04 — Containment Activation + Coverage Rule (Objective C)

Entry: containment registered active, 5 group values, 0 assignments, 0 coverage_rule → coverage_rule_missing finding.

Source of truth: collection_registry."group" (real folder mapping)

35 governed collections: GRP-AI 1 (owner GOV-DOT), GRP-BUSINESS 2 (GOV-MOIT), GRP-GOVERNANCE 16 (GOV-COUNCIL), GRP-REGISTRY 14 (GOV-KG-SYS), GRP-WORKFLOW 2 (GOV-DOT).

C (committed, sql/C_containment_activation.sql)

1. coverage_rule CR-CONTAIN-ASSIGNED: per_assignment, applies_to=collection, required_owner_kind=accountable, threshold 0.5, staleness 0. (per_assignment correct — each collection has exactly one group; cross_product would wrongly require 35×5.)
2. 35 real assignments (INSERT…SELECT from inventory ⋈ group), zone=approved, confidence=1.0, kind=rule, tagged.
3. 35 ownership rows (group→accountable authority) so coverage genuinely closes.

Verification

containment required=35, gap=0, ok=35; distribution 1/2/16/14/2; no hidden island (unregistered_groups_used=0, collections_without_group=0); coverage_rule_missing(containment) cleared. Self-guard asserted required=35∧gap=0∧missing=0∧crm=0∧island=0 before COMMIT.

Coverage-rule behaviour

v_axis_required_cell (per_assignment) = 35 cells; v_axis_missing_assignment(containment)=0; v_axis_coverage_gap(containment)=0 (every cell owned).

Fail-closed negatives (sql/C2, rollback-only)

N1 invalid group → FK 23503; N2 null provenance on approved → CHECK; N3 invalid zone → CHECK; N4 invalid owner_kind → CHECK; N5 delete assignment → detected (missing 0→1). All caught in BEGIN…ROLLBACK; exit restored 35.

No hidden island

Every value used is a registered active axis_value; every collection maps to one of 5 registered groups; no ungrouped collection, no unregistered group referenced. Verdict: containment fully activated.