KB-5B6F

Checkpoint — Sandbox Feasibility + Phase-2 Build-Go (Decision B)

Revision 1

Checkpoint — Sandbox Feasibility + Phase-2 Build-Go Decision

Macro: PROGRAM_MACRO_SANDBOX_FEASIBILITY_AND_PHASE2_BUILD_GO_DECISION_4RO_2026_06_09 · 2026-06-09
Final status: SANDBOX_DECISION_READY · Build-go: B — BUILD_PROMPT_READY_BUT_OPERATOR_SANDBOX_ACTION_REQUIRED
Production mutation: NO · Codex consulted: NO · Install: NO · Sandbox created: NO · Owner/operator decision faked: NO

What this session did

Closed the sandbox-feasibility + Phase-2 build-go decision layer end-to-end, reclassifying the prior INTERNAL_PROOF_PARTIAL / TRUE_BLOCKER determination. Read all 6 required docs in full from KB (SSOT). Took one read-only governed-native evidence read (list_docker) that materially changed the picture.

Decisive evidence (governed-native, read-only)

mcp__claude_ai_Incomex_VPS__list_docker: Docker runtime already deployed + 11 live containers on the host, including an ephemeral test container pg-restore-test-20260520T031054Z. A deny-by-default container (--network none, RO/WO mounts, seccomp, no-new-privileges) is realizable on the existing runtime — no new install. This removes the "impossible / true-blocker" reading of B-EXT-1.
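As an added illustration (not part of this checkpoint, the operator packet or the build prompt), a small attestation check over `docker inspect` output for the deny-by-default profile listed above; the container names, mount destinations, seccomp profile path and the extra CapDrop guard are assumed/constructed.

```python
"""Attestation helper (added example, not from the checkpoint): checks
`docker inspect` records for the deny-by-default profile named in the
evidence read: --network none, read-only rootfs/input mounts with one
write-only output mount, an explicit seccomp profile, no-new-privileges.
Sample records below are constructed, not captured from the host."""
import json

REQUIRED_SECOPTS = ("no-new-privileges", "seccomp=")  # assumed: explicit profile required


def check_deny_by_default(container: dict, allowed_rw_dests=("/out",)) -> list[str]:
    """Return the list of profile violations; an empty list means the profile holds."""
    host = container.get("HostConfig", {})
    violations = []
    if host.get("NetworkMode") != "none":
        violations.append(f"network mode is {host.get('NetworkMode')!r}, expected 'none'")
    secopts = host.get("SecurityOpt") or []
    for needed in REQUIRED_SECOPTS:
        if not any(opt.startswith(needed) for opt in secopts):
            violations.append(f"SecurityOpt missing {needed!r}")
    if "seccomp=unconfined" in secopts:  # startswith('seccomp=') alone would accept this
        violations.append("seccomp explicitly unconfined")
    if not host.get("ReadonlyRootfs"):
        violations.append("root filesystem is writable")
    if host.get("Privileged"):
        violations.append("container is privileged")
    if "ALL" not in (host.get("CapDrop") or []):  # assumed extra guard, not on the page
        violations.append("capabilities not dropped (CapDrop lacks ALL)")
    for m in container.get("Mounts", []):  # only the output dir may be writable
        if m.get("RW") and m.get("Destination") not in allowed_rw_dests:
            violations.append(f"writable mount outside output dir: {m.get('Destination')}")
    return violations


def attest(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> violations for every record in `docker inspect` output."""
    return {c["Name"].lstrip("/"): check_deny_by_default(c) for c in json.loads(inspect_json)}


# Constructed sample in docker-inspect shape: one compliant harness container, one not.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/harness-deny", "HostConfig": {"NetworkMode": "none", "ReadonlyRootfs": True,
     "Privileged": False, "CapDrop": ["ALL"],
     "SecurityOpt": ["no-new-privileges", "seccomp=/etc/harness/seccomp.json"]},
     "Mounts": [{"Destination": "/in", "RW": False}, {"Destination": "/out", "RW": True}]},
    {"Name": "/scratch-test", "HostConfig": {"NetworkMode": "bridge", "ReadonlyRootfs": False,
     "Privileged": False, "SecurityOpt": []},
     "Mounts": [{"Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    for name, problems in attest(SAMPLE_INSPECT).items():
        print(name, "PASS" if not problems else "FAIL: " + "; ".join(problems))
```

Run it as `docker inspect <ids> | python3 attest.py` style input (read stdin instead of SAMPLE_INSPECT) to produce the B4′ attestation record.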

The reclassification (the substantive advance)

  • The deny-by-default sandbox guard harness (profile + L2/L3 guards + negatives) is build-scope code — authorable now. (rev4 itself: "provisioning the sandbox and passing the Track-7 negative tests … is part of MVP build scope (B4′).")
  • What remains is (i) an operator action to run the harness in a deny-by-default container and attest the L1 negatives (B4′ acceptance), on the already-present runtime; and (ii) the owner's disposition of B0‴ (honor → Codex, or waive with risk). Both narrow, both action-ready. Neither is a true blocker.
  • Prior "TRUE_BLOCKER" conflated authoring a build prompt (safe now) with accepting a built MVP (needs host) and predated the runtime-presence evidence.

Decisions

  • Sandbox option: B (Docker/Podman deny-by-default) primary; C (bubblewrap) co-equal fallback; D (CI) complementary venue. Reject A (in-process only) and F (no-sandbox) for acceptance.
  • Guard harness build-scope: PARTIAL — authorable now; acceptance gated on operator attestation.
  • Codex: not now — remaining blocker is engineering/testable; B0‴ owner-waivable.
  • Build-go: B. (Not A: owner/operator action stands before accepted build. Not C: understates that the gated build prompt is authorable now. Not D: engineering/testable. Not E: no design defect. Not F: safe path exists on the existing runtime.)

Documents created

  1. reports/sandbox-feasibility-and-phase2-build-go-decision-2026-06-09.md
  2. reports/sandbox-feasibility-and-phase2-build-go-decision-2026-06-09.json
  3. planning/build-offline-packet-mvp-with-guard-harness-program-macro-prompt-2026-06-09.md (GATED build prompt)
  4. checkpoints/operator-action-packet-sandbox-host-for-phase2-mvp-2026-06-09.md
  5. checkpoints/checkpoint-sandbox-feasibility-and-phase2-build-go-2026-06-09.md (this file)
  6. 00-index.md (updated)

No Codex packet (not D), no rev5 packet (not E), no true-blocker packet (not F).

Self-audit

Article 13 PASS · Article 14 PASS · KB-first/local-last PASS · no unsupported build-go PASS · no fake owner/operator/Codex PASS · no hidden mutation PASS · sandbox decision evidence-backed PASS · next step unambiguous PASS.

Remaining blockers (both action-ready; neither a true blocker)

  • B4′ (operator): run deny-by-default container per the operator packet; attest L1 negatives pass. Gates build acceptance.
  • B0‴ (owner): route rev4 to Codex OR waive with documented risk. Gates build execution.

Minimal safe next step

Owner disposes B0‴ and operator provisions and attests the §12.1 sandbox (Option B on the existing Docker runtime; C fallback). Then execute the gated build prompt. Do not build/install/mutate/create-sandbox/call-Codex before both clear.
