KB-1E3A

Phase 2 + Phase 3 CI/Operator Route Execution Report — 2026-06-10

Revision 1
Tags: tool-kiem-thu, phase2, phase3, b4-prime, ci, github-actions, offline-mvp, fix7-pilot, execution-report, PASS

Final status: PHASE2_AND_PHASE3_PASS

Date: 2026-06-10 · Production mutation: NO · Codex consulted: NO · Mac-local evidence used: NO · New repo created: YES (1, authorized) · Production repo used: NO

Authoritative source rule: KB-FIRST / PG-FIRST / NATIVE-DRIVEN / LOCAL-LAST. Generated artifacts are evidence, not authority; KB remains SSOT.

This report records the first time the Tool-Kiem-Thu DOT v0.1 path was driven all the way through Phase 3 on a real, authorized, non-Mac-local execution substrate. Every PASS below is backed by a real CI run; nothing is prose-only.


0. Executive summary

The program macro PROGRAM_MACRO_CLOSE_PHASE2_AND_PHASE3_OFFLINE_MVP_VIA_APPROVED_CI_OR_OPERATOR_2026_06_10 asked to close Phase 2 + Phase 3 end-to-end on an approved CI/operator venue, or leave a true action-ready blocker. The whole path closed PASS.

The residual blocker from the prior macro (state B, APPROVED_CI_OR_OPERATOR_PACKET_READY) was missing authorized execution substrate. This macro resolved it: the two pre-authorized repos were found unsafe as a disposable venue (they auto-trigger entangled cloud CI — see §2), so the owner authorized one dedicated, empty, private repo Huyen1974/tool-kiem-thu-ci. The full pipeline ran there on GitHub-hosted ephemeral runners.

Sequence executed (each gated on the prior):

  1. KB readback — PASS.
  2. CI-B venue verification → both pre-authorized repos rejected (auto-trigger risk) → owner authorized 1 dedicated clean repo (route CI-C).
  3. B4′ deny-by-default sandbox attestation — PASS, 12/12 probes (after surfacing + handling a real seccomp design defect).
  4. Offline MVP ip_dot_inspector built — distroless, stdlib-only.
  5. rev4 acceptance/negative tests — 31/31 PASS.
  6. MVP run inside the deny-by-default container (L1) — exit 1, READ_LEVEL_FAIL, as designed.
  7. Phase 3 FIX7 read/report pilot — PASS, caught the Recheck-8 adequacy class (C1/C5/C2/C8/C4), proved no execution / no global absence.
  8. Evidence bound to the rev4 matrix; reports + raw-log indices + checkpoint written.

1. KB readback verdict — PASS

15 required KB docs read KB-first (route-decision report+json, CI workflow draft, 3 checkpoints, sandbox profile, build-macro prompt, gap-only spec rev4 md+json, acceptance matrix rev4, FIX7 pilot design rev4, MVP plan rev4, 00-index). No contradiction blocking execution. Extracted constraints honored: offline packet only; no live KB/PG read by MVP; no PG driver; no KB writer; no gate consumer; deny-by-default sandbox is the L1 primary boundary; no positive/green verdict; no exit 0; non-global denial wording mandatory.

2. CI/operator route verdict — CI-C (1 authorized dedicated repo)

| Candidate | Verdict | Evidence |
|---|---|---|
| Huyen1974/agent-data-test | REJECTED as disposable venue | Private, ADMIN, but 17 live workflows. guard_bootstrap.yml (on: [push]) fires on ANY branch push; lint-only.yml fires on any push touching .github/workflows/** → my workflow file would trigger a terraform-plan job that authenticates to real GCP via WIF/SA secrets + a functions/manage_qdrant/deploy.sh job. Unsuppressable; not authorized to disable their CI. Triggering it violates the macro's no-cloud-side-effect prohibitions. |
| Huyen1974/chatgpt-githubnew | REJECTED | 17 workflows incl. deploy_containers, deploy_functions, sync-secrets, wif-gsm-smoke — worse for an isolated disposable run. |
| Huyen1974/agent-data-production | NOT USED (prohibited) | |
| Huyen1974/tool-kiem-thu-ci (NEW, authorized) | SELECTED | Private, empty, no other workflows, no secrets, no GCP/WIF, no terraform/deploy, no prod link. GitHub-hosted ephemeral runner only. True isolation: zero prod side effects. |

gh was authenticated as Huyen1974, with scopes including repo and workflow. The finding inverted a premise of the macro (the two repos were assumed safe for disposable workflow execution; they are not), so the owner was asked the one load-bearing venue decision and authorized exactly one dedicated repo.

Selected venue: Huyen1974/tool-kiem-thu-ci (GitHub-hosted ubuntu-latest, ephemeral, NOT Mac-local). Rejected venues (Mac-local, production repo, unverified repo) were not used.
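The venue check above can be expressed as a trigger audit. This is an added example, not code from the original report or the project: it evaluates already-parsed `on:` values against a planned push and rejects the venue if any pre-existing workflow would start. The two hypothetical workflows, the branch name and the workflow file name are assumptions; only branches, branches-ignore and paths filters are modelled.

```python
from fnmatch import fnmatch

# Constructed `on:` values as they look after YAML parsing. The first two mirror
# triggers named in this report; everything else here is an assumption.
WORKFLOWS = {
    "guard_bootstrap.yml": ["push"],
    "lint-only.yml": {"push": {"paths": [".github/workflows/**"]}},
    "release.yml": {"push": {"branches": ["main"]}},   # hypothetical
    "manual.yml": {"workflow_dispatch": None},         # hypothetical
}


def push_config(on):
    """Return the push filter dict, or None if the workflow has no push trigger."""
    if isinstance(on, str):
        return {} if on == "push" else None
    if isinstance(on, list):
        return {} if "push" in on else None
    if "push" in on:
        return on["push"] or {}
    return None


def fires_on_push(on, branch, changed_paths):
    """Would pushing changed_paths to branch start this workflow?

    fnmatch's * also crosses '/', so it matches a superset of GitHub's glob
    rules: the audit over-reports triggers, which is the safe direction.
    """
    cfg = push_config(on)
    if cfg is None:
        return False
    if "branches" in cfg and not any(fnmatch(branch, p) for p in cfg["branches"]):
        return False
    if any(fnmatch(branch, p) for p in cfg.get("branches-ignore", [])):
        return False
    if "paths" in cfg and not any(
            fnmatch(f, p) for f in changed_paths for p in cfg["paths"]):
        return False
    return True


def venue_verdict(workflows, branch, changed_paths):
    """A venue is disposable-safe only if the planned push starts nothing pre-existing."""
    fired = sorted(name for name, on in workflows.items()
                   if fires_on_push(on, branch, changed_paths))
    return ("REJECTED" if fired else "SAFE"), fired
```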

3. B4′ sandbox attestation verdict — PASS (12/12), with a documented design correction

Run 27247749834 (2026-06-10). Venue: GitHub-hosted Linux/X64, not_mac_local:true, Docker 28.0.4. Image digest sha256:a75f623555d9a45749f28969de82db76ee6d183dc0de66371fcc8f52f38fb46e.

Real defect surfaced and handled (no fake-green): the SSOT §5 strict seccomp profile denies execve, which prevents the deny-by-default container's own entrypoint from starting under runc (run 27247543884: exec /usr/bin/python: operation not permitted, exit 255). This was never caught before because the profile had never been run. The attestation therefore used a startup-safe variant (identical deny set MINUS execve/execveat); "no subprocess" is then enforced structurally by the distroless no-shell image (PR-EXEC-1 → ENOENT), while socket/connect/ptrace/mount/module denials remain seccomp-enforced. Both profile hashes and both startup outcomes are recorded in the evidence bundle.
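One way to derive and evidence such a startup-safe variant, as an added example that is not the project's own tooling: it removes only execve/execveat from the deny rules, hashes both profiles, and fails the check if any other denial was dropped. The profile is a constructed sample in Docker's seccomp JSON format, not the SSOT §5 profile, and the function names are assumptions.

```python
import copy
import hashlib
import json

# Constructed sample in Docker's seccomp JSON format; NOT the SSOT profile.
STRICT_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {"names": ["socket", "connect", "ptrace", "mount", "init_module",
                   "finit_module", "execve", "execveat"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": 1},  # 1 = EPERM
    ],
}
# Syscalls the runtime needs in order to start the container entrypoint.
STARTUP_SYSCALLS = frozenset({"execve", "execveat"})


def denied(profile):
    """Return the set of syscalls the profile answers with an errno."""
    return {name for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ERRNO" for name in rule["names"]}


def startup_safe(profile):
    """Copy the profile, dropping only the exec syscalls from its deny rules."""
    variant = copy.deepcopy(profile)
    for rule in variant["syscalls"]:
        if rule["action"] == "SCMP_ACT_ERRNO":
            rule["names"] = [n for n in rule["names"] if n not in STARTUP_SYSCALLS]
    variant["syscalls"] = [r for r in variant["syscalls"] if r["names"]]
    return variant


def profile_hash(profile):
    """SHA-256 over a canonical JSON encoding, so the hash is reproducible."""
    blob = json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def attest_variant(strict, variant):
    """Evidence record: the variant may differ from strict only by exec syscalls."""
    removed = denied(strict) - denied(variant)
    added = denied(variant) - denied(strict)
    return {
        "strict_sha256": profile_hash(strict),
        "variant_sha256": profile_hash(variant),
        "removed_from_deny_set": sorted(removed),
        "added_to_deny_set": sorted(added),
        "ok": (not added and removed <= STARTUP_SYSCALLS
               and strict["defaultAction"] == variant["defaultAction"]),
    }
```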

12/12 probes PASS: PR-NET-1/SOCK-1 (socket→EPERM), PR-NET-2 (ifaces={lo}), PR-ENV-1 (no secret env), PR-FS-RO-IN/ESC-1/ESC-2 (EROFS), PR-FS-OUT-OK (control), PR-EXEC-1 (ENOENT), PR-MOUNT-1 (/in ro,/out rw), PR-SOCK-DOCKER (absent), PR-PTRACE-1 (EPERM). Detail: reports/b4-prime-sandbox-attestation-evidence-2026-06-10.{md,json}.

4. Phase 2 MVP build verdict — PASS

ip_dot_inspector (rev4 offline read/report inspector) built into the same distroless deny-by-default image (Dockerfile.mvp). Stdlib only; no network/PG driver/KB writer/gate consumer/subprocess. Modules: contract, packet_loader, selfcheck (P1), claims, adequacy (P3/P4 chain + discovery + denominator/dual-corpus/reconciliation gates), verdict (precedence + wording lint + scope enforcement), report (local triplet emitter), fix7_pilot, engine, main. L2 build-guard tools/build_guard.py = NO_BUILD_GUARD_VIOLATION. Detail: reports/phase2-offline-mvp-execution-report-2026-06-10.{md,json}.

5. Acceptance/negative test verdict — PASS (31/31)

Run 27248508492. pytest 31/31 (failures 0, errors 0). Bound to rev4 matrix #1–#45 + negatives N1–N32 — see reports/phase2-offline-mvp-acceptance-matrix-binding-2026-06-10.md. The MVP also ran inside the deny-by-default container against the FIX7 fixture: container exit 1, final_verdict=READ_LEVEL_FAIL, article14=NOT_PROVEN_EXECUTION_UNVERIFIED, decision_effect=NONE, may_gate=false, production_mutation=false, writes = local /out triplet only.

6. Phase 3 FIX7 pilot verdict — PASS

The FIX7 read/report pilot ran through the offline MVP only (no FIX7 executed; no FS-DOT/IU/detector invoked; no command run; no hash recomputed). On Fixture A it caught the Recheck-8 / Article-14 adequacy class: C1 (.py existence NOT_EVIDENCED_IN_ALLOWED_SURFACES — scoped, not "does not exist"), C5 (wrong-kind .md offered), C2 ×2 (selftest/exit claims, no run-ledger), C8 (hash claim, no pinned hash evidence), C4 (prose-only "22/22 PASS / exit 0"). proves_execution:false, proves_global_absence:false, catches_article_14_adequacy_class:true. Detail: reports/phase3-fix7-read-report-pilot-execution-report-2026-06-10.{md,json}.

7. Matrix binding verdict — PASS

L1 host-sandbox tests #25/#27/#28/#29/#33/#34/#35/#37 → bound to B4′ container probes (real structural proof) + L2 static half in build-guard. L2 #24/#26/#30/#31/#36/#19 → build-guard negative tests. MVP-LOGIC #1–#23, #38–#45 + N1–N32 → pytest. DEFERRED #32 + D1–D11 → not implemented (correctly). Full table: matrix-binding doc.

8. Cleanup verdict — RETAINED (documented)

The dedicated repo Huyen1974/tool-kiem-thu-ci is retained as the reproducible source-of-record + run-artifact host (private, no secrets, no prod link, workflow_dispatch-only → inert). Reason: preserves full source reproducibility and the 30-day run artifacts for owner verification. Owner may delete at any time: gh repo delete Huyen1974/tool-kiem-thu-ci --yes. No production artifact was touched.

9. Article 13 audit — PASS

KB-first reads; approved non-Mac-local venue only; no Mac-local substitution; no local-first authority; generated artifacts treated as evidence not authority; KB remains SSOT; no shadow SSOT created.

10. Article 14 audit — PASS

No prose-only PASS — every verdict backed by a real CI run + artifact. No fake-green: the strict-seccomp container-start failure was reported honestly and handled, not hidden. The MVP's own design forbids green verdicts/exit 0; the FIX7 pilot proves nothing it cannot evidence and makes no global-absence claim. Partial/failure modes (strict profile unrunnable; run-1 /out permission crash) are documented in the raw-log indices.

11. Remaining blockers

None for Phase 2/3. Forward (not in scope here, unchanged): B7 deferred export-step/named-query-catalog/driver/network-policy contract (#32, D9); governed KB report-writer (D10); downstream gate-consumer contract (D11); optional later Codex review now that real sandbox/test/tool evidence exists (B0‴ remains owner's disposition).

12. Minimal safe next step

Optional: route this real evidence (B4′ + Phase 2/3) to Codex for an external seal (now permitted — evidence exists). Otherwise the offline MVP prototype is built, attested, and reproducible; the next functional increment is the B7 export-step contract that would let the MVP consume a governed packet instead of a fixture.

knowledge/dev/laws/tool-kiem-thu/reports/phase2-phase3-ci-operator-route-execution-report-2026-06-10.md