KB-7ED0

Checkpoint — Sandbox Attestation Phase-2 Offline MVP (SANDBOX_ATTESTATION_PARTIAL)

Revision 1
Tags: tool-kiem-thu, checkpoint, sandbox-attestation, B4-prime, partial, phase2-offline-mvp, 2026-06-09

Macro: PROGRAM_MACRO_PROVISION_AND_ATTEST_DENY_BY_DEFAULT_SANDBOX_FOR_PHASE2_OFFLINE_MVP_2026_06_09
Date: 2026-06-09
Final status: SANDBOX_ATTESTATION_PARTIAL — operator action required.
B4′: BLOCKED (sandbox specified + reproducible, not attested).
MVP build: must not run.
Production mutation: NO · Codex consulted: NO · Install/system mutation: NO · Container created by Claude: NO

What this session did

Closed the sandbox-provisioning layer as far as a read-only agent honestly can: authored a complete, reproducible deny-by-default sandbox profile and a command-level operator blocker packet, and held B4′ BLOCKED because no agent execution surface can run/attest a sandbox.

Decisive constraint (why PARTIAL, not READY)

  • VPS governed Docker = read-only by design (list_docker socket RO; no run/exec/create tool; write_file text-only). Cannot create/run a container on the host.
  • Mac-local Docker daemon not running; and per owner direction (2026-06-09), a Mac-local/ephemeral attestation is NOT an acceptable B4′ substitute (Article-14 venue-confusion). Target venue = VPS throwaway container (Option B) or approved CI runner (Option D).
  • The rev4/operator-packet architecture is operator-provisions → agent-verifies; the agent does not run the sandbox.

Owner waiver applied

B0‴ (Codex rev4 re-seal) WAIVED for this limited scope only (Phase-2 offline-MVP prototype prep). Honored: no production mutation, no live KB/PG read, no KB write, no Directus/registry/system_issues mutation, no gate consumer, no proof-of-run/execution surface. The waiver does not cover B4′.

Runtime discovery verdict

Docker runtime present on host (11 containers, governed list_docker), no install needed, but not agent-reachable for provisioning → operator resource action.

Documents created (this session)

  1. designs/deny-by-default-sandbox-profile-phase2-offline-mvp-2026-06-09.md — reproducible profile (Dockerfile, seccomp 4a/4b, exact docker run, probes §6, evidence schema §7, Podman/bwrap fallbacks).
  2. reports/sandbox-host-attestation-for-phase2-offline-mvp-2026-06-09.md — attestation report, 7 tracks, PARTIAL.
  3. reports/sandbox-host-attestation-for-phase2-offline-mvp-2026-06-09.json — machine mirror.
  4. checkpoints/operator-blocker-packet-sandbox-attestation-2026-06-09.md — command-level operator packet (VPS/CI venue).
  5. checkpoints/checkpoint-sandbox-attestation-phase2-offline-mvp-2026-06-09.md — this checkpoint.
  6. 00-index.md — updated (rev78).

Not created: build-prompt v2 (…-v2…) — conditional on attestation, which did not occur. The gated build prompt's hard precondition 2 remains UNMET.

Audits

  • Article 13: PASS (KB-first; runtime from governed list_docker; artifacts evidence-only; no shadow SSOT).
  • Article 14: PASS (no prose-only PASS; every claim evidenced; no fake-green; no unsupported build authorization; no hidden mutation; venue honesty preserved).

Remaining blockers

  • B4′ (load-bearing, BLOCKED): operator runs the profile §5–§6 on VPS/approved CI runner and returns §7 evidence → gates build acceptance.
  • B0‴ (parallel, WAIVED this scope): Codex re-seal usable later once sandbox/test evidence exists.

Minimal safe next step (exactly one)

Operator runs checkpoints/operator-blocker-packet-sandbox-attestation-2026-06-09.md on the VPS throwaway container or approved CI runner and returns the §7 attestation evidence bundle. A follow-up agent then verifies it read-only and binds it to matrix #24–#37 before any B4′ acceptance. Do not run the MVP build until then. Do not use Mac-local evidence.

knowledge/dev/laws/tool-kiem-thu/checkpoints/checkpoint-sandbox-attestation-phase2-offline-mvp-2026-06-09.md