RS-TKT-0A · 05 NVSZ Run-Evidence Packet Assessment
Lane: RS-TKT-0A · Date: 2026-06-21
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB writes only)
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · design-only
NVSZ = No-Vector Zone. This document assesses the existing NVSZ materials in the old TKT base pack and proposes the run-evidence packet design for a laws-new LEGO TKT. No root is designated here (that is owner/operator-only; see §7).
1. Assessment of existing NVSZ materials (REUSE)
The old base pack already contains a complete, self-verifying NVSZ model (checkers/nvsz_no_vector_evidence_policy.md, manifest.json raw_evidence block, examples/nvsz-dryrun-example.md, plus nvsz_root_requirements.json / validators under …/v0.2-hardening/review/v02-nvsz-root-provisioning-dryrun-2026-06-11/). It is reusable largely as-is.
1.1 Core rules (verbatim, non-negotiable)
- Vector KB stores the recipe — commands.sh, checker/probe scripts, committed *_oracle.json, summaries, exit_codes.json, and pointers into the root. KB stores summary + hash + pointer + regeneration command — never raw transcripts.
- The no-vector root (NVSZ) stores the artifact — raw stdout/stderr/*.log, run packets, the hash ledger. It lives outside the vector embedding pipeline (not retrievable via search_knowledge).
- R0.1 Raw logs MUST NOT live in the vector KB … A Postgres vector_excluded=true row is a row store, not a file/object root … it does not satisfy R1.
- R0.2 The root MUST NOT be invented by an agent. Only owner/operator may designate it.
- R0.3 The root is NON_AUTHORITY: storing evidence grants no gate/seal/decision power.
R1–R8 (storage / integrity / regeneration / retention / safety / interface-binding / acceptance-gate / blocker) are reusable verbatim.
1.2 Validator exit taxonomy — escrow (PINNED canonical for this design)
0 pass · 2 absent · 3 pointer/schema missing field · 4 no regeneration command · 5 raw-log-in-vector-KB · 6 local-claims-authority · 7 byte-exact mismatch · 8 secret token → quarantine · 9 invented root.
Open item MCB-2: a second (root-provisioning) validator uses a different numeric map (invented-root = 4, missing-field = 6, plus 10 path-traversal / 11 symlink-escape / 12 prod-violation / 13 fold-apply-while-T1-active). The laws-new design pins the escrow taxonomy above as canonical and treats the root-provisioning numbers as a separate, named validator. Owner/Codex to confirm.
1.3 Escrow record schema (required fields, verbatim)
{ "evidence_class", "claims_raw_log", "authority": "NON_AUTHORITY / NOT_PROMOTED",
  "may_gate": false, "decision_effect": "NONE",
  "pointer": { "target", "local_path" (optional), "hash": "sha256:<64hex>", "size",
               "produced_by", "timestamp_policy": "none|recorded|policy-ref" },
  "storage_location": "local_workbench | nvsz_file_root | nvsz_object_store | content_addressed_store",
  "regeneration_command": "bash commands.sh",
  "determinism": "byte-exact | functional",
  "nvsz_root": { "designated": false, "designated_by": null } }
The live manifest.json carries two such records (gate-logs functional, exit-codes byte-exact), both nvsz_root.designated=false.
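A validator that applies the pinned escrow taxonomy (§1.2) to a record in the §1.3 shape, written for this assessment as an added example; it is not the base pack's checker. Field names, exit numbers, the storage_location and determinism vocabularies and the owner/operator rule are taken from the page. The order in which the checks run, the secret-token regex, the use of knowledge/ as the vector-KB path prefix, the treatment of an nvsz_* storage_location with designated=false as exit 9, and the sample record and bytes are this example's assumptions.

```python
"""Escrow-record validator for the pinned NVSZ exit taxonomy (sections 1.2/1.3).

Added example, not code from the base pack. Check ORDER, the secret-token
heuristic and the sample record are assumptions; the fields, exit numbers and
vocabularies follow the page.
"""
import copy
import hashlib
import json
import re

# Pinned escrow taxonomy (section 1.2). 0 = conforming.
EXIT_ABSENT, EXIT_MISSING_FIELD, EXIT_NO_REGEN = 2, 3, 4
EXIT_RAW_LOG_IN_VECTOR_KB, EXIT_LOCAL_CLAIMS_AUTHORITY = 5, 6
EXIT_BYTE_EXACT_MISMATCH, EXIT_SECRET_TOKEN, EXIT_INVENTED_ROOT = 7, 8, 9

REQUIRED_TOP = ("evidence_class", "claims_raw_log", "authority", "may_gate",
                "decision_effect", "pointer", "storage_location",
                "determinism", "nvsz_root")
REQUIRED_POINTER = ("target", "hash", "size", "produced_by", "timestamp_policy")
STORAGE_LOCATIONS = {"local_workbench", "nvsz_file_root",
                     "nvsz_object_store", "content_addressed_store"}
ROOT_LOCATIONS = STORAGE_LOCATIONS - {"local_workbench"}   # only valid once a root exists
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Assumed heuristic (not on the page): a few well-known credential shapes.
SECRET_RE = re.compile(
    r"AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Assumed vector-KB prefix; the page's own KB summary path lives under knowledge/.
VECTOR_KB_PREFIXES = ("knowledge/",)


def validate_escrow_record(record, vector_kb_prefixes=VECTOR_KB_PREFIXES):
    """Return the escrow exit code for one record; the first failing check wins."""
    if not isinstance(record, dict):
        return EXIT_ABSENT
    pointer = record.get("pointer")
    if (any(k not in record for k in REQUIRED_TOP)
            or not isinstance(pointer, dict)
            or any(k not in pointer for k in REQUIRED_POINTER)
            or not HASH_RE.match(str(pointer["hash"]))
            or record["storage_location"] not in STORAGE_LOCATIONS
            or record["determinism"] not in ("byte-exact", "functional")
            or not isinstance(record["nvsz_root"], dict)):
        return EXIT_MISSING_FIELD
    # Exit 8 before anything else: a leaked credential is quarantined, not escrowed.
    if SECRET_RE.search(json.dumps(record)):
        return EXIT_SECRET_TOKEN
    root = record["nvsz_root"]
    designated = root.get("designated") is True
    if designated and root.get("designated_by") not in ("owner", "operator"):
        return EXIT_INVENTED_ROOT                # R0.2 / R7: agent-designated root
    if record["storage_location"] in ROOT_LOCATIONS and not designated:
        return EXIT_INVENTED_ROOT                # claims a root nobody designated
    if (not str(record["authority"]).startswith("NON_AUTHORITY")
            or record["may_gate"] is not False
            or record["decision_effect"] != "NONE"):
        return EXIT_LOCAL_CLAIMS_AUTHORITY       # R0.3
    targets = (pointer["target"], pointer.get("local_path") or "")
    if record["claims_raw_log"] and any(
            t.startswith(p) for t in targets for p in vector_kb_prefixes):
        return EXIT_RAW_LOG_IN_VECTOR_KB         # R0.1
    if not str(record.get("regeneration_command", "")).strip():
        return EXIT_NO_REGEN
    return 0


def check_byte_exact(record, regenerated):
    """Exit 7 when a byte-exact record's pointer hash differs from the regenerated bytes."""
    if record["determinism"] != "byte-exact":
        return 0                                 # functional class is compared differently
    actual = "sha256:" + hashlib.sha256(regenerated).hexdigest()
    return 0 if actual == record["pointer"]["hash"] else EXIT_BYTE_EXACT_MISMATCH


def variant(record, dotted_path, value):
    """Deep-copy record and set one nested field, e.g. variant(r, "pointer.hash", "x")."""
    out = copy.deepcopy(record)
    *parents, leaf = dotted_path.split(".")
    node = out
    for p in parents:
        node = node[p]
    node[leaf] = value
    return out


# Constructed sample (not the live manifest): an exit-codes record whose hash
# is the digest of the constructed bytes below.
EXIT_CODES_BYTES = b'{"packet":"tkt-base","authority":"NON_AUTHORITY / NOT_PROMOTED","gates":[]}\n'
CONFORMING = {
    "evidence_class": "exit_codes",
    "claims_raw_log": False,
    "authority": "NON_AUTHORITY / NOT_PROMOTED",
    "may_gate": False,
    "decision_effect": "NONE",
    "pointer": {"target": "runs/r001/exit_codes.json",
                "hash": "sha256:" + hashlib.sha256(EXIT_CODES_BYTES).hexdigest(),
                "size": len(EXIT_CODES_BYTES),
                "produced_by": "bash commands.sh",
                "timestamp_policy": "none"},
    "storage_location": "local_workbench",
    "regeneration_command": "bash commands.sh",
    "determinism": "byte-exact",
    "nvsz_root": {"designated": False, "designated_by": None},
}
```

The check order is deliberate: schema problems (3) are found before anything is interpreted, a secret-looking token (8) quarantines the record before its pointer is followed, and the authority and root checks (6, 9) run before the storage checks because a record that claims gate power or an undesignated root is wrong regardless of where its bytes sit. Exit 7 needs the regenerated bytes, so it is a separate call made after `regeneration_command` has been run.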
2. Proposed TKT run-evidence packet layout
When a TKT run is actually executed (a future, separately-authorized phase — not now), its raw evidence is escrowed under the designated NON_VECTOR_ROOT using the R6 layout:
<NON_VECTOR_ROOT>/tool-kiem-thu/runs/<run_id>/
README_FOR_HUMAN.md
run_manifest.json # what was run, by whom, against which packet
result.json # machine verdict (TKT_BASE_RESULT)
result.md # human verdict
commands.sh # the recipe (also mirrored in KB)
stdout.log # RAW — no-vector only
stderr.log # RAW — no-vector only
exit_codes.json # byte-exact verdict anchor
hash_manifest.sha256 # the hash ledger {path, sha256, size}
packet_tree.sha256 # tree pin = sha256(hash_manifest)
negative_tests/
result.json
stdout.log
stderr.log
KB summary only (vector KB, this folder):
knowledge/dev/laws-new/tool-kiem-thu-lego/reports/<run_id>-summary.md
The KB summary carries summary + hash + pointer + regeneration command only — never the raw logs.
Open item MCB-3: the base pack ships the ledger as HASH_MANIFEST.txt; the R6 run layout names it HASH_MANIFEST.sha256/hash_manifest.sha256. The design accepts either name and warns on mismatch; reconcile to one at approval.
3. Self-verifying skeleton (REUSE)
- exit_codes.json is the byte-stable verdict anchor: {packet, authority: "NON_AUTHORITY / NOT_PROMOTED", gates: [{name, expected, actual, ok}]}.
- commands.sh runs gates G0_manifest (tree pin + shasum -c), G1_*, G2_*, G3_overclaim_guard; it emits exit codes + logs only: no seal, no registry/PG/Directus write, no production action.
- RERUN.sh reconstructs into a clean workspace and re-verifies, proving the verdict is independent of the working directory (this is the L1 proof).
- Tree-pin rule: packet_tree.sha256 = sha256(HASH_MANIFEST), where HASH_MANIFEST is the hash ledger (filename still open under MCB-3). Any byte change to a governed file fails shasum -c against the ledger, and any change to the ledger itself breaks the pin.
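The ledger, tree pin and clean-workspace rerun from §2 and §3, as an added example written for this assessment; it is not the base pack's commands.sh or RERUN.sh. The tree-pin rule and the packet layout come from the page. The ledger line format (path, sha256, size as tab-separated text), the set of files treated as governed, and the constructed packet contents are this example's assumptions. The last function also shows the byte-exact vs functional distinction the layout draws for exit_codes.json vs stdout.log (and that §5 describes): a functional-class log is compared on its load-bearing verdict lines, not its bytes.

```python
"""Hash ledger, tree pin and clean-workspace re-verification for a run packet.

Added example, not the base pack's commands.sh / RERUN.sh. The tree-pin rule
(packet_tree.sha256 = sha256(hash_manifest)) and the layout are the page's;
the ledger line format, the governed-file list and the constructed packet
contents are assumptions.
"""
import hashlib
import os
import shutil
import tempfile

GOVERNED = ("run_manifest.json", "result.json", "result.md", "commands.sh",
            "stdout.log", "stderr.log", "exit_codes.json",
            "negative_tests/result.json", "negative_tests/stdout.log",
            "negative_tests/stderr.log")          # assumed governed set
LEDGER_NAME = "hash_manifest.sha256"              # filename still open under MCB-3
TREE_PIN_NAME = "packet_tree.sha256"


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_ledger(packet_dir):
    """Write the ledger over the governed files (sorted, relative paths), then the pin."""
    rows = [f"{rel}\t{sha256_file(os.path.join(packet_dir, rel))}\t"
            f"{os.path.getsize(os.path.join(packet_dir, rel))}\n"
            for rel in sorted(GOVERNED)]
    ledger = "".join(rows).encode()
    with open(os.path.join(packet_dir, LEDGER_NAME), "wb") as f:
        f.write(ledger)
    pin = hashlib.sha256(ledger).hexdigest()      # packet_tree.sha256 = sha256(hash_manifest)
    with open(os.path.join(packet_dir, TREE_PIN_NAME), "w") as f:
        f.write(pin + "\n")
    return pin


def verify_packet(packet_dir):
    """G0_manifest analogue: the pin must match the ledger bytes and every ledger
    entry must match its file. Returns (ok, reasons); relative paths keep the
    verdict independent of where the packet sits."""
    reasons = []
    with open(os.path.join(packet_dir, LEDGER_NAME), "rb") as f:
        ledger = f.read()
    with open(os.path.join(packet_dir, TREE_PIN_NAME)) as f:
        pinned = f.read().strip()
    if hashlib.sha256(ledger).hexdigest() != pinned:
        reasons.append("tree pin mismatch")       # the ledger itself was altered
    for line in ledger.decode().splitlines():
        if not line:
            continue
        rel, digest, size = line.split("\t")
        path = os.path.join(packet_dir, rel)
        if not os.path.isfile(path):
            reasons.append(f"{rel}: absent")
        elif sha256_file(path) != digest or os.path.getsize(path) != int(size):
            reasons.append(f"{rel}: hash/size mismatch")
    return (not reasons, reasons)


def rerun_in_clean_workspace(packet_dir):
    """RERUN.sh analogue: copy the packet into a fresh directory, verify it there,
    then discard the copy (R4.3: temp reconstruction dirs are disposable)."""
    ws = tempfile.mkdtemp(prefix="tkt-rerun-")
    try:
        return verify_packet(shutil.copytree(packet_dir, os.path.join(ws, "packet")))
    finally:
        shutil.rmtree(ws)


def tamper(packet_dir, rel, extra=b" "):
    """Append bytes to one packet file, to show that a single byte breaks verification."""
    with open(os.path.join(packet_dir, rel), "ab") as f:
        f.write(extra)


def load_bearing_verdicts(log_text):
    """Functional-class comparison: keep the verdict lines and ignore cosmetic bytes
    such as mktemp paths, which legitimately differ between runs."""
    return tuple(l for l in log_text.splitlines()
                 if l.startswith(("SELFTEST_RESULT:", "OVERALL_RESULT:")))


def make_sample_packet():
    """Constructed sample packet in a temp dir (not a real TKT run), ledger included."""
    d = tempfile.mkdtemp(prefix="tkt-run-")
    os.makedirs(os.path.join(d, "negative_tests"))
    for rel in GOVERNED:
        with open(os.path.join(d, rel), "w") as f:
            f.write(f"# constructed {rel}\n")
    with open(os.path.join(d, "stdout.log"), "w") as f:
        f.write("workdir=/tmp/tmpa1b2c3\nSELFTEST_RESULT: PASS\nOVERALL_RESULT: PASS\n")
    build_ledger(d)
    return d
```

Two points worth noting against the design: the ledger records relative paths only, so `rerun_in_clean_workspace` can pass after a copy to any directory, which is exactly what the L1 proof needs; and the pin covers the ledger, not the files, so a tampered file is caught by the per-entry check while a tampered ledger is caught by the pin. Both must hold for G0_manifest to pass.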
4. Explicit fail-closed statements (required by the macro)
- Raw logs do not go into the vector KB (R0.1). A vector_excluded=true PG row does not satisfy this and is a forbidden PG write. /tmp is not sufficient evidence storage. Temp reconstruction dirs are disposable (R4.3 cleanup-or-retention); the store of record is the designated no-vector root, or — until one exists — a local + hashed + regenerable workbench copy. Never /tmp alone.
- Summary prose does not replace raw evidence. A summary without {hash, pointer, regeneration_command} → FAIL (escrow exit 2/3/4).
- Missing raw evidence / hash / rerun command means not Codex-ready. A packet that lacks any of these, or that parks raw transcripts only in /tmp or in the vector KB, is non-conforming and must not be presented as evidence.
These map to the escrow exit taxonomy: 2 absent, 3 pointer/schema, 4 no-regen, 5 raw-log-in-vector-KB, 6 local-claims-authority, 7 byte-exact mismatch, 8 secret token, 9 invented root.
5. NVSZ dry-run example (what it demonstrates)
examples/nvsz-dryrun-example.md shows NVSZ evidence validated without designating or inventing a root: the root constant stays a placeholder; the root-provisioning validator passes 14/14 bad-input probes (0 fail-open); the template self-rejects (exit 3) so it can never accidentally become a real designation; byte-exact (exit_codes.json) vs functional (.log with /tmp/mktemp paths) is shown live. Load-bearing verdicts (SELFTEST_RESULT: PASS, OVERALL_RESULT: PASS) are stable regardless of cosmetic bytes.
6. The TKT-L3 NVSZ checker (links to 04)
The TKT-L3-GOVERNANCE block includes an NVSZ-completeness check: every raw-evidence pointer in a packet has {hash, pointer, regeneration_command, determinism, nvsz_root}; no raw log in the vector KB; byte-exact classes recompute identically; secret-looking tokens quarantine; nvsz_root.designated_by ∈ {owner, operator} or designated=false. Failure → L3_NVSZ_RECORD_INCOMPLETE (+ the specific escrow exit code).
7. Root-designation blocker (NEEDS_OWNER_DECISION)
Standing blocker V02-PB-NVSZ-1 (verbatim): "no designated no-vector root; owner/operator only. Until then raw evidence stays local + hashed + regenerable (honest interim). The base layer packages this as policy and a dry-run; it never designates the root."
- Current status: nvsz_root.designated = false, designated_by = null in every escrow record.
- Who may designate: owner or operator only (R0.2; R7 requires designated_by ∈ {owner, operator} + validator exit 0). An agent doing so is "invented root" (escrow exit 9).
- This lane does not designate a root. When one is designated later, R6 says only the single NON_VECTOR_ROOT constant is repointed — no code rewrite — and storage_location transitions from local_workbench to nvsz_file_root | nvsz_object_store | content_addressed_store.
8. Assessment verdict
The NVSZ model is REUSE with two reconciliations (MCB-2 exit taxonomy, MCB-3 ledger filename) and one open owner action (MCB-5 root designation). It already enforces the exact separation laws-new requires. No root is invented; REGISTRATION_HOLD and the NON_AUTHORITY posture are preserved end-to-end. A run-evidence packet can prove reproduction but cannot authorize anything.