Verification and Risk

IGRE treats verification and risk as structured claims.

Verification fit is derived from the structure of a check. It is not self-declared.

Examples:

  • same-source read-after-write equality for granular state can be exact
  • cross-source equality for granular state can be acceptable
  • instant reads of aggregate metrics are weak
  • subjective checks are weak unless backed by external attestation
  • absence checks are weak unless paired with proof the observation pipeline is healthy

This prevents a CLI from inflating a weak check into an “exact” check.

Rollback categories should be explicit:

  • FULL_REVERT: the mutation can be made observationally invisible.
  • PARTIAL_REVERT: some affected addresses can be restored.
  • COMPENSATE: an inverse-shaped operation can move toward a better state.
  • RATCHET: the system is forward-only by design.
  • NO_ROLLBACK: this CLI cannot undo or compensate.

If the CLI cannot delete or undo, it should say NO_ROLLBACK.

Risk ratings are domain-local. They should reference anchor scenarios:

{
  "rating": "MODERATE",
  "anchor_scenario_ref": "time-entry-create-moderate",
  "reasons": [
    "remote mutation may be billable",
    "this CLI has no rollback support"
  ]
}

The linter should reject unknown anchors and mismatched ratings.
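
A sketch of that lint rule, added here as an example and not IGRE's own code. The anchor registry format and the names `ANCHORS`, `lint_risk` and `lint_document` are assumptions, and the sample claims are constructed around the anchor id shown above.

```python
import json

# Assumed anchor registry for one domain: anchor id -> the rating that scenario
# defines. Hypothetical format; the id and rating are the ones shown on the page.
ANCHORS = {"time-entry-create-moderate": "MODERATE"}


def lint_risk(claim, anchors=ANCHORS):
    """Return lint errors for one risk claim; an empty list means it passes."""
    if not isinstance(claim, dict):
        return ["risk claim must be a JSON object"]
    errors = []
    rating = claim.get("rating")
    ref = claim.get("anchor_scenario_ref")
    if not isinstance(rating, str):
        errors.append("rating missing or not a string")
    if not isinstance(ref, str):
        errors.append("anchor_scenario_ref missing or not a string")
    elif ref not in anchors:
        errors.append(f"unknown anchor: {ref}")
    elif isinstance(rating, str) and rating != anchors[ref]:
        # Exact, case-sensitive comparison: the anchor decides the rating,
        # so a claim cannot talk its way to a lower (or higher) one.
        errors.append(f"rating {rating} does not match anchor {ref} ({anchors[ref]})")
    return errors


def lint_document(text, anchors=ANCHORS):
    """Lint a JSON array of risk claims; returns {index: [errors]} for failures."""
    try:
        claims = json.loads(text)
    except json.JSONDecodeError as exc:
        return {-1: [f"invalid JSON: {exc.msg}"]}
    if not isinstance(claims, list):
        return {-1: ["expected a JSON array of risk claims"]}
    failures = {}
    for i, claim in enumerate(claims):
        errs = lint_risk(claim, anchors)
        if errs:
            failures[i] = errs
    return failures


# Constructed sample input: a valid claim, a mismatched rating, an unknown anchor.
SAMPLE = """[
  {"rating": "MODERATE", "anchor_scenario_ref": "time-entry-create-moderate",
   "reasons": ["remote mutation may be billable"]},
  {"rating": "LOW", "anchor_scenario_ref": "time-entry-create-moderate", "reasons": []},
  {"rating": "LOW", "anchor_scenario_ref": "time-entry-delete-low", "reasons": []}
]"""

if __name__ == "__main__":
    print(lint_document(SAMPLE))
```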

Blind spots are structured disclosures:

{
  "what": "semantic duplicate records may already exist",
  "why_unverifiable": "the remote API does not provide a complete duplicate guarantee",
  "consequence_if_wrong": "duplicate billable records may be created",
  "severity": "DATA_INTEGRITY"
}

Blind spots prevent silence from being mistaken for completeness.