Skip to content
Academy
0/19

Routes

On this page

Auditable architecture · Unit 5 of 8

Booting with warnings: accepted risks

bootable_with_warnings exists on purpose: every required dependency closes, but the graph carries warnings — suggested capabilities without providers, or surfaces with declared caveats. The host can boot with the trade-offs made explicit (MILPA_BOOTABLE_WITH_WARNINGS): each warning is reviewed or recorded as an accepted risk; none is erased.

Intermediate to senior30 min

By the end, you'll be able to

  • Read bootable_with_warnings as a deliberate state of the traffic light
  • Accept a risk with a reason, an expiry and a clock

Understand

bootable_with_warnings exists on purpose: every required dependency closes, but the graph carries warnings — suggested capabilities without providers, or surfaces with declared caveats. The host can boot with the trade-offs made explicit (MILPA_BOOTABLE_WITH_WARNINGS): each warning is reviewed or recorded as an accepted risk; none is erased.

Accepting a risk demands a reason — accepting without saying why silences it, and a silenced warning is exactly what acceptedRisks exists to prevent — and it may carry an expiry. But the resolver is pure and never reads the wall clock: the caller supplies evaluatedAt. An expiry that runs without a clock is MILPA_RISK_EXPIRY_UNEVALUATED: a risk you think is bounded but nobody is enforcing.

Suggested means optional: a suggested capability with no provider doesn't block the graph (MILPA_SUGGESTED_CAPABILITY_MISSING); the fallback path applies and the message names where the runtime degrades to, so the absent behaviour stays visible instead of vanishing.

See

Operate the gate

Accepting a risk is a decision with an actor, a reason and context: the gate shows how such a decision stays auditable instead of becoming an invisible shortcut.

Do

Run the practice in your checkout and keep the output as evidence.

terminal
$php coa coa:inspect architecture

Verify

Show that you can apply the unit. Progress only advances once you pass the assessment.

Criteria assessed

  • Tell a reviewable warning apart from a risk accepted with a reason.
  • Explain why an expiry without evaluatedAt isn't bounding anything.

Graded assessment

Solve the 3 scenarios. This unit requires 3 of 3 correct answers.

0 attempts
Question 1 of 3Every required dependency closes, but two suggested capabilities have no provider. Which status applies and what does it imply?
Question 2 of 3The profile accepts a risk with its reason and expires: "2026-09-01", but the resolution runs without evaluatedAt. What should the resolver do?
Question 3 of 3The suggested cache capability has no provider and its record declares a fallback. Which behavior is correct?

Grading validates answers in this browser; it doesn't certify identity.

Primary sources

Content verified: 2026-07-12