VSL/MSL coordination: M1→M3 trackers, kickoffs, memory (incl. M3 storage seam + notional-DBIA)

memory/MEMORY.md

@@ -8,6 +8,8 @@ its own session). See the org + per-repo `CLAUDE.md` for the coordination rules.
 
 - [Increment protocol](increment-protocol.md) — ORG RULE (`~/vista-cloud-dev/CLAUDE.md`): every verified increment auto-persists to memory + updates the tracker + commits/pushes to the working branch, across all repos. **Driver-effort exceptions** (m-driver-sdk/m-iris/m-ydb) carved in that file + per-repo CLAUDE.md + [[coordination-model]].
 
+- [Notional DBIA — never a blocker](notional-dbia-not-a-blocker.md) — HARD DIRECTIVE (user, 2026-06-16): the VistA DBIA/ICR registry is **notional** — a manually human-curated FORUM list, NOT in code, NOT in a FileMan DD, NOT enforced programmatically. `check-icr` requires a documented **Supported** API + **no-direct-global**, but **never** a numeric ICR; missing numbers (esp. the **FileMan DBS API** `GETS^DIQ`/`$$GET1^DIQ`/`UPDATE^DIE`/`FILE^DIE`/`$$FIND1^DIC`, none in the gold corpus) are **NOT** a blocker and emit **no warning** — use a notional `@icr DBS` marker + real `@status/@source`. Amended plan §5.4; coded into v-stdlib `gen-icr.py` at M3. Don't re-raise.
+
 - [Engine access through the driver stack](engine-access-through-driver-stack.md) — HARD RULE: reach the VistA/M engines (`vehu`, `foia*`, test engines) ONLY through `m-driver-sdk` → `m-ydb`/`m-iris` via the `m` toolchain (`m test --docker`, `m vista exec`, `mdriver.Client`) — NEVER raw `docker exec … mumps`/`iris session`. Exercises the designated VSL-MSL stack at all times. **Enforced**: `PreToolUse` hook `engine-stack-guard.sh` (deny + `stack-exempt` escape) + `make check-engine-access` CI gate + org `CLAUDE.md` §waterline engine-access rule.
 
 - [CI gate hardening + waterline audit](ci-gate-hardening-waterline-audit.md) — 2026-06-14 org-wide CI audit: hardened reusable `go-ci.yml` (govulncheck/vet/gofmt, propagates to 12 repos) + wired arch gate to m-parse & m-dev-tools-mcp (added layer-m meta). Waterline validated CLEAN; latent gaps = G2–G5 unbuilt, SDK pin drift, m-stdlib stale meta org. 3 branches pushed, unmerged.

memory/notional-dbia-not-a-blocker.md

@@ -0,0 +1,50 @@
+---
+name: notional-dbia-not-a-blocker
+description: HARD DIRECTIVE (user, 2026-06-16) — the VistA DBIA/ICR registry is NOTIONAL — a manually human-curated FORUM list, NOT in code, NOT in a FileMan DD, NOT enforced programmatically. The check-icr gate must require a documented Supported API + no-direct-global, but NEVER require a numeric ICR; missing ICR numbers (esp. FileMan DBS) are NOT a blocker and emit NO warning. Don't re-raise it.
+metadata:
+  type: feedback
+---
+
+# The DBIA/ICR number is notional — never a blocker
+
+**User directive (2026-06-16, emphatic):** the VistA DBIA / ICR (Integration
+Control Registration) registry is **notional**. It is a **manually
+human-curated list that lives only in FORUM** — it is **not in the routine
+code, not in a FileMan data dictionary on the running system, and not enforced
+programmatically anywhere**. So an ICR *number* must **never** be treated as a
+hard requirement or a blocker, and the absence of one must **not** produce a
+warning.
+
+**Why:** the integration-agreement number is paperwork (a notional governance
+list), not a machine-checkable fact. The load-bearing, machine-checkable
+invariants are the ones that actually protect the system: (a) the L4 call is a
+**documented `Supported` public API**, and (b) **no direct global access**
+(every read/write/delete goes through the documented DBS/API call, never a raw
+`SET`/`KILL`/`$ORDER` on a VistA file global). Those stay gated. The *number*
+is optional enrichment.
+
+**How to apply (the `check-icr` gate — `tools/gen-icr.py` in v-stdlib, and the
+§5.4 design in [[msl-vsl-coordination-plan]]):**
+- A `@icr` declaration may carry a **notional marker** instead of a number
+  (`@icr DBS` or `@icr notional`) together with a real
+  `@status Supported @custodian <pkg> @source <doc_key>#<anchor>`. The gate
+  accepts it as **declared** and emits **no warning** about the missing number.
+- Keep red-gating: an **undeclared** L4 call, a `Private`/retired status, or
+  **direct global access** to a VistA file. Those are the real violations.
+- Pin a real number only if/when someone sources it from the live FileMan #9.8
+  FORUM registry — never block, warn, or churn waiting for one.
+
+**Concrete trigger that prompted this (do NOT re-open):** the **FileMan DBS
+API** — `GETS^DIQ` · `$$GET1^DIQ` · `UPDATE^DIE` · `FILE^DIE` · `$$FIND1^DIC`
+(the S1 storage / S3 audit seams, custodian `DI`) — is the public DBS
+programmer API documented in the FileMan Developer's Guide (`DI/fm22_2dg`), but
+the vdocs gold corpus carries **no ICR number** for any of them (whole-corpus
+scan confirmed). That is expected and fine: they are notionally Supported.
+`VSLFS` (M3) and `VSLLOG` (M4) declare them with a notional marker; this is
+**not** a gap, a risk, or a follow-up. (Related: the FileMan **record-delete**
+path is an FDA `.01="@"` via `FILE^DIE`/`UPDATE^DIE` — there is no `DELETE^DIE`,
+and `^DIK`/direct KILL are forbidden — see [[m3-vslfs]] when it lands.)
+
+§5.4 of the coordination plan was amended with this resolution. Encoded in code
+in v-stdlib's `gen-icr.py` at M3. See also [[engine-access-through-driver-stack]]
+(the sibling "real invariant, not paperwork" enforcement posture).

prompts/m2-lane-b-vslio-kickoff.md

@@ -0,0 +1,180 @@
+---
+title: "VSL/MSL M2 Lane B — the VSLIO adapter (bind STDNET to ^%ZIS / CALL^%ZISTCP)"
+status: ready
+created: 2026-06-16
+doc_type: [PROMPT]
+for: a fresh implementation session (cwd v-stdlib; reads m-stdlib, edits neither m-stdlib nor vpng)
+plan: docs/vsl-msl/vsl-implementation-plan.md
+tracker: docs/vsl-msl/vsl-implementation-tracker.md
+supersedes_for_lane_b: docs/prompts/m2-vslio-kickoff.md
+---
+
+# VSL/MSL M2 Lane B — the `VSLIO` socket/TLS adapter
+
+**Lane A is DONE and `v0.8.0` is tagged**, so the leaf-first sequencing is
+satisfied and the immediate next step is **Lane B**: the `VSLIO` adapter in
+**v-stdlib** that binds the new `STDNET` socket seam to VistA's device handler.
+
+This prompt is the active, focused Lane B kickoff. The full M2 design context
+(the R1 TLS rationale, the engine-divergence map, the tiered acceptance) lives in
+[`m2-vslio-kickoff.md`](m2-vslio-kickoff.md) — read it for depth; its **Lane A is
+already complete**, so start from this file.
+
+## Where we are (snapshot, 2026-06-16)
+
+- **M1 COMPLETE** (the `STDENV→VSLCFG→VPNG` vertical, byte-identical both engines).
+- **M2 Lane A DONE — MSL `v0.8.0` tagged** (`d51084b`, pushed; `v0.8.0:dist/
+  seam-snapshot.json` carries `seams.STDNET`). `STDNET` (m-stdlib) is the portable
+  raw-TCP socket seam over each engine's native SOCKET device: **6 `@seam` verbs**
+  `listen`/`accept`/`connect`/`read`/`write`/`close` (+ `available`/`boundport`/
+  `lastError`). YottaDB loopback echo GREEN 9/9 on m-test-engine; IRIS deferred
+  (`$$available^STDNET()`=0, soft-skip).
+- **STDNET has LOUD TLS guards** (branch `stdnet-tls-gap`, pushed, unmerged):
+  `$$tlsAvailable^STDNET()`=0; `$$listenTls`/`$$connectTls` **raise
+  `,U-STDNET-NOTLS,`** (never silent plaintext); `$$tlsHelp`/`$$lastError` carry
+  the engine-TLS remediation. **TLS is a gating backlog item**
+  (m-stdlib `docs/tracking/discoveries.md`, 2026-06-16, P1 open GATING).
+- **v-stdlib pins `msl_ref: v0.7.0`** today; this session re-pins to `v0.8.0`.
+- **TLS infra is absent on both engines** (researched, gold-corpus): `DEFAULT TLS
+  SERVER CONFIG` is Kernel `XU*8.0*787` (IRIS-only, value = an IRIS
+  `Security.SSLConfigs` name); `vehu` is GT.M (no `$gtmtls`), `foia-t12` is IRIS
+  2026.1 without `XU*8.0*787`. A **param-def-only stand-in** (`DEFAULT TLS SERVER
+  CONFIG` #8989.51, install name `ZTLSCFG*1.0*1`) **is provisioned on BOTH
+  engines** (docs repo `vsl-msl/testinfra/`, settable via XPAR) — config-read is
+  testable, but there is **no cert / no working TLS socket**.
+- Both engines up: `vehu` (YDB), `foia-t12` (IRIS), reached over the driver stack only.
+
+## Decisions already made (do not re-litigate)
+
+1. **`VSLIO` lives in v-stdlib** — a `VSL*` module beside `VSLCFG`, layer `v`.
+   **Not** a new repo. This is a v-stdlib session: **one repo, one branch** (e.g.
+   `m2-vslio`). It READS m-stdlib (stage `STDNET` + `STDASSERT` via `--routines`,
+   re-pin the seam) but EDITS NEITHER m-stdlib nor vpng.
+2. **Seam invariant (waterline):** `VSLIO` exposes the **same public signature as
+   `STDNET`** and contains **only** the VistA binding — `^%ZIS` open,
+   `CALL^%ZISTCP` outbound, `OPEN/USE/CLOSE^%ZISUTL` handles, named TLS config.
+   Any framing/buffering/timeout logic stays in `STDNET` and is *called* up
+   (`needs MSL: …` → add to STDNET, re-tag, re-pin — never a private copy). The
+   no-duplication lint (§9) enforces this.
+3. **Tiered acceptance, lightest first** (§12.2 + the M2 prompt):
+   - **Tier 1** — outbound `CALL^%ZISTCP` to a reachable `host:port` returns
+     **`POP=0`** (the cheapest real 0/1).
+   - **Tier 2** — **plain-TCP loopback echo** of one byte via `^%ZIS`.
+   - **Tier 3** — the same over a **named TLS config** — **blocked-on-infra from
+     the start** (no cert / `XU*8.0*787`). Record it blocked; **do NOT fake TLS.**
+     `STDNET`'s `$$tlsAvailable`=0 + the `ZTLSCFG` param-def stand-in are the
+     markers; tier-3 is the gating cleanup the backlog already tracks.
+4. **DBIA + citation gates apply** (unlike VPNG): every L4 call site carries
+   `; doc: @icr … @status Supported @source …` so `check-icr` + `check-citations`
+   go green with real content. `CALL^%ZISTCP` is **ICR #2118** (Supported, XU,
+   `XU/krn_8_0_dg_device_handler_ug#CALL^%ZISTCP`); the `^%ZIS`/`^%ZISUTL`/TLS-read
+   ICRs are a build-time deliverable — **ground each from the vdocs gold corpus
+   with the `corpus-researcher` agent**, do not trust the plan's prose (T1.2 found
+   the plan's XPAR citation wrong → actually Kernel #2263).
+5. **No KIDS/packaging work** — adding `VSLIO` to a KIDS base + env-check is the
+   `VSLBLD` job at **M5**. M2's acceptance is the adapter **green dual-engine over
+   the driver**.
+
+## Resume prompt
+
+```
+Start VSL/MSL M2 Lane B — the VSLIO adapter in v-stdlib. Bind the STDNET socket
+seam (MSL v0.8.0) to VistA's device handler: ^%ZIS open / CALL^%ZISTCP outbound /
+OPEN-USE-CLOSE^%ZISUTL handles / named TLS config. Prove, in tiers, GREEN on BOTH
+engines (vehu YDB, foia-t12 IRIS) over the driver stack: (1) CALL^%ZISTCP -> POP=0;
+(2) plain-TCP loopback echo of one byte via ^%ZIS; (3) the same over a named TLS
+config (BLOCKED-on-infra — record, do not fake). Single-engine first; dual-engine
+is the exit criterion for tiers 1-2.
+
+ONE SESSION <-> ONE REPO (v-stdlib) <-> ONE BRANCH (e.g. m2-vslio). Reads m-stdlib
+(stage STDNET + STDASSERT; re-pin the seam) but EDITS NEITHER m-stdlib nor vpng
+(org CLAUDE.md). VSLIO is a VSL* module beside VSLCFG, layer v.
+
+START BY READING (in order):
+  1. docs/prompts/m2-vslio-kickoff.md — the full M2 design context (Lane A done):
+     the R1 TLS rationale, the engine-divergence map, the tiered acceptance, and
+     the recorded TLS-infra-absent finding.
+  2. m-stdlib/src/STDNET.m + m-stdlib/docs/modules/stdnet.md +
+     m-stdlib/docs/memory/m2-stdnet-socket-seam.md — the EXACT signature VSLIO
+     mirrors (listen/accept/connect/read/write/close) + the hard-won socket idiom
+     + the TLS gap (STDNET is plaintext; $$tlsAvailable=0; listenTls/connectTls
+     raise U-STDNET-NOTLS).
+  3. v-stdlib/src/VSLCFG.m + v-stdlib/tests/VSLCFGTST.m +
+     v-stdlib/docs/memory/t1.2-vslcfg.md + t0b4-msl-seam-pin.md — the adapter
+     pattern, the @icr/@source/seam-pin gate wiring to mirror, the live driver
+     recipe, and how `make pin`/`check-msl-pin` works (re-pin v0.7.0 -> v0.8.0).
+  4. docs/vsl-msl/msl-vsl-coordination-implementation-plan.md §5.1 (the S4 row),
+     §5.4 (the @icr gate; #2118 pinned), §5.5 (the @source gate), §12.2 (the
+     VSLIO acceptance row).
+  5. docs/vsl-msl/https-stack-spec.md §9 (TLS configuration per engine) +
+     docs/vsl-msl/testinfra/README.md (the provisioned DEFAULT TLS SERVER CONFIG
+     param-def stand-in — config-only, no cert).
+  6. v-stdlib/CLAUDE.md + ~/vista-cloud-dev/CLAUDE.md — layer-v rules, the m/v
+     waterline, the ENGINE-ACCESS HARD RULE (driver stack only; the PreToolUse
+     guard denies raw docker exec / iris session), and the Increment Protocol.
+
+THE WORK (TDD red-first, hard rule):
+  • Re-pin (boundary 1): `make pin` -> dist/msl-seam-pin.json msl_ref
+    v0.7.0 -> v0.8.0 (now carries seams.STDNET); `make check-msl-pin` green. This
+    is the first real exercise of T0b.4's fetch-the-MSL-contract-at-the-tag path.
+  • tests/VSLIOTST.m FIRST (red, safe-default stubs, never $ECODE): tier 1
+    (CALL^%ZISTCP POP=0), tier 2 (loopback echo). A clean way to do the loopback:
+    open a listener (STDNET works on the GT.M VistA engine too, or ^%ZIS), then
+    VSLIO CALL^%ZISTCP connects to it and echoes one byte. Confirm RED.
+  • src/VSLIO.m (green): expose STDNET's signature, VistA binding ONLY. Tag every
+    L4 call `; doc: @icr <n> @status Supported @custodian XU @source <doc_key>#<anchor>`
+    (CALL^%ZISTCP = #2118; ground ^%ZIS/^%ZISUTL via corpus-researcher).
+  • Tier 3 (TLS): assert $$tlsAvailable^STDNET()=0 / that a TLS path is not yet
+    wired; record tier-3 blocked-on-infra (no cert / XU*8.0*787). Do NOT fake it.
+
+ENGINE RECIPES (from t1.2/t1.3/vpng memory):
+  Suites:   m test --engine ydb  --docker vehu     --routines <m-stdlib>/src tests
+            m test --engine iris  --docker foia-t12 --namespace VISTA --routines <m-stdlib>/src tests
+  Ad-hoc:   m vista exec --engine ydb|iris --transport docker '<M>'  (+ M_YDB_*/M_IRIS_* env)
+  (Driver stack ONLY — never raw docker exec/iris session.)
+
+VERIFICATION (M2 Lane B "done"):
+  • VSLIOTST green YDB+IRIS for tier 1 (POP=0) and tier 2 (loopback echo); tier 3
+    recorded blocked-on-TLS-infra.
+  • The three determinism boundaries green: (1) check-msl-pin@v0.8.0; (2) check-icr
+    (every VSLIO L4 call Supported/declared); (3) check-citations (each @source
+    anchor verified vs the gold corpus). make check-fast clean (fmt/lint/arch +
+    all gates incl. check-namespaces, check-engine-access).
+  • No regression: m-stdlib (v0.8.0) + vpng unchanged; v-stdlib's existing
+    VSLCFG/VSLCFGTST + gates still green.
+
+DO NOT (scope guards):
+  • Do NOT edit m-stdlib or vpng. Do NOT build a KIDS package/env-check (VSLBLD, M5).
+  • Do NOT put framing/buffering in VSLIO — it goes in STDNET, called up.
+  • Do NOT fake TLS — tier-3 stays infra-blocked until a cert + XU*8.0*787 (or
+    GT.M $gtmtls) land; that is the gating cleanup the backlog tracks.
+  • One repo (v-stdlib), one branch. Merges + any MSL re-tag stay user actions.
+
+INCREMENT PROTOCOL (v-stdlib, when green):
+  1. Memory: v-stdlib/docs/memory/m2-vslio.md (the ^%ZIS/CALL^%ZISTCP binding, the
+     POP/IO contract, the @icr pins grounded, the tier-3 TLS-infra blocker) + index.
+  2. Tracker: flip the M2 row in docs/vsl-msl/vsl-implementation-tracker.md (docs
+     repo — SEPARATE commit, stage only the tracker) to note Lane B done / tier-3
+     blocked.
+  3. Commit + push the v-stdlib branch (e.g. m2-vslio). Co-Authored-By trailer.
+
+GOAL: the VistA side of the socket seam — VSLIO binding STDNET (v0.8.0) to
+^%ZIS/CALL^%ZISTCP, a byte echoing plaintext on BOTH engines (tiers 1-2), tier-3
+TLS recorded blocked-on-infra, all three determinism boundaries green. Then M3
+(VSLFS — the FileMan storage seam, §12.2).
+```
+
+## Notes for the operator (not part of the resume prompt)
+
+- **Why this is unblocked now.** Lane A tagged MSL `v0.8.0` carrying
+  `seams.STDNET`; v-stdlib's `check-msl-pin` compares against the **tag**, so the
+  re-pin to `v0.8.0` is the first real run of T0b.4's deferred fetch-at-tag path.
+- **The TLS tier is expected to be blocked.** Don't treat tier-3 as a failure —
+  the absence of engine TLS is a researched, documented, *gating* backlog item
+  (m-stdlib `discoveries.md` 2026-06-16). A green tier-1+tier-2 with tier-3
+  recorded blocked is a complete, honest Lane B increment.
+- **Grounding the non-pinned ICRs.** Only `CALL^%ZISTCP` (#2118) is pre-pinned.
+  Confirm `^%ZIS` / `^%ZISUTL` / any TLS-config read against the vdocs gold corpus
+  via `corpus-researcher` — verify, don't trust the plan's prose.
+- **If `foia-t12` is down**, recreate per the IRIS leg recipe in the t1.2/t1.3
+  memories; confirm `docker ps` healthy before the IRIS run.