KB-5C7D
11 — Risk Review
Revision 1
architecture, discovery, risk, reuse-first
R1 — Forgetting risk (the mission's primary concern)
- Pivot+counting engine re-invention. HIGH likelihood pre-discovery (prior session memory never emphasized pivot_definitions/pivot_count). MITIGATED by docs 04/06/08. Action: any "add counting to lists" task MUST reuse PIV pattern.
- Birth gate / meta_catalog re-invention. Medium. MITIGATED — reference pattern documented (doc 10).
- Approval spine duplication. Medium. MITIGATED — approval_requests/apr_approvals is the single spine.
R2 — Hidden/unregistered laws
- Đ23 (frozen) and Đ45 (enacted) are NOT in normative_registry. Anyone querying PG for "all active laws" silently misses them → enforcement/scanner gaps. Severity HIGH. Action: RECONCILE (doc 10-I) under Đ38 process.
- law_catalog stale/divergent (mislabels Đ28; version drift). Severity MEDIUM. Risk of citing wrong law metadata. Action: treat normative_registry as authoritative; deprecate/realign law_catalog.
R3 — Counting integrity drift
- trg_auto_sync_registry_counts reportedly DISABLED → v_registry_counts may lag actual. cross_check LỆCH (mismatch) on 7 CATs. dot-pivot-health cron PATH wrong (KB). Severity MEDIUM-HIGH (lists could display stale counts). Action: re-enable sync, reconcile, run test_counting_contract().
- DOT dual count (CAT-006 vs CAT-DOT) — two truths for one table. Severity MEDIUM.
R4 — UI Preview Master as false "living list"
- Hand-maintained static JSON presents as authoritative but already drifted (review-log 19/4 vs manifest 61/16). Two disjoint inventories (ui_pages 37 vs manifest 61) with no mapping. Severity MEDIUM. Risk: decisions made off stale/duplicate UI truth. Action: RECONCILE + EXTEND to PG-backed (doc 10-C).
R5 — Inline (non-IU) workflow design
- workflows/steps store body inline; no iu_ref. Migrating later is harder the more inline content accrues. Severity MEDIUM. Action: EXTEND additively before WF-002's 60 steps are fleshed out further.
R6 — Unborn registries committed carelessly
- field/input_form/tier registries are dress-rehearsed but uncommitted. Risk: committing field_registry as a copy of directus_fields (1,482) → dual SoT. Severity MEDIUM. Action: RECONCILE — field_registry = overlay, directus_fields = truth. Strictly Đ32-gated.
R7 — Trigger naming collision
- Reusing trigger_registry (physical DB triggers) for design/business triggers would corrupt both. Severity MEDIUM. Action: NEW workflow_trigger_design (separate), never overload trigger_registry.
R8 — Event activation
- iu_outbound_route all dry_run; flipping to live is a sovereign macro. Risk of premature live delivery / duplicate sends (retry/idempotency policies empty). Severity MEDIUM. Action: populate policies + per-route approval before dry_run=false.
R9 — Vector / Qdrant drift (carried from prior sessions)
- IU vector_sync disabled; prior PG↔Qdrant drift notes. Out of this mission's scope (read-only, no Qdrant MCP). Severity LOW for lists. Note only.
R10 — Discovery completeness
- ~150 fn_iu_* and many scanners enumerated by signature, not all bodies read (confidence 0.78 scanner domain, doc 06). Residual risk a niche capability is under-described. Severity LOW. Mitigation: ledger flags it; future deep-dive if a list needs a specific scanner.
Overall risk posture
No HIGH-severity implementation risk introduced (read-only mission). The dominant residual risks are governance/data-integrity reconciliations (R2, R3, R4) that the reuse-first plan addresses without new engines. The single most important anti-forgetting safeguard: route all future "make lists live/counted" work through the pivot + meta_catalog + birth + approval chain documented here.