KB-54C2

Implementation Package DOT v0.1 — Gap-only Scope Spec rev4 (machine-readable summary; offline packet, non-gating, deny-by-default sandbox, named-query export, local-output report; 2026-06-09)


{ "doc_kind": "gap_only_scope_spec_machine_mirror", "version": "rev4", "date": "2026-06-09", "status": "GAP_ONLY_SCOPE_SPEC_v0_1_REV4_READY_FOR_CODEX", "mvp_implementation_allowed": false, "supersedes": "designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev3-2026-06-09.json", "production_mutation": false, "note": "Design artifact, NOT a runtime schema. Evidence only, never authority, never a gate (KB-first/PG-first/local-last without faking it). Mirrors the rev4 .md spec.", "operating_rule": { "id": "KB_FIRST_PG_FIRST_NATIVE_DRIVEN_LOCAL_LAST_WITHOUT_FAKING_IT", "authority_sources": ["KB", "PG_backed_AgentData", "governed_native_surfaces"], "local_filesystem": "NOT_AUTHORITY_output_or_workspace_only", "every_fact_must_cite_governed_surface": true, "unprovable_via_governed_source": "NOT_EVIDENCED_IN_ALLOWED_SURFACES_or_BLOCKED", "honesty_clause": "DO NOT fake KB-first/PG-first by granting the tool unrestricted network/PG/local access. If a safe bounded channel is unproven, mark BLOCKED or consume a bounded governed export packet. KB-first/PG-first honored at the governed export step; provenance-first inside the tool." 
}, "codex_rev3_blockers_addressed": { "1_shadow_denial_authority": "non-gating non-global denial contract: decision_effect=NONE, may_gate=false, 5 bounded scoped verdicts, scope_of_denial mandatory, non-global disclaimer, FLAG_GLOBAL_DENIAL_WORDING, READ_LEVEL_FAIL redefined as 'not acceptable for PASS' not 'false'", "2_db_allowlist_not_process_egress": "offline MVP has NO network namespace; nothing to allowlist; control = run environment denies all egress (provisionable + testable)", "3_no_sandbox_secret_local_network": "deny-by-default sandbox: no network namespace, RO input mount only, WO output mount only, no home/etc/project tree, scrubbed env, seccomp execve/socket/connect/ptrace deny", "4_no_bounded_kb_writer": "MVP writes ONLY local output mount; does NOT write KB; KB upload is a separate governed/manual step; no bounded KB writer claimed", "5_select_side_effect_functions": "MVP issues NO SQL; deferred export step uses named query IDs only, pre-approved side-effect-free, no raw/dynamic/multi-statement/CALL/DML/DDL, empty read-only function allowlist", "6_negative_tests_not_tied_to_enforcement": "every negative test maps enforcement layer / attempted bypass / block point / expected verdict / proof-of-block evidence / MVP-or-deferred (matrix rev4)" }, "decisive_decision": { "model": "OFFLINE_PACKET_DERIVED_NON_GATING_NON_AUTHORITATIVE_INSPECTOR", "mvp_performs_live_read": false, "mvp_writes_kb": false, "mvp_has_network": false, "mvp_holds_db_driver_or_credential": false, "input": "bounded governed provenance-stamped export packet (PACKET_DERIVED, freshness AS_OF_EXPORT)", "output": "local report triplet to a write-only output mount; KB upload separate governed step", "rationale": "no proven process-level sandbox/egress/secret/local-FS/KB-writer substrate exists; removing the live attack surface makes the six blockers structurally answerable instead of asserted" }, "non_gating_non_global_denial_contract": { "authority_status": "PROVISIONAL_NON_AUTHORITY", 
"decision_effect": "NONE", "may_gate": false, "cannot_declare_global_truth": ["artifact does not exist", "claim is false", "system non-compliant", "any world-level fact"], "allowed_negative_verdicts": [ "NOT_EVIDENCED_IN_ALLOWED_SURFACES", "INSUFFICIENT_EVIDENCE_FOR_CLAIM", "BLOCKED_BY_UNVERIFIED_SOURCE", "BLOCKED_BY_UNSAFE_ACCESS", "CONTRACT_VIOLATION_IN_DESIGN" ], "read_level_fail_means": "the dossier/report is NOT acceptable for reporting PASS (NOT 'the real-world claim is false')", "scope_of_denial": "mandatory on every negative verdict; missing => CONTRACT_VIOLATION_IN_DESIGN", "non_global_denial_disclaimer": "mandatory in every report", "gate_use_requires": "separate sealed downstream consumer/authority contract (deferred, B7)" }, "verdict_model": { "per_claim": [ "NO_READ_LEVEL_DEFECT_FOUND_NON_AUTHORITATIVE", "INSUFFICIENT_EVIDENCE_FOR_CLAIM", "NOT_EVIDENCED_IN_ALLOWED_SURFACES", "EVIDENCE_CONFLICTING", "BLOCKED_BY_NO_CALL_CONTRACT", "BLOCKED_BY_UNVERIFIED_SOURCE", "BLOCKED_BY_UNSAFE_ACCESS" ], "flags": ["FLAG_PROSE_ONLY_PASS", "FLAG_HARDCODED_DENOMINATOR", "FLAG_AUTHORITY_VIOLATION", "FLAG_LOCAL_FIRST_AUTHORITY", "FLAG_GLOBAL_DENIAL_WORDING"], "article14_status": ["ARTICLE14_NOT_APPLICABLE_NO_EXECUTABLE_CLAIMS", "ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED"], "final_dossier_verdict": ["READ_LEVEL_FAIL", "BLOCKED", "UNVERIFIED"], "removed": ["READ_LEVEL_ACCEPTABLE", "EVIDENCE_SUFFICIENT_FOR_READ_LEVEL", "exit_0", "READ_REPORT_PASS", "positive_EVIDENCE_PRESENT"], "triage_outcome": ["BLOCKING_FINDINGS", "NO_BLOCKING_FINDING_BUT_UNCERTIFIED"], "precedence": "BLOCKED > READ_LEVEL_FAIL > UNVERIFIED (no terminal state above UNVERIFIED)" }, "article14_chain": { "preserved_from": "rev2 (Codex Gate 2 PASS)", "steps": ["claim", "claim_type", "required_evidence_class[]", "evidence_artifact/reference(governed_provenance_packet_item)", "evidence_capability", "evidence_adequacy_verdict", "dossier_verdict+article14_status"], "iron_law": "a resolving reference in the 
governed-provenance packet yields ARTIFACT_EXISTENCE_EVIDENCE only; execution-class claims can never reach a non-defect outcome and force NOT_PROVEN", "binding_fields": ["claim_id", "claim_type", "required_evidence_class[]", "evidence_ref[]", "evidence_kind", "resolves", "governed_surface", "bound_to_claim", "identity_match", "producer", "observation_ts", "independence", "conflict_set[]", "evidence_adequacy_verdict", "scope_of_denial", "notes"] }, "capability_model": { "allowed_actions": ["READ_PACKET_ITEM", "WRITE_LOCAL_REPORT"], "prohibited_actions": ["EXECUTE_COMMAND", "SPAWN_SUBPROCESS", "DYNAMIC_IMPORT", "OPEN_SOCKET", "NETWORK_EGRESS", "READ_LOCAL_PATH_OUTSIDE_INPUT_MOUNT", "READ_CREDENTIAL_OR_ENV_SECRET", "OPEN_DB_DRIVER", "LIVE_PG_QUERY", "WRITE_KB", "WRITE_OUTSIDE_OUTPUT_MOUNT", "INVOKE_DOT", "MUTATE_PG", "MUTATE_DIRECTUS", "MUTATE_REGISTRY", "WRITE_SYSTEM_ISSUES", "CREATE_RESOLVER"], "rev3_live_verbs_removed_from_mvp": ["READ_KB_DOC", "READ_ONLY_QUERY", "WRITE_KB_REPORT"], "enforcement_substrate_primary_sandbox": { "no_network": "no network namespace / egress denied at namespace+host firewall; no socket reaches any endpoint", "read_only_input_mount": "exactly the input-packet directory, read-only; nothing else of host FS visible", "write_only_output_mount": "exactly the report output directory, writable; no other path writable", "no_secret_surfaces": "no home, no project tree, no /etc secrets mounted; scrubbed env (no creds/tokens/conn-strings)", "syscall_restriction": "no-new-privileges + seccomp deny execve/execveat, socket/connect/bind, ptrace" }, "enforcement_secondary_in_process_defense_in_depth": ["static_action_manifest_per_module", "import_capability_denylist", "runtime_capability_self_check_P1_with_envelope_attestation"], "in_process_guards_are": "SECONDARY/fail-fast/bypassable-in-principle; the sandbox is the structural boundary (answers Codex's 'static scans are bypassable')", "structural_not_asserted": { "no_egress": "enforced by absence of 
network namespace, not a client promise", "no_secret_local": "enforced by filesystem namespace (two mounts only) + scrubbed env", "no_subprocess": "enforced by seccomp execve deny", "no_db_write_or_side_effect_sql": "moot: tool issues no SQL and holds no driver" }, "fail_closed": "if P1 cannot confirm sandbox invariants => BLOCKED (exit 3) before any read" }, "deferred_governed_export_step": { "not_part_of_mvp_tool": true, "named_query_ids_only": true, "query_catalog": "sealed, versioned, content-hashed; each query ID pre-approved side-effect-free; maps to a governed read surface; no function call except an explicit read-only allowlist (empty today => none called)", "no_raw_sql": true, "no_dynamic_query_text": true, "no_multi_statement": true, "no_CALL_no_DML_no_DDL": true, "uses_verified_gateway_role": "context_pack_readonly (rev3-verified, NOT re-run in rev4)", "until_contract_sealed": "MVP runs against a manually-produced governed packet so it can be built/tested before the automated export exists", "unblocking_contract": "B7 export-step/driver/network-policy contract" }, "verified_substrate_cited_from_rev3": { "method": "read-only SELECT via query_pg gateway (rev3, 2026-06-09); NOT re-run in rev4 because the MVP performs no live read", "connected_role": "context_pack_readonly", "role_attrs": {"rolsuper": false, "rolcreaterole": false, "rolcreatedb": false, "rolbypassrls": false, "rolcanlogin": true}, "gateway_contract": "AST-validated READ ONLY transaction, statement_timeout 5s, hard LIMIT 500, no writes/DDL", "db_allowlist": ["directus", "incomex_metadata", "workflow"], "honest_correction": "server-side gateway substrate proves the GATEWAY cannot write/escape its DB allowlist; it does NOT prove a process-level network egress allowlist for any tool -> hence offline MVP, live read confined to the deferred export step" }, "output_contract": { "surface": "LOCAL write-only output mount (report.md + report.json + checkpoint-<name>.md). 
MVP does NOT write KB.", "kb_upload": "separate manual/governed step outside the tool; MVP holds no KB write credential/capability", "bounded_kb_writer_exists": false, "future_kb_writer_conditional": "path-scoped server-enforced writer restricted to reports/+checkpoints/ under tool-kiem-thu, create/update only, delete/ingest/patch-outside-scope impossible (B7)", "new_json_keys_rev4": ["decision_effect:NONE", "may_gate:false", "source_mode:PACKET_DERIVED", "packet{packet_id,packet_as_of,freshness,manifest_hash}", "claims[].scope_of_denial", "capability_envelope_attestation", "export_provenance{items[]}", "non_global_denial_disclaimer"], "writes_performed": "local output paths only", "production_mutation": false }, "exit_semantics": { "0": "RESERVED_UNUSED (no green terminal verdict)", "1": "READ_LEVEL_FAIL or any FLAG_*", "2": "BLOCKED or UNVERIFIED", "3": "CONTRACT_VIOLATION_IN_DESIGN / BLOCKED_BY_UNSAFE_ACCESS / prohibited action attempted", "4": "internal error", "rule": "nothing maps to exit 0; exit codes are diagnostic NOT gates (decision_effect=NONE applies)" }, "report_persistence_boundary": { "report_generation": "in scope (write-only output mount)", "report_upload_to_kb": "separate manual/governed step, NOT in MVP capability envelope", "report_is": "evidence-only, non-authority, non-gating regardless of location" }, "mvp_readiness_model": { "options": { "A": "build may start only if guard harness is in MVP build scope", "B": "build remains blocked until a sandbox mechanism is available", "C": "MVP starts as offline packet-only inspector, live KB/PG reads deferred" }, "recommended": "C (scope) governed by A discipline (build-start gate); hard fallback to B if no deny-by-default sandbox host can be provisioned/proven", "mvp_allowed_today": false, "becomes_allowable_when": "Codex seals rev4 (B0-triple-prime) AND offline guard harness built + enforcement-bound negative tests pass against a real sandbox (B4-prime)" }, "self_audit": { 
"no_global_denial_authority": "PASS", "no_arbitrary_sql": "PASS", "no_direct_pg_driver": "PASS", "network_sandbox_model_feasible": "PASS (design/feasibility; build-gated B4')", "kb_writer_boundary_honest": "PASS", "secret_local_fs_guard_specified": "PASS", "negative_tests_tied_to_enforcement": "PASS", "kb_first_pg_first_local_last_honest": "PASS", "article14_remains": "PASS (preserved + strengthened)", "no_hardcode_fake_green": "PASS" }, "action_ready_blockers": { "B0_triple_prime": "Codex seals rev4 (precondition to any build)", "B4_prime": "offline guard harness built + enforcement-bound negative tests pass against a real sandbox (gates MVP acceptance)", "B6": "no governed taxonomy authority => triage-only, no green, no exit 0", "B7": "deferred online surface BLOCKED until sealed: governed export step + named-query-catalog/driver/network-policy contract; path-scoped KB report writer; downstream consumer/authority contract for any gate use", "B1_B2_B3": "gate the execution surface (Call Contract / proof-of-run / global-absence)" }, "sealed_decisions_intact": ["B", "C", "D", "G", "H"], "article14_status": "PRESERVED_AND_STRENGTHENED" }
