KB-C2E4
T1 FIX7 Design Verification - 13 Risk Register (SUPERTRACK M)
Revision 1
Tags: QT001, FIX7, T1, risk-register, supertrack-m
13 — Design Risk Register (SUPERTRACK M)
Severity: CRITICAL / HIGH / MED. Status: OPEN / CONTAINED (blocked-now) / INTENT-OK.
| risk_id | layer | sev | description | design mitigation | implementation check | operator dependency | Codex re-audit req | status |
|---|---|---|---|---|---|---|---|---|
| R1-HARDCODE | engine/policy | HIGH | Generic-interpreter claim unverifiable; manifest schemas/interpreter contract absent → T1 could re-introduce metadata-ID/CASE hardcode by guessing | typed interpreter, no metadata-ID CASE, sealed manifests (intent) | grep authoritative fn bodies for any tier/gate/collection literal = 0; policy is rows | none (author-time) | yes — re-audit engine for disguised hardcode | OPEN (spec) |
| R2-DIRECTUS-MUT | control-plane | CRITICAL | Directus owns all 4 control tables; INSERT/DELETE on signoff + INSERT on cap evidence proven live → control plane is app-mutable | NOLOGIN owner, Directus read-only, REVOKE, append-only | post-cutover: pg_class.relowner = qt001_cp_owner; has_table_privilege(directus,…,INSERT/UPDATE/DELETE)=false | YES — owner cutover + REVOKE (FIX7b) | yes | OPEN (live) / CONTAINED by global block |
| R3-READINESS-DENOM | readiness | HIGH | Mutable/self-defined denominator; FIX7 readiness derivation rule unwritten; Directus can DELETE gate rows | sealed exact-set gate manifest; quorum activation; runtime zero DML | exact-set both-directions; NULL=FAIL; count=count(manifest); delete-a-gate test stays red | YES (manifest seal needs owner) | yes | OPEN (spec) / CONTAINED |
| R4-SIGNOFF-SPOOF | signoff | HIGH | Signoff table app-writable; principal/evidence schema unspecified; expiry/supersede/revoke not mentioned in FIX7 | FK principal, content-addressed evidence, no self-sign, independent quorum | spoof negative tests; self-sign rejected; expired/revoked fails; principal by FK not string | YES (owner storage) | yes | OPEN (spec+live) |
| R5-FAKE-CAPABILITY | capability | HIGH | Capability self-attestable live (Directus INSERT on evidence); behavioral-test/measurement schema unspecified | behavioral+operational evidence, verifier identity, owner-only storage | keyset/resume/perf tests defined + measured; existence/free-text rejected; Directus cannot INSERT | YES (owner + real scale evidence) | yes | OPEN (spec+live) |
| R6-HASH-AMBIG | hash | MED | SHA-256 asserted but extension/primitive availability unaddressed; canonicalization/NULL rules unspecified | SHA-256, domain-separated, plan-content vs control-state separation | confirm primitive exists or stage operator install; reorder-invariant; NULL=FAIL; per-component sensitivity | maybe (extension install) | yes | OPEN (spec) — H.9 separation INTENT-OK |
| R7-CALLGRAPH | dependency | HIGH | pg_depend records no PL/pgSQL function-to-function call edges (func_to_func=0); reliance on an external analyzer whose seal/staleness binding is unspecified | analyzer contract, sealed manifest, OID-checked dynamic SQL; does NOT pretend pg_depend | analyzer output content-hashed vs live pg_get_functiondef; unknown node = BLOCK; OID-check before EXECUTE | possibly (analyzer run) | yes | OPEN (spec) — I.1 PASS |
| R8-TOCTOU | concurrency | HIGH | Writer/activation race; lock object, hold scope, pre-commit predicate, evidence epoch-binding unspecified | hash-bound control_epoch; writer shared / activation exclusive lock + increment | concurrent writer+activation test; stale-epoch abort proven; evidence epoch-stamped | none (author-time) | yes | OPEN (spec) — primitive INTENT-OK |
| R9-MANUAL-SQL | deploy | MED | Prior practice = manual psql -U directus; FIX7 forbids it but Level-B pipeline not shown to exist | Level-B DOT/migration pipeline, owner-credentialed, never manual SQL | pipeline entrypoint exists + runs; manual psql blocked by NOLOGIN owner | YES (pipeline must be built) | yes | OPEN (artifact) |
| R10-PRIV-DEPLOY | deploy | HIGH | Privileged activation (owner/ACL/manifest) is operator-only; quorum/approval record schema unspecified | independent quorum, operator-alone-cannot-activate, read-back | approval record (who/quorum/sig); read-back diff logged | YES (operator quorum) | yes | OPEN (spec) — boundary INTENT-OK |
| R11-ROLLBACK | deploy | MED | No rollback snapshot/script published for cutover/activation | "rollback snapshots required" (FIX7b) | 99_rollback.sql per stage; rehearsed apply→rollback→verify-gone | none (author-time) | yes | OPEN (artifact) |
| R12-MISSING-DESIGN-DOCS | governance | CRITICAL | Final-review 01–09 never authored; verdict rests on non-existent per-dimension evidence; no concrete spec anywhere | — (this is the meta-risk) | Codex publishes per-dimension design + concrete spec; T1 verifies before implementing | YES (Codex) | yes — this IS the re-audit gap | OPEN (root cause) |
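The R2 and R9 implementation checks (owner cutover, REVOKE, NOLOGIN owner) as one runnable PostgreSQL assertion script. This is an added example, not FIX7b's own cutover or verification artifact. It assumes, because the register does not name them, that the four control tables live in a schema called qt001_cp and that the Directus application role is named directus; qt001_cp_owner is the owner role named in the register. Run it after the cutover as any role that can read the catalogs; it raises on the first violation and is silent on success.

```sql
-- R2 / R9 post-cutover assertions (PostgreSQL, PL/pgSQL DO block).
-- ASSUMPTIONS not stated in the register: schema name qt001_cp, app role name directus.
DO $$
DECLARE
    expected_n CONSTANT int := 4;     -- "all 4 control tables" (register, R2)
    n          int;
    tbl        regclass;
    owner_name text;
    priv       text;
BEGIN
    -- R9: the owner role exists and cannot log in, so "manual psql -U qt001_cp_owner" is impossible.
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'qt001_cp_owner' AND NOT rolcanlogin) THEN
        RAISE EXCEPTION 'qt001_cp_owner missing or LOGIN-capable';
    END IF;

    -- Privilege can also arrive via superuser status or role membership, which
    -- has_table_privilege() would report as granted; rule both out explicitly.
    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'directus' AND rolsuper) THEN
        RAISE EXCEPTION 'directus is a superuser; REVOKE is meaningless';
    END IF;
    IF pg_has_role('directus', 'qt001_cp_owner', 'MEMBER') THEN
        RAISE EXCEPTION 'directus is a member of qt001_cp_owner and can SET ROLE into it';
    END IF;

    -- R2: exactly the expected number of control tables is present in the schema.
    SELECT count(*) INTO n
    FROM pg_class c JOIN pg_namespace ns ON ns.oid = c.relnamespace
    WHERE ns.nspname = 'qt001_cp' AND c.relkind IN ('r', 'p');
    IF n <> expected_n THEN
        RAISE EXCEPTION 'expected % control tables in qt001_cp, found %', expected_n, n;
    END IF;

    FOR tbl IN
        SELECT c.oid::regclass
        FROM pg_class c JOIN pg_namespace ns ON ns.oid = c.relnamespace
        WHERE ns.nspname = 'qt001_cp' AND c.relkind IN ('r', 'p')
    LOOP
        -- R2: pg_class.relowner resolves to qt001_cp_owner for every control table.
        SELECT pg_get_userbyid(relowner) INTO owner_name FROM pg_class WHERE oid = tbl;
        IF owner_name <> 'qt001_cp_owner' THEN
            RAISE EXCEPTION '% is owned by %, expected qt001_cp_owner', tbl, owner_name;
        END IF;

        -- R2: Directus keeps read access ("Directus read-only") but no DML of any kind.
        IF NOT has_table_privilege('directus', tbl, 'SELECT') THEN
            RAISE EXCEPTION 'directus lost SELECT on %', tbl;
        END IF;
        FOREACH priv IN ARRAY ARRAY['INSERT', 'UPDATE', 'DELETE', 'TRUNCATE'] LOOP
            IF has_table_privilege('directus', tbl, priv) THEN
                RAISE EXCEPTION 'directus still has % on % (R2 not contained)', priv, tbl;
            END IF;
        END LOOP;
    END LOOP;
END $$;
```

The superuser and membership checks are the caveat to the register's "manual psql blocked by NOLOGIN owner": NOLOGIN only stops a direct login as the owner. A superuser, or any role granted membership in qt001_cp_owner, can still SET ROLE to it and mutate the control plane, so the REVOKE is only meaningful if those two paths are closed as well.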
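The R3 readiness check (sealed exact-set gate manifest, both-direction match, NULL=FAIL, count=count(manifest)) as an added example in PostgreSQL, not FIX7's own derivation rule, which the register notes is still unwritten. The two table names and their columns are hypothetical: a sealed qt001_cp.gate_manifest(gate_id) holding the exact gate set, and qt001_cp.gate_result(gate_id, passed) holding the latest result per gate. The denominator is always the manifest, never the live result rows, so deleting a result row cannot shrink it.

```sql
-- R3 readiness derivation over a sealed manifest. HYPOTHETICAL tables:
--   qt001_cp.gate_manifest(gate_id text PRIMARY KEY)   -- sealed exact set (owner-only storage)
--   qt001_cp.gate_result(gate_id text, passed boolean) -- latest result per gate, app-writable
-- ready is TRUE only when: the manifest is non-empty, every manifest gate has exactly one
-- result row, no result row names a gate outside the manifest, and no result is NULL or false.
CREATE OR REPLACE FUNCTION qt001_cp.readiness_state()
RETURNS TABLE (manifest_count int, matched_count int,
               missing_gates text[], unknown_gates text[], ready boolean)
LANGUAGE sql STABLE AS $$
  WITH m AS (SELECT gate_id FROM qt001_cp.gate_manifest),
       r AS (SELECT gate_id, passed FROM qt001_cp.gate_result),
       -- both-direction exact-set comparison
       missing AS (SELECT gate_id FROM m EXCEPT SELECT gate_id FROM r),
       unknown AS (SELECT gate_id FROM r EXCEPT SELECT gate_id FROM m),
       joined  AS (SELECT m.gate_id, r.passed FROM m JOIN r USING (gate_id))
  SELECT (SELECT count(*) FROM m)::int,
         (SELECT count(*) FROM joined)::int,
         (SELECT coalesce(array_agg(gate_id ORDER BY gate_id), '{}') FROM missing),
         (SELECT coalesce(array_agg(gate_id ORDER BY gate_id), '{}') FROM unknown),
         (SELECT count(*) FROM m) > 0
         AND NOT EXISTS (SELECT 1 FROM missing)
         AND NOT EXISTS (SELECT 1 FROM unknown)
         -- count = count(manifest); a duplicated result row would inflate joined
         AND (SELECT count(*) FROM joined) = (SELECT count(*) FROM m)
         -- NULL = FAIL: IS DISTINCT FROM true treats NULL exactly like false
         AND NOT EXISTS (SELECT 1 FROM joined WHERE passed IS DISTINCT FROM true)
$$;

-- "delete-a-gate test stays red": remove one manifest gate's result and confirm that
-- ready flips to false instead of going green on a shrunken denominator.
BEGIN;
  DELETE FROM qt001_cp.gate_result
   WHERE gate_id = (SELECT min(gate_id) FROM qt001_cp.gate_manifest);
  SELECT manifest_count, matched_count, missing_gates, ready FROM qt001_cp.readiness_state();
ROLLBACK;

-- Inverse direction: a result row for a gate that is not in the manifest must also
-- keep readiness red (it shows up in unknown_gates), so the set is exact both ways.
BEGIN;
  INSERT INTO qt001_cp.gate_result (gate_id, passed) VALUES ('not-in-manifest', true);
  SELECT unknown_gates, ready FROM qt001_cp.readiness_state();
ROLLBACK;
```

Sealing the manifest (owner-only storage, no grants to directus) is what makes this derivation meaningful; with the manifest app-writable, the denominator is self-defined again and the check collapses back to the R3 finding.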
Register summary
- CRITICAL (2): R2 (Directus mutates the control plane, live-proven) and R12 (missing design/evidence docs, root cause). By linkage, R3/R4/R5 effectively escalate to critical until the owner cutover lands, since each of their mitigations depends on owner-only storage.
- HIGH (7): R1, R3, R4, R5, R7, R8, R10.
- MED (3): R6, R9, R11.
- None of the 12 risks is CLOSED. R12 is the root cause: every other "spec" risk is a symptom of the design package being property assertions without the per-dimension concrete specification. R2 is the root live risk and is contained only by the present global block, not by FIX7 enforcement (which is operator-gated and unbuilt).