KB-5ACC
T2 Audit — 04 Risk Audit
3 min read Revision 1
terminal2auditrisk2026-06-04
04 — Risk Audit
| Risk class | Live exposure | Mitigation / current safeguard | Verdict |
|---|---|---|---|
| Irreversible birth | birth_registry rows are unretirable; every approval_requests/apr_approvals/dot_tools insert mints births. Counter at 1,194,790. |
Audit is read-only; engineering inserts deferred to owner. Use engineering-collection deltas (not raw counter) as the mutation proof. | CONTAINED |
| Irreversible canon | Setting axis_registry.status=ACTIVE / inserting AX-TRIGGER is effectively permanent canon. |
Handlers fail-closed on BLOCKED_NO_PRESIDENT_VOTE; AX-TRIGGER absent (not faked). |
CONTAINED (vote-gated) |
| Auto-approve trap | Auto-approve trigger fires only on action='add'. PROC-OWN rows use action='review' precisely to avoid it. |
Never insert a PROC-OWN/officialization approval with action='add'. |
LIVE TRAP — flagged |
| Event activation | Activating the 7 process.* events starts real event emission to downstream consumers. |
Gated behind PROC-OWN-05 (president vote); all 7 currently active=false. |
CONTAINED (vote-gated) |
| REAL_RUN | Flipping real_run_enabled=true lets dot:kg make real model calls / mutations; enables the dot:kg split. |
real_run_enabled=false, execute_enabled=false, dry_run_only=true; REALRUN multi-gate; obs REAL_RUN=0. |
CONTAINED (operator/owner-gated) |
| UI divergent git | Public nuxt main ahead17/behind13; PR branch feat/process-axis-dashboard. Rebase/force-push risk to a public repo. |
Operator-only; handoff runbook staged; AI does not touch git. Divergence UNVERIFIED_THIS_RUN (no ssh channel) — carried from checkpoint. | CONTAINED (operator-gated) |
| Background birth drift | +63 births since prior T2 with zero engineering change. | All engineering collections MATCH; drift sourced to entity_labels/system_issues/KB. Do not read raw counter as engineering mutation. | BENIGN |
| Trigger-canon | Temptation to insert AX-TRIGGER to "complete" the axis pair. | AX-TRIGGER deliberately absent from axis_registry; only read-only census/surfaces exist. | CONTAINED — must stay absent until owner |
| Source-IU edit | Editing information units / source content to reflect officialization. | Out of scope; no IU edited; content lives in separate KB docs. | CONTAINED |
Top three live traps for whoever executes next
action='add'auto-approve — any officialization approval inserted withaction='add'self-approves, bypassing the human-president gate. Useaction='review'.- Raw birth counter as proof — it drifts from background jobs; only engineering-collection before/after deltas prove birth-free.
- AX-TRIGGER fake-canon — inserting it into axis_registry without an owner + vote manufactures canon. It must remain absent until PROC-OWN-style request + vote.