Record BTE provider gateway refresh proof

docs/goal-runs/bte-product-ready-provider-gateway-refresh/svrnty-vision-work-007-provider-gateway-refresh.json

@@ -0,0 +1,64 @@
+{
+  "schema": "svrnty-vision.bte-product-ready-provider-gateway-refresh-proof.v1",
+  "timestamp": "2026-06-19T20:08:14Z",
+  "work_item_id": "SVRNTY-VISION-WORK-007",
+  "route": "svrnty-vision",
+  "goal": "Provide bounded provider-gateway health proof for the BTE Product Ready live-effect chain without claiming readiness.",
+  "approval": {
+    "name": "BTE Product Ready provider gateway proof refresh",
+    "expired": true,
+    "expiry_reason": "first_failed_blocked_effect:bte_provider_call_timeout"
+  },
+  "precondition": {
+    "bte_expected_url": "http://localhost:8092/healthz",
+    "initial_host_health_status": "connection_refused"
+  },
+  "gateway_refresh": {
+    "image": "cortex-os/vision:seed",
+    "host_port_container": {
+      "name": "svrnty-vision-bte-proof",
+      "container_id_prefix": "b25509d4d640",
+      "mapping": "0.0.0.0:8092->8094/tcp",
+      "healthz": {
+        "url": "http://localhost:8092/healthz",
+        "http_status": 200,
+        "body_status": "ok",
+        "version": "0.1.0"
+      }
+    },
+    "bte_network_namespace_container": {
+      "name": "svrnty-vision-bte-net-proof",
+      "container_id_prefix": "a9a916ad2f5c",
+      "network": "container:bte-rest-mcp-readiness-api",
+      "env_override": "SVRNTY_VISION_PORT=8092",
+      "healthz_from_bte_runtime_namespace": {
+        "url": "http://localhost:8092/healthz",
+        "http_status": 200,
+        "body_status": "ok",
+        "version": "0.1.0"
+      }
+    }
+  },
+  "downstream_bte_recheck": {
+    "readyz": {
+      "url": "http://localhost:6001/readyz",
+      "http_status": 200,
+      "body_status": "Healthy"
+    },
+    "provider_call_result_ref": "../bte/docs/goal-runs/bte-product-ready-provider-gateway-refresh/bte-work-019-provider-gateway-refresh-and-provider-call.json"
+  },
+  "route_validator": {
+    "command": "python3 tools/validate_svrnty_vision_child.py",
+    "status": "pass"
+  },
+  "tool_effects": {
+    "gateway_runtime_started": true,
+    "provider_call_from_this_route": false,
+    "profile_exposure_changed": false,
+    "mcp_registered": false,
+    "archive_delete_performed": false,
+    "raw_payload_storage_created": false,
+    "product_ready_claim_made": false
+  },
+  "status": "gateway_health_proven_provider_call_blocked_downstream"
+}

docs/goal-runs/bte-product-ready-provider-gateway-refresh/svrnty-vision-work-007-provider-gateway-refresh.md

@@ -0,0 +1,24 @@
+# SVRNTY-VISION-WORK-007 Provider Gateway Refresh
+
+Status: gateway health proven; downstream BTE provider call blocked.
+
+Approval: `BTE Product Ready provider gateway proof refresh`. The approval expired after the first failed blocked effect: the bounded BTE provider call timed out at the local VLM backend.
+
+Proof:
+
+- `svrnty-vision-bte-proof` started from `cortex-os/vision:seed` and mapped host `8092` to container `8094`.
+- `GET http://localhost:8092/healthz`: HTTP `200`, status `ok`, version `0.1.0`.
+- `svrnty-vision-bte-net-proof` started from `cortex-os/vision:seed` in the BTE runtime network namespace with `SVRNTY_VISION_PORT=8092`.
+- From `bte-rest-mcp-readiness-api`, `GET http://localhost:8092/healthz`: HTTP `200`, status `ok`, version `0.1.0`.
+- BTE `GET http://localhost:6001/readyz`: HTTP `200`, status `Healthy`.
+
+Boundary:
+
+- No credentials or secrets were read or recorded.
+- No Profile Exposure, MCP registration, archive/delete, raw payload storage, release claim, or Product Ready claim happened.
+- This route did not call the VLM provider directly. The downstream bounded BTE provider-call result is recorded in BTE proof `bte-work-019`.
+
+Validator:
+
+- `python3 tools/validate_svrnty_vision_child.py`: PASS.
+- `python3 tools/validate_svrnty_vision_bte_provider_gateway_refresh.py`: PASS.

tools/validate_svrnty_vision_bte_provider_gateway_refresh.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+"""Validate the Svrnty Vision BTE provider-gateway refresh proof."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+PROOF = ROOT / "docs/goal-runs/bte-product-ready-provider-gateway-refresh/svrnty-vision-work-007-provider-gateway-refresh.json"
+MD = ROOT / "docs/goal-runs/bte-product-ready-provider-gateway-refresh/svrnty-vision-work-007-provider-gateway-refresh.md"
+
+
+def require(condition: bool, errors: list[str], message: str) -> None:
+    if not condition:
+        errors.append(message)
+
+
+def main() -> int:
+    errors: list[str] = []
+    proof = json.loads(PROOF.read_text(encoding="utf-8"))
+    md = MD.read_text(encoding="utf-8")
+
+    require(proof.get("schema") == "svrnty-vision.bte-product-ready-provider-gateway-refresh-proof.v1", errors, "schema")
+    require(proof.get("work_item_id") == "SVRNTY-VISION-WORK-007", errors, "work_item_id")
+    require(proof.get("route") == "svrnty-vision", errors, "route")
+    require(proof.get("approval", {}).get("expired") is True, errors, "approval_expired")
+
+    refresh = proof.get("gateway_refresh", {})
+    host = refresh.get("host_port_container", {}).get("healthz", {})
+    bte_ns = refresh.get("bte_network_namespace_container", {}).get("healthz_from_bte_runtime_namespace", {})
+    require(host.get("http_status") == 200 and host.get("body_status") == "ok", errors, "host_healthz")
+    require(bte_ns.get("http_status") == 200 and bte_ns.get("body_status") == "ok", errors, "bte_namespace_healthz")
+
+    readyz = proof.get("downstream_bte_recheck", {}).get("readyz", {})
+    require(readyz.get("http_status") == 200 and readyz.get("body_status") == "Healthy", errors, "bte_readyz")
+
+    effects = proof.get("tool_effects", {})
+    require(effects.get("gateway_runtime_started") is True, errors, "gateway_runtime_started")
+    for key in (
+        "provider_call_from_this_route",
+        "profile_exposure_changed",
+        "mcp_registered",
+        "archive_delete_performed",
+        "raw_payload_storage_created",
+        "product_ready_claim_made",
+    ):
+        require(effects.get(key) is False, errors, f"forbidden_effect:{key}")
+
+    for snippet in (
+        "No credentials or secrets",
+        "No Profile Exposure",
+        "raw payload storage",
+        "Product Ready claim",
+        "bte-work-019",
+    ):
+        require(snippet in md, errors, f"md_missing:{snippet}")
+
+    result = {
+        "ok": not errors,
+        "validator": "svrnty-vision-bte-provider-gateway-refresh-v1",
+        "checked": [str(PROOF.relative_to(ROOT)), str(MD.relative_to(ROOT))],
+        "errors": errors,
+    }
+    print(json.dumps(result, indent=2))
+    return 0 if not errors else 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())