fix(ai): correct stale role-hierarchy and file-listing claims

Codex review of the dual-agent handoff migration flagged factual errors
carried over verbatim from the pre-migration CLAUDE.md. All claims
verified against the live code before correction.

PROJECT_CONTEXT.md — SaaS shape:
- Role hierarchy was `super_admin > team_admin > engineer > viewer`,
  but `backend/app/core/permissions.py:4` and
  `frontend/src/hooks/usePermissions.ts:4` both define it as
  `super_admin > owner > engineer > viewer`. The `team_admin` concept
  exists separately as an orthogonal team-scoped gate
  (`require_team_admin`, `is_team_admin=True` + valid `team_id`), not
  a level in the primary hierarchy.
- Dep list was missing `require_account_owner` and `require_team_admin`,
  both present in `backend/app/api/deps.py`.

PROJECT_CONTEXT.md — directory tree:
- `api/endpoints/` comment listed 11 routers; `api/router.py` actually
  registers 50+. Replaced with a summary that points at `router.py` as
  the source of truth instead of trying to maintain a freezing list.
- `services/psa/` comment omitted `exceptions.py` and `ticket_context.py`,
  both present in the directory.

CURRENT_TASK.md + TODO.md:
- Replaced `<!-- EXAMPLE -->` placeholders with clearer empty-state
  sentinels so a resume agent sees "no real task yet" at a glance
  rather than placeholder acceptance criteria that look unresolved.

SESSION_LOG.md updated with a follow-up bullet documenting this pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 15:09:22 -04:00
parent bee8690056
commit 9c8ba296a8
4 changed files with 26 additions and 15 deletions

View File

@@ -1,23 +1,33 @@
# CURRENT_TASK.md
<!-- EXAMPLE — replace on first real task -->
**Task:** One-sentence goal describing what this task accomplishes.
**Task:** none — replace this file when starting the next real task.
**Status:** not-started
**Definition of Done:** n/a
**Assumptions:** n/a
**Out of scope:** n/a
---
<!-- When you start a real task, replace the block above with:
**Task:** One-sentence goal.
**Status:** not-started | in-progress | blocked | ready-for-review | complete
**Definition of Done:**
- [ ] Testable criterion 1 (e.g., "endpoint returns 200 with expected payload shape")
- [ ] Testable criterion 2 (e.g., "frontend displays new field without layout regression")
- [ ] Testable criterion 1
- [ ] Testable criterion 2
- [ ] Tests added or updated
- [ ] `npm run build` passes (frontend) / `pytest` passes (backend)
**Assumptions:**
- What we're treating as given (e.g., "existing auth middleware handles this case")
- Constraints inherited from surrounding work
- What we're treating as given
**Out of scope:**
- What this task explicitly does NOT cover (prevents scope creep across handoffs)
- Adjacent work that belongs in a separate task
- What this task explicitly does NOT cover
<!-- END EXAMPLE -->
-->
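Review bot: the new empty-state block keeps `**Status:** not-started` and `**Definition of Done:** n/a`, which is exactly what a real but unstarted task would look like, so a resume agent still has to read the `**Task:**` sentence to learn there is no task; consider a status value that cannot collide with the real enum (for example `**Status:** none`) so the empty state is unambiguous at a glance. Separately, the template moved into the HTML comment drops the `(e.g., "endpoint returns 200 with expected payload shape")` hints and the `(prevents scope creep across handoffs)` rationale that were in the old seed; those were the guidance that made the criteria concrete, and keeping them inside the comment costs nothing.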

View File

@@ -14,7 +14,7 @@ Canonical product name is **ResolutionFlow**. `patherly` is the legacy internal
## SaaS shape
Multi-tenant by account. Roles: `super_admin` > `team_admin` > `engineer` > `viewer`. Team admin = `role='engineer'` + `is_team_admin=True` + valid `team_id`. Never `role=='admin'` — use `is_super_admin`. Backend deps in `app/api/deps.py`: `get_current_active_user`, `require_engineer_or_admin`, `require_admin`. Frontend: `usePermissions()` hook. Central logic in `backend/app/core/permissions.py` + `frontend/src/hooks/usePermissions.ts`.
Multi-tenant by account. Primary role hierarchy: `super_admin` > `owner` > `engineer` > `viewer` — driven by `is_super_admin` + `account_role`. Never `role=='admin'` — use `is_super_admin`. Separate team-scoped admin gate exists orthogonally to the role hierarchy: `is_team_admin=True` + valid `team_id`, enforced by `require_team_admin`. Backend deps in `app/api/deps.py`: `get_current_active_user`, `require_engineer_or_admin`, `require_admin`, `require_account_owner`, `require_team_admin`. Frontend: `usePermissions()` hook. Central logic in `backend/app/core/permissions.py` + `frontend/src/hooks/usePermissions.ts`.
---
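Review bot: the removed sentence was the only place that stated the team-admin gate requires `role='engineer'` in addition to `is_team_admin=True` + valid `team_id`; the replacement describes `require_team_admin` without that role prerequisite. If the role requirement still holds, it should stay in the paragraph (an under-specified permission gate is the same kind of stale claim this commit is fixing); if it no longer holds, say so explicitly so a reader does not assume the old definition. Also, the paragraph now introduces `account_role` as the field driving the hierarchy while the warning still reads `Never role=='admin'`; naming the field the warning actually refers to would avoid two apparent role attributes.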
@@ -39,13 +39,13 @@ resolutionflow/
├── backend/
│ ├── app/
│ │ ├── main.py # FastAPI entry
│ │ ├── api/endpoints/ # auth, trees, sessions, admin, steps, survey, copilot, assistant_chat, integrations, flow_proposals, flowpilot_analytics
│ │ ├── api/endpoints/ # 50+ routers registered in api/router.py — auth/admin, trees/sessions, AI/chat, scripts, integrations, uploads, accounts, FlowPilot, etc.
│ │ ├── api/deps.py # auth deps (incl. require_team_admin)
│ │ ├── api/router.py # registration
│ │ ├── core/ # config, database, permissions, security, audit, rate_limit
│ │ ├── models/ # SQLAlchemy (incl. FlowProposal)
│ │ ├── schemas/ # Pydantic
│ │ ├── services/psa/ # PSA provider pattern (base, connectwise/, autotask/, halopsa/, cache, encryption, registry, types)
│ │ ├── services/psa/ # PSA provider pattern (base, connectwise/, autotask/, halopsa/, cache, encryption, exceptions, registry, ticket_context, types)
│ │ ├── services/knowledge_flywheel.py + _scheduler.py
│ │ └── services/knowledge_gap_service.py
│ ├── alembic/versions/ # 001-070 sequential, then hex hash
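Review bot: the `api/endpoints/` comment already names `api/router.py` as the source of truth, so the `50+` count is redundant and will go stale the same way the old list of 11 did; drop the number and keep only the category summary. The `api/deps.py` comment says `(incl. require_team_admin)` but the SaaS-shape hunk in this same commit also adds `require_account_owner` to the deps list; either name both or, more simply, point at `deps.py` without an inclusion list.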

View File

@@ -19,3 +19,4 @@
- Deleted legacy `SESSION-HANDOFF.md` (superseded).
- Left for next session: first real feature task should replace the seed `CURRENT_TASK.md` and update `HANDOFF.md` with real resume state.
- Files touched: `.ai/*.md` (created), `CLAUDE.md` (rewritten), `AGENTS.md` (created), `SESSION-HANDOFF.md` (deleted).
- Follow-up (same day): Codex review pass flagged stale SaaS-role claim and incomplete file-listings carried over from the pre-migration CLAUDE.md. Verified against `backend/app/core/permissions.py`, `frontend/src/hooks/usePermissions.ts`, `backend/app/api/deps.py`, `backend/app/api/router.py`, and `backend/app/services/psa/`. Corrected PROJECT_CONTEXT.md role hierarchy (`super_admin > owner > engineer > viewer`, not `team_admin`), added `require_account_owner` / `require_team_admin` to deps list, replaced stale endpoint comment with a summary pointing at `api/router.py`, added `exceptions.py` + `ticket_context.py` to the PSA file list. Also replaced seed-example content in `CURRENT_TASK.md` and `TODO.md` with clearer empty-state sentinels.
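Review bot: the follow-up bullet is a single line of roughly a hundred words that repeats the commit message verbatim, so any later correction to one item produces a diff touching the whole entry; split it into sub-bullets per file (permissions claim, deps list, endpoint comment, PSA listing, seed sentinels) in the style of the surrounding entries, and replace "same day" with the actual date so the log entry stays meaningful once it is no longer adjacent to the original.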

View File

@@ -5,8 +5,8 @@
## Up next
- [ ] (seed entry — replace with real next-up items)
- [ ] No queued backlog yet.
## Backlog
- [ ] (seed entry — replace with real backlog items)
- [ ] No queued backlog yet.
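Review bot: both sections now carry the identical sentinel `- [ ] No queued backlog yet.`, so the "Up next" placeholder says "backlog" and nothing distinguishes the two empty states in a grep or a quick read; use section-specific wording (for example "No next-up items yet" under Up next). The sentinel is also formatted as an open checkbox, which any tooling or agent that counts `- [ ]` items will treat as a pending task; a plain sentence or an italic note avoids that misreading.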