Assert be:1->be:0 or be:0+bs:1 are bad from get()

index.bs

@@ -5523,8 +5523,13 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
     let |currentBe| and |currentBs| be the values of the [=authData/flags/BE=] and [=authData/flags/BS=] bits, respectively,
     of the <code>[=flags=]</code> in |authData|.
     Compare |currentBe| and |currentBs| with
-    <code>|credentialRecord|.[$credential record/backupEligible$]</code> and <code>|credentialRecord|.[$credential record/backupState$]</code>
-    and apply [=[RP]=] policy, if any.
+    <code>|credentialRecord|.[$credential record/backupEligible$]</code> and <code>|credentialRecord|.[$credential record/backupState$]</code>:
+
+    1. If <code>|credentialRecord|.[$credential record/backupEligible$]</code> is set, verify that |currentBe| is set.
+
+    1. If <code>|credentialRecord|.[$credential record/backupEligible$]</code> is not set, verify that |currentBs| is not set.
+
+    1. Apply [=[RP]=] policy, if any.
 
     Note: See [[#sctn-credential-backup]] for examples of how a [=[RP]=] might process the [=authData/flags/BS=] [=flag=] values.