Checkpoint — Phase 2 + Phase 3 CI/Operator Route — 2026-06-10
Date: 2026-06-10 · Final status: PHASE2_AND_PHASE3_PASS
Production mutation: NO · Codex: NO · Mac-local evidence: NO · New repo: YES (1, authorized) · Production repo: NO · Article 13: PASS · Article 14: PASS
Scope
Program macro PROGRAM_MACRO_CLOSE_PHASE2_AND_PHASE3_OFFLINE_MVP_VIA_APPROVED_CI_OR_OPERATOR_2026_06_10: close Phase 2 + Phase 3 end-to-end on an approved CI/operator venue, or leave a true action-ready blocker. Closed PASS. Read-only on governed surfaces except KB doc writes (the 15 deliverables) + one authorized dedicated private repo.
What happened (the unblock)
The residual blocker was missing authorized execution substrate. Verification found both pre-authorized repos (agent-data-test, chatgpt-githubnew) unsafe as a disposable venue: they auto-trigger entangled cloud CI (terraform-plan with real GCP secrets, deploy/secret-sync jobs) on any branch push, which cannot be suppressed, and I was not authorized to disable their CI. That inverted a premise of the macro, so the owner was asked the one load-bearing venue decision and authorized route CI-C: exactly one dedicated, empty, private repo Huyen1974/tool-kiem-thu-ci (no secrets, no GCP/WIF, no terraform/deploy, no prod link, GitHub-hosted ephemeral runner only).
Results (all real CI runs)
- B4′ (run 27247749834): 12/12 probes PASS. Surfaced and handled a real defect: the strict §5 seccomp profile denies execve, which prevents the container from starting under runc (run 27247543884: exit 255) — attested via a startup-safe variant; "no subprocess" rests on distroless no-shell. Also fixed a host/out ownership crash. No fake-green.
- Phase 2 MVP (run 27248508492): ip_dot_inspector built (distroless, stdlib-only, no network/PG/KB-write/gate); build-guard: NO_BUILD_GUARD_VIOLATION; 31/31 acceptance/negative tests; ran inside the deny-by-default container → exit 1, READ_LEVEL_FAIL, decision_effect=NONE, production_mutation=false, writes = local triplet.
- Phase 3 FIX7 pilot (same run): caught the Recheck-8 adequacy class (C1/C5/C2×2/C8/C4); proves_execution=false, proves_global_absence=false; existence sub-verdict NOT_EVIDENCED_IN_ALLOWED_SURFACES (scoped, not "does not exist"). Did not run FIX7 / FS-DOT / IU / detectors / hash recompute.
- Matrix binding PASS; cleanup RETAINED (documented); Article 13/14 PASS.
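As an added illustration of the seccomp finding in B4′ (not code from this checkpoint's harness or the dedicated repo): a small linter for an OCI/Docker-style seccomp profile that reports whether execve/execveat is effectively allowed, since runc installs the filter before exec'ing the container entrypoint, and derives a startup-safe variant that leaves "no subprocess" to the distroless/no-shell image. The precedence rule (explicit deny wins, then the first rule naming the syscall, then defaultAction) is a simplifying assumption, and the sample profile is constructed.

```python
import copy

# Simplifying assumption for this linter: an explicit deny rule naming a
# syscall wins; otherwise the first rule naming it applies, else defaultAction.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}
EXEC_SYSCALLS = ("execve", "execveat")


def effective_action(profile: dict, name: str) -> str:
    """Resolve the action the profile applies to one syscall name."""
    matching = [r for r in profile.get("syscalls", []) if name in r.get("names", [])]
    for rule in matching:
        if rule["action"] in DENY_ACTIONS:
            return rule["action"]
    if matching:
        return matching[0]["action"]
    return profile.get("defaultAction", "SCMP_ACT_ERRNO")


def startup_blocked(profile: dict) -> list:
    """Exec syscalls the profile denies. Non-empty means runc cannot exec the
    container entrypoint at all (the filter is installed before that exec)."""
    return [s for s in EXEC_SYSCALLS if effective_action(profile, s) in DENY_ACTIONS]


def startup_safe_variant(profile: dict) -> dict:
    """Return a copy that allowlists execve/execveat and strips them from deny
    rules (dropping rules left with no names). 'No subprocess' is then a
    structural property of a distroless/no-shell image, not of seccomp."""
    safe = copy.deepcopy(profile)
    rules = []
    for rule in safe.get("syscalls", []):
        if rule["action"] in DENY_ACTIONS:
            rule["names"] = [n for n in rule["names"] if n not in EXEC_SYSCALLS]
        if rule["names"]:
            rules.append(rule)
    rules.append({"names": list(EXEC_SYSCALLS), "action": "SCMP_ACT_ALLOW"})
    safe["syscalls"] = rules
    return safe


# Constructed strict profile: deny-by-default with an explicit kill on execve.
STRICT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "mmap", "brk"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["execve"], "action": "SCMP_ACT_KILL_PROCESS"},
    ],
}
```

`startup_blocked(STRICT_PROFILE)` names both exec syscalls, which is the class of profile that produced the exit-255 start failure; the variant returned by `startup_safe_variant` passes the check while keeping every other deny.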
Deliverables (KB)
reports/phase2-phase3-ci-operator-route-execution-report-2026-06-10.{md,json} · planning/ci-phase2-phase3-workflow-and-harness-packet-2026-06-10.md · reports/b4-prime-sandbox-attestation-evidence-2026-06-10.{md,json} + raw-log-index · reports/phase2-offline-mvp-execution-report-2026-06-10.{md,json} + acceptance-matrix-binding + raw-log-index · reports/phase3-fix7-read-report-pilot-execution-report-2026-06-10.{md,json} + raw-log-index · this checkpoint · 00-index rev84→85.
Honest caveats / what is NOT claimed
- The attested seccomp profile allows execve (strict execve-deny is structurally unrunnable); no-subprocess is structural (distroless), not seccomp-on-execve. Recorded as a finding, not a PASS.
- The MVP consumes a fixture governed packet; the real governed export step (B7 / #32 / D9), the server-enforced KB report-writer (D10), and any downstream gate-consumer (D11) remain deferred — not built.
- Codex was NOT consulted (waiver scope). Real sandbox/test/tool evidence now exists, so an optional later Codex external seal is permitted (B0‴ = owner disposition).
- The dedicated repo is retained (private, inert); owner may delete anytime: gh repo delete Huyen1974/tool-kiem-thu-ci --yes.
Next safe step
Optional Codex external seal of this real evidence; otherwise the next functional increment is the B7 governed export-step contract so the MVP consumes a governed packet instead of a fixture.