Eight new CodeRabbit findings landed on PR #1908 after the
terminology-alignment push. Seven are real; one is a stale re-scan of
an already-fixed item. Fixing the seven in place; the eighth (SKILL.md
fence without language identifier at line 103) is already resolved by
commit 3eda6e7 and needs no action.

Changes:

* backend/account_v2/DESIGN_RULES.md
  - Read first table: principle reference for fail-closed was P8, now
    P5. P8 is "internal vs external surfaces," P5 is "fail closed on
    permission decisions" — R2 is about the second one.
  - R2 Refs: same fix (`principles.md#P8` → `principles.md#P5`).
  - R4 Enforced by: was `not yet enforced — see project issue tracker
    (credential lifecycle)`. The contract requires a concrete tracker
    reference for `not yet enforced`; no real tracker ID exists yet.
    Downgraded to `code review only` (the actual current enforcement
    state) — same move previously applied to workers/shared R3. If a
    real tracker ID ever gets assigned, flip back to the
    `not yet enforced` form with the ID.

* unstract/connectors/DESIGN_RULES.md
  - Read first table: P8 → P5 (same fail-closed fix as account_v2).
  - R4 (Connector errors surface as the framework's exception
    hierarchy): Refs previously pointed at `principles.md#P8`, which
    doesn't fit — R4 is about type-boundary hygiene between driver
    exceptions and the framework exception hierarchy, not about URL
    group / auth middleware separation (which is what P8 actually
    says). No existing principle fits cleanly. Removed the principle
    reference entirely; Refs now points only at `security/standards.md`,
    which is honest about the rule's provenance.

* design-rules/principles.md
  - P1 Implementation row previously named only
    `DefaultOrganizationMixin`, which is only the model mixin (adds
    the FK and auto-populates it on save). The query-time filter is
    provided by `DefaultOrganizationManagerMixin` (a separate manager
    mixin living in the same file — verified in
    backend/utils/models/organization_mixin.py). Updated the row to
    name both classes and explain the split: the model mixin adds the
    FK, the manager mixin filters queries, and together they provide
    auto-scoping for direct-FK models. CodeRabbit's suggestion to
    "reconcile to one name" was based on the incorrect assumption
    that the two names refer to the same class — they don't.

* design-rules/per-component-contract.md
  - Rule format section: softened the overclaim that `validate.sh`
    "checks the field presence" of rule rows. The script does not
    parse rule tables today; it only greps for the Compatibility
    substring, the forbidden-word list, and directory sanity. Reviewers
    are the current enforcement of rule-field presence, with a note
    that a future hardening pass may extend the script.
  - "When to add a per-component file" section: removed the stale
    "`## Known Exceptions` and `## Checklist` sections are still
    required" wording, which contradicted the earlier commit making
    `## Known Exceptions` optional. Now says only `## Checklist` is
    still required, and Known Exceptions is included only when an
    accepted exception exists.
  - Self-update reminder: softened item 2 to describe what
    `validate.sh` actually greps for (Compatibility blockquote
    wording, forbidden-word list) instead of the `## Checklist`
    section header and rule field names (which it does not currently
    grep for).

Not addressed (deliberately):

* SKILL.md line 103 fence language identifier: already fixed in
  commit 3eda6e7 (the fence is `` ```markdown ``, not bare). The
  CodeRabbit finding at 11:22:54Z is a stale re-scan of the
  pre-alignment state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>