04 — Test f: SQL-Link Proof Plan (READ-ONLY FIRST, then bounded enable)

Goal: Prove the link between an IU and live DB data: validate link definitions, resolve them to current rows/objects, and (later, bounded) capture an inbound link. Read-only proof runs first with zero mutation; activation is deferred and gated.

Owner law: Điều 38/39 (IU↔SQL link); Điều 33 (3-layer DB boundary); Điều 35 (DOT). Mutation: none for read proof; bounded for enable. Readiness: MEDIUM-HIGH.

1. Live substrate (verified)

• iu_sql_link (3 rows, all enabled=false, lifecycle active):
  1. represents → table public.tac_publication (bidirectional)
  2. governs → function public.fn_iu_three_axis_envelope_refresh (outbound)
  3. governs → view public.v_iu_section_type_vocab_sync (outbound)
• Columns: link_role, object_kind, object_schema, object_name, collection_name, row_pk(jsonb), function_identity, trigger_name, object_fingerprint, direction, lifecycle_status, enabled, idempotency_key, metadata.
• Functions: fn_iu_sql_link_validate, fn_iu_sql_link_inbound_capture. View: v_iu_sql_link_resolved.

2. Which SQL links to use

All 3 live rows, by object_kind class:

• table link (tac_publication) — resolve to existence + row shape (no row data dump beyond pk).
• function link (fn_iu_three_axis_envelope_refresh) — resolve to function existence + signature.
• view link (v_iu_section_type_vocab_sync) — resolve to view existence + column set.

This exercises all three object_kind branches the validator must handle.

3. Validate path (read-only)

Call fn_iu_sql_link_validate per row. Validation asserts, without mutation:

• the referenced object still exists (catalog lookup by object_schema.object_name, object_kind);
• object_fingerprint still matches the live object (drift detection);
• row_pk (for table links) resolves to ≤1 row;
• function_identity / trigger_name resolve where set.

4. Resolve path (read-only)

Read v_iu_sql_link_resolved for the 3 rows; assert each resolves to its live target with a non-null resolution and a fingerprint-match flag. Produce a resolution report {link_id, object, exists, fingerprint_match, resolved_ref}.

5. Read-only proof first (yes)

Yes — the read-only proof is the whole of test f's PASS gate. It needs no gate flip (validate/resolve are read paths over already-active rows; enabled=false only suppresses runtime delivery/capture, not validation). Inbound capture (fn_iu_sql_link_inbound_capture) — which writes — is deferred to a separate bounded step and is NOT required for test-f PASS.

6. Missing DOT commands

Need	Exists?	Proposed
validate a link	function only	dot_iu_sql_link_validate (read-only)
resolve links	view only	dot_iu_sql_link_resolve (read-only)
create/register a link	none	dot_iu_sql_link_register (mutating, deferred)
bounded inbound capture proof	function only, gated	dot_iu_sql_link_capture_probe (mutating, BEGIN/ROLLBACK proof, deferred)

See deliverable 07. The read-only two (validate, resolve) are the test-f deliverables; the mutating two are author-ready follow-ups.

7. Expected evidence

• Per-link dot_iu_command_run (mutating=false) + JSON {link_id, role, object_kind, object, validate_ok, fingerprint_match, resolved}.
• A summary {links_total:3, validated:3, drift:0}.

8. Idempotency expectation

Each iu_sql_link row carries idempotency_key. For the deferred inbound-capture probe, capture must be idempotent on idempotency_key (re-running the probe produces no duplicate capture). For the read proof, idempotency is trivially satisfied (no writes).

9. Failure modes

Mode	Detection	Handling
Linked object dropped/renamed	validate existence check	report broken link; FAIL that row; do not auto-repair
Fingerprint drift	fingerprint compare	report drift; PARTIAL
row_pk resolves to >1 / 0 rows (table link)	resolve count	FAIL that row
validator attempts write	code review + BEGIN/ROLLBACK delta	must be 0; if not, reject function

10. Exact PASS criteria

PASS iff all 3 live links validate and resolve with fingerprint_match=true and zero deltas, via DOT-callable dot_iu_sql_link_validate + dot_iu_sql_link_resolve (mutating=false). Any broken link or drift → PARTIAL with the exact row flagged. The mutating register/capture commands are explicitly out of test-f PASS scope.

11. Author-ready implementation note

Implement in macro IU_SQL_LINK_PROOF_AND_DOT_COMMAND_IMPLEMENTATION_XHIGH (deliverable 10, prompt #2): build the two read-only DOT wrappers + run the 3-link proof. Leave dot_iu_sql_link_register / _capture_probe as author-ready follow-ups (mutating; bounded gate; Điều 32 if they enable a live link). Reuse fn_iu_sql_link_validate and v_iu_sql_link_resolved — do not re-author validation logic.