Kashi · Folder 60 · Stage-2 Closure
All 18 prompts are merged to main. Then an adversarial audit tried to break the merged code. It found four things worth fixing. All four are now fixed and on main.
Adversarial conformance + safety audit (12 agents, find→refute)
0 blocking · 4 major
No live leaks, no unsafe-shipping holes, no RBAC or cross-tenant gaps. The four majors were real hardening gaps — all closed, with regression tests that bite.
What the audit caught — and how it's fixed
The privacy filters strip unsafe field names, but not unsafe values. If an admin named a meeting type with someone's name, that name would echo verbatim into the simulator's aggregate output and the worker notice.
Fixed at the root: the policy now refuses to save a meeting-type or detector that isn't in Kashi's known list (without ever echoing the offending name), and the simulator additionally relabels any unknown one as "Other meeting type." Two new tests inject a fake PII name and prove it's blocked and never echoed.
The "this is not an employment decision / not a finding / floors unchanged" confirmations were enforced in the UI but never re-checked on the server — so a direct API call could publish without them. This is the exact pattern that bit us on 2026-06-06.
Fixed: the server now requires all three confirmations and blocks the publish if any is missing. The browser sends them; the API is the source of truth.
The scanner that bans surveillance/scoring/harassment language allowed a forbidden phrase if any nearby sentence contained a negation — so an overclaim sitting next to an unrelated "Kashi does not…" bullet could slip through.
Fixed: the negation now has to be in the same sentence as the phrase, plus a mutation test that proves a neighbour's negation no longer launders an overclaim.
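The same-sentence rule and its mutation case, as an added example that is not Kashi's own scanner: the phrase list, negation cues and function names are assumptions made for illustration. The neighbour-window variant reproduces the flaw described above so the two results can be compared.

```javascript
// Added example. Phrase list and negation cues are constructed, not Kashi's.
const FORBIDDEN = ["tracks employees", "scores workers"];
const NEGATION = /\b(?:not|never|no|cannot|doesn't|don't|won't)\b/i;

// Split on sentence-ending punctuation or line breaks, so every bullet is
// its own unit and cannot lend its negation to a neighbour.
function splitSentences(text) {
  return text
    .split(/(?<=[.!?])\s+|\n+/)
    .map((s) => s.trim())
    .filter(Boolean);
}

// Fixed rule: a forbidden phrase passes only if its own sentence negates it.
function scanCopy(text) {
  const violations = [];
  for (const sentence of splitSentences(text)) {
    for (const phrase of FORBIDDEN) {
      if (sentence.toLowerCase().includes(phrase) && !NEGATION.test(sentence)) {
        violations.push({ phrase, sentence });
      }
    }
  }
  return violations;
}

// Flawed rule, kept for contrast: a negation in an adjacent sentence also clears it.
function scanCopyNeighbourWindow(text) {
  const sentences = splitSentences(text);
  const violations = [];
  sentences.forEach((sentence, i) => {
    const nearby = sentences.slice(Math.max(0, i - 1), i + 2).join(" ");
    for (const phrase of FORBIDDEN) {
      if (sentence.toLowerCase().includes(phrase) && !NEGATION.test(nearby)) {
        violations.push({ phrase, sentence });
      }
    }
  });
  return violations;
}

// Constructed mutation case: an overclaim placed beside an unrelated negated bullet.
const MUTANT = "Kashi does not read private messages.\nKashi tracks employees across meetings.";
console.log(scanCopy(MUTANT).length, scanCopyNeighbourWindow(MUTANT).length); // 1 0
```

A regression test built on this pattern should assert both directions: the overclaim is flagged under the fixed rule, and a sentence that negates its own phrase still passes.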
Five configuration screens that are fully built were hardcoded to display "not started" in the console navigation — honest in the wrong direction.
Fixed: built screens now read "complete"; only the genuinely-unbuilt audit viewer stays "not started." The honesty test now checks both directions.
Where everything stands
| F60 console (P01–P18) | merged to main — #486–#501 |
| Stage-2 fix batch | merged to main — #502 |
| Database schema 0050 | applied (production) |
| main CI | green (full suite + build) |
| User-facing impact | none yet — push ≠ deploy, nothing is live |
| Migration 0051 (binding cols) | your dashboard apply — inert until wiring, no rush |
| Activation PR (live binding + pause) | future, gated — built behind a signed eval diff + adversarial gate |
| Deploy | your call — manual cf:deploy |
| F55–F59 six-folder re-audit | deferred — long-stable, already Pass-1'd (token-aware) |
Audit method: 6 surface auditors × find → 6 verifiers × refute; every finding re-checked against real code, every fix regression-tested.
Sign-off packet: F60_SIGNOFF_PACKET
Prepared by Claude · 2026-06-12 · for Justine.