# Runtime Reconciliation + Stale Artifact Policy

Runtime reconciliation is a read-only Runtime Core responsibility. It
normalizes historical runtime artifacts for operator visibility, scorecard,
doctor, and carry-forward interpretation. It does not execute dispatcher
actions, retry commits, resolve approvals, restart services, or mutate
authority state.

## Canonical States

- `healthy`: current state is complete and non-actionable.
- `stale`: an unexecuted approval or runtime artifact is no longer safe to
  execute without fresh approval.
- `superseded`: a newer decision or artifact replaces the older one.
- `consumed`: an approved action has executed or is otherwise complete.
- `retry_succeeded`: a failure was recorded before a later success for the
  same action/question. Treat it as non-actionable success, but keep it visible
  as audit evidence.
- `partially_failed`: a failure exists with no later success.
- `unresolved`: an actionable item remains open.
- `blocked`: the artifact requires operator or authority-owner intervention.
- `ignored`: explicitly ignored audit state.
- `resolved_stale`: stale state was reviewed and resolved as audit-only.
- `inconsistent`: records disagree in a way that must stay operator-visible.
- `advisory_only`: visible for audit but not blocking.

## Stale Artifact Policy

Stale approvals are not actionable by default. They require fresh approval
before execution unless the canonical approved-action record is already
`executed`, `resolved_stale`, `ignored`, or `superseded`.

Dispatcher failures followed by a later success for the same question/action are
classified as `retry_succeeded`. This is benign for actionability, but remains
operator-visible and keeps `cfd-0001` visible until `close_commit` idempotency is
actually fixed.

Dispatcher failures without a later success are `partially_failed` or
`inconsistent` and remain blocking/operator-visible. Runtime Core must not
retry them automatically.

Transient probe failures, including scorecard timing thresholds that pass on a
later retry, are `advisory_only`/`retry_succeeded`; unresolved probe failures
remain visible until rerun or inspected.

Duplicate dispatcher timeline events are audit evidence. They are not
actionable by themselves when a later success exists, but they contribute to
`retry_succeeded` visibility.
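
The rules above can be expressed as pure functions over historical records. The following is an added example, not Runtime Core's own code: the event fields (`eventId`, `seq`, `outcome`), the `stale` flag, the function names, and the rule that separates `inconsistent` from `partially_failed` are assumptions made for illustration.

```javascript
// Record statuses that exempt a stale approval from needing fresh approval.
const SETTLED = new Set(['executed', 'resolved_stale', 'ignored', 'superseded']);

// True when a stale approval needs fresh approval before it may execute.
function requiresFreshApproval(approval, recordStatus) {
  return approval.stale === true && !SETTLED.has(recordStatus);
}

// Classify one action's dispatcher timeline. Read-only: the input is copied,
// nothing is retried, and the result is a report, not a command.
function classifyTimeline(events) {
  const seen = new Set();
  const unique = [];
  let duplicates = 0;
  for (const e of [...events].sort((a, b) => a.seq - b.seq)) {
    if (seen.has(e.eventId)) { duplicates += 1; continue; } // audit evidence only
    seen.add(e.eventId);
    unique.push(e);
  }
  const failures = unique.filter((e) => e.outcome === 'failure');
  const successes = unique.filter((e) => e.outcome === 'success');
  const evidence = { failures: failures.length, duplicates };
  if (failures.length === 0) return null; // no failure recorded: outside these rules
  const lastFailure = failures[failures.length - 1];
  if (successes.some((s) => s.seq > lastFailure.seq)) {
    return { state: 'retry_succeeded', blocking: false, operatorVisible: true, evidence };
  }
  // Assumption: an earlier success contradicted by a later failure is reported
  // as `inconsistent`; the policy does not say how the two states are told apart.
  const state = successes.length > 0 ? 'inconsistent' : 'partially_failed';
  return { state, blocking: true, operatorVisible: true, evidence };
}

// Constructed sample: one failure, a duplicate of that record, then a success.
const SAMPLE = [
  { eventId: 'e1', seq: 1, outcome: 'failure' },
  { eventId: 'e1', seq: 1, outcome: 'failure' },
  { eventId: 'e2', seq: 2, outcome: 'success' },
];
console.log(classifyTimeline(SAMPLE), requiresFreshApproval({ stale: true }, 'pending'));
```

The duplicate record does not change the state, but it is carried in `evidence` so the `retry_succeeded` result stays auditable.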

## Authority Boundaries

Runtime Core reconciliation methods are read-only:

- `runtime.reconciliationSummary`
- `runtime.staleArtifacts`
- `runtime.inconsistencies`
- `dispatcher.reconcile`
- `approvals.reconcile`
- `runtime.transientState`
- `runtime.retrySucceeded`

Mutation remains with the existing authority owners:

- approved-action dispatcher owns approved execution.
- operator daemon owns trusted local actions.
- runtime supervisor owns service restarts.
- lifecycle tooling owns lifecycle authority transitions.
- operator-question tools own explicit stale resolution.
