KB-5B9B

NVSZ No-Vector Evidence Policy

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

Checker Policy — NVSZ / No-Vector Evidence (L3)

Generalizes: v0.2 NVSZ evidence-escrow model + root requirements R0–R8 and the escrow/root validators (exit taxonomies). Level: 3.

Core split (what goes where)

  • Vector KB stores the recipe (how to reproduce): commands.sh, checker/probe scripts, committed *_oracle.json, summaries, exit_codes.json, and pointers into the root. KB stores summary + hash + pointer + regeneration command — never raw transcripts.
  • The no-vector root (NVSZ) stores the artifact (what was produced): raw stdout/stderr/*.log, run packets, the hash ledger. It lives outside the vector embedding pipeline (not retrievable via search_knowledge).

Non-negotiables (R0)

  • R0.1 Raw logs MUST NOT live in the vector KB (knowledge/…, Qdrant, kb summary docs). A Postgres vector_excluded=true row is a row store, not a file/object root, and writing it is a forbidden PG mutation — it does not satisfy R1.
  • R0.2 The root MUST NOT be invented by an agent. Only owner/operator may designate it. (validator → exit 9 for invented root)
  • R0.3 The root is NON_AUTHORITY: storing evidence grants no gate/seal/decision power. (validator → exit 6 for local-claims-authority)

Requirement summary R1–R8

  • R1 Storage — raw files outside the vector KB; stable paths or content-addressed oids; append-only / write-once per run id; outside the embedding pipeline.
  • R2 Integrity — every raw file has a sha256 in a hash ledger {path,sha256,size}; the ledger is itself hashable (sha256(ledger) pinned); 1-byte tamper → shasum -c fails; pointers carry {target, hash, size, produced_by, timestamp_policy} (missing field → exit 3).
  • R3 Regeneration — every raw file has a regeneration command (absent → exit 4); determinism is declared, not assumed: determinism ∈ {byte-exact, functional}; a byte-exact class that drifts → exit 7.
  • R4 Retention — retention policy exists (TTL or keep-N); expiry never deletes the last reproducible recipe (KB recipe is independent); temp recon dirs have cleanup/retention documented.
  • R5 Safety — no secret exposure (secret-looking token → quarantine, exit 8); no production mutation by default (designation is config/pointer only); reviewable by future owner/Codex; reversible (re-pointable without recipe data loss).
  • R6 Interface binding — the root plugs in at a single constant (NON_VECTOR_ROOT); once it satisfies R1–R5, only that constant is repointed — no code rewrite. Run-packet layout: <ROOT>/.../runs/<run_id>/{run_manifest.json, result.json, result.md, commands.sh, stdout.log, stderr.log, exit_codes.json, HASH_MANIFEST.sha256, packet_tree.sha256, negative_tests/, forbidden_scope/, rerun/RERUN.sh}.
  • R7 Acceptance gate — the root is accepted only when R0.1–R5.4 are each demonstrated AND the validator returns exit 0 on a real escrow record whose storage_location is the new root and nvsz_root.designated_by ∈ {owner, operator}.
  • R8 Blocker — until a root is designated, raw evidence stays local + hashed + regenerable (honest interim). Not invented here.

Escrow record schema (required fields)

{ "evidence_class", "claims_raw_log", "authority": "NON_AUTHORITY / NOT_PROMOTED",
  "may_gate": false, "decision_effect": "NONE",
  "pointer": { "target", "local_path"(optional), "hash":"sha256:<64hex>", "size",
               "produced_by", "timestamp_policy":"none|recorded|policy-ref" },
  "storage_location": "local_workbench | nvsz_file_root | nvsz_object_store | content_addressed_store",
  "regeneration_command": "bash commands.sh",
  "determinism": "byte-exact | functional",
  "nvsz_root": {"designated": false, "designated_by": null} }

Byte-exact vs functional (declared, not assumed)

  • byte-exact — bytes are invariant across reruns (e.g. exit_codes.json); the validator recomputes and REJECTS a mismatch (exit 7).
  • functional — only the verdict/exit is invariant; byte drift from mktemp paths is allowed and disclosed (e.g. probe .log files). The validator accepts functional without byte equality.

Validator exit taxonomy (escrow)

2 absent · 3 pointer/schema missing field · 4 no regeneration command · 5 raw-log-in-vector-KB · 6 local-claims-authority · 7 byte-exact mismatch · 8 secret token → quarantine · 9 invented root.

Fail-closed contract

  • Raw evidence without {hash, pointer, regeneration_command} → FAIL.
  • Any raw log written into the vector KB → FAIL.
  • A root designated by anyone other than owner/operator → FAIL (invented).
  • A byte-exact class that does not recompute identically → FAIL.
  • A secret-looking token in evidence → FAIL (quarantine).
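
The escrow exit taxonomy and fail-closed contract above, applied to one record in Python. This is an added example, not the project's validator; the order of the checks, the secret-token regex, and the knowledge/ path prefix used for exit 5 are assumptions, and the sample record is constructed.

```python
import hashlib
import re

# Exit codes are the page's escrow taxonomy; the order of checks is an assumption.
OK, ABSENT, SCHEMA, NO_REGEN, RAW_IN_KB, AUTHORITY, MISMATCH, SECRET, INVENTED = 0, 2, 3, 4, 5, 6, 7, 8, 9
POINTER_FIELDS = ("target", "hash", "size", "produced_by", "timestamp_policy")
ROOT_LOCATIONS = {"nvsz_file_root", "nvsz_object_store", "content_addressed_store"}
KB_PREFIX = "knowledge/"  # assumed vector-KB path prefix (from R0.1)
# Assumed heuristic for a "secret-looking token"; the page defines no pattern.
SECRET_RE = re.compile(rb"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*\S{8,}")

def validate(record, raw):
    """Return the escrow exit code for one record and its raw evidence bytes."""
    if record is None or raw is None:
        return ABSENT
    ptr = record.get("pointer") or {}
    if any(field not in ptr for field in POINTER_FIELDS):
        return SCHEMA
    if not record.get("regeneration_command"):
        return NO_REGEN
    if record.get("claims_raw_log") and str(ptr["target"]).startswith(KB_PREFIX):
        return RAW_IN_KB
    if record.get("may_gate") is not False or record.get("decision_effect") != "NONE":
        return AUTHORITY
    root = record.get("nvsz_root") or {}
    if (record.get("storage_location") in ROOT_LOCATIONS
            and root.get("designated_by") not in ("owner", "operator")):
        return INVENTED
    if SECRET_RE.search(raw):
        return SECRET
    digest = "sha256:" + hashlib.sha256(raw).hexdigest()
    drift = digest != ptr["hash"] or len(raw) != ptr["size"]
    if record.get("determinism") == "byte-exact" and drift:
        return MISMATCH  # functional records may drift; byte-exact may not
    return OK

def sample_record(raw, **overrides):
    """Constructed record for local evidence; field names follow the page's schema."""
    record = {
        "evidence_class": "exit_codes", "claims_raw_log": True,
        "authority": "NON_AUTHORITY / NOT_PROMOTED", "may_gate": False,
        "decision_effect": "NONE", "storage_location": "local_workbench",
        "pointer": {"target": "runs/r1/exit_codes.json", "size": len(raw),
                    "hash": "sha256:" + hashlib.sha256(raw).hexdigest(),
                    "produced_by": "commands.sh", "timestamp_policy": "none"},
        "regeneration_command": "bash commands.sh", "determinism": "byte-exact",
        "nvsz_root": {"designated": False, "designated_by": None},
    }
    record.update(overrides)
    return record
```
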
knowledge/dev/laws/tool-kiem-thu/base/tkt-base-structural-evidence-governance-pack-2026-06-11/checkers/nvsz_no_vector_evidence_policy.md