Phase 2 Execution Substrate & Route Decision (B4′) — 2026-06-10
Final status: APPROVED_CI_OR_OPERATOR_PACKET_READY
Date: 2026-06-10 · Production mutation: NO · Codex consulted: NO · Mac-local evidence used: NO
Authoritative source rule applied: KB-FIRST / PG-FIRST / NATIVE-DRIVEN / LOCAL-LAST. Generated artifacts are evidence, not authority.
Executive summary
The blocker is reclassified and narrowed, not merely restated. The prior macro stopped at "no agent-facing docker run surface." This run inventoried every governed and local execution venue and found that the only thing missing is an authorized execution substrate / trigger — not host Docker, not a profile, not a design. Two complete, command/design-free execution packets are now ready:
- CI route (new this run): a turnkey GitHub Actions workflow + probe harness + evidence emitter (planning/ci-sandbox-attestation-workflow-draft-2026-06-10.md) that runs B4′ on an ephemeral, non-Mac-local, Docker-capable GitHub-hosted runner. The gh CLI is authenticated (Huyen1974, scopes incl. workflow,repo). Action reduces to: owner authorizes a repo → trigger → collect artifact.
- Operator/VPS route (consolidated): checkpoints/operator-execution-packet-phase2-sandbox-final-2026-06-10.md, carrying the canonical 2026-06-09 VPS --rm probe commands.
Residual blocker is pure authority + execution-permission, with zero engineering/design ambiguity: the owner must authorize one venue, and a human/CI then runs it and returns the §7 evidence bundle. The agent cannot run B4′ itself (no agent-facing container-create/exec/shell surface on any approved venue), so the MVP remains correctly gated (NOT built — building before B4′ PASS is prohibited).
Track 1 — KB readback proof
1.1 Readback table (14 required docs + index)
| Doc | Type | Status it asserts | Rev |
|---|---|---|---|
| action-ready-blocker-after-phase2-offline-mvp-execution-path | checkpoint | B4_PRIME_OPERATOR_ACTION_REQUIRED | 1 |
| checkpoint-phase2-offline-mvp-execution-path | checkpoint | B4_PRIME_OPERATOR_ACTION_REQUIRED; T1 PASS, T2 RUNTIME_PRESENT_BUT_NOT_AGENT_REACHABLE, T3–8 not reached | 1 |
| operator-blocker-packet-sandbox-attestation | checkpoint | B4_PRIME_BLOCKED_OPERATOR_ACTION_REQUIRED (canonical command-level fix) | 1 |
| deny-by-default-sandbox-profile-phase2-offline-mvp | design | SANDBOX_PROFILE_SPECIFIED_NOT_ATTESTED | 1 |
| sandbox-host-attestation-for-phase2-offline-mvp (md+json) | report | SANDBOX_ATTESTATION_PARTIAL; b4_prime:BLOCKED | 1 |
| checkpoint-sandbox-attestation-phase2-offline-mvp | checkpoint | SANDBOX_ATTESTATION_PARTIAL | 1 |
| build-offline-packet-mvp-with-guard-harness-program-macro-prompt | planning | BUILD_PROMPT_READY_GATED (decision B; 2 hard preconditions) | 1 |
| implementation-package-dot-v0-1-gap-only-scope-spec-rev4 (md+json) | design | GAP_ONLY_SCOPE_SPEC_v0_1_REV4_READY_FOR_CODEX; mvp_implementation_allowed:false | rev4 |
| acceptance-test-matrix-...-rev4 | design | ACCEPTANCE_MATRIX_v0_1_REV4_READY_FOR_CODEX (45 tests, L1–L5) | rev4 |
| fix7-read-report-pilot-design-rev4 | design | FIX7_READ_REPORT_PILOT_DESIGN_REV4_READY_FOR_CODEX | rev4 |
| mvp-read-report-inspector-implementation-plan-no-code-rev4 | planning | MVP_PLAN_REV4_DESIGN_ONLY; build BLOCKED until B0‴ + B4′ | rev4 |
| 00-index.md | index | header …REV4_READY_FOR_CODEX; body advanced through 2026-06-10 | rev82 |
1.2 Version/status verdict
All rev4 design docs are mutually consistent and READY_FOR_CODEX (Codex deferred under the B0‴ waiver for this offline-prototype scope). The sandbox profile is SPECIFIED_NOT_ATTESTED. B4′ is BLOCKED across every doc that mentions it. mvp_implementation_allowed = false until B4′ PASS.
1.3 Contradiction check
- Index revision drift (77→78→80→82): sequential across sessions, each correct as of its own write. Not a substantive contradiction; resolved by treating live 00-index.md (rev82, now → rev83 by this run) as current.
- Status-name shorthand: SANDBOX_ATTESTATION_PARTIAL (memory/index) vs B4_PRIME_OPERATOR_ACTION_REQUIRED (newest docs) are the same B4′-BLOCKED determination at two altitudes. Consistent.
- B0‴: all docs agree it is WAIVED for this offline-MVP scope only and does NOT cover B4′. The gated build prompt still lists "B0‴ disposed" as precondition 1; resolved by the owner waiver (does not default to Codex). Consistent.
- No KB↔KB conflict on counts, scope, or readiness. No CONFLICT requiring KB/PG/native override was found.
1.4 Extracted constraints (binding on this run)
- B4′ PASS requires running the 12 §6 probes inside a real deny-by-default container on an approved venue, returning the §7 evidence bundle (probe_id, operation, expected, actual_stderr_or_value, errno_or_exit, verdict, artifact_path per probe; top-level venue, image_digest, seccomp_sha256, runtime; raw.{mountinfo, env_keyset, proc_net_dev}).
- Mac-local is a rejected venue (owner direction; Article-14 venue-confusion). Mac Docker Desktop must not be started.
- MVP must stay offline / no-PG-driver / no-KB-writer / no-gate-consumer / no-proof-of-run; build only after B4′ PASS.
- Codex must not be consulted this scope. No production mutation. No install.
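A structural pre-check for the §7 evidence bundle described above, as an added example (not the project's own verifier). Field names come from this page; the `probes` list key, the `PASS` verdict string, the `mac-local` venue label and every sample value are assumptions.

```python
import re

# Field names come from the §7 bundle description on this page.
PROBE_FIELDS = {"probe_id", "operation", "expected", "actual_stderr_or_value",
                "errno_or_exit", "verdict", "artifact_path"}
TOP_FIELDS = {"venue", "image_digest", "seccomp_sha256", "runtime"}
RAW_FIELDS = {"mountinfo", "env_keyset", "proc_net_dev"}
REQUIRED_PROBES = 12  # "the 12 §6 probes"
# Assumptions, not from the page: probes sit under a "probes" list, a passing
# verdict is the string "PASS", and the rejected venue is labelled "mac-local".
REJECTED_VENUES = {"mac-local"}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def check_bundle(bundle: dict) -> list:
    """Return findings; an empty list means the bundle is structurally fit to count."""
    findings = [f"missing top-level field: {k}" for k in sorted(TOP_FIELDS - set(bundle))]
    if str(bundle.get("venue", "")).lower() in REJECTED_VENUES:
        findings.append("venue is rejected for attestation")
    if not SHA256_HEX.fullmatch(str(bundle.get("seccomp_sha256", ""))):
        findings.append("seccomp_sha256 is not a 64-char hex digest")
    raw = bundle.get("raw") if isinstance(bundle.get("raw"), dict) else {}
    for key in sorted(RAW_FIELDS):
        if not raw.get(key):  # an absent or empty raw capture is not evidence
            findings.append(f"raw.{key} missing or empty")
    probes = bundle.get("probes") if isinstance(bundle.get("probes"), list) else []
    probes = [p for p in probes if isinstance(p, dict)]
    distinct = {str(p.get("probe_id")) for p in probes}
    if len(probes) != REQUIRED_PROBES or len(distinct) != REQUIRED_PROBES:
        findings.append(f"expected {REQUIRED_PROBES} distinct probes, got {len(distinct)}")
    for p in probes:
        pid = p.get("probe_id", "?")
        findings += [f"probe {pid}: missing {k}" for k in sorted(PROBE_FIELDS - set(p))]
        if p.get("verdict") != "PASS":  # prose-only or partial results never pass
            findings.append(f"probe {pid}: verdict {p.get('verdict')!r} is not PASS")
    return findings


def sample_bundle() -> dict:
    """Constructed sample data; every value here is a placeholder."""
    probe = {"operation": "constructed", "expected": "denied",
             "actual_stderr_or_value": "constructed", "errno_or_exit": 1,
             "verdict": "PASS", "artifact_path": "constructed/path.log"}
    return {"venue": "ci-hosted-runner", "image_digest": "sha256:" + "0" * 64,
            "seccomp_sha256": "0" * 64, "runtime": "constructed",
            "raw": {k: "constructed capture" for k in RAW_FIELDS},
            "probes": [dict(probe, probe_id=f"P{i:02d}") for i in range(1, 13)]}
```

An empty findings list only says the bundle is complete and self-consistent in shape; the read-only comparison against the rev4 matrix is a separate step.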
1.5 KB input verdict
PASS — KB read first and in full; statuses consistent; constraints extracted; no blocking contradiction. Proceed to substrate inventory on KB-confirmed footing.
Track 2 — Execution substrate inventory
Fresh native evidence (2026-06-10): VPS list_docker → 11 containers up (runtime present); the VPS Docker socket is read-only by design (tool contract: "Read-only; Docker socket is mounted read-only."). The exposed VPS toolset is list_docker, docker_logs, pg_schema, query_pg, read_file, write_file(→/opt/incomex/docs/mcp-writes), directus_* — no run/create/exec/shell. Local gh is authenticated (Huyen1974; scopes incl. workflow,repo,admin:org); /Users/nmhuyen is not a git repo; no project repo for tool-kiem-thu exists.
| # | Surface | Venue type | Approved | Can create/run disposable container | Can create files | Can collect logs | Can update KB reports | Production risk | Permission gap | Decision |
|---|---|---|---|---|---|---|---|---|---|---|
| S1 | VPS Docker via MCP (list_docker/docker_logs) | VPS | governed-yes (read-only) | NO (socket read-only; no run/create/exec) | no | tail only | no | n/a (read-only) | no container-create/exec tool | Cannot attest — inspect only |
| S2 | VPS shell / SSH | VPS | NO (no tool; no creds exposed) | unknown/NO | no | no | no | high if bypassed | no governed shell tool; going around governance = shadow path | Reject (no approved path) |
| S3 | VPS write_file (/opt/incomex/docs/mcp-writes) | VPS | yes | no (text only) | yes (text) | no | n/a | low | not an execution surface | Use as evidence-return channel only |
| S4 | VPS query_pg / pg_schema | VPS | yes (read-only SELECT) | no | no | no | no | n/a | not an execution surface | Inspect only |
| S5 | Local Bash (Mac) | local | REJECTED venue for attestation | technically maybe (Docker Desktop) | yes | yes | via MCP | n/a | owner-rejected; Article-14 venue-confusion | Reject for attestation; use only for gh/git route inspection |
| S6 | computer-use MCP → Terminal | local | REJECTED + tier-limited | no | no | no | no | n/a | terminals are "click" tier (cannot type); Mac-local anyway | Reject |
| S7 | GitHub Actions (hosted runner) | CI | approved-EQUIVALENT, pending owner repo authorization | YES (ephemeral ubuntu VM, Docker preinstalled, non-Mac-local) | yes | yes (artifacts) | indirectly (operator returns bundle) | none (single-use VM, --rm) | owner must authorize a repo to host the workflow; publishing internal harness externally is outward-facing | PREPARE — Route 2 packet authored |
| S8 | Approved internal CI runner (if any) | CI | unknown (none identified) | yes if it exists | yes | yes | yes | low | none identified in governed surfaces | Use if owner designates one (CI-B) |
| S9 | Human operator on VPS w/ docker permission | operator | yes (owner/operator) | YES | yes | yes | yes | low (use --rm throwaway) | requires human with VPS docker rights | PREPARE — Route 3 packet consolidated |
| S10 | incomex-agent-api-executor container (:8090) | VPS | not agent-reachable for arbitrary container-create | NO (no MCP tool wired to it for docker run) | no | no | no | high if misused | no exposed tool/contract | Reject (no governed call surface) |
Inventory verdict: No agent-runnable approved execution substrate exists. Two human/CI-triggerable approved substrates are ready (S7 CI, S9 operator). S2/S5/S6/S10 rejected with reasons. The runtime exists (S1) but is read-only by design.
Track 3 — Route decision
Selected: Route 2 (Approved CI / GitHub Actions) as PRIMARY, with Route 3 (Operator-run VPS) as co-equal fallback. Both packets are delivered. The single unresolved input is the owner's venue authorization.
Why Route 2 is primary
- The hosted runner is ephemeral, single-use, non-Mac-local, Docker-capable — it satisfies "approved CI runner with equivalent container isolation," the exact venue the KB names as Option D / V2.
- It removes the hardest prerequisite of Route 3 (a human with live docker run on the VPS): the action collapses to "authorize repo → click Run → download artifact."
- The full workflow + probe harness + evidence emitter is authored (planning/ci-sandbox-attestation-workflow-draft-2026-06-10.md) and the CI packet (checkpoints/ci-attestation-packet-phase2-sandbox-2026-06-10.md) carries trigger/collect/verify/cleanup — no design work remains.
Why not the others
- Route 1 (Direct VPS attestation by agent): rejected — VPS Docker socket is read-only by design; no run/create/exec tool. The agent physically cannot create a container.
- Route 3 (Operator-run VPS): kept as fallback, not primary — equally valid but requires a human with VPS docker permission; higher-friction than a workflow trigger. Packet delivered.
- Route 4 (Design repair / rev5): rejected — no design defect found; rev4 profile/matrix/pilot are internally consistent (Track 1.3). The blocker is execution-permission, not design.
- Route 5 (True blocker): rejected — a safe approved path provably exists (CI hosted runner and/or operator VPS), so "no safe path exists" is false.
The one owner decision (cannot be closed by engineering evidence)
Authorize CI-A (create a private Huyen1974/tki-sandbox-attest repo for attestation — note this publishes the harness to GitHub) or CI-B (designate an existing approved repo/runner) or the VPS operator route. The agent did not create any external repo or publish anything: doing so is outward-facing and the B0‴ waiver is explicitly narrow (offline prototype-prep), so it does not authorize standing up external CI infrastructure.
Tracks 4–9 — not reached (honest, no fake-green)
| Track | State | Reason |
|---|---|---|
| T4 Direct VPS attestation run | NOT RUN | no agent-facing container-create/exec on any approved venue |
| T5 CI execution packet | DELIVERED (workflow + harness + packet) | ready to apply; awaiting owner repo authorization + trigger |
| T6 Operator packet | DELIVERED (consolidated final) | awaiting human with VPS docker permission |
| T7 Build offline MVP | NOT BUILT (gated) | prohibited until B4′ PASS; correctly withheld |
| T8 Acceptance/negative tests | NOT RUN | L1-dependent tests (#25/#27/#28/#29/#33/#34/#35/#37) require an attested sandbox |
| T9 FIX7 read/report fixture | NOT RUN | part of the MVP, which is gated |
No B4′ attestation report/JSON/raw-log, no MVP execution report/JSON/matrix-binding/raw-log were produced — those deliverables are intentionally absent because their preconditions are unmet. Producing them now would be fake-green (Article 14 violation).
Track 11 — Cleanup
No disposable execution artifacts were created (no container run, no repo created, no external publish). Nothing to clean up. Local Bash was used only for read-only gh/git inspection. VPS used read-only except KB document writes (deliverables). Cleanup verdict: N/A — nothing disposable created.
Track 12 — Article 13 audit (PG-first / native / driven)
| Check | Verdict |
|---|---|
| KB read first, before local | PASS (full KB readback before any decision) |
| Native/governed evidence drove the inventory (list_docker, tool contracts) | PASS |
| No Mac-local substitution as authority | PASS (Mac used only to read gh/git state) |
| No local-first authority | PASS |
| Generated artifacts treated as evidence, not authority | PASS (CI draft labeled draft/evidence) |
| No shadow SSOT created | PASS (no external repo/infra stood up) |
Article 13: PASS.
Track 13 — Article 14 audit (evidence-backed, no fake-green)
| Check | Verdict |
|---|---|
| No prose-only PASS | PASS (no PASS claimed; B4′ stays BLOCKED) |
| Every claim backed by evidence | PASS (tool contracts, list_docker, gh auth status quoted) |
| No fake-green | PASS (Tracks 4/7/8/9 honestly NOT RUN) |
| No unsupported build authorization | PASS (MVP gated, not built) |
| No hidden mutation | PASS (no prod mutation; only KB doc writes) |
| Partial/failures reported honestly | PASS (residual owner/authority blocker named) |
Article 14: PASS.
Remaining blocker & minimal safe next step
- Blocker: B4_PRIME_AUTHORIZATION_AND_EXECUTION_REQUIRED — pure owner authorization + human/CI execution permission. No engineering ambiguity. Details: checkpoints/action-ready-blocker-after-phase2-execution-substrate-2026-06-10.md.
- Minimal safe next step: owner authorizes one venue — CI-A/CI-B (then trigger planning/ci-sandbox-attestation-workflow-draft-2026-06-10.md per its §3) or the VPS operator packet (checkpoints/operator-execution-packet-phase2-sandbox-final-2026-06-10.md). Either returns the §7 bundle; a follow-up agent verifies it read-only against rev4 matrix #24–#37 and only then runs the gated build prompt.