Test fixes and some product advisory tune-ups

This commit is contained in:
master
2026-01-30 07:57:43 +02:00
parent 644887997c
commit 55744f6a39
345 changed files with 26290 additions and 2267 deletions


@@ -103,6 +103,16 @@ Whenever a new dependency, container image, tool, or vendored asset is added:
- If compatibility is unclear, mark the sprint task `BLOCKED` and record the
risk in `Decisions & Risks`.
### 2.7 Web tool policy (security constraint)
AI agents with web access (WebFetch, WebSearch, or similar) must follow these rules:
1. **Default: no external web fetching** Prefer local docs (`docs/**`), codebase search, and existing fixtures. External fetches introduce prompt-injection risk, non-determinism, and violate the offline-first posture.
2. **Exception: user-initiated only** Web fetches are permitted only when the user explicitly requests external research (e.g., "search for CVE details", "fetch the upstream RFC"). Never fetch proactively.
3. **Never fetch external code or configs** Do not pull code snippets, dependencies, templates, or configuration examples from the internet. This bypasses SBOM/attestation controls and supply-chain integrity.
4. **Audit trail** If a web fetch occurs during implementation work, log the URL and purpose in the sprint `Decisions & Risks` section so the action is auditable.
Rationale: Stella Ops is an offline/air-gap-first platform with strong supply-chain integrity guarantees. Autonomous agents must not introduce external content that could compromise determinism, inject adversarial prompts, or exfiltrate context.
---
## 3) Advisory handling (deterministic workflow)
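Review bot: rules 2 and 3 in the new 2.7 section conflict when a user explicitly asks the agent to fetch a code snippet or config example: rule 2 permits any fetch "when the user explicitly requests external research" while rule 3 says "Never fetch external code or configs", and nothing states which one wins. Make rule 3 an explicit override (for example "Never fetch external code or configs, even when the user requests it; ask the user to paste it or bring it in through the normal dependency/SBOM process") or scope rule 2 to research material such as advisories, RFCs and documentation, subject to rule 3. Two smaller points: the bold labels run straight into the sentence ("**Default: no external web fetching** Prefer local docs"), so end each label with a colon or period; and rule 4's audit trail (URL and purpose only) does not let a later reviewer reproduce what the agent actually saw, so consider also recording a content hash or committing the fetched text under `docs/**`, which rule 1 already names as the preferred local source.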
@@ -203,10 +213,10 @@ If a module-local AGENTS.md is missing or contradicts current architecture/sprin
All sprint files must converge to this structure (preserve content if you are normalizing):
```md
# Sprint <ID> <20> <Stream/Topic>
# Sprint <ID> <20> <Stream/Topic>
## Topic & Scope
- 2<>4 bullets describing outcomes and why now.
- 2<>4 bullets describing outcomes and why now.
- Working directory: `<path>`.
- Expected evidence: tests, docs, artifacts.
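Review bot: the changed lines in this hunk (`# Sprint <ID> <20> <Stream/Topic>` and `- 2<>4 bullets describing outcomes and why now.`) render identically before and after, so the only difference is a non-ASCII dash or similar byte that this view shows as `<20>` / `<>`. In a template that "All sprint files must converge to", a character that displays as mojibake works against the normalization the paragraph asks for; replace it with an ASCII hyphen (`# Sprint <ID> - <Stream/Topic>`, `- 2-4 bullets ...`) and consider a lint or editorconfig rule that rejects non-ASCII punctuation inside the template block so the same drift does not come back.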