🛡️ chore(process): enforce plan scope permission lock

Require active execution plans to record allowed paths and explicit permission checkboxes, and enforce this mechanically via arch-test to prevent unscoped edits.

Author: attid

.linters/check_exec_plan_scope_lock.py

@@ -0,0 +1,48 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parent.parent
+ACTIVE_PLANS_DIR = ROOT / "docs" / "exec-plans" / "active"
+
+REQUIRED_SNIPPETS = (
+    "## Files/Directories To Change",
+    "## Edit Permission",
+    "- [x] Allowed paths confirmed by user.",
+    "- [x] No edits outside listed paths.",
+)
+
+
+def should_check(path: Path) -> bool:
+    return path.suffix == ".md" and path.name != "README.md"
+
+
+def main() -> int:
+    missing = []
+    for plan in sorted(ACTIVE_PLANS_DIR.glob("*.md")):
+        if not should_check(plan):
+            continue
+        text = plan.read_text(encoding="utf-8")
+        not_found = [snippet for snippet in REQUIRED_SNIPPETS if snippet not in text]
+        if not_found:
+            missing.append((plan, not_found))
+
+    if missing:
+        print("Execution plan scope-lock check failed:")
+        for plan, snippets in missing:
+            rel = plan.relative_to(ROOT)
+            print(f"- {rel} is missing required items:")
+            for snippet in snippets:
+                print(f"  - {snippet}")
+        print(
+            "Fix: update active plan with explicit allowed paths and checked permission items."
+        )
+        return 1
+
+    print("Execution plan scope-lock checks passed.")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

docs/exec-plans/active/2026-03-01-wallet-crypto-v2-migration.md

@@ -38,6 +38,15 @@ Operational rollout without feature flags:
 - `adr/` (new ADR)
 - `docs/runbooks/` (migration/rollback runbook)
 
+## Edit Permission
+
+- [x] Allowed paths confirmed by user.
+- [x] No edits outside listed paths.
+
+Permission evidence:
+
+> "Ок, давай сделаем тогда план в файлике дотошный..." and explicit follow-ups to proceed with implementation.
+
 ## Change Plan
 
 1. [x] Add new DB field and model mapping (no legacy removal).

docs/exec-plans/template.md

@@ -4,6 +4,20 @@
 
 Why this task exists and links to issue/ADR.
 
+## Files/Directories To Change
+
+- `<path-or-dir-1>`
+- `<path-or-dir-2>`
+
+## Edit Permission
+
+- [ ] Allowed paths confirmed by user.
+- [ ] No edits outside listed paths.
+
+Permission evidence (copy user wording or exact confirmation):
+
+> <user confirmation>
+
 ## Change Plan
 
 1. [ ] Step one with concrete file targets.

docs/runbooks/task-intake-and-execution.md

@@ -14,17 +14,19 @@ Ensure every non-trivial task starts in AI-first workflow mode.
    just start-task <task-id> title="<short title>"
    ```
 
-4. Fill checkboxes in the created plan under `docs/exec-plans/active/`.
-5. Implement with minimal diff.
-6. Run validation commands:
+4. Record allowed paths and permission evidence in the plan (`Files/Directories To
+   Change` and `Edit Permission` sections).
+5. Mark permission checkboxes as done before first edit.
+6. Implement with minimal diff.
+7. Run validation commands:
 
    ```bash
    just arch-test
    just lint
    just test-fast
    ```
 
-7. Move completed plan:
+8. Move completed plan:
 
    ```bash
    just finish-task <plan-file>

justfile

@@ -62,6 +62,7 @@ test-external:
 arch-test:
     uv run python .linters/check_import_boundaries.py
     uv run python .linters/check_docs_contract.py
+    uv run python .linters/check_exec_plan_scope_lock.py
 
 secret-scan:
     docker run --rm -v "$PWD:/repo" -w /repo zricethezav/gitleaks:v8.24.2 detect --source=. --no-git --redact --config=.gitleaks.toml