Umbrella: merge guard end-to-end + hook contract documentation + governance meta-pattern

[michael-wojcik]

Status (2026-05-11): Phase 1 + 2 + 5 ✅ DONE. Phase 4 tracked as #704. Phase 3 still future work. See status comment for full follow-up linkage.

Why this exists

The merge-guard mechanism has two distinct bugs that prevent it from working end-to-end as designed:

• merge_guard_pre _GH_PR_NUMBER_RE matches wrong digit on heredoc bodies and stderr redirects #665 — merge_guard_pre._GH_PR_NUMBER_RE greedy-quantifier picks the wrong PR number from heredoc-style --body arguments (also broken by trailing 2>&1). Produces "Authorization token exists but does not match this operation" even with a valid token.
• merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676 — merge_guard_post.py reads stdin field tool_output; Claude Code sends tool_response. Authorization tokens have never been written automatically by the post-hook. Every observably-clean PACT merge has gone around the guard (web UI, manual touch, or operator typing gh pr merge outside the hook surface).

Either bug alone breaks merges. Together they make the merge guard a no-op security theater: when it does block, the failure is misleading; when it appears to work, it's because operators learned workarounds.

This umbrella issue bundles Option B — fix both #665 and #676 in a single PR — plus the surrounding gaps that fixing the immediate bugs does NOT address.

Scope

Phase 1 — Pair the two bug fixes (the merge guard works end-to-end) ✅ DONE (PR #697)

• merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676: rename tool_output → tool_response in merge_guard_post.py. Update the test fixtures in test_merge_guard.py. Update the docstring header.
• merge_guard_pre _GH_PR_NUMBER_RE matches wrong digit on heredoc bodies and stderr redirects #665: fix merge_guard_pre._GH_PR_NUMBER_RE greedy-quantifier so it matches the FIRST PR-number-shaped digit sequence after gh pr (or use a stricter parse that locates the subcommand and reads its first positional arg). Add tests covering: heredoc bodies with version numbers, dates, test counts; trailing 2>&1; cross-flag positions.
• merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676 audit cleanup: fix the 4 misleading docstring headers (auditor_reminder.py, file_size_check.py, track_files.py, teachback_check.py) where "tool_output" is in the docstring template but the code only reads tool_input + tool_name.
• task_lifecycle_gate.py:321 — keep the defensive tool_response or tool_output or {} fallback (no harm), add comment explaining WHY + extract to shared extract_tool_response() helper threaded into all 4 PostToolUse hooks (delivered in PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-2 commit e6ae33ee).

After Phase 1: the merge guard works as designed. AskUserQuestion + "Yes, merge" + gh pr merge flow succeeds without manual intervention. ✅ verified in v4.1.8 ship.

Phase 2 — Behavioral-change communication ✅ DONE (PR #697 + v4.1.8 release)

• Release notes call out the behavioral change explicitly. Operators with muscle memory of "just type gh pr merge directly" will hit unexpected denials. (v4.1.8 release notes shipped: https://github.com/Synaptic-Labs-AI/PACT-Plugin/releases/tag/v4.1.8)
• CLAUDE.md memory pins for merge_guard_pre _GH_PR_NUMBER_RE matches wrong digit on heredoc bodies and stderr redirects #665 + merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676 retired (no longer apply post-merge).
• Operator-impact comms in release notes: compound destructive commands cannot be authorized atomically; eval+heredoc combinations denied; canonical token schema; API/curl variants require canonical-form authorization.

Phase 3 — Captured-fixture hardening for ALL hooks ⏳ NOT STARTED

The root cause of #676 is that test_merge_guard.py's 13+ fixtures use tool_output — a fictional shape — and the code matches the fixtures. Synthetic fixtures don't catch platform-shape drift. Only fixtures captured from real Claude Code stdin during actual hook execution will detect when the platform schema changes underneath us.

• Apply the #612 logging-shim pattern (already proven in bootstrap_marker_writer's captured-fixture follow-up Capture real UserPromptSubmit stdin fixture per #664 §8.7 #672) to every PostToolUse hook in pact-plugin/hooks/:
  • merge_guard_post.py
  • wake_lifecycle_emitter.py
  • task_lifecycle_gate.py
  • auditor_reminder.py
  • file_size_check.py
  • track_files.py
  • teachback_check.py
  • file_tracker.py
• Each hook gets a captured-from-production fixture in pact-plugin/tests/fixtures/{hook_name}_stdin.json representing the actual stdin shape Claude Code sends. The #612 shim runs on a separate scratch branch, captures during a fresh-startup PACT session, then is removed.
• Each hook's test suite gets at least one parametrized "fixture-load + dispatch" test that exercises the hook against the captured fixture.
• CI guards: a parametrized integration test over every PostToolUse hook that fails if a hook reads a stdin field that's not in the captured fixture's shape.

This is the only durable defense against the next silent platform-schema drift. Needs separate plan-mode + scratch branches per hook; cannot run inside the same session as the fix.

Phase 4 — Hook contract documentation ⏳ NOT STARTED — tracked as #704

The convention "PostToolUse hooks read tool_response" lives implicitly in wake_lifecycle_emitter.py's docstring. The 4 docstring-drift cases (auditor_reminder.py etc.) all carried the same incorrect template line — proving the convention propagates by template-copying without verification. PR #697 swept the immediate drift but the convention itself still needs canonical documentation.

See #704 for full Phase 4 scope (includes additions surfaced in PR #697: shared extract_tool_response helper pattern, SECURITY/PLANNING_SCAN_PATH_EXCLUDES bootstrap-self-block pattern, strict cross-op match enforcement, deny-compound-destructive pattern, eval+heredoc pre-strip detection).

Phase 5 — Governance / meta-pattern ✅ DONE (audit comment 2026-05-07)

The merge_guard_post bug and the lead-owns-commits violation pattern (#675) and the persona §2 /clear factual error (closed in PR #671) are all instances of the same meta-pattern: rules documented in prose with no mechanical enforcement, where the runtime cost of the violation is invisible to operators until something else surfaces it.

• Inventory current PACT rules that are prose-only (delivered as audit comment 2026-05-07 — categorized 30+ rules into A/B/C/D enforcement-state buckets)
• For each, propose either a test, a hook, or an explicit acceptance test (delivered in audit comment)
• File any net-new mechanical-enforcement issues that fall out of the inventory (C1 + C2 follow-ups recommended; C3 folded into C2)

Cross-references

Closed by PR #697 (Phase 1):

• merge_guard_pre _GH_PR_NUMBER_RE matches wrong digit on heredoc bodies and stderr redirects #665 — merge_guard_pre regex bug. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 commit 73410afb + cycle-1 expansion 04e63dd1.
• merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676 — merge_guard_post field-name bug + audit findings. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 commit b74ec540 + sibling docstring sweep d771af27.

Closed by PR #697 (cycle-2 + cycle-3 security remediation):

• merge_guard: token authorizes cross-op destructive commands (F-1 from #697 review) #699 F-1 cross-operation token-class mismatch. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-3 commit 43640e45 (symmetric WRITE+READ + strict-match).
• merge_guard: extract_context wildcard fails OPEN (F-2 from #697 review) #700 F-2 sparse-context wildcard tokens. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-2 commit e1ba7ea0.
• merge_guard: compound-command bypass — IMPROVED but RESIDUAL multi-match risk (F-3 from #697 review) #701 F-3 compound-command bypass. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-2 commit e1ba7ea0 (was IMPROVED-but-RESIDUAL post-cycle-1, now FULLY CLOSED).
• merge_guard: eval+heredoc strip-pipeline ordering bypass (F-4 from #697 review) #702 F-4 eval+heredoc strip-pipeline ordering. CLOSED via PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-2 commit e1ba7ea0.

Open follow-ups from PR #697 review:

• merge_guard: defense-in-depth gaps inventory (F-8 from #697 review) #703 F-8 defense-in-depth gaps inventory (TRACKING — TTL, actor binding, HMAC, audit log, rate limiting; deferred-by-design under same-user-trust threat model)
• Phase 4: SHARED_CONVENTIONS.md hook contract documentation (deferred from #677 umbrella) #704 Phase 4 SHARED_CONVENTIONS.md hook contract documentation (next umbrella PR)
• Phase B planning-artifacts check needs bootstrap-aware design (deferred from #677 PR #1) #696 Phase B planning-artifacts bootstrap-aware design (deferred from PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 cycle-2; separate from this umbrella's Phase 3/4)
• Make architect HANDOFF surface test-strategy + orchestrator dispatch test-engineer concurrent for comprehensive tests #698 Architect HANDOFF test-strategy field + orchestrator concurrent test-engineer dispatch (PACT planning-process improvement; separate from umbrella)
• Implement hallucination_gate PreToolUse hook (Defense #5 from #685) #705 Defense Create pact-observability-patterns skill #5 hallucination_gate PreToolUse hook (separate; spawned from Defense in depth against hallucinated 'Human:' turns (orchestrator session-integrity hardening) #685; small standalone PR)

Original cross-references (pre-PR #697):

• Capture real UserPromptSubmit stdin fixture per #664 §8.7 #672 — captured-from-production fixture for bootstrap_marker_writer (Phase 3 sets the precedent).
• Doc + ordering invariant: SendMessage-then-TaskUpdate to silence task_lifecycle_gate completion_no_paired_send WARN #674 — SendMessage-then-TaskUpdate ordering invariant for task_lifecycle_gate._has_paired_sendmessage. Phase 5 candidate (covered in audit comment).
• Mechanically enforce lead-owns-commits via PreToolUse Bash hook #675 — mechanically enforce lead-owns-commits via PreToolUse Bash hook. Phase 5 candidate (covered in audit comment).
• PR Hook-driven bootstrap marker write (#664) #671 (merged) — closes Hook-driven bootstrap marker write #664, originated this audit.

Suggested PR sequencing

1. ✅ PR Claude Code: not strictly follow framework #1: Phase 1 + Phase 2. DONE as PR fix(merge-guard): pair #665 + #676 fixes; bump to 4.1.8 (#677 PR #1) #697 → v4.1.8. Original scope expanded mid-flight via 4 cycles of peer-review remediation to also close 6 of 8 security findings (F-1 through F-7 except F-6) — became 14 commits.
2. ⏳ PR feat: Add PACT slash commands and update PACT_Prompt with explicit agent and PR workflows #2: Phase 4 (SHARED_CONVENTIONS.md). NEXT — tracked as Phase 4: SHARED_CONVENTIONS.md hook contract documentation (deferred from #677 umbrella) #704. Zero code change; pure doc.
3. ⏳ PR Validate skill auto-activation with real user tasks #3: Phase 3 (captured fixtures + integration tests). Larger; needs separate scratch branches per hook for capture, then a consolidation PR with all fixtures. This is the biggest scope and deserves its own architecture-phase planning.
4. ✅ Phase 5 delivered as audit comment 2026-05-07. C1 + C2 follow-ups recommended in that comment.

Acceptance for this umbrella

• Phase 1 PR merged; merge guard demonstrably works end-to-end (verified by running gh pr merge after AskUserQuestion + "Yes" without manual token-touching).
• Phase 2 release notes shipped on the version bump (v4.1.8 release: https://github.com/Synaptic-Labs-AI/PACT-Plugin/releases/tag/v4.1.8).
• Phase 3 capture procedure documented and at least the merge_guard_post fixture captured + integration-tested.
• Phase 4 SHARED_CONVENTIONS.md written and pinned. Tracked as Phase 4: SHARED_CONVENTIONS.md hook contract documentation (deferred from #677 umbrella) #704.
• Phase 5 inventory delivered as a comment on this issue with linked follow-up issues.
• Close merge_guard_pre _GH_PR_NUMBER_RE matches wrong digit on heredoc bodies and stderr redirects #665, merge_guard_post reads stdin field 'tool_output'; Claude Code sends 'tool_response' — tokens never written #676 on Phase 1 PR merge.
• Close this umbrella when Phases 3 + 4 land OR explicitly deferred-with-justification.

Out of scope

• Other plugins or external code that may have copied PACT's hook templates. We control PACT; downstream consumers are their own concern.
• Cross-platform Claude Code behavior verification (e.g., does the same bug exist on Linux/Windows? Probably yes since the field name is platform-side, but verifying is out of scope for the immediate fix).
• HMAC / cryptographic upgrades to the merge-guard token (out of scope per the same-user threat model documented in Dispatch-protocol hardening: rename Task→Agent + dispatch_gate + task_lifecycle_gate + bootstrap_gate F24/F25 (#662) #663's pin).

Background

This umbrella was filed during the post-merge investigation following PR #671 (#664 hook-driven bootstrap marker write). The merge-guard bug was discovered when the merge for #671 was blocked even after a textually-perfect AskUserQuestion + affirmative answer. Manual token write salvaged the merge; investigation traced the post-hook field-name mismatch and surfaced the broader docstring drift + the meta-pattern of prose-rules-without-mechanical-enforcement that has been visible in the merge guard, in lead-owns-commits (#675), in the SendMessage-then-TaskUpdate ordering invariant (#674), and in the persona §2 /clear factual error (closed in PR #671).

[michael-wojcik]

Phase 5 audit — governance / meta-pattern inventory

Method: walked the PACT plugin's hook surface (pact-plugin/hooks/*.py), CLAUDE.md pinned context, and per-session memory feedback notes. For each rule, classified by enforcement state. Where the rule is unenforced or partially enforced, proposed mechanical pinning if cheap or deferred-with-reasoning otherwise.

Scope caveat: this is one-session-context audit, not exhaustive line-by-line review. Some "already enforced" classifications below assume the hook does what its docstring + first 40 lines claim; full verification would require reading each hook end-to-end. Items flagged with ⚠️ have the highest uncertainty.

---

Category A — Already mechanically enforced (no action)

Rule	Enforcement surface
Lead-only completion carve-outs (#491, #578)	task_lifecycle_gate.is_self_complete_exempt + writeback path.
Two-call atomic pair (TaskUpdate + paired wake-SendMessage)	task_lifecycle_gate._has_paired_sendmessage advisory check (warns on absence). Note: gate is advisory not deny; intentional under #674 because false-positives from in-batch ordering are common.
Teachback gate task pair (Task A blocks Task B)	task_lifecycle_gate checks teachback tasks have addBlocks=[work_task_id].
{name} SECURITY constraint for Agent dispatch (^[a-z0-9-]+$)	dispatch_gate denies non-conforming names.
Team must exist before Task dispatch	team_guard.py PreToolUse on Task denies dispatch if team config absent.
Bootstrap-complete marker presence + content fingerprint	bootstrap_gate.is_marker_set (gate) + bootstrap_marker_writer.py (producer, post #664).
HANDOFF format on subagent stop	validate_handoff.py SubagentStop hook checks handoff structure.
Pin caps (12 pins, ≤1500 chars)	pin_caps_gate.py PreToolUse on Edit/Write.
Pin staleness flagging	pin_staleness_gate.py.
Worktree boundary for application-code edits	worktree_guard.py PreToolUse on Edit/Write blocks edits outside the active worktree (when PACT_WORKTREE_PATH env var is set).
No credentials/secrets at git commit time (SACROSANCT 1)	git_commit_check.py PreToolUse scans staged files.
No frontend credential exposure / backend proxy pattern (SACROSANCT 2)	git_commit_check.py same hook.
hookEventName on every hook emit	AST-walk schema compliance test at pact-plugin/tests/test_hook_schema_compliance.py (PR #660 Future #3).
Workflows auto-invoke worktree-setup	Skill body of /PACT:orchestrate auto-invokes; orchestrator can't double-dispatch.
AskUserQuestion required for irreversible ops	merge_guard_pre.py (currently broken end-to-end per #665 + #676 — Phase 1 of this umbrella fixes it).
No broadcast addressing in SendMessage ⚠️	pact-plugin/tests/test_no_broadcast_addressing.py — assumed passing; not verified line-by-line in this audit.

Category B — Partially enforced (cheap tightening proposed)

Rule	Current state	Proposed enforcement	Cost
Lead-owns-commits (#675 already filed)	Prose-only in CLAUDE.md feedback memory + dispatch templates. PR #671 demonstrated 5 violations in one cycle.	PreToolUse hook on Bash matching git commit / git push / git stash / branch-mutation ops; deny when actor session is not the team-lead session (per leadSessionId in team config).	Small — #675 already scoped; lifts directly into Phase 5 PR.
No planning artifacts in committed repo (CLAUDE.md pin)	Prose-only. Audit command exists: rg -nE '\bF[0-9]+\b|Sketch [A-Z]|architect §' <repo>/.	Wire the audit regex into git_commit_check.py as a soft-warn (or block via PreToolUse) on staged files containing F-row labels / sketch IDs / architect §refs. Excludes commit-message footers (Closes #N).	Small — single regex addition to existing hook.
Plugin version 4-file dance (auto-memory)	Prose-only. Failure mode: version bump lands partial, drifts between plugin.json / marketplace.json / README.md / pact-plugin/README.md.	PreToolUse hook on Edit (matcher: /plugin\.json$|/marketplace\.json$|/README\.md$/) that compares the version field across the 4 files post-edit and warns/blocks on mismatch.	Small.
Tag + release after every plugin-version bump (CLAUDE.md pin from #663)	Prose-only. Failure mode: version bump lands without GitHub release; users can't see what changed without trawling commits.	Post-merge GitHub Actions workflow that detects plugin.json version bumps in the merge diff and blocks if no matching v{version} tag exists within N hours.	Medium — needs CI workflow + tag-detection logic.
Captured-from-production fixture for new hooks (architect §8.7 from #664; now Phase 3 of this umbrella)	Prose-only in architect doc. The #676 bug surfaced precisely because synthetic fixtures matched the broken code.	Phase 3 of this umbrella applies the #612 logging-shim pattern to all 8 PostToolUse hooks. After Phase 3: a CI test refuses any new hook merge that lacks a captured fixture.	Larger — Phase 3 itself.
SendMessage-then-TaskUpdate ordering (#674 already filed)	CLAUDE.md pin + task_lifecycle_gate advisory WARN. Order-violation produces noise, not block.	Phase 4 (SHARED_CONVENTIONS.md) names the invariant explicitly. Optional: gate could shift WARN → DENY if the in-batch race rate becomes a problem; intentionally deferred since false-positives are real.	Phase 4 captures; no additional code beyond doc.

Category C — Not enforced; cheap to enforce; propose new follow-up issues

#	Rule	Proposed mechanism	New issue?
C1	Persona / agent-doc cross-references resolve at write-time (e.g., session_init._clear_bootstrap_marker symbol references in persona §2 must point at extant code).	Lint pass over agents/*.md + protocols/*.md extracting \bsession_init\.\w+|, _clear_\w+, :LINE_NUM references and verifying each resolves. Run in CI on PR.	Yes — file as new issue if you want this. The _clear_bootstrap_marker test from PR #671 is the per-symbol case; this generalizes. Cost: medium.
C2	Worktree-artifact preservation before remove (auto-memory: lost the hallucination-mitigation audit report 2026-03-12)	PreToolUse hook on Bash matching git worktree remove that checks for unstaged work in the target worktree and denies with a clear advisory.	Yes — file as new issue. Cost: small. The user has explicitly lost work to this; mechanical enforcement is high-value.
C3	CWD persistence between Bash calls when removing worktrees (auto-memory)	Could detect chained git worktree remove after cd <worktree> in command history, but that's heuristic. Likely better solved by C2 above (the block-on-unstaged-work catches the failure mode that motivates the rule).	No new issue — fold into C2's design.

Category D — Not enforced; intentionally deferred (prose-only is acceptable)

Rule	Why deferred
Hooks not smoke-testable in-session (CLAUDE.md pin).	Discipline rule for plan-writers; no clean static signal. The cost-of-failure (smoke test "passes" against old hook code → false confidence) is real but caught by post-merge fresh-session validation, which is itself a discipline rule. Mechanical enforcement would require detecting "smoke-test"-shaped strings in plan-doc verification checklists; noisy and fragile. Accept prose-only.
Agent-reader-primary axiom (CLAUDE.md pin, foundational).	"Edits center the agent-reader" is too abstract for a static check. Specific failures (e.g., persona §2 /clear factual error in PR #671) get pinned per-claim via regression tests. The general axiom must remain a review-time judgment call. Accept prose-only with case-specific enforcement (C1 above is one such case).
Don't fabricate Human turns (auto-memory feedback, SACROSANCT).	Model-side discipline rule. PACT can't enforce it from the plugin layer; requires agent-side compliance. The pin + persona body's pre-commitment paragraph are the available levers. Accept prose-only.
Use PACT workflows, not direct Agent dispatch (auto-memory feedback).	Mechanical enforcement would block ad-hoc Agent calls outside /PACT:orchestrate / /PACT:comPACT workflows — but the orchestrator legitimately calls Agent for research / Explore agents, and the Plan agent during plan-mode. A hook that catches "non-workflow Agent dispatch" would need workflow-state awareness, which isn't trivially available at PreToolUse time. Accept prose-only; revisit if drift continues.
HALT signal lead-side fan-out (persona body §11).	Intentional design: lead must iterate by-name through in-progress teammates. The lack of broadcast addressing is the categorical correct shape; mechanizing the iteration would re-introduce broadcast semantics by the back door. Accept prose-only; the persona's Lead-Side HALT Fan-Out example is the canonical pattern.
Pre-commitment paragraph in pact-orchestrator.md (L14) + scope-boundary clause (L16).	These are persona-self-discipline rules that can't be hook-enforced — they govern how the orchestrator interprets its own input stream, not what tools it calls. Empirical validation runbook (#664 Section 4 lazy-load fidelity) is the existing check. Accept prose-only.

---

Summary

State	Count
Already enforced (Category A)	16
Partially enforced (Category B)	6
Cheap to enforce; new issues recommended (Category C)	2 (C1 + C2; C3 folds into C2)
Intentionally prose-only (Category D)	6

Net work falling out of this audit:

• Two new follow-up issues (C1 persona-cross-reference linting; C2 worktree-remove unstaged-work guard). These are independent of Umbrella: merge guard end-to-end + hook contract documentation + governance meta-pattern #677's existing phases and could ship in any order.
• One enhancement to git_commit_check.py (B: planning-artifacts regex). Could fold into Phase 1 of Umbrella: merge guard end-to-end + hook contract documentation + governance meta-pattern #677 if scope permits, since it touches the same hook family.
• One CI workflow (B: tag+release after version bump). Independent; could ship as its own small PR or fold into Phase 4 PR alongside SHARED_CONVENTIONS.md.

Closing the umbrella: when Phase 1 + 2 + 3 + 4 are done and Category C net-work is filed (or explicitly deferred), Phase 5's deliverable here is complete and the umbrella can close.

Open questions for the umbrella owner

1. Should the planning-artifacts regex (Category B row 2) ship in Phase 1's PR or its own? Lean: fold into Phase 1 since it's a small addition to a hook the Phase 1 PR is already touching contextually (security_check sibling).
2. Should the tag+release CI workflow (Category B row 4) live in .github/workflows/ or be enforced via hook? Lean: GitHub Actions workflow — post-merge automation is the right surface for "did the release land?" questions.
3. Does C1 (persona cross-reference linting) deserve its own follow-up issue now or after Phase 4's SHARED_CONVENTIONS.md lands? Lean: after Phase 4, since the doc would specify which symbols/line-numbers/file-paths are valid cross-reference targets.

Tagging back to the umbrella's acceptance: this Phase 5 deliverable resolves the umbrella's last open phase. The user can review, accept, and (optionally) close #677 once Phase 1 + 4 land. Phase 3 should remain open as a tracked-but-deferred item.