13. Residual risks

Seventeen risks are inherent to the wardline model regardless of language, tooling, or governance maturity. They are structural limitations, not implementation defects.

| # | Risk | Primary Compensating Control |
|---|------|------------------------------|
| 1 | Declaration correctness — wardline itself could be wrong | Governance model (§10), baseline ratification |
| 2 | Governance decay — rubber-stamping under deadline pressure | Annotation fingerprint baseline (§10.2) |
| 3 | Serialisation boundary blindness — static analysis cannot verify bytes on disk | Restoration boundaries (§6.3), institutional trust |
| 4 | Annotation coverage gaps — unannotated code is invisible | Coverage reporting in fingerprint baseline (§10.2) |
| 5 | Semantic downgrade — exception translation defeating original intent | Golden corpus specimens, governance review of translation authority |
| 6 | Expedited governance path normalisation — "time-critical" becomes default | Expedited governance ratio metric (§10.4) |
| 7 | Implicit-flow taint bypass — control-flow encoding launders taint | Implicit-flow evasion heuristic (§8.6.1), prompted review |
| 8 | SHOULD-layer verification gap — no independent verification for type/runtime layers | Binding-level corpus extension (tool quality target) |
| 9 | Adversarial annotation injection — deliberately dishonest declarations | Code review, WL-007, fingerprint baseline (§10.2) |
| 10 | Contract adequacy — validation-scope declarations may be incomplete | Contract declarations reviewable in fingerprint baseline |
| 11 | MIXED state coarseness — field-level taint lost on cross-tier composites | join_product / MIXED_TRACKED binding extension (§6.1) |
| 12 | Evasion surface trajectory — models learn to route around syntactic tripwires | Semantic equivalent catalogues, adversarial corpus specimens |
| 13 | Governance-layer attack surface — manifest poisoning, fatigue exploitation, boundary manipulation | Two-person review, anomaly detection (§10.3.2) |
| 14 | Third-party library boundary taint — ungoverned code performing tier promotions | dependency_taint declarations (§14.1.2), version pinning |
| 15 | Capacity-driven classification drift — manifest born wrong under capacity pressure | Lite governance profile (§15.3.2), phased adoption |
| 16 | Type/encoding coercion gap — silent conversions preserve structure while changing meaning | Boundary-contract review, domain-specific validation, non-goal disclosure (§4) |
| 17 | Polyglot/projection coherence drift — bindings or projections disagree with current policy state | Shared manifest governance (§14), projection currency (§9.5), per-binding review |

Seventeen inherent residual risks with primary compensating controls

1. Declaration correctness. The wardline itself could be wrong. If the application declares the wrong tier for a data source — classifying external API data as Tier 1, or authoritative audit records as Tier 3 — enforcement is structurally correct but semantically meaningless. The tool faithfully enforces the wrong policy. Pre-generation context projection (§9.5) amplifies the consequences of declaration errors when LLMs are active consumers: a wrong tier declaration causes the LLM to generate code conforming to the wrong policy, and that code passes enforcement because enforcement faithfully implements the poisoned manifest. The accidental defensive patterns that would otherwise serve as symptoms of misclassification — patterns that a human reviewer might notice as anomalous — are eliminated by the projection, because the LLM generates code that is stylistically consistent with the (wrong) declared tier. Compensating control: governance model (§10), baseline ratification with classification confirmation, and independent review of trust-escalation declarations.

2. Governance decay. Every governance gate is a human activity. Protected-file review, temporal separation, provenance justification — each requires a human to exercise judgement under deadline pressure. Under sustained pressure, each becomes a candidate for rubber-stamping. The wardline cannot verify the quality of the human judgement that governs it. It can only make the judgement visible and auditable. Compensating control: annotation fingerprint baseline (§10.2), which makes governance erosion detectable even if it cannot prevent it.

3. Serialisation boundary blindness. Static analysis cannot cross the serialisation boundary to verify that bytes on disk were written by a trusted code path. When a function declares "this data is internal" and deserialises from a file, the enforcement tool verifies that the function's body treats the data as Tier 1 — but it cannot verify that the file was written by a Tier 1 code path rather than manually edited, corrupted, or replaced. Trust-escalation declarations at serialisation boundaries are governance-verified only. This is the point where the wardline's machine-readable guarantees yield to institutional trust. Restoration boundaries (§6.3, Group 17) are where this risk is most acute — and where it converges with risk 9 (adversarial annotation injection): an adversarially injected restoration boundary declaration bypasses technical enforcement entirely and relies solely on governance quality.

4. Annotation coverage gaps. Unannotated code is invisible to the enforcement system. A function without wardline annotations is not checked against any pattern rules, and its data flow is not traced through the taint model. The enforcement system MUST report coverage metrics (percentage of functions annotated, percentage of data paths traced) as a binding requirement — coverage below 100% means the wardline has blind spots, and those blind spots MUST be visible. In practice, 100% annotation coverage is neither achievable nor desirable — the annotation budget SHOULD be spent at boundaries, not on internal utility functions. The residual risk is that a critical code path falls outside the annotated surface. Compensating control: the annotation fingerprint baseline (§10.2) makes the coverage boundary visible and tracks its evolution over time, ensuring that coverage gaps do not silently widen.

5. Semantic downgrade. A function authorised as an exception translation boundary — architecturally permitted to make terminal policy decisions about exceptions from high-stakes paths — could translate those exceptions in ways that defeat the original function's intent. It could convert an audit integrity error into a generic warning, or translate a halt-required failure into a logged-and-continued event. Static analysis can enforce structural authorisation (only designated functions may translate these exceptions) but not semantic appropriateness (the translation preserves the original severity). This gap is irreducible by static means. Compensating control: golden corpus specimens that test exception translation boundaries, and governance review of functions granted translation authority.

6. Expedited governance path normalisation. Every expedited governance path becomes the default path under sustained delivery pressure. The ratio of expedited to standard governance approvals is a leading indicator of governance decay — a ratio that trends upward signals that "time-critical" has expanded to include routine work. Compensating control: the expedited governance ratio metric (§10.4), computed from the exception register's provenance field (§14.1.3) and reported in the SARIF findings output (§11.1), with a project-defined threshold declared in the root wardline manifest that triggers a governance-level finding when exceeded.

7. Implicit-flow taint bypass. The framework scopes taint analysis to explicit flows only (§8.6). An implicit flow — where the fact that a branch was taken leaks information about a tier-classified value (if tier1_field == "sensitive": x = True; else: x = False) — launders taint through control flow without a data dependency. This is a known limitation of explicit-flow taint analysis, deliberately accepted because implicit-flow analysis is computationally expensive and a prolific source of false positives. The residual risk is that an adversary or careless agent can bypass tier enforcement through control-flow encoding. Compensating controls: the implicit-flow evasion heuristic (§8.6.1), which catches the dominant conditional-assignment pattern as a warning-level signal; and prompted review and code inspection at tier boundaries for cases the heuristic does not cover.
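
A conditional-assignment check in the spirit of the heuristic this entry names, added here as an illustration; it is not the framework's §8.6.1 rule or any binding's code. It uses Python's `ast` module, and the `TAINTED` set, the `SAMPLE` source and all function names are constructed assumptions.

```python
import ast

# Constructed sample input. The first statement is the pattern quoted in
# risk 7; the remaining statements are controls the check must leave alone.
SAMPLE = (
    'if tier1_field == "sensitive":\n'
    '    x = True\n'
    'else:\n'
    '    x = False\n'
    'if request_count > 3:\n'          # condition reads no classified value
    '    y = 1\n'
    'else:\n'
    '    y = 0\n'
    'z = "a" if tier1_field.startswith("s") else "b"\n'
    'w = tier1_field\n'                # explicit flow, covered by normal taint tracking
)

# Assumption: names the explicit-flow pass has already marked as tier-classified.
TAINTED = frozenset({"tier1_field"})


def names_read(node):
    """Every bare name referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def literal_targets(stmts):
    """Simple names that a branch assigns a literal constant to."""
    found = set()
    for stmt in stmts:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant):
            found |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
    return found


def find_implicit_flows(source, tainted):
    """Return sorted (line, target, tainted names in the condition) warnings."""
    warnings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.If):
            # Statement form: both arms write a literal to the same name.
            cond = node.test
            targets = literal_targets(node.body) & literal_targets(node.orelse)
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.IfExp):
            # Expression form: x = A if cond else B, with literal A and B.
            ifexp = node.value
            cond = ifexp.test
            both_literal = (isinstance(ifexp.body, ast.Constant)
                            and isinstance(ifexp.orelse, ast.Constant))
            targets = ({t.id for t in node.targets if isinstance(t, ast.Name)}
                       if both_literal else set())
        else:
            continue
        leaked = tuple(sorted(names_read(cond) & tainted))
        if leaked:
            warnings.extend((node.lineno, t, leaked) for t in sorted(targets))
    return sorted(warnings)


if __name__ == "__main__":
    for line, target, leaked in find_implicit_flows(SAMPLE, TAINTED):
        print(f"warning: line {line}: '{target}' encodes "
              f"{', '.join(leaked)} via control flow")
```

The check reports the `if`/`else` and the conditional-expression forms only, so its output is a prompt for review at the boundary rather than a proof that no implicit flow exists.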

8. SHOULD-layer verification gap. The verification properties (§11) define six independently evaluable criteria, but all six apply to the static analysis layer. There is no equivalent verification mechanism for the type system layer (§9.2) or the runtime structural layer (§9.3). A binding that claims SHOULD compliance for these layers has no independently assessable way to demonstrate it. Compensating control: language bindings MAY extend the golden corpus concept to cover type system and runtime enforcement — a type-checking corpus that verifies tier mismatches produce diagnostics, and a runtime corpus that verifies fabricated defaults raise errors. For the Assurance governance profile, bindings that claim Wardline-Type or substantial runtime-structural coverage SHOULD provide such an assessor-runnable corpus, even though this remains a tool quality target rather than a framework invariant.

9. Adversarial annotation injection. Deliberate or agent-generated misannotation — declaring external data as Tier 1 to bypass enforcement, or annotating a validation boundary that performs no actual validation. This risk is distinct from residual risk #1 (declaration correctness), which addresses honest error. Adversarial injection is intentional or agent-induced: an agent that generates code with wardline annotations may produce structurally valid but semantically dishonest declarations, and a human reviewer may approve them without recognising the misclassification. Compensating controls: code review of annotation correctness (not just code correctness), structural checks where feasible (WL-007 catches validators with no rejection path), and the annotation fingerprint baseline (§10.2) which flags new or changed annotations for explicit review. The highest-risk combination is adversarial injection at restoration boundaries (Group 17), where risk #3 (serialisation boundary blindness) and this risk converge: an injected restoration boundary declaration faces no technical verification of the provenance claim and relies entirely on governance. The fingerprint baseline's hash scope (§10.2) — which covers annotation declarations but not function bodies — is a deliberate trade-off that creates a documented gap in coverage for this attack vector. An adversary or agent can modify a function's body to circumvent the wardline's intent (e.g., making a rejection path unreachable by guarding it with a condition that is always false due to upstream logic rather than a constant expression) while leaving annotations untouched, and the fingerprint baseline will not flag the change. WL-007 catches structurally absent rejection paths but not rejection paths guarded by conditions that are practically unreachable — this is the gap. 
Including function bodies in the hash would close this gap but generate governance noise on every implementation change — the framework accepts this trade-off on the basis that code review of function bodies is already a standard development practice, whereas annotation changes are wardline-specific and require wardline-specific governance visibility.

10. Contract adequacy. The validation_scope.contracts declaration (§14.1.2) makes the scope of a Tier 2 semantic-validation claim explicit — each named boundary contract declares what data crosses the boundary and at what tier, replacing the previous function-name consumer list. The enforcement tool verifies that the declaration exists but cannot verify that it is adequate: whether the validator's checks actually satisfy the constraints implied by each declared contract is a semantic judgement that requires domain knowledge the scanner does not have. A validator that declares a "landscape_recording" contract but only checks half of the constraints that landscape recording actually requires passes all structural checks. The abstraction improvement — stable semantic identifiers rather than volatile function names — reduces governance noise from refactoring and makes contracts more legible for both human reviewers and agent consumers, but the core adequacy problem remains: the contract name describes intent, not coverage. Compensating controls: contract declarations are reviewable and auditable (tracked in the fingerprint baseline as policy artefact changes); the separation of contracts from contract bindings (§14.1.2) means that governance review focuses on semantic adequacy rather than function-name bookkeeping; and the consumers themselves may fail at runtime if the validator's coverage is incomplete — surfacing the gap through operational evidence rather than static analysis. The declaration converts the most important semantic claim in the framework from implicit to explicit, but the adequacy of that claim remains a governance judgement.

11. MIXED state coarseness (partially addressed). The framework now distinguishes join_fuse (operations that genuinely merge data into an inseparable artefact, e.g., string concatenation, dict merge) from join_product (operations that compose data into a product-type structure where components retain their identity, e.g., dataclass construction, named-tuple packing) — see §6.1. Bindings MAY implement a MIXED_TRACKED extension state for join_product on named product types where the binding can statically resolve field membership, preserving per-field taint rather than collapsing to MIXED_RAW. This reduces false-positive volume on container types without weakening the conservative join for genuinely fused artefacts. The risk is reduced but not eliminated. MIXED_TRACKED implementations may be inconsistent across bindings — tracking field-level taint for some product types but not others, or losing field resolution at untyped intermediaries. The conservative fallback (bindings that do not implement field sensitivity treat join_product as join_fuse, producing MIXED_RAW) prevents false negatives: a binding that cannot prove field-level resolution defaults to the safe behaviour. The residual risk is that field-sensitive tracking creates a precision disparity between bindings — the same composite type may be MIXED_TRACKED in one binding and MIXED_RAW in another, producing different finding sets for structurally equivalent code. Compensating controls: bindings that implement MIXED_TRACKED declare which product types they track, demonstrate precision through golden corpus specimens, and inherit MIXED_RAW severity unless they explicitly narrow it (§6.1). The STANDARD exceptionability on MIXED_RAW cells continues to allow governance overrides where the composite structure is documented but the binding does not implement field-level tracking.
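
The precision disparity described in this entry, modelled as an added example; it is not the framework's or any binding's code. The class and function names, the `Record` type, the rule that agreeing states join to themselves, and the sink rule that accepts only GUARDED are assumptions made for illustration.

```python
from dataclasses import dataclass

GUARDED, UNKNOWN_RAW, MIXED_RAW = "GUARDED", "UNKNOWN_RAW", "MIXED_RAW"


def join_fuse(*states):
    """Conservative join (assumed rule): agreeing inputs keep their state,
    any disagreement collapses to MIXED_RAW."""
    distinct = set(states)
    return distinct.pop() if len(distinct) == 1 else MIXED_RAW


@dataclass
class MixedTracked:
    """MIXED_TRACKED composite: per-field taint survives the join."""
    type_name: str
    fields: dict


class Binding:
    def __init__(self, name, tracked_types=()):
        self.name = name
        # A binding declares which product types it tracks field by field.
        self.tracked_types = frozenset(tracked_types)

    def join_product(self, type_name, field_states):
        if type_name in self.tracked_types:
            return MixedTracked(type_name, dict(field_states))
        # Conservative fallback: treat join_product as join_fuse.
        return join_fuse(*field_states.values())

    def through_untyped(self, composite):
        """An untyped intermediary loses field resolution."""
        if isinstance(composite, MixedTracked):
            return join_fuse(*composite.fields.values())
        return composite

    def read_field(self, composite, field):
        if isinstance(composite, MixedTracked):
            return composite.fields[field]
        return composite  # collapsed: every field carries the composite's state


# Constructed composite: one structurally checked field beside raw input.
RECORD_FIELDS = {"record_id": GUARDED, "comment": UNKNOWN_RAW}


def findings_for(binding, via_untyped=False):
    """Fields that are not GUARDED when read back (hypothetical sink rule)."""
    composite = binding.join_product("Record", RECORD_FIELDS)
    if via_untyped:
        composite = binding.through_untyped(composite)
    return sorted(f for f in RECORD_FIELDS
                  if binding.read_field(composite, f) != GUARDED)


if __name__ == "__main__":
    tracking = Binding("binding-a", tracked_types={"Record"})
    fallback = Binding("binding-b")
    print("tracked:        ", findings_for(tracking))
    print("fallback:       ", findings_for(fallback))
    print("tracked+untyped:", findings_for(tracking, via_untyped=True))
```

The same `Record` yields one finding in the tracking binding and two in the fallback binding, and the tracking binding falls back to the larger set as soon as the value passes through an untyped intermediary.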

12. Evasion surface trajectory. The evasion surface for pattern rules grows as model capability grows — but not monotonically. Current LLMs produce structurally sloppy code that trips syntactic rules (fabricated defaults, broad exception catches, missing rejection paths). As models improve at producing structurally clean but semantically wrong code, they will naturally route around syntactic tripwires without adversarial intent — through helper wrappers, try/except substitution, conditional assignment, schema-level defaults, and other semantic equivalents of the flagged patterns. However, in codebases with high annotation coverage, the trajectory partially reverses: annotations constrain the generation space by making institutional knowledge part of the agent's context window, reducing the rate at which agents produce violations in the first place. The net effect is that the coding-level risk falls as annotation coverage grows, while the governance risk rises — who writes annotations, who approves changes to tier assignments, and who controls the policy surface become the dominant concerns (see risks 1, 2, 9, and 10). The framework's extensibility — a living pattern catalogue, the golden corpus, binding-level heuristics — provides room to adapt to new evasion patterns, but that adaptation MUST be deliberate and adversarially informed. Compensating control: version-tracked semantic equivalent lists for each pattern rule (binding requirement), adversarial specimens in the golden corpus, and the governance mechanisms that address the manifest as a policy surface.

13. Governance-layer attack surface. The manifest threat model (§10.3.2) identifies three attack vectors that target the governance surface rather than the code surface: manifest poisoning (corrupting tier assignments so agents generate code compliant with the wrong policy), governance fatigue exploitation (overwhelming review capacity to smuggle consequential changes), and boundary declaration manipulation (widening validation-scope declarations to permit previously prohibited data flows). These attacks are harder to detect than code-level evasion because they exploit the governance mechanisms that are supposed to catch code-level problems — the guardrails themselves become the target. The compensating controls specified in §10.3.2 (two-person review for tier changes and boundary widenings, anomaly detection for change patterns, mandatory human ratification for agent-originated policy changes) reduce the attack surface but do not eliminate it. The irreducible residual: governance quality depends on human attention, and human attention is the resource the governance model is designed to economise. A governance model that requires sustained high-quality human judgement to secure the policy surface on which automated enforcement depends is inherently fragile under sustained pressure — the same "governance decay" dynamic identified in risk 2, now operating at the meta-level. Section 9 acknowledges this fragility operationally through temporal separation, anomaly detection, capacity metrics, and control-law degradation paths; this risk entry makes explicit that those mechanisms mitigate rather than remove the dependency on scarce human judgement.

14. Third-party library boundary taint. Enterprise and regulated applications depend on third-party libraries — open-source packages maintained by communities with no relationship to the wardline specification, no compliance obligations, and no governance visibility into how their code is used in downstream pipelines. Third-party library functions are seams in the application's trust topology: data crosses them, but the library code is outside the wardline's annotation surface and governance perimeter. The enforcement tool cannot verify a library's internal validation logic, and the library maintainer has no obligation to annotate their code.

The framework addresses this through dependency_taint declarations (§14.1.2) — overlay entries that assign taint states to third-party function return values with governance rationale and version pinning. These are taint source declarations, not boundary declarations: the library function's return value is classified, but the library itself is not treated as a wardline validation boundary. The application's own annotated boundaries perform tier promotion under governance. A third-party library that performs internal validation provides defence in depth — it does not substitute for the application's own validation boundaries.

Three residual risks remain within this model. First, the taint declaration may be inaccurate — a library function declared as returning GUARDED may not actually guarantee structural properties, and the enforcement tool cannot verify the claim. This is analogous to risk 1 (declaration correctness) applied to the dependency surface. Second, library updates may silently change the function's validation behaviour, error handling, or return structure, invalidating the taint assumption. The package version pinning, staleness detection SHOULD, and fingerprint baseline flagging (§6.5, §14.1.2) provide leading indicators but do not guarantee that the taint declaration is re-reviewed promptly. Third, the default conservative treatment (UNKNOWN_RAW) may generate governance noise in applications with heavy third-party library usage, creating pressure to over-declare taint states to reduce finding volume — the same "governance fatigue" dynamic identified in risk 6, applied to dependency declarations.

Compensating controls: dependency_taint declarations with version-pinned package constraints; fingerprint baseline flagging when dependency versions change; governance review of taint declarations at manifest ratification; the application's own validation boundaries as the terminal control regardless of the library's internal behaviour.

15. Capacity-driven classification drift. This risk is distinct from risk 2 (governance decay, which erodes something that was once good) and risk 9 (adversarial annotation injection, which requires intent). Capacity-driven classification drift occurs when a manifest is authored under the same capacity pressure the wardline exists to mitigate — the initial classification was never accurate because nobody had time to make careful tier assignments. The "already drowning" context (§3) makes this the most likely deployment scenario: the team adopting the wardline is the team that is already overwhelmed by unreviewed LLM-generated code, and the manifest authoring process inherits that capacity constraint. The result is a wardline that faithfully enforces a policy that was never carefully considered — enforcement is structurally sound but semantically hollow. Unlike governance decay (risk 2), there is no prior good state to erode; unlike adversarial injection (risk 9), there is no malicious or careless intent — the classification was simply never given the attention it required. Compensating controls: the Lite governance profile (§15.3.2), which reduces the governance surface to a manageable size for capacity-constrained teams; phased adoption with advisory-only early stages, which allows the team to observe enforcement behaviour before committing to blocking enforcement; and manifest ratification with explicit classification confirmation, which forces at least one deliberate review of tier assignments before the wardline becomes authoritative.

16. Type/encoding coercion gap. The framework does not attempt to prove the semantic safety of type, encoding, or format coercions that preserve structural compatibility while changing meaning — for example, float() hiding precision loss, lossy datetime parsing, enum-to-string coercion, or normalisation steps that collapse distinct external representations into a single internal value. This gap is called out in §3 and explicitly left as a non-goal in §4 because coercion safety is domain-specific and often undecidable from syntax alone. The residual risk is silent semantic corruption of tier-classified data even when boundary declarations, taint propagation, and pattern rules all pass. Compensating controls: boundary-contract review that names coercion-sensitive fields, domain-specific validators, targeted corpus specimens in bindings that choose to model common coercion hazards, and explicit governance acknowledgement that some semantic losses remain outside framework scope.

17. Polyglot/projection coherence drift. Polyglot deployments rely on a shared manifest (§14) while allowing per-binding canonical forms, per-binding fingerprint baselines, and different implementation depths across scanners. This creates two related residual risks. First, bindings may make inconsistent practical decisions about the same shared policy surface — for example, one binding may treat a shared database artefact as effectively Tier 2 in code generation and governance workflows while another enforces it as Tier 3, even when the logical manifest identifier is the same. Second, pre-generation context projection (§9.5) may be stale relative to the current manifest or derived taint state: the declaration can be correct, but the projection delivered to an LLM may reflect a previous commit or analysis run and therefore steer generation toward code that is compliant with yesterday's policy rather than today's. The wardline.projectionCurrency property and shared manifest identifiers reduce this risk, but they do not eliminate it. Compensating controls: per-binding review of shared manifest interpretations, explicit cross-binding governance for shared resources, projection currency tracking and staleness checks, and treating stale or cross-binding-divergent projections as advisory context that requires human review rather than trusted policy truth.