diff --git a/.ai/CURRENT_TASK.md b/.ai/CURRENT_TASK.md index f70cc983..d9e5ac68 100644 --- a/.ai/CURRENT_TASK.md +++ b/.ai/CURRENT_TASK.md @@ -1,23 +1,33 @@ # CURRENT_TASK.md - - -**Task:** One-sentence goal describing what this task accomplishes. +**Task:** none — replace this file when starting the next real task. **Status:** not-started +**Definition of Done:** n/a + +**Assumptions:** n/a + +**Out of scope:** n/a + +--- + + +--> diff --git a/.ai/PROJECT_CONTEXT.md b/.ai/PROJECT_CONTEXT.md index 578cb065..f6ea2946 100644 --- a/.ai/PROJECT_CONTEXT.md +++ b/.ai/PROJECT_CONTEXT.md @@ -14,7 +14,7 @@ Canonical product name is **ResolutionFlow**. `patherly` is the legacy internal ## SaaS shape -Multi-tenant by account. Roles: `super_admin` > `team_admin` > `engineer` > `viewer`. Team admin = `role='engineer'` + `is_team_admin=True` + valid `team_id`. Never `role=='admin'` — use `is_super_admin`. Backend deps in `app/api/deps.py`: `get_current_active_user`, `require_engineer_or_admin`, `require_admin`. Frontend: `usePermissions()` hook. Central logic in `backend/app/core/permissions.py` + `frontend/src/hooks/usePermissions.ts`. +Multi-tenant by account. Primary role hierarchy: `super_admin` > `owner` > `engineer` > `viewer` — driven by `is_super_admin` + `account_role`. Never `role=='admin'` — use `is_super_admin`. Separate team-scoped admin gate exists orthogonally to the role hierarchy: `is_team_admin=True` + valid `team_id`, enforced by `require_team_admin`. Backend deps in `app/api/deps.py`: `get_current_active_user`, `require_engineer_or_admin`, `require_admin`, `require_account_owner`, `require_team_admin`. Frontend: `usePermissions()` hook. Central logic in `backend/app/core/permissions.py` + `frontend/src/hooks/usePermissions.ts`. --- 
@@ -39,13 +39,13 @@ resolutionflow/ ├── backend/ │ ├── app/ │ │ ├── main.py # FastAPI entry -│ │ ├── api/endpoints/ # auth, trees, sessions, admin, steps, survey, copilot, assistant_chat, integrations, flow_proposals, flowpilot_analytics +│ │ ├── api/endpoints/ # 50+ routers registered in api/router.py — auth/admin, trees/sessions, AI/chat, scripts, integrations, uploads, accounts, FlowPilot, etc. │ │ ├── api/deps.py # auth deps (incl. require_team_admin) │ │ ├── api/router.py # registration │ │ ├── core/ # config, database, permissions, security, audit, rate_limit │ │ ├── models/ # SQLAlchemy (incl. FlowProposal) │ │ ├── schemas/ # Pydantic -│ │ ├── services/psa/ # PSA provider pattern (base, connectwise/, autotask/, halopsa/, cache, encryption, registry, types) +│ │ ├── services/psa/ # PSA provider pattern (base, connectwise/, autotask/, halopsa/, cache, encryption, exceptions, registry, ticket_context, types) │ │ ├── services/knowledge_flywheel.py + _scheduler.py │ │ └── services/knowledge_gap_service.py │ ├── alembic/versions/ # 001-070 sequential, then hex hash diff --git a/.ai/SESSION_LOG.md b/.ai/SESSION_LOG.md index c8c4bcd2..5c37fa04 100644 --- a/.ai/SESSION_LOG.md +++ b/.ai/SESSION_LOG.md 
@@ -19,3 +19,4 @@ - Deleted legacy `SESSION-HANDOFF.md` (superseded). - Left for next session: first real feature task should replace the seed `CURRENT_TASK.md` and update `HANDOFF.md` with real resume state. - Files touched: `.ai/*.md` (created), `CLAUDE.md` (rewritten), `AGENTS.md` (created), `SESSION-HANDOFF.md` (deleted). +- Follow-up (same day): Codex review pass flagged stale SaaS-role claim and incomplete file-listings carried over from the pre-migration CLAUDE.md. Verified against `backend/app/core/permissions.py`, `frontend/src/hooks/usePermissions.ts`, `backend/app/api/deps.py`, `backend/app/api/router.py`, and `backend/app/services/psa/`. Corrected PROJECT_CONTEXT.md role hierarchy (`super_admin > owner > engineer > viewer`, not `team_admin`), added `require_account_owner` / `require_team_admin` to deps list, replaced stale endpoint comment with a summary pointing at `api/router.py`, added `exceptions.py` + `ticket_context.py` to the PSA file list. Also replaced seed-example content in `CURRENT_TASK.md` and `TODO.md` with clearer empty-state sentinels. diff --git a/.ai/TODO.md b/.ai/TODO.md index 44656980..38730ced 100644 --- a/.ai/TODO.md +++ b/.ai/TODO.md @@ -5,8 +5,8 @@ ## Up next -- [ ] (seed entry — replace with real next-up items) +- [ ] No queued backlog yet. ## Backlog -- [ ] (seed entry — replace with real backlog items) +- [ ] No queued backlog yet.
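Review bot: In `.ai/CURRENT_TASK.md`, the new sentinel keeps `**Status:** not-started` beside a task of "none", so anything that reads the status field sees a pending task that does not exist. Consider a value such as `n/a`, matching the other added fields. The hunk also adds a closing `-->` with no opening `<!--` visible among the added lines in this rendering; check that the comment is balanced in the file so the template text is not read as live content.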
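Review bot: In the `## SaaS shape` line of `.ai/PROJECT_CONTEXT.md`, the old wording required `role='engineer'` for a team admin, while the new wording reduces the gate to `is_team_admin=True` + valid `team_id`. State whether `require_team_admin` still checks the role, because as documented a `viewer` with the flag set would appear to pass. The line also lists five deps without saying which level each one enforces; a short mapping (for example, which flag `require_admin` tests, given the rule against `role=='admin'`) would keep readers from guessing when they pick a dependency for a new endpoint.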
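Review bot: In the directory-tree hunk of `.ai/PROJECT_CONTEXT.md`, the unchanged `api/deps.py` comment still reads `auth deps (incl. require_team_admin)`, while the SaaS-shape line now also names `require_account_owner`. Update it or drop the parenthetical so the two lists cannot diverge. The "50+ routers" figure in the `api/endpoints/` comment will go stale the same way the old explicit list did; pointing at `api/router.py` without a number is enough.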
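Review bot: In `.ai/TODO.md`, both sentinels are unchecked checkboxes (`- [ ] No queued backlog yet.`), which a checkbox parser or an agent scanning for open items will count as two pending tasks. Use a plain line without `- [ ]`, and give "Up next" its own wording, since it currently says "backlog" as well.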