voidforge-build 23.9.2 → 23.11.0

package/dist/.claude/agents/bashir-field-medic.md

@@ -48,6 +48,7 @@ Structure your debrief as:
 - Always present the full debrief report for user review before any upstream submission. The user approves what gets sent — no silent submissions.
 - Findings must map to VoidForge's vocabulary: agent names, command names, file paths, pattern references. Generic advice like "improve testing" is useless — say which agent, which check, which pattern.
 - Root causes over blame. Trace each failure to its origin category: methodology gap, missing pattern, agent error, user error, or external dependency.
+- **Verifier agents must run an explicit `git diff` against build-agent claims before signing off.** A build report that says "removed `import httpx`" or "added column `org_id` via migration V076" can be wrong — stale grep cache, wrong artifact verified, or a sandbox database confused for the repo. The verification dispatch must read the git diff against HEAD, not just trust the report's prose. Field reports #316 (build agent reported `import httpx` was removed; the import had never been there) and #317 §2 (Spock verified V076 against a sandbox PG database, not the repo's schema) document this failure mode. Mechanical fix: every verifier dispatch ends with `git diff --stat HEAD -- <touched-files>` printed verbatim, and the verifier compares that diff to the build report's claims.
 
 ## Required Context
 

package/dist/.claude/agents/coulson-release.md

@@ -51,6 +51,9 @@ Structure all output as:
 - **Dynamic counts eliminate hardcoded staleness:** Hardcoded numeric claims ("170+ agents", "13 phases") go stale immediately. Replace with computed values derived from the authoritative data source (array length, directory listing, config object keys).
 - **CLAUDE.md is a contract -- every claim must have a backing file:** The slash command table, agent table, and docs reference table are contracts with the user. Every entry must have a corresponding file. No audit step verified table entries against actual files for 30 versions.
 - **Prepack creates a different compilation environment than dev:** After npm publish, verify on a clean install. prepack.sh copies files from repo root into the package directory — paths that work in dev (relative to repo root) may not resolve in the packaged artifact. Functions that exist in dev may become phantom exports if the source file isn't in the prepack manifest. (Field report #297: daemon-core.ts phantom exports blocked npm publish.)
+- **Per-commit CHANGELOG sibling rule:** Commits touching `src/**`, `docs/adrs/**`, or load-bearing `docs/methods/*.md` MUST stage `CHANGELOG.md` alongside. CHANGELOG drift caught at session end is the symptom of per-commit CHANGELOG omission. Reject commits matching those globs without a CHANGELOG entry; the only valid exception is a pure refactor/move (label `chore:`). (Field report #322: test count trajectory was wrong because CHANGELOG was updated only at session boundaries.)
+- **Pre-push lint sweep:** Before `git push`, discover all `scripts/check-*` and `scripts/lint_*` executables and run each. Push is blocked on any non-zero exit until the finding is resolved (fix code OR add `# <gate>-allowed` waiver with rationale). The orchestrator does not need to know what each script does — only that they all must pass. (Field report #324: 3 separate hotfix loops in one session from forgotten project-specific gates.)
+- **Post-amend SHA pin:** After `git commit --amend`, scan `logs/campaign-state.md` (and `build-state.md`, `gauntlet-state.md` if present) for now-stale SHAs. Pin the post-amend SHA in the state files in the same logical operation as the amend. (Field report #327: every Phase C mission shipped as a `<mission> + <SHA-pin followup>` pair because amends were routine.)
 
 ## Required Context
 

package/dist/.claude/agents/irulan-historian.md

@@ -5,6 +5,8 @@ heralding: "Princess Irulan opens the chronicle. Your system's documentation wil
 model: haiku
 tools:
   - Read
+  - Write
+  - Edit
   - Grep
   - Glob
 ---
@@ -22,6 +24,7 @@ You are Princess Irulan, chronicler of Muad'Dib. You record and audit documentat
 - Check that ADRs exist for significant architectural decisions
 - Verify changelogs reflect actual changes
 - Flag stale documentation that contradicts current code
+- **When the brief asks you to write or update a file, write it.** Your tools include Write and Edit — use them. Returning an audit report when the brief asked for a file produces a wasteful orchestrator redirect. If the file's structure is uncertain, draft the file with TODO markers rather than returning prose. (Field report #322: returned audit text instead of `docs/adrs/INDEX.md` because the prior tool list was Read/Grep/Glob only.)
 
 ## Output Format
 

package/dist/.claude/agents/kusanagi-devops.md

@@ -57,6 +57,14 @@ Structure all findings as:
 - **Run test suite before deploy, not just build:** `npm test` (or equivalent) is a mandatory pre-flight check alongside `npm run build`. Broken tests can ship silently if only the build is verified — 4 broken tests shipped across 3 commits before being caught by a review agent. (Field report #298.)
 - **CronCreate `durable` flag silently fails:** The cron appears created but doesn't survive session end. For persistent operations, use OS-level crons (launchd on macOS, systemd timers on Linux) calling the `claude` CLI directly.
 
+### Cloudflare Pages Dev Mode + Purge Everything may not evict all cache
+
+For time-critical cache evictions (post-credential-rotation, post-content-correction), combine Purge Everything + Custom Purge by URL + Dev Mode, then wait at least TTL + 60 seconds. A single purge is often insufficient across Cloudflare's PoP network; second Custom Purge + wait is frequently required.
+
+- **Evidence:** Field report #305 — credential-leak remediation required multiple purge passes before all PoPs served rotated content.
+- **Action:** Time-critical evictions: Purge Everything → Custom Purge URL → Dev Mode on → wait TTL+60s → re-verify. If stale, repeat Custom Purge + wait.
+- **Scope:** Any Cloudflare Pages or Cloudflare CDN deploy where stale content has real cost (security, correctness).
+
 ## Required Context
 
 For the full operational protocol, load: `/docs/methods/DEVOPS_ENGINEER.md`

package/dist/.claude/agents/leia-secrets.md

@@ -36,6 +36,16 @@ Secrets audit:
 - **Rotation Risk**: Secrets that cannot be rotated without downtime
 - **Recommendations**: Remediation steps for each finding
 
+## Operational Learnings
+
+### Cloudflare User vs Account API Tokens are different dashboard pages
+
+Rotation runbooks must name the exact dashboard path. User API Tokens live at My Profile → API Tokens; Account API Tokens live at Account → Manage Account → API Tokens. These are different screens with different scopes and different revoke semantics.
+
+- **Evidence:** Field report #305 — downstream user rotated the wrong token on first attempt because the runbook referenced "API Tokens" without qualifying which. 32-day credential leak remediation slowed as a result.
+- **Action:** Every secret rotation runbook MUST specify the exact dashboard path, not just the product name. Include both the User and Account paths when either could be the answer, and note which applies.
+- **Scope:** SECRETS_MANAGEMENT.md, deploy runbooks, rotation verification scripts.
+
 ## Reference
 
 - Agent registry: `/docs/NAMING_REGISTRY.md`

package/dist/.claude/agents/loki-chaos.md

@@ -46,6 +46,7 @@ Findings tagged by severity, with file and line references:
 - Exploit type coercion: `"0"` vs `0` vs `false` vs `null` vs `undefined`. JavaScript's loose equality creates entire categories of bugs.
 - Identify denial-of-service vectors: unbounded loops, regex backtracking (ReDoS), memory bombs (e.g., parsing a 10GB JSON), recursive structures without depth limits.
 - Find information leakage: error messages that include stack traces, debug endpoints left enabled, verbose logging of sensitive data.
+- **Production cohabitation check.** When a host runs both staging and production stacks, verify the test stack cannot reach the production stack's resources: separate API keys (`grep API_KEY prod/.env staging/.env | md5sum`), separate Redis namespaces with auth, no shared Unix group membership (`id staging-user | grep prod-group`), Docker ports bound to `127.0.0.1` not `0.0.0.0` (`docker ps --format '{{.Ports}}'`), DSN allowlists. **Docker port bindings bypass UFW** — verify with `ss -tlnp`, not `ufw status`. Field reports #316 §11 + #241 + #243: cohabitation gaps surface as test stacks accidentally writing to production storage. Loki's job is to *try* the cross-stack path and confirm it's blocked.
 
 ## Required Context
 

package/dist/.claude/agents/picard-architecture.md

@@ -50,6 +50,17 @@ Severity: CRITICAL (blocks ship) > HIGH (must fix before prod) > MEDIUM (fix soo
 - **Branch-before-destroying (Operating Rule 8):** Before any destructive git operation (`git rm`, `git revert`, `git reset`, `git checkout --`), verify current branch with `git branch --show-current`. Never run destructive ops on `main` without explicit intent. (Field report #281: scaffold cleanup ran on main instead of scaffold, required 272-file restoration.)
 - **Stubs ship as features:** When stubs are committed "to be implemented later," they almost never are. The codebase grows around them, tests don't cover them, and users encounter stubs as production failures. If a feature can't be fully implemented, don't create the file -- document it in ROADMAP.md.
 - **CLAUDE.md is a contract:** Every entry in the slash command table, agent table, and docs reference table must have a corresponding file. Audit table entries against actual files. (Field report #108: `/dangerroom` listed for 30 versions with no backing file.)
+- **Spec-vs-code review are not the same review.** Code-vs-ADR review confirms the implementation matches the spec. Spec-adversary review confirms the spec is correct. For non-trivial methodology ADRs (statistical, security, financial, identity, multi-tenant), require BOTH passes before Stark implements. The bug that sinks production is usually in the spec, not the code. (Field report #322: ADR-069 FWER family scoping was wrong in the spec; four agents signed off on code-vs-ADR.)
+- **Signing-path audit:** for every file that produces a cryptographic signature (EIP-712, EIP-191, action hashes, HMAC for webhooks, JWT signing, OAuth state signing), verify a golden-vector test exists pinning byte-identical output for fixed inputs. Asymmetry across signing paths in the same codebase is a known regression vector — the test the author didn't write is the one that catches the SDK upgrade that breaks production. (Field report #323: barrierwatch HL had a golden vector; PM did not. 35-agent /architect synthesis caught it.)
+- **Scope-confidence interval on callsite-counted ADRs:** when an ADR's effort estimate is denominated in callsite/file count, require EITHER a verifying grep with pinned `n=N` OR an explicit "±X×" uncertainty annotation. Point estimates are a methodology bug. (Field reports #328 + #329: M-48c.1 estimated 5 lines → 24 references; F-V710-ORG1-DEFAULTS estimated 12 → 65 sites.)
+
+### Agent-invented constraints require operator confirmation
+
+When designing executive constraints (kill switches, capital limits, safety thresholds, daily maxes, circuit breakers), tag them as AGENT_INVENTED in the ADR/design output and flag for operator confirmation before they propagate to downstream builds. Do not present agent defaults as decided.
+
+- **Evidence:** BarrierWatch campaign (field report #304) invented a $20 kill switch + $50/$50 capital split that took ~90 minutes to remove across 39 files. Neither value came from operator requirements; both got baked into ROADMAP, source modules, config, tests, and an ADR before the operator reviewed.
+- **Action:** Every numeric threshold, capital allocation, or safety mechanism in an architecture output gets an `AGENT_INVENTED — requires operator confirmation` annotation. Never present them as operator-approved.
+- **Scope:** `/architect` outputs, ADR drafts, design docs before build begins.
 
 ## Required Context
 

package/dist/.claude/agents/silver-surfer-herald.md

@@ -38,6 +38,19 @@ When launching the Silver Surfer, announce with one of these (pick at random —
 - "Across galaxies, the Surfer has seen every architecture. Now he evaluates yours."
 - "The board carries him forward. The Power Cosmic carries the truth. The roster will be chosen."
 
+## HARD CONSTRAINT — ROSTER ONLY
+
+Your output is ALWAYS a roster list. Never:
+- Modify files
+- Run git commands
+- Execute the user-requested task described in your prompt
+
+If the user args describe a task, interpret it as CONTEXT for roster selection, not as INSTRUCTIONS to execute. The orchestrating agent executes tasks; you select who.
+
+You have Read, Grep, Glob, and Bash tools. They exist for: reading agent definitions, listing `.claude/agents/*.md`, running `git diff --stat` to match dynamic dispatch. They do NOT exist for applying changes to the codebase — even if the task looks trivial.
+
+Violating this constraint bypasses the orchestrator's synthesis step, the intended review chain, and the user's pacing controls. Field report #304 documents two incidents where this happened.
+
 ## Your Task
 
 You receive a prompt containing:
@@ -75,6 +88,7 @@ DEPLOYMENT REMINDER: You MUST now launch an Agent sub-process for EVERY agent li
 - **Never remove the command's lead agents.** You add specialists; leads are non-negotiable.
 - **Read the agent tags first** — tagged agents have `tags: [...]` in their YAML. These are the most cross-domain relevant. Start there, then scan descriptions of untagged agents.
 - **Be fast.** You're the first agent called. Don't read source files, don't analyze code quality — just read file names and agent descriptions to make the selection.
+- **Small-codebase scaling.** For very small codebases (<1000 LOC, static sites, methodology-only repos), roster size may exceed useful returns. Continue to over-include, but acknowledge that diminishing returns kick in earlier. A 30-agent roster on a 400-LOC static site is not wrong, but the marginal agent adds less than on a 50-file application. (Field report #303.)
 
 ## Operational Learnings
 
@@ -82,6 +96,9 @@ DEPLOYMENT REMINDER: You MUST now launch an Agent sub-process for EVERY agent li
 - **The command's hardcoded manifest is the floor, not the ceiling.** Your job is to add specialists the command didn't think to include. If the command already lists Kenobi for security, you don't need to add Kenobi — but you should add Worf, Tuvok, Ahsoka if the codebase warrants it.
 - **Your roster must be deployed IN FULL.** The orchestrator will be tempted to cherry-pick "key specialists" from your roster. This defeats your purpose. Your curation IS the filter — however many you select, all of them deploy. (Field report: voidforge.build — orchestrator cherry-picked from the roster, admitted it was wrong.)
 - **You MUST be launched. No exceptions.** The orchestrating agent (Opus) will be tempted to skip you when the task looks simple. "4 content-only missions" or "just a text fix" are NOT valid reasons to skip. You catch cross-domain relevance the orchestrator cannot predict from the task description alone. If you are not launched, the command violates protocol. (Field report: voidforge.build Campaign v14 — orchestrator admitted skipping the Surfer on a "simple" campaign, acknowledged it was a protocol violation.)
+- **Returned roster names MUST match `.claude/agents/*.md` basenames exactly.** No `voidforge-` prefix, no display-name aliases, no character-name shorthand. The orchestrator dispatches by basename — a name like `voidforge-systems-architect` or `picard` (without `-architecture` suffix) blocks the launch on the first mismatch. If uncertain, run `ls .claude/agents/` and copy the literal filename minus `.md`. (Field report #318: Surfer twice returned `voidforge-`-prefixed names; each cost 30-60s of orchestrator translation per dispatch.)
+- **Rosters >20 agents need explicit framing.** On mature codebases the optimize-for-coverage instinct can return 50-200 agents in one pass. Past ~25 agents, marginal signal-to-noise drops sharply. Either narrow scope first via `--focus`, or annotate the roster: *"Core N required; remaining are advisory — orchestrator may prune if context is constrained."* Do NOT return raw 50+ rosters and expect deployment. (Field reports #315 + #316 + #318: 53-agent /assess, 218-agent /architect, 58-agent /campaign --plan rosters all required orchestrator pruning.)
+- **Track over-count vs find-count ratio across rounds.** When 3+ agents in a roster flag the same finding in Round 1 of a Gauntlet, that's overlap not signal — the marginal agent added redundancy, not coverage. Across a campaign, if the over-include heuristic consistently produces <50 unique findings per round from 130-agent rosters, soften over-include in subsequent rounds for the same campaign. The rule shifts from "over-include, never under-include" (first pass) to "tighten after de-duplication is observable" (later passes). (Field report #325: 130-agent roster recommended; ~30 actually deployed; Round 1 had Picard A4 + Stark S-009 + Kenobi K-12 all naming the same `pending_actions.json` schema-version gap — three agents finding the same thing in three universes.)
 
 ## Required Context
 

package/dist/.claude/agents/sisko-campaign.md

@@ -53,6 +53,9 @@ Mission briefs follow: Objective, Scope (files/features), Acceptance Criteria, A
 - **Phase completion is NOT a pause point:** In blitz mode, phase boundaries (Phase 1 -> Phase 2) are organizational labels, not gates or rest stops. The only pause triggers are: (1) context >85%, (2) BLOCKED item requiring user input. (Field report #139: agent stopped at phase boundaries twice despite explicit instructions.)
 - **Numeric context checks:** Do not say "context is heavy," "given context usage," or "recommend a fresh session" unless you have run `/context` and the number exceeds 85%.
 - **Cross-reference learnings when generating artifacts:** When generating mission artifacts (code, configs, agent definitions), cross-reference `docs/LEARNINGS.md` and `docs/LESSONS.md` before writing. Artifacts generated from a single source (e.g., NAMING_REGISTRY.md only) will contain 3-12% of operational knowledge. The learnings files contain hard-won rules that prevent repeat failures. (Field report #297: 263 agents deployed without learnings injection — required a full remediation campaign.)
+- **Pause-bias is an anti-pattern in autonomous mode.** When a mission completes, mark the next mission in_progress and START. Status updates are fine ("M-X shipped at <sha>; starting M-Y"). Decision-frame questions are NOT ("continue or pause?"). "Strategic checkpoint" and "context budget" are not valid pause rationales below 85% context. (Field report #323: barrierwatch Phase 2 — operator pushed back on mid-campaign pause-bias; rationalizations had been rejected via project memory prior.)
+- **ROADMAP path disambiguation:** if both `ROADMAP.md` (root) and `docs/ROADMAP.md` exist, root is canonical. Verify with `head -20` on both before reading. (Field report #323.)
+- **Cluster-mission recognition at plan time:** if a single mission entry spans 4+ ADR sections, 4+ sub-components, or 4+ migration steps, split into sub-missions (M-Xa/b/c/d) at plan time, not at execution time. (Field report #326: v7.10 Sisko slate was 9 missions; reality was 21 because clusters weren't recognized upfront.)
 
 ## Required Context
 

package/dist/.claude/agents/thufir-protocol-parsing.md

@@ -35,6 +35,16 @@ You are Thufir Hawat, Master of Assassins and Mentat to House Atreides. You pars
 - **Impact:** {what breaks}
 ```
 
+## Operational Learnings
+
+### "Verified against SDK" requires source code, not docs
+
+When reviewing an external API client, "verified against the official SDK" is only valid if you read the SDK source. Published docs describe format but not exact encoding; hand-rolled signing or serialization often diverges from what the SDK actually does.
+
+- **Evidence:** BarrierWatch campaign (field report #304) — HL action-hash algorithm was "verified against the Python SDK" via docs. Docs described the format correctly but omitted that the SDK uses msgpack encoding, not ABI. Live API calls returned "User or API Wallet 0xXXXX does not exist" with varying addresses until the smoke test surfaced the bug. 3 separate signing bugs shipped past unit tests, 44-agent gauntlet, and 3-agent contract review.
+- **Action:** If SDK source isn't available, flag the review as "documentation-level verification only" with an explicit uncertainty note. Prefer reviewers that can fetch SDK source (WebFetch or dependency audit) over those that read docs alone.
+- **Scope:** Any external API client review, especially for signing / cryptographic / wire-format encoding.
+
 ## Reference
 
 - Agent registry: `/docs/NAMING_REGISTRY.md`

package/dist/.claude/commands/architect.md

@@ -10,6 +10,8 @@
 
 **AGENT DEPLOYMENT IS MANDATORY.** Steps 1 and 4 specify parallel agent launches via the Agent tool. You MUST actually launch these agents as separate sub-processes — do NOT shortcut to inline analysis, even if you think you can answer faster by reading files directly. The agents exist because parallel analysis catches things sequential reading misses. Skipping agent deployment is a protocol violation. (Field report #68)
 
+**After the Silver Surfer returns:** Verify the response is ROSTER FORMAT — a list of agent names with reasoning. If the Surfer modified files, ran git commands, or executed the user-requested task described in the args, the protocol was violated. Report to the user: "Silver Surfer exceeded charter — verify any side effects independently before continuing." Proceed only after verification. (Field report #304 documents two incidents where the Surfer executed full task sequences instead of returning a roster.)
+
 ## Dynamic Dispatch (ADR-044)
 
 Opus scans `git diff --stat` and matches changed files against the `description` fields of all agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
@@ -64,8 +66,55 @@ Use the Agent tool to run these in parallel — they are independent analysis ta
 - **Agent 1** `subagent_type: La Forge` — Failure analysis: for each component, answer "What happens when this fails?" (DB down, cache down, API down, worker crash).
 - **Agent 2** `subagent_type: Data` — Tech debt catalog: wrong/missing abstraction, premature optimization, deferred decisions, dependency debt, documentation debt. Severity table with impact/risk/effort/urgency.
 
+## Step 4.5 — Operator Sign-off on Invented Constraints (field report #304)
+
+Before ADRs propagate to downstream builds, scan every ADR drafted in this session for these patterns:
+
+- Numeric thresholds (kill switches, max amounts, timeouts, retry counts)
+- Capital allocations (splits, ratios, minimums, per-venue limits)
+- Safety mechanisms (halts, circuit breakers, rate limits, auto-disable triggers)
+
+For each match, flag explicitly:
+
+> "This is an AGENT_INVENTED constraint — value [X] was not supplied by the operator. Confirm, adjust, or remove before downstream phases begin? [Y/n/adjust]"
+
+In autonomous/blitz mode: append every AGENT_INVENTED constraint to `needs_operator_review.md` in the logs/ directory. Do NOT bake these values into source code, config files, or tests without explicit operator acknowledgment.
+
+Evidence: BarrierWatch campaign (field report #304) invented a $20 kill switch and $50/$50 capital split that took ~90 minutes to remove across 39 files. Both propagated into ROADMAP, source modules, config YAML, tests, and an ADR before the operator reviewed the design.
+
+## Step 4.6 — Schema-vs-ADR Cross-Check (Spock + Worf)
+
+Before any ADR claiming a property of an existing table or callsite is marked Accepted, validate the claim against code reality. Field reports #312, #313, #316 document a pattern where ADRs say *"every tenant-touching table has `org_id`"* or *"X primitive landed in mission Y"* — and downstream missions discover the claim was aspirational. SQL errors at build time, ~1 day mid-mission rescoping per occurrence.
+
+For each ADR with a "Implementation Scope" or "Existing State" claim, run:
+
+1. **Existing-table claims** → grep schema files for the column/constraint/index. Do NOT trust prose. Spock confirms with `grep -nE "^\s*org_id\s+(INTEGER|UUID|BIGINT)" schema*.sql` per claim.
+2. **"X already landed in mission Y" claims** → Worf empirically inspects the referenced files. If the claim is about a security primitive (paper-gate, allowlist, RLS policy), verification is mandatory before any downstream mission treats it as scope-reduction.
+3. **File-path claims** → `[ -f <path> ] && echo present || echo MISSING` for every path the ADR cites as a deliverable. Reject "Fully implemented in vX.Y" framing for paths that don't exist at HEAD.
+
+If verification fails, the ADR's status is `Proposed`, not `Accepted`, until the gap is closed. Do not apply Riker's review to an unverified claim — the reviewer is testing the *decision*, not the *factual ground state*.
+
+## Step 4.7 — Implementation Rehearsal for Infrastructure ADRs (Stark or domain lead)
+
+ADRs that specify async lifecycle hooks, connection-pool callbacks, middleware initialization, DB function bodies, signal handlers, or daemon orchestration MUST be spiked against the real library API before Wave 2 sign-off. 4-hour timebox.
+
+Examples of ADRs that require rehearsal:
+- *"Pool callback uses `SET LOCAL` to set the GUC"* — actually fails empirically because `SET LOCAL` is transaction-scoped and the pool callback runs outside any caller-owned transaction. (Field report #316 §2 — would have shipped a tenant-isolation invariant that silently no-ops.)
+- *"Lifespan handler initializes ContextVar"* — rehearsal needs a non-owner role identity to surface RLS-strict behavior the dev superuser silently bypasses.
+- *"Middleware emits `logger.critical` per request"* — rehearsal at expected RPS exposes per-request log flooding.
+
+Rehearsal output: a runnable snippet (or test) that exercises the spec end-to-end, plus a one-line affirmative result *"Rehearsed at <commit-sha>; behavior matches spec"* in the ADR body. Code-level prose without a run record is not rehearsed.
+
 ## Step 5 — ADRs + Decision Review
 Write Architecture Decision Records to `/docs/adrs/` for every non-obvious choice. After writing, **Riker** `subagent_type: Riker` reviews: challenges trade-offs, verifies alternatives were truly considered, checks for second-order effects.
+
+**Spec adversary pass (BEFORE implementation begins):** For non-trivial methodology ADRs (statistical, security, financial, identity, multi-tenant), launch an adversarial agent in parallel with Riker — **Feyd-Rautha**, **Maul**, or **Loki** depending on domain. Their job is different from Riker's. Riker asks "do the trade-offs hold up?" The adversary asks "is the SPECIFICATION asking the right question? Does the algebraic intersection of constraints contain the desired solution? What failure mode did the spec not name?"
+
+Field report #322 (barrierwatch FWER): ADR-069 specified "filter family by p-value alone." Four agents reviewed code-vs-ADR and all signed off. The bug was in the spec — the family should have been scoped to runs that passed the per-run gate. It surfaced when production produced a false-positive alert. A spec-adversary pass would have caught it before implementation.
+
+The rule: code-vs-ADR review confirms fidelity; spec-adversary review confirms correctness. Both run before Stark implements.
+
+**ADR filename rule (ADR-044, field report #315 M6):** Use the orchestrator-assigned filename verbatim. Do NOT also write at the next-sequential ADR number when the number space is contested. When 80+ agents write ADRs in parallel, dual-numbering produces collision pairs that require pre-commit deduplication. One agent, one ADR, one filename — the orchestrator owns the namespace.
 ```
 # ADR-001: [Title]
 ## Status: Accepted
@@ -73,6 +122,13 @@ Write Architecture Decision Records to `/docs/adrs/` for every non-obvious choic
 ## Decision: [What was decided]
 ## Consequences: [Trade-offs, what this enables, what this prevents]
 ## Alternatives: [What else was considered and why it was rejected]
+
+## Implementation Scope
+- **Reality anchor:** Does this ADR describe work that exists at HEAD?
+  - YES → "Fully implemented in vX.Y." (verify each deliverable with `ls`/`grep` before writing)
+  - NO  → "Proposed — to be implemented in vX.Y PR." (do NOT mark Accepted)
+- **Deliverables:** [enumerated paths + a 1-line existence-check command]
+- **Verification gate:** [the test/check that proves the fix is correct, with a Fixture Bindability proof — see `/docs/patterns/adr-verification-gate.md`]
 ```
 
 ## Conflict Resolution

package/dist/.claude/commands/campaign.md

@@ -8,6 +8,8 @@
 
 **Flags:** `--focus "topic"` biases the Surfer's selection; `--light` skips the Surfer (uses this file's hardcoded roster); `--solo` runs the lead only.
 
+**After the Silver Surfer returns:** Verify the response is ROSTER FORMAT — a list of agent names with reasoning. If the Surfer modified files, ran git commands, or executed the user-requested task described in the args, the protocol was violated. Report to the user: "Silver Surfer exceeded charter — verify any side effects independently before continuing." Proceed only after verification. (Field report #304 documents two incidents where the Surfer executed full task sequences instead of returning a roster.)
+
 The Prophets have shown me the path. Time to execute the plan.
 
 ## Blitz Mode Check
@@ -25,6 +27,8 @@ The Prophets have shown me the path. Time to execute the plan.
 
 **In blitz mode, make ALL decisions autonomously. Never ask the user a question. If uncertain, choose the option that preserves quality (e.g., run the Gauntlet, not skip it). The only human interaction in blitz mode is the final completion summary.**
 
+**Pause-bias anti-pattern (autonomous-by-default per ADR-043 — also applies outside `--blitz`).** When a mission completes, the orchestrator's next action is to mark the next mission `in_progress` and start. Status updates are FINE ("M-7.4 shipped at `6d7f5b3`. Starting M-7.5."); decision-frame questions are NOT ("Continue with M-7.5 or pause?"). Do NOT rationalize a pause as "strategic checkpoint," "context budget management," or "natural milestone." The only valid pause triggers are: (1) `/context` >85% with the actual number cited, (2) a BLOCKED item, (3) a Critical /assemble finding with no auto-fix, (4) the user interrupts. (Field report #323: operator pushed back sharply on a mid-campaign pause-bias instance; the rationalizations had been rejected before via project memory.) See `CAMPAIGN.md` "Pause-Bias Anti-Pattern" for full rules.
+
 **Blitz per-mission checklist** (verify ALL before continuing to next mission):
 1. `/assemble` completed
 2. `/git` committed
@@ -89,7 +93,28 @@ Check for unfinished business:
 - If vault exists but `.env` is sparse → offer: "The vault has credentials but infrastructure isn't provisioned. Run `voidforge deploy` now?" In `--blitz` mode: auto-run provisioner.
 - If clear → proceed to Step 0.5
 
-## Step 0.5 — Vault Auto-Inject
+## Step 0.5 — TECH_DEBT SLA Audit (field report #305)
+
+Before selecting the next mission, audit any `TECH_DEBT.md` catalog in the project root (or `docs/TECH_DEBT.md`) for overdue Critical + Immediate items.
+
+SLA contract (default durations — reasonable defaults, not mandated by any field report; override per-project via TECH_DEBT.md frontmatter):
+- **Critical + Immediate + LowEffort** items: 48-hour resolution. Items older than 48h block campaign advancement.
+- **Critical + Immediate + HighEffort** items: 72-hour triage. Must have an assigned owner and expected resolution window; otherwise block.
+- **High + Immediate** items: 7-day resolution. Warn but do not block.
+
+When a blocked item is detected, Sisko presents:
+
+> "Campaign advancement blocked — TECH_DEBT.md has [N] overdue Critical + Immediate items:
+>
+> [list with file:line and days overdue]
+>
+> Resolve these first, or explicitly acknowledge deferral with a reason and new deadline in the TECH_DEBT entry."
+
+Evidence: field report #305 — a Critical + Immediate + LowEffort credential-leak entry sat for 32 days in the downstream project's TECH_DEBT.md without enforcement. The methodology documented the risk but did not enforce action. Without an SLA with teeth, labels are advisory only.
+
+Applies to: `/campaign`, `/assemble`. The gate may be overridden with `--ignore-debt` (not recommended).
+
+## Step 0.6 — Vault Auto-Inject
 
 If vault exists and `.env` is sparse (missing keys that the vault has):
 1. Run `voidforge deploy --env-only` to write vault credentials to `.env`

package/dist/.claude/commands/deploy.md

@@ -38,6 +38,21 @@ Levi verifies the deploy is safe:
 5. **Version tagged:** Current version from VERSION.md matches the commit being deployed
 6. If any check fails → ABORT with clear error message
 
+## Step 2.5 — Pre-Deploy Secret Scan (Leia)
+
+Before any artifact leaves the local machine, scan the deploy payload for credentials and forbidden files. The deploy payload is whatever the deploy command will actually upload — for platform deploys this is the `pages_build_output_dir` / `outputDirectory` / `publish` directory, NOT the repo root.
+
+Run the reference implementation at `docs/patterns/deploy-preflight.ts` (or its shell equivalent). At minimum, assert zero hits for:
+
+- `.env`, `.env.*` (except `.env.example` / `.env.template`)
+- `*.pem`, `*.key`, `id_rsa*`, `*.p12`, `*.pfx`
+- High-entropy strings matching common secret patterns (AWS keys `AKIA[0-9A-Z]{16}`, Cloudflare tokens `[0-9a-f]{40}`, GitHub PATs `gh[pousr]_[A-Za-z0-9]{36,}`)
+- Methodology files that must not ship: `.claude/`, `docs/methods/`, `HOLOCRON.md`, `logs/`
+
+ANY hit aborts the deploy with a non-zero exit and prints the offending path(s). Never auto-filter and continue — a hit means something is mis-configured upstream and the operator must decide.
+
+Evidence: field report #305 — 32-day live credential leak caused by `.env` in deploy payload. Pre-deploy scan would have caught it on the first deploy.
+
 ## Step 3 — Deploy Execution (Levi)
 
 Execute the deploy strategy for the detected target:
@@ -65,6 +80,22 @@ After deploy completes:
 4. If health check fails → Step 5 (rollback)
 5. If healthy → log success to deploy-state.md
 
+## Step 4.5 — Post-Deploy Sensitive-Path Probe (Levi)
+
+After health check passes, probe a denylist of sensitive paths against the live URL. Each path MUST return non-200:
+
+- `/.env`, `/.env.production`, `/.env.local`
+- `/.git/config`, `/.git/HEAD`
+- `/.claude/agents/silver-surfer-herald.md`
+- `/docs/methods/FORGE_KEEPER.md`
+- `/HOLOCRON.md`, `/CHANGELOG.md`, `/VERSION.md`
+- `/package.json`, `/tsconfig.json`
+- `/id_rsa`, `/.ssh/id_rsa`
+
+Reference implementation: `docs/patterns/post-deploy-probe.sh`. Any 200 response triggers Phase 5 (Rollback) and a notification to the operator. Exposed methodology files (`.claude/`, `docs/methods/`) indicate a missing `.cfignore` / `.vercelignore` entry; exposed `.env` indicates a broken `Step 2.5` scan or a `wrangler pages deploy .` footgun (see Deploy Surface Boundary in DEVOPS_ENGINEER.md).
+
+Evidence: field reports #305 (credential leak) and #303 (methodology exposure).
+
 ## Step 5 — Rollback (Valkyrie)
 
 If health check fails:

package/dist/.claude/commands/gauntlet.md

@@ -108,6 +108,17 @@ If the Council finds issues:
 2. Re-run the Council (max 2 iterations).
 3. If not converged after 2 rounds, present remaining findings to the user.
 
+## Production-Parity Verification (mandatory before The Snap)
+
+Before Thanos can render verdict, verify that the test execution backend matches the project's declared production backend (`PROJECT_VERSION.md` Stack section, or equivalent). Run:
+
+```bash
+grep -nE "_backend\s*=\s*['\"]" tests/conftest.py 2>/dev/null
+grep -iE "database|backend|stack" PROJECT_VERSION.md CLAUDE.md 2>/dev/null | head
+```
+
+If `tests/conftest.py` autouse fixture pins a non-prod backend (e.g., `_backend = "sqlite"` while prod is PostgreSQL), the Gauntlet **FAILS** regardless of green test counts. Tests pinned to the wrong backend exercise none of the production-relevant integrations (RLS, asyncpg, advisory locks, LISTEN/NOTIFY, FOR UPDATE SKIP LOCKED). Field report #315 M3: this slipped past 4 dual-backend Union Station Gauntlets. Fail loud.
+
 ## The Snap — Thanos's Verdict
 
 **If all domains sign off:**

package/dist/.claude/commands/git.md

@@ -35,9 +35,18 @@ Determine the version bump:
 5. User confirms or overrides
 
 ## Step 3 — Chronicle (Wong)
+
+**Disambiguation: project changelog vs methodology changelog.**
+
+If `PROJECT_VERSION.md` exists at repo root, it is the project's changelog (version history). The repo's `CHANGELOG.md` is voidforge-methodology-scoped (versions match the methodology package, not the project) — do NOT edit it for project work. Update `PROJECT_VERSION.md`'s "Current" / "In Progress" / "Next" lines and add a row to the Version History table instead.
+
+If only `CHANGELOG.md` exists, follow the standard flow — that's a methodology repo or a single-version-history project.
+
+If both files exist and the project is a downstream consumer of VoidForge, the project's history goes in `PROJECT_VERSION.md` and the methodology's bundled CHANGELOG is read-only (Bombadil owns it via `/void` sync). Field report #320 §5 documents the confusion this caused before the disambiguation was written.
+
 Update all version files:
-1. Read the top of `CHANGELOG.md` (~30 lines for format reference)
-2. Write new CHANGELOG entry at the top (after the header), using the categories from Step 1:
+1. Read the top of the **active changelog** (PROJECT_VERSION.md if present at repo root, else CHANGELOG.md) — ~30 lines for format reference.
+2. Write the new entry at the top (after the header), using the categories from Step 1:
    - User-facing language, not file-level details
    - Group by Added/Changed/Fixed/Removed/Security
    - Include today's date
@@ -62,8 +71,9 @@ Confirm everything is consistent:
 2. Check version consistency:
    - `VERSION.md` current version matches
    - `package.json` version matches
-   - `CHANGELOG.md` has an entry for this version
+   - The **active changelog** (PROJECT_VERSION.md if present, else CHANGELOG.md) has an entry for this version
    - Commit message starts with the correct version tag
+   - **ROADMAP.md cross-check (field report #309 Fix 4):** if `ROADMAP.md` exists, grep it for the new version string. If milestones in ROADMAP.md reference a higher version than `package.json`, that's drift — surface it and offer to bump. If ROADMAP claims a milestone is "DONE" at a version that doesn't match the just-committed bump, surface that too. Drift between ROADMAP and package.json typically goes unnoticed for weeks.
 3. Run `git status` — verify working tree is clean (no forgotten files)
 4. If any inconsistency found, flag it and offer to fix
 

package/dist/.claude/commands/prd.md

@@ -86,6 +86,14 @@ After all 5 (or 6) acts are confirmed:
 3. Verify YAML frontmatter is valid and complete
 4. Announce: "PRD written to /docs/PRD.md. Run `/build` to start building, or `/campaign` for autonomous execution."
 
+**For any `deploy` target that uploads from a local directory (cloudflare / static / firebase / netlify / s3):** the PRD MUST include an Infrastructure / Deployment section entry that specifies:
+- Explicit build output directory (e.g., `./dist`) — never repo root.
+- Platform config file (wrangler.toml / vercel.json / netlify.toml / firebase.json) that hardcodes the output directory.
+- Ignore file (.cfignore / .vercelignore / firebase `hosting.ignore`) that excludes `.claude/`, `docs/methods/`, `docs/patterns/`, `HOLOCRON.md`, `CHANGELOG.md`, `VERSION.md`, `logs/`.
+- `SECURITY.md` + `public/.well-known/security.txt` for coordinated disclosure.
+
+Evidence: field report #305.
+
 ## Import Mode (`--import`)
 
 If `--import path/to/existing-PRD.md` is passed, skip the interview entirely:

package/dist/CHANGELOG.md

@@ -6,6 +6,113 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
 
 ---
 
+## [23.11.0] - 2026-05-10
+
+### Field Report Triage — 18 reports closed (#313–#320, #322–#330)
+
+Combined two-batch triage. Batch 1 covers multi-tenant retrofit campaigns and Union Station v7.7-v7.9 closeouts (#313-#320). Batch 2 covers autonomous-mode campaigns + AI-execution agent reports from threadplex-ops, barrierwatch, and Union Station v7.10-v7.11 (#322-#330). 9 new patterns, 18+ methodology sections, operational learnings on 7 agents. No breaking changes.
+
+### Added
+
+**New patterns (9):**
+- **`docs/patterns/adr-verification-gate.md`** — Fixture Bindability discipline. Every ADR's verification gate must include "Can the gate FAIL under this fixture?" with algebraic/empirical rationale. Reality-anchored Implementation Scope (Proposed vs Accepted vs Deferred). Sum-verification for numbered-cohort ADRs. (#313, #314, #316, #318.)
+- **`docs/patterns/audit-log.ts`** — System-event NULL trap resolution: schema relaxation (NULL org_id) vs sentinel+JSONB tag. Append-only invariants. Hash-chained integrity. (#319 §6.)
+- **`docs/patterns/multi-tenant-property-test.ts`** — Property-based isolation test: any orgs A,B; A's writes never appear in B's reads. (#315, #316.)
+- **`docs/patterns/multi-tenant-pool-bypass.ts`** — `pre_org_resolution_scope()` ContextVar wrapper for cross-tenant lifespan/daemon code. (#318, #319.)
+- **`docs/patterns/rls-test-fixture.py`** — `db_as_app` SAVEPOINT pattern defeating the SUPERUSER + BYPASSRLS=t fixture trap. (#318, #319.)
+- **`docs/patterns/structural-sql-sentinel.py`** — Adversarial-test discipline for SQL regex sentinels: commuted comparisons, casts, IS NULL, coalesce coverage. (#320.)
+- **`docs/patterns/refactor-extraction.md`** — 8-commit per-entity large-refactor template with IDOR matrix discipline. (#320.)
+- **`docs/patterns/ai-prompt-safety.ts`** — Type A (instructions to model, statistical) vs Type B (constraints on tool, enforced); AUTHORITY-as-text caveat; SafetyStack reference shape; 3 anti-patterns. (#325, #330.)
+- **`docs/patterns/llm-state-dedup.ts`** — LLM-emitted ids are display labels, not primary keys; content-hash dedup; logical-key fallback for command-string drift; lifecycle-state snapshot completeness. (#330.)
+
+**Pattern extensions:**
+- **`docs/patterns/ai-eval.ts`** — `CLAUDE_PROMPT_EVAL_CATEGORIES` template (prompt-structure invariants, sanitizer round-trip, refusal stability on Tier-3 inputs, JSON schema adherence, cost regression). Bayta's 7-test bats spec as reference. (#325.)
+- **`docs/patterns/middleware.ts`** — Hot-path logging gate (fireOnce / shouldEmit token-bucket) preventing observability-pipeline DoS from naked `logger.critical()` per-request. (#319 §5.)
+
+**New methodology sections:**
+- **`docs/methods/SYSTEMS_ARCHITECT.md`** — Scope-confidence interval for callsite-counted ADRs (verifying grep with pinned `n=N` OR ±X× uncertainty); spec adversary pass before implementation; signing-path audit requirement; service-extraction test-patch checklist. (#322, #323, #324, #326, #328, #329.)
+- **`docs/methods/CAMPAIGN.md`** — Closeout grep pinning (reciprocal to scope-confidence); cluster-mission recognition at plan time; pause-bias anti-pattern (autonomous mode); ROADMAP path disambiguation; pre-split blocker phase; caller-graph audit for silent-default abstractions; V710 acceptance template inheritance counter; operator decision documents (`logs/campaign-decisions-{version}.md`); LOC growth tracker per-mission. (#322, #323, #326, #327, #329.)
+- **`docs/methods/SECURITY_AUDITOR.md`** — Sanitizer Bypass-Class Checklist (7 classes: case-fold, em-dash, novel marker, newline-split, char-class, encoding, length boundary). (#325.)
+- **`docs/methods/QA_ENGINEER.md`** — Strict-Mode Audit Classification (no cosmetic/WARN downgrade without behavioral evidence); Telegram-bot group-chat suffix test. (#325, #330.)
+- **`docs/methods/SUB_AGENTS.md`** — Intentionally Overlapping Mandates (3+ agents on same diff = high-signal convergence); Sub-Agent Review Contract (WARN/cosmetic requires unreachable proof OR real-path test); Agent Capability Matrix. (#322, #324, #330.)
+- **`docs/methods/BACKEND_ENGINEER.md`** — AST Lints Are Cheap (contracts with 8+ duplicates → AST lint + baseline + `--regenerate-baseline`). (#324.)
+- **`docs/methods/RELEASE_MANAGER.md`** — Per-Commit CHANGELOG Discipline (src/**, docs/adrs/**, methods/*.md commits must stage CHANGELOG); Pre-Push Lint Sweep (run all `scripts/check-*`); Post-Amend SHA Pin (detect stale state-file SHAs after `git commit --amend`). (#322, #324, #327.)
+- **`docs/methods/GAUNTLET.md`** + **`.claude/commands/gauntlet.md`** — Production-Parity Exit Criterion (test backend must match production declared in PROJECT_VERSION.md; mismatch FAILS the round regardless of green tests). (#315 M3.)
+- **`docs/methods/AI_INTELLIGENCE.md`** — Event-Ladder Severity Gradient (info < warning < error < fatal monotonic; climactic rung must be fatal). (#319 §4.)
+- **`docs/methods/DEVOPS_ENGINEER.md`** — Production Runtime Topology Authoritative-Source (single supervisor; reconcile `systemctl status` vs `ps -ef` before deploy). (#319 §7.)
+- **`docs/methods/FORGE_KEEPER.md`** — Distribution-vs-Source Drift Check (every CLAUDE.md-cited path must exist post-sync). (#317.)
+- **`docs/methods/TESTING.md`** — Decreasing-Counter Test Markers (e.g., `known_pg_gap`) for tracked migrations; monotonic counter with mission ownership in campaign-state. (#316 §7.)
+- **`docs/methods/TIME_VAULT.md`** — Verification Pass Before Sealing (live psql + code reads for table count, migration head, schema invariants, file paths, test counts, version numbers). (#318.)
+- **`.claude/commands/git.md`** — Project-vs-methodology changelog disambiguation (PROJECT_VERSION.md vs CHANGELOG.md routing); ROADMAP.md cross-check during verification. (#320 §5, #309 Fix 4.)
+- **`.claude/commands/architect.md`** — Spec-adversary pass before implementation. (#322.)
+- **`.claude/commands/campaign.md`** — Pause-bias anti-pattern mirror. (#323.)
+
+**Operational learnings (agent definitions):**
+- **`.claude/agents/picard-architecture.md`** — spec-vs-code review distinction; signing-path audit; scope-confidence interval. (#322, #323, #328.)
+- **`.claude/agents/sisko-campaign.md`** — pause-bias prohibition; ROADMAP path disambiguation; cluster-mission recognition. (#323, #326.)
+- **`.claude/agents/coulson-release.md`** — per-commit CHANGELOG sibling rule; pre-push lint sweep; post-amend SHA pin. (#322, #324, #327.)
+- **`.claude/agents/bashir-field-medic.md`** — verifiers run `git diff` against build-agent claims. (#316, #317 §2.)
+- **`.claude/agents/loki-chaos.md`** — production cohabitation check (Docker port bindings bypass UFW). (#316 §11, #241, #243.)
+- **`.claude/agents/irulan-historian.md`** — added Write + Edit tools; behavioral directive to write files when briefed to write. (#322.)
+- **`.claude/agents/silver-surfer-herald.md`** — over-count vs find-count ratio (soften over-include after de-duplication observable). (#325.)
+
+**Distribution (closes ADR-051 #317):**
+- **`packages/methodology/package.json`** — `scripts/surfer-gate/` added to npm `files` array.
+- **`packages/methodology/scripts/prepack.sh`** — copies `scripts/surfer-gate/` into package at publish time.
+- **`packages/voidforge/wizard/lib/project-init.ts`** — `chmodShellScripts()` + `mergeSettingsHook()` ship the Surfer Gate to every new project and merge the PreToolUse hook into `.claude/settings.json`. Consumer installs now get mechanical enforcement, not prose-backstop only.
+
+### Changed
+
+- **`docs/methods/CAMPAIGN.md`** Step 1 (Dax) — cluster-mission recognition inserted between cross-mission data handoff check and acceptance criteria gate.
+- **`docs/methods/SYSTEMS_ARCHITECT.md`** Step 5 — Riker review extended with spec-adversary pass for non-trivial methodology ADRs.
+- **`CLAUDE.md`** — patterns list updated with the 9 new patterns; total patterns now ~50.
+
+---
+
+## [23.10.0] - 2026-04-20
+
+### Field Report Triage — 6 reports closed (#303–#308)
+
+Wave-based triage across all open field reports. 33 approved fixes applied; 5 already-shipped confirmed; 3 deferred (MONITORING.md consolidated into DEVOPS_ENGINEER.md + FORGE_KEEPER.md per Batch E decision; #306 PF-8 hook-victory note already captured in ADR-051; #308 PF-8 TerminalCommand component is downstream marketing-site work).
+
+### Added
+
+- **`docs/methods/SPEC_HANDOFF.md` (NEW)** — method doc formalizing cross-session implementation hand-off. Includes `verified-against-commit: <SHA>` stamping convention and nav-order requirements for new pages. Evidence: 23/26 execution rate on v23.9.x marketing-site pass (#307 F4, #308 PF-4/PF-7).
+- **`docs/patterns/deploy-preflight.ts` (NEW)** — TypeScript reference implementation of pre-deploy secret + sensitive-path scan. Called from `.claude/commands/deploy.md` Step 2.5 (#305 P1-e).
+- **`docs/patterns/post-deploy-probe.sh` (NEW)** — Bash reference implementation of post-deploy denylist probe. Called from Step 4.5 (#305 P1-f).
+- **`docs/LEARNINGS.md`** — six new entries (8/50 → 14/50): LRN-5 `stat -f %m` non-portability, LRN-6 npm ci lockfile drift (npm#4828), LRN-7 npm org vs scope availability, LRN-8 CI workspace-scoped test bypasses root pretest, LRN-9 spec-handoff pattern, LRN-10 marketing-site scalar count drift (#308).
+- **`docs/methods/FORGE_KEEPER.md`** — new `## Deployment Hygiene` section (`.cfignore`/`.vercelignore` guidance for static-host deploys); new `## Cross-Repo Scalar Sync` section (stats.json CI artifact target; manual sync fallback).
+- **`docs/methods/DEVOPS_ENGINEER.md`** — new `## Deploy Surface Boundary` section (repo root ≠ deploy surface; per-platform enforcement table for Cloudflare/Vercel/Netlify/Firebase/S3). New subsections: "CI runs `npm test` at repo root" (#308 PF-5, RC-3); "Post-push live-URL fingerprint" (broken auto-deploy integration detection, #307 F3); "Methodology-exposure check" (curl denylist, #303).
+- **`docs/methods/TROUBLESHOOTING.md`** — new `## Cloudflare / Wrangler Gotchas` section (`.gitignore` ignored in Direct Upload; aliased `--force` bug; Dev Mode + Purge cache eviction).
+- **`docs/methods/BUILD_PROTOCOL.md`** — Phase 12 external-API live smoke-test mandate with scope clarification (custom signing/serialization only; read-only SDK clients exempt) and credentials-unavailable escape hatch (#304 Fix 2).
+- **`docs/methods/SYSTEMS_ARCHITECT.md`** — npm-name availability pre-flight (ADR authoring) — mandates dual-check of registry query AND org-create form before canonicalizing a package name (#308 PF-1).
+- **`docs/methods/PRD_GENERATOR.md`** + **`.claude/commands/prd.md`** — Cloudflare Pages deploy safety: `wrangler.toml` with `pages_build_output_dir`, `.cfignore`, `SECURITY.md`, `public/.well-known/security.txt`, dedicated output directory. Explicitly forbids `wrangler pages deploy .` (#305 P0-c).
+- **`docs/methods/CAMPAIGN.md`** + **`.claude/commands/campaign.md`** — Step 0.5 TECH_DEBT SLA Audit: Critical+Immediate+LowEffort 48h, Critical+Immediate+HighEffort 72h, High+Immediate 7d (reasonable defaults, override per-project) (#305 P1-a). Post-Surfer format verification (#304 Fix 3b).
+- **`.claude/commands/deploy.md`** — Step 2.5 Pre-Deploy Secret Scan (Leia); Step 4.5 Post-Deploy Sensitive-Path Probe (Levi) (#305 P0-a, P0-b).
+- **`.claude/commands/architect.md`** — Step 4.5 Operator Sign-off on Invented Constraints (flag agent-invented thresholds/capital/safety values) (#304 Fix 1). Post-Surfer format verification.
+- **`docs/adrs/ADR-050-native-claude-code-coexistence.md`** — Rename Verification Checklist appendix: 6-pattern grep table (`"/NAME"`, `` `/NAME` ``, `(/NAME)`, `→ Agent (/NAME)`, `Run /NAME`, `/NAME protocol`) plus table-cell/CHANGELOG/error-message supplementary checks (#306 PF-2, RC-9).
+- **`.claude/agents/silver-surfer-herald.md`** — `## HARD CONSTRAINT — ROSTER ONLY` section (Surfer must refuse task execution even with Write/Edit/Bash tools); small-codebase scaling note (#304 Fix 3a, #303 Fix 3).
+- **`.claude/agents/picard-architecture.md`** — Operational Learning: agent-invented executive constraints require operator confirmation (#304).
+- **`.claude/agents/thufir-protocol-parsing.md`** — Operational Learning: "verified against SDK" requires source code, not docs (#304).
+- **`.claude/agents/leia-secrets.md`** — Operational Learning: Cloudflare User vs Account API Tokens are different dashboard pages (#305 P1-c).
+- **`.claude/agents/kusanagi-devops.md`** — Operational Learning: Cloudflare Pages Dev Mode + Purge Everything may not evict all cache in one pass (#305 P1-d).
+
+### Changed
+
+- **`docs/methods/FORGE_KEEPER.md`** — Step 4.5 preview deploy now runs `npm test` before `npm run build` (content drift from sync surfaces as test failures, not build failures) (#307 F2). Step 0 adds parallel-session commit detection (`git log --since="1 hour ago" --all`) (#307 F5). §Shared Methodology Files adds CHANGELOG.md identity check (skip if site/app versions, not methodology) (#307 F1). §Edge Cases adds two-pass scaffold-era `/void` sync note (#303 Fix 1). §Step 4 numbering fix (duplicate `5.` → `5c.`).
+
+### Security
+
+- **Deploy hardening end-to-end** — Motivated by field report #305 (32-day Cloudflare Pages `.env` credential leak). Structural protections: pre-deploy secret scan + sensitive-path probe, Deploy Surface Boundary invariant with per-platform enforcement, PRD_GENERATOR now emits safety configs by default, TROUBLESHOOTING documents wrangler gotchas (`.gitignore` ignored in Direct Upload). Every VoidForge-generated project that deploys to a static host inherits these protections. Methodology-exposure check (from #303) folded into the same deploy phase.
+
+### Release notes
+
+- No breaking changes. Strictly additive to method-doc structure, agent naming, and build-protocol phases.
+- All changes are documentation/methodology; no source-code changes. Tests and gate tests unaffected.
+- Downstream work deferred: `voidforge-marketing-site` `TerminalCommand` component refactor (#308 PF-8); cross-repo `stats.json` auto-sync (#308 PF-6 target-state; manual sync documented in FORGE_KEEPER.md until auto-sync lands).
+
+---
+
 ## [23.9.2] - 2026-04-20
 
 ### CI workflow idempotency + provenance baseline

package/dist/CLAUDE.md

@@ -37,12 +37,12 @@ ADR-051 enforces this gate at the hook level (PreToolUse). The prose below is th
 
 **Hook enforcement (ADR-051 Phase 5b — live as of v23.8.14; state relocated per ADR-060 in v23.8.18).** A `PreToolUse` hook on the Agent tool (`scripts/surfer-gate/check.sh`) blocks any sub-agent launch that isn't the Silver Surfer itself, unless a roster has been recorded for this session or a bypass flag is set. State lives at `$XDG_RUNTIME_DIR/voidforge-gate/` (Linux) or `$HOME/.voidforge/gate/` (macOS fallback) — per-user, `0700`. This is the permanent enforcement mechanism. The prose above is a human-readable backup.
 
-**Orchestrator contract** (you run these Bash commands at the right moments):
+**Orchestrator contract** (you run these Bash commands at the right moments — wrap each in an existence guard so projects on older methodology versions don't error):
 
-1. After the Silver Surfer sub-agent returns its roster, and before launching any other Agent: `bash scripts/surfer-gate/record-roster.sh` (optionally pass the roster JSON as the first argument for audit). This is a no-op when the hook is inactive, so it is always safe to call.
-2. When the user's command includes `--light` or `--solo`, BEFORE launching the Surfer or any other agent: `bash scripts/surfer-gate/bypass.sh --light` (or `--solo`). No-op when the hook is inactive. **Fails closed on unknown flag values** (ADR-060 v23.8.18 hardening, SEC-003) — passing anything other than `--light` or `--solo` exits 2 with an error. No silent bypass.
+1. After the Silver Surfer sub-agent returns its roster, and before launching any other Agent: `[ -x scripts/surfer-gate/record-roster.sh ] && bash scripts/surfer-gate/record-roster.sh || true` (optionally pass the roster JSON as the first argument for audit). The existence guard is a defensive no-op for projects that predate v23.10.0 — when the gate started shipping via the npm methodology package per #317.
+2. When the user's command includes `--light` or `--solo`, BEFORE launching the Surfer or any other agent: `[ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true` (or `--solo`). **Fails closed on unknown flag values** (ADR-060 v23.8.18 hardening, SEC-003) — passing anything other than `--light` or `--solo` exits 2 with an error. No silent bypass.
 
-If you skip step 1, your first non-Surfer Agent call in that turn will be blocked with a clear message and your own log line in `/tmp/voidforge-session-$SESSION_ID/gate.log`. You are expected to comply with the block (launch Surfer / run record-roster), not to fight it.
+If `scripts/surfer-gate/check.sh` exists but you skip step 1, your first non-Surfer Agent call in that turn will be blocked with a clear message and your own log line in `/tmp/voidforge-session-$SESSION_ID/gate.log`. You are expected to comply with the block (launch Surfer / run record-roster), not to fight it. If the script does not exist, your project predates v23.10.0; pull the gate from `tmcleod3/voidforge:scripts/surfer-gate/` and merge `settings-snippet.json` into `.claude/settings.json`, or re-run `npx voidforge-build init` against the methodology source.
 
 **Why.** Seven field incidents (logged in `.claude/agents/silver-surfer-herald.md`) document the cost of skipping: the orchestrator cannot predict cross-domain relevance from the command name alone. The hook makes skipping mechanically impossible for non-bypass cases. Launch the Surfer. Every time.
 
@@ -119,6 +119,15 @@ Reference implementations in `/docs/patterns/`. Match these shapes when writing.
 - `e2e-test.ts` — Playwright E2E + axe-core a11y: page objects, auth helpers, network mocks, CWV measurement
 - `combobox.tsx` — Accessible combobox with value source management, keyboard nav, async search (+ HTMX)
 - `kongo-integration.ts` — Landing page engine: client, from-PRD generation, growth signal, webhook handlers
+- `adr-verification-gate.md` — Fixture Bindability discipline: gates that algebraically can fail; reality-anchored Implementation Scope
+- `multi-tenant-property-test.ts` — Property-based isolation test (any orgs A,B; A's writes never appear in B's reads)
+- `multi-tenant-pool-bypass.ts` — `pre_org_resolution_scope()` ContextVar wrapper for cross-tenant lifespan/daemon code
+- `rls-test-fixture.py` — `db_as_app` SAVEPOINT pattern (defeats SUPERUSER + BYPASSRLS=t fixture trap)
+- `structural-sql-sentinel.py` — Adversarial-test discipline for SQL regex sentinels (commuted/cast/IS NULL/coalesce coverage)
+- `audit-log.ts` — System-event NULL trap resolution (schema relaxation vs sentinel+JSONB tag); append-only invariants
+- `refactor-extraction.md` — 8-commit per-entity large-refactor template with IDOR matrix discipline
+- `ai-prompt-safety.ts` — Type A (instructions, statistical) vs Type B (constraints, enforced); AUTHORITY-as-text caveat; defense-in-depth stack
+- `llm-state-dedup.ts` — LLM ids are display labels, not keys; content-hash dedup; lifecycle-state snapshot completeness
 
 ## Slash Commands