KB-9387

RS-TKT-0A · 07 Conversion Roadmap and Stop States

Revision 1

Lane: RS-TKT-0A · Date: 2026-06-21
Gate: REGISTRATION_HOLD · REGISTRATION_CAN_PROCEED = NO · 0 runtime mutations (KB writes only)
Authority: NON_AUTHORITY · may_gate=false · decision_effect=NONE · design-only

This is the roadmap from the old Tool-Kiem-Thu to the laws-new LEGO TKT. Each phase is separately authorized. Reaching the end of one phase does not authorize the next; the Owner must explicitly open it. REGISTRATION_HOLD is never cleared by a phase boundary.


Phase 0 — Survey / Recovery ← (this lane, RS-TKT-0A)

  • goal: survey old TKT + laws-new LEGO; produce the conversion plan (00–08).
  • inputs: old TKT corpus; laws-new SSOT; RS5A/RS5B + Codex reviews; NVSZ materials.
  • outputs: the nine RS-TKT-0A deliverables.
  • allowed: read-only KB; KB design-doc writes under tool-kiem-thu-lego/.
  • forbidden: runtime, production mutation, validators/registrars, Owner/scope/APR/register_dot, clearing HOLD, semantic/production PASS.
  • evidence required: files read list; files produced list; self-check.
  • stop states: RS_TKT_0A_READY_FOR_GPT_REVIEW (success) · …HOLD_SOURCE_INVENTORY_INCOMPLETE · …HOLD_LAWS_NEW_CONTEXT_INSUFFICIENT · …HOLD_NVSZ_UNRESOLVED · …HOLD_SCOPE_TOO_BROAD · …REJECT_RUNTIME_DRIFT · …REJECT_AUTHORITY_OVERCLAIM.
  • review: GPT → Codex → Owner.

Phase 1 — TKT Base design package

  • goal: turn 03/04 into a complete, reviewable TKT Base design package (L0–L3 block contracts, output schema, packet skeleton spec) — design, not code.
  • inputs: Phase-0 plan; old base pack as reference.
  • outputs: TKT Base design spec + block contracts + bad-input catalog (P1–P10 ∪ BAD-1..15).
  • allowed: KB design writes; read-only KB.
  • forbidden: writing the harness; running anything; any runtime.
  • evidence required: block contracts complete; composition contract; self-consistency.
  • stop states: READY_FOR_REVIEW / HOLD_DESIGN_INCOMPLETE / REJECT_SCOPE_DRIFT.
  • review: GPT → Codex → Owner.

Phase 2 — MVP Read/Report Inspector

  • goal: the first runnable TKT — a read-only inspector that runs L0–L3 + the RS pre-Codex profile against a KB packet and emits TKT_BASE_RESULT + findings. Read/report only.
  • inputs: Phase-1 design; an authorized execution surface.
  • outputs: the inspector + a run on a real RS packet (e.g. RS5B) producing a packet of evidence.
  • allowed (only after Owner authorizes): read KB; write a report packet; run probes in a disposable workspace.
  • forbidden: any production/registry/PG mutation; gating; sealing; clearing HOLD; semantic PASS.
  • evidence required: NVSZ run-evidence packet (05); fail-closed probes pass; positive control passes.
  • stop states: MVP_PASS (engineering only) / HOLD_NO_EXEC_SURFACE / REJECT_FAIL_OPEN / REJECT_RUNTIME_DRIFT.
  • review: GPT → Codex → Owner.

Note: Phase 2 requires an authorized, deny-by-default execution surface; until then it stops at HOLD_NO_EXEC_SURFACE (the old B4′ blocker, deferred).

Phase 3 — NVSZ Run Evidence Packet

  • goal: wire run evidence to a designated NON_VECTOR_ROOT; KB holds summary+hash+pointer+regen only.
  • inputs: Phase-2 inspector; an owner/operator-designated root (blocker V02-PB-NVSZ-1).
  • outputs: escrowed run packets under <NON_VECTOR_ROOT>/tool-kiem-thu/runs/<run_id>/; KB summaries.
  • allowed (after designation): write to the designated root; KB summary.
  • forbidden: inventing the root; raw logs in vector KB; /tmp-only evidence.
  • evidence required: escrow validator exit 0; designated_by ∈ {owner, operator}.
  • stop states: EVIDENCE_PACKET_PASS / HOLD_NVSZ_ROOT_UNDESIGNATED / REJECT_INVENTED_ROOT.
  • review: GPT → Codex → Owner.

Phase 4 — Controlled Execution Verifier (after Call Contract)

  • goal: a verifier that executes the thing under test — only after a Call Contract exists defining how to invoke it safely (revives the old sandbox/B4′ pattern, re-scoped).
  • inputs: Phase-3 evidence; an approved Call Contract; deny-by-default sandbox.
  • outputs: execution-evidence (not just existence-evidence) packets.
  • allowed (after Owner + Call Contract): sandboxed execution.
  • forbidden: production mutation; gating; sealing.
  • evidence required: Call Contract; sandbox attestation; execution evidence with hash+regen.
  • stop states: EXEC_VERIFIER_PASS / HOLD_NO_CALL_CONTRACT / REJECT_SANDBOX_ESCAPE.
  • review: GPT → Codex → Owner.

Phase 5 — Integration / Evidence Sink

  • goal: connect TKT outputs to a durable evidence sink and the review-lane workflow (still non-gating).
  • inputs: Phases 2–4 outputs.
  • outputs: an integrated evidence sink + review-lane integration.
  • allowed (after Owner): write to the evidence sink.
  • forbidden: becoming a production gate; auto-approval.
  • evidence required: sink integrity; no-gate proof.
  • stop states: INTEGRATION_PASS / HOLD_SINK_UNDEFINED / REJECT_HIDDEN_GATE.
  • review: GPT → Codex → Owner.

Phase 6 — CI / OPA / Squawk / Advanced Tooling

  • goal: advanced policy tooling (CI checks, OPA policies, Squawk-style linters) only if justified and still non-authority.
  • inputs: stable Phases 1–5.
  • outputs: CI/OPA/policy integrations.
  • allowed (after Owner): CI integration that reports, not gates production.
  • forbidden: auto-fix of production; becoming the SSOT authority.
  • evidence required: each tool is non-authority; reversible.
  • stop states: TOOLING_PASS / HOLD_UNJUSTIFIED / REJECT_AUTO_FIX.
  • review: GPT → Codex → Owner.

Phase 7 — Full Operational Testing Program

  • goal: the steady-state operating program (L4–L6 may be in scope here, only once IU/semantic inputs exist).
  • inputs: all prior phases; the New IU thin Subject Contract (for L4/L5).
  • outputs: the operating testing program.
  • allowed (after Owner): operate the program.
  • forbidden: claiming L5 semantic PASS without verified IU inputs.
  • evidence required: IU inputs exist and are checker-consumable; semantic oracle committed.
  • stop states: PROGRAM_PASS / HOLD_IU_INPUTS_ABSENT / REJECT_SEMANTIC_OVERCLAIM.
  • review: GPT → Codex → Owner.

Cross-phase invariants

  1. No phase clears REGISTRATION_HOLD — only a separate, explicitly authorized Owner decision can.
  2. Engineering PASS is never upgraded to authority/runtime/registration/production PASS.
  3. No mega-X — every phase output is a LEGO brick (born/tested/changed/rolled-back separately).
  4. Silent caps are forbidden — any sampling/top-N/no-retry bound must be log()-ed; "we checked everything" must be true.
  5. Default = HOLD — ambiguity stops at a HOLD stop-state, never a PASS.
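
The sketch below shows one way to resolve the Phase 3 stop state so that invariants 2, 4 and 5 hold by construction. It is an added example, not code from the TKT project. The field names, the sample root, and the routing of every non-reject failure to the phase's single HOLD state are assumptions.

```python
import logging
from pathlib import PurePosixPath

log = logging.getLogger("tkt.phase3")
ALLOWED_DESIGNATORS = {"owner", "operator"}          # page: designated_by ∈ {owner, operator}
KB_FIELDS = {"summary", "hash", "pointer", "regen"}  # page: KB holds these only
HOLD = "HOLD_NVSZ_ROOT_UNDESIGNATED"  # assumption: the phase's one HOLD takes every non-reject failure

def result(state, *notes):
    # Invariant 2: even a PASS is engineering-only and carries no authority.
    return {"stop_state": state, "may_gate": False, "decision_effect": "NONE",
            "notes": list(notes)}

def phase3_stop_state(run, kb_record):
    """Resolve the stop state for one run; anything unproven stops at HOLD (invariant 5)."""
    root, who = run.get("root"), run.get("designated_by")
    if not root or who is None:
        return result(HOLD, "no designated root")
    if who not in ALLOWED_DESIGNATORS:
        return result("REJECT_INVENTED_ROOT", f"root designated by {who!r}")
    if set(kb_record) != KB_FIELDS:  # e.g. a raw log placed in the KB record
        return result(HOLD, f"KB record fields {sorted(kb_record)} != {sorted(KB_FIELDS)}")
    run_dir = PurePosixPath(root) / "tool-kiem-thu" / "runs" / str(run.get("run_id"))
    pointer = PurePosixPath(str(kb_record["pointer"]))
    if ".." in pointer.parts or run_dir not in pointer.parents:
        return result(HOLD, f"pointer outside {run_dir}")  # covers /tmp-only evidence
    if run.get("validator_exit") != 0:  # a missing exit code is not a pass
        return result(HOLD, f"escrow validator exit {run.get('validator_exit')!r}")
    checked, total = run.get("checked"), run.get("total")
    if not isinstance(checked, int) or not isinstance(total, int):
        return result(HOLD, "coverage counts missing")
    notes = []
    if checked != total:  # invariant 4: a bound on what was checked is never silent
        notes.append(f"cap applied: checked {checked} of {total}")
        log.warning(notes[-1])
    return result("EVIDENCE_PACKET_PASS", *notes)

# Constructed sample input; the root path and hash are placeholders.
SAMPLE_RUN = {"root": "/srv/nvsz-example", "designated_by": "owner", "run_id": "run-001",
              "validator_exit": 0, "checked": 5, "total": 5}
SAMPLE_KB = {"summary": "L0-L3 probes", "hash": "sha256:<placeholder>",
             "pointer": "/srv/nvsz-example/tool-kiem-thu/runs/run-001/packet.json",
             "regen": "<regen command placeholder>"}

if __name__ == "__main__":
    print(phase3_stop_state(SAMPLE_RUN, SAMPLE_KB))
    print(phase3_stop_state({**SAMPLE_RUN, "designated_by": "agent"}, SAMPLE_KB))
    print(phase3_stop_state(SAMPLE_RUN, {**SAMPLE_KB, "pointer": "/tmp/run-001/packet.json"}))
```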
knowledge/dev/laws-new/tool-kiem-thu-lego/07-conversion-roadmap-and-stop-states-2026-06-21.md