabled and delivery_live_routes toggles existed only inside rolled-back transactions (both back to baseline post-rollback). Persisted writes = these two KB documents only.
