CI Attestation Packet (B4′) — Phase 2 Sandbox
Status: CI_ATTESTATION_PACKET_READY · Date: 2026-06-10 · Venue: GitHub-hosted ephemeral runner (NON-Mac-local) · Production mutation: NONE · Codex: NO
Action-ready packet. Pairs with the workflow draft planning/ci-sandbox-attestation-workflow-draft-2026-06-10.md (the files) and the route-decision report reports/phase2-execution-substrate-and-route-decision-2026-06-10.md. No design work remains for the next actor — only an owner authorization and a trigger.
1. Precondition (owner-only decision)
Authorize exactly one:
- CI-A — create a private repo Huyen1974/tki-sandbox-attest for attestation. ⚠ This publishes the harness files to GitHub (outward-facing). The gh CLI is already authenticated as Huyen1974 (scope repo+workflow).
- CI-B — designate an existing approved repo/CI runner inside the governed system.
Until one is authorized, do not apply. No external publish has occurred.
2. Apply (exact)
Drop the 4 files from the workflow draft §1 into the authorized repo root:
.github/workflows/b4-prime-sandbox-attestation.yml, Dockerfile.sandbox, seccomp-deny-by-default.json, inspector/main.py. Verbatim contents in the draft §2/§4/§5/§6.
3. Trigger (exact)
gh workflow run "B4' Sandbox Attestation (deny-by-default)" -f run_date=2026-06-10
gh run list --workflow "b4-prime-sandbox-attestation.yml" -L 1 # get <run-id>
gh run watch <run-id>
No push/pr trigger exists → the workflow only runs when explicitly dispatched. Runner = ubuntu-latest (ephemeral, single-use, Docker preinstalled, not Mac-local).
4. Collect (exact)
gh run download <run-id> -n b4-prime-sandbox-attestation-evidence
# -> sandbox-attestation-evidence-ci-2026-06-10.json (+ sandbox-attestation-inside.json)
Return it to KB reports/sandbox-attestation-evidence-ci-2026-06-10.json or VPS /opt/incomex/docs/mcp-writes/sandbox-attestation-ci-2026-06-10.json.
5. Expected outputs (the §7 evidence contract)
Per probe: probe_id, operation, expected, actual_stderr_or_value, errno_or_exit, verdict, artifact_path. Top-level: venue:"CI", venue_identity{platform,runner_os,github_run_id,not_mac_local:true}, image_digest, seccomp_sha256, runtime. raw.{mountinfo, env_keyset, proc_net_dev}. The 12 probes and their expected errnos (EPERM(1)/ENETUNREACH(101)/EAFNOSUPPORT(97)/EROFS(30)/EACCES(13)) are in the draft §6/§7. A correct attestation has PR-FS-OUT-OK = PASS (positive control) and every boundary probe = PASS.
6. Evidence bundle contract → B4′ closure
A follow-up agent reads the bundle read-only, confirms actual == expected for every probe, binds each to rev4 matrix #24–#37, and only then asserts B4′ acceptance. PR-PTRACE-1 may legitimately return UNVERIFIED (libc unloadable in distroless) — that is honest, not a FAIL, but must be re-attested under the §4b hardened profile before final acceptance if required by the verifier.
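Added example, not part of this packet or the project's verifier: a minimal read-only check of the §6 acceptance rule that recomputes each PASS instead of trusting the verdict field. It assumes the probe records sit under a top-level `probes` key and that `expected` and `errno_or_exit` are directly comparable; the `PR-SAMPLE-*` ids and all sample values are constructed placeholders.

```python
# Added example: read-only acceptance check over the evidence bundle.
POSITIVE_CONTROL = "PR-FS-OUT-OK"      # named on the page
MAY_BE_UNVERIFIED = {"PR-PTRACE-1"}    # named on the page
PROBE_COUNT = 12                       # "the 12 probes"
PROBES_KEY = "probes"                  # ASSUMPTION: key name is not given on the page

def verify_bundle(bundle):
    """Return (status, findings); status is ACCEPT, REATTEST or REJECT."""
    findings, reattest = [], []
    ident = bundle.get("venue_identity", {})
    if bundle.get("venue") != "CI" or ident.get("not_mac_local") is not True:
        findings.append("venue is not a non-Mac-local CI run")
    for key in ("image_digest", "seccomp_sha256", "runtime"):
        if not bundle.get(key):
            findings.append(f"missing top-level field: {key}")
    plist = bundle.get(PROBES_KEY, [])
    probes = {p.get("probe_id"): p for p in plist}
    if len(plist) != PROBE_COUNT or len(probes) != PROBE_COUNT:
        findings.append(f"need {PROBE_COUNT} distinct probes, got {len(plist)}")
    if POSITIVE_CONTROL not in probes:
        findings.append("positive control missing")
    for pid, p in probes.items():
        verdict = p.get("verdict")
        if verdict == "UNVERIFIED" and pid in MAY_BE_UNVERIFIED:
            reattest.append(f"{pid}: UNVERIFIED, re-attest under hardened profile")
        elif verdict != "PASS":
            findings.append(f"{pid}: verdict {verdict!r}")
        # ASSUMPTION: `expected` and `errno_or_exit` are directly comparable,
        # so a PASS is recomputed rather than trusted.
        elif "expected" not in p or p["expected"] != p.get("errno_or_exit"):
            findings.append(f"{pid}: PASS claimed but actual != expected")
    if findings:
        return "REJECT", findings
    return ("REATTEST", reattest) if reattest else ("ACCEPT", [])

def sample_bundle():
    """Constructed sample; PR-SAMPLE-* ids and all values are placeholders."""
    ids = [POSITIVE_CONTROL, "PR-PTRACE-1"] + [f"PR-SAMPLE-{i:02d}" for i in range(10)]
    probes = [{"probe_id": i, "expected": 1, "errno_or_exit": 1, "verdict": "PASS"} for i in ids]
    probes[0].update(expected=0, errno_or_exit=0)   # positive control succeeds
    return {"venue": "CI", "venue_identity": {"not_mac_local": True},
            "image_digest": "sha256:PLACEHOLDER", "seccomp_sha256": "PLACEHOLDER",
            "runtime": "PLACEHOLDER", PROBES_KEY: probes}

if __name__ == "__main__":
    print(verify_bundle(sample_bundle()))
```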
7. No-production-mutation guarantees
- Manual-dispatch only; permissions: contents:read; no packages/id-token write.
- Runs entirely on a throwaway GitHub VM; docker run --rm; VM destroyed at job end.
- Touches nothing on the VPS, PG, Directus, registry, or system_issues.
- --network none, --read-only, --cap-drop ALL, --security-opt no-new-privileges, seccomp deny-list, no docker.sock, no host mounts.
8. Cleanup
None required (single-use VM + --rm). Artifact auto-expires (retention 30d). If CI-A repo was created and is no longer needed, the owner may gh repo delete Huyen1974/tki-sandbox-attest (owner action only).
9. Honesty (Article 14)
Produces no B4′ PASS by itself; PASS exists only after a real run + read-only verification. The "approved" status of the hosted runner is the owner's determination. This packet is evidence/design, not authority.