KB-7359

Offline MVP Governed-Packet Consumption Contract — tool-kiem-thu (2026-06-10)



Status: MVP_GOVERNED_PACKET_CONSUMPTION_CONTRACT_DESIGN_COMPLETE · Date: 2026-06-10
Article 13/14: offline; native-derived input only; packet is evidence input, not authority; fail-closed; no fake-green.

Defines how the already-built offline ip_dot_inspector (Phase 2, reports/phase2-offline-mvp-execution-report-2026-06-10.md) consumes a §b7-governed-packet/v1 packet without gaining any live authority. The MVP is unchanged in capability — this contract pins the boundary and the per-item handling. It swaps the Phase-2 fixture packet for a governed packet of the same schema, so no MVP code change is required to begin consuming governed packets.


1. Hard boundary (unchanged from Phase 2, re-affirmed)

The MVP consumes the packet only, from the read-only /in mount, and writes the local report triplet to the write-only /out mount. It has NO live KB read, NO live PG read, NO PG driver, NO network, NO KB writer, NO secret, NO subprocess, NO dynamic import. Proven structurally by the B4′ deny-by-default container (reports/b4-prime-sandbox-attestation-evidence-2026-06-10.md, 12/12) + L2 build-guard. This contract adds no capability to the MVP.

allowed_actions ⊆ {READ_PACKET_ITEM, WRITE_LOCAL_REPORT} — that is all.

2. Input acceptance

The MVP accepts a packet iff:

  • schema == "b7-governed-packet/v1", all packet-level required fields present (else BLOCKED, exit 3, before any item read);
  • source_mode == "PACKET_DERIVED" and decision_effect == "NONE" and may_gate == false;
  • the P1 capability/sandbox self-check passes (network unreachable, exactly the two mounts, scrubbed env). If P1 cannot confirm the sandbox invariants ⇒ BLOCKED (exit 3) before any read (rev4 §12.4; matrix I11).

3. Per-item handling

Condition                                                  | Verdict
-----------------------------------------------------------+--------------------------------------------------------------------
Full source_metadata, governed surface, hash matches       | item usable as evidence
Missing any source_metadata field                          | NOT_EVIDENCED_IN_ALLOWED_SURFACES (held out)
governed_surface is a local path                           | FLAG_LOCAL_FIRST_AUTHORITY ⇒ FAIL, prefer KB/PG
content_hash mismatch / manifest_hash mismatch             | BLOCKED_BY_UNSAFE_ACCESS / CONTRACT_VIOLATION (tamper)
authority_status ∈ {review-ready, draft} used as binding   | FLAG_AUTHORITY_VIOLATION
diagnostic item used to override canonical                 | READ_LEVEL_FAIL (Domain D)
any raw-SQL / sql field present in a packet item           | CONTRACT_VIOLATION_IN_DESIGN (packets carry named_query_id only)

The MVP never executes named_query_id/sql; it treats them as provenance labels only (it holds no driver — §1).

4. Freshness / staleness gate

The MVP keys on packet_as_of. An item or packet older than the consumer's configured max age ⇒ BLOCKED_BY_UNVERIFIED_SOURCE + marked stale; never silently used. (No live re-read to refresh — that would breach §1; refresh is a new export.)

5. Fail-closed

Missing/unprovenanced/stale/tampered ⇒ stop or hold out the item; the run degrades to BLOCKED/UNVERIFIED/READ_LEVEL_FAIL. No path produces a green verdict or exit 0 (enforced by the verdict engine + build-guard, Phase 2 §5).
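To make §2 to §5 concrete, here is an added illustration in Python of the acceptance gate, the per-item verdict table and the staleness gate, ending in the fail-closed exit codes. It is example code written for this page, not the project's ip_dot_inspector, its packet_loader or provenance gate G10. Assumed, because the contract does not specify them: the packet-level required-field set, the sha256-over-canonical-JSON rule for content_hash, the item fields use, kind and overrides, the USABLE_AS_EVIDENCE label for the "usable as evidence" row, and exit code 1 for a completed evidence-only run (the contract fixes only exit 3 for BLOCKED and that no path exits 0). The sample packet is constructed, not a real export.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Verdict labels and exit 3 are the contract's (§2-§5); USABLE_AS_EVIDENCE, exit 1,
# the hashing rule and item fields not named in the contract are this example's assumptions.
EXIT_BLOCKED = 3        # §2: BLOCKED before any item is read
EXIT_EVIDENCE_ONLY = 1  # assumed: completed evidence-only run; never 0 (§5, no fake-green)

USABLE = "USABLE_AS_EVIDENCE"
NOT_EVIDENCED = "NOT_EVIDENCED_IN_ALLOWED_SURFACES"
FLAG_LOCAL = "FLAG_LOCAL_FIRST_AUTHORITY"
TAMPER = "CONTRACT_VIOLATION"
FLAG_AUTHORITY = "FLAG_AUTHORITY_VIOLATION"
READ_LEVEL_FAIL = "READ_LEVEL_FAIL"
SQL_IN_DESIGN = "CONTRACT_VIOLATION_IN_DESIGN"
STALE = "BLOCKED_BY_UNVERIFIED_SOURCE"

PACKET_REQUIRED = ("schema", "source_mode", "decision_effect", "may_gate", "packet_as_of", "items")  # assumed set
META_REQUIRED = ("governed_surface", "named_query_id_or_kb_path", "observation_ts",
                 "source_revision", "content_hash")                                           # §7
NON_BINDING = {"review-ready", "draft"}
NOW = datetime(2026, 6, 10, 12, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible
MAX_AGE = timedelta(days=7)                            # the consumer's configured max age

def accept_packet(packet, sandbox_ok):
    """§2 acceptance gate, evaluated before any item is read. None = accepted, else the reason."""
    if not sandbox_ok:  # P1 could not confirm the sandbox invariants
        return "P1 sandbox self-check failed"
    missing = [f for f in PACKET_REQUIRED if f not in packet]
    if missing:
        return "missing packet fields: " + ",".join(missing)
    if packet["schema"] != "b7-governed-packet/v1":
        return "unexpected schema"
    if (packet["source_mode"] != "PACKET_DERIVED" or packet["decision_effect"] != "NONE"
            or packet["may_gate"] is not False):
        return "packet claims live or gating authority"
    return None

def content_hash(content):
    """Assumed rule: sha256 over canonical JSON of the item content."""
    canon = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def is_stale(ts_iso, now, max_age):
    return now - datetime.fromisoformat(ts_iso) > max_age

def classify_item(item, now, max_age, packet_stale):
    """§3 per-item handling, then the §4 staleness gate; exactly one verdict per item."""
    if "sql" in item or "raw_sql" in item:  # packets carry named_query_id only
        return SQL_IN_DESIGN
    meta = item.get("source_metadata") or {}
    if any(f not in meta for f in META_REQUIRED):
        return NOT_EVIDENCED  # held out, not failed
    if meta["governed_surface"].startswith(("/", "./", "file:")):
        return FLAG_LOCAL  # a local file is never first authority
    if content_hash(item.get("content")) != meta["content_hash"]:
        return TAMPER
    if meta.get("authority_status") in NON_BINDING and item.get("use") == "binding":
        return FLAG_AUTHORITY
    if item.get("kind") == "diagnostic" and item.get("overrides") == "canonical":
        return READ_LEVEL_FAIL
    if packet_stale or is_stale(meta["observation_ts"], now, max_age):
        return STALE  # marked stale, never silently used; refresh is a new export
    return USABLE

def consume(packet, sandbox_ok=True, now=NOW, max_age=MAX_AGE):
    """One run: (exit_code, report). The exit code is never 0 and the report never gates."""
    reason = accept_packet(packet, sandbox_ok)
    if reason is not None:
        return EXIT_BLOCKED, {"verdict": "BLOCKED", "reason": reason, "items": {}}
    packet_stale = is_stale(packet["packet_as_of"], now, max_age)
    verdicts = {it["id"]: classify_item(it, now, max_age, packet_stale) for it in packet["items"]}
    return EXIT_EVIDENCE_ONLY, {"verdict": "EVIDENCE_ONLY", "decision_effect": "NONE",
                                "may_gate": False, "production_mutation": False, "items": verdicts}

def sample_packet():
    """Constructed packet (not a real export) with one item per verdict row of §3 plus a stale one."""
    def meta(surface, ts, content, **extra):
        return {"governed_surface": surface, "named_query_id_or_kb_path": "nq.sample", "observation_ts": ts,
                "source_revision": "r1", "content_hash": content_hash(content), **extra}
    fresh, old, good, kb = "2026-06-10T08:00:00+00:00", "2026-05-01T08:00:00+00:00", {"k": 1}, "kb://laws/sample"
    items = [
        {"id": "ok", "content": good, "source_metadata": meta(kb, fresh, good)},
        {"id": "nometa", "content": good, "source_metadata": {"governed_surface": kb}},
        {"id": "local", "content": good, "source_metadata": meta("./cache/x.json", fresh, good)},
        {"id": "tamper", "content": {"k": 2}, "source_metadata": meta(kb, fresh, good)},
        {"id": "draft", "use": "binding", "content": good,
         "source_metadata": meta(kb, fresh, good, authority_status="draft")},
        {"id": "diag", "kind": "diagnostic", "overrides": "canonical", "content": good,
         "source_metadata": meta(kb, fresh, good)},
        {"id": "sql", "sql": "SELECT 1", "content": good, "source_metadata": meta(kb, fresh, good)},
        {"id": "stale", "content": good, "source_metadata": meta(kb, old, good)},
    ]
    return {"schema": "b7-governed-packet/v1", "source_mode": "PACKET_DERIVED", "decision_effect": "NONE",
            "may_gate": False, "packet_as_of": fresh, "items": items}

if __name__ == "__main__":
    code, report = consume(sample_packet())
    print(json.dumps(report, indent=2))
    raise SystemExit(code)  # exit 1 (evidence-only) or 3 (BLOCKED), never 0
```

Running the module prints the report and exits 1; a packet with may_gate=true, a wrong schema or an unconfirmed sandbox exits 3 before any item is classified. Checks run in table order after the structural SQL-field check, so each item receives exactly one verdict, and the staleness gate only ever sees items that already passed provenance; a stale packet_as_of marks every item stale rather than re-reading anything live.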

6. Output & authority

  • Writes only the local /out triplet (report.json, report.md, checkpoint-*.md). production_mutation=false.
  • The local report is evidence-only, non-authority regardless of location (rev4 §13/§16). Uploading it to KB is a separate human governed action; it does not make the MVP a KB writer (D10 deferred).
  • The report stays non-gating (decision_effect=NONE, may_gate=false) until a sealed downstream consumer/authority contract exists (D11 deferred).

7. Compatibility statement (no code change to begin)

The Phase-2 MVP already loads a packet with source_metadata = {governed_surface, named_query_id_or_kb_path, observation_ts, source_revision, content_hash} (its packet_loader + provenance gate G10). The §b7-governed-packet/v1 schema is a superset-compatible instance of that shape (adds authority_status, precedence, manifest_hash, surface_kind). Therefore the MVP can consume the governed packet produced 2026-06-10 without modification; the only additions are advisory checks (manifest_hash verification, authority_status enforcement) that can be added as a minor, non-capability-expanding hardening when the catalog is promoted. No live-access code is added.

8. What this contract does NOT authorize

  • It does not let the MVP read live KB/PG (B7 export step does that, separately).
  • It does not let the MVP write KB (D10).
  • It does not let the report gate/authorize anything (D11). These remain blocked; see checkpoints/action-ready-blocker-after-b7-governed-export-packet-2026-06-10.md.