Macro-3 Channel Host-Cron Risk Map — R2-B2 (2026-06-19)

Date: 2026-06-19 · Workstream: R2-B2-MACRO-3-OPTION-D-OWNER-DELEGATE-DECISION-PACKAGE-2026-06-19 (Deliverable 9 of 60) · Editorial revision: rev1 Class: channel risk map (host cron) · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.

Metadata convention. Editorial revision (rev1) only. Storage revision/content_length authoritative at read time.

---

0. Status and non-authorization

STATUS: PASS — engineering / decision-prep. The risks the Owner accepts if host cron is later chosen. Engineering PASS ≠ authority PASS. Default: HOLD.

1. Purpose

State host-cron's downside honestly so the case (D7) is not read in isolation.

2. Sources / evidence read

Macro-2 host-cron memo, weighted comparison, channel proof-gap closure. Main process, no reader-agents.

3. Accepted baseline (carried)

Lowest blast radius ≠ lowest governance risk; observability is the trade.

4. Evidence / analysis — risk table

#	Risk	Severity	Note
HC-R1	Low observability — a silent failure leaves no contract-bound audit trail	HIGH	mitigated only by external logging the producer must add
HC-R2	Drift from governance contract — cron is out-of-band of the DOT/contract model	MED	weakens Điều-32 traceability
HC-R3	Standing-authority creep — a recurring cron can become a de-facto standing channel without a gate	MED	must stay staging-first + Owner-gated
HC-R4	No native DRY_RUN — fail-closed must be enforced in the producer, not the channel	MED	proof plan D11 obligation

5. Recommendation / matrix / result

If host cron is chosen, HC-R1…HC-R4 must be mitigated in the B2 producer (logging, fail-closed, idempotency, staging-first). Not selected here.

6. Owner-gated future work

Mitigations are designed in the actual B2 TD (Owner-gated), not here.

7. What remains unresolved

All four risks remain OPEN; none is mitigated by this package.

8. Ready for GPT/Codex review

Yes — Codex should add any host-cron risk omitted and re-rate severities.