1 files changed, 9 insertions, 4 deletions

diff --git a/docs/agent-knowledge-base-spec.org b/docs/agent-knowledge-base-spec.org
index c59c33b..bdf7852 100644
--- a/docs/agent-knowledge-base-spec.org
+++ b/docs/agent-knowledge-base-spec.org
@@ -3,7 +3,7 @@
 #+DATE: 2026-06-10
 
 * Metadata
-| Status   | ready with caveats — Codex review incorporated, D7 ratified keep (Craig, 2026-06-10); caveat: confirm work-root denylist contents; implementation awaiting Craig's go |
+| Status   | ready — Codex review incorporated, D7 ratified keep, work-root denylist confirmed =~/projects/work= only (Craig, 2026-06-10); implementation awaiting Craig's go |
 | Owner    | Craig Jennings                                                      |
 | Reviewer | Craig Jennings; Codex (2026-06-10)                                  |
 | Related  | [[file:../todo.org][todo.org — "Check that memories are sync'd across machines via git"]] |
@@ -71,7 +71,7 @@ Filename follows roam's timestamp-prefix convention (=YYYYMMDDHHMMSS-slug.org=).
 
 ** Project classification and write routing (v1)
 
-D5's boundary needs an executable answer to "is this project allowed to write?" — inference from cwd names, remotes, or task content is too much discretion for a confidentiality boundary. The v1 source of truth is an explicit *work-root denylist* carried in =knowledge-base.md= (initially =~/projects/work=; contents confirmed with Craig before the rule ships). Classification:
+D5's boundary needs an executable answer to "is this project allowed to write?" — inference from cwd names, remotes, or task content is too much discretion for a confidentiality boundary. The v1 source of truth is an explicit *work-root denylist* carried in =knowledge-base.md= (=~/projects/work= — confirmed complete by Craig, 2026-06-10; archangel is not work-scoped). Classification:
 
 - *Work* — the project root is, or sits under, a denylisted work root. No KB write, ever. The agent records durable facts per that project's own conventions (work already keeps its knowledge in its project tree); v1 adds no new work-side store.
 - *Personal* — the project root sits under a known project parent (=~/code/=, =~/projects/=, =~/.emacs.d=) and is not denylisted. KB writes allowed per D6.
@@ -152,7 +152,7 @@ A new =claude-rules/knowledge-base.md= rule (auto-installs via the Makefile RULE
 Not started — Craig has explicitly held implementation pending his go-ahead.
 
 ** Phase 1 — Pointer rule
-Confirm the work-root denylist contents with Craig, then write =claude-rules/knowledge-base.md=: path, the canonical query commands (conflict-file exclusion included), the D4 schema, the classification + write-routing rules, the refusal contract, and the D5/D6 boundary. =make install= links it machine-wide via the existing RULES glob — no Makefile change. Tree stays working throughout (pure addition).
+The work-root denylist is confirmed (=~/projects/work= only, Craig 2026-06-10). Write =claude-rules/knowledge-base.md=: path, the canonical query commands (conflict-file exclusion included), the D4 schema, the classification + write-routing rules, the refusal contract, and the D5/D6 boundary. =make install= links it machine-wide via the existing RULES glob — no Makefile change. Tree stays working throughout (pure addition).
 
 ** Phase 2 — Seed node + index verification
 Craig supplies or approves the durable fact; the implementer writes exactly one node under =~/sync/org/roam/= per the schema (a genuine durable fact, not a test stub). Craig runs =org-roam-db-sync= and confirms it indexes and displays cleanly. Rollback if the schema fails: delete that one timestamped =:agent:= file. This validates the schema end-to-end before agents write at volume.
@@ -190,7 +190,7 @@ Wire the promotion prompt into the wrap-up workflow (a "anything worth promoting
 - Un-reviewed writes propagate instantly (D6 accepted this). Dodge: the =:agent:= inventory keeps cleanup cheap.
 - Promotion discipline may not stick (D2). Dodge: Phase 3 makes it a mechanical wrap-up step rather than a memory burden.
 - Syncthing conflict files could confuse queries. Dodge: exclusion is baked into the canonical commands.
-- An incomplete work-root denylist would let a work project classify as personal. Dodge: Phase 1 starts by confirming the denylist with Craig, and the classification's safe default (unknown → refuse) covers anything outside the known parents.
+- An incomplete work-root denylist would let a work project classify as personal. Dodge: Craig confirmed the denylist (=~/projects/work= only, 2026-06-10), and the classification's safe default (unknown → refuse) covers anything outside the known parents.
 
 * Testing / Verification
 
@@ -234,3 +234,8 @@ Modified recommendations from the 2026-06-10 Codex review, with reasons. Everyth
 - What: processed the Codex review with Craig's D7 ratification ("keep") as a pre-agreed input. Both blockers cleared: D7 accepted (harness memory stays the capture layer, Phase 3 mandatory) and a new "Project classification and write routing" design subsection (work-root denylist as source of truth, unknown → refuse, refusal message contract, no new work-side store). Mediums accepted: canonical =rg= commands with conflict-file exclusion baked in, Phase 2 approval/rollback mechanics, Makefile no-change note, ~490 fact count, Testing/Verification section. Three recommendations modified (see Review dispositions); none rejected.
 - Why: converge to implementation-ready. Rubric: ready with caveats — the one caveat is confirming the work-root denylist contents with Craig before Phase 1 ships the rule.
 - Artifacts: this file; implementation-task breakdown under the parent task in todo.org; review file deleted.
+
+** 2026-06-10 Wed @ 17:29:37 -0500 — Craig Jennings — caveat resolved
+- What: confirmed the work-root denylist is complete at =~/projects/work= alone; archangel is not work-scoped.
+- Why: this was the single "ready with caveats" caveat. The spec is now ready. Implementation still awaits Craig's explicit go.
+- Artifacts: this file (status flipped to ready); the denylist VERIFY in todo.org resolved to a dated entry.