KB-7D62

O11 automation+agent-sandbox bundle — 09 Filesystem scaffold result


O11 Report 09 — Filesystem scaffold result (BRANCH 8)

  • macro: v0.6-o11-automation-agent-sandbox-program-bundle
  • date_utc: 2026-05-21 · host: Contabo vmi3080463 · gate: BRANCH 8
  • result: PASS — scaffold judged SAFE and created; empty working dirs + governance docs only

1. Safety decision

question:  can /opt/incomex/dot/iu-cutter-agent-sandbox be created safely now?
checks:    touches no DENY path                                  OK
           contains no code, no secrets, no DB wiring             OK
           does not modify iu-cutter-v0.6 (active tree)           OK
           does not modify iu-cutter (v0.4 skeleton)              OK
           does not touch /var/lib/cutter runtime state           OK
           trivially reversible (rm -rf the new dir)              OK
decision:  SAFE — scaffold created.

2. Created tree

/opt/incomex/dot/iu-cutter-agent-sandbox/
├── README.md            what this is + security boundary summary
├── RULES.md             allowed/forbidden ops; full security boundary
├── PATCH-CONTRACT.md    patch-as-information-unit metadata contract (Report 06)
├── AGENT-RULES.md       per-role instruction templates (Report 07)
├── drafts/.gitkeep      external-agent code drafts
├── patches/.gitkeep     <id>.patch.diff + <id>.patch.meta.yaml
├── tests/.gitkeep       agent-authored tests
└── reports/.gitkeep     <id>.report.md

3. What was NOT done

code authored into the sandbox:        NONE
secrets / .env / keys written:         NONE
DB wiring / credentials:               NONE
isolation runner (OS user, mount,      NOT provisioned — operator step
  network policy):                       (RULES.md §4/§5, Report 05 §6)
external agent granted access:         NO — gated on the isolation runner
v0.6 active tree modified:             NO
v0.4 skeleton modified:                NO
service / cron / docker change:        NONE
git add / commit / push:               NONE — the dir is untracked, as intended

4. State

scaffold:          PRESENT — 4 governance docs + 4 empty working dirs
contains_code:     NO
contains_secrets:  NO
production_link:   NONE
agent_access:      NOT GRANTED — requires the operator isolation runner first
reversal:          rm -rf /opt/incomex/dot/iu-cutter-agent-sandbox

5. Operator step to make the sandbox usable (not done here)

provision the isolation runner (RULES.md §4):
  - a dedicated low-privilege OS user (never root, never a cutter DB role)
  - filesystem pinning so the four DENY paths are not readable
  - no network route to the production DB host or the .env store
  - a clean environment (no DOT_CUTTER_*, BACKUP_GPG_FPR, AGENT_DATA_API_KEY)
then: a Claude-supervised dry exercise before any open-source agent is attached.
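The runner provisioning itself is an operator step outside this report, but the four requirements above can be checked mechanically before any agent is attached. The POSIX sh script below is an added example, not part of Report 09 or the iu-cutter tree: it implements a preflight that fails when the runner is root, when any forbidden variable (the three named in RULES.md §4 as quoted above) is present in the environment, or when a DENY path is readable. The DENY path list here is a placeholder; the real list lives in RULES.md.

```shell
#!/bin/sh
# Added example for Report 09 §5 (not the report's or the project's own code).
# Preflight an operator can run inside the provisioned isolation runner.
# Assumptions: the forbidden variable names are those quoted in §5; the DENY
# path entries below are placeholders standing in for the list in RULES.md.

DENY_PATHS_EXAMPLE="/placeholder/deny/path-one
/placeholder/deny/path-two"

# check_env_clean DUMP
# DUMP is a newline-separated "NAME=value" listing (e.g. "$(env)").
# Returns 0 when no DOT_CUTTER_*, BACKUP_GPG_FPR or AGENT_DATA_API_KEY
# variable is present, 1 otherwise.
check_env_clean() {
    if printf '%s\n' "$1" | grep -E -q \
        '^(DOT_CUTTER_[A-Za-z0-9_]*|BACKUP_GPG_FPR|AGENT_DATA_API_KEY)='; then
        return 1
    fi
    return 0
}

# check_not_root UID
# Returns 0 when UID is non-zero; the runner must never execute as root.
check_not_root() {
    [ "$1" -ne 0 ]
}

# check_deny_unreadable PATHLIST
# PATHLIST is newline-separated. Returns 0 only when none of the paths is
# readable by the current user, i.e. filesystem pinning is in effect.
check_deny_unreadable() {
    old_ifs=$IFS
    IFS='
'
    for p in $1; do
        if [ -r "$p" ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# run_preflight: evaluates all three checks against the live process and
# reports each failure; returns 0 only when every check passes.
run_preflight() {
    rc=0
    check_not_root "$(id -u)" || { echo "FAIL: runner executes as root"; rc=1; }
    check_env_clean "$(env)" || { echo "FAIL: forbidden variable present in environment"; rc=1; }
    check_deny_unreadable "$DENY_PATHS_EXAMPLE" || { echo "FAIL: a DENY path is readable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK: runner satisfies RULES.md §4 checks"
    return "$rc"
}

# Usage: sh preflight.sh run   (inside the runner, as the low-privilege user)
case "${1:-}" in
    run) run_preflight ;;
esac
```

A non-zero exit from `run_preflight` is the gate: the dry exercise should not start until it returns 0 from inside the runner, under the dedicated OS user, with the real DENY list substituted for the placeholder.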

6. Verdict

scaffold:   SAFE + CREATED — dirs + README/RULES/contracts only, no mutation
branch_8:   PASS