KB-1F55

TKT NVSZ Real-Root Readiness Packet (operator-only, no designation)

Revision 1
<!-- DOC_STATUS: ACTIVE_NON_AUTHORITY -->

TKT NVSZ Real-Root Readiness Packet — 2026-06-11

  • Authority: NON_AUTHORITY / NOT_PROMOTED / SUPPORT_LANE
  • Host: T2 / CLAUDE CODE / FABLE
  • Object: TKT-OBJ-384 (PROPOSED, governed by TKT-OBJ-388)
  • APPLY_NOW: NO. This packet does NOT designate a root, does NOT create storage, does NOT upload raw evidence. It is an operator-ready checklist consolidating the existing governed NVSZ requirements (R0–R8) and escrow model so the operator can act in one pass. Root designation remains owner/operator-only (blocker V02-PB-NVSZ-1).

0. Readback Table D — NVSZ readiness

| Requirement | Current evidence | Operator input needed | Blocks base pack? | Blocks durable evidence? |
|---|---|---|---|---|
| Designated no-vector root | none — storage_location=local_workbench, nvsz_root.designated=false | designate explicit root_path + designated_by∈{owner,operator} | NO (base pack ships L0–L3 without a root) | YES (durable retention waits) |
| No-vector isolation (R0.1,R1.4) | only verified no-vector zone is a PG row store (not a file root) | choose storage outside vector KB / embedding pipeline | NO | YES |
| Hash ledger + tamper (R2) | local hashed escrow proven this lane | ledger on the real root | NO | YES |
| Regeneration (R3) | recipe in KB, regenerable | none (recipe independent of root) | NO | NO |
| Retention (R4) | /tmp disposable, regenerable | TTL or keep-N-runs policy + ACL | NO | YES |
| Validator exit 0 on real record (R7 gate) | escrow validator returns 0 only on local interim now | run validator against real root | NO | YES |

1. Required storage properties (verbatim R1, with R0 non-negotiables)

R0 non-negotiables:

  • R0.1 raw logs MUST NOT live in the vector KB (knowledge/, Qdrant, kb summary docs) — the only verified no-vector zone today is a Postgres row store, not a file/object root, so it does not satisfy R1.
  • R0.2 the root MUST NOT be invented by an agent — only owner/operator may designate (validator exit 9 on invented root).
  • R0.3 the root is NON_AUTHORITY — storing evidence grants no gate/seal/decision power (validator exit 6).

| id | requirement | acceptance test |
|---|---|---|
| R1.1 | stores raw files (.log/.json/.txt) outside vector KB | a written file is NOT retrievable via search_knowledge |
| R1.2 | stable paths OR content-addressed object ids | a path/oid resolves to the same bytes on re-read |
| R1.3 | append-only / write-once per run id (no silent overwrite) | re-writing same run id is rejected or versioned |
| R1.4 | outside the vector embedding pipeline | no Qdrant point created for a stored object |

Layout (R6): <NON_VECTOR_ROOT>/tool-kiem-thu/runs/<run_id>/ containing run_manifest.json, result.json, result.md, commands.sh, stdout.log, stderr.log, exit_codes.json, HASH_MANIFEST.sha256, packet_tree.sha256, negative_tests/, forbidden_scope/, rerun/RERUN.sh.

storage_kind ∈ {nvsz_file_root, nvsz_object_store, content_addressed_store, local_workbench}.

2. No-vector evidence policy

  • Raw logs MUST NOT be embedded (R0.1). Stored objects produce no Qdrant point (R1.4).
  • KB side stores how to reproduce (recipe commands.sh/*.py/*.sh, fixtures, summaries, pointers). Root side stores what was produced (raw stdout/stderr/*.log, run packets, hash ledger).
  • Validator rejects any pointer target/storage under knowledge/, kb://, vector://, qdrant://.

3. Escrow model — record schema + byte-vs-functional rule

Record schema (one JSON object per evidence class, enforced by the escrow validator TKT-OBJ-269):

{
  "evidence_class": "<name>",
  "claims_raw_log": true,
  "authority": "NON_AUTHORITY / NOT_PROMOTED",
  "may_gate": false, "decision_effect": "NONE",
  "pointer": {"target": "<no-vector path or oid>", "local_path": "<optional>",
              "hash": "sha256:<64hex>", "size": <int>,
              "produced_by": "<command>", "timestamp_policy": "<none|recorded|policy-ref>"},
  "storage_location": "local_workbench | nvsz_file_root | nvsz_object_store | content_addressed_store",
  "regeneration_command": "bash commands.sh",
  "determinism": "byte-exact | functional",
  "nvsz_root": {"designated": false, "designated_by": null}
}

Byte-vs-functional rule (verbatim): a class declares determinism. byte-exact = bytes invariant across reruns; validator recomputes and REJECTS a mismatch (exit 7). functional = only the verdict/exit is invariant; byte drift from mktemp paths is allowed and disclosed. Declared, not assumed.

4. Retention requirement

  • R4.1 a retention policy must exist (TTL or keep-N-runs).
  • R4.2 expiry must NEVER delete the last reproducible recipe — the KB recipe is independent; after raw expiry, bash commands.sh still regenerates.
  • R4.3 /tmp reconstruction dirs must have documented cleanup-or-retention.

5. Access / permission requirement

  • R5.2 designation is config/pointer only — no PG/Directus write, no production mutation by default.
  • R5.3 must be reviewable by future Codex/owner — reviewer can list + hash + regenerate without agent help.
  • R5.4 storing is reversible — re-pointable without losing the recipe.
  • R5.1 must not expose secrets — secret-looking tokens quarantined (validator exit 8).
  • R0.2 owner/operator-only designation; R0.3 grants no authority. Permission tests (write/read/delete) ONLY against a temp/dry-run path, never the real root (root-validator exit 12).

6. Validation commands / probes needed later

Two governed fail-closed validators already exist (both NON_AUTHORITY, neither designates a root):

  • Escrow-record validator nvsz_escrow_validator.py (TKT-OBJ-269) — exit taxonomy 0,2–9. This is the R7 gate validator: a root is accepted iff it returns exit 0 on a real escrow record whose storage_location is the new root and nvsz_root.designated_by ∈ {owner, operator}. (3=pointer-integrity, 4=regen-trace, 5=no-vector-violation, 6=authority-violation, 7=determinism-dishonesty, 8=secret-leak, 9=invented-root.)
  • Candidate-root descriptor validator nvsz_root_validator.py (TKT-OBJ-290) — exit taxonomy 0,2–14, runs at provisioning time on a candidate-root descriptor. (3=root-path-placeholder, 4=invented, 5=under-vector-kb, 6=pointer-integrity, 7=stale-hash, 8/9 dup, 10=path-traversal, 11=symlink-escape, 12=production/permtest-outside-temp, 13=fold-while-T1-active, 14=missing-hash-ledger.) The shipped candidate-root-template.json is intentionally INVALID (placeholder root_path → exit 3) so it can never accidentally become a designation.

Operator sequence later: fill a real candidate-root descriptor → nvsz_root_validator.py --descriptor <file> must clear (no exit 3/4/5/12/13) → write one real escrow record on the root → nvsz_escrow_validator.py must return exit 0 → only then is R7 met and V02-PB-NVSZ-1 closeable.
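
A sketch of how the fail-closed checks from sections 2, 3 and 6 could be applied to one escrow record, added here as an example; it is not the code of nvsz_escrow_validator.py. The check order, the mapping of a malformed or unreadable pointer to exit 3, and treating any `knowledge` path component as vector KB are assumptions; exits 4 and 8 are not covered.

```python
import hashlib
import posixpath
import re

# Exit codes as listed on this page for the escrow-record validator.
OK, POINTER_INTEGRITY, NO_VECTOR, AUTHORITY, DETERMINISM, INVENTED_ROOT = 0, 3, 5, 6, 7, 9
VECTOR_SCHEMES = ("kb://", "vector://", "qdrant://")
REAL_ROOT_KINDS = {"nvsz_file_root", "nvsz_object_store", "content_addressed_store"}
HASH_RE = re.compile(r"sha256:[0-9a-f]{64}")

def under_vector_kb(target):
    """True for a vector scheme or a path that resolves through knowledge/."""
    t = target.strip().lower()
    if t.startswith(VECTOR_SCHEMES):
        return True
    # normpath collapses "../" so a traversal into knowledge/ is still caught
    return "knowledge" in posixpath.normpath(t).split("/")

def check_record(rec):
    """Return 0, or the exit code of the first failed check (order assumed)."""
    ptr = rec.get("pointer") or {}
    target = ptr.get("target") or ""
    declared = ptr.get("hash") or ""
    if not target or not HASH_RE.fullmatch(declared):
        return POINTER_INTEGRITY
    if any(under_vector_kb(p) for p in (target, ptr.get("local_path") or "")):
        return NO_VECTOR                      # R0.1 / R1.4
    if (rec.get("authority") != "NON_AUTHORITY / NOT_PROMOTED"
            or rec.get("may_gate") is not False
            or rec.get("decision_effect") != "NONE"):
        return AUTHORITY                      # R0.3
    root = rec.get("nvsz_root") or {}
    designated = (root.get("designated") is True
                  and root.get("designated_by") in ("owner", "operator"))
    if rec.get("storage_location") in REAL_ROOT_KINDS and not designated:
        return INVENTED_ROOT                  # R0.2
    if rec.get("determinism") == "byte-exact":
        try:
            with open(target, "rb") as fh:
                actual = "sha256:" + hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            return POINTER_INTEGRITY
        if actual != declared:
            return DETERMINISM                # byte-exact declared, bytes drifted
    return OK

if __name__ == "__main__":
    # Constructed record: the pointer path traverses back into the vector KB.
    demo = {"pointer": {"target": "/srv/nvsz/../knowledge/raw.log", "hash": "sha256:" + "0" * 64}}
    print(check_record(demo))
```

A record declared `functional` skips the byte comparison, matching the rule that byte drift is allowed for that class as long as it is declared.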

7. Exact operator inputs still needed (the missing inputs)

To designate a real root, the operator must supply ALL of:

  1. An explicit named root_path (not <…>/PLACEHOLDER/OPERATOR_MUST_SET/TODO/CHANGEME/NON_VECTOR_ROOT_PLACEHOLDER/empty).
  2. storage_kind ∈ {nvsz_file_root, nvsz_object_store, content_addressed_store}; outside_vector_kb=true.
  3. designated=true with designated_by ∈ {owner, operator}.
  4. A hash ledger (path + sha256 ledger_hash) with ≥1 valid evidence record.
  5. Permissions asserting no production/real-run; any write/read/delete permission tests confined to a temp/dry-run path.
  6. A retention policy (TTL or keep-N-runs) + ACL.

Decision-packet options (TKT-OBJ-266), recommendation A now → C/D later:

  • A keep local hashed escrow (interim) — none/none, status quo, recommend now.
  • B designate an EXISTING no-vector root — operator designate + owner authorize; verify it bypasses the vector pipeline (R1.4).
  • C create a NEW no-vector object store — provisioning is a production action, out of agent scope; durable.
  • D content-addressed store (CAS/git-annex/IPFS-style) — integrity-first; durable.
  • E defer NVSZ root and BLOCK promotion — only if policy demands a root before any promotion (over-blocks; dev packet + Codex review do not require a root).

8. Blockers

| Blocker ID | Missing/failed item | Actor | Next action | Blocks |
|---|---|---|---|---|
| V02-PB-NVSZ-1 | no designated no-vector root | owner/operator | pick option A–E; if B/C/D, designate per §7 then run validators (§6) | durable evidence (NOT base pack) |
| V02-NVSZ-GOV-FOLD-1 | NVSZ gov objects 263..272/289..304 not folded | owner/GPT | apply prepared fold patch at T1-quiescent safe point | governance fold |

9. Verdict

NVSZ_READINESS = COMPLETE (checklist) · ROOT_DESIGNATED = NO · STORAGE_CREATED = NO · RAW_EVIDENCE_UPLOADED = NO · base pack is NOT blocked by the missing root; durable evidence IS.

knowledge/dev/laws/tool-kiem-thu/support/reports/tkt-nvsz-root-readiness-packet-2026-06-11.md