diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml index e98e652e..e057892c 100644 --- a/.github/workflows/gate.yml +++ b/.github/workflows/gate.yml @@ -14,7 +14,14 @@ # - Third-party actions SHA-pinned by full 40-char commit SHA; # trailing `# vX.Y.Z` comments for humans. # - permissions: contents: read at the workflow level; no job -# elevates. No secrets referenced. +# elevates. The only secret referenced is the auto-generated +# per-run secrets.GITHUB_TOKEN (see workflow-level env: block +# below) — needed because mise's aqua: backend authenticates +# to the GitHub API for release-tag lookups. The token +# inherits the read-only permissions; no write escalation. +# Workflow-level scope chosen over per-step for DRY (~7 +# install-toolchain steps would otherwise repeat the env); +# trade-off documented at the env: block. # - Concurrency: workflow-scoped; cancel-in-progress only for PR # events (main pushes queue so every main commit gets a record). # - fail-fast: false so one OS failure doesn't hide another. diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md index 271a18a1..54a965e0 100644 --- a/docs/BACKLOG.md +++ b/docs/BACKLOG.md @@ -10703,8 +10703,8 @@ systems. This track claims the space. - [ ] **Exempt `memory/CURRENT-*.md` from memory-index- integrity paired-edit trigger.** The `memory-index-integrity.yml` workflow (NSA-001 guard) - requires any modify to a top-level `memory/*.md` file - to be paired with a `memory/MEMORY.md` edit in the same + requires any add-or-modify on a top-level `memory/*.md` + file to be paired with a `memory/MEMORY.md` edit in the same PR. The intent is real — new session memories must have index pointers — but the trigger-exemption list (`memory/README.md`, `memory/persona/*`, `memory/MEMORY.md` diff --git a/docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md b/docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md index 29716744..dbec1cc3 100644 
--- a/docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md +++ b/docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md @@ -153,7 +153,7 @@ output.** |---|---|---| | G_similarity | `sim(e_q, e_y) < τ_low` — below retrieval-noise floor | `sim < τ_med` — weak match only | | G_evidence_independent | `y` has no independent-oracle-verified evidence | `y` has evidence but only self-attested | -| G_carrier_overlap | `overlap(q, y) > θ_high` where `overlap(q, y) = 0` when `size(cone(y)) = 0`, else `size(cone(q) ∩ cone(y)) / size(cone(y))` — majority of y's provenance shared with q | `overlap(q, y) > θ_med` | +| G_carrier_overlap | `overlap(q, y) > θ_high` (majority of y's provenance shared with q) **OR** `size(cone(y)) = 0` (no provenance to verify against — carrier-laundering safeguard treats missing-lineage as suspicious, not clean) | `overlap(q, y) > θ_med`. When `size(cone(y)) > 0`, `overlap(q, y) = size(cone(q) ∩ cone(y)) / size(cone(y))`. | | G_contradiction | `y` or its provenance cone contains an unresolved contradiction with a known-good anchor | a resolved contradiction within cone | | G_status | `y.status = known-bad` or `y.status = superseded` | `y.status = unresolved` (no status pins it) |
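Review bot: In the `.github/workflows/gate.yml` hunk, the new header comment claims "The token inherits the read-only permissions; no write escalation", but the `env:` block it points to and the job-level `permissions:` are not in this diff, so neither claim can be checked from the hunk alone; please include the `env:` block change in the same PR (or quote it in the description) so the comment and the configuration are reviewed together. The comment should also state the actual cost of the workflow-level scope: a workflow-level `env:` makes `secrets.GITHUB_TOKEN` visible to every step of every job, including the SHA-pinned third-party actions, not only the ~7 mise install-toolchain steps that need it for aqua release-tag lookups, and that exposure is the trade-off a reader of "trade-off documented at the env: block" is looking for.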
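Review bot: In the `docs/BACKLOG.md` hunk, widening the description from "any modify" to "any add-or-modify" changes what the proposed exemption has to cover, but the item still does not say whether `memory/CURRENT-*.md` should be exempt for adds as well as modifies. Since the stated intent ("new session memories must have index pointers") is specifically about added files, one sentence saying the exemption applies to both events, or only to modifies, would keep the backlog item and the `memory-index-integrity.yml` trigger it describes in step.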
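Review bot: In the `G_carrier_overlap` row of the research-doc hunk, the definition of `overlap(q, y)` has moved into the medium-severity cell and now only covers `size(cone(y)) > 0`, while the high-severity cell handles the empty-cone case by a separate `OR` clause; an implementer reading the medium cell alone will hit the `size(cone(y)) = 0` division with no stated value. Suggest defining `overlap` once, above the table or in a footnote, and stating explicitly that when `size(cone(y)) = 0` the high-severity trigger fires and the medium-severity comparison is not evaluated. It would also help to note what this new rule means for the `y` with legitimately empty lineage (e.g. a root anchor), since the hunk's own wording, "treats missing-lineage as suspicious, not clean", makes that a deliberate false-positive source the threshold text should acknowledge.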