@windyroad/architect 0.15.1 → 0.15.2-preview.581

package/.claude-plugin/plugin.json

@@ -123,5 +123,5 @@
     }
   },
   "name": "wr-architect",
-  "version": "0.15.1"
+  "version": "0.15.2"
 }

package/hooks/architect-mark-reviewed.sh

@@ -41,29 +41,32 @@ case "$SUBAGENT" in
       VERDICT="FAIL"
     fi
 
+    # Substance-aware drift hash + atomic verdict-write (ADR-009 amendment
+    # 2026-06-06). The marker + hash file are written as an atomic pair via
+    # `_atomic_mark_with_hash` so a PASS never silently fails to persist
+    # (closes the "marker doesn't land after PASS" failure mode P353
+    # measured as ~12 subagent invocations + 3 BYPASS_RISK_GATE=1 uses
+    # per 3-filing session).
+    MARKER="/tmp/architect-reviewed-${SESSION_ID}"
     case "$VERDICT" in
-      PASS)
-        touch "/tmp/architect-reviewed-${SESSION_ID}"
+      PASS|"")
+        # PASS or unparseable verdict — allow with marker (the empty case
+        # preserves the pre-amendment "could not parse verdict" backward-
+        # compat allow-with-marker behaviour to avoid lockout).
+        if [ -d "$PROJECT_DIR/docs/decisions" ]; then
+          HASH=$(_substance_hash_path "$PROJECT_DIR/docs/decisions")
+        else
+          HASH="none"
+        fi
+        if ! _atomic_mark_with_hash "$MARKER" "$HASH"; then
+          echo "WARN: architect-mark-reviewed atomic marker-write failed for ${MARKER}" >&2
+        fi
         ;;
       FAIL)
         # Do NOT create marker — review found issues
         ;;
-      *)
-        # Could not parse verdict — allow with marker to avoid lockout
-        touch "/tmp/architect-reviewed-${SESSION_ID}"
-        ;;
     esac
 
-    # Store decision hash for drift detection
-    if [ -f "/tmp/architect-reviewed-${SESSION_ID}" ]; then
-      if [ -d "$PROJECT_DIR/docs/decisions" ]; then
-        HASH=$(find "$PROJECT_DIR/docs/decisions" -name '*.md' -not -name 'README.md' -print0 | sort -z | xargs -0 cat 2>/dev/null | _hashcmd | cut -d' ' -f1)
-      else
-        HASH="none"
-      fi
-      echo "$HASH" > "/tmp/architect-reviewed-${SESSION_ID}.hash"
-    fi
-
     # Plan review marker
     touch "/tmp/architect-plan-reviewed-${SESSION_ID}"
     ;;

package/hooks/architect-refresh-hash.sh

@@ -4,8 +4,8 @@
 # This prevents drift detection from invalidating the marker when creating
 # new decision files that the architect just approved.
 
-# Portable hash: tries md5sum, falls back to md5 -r, then shasum
-_hashcmd() { md5sum 2>/dev/null || md5 -r 2>/dev/null || shasum 2>/dev/null; }
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/lib/gate-helpers.sh"
 
 # P191 Phase 2: anchor docs/decisions on the project root, not the hook's
 # runtime CWD (see architect-enforce-edit.sh). The refreshed hash must match
@@ -33,14 +33,24 @@ esac
 MARKER="/tmp/architect-reviewed-${SESSION_ID}"
 HASH_FILE="/tmp/architect-reviewed-${SESSION_ID}.hash"
 
-# Only refresh if a valid marker exists
+# Only refresh if a valid marker exists. Uses substance-aware hash
+# (ADR-009 amendment 2026-06-06) and atomic-rename write (mktemp + mv).
 if [ -f "$MARKER" ] && [ -f "$HASH_FILE" ]; then
   if [ -d "$PROJECT_DIR/docs/decisions" ]; then
-    HASH=$(find "$PROJECT_DIR/docs/decisions" -name '*.md' -not -name 'README.md' -print0 | sort -z | xargs -0 cat 2>/dev/null | _hashcmd | cut -d' ' -f1)
+    HASH=$(_substance_hash_path "$PROJECT_DIR/docs/decisions")
   else
     HASH="none"
   fi
-  echo "$HASH" > "$HASH_FILE"
+  htmp="${HASH_FILE}.tmp.$$.${RANDOM:-0}"
+  if printf '%s\n' "$HASH" > "$htmp" 2>/dev/null; then
+    if ! mv -f "$htmp" "$HASH_FILE" 2>/dev/null; then
+      rm -f "$htmp"
+      echo "WARN: architect-refresh-hash atomic rename failed for ${HASH_FILE}" >&2
+    fi
+  else
+    rm -f "$htmp"
+    echo "WARN: architect-refresh-hash tempfile write failed for ${HASH_FILE}" >&2
+  fi
 fi
 
 exit 0

package/hooks/lib/architect-gate.sh

@@ -22,13 +22,17 @@ check_architect_gate() {
     local MARKER_TIME=$(_mtime "$MARKER")
     local AGE=$(( NOW - MARKER_TIME ))
     if [ "$AGE" -lt "$TTL_SECONDS" ]; then
-      # TTL still valid -- check for decision drift
+      # TTL still valid -- check for decision drift via substance-aware hash
+      # (ADR-009 amendment 2026-06-06: trivial whitespace / line-ending /
+      # trailing-newline edits do NOT trigger drift; substantive policy
+      # changes DO. Conservative boundary — ambiguous edits stay
+      # substantive. See gate-helpers.sh::_substance_hash_path).
       local HASH_FILE="/tmp/architect-reviewed-${SESSION_ID}.hash"
       if [ -f "$HASH_FILE" ]; then
         local STORED=$(cat "$HASH_FILE")
         local CURRENT
         if [ -d "$PROJECT_DIR/docs/decisions" ]; then
-          CURRENT=$(find "$PROJECT_DIR/docs/decisions" -name '*.md' -not -name 'README.md' -print0 | sort -z | xargs -0 cat 2>/dev/null | _hashcmd | cut -d' ' -f1)
+          CURRENT=$(_substance_hash_path "$PROJECT_DIR/docs/decisions")
         else
           CURRENT="none"
         fi

package/hooks/lib/gate-helpers.sh

@@ -13,6 +13,111 @@ _mtime() { stat -c%Y "$1" 2>/dev/null || /usr/bin/stat -f%m "$1" 2>/dev/null ||
 # Portable hash: tries md5sum, falls back to md5 -r, then shasum
 _hashcmd() { md5sum 2>/dev/null || md5 -r 2>/dev/null || shasum 2>/dev/null; }
 
+# ---------------------------------------------------------------------------
+# Substance-aware drift hash + atomic verdict-write (ADR-009 amendment
+# 2026-06-06, P353 + P303 close).
+#
+# `_substance_hash_path` normalises trivial/no-op edits BEFORE hashing so a
+# PASS marker survives whitespace / CRLF / trailing-newline edits while still
+# detecting substantive policy changes. Conservative boundary: when in doubt
+# whether an edit is trivial vs substantive, this helper treats it as
+# substantive (re-review fires). Only whitespace + line-ending + trailing-
+# newline are normalised in this iteration — single-numeral edits and
+# frontmatter-key changes are intentionally NOT normalised. See ADR-009
+# 2026-06-06 amendment for the ratified contract.
+#
+# `_atomic_mark_with_hash` writes the marker + hash file as an atomic pair
+# (mktemp + mv) so a PASS NEVER silently fails to persist (the empirically-
+# measured P353 failure mode that forced BYPASS_RISK_GATE=1 on every
+# external-comms gate clearance). Either both files land, or neither does.
+# Non-zero exit on failure so callers can emit a diagnostic.
+# ---------------------------------------------------------------------------
+
+# Substance-aware hash of a file or directory path.
+# For directories: hashes the concatenated content of all *.md files
+# (excluding README.md) in sorted order.
+# For files: hashes the file content.
+# Normalisation BEFORE hashing: CRLF → LF, strip trailing whitespace per
+# line, normalise trailing whitespace to a single \n.
+# Echoes "missing" for paths that do not exist (drop-in equivalence with the
+# pre-amendment `cat | _hashcmd | cut -d' ' -f1` site behaviour).
+# Echoes a hex sha256 of the normalised content on success.
+_substance_hash_path() {
+    local path="$1"
+    if [ -z "$path" ]; then
+        echo "missing"
+        return 0
+    fi
+    if [ -f "$path" ]; then
+        cat "$path" 2>/dev/null | _substance_normalize_then_hash
+    elif [ -d "$path" ]; then
+        find "$path" -name '*.md' -not -name 'README.md' -print0 \
+            | sort -z \
+            | xargs -0 cat 2>/dev/null \
+            | _substance_normalize_then_hash
+    else
+        echo "missing"
+    fi
+}
+
+# Internal: reads from stdin, normalises whitespace + line endings, emits a
+# hex sha256 of the normalised content. Conservative boundary documented in
+# ADR-009 2026-06-06 amendment: ambiguous edits stay substantive.
+_substance_normalize_then_hash() {
+    python3 -c "
+import sys, hashlib
+data = sys.stdin.buffer.read().decode('utf-8', errors='replace')
+# CRLF / CR -> LF
+data = data.replace('\r\n', '\n').replace('\r', '\n')
+# Strip trailing whitespace per line.
+lines = [line.rstrip() for line in data.split('\n')]
+# Re-join and normalise trailing whitespace to a single \n.
+normalised = '\n'.join(lines).rstrip() + '\n'
+print(hashlib.sha256(normalised.encode('utf-8')).hexdigest())
+" 2>/dev/null || echo "missing"
+}
+
+# Atomically write a presence marker + its paired hash file. Either both
+# files land or neither does. Returns 0 on success, 1 on failure. On failure
+# any partial state is rolled back.
+# Usage: _atomic_mark_with_hash "/tmp/architect-reviewed-${SID}" "$HASH"
+_atomic_mark_with_hash() {
+    local marker="$1"
+    local hash="$2"
+    local hash_file="${marker}.hash"
+
+    if [ -z "$marker" ]; then
+        return 1
+    fi
+
+    local htmp="${hash_file}.tmp.$$.${RANDOM:-0}"
+    local mtmp="${marker}.tmp.$$.${RANDOM:-0}"
+
+    # Write hash to tempfile.
+    if ! printf '%s\n' "$hash" > "$htmp" 2>/dev/null; then
+        rm -f "$htmp"
+        return 1
+    fi
+    # Write empty marker to tempfile.
+    if ! : > "$mtmp" 2>/dev/null; then
+        rm -f "$htmp" "$mtmp"
+        return 1
+    fi
+    # Atomic rename: hash file first.
+    if ! mv -f "$htmp" "$hash_file" 2>/dev/null; then
+        rm -f "$htmp" "$mtmp"
+        return 1
+    fi
+    # Atomic rename: marker second. If this fails, roll back the hash file
+    # so we never observe a hash-without-marker half-state.
+    if ! mv -f "$mtmp" "$marker" 2>/dev/null; then
+        rm -f "$mtmp"
+        rm -f "$hash_file"
+        return 1
+    fi
+    return 0
+}
+
 # Paths excluded from pipeline state hashing and docs-only detection.
 _doc_exclusions() {
     echo ':!docs/' ':!.risk-reports/' ':!.changeset/' ':!governance/' ':!.claude/plans/' ':!CLAUDE.md' ':!AGENTS.md' ':!PRINCIPLES.md' ':!DECISION-MANAGEMENT.md' ':!AGENTIC_RISK_REGISTER.md' ':!PROBLEM-MANAGEMENT.md'

package/hooks/test/substance-aware-drift.bats

@@ -0,0 +1,243 @@
+#!/usr/bin/env bats
+
+# Behavioural tests for ADR-009 amendment 2026-06-06: substance-aware drift +
+# atomic verdict-write. Closes P353 (hash-marker brittleness umbrella) +
+# P303 (architect-gate multi-ADR deadlock drift-relock facet).
+#
+# Cases ratified by the user 2026-06-06:
+#   (a) Trivial edit (whitespace, CRLF, trailing newline) does NOT re-trigger.
+#   (b) Substantive edit (new content, changed line) DOES re-trigger.
+#   (c) Atomic write — marker + hash file land together on PASS, with the
+#       marker's mtime current and the hash file's content equal to the
+#       substance hash of the policy content.
+#   (d) Conservative fallback — semantic edits beyond the documented
+#       whitespace normalisation (e.g. single-numeral change) ARE treated as
+#       substantive (re-review fires).
+
+setup() {
+  SCRIPT_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")/.." && pwd)"
+  source "$SCRIPT_DIR/lib/gate-helpers.sh"
+  source "$SCRIPT_DIR/lib/architect-gate.sh"
+
+  TEST_SESSION="bats-arch-substance-$$-${BATS_TEST_NUMBER}"
+  TEST_DIR=$(mktemp -d -t substance-aware-drift.XXXXXX)
+  mkdir -p "$TEST_DIR/docs/decisions"
+  CLAUDE_PROJECT_DIR="$TEST_DIR"
+  export CLAUDE_PROJECT_DIR
+
+  MARKER="/tmp/architect-reviewed-${TEST_SESSION}"
+  HASH_FILE="${MARKER}.hash"
+  rm -f "$MARKER" "$HASH_FILE"
+}
+
+teardown() {
+  rm -f "$MARKER" "$HASH_FILE"
+  rm -rf "$TEST_DIR"
+}
+
+# Helper: install ADR content, then store the substance hash + marker as the
+# architect-mark-reviewed.sh PASS path would.
+_install_and_mark() {
+  local body="$1"
+  printf '%s' "$body" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+  local hash
+  hash=$(_substance_hash_path "$TEST_DIR/docs/decisions")
+  _atomic_mark_with_hash "$MARKER" "$hash"
+}
+
+# ---------------------------------------------------------------------------
+# Case (a) — trivial whitespace / line-ending edits do NOT re-trigger
+# ---------------------------------------------------------------------------
+
+@test "substance-aware: trailing-whitespace edit does NOT re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+A line of policy content.
+"
+  # Add trailing spaces to the same line.
+  printf '%s' "# ADR-123
+
+A line of policy content.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -eq 0 ]
+  [ -f "$MARKER" ]
+  [ -f "$HASH_FILE" ]
+}
+
+@test "substance-aware: CRLF→LF edit does NOT re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+A line of policy content.
+"
+  # Convert the same content to CRLF line endings.
+  printf '# ADR-123\r\n\r\nA line of policy content.\r\n' \
+    > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -eq 0 ]
+  [ -f "$MARKER" ]
+}
+
+@test "substance-aware: extra trailing newlines do NOT re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+A line of policy content.
+"
+  # Add multiple trailing newlines.
+  printf '%s' "# ADR-123
+
+A line of policy content.
+
+
+
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -eq 0 ]
+  [ -f "$MARKER" ]
+}
+
+# ---------------------------------------------------------------------------
+# Case (b) — substantive content edits DO re-trigger
+# ---------------------------------------------------------------------------
+
+@test "substance-aware: new-word edit DOES re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+A line of policy content.
+"
+  # Real content change.
+  printf '%s' "# ADR-123
+
+A different line of policy content.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -ne 0 ]
+  [ ! -f "$MARKER" ]
+  [ ! -f "$HASH_FILE" ]
+}
+
+@test "substance-aware: added-paragraph edit DOES re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+A line of policy content.
+"
+  printf '%s' "# ADR-123
+
+A line of policy content.
+
+A whole new paragraph of substantive change.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -ne 0 ]
+  [ ! -f "$MARKER" ]
+}
+
+@test "substance-aware: new file in docs/decisions DOES re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+Content.
+"
+  # Adding a NEW ADR file is a substantive change.
+  printf '%s' "# ADR-124
+
+New ADR content.
+" > "$TEST_DIR/docs/decisions/124-new.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -ne 0 ]
+  [ ! -f "$MARKER" ]
+}
+
+# ---------------------------------------------------------------------------
+# Case (c) — atomic write persists the PASS marker reliably
+# ---------------------------------------------------------------------------
+
+@test "atomic-write: PASS write lands marker + hash together" {
+  printf '%s' "# ADR-123
+
+Policy content.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+  local hash
+  hash=$(_substance_hash_path "$TEST_DIR/docs/decisions")
+
+  run _atomic_mark_with_hash "$MARKER" "$hash"
+  [ "$status" -eq 0 ]
+  [ -f "$MARKER" ]
+  [ -f "$HASH_FILE" ]
+  # The stored hash equals the substance hash of the policy content.
+  [ "$(cat "$HASH_FILE")" = "$hash" ]
+}
+
+@test "atomic-write: failed hash-write leaves neither file (no half-state)" {
+  # Point the marker into a non-existent directory to force mv failure.
+  local bad_marker="/tmp/does-not-exist-bats-$$/architect-reviewed-${TEST_SESSION}"
+  run _atomic_mark_with_hash "$bad_marker" "deadbeef"
+  [ "$status" -ne 0 ]
+  [ ! -f "$bad_marker" ]
+  [ ! -f "${bad_marker}.hash" ]
+}
+
+@test "atomic-write: PASS write enables a subsequent gate check to allow" {
+  printf '%s' "# ADR-123
+
+Policy content.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+  local hash
+  hash=$(_substance_hash_path "$TEST_DIR/docs/decisions")
+  _atomic_mark_with_hash "$MARKER" "$hash"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -eq 0 ]
+}
+
+# ---------------------------------------------------------------------------
+# Case (d) — conservative boundary: semantic edits beyond whitespace
+# normalisation ARE treated as substantive
+# ---------------------------------------------------------------------------
+
+@test "conservative: single-numeral change DOES re-trigger drift" {
+  _install_and_mark "# ADR-123
+
+Threshold is 5 minutes.
+"
+  # A single-numeral change is semantic — conservative boundary re-reviews.
+  printf '%s' "# ADR-123
+
+Threshold is 6 minutes.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -ne 0 ]
+  [ ! -f "$MARKER" ]
+}
+
+@test "conservative: frontmatter-key change DOES re-trigger drift" {
+  _install_and_mark "---
+status: proposed
+date: 2026-06-06
+---
+
+# ADR-123
+
+Body.
+"
+  # Frontmatter date bump — conservative boundary re-reviews.
+  printf '%s' "---
+status: proposed
+date: 2026-06-07
+---
+
+# ADR-123
+
+Body.
+" > "$TEST_DIR/docs/decisions/123-test.proposed.md"
+
+  run check_architect_gate "$TEST_SESSION"
+  [ "$status" -ne 0 ]
+  [ ! -f "$MARKER" ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/architect",
-  "version": "0.15.1",
+  "version": "0.15.2-preview.581",
   "description": "Architecture decision enforcement for AI coding agents",
   "bin": {
     "windyroad-architect": "./bin/install.mjs"

package/skills/create-adr/SKILL.md

@@ -85,6 +85,8 @@ Before writing the ADR file, perform a decision-boundary analysis on the gathere
 
 **Non-interactive fallback**: When `AskUserQuestion` is unavailable (e.g., non-interactive/AFK mode), automatically split into separate ADRs with consecutive IDs and note the auto-split in output. Do not block creation.
 
+**ADR-013 Rule 6 carve-out audit (P352, 2026-06-06 amendment)**: the universal AFK default is **queue-and-continue**; this site is a documented **AUTO-DEFAULT** carve-out. Authorising principle: policy-authorised safe default per ADR-044 category 4 (silent framework). Splitting is fully reversible (manual combine via supersession), the framework's WSJF / lifecycle model rewards explicit per-decision ranking, and "split when in doubt" is the persona-correct safe heuristic for JTBD-006 (the loop progresses; over-splits are cheap to combine; halt would cost more loop throughput than the over-split risk). Note: the Step 5 substance-confirm HALT below is a separate carve-out authorised by ADR-074 — substance-confirm cannot AUTO-DEFAULT because the dependent work (Decision Outcome / Consequences / Confirmation / Pros and Cons drafting) is built ON the chosen option.
+
 **Split implementation**: When splitting, assign consecutive IDs. Cross-reference each ADR in the other's Related section or as a linked decision in the consequences.
 
 **Scope**: Scoped to new ADR creation only (steps 2–5). Does not apply to supersession handling (step 6), where the scope of the new decision is already known and bounded.
@@ -238,6 +240,8 @@ oversight-date: YYYY-MM-DD   # today
 
 The `wr-architect-mark-oversight-confirmed` call writes the session-scoped evidence marker (`/tmp/oversight-confirmed-<sha>-<sid>`) that the `architect-oversight-marker-discipline.sh` PreToolUse hook reads to authorise the subsequent Edit/Write — without the helper call, the hook will DENY the marker write. AFK iter subprocesses spawned via `claude -p` have no `AskUserQuestion` access; they MUST write `human-oversight: unconfirmed` instead (the AFK fallback enum value codified in ADR-066 amendment 2026-06-02), which the drain (`/wr-architect:review-decisions`) later promotes interactively. Calling the helper without a real user substance-confirm event is the P348 hollow-marker bug — every legitimate marker write traces back to an `AskUserQuestion` answer in the same turn.
 
+**ADR-013 Rule 6 carve-out audit (P352, 2026-06-06 amendment)**: the universal AFK default is queue-and-continue. This Step 5 substance-confirm HALT-and-write-`human-oversight: unconfirmed` shape is a documented carve-out, authorised by **ADR-074** (Confirm decision substance before building dependent work). Rationale: an ADR with `human-oversight: confirmed` enters the world born-confirmed (it does not appear in `/wr-architect:review-decisions`' unoversighted set), so dependent work — every implementation that cites this ADR as authority — would be built on substance that was never user-affirmed. AFK writing `human-oversight: unconfirmed` IS the queue-and-continue shape: the loop continues; the substance-confirm decision is queued to the next interactive drain. Persona-correct for JTBD-006 ("queued for my return, not guessed at"); the carve-out is from the auto-confirm shape, not from queue-and-continue itself.
+
 **Mismatch handling.** If the substance-confirm answer selects a DIFFERENT option than the draft was authored against:
 
 - DO NOT write the marker.

package/skills/review-decisions/SKILL.md

@@ -59,6 +59,8 @@ For each ADR in the ordered queue, surface the decision as an `AskUserQuestion`
 
 The trailing clause exists for cross-reference value — it is optional, NOT a re-entry point for meta-leading. When the meta does not add load-bearing context for the confirm decision, omit it entirely.
 
+**Brief-before-ID discipline (P350).** The `question` and `options` text MUST inline what each referenced artefact is and what is at stake before naming it by ID. `ADR-NNN` / `P-NNN` / `JTBD-NNN` / `RFC-NNN` references are audit-trail annotations, NEVER carriers of meaning — the user reads this prompt without project filesystem access (mobile clients, accessibility tooling, notification surfaces) and cannot follow links. Acceptable: *"This ADR decides: five per-tool-call hook patterns + their budget bands (sibling of the UserPromptSubmit-pattern decision and the SessionStart-pattern decision)."* Unacceptable: *"This ADR decides: 5 patterns; sibling to ADR-038 and ADR-040."* The trailing parenthetical IDs are permitted ONLY after a self-contained explanation, never as the explanation itself. Mirrors the canonical `/wr-architect:create-adr` Step 5 § 5a Rule 3 ("No IDs as explainers"). See also session memory `feedback_brief_before_id.md`.
+
 This is a genuine human-decision surface (the whole point of P283) — `AskUserQuestion` is correct here and is NOT over-asking. Do not auto-confirm; do not prose-ask.
 
 ### Step 4: Apply the outcome