B7 Governed Export-Packet Validation Report — tool-kiem-thu (2026-06-10)
Verdict: B7_EXPORT_PACKET_REFERENCE_VALIDATION_PASS · Date: 2026-06-10
Production mutation: NO · Codex: NO · Mac-local evidence: NO · MVP live DB access: NO
Article 13: PASS (native gateway only; packet = evidence not authority). Article 14: PASS (every check ran; no prose-only PASS; honest gap disclosed).
A real, runnable validation of the whole B7 export-packet pipeline: a real governed packet was produced read-only through the native context_pack_readonly gateway (acting as the §2 export operator, not the MVP) and validated against the b7-governed-packet/v1 schema + B7 rules, including negative tests. This is evidence, not a fixture.
1. What was run (all read-only, no mutation)
Source-surface verification (live, directus DB): connected role context_pack_readonly (rolsuper=false, rolcreaterole=false, rolcreatedb=false, rolbypassrls=false, rolcanlogin=true); 17/17 target governed surfaces exist in directus.public; the export/manifest/catalog families (context_pack_manifest, v_iu_collection_manifest, v_iu_collection_export_status, dot_iu_command_catalog, v_*_packet) exist as reuse precedents.
Gateway enforcement probes (live, non-mutating):
- `INSERT …` → [DENIED] only SELECT queries allowed, got Insert
- `CREATE TEMP TABLE …` → [DENIED] … got Create
- `SELECT 1; SELECT 2` → [DENIED] exactly one statement required, got 2
- `current_setting('transaction_read_only')` → [DENIED] … safe parameter list
- `SELECT pg_backend_pid()` → 514845 (executed; proves a SELECT can call a function, so the catalog allowlist, not the gateway alone, is what stops side-effect functions)
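The five probe outcomes above, and the B-05 caveat they lead to, as an added example: a hypothetical reconstruction of the gateway's statement rules in front of a named-query catalog. This is illustration code, not the project's context_pack_readonly gateway. Assumptions: statements are split on `;` (a stand-in for a real SQL tokenizer), `SAFE_SETTINGS` is a constructed placeholder for the gateway's safe parameter list, and the catalog SQL is illustrative.

```python
import re

# Constructed stand-in for the gateway's safe parameter list for current_setting().
SAFE_SETTINGS = {"server_version", "TimeZone"}

# Hypothetical named-query catalog: consumers name an ID, never raw SQL.
NAMED_QUERY_CATALOG = {
    "NQ-DOT-REGISTRY-COUNT-V1": "SELECT count(*) AS n FROM public.dot_tools",
}

# current_setting('literal') or current_setting(<non-literal expression>)
SETTING_CALL = re.compile(r"current_setting\s*\(\s*(?:'([^']*)'|([^)]*))", re.IGNORECASE)


def gateway_check(sql: str) -> tuple[bool, str]:
    """Reproduce the gateway rules: one statement, SELECT only, safe settings only.

    Deliberately does NOT inspect which functions a SELECT calls; that is the
    gap the pg_backend_pid() probe demonstrates.
    """
    statements = [s for s in sql.split(";") if s.strip()]   # naive split, see lead-in
    if len(statements) != 1:
        return False, f"exactly one statement required, got {len(statements)}"
    stmt = statements[0].strip()
    m = re.match(r"([A-Za-z]+)", stmt)
    keyword = m.group(1).upper() if m else ""
    if keyword != "SELECT":
        return False, f"only SELECT queries allowed, got {keyword.capitalize()}"
    for literal, other in SETTING_CALL.findall(stmt):
        if literal not in SAFE_SETTINGS:
            return False, f"current_setting({(literal or other)!r}) not in safe parameter list"
    return True, "ok"


def run_named_query(named_query_id: str) -> tuple[bool, str]:
    """Catalog first: only catalogued SQL ever reaches gateway_check(), so a
    side-effect function cannot be smuggled in by a consumer-supplied string."""
    sql = NAMED_QUERY_CATALOG.get(named_query_id)
    if sql is None:
        return False, f"{named_query_id} not in named-query catalog"
    return gateway_check(sql)


if __name__ == "__main__":
    probes = [
        "INSERT INTO public.dot_tools (id) VALUES (1)",
        "CREATE TEMP TABLE scratch (a int)",
        "SELECT 1; SELECT 2",
        "SELECT current_setting('transaction_read_only')",
        "SELECT pg_backend_pid()",
        "SELECT pg_terminate_backend(1)",   # passes the gateway: the allowlist must stop it
    ]
    for p in probes:
        print(f"{p!r:60} -> {gateway_check(p)}")
    print(run_named_query("NQ-DOT-REGISTRY-COUNT-V1"))
    print(run_named_query("SELECT pg_terminate_backend(1)"))
```

The last two probes are the point: `pg_terminate_backend(1)` is a real side-effecting PostgreSQL function that a SELECT-only gate cannot distinguish from `pg_backend_pid()`, so the catalog boundary (consumers pass an ID, not SQL) plus the empty function allowlist is what actually closes that path.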
Named-query export (live, read-only): 6 named queries executed, results: dot_tools=309, information_unit=219, tac_logical_unit=102, v_dot_reconciliation_reliability=309 rows, v_dot_registry_no_file=41 (diagnostic), system_issues=224019. Export timestamp 2026-06-10T02:40:06.819600+00:00.
2. Real packet produced
PKT-B7-REF-2026-06-10-001 · manifest_hash = sha256:bba872b9a1f449e538b3db98fa26be71d6bb532ed604add66d91cbc4e56e6097 · 6 items, each with full source_metadata + content_hash:
| named_query_id | governed_surface | authority | content_hash |
|---|---|---|---|
| NQ-DOT-REGISTRY-COUNT-V1 | directus.public.dot_tools | binding | sha256:87fd225d…23aa4 |
| NQ-IU-INVENTORY-COUNT-V1 | directus.public.information_unit | binding | sha256:793c0ca8…10ad |
| NQ-TAC-INVENTORY-COUNT-V1 | directus.public.tac_logical_unit | binding | sha256:b5c15798…84dd5 |
| NQ-DOT-RECON-CANONICAL-ROWS-V1 | directus.public.v_dot_reconciliation_reliability | binding | sha256:510407a0…fafcd |
| NQ-DOT-REGISTRY-NO-FILE-COUNT-V1 | directus.public.v_dot_registry_no_file | diagnostic | sha256:1ee845d4…0235e |
| NQ-SYSTEM-ISSUES-COUNT-V1 | directus.public.system_issues | binding | sha256:c76330dc…643d5 |
Local artifacts (evidence, non-authority): /tmp/tki-ci/b7-governed-packet-sample-2026-06-10.json (the packet) and /tmp/tki-ci/b7_validate.py (the harness, stdlib-only, no network/DB).
3. Validation results — 10/10 positive, 7/7 negative
Positive (schema + provenance): V01 required fields · V02 source_mode=PACKET_DERIVED · V03 decision_effect=NONE & may_gate=false · V04 non-global-denial disclaimer · V05 full per-item provenance · V06 no local surrogate · V07 manifest_hash reproduces · V08 per-item content_hash tamper-evident · V09 diagnostic≠canonical · V10 no raw SQL exposed to consumer — all PASS.
Negative (each must catch the injected defect): N1 tampered payload→V08 FAIL · N2 missing provenance→V05 FAIL · N3 local-first→V06 FAIL · N4 manifest tamper→V07 FAIL · N5 diagnostic-as-canonical→V09 FAIL · N6 raw-SQL leak→V10 FAIL · N7 freshness present — all PASS. Harness exit 0, OVERALL: B7_VALIDATION_PASS.
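The hashing and the schema/provenance checks V02, V03, V05, V07, V08 and V10, together with negative tests N1, N2, N4 and N6, as an added stdlib-only example. This is not the page's /tmp/tki-ci/b7_validate.py harness. Assumptions: the packet field names, the canonical-JSON hashing rule (sorted keys, compact separators, manifest over the sorted list of (named_query_id, content_hash) pairs) and the sample payloads are constructed for illustration, so the hashes on the page will not reproduce from this code.

```python
import copy
import hashlib
import json

# Provenance keys every item's source_metadata must carry (constructed set).
PROVENANCE_KEYS = ("governed_surface", "exported_at", "gateway_role")


def canonical(obj) -> bytes:
    """Canonical JSON so that equal logical content hashes to equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_tag(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def item_content_hash(item: dict) -> str:
    return sha256_tag(canonical(item["payload"]))


def packet_manifest_hash(packet: dict) -> str:
    # Sorted (id, content_hash) pairs: any item change, removal or substitution shows up.
    rows = sorted((i["named_query_id"], i["content_hash"]) for i in packet["items"])
    return sha256_tag(canonical(rows))


def build_packet(exported_at: str, items: list[dict]) -> dict:
    for it in items:
        it["content_hash"] = item_content_hash(it)
    packet = {
        "packet_id": "PKT-EXAMPLE-001",      # constructed, not the page's packet ID
        "source_mode": "PACKET_DERIVED",
        "decision_effect": "NONE",
        "may_gate": False,
        "exported_at": exported_at,
        "items": items,
    }
    packet["manifest_hash"] = packet_manifest_hash(packet)
    return packet


def validate(packet: dict) -> dict[str, bool]:
    """Each check is computed, never asserted from prose (Article 14)."""
    items = packet.get("items", [])
    return {
        "V02": packet.get("source_mode") == "PACKET_DERIVED",
        "V03": packet.get("decision_effect") == "NONE" and packet.get("may_gate") is False,
        "V05": all(all(k in it.get("source_metadata", {}) for k in PROVENANCE_KEYS) for it in items),
        "V07": packet.get("manifest_hash") == packet_manifest_hash(packet),
        "V08": all(it.get("content_hash") == item_content_hash(it) for it in items),
        "V10": not any("sql" in it or "sql" in it.get("source_metadata", {}) for it in items),
    }


def sample_items() -> list[dict]:
    """Constructed payloads shaped like the count queries in the report."""
    def item(nq, surface, authority, payload):
        return {"named_query_id": nq, "authority": authority, "payload": payload,
                "source_metadata": {"governed_surface": surface,
                                    "exported_at": "2026-06-10T02:40:06.819600+00:00",
                                    "gateway_role": "context_pack_readonly"}}
    return [
        item("NQ-DOT-REGISTRY-COUNT-V1", "directus.public.dot_tools", "binding", {"count": 309}),
        item("NQ-IU-INVENTORY-COUNT-V1", "directus.public.information_unit", "binding", {"count": 219}),
        item("NQ-DOT-REGISTRY-NO-FILE-COUNT-V1", "directus.public.v_dot_registry_no_file", "diagnostic", {"count": 41}),
    ]


def negative_tests(packet: dict) -> dict[str, list[str]]:
    """Inject one defect per copy; return the checks each defect trips."""
    defects = {}
    p = copy.deepcopy(packet); p["items"][0]["payload"]["count"] = 310; defects["N1_tampered_payload"] = p
    p = copy.deepcopy(packet); del p["items"][1]["source_metadata"]["gateway_role"]; defects["N2_missing_provenance"] = p
    p = copy.deepcopy(packet); p["manifest_hash"] = "sha256:" + "0" * 64; defects["N4_manifest_tamper"] = p
    p = copy.deepcopy(packet); p["items"][2]["sql"] = "SELECT count(*) FROM v_dot_registry_no_file"; defects["N6_raw_sql_leak"] = p
    return {name: sorted(k for k, ok in validate(p).items() if not ok) for name, p in defects.items()}


if __name__ == "__main__":
    pkt = build_packet("2026-06-10T02:40:06.819600+00:00", sample_items())
    print("positive:", validate(pkt))
    print("negative:", negative_tests(pkt))
```

Note that a payload tamper (N1) trips V08 but not V07: the manifest is built over the recorded content hashes, which the attacker left alone, so the two hashes catch different classes of defect and both are needed.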
4. Reconciliation with baseline (Article 14)
Fresh 2026-06-10 counts (309/219/102/41) confirm the prior baseline (reports/dot-registry-directus-text-as-code-baseline-reconciliation-2026-06-09.*): dot_tools=309 (registry frozen 2026-04-02), IU=219, TAC=102, registry_no_file=41. No CONFLICT. system_issues total=224019 (the earlier "open 223,313" was a status subset, not the total — not a conflict).
5. Honest gaps (not faked)
- The catalog is provisional non-authority — no governed catalog surface exists; promotion needs owner/Codex (B7-EXP-1).
- The export was operator-run (agent through the gateway); an automated, audited export service is not built (B7-EXP-2 / D9).
- Side-effect-function rejection is enforced by the empty allowlist + named catalog, with the gateway's SELECT-can-call-a-function behavior (B-05) as the live rationale — full end-to-end network-policy enforcement of a service is D9, deferred.
- The MVP was not given live access in this run; consumption was validated at the schema/contract level (the packet is schema-compatible with the Phase-2 packet_loader, §7 of the consumption contract).
6. Verdict
The B7 export-packet core pipeline (source authority → named-query/export contract → provenance packet → MVP consumption rules → validation) is closed with real, reproducible evidence. Residual promotion/service/writer/gate items remain action-ready blockers (see checkpoint). No fake-green; no global-absence claim; no production mutation.