Phase 4 Call-Contract Readiness Map (after B7) — tool-kiem-thu (2026-06-10)
Status: PHASE4_READINESS_MAP_READY · Date: 2026-06-10
Authoritative source rule: KB-FIRST / PG-FIRST / NATIVE-DRIVEN / LOCAL-LAST. Maps what B7's partial closure unblocks for Phase 4, what stays blocked, and what needs Codex vs can proceed internally.
After Phase 2/3 PASS and the B7 export-packet core closure, this records the next-phase landscape so Phase 4 starts from an honest map, not a vibe.
1. Where we are
- Phase 2 offline MVP: PASS. Phase 3 FIX7 pilot: PASS. B4′ sandbox: PASS (12/12). Tests 31/31.
- B7 export-packet core: PARTIAL→closed at design+reference-validation — real governed packet produced + validated (10/10 + 7/7); gateway side-effect prevention live-proven; named-query catalog (provisional), packet schema, export-step contract, MVP consumption contract all written.
- The MVP still consumes a packet (now demonstrably a governed one of the same schema); it has no live authority.
2. Readiness by capability
| Capability | Status after B7 | Unblocks on | Codex? |
|---|---|---|---|
| Consume a governed packet (vs fixture) | UNBLOCKED (schema-compatible, consumption contract written) | catalog promotion for authority; service for automation | No to consume; Yes to seal catalog |
| Automated, audited export service (D9) | BLOCKED | B7-EXP-2: build read-only service + network-policy; owner authorizes a runtime venue | Recommended (network policy) |
| Named-query catalog as governed authority (B7-EXP-1) | BLOCKED | owner/Codex seal + governed home + content-hash seal | Yes (mandatory) |
| Call Contract (command run + exit codes) — the keystone | BLOCKED | per-command identity/mode/inputs/exit-semantics/timeout/lease/audit-ledger/non-mutation boundary | Yes (mandatory) |
| Proof-of-run / execution verifier (upgrade EVIDENCE_PRESENT→ran_clean/ran_with_drift/error_running) | BLOCKED | Call Contract first; reproducible run-evidence model | Yes |
| Global-absence proof (vs scoped NOT_EVIDENCED) | BLOCKED | proof-of-run + exhaustive-surface contract | Yes |
| Path-scoped server-enforced KB report writer (D10) | BLOCKED | build a server-enforced path-scoped writer (KB verbs are broad/unscoped today) | Yes (mandatory) |
| Downstream gate-consumer / authority (D11) | BLOCKED | a sealed contract letting output gate/authorize anything | Yes (mandatory) |
| --selftest N/N + module_sha256 (D4) | deferred | post-reseal build | optional |
| audit_dead_links()→system_issues write (D5) | BLOCKED | write contract (Domain F sink) | Yes |
| Directus DOT-control write (D6) | BLOCKED | DOT-control proof contract | Yes |
| OPA/Conftest/CI/Git-hook gating (D7) | BLOCKED | CI/policy-gate contract (depends on D11) | Yes |
| Positive/green verdict + exit 0 (D8) | BLOCKED | sealed governed taxonomy authority | Yes |
3. The keystone remains the Call Contract
Most execution capability (proof-of-run, global absence, run/pass half of the claim↔test binder, D8 positive verdicts) is blocked on the Call Contract (future-contracts-queue [1]): per-command identity, permitted mode, inputs, exit-code semantics, timeout, lease/gate, audit ledger, non-mutation boundary. The 15 dot_iu_command_catalog mutating=false rows are a candidate set, not authorized. No static whitelist, no new dispatcher. Codex review MANDATORY before any build.
4. What can proceed internally (no Codex)
- Author the Call Contract design packet (no build) — read-only, like B7 here.
- Extend the provisional named-query catalog with more read-only entries (each with live-run evidence), staying provisional.
- Harden the MVP consumption contract checks (manifest_hash verify, authority_status enforce) as a non-capability-expanding change.
- Continue reference exports + validations to broaden packet coverage.
5. What needs Codex (when owner chooses)
- Seal the named-query catalog as governed authority (B7-EXP-1).
- Seal the Call Contract before any command-run build.
- Seal the path-scoped KB writer (D10) and any gate-consumer (D11).
- Optional now-permitted: external seal of the existing Phase 2/3 + B7 evidence (B0‴ = owner disposition).
6. Recommended next safe increment
Author the Call Contract design packet (read-only, no build, no Codex) — it is the single highest-leverage blocker and can be drafted internally exactly as B7 was, leaving only the seal for the owner/Codex. In parallel, the owner may decide catalog-promotion (B7-EXP-1) and whether to route the accumulated real evidence to Codex.