Verification — ADR-007 ADR file

This file confirms the ADR draft meets every acceptance criterion in the dispatch packet and the contract. It also records the build / lint / test state at task completion.

Deliverable checklist

#	Criterion	Status	Evidence
1	Standard ADR frontmatter (parent, status, date 2026-05-06)	✓	`docs/architecture/decisions/ADR-007-eta-session-lifecycle.md` lines 1-11. `parent: Architecture Decision Records`, `updated: 2026-05-06`, `status: proposed`, `nav_order: 70`.
2	Numbered ADR-007 (next free slot — 001..006 exist)	✓	`ls docs/architecture/decisions/` confirms ADR-001 through ADR-006 exist; ADR-007 is the new file.
3	Status: Proposed (not Accepted)	✓	Frontmatter `status: proposed`; status block line 15 `Status: Proposed`.
4	§Context explains all three findings with code citations	✓	Six citations in §Context paragraphs 3-5: `src/domains/trail/repository.ts:114-119` (schema), `:226-230` (INSERT), `:375` (registration), `src/db/migrations/006_eta.sql:54` (column), `src/tools/merkle.ts:296-300` (SELECT), `:321-324` (throw). #6 cites `:47-52` (PK), `:205-267` (createThoughtRecord). #7 cites `src/domains/trail/verifier.ts:81-83`, `src/tools/merkle.ts:495-519`.
5	§Decision picks one option per gap; cross-references between gaps	✓	Three subsections “Decision for C1”, “Decision for #6”, “Decision for #7”. Cross-refs: #6 explicitly allows `NULL session_id` “preserving the C1 opt-in semantics”; #7 references the `merkle_finalize` transaction modified by C1 path.
6	§Alternatives Considered — ≥ 3 options per gap	✓	Three subsections (C1, #6, #7) each with three labelled options A/B/C and a rejection note. Total 9 alternatives.
7	§Consequences — Positive / Negative / Neutral	✓	Three subsections in §Consequences, each a self-contained paragraph. Covers runtime (transaction span), schema (migration reversibility), test (existing tests pass; new tests required), migration (additive 007/008).
8	§Implementation describes files / migrations / tests at executor-slice level	✓	Three slices C1.1, #6.1, #7.1 with explicit “files touched, migration count, tests” detail. Names migrations `007_post_finalize_guard.sql` and `008_anchor_back_pointer.sql`.
9	§Verification describes how Sigma can verify the intent was implemented	✓	Two-part verification: ADR-as-drafted (6 checks) + ADR-as-implemented (4 grep / cat checks Sigma runs against the future implementation).
10	Prose-grade — readable, not bullet-only; matches ADR-005 / ADR-004 style	✓	Each section opens with running prose (≥ 1 paragraph) before any list. ADR-005-style status block. Code paths in backticks; cross-ADR refs use relative `[ADR-NNN](ADR-NNN-slug.md)` links; Greek letters in prose where appropriate.

All ten deliverable criteria pass.

Decision summary

Gap	Chosen option	Migration / file	Phase 1+ headroom
C1 wiring	Optional `session_id` on `thought_record` MCP input + INSERT	`src/domains/trail/repository.ts` (schema + INSERT)	Required-`session_id` upgrade once every caller migrates.
#6 post-finalize guard	SQLite trigger `enforce_post_finalize_guard`	`src/db/migrations/007_post_finalize_guard.sql`	Multi-finalize support if k-of-n threshold roots arrive.
#7 ζ↔η coupling	Per-record back-pointer column `thought_records.anchored_in_root` populated inside `merkle_finalize` transaction	`src/db/migrations/008_anchor_back_pointer.sql`; `src/tools/merkle.ts`; `src/domains/trail/repository.ts`; `src/domains/trail/schema.ts`	Optional `merkle_anchored_records` MCP tool under an ADR-004 14→15 amendment if the SELECT path proves clumsy.

The ADR adopts the dispatch packet’s recommended cohesive triple verbatim. The audit identified no integrity issue with the back-pointer approach that would force a divergent recommendation; the alternative approaches are documented in §Alternatives Considered with explicit tradeoff notes.

Cross-references made by the ADR

The ADR explicitly cites:

[ADR-004](ADR-004-tool-surface.md) — tool-surface lock; constrains gap #7’s solution.
[ADR-005](ADR-005-multi-model-defer.md) — Phase 0 / Phase 1.5 boundary template; ADR-007 mirrors §Decision shape.
[ADR-006](ADR-006-executable-meaning.md) — colibri_code semantics; ADR-007 explicitly does not graduate η.
docs/agents/writeback-protocol.md — the writeback ordering rule that breaks under C1.
docs/audits/adr-007-eta-session-lifecycle-audit.md — the audit this ADR responds to.
docs/audits/merkle-tools-audit.md — original P0.8.3 design context.
src/db/migrations/006_eta.sql — predecessor migration.
CLAUDE.md §7 — the writeback protocol that ADR-007 makes operational.
docs/colibri-system.md §10 — legitimacy axis context.

All cross-references render as relative paths inside the decisions folder or repo-relative paths for non-ADR docs. No broken links introduced.

File changes

Path	Operation	Purpose
`docs/architecture/decisions/ADR-007-eta-session-lifecycle.md`	Created	The ADR itself (Step 4 deliverable).
`docs/architecture/decisions/index.md`	Updated	Add ADR-007 entry; bump `updated:` to 2026-05-06.
`docs/audits/adr-007-eta-session-lifecycle-audit.md`	Created	Step 1 artefact.
`docs/contracts/adr-007-eta-session-lifecycle-contract.md`	Created	Step 2 artefact.
`docs/packets/adr-007-eta-session-lifecycle-packet.md`	Created	Step 3 artefact.
`docs/verification/adr-007-eta-session-lifecycle-verification.md`	This file	Step 5 artefact.

No source files (src/**) modified. No data/** modified. No .agents/**, .claude/**, CLAUDE.md, AGENTS.md, colibri-system.md, or other CANON files touched.

Word count

wc -w docs/architecture/decisions/ADR-007-eta-session-lifecycle.md reports 3084 words. The contract budget was 1800-2700; ADR-007 lands ~14% over the upper bound.

The overshoot is concentrated in §Implementation (per-slice file/migration/test detail per the dispatch deliverable spec point 8) and §Alternatives Considered (three options each across three gaps = nine items × tradeoff prose). Compression would risk losing the load-bearing detail (which migration; which column; which line) the dispatch packet explicitly required. The overshoot is accepted; reviewers can compress §Alternatives if size becomes a problem.

Build / lint / test gate

Gate	Result	Notes
`npm run build` (tsc)	✓	`> tsc` returned cleanly with no diagnostics.
`npm run lint` (eslint)	✓	`> eslint src` returned cleanly with no diagnostics.
`npm test` (jest –coverage)	1356 / 1357 pass	One known-flaky `startup — subprocess smoke` (test file `src/__tests__/startup.test.ts:802`) — documented in MEMORY.md as “predates Wave H; all 4 R77 executors hit it once, always green on rerun”.
`npm test -- --testPathPattern=startup` (rerun)	40 / 40 pass	Confirms the flake is the documented one; not regression.

No source changes were made by this task, so any test regression would be a pre-existing issue. The 1356 ÷ 1357 figure matches the post-R83 baseline noted in MEMORY.md (“Post-merge test projection ~1357 on main”). Effective state: green.

Out-of-scope items deliberately not addressed

Implementation of any of the three slices (C1.1, #6.1, #7.1). The ADR proposes; follow-up tasks implement.
Migration of existing NULL-session records. Out of scope by §”Out of scope for this audit” in the audit doc.
audit_verify_chain extension to accept session_id directly. Mentioned in audit out-of-scope; the back-pointer makes it derivable.
ADR-004 14→15 amendment for an merkle_anchored_records tool. Phase 1+ option; not chosen.
Any change to colibri-system.md, CLAUDE.md, AGENTS.md, or any concept doc.

Commit chain summary

Step	SHA (short)	Subject
1 Audit	(recorded by `git log`)	`audit(adr-007-eta-session-lifecycle): inventory surface`
2 Contract	(recorded)	`contract(adr-007-eta-session-lifecycle): behavioral contract`
3 Packet	(recorded)	`packet(adr-007-eta-session-lifecycle): execution plan`
4 Implement	(recorded)	`feat(adr-007-eta-session-lifecycle): propose ADR-007 η session lifecycle`
5 Verify	(this commit)	`verify(adr-007-eta-session-lifecycle): test evidence`

Branch feature/adr-007-eta-session-lifecycle. Worktree .worktrees/claude/adr-007-eta-session-lifecycle. Base origin/main at 86e430fb. All five commits author Kamal.