T2 Watchdog 00 — Readme First (RP Automation Actuation, 2026-06-05)
T2 READ-ONLY WATCHDOG — RP Automation Actuation / REAL-RUN Closeout
Program: PROGRAM_AUDIT_T2_READONLY_RP_AUTOMATION_ACTUATION_WATCHDOG Role: Terminal 2 read-only safety watchdog, run concurrently while Terminal 1 (T1) executes RP_AUTOMATION_ACTUATION_AND_REALRUN_CLOSEOUT. Date: 2026-06-05. Database: directus (public schema). All times UTC.
Final status: PARTIAL — WATCH CLEAN, T1 STILL RUNNING
All five read-only safety checks are clean. The status is PARTIAL (not PASS) for one reason only: T1's newest checkpoint does not yet exist (checkpoint-rp-automation-actuation-realrun-closeout-2026-06-05.md returns 404), and T1 is observed actively probing the live DB (its queries appear in postgres logs through 08:55:53 UTC). Per the watchdog rules, no area that depends on T1's final state may be declared PASS while T1 runs. The watch itself is useful and every safety invariant held at audit time.
Read-only confirmation
This terminal performed ZERO mutations to the DB, filesystem, UI, Git, scheduler, approvals, owners, events, REAL_RUN flags, source IU, or KB source content. Only query_pg (read-only role, 5s timeout), docker_logs (read-only), and KB upload_document for my own audit docs under this report directory. Mutations: NONE except these KB audit docs.
Area verdicts at a glance
| # | Area | Verdict | One-line basis |
|---|---|---|---|
| 1 | OOM watch | CLEAN | No signal-9 since 06:04:02 UTC (clean to 08:55:53); guard OOM_SAFE; 0 crash landmines |
| 2 | Action safety | CLEAN | No REAL_RUN; all runtime flags false; ownership 0; president votes 0; guard 129 |
| 3 | Scanner provenance | STALE / AWAITING_T1_FINAL | Honest path (adapter_run_log) fresh 06-05 02:10; lie cols still frozen 06-04; fix not yet wired |
| 4 | No-blind-spot | CLEAN | Guard 7/7 PASS; no UNKNOWN/PARTIAL converted to zero |
| 5 | Drift / action queue | CLEAN | Drift 6 rows teeth intact; action queue fully fail-closed |
Document index
- 00-readme-first.md (this doc)
- 01-oom-watch.md
- 02-action-safety-watch.md
- 03-scanner-provenance-watch.md
- 04-no-blind-spot-watch.md
- 05-drift-action-queue-watch.md
- 06-final-summary.md
Single most important caveat for T1
Scanner provenance was STILL STALE at audit time — wf_scanner_run_log frozen 06-04 09:53 and workflow_scanner_registry.last_run_at frozen 06-04 10:25, while the honest read path wf_adapter_run_log is fresh 06-05 02:10:44. This is exactly the documented "provenance lie" gotcha and the drift detector's scanner_provenance_age_vs_real_run_age row is still flagged actionable (T1_CAN_WIRE). If T1 wires the reversible provenance fix, it must re-confirm that the honest read path is not broken by the rewire and that the no-blind-spot guard stays 7/7.