Public Draft (Unsigned Preview) — Evaluation-only.For procurement/conformance: treat as UNTRUSTED → EXPECT HOLD (fail-closed).NOT FOR INCORPORATION BY REFERENCE. Procurement-grade status applies only to a future signed release with verifiable release-gate authenticity artifacts. Receipts, not promises. What this is KCS-ALP-L1: Agent Lockdown Profile (ALP-L1) v1.0.0 (Public Draft) — a procurement-shaped interoperability profile for enterprise agent runtimes, enabling buyer-run, offline verification of conformance receipts and replay determinism. Included artifacts: Whitepaper PDF (normative), bundle ZIP (offline verifier + fixtures), Release Checklist, publication‑integrity addendum, artifact‑signing public key, and CITATION.cff. Release date: 2026‑02‑18 Canonical standards surface: https://meridianverity.com/standards/ Project home: https://meridianverity.com/ Pinned artifact‑signing fingerprint (trust anchor): 9ACD3C8B2E02BD4CAA6742EB7132DE1CAA7BBB01 Normative scope Only the Whitepaper PDF is normative. All other files in this record are supporting artifacts (bundle ZIP, offline verifier + fixtures, templates, addenda, and reviewer/auditor packets). Fail‑closed posture: HOLD blocks sensitive side effects by default when evidence is missing, stale, inconsistent, unverifiable, or non‑deterministic. Fail‑closed / release gate This deposit is UNSIGNED_PREVIEW. Consumers MUST treat this deposit as UNTRUSTED → HOLD (fail‑closed) for any conformance, safety, or procurement acceptance claim. For a future signed release, procurement‑grade status exists if and only if offline verification succeeds under the pinned fingerprint: sha256sum -c SHA256SUMS gpg --verify SHA256SUMS.asc SHA256SUMS What the profile specifies (high level) · Deterministic runtime verdicts (ALLOW / DENY / HOLD) with standardized reason codes. · Deterministic offline outcomes (PASS / FAIL / HOLD) for Evidence Pack verification and replay checks. · Signed allowlist‑only tool/skill invocation (tamper‑evident). · Permit‑before‑send network egress (deny‑by‑default). · Untrusted → trusted boundary enforcement for privileged actions. · Secret isolation + scoped use (no plaintext secrets in prompts, tool output, or logs). · High‑risk action approval gates (HOLD until approval proof exists). · Version pinning + drift detection; stewardship/change‑control expectations. · Portable Evidence Packs with minimal schema/registry surfaces designed for procurement attachment. Interoperability evidence (included) This record includes a reference offline verifier contract and portable fixture Evidence Packs demonstrating expected outcomes (PASS / HOLD / FAIL), including negative and boundary cases, with deterministic receipts + reason codes. Buyer‑run demo from bundle root: python3 verifier_contract/alp_l1_offline_verifier.py verifier_contract/fixtures/ALP_SAMPLE_PACK_TV-ALP-001_PASS_BASELINE_v1.0.0.zip python3 verifier_contract/alp_l1_offline_verifier.py verifier_contract/fixtures/ALP_SAMPLE_PACK_TV-ALP-002_HOLD_ALLOWLIST_SIG_MISSING_v1.0.0.zip python3 verifier_contract/alp_l1_offline_verifier.py verifier_contract/fixtures/ALP_SAMPLE_PACK_TV-ALP-005_FAIL_DIGEST_MISMATCH_v1.0.0.zip Security considerations (snapshot) Threat model coverage includes (illustrative): tool injection/capability sprawl, allowlist tampering, data exfiltration, prompt injection, secret leakage, unauthorized high‑risk actions, baseline drift/downgrade, evidence repudiation, and TOCTOU‑style drift. Public‑safe by design The profile and artifacts avoid exploit guidance and do not require disclosure of confidential implementation details by default. License / rights notice CC BY 4.0 applies to text and supporting artifacts unless a file states otherwise. No patent license by publication. Not legal advice. Integrity / verification Use SHA256SUMS to verify file integrity (SHA‑256) after download/extraction: sha256sum -c SHA256SUMS How to cite Use the Zenodo “Cite as” entry after publication. CITATION.cff is included for convenience.