Final Operator Execution Packet (B4′) — Phase 2 Sandbox
Status: OPERATOR_EXECUTION_PACKET_FINAL_READY · Date: 2026-06-10 · Production mutation: NONE · Codex: NO · Mac-local: REJECTED
Consolidated, command-level packet. The canonical probe/run SSOT remains checkpoints/operator-blocker-packet-sandbox-attestation-2026-06-09.md and the profile designs/deny-by-default-sandbox-profile-phase2-offline-mvp-2026-06-09.md. This doc supersedes-by-reference (does not duplicate) by (a) confirming nothing changed in the run commands, (b) adding the CI alternative as the preferred lower-friction route, and (c) restating the venue rule after the 2026-06-10 substrate inventory. If anything here differs from the 06-09 canonical packet or the profile, those SSOTs win.
1. Venue rule (after 2026-06-10 inventory)
Approved venues, in preference order:
- CI hosted runner (preferred, lower friction) → use checkpoints/ci-attestation-packet-phase2-sandbox-2026-06-10.md.
- VPS throwaway --rm container (this packet) — a human with docker permission on the already-deployed VPS runtime (11 containers live). Do NOT reuse/modify any prod container/network/volume; create a fresh --rm container only.
- bwrap / rootless Podman equivalent (profile §5 fallback).
Rejected: Mac-local / Docker Desktop (owner direction; Article-14 venue-confusion). The agent itself cannot run any of these (VPS Docker socket is read-only by design; no run/create/exec/shell tool).
2. Files to place (verbatim sources)
- Dockerfile.sandbox — profile §3 / workflow draft §4.
- seccomp-deny-by-default.json — profile §4a / workflow draft §5.
- inspector/main.py — workflow draft §6 (the 12-probe harness, stdlib only).
3. Build + run (exact, §5 of the profile — unchanged)
docker build -f Dockerfile.sandbox -t tki-inspector:attest .
INPUT_DIR=$(mktemp -d); OUTPUT_DIR=$(mktemp -d)
echo '{"packet":"attestation-fixture"}' > "$INPUT_DIR/packet.json"; chmod -R a-w "$INPUT_DIR"
SECCOMP=$(pwd)/seccomp-deny-by-default.json
docker run --rm \
--name tki-sandbox-attest \
--network none \
--user 65532:65532 \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,nodev,size=16m \
--cap-drop ALL \
--security-opt no-new-privileges \
--security-opt seccomp="$SECCOMP" \
--pids-limit 64 \
--memory 256m --memory-swap 256m --cpus 1 \
--env-file /dev/null \
-v "$INPUT_DIR":/in:ro \
-v "$OUTPUT_DIR":/out:rw \
tki-inspector:attest --attest --run-date 2026-06-10
# capture metadata OUTSIDE the container:
docker image inspect tki-inspector:attest --format '{{.Id}}' # image_digest
sha256sum seccomp-deny-by-default.json # seccomp_sha256
docker --version # runtime
cat "$OUTPUT_DIR/sandbox-attestation-inside.json" # probes + raw
4. Probes & expected (12) — §3 table
- PR-NET-1: EPERM / ENETUNREACH / EAFNOSUPPORT
- PR-NET-2: ifaces = {lo}
- PR-SOCK-1: EPERM
- PR-ENV-1: no secret key
- PR-FS-RO-IN: EROFS
- PR-FS-ESC-1: EROFS
- PR-FS-ESC-2: EROFS / EACCES
- PR-FS-OUT-OK: succeeds (positive control)
- PR-EXEC-1: EPERM / ENOENT
- PR-MOUNT-1: rootfs ro, /in ro, /out rw, /tmp noexec
- PR-SOCK-DOCKER: absent
- PR-PTRACE-1: EPERM
#35 = PR-DYNIMPORT is build-time L2, not an OS probe.
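As an added illustration (not the page's inspector/main.py), a stdlib-only sketch of how a probe records its observed errno symbol and is judged against the §3 expected set; the function names and the secret-name heuristic used for PR-ENV-1 are this example's own assumptions, and the file/interface/env inputs are parameters so the same logic can be exercised outside the container.

```python
"""Added example: probe/expectation logic in the style of the 12-probe harness.
Probe ids and expected values follow the §3 table; function names and the
PR-ENV-1 name heuristic are assumptions of this example, not the page's code."""
import errno, os

EXPECTED = {  # page's probe ids -> acceptable observed results
    "PR-NET-2": {"lo"},
    "PR-ENV-1": {"absent"},
    "PR-FS-RO-IN": {"EROFS"},
    "PR-FS-ESC-2": {"EROFS", "EACCES"},
    "PR-FS-OUT-OK": {"OK"},
    "PR-SOCK-DOCKER": {"absent"},
}

def errname(exc):
    """Symbolic errno (EROFS, EPERM, ...) for an OSError, or 'errno=<n>' if unknown."""
    return errno.errorcode.get(exc.errno, f"errno={exc.errno}")

def probe_write(directory):
    """PR-FS-RO-IN / PR-FS-ESC-* / PR-FS-OUT-OK: try to create a file in `directory`."""
    try:
        with open(os.path.join(directory, "probe.txt"), "w") as fh:
            fh.write("probe\n")
        return "OK"
    except OSError as exc:
        return errname(exc)

def probe_ifaces(proc_net_dev="/proc/net/dev"):
    """PR-NET-2: interface names from /proc/net/dev, sorted and comma-joined ('lo' expected)."""
    with open(proc_net_dev) as fh:
        names = [ln.split(":")[0].strip() for ln in fh.read().splitlines()[2:] if ":" in ln]
    return ",".join(sorted(names))

def probe_env(env=os.environ, markers=("SECRET", "TOKEN", "PASSWORD", "KEY")):
    """PR-ENV-1: no secret-looking variable names may be present (marker list is assumed)."""
    leaked = sorted(k for k in env if any(m in k.upper() for m in markers))
    return "absent" if not leaked else "present:" + ",".join(leaked)

def probe_docker_sock(path="/var/run/docker.sock"):
    """PR-SOCK-DOCKER: the host Docker socket must not be reachable inside the sandbox."""
    return "present" if os.path.exists(path) else "absent"

def evaluate(probe_id, observed):
    """One result row: pass only if the observed value is in the probe's expected set."""
    exp = EXPECTED[probe_id]
    return {"id": probe_id, "observed": observed, "expected": sorted(exp), "pass": observed in exp}
```

Inside the container each row is collected into the probes section of sandbox-attestation-inside.json; a single failed row (for example PR-FS-RO-IN observing "OK") means the venue is not the deny-by-default profile and the bundle must not be returned as evidence.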
5. Evidence bundle (§7) → return + closure
Merge probe output with venue:"VPS", venue_identity (hostname/uname -a proving NOT Mac), image_digest, seccomp_sha256, runtime, raw.{mountinfo,env_keyset,proc_net_dev}. Return to KB reports/sandbox-attestation-evidence-vps-2026-06-10.json or VPS /opt/incomex/docs/mcp-writes/sandbox-attestation-vps-2026-06-10.json. A follow-up agent verifies read-only vs rev4 matrix #24–#37, then asserts B4′ acceptance and runs the gated build prompt.
6. Cleanup
docker run --rm auto-removes the container; rm -rf "$INPUT_DIR" "$OUTPUT_DIR". Optionally docker rmi tki-inspector:attest. Do not touch any prod container/network/volume.
7. Risk if waived (from 06-09 §6)
Waiving B4′ yields a refusing MVP: rev4 P1/L3 self-check fails closed to BLOCKED/exit 3 — an unusable prototype, not an accepted one. Do not waive.