<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

TKT Base — Structural-Evidence & Governance Pack — README

Pack name: tkt-base-structural-evidence-governance-pack-2026-06-11 Status: TKT_BASE_STRUCTURAL_EVIDENCE_GOVERNANCE_PACK_READY Authority: NON_AUTHORITY / NOT_PROMOTED · Codex consulted: NO · Owner approval requested: NO Date: 2026-06-11 · Host lane: T2

---

0. What this is, in one paragraph

This pack is the reusable base layer of Tool-Kiểm-Thử. It packages the patterns proven across the v0.2 / NVSZ / packet-completeness / fail-closed / governance work into templates, checker policies, and a validation harness that any technical packet can adopt. It lets an operator or agent stand up a new packet that is structurally sound (files exist + hash), reproducible (reconstructs

• reruns), fail-closed (bad input → no PASS/seal), and governance-clean (IDs, lanes, firewall, no-vector evidence). It is not the semantic Text-as-Code layer and makes no semantic claim.

1. Read order

1. TKT_BASE_SCOPE_AND_LIMITS.md — what the base layer covers and refuses.
2. TKT_OUTPUT_LEVEL_POLICY.md — the only verdicts (L0–L3) and forbidden overclaims.
3. TKT_BASE_PACKET_TEMPLATE.md — how a conforming packet is shaped.
4. checkers/ — the seven reusable policies (one per check).
5. packet_template/ — copy-me skeleton for a new packet.
6. harness/ — executable base validation harness + the 10 fail-closed probes.
7. examples/ — three read-only worked patterns (v0.2 packet, NVSZ dry-run, FIX7 N6).
8. limitations/ — the semantic-deferred boundary and the IU inputs L4–L6 need.

2. The four levels (summary)

Level	Name	Passes when
L0	FILE PASS	every load-bearing file exists + hash matches; no missing file
L1	PACKET RECONSTRUCTION PASS	manifest + tree pass; commands/RERUN pass; exit_codes stable
L2	FAIL-CLOSED PASS	bad input rejected; invalid emits no PASS/cert/digest/seal
L3	GOVERNANCE CONSISTENCY PASS	IDs no-collision; no orphan; lanes respected; firewall holds; no-vector evidence has hash+pointer+regen

Highest honest verdict is L3. L4 (IU traceability), L5 (semantic Text-as-Code), L6 (release/bundle) are deferred and must never be emitted by a base run.

3. Quick start (use the base for a new packet)

# 1. copy the skeleton
cp -r packet_template/ /path/to/my-new-packet/

# 2. add your real files, then build the manifest (deterministic order)
cd /path/to/my-new-packet
( for f in $(find . -type f ! -name HASH_MANIFEST.txt ! -name packet_tree.sha256 | sort); \
    do shasum -a 256 "$f"; done ) | sed 's# \./# #' > HASH_MANIFEST.txt
shasum -a 256 HASH_MANIFEST.txt | awk '{print $1}' > packet_tree.sha256

# 3. run the gates and the probes
bash commands.sh            # writes exit_codes.json, prints OVERALL_RESULT
bash RERUN.sh               # reconstruct + reverify

# 4. classify the level reached per TKT_OUTPUT_LEVEL_POLICY.md

Full walkthrough: ../reports/tkt-base-packaging-report-2026-06-11.md (the "How to use TKT Base for any technical packet" guide).

4. Self-verification of THIS pack

This pack is itself a TKT packet and verifies against its own policy:

bash commands.sh                      # G0..G4 → OVERALL_RESULT: PASS, writes exit_codes.json
shasum -a 256 -c HASH_MANIFEST.txt    # every pack file byte-for-byte
bash RERUN.sh                         # fresh reconstruct into mktemp + reverify
python3 harness/tkt_base_harness.py   # 10/10 fail-closed probes, any_fail_open=false

See ../reports/tkt-base-validation-probes-2026-06-11.md for the recorded run.

5. Hard boundaries (what this pack never does)

• No mutation of FIX7 / T1 active surfaces or N-number/N6/N7/N8/P7.
• No destructive mutation of the v0.2 convention packet (read-only references only).
• No promotion of Tool-Kiểm-Thử v0.2.
• No semantic Text-as-Code / IU-traceability / release PASS.
• No Codex call, no owner ask mid-run.
• No canonical registry/index fold while T1 is active — addendum only.
• No NVSZ root designation, no production mutation, no REAL_RUN/QT001/apply/ permit/activation/repoint/cutover.

6. Provenance

Patterns generalized (byte-identical references, not forks) from the governed v0.2 sources. Every check policy in checkers/ cites the v0.2 artifact it generalizes. See examples/ and the packaging report for the source mapping.