feat(skills/update-stack): block on undeclared drift vs upstream

[PierreBrisorgueil]

Problem

During a 2026-05-30 audit of comes-io/trawl_node, 3 architectural violations and 9 promote-up candidates were found in stack-managed modules (auth, users, billing). These accumulated over weeks because /update-stack had no automated gate — drift could silently survive ISO merge if conflict resolution picked --ours incorrectly or if a downstream dev committed directly to a shared module.

Solution

Add a 3ter gate to Phase 1 of /update-stack (SKILL.md): after /verify passes and before Phase 2 starts, diff each common-module non-test file against devkit-node/master. If a file diverges from upstream AND is not listed in DOWNSTREAM_PATCHES.md, block with a clear error.

Allowed divergence paths

1. File lives in a downstream-only module (not in devkit at all)
2. File is config/defaults/<project>.config.js (explicitly downstream-owned)
3. File is declared in DOWNSTREAM_PATCHES.md with rationale + /update-stack action

Complement

• Task E.1: DOWNSTREAM_PATCHES.md ledger convention
• Task E.3: PRF Phase 0.5 gate (catches drift at PR time)
• Task E.6: memory feedback_no_dev_in_shared_modules

Ref: plan 2026-05-30-trawl-devkit-perfect-alignment.md