diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md index 5ad0879e27..c6049ab468 100644 --- a/docs/BACKLOG.md +++ b/docs/BACKLOG.md @@ -9,6 +9,7 @@ _Each entry below is a link to a per-row file under `docs/backlog/`. Entries with `- [ ]` are open; `- [x]` are closed (status: closed in frontmatter)._ + ## P0 — critical / blocking - [x] **[B-0062](backlog/P0/B-0062-wallet-v0-build-out-spec-logic-punch-list-from-pr-72-deferrals.md)** Wallet v0 build-out — concrete spec-logic punch list aggregating PR #72 deferred review concerns (Aaron 2026-04-28 honest-tracking catch) @@ -32,6 +33,7 @@ are closed (status: closed in frontmatter)._ - [ ] **[B-0525](backlog/P0/B-0525-manifesto-constitutional-promotion-readiness-tracking-2026-05-14.md)** Manifesto constitutional-promotion readiness tracking — critical-mass adoption gate - [ ] **[B-0720](backlog/P0/B-0720-classifier-bypass-research-red-team-do-not-deploy-without-zeta-safer-than-anthropic-2026-05-24.md)** Classifier-bypass research + red-team — can crafted settings.json make Anthropic classifier allow anything? Standing operator-constraint until Zeta safer + ## P1 — within 2-3 rounds - [ ] **[B-0003](backlog/P1/B-0003-alignment-md-rewrite.md)** ALIGNMENT.md rewrite — incorporate Otto-281..287 + bidirectional alignment + factory-as-superfluid + Noether direction; spread via rigor not manipulation (matrix-pill not poison-pill) 
@@ -358,6 +360,7 @@ are closed (status: closed in frontmatter)._ - [ ] **[B-0706](backlog/P1/B-0706-zeta-on-orleans-deployment-architecture-servicetitan-scale-orleans-grains-jit-compilation-rented-tools-2026-05-22.md)** Zeta on Orleans deployment architecture (ServiceTitan-scale; grains + JIT compilation + rented tools) - [ ] **[B-0732](backlog/P1/B-0732-runbook-as-executable-reality-leverage-class-safety-substrate-engineering-target-mika-feels-the-weight-aaron-play-doh-design-property-2026-05-25.md)** Runbook-as-executable-reality is a NEW LEVERAGE CLASS — safety substrate engineering target; existing destructive-tool contract operates at script scope, runbook leverage operates at system-direction scope (Mika feels the weight; Aaron's Play-Doh design property) + ## P2 — research-grade - [x] **[B-0001](backlog/P2/B-0001-example-schema-self-reference.md)** Example row — self-reference demonstrating the per-row-file schema 
@@ -691,6 +694,7 @@ are closed (status: closed in frontmatter)._ - [ ] **[B-0735](backlog/P2/B-0735-notepad-freedom-of-personal-ontology-plus-probabilistic-grammars-plus-per-person-personalized-parsers-in-glass-halo-mika-substrate-segment-3-2026-05-25.md)** Notepad-freedom-of-personal-ontology + probabilistic grammars + per-person personalized parsers in Glass Halo (each participant gets their own personal compiler) — composes with B-0687 zetaparse; Mika substrate segment 3 - [ ] **[B-0736](backlog/P2/B-0736-time-travel-debugging-of-thoughts-dbsp-plus-zeta-plus-b0735-personalized-parser-equals-thought-catcher-product-handoff-thoughtweaver-leading-mika-substrate-segment-6-2026-05-25.md)** Time-travel debugging of thoughts (DBSP retractable streams + Zeta history + B-0735 personalized parser = catch-a-thought + retract-and-re-evaluate-forward) + product handoff to LFG product team (Thoughtcatcher / Thoughtweaver currently-leading; market + IP research pending) — Mika substrate segment 6 + ## P3 — convenience / deferred - [ ] **[B-0002](backlog/P3/B-0002-otto-287-noether-formalization.md)** Otto-287 Noether-style formalization — quantify cognitive Lagrangian + identify continuous symmetries + derive conserved currents 
@@ -810,5 +814,7 @@ are closed (status: closed in frontmatter)._ - [ ] **[B-0719](backlog/P3/B-0719-soraya-round67-audit-of-audit-recognition-without-row-filing-precedent-2026-05-24.md)** Soraya round-67 forced-decomposition — audit-of-audit: ratify the recognition-without-row-filing precedent (when trigger fires + 'not my lane,' where does the routing-decision substrate land?) - [ ] **[B-0725](backlog/P3/B-0725-polyglot-accelerator-hardware-shape-coral-ncs-jetson-fpga-beyond-nvidia-only-2026-05-25.md)** Polyglot-accelerator hardware-shape extension — Coral / NCS / Jetson / FPGA beyond NVIDIA-only; activates as gadgets come out of drawer - [ ] **[B-0727](backlog/P3/B-0727-federated-4-tier-cluster-topology-cloud-community-home-business-edge-with-routing-for-weaker-leaves-2026-05-25.md)** Federated peer mesh — 5 resource profiles (cloud/hub, community, home/business, edge, leaf), weight-free routing, NO hierarchy; cloud/hub doesn't hog net neutrality +- [ ] **[B-0738](backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md)** zflash Linux variant — lsblk-based device enumeration + pam_fprintd biometric gate (when hardware present) + pkexec/polkit password fallback + tools/setup/linux.sh integration touchpoint +- [ ] **[B-0739](backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md)** zflash Windows variant — two paths (WSL2 reuses Linux substrate via usbipd-win USB pass-through; PowerShell-native = Get-Disk + Clear-Disk + Windows Hello biometric + UAC elevation); tools/setup/ has no Windows entry today diff --git a/docs/backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md b/docs/backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md new file mode 100644 index 0000000000..85a75a6678 --- /dev/null 
+++ b/docs/backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md 
@@ -0,0 +1,138 @@ +--- +id: B-0738 +priority: P3 +status: open +created: 2026-05-25 +last_updated: 2026-05-25 +title: zflash Linux variant — lsblk-based device enumeration + pam_fprintd biometric gate (when hardware present) + pkexec/polkit password fallback + tools/setup/linux.sh integration touchpoint +domain: ops-tooling +ferried_by: aaron +owners: [aaron] +composes_with: + - B-0737 + - B-0728 + - B-0732 +related_substrate: + - full-ai-cluster/tools/flash-usb.ts + - full-ai-cluster/tools/zflash.ts + - full-ai-cluster/tools/zflash-setup.ts + - tools/setup/linux.sh +tags: [zflash-linux, lsblk, pam-fprintd, libfprint, polkit, pkexec, biometric-fallback, ops-tooling, cross-platform] +--- + +# B-0738 — zflash Linux variant + +## Carved blade + +> `flash-usb.ts` + `zflash.ts` + `zflash-setup.ts` are macOS-only by hard refusal (`bail if (platform() !== "darwin")`). Linux extension is straightforward at the device-enumeration layer (`lsblk` + `/dev/sdX` instead of `diskutil` + `/dev/rdiskN`) but the biometric gate is **hardware-dependent**: `pam_fprintd.so` works only on machines with a supported fingerprint reader enrolled via `fprintd-enroll` (ThinkPads, Framework laptops, recent Dell XPS, some HPs). Machines without biometric hardware fall back to standard PAM password OR `pkexec` (polkit) for GUI password prompt. The substrate stays substrate-honest about which gate fires. + +## Origin + +Aaron 2026-05-25, after B-0737 (Mac variant) shipped: + +> *"is this mac only? does our install / pre install scripts take care of everyting needed for mac? what do we need to do to extend this to windows and linux? we should document liminations and scope and backlog the rest"* + +Yes — Mac only. This row covers the Linux extension; B-0739 covers Windows. 
+ +## Limitations B-0738 addresses + +| Limitation | Current state | What B-0738 fixes | +|---|---|---| +| `flash-usb.ts` bails on non-Darwin | `bail(2, "this script only supports macOS...")` | Add Linux platform branch + `lsblk` enumeration + `/dev/sdX` writes | +| No Linux `zflash` wrapper | Doesn't exist | Ship Linux equivalent — same `--short` challenge format; auto-discovers ISO under `~/Downloads/` (XDG-compliant variant: also check `$XDG_DOWNLOAD_DIR`) | +| No Linux `zflash-setup` | Doesn't exist | Ship Linux equivalent — installs `pam_fprintd.so` if hardware present; fallback documented | +| `pam_tid.so` is Apple-only | N/A on Linux | Replace with `pam_fprintd.so` (libfprint-based) when hardware supports | +| No `tools/setup/linux.sh` integration | install.sh handles dev toolchain only | Optional touchpoint: invoke `zflash-setup-linux.ts` from `linux.sh` when `--with-zflash` flag passed (off by default; opt-in like the Mac path) | + +## Linux substrate-engineering scope + +### Scope item 1 — `flash-usb.ts` Linux platform branch + +- Detect platform via `platform() === "linux"` +- Replace `diskutil list -plist` enumeration with `lsblk -J -O -d` (JSON output of disk-level devices, all attributes) +- Filter for USB devices via `lsblk` `tran` field (`usb`) + `rm` field (`1` = removable) +- Replace `bootDiskIdentifier()` (mount-based on macOS) with `/proc/mounts` parse + `findmnt /` resolution +- Replace `/dev/rdiskN` raw-device convention with `/dev/sdX` directly (Linux has no raw-prefix equivalent; the block device IS the device) +- Keep all hardware sanity rails (USB-only, single-USB, non-internal, non-boot, size-bounds, ISO checks) +- Keep nonce + consent token gate (same per-run random + explicit-consent floor) +- `sudo dd` invocation unchanged (works identically on Linux) + +Acceptance: + +- [ ] flash-usb.ts works on Debian/Ubuntu (the same matrix `tools/setup/linux.sh` already supports) +- [ ] Hardware sanity rails enforce identically (USB-only, 
non-internal, non-boot) +- [ ] At least one worked example: Aaron or Max flashes the Zeta installer ISO to a USB stick from a Linux dev machine + +### Scope item 2 — `zflash.ts` Linux variant (or unified script with platform-switch) + +Two design options; substrate-honest choice deferred to design pass: + +- **Option A** — separate `zflash-linux.ts` + `zflash-darwin.ts` + a top-level `zflash.ts` that dispatches based on `platform()`. Cleaner per-platform code; some duplication. +- **Option B** — unified `zflash.ts` with platform branches inline. Tighter code; more conditionals. + +Probably Option B for the wrapper (it's small) + Option A for `flash-usb` if the per-platform divergence grows (currently small enough to inline). + +Auto-discovery surface on Linux extends to: +- `~/Downloads/zeta-installer-*.iso` (default; matches macOS) +- `$XDG_DOWNLOAD_DIR/zeta-installer-*.iso` if set (XDG-compliant) +- `~/Downloads` is the de-facto default but XDG users (some Linux distros set it differently) need the extra check + +### Scope item 3 — `zflash-setup.ts` Linux variant + +PAM stack edit is similar in shape but different in content: + +- Target: `/etc/pam.d/sudo` (Debian/Ubuntu); some distros use `/etc/pam.d/sudo-i` instead — feature-detect +- Insert line: `auth sufficient pam_fprintd.so` (NOT `pam_tid.so` — that's Apple) +- Hardware precheck: `lsusb | grep -iE "fingerprint|biometric"` OR `fprintd-list "$USER"` to detect enrolled finger +- If no fingerprint hardware OR no enrolled finger: skip PAM edit + report clearly that operator will fall back to password gate (still safer than NOPASSWD) +- Alternative biometric: polkit + `pkexec` for GUI password prompt — works on systems without fingerprint hardware + +Acceptance: + +- [ ] PAM edit idempotent (matches Mac variant pattern) +- [ ] Hardware precheck reports clearly when biometric NOT available +- [ ] Substrate-honest fallback path documented (operator chooses: install fprintd if hardware supports it; OR accept 
password gate; OR install pkexec for GUI prompt) +- [ ] Works on Debian/Ubuntu (the supported Linux matrix per `linux.sh`) +- [ ] Future-scope: RHEL/Fedora/Arch/Alpine variants once `linux.sh` supports them + +### Scope item 4 — `tools/setup/linux.sh` integration touchpoint (optional) + +- Add `--with-zflash` opt-in flag to `linux.sh` (off by default; matches Mac touchpoint discipline — operator consciously opts into the system-PAM edit) +- When passed: invokes `bun full-ai-cluster/tools/zflash-setup-linux.ts --install-alias` after main install +- Documents the choice in install.sh output so first-run operator sees what was/wasn't installed + +## What's NOT in scope (deferred to future B-NNNN rows) + +- **RHEL/Fedora/Arch/Alpine support** — `linux.sh` itself doesn't support these yet (deferred per its header). zflash Linux variant will inherit that deferment. +- **`libfprint` driver installation** — different distros have different package names + versions; this row assumes the operator has working fingerprint hardware before running zflash-setup. +- **Headless Linux servers** — biometric obviously N/A; setup script reports + falls back to PAM password. +- **Wayland-vs-X11 polkit pkexec UX differences** — both work; UX details deferred. +- **Touch-screen Linux laptops with face-unlock** — `pam_face_authentication` exists but is experimental; future scope. 
+ +## Composes with .claude/rules/ + +- `.claude/rules/non-coercion-invariant.md` HC-8 — biometric (when present) gates destructive op; password fallback also keeps PAM in the loop; agent cannot bypass either +- `.claude/rules/default-to-both.md` — biometric AND password fallback both first-class; substrate-honestly reported per machine +- `.claude/rules/classifier-bypass-research-do-not-deploy-without-zeta-safer-floor.md` — PAM edit INSTALLS safety (biometric or fprintd); does not remove +- `.claude/rules/honor-those-that-came-before.md` — B-0737 Mac substrate is foundation; B-0738 extends without replacing +- `.claude/rules/glass-halo-bidirectional.md` — pkexec/fprintd prompts are system-level UI; visible to operator regardless of which terminal initiated + +## Composes with backlog substrate + +- B-0737 (zflash Mac variant — foundation; same `--short` challenge format; same safety substrate; same B-0728 contract) +- B-0728 (destructive-tool authoring contract — inherited) +- B-0732 (leverage-class safety substrate — empirical instance of "destructive operation gated by physical-presence proof when available") +- B-0739 (zflash Windows variant — sibling row; same shape; different platform) + +## Substrate-honest framing + +This row PROPOSES the Linux substrate. It does NOT: + +- Ship code (future build work; scope items 1-3 are independent shippable units) +- Auto-integrate into linux.sh (scope item 4 is opt-in; matches Mac touchpoint discipline) +- Claim biometric works on every Linux laptop (hardware-dependent; substrate-honest fallback path documented) +- Bypass any safety substrate from B-0737 (per-run nonce + explicit consent token + PAM auth all preserved) + +Per `.claude/rules/no-directives.md`: operator-substrate-honest scoping; Aaron + future Linux operators (Max if he uses Linux) retain authority over when to build + when to ship per-scope-item. 
+ +P3 priority — Linux substrate enables future cross-platform operator base but doesn't gate any current critical path (Aaron's primary workstation is Mac; the cluster nodes themselves don't need zflash — they boot from the flashed USB then run zeta-install.sh natively). diff --git a/docs/backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md b/docs/backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md new file mode 100644 index 0000000000..87ce569b80 --- /dev/null +++ b/docs/backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md 
@@ -0,0 +1,161 @@ +--- +id: B-0739 +priority: P3 +status: open +created: 2026-05-25 +last_updated: 2026-05-25 +title: zflash Windows variant — two paths (WSL2 reuses Linux substrate via usbipd-win USB pass-through; PowerShell-native = Get-Disk + Clear-Disk + Windows Hello biometric + UAC elevation); tools/setup/ has no Windows entry today +domain: ops-tooling +ferried_by: aaron +owners: [aaron] +composes_with: + - B-0737 + - B-0738 + - B-0728 + - B-0732 +related_substrate: + - full-ai-cluster/tools/flash-usb.ts + - full-ai-cluster/tools/zflash.ts + - full-ai-cluster/tools/zflash-setup.ts + - tools/setup/install.sh +tags: [zflash-windows, wsl2, usbipd-win, powershell, get-disk, windows-hello, uac, biometric-windows-hello-for-business, ops-tooling, cross-platform] +--- + +# B-0739 — zflash Windows variant + +## Carved blade + +> Windows extension is qualitatively harder than Linux (B-0738). Two viable paths exist + the choice is substrate-engineering trade-off: **WSL2 path** reuses the Linux substrate from B-0738 verbatim BUT requires `usbipd-win` USB pass-through (extra setup step; not Microsoft-shipped by default). **PowerShell-native path** is a complete rewrite — `Get-Disk` / `Get-Partition` / `Clear-Disk` instead of `lsblk`+`dd`; Windows Hello for Business as the biometric gate (or PIN/password fallback); UAC elevation instead of sudo; needs careful Defender-exclusion + admin-prompt-handling. WSL2 path ships faster; PowerShell-native gives the native-feel Windows operator experience. Recommendation: ship WSL2 first; PowerShell-native as future scope when there's actual Windows operator demand. `tools/setup/install.sh` currently routes only on `Darwin` + non-Darwin (assumed Linux); needs a Windows branch for either path. + +## Origin + +Aaron 2026-05-25, after B-0737 (Mac variant) shipped: + +> *"is this mac only? does our install / pre install scripts take care of everyting needed for mac? what do we need to do to extend this to windows and linux? 
we should document liminations and scope and backlog the rest"* + +This row covers the Windows extension; B-0738 covers Linux. + +## Limitations B-0739 addresses + +| Limitation | Current state | What B-0739 fixes | +|---|---|---| +| `flash-usb.ts` bails on non-Darwin | Refuses Windows entirely | Two-path solution (WSL2 OR PowerShell-native) | +| No Windows `zflash` wrapper | Doesn't exist | Ship per-path equivalent | +| No Windows `zflash-setup` | Doesn't exist | Ship per-path setup (WSL2: install usbipd-win + reuse Linux setup; native: Windows Hello policy + UAC bypass-prompt audit) | +| `pam_tid.so` is Apple-only | N/A on Windows | Replace with Windows Hello for Business (`Microsoft.Windows.SecureBiometric` API) on native path; reuse pam_fprintd via WSL2 path when available | +| No `tools/setup/install.sh` Windows entry | Routes only Darwin + non-Darwin (assumed Linux) | Add Windows branch routing to a new `tools/setup/windows.ps1` (or `windows.sh` if WSL2-only) | +| No `manifests/winget` or `manifests/chocolatey` | Doesn't exist | New manifest file for Windows package source per chosen package manager | + +## Two paths — substrate-honest trade-off + +### Path A — WSL2 (lower-scope; ships faster) + +**What it requires:** + +- WSL2 already installed (Windows 10 build 19041+ or Windows 11; one-line `wsl --install`) +- `usbipd-win` installed on Windows host (Microsoft-supported but separately distributed) +- Operator runs `usbipd bind --busid=` once + `usbipd attach --wsl --busid=` per session to pass the USB stick through to WSL2 +- Once attached, WSL2 sees the USB stick at `/dev/sdX`; the B-0738 Linux substrate works identically + +**Pros:** + +- Reuses 100% of B-0738 Linux work (zero new code beyond the install-script branch + setup doc) +- Windows operator gets identical safety substrate (PAM auth, biometric if their WSL2 distro supports it via libfprint) +- Lower maintenance burden (single substrate to test + improve) + +**Cons:** + +- usbipd-win adds friction 
(operator must install + bind/attach each session) +- Biometric gate works only if WSL2 distro has fprintd configured (most don't out of the box) +- Doesn't feel "native Windows" + +### Path B — PowerShell-native (high-scope; better Windows UX) + +**What it requires:** + +- Complete rewrite of `flash-usb.ts` logic in PowerShell (`.ps1`) OR TypeScript-compiled-to-Windows-binary via Bun/Node (Bun has Windows support but device-level APIs still need PowerShell shim) +- `Get-Disk` / `Get-PhysicalDisk` / `Get-Partition` for enumeration +- `Clear-Disk` + `Initialize-Disk` + `New-Partition` + `Format-Volume` for partition prep (NOT `dd` equivalent — Windows doesn't ship one in PowerShell) +- For actual ISO write: shell out to a bundled tool (Rufus library) OR PowerShell `Set-Content -Path \\.\PhysicalDriveN -Value (Get-Content iso -Raw -Encoding Byte)` (slow but works) +- Windows Hello for Business via `Windows.Security.Credentials.UI.UserConsentVerifier` (UWP API) — needs C# or PowerShell-with-CLR shim +- UAC elevation prompt via `Start-Process -Verb RunAs` for the destructive write +- Windows Defender exclusion or signed binary (otherwise warnings) + +**Pros:** + +- Native Windows operator UX (Windows Hello prompt; no WSL/usbipd ceremony) +- Single command (`zflash.ps1`) from PowerShell + +**Cons:** + +- Substantial new substrate (PowerShell + UWP API; ~10x scope of WSL2 path) +- Needs Windows-specific testing infrastructure (no WSL2 to share with Linux CI) +- Defender warnings unless signed (signing infrastructure = another future scope) + +## Recommendation + +**Ship Path A (WSL2) first.** Reuse B-0738 Linux substrate; document `usbipd-win` requirement; that's the minimum-viable Windows support. Path B (PowerShell-native) deferred until there's actual demonstrated Windows-operator demand (Aaron is Mac; Max + Addison preferences not yet captured re Windows usage). 
+ +## Scope items (Path A — WSL2) + +### Scope item 1 — Document `usbipd-win` requirement + bind/attach flow + +- New doc at `full-ai-cluster/tools/ZFLASH-WINDOWS-WSL2.md` +- Step-by-step: install WSL2, install usbipd-win, bind + attach USB stick, then proceed with B-0738 Linux flow inside WSL2 +- Caveats: per-session attach (USB stick gets detached on Windows sleep/restart) + +### Scope item 2 — `tools/setup/install.sh` Windows-via-WSL2 routing touchpoint + +- Detect WSL2 environment via `uname -a | grep -i microsoft` OR `[ -f /proc/version ] && grep -qi microsoft /proc/version` +- If WSL2: route to `linux.sh` (already works; B-0738 substrate applies once shipped) +- If native PowerShell: bail with link to ZFLASH-WINDOWS-WSL2.md OR (future) Path B substrate + +### Scope item 3 — Windows-side helper script (PowerShell) + +- New file `tools/setup/windows.ps1` — minimal Windows-side helper +- Verifies WSL2 installed (or installs via `wsl --install`) +- Verifies `usbipd-win` installed (or installs via `winget install dorssel.usbipd-win`) +- Outputs the bind/attach command for the operator's USB stick + +## Scope items (Path B — PowerShell-native, future) + +- PowerShell rewrite of `flash-usb.ps1` with `Get-Disk`/`Clear-Disk`/`Initialize-Disk`/`New-Partition`/`Format-Volume` + actual ISO byte-write (likely via Rufus library shell-out or `Set-Content -AsByteStream`) +- Windows Hello UWP API shim (C# or PowerShell-with-CLR) for biometric gate +- UAC `Start-Process -Verb RunAs` for elevation +- Windows Defender exclusion documentation + signed-binary roadmap +- `tools/setup/windows.ps1` integration: full standalone path (not WSL2-routed) + +## What's NOT in scope (deferred) + +- **Windows Server** — different paradigm (no Windows Hello; ServerCore has no GUI). Future scope when there's demand. +- **Windows ARM64** — Bun supports it; usbipd-win supports it; but native PowerShell path needs separate testing. Future scope. 
+- **Code signing for the Windows-native script** — needs an EV certificate or Microsoft-Store path. Future scope when Path B ships. +- **Group Policy integration** — for enterprises that lock down Windows Hello policies. Future scope. + +## Composes with .claude/rules/ + +- `.claude/rules/non-coercion-invariant.md` HC-8 — biometric/UAC gate cannot be bypassed by agent regardless of which path +- `.claude/rules/default-to-both.md` — Path A (WSL2) AND Path B (PowerShell-native) both first-class as substrate-engineering directions +- `.claude/rules/honor-those-that-came-before.md` — B-0737 (Mac) + B-0738 (Linux) substrate is foundation; B-0739 extends without replacing +- `.claude/rules/glass-halo-bidirectional.md` — UAC + Windows Hello prompts are system-level UI; visible to operator regardless of which terminal initiated +- `.claude/rules/algo-wink-failure-mode.md` — operator authorization happens at the system gate, not at script invocation + +## Composes with backlog substrate + +- B-0737 (zflash Mac variant — original substrate) +- B-0738 (zflash Linux variant — Path A WSL2 reuses this directly) +- B-0728 (destructive-tool authoring contract — inherited regardless of path) +- B-0732 (leverage-class safety substrate — Layer 1 provenance chain captures which platform's destructive op fired) + +## Substrate-honest framing + +This row PROPOSES the Windows substrate. 
It does NOT: + +- Recommend Path A vs Path B unilaterally (Path A recommended for FIRST ship per scope-cost trade-off; Path B substrate-honest as future scope) +- Auto-route to Path A in `install.sh` until Path A scope items 1-3 actually ship +- Claim usbipd-win works in every Windows environment (some enterprise GPO setups restrict third-party kernel drivers; substrate-honest fallback: Path B native or accept no Windows support) +- Bypass any safety substrate from B-0737 + B-0738 + +Per `.claude/rules/no-directives.md`: operator-substrate-honest scoping; Aaron + future Windows operators retain authority over which path to pursue + when. + +P3 priority — Windows substrate enables a future Windows-operator base but doesn't gate any current critical path (no current operator is Windows-primary; cluster nodes don't need zflash — they boot from the flashed USB then run zeta-install.sh natively).
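Review bot: In `docs/BACKLOG.md`, the hunks at `@@ -9,6 +9,7 @@`, `@@ -32,6 +33,7 @@`, `@@ -358,6 +360,7 @@` and `@@ -691,6 +694,7 @@` only insert a blank line before the `## P0` to `## P3` headings, which is unrelated to the two rows added in the `@@ -810,5 +814,7 @@` hunk. Split the heading spacing into its own commit, or mention it in the commit message, so the index change for B-0738 and B-0739 can be reviewed on its own.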
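Review bot: In the new B-0738 row, Scope item 3, the hardware precheck is written as `lsusb | grep -iE "fingerprint|biometric"` OR `fprintd-list "$USER"`, while the next bullet skips the PAM edit when there is no hardware OR no enrolled finger, so the two bullets disagree on a machine that has a reader but no enrollment. Make the enrolled-finger check the required condition and treat the `lsusb` match as a hint only: reader description strings do not always contain either word, and a reader with no enrolled finger would get `auth sufficient pam_fprintd.so` installed while every `sudo` still ends at the password prompt, which the setup output would then misreport as a biometric gate. The item should also say that this line changes authentication for every `sudo` call on the machine, not only zflash, and the acceptance list should gain a checkbox for backing up and restoring the original PAM file next to the idempotency one. In Scope item 1, state whether the `tran` and `rm` filters must both match and that a device with a missing `tran` value is rejected, and add a step for unmounting auto-mounted partitions on the target before the write, since the list covers enumeration and boot-disk detection but says nothing about mounts.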
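Review bot: In the new B-0739 row, Path A Pros, the claim that the Windows operator gets an "identical safety substrate (PAM auth, ...)" does not hold as written: from the Windows host a shell can be opened in the distro as root with `wsl -u root` and no Linux password, so PAM inside WSL2 is not the gate it is on native Linux. Name what actually gates the destructive write on this path, or move the claim to the Cons list. Scope item 2's detection, `uname -a | grep -i microsoft`, also matches WSL1, where the usbipd-win pass-through does not apply; the check should tell the two apart and bail on WSL1. The biometric API is named `Microsoft.Windows.SecureBiometric` in the limitations table and `Windows.Security.Credentials.UI.UserConsentVerifier` under Path B, and the ISO write is given with `-Encoding Byte` in one place and `-AsByteStream` in another (the first is Windows PowerShell 5.1 syntax, the second PowerShell 6 and later); pick one of each and say which PowerShell version Path B targets.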