Incomex AI Portal
KB-6AE2

S177-COWORK-FINAL-READY-SEAL-AND-RUNBOOK-2500X — Final Status Report (2026-05-24)

11 min read Revision 1
s177coworklarkgatewayseal2500xdieu-30dieu-31runbookreport2026-05-24

S177-COWORK-FINAL-READY-SEAL-AND-RUNBOOK-2500X — Final Status Report

Date: 2026-05-24 Host: Nguyens-MacBook-Air.local (Darwin/arm64, macOS 25.5.0) Mission: Seal the current working Cowork ↔ LarkBase S177 Gateway state, confirm Điều 30/31 protection, update runbook/checker/evidence, and make the system safe for real work. Effort: high. Mutation: documentation only (README + this report). Result: PASS

1. Outcome

PASS — the Cowork ↔ LarkBase S177 Gateway is sealed in its current working state. All Điều 30/31 protections hold. No code/config mutation occurred in this macro; only the protection README and this report were written. No Lark write was attempted. No VPS mutation.

2. Cowork independent check result (accepted-as-given)

Cowork independently reported, prior to this macro:

  • COWORK_READY_WITH_S177_GATEWAY
  • lark-crud-gateway visible in Claude Desktop
  • 22/22 S177 tools visible
  • Official lark-mcp no longer visible
  • lark_healthcheck PASS
  • lark_records_get recvkdFceNdpcz PASS
  • Production write blocked at adapter boundary (safety_violation)
  • LARK_APP_SECRET_ROTATION_PENDING remains accepted risk

This macro independently re-verified the substrate that backs those signals from the MacBook side and the VPS side (see §3).

3. Live verification (from this Mac)

3.1 Checker — ~/bin/s177-cowork-gateway-check

Outcome: PASS=26 FAIL=0 NOTE=0 (exit 0). All 22 numbered checks PASS.

Key sub-checks (excerpt — full transcript in the macro run log):

# Gate Subject Result
1 Điều 31 claude_desktop_config.json parses PASS
2 Điều 30 lark-crud-gateway wrapper-based, no token at rest PASS
3 Điều 30 Official lark-mcp absent from active config PASS
4 Điều 30 Official lark-mcp recorded in _retired_mcpServers (audit trail) PASS
5 Điều 31 Official wrapper retired from ~/bin, archived snapshot present PASS
6 Điều 31 S177 wrapper mode 700, shape OK (GSM, http-only, no static bearer) PASS
7 Điều 30 No raw S177 token / Lark creds in active Claude Desktop config PASS
8 Điều 30 Restore script does not restore official lark-mcp PASS
9 Điều 30 VPS S177 endpoint path unchanged PASS
10 Điều 30 Public healthz returns 200 PASS
11 Điều 31 ~/.claude.json valid, no active/disabled lark-mcp / raw creds PASS
12 Điều 31 GSM S177_LARK_MCP_REMOTE_TOKEN + Lark creds readable (silent) PASS
13 Điều 31 VPS lark-mcp-remote.service active PASS
14 Điều 31 VPS nginx -t passes inside incomex-nginx container PASS
15 Điều 31 VPS internal healthz = 200 PASS
16 Điều 31 VPS audit path exists (/var/log/lark-ops) PASS
17 Điều 30 Live S177 tools/list = 22, all 22 expected names present PASS
18 Điều 31 Production write rejected at adapter boundary (safety_violation) PASS
19 Điều 31 records_search Base đệm probe returns ok=true PASS
20 Điều 30 No Bearer/Authorization tokens at rest in active mcpServers PASS
21 Điều 30 No open.feishu.cn in runtime artifacts PASS
22 Điều 31 Self-check: no full-argv process inspection invoked PASS

3.2 22 expected S177 tool names

All present per checker [17/22]:

lark_app_create, lark_app_get,
lark_fields_create, lark_fields_delete, lark_fields_list, lark_fields_update,
lark_healthcheck,
lark_records_batch_create, lark_records_batch_delete, lark_records_batch_update,
lark_records_create, lark_records_delete, lark_records_get,
lark_records_search, lark_records_update,
lark_tables_create, lark_tables_delete, lark_tables_list, lark_tables_update,
lark_views_create, lark_views_delete, lark_views_list

3.3 Configuration surface

  • claude_desktop_config.json — only lark-crud-gateway active. Official lark-mcp under _retired_mcpServers with _retired_at + _reason (audit trail). No raw tokens, no LARK_APP_ID/LARK_APP_SECRET at rest.
  • ~/.claude.json — clean. No active or disabled lark-mcp entry under $.projects."/Users/nmhuyen".mcpServers. No raw creds.
  • ~/bin/s177-lark-crud-gateway-mcp — present, mode 700, GSM-sourced, http-only transport, no static bearer in the script.
  • ~/bin/s177-official-lark-mcpabsent (intentionally; archived under …/s177-cowork-gateway-protection/archive/).
  • ~/bin/s177-cowork-gateway-check — present, exit 0.

3.4 VPS state (via ssh contabo)

Direct confirmation from this macro (checker also re-validated all of these):

  • systemctl is-active lark-mcp-remote.serviceactive
  • docker exec incomex-nginx nginx -t → syntax OK, test successful
  • Public healthz (https://vps.incomexsaigoncorp.vn/mcp/s177/ocER6C1zErepgpAe/healthz) → 200
  • Audit path /var/log/lark-ops exists
  • No code or config mutation performed on the VPS.

3.5 S177 endpoint health

  • Endpoint: https://vps.incomexsaigoncorp.vn/mcp/s177/ocER6C1zErepgpAe/mcp
  • healthz: 200
  • Live tools/list: 22 tools, all expected names present
  • Live production write probe: rejected with safety_violation (writes confined to Base đệm)
  • Live records_search Base đệm probe: ok=true

4. Constitution gates

Điều 30 (single Lark path, no creds at rest, no production live write)

  • Single Lark path active: S177 lark-crud-gateway only
  • Official lark-mcp absent from active configs
  • No raw S177 bearer / LARK_APP_ID / LARK_APP_SECRET at rest in claude_desktop_config.json or ~/.claude.json
  • Restore script will not reinstate the retired official bypass
  • VPS endpoint path unchanged; domain remains open.larksuite.com
  • Production live write rejected at adapter boundary (safety_violation)

Điều 30 status: GREEN.

Điều 31 (system integrity, GSM as source-of-truth, no secret disclosure)

  • S177 wrapper is mode 700, GSM-sourced at launch, http-only, no static bearer in the script
  • GSM S177_LARK_MCP_REMOTE_TOKEN + Lark creds readable silently (values never printed)
  • VPS service active, nginx OK, internal healthz 200, audit path exists
  • This macro performed no full-argv process inspection (ps -ef, ps aux, pgrep -fl, ps -o comm) — checker self-validates this
  • No secret printed to terminal, chat, or report

Điều 31 status: GREEN.

5. Accepted risks (explicitly carried forward — not blockers)

Risk Status Notes
LARK_APP_SECRET_ROTATION_PENDING accepted, recommended follow-up From 4500x; sealing does not require rotation. Rotation is an operator action against GSM (github-chatgpt-ggcloud / LARK_APP_SECRET).
Production live write not enabled accepted S177 adapter rejects writes outside Base đệm with safety_violation. Enabling requires a future governance macro.
lark_tables_create / lark_app_create / schema ops governed / dry-run api_caller refuses non-record operations by design until the production-governed-tools macro authorizes them.
RESIDUAL_RISK_TOKEN_IN_CHILD_PROCESS_ARGV accepted mcp-remote only accepts bearer via --header. Mitigated by mode-700 wrapper, no env export, no parent shell copy.

6. What Cowork may do now

  • Read operations on Base đệm via S177 Gateway: lark_healthcheck, lark_records_get, lark_records_search, lark_fields_list, lark_tables_list, lark_views_list.
  • Dry-run validation of writes for design / test purposes.
  • Single-record CRUD on Base đệm: lark_records_create, lark_records_update, lark_records_delete (whitelist-checked).
  • Batched record writes on Base đệm: lark_records_batch_create, lark_records_batch_update (BATCH_MAX=100).

7. What Cowork must not do yet

  • Any write to a Lark production base / table / app outside Base đệm.
  • Calling lark_tables_create, lark_app_create, lark_fields_create, lark_fields_update, lark_fields_delete, lark_views_create, lark_views_delete against production Lark — these remain governed / dry-run until the production-governed-tools macro authorizes them.
  • Re-enabling the official lark-mcp (in any config).
  • Restoring from a pre-5000x snapshot.
  • Printing the S177 bearer or LARK_APP_SECRET to terminal/chat/report.

8. Runbook updates applied

The protection README was updated in this macro:

  • New mission entry: S177-COWORK-FINAL-READY-SEAL-AND-RUNBOOK-2500X (this).
  • New Runbook — sealed state for real work (post-2500x) section consolidating: active path, expected tool count = 22, checker invocation, restore-script scope, accepted-risk wording, and explicit "may do" / "must not do" lists for Cowork and any agent.

Both lists in this report and in the README are the authoritative source of truth for downstream agents.

The system is safe for real work as scoped above. No macro is required to unlock that scope. Two optional follow-ups remain available, both opt-in and not blocking:

  1. Operator rotation: LARK_APP_SECRET — clears the LARK_APP_SECRET_ROTATION_PENDING accepted-risk. Out-of-band operator action against GSM github-chatgpt-ggcloud. Carries no code change here.
  2. S177-PRODUCTION-GOVERNED-TOOLS-MACRO — only if/when production live writes for tables_create / app_create (or fields/views) become a real need. Until then, governed / dry-run is the correct safety stance and does not block any currently scoped work.

10. Mutation accounting

  • Code changes: none.
  • Config changes: none.
  • VPS changes: none.
  • Lark writes: none.
  • Files written by this macro (documentation only):
    • …/s177-cowork-gateway-protection/README.md — appended 2500x mission entry and new "Runbook — sealed state for real work" section.
    • …/reports/s177-cowork-final-ready-seal-2026-05-24.md — this report.

11. PASS criteria summary

Criterion Result
Checker passes PASS=26 FAIL=0
S177 tools/list = 22 PASS
Official lark-mcp not active anywhere PASS
Final report written PASS — this file
Runbook updated PASS — README appended
No secret printed PASS
No Lark write PASS
No VPS mutation PASS

Final verdict: PASS.