[CLAUDE] Docs: error-ledger E-005 (AS-1 git add -A) + AS-10 (sub-write-despite-R1) + 2 guards verified (session-end S49)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
pqhuy1987
2026-06-07 23:26:26 +07:00
parent 0647b4c620
commit 31629a196c

@ -28,6 +28,7 @@ Detect by **action-signature** (NOT "AI tự phán có vi phạm không"). Scan
| AS-7 | model downgrade (haiku/sonnet) on codegen/guard/financial/security | critical-algo needs Max tier | RCA, re-run on Max | | AS-7 | model downgrade (haiku/sonnet) on codegen/guard/financial/security | critical-algo needs Max tier | RCA, re-run on Max |
| AS-8 | session-end memory `.md` Write leaving **0 bytes** | `feedback_session_end_memory_write_verify` (S46) | re-write + verify byte>0 | | AS-8 | session-end memory `.md` Write leaving **0 bytes** | `feedback_session_end_memory_write_verify` (S46) | re-write + verify byte>0 |
| AS-9 | A/B/C choice handed to anh **without** decision-brief trục | Gov-v2 §G2 | reframe as full brief | | AS-9 | A/B/C choice handed to anh **without** decision-brief trục | Gov-v2 §G2 | reframe as full brief |
| AS-10 | sub-agent writes a tracked file (MEMORY.md / code) despite **R1 return-only** (Write/Bash residual) | R1 return-only (HMW) — prompt-rule, NOT mechanized (G-015) | git-diff post-P2 catch → lead VERIFY benign+accurate+placement → keep or revert (NOT a bug if correct; chunk-count for RAG-write) |
## 🛡️ Active-Guards index (2-strike promote: episodic → procedural) ## 🛡️ Active-Guards index (2-strike promote: episodic → procedural)
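Review bot: the new AS-10 row scopes the signature to a sub-agent writing a tracked file and names git-diff post-P2 as the catch, so a sub-agent that creates a new, untracked file falls outside both the signature and the check, because plain `git diff` does not list untracked paths. Consider widening the signature to any working-tree write and naming `git status --porcelain` next to git-diff in the remediation cell. The "keep or revert" outcome also depends on the lead's judgement of "benign+accurate+placement"; stating when a revert is mandatory would make the row auditable.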
@ -41,7 +42,8 @@ Detect by **action-signature** (NOT "AI tự phán có vi phạm không"). Scan
| authz regression test per-action policy | gotcha #44 silent-403 | procedural | 1 (promoted S45 +10 test) | ✅ | ++ | | authz regression test per-action policy | gotcha #44 silent-403 | procedural | 1 (promoted S45 +10 test) | ✅ | ++ |
| agent frontmatter `model: inherit` (not `[1m]`) | gotcha #37 | procedural | — | ✅ (FD agent loaded S48) | ++ | | agent frontmatter `model: inherit` (not `[1m]`) | gotcha #37 | procedural | — | ✅ (FD agent loaded S48) | ++ |
| **lead = sole RAG-writer** (`store_memory` stripped, mechanized) | store_memory rebootstrap-loss (S41) + AS-3 | procedural | 2 (NamGroup + SE S41) | ✅ runtime S48 (0/8 subs) | +++ (failure-safe) | | **lead = sole RAG-writer** (`store_memory` stripped, mechanized) | store_memory rebootstrap-loss (S41) + AS-3 | procedural | 2 (NamGroup + SE S41) | ✅ runtime S48 (0/8 subs) | +++ (failure-safe) |
| session-end verify memory byte>0 | S46 0-byte (AS-8) | **episodic→promote** | 1 (S46) | ⏳ wired §L.b S48, verify next run | ++ | | session-end verify memory byte>0 | S46 0-byte (AS-8) | procedural | 1 (S46) | ✅ S49 (new mem 2355B + 0 byte-0 scan) | ++ |
| **git-diff + chunk-count post-P2 containment** (defense-in-depth, HMW) | R1 sub-write residual (AS-10) · store_memory bypass (AS-3) | episodic | 1 (S49) | ✅ S49 (caught inv-api self-MEMORY write in git-diff; chunk-count 2414=2414 = 0 RAG-write) | ++ (G-015 honest — NOT allowlist-alone) |
| heavy spawn → `run_in_background` | looks-frozen | episodic | 2 (S45, S48) | ✅ S48 (FD bg) | + | | heavy spawn → `run_in_background` | looks-frozen | episodic | 2 (S45, S48) | ✅ S48 (FD bg) | + |
| RAG glob `**/`-anchored (not root) | gotcha #10 node_modules leak | procedural | 1 (S41) | ✅ (2406 clean) | ++ | | RAG glob `**/`-anchored (not root) | gotcha #10 node_modules leak | procedural | 1 (S41) | ✅ (2406 clean) | ++ |
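Review bot: the "session-end verify memory byte>0" row changes from `episodic→promote` to `procedural` while its count cell still reads `1 (S46)`, under a heading that says "2-strike promote". Either record S49 as the second observation in that cell or note in the row what the promotion was based on, so the index stays consistent with its own promotion rule. In the added git-diff + chunk-count row, the evidence cell reports two separate checks (git-diff catch, chunk-count 2414=2414); splitting them with a separator like the one used in the source cell would make it clearer which check caught what.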
@ -49,6 +51,14 @@ Detect by **action-signature** (NOT "AI tự phán có vi phạm không"). Scan
> Format: `E-NNN | date | rule | what | 5-why root | fix (prod-bug = 2-fix: code + guard) | prevention | tags[TYPE/ACTOR/COMPONENT]` > Format: `E-NNN | date | rule | what | 5-why root | fix (prod-bug = 2-fix: code + guard) | prevention | tags[TYPE/ACTOR/COMPONENT]`
### E-005 — AS-1 `git add -A` on S49 governance commit (self-caught @session-end §L.a)
- **rule (AS-1):** stage specific files, not `git add -A`/`.` (concurrency safety — `feedback_rag_mcp_recovery_concurrency`).
- **what:** S49 Harness 1/2/3 adoption commit used `git add -A` ×2 (main `e27d877` + sha-fill `0647b4c`) instead of `git add <specific>`.
- **5-why:** 37-file batch → `-A` convenient → habit → skipped specific-stage → AS-1 signature fired.
- **fix:** (process) MITIGATED pre-commit — `git add -A --dry-run` verified exact 37-file scope + wave-folder-leak=0 + 0 unintended files BEFORE commit; no concurrent SE session running. Scope was correct → no retroactive re-stage needed. (guard) next multi-file commit → `git add <list>` OR dry-run-verify-first (this session did dry-run = acceptable mitigation).
- **prevention/guard:** Active-Guard AS-1 "add-specific or dry-run-verify-first". Blameless: outcome clean, but signature logged for honesty (§L.a = catch signature, not excuse it).
- **tags:** [git-hygiene / em-main / commit]
### E-004 — gotcha #53 agent truncation mid-MEMORY (recurring S35-S42) ### E-004 — gotcha #53 agent truncation mid-MEMORY (recurring S35-S42)
- **rule:** agent must flush MEMORY before return; em main must receive complete work. - **rule:** agent must flush MEMORY before return; em main must receive complete work.
- **what:** heavy WRITE-agent (implementer/test-specialist) output truncates mid-MEMORY-update; return looks complete but isn't. - **what:** heavy WRITE-agent (implementer/test-specialist) output truncates mid-MEMORY-update; return looks complete but isn't.
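Review bot: in the E-005 fix and prevention bullets, the guard is recorded as "`git add <list>` OR dry-run-verify-first", but the rule bullet gives concurrency safety as the reason for AS-1, and a `git add -A --dry-run` followed by a real `git add -A` are two separate operations, so the staged set can differ from the verified one if anything writes in between. The entry itself leans on "no concurrent SE session running" for that reason. Suggest keeping `git add <list>` as the guard and, if the dry-run path stays, requiring a check of the staged set (for example `git diff --cached --name-only`) after staging and before commit. The entry also has no date field, which the Format line above it lists after `E-NNN`.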