TKT Base Packaging Report and Guide
TKT Base — Packaging Report & Guide ("How to use TKT Base for any technical packet")
Macro: TKT_BASE_STRUCTURAL_EVIDENCE_GOVERNANCE_PACKAGING_MACRO_2026_06_11
Status contribution: Workstreams B + D. Authority: NON_AUTHORITY / NOT_PROMOTED.
Date: 2026-06-11 · Host lane: T2
1. What was packaged
A reusable TKT Base Pack at
knowledge/dev/laws/tool-kiem-thu/base/tkt-base-structural-evidence-governance-pack-2026-06-11/
(tree pin 6a6137d198e497612661810db749bc273acafb6227f78e44a3dd022d3e6715f7,
28 governed files). Contents: 4 top-level docs (README, scope/limits, output-level
policy, packet-shape spec), a 7-file packet_template/ skeleton, 7 checkers/
policies, an executable harness/, 3 read-only examples/, 2 limitations/ docs,
and the pack-level commands.sh/RERUN.sh/exit_codes.json/manifest.json/
HASH_MANIFEST.txt/packet_tree.sha256.
2. How to use TKT Base for any technical packet
Step 1 — create a packet
cp -r packet_template/ /path/to/my-new-packet/
cd /path/to/my-new-packet
# replace every <…> placeholder in README_FOR_REVIEWER.md, commands.sh, manifest.json
Step 2 — write the manifest (deterministic order)
( find . -type f ! -name HASH_MANIFEST.txt ! -name packet_tree.sha256 ! -path './evidence/*' \
| sed 's#^\./##' | LC_ALL=C sort \
| while IFS= read -r f; do shasum -a 256 "$f"; done ) > HASH_MANIFEST.txt
Order MUST be stable (LC_ALL=C lexical sort) and paths normalized (no leading ./).
Step 3 — compute the packet_tree pin
shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}' > packet_tree.sha256
This single value certifies the whole tree; any byte change to any file breaks it.
Step 4 — write commands.sh / RERUN.sh
commands.shruns G0..Gn, writesexit_codes.json, printsOVERALL_RESULT.- G0 is always the three-way manifest check (tree pin +
shasum -c). RERUN.shcopies intomktemp -dand reverifies — proves dir-independence.- If
exit_codes.jsonis committed, use the two-pass build (build manifest → run → rebuild manifest with the all-passexit_codes.json→ re-run) so the anchor is byte-stable and pinned.
Step 5 — write the bad-input probes
- Implement at least the relevant base classes P1–P10 (see
checkers/fail_closed_probe_policy.md) plus your domain's tamper/stale/authority probes. Reuseharness/tkt_base_harness.pyas the reference shape. - Apply the detector-correctness rule: a PASS/SEAL token counts as emitted only
when exit==0; a
*_REJECTEDmessage that contains the substring does not count.
Step 6 — run the report-vs-file audit
- For every load-bearing claim in your report: recompute the cited hash, re-run the
cited command, confirm the pointer exists, and confirm the file exists at its
path (the §8 check). See
checkers/report_vs_file_audit_policy.md.
Step 7 — classify the output level
- Run
bash commands.shandbash RERUN.sh; map results to L0/L1/L2/L3 perTKT_OUTPUT_LEVEL_POLICY.md. Reportlevel_reachedand per-level evidence.
Step 8 — avoid overclaiming
- Never emit
IU_TRACEABILITY_PASS/SEMANTIC_TEXT_AS_CODE_PASS/RELEASE_BUNDLE_PASS. The honest ceiling is L3. State the semantic-deferred boundary explicitly (citelimitations/). - Register new object IDs strictly above the highest reserved range via a
governance addendum; do not apply a canonical registry/index fold while
another lane is active (
checkers/object_id_collision_policy.md). - Keep raw evidence out of the vector KB — carry
{hash, pointer, regen}only.
3. Readback Table C — existing tool components (generalized into the base)
| component | path | hash | command | input | output | reusable template? | limitations |
|---|---|---|---|---|---|---|---|
| pack gate runner | …/commands.sh |
b6ba682b… |
bash commands.sh |
pack files | exit_codes.json + OVERALL_RESULT |
yes (packet_template/commands.sh) |
gate bodies are pack-specific |
| pack RERUN | …/RERUN.sh |
a6673481… |
bash RERUN.sh |
pack | RERUN_RESULT: PASS |
yes (packet_template/RERUN.sh) |
requires mktemp |
| validation harness | …/harness/tkt_base_harness.py |
8e3d7d9b… |
python3 … |
none (synthetic) | 10/10 fail-closed report, exit 0 | yes (reference shape) | reference checkers, not the live SUT verifiers |
| verdict anchor | …/exit_codes.json |
21e03bcb… |
(generated) | gate results | byte-stable JSON | yes | must be deterministic |
| tree pin | …/packet_tree.sha256 |
6a6137d1… |
shasum -a256 HASH_MANIFEST |
manifest | tree pin | yes | — |
| v0.2 verifier (source) | …/review/v02-…/content_bind_verify.py |
3bdee7d2… |
python3 … --selftest |
corpus+oracle | exit 0/2/3/5/6 | pattern only (by-reference) | content-binding profile, dev-only |
| v0.2 probe suite (source) | …/review/v02-…/sp_probes.py |
04098c6a… |
python3 sp_probes.py |
verifier | 28/28, 0 fail-open | pattern only | domain-specific |
| NVSZ escrow validator (source) | …/nvsz_escrow_validator.py |
933fd046… |
python3 … |
escrow record | exit 2–9 | pattern → nvsz_no_vector_evidence_policy.md |
dry-run; no root designated |
| NVSZ root validator (source) | …/nvsz_root_validator.py |
73c613b5… |
python3 … |
candidate root | 14/14 fail-closed | pattern → policy | dry-run only |
| frozen SUT (baseline) | …/real-sut/fix7_canon_v1_ssot.py |
d9caa9fe… |
--selftest |
— | exit 0 | by-reference only | T1/FIX7 surface, not mutated |
4. Verdict
Workstreams B + D complete: reusable pack consolidated; packet, checker/probe, report-vs-file audit, governance/object-ID, and no-vector templates all exist and are reused by the pack's own self-verification. The packaging guide above is the practical "how to use TKT Base" reference.