KB-4796

Action-Ready Blocker after Phase 2 Execution-Substrate close — 2026-06-10



Final status: APPROVED_CI_OR_OPERATOR_PACKET_READY (terminal state B) · Date: 2026-06-10 · Production mutation: NO · Codex: NO · Mac-local evidence: NO

The whole Phase 2 execution-substrate + offline-MVP path was driven end-to-end, and it does not end in a vague blocker. Two complete execution packets with no design work remaining are ready; the only residual is a single owner authorization plus a human or CI trigger.

Blocker record

| Field | Value |
|---|---|
| Blocker ID | B4_PRIME_AUTHORIZATION_AND_EXECUTION_REQUIRED (narrowed from the 06-09 B4_PRIME_OPERATOR_ACTION_REQUIRED) |
| Class | OWNER_AUTHORITY + EXECUTION_PERMISSION (no engineering or design ambiguity) |
| Evidence | VPS list_docker reports 11 containers up; the Docker socket is read-only by design (tool contract) and the VPS toolset exposes no run/create/exec/shell; local gh auth status shows Huyen1974 authenticated with scopes workflow, repo; /Users/nmhuyen is not a git repo; no project repo exists for tool-kiem-thu |
| Routes inspected | Route 1 direct-VPS-agent (rejected: read-only socket) · Route 2 CI/GitHub Actions (prepared, primary) · Route 3 operator-VPS (prepared, fallback) · Route 4 design-repair (rejected: no defect) · Route 5 true-blocker (rejected: a safe path exists) · plus S2 VPS-SSH, S5 Mac-Bash, S6 computer-use, S10 agent-api-executor, all rejected with reasons (see route-decision report, Track 2) |
| Why it blocks | B4′ PASS requires running the 12 §6 probes inside a real deny-by-default container on an approved venue and returning the §7 bundle. The agent has no agent-facing container create/exec/shell on any approved venue. Without B4′ PASS, the MVP's P1/L3 self-check fails closed to BLOCKED/exit 3 and ~11 of 45 acceptance tests (#25/#27/#28/#29/#33/#34/#35/#37 + sib) cannot pass, so the MVP build is correctly gated |
| Exact next action | Owner authorizes one venue: CI-A (create the private repo Huyen1974/tki-sandbox-attest, which publishes the harness) · CI-B (designate an existing approved repo/runner) · VPS operator. Then trigger the matching packet |
| Who/what is needed | Owner (authorization) plus a human with a gh trigger (CI) or a human with VPS Docker permission (operator). Then a follow-up agent (read-only verification) |
| Blocks build or acceptance | Both (the build is gated on B4′ PASS; ~11 L1 acceptance tests need the attested sandbox) |
| Artifact ready for next actor | CI: planning/ci-sandbox-attestation-workflow-draft-2026-06-10.md + checkpoints/ci-attestation-packet-phase2-sandbox-2026-06-10.md. Operator: checkpoints/operator-execution-packet-phase2-sandbox-final-2026-06-10.md. Verify-then-build: §7 bundle → matrix #24–#37 → gated build prompt |
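The "Why it blocks" row rests on one design property: the P1/L3 self-check fails closed, so a missing, partial, or malformed attestation bundle must land in BLOCKED/exit 3 and never in PASS. The block below is an added illustration of that gate and of two sandbox probes of the kind a deny-by-default check would run; it is not the project's §6 harness or §7 emitter. The probe identifiers P01..P12, the venue labels, and the JSON bundle layout are assumptions (the page names neither the probes nor the bundle schema), and the /proc snapshots are constructed sample data.

```python
"""Fail-closed attestation gate over a §7-style evidence bundle.

Illustrative code added to this record; not the project's §6 probe harness
or §7 emitter. Probe IDs, venue names and the bundle layout are assumptions.
"""
import json

# Assumed: the page says there are 12 §6 probes but does not name them.
REQUIRED_PROBES = tuple(f"P{n:02d}" for n in range(1, 13))
# Assumed venue labels for CI-A, CI-B and the VPS operator route.
APPROVED_VENUES = frozenset({"ci-a", "ci-b", "vps-operator"})
BLOCKED = ("BLOCKED", 3)   # from the page: self-check fails closed to BLOCKED/exit 3
PASSED = ("PASS", 0)


def caps_are_empty(proc_status: str) -> bool:
    """Example probe: the effective capability set in /proc/self/status is all zero.
    A missing CapEff line proves nothing, so it counts as a failure."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16) == 0
    return False


def rootfs_is_readonly(proc_mounts: str) -> bool:
    """Example probe: the root mount in /proc/mounts carries the 'ro' option."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "ro" in fields[3].split(",")
    return False


def gate(bundle_json):
    """Return (status, exit_code). Only a bundle from an approved venue whose
    probe table is exactly the required set with every entry == "PASS" yields
    PASS; anything else, including absent or malformed input, is BLOCKED."""
    if bundle_json is None:
        return BLOCKED
    try:
        bundle = json.loads(bundle_json)
        if bundle.get("venue") not in APPROVED_VENUES:
            return BLOCKED
        results = bundle["probes"]
        if set(results) != set(REQUIRED_PROBES):      # no missing and no extra rows
            return BLOCKED
        if any(results[pid] != "PASS" for pid in REQUIRED_PROBES):
            return BLOCKED                              # "pass", True, None all rejected
    except (ValueError, TypeError, KeyError, AttributeError):
        return BLOCKED                                  # parse/shape errors fail closed
    return PASSED


def make_bundle(venue, overrides=None) -> str:
    """Construct a sample bundle (test data, not real evidence)."""
    probes = {pid: "PASS" for pid in REQUIRED_PROBES}
    probes.update(overrides or {})
    return json.dumps({"venue": venue, "probes": probes})


# Constructed /proc snapshots standing in for what a probe would read in-container.
SANDBOXED_STATUS = "Name:\tsh\nUid:\t65534\t65534\t65534\t65534\nCapEff:\t0000000000000000\n"
HOST_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
RO_MOUNTS = "overlay / overlay ro,relatime 0 0\nproc /proc proc rw,nosuid,nodev 0 0\n"
RW_MOUNTS = "overlay / overlay rw,relatime 0 0\n"

if __name__ == "__main__":
    print("caps empty (sandboxed):", caps_are_empty(SANDBOXED_STATUS))
    print("caps empty (host):", caps_are_empty(HOST_STATUS))
    print("rootfs ro:", rootfs_is_readonly(RO_MOUNTS), rootfs_is_readonly(RW_MOUNTS))
    print("full PASS bundle:", gate(make_bundle("ci-a")))
    print("one probe FAIL:", gate(make_bundle("ci-a", {"P07": "FAIL"})))
    print("unapproved venue:", gate(make_bundle("laptop")))
    print("no bundle:", gate(None))
```

The point of the gate is that every branch other than the one fully verified path returns BLOCKED, including the exception handler: a bundle that is not valid JSON, that carries an extra or missing probe row, or that spells a result as "pass" instead of "PASS" is treated exactly like no bundle at all, which is what lets the MVP build stay correctly gated until a real §7 bundle from an approved venue arrives.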

What advanced this run (not a restatement)

  • Reclassified: missing host Docker → missing authorized execution substrate/trigger (Docker exists, read-only by design).
  • Discovered the CI route is technically reachable (gh authenticated, workflow scope) and authored a turnkey workflow + 12-probe harness + §7 evidence emitter — converting the operator's hardest prerequisite (live VPS docker run) into "authorize repo → click Run → download artifact."
  • Left two co-ready packets (CI primary, operator fallback) instead of one operator-only packet.

Single safe next step

Owner picks one venue (CI-A/CI-B/operator). Nothing else is needed to obtain B4′ evidence.

Source path: knowledge/dev/laws/tool-kiem-thu/checkpoints/action-ready-blocker-after-phase2-execution-substrate-2026-06-10.md