diff --git a/docs/HIVE-ONBOARDING.md b/docs/HIVE-ONBOARDING.md
index 6647bed..49ad2b9 100644
--- a/docs/HIVE-ONBOARDING.md
+++ b/docs/HIVE-ONBOARDING.md
@@ -115,6 +115,12 @@ Smallest path that is real:
 3. **Spawner hook** — call vault-provision right after jail create.
 4. **`mother` skill in layered-soul** — the genesis sequence above.
 
+**First-proof policy.** The first proven end-to-end runs against a **scratch jail + a
+throwaway test collection only** — no real tenant data until the path hardening lands
+(canonicalize + allowed-root containment, colibri issue #92). The two first-proof blockers
+are colibri **#88** (resolve the collection by name) and **#89** (per-call unlock); #92 is
+hardening that follows. Tracker state lives on those issues.
+
 **Overengineering traps to avoid for now:** a custom Bitwarden web UI (Vaultwarden's own UI
 + a Collection is enough to start), billing/metering, a native Bitwarden protocol in Rust,
 multi-region control plane, and recursive auto-spawn (gate it off until policy exists).