Sandbox Host Attestation for Phase-2 Offline MVP — PARTIAL (operator action required; B4′ still BLOCKED)
Macro: PROGRAM_MACRO_PROVISION_AND_ATTEST_DENY_BY_DEFAULT_SANDBOX_FOR_PHASE2_OFFLINE_MVP_2026_06_09
Date: 2026-06-09 · Mode: READ-ONLY (no install, no container creation, no system mutation, no Codex)
Final status: SANDBOX_ATTESTATION_PARTIAL — OPERATOR ACTION REQUIRED. B4′ remains BLOCKED. Sandbox is specified and reproducible, not attested. The MVP build must not run.
Production mutation: NO · Codex consulted: NO · Install/system mutation: NO
0. Why PARTIAL and not READY (the decisive constraint)
The agent has no command-execution surface capable of provisioning or running a sandbox:
- Production VPS runtime — Docker is live (11 containers, governed list_docker), but the governed Docker surface is read-only by design (the tool description states: "Read-only; Docker socket is mounted read-only."). There is no docker run/exec/create tool. The only VPS write surface, write_file, writes text only into /opt/incomex/docs/mcp-writes (no exec). → Cannot create or run a container on the production host through any available tool.
- Local Mac — Docker CLI installed (Homebrew) but the daemon is not running ("Cannot connect to the Docker daemon"); no Podman. Even if started, a local attestation proves only a local/ephemeral venue, which the owner directed (2026-06-09) is NOT an acceptable substitute for the operator/CI venue (Article-14 venue-confusion risk). → Not used.
The rev4/operator-packet architecture is itself operator-provisions → agent-verifies ("Agent will not run the sandbox itself"). Therefore the only honest completion the agent can reach now is: author a complete, reproducible, attestable profile + a command-level operator packet, and hold B4′ BLOCKED until the operator runs it on an approved venue and returns evidence. This matches the user's chosen path (Option 2, read-only).
Track 1 — KB readback proof
| KB path | Exists | Status/rev | Sandbox requirement extracted | Contradiction | Result |
|---|---|---|---|---|---|
| reports/sandbox-feasibility-and-phase2-build-go-decision-2026-06-09.md | YES | SANDBOX_DECISION_READY / build-go B (rev1) | Option B Docker primary; harness build-scope; attestation is the B4′ gate | none | PASS |
| reports/…decision-2026-06-09.json | YES | machine mirror | option matrix A–F; B "operator_action: attestation only" | none | PASS |
| checkpoints/operator-action-packet-sandbox-host-for-phase2-mvp-2026-06-09.md | YES | active (rev1) | the 6-row minimum bar; agent verifies read-only evidence, does not run sandbox | none | PASS |
| planning/build-offline-packet-mvp-with-guard-harness-program-macro-prompt-2026-06-09.md | YES | BUILD_PROMPT_READY_GATED | hard precondition 2 = sandbox attested; ~11/45 tests L1-dependent | none | PASS |
| designs/…gap-only-scope-spec-rev4-2026-06-09.md | YES | …REV4_READY_FOR_CODEX | §12.1 deny-by-default sandbox = primary L1; in-process guards secondary | none | PASS |
| designs/acceptance-test-matrix-…-rev4-2026-06-09.md | YES | ACCEPTANCE_MATRIX_v0_1_REV4… | L1 structural-bypass tests #24–#37; #27 = process-level egress | none | PASS |
| 00-index.md | YES | rev77 | current phase + minimal next step (operator attests + owner disposes B0‴) | none | PASS |
No KB↔KB contradiction. All sandbox requirements trace to rev4 §12.1 + operator packet §2. KB-first satisfied.
Track 2 — Runtime discovery proof (governed-native, read-only)
| Question | Method | Finding | Verdict |
|---|---|---|---|
| Docker/Podman runtime exists? | mcp__claude_ai_Incomex_VPS__list_docker (read-only) | Docker live; 11 containers (postgres:16 ×2 incl. ephemeral pg-restore-test-20260520T031054Z, directus:11.5, qdrant, nginx:alpine, nuxt, agent-data, claude-kb, claude-mcp, uptime-kuma) | runtime PRESENT |
| Can the agent create a disposable container on the host? | tool-surface inspection | list_docker socket read-only; no run/exec/create tool; write_file text-only to /opt/incomex/docs/mcp-writes | NO — governed surface is read-only |
| Does the agent/user have provisioning permission via tools? | tool-surface inspection | none exposed | UNVERIFIED via tools → operator/owner action |
| Will existing containers/networks/volumes be untouched? | n/a — agent performs no Docker write | guaranteed: agent issues no mutating Docker call | PRESERVED (no action taken) |
| Local runtime usable? | docker version / docker info (Bash) | daemon not running; no Podman | NOT AVAILABLE now |
Runtime discovery verdict: runtime exists on the host (no install needed), but is not agent-reachable for provisioning — read-only governed surface only. Provisioning is an operator resource action.
Track 3 — Sandbox profile definition
Delivered, complete and reproducible: designs/deny-by-default-sandbox-profile-phase2-offline-mvp-2026-06-09.md — Dockerfile (distroless, no shell), seccomp-deny-by-default.json (targeted-deny 4a concrete + default-deny 4b hardened target with honest iterate caveat), exact docker run command (all of: --network none, --read-only, two binds /in:ro + /out:rw, --cap-drop ALL, --security-opt no-new-privileges, scrubbed env, --pids-limit/--memory/--cpus, tmpfs noexec; explicitly no privileged/host-net/host-pid/host-ipc/home/docker-sock/secret mounts), Podman + bwrap fallbacks, and the §6 probe set.
Sandbox profile verdict: SPECIFIED — reproducible — attestable. Covers every required boundary (network, mounts, env, output, caps, privileges, syscalls, docker-socket, namespaces, resource limits). Not yet run.
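The boundary list above, restated as a command assembly plus a lint that a follow-up agent could apply read-only to the exact command line an operator returns with the §7 evidence. This is an added example, not the profile file or any project code: the image tag, host directories, seccomp file path and resource limits are assumed values, and the --cap-add and /home, /root mount checks are assumed consequences of "--cap-drop ALL" and "no home mounts". The lint itself never invokes docker.

```shell
#!/bin/sh
# Added example, not the project's own profile: assembles the deny-by-default
# docker run invocation from the Track 3 boundary list and lints a candidate
# command line against the same list. IMAGE, IN_DIR, OUT_DIR, SECCOMP and the
# resource limits are assumed values, not taken from the page.

IMAGE="${IMAGE:-phase2-offline-mvp:local}"            # assumed tag of the distroless image
IN_DIR="${IN_DIR:-/srv/phase2/in}"                    # assumed host dir, bound read-only at /in
OUT_DIR="${OUT_DIR:-/srv/phase2/out}"                 # assumed host dir, bound read-write at /out
SECCOMP="${SECCOMP:-./seccomp-deny-by-default.json}"  # profile's seccomp file; path assumed

# Emit the run command on one line so it can be diffed against an operator's copy.
build_run_cmd() {
  printf '%s' "docker run --rm \
--network none \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,nodev,size=64m \
-v ${IN_DIR}:/in:ro \
-v ${OUT_DIR}:/out:rw \
--cap-drop ALL \
--security-opt no-new-privileges \
--security-opt seccomp=${SECCOMP} \
--env-file /dev/null \
--pids-limit 64 \
--memory 512m \
--cpus 1 \
${IMAGE}"
}

# Lint a candidate command line. Prints OK, or the first violation as
# "MISSING <boundary>" / "FORBIDDEN <flag>", and returns 1 on any violation.
check_cmd() {
  # accept both "--flag value" and "--flag=value" spellings
  norm=$(printf '%s' "$1" | sed 's/--\([a-z-]*\)=/--\1 /g')
  for req in "--network none" "--read-only" ":/in:ro" ":/out:rw" \
             "--cap-drop ALL" "--security-opt no-new-privileges" \
             "--security-opt seccomp=" "--pids-limit" "--memory" "--cpus" "noexec"; do
    case "$norm" in *"$req"*) ;; *) printf 'MISSING %s\n' "$req"; return 1 ;; esac
  done
  # the profile's explicit exclusions, plus --cap-add (assumed: it would undo --cap-drop ALL)
  # and /home, /root as the "no home mounts" check (assumed path spelling)
  for bad in "--privileged" "--network host" "--pid host" "--ipc host" \
             "docker.sock" "--cap-add" "/home" "/root"; do
    case "$norm" in *"$bad"*) printf 'FORBIDDEN %s\n' "$bad"; return 1 ;; esac
  done
  printf 'OK\n'
}

# stand-alone usage: print the assembled command, then lint it
build_run_cmd; echo
check_cmd "$(build_run_cmd)"
```

The lint is deliberately string-based so it can run on the evidence bundle text without a Docker daemon; it tells the verifying agent whether the operator ran the specified boundaries, not whether the boundaries held, which is what the §6 probes are for.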
Track 4 — Attestation tests
NOT EXECUTED BY THE AGENT — no execution surface (Track 0/2). The exact tests the operator must run are fully specified in the profile §6 (PR-NET-1/2, PR-SOCK-1, PR-ENV-1, PR-FS-RO-IN, PR-FS-ESC-1/2, PR-FS-OUT-OK, PR-EXEC-1, PR-MOUNT-1, PR-SOCK-DOCKER, PR-PTRACE-1), each with operation identity, expected proof-of-block (EPERM/EROFS/EACCES/ENETUNREACH/empty-keyset), and L1 test binding (#24–#37). Required return-evidence schema is in profile §7.
Attestation test summary: 0 run / 12 specified. No PASS may be claimed. Per macro §2, "Docker exists" / "a container can run" / "the design says no network" are explicitly not completion.
Track 5 — Phase-2 build precondition update
The gated build prompt's hard precondition 2 (sandbox attested) remains UNMET. No …-v2… build prompt is produced (deliverable #6 is conditional on attestation, which did not occur). The exact action that flips the precondition is in the operator blocker packet (checkpoints/operator-blocker-packet-sandbox-attestation-2026-06-09.md): run profile §5–§6 on an approved venue, return §7 evidence; the agent then verifies read-only and binds to #24–#37. Build stays BLOCKED (rev4 §21 hard fallback B).
Track 6 — Article 13 audit
| Check | Result |
|---|---|
| KB-first / native facts | PASS — requirements from rev4 §12.1 + operator packet; runtime from governed list_docker |
| No local-first authority | PASS — local Docker state used only to prove "cannot attest locally", not as authority |
| Generated artifacts = evidence only | PASS — profile/report/packet explicitly marked non-authority, derived from KB |
| No shadow SSOT | PASS — profile defers to rev4 §12.1 on conflict |
Article 13 verdict: PASS.
Track 7 — Article 14 audit
| Check | Result |
|---|---|
| No prose-only PASS | PASS — no boundary is asserted PASS; all are "specified, awaiting run" |
| Every claim has evidence | PASS — runtime claim = list_docker output; "cannot attest" = tool schema + docker info error |
| No fake-green | PASS — final status PARTIAL; B4′ explicitly BLOCKED; no SANDBOX_ATTESTED_READY |
| No unsupported build authorization | PASS — build prompt v2 NOT created; build stays gated |
| No hidden mutation | PASS — zero Docker writes, zero installs, zero container creation; only KB doc writes |
| Venue honesty | PASS — local/ephemeral venue explicitly rejected as B4′ substitute (owner direction) |
Article 14 verdict: PASS.
Self-check (macro §6)
1. KB/AgentData first — YES
2. Avoided Codex — YES
3. Avoided install/system mutation — YES
4. Avoided prod container/network/volume mutation — YES
5. Avoided MVP implementation — YES
6. Only disposable tests specified (none run) — YES
7. Network/mount/env/output boundaries proven? — NO (specified, not run)
8. Evidence artifact paths recorded — YES (for what exists)
9. Article 13 — YES
10. Article 14 — YES
11. Avoided fake-green — YES
12. Next step unambiguous — YES
Item 7 is NO ⇒ status is correctly SANDBOX_ATTESTATION_PARTIAL, not READY.
Failure classification (macro §5)
OWNER/OPERATOR REQUIRED + INSUFFICIENT (no agent execution surface). Not "missing runtime" (runtime present), not "network cannot be denied" (it can — --network none), not "design repair required" (no rev4/profile defect found). The sandbox is realizable; only the run + attest step needs an actor with an execution surface on an approved venue.
Remaining blockers
- B4′ (load-bearing): deny-by-default sandbox not attested — operator runs profile §5–§6 on approved venue (Option B host throwaway container, or Option D CI) and returns §7 evidence. Gates build acceptance.
- B0‴ (parallel authority, WAIVED for this scope): owner waived Codex rev4 re-seal for Phase-2 offline-MVP prototype prep only; Codex may still be used later once sandbox/test evidence exists. Not reopened here.
Minimal safe next step (exactly one)
Operator runs checkpoints/operator-blocker-packet-sandbox-attestation-2026-06-09.md on an approved venue and returns the §7 attestation evidence bundle. Then a follow-up agent verifies it read-only, binds it to matrix #24–#37, and only then may B4′ acceptance be asserted. Do not run the MVP build until then.