IU Test b–f Command Pack — 08 Bounded Gate Protocol
08 — Bounded Gate Protocol
A reusable, approval-aware protocol for opening a dot_config runtime gate for a strictly bounded test window and guaranteeing it is closed afterward. This is the single safety primitive all mutating tests (d, e, deferred-f) depend on. Designed here; not executed.
1. Principles
- Closed-by-default, fail-closed. A gate opens only inside an approved window and auto-closes on completion, timeout, or error. The proven reference is the composer gate (mig 057: open → CUT → close immediately; default exit state `false`).
- Approval before open. Opening a mutating gate is a Điều 32-governed action; the open carries an `approval_id`.
- Audited. Every open/close writes a `dot_iu_command_run` row (mutating=true, category=health/governance) and a transition record.
- Write channel. Gate flips are live `dot_config` writes → they require the SSH `workflow_admin` channel (`ssh contabo "docker exec -i postgres psql -U workflow_admin -d directus -v ON_ERROR_STOP=1" < /tmp/gate_open.sql`). MCP `query_pg` is read-only and CANNOT flip gates. This is an Execution-Channel-Pack requirement for any macro that uses this protocol.
- Scope minimization. Prefer route-scoped / collection-scoped enablement where the guard supports it (e.g. test e delivery to one route) over a global flip.
2. Open/close lifecycle (state machine)
```
requested → approved(Điều32) → opened(audit+timestamp+max_duration) → [test runs] → closing → closed(verified)
                                                                            │
                                                                            └─ on timeout/error → force_close → closed(verified)
```
Each transition is recorded; closed(verified) requires a read-back proving the live value is the safe default.
3. Per-gate protocol matrix
| Gate | Current | Target (temp) | Why | Who/what may open | Approval | Audit row | Max duration | Auto-close | Failure close | Verify close | Evidence |
|---|---|---|---|---|---|---|---|---|---|---|---|
| iu_core.composer_enabled | false | true | d1/d7 compose+render; cut | gate-protocol fn via SSH workflow_admin | Điều 32 | yes (mutating) | ≤ test window (minutes) | on harness end | on error/timeout | read-back == false | command_run + transition |
| iu_core.structure_ops_enabled | false | true | d4–d6 add/remove/reorder/split/merge | same | Điều 32 | yes | ≤ window | on end | on error | read-back false | same |
| iu_core.delivery_enabled | false | true (route-scoped if possible) | e trigger-out delivery | same | Điều 32 | yes | ≤ window | on end | on error | read-back false + no real-route delivery | same + route_attempt diff |
| iu_core.three_axis_auto_refresh_enabled | false | true | only if b/c require a fresh envelope (normally NOT needed — read tests read as-is) | same | Điều 32 | yes | ≤ window | on end | on error | read-back false | same |
| iu_core.operator_runtime_enabled | false | true | if harness invokes operator runtime path | same | Điều 32 | yes | ≤ window | on end | on error | read-back false | same |
| queue.job_substrate.enabled | false | true | only if tests dispatch jobs (not required for b–f core) | same | Điều 32 | yes | ≤ window | on end | on error | read-back false | same |
| queue.dlq.replay_enabled | false | true | e DLQ replay sub-step | same | Điều 32 | yes | ≤ window | on end | on error | read-back false | same + dead_letter diff |
| iu_enact.allow_no_review_decision | false | NEVER flipped | — | — | — | — | — | — | — | stays false | — |
Critical rule: iu_enact.allow_no_review_decision is never opened. The correct response to "enact needs a decision" is to supply a real review_decision_id (U3), not to bypass the requirement. Flipping it would be a Điều 32 violation. Same posture for iu_core.vector_sync_enabled (stays false — no vector pollution).
4. Open command shape (author-ready, not run)
```sql
-- /tmp/gate_open.sql (applied via SSH workflow_admin, single TX; psql -v ON_ERROR_STOP=1 aborts the run on any error)
BEGIN;
-- precheck: assert current value is the safe default before flipping.
-- A bare UPDATE ... AND value='false' would silently affect 0 rows; raising inside the TX makes it fail-closed.
DO $$
BEGIN
  IF (SELECT value FROM dot_config WHERE key = 'iu_core.structure_ops_enabled') IS DISTINCT FROM 'false' THEN
    RAISE EXCEPTION 'iu_core.structure_ops_enabled is not at safe default; refusing to open';
  END IF;
END $$;
-- assert approval_id exists and is approved (Điều 32)
UPDATE dot_config SET value='true' WHERE key='iu_core.structure_ops_enabled' AND value='false';
INSERT INTO dot_iu_command_run(command_name, mutating, ...) VALUES('gate.open.structure_ops', true, ...);
-- record transition with approval_id, opened_at, max_duration, expected_close_by
COMMIT;
```
Close is the symmetric flip back to false with a read-back assertion. A watchdog (or the harness finally block) guarantees close even on test failure.
5. Verify-close (mandatory post-check)
After every window: `SELECT key, value FROM dot_config WHERE key IN (<opened gates>)` must show every opened gate back at its safe default. The macro's final status MUST NOT be PASS if any opened gate reads non-default (per prompt standard §6 gate-before-live-action + "no gate left open").
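The harness-side shape of sections 2, 4 and 5, as an added example and not code from the command pack: a Python context manager that walks the open/close state machine over an in-memory stand-in for dot_config, writes the audit rows, takes the force_close path on error or timeout, and makes closed(verified) depend on a read-back. The store class, the function names and the "governance" category value are assumptions; a real flip goes through the SSH workflow_admin write channel, not this object.

```python
import time
from contextlib import contextmanager

NEVER_OPEN = {"iu_enact.allow_no_review_decision", "iu_core.vector_sync_enabled"}  # critical rule, section 3

class InMemoryConfig:  # constructed stand-in for dot_config plus the audit tables (not the real schema)
    def __init__(self, values):
        self.values = dict(values)
        self.command_runs = []   # stands in for dot_iu_command_run rows
        self.transitions = []    # stands in for the transition record
    def read(self, key):
        return self.values[key]
    def write(self, key, value):   # stands in for the SSH workflow_admin write channel
        self.values[key] = value

def _transition(store, gate, state, **extra):
    store.transitions.append({"gate": gate, "state": state, "at": time.time(), **extra})
def _audit(store, name):
    store.command_runs.append({"command_name": name, "mutating": True, "category": "governance"})

@contextmanager
def bounded_gate(store, gate, approval_id, max_duration_s, default="false"):
    # requested -> approved -> opened -> [body] -> closing | force_close -> closed(verified)
    if gate in NEVER_OPEN or not approval_id:
        raise PermissionError(f"refusing to open {gate}: never-open gate or missing Điều 32 approval")
    _transition(store, gate, "requested")
    _transition(store, gate, "approved", approval_id=approval_id)
    if store.read(gate) != default:   # precheck: a gate already open is a protocol failure
        raise RuntimeError(f"{gate} not at safe default before open")
    opened_at = time.time()
    store.write(gate, "true")
    _audit(store, f"gate.open.{gate}")
    _transition(store, gate, "opened", opened_at=opened_at, expected_close_by=opened_at + max_duration_s)
    try:
        yield
        _transition(store, gate, "closing")
    except BaseException:   # any test failure takes the force_close path (fail-closed)
        _transition(store, gate, "force_close", reason="error")
        raise
    finally:
        if time.time() - opened_at > max_duration_s:   # checked at close here; a real watchdog runs live
            _transition(store, gate, "force_close", reason="timeout")
        store.write(gate, default)   # close is the symmetric flip back to the default
        _audit(store, f"gate.close.{gate}")
        if store.read(gate) != default:   # read-back is what makes the state closed(verified)
            raise RuntimeError(f"{gate} read back {store.read(gate)!r}, not {default!r}")
        _transition(store, gate, "closed", verified=True)

def verify_close(store, opened_gates, default="false"):
    return all(store.read(g) == default for g in opened_gates)   # PASS is allowed only if True
```

The timeout is only detected when the window closes here; the live protocol's watchdog would force-close concurrently while the test is still running.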
6. Reusability
This protocol is authored once (U2 / macro 3) and reused by macros 4 (d) and 5 (e). It is the hinge of the whole sequence: read-only tests (b/c/f-read) need it not at all; every mutating test needs it and nothing more exotic.