HL7BOXY CONTAINER POLICY V13 · SOVEREIGN COI FLOOR
IF YOUR CONTAINER HAS LAYERS
WE HAVE A SEGMENT FOR EACH
CONTAINER AS HL7 MESSAGE · 6 SEGMENTS · COI MINIMUM PATH · ADMIT OR DENY
γ₁ = 14.134725141734693 · KCF EA-64..73 + EB-8 · Day 97
THE HL7BOXY CONTAINER DOCTRINE
A container is a message. Every layer is a segment. The sovereign COI floor is the minimum set of segments that must be present for fleet admission.
MSH (image) + PID (identity) + DG1 (verdict) = minimum required. Everything else raises the floor.
Missing any required segment = DENY. Missing an optional segment = ADMIT-WITH-WATCH + raincheque. Missing every required segment = STUB.
The COI minimum path is not a checklist. It is a proof. Each segment is evidence. The verdict is the conclusion.
CONTAINER AS HL7 MESSAGE — 6 SEGMENTS
| SEGMENT | EVIDENCE IN THE SEGMENT | LAYER | REQUIRED | KCF CONTROLS | GATE |
|---|---|---|---|---|---|
| MSH · IMAGE HEADER | Registry URL · image tag · SHA256 digest · cosign signature · provenance attestation · base image lineage | Image | REQUIRED | EB-8 · EA-65 · EA-69 | Gate 1 Trivy · Gate 4 Kyverno |
| PID · WORKLOAD IDENTITY | GID class · SOSTLE level · kanidm binding · Kubernetes service account · namespace · workload identity labels (gid=, silo=, day=) | Identity | REQUIRED | EA-64 · EA-70 · EA-66 | Gate 2 Gatekeeper · Gate 5 MEROSTONE |
| OBX · RUNTIME OBSERVATIONS | CPU/RAM requests + limits set · seccomp profile (runtime/default minimum) · capabilities dropped (ALL) · read-only root filesystem · no privilege escalation | Runtime | REQUIRED | EA-67 · EA-68 · EA-72 | Gate 2 Gatekeeper · Gate 3 Falco |
| AL1 · NETWORK ALLERGIES | NetworkPolicy exists for namespace · egress rules defined · DNS allowlist specified · no open 0.0.0.0/0 egress · service mesh labels if Istio | Network | OPTIONAL+ | EA-71 · EA-73 · EC-9 | Gate 2 Gatekeeper · Gate 3 Falco |
| IN1 · SIGNED LINEAGE | CI pipeline provenance · cosign signature valid · ACR attestation present · SBOM attached · build timestamp · git commit SHA in labels | Lineage | OPTIONAL+ | EA-65 · EB-8 · EA-69 | Gate 4 Kyverno · Gate 5 MEROSTONE |
| DG1 · POLICY VERDICT | Gate 1-6 results compiled · KCF controls fired + scored · LOCO score · MECIPOL D1-D10 results · final verdict: ADMIT / DENY / ADMIT-WITH-WATCH / STUB | Verdict | REQUIRED | ALL 82 KCF | Gate 6 MECIPOL · Gate 5 MEROSTONE |
γ₁ STRATUM CHAIN — EVALUATION ORDER
S1 IMAGE (MSH · Trivy · digest) → S2 IDENTITY (PID · GID · kanidm) → S3 RUNTIME (OBX · limits · seccomp) → S4 NETWORK (AL1 · netpol · egress) → S5 LINEAGE (IN1 · cosign · SBOM) → S6 VERDICT (DG1 · KCF 82 · MECIPOL)
VERDICT OUTPUTS
ADMIT
All 3 required segments present. All 6 gates passed. Container ∈ SOVEREIGN_FLEET. Promote to next environment.
DENY
Required segment missing OR gate FAIL. Container blocked at admission. Must fix before resubmit. DCJ record filed.
ADMIT-WITH-WATCH
Required segments present but optional segments incomplete. Admitted with raincheque. WATCH logged. CLO notified.
STUB
None of the required segments present (no image, no identity, so no verdict can be compiled). Container exists as concept only. Not fleet-ready. Return to build phase.
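A worked evaluator for the six-segment table, the γ₁ stratum chain and the verdict outputs above, as an added example that is not part of this policy or of any HL7BOXY tooling. It takes a Pod manifest and the namespace's NetworkPolicies as Python dicts (the shape a JSON object listing yields), walks S1 to S5 in stratum order and compiles DG1. Assumptions, all constructed for the example: the registry host, the `hl7boxy.example/...` annotation keys that carry IN1 evidence, the sample manifests and policies; OBX is treated as a required gate as the table marks it, so an OBX failure is a DENY; STUB follows the doctrine line (every required segment missing, i.e. neither MSH nor PID present); kanidm binding, SOSTLE level, Trivy scanning, cosign signature verification and the DNS allowlist happen out of band and are not checked here.

```python
import re

# MSH: image pinned by sha256 digest, first path component is the registry host.
IMAGE_RE = re.compile(r"^(?P<registry>[^/]+)/(?P<repo>[^@\s]+)@sha256:[0-9a-f]{64}$")
IDENTITY_LABELS = ("gid", "silo", "day")
# Assumed annotation keys carrying IN1 lineage evidence (the policy names the evidence, not the keys).
LINEAGE_KEYS = ("hl7boxy.example/cosign-verified", "hl7boxy.example/sbom-ref", "hl7boxy.example/git-sha")
PINNED_IMAGE = "registry.example.internal/payments/api:1.4.2@sha256:" + "0123456789abcdef" * 4
# Constructed NetworkPolicy list for the namespace; egress limited to one private range on 443.
NETPOLS = [{"metadata": {"namespace": "payments", "name": "api-egress"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}], "ports": [{"port": 443}]}]}}]


def build_pod(image, labels=None, service_account="payments-api", hardened=True, lineage=True):
    """Constructed Pod manifest (dict form) used as sample input; the flags knock out segments."""
    sc = {"seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"drop": ["ALL"]},
          "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False} if hardened else {}
    res = {"requests": {"cpu": "250m", "memory": "256Mi"},
           "limits": {"cpu": "500m", "memory": "512Mi"}} if hardened else {}
    ann = dict(zip(LINEAGE_KEYS, ("true", "oci://registry.example.internal/payments/api.sbom",
                                  "9f2c1ab4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9b0"))) if lineage else {}
    return {"metadata": {"namespace": "payments", "annotations": ann,
                         "labels": {"gid": "G7", "silo": "pay", "day": "97"} if labels is None else labels},
            "spec": {"serviceAccountName": service_account,
                     "containers": [{"name": "api", "image": image, "resources": res, "securityContext": sc}]}}


def check_msh(pod):
    """S1 MSH: every container image is digest-pinned and names a registry host."""
    notes = []
    for c in pod["spec"].get("containers", []):
        m = IMAGE_RE.match(c.get("image", ""))
        if not m:
            notes.append(f"{c['name']}: image not pinned to a sha256 digest")
        elif "." not in m["registry"] and ":" not in m["registry"]:
            notes.append(f"{c['name']}: no registry host in image reference")
    return not notes, notes


def check_pid(pod):
    """S2 PID: namespace, non-default service account, gid=/silo=/day= labels."""
    meta, notes = pod["metadata"], []
    if not meta.get("namespace"):
        notes.append("no namespace")
    if pod["spec"].get("serviceAccountName", "default") == "default":
        notes.append("workload runs as the default service account")
    notes += [f"missing identity label {k}=" for k in IDENTITY_LABELS if not meta.get("labels", {}).get(k)]
    return not notes, notes


def check_obx(pod):
    """S3 OBX: requests+limits, seccomp >= RuntimeDefault, drop ALL, read-only root, no privesc."""
    pod_sc, notes = pod["spec"].get("securityContext", {}), []
    for c in pod["spec"].get("containers", []):
        res, sc = c.get("resources", {}), c.get("securityContext", {})
        notes += [f"{c['name']}: {k}.{r} unset" for k in ("requests", "limits")
                  for r in ("cpu", "memory") if r not in res.get(k, {})]
        # seccomp may be inherited from the pod securityContext; a container-level profile wins.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            notes.append(f"{c['name']}: seccomp profile below runtime/default")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            notes.append(f"{c['name']}: capabilities not dropped (ALL)")
        if sc.get("readOnlyRootFilesystem") is not True:
            notes.append(f"{c['name']}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation") is not False:
            notes.append(f"{c['name']}: allowPrivilegeEscalation not false")
    return not notes, notes


def check_al1(pod, netpols):
    """S4 AL1: an Egress NetworkPolicy in the namespace with no 0.0.0.0/0 or destination-less rule."""
    ns = pod["metadata"].get("namespace")
    egress_pols = [np for np in netpols if np["metadata"].get("namespace") == ns
                   and "Egress" in np["spec"].get("policyTypes", [])]
    if not egress_pols:
        return False, [f"no Egress NetworkPolicy in namespace {ns}"]
    notes = []
    for np in egress_pols:
        for rule in np["spec"].get("egress", []):
            if "to" not in rule:  # an egress rule without 'to' permits every destination
                notes.append(f"{np['metadata']['name']}: egress rule without 'to' allows all destinations")
            for peer in rule.get("to", []):
                if peer.get("ipBlock", {}).get("cidr") in ("0.0.0.0/0", "::/0"):
                    notes.append(f"{np['metadata']['name']}: open egress to {peer['ipBlock']['cidr']}")
    return not notes, notes


def check_in1(pod):
    """S5 IN1: signature, SBOM and git commit evidence carried as annotations (assumed keys)."""
    ann = pod["metadata"].get("annotations", {})
    notes = [f"lineage evidence missing: {k}" for k in LINEAGE_KEYS if not ann.get(k)]
    return not notes, notes


def evaluate(pod, netpols):
    """S6 DG1: walk S1..S5 in stratum order and compile the verdict."""
    results = {"MSH": check_msh(pod), "PID": check_pid(pod), "OBX": check_obx(pod),
               "AL1": check_al1(pod, netpols), "IN1": check_in1(pod)}
    ok = {seg: passed for seg, (passed, _) in results.items()}
    if not ok["MSH"] and not ok["PID"]:
        verdict = "STUB"                      # every required segment missing: concept only
    elif not (ok["MSH"] and ok["PID"] and ok["OBX"]):
        verdict = "DENY"                      # required segment missing or gate FAIL
    elif not (ok["AL1"] and ok["IN1"]):
        verdict = "ADMIT-WITH-WATCH"          # optional segment incomplete: raincheque
    else:
        verdict = "ADMIT"
    findings = [f"{seg}: {n}" for seg, (_, notes) in results.items() for n in notes]
    return {"segments": ok, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print("admit", evaluate(build_pod(PINNED_IMAGE), NETPOLS))
    print("deny ", evaluate(build_pod("nginx:latest"), NETPOLS)["findings"])
```

Two details worth keeping in any real Gatekeeper or Kyverno rendering of AL1: a NetworkPolicy that lists `Egress` in `policyTypes` but carries an egress rule with no `to` (or an empty `{}` rule) allows every destination, which is the same exposure as an explicit `0.0.0.0/0` block, and a seccomp profile set only on the pod `securityContext` still counts for each container unless a container overrides it, so the check has to look at both levels before reporting a miss.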
COI MINIMUM PATH — THE SOVEREIGN FLOOR
MINIMUM REQUIRED (3 segments)
MSH · Image: digest + registry confirmed
PID · Identity: GID assigned + SOSTLE set
DG1 · Verdict: all 6 gates evaluated
COI path: MSH → PID → DG1
FULL SOVEREIGN (6 segments)
MSH + PID + OBX: image + identity + runtime
AL1 + IN1: network + lineage
DG1: verdict · ADMIT
COI path: MSH → PID → OBX → AL1 → IN1 → DG1
BONIXER / BOABIXER / CATOMAINS WEAVE
HOW THE SEGMENTS WEAVE INTO THE FLEET STACK
MSH verdict → bonixer IMAGE stratum score
PID verdict → boabixer ZONE assignment (ATZA Z0-Z7)
OBX verdict → CATAN shape (CPU/RAM tier)
AL1 verdict → SOSTLE wall level (L0-L5)
IN1 verdict → catomains provenance entry
DG1 verdict → bonixer final ADMIT/DENY/WATCH