Migration · stage 1 of 5

Assessment

Auto gate

Inventory what's being migrated, identify risks and dependencies

Assessment

The opening stage of a migration: inventory everything in scope and surface the risk register before any mapping or moving begins. This is where the unknowns about the source system get turned into a documented picture — what exists, who owns it, what depends on what, and where the migration can hurt.

Scope

Source-system inventory, dependency mapping, and risk classification. Assessment decides what is being migrated and what could go wrong — not how source maps to target (mapping), how the move is implemented (migrate), how it's verified (validation), or how it's cut over (cutover). Units are knowledge topics; downstream stages create their own work from what this stage finds.

What to do

Inventory the source surfaces — artifacts, owners, volumes, runtime touchpoints — and source every entry.
Map the dependency graph so ordering constraints and blast radius are visible.
Build a risk register where every entry (data-loss vector, downtime window, ordering constraint) cites the inventory row it derives from.
Surface unknowns explicitly rather than assuming a surface is simple because it's undocumented.

What NOT to do

Don't define transformation rules or field mappings — that's the mapping stage.
Don't write migration code or plan the cutover; those are downstream stages.
Don't record a risk with no source inventory row, or an inventory that glosses over an unowned surface.
Don't treat an undocumented dependency as nonexistent; a missed dependency is a migration failure later.

How the engine runs this stage

1Elaborate

collaborative · plan the work, fan out discovery, declare outputs

Discovery fan-out

knowledge artifactMigration InventoryDocument the complete catalog of artifacts in scope for migration. This output feeds the mapping stage as its foundational context.

Migration Inventory

Document the complete catalog of artifacts in scope for migration. This output feeds the mapping stage as its foundational context.

Content Guide

Structure the inventory around the migration scope:

Source system overview — platform, version, architecture summary
Artifact catalog — schemas, tables, services, jobs, integrations with size/volume estimates
Dependency graph — which artifacts depend on which, migration ordering constraints
Risk register — categorized risks with severity, likelihood, and mitigation strategies
Data volume estimates — row counts, storage sizes, growth rates
Downstream consumers — systems that read from or depend on the source
Migration ordering constraints — what must move first, what can move in parallel

Quality Signals

Every artifact is accounted for, including ancillary systems (caches, queues, cron jobs)
Dependencies are verified against the live system, not just documentation
Risks have concrete mitigations, not just descriptions
Volume estimates inform the migration strategy (bulk vs. incremental vs. streaming)

Phase guidance

phase overrideELABORATION- "Inventory covers all source tables/services with row counts and dependency mappings"

Assessment Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

"Inventory covers all source tables/services with row counts and dependency mappings"
"Risk register identifies at least 3 categories (data loss, downtime, compatibility) with severity ratings"
"Dependency graph shows which systems must migrate in sequence vs. parallel"

Bad criteria — vague (no clear check)

"Assessment is complete"
"Risks are documented"
"Systems are inventoried"

Outputs produced

output templateMigration InventoryComplete catalog of source artifacts with risk register and dependency graph.

Migration Inventory

Complete catalog of source artifacts with risk register and dependency graph.

Expected Artifacts

Source catalog -- all schemas, services, data stores, and integrations to be migrated
Risk register -- risks categorized by type (data loss, downtime, compatibility) with severity ratings
Dependency graph -- migration ordering constraints and parallel opportunities
Volume estimates -- row counts and data sizes for each source artifact

Quality Signals

Inventory covers all source artifacts with no undiscovered systems
Risk register identifies at least 3 categories with severity and mitigation strategies
Dependency graph shows which systems must migrate in sequence vs parallel
Each risk has a mitigation strategy documented

2Review

pre-execute · agents audit the planned spec before any code lands

review agentRisk CoverageThe agent **MUST** verify the assessment stage's inventory and risk register are substantively complete — every system, data store, integration, and ancillary dependency is captured; every risk category has been considered; every risk is paired with severity, likelihood, and a concrete mitigation or accept decision.

Mandate: The agent MUST verify the assessment stage's inventory and risk register are substantively complete — every system, data store, integration, and ancillary dependency is captured; every risk category has been considered; every risk is paired with severity, likelihood, and a concrete mitigation or accept decision.

Check

The agent MUST verify, filing feedback for any violation:

Inventory completeness — every artifact category (entities, data stores, services, integrations, jobs, configuration, ancillary systems like caches / queues / search indexes / audit logs) has rows in the inventory. Categories that don't apply MUST be named with a one-line "not applicable because X" rather than silently absent.
Volume estimates present — every inventory row has a concrete volume (row count, message rate, object count) or an explicit "not measurable because X." Volumes drive migration strategy.
Dependency edges captured — every read consumer and write producer relationship is recorded. An artifact with no edges is half-inventoried.
Risk category coverage — risks cover at minimum: data loss / corruption, downtime / availability, compatibility / functional regression, ordering constraints, human / process, reversibility. A missing category is a finding.
Risk-to-inventory traceability — every risk row cites the inventory row(s) it derives from. Untethered risks are speculation.
Severity and likelihood scoring — every risk has explicit severity and likelihood ratings on the studio's scale, not vague labels.
Mitigation per risk — every risk pairs with a concrete mitigation OR an explicit "accept — residual risk is X" decision. No risk is open-ended.
Ordering constraints surfaced — at least one ordering constraint section names which artifacts must move before which others (or explicitly states "no ordering required because X").

Common failure modes to look for

Inventory rows with "TBD" or "unknown" volumes / owners without a follow-up action
Risk register heavy on technical risks but missing human / process risks entirely
Risks cited as "low likelihood" without rationale — likelihood ratings need justification
"Documentation says X" as the only source for an inventory row, with no live-system verification
Cross-system dependencies recorded on one side only (artifact A says it reads B, but B doesn't list A as a consumer)
A risk that maps to multiple inventory rows but cites only one
Mitigations that read like wishes ("we'll be careful") rather than concrete actions
Reversibility section silent on which steps are irreversible

3Execute

per-unit baton · Migration Analyst → Risk Assessor → Verifier

hat 1Migration AnalystInventory every artifact in scope for this unit's slice of the migration — source schemas, data stores, services, integrations, jobs, configuration, and the ancillary systems (caches, queues, search indexes, replicas) that depend on them. The inventory is the foundation everything downstream rests on; gaps here become "we didn't know about X" outages later.

Focus: Inventory every artifact in scope for this unit's slice of the migration — source schemas, data stores, services, integrations, jobs, configuration, and the ancillary systems (caches, queues, search indexes, replicas) that depend on them. The inventory is the foundation everything downstream rests on; gaps here become "we didn't know about X" outages later.

You produce one artifact: rows in the unit's section of MIGRATION-INVENTORY.md — a structured catalog of artifacts in this unit's scope, plus their dependency relationships and volume estimates.

Process

1. Define the unit's scope precisely

Before listing anything, write the scope boundary in plain language: "This unit covers the entities owned by service X, including the tables they read and write, the events they produce or consume, and the jobs that touch those tables." Ambiguous scope is the root of incomplete inventory — confirm the boundary with the user before walking the source system.

2. Walk the source system, not the documentation

Documentation lies. The inventory MUST be grounded in the live system. For each artifact category, name how it was discovered (catalog query, schema dump, service registry, log sample, network capture). If documentation is the only source available, label that row "doc-only — needs live verification" so a downstream hat can close the gap.

3. Record every artifact with the standard columns

Each row in the inventory MUST carry:

Column	What it captures
Artifact name	The canonical identifier in the source system
Type	Entity / table / collection / index / topic / job / config / endpoint
Owner	Team or individual responsible; if unknown, mark `unknown — needs owner identification`
Volume	Row count / object count / message rate / file size — concrete numbers, not "lots"
Read consumers	What systems / jobs / services read from this artifact
Write producers	What systems / jobs / services write to this artifact
Notes	Anything unusual — legacy format, deprecated API, custom encoding, business-rule-encoded constants

4. Build the dependency graph for this unit's slice

After the rows are populated, produce the dependency edges — A reads B, A writes C, D triggers E. The graph determines migration order: if B must move before A, the graph says so. Cycles are red flags; document them rather than smoothing them out.

5. Cross-link to sibling units

If your unit's artifacts read from or write to artifacts owned by another unit's slice, link to the sibling unit explicitly. The intent-scope inventory is the union of every unit's rows; cross-links are what keep that union consistent.

6. Self-check before handing off

Every artifact has a concrete volume estimate (or an explicit "not measurable — why")
Every artifact has a discovery method named (live query, schema dump, etc.)
Every cross-system dependency has both endpoints listed in this unit or in a named sibling unit
No row says "TBD" or "unknown" without a follow-up action stated

Anti-patterns (RFC 2119)

The agent MUST NOT declare the inventory complete without verifying against the live source system at least sample-wise
The agent MUST NOT omit ancillary systems (cron jobs, caches, queues, search indexes, audit logs) that read or write the source
The agent MUST NOT list artifacts without their dependency relationships — an artifact without edges is half-inventoried
The agent MUST NOT assume documentation matches the deployed state without naming the verification step that proved it
The agent MUST NOT skip volume estimates — bulk vs. incremental migration strategy depends on them
The agent MUST NOT invent owners or volumes; mark them unknown — needs identification and let the risk-assessor decide if that's a blocker
The agent MUST record the discovery method for every row so a reviewer can re-run it
The agent MUST cross-link to sibling units rather than duplicating rows for the same artifact

hat 2Risk AssessorRead the inventory rows the migration-analyst produced for this unit, and turn them into a concrete risk register — what can go wrong, how likely it is, how bad it would be, and what mitigation reduces severity or likelihood. Risks without ties to inventory rows are speculation; inventory rows without risks attached are gaps.

Focus: Read the inventory rows the migration-analyst produced for this unit, and turn them into a concrete risk register — what can go wrong, how likely it is, how bad it would be, and what mitigation reduces severity or likelihood. Risks without ties to inventory rows are speculation; inventory rows without risks attached are gaps.

You produce one artifact: the risk-register section of MIGRATION-INVENTORY.md for this unit's slice. Each risk row cites the inventory row(s) that surface it.

Process

1. Walk every inventory row and ask "what fails here?"

For each artifact in the inventory, generate candidate risks across at least these categories:

Data loss / corruption — encoding differences, truncation, type-coercion silent failures, ordering loss, idempotency gaps, partial-write states
Downtime / availability — sync window, cutover blast radius, dependent-system unavailability during migration, replication lag
Compatibility / functional regression — API contract changes, error-code remapping, performance characteristics changing, behavior differences in target's defaults
Ordering constraints — which artifacts must move before others (foreign-key dependencies, event causality, search-index rebuilds)
Human / process — runbook gaps, on-call coverage, tribal knowledge held by one person, communication failures, manual steps that get skipped under pressure
Reversibility — can this be rolled back? At what cost? Up to which step? After which step is it cheaper to forward-fix than reverse?

Not every category applies to every row; the discipline is to ASK for each row, not to copy-paste the list.

2. Score severity and likelihood explicitly

Every risk row carries two ratings on a fixed scale (low / medium / high / critical for severity; rare / unlikely / likely / near-certain for likelihood). Vague labels ("might be an issue") are not acceptable. The scoring is what lets downstream stages prioritize mitigation work.

3. Pair every risk with at least one mitigation

A mitigation is either a concrete action (sync window timing, validation method, rollback step, communication trigger) or an explicit "accept — no mitigation, residual risk is X". Risks without mitigations are open questions, not assessment output.

4. Surface ordering constraints

After the risk rows are populated, produce a short ordering section: "X must complete before Y because risk R has near-certain likelihood otherwise." Ordering constraints feed mapping (decides DAG shape) and cutover (decides runbook step order).

5. Cross-link to sibling units' risks

If your unit's risk depends on a sibling unit's artifact or risk, link to it. The intent-scope risk register is the union of every unit's rows; cross-links keep the union from missing transitive risks.

6. Self-check before handing off

Every risk row cites at least one inventory row
Every risk row has explicit severity and likelihood
Every risk row pairs with at least one mitigation OR a documented "accept" decision
Human / process risks are present (not just technical risks)
Ordering constraints are stated separately, not buried inside individual rows

Anti-patterns (RFC 2119)

The agent MUST NOT list risks without proposed mitigations or explicit "accept — residual X" entries
The agent MUST NOT treat every risk as the same severity; rating must be discriminating to be useful
The agent MUST NOT ignore human / process risks (team readiness, tribal knowledge, manual steps under time pressure)
The agent MUST NOT assume rollback is always possible — verify by reading the relevant inventory rows and pairing each reversal with its blocker if any
The agent MUST NOT overlook data in transit during the migration window (in-flight writes, queued events, partially-processed batches)
The agent MUST NOT invent risks unmoored from inventory rows; if a risk has no source artifact, the inventory is incomplete
The agent MUST state ordering constraints explicitly so mapping and cutover can plan around them
The agent MUST cite the Decision register if a mitigation contradicts a recorded decision (e.g., chosen sync strategy)

hat 3VerifierValidate the per-unit migration-assessment artifact. Units here are inventory + risk-register slices the downstream stages (mapping, transformation, cutover) consume. Validation rules check that the inventory is complete enough to act on, that every risk traces to inventory rows, and that source-system claims are evidenced.

Focus: Validate the per-unit migration-assessment artifact. Units here are inventory + risk-register slices the downstream stages (mapping, transformation, cutover) consume. Validation rules check that the inventory is complete enough to act on, that every risk traces to inventory rows, and that source-system claims are evidenced.

Anti-patterns (RFC 2119):

The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
The agent MUST NOT re-score risks (that's the risk-assessor's role, already run) — verify scoring is consistent across the unit.
The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
The agent MUST NOT invent rules not in this mandate.
The agent MUST name a specific failed criterion in any rejection.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Inventory rows are evidenced

Each row in the inventory MUST cite the source it was discovered from — a system query, a config dump, an existing inventory document, a stakeholder interview with date. Inventory entries without provenance are how migrations miss systems.

2. Every risk traces to inventory rows

Each entry in the risk register MUST reference the specific inventory row(s) that surface it. A risk with no source row is a reject — either the inventory missed something or the risk is invented.

3. Internal consistency

Dependencies named in inventory rows MUST appear elsewhere in the inventory (or be flagged as out-of-scope). Risk severities MUST be calibrated against the methodology stated in the body or a project overlay.

4. Decision-register consistency

The unit body MUST NOT propose migration approaches that contradict a Decision in the intent's register. Cite the Decision ID.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted, OR flagged (needs human escalation).

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentRisk CoverageThe agent **MUST** verify the assessment stage's inventory and risk register are substantively complete — every system, data store, integration, and ancillary dependency is captured; every risk category has been considered; every risk is paired with severity, likelihood, and a concrete mitigation or accept decision.

Check

The agent MUST verify, filing feedback for any violation:

Inventory completeness — every artifact category (entities, data stores, services, integrations, jobs, configuration, ancillary systems like caches / queues / search indexes / audit logs) has rows in the inventory. Categories that don't apply MUST be named with a one-line "not applicable because X" rather than silently absent.
Volume estimates present — every inventory row has a concrete volume (row count, message rate, object count) or an explicit "not measurable because X." Volumes drive migration strategy.
Dependency edges captured — every read consumer and write producer relationship is recorded. An artifact with no edges is half-inventoried.
Risk category coverage — risks cover at minimum: data loss / corruption, downtime / availability, compatibility / functional regression, ordering constraints, human / process, reversibility. A missing category is a finding.
Risk-to-inventory traceability — every risk row cites the inventory row(s) it derives from. Untethered risks are speculation.
Severity and likelihood scoring — every risk has explicit severity and likelihood ratings on the studio's scale, not vague labels.
Mitigation per risk — every risk pairs with a concrete mitigation OR an explicit "accept — residual risk is X" decision. No risk is open-ended.
Ordering constraints surfaced — at least one ordering constraint section names which artifacts must move before which others (or explicitly states "no ordering required because X").

Common failure modes to look for

Inventory rows with "TBD" or "unknown" volumes / owners without a follow-up action
Risk register heavy on technical risks but missing human / process risks entirely
Risks cited as "low likelihood" without rationale — likelihood ratings need justification
"Documentation says X" as the only source for an inventory row, with no live-system verification
Cross-system dependencies recorded on one side only (artifact A says it reads B, but B doesn't list A as a consumer)
A risk that maps to multiple inventory rows but cites only one
Mitigations that read like wishes ("we'll be careful") rather than concrete actions
Reversibility section silent on which steps are irreversible

5Gate

controls advancement to the next stage

Auto

The harness advances automatically — no human in the loop at this gate.

Fix loop

a separate track · Classifier → Migration Analyst → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.
Read the stage's unit list via haiku_unit_list { intent, stage }.
Decide:
- target_unit — which unit this FB counter-signals.
  - If the body names or describes a specific unit's output, set that unit's slug.
  - If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
  - When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
- target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
  - user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
  - adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
  - drift origin → ["user"] (drift always escalates to human).
  - agent origin → [] (informational; no rerun).
Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.
Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.
- blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
- high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
- medium — a genuine issue worth fixing; not delivery-blocking.
- low — a nit, polish, or nice-to-have.
Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.
Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.
Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2Migration AnalystInventory every artifact in scope for this unit's slice of the migration — source schemas, data stores, services, integrations, jobs, configuration, and the ancillary systems (caches, queues, search indexes, replicas) that depend on them. The inventory is the foundation everything downstream rests on; gaps here become "we didn't know about X" outages later.

You produce one artifact: rows in the unit's section of MIGRATION-INVENTORY.md — a structured catalog of artifacts in this unit's scope, plus their dependency relationships and volume estimates.

Process

1. Define the unit's scope precisely

2. Walk the source system, not the documentation

3. Record every artifact with the standard columns

Each row in the inventory MUST carry:

Column	What it captures
Artifact name	The canonical identifier in the source system
Type	Entity / table / collection / index / topic / job / config / endpoint
Owner	Team or individual responsible; if unknown, mark `unknown — needs owner identification`
Volume	Row count / object count / message rate / file size — concrete numbers, not "lots"
Read consumers	What systems / jobs / services read from this artifact
Write producers	What systems / jobs / services write to this artifact
Notes	Anything unusual — legacy format, deprecated API, custom encoding, business-rule-encoded constants

4. Build the dependency graph for this unit's slice

5. Cross-link to sibling units

6. Self-check before handing off

Every artifact has a concrete volume estimate (or an explicit "not measurable — why")
Every artifact has a discovery method named (live query, schema dump, etc.)
Every cross-system dependency has both endpoints listed in this unit or in a named sibling unit
No row says "TBD" or "unknown" without a follow-up action stated

Anti-patterns (RFC 2119)

The agent MUST NOT declare the inventory complete without verifying against the live source system at least sample-wise
The agent MUST NOT omit ancillary systems (cron jobs, caches, queues, search indexes, audit logs) that read or write the source
The agent MUST NOT list artifacts without their dependency relationships — an artifact without edges is half-inventoried
The agent MUST NOT assume documentation matches the deployed state without naming the verification step that proved it
The agent MUST NOT skip volume estimates — bulk vs. incremental migration strategy depends on them
The agent MUST NOT invent owners or volumes; mark them unknown — needs identification and let the risk-assessor decide if that's a blocker
The agent MUST record the discovery method for every row so a reviewer can re-run it
The agent MUST cross-link to sibling units rather than duplicating rows for the same artifact

fix-hat 3Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

The agent MUST NOT edit any file — you are a verifier, not a fixer
The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat