hypomnema 1.2.1 → 1.3.0

package/scripts/crystallize.mjs

@@ -55,7 +55,9 @@
  *     hypo-personal-check is still the final enforcement.
  *   • Post-apply — runs after the writes. Surfaces as stage='post-apply-lint'
  *     (or 'post-apply-verification+lint' if freshness also fails). Catches
- *     payloads that introduce a broken wikilink / malformed body.
+ *     payloads that introduce a malformed body / bad frontmatter (error-level);
+ *     broken wikilinks are lint W4 warnings and are not gated. A lint crash
+ *     hard-fails regardless of scope.
  */
 
 import {
@@ -77,6 +79,9 @@ import {
   writeSessionClosedMarker,
   sessionClosedMarkerPath,
   hypoIsClean,
+  extractTouchedWikiFiles,
+  closeFileTargets,
+  partitionLintScope,
 } from '../hooks/hypo-shared.mjs';
 
 const LINT_SCRIPT = join(dirname(fileURLToPath(import.meta.url)), 'lint.mjs');
@@ -117,6 +122,7 @@ function parseArgs(argv) {
     sessionId: null,
     payload: null,
     force: false,
+    transcriptPath: null,
   };
   for (const arg of argv.slice(2)) {
     if (arg.startsWith('--hypo-dir=')) args.hypoDir = expandHome(arg.slice(11));
@@ -126,6 +132,7 @@ function parseArgs(argv) {
     else if (arg === '--mark-session-closed') args.markSessionClosed = true;
     else if (arg.startsWith('--session-id=')) args.sessionId = arg.slice(13);
     else if (arg.startsWith('--payload=')) args.payload = arg.slice(10);
+    else if (arg.startsWith('--transcript-path=')) args.transcriptPath = expandHome(arg.slice(18));
     else if (arg === '--force') args.force = true;
     else if (arg === '--json') args.json = true;
   }
@@ -246,7 +253,7 @@ function writeIfChanged(path, content) {
  * Append `entry` to `path` only if `alreadyPresent(content)` is false.
  * Atomic: rebuilds the full file content and writes via atomicWrite — a crash
  * mid-append cannot leave log.md or session-log/YYYY-MM.md half-written, which
- * matters for these append-only history files (codex review of fix #38).
+ * matters for these append-only history files.
  */
 function appendIfAbsent(path, entry, alreadyPresent) {
   let content = '';
@@ -350,13 +357,58 @@ function runMarkSessionClosed(args) {
     if (args.json) {
       console.log(JSON.stringify(result, null, 2));
     } else {
-      console.log(`✗ session-close gate not satisfied — marker not written (project: ${status.project || '(unresolved)'}):`);
+      console.log(
+        `✗ session-close gate not satisfied — marker not written (project: ${status.project || '(unresolved)'}):`,
+      );
       for (const f of status.missing) console.log(`  ✗ ${f} (missing)`);
       for (const f of status.stale) console.log(`  ✗ ${f} (stale)`);
       if (!git.clean) console.log(`  ✗ git: ${git.reason}`);
     }
     process.exit(1);
   }
+  // Bug A coherence: the marker suppresses the Stop hook, but PreCompact blocks
+  // on lint. If a transcript is provided, refuse the marker when THIS session's
+  // own files (edited ∪ mandatory close files) carry lint errors — otherwise
+  // Stop would pass only for /compact to immediately re-block. No transcript →
+  // legacy freshness+git recovery path (lint left to PreCompact).
+  if (args.transcriptPath) {
+    let scopedLint = null;
+    try {
+      scopedLint = runLint(args.hypoDir);
+    } catch (err) {
+      // Lint crash → fail-open (never strand the marker writer on tooling), same
+      // posture as the PreCompact hook.
+      process.stderr.write(
+        `[crystallize] mark-session-closed lint skipped: ${err?.message ?? err}\n`,
+      );
+    }
+    if (scopedLint) {
+      const scope = new Set([
+        ...extractTouchedWikiFiles(args.transcriptPath, args.hypoDir),
+        ...closeFileTargets(args.hypoDir),
+      ]);
+      const { blocking } = partitionLintScope(scopedLint.errors || [], scope);
+      if (blocking.length > 0) {
+        const files = [...new Set(blocking.map((b) => b.file))];
+        const result = {
+          ok: false,
+          session_id: args.sessionId,
+          project: status.project,
+          lint_blockers: files,
+          error: "session-close gate not satisfied — lint errors in this session's files",
+        };
+        if (args.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          console.log(
+            `✗ lint errors in files this session touched — marker not written (fix then re-run):`,
+          );
+          for (const b of blocking) console.log(`  ✗ ${b.file}: ${b.message}`);
+        }
+        process.exit(1);
+      }
+    }
+  }
   writeSessionClosedMarker(args.hypoDir, args.sessionId, { project: status.project });
   // Marker writer swallows IO errors (best-effort, see hypo-shared.mjs). Verify
   // the file actually landed before claiming success — otherwise CLI exits 0
@@ -364,7 +416,11 @@ function runMarkSessionClosed(args) {
   // Codex Worker-2 CONCERN (pre-commit review).
   if (!existsSync(sessionClosedMarkerPath(args.hypoDir, args.sessionId))) {
     const err = 'marker file did not land after write (likely .cache permission/disk issue)';
-    console.log(args.json ? JSON.stringify({ ok: false, session_id: args.sessionId, error: err }, null, 2) : `✗ ${err}`);
+    console.log(
+      args.json
+        ? JSON.stringify({ ok: false, session_id: args.sessionId, error: err }, null, 2)
+        : `✗ ${err}`,
+    );
     process.exit(1);
   }
   const result = {
@@ -376,7 +432,9 @@ function runMarkSessionClosed(args) {
   if (args.json) {
     console.log(JSON.stringify(result, null, 2));
   } else {
-    console.log(`✓ session-closed marker written (session_id: ${args.sessionId}, project: ${status.project}).`);
+    console.log(
+      `✓ session-closed marker written (session_id: ${args.sessionId}, project: ${status.project}).`,
+    );
   }
   process.exit(0);
 }
@@ -469,6 +527,19 @@ function applySessionClose(args) {
   if (payload.rootHot) overwriteTargets.add('hot.md');
   if (payload.openQuestions) overwriteTargets.add(join('pages', 'open-questions.md'));
 
+  // Bug B: the documented close path must not be blocked by lint debt OUTSIDE
+  // the files it writes (other projects, shared pages this close did not author).
+  // payloadScope = every file this apply writes or appends. Both lint passes are
+  // judged against it; errors elsewhere are surfaced as notices, never blocking.
+  const payloadScope = new Set([
+    join('projects', project, 'session-state.md'),
+    join('projects', project, 'hot.md'),
+    'hot.md',
+    join('projects', project, 'session-log', `${ym}.md`),
+    'log.md',
+    ...(payload.openQuestions ? [join('pages', 'open-questions.md')] : []),
+  ]);
+
   let preflightLint;
   try {
     preflightLint = runLint(args.hypoDir);
@@ -477,7 +548,13 @@ function applySessionClose(args) {
     console.log(args.json ? JSON.stringify(out, null, 2) : `✗ ${e.message}`);
     process.exit(1);
   }
-  const blockingErrors = preflightLint.errors.filter((e) => !overwriteTargets.has(e.file));
+  // Block only on errors in payload files we are NOT about to overwrite (append
+  // targets — session-log, log.md — can't be repaired by appending, so existing
+  // corruption there must block). Overwrite targets are about to be replaced;
+  // out-of-scope debt is not this close's concern (Bug B).
+  const blockingErrors = preflightLint.errors.filter(
+    (e) => payloadScope.has(e.file) && !overwriteTargets.has(e.file),
+  );
   if (blockingErrors.length > 0) {
     const out = {
       ok: false,
@@ -538,14 +615,19 @@ function applySessionClose(args) {
 
   const verification = sessionCloseFileStatus(args.hypoDir);
 
-  // Fix #40 post-apply lint: payload may have introduced a broken wikilink or
-  // a malformed session-state body. Surface as a distinct `stage` so caller can
-  // tell "lint broke" apart from "frontmatter stale". This runs even if the
-  // freshness gate also failed — both failure modes are useful to the caller.
+  // Fix #40 post-apply lint: payload may have introduced a malformed body or
+  // bad frontmatter. Surface as a distinct `stage` so caller can tell "lint
+  // broke" apart from "frontmatter stale". This runs even if the freshness gate
+  // also failed — both failure modes are useful to the caller.
   let postApplyLint;
+  let postApplyCrashed = false;
   try {
     postApplyLint = runLint(args.hypoDir);
   } catch (e) {
+    // A lint crash (unparseable output) after writes is NOT scopeable — there is
+    // no reliable `file` to classify — and must stay a HARD failure, exactly as
+    // before scoping was introduced.
+    postApplyCrashed = true;
     postApplyLint = {
       ok: false,
       errors: [{ file: '(lint crash)', message: e.message }],
@@ -553,9 +635,24 @@ function applySessionClose(args) {
     };
   }
 
-  const ok = verification.ok && postApplyLint.ok;
+  // Scope post-apply lint to payload files (Bug B): a payload-introduced error
+  // lands in a file this apply wrote, so it blocks; pre-existing debt elsewhere
+  // is a non-blocking notice. A lint crash bypasses scoping and blocks outright.
+  let postBlocking;
+  let postNotice;
+  if (postApplyCrashed) {
+    postBlocking = postApplyLint.errors;
+    postNotice = [];
+  } else {
+    ({ blocking: postBlocking, notice: postNotice } = partitionLintScope(
+      postApplyLint.errors || [],
+      payloadScope,
+    ));
+  }
+  const postLintOk = !postApplyCrashed && postBlocking.length === 0;
+  const ok = verification.ok && postLintOk;
 
-  // fix #27 PR-C (ADR 0022 amendment 2026-05-19): auto-write the per-session
+  // ADR 0022 amendment 2026-05-19: auto-write the per-session
   // closed marker on a verified close. Hook authority is read-only; this is
   // one of the two writer paths (the other is --mark-session-closed standalone).
   // Marker requires BOTH file/lint gate (already in `ok`) AND clean git tree —
@@ -573,7 +670,7 @@ function applySessionClose(args) {
   }
   const stage = ok
     ? null
-    : !verification.ok && !postApplyLint.ok
+    : !verification.ok && !postLintOk
       ? 'post-apply-verification+lint'
       : !verification.ok
         ? 'post-apply-verification'
@@ -587,6 +684,9 @@ function applySessionClose(args) {
     skipped,
     verification,
     lint: { preflight: preflightLint, postApply: postApplyLint },
+    // Pre-existing lint debt in files this close did not author (Bug B): surfaced
+    // for visibility, never gated. Empty on a clean vault.
+    notices: [...new Set(postNotice.map((e) => e.file))],
   };
 
   if (args.json) {
@@ -606,12 +706,21 @@ function applySessionClose(args) {
         console.log(`\n✗ session-close still incomplete after apply: ${bad}`);
         console.log('  Fix the payload (likely an `updated:` field) and retry.');
       }
-      if (!postApplyLint.ok) {
+      if (!postLintOk) {
         console.log('\n✗ post-apply lint failed:');
-        for (const e of postApplyLint.errors) console.log(`  ✗ ${e.file}: ${e.message}`);
+        for (const e of postBlocking) console.log(`  ✗ ${e.file}: ${e.message}`);
         console.log('  Payload introduced a lint blocker — fix the payload content and retry.');
       }
     }
+    if (postNotice.length > 0) {
+      console.log(
+        `\n· ${postNotice.length} pre-existing lint issue(s) in untouched files (not blocking): ${[
+          ...new Set(postNotice.map((e) => e.file)),
+        ]
+          .slice(0, 5)
+          .join(', ')}${postNotice.length > 5 ? ', …' : ''}`,
+      );
+    }
   }
   process.exit(ok ? 0 : 1);
 }

package/scripts/doctor.mjs

@@ -31,7 +31,8 @@ import {
   EXT_TYPES,
   CODEX_TYPES,
 } from './lib/extensions.mjs';
-import { sha256, readFileIfRegular } from './lib/pkg-json.mjs';
+import { sha256, readFileIfRegular, readPkgJson } from './lib/pkg-json.mjs';
+import { resolveCliOnPath, classifyInstall } from '../hooks/version-check.mjs';
 
 const HOME = homedir();
 const SCRIPT_DIR = fileURLToPath(new URL('.', import.meta.url));
@@ -221,7 +222,7 @@ function checkDirectories(hypoDir) {
     'projects',
     'sources',
     // Extensions baseline (ADR 0024). Existence only — SHA / settings /
-    // manifest integrity is E5 (#33).
+    // manifest integrity is E5 (fix #33).
     'extensions/hooks',
     'extensions/commands',
     'extensions/skills',
@@ -306,10 +307,10 @@ function checkSettingsJson() {
     fail('settings.json hook registrations', `0/${total} registered — run /hypo:init`);
   }
 
-  // fix #7: stale hypo-* entries (uninstall remnants).
+  // stale hypo-* entries (uninstall remnants).
   // hypo-ext-* commands are user-extension entries (ADR 0024) — not core hooks,
   // so they are intentionally absent from HOOK_MAP. Excluded here; their
-  // integrity (SHA + manifest + entry match) is checked separately in E5 (#33).
+  // integrity (SHA + manifest + entry match) is checked separately in E5 (fix #33).
   const isExtCommand = (cmd) => /(?:^|[/\s])hypo-ext-[^/\s]+\.mjs(?=$|["'\s])/.test(cmd);
   const expectedCmds = new Set(
     Object.entries(HOOK_MAP).flatMap(([, files]) =>
@@ -342,7 +343,7 @@ function checkSettingsJson() {
     pass('settings.json stale hypo-* entries', 'None');
   }
 
-  // fix #7: duplicate hypo-* entries per event
+  // duplicate hypo-* entries per event
   const dupes = [];
   for (const [event, groups] of Object.entries(settings.hooks || {})) {
     if (!Array.isArray(groups)) continue;
@@ -351,7 +352,7 @@ function checkSettingsJson() {
       if (!g || typeof g !== 'object') continue;
       for (const h of g.hooks || []) {
         if (typeof h.command !== 'string' || !/hypo-[^/]+\.mjs/.test(h.command)) continue;
-        if (isExtCommand(h.command)) continue; // ext duplicates are E5's concern (#33)
+        if (isExtCommand(h.command)) continue; // ext duplicates are E5's concern (fix #33)
         if (seen.has(h.command)) dupes.push(`${event}:${h.command}`);
         else seen.add(h.command);
       }
@@ -538,12 +539,12 @@ function checkSyncState(hypoDir) {
 }
 
 function checkProjectSuggestions(hypoDir) {
-  // fix #23 / ADR 0023: the auto-project skip-persistence store. Absent file is
+  // ADR 0023: the auto-project skip-persistence store. Absent file is
   // healthy (no offers declined yet). Validate the RAW JSON shape here rather
   // than via readProjectSuggestions(): that helper deliberately normalizes a
   // non-array `skips` to [] for fail-open hook reads, which would mask a
-  // malformed file and silently break permanent "N" suppression (codex review
-  // 2026-05-22). Doctor must catch the malformation the helper hides.
+  // malformed file and silently break permanent "N" suppression. Doctor must
+  // catch the malformation the helper hides.
   const path = projectSuggestionsPath(hypoDir);
   if (!existsSync(path)) {
     pass('Auto-project suggestions', 'No skip-persistence file (clean)');
@@ -1008,6 +1009,40 @@ function checkFeedbackProjection(hypoDir, claudeHome, projectId) {
   }
 }
 
+// ── stale sibling install (ADR 0038, D) ──────────────────────────────────────
+//
+// Detect a SECOND, older Hypomnema that owns the `hypomnema` bin on PATH while a
+// newer copy owns the active hooks. That sibling is a footgun: `hypomnema init` /
+// `upgrade --apply` routed through it downgrades the active hooks. This is a
+// detective backstop to the preventive init/upgrade guard — but it must NOT be
+// the only surface, since `hypomnema doctor` invoked via the stale CLI would run
+// the OLD doctor (the active-hook notifier covers that live case). fs-only.
+function checkStaleSibling() {
+  const active = readPkgJson(join(HOME, '.claude', 'hypo-pkg.json'));
+  if (!active || !active.pkgVersion) {
+    pass('PATH CLI vs active install', 'no active metadata (skipped)');
+    return;
+  }
+  const cli = resolveCliOnPath('hypomnema');
+  if (!cli) {
+    pass('PATH CLI vs active install', `no \`hypomnema\` on PATH (active v${active.pkgVersion})`);
+    return;
+  }
+  const verdict = classifyInstall(
+    { pkgRoot: cli.pkgRoot, version: cli.version },
+    { pkgRoot: active.pkgRoot, version: active.pkgVersion },
+  );
+  if (verdict === 'downgrade') {
+    warn(
+      'PATH CLI vs active install',
+      `stale sibling: \`${cli.binPath}\` is v${cli.version}, active is v${active.pkgVersion} — ` +
+        `running it would DOWNGRADE hooks. Remove with \`npm uninstall -g hypomnema\``,
+    );
+  } else {
+    pass('PATH CLI vs active install', `v${cli.version} (active v${active.pkgVersion})`);
+  }
+}
+
 // ── main ─────────────────────────────────────────────────────────────────────
 
 const args = parseArgs(process.argv);
@@ -1023,6 +1058,7 @@ if (rootOk) {
 }
 checkHooks();
 checkSettingsJson();
+checkStaleSibling();
 if (args.codex) checkCodexPaths();
 if (rootOk) checkExtensions(args.hypoDir, args.claudeHome, 'claude');
 if (rootOk && args.codex) checkExtensions(args.hypoDir, args.claudeHome, 'codex');

package/scripts/feedback-sync.mjs

@@ -205,7 +205,7 @@ function regionHasIntruders(content) {
   return span.trim().length > 0;
 }
 
-// ── projection targets (descriptor abstraction — ADR 0032 reuse) ──────────────
+// ── projection targets (descriptor abstraction) ──────────────────────────────
 
 const PUBLIC_SENSITIVITY = new Set(['public', 'sanitized']);
 
@@ -439,7 +439,7 @@ function applyTarget(target, res) {
   }
 }
 
-// ── project-id derivation (contract §5, OQ-31.3) ──────────────────────────────
+// ── project-id derivation ─────────────────────────────────────────────────────
 
 function deriveProjectId(args) {
   if (args.projectId) return { id: args.projectId, derived: false, exists: true };
@@ -602,7 +602,7 @@ function bootstrapDraftContent({ title, summary, body, date, origin }) {
     `title: ${title}`,
     'type: feedback',
     'status: draft',
-    'scope: TODO              # global | project:<slug>',
+    'scope: TODO              # global | project:<project-id>',
     'tier: TODO               # L1 (CLAUDE.md <learned_behaviors> candidate) | L2',
     'targets: [project-memory]   # + claude-learned for a global L1 rule',
     'sensitivity: public      # public | sanitized (private is forbidden)',
@@ -660,13 +660,18 @@ function existingPageSlugs(hypoDir) {
   );
 }
 
-// --bootstrap: read the two legacy projection surfaces (CLAUDE.md
-// <learned_behaviors> + MEMORY.md feedback_* index) and scaffold drafts.
-function runBootstrap(args) {
-  const draftsDir = join(args.hypoDir, 'pages', 'feedback', '_drafts');
-  const existing = existingPageSlugs(args.hypoDir);
-  const report = { mode: 'bootstrap', dryRun: args.dryRun, created: [], skipped: [] };
+// Source loader for --bootstrap (input side, symmetric with the output-side
+// target descriptors): read the two legacy projection surfaces — CLAUDE.md
+// <learned_behaviors> + the project MEMORY.md feedback_* index — and shape them
+// into ordered draft candidates. CLAUDE candidates come first (file order from
+// parseLearnedBehaviors), then MEMORY (parseMemoryIndex order); this order drives
+// duplicate handling in runBootstrap, so it must be preserved. Returns
+// { candidates, warnings, skipped } where `skipped` carries the unsafe MEMORY
+// slugs the loader could not sanitize (seeded into report.skipped before the
+// dedup loop appends its own skips).
+function loadBootstrapSources(args) {
   const warnings = [];
+  const skipped = [];
   const candidates = [];
 
   const claudeFile = join(args.claudeHome, 'CLAUDE.md');
@@ -692,7 +697,7 @@ function runBootstrap(args) {
     for (const e of parseMemoryIndex(readFileSync(memFile, 'utf-8'))) {
       const slug = safeDraftSlug(e.name.replace(/_/g, '-'));
       if (!slug) {
-        report.skipped.push({ slug: e.name, reason: 'unsafe-slug' });
+        skipped.push({ slug: e.name, reason: 'unsafe-slug' });
         continue;
       }
       candidates.push({
@@ -710,6 +715,17 @@ function runBootstrap(args) {
     );
   }
 
+  return { candidates, warnings, skipped };
+}
+
+// --bootstrap: load the two legacy projection surfaces (loadBootstrapSources)
+// and scaffold one draft per deduped candidate.
+function runBootstrap(args) {
+  const draftsDir = join(args.hypoDir, 'pages', 'feedback', '_drafts');
+  const existing = existingPageSlugs(args.hypoDir);
+  const { candidates, warnings, skipped } = loadBootstrapSources(args);
+  const report = { mode: 'bootstrap', dryRun: args.dryRun, created: [], skipped: [...skipped] };
+
   const seen = new Set();
   for (const c of candidates) {
     if (seen.has(c.slug)) {
@@ -736,20 +752,33 @@ function runBootstrap(args) {
   return { code: 0, report, warnings };
 }
 
-// --import-target-change --from=<memory|claude>: capture hand-edited (conflict)
-// managed blocks back into drafts so the human can reconcile them into the SoT.
-function runImport(args) {
+// Source loader for --import-target-change (input side): select the target
+// projection file (CLAUDE.md or the project MEMORY.md), read it, and return the
+// managed blocks whose inner content no longer matches their marker hash
+// (hand-edited = conflict). This IS the import contract — findBlocks + hash-
+// mismatch filter, NOT projection evaluation. Returns { file, conflicts } or
+// { error } for an invalid --from / missing target file.
+function loadImportConflicts(args) {
   if (args.from !== 'memory' && args.from !== 'claude') {
-    return { code: 1, error: '--import-target-change requires --from=memory|claude' };
+    return { error: '--import-target-change requires --from=memory|claude' };
   }
   const file =
     args.from === 'claude'
       ? join(args.claudeHome, 'CLAUDE.md')
       : join(args.claudeHome, 'projects', deriveProjectId(args).id, 'memory', 'MEMORY.md');
-  if (!existsSync(file)) return { code: 1, error: `target file not found: ${file}` };
+  if (!existsSync(file)) return { error: `target file not found: ${file}` };
 
   const { blocks } = findBlocks(readFileSync(file, 'utf-8'));
   const conflicts = blocks.filter((b) => b.actualHash !== b.declaredHash);
+  return { file, conflicts };
+}
+
+// --import-target-change --from=<memory|claude>: capture hand-edited (conflict)
+// managed blocks back into drafts so the human can reconcile them into the SoT.
+function runImport(args) {
+  const src = loadImportConflicts(args);
+  if (src.error) return { code: 1, error: src.error };
+  const { file, conflicts } = src;
   const report = { mode: 'import', from: args.from, dryRun: args.dryRun, imported: [] };
   const warnings = [];
   if (!conflicts.length) {

package/scripts/feedback.mjs

@@ -19,7 +19,7 @@
  *   --title=<text>          Frontmatter title (default: topic)
  *
  * Classification (lint #8 schema — required on create):
- *   --scope=<v>             global | project:<slug>           (required)
+ *   --scope=<v>             global | project:<project-id>     (required)
  *   --tier=<v>              L1 | L2                            (required)
  *   --targets=<list>        comma list of project-memory,claude-learned (default: project-memory)
  *   --sensitivity=<v>       public | sanitized                (default: public)
@@ -47,6 +47,7 @@ import { join } from 'path';
 import { spawnSync } from 'child_process';
 import { fileURLToPath } from 'url';
 import { resolveHypoRoot, expandHome } from './lib/hypo-root.mjs';
+import { FEEDBACK_SCOPE_RE } from './lib/feedback-scope.mjs';
 
 const SCRIPT_DIR = fileURLToPath(new URL('.', import.meta.url));
 
@@ -120,7 +121,6 @@ function listTopics(hypoDir) {
 
 // ── classification validation (mirrors lint #8 / ADR 0031 §6) ──────────────────
 
-const SCOPE_RE = /^(global|project:[a-z0-9][a-z0-9-]*)$/;
 const TIER_ENUM = ['L1', 'L2'];
 const SENSITIVITY_ENUM = ['public', 'sanitized']; // private is forbidden (wiki is git-public)
 const TARGET_ENUM = ['project-memory', 'claude-learned'];
@@ -135,8 +135,8 @@ function parseTargets(raw) {
 // Validate the create-mode classification. Returns an array of error strings.
 function validateClassification(args, targets) {
   const errs = [];
-  if (!args.scope) errs.push('--scope is required (global | project:<slug>)');
-  else if (!SCOPE_RE.test(args.scope)) errs.push(`--scope invalid: "${args.scope}"`);
+  if (!args.scope) errs.push('--scope is required (global | project:<project-id>)');
+  else if (!FEEDBACK_SCOPE_RE.test(args.scope)) errs.push(`--scope invalid: "${args.scope}"`);
   if (!args.tier) errs.push('--tier is required (L1 | L2)');
   else if (!TIER_ENUM.includes(args.tier)) errs.push(`--tier invalid: "${args.tier}"`);
   if (!SENSITIVITY_ENUM.includes(args.sensitivity))
@@ -222,7 +222,7 @@ function renderPage(args, targets, today) {
 // it the freshest correction, so it should sort first. Rewrite the `updated:`
 // line ONLY inside the leading frontmatter block (between the first pair of
 // `---` fences). A naive multiline replace would also rewrite any body line that
-// happens to start with "updated:" (codex review) — so we scope to the fence.
+// happens to start with "updated:" — so we scope to the fence.
 function bumpUpdated(content, today) {
   const m = content.match(/^---\n([\s\S]*?)\n---/);
   if (!m) return content; // no frontmatter → nothing to bump