docs(licence-policy): A5 — scaffold-placeholder leak is NOT licence debt

.machine_readable/licensing-policy.toml

@@ -46,10 +46,20 @@ exception = "an agent may author NEW files with correct SPDX; a brand-new repo's
 
 [debt]                                   # Addendum A3 — the ONLY licence debt
 type = "variant normalisation (manual, owner-driven)"
-fix = "PMPL-1.0 and PMPL-1.0-or-later-or-later -> PMPL-1.0-or-later"
+fix = "PMPL-1.0 -> PMPL-1.0-or-later (the only TRUE manual licence debt)"
+note = "PMPL-1.0-or-later-or-later is NOT hand-typed debt — it is a scaffold-substituter artifact; see [scaffold_placeholder]"
+
+[scaffold_placeholder]                   # Addendum A5 — NOT licence debt
+sentinel = ["PLMP-1.0-or-later", "PMLP-1.0-or-later"]
+classification = "unsubstituted scaffold placeholder (process bug) — NOT licence debt"
+remediation = "re-run contractiles scaffold substitution; NEVER hand-edit as licence work"
+family = "PMPL-1.0-or-later-or-later (doubled suffix) is the same scaffold-substituter family"
+tripwire = "contractiles/must/Mustfile (groups with REPLACE-WITH-*)"
 
 [guard]
 location = "rsr-template-repo/.github/workflows/spdx-policy-guard.yml"
 edits_files = false
 tolerates = ["PMPL-*"]
 fails_on = ["contradictory multi-SPDX in one file", "foreign licences outside the estate family"]
+hard_fails_on = ["PLMP-/PMLP- as a real SPDX value (scaffold-placeholder leak)"]
+warns_on = ["bare PMPL-1.0", "PMPL-1.0-or-later-or-later"]

LICENCE-POLICY.adoc

@@ -127,10 +127,13 @@ top-level LICENSE — that is authoring, not relicensing.
 
 === A3 — Variant normalisation is the only standing debt
 
-A few files carry malformed variants — `PMPL-1.0` (missing
-`-or-later`) and `PMPL-1.0-or-later-or-later` (doubled suffix). These
-should read `PMPL-1.0-or-later`. This is the *only* licence debt, and
-it is owner-driven manual cleanup (per A2) — not a drift to auto-fix.
+A few files carry the malformed variant `PMPL-1.0` (missing
+`-or-later`); it should read `PMPL-1.0-or-later`. This is the *only*
+true licence debt, and it is owner-driven manual cleanup (per A2) —
+not a drift to auto-fix. NOTE: the doubled form
+`PMPL-1.0-or-later-or-later` was found (2026-05-18) to be a
+scaffold-substituter artifact of the same family as A5, *not*
+hand-typed licence debt — see A5.
 
 === A4 — Open question (owner ruling pending)
 
@@ -140,6 +143,19 @@ The Palimpsest family has a canonical member `PAGPL-1.0-or-later`
 `PAGPL-1.0-or-later` is an *open owner decision* — not yet ruled, not
 asserted here.
 
+=== A5 — Scaffold-placeholder leak is NOT licence debt
+
+`PLMP-1.0-or-later` / `PMLP-1.0-or-later` (anagrams of PMPL) are an
+*intentional scaffold placeholder sentinel* — the contractiles
+substitution step must rewrite them to `PMPL-1.0-or-later`. Their
+survival into a repo is an *unsubstituted-scaffold leak* (a process
+bug), *not licence debt*. They must NEVER be hand-edited as licence
+remediation; the fix is re-running scaffold substitution. The
+canonical tripwire is `contractiles/must/Mustfile` (groups the
+sentinel with `REPLACE-WITH-*`); `spdx-policy-guard.yml` hard-fails it
+as a real SPDX value (and surfaces A3 variants as non-failing
+warnings). Evidence: `LICENCE-DEBT-LEDGER-2026-05-18`.
+
 == See Also
 
 * `PALIMPSEST.adoc` (this directory) — full narrative