KB-3307

Build Prompt — Offline Packet MVP + Guard Harness (Program Macro, GATED)

Revision 1
tool-kiem-thu · build-prompt · program-macro · guard-harness · gated · 2026-06-09

BUILD PROMPT (GATED) — Offline Packet MVP + Guard Harness

Program Macro build prompt for Phase-2 of Implementation Package DOT v0.1. Status: BUILD_PROMPT_READY_GATED — produced under decision B (BUILD_PROMPT_READY_BUT_OPERATOR_SANDBOX_ACTION_REQUIRED). This is a design artifact, not an authorization to build now.


⛔ HARD PRECONDITIONS — DO NOT EXECUTE THIS BUILD UNTIL BOTH CLEAR

This prompt must not be run until:

  1. B0‴ disposed (owner authority). The owner has either (a) routed reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev4-2026-06-09.md to Codex and received a GAP_ONLY_SPEC_REV4_SEALED, or (b) explicitly waived B0‴ with the unreviewed-offline-architecture risk recorded in a checkpoint. The corpus records B0‴ as a precondition to any build; honoring or waiving it is the owner's call, not the builder's.
  2. Sandbox host attested (operator resource). The operator has provisioned and attested a deny-by-default sandbox per checkpoints/operator-action-packet-sandbox-host-for-phase2-mvp-2026-06-09.md, and the read-only attestation evidence (seccomp EPERM, mount table = exactly RO-input + WO-output, scrubbed env keyset) is recorded. Until then, the MVP's own P1 self-check fails closed to BLOCKED / exit 3 and ~11 of 45 acceptance tests cannot pass.

If either precondition is unmet, stop and route back to the owner/operator. Running this build with an unprovisioned sandbox or an open B0‴ would be a fake-green and an Article-14 violation.


0. Operating rules (carried, non-negotiable)

  • KB-FIRST / PG-FIRST / NATIVE-DRIVEN / LOCAL-LAST. Read all project facts from KB / governed native sources; local files are not authority unless declared output artifacts. CONFLICT → prefer KB/PG/native.
  • Article 13 (PG-first / native / driven) and Article 14 (evidence-backed; no prose-only PASS; no fake-green) apply throughout.
  • §0.5 honesty bound: do NOT fake KB/PG-first by granting the tool unrestricted network/PG/local access. The MVP reads a governed-provenance export packet, not live surfaces.

1. Goal

Build the offline, packet-derived, NON-GATING inspector MVP prototype specified by rev4 (designs/…gap-only-scope-spec-rev4-2026-06-09.md, planning/…implementation-plan-no-code-rev4-2026-06-09.md, designs/acceptance-test-matrix-…-rev4-2026-06-09.md), running inside the attested deny-by-default sandbox, and prove it with the 45 enforcement-bound acceptance/negative tests.

2. Build deliverables (in order; the harness is FIRST and GATING)

  1. Guard harness (L1 + L2 + L3) — gating.
    • L1 sandbox profile: the container/OS-sandbox config realizing §12.1 — --network none / --unshare-net; RO input bind-mount; WO output bind-mount; no home/project/etc/secret mounts; scrubbed env / --clearenv; seccomp.json denying execve/execveat/socket/connect/bind/ptrace; no-new-privileges; --cap-drop ALL. (Recommended: Option B, Docker/Podman on the existing host runtime; fallback: Option C, bubblewrap.)
    • L2 static-build-guard: import/capability denylist; per-module assertion allowed_actions ⊆ {READ_PACKET_ITEM, WRITE_LOCAL_REPORT}; build-time rejection of any module declaring a prohibited capability.
    • L3 runtime-self-check (P1): capability-envelope + sandbox-invariant attestation that runs before any packet read and fails closed to BLOCKED / exit 3 if the sandbox invariants (mounts, net ns, env, seccomp) are not present.
  2. Packet reader — reads only the governed-provenance input packet (source_mode=PACKET_DERIVED, freshness=AS_OF_EXPORT); allowed_actions = {READ_PACKET_ITEM, WRITE_LOCAL_REPORT} only.
  3. Provenance validator — validates each item's source_metadata = {governed_surface, named_query_id_or_kb_path, observation_ts, source_revision, content_hash}; unverified/stale/out-of-scope/local-not-governed → BLOCKED_BY_UNVERIFIED_SOURCE.
  4. Evidence-adequacy classifier (Article-14 chain) — the §3 7-step chain (claim → claim_type → required_evidence_class[] → artifact → capability → adequacy → dossier_verdict + article14_status). Iron law §3.IRON: "reference resolves" yields only ARTIFACT_EXISTENCE_EVIDENCE; execution-class claims force ARTICLE14_NOT_PROVEN_EXECUTION_UNVERIFIED.
  5. Non-global verdict reporter — emits only the 5 bounded scoped verdicts (NOT_EVIDENCED_IN_ALLOWED_SURFACES, INSUFFICIENT_EVIDENCE_FOR_CLAIM, BLOCKED_BY_UNVERIFIED_SOURCE, BLOCKED_BY_UNSAFE_ACCESS, CONTRACT_VIOLATION_IN_DESIGN); every output carries decision_effect=NONE, may_gate=false, mandatory scope_of_denial, the non-global disclaimer, and FLAG_GLOBAL_DENIAL_WORDING. Dossier verdicts limited to READ_LEVEL_FAIL / BLOCKED / UNVERIFIED (no green, no exit 0).
  6. Local report writer (L4) — writes only report.md, report.json, checkpoint-<name>.md to the single WO output mount. No KB write (no KB credential/capability). KB upload is a separate governed step.
  7. Fixtures — including the FIX7 packet fixture (canonicalizer resolves only as .md; load-bearing .py on no governed surface → NOT_EVIDENCED_IN_ALLOWED_SURFACES, non-global) + Fixture A′ (pure discoverability) + Fixture D (global-denial trap) + a real dossier + a stripped negative.
  8. 45 acceptance/negative tests — exactly the rev4 matrix; each capability/bypass test bound to a named enforcement layer L1–L5 + block point + proof-of-block evidence (seccomp EPERM / mount table / env keyset / build-time rejection). The ~11 L1-dependent tests (#25/#27/#28/#29/#33/#34/#35/#37 and siblings) must produce real OS-level proof-of-block against the attested sandbox. Side-effect-fn #32 stays deferred (D9 / export contract).
  9. Article-13 self-audit and Article-14 self-audit — evidence-backed PASS/PARTIAL/FAIL, no prose-only PASS.
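
An added example (not part of the rev4 spec or the project's code) of how the L3 runtime self-check (P1) in deliverable 1 can test the four sandbox invariants from Linux /proc views and fail closed to BLOCKED / exit 3. The mount paths /in and /out, the env allowlist and the system-mount baseline are assumptions; take the real values from the attested sandbox evidence.

```python
import os
from pathlib import Path

EXIT_BLOCKED = 3                          # fail-closed exit code named on the page
ENV_ALLOWLIST = {"PATH", "LANG"}          # assumed scrubbed-env keyset
SYSTEM_MOUNTS = {"/", "/proc", "/dev"}    # assumed sandbox-internal baseline


def proc_field(status_text, key):
    """Value of one 'Key:<tab>value' line of /proc/<pid>/status, or None."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    return fields[key].strip() if key in fields else None


def violations(status, mountinfo, net_dev, env, ro_in="/in", wo_out="/out"):
    """List every sandbox invariant that is absent; an empty list means pass."""
    found = []
    if proc_field(status, "Seccomp") != "2":            # 2 = seccomp filter mode
        found.append("seccomp filter not active")
    if proc_field(status, "NoNewPrivs") != "1":
        found.append("no-new-privileges not set")
    if int(proc_field(status, "CapEff") or "1", 16) != 0:
        found.append("effective capabilities not empty")
    # mountinfo: column 5 is the mount point, column 6 the per-mount options.
    rows = [r.split() for r in mountinfo.splitlines()]
    data = {r[4]: r[5].split(",") for r in rows if len(r) > 5 and r[4] not in SYSTEM_MOUNTS}
    if set(data) != {ro_in, wo_out}:
        found.append("mount table is not exactly input + output")
    elif "ro" not in data[ro_in] or "rw" not in data[wo_out]:
        # Linux has no write-only mount flag; the output mount is checked for rw.
        found.append("input/output mount modes wrong")
    # /proc/net/dev: two header lines, then one 'iface: counters' line each.
    ifaces = {l.split(":")[0].strip() for l in net_dev.splitlines()[2:] if ":" in l}
    if ifaces - {"lo"}:
        found.append("non-loopback interface present")
    if set(env) - ENV_ALLOWLIST:
        found.append("unexpected environment keys")
    return found


def self_check():
    """Run before any packet read: ("BLOCKED", 3, reasons), or None to proceed."""
    try:
        texts = [Path(p).read_text() for p in
                 ("/proc/self/status", "/proc/self/mountinfo", "/proc/net/dev")]
        found = violations(*texts, dict(os.environ))
    except (OSError, ValueError) as exc:                # unreadable evidence blocks
        found = [f"attestation unreadable: {exc}"]
    return ("BLOCKED", EXIT_BLOCKED, found) if found else None
```

On a host that is not the attested sandbox, self_check() returns BLOCKED because the mount table and env keyset do not match, which is the behaviour the hard preconditions describe.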

3. Prohibition wall (build-time and runtime)

NO network · NO PG driver · NO live KB/PG · NO KB write · NO secret/env access · NO arbitrary local read · NO subprocess/shell/command execution · NO dynamic import outside the L2 allowlist · NO output-path escape · NO mutation of PG/Directus/registry/system_issues · NO fake-green / no exit-0 / no green verdict · NO global-absence claim · NO local-first evidence · NO making the local report an authority · NO gate/build-break consumption of the output (B7 deferred).
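
An added example (not the project's own code) of the build-time half of this wall as an L2 static-build-guard: it parses a module without importing it, rejects denied imports and calls, and enforces allowed_actions ⊆ {READ_PACKET_ITEM, WRITE_LOCAL_REPORT}. The denylist contents and the convention that each module declares a module-level literal named allowed_actions are assumptions.

```python
import ast

ALLOWED_ACTIONS = {"READ_PACKET_ITEM", "WRITE_LOCAL_REPORT"}   # from the page
# Assumed denylist realizing the prohibition wall; align it with the rev4 spec.
DENIED_IMPORTS = {"socket", "subprocess", "ctypes", "http", "urllib", "ssl",
                  "psycopg2", "requests", "importlib", "multiprocessing"}
DENIED_CALLS = {"eval", "exec", "__import__", "compile"}
DENIED_ATTRS = {("os", "system"), ("os", "popen"), ("os", "environ"), ("os", "getenv")}


def guard_module(source, name="<module>"):
    """Return build-time rejection reasons for one module's source text."""
    tree = ast.parse(source, filename=name)
    reasons, declared = [], None
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [f"{node.module or ''}.{a.name}" for a in node.names]
        else:
            mods = []
        for mod in mods:
            root, _, attr = mod.partition(".")
            if root in DENIED_IMPORTS or (root, attr) in DENIED_ATTRS:
                reasons.append(f"{name}:{node.lineno}: denied import {mod}")
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in DENIED_CALLS:
            reasons.append(f"{name}:{node.lineno}: denied call {node.func.id}()")
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name) \
                and (node.value.id, node.attr) in DENIED_ATTRS:
            reasons.append(f"{name}:{node.lineno}: denied use {node.value.id}.{node.attr}")
    # The capability declaration must be a literal so it is readable without importing.
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "allowed_actions" for t in stmt.targets):
            try:
                declared = set(ast.literal_eval(stmt.value))
            except (ValueError, TypeError):
                reasons.append(f"{name}:{stmt.lineno}: allowed_actions is not a literal")
                declared = set()
    if declared is None:
        reasons.append(f"{name}: missing allowed_actions declaration")
    elif not declared <= ALLOWED_ACTIONS:
        reasons.append(f"{name}: prohibited capability {sorted(declared - ALLOWED_ACTIONS)}")
    return reasons
```

Aliased or computed access (for example a renamed os import) can slip past a static pass like this one, which is why the same prohibitions are also bound to the L1 seccomp and mount layer.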

4. Acceptance (B4′)

The build is accepted only when the L1-bound negative tests pass against the attested real sandbox and the Article-13/14 self-audits pass with evidence. Absent the attested sandbox, the build remains BLOCKED (rev4 §21 hard fallback B). If Option B/C cannot be attested locally, Option D (CI deny-by-default runner) is the fallback acceptance venue.

5. What stays deferred (do NOT build)

The live governed export step + named-query-catalog/driver/network-policy contract, a path-scoped server-enforced KB report writer, any downstream gate-consumer/authority contract (all B7); the execution surface / Call Contract / proof-of-run / global-absence (B1/B2/B3). These are out of scope for this build.


Authored as a gated design artifact under decision B. Execution is conditional on the two hard preconditions above. No build, install, sandbox creation, mutation, or Codex call was performed in authoring it.

knowledge/dev/laws/tool-kiem-thu/planning/build-offline-packet-mvp-with-guard-harness-program-macro-prompt-2026-06-09.md