diff --git a/.console/log.md b/.console/log.md
index 4eba0ca..69f77c5 100644
--- a/.console/log.md
+++ b/.console/log.md
@@ -1,5 +1,12 @@
 # Log
 
+## 2026-06-04 — Enforce-only console reconciliation: flip reconcile_enforce
+
+.console is already clean and under budget (log < 400 lines, no scrub-target
+leak; `cl reconcile check` GREEN). Added `audit.reconcile_enforce: true` to
+.custodian/config.yaml so R1/R2 fail-closed here. Custodian audit gains no
+R1/R2 findings; all 66 tests pass.
+
 ## 2026-05-21 — Add closing console-context fence to CLAUDE.md
 
 Added <!-- /console-context --> end marker so OperatorConsole only
diff --git a/.custodian/config.yaml b/.custodian/config.yaml
index 8643ebd..8d5c523 100644
--- a/.custodian/config.yaml
+++ b/.custodian/config.yaml
@@ -16,6 +16,10 @@ privacy:
 # Audit: per-detector exclusions and tuning
 # ---------------------------------------------------------------------------
 audit:
+  # R1/R2 (.console reconciliation gate) are opt-in. This repo is reconciled and
+  # scrub-clean (log under budget, no private-name leak), so it enforces them.
+  reconcile_enforce: true
+
   cross_repo:
     platform_manifest_repo: ../PlatformManifest