@windyroad/itil 0.35.13 → 0.35.14-preview.416

package/.claude-plugin/plugin.json

@@ -484,5 +484,5 @@
     }
   },
   "name": "wr-itil",
-  "version": "0.35.13"
+  "version": "0.35.14"
 }

package/hooks/lib/create-gate.sh

@@ -52,6 +52,39 @@ mark_step2_complete() {
   : > "/tmp/manage-problem-grep-${SESSION_ID}"
 }
 
+# P260 / ADR-050 Option C: write the Step 2 grep marker under EVERY
+# candidate SID read from stdin (one UUID per line, as emitted by
+# `get_candidate_session_ids` in lib/session-id.sh).
+#
+# Under concurrent orchestrator+subprocess sessions in the same project,
+# the per-machine runtime-sid marker is last-writer-wins, so agent-side
+# code cannot reliably PREDICT which single SID the create-gate hook will
+# read from the Write's stdin (ADR-050 §Context). Marking under every recent
+# candidate guarantees a matching marker exists whichever SID the hook reads,
+# eliminating the P260 marker-mismatch deny without a process-topology
+# assumption. The candidate set is bounded to recent announce markers + the
+# runtime-sid value by `get_candidate_session_ids` (NOT a global fail-open —
+# the P119 audit invariant holds: each marker still records that THIS session
+# ran the duplicate-check grep).
+#
+# Reuses the unchanged single-SID `mark_step2_complete` per candidate (same
+# idempotent `/tmp/manage-problem-grep-${SID}` marker class — no new
+# convention). Blank/whitespace lines are skipped. Returns 0 if at least one
+# marker was written, 1 if no candidate SIDs were supplied (fail-closed
+# parity with the empty-SID single-write no-op — the subsequent Write would
+# be denied and the agent recovers by re-running Step 2).
+#
+# Usage: get_candidate_session_ids | mark_step2_complete_candidates
+mark_step2_complete_candidates() {
+  local sid count=0
+  while IFS= read -r sid; do
+    [ -n "$sid" ] || continue
+    mark_step2_complete "$sid"
+    count=$((count + 1))
+  done
+  [ "$count" -gt 0 ]
+}
+
 # Returns 0 if the RFC capture-step marker exists for SESSION_ID; 1 otherwise.
 # Empty SESSION_ID => returns 1 (no marker).
 #

package/hooks/lib/session-id.sh

@@ -153,3 +153,76 @@ get_current_session_id() {
 
   return 1
 }
+
+# P260 / ADR-050 Option C: bounded multi-UUID candidate enumeration.
+#
+# Echoes EVERY candidate session UUID — one per line, deduplicated — that
+# the create-gate hook (manage-problem-enforce-create.sh) might read from
+# the Write's stdin `session_id`. The create-gate marker-write
+# (`mark_step2_complete_candidates`, lib/create-gate.sh) writes the marker
+# under each, so whichever SID the hook reads, a matching marker provably
+# exists.
+#
+# Why enumerate instead of picking one (get_current_session_id):
+#   `/wr-itil:work-problems` Step 5 BACKGROUNDS the iter subprocess and runs
+#   the orchestrator's poll loop in the main turn, so the orchestrator's
+#   PreToolUse hooks fire CONCURRENTLY with the subprocess. Both sessions
+#   write the same per-machine runtime-sid marker (same project => same
+#   proj_hash), last-writer-wins. When the orchestrator captures a ticket
+#   while the subprocess holds the runtime-sid, `get_current_session_id`
+#   returns the SUBPROCESS SID, but the orchestrator's Write carries the
+#   ORCHESTRATOR SID on its stdin — marker mismatch, create-gate deny (P260).
+#   ADR-050 §Context establishes that no agent-side algorithm can PREDICT
+#   the right single SID from filesystem state alone. Option C stops
+#   predicting and writes under every recent candidate instead.
+#
+# Candidate set (each line is one UUID):
+#   1. `get_current_session_id`'s pick (env-var > runtime-sid > announce-
+#      marker priority). Emitting this FIRST guarantees the candidate set is
+#      never a strict subset of the prior single-SID behaviour — Option C
+#      only ADDS the concurrent-session SIDs.
+#   2. Every announce-marker UUID across ALL systems whose marker mtime is
+#      within the window (the concurrently-active sessions: orchestrator +
+#      its running subprocess(es)). Announce markers are write-once-per-
+#      session (ADR-038, no touch-refresh), so mtime is the announcing
+#      session's first-prompt timestamp — a stable bound.
+#
+# Bounding (NOT a global fail-open):
+#   The mtime window (SESSION_CANDIDATE_WINDOW_MINS, default 1440 = 24h)
+#   bounds the enumeration against the P124 stale-marker pathology (103
+#   accumulated UUIDs selecting the wrong SID). 24h comfortably covers any
+#   realistic single AFK loop while excluding multi-day marker accumulation.
+#   Extra markers under recently-stale UUIDs are HARMLESS — empty files; the
+#   hook only matches the marker equal to the Write's stdin SID. The P119
+#   audit invariant holds: every marker still records that THIS session ran
+#   the duplicate-check grep (the marker is only written because Step 2's
+#   grep provably ran this turn; widening WHICH SID files receive that proof
+#   does not weaken the proof). A loop running >24h degrades gracefully to
+#   the recoverable create-gate deny (status quo), not silent corruption.
+#
+# Test overrides: SESSION_MARKER_DIR (marker dir, default /tmp) +
+# SESSION_CANDIDATE_WINDOW_MINS (window minutes, default 1440).
+#
+# Usage:
+#   source packages/itil/hooks/lib/session-id.sh
+#   source packages/itil/hooks/lib/create-gate.sh
+#   get_candidate_session_ids | mark_step2_complete_candidates
+get_candidate_session_ids() {
+  local marker_dir="${SESSION_MARKER_DIR:-/tmp}"
+  local window_mins="${SESSION_CANDIDATE_WINDOW_MINS:-1440}"
+  {
+    # Guaranteed member: the single-SID discovery's pick. Suppress its
+    # non-zero exit (no-SID cold path) so the pipeline still emits the
+    # enumerated candidates.
+    get_current_session_id 2>/dev/null || true
+
+    # Concurrent-session SIDs: every recent announce marker across all
+    # systems, within the mtime window. `*-announced-*` is system-agnostic
+    # (picks up any present or future announcing plugin). `-maxdepth 1` and
+    # `-mmin -N` are portable across BSD (macOS) and GNU find. The sed strips
+    # the leading path then the `<system>-announced-` prefix, leaving the
+    # trailing UUID (UUIDs never contain the literal "-announced-").
+    find "$marker_dir" -maxdepth 1 -name '*-announced-*' -mmin "-${window_mins}" 2>/dev/null \
+      | sed 's|.*/||; s/.*-announced-//'
+  } | awk 'NF && !seen[$0]++'
+}

package/hooks/test/manage-problem-enforce-create.bats

@@ -345,3 +345,80 @@ teardown_other_sid_marker() {
   [ "$status" -eq 0 ]
   [[ "$output" != *"BLOCKED"* ]]
 }
+
+# --- P260: concurrent orchestrator+subprocess create-gate marker race ---
+#
+# /wr-itil:work-problems Step 5 BACKGROUNDS the iter subprocess
+# (`claude -p ... &`) and runs an idle-timeout poll loop in the
+# orchestrator's main turn, so the orchestrator fires PreToolUse hooks
+# CONCURRENTLY with the running subprocess. Both sessions write the same
+# per-machine runtime-sid marker (same project ⇒ same proj_hash),
+# last-writer-wins. When the orchestrator captures a ticket while the
+# subprocess holds the runtime-sid, the single-SID Step-2 marker-write
+# (`sid=$(get_current_session_id) && mark_step2_complete "$sid"`) lands the
+# marker under the SUBPROCESS SID, but the orchestrator's Write fires the
+# PreToolUse:Write hook whose stdin session_id is the ORCHESTRATOR SID ⇒
+# marker mismatch ⇒ deny. This was P260 (the 2026-05-18 P254/P255 foreground
+# captures). ADR-050 Option C (architect-resolved + human-confirmed
+# 2026-05-26) is the fix: the candidate-set marker-write
+# (`get_candidate_session_ids | mark_step2_complete_candidates`) writes the
+# marker under EVERY recent candidate SID, so whichever SID the hook reads,
+# a matching marker exists.
+#
+# These tests are end-to-end: they run the real agent-side marker-write
+# helpers under the concurrent fixture, then fire the real hook with the
+# orchestrator's stdin SID and assert the observable permit/deny outcome.
+
+# Build the concurrent fixture in a sandbox marker dir: orchestrator
+# announced first (older mtime), subprocess announced later (newer mtime),
+# and the subprocess clobbered the runtime-sid marker last.
+p260_setup_concurrent_fixture() {
+  P260_SANDBOX=$(mktemp -d)
+  P260_ORCH_SID="p260-orch-$$-$RANDOM"
+  P260_SUB_SID="p260-sub-$$-$RANDOM"
+  : > "$P260_SANDBOX/architect-announced-${P260_ORCH_SID}"
+  sleep 1
+  : > "$P260_SANDBOX/jtbd-announced-${P260_SUB_SID}"
+  printf '%s' "$P260_SUB_SID" > "$P260_SANDBOX/itil-runtime-sid.current"
+}
+
+p260_teardown_concurrent_fixture() {
+  rm -f "/tmp/manage-problem-grep-${P260_ORCH_SID}" \
+        "/tmp/manage-problem-grep-${P260_SUB_SID}"
+  rm -rf "$P260_SANDBOX"
+}
+
+@test "P260: candidate-set marker-write PERMITS the orchestrator Write despite runtime-sid clobbered to the subprocess SID" {
+  p260_setup_concurrent_fixture
+  # Agent-side Step 2 marker write under the FULL candidate set (Option C).
+  SESSION_MARKER_DIR="$P260_SANDBOX" bash -c "
+    source '$SCRIPT_DIR/lib/session-id.sh'
+    source '$SCRIPT_DIR/lib/create-gate.sh'
+    get_candidate_session_ids | mark_step2_complete_candidates
+  "
+  # The orchestrator's Write carries the orchestrator SID on its stdin.
+  run run_write_hook "$PWD/docs/problems/997-concurrent-capture.open.md" "$P260_ORCH_SID"
+  p260_teardown_concurrent_fixture
+  [ "$status" -eq 0 ]
+  [[ "$output" != *"BLOCKED"* ]]
+  [[ "$output" != *"\"permissionDecision\": \"deny\""* ]]
+}
+
+@test "P260 negative control: single-SID marker-write (pre-Option-C behaviour) DENIES the orchestrator Write under the same race" {
+  # Pins WHY Option C is needed: the old single-SID write lands the marker
+  # under the subprocess SID (the clobbered runtime value), so the
+  # orchestrator's Write — stdin = orchestrator SID — is denied. This is
+  # the reproduced P260 failure; the candidate-set write above is what
+  # fixes it.
+  p260_setup_concurrent_fixture
+  SESSION_MARKER_DIR="$P260_SANDBOX" bash -c "
+    source '$SCRIPT_DIR/lib/session-id.sh'
+    source '$SCRIPT_DIR/lib/create-gate.sh'
+    sid=\$(get_current_session_id) && mark_step2_complete \"\$sid\"
+  "
+  run run_write_hook "$PWD/docs/problems/996-concurrent-capture.open.md" "$P260_ORCH_SID"
+  p260_teardown_concurrent_fixture
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"\"permissionDecision\": \"deny\""* ]]
+  [[ "$output" == *"BLOCKED"* ]]
+}

package/hooks/test/session-id.bats

@@ -256,3 +256,96 @@ mark_announced() {
   [[ "$output" != *"$marker_uuid"* ]]
   [[ "$output" == *"EXIT:0"* ]]
 }
+
+# --- Behavioural contract: candidate enumeration (Option C, P260) ---
+#
+# Under concurrent orchestrator+subprocess sessions in the SAME project,
+# the per-machine runtime-sid marker is last-writer-wins, so the single-SID
+# get_current_session_id cannot reliably predict which SID the create-gate
+# hook will read from the Write's stdin (the orchestrator's Write carries
+# the orchestrator SID; the subprocess may have just clobbered the runtime
+# marker with its own SID). No agent-side algorithm can PREDICT the right
+# single SID from filesystem state alone (ADR-050 §Context). Option C stops
+# predicting: get_candidate_session_ids returns EVERY recent candidate SID
+# — the get_current_session_id pick PLUS every recent announce-marker UUID
+# across all systems within the mtime window, deduplicated — so the marker
+# can be written under all of them and a match provably exists whichever
+# SID the hook reads. Bounded by SESSION_CANDIDATE_WINDOW_MINS (24h default)
+# to avoid the P124 stale-marker pathology (103 accumulated UUIDs); NOT a
+# global fail-open (the P119 audit invariant holds: every marker still
+# records that THIS session ran the duplicate-check grep).
+#
+# Per feedback_behavioural_tests.md (P081): tests assert the emitted
+# candidate set, not the source content of the helper.
+
+# Helper: source the helper and emit the candidate SID set (one per line).
+candidates() {
+  bash -c "source '$HELPER'; get_candidate_session_ids"
+}
+
+@test "candidates: returns BOTH the orchestrator and subprocess announce-marker UUIDs" {
+  orch_uuid="aaaaaaaa-0000-1111-2222-orchestrator0"
+  sub_uuid="bbbbbbbb-0000-1111-2222-subprocess00"
+  # Orchestrator announced first (loop start); subprocess announced later
+  # (dispatched mid-loop) — the subprocess marker has the NEWER mtime,
+  # exactly the condition that made the single-SID helper pick the wrong
+  # SID and deny the orchestrator's Write (the P260 race). Candidate
+  # enumeration must surface BOTH so neither is left out of the marker set.
+  mark_announced "architect" "$orch_uuid"
+  sleep 1
+  mark_announced "jtbd" "$sub_uuid"
+  output=$(candidates)
+  [[ "$output" == *"$orch_uuid"* ]]
+  [[ "$output" == *"$sub_uuid"* ]]
+}
+
+@test "candidates: includes the runtime-sid value even when no announce marker carries it" {
+  rt_uuid="cccccccc-0000-1111-2222-runtimeonly0"
+  printf '%s' "$rt_uuid" > "$SANDBOX_TMP/itil-runtime-sid.current"
+  output=$(candidates)
+  [[ "$output" == *"$rt_uuid"* ]]
+}
+
+@test "candidates: deduplicates a SID present in both the runtime-sid marker and an announce marker" {
+  dup_uuid="dddddddd-0000-1111-2222-duplicated00"
+  printf '%s' "$dup_uuid" > "$SANDBOX_TMP/itil-runtime-sid.current"
+  mark_announced "architect" "$dup_uuid"
+  output=$(candidates)
+  # The SID must appear exactly once — not once per source.
+  count=$(printf '%s\n' "$output" | grep -c "$dup_uuid")
+  [ "$count" -eq 1 ]
+}
+
+@test "candidates: announce-marker enumeration excludes markers older than the mtime window" {
+  rt_uuid="eeeeeeee-0000-1111-2222-runtimepick0"
+  fresh_uuid="ffffffff-0000-1111-2222-freshmarker0"
+  stale_uuid="99999999-0000-1111-2222-stalemarker0"
+  # runtime-sid wins get_current_session_id (so its single pick is the
+  # runtime value, not an announce marker) — this isolates the window
+  # behaviour to the announce-marker ENUMERATION step.
+  printf '%s' "$rt_uuid" > "$SANDBOX_TMP/itil-runtime-sid.current"
+  mark_announced "jtbd" "$fresh_uuid"
+  mark_announced "voice-tone" "$stale_uuid"
+  # Backdate the stale marker well beyond the window. touch -t is POSIX
+  # and portable across BSD (macOS) and GNU find/touch.
+  touch -t 202001010000 "$SANDBOX_TMP/voice-tone-announced-${stale_uuid}"
+  output=$(SESSION_CANDIDATE_WINDOW_MINS=60 bash -c "source '$HELPER'; get_candidate_session_ids")
+  [[ "$output" == *"$rt_uuid"* ]]
+  [[ "$output" == *"$fresh_uuid"* ]]
+  [[ "$output" != *"$stale_uuid"* ]]
+}
+
+@test "candidates: empty output when no markers, no runtime-sid, and no env var" {
+  output=$(candidates)
+  [ -z "$output" ]
+}
+
+@test "candidates: env-var SID is included as a candidate" {
+  env_uuid="12121212-0000-1111-2222-envvarsid000"
+  other_uuid="34343434-0000-1111-2222-announced000"
+  mark_announced "architect" "$other_uuid"
+  output=$(CLAUDE_SESSION_ID="$env_uuid" SESSION_MARKER_DIR="$SANDBOX_TMP" bash -c "source '$HELPER'; get_candidate_session_ids")
+  [[ "$output" == *"$env_uuid"* ]]
+  # The concurrent announce marker is still enumerated alongside the env SID.
+  [[ "$output" == *"$other_uuid"* ]]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windyroad/itil",
-  "version": "0.35.13",
+  "version": "0.35.14-preview.416",
   "description": "ITIL-aligned IT service management for Claude Code (problem, and future incident/change skills)",
   "bin": {
     "windyroad-itil": "./bin/install.mjs"

package/scripts/check-rfc-rejected-alternatives.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# check-rfc-rejected-alternatives.sh — ADR-052 behavioural lint enforcing
+# ADR-070 (RFCs hold no independent decisions).
+#
+# Invariant (ADR-070 § Confirmation): no RFC body in the RFC directory
+# contains a "Considered Options / Alternatives Rejected" block WITHOUT a
+# matching `adrs:` frontmatter reference. ADR-070 line 44 names the
+# machine-detectable tell: "an RFC body containing a rejected-alternatives
+# block with no matching `adrs:` reference is a decision masquerading as
+# scope." Contested choices belong in an ADR (referenced via `adrs:`),
+# never re-argued in the RFC body.
+#
+# This is an ARTEFACT-STATE behavioural check (ADR-052): given an RFC
+# corpus directory, it inspects the on-disk RFC bodies + frontmatter and
+# reports violations. It is NOT a structural grep of any SKILL.md / agent
+# prose. Detection targets a markdown HEADING block (`## ... Considered
+# Options ...` / `## ... Alternatives Rejected ...`), never a prose mention
+# of the phrase (e.g. a retrofit note explaining the section was removed).
+#
+# Usage:   check-rfc-rejected-alternatives.sh [rfcs-dir]   (default docs/rfcs)
+# Exit:    0 = clean (no violations); 1 = ≥1 violation; 2 = usage/dir error.
+#
+# Scope: docs/rfcs/ only. ADRs (docs/decisions/) legitimately carry
+# "Considered Options" headings — they ARE the decision ledger; this lint
+# never scans them.
+#
+# @adr ADR-070 (RFCs hold no independent decisions — the invariant)
+# @adr ADR-052 (behavioural-tests-default — artefact-state assertion)
+# @adr ADR-049 (plugin-bundled scripts; adopters run this over their docs/rfcs)
+# @problem P310 (RFC decisions invisible to the ADR-066 oversight net)
+
+set -euo pipefail
+
+rfcs_dir="${1:-docs/rfcs}"
+
+if [ ! -d "$rfcs_dir" ]; then
+  echo "check-rfc-rejected-alternatives: not a directory: $rfcs_dir" >&2
+  exit 2
+fi
+
+# Heading-block detector: a markdown ATX heading (1-6 '#') whose text
+# contains "Considered Options" or "Alternatives Rejected" (case-insensitive).
+# Anchored to '^#' so a prose/blockquote mention of the phrase never matches.
+heading_re='^#{1,6}[[:space:]]+.*([Cc]onsidered [Oo]ptions|[Aa]lternatives [Rr]ejected)'
+
+# adrs: frontmatter is non-empty when its line carries ≥1 ADR-<NNN> token.
+# (`adrs:` only appears as a line-leading key in the YAML frontmatter; an
+# RFC body never starts a line with `adrs:`.)
+adrs_re='^adrs:.*ADR-[0-9]'
+
+violations=0
+scanned=0
+
+# Iterate RFC files (RFC-*.md) in the directory. Sorted for stable output.
+shopt -s nullglob
+for f in "$rfcs_dir"/RFC-*.md; do
+  scanned=$((scanned + 1))
+  if grep -qE "$heading_re" "$f"; then
+    if ! grep -qE "$adrs_re" "$f"; then
+      line=$(grep -nE "$heading_re" "$f" | head -1 | cut -d: -f1)
+      echo "VIOLATION  $f:${line}  rejected-alternatives block with empty/absent adrs: frontmatter (ADR-070)"
+      violations=$((violations + 1))
+    fi
+  fi
+done
+shopt -u nullglob
+
+if [ "$violations" -gt 0 ]; then
+  echo "check-rfc-rejected-alternatives: $violations violation(s) across $scanned RFC(s) — an RFC carrying a rejected-alternatives block must reference its governing ADR(s) in adrs: (ADR-070)." >&2
+  exit 1
+fi
+
+echo "check-rfc-rejected-alternatives: clean ($scanned RFC(s) scanned; no rejected-alternatives block without adrs: reference)."
+exit 0

package/scripts/test/check-rfc-rejected-alternatives.bats

@@ -0,0 +1,108 @@
+#!/usr/bin/env bats
+
+# @problem P310 — RFCs carry independent decisions invisible to the ADR-066
+#   human-oversight net. ADR-070 closes the blind spot; this lint enforces it.
+# @adr ADR-070 (RFCs hold no independent decisions — the invariant under test)
+# @adr ADR-052 (behavioural-tests-default — this is an artefact-state behavioural
+#   assertion: it RUNS the checker against fixture RFC corpora + the real corpus
+#   and asserts the verdict (exit code + output). It does NOT structurally grep
+#   the checker's own source, the SKILL.md, or any agent prose — that would be
+#   the P081 structural-test-disguised-as-behavioural anti-pattern.)
+# @adr ADR-071 (every fix via RFC — composes; the lint guards the RFC corpus)
+#
+# Contract under test (ADR-070 § Confirmation): no RFC body in docs/rfcs/
+# contains a "Considered Options / Alternatives Rejected" HEADING block
+# without a matching `adrs:` frontmatter reference. The detector targets a
+# markdown heading, never a prose mention of the phrase.
+
+setup() {
+  REPO_ROOT="$(cd "$(dirname "$BATS_TEST_FILENAME")/../../../.." && pwd)"
+  SCRIPT="$REPO_ROOT/packages/itil/scripts/check-rfc-rejected-alternatives.sh"
+  FIXTURE_DIR="$(mktemp -d)"
+}
+
+teardown() {
+  rm -rf "$FIXTURE_DIR"
+}
+
+# ── Fixture helper: write an RFC file with given adrs-line + body ────────────
+write_rfc() {
+  local name="$1" adrs_line="$2" body="$3"
+  cat > "$FIXTURE_DIR/$name" <<EOF
+---
+status: accepted
+rfc-id: ${name%.md}
+problems: [P999]
+$adrs_line
+stories: []
+---
+
+# ${name%.md}: fixture
+
+## Summary
+
+A fixture RFC.
+
+$body
+EOF
+}
+
+@test "violation: rejected-alternatives heading block WITH empty adrs: -> exit 1 + VIOLATION" {
+  write_rfc "RFC-901-bad.md" "adrs: []" $'## Considered Options / Alternatives Rejected\n\n- F1 alternative rejected: foo.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"VIOLATION"* ]]
+  [[ "$output" == *"RFC-901-bad.md"* ]]
+}
+
+@test "allowed: rejected-alternatives heading block WITH a matching adrs: reference -> exit 0 (clean)" {
+  write_rfc "RFC-902-homed.md" "adrs: [ADR-072, ADR-073]" $'## Considered Options / Alternatives Rejected\n\n- The contested choice is recorded in ADR-072; this block references it.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"clean"* ]]
+}
+
+@test "clean: no rejected-alternatives block, empty adrs: -> exit 0" {
+  write_rfc "RFC-903-scope.md" "adrs: []" $'## Scope\n\nPure scope + decomposition + traces. No decisions here.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"clean"* ]]
+}
+
+@test "prose mention (not a heading) of the phrase does NOT trigger -> exit 0" {
+  # Guards the RFC-005 retrofit-banner false positive: a blockquote/prose line
+  # mentioning the struck section must not be flagged.
+  write_rfc "RFC-904-retrofit.md" "adrs: []" $'> Retrofitted: this RFC originally carried a "Considered Options / Alternatives Rejected" section, now struck per ADR-070.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"clean"* ]]
+}
+
+@test "variant heading 'Alternatives Rejected' WITH empty adrs: -> exit 1" {
+  write_rfc "RFC-905-variant.md" "adrs: []" $'### Alternatives Rejected\n\n- rejected: bar.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"RFC-905-variant.md"* ]]
+}
+
+@test "mixed corpus: one violation among clean RFCs -> exit 1, names only the offender" {
+  write_rfc "RFC-906-ok.md" "adrs: [ADR-001]" $'## Considered Options\n\n- references ADR-001.'
+  write_rfc "RFC-907-bad.md" "adrs: []" $'## Considered Options\n\n- no adr.'
+  write_rfc "RFC-908-scope.md" "adrs: []" $'## Scope\n\nclean.'
+  run bash "$SCRIPT" "$FIXTURE_DIR"
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"RFC-907-bad.md"* ]]
+  [[ "$output" != *"RFC-906-ok.md"* ]]
+  [[ "$output" != *"RFC-908-scope.md"* ]]
+}
+
+@test "non-existent directory -> exit 2 (usage error)" {
+  run bash "$SCRIPT" "$FIXTURE_DIR/does-not-exist"
+  [ "$status" -eq 2 ]
+}
+
+@test "dogfood: the real docs/rfcs/ corpus is clean -> exit 0" {
+  run bash "$SCRIPT" "$REPO_ROOT/docs/rfcs"
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"clean"* ]]
+}

package/skills/capture-problem/SKILL.md

@@ -153,15 +153,15 @@ The **3-keyword cap** is a hard-coded constant. Do NOT make it env-overridable
 
 If matches are found: list them in the final report. **Do NOT halt or branch.** Capture proceeds. The user can resolve duplicates at the next `/wr-itil:review-problems` invocation (or invoke `/wr-itil:manage-problem` directly if the duplicate-check shape needs a structured branch).
 
-**After the grep completes**, write the per-session create-gate marker so the `PreToolUse:Write` hook (P119) permits the subsequent Write of the new `.open.md` file:
+**After the grep completes**, write the per-session create-gate marker so the `PreToolUse:Write` hook (P119) permits the subsequent Write of the new `.open.md` file. Per **P260 / ADR-050 Option C**, write it under EVERY recent candidate session SID (not just one) so a concurrent orchestrator+subprocess race cannot land the marker under the wrong UUID:
 
 ```bash
 source packages/itil/hooks/lib/session-id.sh
 source packages/itil/hooks/lib/create-gate.sh
-sid=$(get_current_session_id) && mark_step2_complete "$sid"
+get_candidate_session_ids | mark_step2_complete_candidates
 ```
 
-The marker is shared between `manage-problem` and `capture-problem` per ADR-032 amendment — same `/tmp/manage-problem-grep-${SESSION_ID}` path, idempotent across cross-skill ordering.
+The marker is shared between `manage-problem` and `capture-problem` per ADR-032 amendment — same `/tmp/manage-problem-grep-${SESSION_ID}` path, idempotent across cross-skill ordering. `get_candidate_session_ids` enumerates the `get_current_session_id` pick (P124) plus every recent `/tmp/<system>-announced-<UUID>` UUID within a 24h mtime window, and `mark_step2_complete_candidates` writes the marker under each — so whichever SID the hook reads from the Write's stdin, a matching marker exists. This closes the P260 create-gate race that fires when the orchestrator main turn captures a ticket while a backgrounded iter subprocess holds the per-machine runtime-sid marker (last-writer-wins). The candidate set is bounded to recent same-machine markers — not a global fail-open (the P119 audit invariant holds: each marker still records that THIS session ran the duplicate-check grep). See `/wr-itil:manage-problem` Step 2 substep 7 for the full mechanism.
 
 ### 3. Compute the next ID
 

package/skills/capture-rfc/SKILL.md

@@ -10,7 +10,7 @@ Capture a Request for Change (RFC) ticket quickly during foreground work. Lightw
 
 This skill is one half of the capture-then-manage RFC framework introduced by ADR-060 (Problem-RFC-Story framework with mandatory problem-trace and unified problem ontology, accepted 2026-05-05). The other half is `/wr-itil:manage-rfc` (heavyweight intake + lifecycle management).
 
-**Related JTBDs**: JTBD-008 (primary — Decompose a Fix Into Coordinated Changes; this skill IS the capture-time decomposition surface), JTBD-001 (extended scope — change-set-level governance), JTBD-101 (atomic-fix-adopter friction guard — capture-rfc remains opt-in, never auto-fires on atomic captures).
+**Related JTBDs**: JTBD-008 (primary — Decompose a Fix Into Coordinated Changes; this skill IS the capture-time decomposition surface), JTBD-001 (extended scope — change-set-level governance), JTBD-101 (atomic-fix-adopter — every fix goes through an RFC per ADR-071; capture-rfc is invoked deliberately, not auto-fired, because RFC scope is direction-setting per ADR-073 — NOT because atomic fixes skip ceremony).
 
 ## When to invoke
 
@@ -27,7 +27,7 @@ This skill is one half of the capture-then-manage RFC framework introduced by AD
 
 **Positional**: `<problem-trace> <description>` where `<problem-trace>` is `P<NNN>` or `P<NNN>,P<NNN>,...` (no spaces inside the trace; multiple problems comma-separated).
 
-**Optional flag (Phase 2)**: `--stories STORY-<NNN>,STORY-<NNN>,...` — ORDERED execution sequence per ADR-060 line 262. Cardinality 0..N: atomic RFCs OMIT the flag and capture-rfc populates `stories: []` in frontmatter (JTBD-101 friction guard — atomic RFCs are first-class); story-decomposed RFCs supply the ordered list. The flag accepts STORY-IDs that don't yet resolve to files (forward-reference is permitted at capture; the existence check happens at `manage-rfc <NNN> accepted` transition per ADR-060 working-the-problem flow line 304).
+**Optional flag (Phase 2)**: `--stories STORY-<NNN>,STORY-<NNN>,...` — ORDERED execution sequence per ADR-060 line 262. Cardinality 0..N: an RFC whose work is not decomposed into stories OMITS the flag and capture-rfc populates `stories: []` in frontmatter (a structural state, NOT a reduced-ceremony path — every fix goes through an RFC per ADR-071); story-decomposed RFCs supply the ordered list. The flag accepts STORY-IDs that don't yet resolve to files (forward-reference is permitted at capture; the existence check happens at `manage-rfc <NNN> accepted` transition per ADR-060 working-the-problem flow line 304).
 
 ```
 /wr-itil:capture-rfc P168 Pipeline consume-catalog and bootstrap-from-reports — multi-commit retrofit
@@ -225,7 +225,7 @@ done
 
 The helper (`packages/itil/scripts/update-problem-rfcs-section.sh`) is idempotent: running over a current section is a no-op. Lazy-empty discipline applies (zero traced RFCs → section absent) — capture-rfc invocations always have ≥ 1 trace at this step, so this surface always emits a populated section. The `git add` is conditional on the helper actually modifying the file — `cmp -s` no-op-on-current is the helper's idempotency contract; `git add` of an unchanged file is also a no-op.
 
-**Phase 2 — render `## Stories` body section on the new RFC** (when `--stories` was provided): the just-written RFC file carries `stories: [STORY-NNN, ...]` in frontmatter; the helper `update-rfc-references-section.sh <rfc-file> "Stories"` renders the forward-trace `## Stories` body section from that frontmatter array in execution order per ADR-060 line 270. Lazy-empty discipline applies — when `stories: []` (atomic RFC, JTBD-101 friction guard), the helper omits the section entirely:
+**Phase 2 — render `## Stories` body section on the new RFC** (when `--stories` was provided): the just-written RFC file carries `stories: [STORY-NNN, ...]` in frontmatter; the helper `update-rfc-references-section.sh <rfc-file> "Stories"` renders the forward-trace `## Stories` body section from that frontmatter array in execution order per ADR-060 line 270. Lazy-empty discipline applies — when `stories: []` (an RFC not decomposed into stories), the helper omits the section entirely:
 
 ```bash
 if [ -n "$stories_trace" ]; then
@@ -288,7 +288,7 @@ The two skills share the `/tmp/wr-itil-rfc-capture-grep-${SESSION_ID}` create-ga
 - **`docs/plans/170-rfc-framework-story-map.md`** — Slice 2 task B5.T3 lands this skill.
 - **JTBD-008** — Decompose a Fix Into Coordinated Changes. Primary persona-anchor.
 - **JTBD-001** (extended scope) — change-set-level governance composition.
-- **JTBD-101** (atomic-fix-adopter friction guard) — capture-rfc remains opt-in aside-invocation.
+- **JTBD-101** (atomic-fix-adopter) — every fix goes through an RFC (ADR-071); capture-rfc is a deliberate aside-invocation, not auto-fired (RFC scope is direction-setting per ADR-073).
 - **`docs/rfcs/README.md`** — RFC tier lifecycle index + frontmatter shape spec (Slice 2 tasks B5.T1 + B5.T2 — committed `adc53c8`).
 - **ADR-014** — governance skills commit their own work. Single-commit grain per capture.
 - **ADR-022** — problem lifecycle conventions; RFC lifecycle mirrors.

package/skills/manage-problem/SKILL.md

@@ -321,19 +321,21 @@ Before creating, search existing problems for similar issues. The user may not k
    - "I found existing problems that may be related: P011 (stuck saving, CLOSED), P023 (foul drawn garbled, OPEN). Would you like to: (a) Update an existing problem, (b) Create a new problem anyway, (c) Cancel?"
 5. If the user chooses to update, switch to the update flow for that problem ID
 6. If no matches found, proceed to create
-7. **After the grep completes** (whether duplicates were found or not), write the per-session create-gate marker so the `PreToolUse:Write` hook (`packages/itil/hooks/manage-problem-enforce-create.sh`, P119) allows the subsequent Write of the new `.open.md` file. The marker is `/tmp/manage-problem-grep-${SESSION_ID}` and the agent writes it via Bash by sourcing the session-id discovery helper (P124) and calling the existing `mark_step2_complete` helper:
+7. **After the grep completes** (whether duplicates were found or not), write the per-session create-gate marker so the `PreToolUse:Write` hook (`packages/itil/hooks/manage-problem-enforce-create.sh`, P119) allows the subsequent Write of the new `.open.md` file. The marker is `/tmp/manage-problem-grep-${SESSION_ID}`. Per **P260 / ADR-050 Option C**, the agent writes it under EVERY recent candidate session SID — not just one — by sourcing the discovery helpers (P124) and piping the candidate set into `mark_step2_complete_candidates`:
 
    ```bash
    source packages/itil/hooks/lib/session-id.sh
    source packages/itil/hooks/lib/create-gate.sh
-   sid=$(get_current_session_id) && mark_step2_complete "$sid"
+   get_candidate_session_ids | mark_step2_complete_candidates
    ```
 
-   `get_current_session_id` (P124) returns the canonical session UUID by reading `CLAUDE_SESSION_ID` if exported, else by scraping the most-reliable per-session announce marker (`/tmp/<system>-announced-<UUID>`, set on prompt 1 of every session per ADR-038 by architect / jtbd / tdd / style-guide / voice-tone / itil-assistant-gate / itil-correction-detect hooks). It exits non-zero if no session can be discovered — the `&&` short-circuits the marker write so the agent never lands `/tmp/manage-problem-grep-` (an empty UUID would never match the hook's stdin-JSON `session_id` and would silently fail later). `mark_step2_complete` (existing helper from `create-gate.sh`) writes the marker file under the canonical path; the marker is per-session (single marker covers all new tickets for the rest of this session), enabling Step 4b multi-concern splits and same-session unrelated-ticket creation without re-running the grep.
+   **Why every candidate, not one (P260 / ADR-050 Option C)**: under `/wr-itil:work-problems` the orchestrator main turn fires PreToolUse hooks concurrently with its backgrounded iter subprocess (Step 5). Both sessions write the same per-machine runtime-sid marker (last-writer-wins), so the single-SID `get_current_session_id` can return the subprocess SID while the orchestrator's Write carries the orchestrator SID on its stdin — marker mismatch, create-gate deny. No agent-side algorithm can predict the right single SID from filesystem state alone (ADR-050 §Context). `get_candidate_session_ids` instead enumerates EVERY candidate SID the hook might read — the `get_current_session_id` pick (env-var > runtime-sid > announce-marker priority, P124) PLUS every recent `/tmp/<system>-announced-<UUID>` UUID within a 24h mtime window (ADR-038 announce markers, set on prompt 1 of every session by architect / jtbd / tdd / style-guide / voice-tone / itil-assistant-gate / itil-correction-detect hooks) — and `mark_step2_complete_candidates` writes the marker under each. Whichever SID the hook reads from the Write's stdin, a matching marker provably exists. The candidate set is **bounded** to recent same-machine announce markers + the runtime-sid value — NOT a global fail-open: the P119 audit invariant holds (every marker still records that THIS session ran the duplicate-check grep). The marker is per-session, so a single write covers all new tickets for the rest of this session, enabling Step 4b multi-concern splits and same-session unrelated-ticket creation without re-running the grep.
 
-   **Why a helper instead of inline `${CLAUDE_SESSION_ID:-default}`**: the agent's process does NOT export `CLAUDE_SESSION_ID` today; the hook side reads `session_id` from its stdin JSON payload (per the Claude Code PreToolUse contract). The prior fallback wrote the marker under `default` while the hook checked the real UUID — mismatch caused the Write deny on every first ticket of a session until the agent ad-hoc scraped a UUID-bearing marker. The helper canonicalises that scrape so every agent context discovers the SID the same way. P124.
+   **Why helpers instead of inline `${CLAUDE_SESSION_ID:-default}`**: the agent's process does NOT export `CLAUDE_SESSION_ID` today; the hook side reads `session_id` from its stdin JSON payload (per the Claude Code PreToolUse contract). The prior fallback wrote the marker under `default` while the hook checked the real UUID — mismatch caused the Write deny on every first ticket of a session until the agent ad-hoc scraped a UUID-bearing marker. The helpers canonicalise that scrape so every agent context discovers candidate SIDs the same way. P124.
 
-   **Phase 4 (P142 / ADR-050)** — the helper now reads the runtime stdin `session_id` from a per-machine marker written by the `itil-runtime-sid-marker.sh` PreToolUse hook on every tool call. Because every Bash call that sources the helper is itself a PreToolUse:Bash event, the marker the helper reads was written moments earlier with the same `session_id` the runtime Write hook will see — so SID-mismatch denial is structurally impossible in the routine flow. The Phase 3 announce-marker priority logic is preserved as cold-path fallback (first tool call of a session, before any PreToolUse fires).
+   **Phase 4 (P142 / ADR-050)** — the helper reads the runtime stdin `session_id` from a per-machine marker written by the `itil-runtime-sid-marker.sh` PreToolUse hook on every tool call. Because every Bash call that sources the helper is itself a PreToolUse:Bash event, the marker the helper reads was written moments earlier with the same `session_id` the runtime Write hook will see — so SID-mismatch denial is structurally impossible **in non-concurrent flow**. The Phase 3 announce-marker priority logic is preserved as cold-path fallback (first tool call of a session, before any PreToolUse fires).
+
+   **Phase 5 (P260 / ADR-050 Option C)** — the "structurally impossible" guarantee above holds ONLY when no second session writes the runtime-sid marker concurrently. Under `/wr-itil:work-problems`, the orchestrator main turn and its backgrounded subprocess write the per-machine runtime-sid marker concurrently (last-writer-wins), re-introducing the mismatch (this was P260, surfaced by the 2026-05-18 P254/P255 foreground captures). The candidate-set marker-write above is the mitigation: it does not depend on the runtime marker carrying the right SID at Write-time, because it marks under every recent candidate SID.
 
 **Search strategy**: Search problem filenames AND file content. A match on the filename (kebab-case title) or the Description/Symptoms sections counts. Cast a wide net — false positives are cheap (user chooses), but false negatives mean duplicate problems.
 

package/skills/manage-rfc/SKILL.md

@@ -8,7 +8,7 @@ allowed-tools: Read, Write, Edit, Bash, Grep, Glob, Task
 
 Create, update, or transition RFC tickets following the Problem-RFC-Story framework introduced by ADR-060 (accepted 2026-05-05). This skill is the heavyweight counterpart to `/wr-itil:capture-rfc` — it owns the full intake flow, lifecycle transitions, batch review, and README refresh.
 
-**Related JTBDs**: JTBD-008 (primary — Decompose a Fix Into Coordinated Changes; this skill governs the lifecycle of decomposed work), JTBD-001 (extended scope — change-set-level governance), JTBD-101 (atomic-fix-adopter friction guard — RFC ceremony only fires on opt-in invocations).
+**Related JTBDs**: JTBD-008 (primary — Decompose a Fix Into Coordinated Changes; this skill governs the lifecycle of decomposed work), JTBD-001 (extended scope — change-set-level governance), JTBD-101 (atomic-fix-adopter — every fix goes through an RFC per ADR-071; the RFC skills are invoked deliberately, not auto-fired, because RFC scope is direction-setting per ADR-073 — NOT because atomic fixes skip ceremony).
 
 ## RFC Lifecycle
 
@@ -96,6 +96,8 @@ Apply the update — typical edits:
 - Adding `## Related` entries.
 - Updating `decision-makers` or `adrs` frontmatter when ADRs are referenced mid-RFC execution.
 
+**Do NOT add a "Considered Options / Alternatives Rejected" section to the RFC body.** Per ADR-070 (RFCs hold no independent decisions), every contested choice among ≥ 2 viable options is recorded as an ADR (inheriting the ADR-064 confirm gate + ADR-066 oversight marker) and referenced in the RFC's `adrs:` frontmatter — never re-argued in the RFC body. An RFC carries only scope, decomposition (sequencing/breakdown of already-decided work), and traces. The ADR-052 behavioural lint hard-fails any RFC body that contains a rejected-alternatives block without a matching `adrs:` reference.
+
 #### README refresh on conditional update (P094 mirror)
 
 If the update changed any ranking-bearing field (Status, Severity-via-problems, Effort, WSJF), regenerate `docs/rfcs/README.md` in-place reflecting the new ranking and stage it in the same commit. If the edit touched only `## Summary`, `## Scope`, `## Tasks`, `## Related`, or other non-ranking sections, skip the refresh.
@@ -150,7 +152,7 @@ for pid_token in $(awk '/^problems:/{gsub(/[][]/,"");gsub(/,/,"\n");for(i=2;i<=N
 done
 ```
 
-The helper (`packages/itil/scripts/update-problem-rfcs-section.sh`) is idempotent and applies lazy-empty discipline (zero traced RFCs → section absent — protects atomic-fix-adopter friction guard per JTBD-101). After the transition, the helper:
+The helper (`packages/itil/scripts/update-problem-rfcs-section.sh`) is idempotent and applies lazy-empty discipline (zero traced RFCs → section absent — a structural rendering rule, not a ceremony exemption; a problem traces ≥ 1 RFC once it reaches fix-time per ADR-071 / I13). After the transition, the helper:
 - Updates the row's `Status` column to the new lifecycle status.
 - Removes the row when this transition de-traces a problem (frontmatter `problems:` edit removed the entry).
 - No-op when the table is already current (idempotent contract).
@@ -159,7 +161,7 @@ The trailer hook (`itil-rfc-trailer-advisory.sh`) sits on top of this skill-side
 
 #### Forward trace — `## Stories` body section (Phase 2)
 
-Per ADR-060 line 270 + line 296: every transition that touches the RFC body refreshes the RFC's own `## Stories` body section from its frontmatter `stories:` array. The forward-trace surface renders the ordered execution sequence as inline links to the story files, lazy-empty when `stories: []` (atomic RFC — JTBD-101 friction guard). The helper is the Slice 2b sibling `update-rfc-references-section.sh`:
+Per ADR-060 line 270 + line 296: every transition that touches the RFC body refreshes the RFC's own `## Stories` body section from its frontmatter `stories:` array. The forward-trace surface renders the ordered execution sequence as inline links to the story files, lazy-empty when `stories: []` (an RFC not decomposed into stories). The helper is the Slice 2b sibling `update-rfc-references-section.sh`:
 
 ```bash
 bash "$(wr-itil-script-path 2>/dev/null || echo packages/itil/scripts)/update-rfc-references-section.sh" "$rfc_file" "Stories"
@@ -251,7 +253,7 @@ The two skills share the `/tmp/wr-itil-rfc-capture-grep-${SESSION_ID}` create-ga
 - **ADR-060** — Problem-RFC-Story framework with mandatory problem-trace and unified problem ontology.
 - **P170** — driver problem ticket.
 - **`docs/plans/170-rfc-framework-story-map.md`** — Slice 2 task B5.T4 lands this skill.
-- **JTBD-008** (primary), JTBD-001 (extended scope), JTBD-101 (atomic-fix-adopter friction guard).
+- **JTBD-008** (primary), JTBD-001 (extended scope), JTBD-101 (atomic-fix-adopter — every fix via RFC per ADR-071).
 - **`docs/rfcs/README.md`** — lifecycle index + frontmatter shape (Slice 2 B5.T1 + B5.T2 — `adc53c8`).
 - **`packages/itil/skills/capture-rfc/SKILL.md`** — sibling lightweight capture skill.
 - **`packages/itil/skills/manage-problem/SKILL.md`** — heavyweight counterpart at the problem tier; structural template for this skill.