Example - NVSZ Dry-Run
Example (read-only) — NVSZ Root-Provisioning Dry-Run
Purpose: show how no-vector evidence is validated without designating a root or inventing one. Read-only.
Source
knowledge/dev/laws/tool-kiem-thu/dev/v0.2-hardening/review/v02-nvsz-root-provisioning-dryrun-2026-06-11/
and the escrow-planning packet (nvsz_escrow_validator.py 933fd046…,
nvsz_root_validator.py 73c613b5…). NON_AUTHORITY / NOT_PROMOTED.
What it demonstrates (L3 no-vector policy)
A dry-run validates a candidate no-vector root against R0–R8 without
designating or inventing one. The root constant stays NON_VECTOR_ROOT_PLACEHOLDER/.
Fail-closed coverage (root-provisioning validator, 14/14 bad-input probes, 0 fail-open):
| Bad input | Exit |
|---|---|
| omitted root | 3 |
| invented root (agent-designated) | 4 |
| raw log in vector KB | 5 |
| pointer field missing | 6 |
| no regeneration command | 7 |
| stale hash | 8 |
| duplicate record | 9 |
| path traversal | 10 |
| symlink escape | 11 |
| prod/permission violation | 12 |
| fold-apply-while-T1-active | 13 |
The template self-rejects (exit 3) — it cannot become a designation. The escrow validator's own taxonomy: 2 absent · 3 pointer/schema · 4 no-regen · 5 vector-KB · 6 local-claims-authority · 7 byte-exact mismatch · 8 secret token · 9 invented root.
Byte-exact vs functional (shown live)
exit_codes.jsonis byte-exact (2a5f8e29…) — recomputed and rejected on mismatch.- Probe
.logfiles are functional — byte drift frommktemppaths is allowed and disclosed.
The standing blocker it preserves
V02-PB-NVSZ-1 — no designated no-vector root; owner/operator only. Until then
raw evidence stays local + hashed + regenerable (honest interim). The base layer
packages this as policy and a dry-run; it never designates the root.