KB-1D23

Appendix — IU Production-Hardening & Durable Governed-Run Bundle (2026-05-28)

Revision 1

Companion to iu-production-hardening-and-durable-governed-run-bundle-2026-05-28.md. Exact apply + rollback SQL, raw evidence, channel notes.

A0. Channel + method

  • Apply: ssh contabo "docker exec -i postgres psql -U workflow_admin -d directus -A -F'|'" < /tmp/file.sql (stdin pipe; container /tmp ≠ host /tmp). Never nest ssh contabo "… ssh contabo …".
  • Read-proof: MCP query_pg (role context_pack_readonly, READ ONLY, LIMIT 500). cutter_governance.* invisible to RO role → read via workflow_admin.
  • Method: every durable write first dress-rehearsed in BEGIN…ROLLBACK, then committed; durability proven by reading in a fresh psql connection.

A1. Branch E + gateway fix — committed infra

BEGIN;
CREATE OR REPLACE FUNCTION public.fn_iu_test_review_decision_create(
    p_actor text, p_reason text DEFAULT NULL, p_manifest_tag text DEFAULT 'TEST/hardening'
) RETURNS jsonb LANGUAGE plpgsql SECURITY DEFINER SET search_path TO 'pg_catalog','public'
AS $bld$
DECLARE v_env uuid := gen_random_uuid(); v_rd uuid := gen_random_uuid();
BEGIN
  IF p_actor IS NULL OR btrim(p_actor)='' THEN
    RAISE EXCEPTION 'fn_iu_test_review_decision_create: actor required' USING ERRCODE='check_violation'; END IF;
  INSERT INTO cutter_governance.manifest_envelope
    (envelope_id, operation_kind, status, source_doc_ref, created_by, created_at, reviewer, reviewed_at, rationale)
  VALUES (v_env,'test_governance','test',p_manifest_tag,btrim(p_actor),now(),btrim(p_actor),now(),
     'TEST-ONLY manifest … Not a real cut.');
  INSERT INTO cutter_governance.review_decision
    (review_decision_id, governance_event_kind, manifest_id, manifest_version, review_scope,
     manifest_unit_local_id, status, verdict, findings, reviewer_class, reviewer_identity,
     risk_class_assessment, decision_at, decided_by, cross_signed_by_dot_verifier, version, created_at, updated_at)
  VALUES (v_rd,'test_review_decision',v_env,'test-1','manifest',NULL,'decided','approve',
     jsonb_build_object('test_scope',true,'builder','fn_iu_test_review_decision_create',
       'macro','IU_PRODUCTION_HARDENING_AND_DURABLE_GOVERNED_RUN_BUNDLE_500000X','reason',p_reason),
     'automated_agent',jsonb_build_object('agent','iu_hardening_macro','test',true,'actor',btrim(p_actor)),
     'standard',now(),btrim(p_actor),false,'test-1',now(),now());
  RETURN jsonb_build_object('status','test_review_decision_created','review_decision_id',v_rd,
     'manifest_envelope_id',v_env,'note','TEST-ONLY. Not a production Dieu 32 approval.');
END $bld$;
INSERT INTO public.dot_iu_command_catalog (command_name, category, mutating, reversible, target_functions)
 VALUES ('dot_iu_test_review_decision_create','lifecycle',true,true,'{fn_iu_test_review_decision_create}');
UPDATE public.dot_config SET value = value || ',fn_iu_retire,fn_iu_supersede'
 WHERE key = 'iu_create.gateway.allowed_marker_values'
   AND value = 'fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op';
COMMIT;

Result: builder live; catalog 51→52; gateway allowlist → …,fn_iu_retire,fn_iu_supersede.

A2. Branch A — durable split + retire

  • Split: DO block → fn_iu_test_review_decision_create → fn_iu_create('TEST/hardening/durable-src') → fn_iu_piece_split('TEST/hardening/durable-src', [{durable-c1},{durable-c2}], rd_id) → COMMIT. Output: review_decision_id=449bf297-0ea9-4588-812e-a4e426a60ddc, split_set_id=ed83a8a2-…; nontest_ius=216.
  • Durability proof (fresh conn pid 3554264): 3 test IUs draft, split_set=1, review_decision=5, manifest=4.
  • Retire: look up review_decision_id from iu_split_set, fn_iu_retire×{durable-c1,c2,src} → all retired; 3 iu_lifecycle_log rows.

A3. Emergency rollback — Branch A trail (dry-run proven; replace final ROLLBACK with COMMIT to actually remove)

BEGIN;
SET CONSTRAINTS ALL DEFERRED;
DELETE FROM public.iu_lifecycle_log WHERE canonical_address LIKE 'TEST/hardening/%';
DELETE FROM public.iu_split_set    WHERE source_canonical_address LIKE 'TEST/hardening/%';
DELETE FROM public.iu_metadata_tag WHERE iu_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%');
DELETE FROM public.iu_piece_membership WHERE iu_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%');
DELETE FROM public.iu_tree_path WHERE unit_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%')
   OR parent_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%')
   OR root_unit_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%');
DELETE FROM public.birth_registry  WHERE canonical_address LIKE 'TEST/hardening/%';
DELETE FROM public.unit_version    WHERE unit_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%');
DELETE FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%';
DELETE FROM cutter_governance.review_decision  WHERE governance_event_kind='test_review_decision';
DELETE FROM cutter_governance.manifest_envelope WHERE operation_kind='test_governance';
COMMIT;  -- (dry-run used ROLLBACK)

Dry-run: DELETE 3/1/0/0/0/0/3/3/1/1; in-tx assert ius=216,splits=0,rds=4,manifests=3; after ROLLBACK test_ius_retained=3. (SET CONSTRAINTS ALL DEFERRED defers circular information_unit.version_anchor_ref→unit_version; gateway guard fires only on INSERT/UPDATE; fn_iu_enacted_immut allows DELETE of non-enacted.)
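The A0 rehearsal discipline applied to the A3 trail, as an added example (not the appendix's own script): the same DELETEs parameterised on a psql variable, an in-transaction DO block that raises on any count mismatch so a failed assertion aborts the transaction instead of relying on someone reading the output, and a SET CONSTRAINTS ALL IMMEDIATE before the ROLLBACK so the deferred version_anchor_ref cycle is exercised during the rehearsal, which a plain BEGIN…ROLLBACK never reaches. Table names and the LIKE prefix are those A3 uses; the expected counts (ius=216, splits=0, rds=4, manifests=3, 3 test IUs retained) are the ones the dry-run above recorded and are assumed to still hold when the script runs.

```sql
-- Added example, not the appendix's script: A0 rehearsal discipline applied to the A3 trail.
-- Assumed: table names and prefix from A3; expected counts are those the A3 dry-run recorded.
\set ON_ERROR_STOP on
\set prefix 'TEST/hardening/%'

BEGIN;
SET CONSTRAINTS ALL DEFERRED;  -- information_unit.version_anchor_ref <-> unit_version cycle (A3)

DELETE FROM public.iu_lifecycle_log    WHERE canonical_address LIKE :'prefix';
DELETE FROM public.iu_split_set        WHERE source_canonical_address LIKE :'prefix';
DELETE FROM public.iu_metadata_tag     WHERE iu_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix');
DELETE FROM public.iu_piece_membership WHERE iu_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix');
DELETE FROM public.iu_tree_path
 WHERE unit_id      IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix')
    OR parent_id    IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix')
    OR root_unit_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix');
DELETE FROM public.birth_registry      WHERE canonical_address LIKE :'prefix';
DELETE FROM public.unit_version        WHERE unit_id IN (SELECT id FROM public.information_unit WHERE canonical_address LIKE :'prefix');
DELETE FROM public.information_unit    WHERE canonical_address LIKE :'prefix';
DELETE FROM cutter_governance.review_decision  WHERE governance_event_kind = 'test_review_decision';
DELETE FROM cutter_governance.manifest_envelope WHERE operation_kind = 'test_governance';

-- Run the deferred FK checks now. A BEGIN...ROLLBACK rehearsal never reaches COMMIT, so without
-- this the cycle is never checked and the first real COMMIT becomes the first real test.
SET CONSTRAINTS ALL IMMEDIATE;

-- In-transaction assertions: a mismatch raises and aborts the transaction.
-- (psql does not expand :prefix inside dollar quoting, hence the literal below.)
DO $chk$
DECLARE v_ius int; v_test int; v_splits int; v_rds int; v_manifests int;
BEGIN
  SELECT count(*) INTO v_ius       FROM public.information_unit;
  SELECT count(*) INTO v_test      FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%';
  SELECT count(*) INTO v_splits    FROM public.iu_split_set;
  SELECT count(*) INTO v_rds       FROM cutter_governance.review_decision;
  SELECT count(*) INTO v_manifests FROM cutter_governance.manifest_envelope;
  IF v_test <> 0 OR v_ius <> 216 OR v_splits <> 0 OR v_rds <> 4 OR v_manifests <> 3 THEN
    RAISE EXCEPTION 'A3 trail assert failed: ius=% test=% splits=% rds=% manifests=%',
      v_ius, v_test, v_splits, v_rds, v_manifests;
  END IF;
END $chk$;

ROLLBACK;  -- rehearsal; swap for COMMIT only once this script has run clean end to end

-- After ROLLBACK the trail must still be present (A3 recorded test_ius_retained=3).
SELECT count(*) AS test_ius_retained
  FROM public.information_unit WHERE canonical_address LIKE :'prefix';

-- The A0 durability proof is never run in this session: open a NEW psql connection and repeat
-- the count; pg_backend_pid() in the output shows it is a different backend.
-- SELECT pg_backend_pid() AS pid, count(*) AS test_ius
--   FROM public.information_unit WHERE canonical_address LIKE 'TEST/hardening/%';
```

With ON_ERROR_STOP set, a raised assertion ends the non-interactive psql run and the connection drop rolls the transaction back, so the committed variant can only ever reach COMMIT with the counts the trail was designed for.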

A4. Other rollback scripts (infra)

DROP FUNCTION IF EXISTS public.fn_iu_test_review_decision_create(text,text,text);
DELETE FROM public.dot_iu_command_catalog WHERE command_name='dot_iu_test_review_decision_create';
UPDATE public.dot_config SET value='fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op'
 WHERE key='iu_create.gateway.allowed_marker_values';
-- Branch D: revert 4 gate fns to the 7-gate governable set (remove 'piece_event_runtime.emit_enabled'
--   from c_governable in open/close/watchdog + the VALUES list of verify_closed).
--   Original bodies in iu-mutation-safety-foundation-…-2026-05-28.md §5 + appendix.

A5. Branch B — DLQ replay

-- commit_B1
BEGIN;
INSERT INTO public.iu_outbound_route (route_code,event_domain,event_type,event_stream,target_kind,target_ref,enabled,dry_run,created_by,updated_by)
VALUES ('iu.test_hardening.dlq','iu','structure_op_applied','update','sql_function','fn_iu_structure_consumer',true,true,'iu_hardening_macro','iu_hardening_macro');
INSERT INTO public.iu_route_dead_letter (worker_name,event_ref,event_domain,event_type,event_stream,route_code,idempotency_key,failure_code,failure_detail,attempts)
VALUES ('test_hardening_worker',gen_random_uuid(),'iu','structure_op_applied','update','iu.test_hardening.dlq','TEST/hardening/dlq-1','test_forced_failure','forced test failure',1)
-- the gset on the next line is a psql meta-command: it stores the returned id in the :dl_id variable,
-- so this script must run through psql (the A0 stdin pipe), not through a driver
RETURNING id AS dl_id \gset
SELECT public.fn_iu_route_dead_letter_replay(:'dl_id');  -- {replayed, dry_run, resolved:true}
COMMIT;
-- commit_B2 cleanup (after fresh-conn verify)
BEGIN;
DELETE FROM public.iu_route_attempt     WHERE idempotency_key='TEST/hardening/dlq-1';
DELETE FROM public.iu_route_dead_letter WHERE idempotency_key='TEST/hardening/dlq-1';
DELETE FROM public.iu_outbound_route    WHERE route_code='iu.test_hardening.dlq';
COMMIT;  -- → routes=15, dlq=0, attempt=68

A6. Branch D — emit_enabled integration

4× CREATE OR REPLACE adding 'piece_event_runtime.emit_enabled' to c_governable in fn_iu_gate_open/close/watchdog and the VALUES list of fn_iu_gate_verify_closed. Rehearsal: open→all_safe=false→close→all_safe=true→ROLLBACK→committed-open denied (fail-closed). Committed verify_closed: 10 gates, all_safe=true, value false.

A7. Branch C — negative-test evidence (all BEGIN…ROLLBACK)

TEST1 uncontrolled-birth BLOCKED: IU Gateway blocked: direct write to information_unit not allowed…
TEST2 nham-chuong(bad unit_kind) BLOCKED: unit_kind: Not in vocab. Available: design_doc_section, law_unit
TEST3 nham-chuong(bad section_type) BLOCKED: section_type: Not in vocab…
TEST4 incomplete-identity(empty title) BLOCKED: title required
TEST5 phantom/orphan(no version+content anchor) BLOCKED: Birth gate L2: U5 content_anchor_ref required at COMMIT
TEST6 valid-create(P-pub missing): status=created (warn-only PILOT posture)
neg_residue = 0

A8. Final committed end-state (raw)

verify_closed: all_safe=true | all_governed_closed=true | never_flip_intact=true | gate_count=10
never-flip: allow_no_review_decision=false | vector_sync_enabled=false | emit_enabled=false | delivery_live_routes=""
counts: iu=219 nontest=216 test_hardening=3 test_retired=3 unit_version=226 split_set=1 merge_set=0
        test_lifecycle_log=3 sql_link=3(0 enabled) event_types=31 routes=15 route_attempt=68 dead_letter=0
        gate_transition=0 dot_catalog=52 dot_run=55
governance: review_decisions=5 (test_rds=1) manifests=4 (test_manifests=1)
gateway_allowlist: fn_iu_create,fn_iu_apply_edit_draft,fn_iu_enact,fn_iu_structure_op,fn_iu_retire,fn_iu_supersede
retained trail: TEST/hardening/durable-{c1,c2,src} = retired
schema bytes: 1,631,561 (baseline 1,628,568, +2,993)

A9. Key function facts (verified live)

  • fn_iu_gateway_write_guard() — config-driven allowlist on app.canonical_writer via dot_config iu_create.gateway.allowed_marker_values; BEFORE INSERT/UPDATE only (not DELETE).
  • fn_iu_create(p_canonical_address,p_title,p_body,p_actor,p_unit_kind,p_section_type,p_owner_ref,p_publication_type,p_parent_ref) — no publication_authority_ref param; lifecycle default draft; no gate.
  • fn_iu_piece_split(p_source_ca,p_child_specs jsonb,p_actor,p_review_decision_id,p_change_set_id,p_reason,p_tool_revision,p_dry_run) — ≥2 children, review_decision FK-probe, source untouched, no gate.
  • fn_iu_retire(p_canonical_address,p_actor,p_review_decision_id,p_change_set_id,p_reason,p_tool_revision,p_dry_run) — FSM {draft,enacted,superseded}→retired; writes iu_lifecycle_log.
  • fn_iu_route_dead_letter_replay(uuid) — master-gate only; dry_run route ⇒ resolve without fn_iu_route_deliver.
  • fn_iu_birth_gate_layer1() — hard-blocks U2/U3/U4/U7/U10 + vocab(unit_kind,section_type) + P-id1/2/3; WARN-only P-pub1(publication_authority_ref)/P-pub2(publication_type_ref). fn_iu_birth_gate_layer2() — deferred constraint trigger; hard-blocks U5/U6 anchor integrity at COMMIT.
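The appendix describes fn_iu_gateway_write_guard() but does not print its body. The block below is an added illustration of the shape A9 records (my reconstruction, not the project's function: the names example_gateway_write_guard and trg_example_gateway_guard, the error wording and the set_config convention are assumptions): an allowlist read from dot_config under the key A1 updates, compared with the app.canonical_writer session marker, installed BEFORE INSERT OR UPDATE only.

```sql
-- Added illustration, not the project's fn_iu_gateway_write_guard (its body is not on this page).
-- Assumed: dot_config(key, value) as used in A1; allowed functions mark the session via set_config.
CREATE OR REPLACE FUNCTION public.example_gateway_write_guard()
RETURNS trigger LANGUAGE plpgsql SET search_path TO 'pg_catalog','public'
AS $g$
DECLARE
  -- missing_ok = true: NULL instead of an error when the marker was never set in this session
  v_writer  text := btrim(coalesce(current_setting('app.canonical_writer', true), ''));
  v_allowed text[];
BEGIN
  -- trim each entry so a stray space in the config value cannot silently drop a function
  SELECT array_agg(btrim(x)) INTO v_allowed
    FROM public.dot_config, unnest(string_to_array(value, ',')) AS x
   WHERE key = 'iu_create.gateway.allowed_marker_values';

  -- fail closed: no config row means nothing is allowed through
  IF v_allowed IS NULL THEN
    RAISE EXCEPTION 'IU Gateway blocked: allowlist config missing'
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  IF v_writer = '' OR NOT (v_writer = ANY (v_allowed)) THEN
    RAISE EXCEPTION 'IU Gateway blocked: direct write to % not allowed (marker=%)',
      TG_TABLE_NAME, coalesce(nullif(v_writer, ''), '<unset>')
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NEW;
END $g$;

-- BEFORE INSERT OR UPDATE only. DELETE is deliberately outside the gate (A3, A9), which is
-- what lets the rollback trail remove non-enacted rows without a marker.
DROP TRIGGER IF EXISTS trg_example_gateway_guard ON public.information_unit;
CREATE TRIGGER trg_example_gateway_guard
  BEFORE INSERT OR UPDATE ON public.information_unit
  FOR EACH ROW EXECUTE FUNCTION public.example_gateway_write_guard();

-- Assumed marking convention for an allowlisted function: is_local = true scopes the marker to
-- the current transaction, so it dies with the transaction instead of leaking into later statements.
-- SELECT set_config('app.canonical_writer', 'fn_iu_create', true);
```

The marker is a guard against unmarked direct writes (TEST1 in A7), not a privilege boundary: any session that can write the table can also set app.canonical_writer, so the real boundary stays with the GRANTs on information_unit and with the SECURITY DEFINER builders such as the one in A1. The compare-and-set form of the A1 allowlist UPDATE (matching the exact previous value) is what keeps a re-run of that script from appending the two functions twice.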
Source path: knowledge/dev/reports/architecture/iu-production-hardening-and-durable-governed-run-bundle-appendix-2026-05-28.md