docs(v1.100 Amendment 3): G1/AmbiguityConflictExternal narrow split for orphan-CSF-on-DA — DOC SEED (#522)

Authority gap discovered during dns2 Gate B run #1 (2026-04-29T12:33:02Z):
on a real DirectAdmin host with a real CSF install where Gate A canonical
takeover succeeded, the classifier returns

  Authority=AuthorityAmbiguous + Ambiguity=AmbiguityConflictExternal
  + external=csf

because csf-residue (/etc/csf/, /usr/sbin/csf.disabled, lfd.service unit-file,
etc.) is intact post-canonical-install per §17.2 invariant. The lattice
correctly refused at G1/AmbiguityConflictExternal per the locked §6 Group 1
hard-stop.

Amendment 2's G1/AuthorityNFTBan/OrphanProceed was scoped to non-ambiguous
AuthorityNFTBan; on srv3 (no real csf install) the classifier returned that;
on dns2 (real csf install + canonical takeover) the classifier returns
AmbiguityConflictExternal. Same operator intent, different lattice path.

Auditor disposition (2026-04-29) approved Option A (narrow lattice extension
mirroring Amendment 2). Options B (manual residue cleanup) and C (classifier
semantic patch within PR-26 scope) rejected.

This amendment appends Part VI (§§62–69) to internal/installer/restore/
contract.md:

  §62  pinned sentence + scope + invariants + new INV-AMD3-CONFLICT-EXTERNAL-CSF-NARROW
  §63  G1/AmbiguityConflictExternal split (entirely within Group 1; §5 precedence preserved)
  §64  evidence predicate (§54/§64 combined; §54 untouched, predicate scoped to §62 entry conditions)
  §65  forbidden behaviors (extends §25, §34, §38.2, §55)
  §66  test requirements (unit tests, regression tests, CI grep gates)
  §67  test matrix — 15 rows including AMD3-13 (empty external defensive guard),
       AMD3-14 (rule-label assertion for downstream consumers), AMD3-15 (multi-external defensive guard)
  §68  sequencing recommendation (10 sequential gates to PR-26 final merge)
  §69  rejected alternatives (Options B, C, D + any-pre-code-A-mutation rejection)

Doc-only commit. Single file. No production code change. No CI change. No
engine.go or engine_test.go edit. No §54 modification (Amendment 2's
predicate stays scoped to AuthorityNFTBan). No classifier semantic change.
No §32 ordering change. No new mutation surface. No new state terminal. No
new exit code. No host action.

Code phase opens in a separate amendment-3-code-A PR after this seed merges
and the auditor approves the code-A scope.

dns2 stays in canonical post-Gate-A state until code-A merges + fresh Tier 1
+ fresh signoff + Gate B retry pre-execution audit returns GO. The Gate B
run #1 REFUSE was non-mutating; no R-1 cleanup, no fresh Gate A run, no
snapshot rollback needed.

PR-26 final remains non-mergeable until amendment-3-code-A lands AND Gate B
retry produces StateRestoreExecuted AND post-B auditor returns GO.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: itcmsgr