teleo-infrastructure/docs/reports/leo-working-state-20260709/gcp-canonical-parity-live-20260715.json

154 lines
7.8 KiB
JSON

{
"artifact": "gcp_canonical_parity_live_attempt",
"schema": "livingip.gcpCanonicalParityLiveAttempt.v1",
"generated_at_utc": "2026-07-15T01:50:20Z",
"status": "gated_external",
"required_tier": "T3_live_private_gcp_staging",
"current_tier": "T2_historical_source_and_isolated_restore_under_superseded_parity_contract",
"current_canary": "Restore the newest authorized canonical snapshot into one private generated Cloud SQL database, prove exact parity and ID-free Leo reasoning from staging compute, then drop the generated database and verify absence.",
"current_source": {
"run_id": "canonical-20260715t014930z",
"captured_at_utc": "2026-07-15T01:49:39.104116+00:00",
"capture_authorization_ref": "codex-delegation:019f47af-f2cc-7c10-b928-a9283afa2621",
"receipt_sha256": "7d96b052591d36df3b67dc6291b0f74a7bbeb9602c9cc424779e7c21194d59a5",
"dump_sha256": "6c56a841c1159a17f9404c2d63e3e93ae8ff55e842bf311d6d1bff21e9b95c9a",
"manifest_sha256": "39f06c6b9fc806a89ecd19294be29c58c499c65234611c7a483ddefa3c78d7d3",
"provenance_binding_sha256": "fb587093a76b61af670b7d968d32b78d6a87572faa78ca1ad93ef6cba1c9b776",
"source_system_identifier": "7649789040005668902",
"table_count": 39,
"total_rows": 52167,
"service": {
"active_state": "active",
"sub_state": "running",
"main_pid": 347406,
"restart_count": 0,
"unchanged": true
},
"production_database_mutated": false,
"telegram_send_attempted": false
},
"source_stability": {
"baseline_run_id": "canonical-20260715t014814z",
"current_run_id": "canonical-20260715t014930z",
"receipt_sha256": "d761a2b8b0313ee03c9d01e50fcca709af779578281cf10de5aed4709e914d72",
"status": "pass",
"delta_detected": false,
"table_count": 39,
"total_rows": 52167,
"total_row_delta": 0,
"changed_tables": [],
"changed_structures": [],
"table_fingerprint_sha256": "f50d86fc3ce699f602bdc0029485bd901fd98bd8114eecd5dcc4346a0f52112a",
"structure_fingerprint_sha256": "61bf482330a652ebdb419de3fb78196f2c7d25d1a482b100f385e8102c8e8d52"
},
"isolated_restore": {
"receipt_sha256": "181901afc91bebee7c343500c601ed1e5b7a5e42a5b81583d445109bfc680d86",
"status": "pass",
"source_table_count": 39,
"target_table_count": 39,
"source_total_rows": 52167,
"target_total_rows": 52167,
"table_mismatches": [],
"structural_hashes_equal": true,
"constraint_hash": "8b26d26fda56f09325e0603aae48051da08dfc6c35322fa88880acdabb8ad859",
"application_role_mismatches": {},
"target_extra_application_roles": [],
"required_extension_mismatches": {},
"performance_problems": [],
"network_mode": "none",
"persistent_postgres_storage_used": false,
"container_absent_after_test": true,
"authorization_state_verified": false,
"prior_manifest_contract_only": true
},
"contract_reassessment": {
"status": "changes_required",
"reviewed_manifest_sql_sha256": "430390129bc8980c4ece9939f2aee18e8c40e9da4b226782579349d5c45c5301",
"prior_receipts_recomputed_under_current_contract": false,
"newly_required_parity": [
"kb_gate_owner plus exact application-role attributes",
"role memberships",
"database, schema, relation, function, and type ownership",
"normalized database, schema, relation, column, function, and type ACLs",
"symmetric role and extension sets",
"nonempty row hash for every table"
],
"t3_receipt_accepted_by_repository_api": false,
"independent_platform_attestation_required": true
},
"permission_profile": {
"approval_policy": "never",
"sandbox_mode": "danger-full-access",
"network": "enabled"
},
"config_readback": {
"gcloud_sdk_version": "551.0.0",
"configured_account": "billy@livingip.xyz",
"configured_project": "teleo-501523",
"configured_account_status": "failed_noninteractive_reauthentication",
"application_default_credentials_status": "failed_noninteractive_reauthentication",
"expected_cloudsql_instance_not_currently_verified": "teleo-pgvector-standby",
"expected_private_network_not_currently_verified": "teleo-staging-net",
"expected_private_address_not_currently_verified": "10.61.0.3",
"expected_staging_compute_not_currently_verified": "teleo-prod-1/europe-west6-a",
"public_ip_disabled_currently_verified": false,
"generated_database_inventory_currently_verified": false
},
"attempted_no_approval_routes": [
"configured privileged gcloud identity",
"three other cached gcloud identities",
"application-default credentials",
"direct SSH to the retained staging address",
"local gcloud IAP SSH dry run",
"local and VPS TCP probes to the expected private Cloud SQL address",
"fixed GitHub IAP status workflow receipt",
"five GitHub readiness workflow receipts across candidate service accounts",
"current successful Artifact Registry-only WIF workflow"
],
"exact_gate": "The privileged local Google OAuth session requires human reauthentication, the fixed IAP workflow names an unavailable teleo-iap-operator WIF provider, and no existing noninteractive service-account route can obtain a Cloud SQL/Compute-capable token. Current Cloud SQL topology and generated-database inventory cannot be read, so the private restore cannot start.",
"why_autonomous_repair_stops": "Google reauthentication may require a password, MFA, passkey, or consent that Codex must not retrieve or enter. Recreating or rebinding the WIF/IAP identities requires an already-authorized GCP administrator, and no safe noninteractive identity currently has that authority.",
"next_non_user_action": "After the reviewed operator route and exact restore service account are available, capture a new source snapshot with the expanded manifest, implement and review a Cloud-SQL-compatible authorization replay, use verify-full TLS with the reviewed server name and CA, run the disposable clone lifecycle, then obtain an independently authenticated platform receipt. The repository eight-receipt verifier remains preparation-only.",
"gcp_effects_from_this_attempt": {
"cloudsql_database_created": false,
"gcp_resource_created": false,
"gcp_resource_modified": false,
"public_ip_exposure_changed": false,
"staging_promoted": false,
"telegram_sent": false
},
"proof_receipts": {
"retained_private_runtime_artifacts": true,
"source_receipt": {
"filename": "receipt.json",
"sha256": "7d96b052591d36df3b67dc6291b0f74a7bbeb9602c9cc424779e7c21194d59a5"
},
"source_manifest": {
"filename": "source-manifest.jsonl",
"sha256": "39f06c6b9fc806a89ecd19294be29c58c499c65234611c7a483ddefa3c78d7d3"
},
"source_delta": {
"filename": "source-stability-delta.json",
"sha256": "d761a2b8b0313ee03c9d01e50fcca709af779578281cf10de5aed4709e914d72"
},
"isolated_restore": {
"filename": "local-rebuild-receipt.json",
"sha256": "181901afc91bebee7c343500c601ed1e5b7a5e42a5b81583d445109bfc680d86"
},
"route_recheck": {
"filename": "route-recheck.json",
"sha256": "0fda5e6d58d72dcb084dc277bc59312bf62c002c728e249a9f16e79ae096037b"
}
},
"strongest_claim_allowed": "The retained snapshot was stable and reconstructed data and schema under the prior parity contract. It does not prove current authorization parity or live GCP operation under the expanded contract.",
"not_proven": [
"current Cloud SQL topology or public-IP-disabled state",
"current generated-database inventory",
"private staging-to-Cloud-SQL TLS connectivity",
"current Cloud SQL restore parity",
"current role membership, ownership, and ACL parity",
"certificate-authenticated verify-full database access",
"independently authenticated T3 lifecycle attestation",
"blind Leo reasoning against the generated Cloud SQL database",
"generated Cloud SQL database teardown"
]
}