cleargate 0.5.0 → 0.6.0

package/templates/cleargate-planning/.claude/hooks/pre-edit-gate.sh

@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+# pre-edit-gate.sh — CR-008 Phase B: planning-first PreToolUse gate
+#
+# Registered as a PreToolUse hook for Edit|Write tool calls.
+# In warn mode (default), logs would-block decisions but always exits 0.
+# In enforce mode, exits 1 to block the tool call when planning is missing.
+#
+# Mode controlled by CLEARGATE_PLANNING_GATE_MODE (warn|enforce|off). Default: warn.
+# Bypass: CLEARGATE_PLANNING_BYPASS=1 → skip check, log bypass=true, exit 0.
+
+set -u
+
+REPO_ROOT="${CLAUDE_PROJECT_DIR:-$(pwd)}"
+MODE="${CLEARGATE_PLANNING_GATE_MODE:-warn}"
+LOG_FILE="${REPO_ROOT}/.cleargate/hook-log/pre-edit-gate-warn.log"
+
+# ── 0. Off mode — do nothing ──────────────────────────────────────────────────
+if [ "${MODE}" = "off" ]; then
+  exit 0
+fi
+
+# ── 1. Read file path from stdin (PreToolUse JSON payload) ────────────────────
+# Claude Code sends JSON on stdin: {"tool_name":"Edit","tool_input":{"file_path":"..."}}
+INPUT=$(cat)
+FILE=$(printf '%s' "${INPUT}" | node -e "
+try {
+  var d = require('fs').readFileSync('/dev/stdin','utf8');
+  var o = JSON.parse(d);
+  var fp = (o.tool_input && o.tool_input.file_path) ? o.tool_input.file_path : '';
+  process.stdout.write(fp);
+} catch(e) {
+  process.stdout.write('');
+}
+" 2>/dev/null || true)
+
+TOOL_NAME=$(printf '%s' "${INPUT}" | node -e "
+try {
+  var d = require('fs').readFileSync('/dev/stdin','utf8');
+  var o = JSON.parse(d);
+  process.stdout.write(o.tool_name || '');
+} catch(e) {
+  process.stdout.write('');
+}
+" 2>/dev/null || true)
+
+# ── Guard: if we couldn't parse the file path, fail-open ──────────────────────
+if [ -z "${FILE}" ]; then
+  exit 0
+fi
+
+# ── 2. Bypass env var ─────────────────────────────────────────────────────────
+if [ "${CLEARGATE_PLANNING_BYPASS:-0}" = "1" ]; then
+  ISO_TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || date -u +"%Y-%m-%dT%H:%M:%SZ")
+  mkdir -p "$(dirname "${LOG_FILE}")"
+  printf '[%s] mode=%s bypass=true file=%s\n' "${ISO_TS}" "${MODE}" "${FILE}" >> "${LOG_FILE}"
+  exit 0
+fi
+
+# ── 3. Whitelist: always allow these paths ────────────────────────────────────
+# Normalise: strip leading REPO_ROOT prefix for matching
+REL_FILE="${FILE}"
+if [[ "${FILE}" == "${REPO_ROOT}/"* ]]; then
+  REL_FILE="${FILE#${REPO_ROOT}/}"
+fi
+
+is_whitelisted() {
+  local f="$1"
+  # Exact or prefix matches for whitelisted directories/files
+  case "${f}" in
+    .cleargate/*|.claude/*|cleargate-planning/*) return 0 ;;
+    CLAUDE.md|MANIFEST.json|README.md|.gitignore|.gitkeep) return 0 ;;
+    package.json|package-lock.json) return 0 ;;
+    .env|.env.*|.npmrc|.editorconfig) return 0 ;;
+    # Also allow absolute paths that fall under the repo's cleargate dirs
+  esac
+  # Check absolute path variants
+  case "${FILE}" in
+    "${REPO_ROOT}/.cleargate/"*|"${REPO_ROOT}/.claude/"*|"${REPO_ROOT}/cleargate-planning/"*) return 0 ;;
+  esac
+  return 1
+}
+
+if is_whitelisted "${REL_FILE}"; then
+  exit 0
+fi
+
+# ── 3.5 Sprint-active sentinel bypass ────────────────────────────────────────
+# If a sprint is actively running, all in-sprint edits bypass the gate.
+if [ -f "${REPO_ROOT}/.cleargate/sprint-runs/.active" ]; then
+  exit 0
+fi
+
+# ── 4. Resolve cleargate CLI (three-branch resolver — CR-009) ────────────────
+if [ -f "${REPO_ROOT}/cleargate-cli/dist/cli.js" ]; then
+  CG=(node "${REPO_ROOT}/cleargate-cli/dist/cli.js")
+elif command -v cleargate >/dev/null 2>&1; then
+  CG=(cleargate)
+else
+  # Read pinned version from stamp-and-gate.sh
+  HOOK_PIN=""
+  HOOK_SH="${REPO_ROOT}/.claude/hooks/stamp-and-gate.sh"
+  if [ -f "${HOOK_SH}" ]; then
+    HOOK_PIN=$(grep -oP '(?<=# cleargate-pin: )[\S]+' "${HOOK_SH}" 2>/dev/null || \
+               grep -oE 'cleargate@[^"]+' "${HOOK_SH}" 2>/dev/null | head -1 | sed 's/.*@//' || true)
+  fi
+  if [ -z "${HOOK_PIN}" ]; then
+    HOOK_PIN="__CLEARGATE_VERSION__"
+  fi
+  CG=(npx -y "cleargate@${HOOK_PIN}")
+fi
+
+# ── 5. Read user prompt snippet for log context (optional; best-effort) ───────
+PROMPT_SNIPPET=$(printf '%s' "${INPUT}" | node -e "
+try {
+  var d = require('fs').readFileSync('/dev/stdin','utf8');
+  var o = JSON.parse(d);
+  var p = (o.user_prompt || '').slice(0, 200);
+  process.stdout.write(p);
+} catch(e) {
+  process.stdout.write('');
+}
+" 2>/dev/null || true)
+
+# ── 6. Ask doctor --can-edit ──────────────────────────────────────────────────
+# Capture both stdout AND exit code without || true swallowing the exit code.
+_DOCTOR_TMPFILE=$(mktemp)
+"${CG[@]}" doctor --can-edit "${FILE}" --cwd "${REPO_ROOT}" > "${_DOCTOR_TMPFILE}" 2>/dev/null
+DOCTOR_EXIT=$?
+DOCTOR_OUT=$(cat "${_DOCTOR_TMPFILE}")
+rm -f "${_DOCTOR_TMPFILE}"
+
+# Parse reason from doctor output
+REASON=$(printf '%s' "${DOCTOR_OUT}" | grep -oP '(?<=blocked: )\S+' 2>/dev/null || \
+         printf '%s' "${DOCTOR_OUT}" | sed -n 's/blocked: //p' 2>/dev/null || \
+         echo "unknown")
+
+# Count approved stories in pending-sync (for log entry)
+PENDING_DIR="${REPO_ROOT}/.cleargate/delivery/pending-sync"
+PENDING_MATCH_COUNT=0
+if [ -d "${PENDING_DIR}" ]; then
+  PENDING_MATCH_COUNT=$(grep -rl 'approved: true' "${PENDING_DIR}" 2>/dev/null | wc -l | tr -d ' ' || echo "0")
+fi
+
+# ── 7. Gate decision ──────────────────────────────────────────────────────────
+if [ "${DOCTOR_EXIT}" -ne 0 ]; then
+  # Would block
+  ISO_TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || date -u +"%Y-%m-%dT%H:%M:%SZ")
+  mkdir -p "$(dirname "${LOG_FILE}")"
+  printf '[%s] mode=%s would_block file=%s reason=%s tool=%s pending_match_count=%d prompt_snippet=%s\n' \
+    "${ISO_TS}" "${MODE}" "${FILE}" "${REASON}" "${TOOL_NAME}" "${PENDING_MATCH_COUNT}" "${PROMPT_SNIPPET}" \
+    >> "${LOG_FILE}"
+
+  if [ "${MODE}" = "enforce" ]; then
+    printf 'ClearGate: planning-first gate — no approved story covers %s (%s). Draft a work item first.\n' \
+      "${FILE}" "${REASON}" >&2
+    exit 1
+  fi
+
+  # warn mode: log written above, exit 0 (do not block)
+fi
+
+exit 0

package/templates/cleargate-planning/.claude/hooks/session-start.sh

@@ -2,17 +2,20 @@
 set -u
 REPO_ROOT="${CLAUDE_PROJECT_DIR}"
 
-# Resolve cleargate CLI: prefer on-PATH binary, fall back to meta-repo-local
-# dist. If neither is present, this hook is a no-op (BUG-006).
-if command -v cleargate >/dev/null 2>&1; then
-  CG=(cleargate)
-elif [ -f "${REPO_ROOT}/cleargate-cli/dist/cli.js" ]; then
+# cleargate-pin: __CLEARGATE_VERSION__
+# Resolve cleargate CLI (three-branch resolver — CR-009):
+#   1. meta-repo dogfood dist (fastest; only present in ClearGate's own repo)
+#   2. on-PATH binary (global install or shim)
+#   3. pinned npx invocation (always works wherever Node is present)
+if [ -f "${REPO_ROOT}/cleargate-cli/dist/cli.js" ]; then
   CG=(node "${REPO_ROOT}/cleargate-cli/dist/cli.js")
+elif command -v cleargate >/dev/null 2>&1; then
+  CG=(cleargate)
 else
-  exit 0
+  CG=(npx -y "cleargate@__CLEARGATE_VERSION__")
 fi
 
-"${CG[@]}" doctor --session-start 2>/dev/null || true
+"${CG[@]}" doctor --session-start || true
 
 # ── §14.9 SessionStart sync nudge (STORY-010-08) ─────────────────────────────
 # Daily-throttled: probe remote for updates at most once per 24h.

package/templates/cleargate-planning/.claude/hooks/stamp-and-gate.sh

@@ -4,16 +4,17 @@ REPO_ROOT="${CLAUDE_PROJECT_DIR}"
 LOG="${REPO_ROOT}/.cleargate/hook-log/gate-check.log"
 mkdir -p "$(dirname "$LOG")"
 
-# Resolve cleargate CLI: prefer on-PATH binary (`npm i -g cleargate` / `npx`),
-# fall back to a meta-repo-local dist (dogfood case). If neither is present,
-# log a remediation message and exit 0 (BUG-006).
-if command -v cleargate >/dev/null 2>&1; then
-  CG=(cleargate)
-elif [ -f "${REPO_ROOT}/cleargate-cli/dist/cli.js" ]; then
+# cleargate-pin: __CLEARGATE_VERSION__
+# Resolve cleargate CLI (three-branch resolver — CR-009):
+#   1. meta-repo dogfood dist (fastest; only present in ClearGate's own repo)
+#   2. on-PATH binary (global install or shim)
+#   3. pinned npx invocation (always works wherever Node is present)
+if [ -f "${REPO_ROOT}/cleargate-cli/dist/cli.js" ]; then
   CG=(node "${REPO_ROOT}/cleargate-cli/dist/cli.js")
+elif command -v cleargate >/dev/null 2>&1; then
+  CG=(cleargate)
 else
-  echo "[$(date -u +"%Y-%m-%dT%H:%M:%SZ")] cleargate CLI not found — install with 'npm i -g cleargate' or run via 'npx cleargate'. Hook skipped." >>"$LOG"
-  exit 0
+  CG=(npx -y "cleargate@__CLEARGATE_VERSION__")
 fi
 
 FILE=$(jq -r '.tool_input.file_path' 2>/dev/null || echo "")

package/templates/cleargate-planning/.claude/hooks/token-ledger.sh

@@ -15,12 +15,21 @@
 #              misrouted SPRINT-04 firings to SPRINT-03 because ledger appends
 #              themselves bumped SPRINT-03's mtime. See REPORT.md SPRINT-04.
 #
-# Work-item ID detection (GENERALIZED 2026-04-19 STORY-008-04):
+# Work-item ID detection (GENERALIZED 2026-04-19 STORY-008-04, SCOPED 2026-04-26 BUG-010):
 #   Primary  : first user message in the transcript — that's the orchestrator's
 #              dispatch prompt, which by agent convention starts with
 #              `STORY=NNN-NN`, `PROPOSAL-NNN`, `EPIC-NNN`, `CR-NNN`, or `BUG-NNN`.
-#   Pattern  : (STORY|PROPOSAL|EPIC|CR|BUG)[-=]?[0-9]+(-[0-9]+)?
-#   Fallback : grep first match anywhere in the transcript.
+#   Scoping  : look ONLY at lines whose FIRST CHARACTER matches the dispatch-marker
+#              pattern (line-anchored). The SessionStart hook emits a "blocked items"
+#              reminder that lists work-item IDs in prose/bullets — those lines start
+#              with "- " or whitespace, never with the marker prefix. Scanning the full
+#              content caused BUG-010: all SPRINT-14 rows tagged BUG-002 (first item in
+#              the reminder list). Fix: join content with \n, split, filter line-starts.
+#   Pattern  : ^(STORY|PROPOSAL|PROP|EPIC|CR|BUG)[-=][0-9]...
+#              PROP-NNN is normalised to PROPOSAL-NNN after match (BUG-009, 2026-04-26)
+#   Tie-break: when multiple dispatch-marker lines appear in the first user message,
+#              the FIRST line wins (deterministic; orchestrator puts the marker first).
+#   Fallback : grep first line-start match anywhere in the transcript.
 #   story_id : populated only when the match is a STORY-* (backward compat).
 #   work_item_id: always populated when detection succeeds; equals story_id for STORY items.
 #   (Removed): grep-first-anywhere as PRIMARY — it picked up SPRINT-05 mentions
@@ -107,28 +116,42 @@ ACTIVE_SENTINEL="${REPO_ROOT}/.cleargate/sprint-runs/.active"
   fi
 
   # --- detect work_item_id (PRIMARY: first user message; FALLBACK: anywhere-grep) ---
-  # Orchestrator convention (.claude/agents/developer.md): the first line of the
-  # dispatch prompt is `STORY=NNN-NN`. The first user message in the transcript
-  # is that prompt. Look there first to avoid picking up work-item mentions inside
-  # the subagent's later reads of plans, sprint files, etc.
+  # Orchestrator convention (.claude/agents/developer.md): the FIRST LINE of the
+  # dispatch prompt is `STORY=NNN-NN` (or CR=NNN, BUG=NNN, EPIC=NNN, PROPOSAL=NNN,
+  # PROP=NNN). The SessionStart hook injects a "blocked items" reminder whose lines
+  # start with "- " or whitespace — never with the marker prefix. We therefore
+  # ONLY match lines whose first character is the start of the marker (line-anchored).
+  #
+  # BUG-010 (2026-04-26): joined with " " (space) before — scan() found BUG-002 from
+  # the reminder text. Fix: join with "\n" so line-anchored regex works.
   #
   # Pattern covers: STORY-NNN-NN, PROPOSAL-NNN, EPIC-NNN, CR-NNN, BUG-NNN
   # (and = separator variants like STORY=008-04)
+  # Tie-break: first line matching the anchor wins (orchestrator puts marker first).
   WORK_ITEM_RAW="$(jq -rs '
     [.[] | select(.type == "user")] | .[0].message.content
-    | if type == "array" then map(.text? // "") | join(" ") else (. // "") end
+    | if type == "array" then map(.text? // "") | join("\n") else (. // "") end
     | tostring
-    | scan("(STORY|PROPOSAL|EPIC|CR|BUG)[-=]?([0-9]+(-[0-9]+)?)") | .[0:2] | join("-")
+    | split("\n")
+    | map(select(test("^(STORY|PROPOSAL|PROP|EPIC|CR|BUG)[-=][0-9]")))
+    | .[0] // ""
+    | capture("^(?<kind>STORY|PROPOSAL|PROP|EPIC|CR|BUG)[-=](?<id>[0-9]+(-[0-9]+)?)")
+    | (.kind + "-" + .id)
   ' "${TRANSCRIPT_PATH}" 2>/dev/null | head -1)"
 
   if [[ -n "${WORK_ITEM_RAW}" && "${WORK_ITEM_RAW}" != "null" && "${WORK_ITEM_RAW}" != "-" ]]; then
     # Normalize: replace any = separator with - in the result
-    WORK_ITEM_ID="$(printf '%s' "${WORK_ITEM_RAW}" | sed 's/=/-/g')"
+    # Then normalize PROP-NNN → PROPOSAL-NNN (canonical form matches wiki/proposals/PROPOSAL-NNN.md filenames)
+    # BUG-009 (2026-04-26): PROP↔PROPOSAL normalization — PRESERVED BY BUG-010.
+    WORK_ITEM_ID="$(printf '%s' "${WORK_ITEM_RAW}" | sed 's/=/-/g' | sed 's/^PROP-/PROPOSAL-/')"
   else
-    # Fallback: grep anywhere in the transcript
-    WORK_ITEM_ID="$(grep -oE '(STORY|PROPOSAL|EPIC|CR|BUG)[-=]?[0-9]+(-[0-9]+)?' "${TRANSCRIPT_PATH}" 2>/dev/null \
+    # Fallback: grep for line-start dispatch markers anywhere in the transcript.
+    # Line-anchored (^) so that "- BUG-002:" reminder bullet lines are not matched —
+    # only lines whose first character starts the marker prefix.
+    # BUG-009 normalization preserved: sed 's/=/-/g' | sed 's/^PROP-/PROPOSAL-/'
+    WORK_ITEM_ID="$(grep -oE '^(STORY|PROPOSAL|PROP|EPIC|CR|BUG)[-=][0-9][0-9]*(-[0-9]+)?' "${TRANSCRIPT_PATH}" 2>/dev/null \
       | head -1 \
-      | sed 's/=/-/g')"
+      | sed 's/=/-/g' | sed 's/^PROP-/PROPOSAL-/')"
     if [[ -n "${WORK_ITEM_ID}" ]]; then
       printf '[%s] work_item_id fallback grep: %s\n' "$(date -u +%FT%TZ)" "${WORK_ITEM_ID}" >> "${HOOK_LOG}"
     fi

package/templates/cleargate-planning/.claude/settings.json

@@ -19,6 +19,15 @@
             "command": "${CLAUDE_PROJECT_DIR}/.claude/hooks/pending-task-sentinel.sh"
           }
         ]
+      },
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PROJECT_DIR}/.claude/hooks/pre-edit-gate.sh"
+          }
+        ]
       }
     ],
     "PostToolUse": [

package/templates/cleargate-planning/.cleargate/knowledge/cleargate-protocol.md

@@ -108,6 +108,8 @@ Under `execution_mode: "v1"` this rule is **advisory only** — the orchestrator
 
 **v2 story-file assertion:** Additionally for v2 sprints, `cleargate sprint init` asserts every story in §1 Consolidated Deliverables has a `pending-sync/STORY-*.md` file before writing `state.json`; missing files block init with an enumerated stderr list. Under v1 the assertion runs but only warns (does not block). The assertion is also available standalone: `node .cleargate/scripts/assert_story_files.mjs <sprint-file-path>`.
 
+As of cleargate@0.6.x, sprint-init asserts all six work-item id shapes (STORY/CR/BUG/EPIC/PROPOSAL/HOTFIX). v2 mode hard-blocks on missing OR unapproved OR stub-empty items; v1 warns-only (backwards compat).
+
 ### Gate 3 — Push Gate
 
 - **Never call `cleargate_push_item` on a file where `approved: false`.**
@@ -913,3 +915,56 @@ wiki:
 ```
 
 Exceeding the ceiling fails `cleargate wiki lint` (enforcement mode). Under `--suggest`, the usage percentage is reported but the check does not fail. Reference: EPIC-015.
+
+---
+
+## 22. Advisory Readiness Gates on Push (v2) — CR-010
+
+### §22.1 Two-tier push gate semantics
+
+Push-time gate enforcement uses two distinct tiers:
+
+**Tier 1 — `approved: true` (hard reject, unchanged):**
+`cleargate_push_item` throws `PushNotApprovedError` when `payload.approved !== true`. This is the human go/no-go gate. No advisory mode or env knob overrides it.
+
+**Tier 2 — `cached_gate_result` (advisory by default):**
+When `cached_gate_result.pass === false`, the push proceeds in default advisory mode. The pushed item's body receives a single advisory prefix line placed immediately after the H1 heading (or as the first line if no H1 exists):
+
+```
+[advisory: gate_failed — <comma-separated criterion ids>]
+```
+
+Body content beyond the advisory prefix is byte-identical to the input. The push result includes `gate_status: 'open'` and `failing_criteria: [...]` as response metadata (not persisted to the DB schema).
+
+### §22.2 Strict-mode opt-in and audit log
+
+Set `STRICT_PUSH_GATES=true` on the MCP server to restore pre-CR-010 hard-reject behavior (`PushGateFailedError`, no DB write). Default: `false` (advisory mode).
+
+Advisory pushes (gate_status='open') are recorded in `audit_log` with `result='ok'` — the push succeeded. The `failing_criteria` are surfaced in the push response shape, not in a new audit column. No schema migration is required.
+**Rationale:** PM-tool answer-collection requires items to land before readiness answers arrive; advisory mode enables this. See CR-010 §0 for full evidence.
+
+---
+
+## 23. Doctor Exit-Code Semantics
+
+`cleargate doctor` exits with one of three codes (all modes: default, `--session-start`, `--can-edit`, `--check-scaffold`, `--pricing`). Hooks branch on the integer, not on stdout.
+- `0` — clean. No blockers, no config errors. Stdout MAY include informational lines.
+- `1` — blocked items or advisory issues (gate failures, stamp errors, drifted SHAs, missing ledger rows). Stdout lists each blocker.
+- `2` — ClearGate misconfigured or partially installed (missing `.cleargate/`, missing `MANIFEST.json`, missing `auth.json`, hook resolver failure). Stdout emits a remediation hint. See `cleargate doctor --help`.
+
+---
+
+## 24. Lane Routing
+
+A story is eligible for `lane: fast` only if all seven checks pass (any false → `standard`):
+1. **Size cap.** ≤2 files AND ≤50 LOC net (tests count; generated files do not).
+2. **No forbidden surfaces.** Story does not modify: `mcp/src/db/` / `**/migrations/` (schema); `mcp/src/auth/` / `mcp/src/admin-api/auth-*` (auth); `cleargate.config.json` / `mcp/src/config.ts` (runtime config); `mcp/src/adapters/` (adapter API); `cleargate-planning/MANIFEST.json` (scaffold manifest); security-relevant code (token handling, invite verification, gate enforcement).
+3. **No new dependency.** No new package added to any `package.json`.
+4. **Single acceptance scenario or doc-only.** Exactly one `Scenario:` block (or zero for doc-only). `Scenario Outline:` or multiple scenarios → `standard`.
+5. **Existing tests cover the runtime change.** Named test file exists and includes the affected module, OR story is doc/comment/non-runtime config only.
+6. **`expected_bounce_exposure: low`.** `med` or `high` is auto-`standard`.
+7. **No epic-spanning subsystem touches.** All affected files live under the parent epic's declared scope directories.
+
+**Demotion mechanics.** Demotion is one-way (`fast → standard`). Trigger: pre-gate scanner failure OR post-merge test failure on a fast-lane story. On demotion: set `lane = "standard"`, write `lane_demoted_at` (ISO-8601), `lane_demotion_reason`, reset `qa_bounces = 0` and `arch_bounces = 0` (see STORY-022-02 schema). Architect plan is invoked and QA spawned per standard contract.
+
+Event-type `LD` (Lane Demotion) is recorded in sprint markdown §4 alongside existing `UR` and `CR` events; Reporter aggregates into §3 Execution Metrics > Fast-Track Demotion Rate.

package/templates/cleargate-planning/.cleargate/knowledge/readiness-gates.md

@@ -52,7 +52,7 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
     - id: touched-files-populated
       check: "section(3) has ≥1 listed-item"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
 ```
 
 ```yaml
@@ -63,7 +63,7 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
     - id: proposal-approved
       check: "frontmatter(context_source).approved == true"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
     - id: scope-in-populated
       check: "section(2) has ≥1 listed-item"
     - id: affected-files-declared
@@ -84,7 +84,7 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
     - id: gherkin-error-path
       check: "body contains 'Error'"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
     - id: interrogation-resolved
       check: "body does not contain 'Unresolved'"
 ```
@@ -97,7 +97,7 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
     - id: parent-epic-ref-set
       check: "frontmatter(.).parent_epic_ref != null"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
     - id: implementation-files-declared
       check: "section(3) has ≥1 listed-item"
     - id: dod-declared
@@ -112,9 +112,9 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
   severity: enforcing
   criteria:
     - id: blast-radius-populated
-      check: "section(1) has ≥1 listed-item"
+      check: "section(2) has ≥1 listed-item"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
     - id: sandbox-paths-declared
       check: "section(2) has ≥1 listed-item"
 ```
@@ -129,5 +129,5 @@ The asymmetry exists because Proposal documents are human-authored strategy arti
     - id: severity-set
       check: "frontmatter(.).severity != null"
     - id: no-tbds
-      check: "body does not contain 'TBD'"
+      check: "body does not contain marker 'TBD'"
 ```