IU Production-Hardening & Durable Governed-Run Bundle (PASS, 2026-05-28)
Macro: IU_PRODUCTION_HARDENING_AND_DURABLE_GOVERNED_RUN_BUNDLE_500000X
Execution class: C3 GOVERNED LIVE APPLY + C4 gate-protocol hardening — the first durable, committed (non-ROLLBACK) governed IU run plus five production-hardening branches.
Apply channel: SSH workflow_admin → docker exec -i postgres psql -U workflow_admin -d directus (stdin pipe).
Read-proof: MCP query_pg (role context_pack_readonly).
Companion appendix: iu-production-hardening-and-durable-governed-run-bundle-appendix-2026-05-28.md.
Precursors: iu-d-e-f-remaining-governed-live-test-suite-2026-05-28.md (+ appendix), iu-mutation-safety-foundation-for-d-e-f-enable-live-apply-2026-05-28.md, iu-b-c-f-additive-dot-wrapper-and-harness-live-apply-2026-05-28.md, iu-core-process-brick-readiness-and-gap-survey-2026-05-28.md.
1. Final status — PASS
| Branch | Verdict | One-line |
|---|---|---|
| A — durable governed IU operation | PASS (committed + lawfully retired) | birth → governed split (real test review_decision) → cross-connection durability proof → lawful fn_iu_retire of all 3 test IUs. Production 216 IUs untouched. |
| B — DLQ replay | PASS (committed, isolated) | forced test DLQ on a dedicated dry_run test route → fn_iu_route_dead_letter_replay resolved it (dry_run decision) → fixtures cleaned. No real route touched. |
| C — birth-gate L1 hardening | PASS (decision: authority pack) | proved structural anti-orphan/phantom/nhầm-chuồng gate ALREADY hard-blocks (5/5 negative tests); P-pub1/P-pub2 stay warn — exact authority pack delivered (§9). Live trigger untouched (sovereign choice). |
| D — piece_event_runtime.emit_enabled safety | PASS (integrated) | added to the bounded gate protocol governable set in all 4 protocol functions; now approval+TTL+watchdog+verify_closed-covered. Default false=safe. |
| E — review_decision row-builder / TD-P1 | PASS (test-only builder + prod authority pack) | committed fn_iu_test_review_decision_create (test_scope-tagged, NOT a prod Điều 32 approval) + catalog row; production builder → authority pack (§9.2). |
| F — production-readiness closeout | DELIVERED | §8 board: a–f all PASS; IU Core = Limited-Production-Pilot ready; 4 Mothers stays BLOCKED. |
This macro is the first to commit durable governed mutations outside BEGIN…ROLLBACK, proving the IU substrate persists a safe governed lifecycle and lawfully cleans it via retire — something the prior all-rollback suites could not demonstrate. Every consequential write was test-scoped, validated by a full dress-rehearsal in BEGIN…ROLLBACK first, and is reversible (emergency hard-delete rollback dry-run proven). No gate left open; both never-flip keys false; no production law IU mutated; no real route delivered; no real SQL link enabled. 4 Mothers remains BLOCKED.
2. Source matrix
| # | Source | Found | Used for |
|---|---|---|---|
| S1 | iu-d-e-f-remaining-governed-live-test-suite-2026-05-28.md (+ appendix) | KB | Predecessor PASS state, backlog B-1…B-6, substrate findings (split/merge need no gate; emit_enabled outside whitelist; birth-gate PILOT warn) |
| S2 | iu-mutation-safety-foundation-…-2026-05-28.md (+ appendix) | local | Gate-protocol signatures + governable/never-flip sets, channel pattern |
| S3 | iu-def-pass-gpt-next-production-hardening-bundle-2026-05-28.md | KB | GPT direction → this 500000X bundle |
| S4 | Live DB directus (pg_proc bodies, pg_constraint, schemas) | live | Authoritative contracts — corrected several assumptions (§7): the gateway allowlist gap, fn_iu_create has no publication_authority_ref, DLQ replay gated only by master routes gate |
| S5 | iu-b-c-f-additive-dot-wrapper-…, iu-core-process-brick-readiness-… | KB/local | DOT catalog, b/c/f read proofs, substrate inventory |
| S6 | Laws Hiến pháp / Đ0-G / Đ7 / Đ30 / Đ31 / Đ32 / Đ35 / Đ36 / Đ37 / Đ38-39 / Đ45; Master Design Rev5 | auto-memory | Owner-law map, never-flip absolutes, refs-only payload, retire/supersede lawfulness, birth registry |
| S7 | Prompt standard prompt-muc-tieu-mo-for-claude-code.md | auto-memory | PASS/PARTIAL/BLOCKED, underload rule, evidence requirements |
Source gaps: none blocking. Two read-list reports (#1 d/e/f suite, #3 GPT direction) were KB-only — fetched via KB.
3. Hard Gate 0 — result (PASS)
| Check | Result |
|---|---|
| Host | contabo VPS (ssh contabo → vmi3080463); container postgres Up 5 weeks (healthy) |
| Container | postgres (postgres:16) |
| Database | directus |
| Read channel | query_pg = context_pack_readonly @ directus |
| Write channel (SELECT-first) | workflow_admin @ directus |
| Gate protocol present | fn_iu_gate_open / close / verify_closed / watchdog all present |
| fn_iu_gate_verify_closed(NULL) pre-start | all_safe=true, all_governed_closed=true, never_flip_intact=true (9 gates) |
| Rollback prepared before apply | Emergency hard-delete rollback authored + dry-run proven; every durable write dress-rehearsed in BEGIN…ROLLBACK first |
Sovereign confirmed (in-session) the two judgment calls: leave lawfully-retired durable trail (Branch A) and authority-pack-only, don't touch live birth trigger (Branch C).
4. Baseline snapshot (pre-bundle)
Gates all safe: composer/structure_ops/delivery/three_axis_auto_refresh/operator_runtime/queue.job_substrate/queue.dlq.replay=false; never-flip allow_no_review_decision=false, vector_sync_enabled=false; delivery_live_routes="", routes_master_enabled=true, route_worker_enabled=true, emit_enabled=false, dry_run_only=true.
Counts: information_unit=216, unit_version=223, iu_piece_collection=45, iu_piece_membership=227, iu_split_set=0, iu_merge_set=0, iu_structure_operation=72, iu_sql_link=3 (0 enabled), event_type_registry=31, event_outbox≈149,095, iu_outbound_route=15, iu_route_attempt=68, iu_route_dead_letter=0, iu_gate_transition=0, dot_iu_command_catalog=51, dot_iu_command_run=55, review_decision=4, manifest_envelope=3. Gateway allowlist=fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op. Schema --schema-only=1,628,568 B.
5. Branch results
5A. Branch A — durable governed IU operation (PASS, committed + retired)
Three-connection durable lifecycle: A.1 mint test review_decision via fn_iu_test_review_decision_create (449bf297…); A.2 fn_iu_create('TEST/hardening/durable-src') (draft); A.3 fn_iu_piece_split → 2 draft children (split_set ed83a8a2…, source untouched); A.4 COMMIT then read in fresh connection (3 IUs persist, split_set=1, review_decision=5, manifest=4 → durability proven); A.5 fn_iu_retire×3 (all retired, 3 iu_lifecycle_log rows); A.7 emergency hard-delete rollback dry-run → baseline (216/0/4/3) → ROLLBACK → trail retained.
Key enabler discovered + fixed: fn_iu_retire's UPDATE was config-blocked by fn_iu_gateway_write_guard() — the gateway allowlist omitted fn_iu_retire/fn_iu_supersede. Appended them (additive, reversible); the lawful retire/supersede lifecycle path was previously non-functional. Production nontest IU stayed 216 throughout.
5B. Branch B — DLQ replay (PASS, committed + isolated)
Dedicated test route iu.test_hardening.dlq (enabled=true, dry_run=true) + forced test DLQ → fn_iu_route_dead_letter_replay → {replayed, dry_run, resolved:true}; COMMIT; fresh-connection verify (DLQ resolved durably; 15 real routes dry_run=true, untouched); fixtures deleted → exact baseline. Finding: replay is gated only by the master routes gate (not queue.dlq.replay_enabled); the dry_run route resolved it without calling fn_iu_route_deliver.
5C. Branch C — birth-gate L1 hardening (PASS, decision = authority pack)
Negative tests (BEGIN…ROLLBACK, 0 residue): uncontrolled direct-insert → BLOCKED (gateway); bad unit_kind → BLOCKED; bad section_type → BLOCKED; empty title → BLOCKED; phantom/orphan (no anchor) → BLOCKED (L2 U5 at COMMIT); valid+P-pub-missing → created (warn-only pilot). Decision (sovereign-confirmed): do not promote P-pub1/P-pub2 now and do not touch the live trigger — fn_iu_create has no publication_authority_ref param, so an unconditional block would break every birth. Structural anti-orphan/phantom/nhầm-chuồng guarantees are already hard. Authority pack §9.1.
5D. Branch D — emit_enabled safety (PASS, integrated)
Added piece_event_runtime.emit_enabled to the governable set in fn_iu_gate_open/close/watchdog/verify_closed. Rehearsed open→all_safe=false→close→all_safe=true→ROLLBACK→committed-open denied; then committed. Committed verify_closed = 10 gates, all_safe=true, value false. Closes backlog B-3; removes the prior gap where verify_closed reported all_safe=true even if emit_enabled were left true.
5E. Branch E — review_decision row-builder / TD-P1 (PASS)
Committed fn_iu_test_review_decision_create(p_actor,p_reason,p_manifest_tag) (SECURITY DEFINER) + catalog row dot_iu_test_review_decision_create (lifecycle). Mints a test_scope=true-tagged manifest_envelope + review_decision(verdict=approve) for cloned TEST/* IUs only; explicitly NOT a production Điều 32 approval. Consumer = Branch A. Production builder → authority pack §9.2.
5F. Branch F — closeout → §8.
6. Gates opened/closed ledger
No governable gate persisted open. Branch D opened emit_enabled only inside a ROLLBACK rehearsal; committed change = function defs only, gate left false. Committed iu_gate_transition=0. Never-flip keys never targeted.
7. Substrate corrections / findings
- Gateway allowlist omitted lifecycle writers (FIXED). fn_iu_gateway_write_guard() allows writes only if current_setting('app.canonical_writer') ∈ dot_config.iu_create.gateway.allowed_marker_values; baseline CSV lacked fn_iu_retire/fn_iu_supersede → lawful retire/supersede path was non-functional. Added (committed). fn_iu_piece_merge may need its marker added when it UPDATEs information_unit (split only INSERTs).
- fn_iu_create has no publication_authority_ref parameter and never sets it → P-pub1/P-pub2 can only WARN today.
- DLQ replay checks only the master routes gate, not queue.dlq.replay_enabled. dry_run route → resolve without real delivery.
- fn_iu_retire FSM = {draft,enacted,superseded}→retired; requires review_decision_id; writes iu_lifecycle_log.
- fn_iu_enacted_immut restricts only enacted rows.
- fn_iu_piece_split additive (children draft via fn_iu_create, source untouched, iu_split_set row, no gate, no cut-state-machine).
- dot_iu_command_catalog.category CHECK ∈ {collection,piece,lifecycle,read,health} (no governance).
- cutter_governance.{manifest_envelope,review_decision} no CHECK; manifest_unit_local_id=NULL skips composite FK.
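A minimal PostgreSQL model of the allowlist guard from the first finding, showing why a retire UPDATE is rejected until its marker is appended to the CSV. This is an added example, not the project's function body: demo_config, demo_unit and demo_write_guard are hypothetical names, and implementing the guard as a row trigger is an assumption. Only the app.canonical_writer setting, the config key name and the marker values come from this report.

```sql
-- Constructed model; table, trigger and function names are hypothetical.
BEGIN;

CREATE TEMP TABLE demo_config (key text PRIMARY KEY, value text NOT NULL);
INSERT INTO demo_config VALUES
  ('iu_create.gateway.allowed_marker_values',
   'fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op');

CREATE TEMP TABLE demo_unit (id int PRIMARY KEY, status text NOT NULL);

CREATE FUNCTION pg_temp.demo_write_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  -- missing_ok = true: an unset marker yields NULL instead of an error
  marker  text := current_setting('app.canonical_writer', true);
  allowed text[];
BEGIN
  SELECT string_to_array(value, ',') INTO allowed
    FROM demo_config WHERE key = 'iu_create.gateway.allowed_marker_values';
  -- IS NOT TRUE fails closed: an unset marker or a missing config row gives
  -- NULL, and a plain NOT (NULL) would have let the write through.
  IF (marker = ANY (allowed)) IS NOT TRUE THEN
    RAISE EXCEPTION 'gateway write guard: marker "%" not in allowlist',
      coalesce(marker, '<unset>');
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER demo_guard BEFORE INSERT OR UPDATE ON demo_unit
  FOR EACH ROW EXECUTE FUNCTION pg_temp.demo_write_guard();

SET LOCAL app.canonical_writer = 'fn_iu_create';
INSERT INTO demo_unit VALUES (1, 'draft');              -- passes

SET LOCAL app.canonical_writer = 'fn_iu_retire';
SAVEPOINT before_fix;
UPDATE demo_unit SET status = 'retired' WHERE id = 1;   -- raises: marker not listed
ROLLBACK TO before_fix;                                 -- recover the transaction

-- The additive fix: append the lifecycle writers to the CSV.
UPDATE demo_config SET value = value || ',fn_iu_retire,fn_iu_supersede'
 WHERE key = 'iu_create.gateway.allowed_marker_values';
UPDATE demo_unit SET status = 'retired' WHERE id = 1;   -- now passes

ROLLBACK;  -- leave nothing behind
```

Because split only INSERTs through an already-listed writer while retire UPDATEs under its own marker, an all-rollback suite that never exercised retire would not surface the missing entry.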
8. Production-readiness closeout board (Branch F)
| Test | Capability | Status | Evidence |
|---|---|---|---|
| a | substrate readiness | PASS | gap survey + Hard Gate 0 |
| b | axis-B / domain filter (read) | PASS | b/c/f read-proof + DOT (prior) |
| c | subtree / structure read | PASS | fn_iu_subtree (prior) |
| d | compose / structure ops (split/merge/retire) | PASS + durable | governed split committed here; retire path fixed + exercised |
| e | trigger in/out + DLQ | PASS + durable DLQ replay | prior suite + committed DLQ replay |
| f | SQL-link validate/enable/capture | PASS | prior suite; real links still 0 enabled |
IU Core verdict: LIMITED-PRODUCTION-PILOT READY. Not yet full-production until (i) birth-gate P-pub promotion (§9.1) enforces publication policy, (ii) a production review_decision authoring path under Điều 32 exists (§9.2), (iii) durable run/DLQ observed under load + queue.dlq.replay_enabled batch path exercised.
4 Mothers: remains BLOCKED — sit above IU; must not start until IU production-readiness (incl. both authority packs) + candidate/tier/gov-ops surveys close. No 4-Mothers object touched.
9. Authority packs
9.1 Birth-gate L1 P-pub promotion (warn → block)
Why not now: fn_iu_create never populates publication_authority_ref; promoting today breaks every birth incl. split children. Required work (ordered): (1) extend fn_iu_create signature with p_publication_authority_ref (+ keep p_publication_type), set both into identity_profile; update split/merge child-spec + Đ35 DOT catalog + iu_create.gateway.canonical_function; (2) add vocab.publication_authority.* keys; L1 validates membership; (3) backfill the 216 existing IUs before enabling; (4) Điều 38/39 + Điều 32 sign-off recorded in cutter_governance; (5) replace the two RAISE WARNING with a config-gated branch (dot_config iu_birth.publication_policy_enforced, default false) — flip true only after 1–4; (6) rollback = revert trigger to warn-only body + set flag false (signature change is additive/backward-compatible); (7) safe-promote conditions: signature shipped + vocab populated + 216 backfilled+verified + governance approval + pilot warn-dry-run zero misses + rollback rehearsed.
9.2 Production review_decision row-builder (TD-P1)
The committed builder is test-only. A production review_decision is a Điều 32 approval artifact and must not be auto-fabricated; needs a real manifest/cut binding, human/sovereign reviewer identity (not automated_agent), cross-sign workflow, risk-class assessment, and Đ32 governance flow. Until then, production split/merge/retire requires an operator-supplied genuinely-reviewed review_decision_id. allow_no_review_decision stays never-flip false.
10. Before/after row-count delta (committed)
| Table | Baseline | Final | Δ |
|---|---|---|---|
| information_unit | 216 | 219 | +3 (retired TEST/hardening/*) |
| information_unit (production/nontest) | 216 | 216 | 0 |
| unit_version | 223 | 226 | +3 |
| iu_split_set | 0 | 1 | +1 |
| iu_lifecycle_log (test) | 0 | 3 | +3 |
| review_decision | 4 | 5 | +1 (test) |
| manifest_envelope | 3 | 4 | +1 (test) |
| dot_iu_command_catalog | 51 | 52 | +1 (builder) |
| dot_iu_command_run | 55 | 55 | 0 |
| iu_gate_transition | 0 | 0 | 0 |
| iu_outbound_route | 15 | 15 | 0 |
| iu_route_attempt | 68 | 68 | 0 |
| iu_route_dead_letter | 0 | 0 | 0 |
| iu_sql_link (enabled) | 3 (0) | 3 (0) | 0 |
| event_type_registry | 31 | 31 | 0 |
| schema bytes | 1,628,568 | 1,631,561 | +2,993 |
Durable persisted changes: (1) fn_iu_test_review_decision_create + catalog row; (2) gateway allowlist +fn_iu_retire,+fn_iu_supersede; (3) 4 gate functions gain emit_enabled governable; (4) Branch A retained trail (3 retired test IUs + 3 versions + 1 split_set + 1 test review_decision + 1 test manifest + 3 lifecycle_log + 3 birth_registry).
11. Cleanup / retire / supersede proof
- Branch A test IUs lawfully retired via fn_iu_retire (Đ30+Đ32+Đ31) — retained audited trail (sovereign choice), not deletion.
- Branch B: ephemeral routing fixtures deleted → exact baseline.
- Emergency rollback dry-run proven (deletes all TEST/hardening/* + test governance under SET CONSTRAINTS ALL DEFERRED → baseline → ROLLBACK kept trail).
12. Law / no-double-ownership review
A: Đ38/39 (IU lifecycle) + Đ32 (review_decision) + Đ0-G (birth) + Đ31 audit + Đ30 reversibility (cross-cutting). B: Đ45. C: Đ0-G/Đ44 gateway + Đ38/39 (authority pack defers to Đ38/39+Đ32). D: Đ35 + Đ32 + Đ45. E: Đ32 (test builder marked non-production). Never-flip absolutes stayed false. 4 Mothers stays BLOCKED.
13. Forbidden-compliance statement
No production law IU mutated (production nontest IU=216 unchanged; only 3 TEST/hardening/* clones, all retired). No real route delivery (DLQ resolved via dry_run test route; 15 real routes untouched). No real iu_sql_link enabled. allow_no_review_decision / vector_sync_enabled never true. No Qdrant/vector write. No Directus/Nuxt/4-Mothers. No unregistered event emitted. No payload body/secret/vector. No gate left open (committed all_safe=true, gate_transition=0). No test route left in allowlist. No silent deletion where retire required. No final OSS selection. No law enactment. Only persisted writes = the four documented durable changes + these KB docs.
14. Next macro recommendation
IU_BIRTH_GATE_PPUB_PROMOTION_AND_PROD_REVIEW_DECISION_AUTHORITY_60000X — execute authority pack §9.1 + design §9.2 production review_decision path; then under-load durable-run + DLQ-replay-batch observation before reconsidering 4 Mothers. 4 Mothers stays BLOCKED.
15. Underload self-check
All branches A–F executed; ≥1 governed op committed durably + cross-connection proven; DLQ replay committed+isolated; birth-gate structural proven-hard + P-pub authority pack; emit_enabled integrated; review_decision test builder committed + prod authority pack; closeout board produced; all gates closed (committed all_safe=true, gate_transition=0); no unsafe residue. Final verdict: PASS. 4 Mothers remains BLOCKED.