Why: tier rules forbidding @PRE/@POST on C2 cause agents to either
remove useful documentation or generate audit noise. Both outcomes are
worse than having slightly richer metadata.
Changed:
- Tier table in all 4 agent prompts: removed 'Forbidden' column,
replaced with 'descriptive signal, NOT gatekeeper'
- All tags (@PRE/@POST/@RATIONALE/@REJECTED) welcomed at any tier
- semantics-core: complexity table collapsed to descriptive
- qa-tester: removed tier-based reject rules from P1 and Phase 1
Hard rules preserved: CONTRACT-FIRST, ANCHOR SAFETY, FRACTAL LIMIT,
RESURRECTION BAN. Everything else is descriptive intent.
- Add mask_api_key() and is_masked_or_placeholder() to llm_provider service
- Return masked keys in all provider CRUD endpoints
- Reject masked/placeholder keys in fetch_models and test_provider_config
- Show masked key with Change button in ProviderConfig.svelte edit form
- Exclude masked keys from fetch-models, test, and submit payloads on frontend
- Update semantics-core skill with clarified complexity tier rules
- Switch agent modes from subagent to all