KB-4290

Action-ready Blockers after Gap-only Spec rev4 (B0‴ Codex re-seal + B4′ offline guard harness + B7 deferred online surface gate the read/report MVP; B6 triage-only; B1/B2/B3 execution surface; 2026-06-09)

5 min read · Revision 1
Tags: tool-kiem-thu, action-ready-blockers, rev4, mvp-readiness, offline-packet, deny-by-default-sandbox, design-only, 2026-06-09

Action-ready Blockers after Gap-only Spec rev4

This packet makes no "no engineering omissions" claim. It lists the exact, bounded blockers that gate the read/report MVP after the rev4 repair. MVP implementation is NOT authorized. Design only; no mutation; no build. Date: 2026-06-09 · Status: ACTION_READY_BLOCKERS_REV4 · Production mutation: NO.

MVP readiness recommendation (Track 8)

Recommended: Option C — start as an offline, packet-only inspector, with live KB/PG reads deferred — governed by the Option-A discipline: the build may begin only when the offline guard harness is in MVP build scope, and MVP acceptance requires its enforcement-bound negative tests to pass against a real deny-by-default sandbox. Hard fallback to Option B (build remains blocked) if no sandbox host can be provisioned/proven. MVP build is NOT allowed today.

Blockers

B0‴ — Codex re-seals rev4 (precondition to any build)

Codex must adjudicate the six guard/authority repairs (packet: reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev4-2026-06-09.md). Disposition GAP_ONLY_SPEC_REV4_SEALED or RETURN_BLOCKERS. Until sealed, no build.

B4′ — Offline guard harness built + enforcement-bound negative tests pass (gates MVP acceptance)

The deny-by-default sandbox (rev4 spec §12.1: no network namespace; RO input mount; WO output mount; no secret mounts; scrubbed env; seccomp execve/socket/connect/ptrace) must be provisioned, plus the in-process defense-in-depth (§12.2), and the acceptance-matrix capability/bypass tests (#24–#37) must pass against the real sandbox with their proof-of-block evidence (seccomp EPERM, mount table, env keyset, build-time rejection). The sandbox is specified, not yet deployed — this is the honest gap. Acceptance ≠ seal: the seal (B0‴) can precede the harness, but the MVP cannot be accepted until B4′ passes.
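An added illustration, not part of this packet or of the rev4 spec, of how the proof-of-block evidence named above (seccomp EPERM, mount table, env keyset) could be evaluated fail-closed. The mount paths, allow-lists, result labels and function names are assumptions made for the example.

```python
import errno

# Assumed values for illustration; the rev4 spec's real paths and allow-lists
# (§12.1) are not reproduced on this page.
INPUT_MOUNT = "/packet-in"  # hypothetical RO input mount
EXPECTED_MOUNTS = {"/", "/proc", "/packet-in", "/report-out"}  # hypothetical
ALLOWED_ENV_KEYS = {"PATH", "LANG", "TZ"}  # hypothetical scrubbed keyset

def probe_blocked(attempt):
    """Classify one forbidden call. Only EPERM is proof of block: success means
    the guard is missing, and any other error (e.g. ENETUNREACH) shows the call
    failed for an unrelated reason and says nothing about the seccomp filter."""
    try:
        attempt()
    except OSError as exc:
        return "BLOCKED_EPERM" if exc.errno == errno.EPERM else "INCONCLUSIVE"
    return "NOT_BLOCKED"

def mount_violations(mount_table):
    """Check /proc/mounts-format text: input is ro, no unexpected mount points.
    Write-only output is not visible in mount options and is not checked here."""
    options = {}
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            options[fields[1]] = set(fields[3].split(","))
    found = [f"unexpected mount: {m}" for m in sorted(set(options) - EXPECTED_MOUNTS)]
    if "ro" not in options.get(INPUT_MOUNT, set()):
        found.append(f"input mount not read-only: {INPUT_MOUNT}")
    return found

def env_violations(env):
    """Return key names outside the scrubbed allow-list (never the values)."""
    return sorted(set(env) - ALLOWED_ENV_KEYS)

def negative_test_passes(probes, mount_table, env):
    """Fail closed: needs at least one probe, all EPERM-blocked, no violations."""
    results = {name: probe_blocked(fn) for name, fn in probes.items()}
    ok = (bool(results) and all(r == "BLOCKED_EPERM" for r in results.values())
          and not mount_violations(mount_table) and not env_violations(env))
    return ok, results

if __name__ == "__main__":
    # Constructed sample evidence, not output captured from any real sandbox.
    mounts = "overlay / overlay rw 0 0\n/dev/sda1 /packet-in ext4 ro 0 0\n"
    def denied(): raise OSError(errno.EPERM, "Operation not permitted")
    print(negative_test_passes({"socket": denied}, mounts, {"PATH": "/usr/bin"}))
```

Treating INCONCLUSIVE as a failure matters in a sandbox with no network namespace: a connect attempt can fail for lack of a route even when the seccomp filter is absent, so only the EPERM result binds the test to enforcement.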

B6 — No governed taxonomy authority ⇒ triage-only, no green (bounds the MVP)

No sealed governed claim/evidence/verdict taxonomy source exists ⇒ no positive/green verdict, no exit 0, ceiling UNVERIFIED; every output non-gating (decision_effect=NONE, may_gate=false). A positive verdict requires a separate sealed taxonomy authority.

B7 — Deferred online surface BLOCKED until its contracts are sealed (rev4)

The following stay BLOCKED and out of the MVP until sealed:

  • Live governed export step + named-query-catalog/driver/network-policy contract — the only place a live governed read may occur; named query IDs only, side-effect-free; until then the MVP runs on a manually-produced governed packet.
  • Path-scoped server-enforced KB report writer — until sealed, the MVP writes only a local output artifact and KB upload is a separate governed step.
  • Downstream consumer/authority contract — until sealed, nothing may consume the inspector's output as a gate/block/authorization (may_gate=false).

B1 / B2 / B3 — Execution surface (carried; gate any "does it run / global absence" capability)

  • B1 running any command + exit capture → Call Contract.
  • B2 proof-of-run / binding a claim to a real execution result → Proof-of-run Contract.
  • B3 proving global absence of an artifact → Call / Proof-of-run Contract (the read-level tool may only ever say NOT_EVIDENCED_IN_ALLOWED_SURFACES).

What is NOT a blocker (already adequate at design level)

  • Article-14 adequacy chain (Gate 2 PASS, preserved + strengthened).
  • FIX7 discoverability honesty (Gate 5 PASS, preserved; verdict renamed NOT_EVIDENCED_IN_ALLOWED_SURFACES).
  • Sealed B/C/D/G/H (not reopened).
  • Denominator provenance / no-collapse model (Codex fixes 5/6/7 closed).

Minimal safe next step (exactly one)

Route reviews/codex-checkpoint-packet-gap-only-spec-and-fix7-pilot-rev4-2026-06-09.md to Codex for the rev4 re-seal (B0‴). Do not implement, invoke, install, mutate, provision, or create a tool/schema/runner/sandbox.

Cross-references

  • Gap-only Spec rev4: designs/implementation-package-dot-v0-1-gap-only-scope-spec-rev4-2026-06-09.{md,json} (§21 readiness, §22 blockers)
  • Fix ledger rev4: reports/codex-fix-ledger-gap-only-spec-rev4-2026-06-09.md
  • Codex re-seal (source): reviews/codex-reseal-gap-only-spec-rev3-2026-06-09.md
  • Superseded rev3: checkpoints/action-ready-blockers-after-gap-only-spec-rev3-2026-06-09.md