MECIPOL · EOSE-DEV · QE FLOOR
MECIPOL
CONTAINER COMPLIANCE · OSS CONTROL VALIDATION · ALL LAN SILOS CAN TEST HERE
γ₁ = 14.134725141734693 · 192.168.2.21 · MECIPOL harness · Day 97
WHAT MECIPOL IS
MECIPOL = Meek Container Image Policy + OSS License harness. Every fleet container gets tested here before cloud promotion.
Tests: image size budget · base image provenance · licence compatibility · security scan · ATZA zone assignment · SOSTLE level · GID registration.
eose-dev is the MECIPOL host because it is the meekest silo: if a container fits the CPU/RAM budget of a 32GB CPU-only host, it will fit on any larger silo. A container that needs a GPU cannot be validated here and gets the FLOOR-ONLY verdict instead.
All LAN silos (msi01 :18 · forge :12 · msclo :19 · yone :23 · pcdev :16 · lilo :??) can submit containers to eose-dev k3s NodePorts for compliance testing.
Test endpoints (k3s NodePorts): 192.168.2.21:30333 (Qdrant) · :30379 (Redis) · :30474 (Neo4j browser) · :30687 (Neo4j bolt). A NodePort listens on every node interface, so any host on the LAN reaches these services directly; confirm Redis and Neo4j require authentication before treating LAN reachability as a pass.
LAN SILOS — REACHABILITY STATUS
192.168.2.18 · msi01 · ● REACHABLE · Qdrant :30333 confirmed from msi01
192.168.2.12 · forge · ○ SSH DOWN · LAN reachable if portproxy active
192.168.2.19 · msclo · ● LAN reachable · bridged eth1
192.168.2.23 · yone · ● LAN reachable · SSH :2222 · PEMCLAU MCP :9342
192.168.2.16 · pcdev · ● LAN reachable · RTX 5090 32GB · joffe-math :9383-9385
192.168.2.21 · eose-dev · ● THIS MACHINE · Qdrant/Redis/Neo4j live · MECIPOL host
MECIPOL TEST DOMAINS (D1–D10)
Domain · Test · Tool · Status
D1 Image Size · Container < ATZA zone budget · docker inspect · DEFINED
D2 Base Image · Provenance chain traceable to ACR or trusted registry · skopeo inspect · DEFINED
D3 Licence · OSS licence compatible with fleet IP policy · syft (licence fields of the SBOM; grype reports CVEs, not licences) · PENDING
D4 Security Scan · No CRITICAL CVEs in base or dependencies · grype / trivy · PENDING
D5 ATZA Zone · Zone identity assigned: Z0-Z7 · ATZA registry · DEFINED
D6 SOSTLE Level · SOSTLE level L0-L5 assigned + wall validated · SOSTLE gate · DEFINED
D7 GID Registration · GID class assigned in kanidm registrar · kanidm API · LIVE · :kanidm
D8 Resource Budget · CPU/RAM requests match CATAN shape · kubectl describe · DEFINED
D9 Health Check · Liveness + readiness probes defined · kubectl get pod -o yaml (the plain table view does not show probes) · DEFINED
D10 Fleet Mesh · Container reachable from all LAN silos · curl + ping sweep · CONFIRMED msi01→eose-dev
MECIPOL WORKFLOW — SUBMIT TO TEST
FROM ANY LAN SILO
Qdrant test endpoint · 192.168.2.21:30333
Redis test endpoint · 192.168.2.21:30379
Neo4j browser · 192.168.2.21:30474
Neo4j bolt · 192.168.2.21:30687
kanidm registrar · docker · eose-dev LAN
MECIPOL VERDICT OUTPUT
PASS · All D1-D10 green → promote to AKS dev
WATCH · 1+ amber, no red → promote with raincheque
FAIL · Any red → block. Fix on eose-dev first.
FLOOR-ONLY · Container too heavy for QE floor (GPU or more RAM than eose-dev has) → needs GPU or cloud
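Added example of how the D1–D10 table and the verdict rules above fold into one result. This is not the fleet's mecipol-harness.py; it is a constructed harness that scores D1, D3, D4, D8 and D9 from the JSON shapes that `docker image inspect`, `syft -o json` and `grype -o json` emit plus the pod spec, and leaves out the domains that need live ATZA, SOSTLE, kanidm, registry or LAN access. The zone budget, the floor capacity (32 GiB, no GPU), the licence allow/watch lists and the "High CVE is amber" rule are assumptions, and every value in SAMPLE is invented.

```python
"""Constructed MECIPOL-style verdict harness (added example, not the fleet's
mecipol-harness.py). Scores D1, D3, D4, D8 and D9 from the JSON shapes of
`docker image inspect`, `syft -o json`, `grype -o json` and the pod spec, then
folds the colours into PASS / WATCH / FAIL / FLOOR-ONLY. D2, D5, D6, D7 and D10
need live registry, ATZA, SOSTLE, kanidm and LAN access and are not modelled."""
import re

GREEN, AMBER, RED, FLOOR = "green", "amber", "red", "floor"
RANK = {GREEN: 0, AMBER: 1, RED: 2, FLOOR: 3}
FLOOR_MEM_BYTES, FLOOR_GPUS = 32 * 2**30, 0  # assumed floor: the page's 32GB CPU-only box
# Assumed licence policy; the real fleet IP policy is not on the page.
LICENCE_ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
LICENCE_WATCH = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}  # amber: review before promotion
_MEM = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
        "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_mem(quantity: str) -> int:
    """Kubernetes memory quantity ('512Mi', '4G', '1073741824') to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i?)?", quantity.strip())
    if not m:
        raise ValueError(f"bad memory quantity: {quantity!r}")
    return int(float(m.group(1)) * _MEM.get(m.group(2) or "", 1))

def worst(statuses):
    """Red beats amber, floor-only beats everything; no findings is green."""
    return max(statuses, key=RANK.__getitem__, default=GREEN)

def d1_image_size(inspect_out, budget_bytes):
    size = inspect_out[0]["Size"]  # docker image inspect returns a one-element list
    return ("D1", GREEN if size <= budget_bytes else RED,
            f"{size / 2**20:.0f} MiB of {budget_bytes / 2**20:.0f} MiB zone budget")

def d3_licences(sbom):
    """syft JSON: artifacts[].licenses holds strings (older syft) or {'value': ...}
    objects (newer). Unlisted or missing licences are red, watchlisted ones amber."""
    statuses, flagged = [], []
    for art in sbom["artifacts"]:
        lics = [l["value"] if isinstance(l, dict) else l for l in art.get("licenses", [])] or ["NONE"]
        for lic in lics:
            if lic not in LICENCE_ALLOW:
                statuses.append(AMBER if lic in LICENCE_WATCH else RED)
                flagged.append(f"{art['name']}:{lic}")
    return ("D3", worst(statuses), ", ".join(flagged) or "all licences on allowlist")

def d4_cves(grype_out):
    """grype JSON: matches[].vulnerability.severity. Critical is red (the page's
    rule); High is amber (assumed) so it surfaces as WATCH instead of passing silently."""
    by_sev = {}
    for m in grype_out["matches"]:
        by_sev.setdefault(m["vulnerability"]["severity"].lower(), []).append(m["vulnerability"]["id"])
    if by_sev.get("critical"):
        return ("D4", RED, "CRITICAL: " + ", ".join(by_sev["critical"]))
    if by_sev.get("high"):
        return ("D4", AMBER, "High: " + ", ".join(by_sev["high"]))
    return ("D4", GREEN, "no Critical or High findings")

def d8_fits_floor(pod_spec):
    """Summed memory requests must fit the floor (a missing request counts as 0);
    a GPU request cannot be met here at all, so that is FLOOR-ONLY, not a plain fail."""
    mem = gpus = 0
    for c in pod_spec["containers"]:
        res = c.get("resources", {})
        mem += parse_mem(res.get("requests", {}).get("memory", "0"))
        gpus += int(res.get("limits", {}).get("nvidia.com/gpu", 0))  # extended resources sit in limits
    if gpus > FLOOR_GPUS or mem > FLOOR_MEM_BYTES:
        return ("D8", FLOOR, f"{mem / 2**30:.1f} GiB RAM and {gpus} GPU requested")
    return ("D8", GREEN, f"{mem / 2**30:.1f} GiB RAM requested, no GPU")

def d9_probes(pod_spec):
    missing = [c["name"] for c in pod_spec["containers"]
               if not (c.get("livenessProbe") and c.get("readinessProbe"))]
    return ("D9", RED if missing else GREEN,
            "probes missing on: " + ", ".join(missing) if missing else "liveness + readiness on every container")

def verdict(checks):
    return {GREEN: "PASS", AMBER: "WATCH", RED: "FAIL", FLOOR: "FLOOR-ONLY"}[worst(s for _, s, _ in checks)]

def run(submission, budget_bytes):
    """(verdict, list of (domain, colour, detail)) for one submission."""
    pod = submission["pod"]
    checks = [d1_image_size(submission["inspect"], budget_bytes), d3_licences(submission["sbom"]),
              d4_cves(submission["grype"]), d8_fits_floor(pod), d9_probes(pod)]
    return verdict(checks), checks

# Constructed submission: the tool JSON shapes are real, every value is invented.
SAMPLE = {
    "inspect": [{"Id": "sha256:constructed", "Size": 180 * 2**20}],
    "sbom": {"artifacts": [{"name": "libexample", "version": "1.0", "licenses": [{"value": "MIT"}]},
                           {"name": "libcopyleft", "version": "2.0", "licenses": ["LGPL-2.1-only"]}]},
    "grype": {"matches": [{"vulnerability": {"id": "CVE-TEST-0001", "severity": "High"},
                           "artifact": {"name": "libexample"}}]},
    "pod": {"containers": [{"name": "app", "image": "registry.example/app:1.0",
                            "resources": {"requests": {"cpu": "500m", "memory": "512Mi"}, "limits": {"memory": "1Gi"}},
                            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]},
}
```

`run(SAMPLE, 200 * 2**20)` gives WATCH (one watchlisted licence, one High CVE, nothing red); shrinking the budget to 100 MiB turns D1 red and the verdict into FAIL, and adding an `nvidia.com/gpu` limit makes D8 floor-only, which outranks red because a container that cannot be scheduled here has not really been tested here.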
UBUNTU OSS CONTROL — WHAT WE OWN HERE
THE SOVEREIGN UBUNTU LAYER
Ubuntu 22.04.5 LTS. Full control. No WSL limits, no Windows host, no OEM restrictions. Pure Linux.
We can test: kernel modules (nvidia modprobe) · systemd units · iptables/nftables rules · cgroup v2 limits · seccomp profiles · AppArmor policies.
We can build: custom base images · stripped distroless layers · Dockerfile linting · multi-arch (amd64 native) · SBOM generation.
We can validate: k3s CNI behaviour · NetworkPolicy enforcement · RBAC via kanidm · volume mount permissions · env injection patterns.
Nothing on eose-dev is a black box. We own the OS. We own the kernel. We own the container runtime. We own the identity layer. This is the cleanest test surface in the fleet.
NEXT BUILD — V134 MECIPOL HARNESS
PHASE 1 — SHIP
GPU activate · sudo modprobe nvidia (local terminal)
OpenClaw update · 2026.3.13 → 2026.4.15
Ollama upgrade · qwen2.5:14b + qwen3:8b
Docker prune · 12.89GB reclaim running
PHASE 2 — HARNESS
mecipol-harness.py · D1-D10 checks automated
k3s MECIPOL namespace · dedicated test namespace
LAN sweep script · all silos → eose-dev :30333
Verdict webhook · POST result to msi01 pemos-portal
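Added example for the LAN sweep script item above and the D10 Fleet Mesh test: a constructed sweep, run from a silo against eose-dev, that probes all four NodePorts in parallel with a bounded timeout and renders a reachability line in the page's own format. It is not the fleet's sweep script. The Redis AUTH probe at the end is the check a practitioner adds once a datastore NodePort is open to the whole LAN; it is a check, not a finding about the fleet. Port names and the `probe` injection point are assumptions.

```python
"""Constructed D10 sweep (added example, not the fleet's sweep script). Probes
each eose-dev NodePort concurrently with a bounded timeout, renders the page's
reachability line, and separately asks the LAN-exposed Redis NodePort whether
it demands AUTH. `probe` is injectable so the logic runs without network access."""
import socket
from concurrent.futures import ThreadPoolExecutor

EOSE_DEV = "192.168.2.21"  # from the page
NODEPORTS = {"Qdrant": 30333, "Redis": 30379, "Neo4j browser": 30474, "Neo4j bolt": 30687}
TIMEOUT_S = 2.0

def tcp_probe(host, port, timeout=TIMEOUT_S):
    """True if a TCP connect completes: proves L4 reachability only, not that
    the service is healthy or that it authenticates callers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def sweep(host=EOSE_DEV, ports=NODEPORTS, probe=tcp_probe):
    """{name: reachable} for every NodePort, probed concurrently so one hung
    port cannot stretch the sweep past a single timeout."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        hits = pool.map(lambda p: probe(host, p), ports.values())
        return dict(zip(ports, hits))

def d10_status(results):
    """CONFIRMED when every port answers, PARTIAL when some do, UNREACHABLE otherwise."""
    n = sum(results.values())
    return "CONFIRMED" if n == len(results) else "PARTIAL" if n else "UNREACHABLE"

def status_line(silo, results, ports=NODEPORTS):
    """One line in the page's reachability format, e.g. '● msi01→eose-dev · CONFIRMED · ...'."""
    state = d10_status(results)
    up = [f"{n} :{ports[n]}" for n, ok in results.items() if ok]
    down = [f"{n} :{ports[n]}" for n, ok in results.items() if not ok]
    mark = "●" if state == "CONFIRMED" else "○"
    return f"{mark} {silo}→eose-dev · {state} · up: {', '.join(up) or 'none'} · down: {', '.join(down) or 'none'}"

def classify_redis_reply(reply: bytes) -> str:
    """Redis answers an unauthenticated PING with +PONG when no password is set,
    -NOAUTH when requirepass/ACLs are on, and -DENIED in protected mode."""
    if reply.startswith(b"+PONG"):
        return "open"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"
    if reply.startswith(b"-DENIED"):
        return "protected-mode"
    return "unknown"

def check_redis_auth(host=EOSE_DEV, port=NODEPORTS["Redis"], timeout=TIMEOUT_S):
    """Sends a bare PING over the LAN NodePort; 'open' means any silo can issue
    commands without credentials, which D10 on its own would report as a pass."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\r\n")
            return classify_redis_reply(s.recv(64))
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    print(status_line("msi01", sweep()))
    print("Redis NodePort:", check_redis_auth())
```

Run it from each silo; the line it prints is what the reachability board above records, and a Redis result of `open` is worth fixing before the PASS verdict lets the container through.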
PHASE 3 — INTEGRATE
pemos.ca/mecipol · live dashboard
CLO moat update · MECIPOL as moat layer
Bounty integration · test bounty container submissions here
LHVCP pipeline · eose-dev → yone → AKS