chore: package send sandbox evidence gate
This commit is contained in:
@@ -58,7 +58,7 @@ N13/N14/N15 are pre-business validation results. They can help identify UI eleme
|
||||
|
||||
## Current loop
|
||||
|
||||
Current loop: `R6b B-route preview/dry-run contract complete; next R6c online sandbox-send evidence gate`.
|
||||
Current loop: `R6c local online-sandbox evidence package prepared; next R6d returned sandbox evidence intake after package is run and returned`.
|
||||
|
||||
Plan file: `docs/superpowers/plans/2026-07-10-core-business-capabilities-roadmap.md`.
|
||||
|
||||
@@ -115,6 +115,7 @@ Current loop output so far:
|
||||
42. R5b/C30-live: analyzed returned live-probe package `isphere-live-probe-20260710-121958`; confirmed one x86 `IMPlatformClient.exe` `4.1.2.6842`, live server endpoint evidence, installed B-route DLL presence, active local `MsgLib.db` path shape, and A-route UIA selectors for search/draft/send/file menu. Production send remains blocked because the probe did not prove runtime entrypoint reachability or send success/ack mapping and the captured chat panels report an offline-send blocker.
|
||||
43. R6a/C31: added WinHelper `0.4.0` read-only `probe_send_entrypoints` and `probe_send_uia_controls`, wired the live recorder to emit `send_entrypoints_preflight.json` and `send_uia_controls_preflight.json`, and verified that copied install metadata reports all 5 required B-route entrypoints available while the synthetic UIA classifier reports `A_ROUTE_OFFLINE_BLOCKED`. Production send/file upload remains blocked pending preview/dry-run, dynamic observation, idempotency/audit, and one approved sandbox send.
|
||||
44. R6b: added `isphere_send_message` preview/dry-run only. The tool validates `target_type`, `target_id`, `content_sha256`, and `idempotency_key`, returns connector metadata `implatform-sidecar`/`preview`, appends redacted JSONL audit events without raw message body or raw idempotency key, and returns `send_status="blocked"` for production with all side-effect flags false. `verify-go-mcp.ps1` now verifies the 9-tool surface and proves `send_preview_tool_present=true` and `production_send_enabled=false`.
|
||||
45. R6c: because the local machine cannot log in, prepared an online/internal sandbox evidence package instead of attempting local send. Added `scripts/package-send-sandbox-gate.ps1`, `scripts/verify-send-sandbox-gate-package.ps1`, and `docs/source-discovery/2026-07-10-send-sandbox-gate.md`; local verification generates `runs/send-sandbox-gate-package.zip` with the read-only recorder, before/after scripts, sandbox input template, SHA256 helper, expected-return checklist, and return-zip helper.
|
||||
|
||||
## Recompiled business roadmap
|
||||
|
||||
@@ -185,3 +186,14 @@ R6b B-route preview/dry-run contract is complete:
|
||||
- `ISPHERE_SEND_AUDIT_PATH` can override the local audit JSONL path; the default path is ignored under `runs/send-audit/send-message-preview.jsonl`.
|
||||
- Standard MCP smoke now verifies 9 tools and confirms production send is not enabled.
|
||||
- Decision: next node is R6c online sandbox-send evidence gate. Do not implement production send until one approved sandbox send proves success/ack or sent-record evidence and duplicate idempotency protection.
|
||||
|
||||
R6c local preparation for online sandbox-send evidence is complete:
|
||||
|
||||
- Local login is still unavailable, so no local live send was attempted.
|
||||
- Created `docs/source-discovery/2026-07-10-send-sandbox-gate.md`.
|
||||
- Added package script `scripts/package-send-sandbox-gate.ps1`.
|
||||
- Added verification script `scripts/verify-send-sandbox-gate-package.ps1`.
|
||||
- Verified package output: `runs/send-sandbox-gate-package.zip`.
|
||||
- Package requires an online/internal sandbox operator to run before/after read-only recorder captures around exactly one manual sandbox send.
|
||||
- Production `isphere_send_message` and `isphere_send_file` remain blocked until the returned package proves success/ack or sent-record evidence and no second send.
|
||||
- Next node: R6d returned sandbox evidence intake after the package is run and returned.
|
||||
|
||||
@@ -354,7 +354,52 @@ powershell -NoProfile -ExecutionPolicy Bypass -File .\scripts\validate-n12r-retu
|
||||
|
||||
Keep the validation report outside `$captureRoot`; the returned package is evidence input and should remain unchanged.
|
||||
|
||||
## 13. Troubleshooting
|
||||
## 13. R6c online sandbox send evidence package
|
||||
|
||||
The local development machine cannot log in to iSphere. Do not attempt to prove production send locally.
|
||||
|
||||
To prepare the online/internal sandbox evidence package:
|
||||
|
||||
```powershell
|
||||
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\package-send-sandbox-gate.ps1
|
||||
```
|
||||
|
||||
Verify the package locally:
|
||||
|
||||
```powershell
|
||||
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-send-sandbox-gate-package.ps1
|
||||
```
|
||||
|
||||
Expected output includes:
|
||||
|
||||
```json
|
||||
{
|
||||
"ok": true,
|
||||
"local_login_required": false,
|
||||
"online_sandbox_required": true,
|
||||
"production_send_enabled": false
|
||||
}
|
||||
```
|
||||
|
||||
Generated package:
|
||||
|
||||
```text
|
||||
runs\send-sandbox-gate-package.zip
|
||||
```
|
||||
|
||||
Send that zip to the online/internal sandbox operator. The operator must follow `OPERATOR-STEPS.md` inside the package:
|
||||
|
||||
1. fill `SANDBOX-SEND-INPUTS.json`;
|
||||
2. run `run-before-recorder.bat`;
|
||||
3. manually send exactly one sandbox message in the official client;
|
||||
4. fill `success_ack_or_sent_record`;
|
||||
5. run `run-after-recorder.bat`;
|
||||
6. run `make-return-zip.ps1`;
|
||||
7. return the generated zip.
|
||||
|
||||
Production `isphere_send_message` remains blocked until the returned package is analyzed.
|
||||
|
||||
## 14. Troubleshooting
|
||||
|
||||
- If C# helper build fails, run `scripts\build-win-helper.ps1` directly and check for missing .NET Framework reference assemblies.
|
||||
- If `win_helper_version` fails, rerun `powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-win-helper.ps1` first.
|
||||
|
||||
109
docs/source-discovery/2026-07-10-send-sandbox-gate.md
Normal file
109
docs/source-discovery/2026-07-10-send-sandbox-gate.md
Normal file
@@ -0,0 +1,109 @@
|
||||
# Send Sandbox Gate
|
||||
|
||||
Date: 2026-07-10
|
||||
Node: R6c online sandbox-send evidence gate
|
||||
|
||||
## Local constraint
|
||||
|
||||
The local development environment cannot log in to iSphere / IMPlatformClient because it has no reachable service endpoint. Therefore R6c cannot be completed by a local live send.
|
||||
|
||||
Decision for this loop: prepare a returnable online sandbox evidence package instead of attempting any local send.
|
||||
|
||||
## Package produced
|
||||
|
||||
Script:
|
||||
|
||||
```powershell
|
||||
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\package-send-sandbox-gate.ps1
|
||||
```
|
||||
|
||||
Verification:
|
||||
|
||||
```powershell
|
||||
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-send-sandbox-gate-package.ps1
|
||||
```
|
||||
|
||||
Generated package:
|
||||
|
||||
```text
|
||||
runs/send-sandbox-gate-package/
|
||||
runs/send-sandbox-gate-package.zip
|
||||
```
|
||||
|
||||
The package embeds the existing read-only live probe recorder under:
|
||||
|
||||
```text
|
||||
recorder/ISphereLiveProbeRecorder.exe
|
||||
recorder/variants/ISphereLiveProbeRecorder-x86.exe
|
||||
```
|
||||
|
||||
## Package files
|
||||
|
||||
| File | Purpose |
|
||||
| --- | --- |
|
||||
| `README.txt` | Explains local login limitation, online sandbox requirement, and one-send rule. |
|
||||
| `OPERATOR-STEPS.md` | Step-by-step operator procedure. |
|
||||
| `SANDBOX-SEND-INPUTS.template.json` | Template for sandbox target, content hash, idempotency key, and observed result. |
|
||||
| `EXPECTED-RETURN-FILES.txt` | Return package acceptance checklist. |
|
||||
| `run-before-recorder.bat` | Runs read-only recorder before the manual sandbox send. |
|
||||
| `run-after-recorder.bat` | Runs read-only recorder after the manual sandbox send. |
|
||||
| `compute-content-hash.ps1` | Computes SHA256 for the exact test message body. |
|
||||
| `make-return-zip.ps1` | Creates the return zip after before/after recordings and input JSON are present. |
|
||||
|
||||
## Operator rules
|
||||
|
||||
The package encodes these explicit markers:
|
||||
|
||||
```text
|
||||
LOCAL_LOGIN_UNAVAILABLE
|
||||
ONLINE_SANDBOX_REQUIRED
|
||||
MANUAL_ONE_SEND_ONLY
|
||||
DO_NOT_SEND_SECOND_TIME
|
||||
content_sha256
|
||||
idempotency_key
|
||||
success_ack_or_sent_record
|
||||
```
|
||||
|
||||
Required online procedure:
|
||||
|
||||
1. Log in normally on an online/internal sandbox machine.
|
||||
2. Fill `SANDBOX-SEND-INPUTS.json` from the template.
|
||||
3. Run `run-before-recorder.bat`.
|
||||
4. Manually send exactly one message to the declared sandbox target.
|
||||
5. Record `success_ack_or_sent_record`.
|
||||
6. Do not send a second copy.
|
||||
7. Run `run-after-recorder.bat`.
|
||||
8. Run `make-return-zip.ps1`.
|
||||
9. Return the generated zip.
|
||||
|
||||
## Safety boundary
|
||||
|
||||
The package does not:
|
||||
|
||||
- send messages automatically;
|
||||
- upload files;
|
||||
- click or type;
|
||||
- inject or hook;
|
||||
- capture network traffic;
|
||||
- enable production send.
|
||||
|
||||
The only send action is the operator's one manual sandbox send inside the official client.
|
||||
|
||||
## Acceptance gate
|
||||
|
||||
R6c can pass only after a returned package proves all of the following:
|
||||
|
||||
- explicit sandbox target;
|
||||
- exactly one content hash;
|
||||
- exactly one idempotency key;
|
||||
- observed success/ack or local sent-record evidence;
|
||||
- confirmation that no second send was made;
|
||||
- before/after read-only recorder outputs are present.
|
||||
|
||||
## Current decision
|
||||
|
||||
R6c local-preparation slice is complete, but the full online evidence gate is not passed yet.
|
||||
|
||||
Production `isphere_send_message` remains blocked.
|
||||
|
||||
Next node: **R6d returned sandbox evidence intake** after the user returns the generated package.
|
||||
@@ -344,17 +344,17 @@ connector_stage = "preview" | "sandbox_send" | "production"
|
||||
|
||||
## Next implementation loop
|
||||
|
||||
R6b B-route preview/dry-run contract is now complete. `isphere_send_message` is registered as preview/dry-run only, validates target/content-hash/idempotency input, appends redacted audit JSONL, and blocks production with all side-effect flags false.
|
||||
R6c local preparation is now complete. Because the local development machine cannot log in, the online sandbox-send gate was converted into a returnable evidence package rather than a local live-send attempt.
|
||||
|
||||
Next node should be **R6c online sandbox-send evidence gate**:
|
||||
Next node should be **R6d returned sandbox evidence intake** after the package is run in an online/internal sandbox and returned:
|
||||
|
||||
1. Prepare or collect one operator-approved sandbox send evidence package.
|
||||
2. Use one explicit sandbox target, one content hash, and one idempotency key.
|
||||
3. Observe success/ack or local sent-record evidence.
|
||||
4. Prove duplicate retry with the same idempotency key is locally rejected before any second send.
|
||||
5. Capture method names, argument shape, IDs/hashes, status booleans, and refs only.
|
||||
6. Do not enable production `send_message_after_approval` until the evidence gate passes.
|
||||
1. Check completed `SANDBOX-SEND-INPUTS.json`.
|
||||
2. Check before/after read-only recorder outputs.
|
||||
3. Confirm one explicit sandbox target, one content hash, and one idempotency key.
|
||||
4. Confirm `success_ack_or_sent_record`.
|
||||
5. Confirm no second send was made.
|
||||
6. Do not enable production `send_message_after_approval` until returned evidence passes.
|
||||
|
||||
## Current status
|
||||
|
||||
B is selected as the primary send/file-send route. Runtime discovery, entrypoint metadata preflight, and preview/dry-run audit are in place. A remains the fallback and now has concrete UIA selector/offline-blocker classifier support. Production send remains blocked until dynamic observation and one approved sandbox send prove success/ack behavior.
|
||||
B is selected as the primary send/file-send route. Runtime discovery, entrypoint metadata preflight, preview/dry-run audit, and the online sandbox evidence package are in place. A remains the fallback and now has concrete UIA selector/offline-blocker classifier support. Production send remains blocked until the returned sandbox package proves success/ack behavior.
|
||||
|
||||
@@ -6,6 +6,7 @@ Evidence index: `docs/source-discovery/2026-07-09-n12-pre-zyl-index.md`
|
||||
Schema notes: `docs/source-discovery/2026-07-09-n12-pre-zyl-schema-notes.md`
|
||||
Returned live probe: `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`
|
||||
Send connector preflight: `docs/source-discovery/2026-07-10-send-connector-preflight.md`
|
||||
Send sandbox gate: `docs/source-discovery/2026-07-10-send-sandbox-gate.md`
|
||||
|
||||
## Source priority
|
||||
|
||||
@@ -24,8 +25,8 @@ Send connector preflight: `docs/source-discovery/2026-07-10-send-connector-prefl
|
||||
| `isphere_search_contacts` | bare sender/receiver JIDs extracted from normalized log-backed messages loaded from configured PacketReader file or directory source | validated copied `MsgLib.db` tables: `TD_Roster`, `TD_CustomEffigy`, `tblRecent`, `tblChatLevel`, `tblPersonMsg`; decrypted roster/contact stanzas from `Smark.SendReceive`; UIA helper source if display names are still missing | `docs/source-discovery/2026-07-10-msglib-readonly-schema-extraction.md`; `internal/isphere/contacts_test.go`; `internal/tools/isphere_contacts_test.go` | C34 documents optional MsgLib contact display enrichment; R2 adds deterministic exact-match-first ranking, case-insensitive de-duplication across log/MsgLib candidates, and preserves `source`/`raw_ref` | core contact search complete; optional richer fields later |
|
||||
| `isphere_search_groups` | decrypted `PacketReader.ProcessPacket` `type="groupchat"` stanzas and conference/MUC JIDs loaded from configured PacketReader file or directory source | validated copied `MsgLib.db` tables: `tblMsgGroupPersonMsg`, `TD_WorkGroupAuth`, `tblRecent`; UIA helper source if group display names are still missing | `docs/source-discovery/2026-07-10-msglib-readonly-schema-extraction.md`; `internal/isphere/groups_test.go`; `internal/tools/isphere_groups_test.go`; C9 ignored-log scan: PacketReader 86 groupchat/86 conference hits; Smark 24 groupchat/658 conference/631 muc hits | C34 documents optional MsgLib group display enrichment; R2 adds deterministic exact-match-first ranking, case-insensitive de-duplication across log/MsgLib candidates, and preserves `source`/`raw_ref` | core group search complete; optional member/owner hierarchy later |
|
||||
| `isphere_receive_files` | decrypted `PacketReader.ProcessPacket` file-transfer message stanzas via `internal/isphere.ListFilesFromMessages` and `isphere_receive_files` list mode; configured PacketReader file or directory source; `zyl\importal\<hash>` cache entries remain unlinked | MsgLib `TD_ReceiveFileRecord` safe metadata through explicit copied-DB path; decrypted `Smark.SendReceive` and `SaveToDB` traces for file-reference reconciliation; future UIA/client connector for download | `docs/source-discovery/2026-07-09-n12-pre-zyl-schema-notes.md#c12-file-transfer-evidence-precheck`; `docs/source-discovery/2026-07-10-file-download-mapping-precheck.md`; `docs/source-discovery/2026-07-10-file-cache-mapping-diagnostic.md` | C22 verifies safe file-list contract args; R3 confirms list metadata is available; R3b diagnostic finds 0 current cache/archive matches, so R4 remains blocked | blocked pending better cache evidence or UI/client download connector |
|
||||
| `isphere_send_message` | B-route selected: running-client sidecar / in-process connector, preferring `AppContextManager.SendTxtMessageByJid(...)` or `MessageScheduling.SendChatMessage(...)` over the unimplemented `SendP2PMessage(...)` interface path; current MCP tool exposes preview/dry-run only | A-route fallback: constrained UI/RPA wrapper only if B cannot pass runtime probe, entrypoint availability, dynamic observation, and idempotent dry-run gates; network/protocol replay remains deferred | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `internal/tools/isphere_send_message_test.go` | R6b registers `isphere_send_message` preview/dry-run only. Preview validates target/content hash/idempotency, returns `send_status="planned"`, connector metadata, redacted audit metadata, and all side-effect flags false. Production returns `send_status="blocked"` and `production_send_enabled=false` in verification. No real send, success/ack, or production idempotency behavior is proven. | next: R6c online sandbox-send evidence gate; production send remains blocked |
|
||||
| `isphere_send_file` | B-route selected after send-message probe: managed offline-file path through `OffLineFileSend.sendFile()`, `IMPP.Service*.dll` `IFileTransfer.FileUpload(...)`, and `Chat.sendFileMessage(...)` | A-route fallback: constrained UI/RPA upload/send-file flow; native `TcpFileTransfer.dll` is a later candidate only after managed path is rejected | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md` | R6a/C31 metadata confirms `FileTransfer.FileUpload`, `FileTransfer.AsynFileUpload`, `OffLineFileSend.sendFile`, and `Chat.sendFileMessage` candidates. File-send remains blocked behind message-send sandbox evidence plus later upload/file-message dry-run evidence. | next: wait for R6c sandbox-send evidence, then file-send upload preflight |
|
||||
| `isphere_send_message` | B-route selected: running-client sidecar / in-process connector, preferring `AppContextManager.SendTxtMessageByJid(...)` or `MessageScheduling.SendChatMessage(...)` over the unimplemented `SendP2PMessage(...)` interface path; current MCP tool exposes preview/dry-run only | A-route fallback: constrained UI/RPA wrapper only if B cannot pass runtime probe, entrypoint availability, dynamic observation, and idempotent dry-run gates; network/protocol replay remains deferred | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-sandbox-gate.md`; `internal/tools/isphere_send_message_test.go` | R6c prepares the online sandbox evidence package because local login is unavailable. `runs/send-sandbox-gate-package.zip` can collect before/after read-only recorder outputs around one manual sandbox send, but no returned evidence has been analyzed yet. Production remains blocked. | next: R6d returned sandbox evidence intake after user returns the package |
|
||||
| `isphere_send_file` | B-route selected after send-message probe: managed offline-file path through `OffLineFileSend.sendFile()`, `IMPP.Service*.dll` `IFileTransfer.FileUpload(...)`, and `Chat.sendFileMessage(...)` | A-route fallback: constrained UI/RPA upload/send-file flow; native `TcpFileTransfer.dll` is a later candidate only after managed path is rejected | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-sandbox-gate.md` | R6a/C31 metadata confirms `FileTransfer.FileUpload`, `FileTransfer.AsynFileUpload`, `OffLineFileSend.sendFile`, and `Chat.sendFileMessage` candidates. File-send remains blocked behind returned message-send sandbox evidence plus later upload/file-message dry-run evidence. | next: wait for R6d, then file-send upload preflight |
|
||||
|
||||
## Stage C entry rule
|
||||
|
||||
@@ -42,4 +43,4 @@ Start Stage C with a narrow log-backed `isphere_receive_messages` source abstrac
|
||||
|
||||
## Deferred source work
|
||||
|
||||
`MsgLib.db` has a validated copied read-only open path through the bundled 32-bit `System.Data.SQLite.dll` and password `123`. C27 adds `MsgLibReadSidecar` as the bounded x86 .NET reader boundary, C28 adds the Go `internal/msglib` process client, C29 adds bounded `display_entities` extraction, C30 wires it as optional contact/group MCP enrichment, C31 proves real copied-DB MCP enrichment with sanitized output, C32 reuses it for receive-message display fields, C33 proves that receive display path through a real copied-DB MCP smoke without printing entity values, C34 documents the operator setup/verification path, C35 maps MsgLib message tables to receive-message contract fields without reading row values, C36 adds metadata-only `message_sources` readiness, C37 defines the bounded DB-backed receive-source design, C38 implements sidecar/Go-wrapper `list_messages` with sanitized verification, C39 adds a Go adapter from MsgLib list results to the receive-message domain model, C40 adds explicit tool-level `msglib_readonly` source selection, C41 wires env-configured explicit MsgLib receive with optional sanitized smoke, R1 documents source reconciliation keys, and R2 hardens contact/group search ranking and de-duplication. The active roadmap is `docs/superpowers/plans/2026-07-10-core-business-capabilities-roadmap.md`; next step is R6c online sandbox-send evidence gate.
|
||||
`MsgLib.db` has a validated copied read-only open path through the bundled 32-bit `System.Data.SQLite.dll` and password `123`. C27 adds `MsgLibReadSidecar` as the bounded x86 .NET reader boundary, C28 adds the Go `internal/msglib` process client, C29 adds bounded `display_entities` extraction, C30 wires it as optional contact/group MCP enrichment, C31 proves real copied-DB MCP enrichment with sanitized output, C32 reuses it for receive-message display fields, C33 proves that receive display path through a real copied-DB MCP smoke without printing entity values, C34 documents the operator setup/verification path, C35 maps MsgLib message tables to receive-message contract fields without reading row values, C36 adds metadata-only `message_sources` readiness, C37 defines the bounded DB-backed receive-source design, C38 implements sidecar/Go-wrapper `list_messages` with sanitized verification, C39 adds a Go adapter from MsgLib list results to the receive-message domain model, C40 adds explicit tool-level `msglib_readonly` source selection, C41 wires env-configured explicit MsgLib receive with optional sanitized smoke, R1 documents source reconciliation keys, and R2 hardens contact/group search ranking and de-duplication. The active roadmap is `docs/superpowers/plans/2026-07-10-core-business-capabilities-roadmap.md`; next step is R6d returned sandbox evidence intake after the online package is returned.
|
||||
|
||||
@@ -28,9 +28,9 @@
|
||||
| Search contacts | Registered MCP tool; deterministic exact-match ranking and case-insensitive de-duplication across log/JID candidates and optional copied-DB MsgLib display enrichment. | Optional richer fields such as department/title remain future enrichment, not a core search blocker. | complete for core search; optional enrichment later |
|
||||
| Search groups | Registered MCP tool; deterministic exact-match ranking and case-insensitive de-duplication across groupchat/conference candidates and optional copied-DB MsgLib display enrichment. | Optional member count, owner refs, and nested/group hierarchy remain future enrichment, not a core search blocker. | complete for core search; optional enrichment later |
|
||||
| Receive messages | PacketReader source works; copied `MsgLib.db` explicit receive works with `source_preference="msglib_readonly"`; R1 precheck says default should remain PacketReader until a future reconciliation helper is implemented. | Future reconciliation helper, source confidence scoring, pagination policy. | future receive helper after R2/R3 |
|
||||
| Send messages | `isphere_send_message` preview/dry-run is registered; R6a confirms B-route entrypoint metadata and A-route UIA/offline-state classifier support. | Need dynamic observation and one approved sandbox send before production. | next R6c online sandbox-send evidence gate |
|
||||
| Send messages | `isphere_send_message` preview/dry-run is registered; R6a confirms B-route entrypoint metadata; R6c local package for online sandbox evidence is prepared. | Need returned online sandbox evidence proving success/ack and no duplicate send before production. | next R6d returned sandbox evidence intake |
|
||||
| Receive files | List mode exists from message-derived file metadata; R3/R3b confirm DB file metadata exists but current cache/archive evidence does not map to local files. | R4 download is blocked until better cache evidence or a UI/client download connector is available. | blocked; continue R5 |
|
||||
| Send files | Contract exists; R6a/C31 metadata confirms file-upload/offline-file/file-message candidates and A-route file menu classifier support. | Blocked behind send-message sandbox evidence plus upload/file-transfer dry-run. | wait for R6c, then file-send upload preflight |
|
||||
| Send files | Contract exists; R6a/C31 metadata confirms file-upload/offline-file/file-message candidates and A-route file menu classifier support. | Blocked behind returned send-message sandbox evidence plus upload/file-transfer dry-run. | wait for R6d, then file-send upload preflight |
|
||||
|
||||
## Node Sequence
|
||||
|
||||
@@ -474,11 +474,45 @@ powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-go-mcp.ps1
|
||||
**Stop condition:**
|
||||
- If the environment cannot log in or cannot use a sandbox target, stop and request a returned sandbox evidence package rather than implementing production send.
|
||||
|
||||
**R6c Result:**
|
||||
|
||||
- Created `docs/source-discovery/2026-07-10-send-sandbox-gate.md`.
|
||||
- Added `scripts/package-send-sandbox-gate.ps1`.
|
||||
- Added `scripts/verify-send-sandbox-gate-package.ps1`.
|
||||
- Generated and locally verified `runs/send-sandbox-gate-package.zip`.
|
||||
- The package includes the read-only live probe recorder plus before/after recorder batch files, sandbox input template, SHA256 helper, expected-return checklist, and return-zip script.
|
||||
- This local slice does not pass the online evidence gate because the local machine cannot log in. It only prepares the exact package needed for an online/internal sandbox operator.
|
||||
- Decision: next node is R6d returned sandbox evidence intake after the package is run and returned. Production `isphere_send_message` and `isphere_send_file` remain blocked.
|
||||
|
||||
---
|
||||
|
||||
### R6d: Returned sandbox evidence intake
|
||||
|
||||
**Purpose:** Analyze the returned R6c online sandbox-send evidence package and decide whether production send implementation can start.
|
||||
|
||||
**Files:**
|
||||
- Create: `docs/source-discovery/2026-07-10-returned-send-sandbox-analysis.md`
|
||||
- Modify: this roadmap, `docs/current-status-card.md`, and `docs/source-discovery/capability-source-matrix.md`.
|
||||
|
||||
**Evidence to check:**
|
||||
- Completed `SANDBOX-SEND-INPUTS.json`.
|
||||
- Before recorder output.
|
||||
- After recorder output.
|
||||
- `success_ack_or_sent_record`.
|
||||
- Confirmation that no second send was made.
|
||||
|
||||
**Acceptance gate:**
|
||||
- If success/ack or sent-record evidence and duplicate-send prevention are proven, allow the later R6 production implementation node to start.
|
||||
- If any item is missing, keep production send blocked and request a corrected returned package.
|
||||
|
||||
**Stop condition:**
|
||||
- Do not infer success from screenshots or vague operator notes alone. Require the structured returned package fields and before/after recorder output.
|
||||
|
||||
---
|
||||
|
||||
### R6: Send-message preview and production path
|
||||
|
||||
**Purpose:** Implement production `isphere_send_message` after R6c proves success/ack behavior.
|
||||
**Purpose:** Implement production `isphere_send_message` after R6d analyzes returned sandbox evidence and proves success/ack behavior.
|
||||
|
||||
**Files:**
|
||||
- Create or modify: `internal/tools/isphere_send_message.go`
|
||||
|
||||
Reference in New Issue
Block a user