02 — Endpoint Service Feasibility and Implementation
02 — Endpoint Service Feasibility and Implementation (Workstream A)
Verdict: FEASIBLE NOW — authored, staged, logic-proven. Deploy is owner/operator-gated.
This overturns the prior macro's "BLOCKED_EXTERNAL (no credential + hosting)" verdict on the strength of new live evidence.
New live evidence (the premise change)
| fact | prior assumption | live finding (2026-06-04) |
|---|---|---|
| LLM credential | "none on VPS" | OpenAI key present in incomex-agent-data; openai SDK installed |
| egress | unknown | api.openai.com reachable (HTTP 401 without key = auth-only path open) |
| Anthropic key | implied needed | absent — so OpenAI is the default provider |
| hosting surface | "missing" | standard docker-compose on the internal network; same pattern as 10 live services |
Checked credential names only (values redacted via cut -d= -f1); no secret was read.
What was implemented (real code, staged)
A FastAPI plan-only / dry-run producer service at
/opt/incomex/docs/mcp-writes/process-discovery-endpoint-service-2026-06-04/:
main.py—/healthz,/selfcheck,/dispatch; fail-closed runtime gate; refuses REAL_RUN / non-DRYRUN-NS / missing fixture / missing correlation; returns to memory; never writes DB.verifier.py— deterministic verifier; Python twin of the (now-fixed) DB self-check; addscheck_producer_outputfor validating an actual producer output (not just fixture self-consistency).llm_client.py— provider-auto adapter; OpenAI default (matches the credential present), Anthropic optional; temperature 0 for idempotency; strict grounding system prompt.fixtures/dot_kg_explain_fixture_v1.json— the staged fixture (copied from the live fixture).container-build-recipe.txt(Dockerfile),service-snippet.txt(compose), requirements,reverse-proxy-optional-snippet.txt(default: do NOT expose),selftest_no_llm.py.
Endpoint requirements vs implementation
| requirement | met by |
|---|---|
| no-mutation producer | service makes zero DB connections; returns to memory; README + code assert it |
| consumes fixture_ref | _load_fixture allowlist (no traversal) |
| writes only DRYRUN-NS | refuses non-DRYRUN-NS: namespaces |
| plan-only/dry-run mode | PLAN_ONLY validates; DRY_RUN produces+verifies |
| refuses production mode | REAL_RUN → 403; runtime gate → 409 |
| refuses missing fixture | 404 |
| refuses missing correlation | 400 |
| idempotent | temperature 0 + deterministic fixture |
| logs safely | structured JSON return; no secret echo |
| no direct observation write | DB observation stays with fn_process_agent_api_dispatch |
| generic (not dot:kg-only) | keyed by dot_code + FIXTURE_MAP; add a row + fixture for another DOT |
Proof (this run, on the VPS)
python3 selftest_no_llm.py →
- fixture_selfcheck 7/7 PASS
- negative control (hallucinated node) correctly FAILS
- check_producer_output on a mock output PASSES
- producer-output negative control correctly FAILS No LLM, no DB, no network used by the self-test.
Chosen implementation path
Path 3 (container service) on the existing docker-compose surface, provider = OpenAI (the credential that exists). Paths considered and rejected: DB function (cannot reason), fixture replay (mock), reuse claude-mcp/kb (not DOT executors), mock contract (forbidden).
What remains (narrow, owner/operator)
- Owner authorizes reuse of the OpenAI credential for this new executor.
- Operator builds + deploys the staged container (internal-only).
- Operator runs the real
selfcheck+ a non-mockdispatchdry-run, then binds the endpoint.
Completion
Endpoint feasibility resolved to FEASIBLE; service authored, staged, and proven at the logic level. Remaining steps are authorization + deploy, not engineering discovery.