author Craig Jennings <c@cjennings.net> 2026-06-10 17:31:14 -0500
committer Craig Jennings <c@cjennings.net> 2026-06-10 17:31:14 -0500
commit 4e6fd2d760469b09d7f235f19d722aaa03bce6db
tree 80f7f55f086d115b293fb2c5f2205af19adabba6
parent 403f8b891d04780a99859ed7ef64efcc0f4f82f2
docs(spec): work-root denylist confirmed, agent KB spec now ready
Craig confirmed the denylist is complete at ~/projects/work alone (archangel is not work-scoped), which clears the spec's one remaining caveat. Phase 1 is unblocked, and implementation still awaits the explicit go.
-rw-r--r-- docs/agent-knowledge-base-spec.org 13
-rw-r--r-- todo.org 6
2 files changed, 12 insertions, 7 deletions
diff --git a/docs/agent-knowledge-base-spec.org b/docs/agent-knowledge-base-spec.org
index c59c33b..bdf7852 100644
--- a/docs/agent-knowledge-base-spec.org
+++ b/docs/agent-knowledge-base-spec.org
@@ -3,7 +3,7 @@
#+DATE: 2026-06-10
* Metadata
-| Status | ready with caveats — Codex review incorporated, D7 ratified keep (Craig, 2026-06-10); caveat: confirm work-root denylist contents; implementation awaiting Craig's go |
+| Status | ready — Codex review incorporated, D7 ratified keep, work-root denylist confirmed =~/projects/work= only (Craig, 2026-06-10); implementation awaiting Craig's go |
| Owner | Craig Jennings |
| Reviewer | Craig Jennings; Codex (2026-06-10) |
| Related | [[file:../todo.org][todo.org — "Check that memories are sync'd across machines via git"]] |
@@ -71,7 +71,7 @@ Filename follows roam's timestamp-prefix convention (=YYYYMMDDHHMMSS-slug.org=).
** Project classification and write routing (v1)
-D5's boundary needs an executable answer to "is this project allowed to write?" — inference from cwd names, remotes, or task content is too much discretion for a confidentiality boundary. The v1 source of truth is an explicit *work-root denylist* carried in =knowledge-base.md= (initially =~/projects/work=; contents confirmed with Craig before the rule ships). Classification:
+D5's boundary needs an executable answer to "is this project allowed to write?" — inference from cwd names, remotes, or task content is too much discretion for a confidentiality boundary. The v1 source of truth is an explicit *work-root denylist* carried in =knowledge-base.md= (=~/projects/work= — confirmed complete by Craig, 2026-06-10; archangel is not work-scoped). Classification:
- *Work* — the project root is, or sits under, a denylisted work root. No KB write, ever. The agent records durable facts per that project's own conventions (work already keeps its knowledge in its project tree); v1 adds no new work-side store.
- *Personal* — the project root sits under a known project parent (=~/code/=, =~/projects/=, =~/.emacs.d=) and is not denylisted. KB writes allowed per D6.
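Review bot: The classification rule in this hunk does not say how "is, or sits under" is evaluated, and the only denylisted root, =~/projects/work=, lies inside =~/projects/=, which the Personal bullet lists as a known project parent. For a confidentiality boundary, state that the Work check runs before the Personal check, that both paths are resolved to absolute, symlink-free form before comparison, and that the match is on whole path components, so a sibling such as =~/projects/workshop= is not treated as work while a symlink under =~/code/= that points into =~/projects/work= is.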
@@ -152,7 +152,7 @@ A new =claude-rules/knowledge-base.md= rule (auto-installs via the Makefile RULE
Not started — Craig has explicitly held implementation pending his go-ahead.
** Phase 1 — Pointer rule
-Confirm the work-root denylist contents with Craig, then write =claude-rules/knowledge-base.md=: path, the canonical query commands (conflict-file exclusion included), the D4 schema, the classification + write-routing rules, the refusal contract, and the D5/D6 boundary. =make install= links it machine-wide via the existing RULES glob — no Makefile change. Tree stays working throughout (pure addition).
+The work-root denylist is confirmed (=~/projects/work= only, Craig 2026-06-10). Write =claude-rules/knowledge-base.md=: path, the canonical query commands (conflict-file exclusion included), the D4 schema, the classification + write-routing rules, the refusal contract, and the D5/D6 boundary. =make install= links it machine-wide via the existing RULES glob — no Makefile change. Tree stays working throughout (pure addition).
** Phase 2 — Seed node + index verification
Craig supplies or approves the durable fact; the implementer writes exactly one node under =~/sync/org/roam/= per the schema (a genuine durable fact, not a test stub). Craig runs =org-roam-db-sync= and confirms it indexes and displays cleanly. Rollback if the schema fails: delete that one timestamped =:agent:= file. This validates the schema end-to-end before agents write at volume.
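Review bot: The Phase 1 paragraph now restates the denylist value and confirmation date inline, and the same value also appears in the Status row, the classification section and the Risks list in this commit. Four hand-maintained copies can drift if a root is added later; consider having Phase 1 refer to the classification section as the one place the list is defined, and keep the date only in the dated history entry added at the end of the spec.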
@@ -190,7 +190,7 @@ Wire the promotion prompt into the wrap-up workflow (a "anything worth promoting
- Un-reviewed writes propagate instantly (D6 accepted this). Dodge: the =:agent:= inventory keeps cleanup cheap.
- Promotion discipline may not stick (D2). Dodge: Phase 3 makes it a mechanical wrap-up step rather than a memory burden.
- Syncthing conflict files could confuse queries. Dodge: exclusion is baked into the canonical commands.
-- An incomplete work-root denylist would let a work project classify as personal. Dodge: Phase 1 starts by confirming the denylist with Craig, and the classification's safe default (unknown → refuse) covers anything outside the known parents.
+- An incomplete work-root denylist would let a work project classify as personal. Dodge: Craig confirmed the denylist (=~/projects/work= only, 2026-06-10), and the classification's safe default (unknown → refuse) covers anything outside the known parents.
* Testing / Verification
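Review bot: The revised Dodge on the denylist risk leans on the unknown → refuse default, but that default only covers roots outside the known parents; a work checkout created later under =~/code/= or directly under =~/projects/= would still classify as Personal per the classification section. Since the mitigation is now a one-time confirmation dated 2026-06-10, say when the denylist gets re-confirmed (for example whenever a new work root is created) so the risk entry does not read as permanently closed.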
@@ -234,3 +234,8 @@ Modified recommendations from the 2026-06-10 Codex review, with reasons. Everyth
- What: processed the Codex review with Craig's D7 ratification ("keep") as a pre-agreed input. Both blockers cleared: D7 accepted (harness memory stays the capture layer, Phase 3 mandatory) and a new "Project classification and write routing" design subsection (work-root denylist as source of truth, unknown → refuse, refusal message contract, no new work-side store). Mediums accepted: canonical =rg= commands with conflict-file exclusion baked in, Phase 2 approval/rollback mechanics, Makefile no-change note, ~490 fact count, Testing/Verification section. Three recommendations modified (see Review dispositions); none rejected.
- Why: converge to implementation-ready. Rubric: ready with caveats — the one caveat is confirming the work-root denylist contents with Craig before Phase 1 ships the rule.
- Artifacts: this file; implementation-task breakdown under the parent task in todo.org; review file deleted.
+
+** 2026-06-10 Wed @ 17:29:37 -0500 — Craig Jennings — caveat resolved
+- What: confirmed the work-root denylist is complete at =~/projects/work= alone; archangel is not work-scoped.
+- Why: this was the single "ready with caveats" caveat. The spec is now ready. Implementation still awaits Craig's explicit go.
+- Artifacts: this file (status flipped to ready); the denylist VERIFY in todo.org resolved to a dated entry.
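Review bot: The new history entry records that archangel is not work-scoped but not where archangel lives or why it falls outside the boundary, so a later reader cannot re-check the decision. Add its path and a one-line reason; the todo.org entry in this commit says the confirmation happened in chat, which leaves this entry as the only durable record.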
diff --git a/todo.org b/todo.org
index 9d04b66..1271a8b 100644
--- a/todo.org
+++ b/todo.org
@@ -106,11 +106,11 @@ Resolved in the spec-response pass: =knowledge-base.md= carries an explicit work
*** 2026-06-10 Wed @ 14:44:00 -0500 Codex review incorporated — spec ready with caveats
Spec-response pass processed the 2026-06-10 Codex review with D7 = keep as a pre-agreed input. Both blockers cleared (D7 accepted; classification/write-routing section added). Mediums accepted: canonical rg commands with conflict-file exclusion, Phase 2 seed-node approval/rollback mechanics, Makefile no-change note, Testing/Verification section. Three recommendations modified, none rejected — see the spec's Review dispositions. Review file deleted per the workflow. Rubric: ready with caveats (denylist confirmation). Implementation tasks broken out below; implementation itself awaits Craig's go.
-*** VERIFY Confirm the work-root denylist contents for knowledge-base.md
-The v1 classifier denylists =~/projects/work=. Is that complete — is archangel (or any other project) work-scoped? Phase 1 ships the rule only after this list is confirmed.
+*** 2026-06-10 Wed @ 17:29:37 -0500 Work-root denylist confirmed — ~/projects/work only
+Craig confirmed (2026-06-10, in chat): the denylist is just =~/projects/work=. Archangel is not work-scoped. The spec's one caveat clears — status now ready. Phase 1 is unblocked, but implementation still awaits Craig's explicit go.
*** TODO Agent KB Phase 1 — pointer rule :feature:
-Write =claude-rules/knowledge-base.md=: KB path, canonical query commands (conflict-file exclusion baked in), the D4 write schema, the classification denylist + write routing, the refusal contract, and the D5/D6 boundary. The existing Makefile RULES glob installs it — no Makefile change. Blocked on the denylist VERIFY above. Spec: [[file:docs/agent-knowledge-base-spec.org][agent-knowledge-base-spec.org]] (Phase 1).
+Write =claude-rules/knowledge-base.md=: KB path, canonical query commands (conflict-file exclusion baked in), the D4 write schema, the classification denylist + write routing, the refusal contract, and the D5/D6 boundary. The existing Makefile RULES glob installs it — no Makefile change. Denylist confirmed 2026-06-10 (=~/projects/work= only); unblocked, awaiting Craig's go to implement. Spec: [[file:docs/agent-knowledge-base-spec.org][agent-knowledge-base-spec.org]] (Phase 1).
*** TODO Agent KB Phase 2 — seed node + index verification :feature:
Craig supplies or approves one durable fact; write exactly one =:agent:= node under =~/sync/org/roam/= per the schema; Craig runs =org-roam-db-sync= and confirms it indexes and displays. Rollback on schema failure: delete the one timestamped file. Spec: [[file:docs/agent-knowledge-base-spec.org][agent-knowledge-base-spec.org]] (Phase 2).
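Review bot: The Phase 1 heading stays a plain TODO while its body now says "unblocked, awaiting Craig's go to implement", so the hold on implementation exists only in prose. With the VERIFY item replaced by a dated log entry there is no longer a structural blocker above it; if this file has a keyword or tag for held tasks, apply it to Phase 1 so that anything scanning for open TODOs does not treat it as ready to start.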