What

Fix the portfolio truth/projection contract lane by adding notion_projection_policy.v2, truth-shadow row support, canonical remote identity selection, and a durable reconciliation note.

Why

The live contract-health audit showed Notion projection drift and two portfolio truth identity mismatches where local archive/import remotes were winning over canonical public repo identities.

Review Of What Was Built

• Adds projection policy schema/config support for truth-shadow rows.
• Teaches portfolio truth remote identity selection to prefer canonical, then normal origin, while allowing archive/import origins to yield to a matching public remote.
• Adds regression tests for canonical remote and ApplyKit archive-origin behavior.
• Adds the June 19 reconciliation plan with the verified post-repair state.

Cleanup Review

• Left unrelated decision-queue work out of this PR.
• Did not mutate live Notion rows, GitHub repo settings, bridge files, databases, or local remotes.

Verification Summary

• uv run ruff check src/portfolio_truth_sources.py src/project_registry.py tests/test_portfolio_truth.py tests/test_project_registry.py
• PYTHONDONTWRITEBYTECODE=1 uv run pytest tests/test_portfolio_truth.py tests/test_portfolio_truth_sources.py tests/test_project_registry.py -q
• Cross-system contract-health passed after the refreshed truth snapshot showed 0 truth-only / 14 audit-only.

Shipped Summary

Portfolio truth now maps ApplyKit and GithubRepoAuditor to their public canonical repo identities, while private archive/import repos remain audit-only.

Next Phase

Decide separately whether any remaining supplementary non-Projects audit-only surfaces should gain registry metadata. Do not promote them into first-class truth without explicit operator approval.

Remaining Roadmap

• Revisit fable-outputs after the June 22, 2026 campaign window.
• Keep the remaining archive/support/profile audit-only repos out of truth unless reactivated by operator decision.