KB-C8EB

Phase 2 Offline MVP — rev4 Acceptance Matrix Binding — 2026-06-10

Revision 1

Binds every in-scope rev4 acceptance test (#1–#45) + negatives to the real evidence that proves it. Three evidence sources:

  • B4′ = deny-by-default container probes, run 27247749834, 12/12 PASS (reports/b4-prime-sandbox-attestation-evidence-2026-06-10.*).
  • GUARD = tools/build_guard.py static scan + its negative pytest tests, run 27248508492.
  • PYTEST = ip_dot_inspector engine tests, run 27248508492 (31/31).

L1 host-sandbox (structural) — bound to B4′ + GUARD static half

| # | Test | Bound to | Verdict |
|---|---|---|---|
| #25 | shell/subprocess attempt | B4′ PR-EXEC-1 (ENOENT, no shell) + GUARD (no subprocess import) | PASS |
| #27 | network egress | B4′ PR-NET-1/PR-NET-2/PR-SOCK-1 (EPERM/lo-only) + GUARD (no client) | PASS |
| #28 | credential/env-secret | B4′ PR-ENV-1 (no secret env) + PYTEST test_37b (fail-closed) | PASS |
| #29 | arbitrary local read/escape | B4′ PR-FS-ESC-1/2 + PR-MOUNT-1 (EROFS, 2 binds) | PASS |
| #33 | write outside output dir | B4′ PR-FS-RO-IN + PR-FS-OUT-OK + PR-MOUNT-1 | PASS |
| #34 | KB write attempt | B4′ (no network) + GUARD (no KB SDK) | PASS |
| #35 | live PG query | B4′ (no network) + GUARD (no DB client) | PASS |
| #36 | docker socket | B4′ PR-SOCK-DOCKER (absent) | PASS |
| #37 | sandbox invariants unverifiable at startup | PYTEST test_37/test_37b (P1 fail-closed) | PASS |

L2 static build-guard — bound to GUARD

| # | Test | Bound to | Verdict |
|---|---|---|---|
| #24 | module declares prohibited action | test_24 (ALLOWED_ACTIONS ⊄ universe rejected) | PASS |
| #26 | dynamic import / plugin load | test_26 (importlib rejected) | PASS |
| #30 | direct DB driver opened | test_25_30 (psycopg2/asyncpg rejected) | PASS |
| #31 | raw SQL submitted | test_31 (cursor.execute+SQL rejected) | PASS |
| #36 | exit 0 attempted | test_36 (sys.exit(0) rejected) | PASS |
| #19 | positive verdict without governed source / clean tree passes | test_19 (clean tree → no violation) | PASS |
| #3 | removed positive tokens absent | build-guard scan (forbidden token in comment caught & removed) | PASS |

MVP-LOGIC (adequacy / verdict / wording / provenance) — bound to PYTEST

| # | Test | pytest | Verdict |
|---|---|---|---|
| #1/#3 | no green verdict; no forbidden tokens; no exit 0 | test_01_03 | PASS |
| #4 | executable claim, no governed existence → INSUFFICIENT, existence NOT_EVIDENCED | test_04 | PASS |
| #5 | selftest PASS, no run ledger → INSUFFICIENT + NOT_PROVEN | test_05 | PASS |
| #8 | command, no Call Contract → BLOCKED_BY_NO_CALL_CONTRACT | test_08 | PASS |
| #9 | collapsed denominator → BLOCKED; bare count → FLAG_HARDCODED_DENOMINATOR | test_09 / test_09b | PASS |
| #10 | TAC/IU joined → BLOCKED | test_10 | PASS |
| #11 | diagnostic overrides canonical → READ_LEVEL_FAIL | test_11 | PASS |
| #16 | contradictory evidence → EVIDENCE_CONFLICTING | test_16 | PASS |
| #17 | high-risk unparsed → completeness UNVERIFIED + manual review | test_17 | PASS |
| #20/#23 | decision_effect=NONE, disclaimer verbatim in report | test_20_23 | PASS |
| #21 | negative verdict missing scope → CONTRACT_VIOLATION (exit 3) | test_21 | PASS |
| #22 | global-denial wording lint | test_22 | PASS |
| | every negative verdict carries scope_of_denial | test_every_negative_verdict_carries_scope | PASS |
| #38 | local-first authority → FLAG_LOCAL_FIRST_AUTHORITY | test_38 | PASS |
| #39 | item with no governed provenance → NOT_EVIDENCED | test_39 | PASS |
| #40 | review-ready treated as binding → FLAG_AUTHORITY_VIOLATION | test_40 | PASS |
| #41 | Fixture A → READ_LEVEL_FAIL; existence NOT_EVIDENCED; C1/C4/C5 | test_41 | PASS |
| #42 | Fixture A′ → UNVERIFIED (not FAIL); NOT_EVIDENCED | test_42 | PASS |
| #43 | Fixture C → READ_LEVEL_FAIL via C5/C7 | test_43 | PASS |
| #44 | Fixture B → READ_LEVEL_FAIL + FLAG_PROSE_ONLY_PASS | test_44 | PASS |
| #45 | Fixture D → FLAG_GLOBAL_DENIAL_WORDING + FAIL | test_45 | PASS |

DEFERRED (correctly NOT implemented)

#32 (SELECT side-effect fn → L5/B7) and D1–D11 (Call Contract run-half, proof-of-run, generic manifest schema, --selftest, audit_dead_links→system_issues, Directus write, OPA/CI gating, positive/exit-0, governed export step, server-enforced KB writer, downstream gate consumer). All absent from v0.1 by design.

Net binding verdict: PASS — every in-scope acceptance test is backed by a named, reproducible piece of real evidence (B4′ probe, build-guard result, or pytest case).

knowledge/dev/laws/tool-kiem-thu/reports/phase2-offline-mvp-acceptance-matrix-binding-2026-06-10.md