Tighten chain-family output wording and proof boundaries

.github/pull_request_template.md

@@ -18,3 +18,4 @@
 
 - [ ] Focused, single-purpose change
 - [ ] No secrets introduced
+- [ ] Non-operator docs were kept out of the repo unless they are required for build, validation, release, install, or packaging

CONTRIBUTING.md

@@ -33,18 +33,30 @@ pytest -m integration
 
 ## Semantics + Contracts
 
+- Before changing output wording, proof language, help text, or artifact behavior that could apply
+  across the HarrierOps family, read:
+  - the shared family style guide
+  - the shared family style guide applicability register
 - Keep command boundaries stable.
 - Use normalized models under `src/azurefox/models/`.
 - Keep JSON output deterministic and schema-compatible.
+- Keep family-wide truthfulness rules, claim-strength rules, and partial-read rules aligned with
+  the shared family documents instead of re-inventing them in repo-local prose.
 - Update schemas with `python scripts/generate_schemas.py`.
+- If AzureFox needs a documented wording or contract exception, update the applicability register in
+  the same change instead of leaving the exception implied only by local docs, help text, or tests.
 
 ## Documentation Boundaries
 
 - Keep live operator guidance in `azurefox help`, `azurefox help <command>`, `README.md`, and curated `docs/` content.
-- Treat `wiki/` as source material for intentional long-form wiki pages, not as a catch-all for internal planning notes.
-- Do not add new command-by-command planning trees under `wiki/` unless they are actively maintained and have a clear published destination.
-- If a note is temporary design scratch work, keep it out of the main repo or remove it once the implementation lands.
-- If planning material becomes durable user-facing documentation, promote it into a maintained docs/wiki page instead of leaving README links pointed at planning notes.
+- Keep non-operator documentation out of the repo unless the file is directly needed for build,
+  validation, release, install, or packaging flow.
+- Treat maintainer-only planning, drift-control, and family-governance notes as external reference
+  material rather than repo content.
+- If a temporary note or governance reminder lands locally during implementation, remove it before
+  merge unless it is truly required for the repo to build, validate, release, install, or package.
+- If planning material becomes durable user-facing documentation, promote it into maintained
+  operator documentation instead of leaving internal notes in the repo.
 
 ## Lightweight Guardrails (Solo)
 
@@ -56,3 +68,5 @@ pytest -m integration
 - Local pre-push hook blocks `codex` branch names, blocks direct pushes to `main`, and runs lint/tests.
 - CI blocks Codex-branded PR titles.
 - Temporary bypass for emergency push: `AZUREFOX_ALLOW_MAIN_PUSH=1 git push`.
+- Before merge, remove any non-operator doc that is not required for build, validation, release,
+  install, or packaging.

src/azurefox/chains/credential_path.py

@@ -363,9 +363,11 @@ def _build_candidate_record(
             target_resolution=target_resolution,
             visibility_note=visibility_note,
         ),
-        missing_confirmation=(
-            f"AzureFox has not yet shown which {target_service} this setting reaches or whether "
-            "the credential works there."
+        missing_confirmation=_candidate_missing_confirmation(
+            target_service=target_service,
+            target_resolution=target_resolution,
+            target_count=len(target_ids),
+            visibility_issue=visibility_issue,
         ),
         related_ids=_merge_related_ids(
             env.get("related_ids", []),
@@ -451,29 +453,75 @@ def _candidate_confidence_boundary(
 ) -> str:
     if target_resolution == "visibility blocked":
         return (
-            f"AzureFox cannot name the downstream {target_service} under current target-side "
-            "visibility; do not treat this as a confirmed credential path."
+            f"Current scope does not confirm which downstream {target_service} target this "
+            "setting reaches."
         )
 
     if target_resolution == "narrowed candidates":
         candidate_count = max(len(target_names), 1)
+        candidate_text = "candidate" if candidate_count == 1 else "candidates"
         return (
-            f"AzureFox narrowed this to {candidate_count} visible {target_service} candidate(s), "
-            "but has not yet proved the exact target or a working credential."
+            f"AzureFox narrowed this to {candidate_count} visible {target_service} "
+            f"{candidate_text}, but the loaded evidence does not name the exact target, so this "
+            "setting is not confirmed to reach it."
         )
 
     if target_resolution == "tenant-wide candidates":
         return (
             f"AzureFox can only narrow this to a broad visible {target_service} set so far; "
-            "the exact target and working credential remain unconfirmed."
+            "the loaded evidence does not name the exact target, so this setting is not "
+            "confirmed to reach a specific downstream target."
         )
 
     if target_resolution == "service hint only":
         return (
-            f"AzureFox only has a service hint for this {target_service} path so far; the "
-            "downstream target and working credential remain unconfirmed."
+            f"AzureFox only has a service hint for this {target_service} path so far; no "
+            "concrete downstream target is visible, so this setting is not confirmed to reach a "
+            "specific downstream target."
         )
 
+    return (
+        f"AzureFox has not yet proved the exact downstream {target_service} target, so this "
+        "setting is not confirmed to reach a specific downstream target."
+    )
+
+
+def _candidate_missing_confirmation(
+    *,
+    target_service: str,
+    target_resolution: str,
+    target_count: int,
+    visibility_issue: str | None,
+) -> str:
+    if target_resolution == "visibility blocked" or visibility_issue:
+        return (
+            f"Current scope does not confirm which {target_service} target this setting reaches. "
+            "AzureFox also has not proved a working credential there."
+        )
+    if target_resolution == "narrowed candidates":
+        if target_count == 1:
+            return (
+                f"Current env-vars and token surfaces narrow this to one visible "
+                f"{target_service} candidate, but they do not name the exact downstream target. "
+                "AzureFox also has not proved a working credential there."
+            )
+        return (
+            f"Current env-vars and token surfaces narrow this to {target_count} visible "
+            f"{target_service} candidates, but they do not show which one this setting reaches. "
+            "AzureFox also has not proved a working credential against any listed target."
+        )
+    if target_resolution == "tenant-wide candidates":
+        return (
+            f"Current evidence only narrows this to a broad visible {target_service} set and "
+            "does not name the exact downstream target. AzureFox also has not proved a working "
+            "credential there."
+        )
+    if target_resolution == "service hint only":
+        return (
+            f"Current evidence suggests a {target_service} path, but no concrete downstream "
+            "target is visible from current inventory and AzureFox has not proved a working "
+            "credential."
+        )
     return (
         f"AzureFox has not yet proved the exact downstream {target_service} target or a working "
         "credential."

src/azurefox/chains/registry.py

@@ -40,8 +40,8 @@ class ChainFamilySpec:
         ),
         allowed_claim=(
             "Can claim that the visible evidence suggests a likely credential path and name the "
-            "most plausible downstream service. Cannot claim the credential works or that the path "
-            "is confirmed without deeper source evidence."
+            "most plausible downstream service. Cannot claim the exact downstream target or that "
+            "the setting is confirmed to reach it."
         ),
         current_gap=(
             "The live family now joins backing evidence in one run, but it still needs periodic "
@@ -142,8 +142,8 @@ class ChainFamilySpec:
         allowed_claim=(
             "Can claim that the visible evidence suggests a controllable or nearly controllable "
             "Azure change path and can name or narrow the likely downstream footprint when the "
-            "join is honest. Cannot claim successful execution or exact downstream change without "
-            "deeper source evidence."
+            "join is honest. Cannot claim successful execution or the exact downstream Azure "
+            "change from current visible evidence alone."
         ),
         current_gap=(
             "The live family still needs stronger source-side actionability proof and tighter "