- Normalize rich proposals into atomic reviewed canonical graph bundles with exact row verification. - Harden reviewer/apply roles, upgrade ACLs, and prove generic plus Helmer lifecycles in isolated PostgreSQL. - Publish repo-native VPS/GCP/Cory skills and live-readonly GCP inventory without changing the live VPS runtime. `.agents/skills/crabbox/SKILL.md` `.agents/skills/teleo-gcp-parity-ops/SKILL.md` `.agents/skills/teleo-kb-db-change-workflow/SKILL.md` `.agents/skills/teleo-leo-onboarding/SKILL.md` `.agents/skills/teleo-vps-runtime-ops/SKILL.md` `.agents/skills/working-leo-cory-outcomes/SKILL.md` `docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.json` `docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.md` `docs/reports/leo-working-state-20260709/current-truth-index.md` `docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.json` `docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.md` `docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.json` `docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.md` `docs/reports/leo-working-state-20260709/gcp-parallel-delegation-current.json` `docs/reports/leo-working-state-20260709/helmer-approve-claim-clone-canary-current.json` `docs/reports/leo-working-state-20260709/helmer-approve-claim-normalization-current.json` `docs/reports/leo-working-state-20260709/skill-pack-manifest.json` `docs/reports/leo-working-state-20260709/skill-pack-readme.md` `docs/reports/leo-working-state-20260709/working-leo-current-state-20260709.md` `docs/reports/leo-working-state-20260709/working-leo-definition-20260709.md` `docs/reports/leo-working-state-20260709/working-leo-execution-plan-current.md` `scripts/apply_proposal.py` `scripts/apply_worker.py` `scripts/approve_proposal.py` `scripts/kb_apply_prereqs.sql` `scripts/kb_proposal_normalize.py` `scripts/probe_gcp_db_parity.py` `scripts/run_approve_claim_clone_canary.py` `scripts/run_approve_claim_isolated_container_canary.sh` `tests/test_apply_proposal.py` `tests/test_apply_worker.py` `tests/test_approve_proposal.py` `tests/test_kb_apply_prereqs.py` `tests/test_kb_proposal_normalize.py` `tests/test_kb_proposal_routes.py` `tests/test_probe_gcp_db_parity.py` `tests/test_repo_skill_pack.py`
4.4 KiB
Approved Claim Bundle Isolation Canary
Status: pass
Working Target
A Cory-approved strict bundle must move through a separate reviewer credential, an immutable approval snapshot, and a narrow apply credential before exact claim/source/evidence/edge/reasoning-tool rows become canonical. A stale payload, replay, hash collision, or direct privilege bypass must leave no partial rows.
Final Runtime Proof
- Generic bundle:
37/37checks passed. Its exact payload-controlled projection and exact table deltas were2claims,2sources,2evidence links,1edge, and1reasoning tool. - Real Helmer bundle:
37/37checks passed. Its exact payload-controlled projection and exact table deltas were5claims,13sources,17evidence links,7edges, and1reasoning tool. - Helmer source proposal:
a64df080-8502-42e2-98f4-9bbdecb8da73; strict child proposal in the final isolated run:87344d36-5005-5d88-a04c-067aeceda3c3. kb_reviewapproved the exact pending type and full JSON payload as mapped reviewerm3ta; the immutable approval row matched the proposal ledger.kb_applycould not directly update proposal status/payload, immutable approval rows, or existingclaim_evidencerows.- Mutating the approved ledger after SQL generation made the stale apply fail before canonical writes; restoring the ledger left the immutable approval unchanged.
- Replay was refused. A different source ID reusing an existing source hash was refused, and its proposal/approval remained intact with zero partial rows.
- Every payload-controlled persisted field, including weights, roles, owners, tags, hashes, and relationships, matched the reviewed payload. Exact table deltas also exclude unexpected extra rows under unrelated IDs.
- The migration readback proves one expected signature per gate function, no legacy overload, no protected-role membership, no object owned by a login role, and the exact reviewer/apply execute split.
Isolation And Cleanup
- Both runs used a new unexposed
postgres:16container built from a read-only schema/reference copy of liveteleo; no cluster-wide role was created in the productionteleo-pginstance. - The wrapper issued read-only queries to live
teleo-pg; endpoint counts were identical before and after each final run, with zero deltas for all six tables:claims=1837,sources=4145,claim_evidence=4670,claim_edges=4916,reasoning_tools=17,kb_proposals=26. This is endpoint-count evidence, not a claim that every live row byte was compared. leoclean-gateway.servicestayedactive/running,MainPID=2999690,NRestarts=0.- Inner clone databases, outer Postgres containers, temporary workdirs, and the remote source bundle were removed. Independent name/path readbacks found no residue after cleanup.
- Both receipts retain repo-relative SHA-256/size bindings for the apply, approval, prerequisite SQL, inner canary, and isolation wrapper source files; a local recomputation matched every retained hash.
- No Telegram message, production canonical apply, production permission migration, service restart, or runtime-profile write occurred.
Reproduce
Generic bundle:
scripts/run_approve_claim_isolated_container_canary.sh \
--output docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.json
Real normalized Helmer bundle:
scripts/run_approve_claim_isolated_container_canary.sh \
--normalization-json docs/reports/leo-working-state-20260709/helmer-approve-claim-normalization-current.json \
--output docs/reports/leo-working-state-20260709/helmer-approve-claim-clone-canary-current.json
Evidence And Claim Ceiling
- Generic receipt:
approve-claim-clone-canary-current.json - Helmer receipt:
helmer-approve-claim-clone-canary-current.json - Lossless normalization:
helmer-approve-claim-normalization-current.json - Inner harness:
scripts/run_approve_claim_clone_canary.py - Isolation wrapper:
scripts/run_approve_claim_isolated_container_canary.sh
This proves the repo-owned review/apply lifecycle at isolated runtime tier. It
does not mean the new code, reviewer/apply roles, or permission migration are
deployed on VPS production, and it does not mean Helmer is canonical there.
kb_apply remains an operator-only trusted canonical writer; the proof covers
the supplied tool and privilege matrix, not a compromised apply credential.