docs(plan,spec): apply re-verification fixes (5 high + 5 med + 6 low)

Re-verification gate cleared all original criticals; these close the residual
defects the reassembly leaked back in:

HIGH:
- H-D1: add ssh-key dep to relicario-wasm; two-step PrivateKey::from; drop false note
- H-D2: org_open_with_registered_device unwraps inside WASM (DEVICE_STATE seed,
  session-only); device private key never crosses to JS
- H-D3: extension grant-filters the org manifest (members.json → member grants →
  filter_for_member) to honor the spec parity promise
- H-C1: hook diffs {commit}^:members.json, rejects owner/admin escalation unless
  signer is Owner; adds signed-commit hook test
- H-B4: reorder B4 tests to "org init --dir <path>" (subcommand-scoped global)

MEDIUM: trash=item-delete + item-restore vocabulary reconciled; real
transfer-ownership (demote caller unless --keep-owner); delete-org local-only
caveat in spec; pinned RFC8032 X25519 KAT.

LOW: org init honors RELICARIO_ORG_DIR; D3 VaultEntry type pinned; static_secrets
in File Map/Tech Stack; --format <table|json>; hook slug-in-collections check;
spec-mandated integration tests (TAMPERED, audit JSON, rotate race, remove→rotate
decrypt-denial).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -201,12 +201,14 @@ relicario org create-collection <slug> --name "..."
relicario org grant <member-id> <slug>
relicario org revoke <member-id> <slug>
relicario org rotate-key # new org key: re-wrap for members AND re-encrypt all items + manifest
relicario org transfer-ownership <member-id> # owner → another member (owner only)
relicario org delete-org # owner only; explicit confirmation
relicario org transfer-ownership <member-id> # owner → another member (owner only; caller demoted to admin unless --keep-owner)
relicario org delete-org # owner only; explicit confirmation; LOCAL tombstone only (see caveat below)
relicario org status # members, roles, collections — no decryption
relicario org audit [--since ..] [--member ..] [--collection ..] [--action ..] [--format json]
```
> **`delete-org` caveat (phase 1):** the pre-receive hook rejects deletion of the protected JSON files (`members.json` / `collections.json` / `org.json`) as part of schema-monotonicity enforcement. Therefore phase-1 `delete-org` is a **local tombstone only** — it removes the org files in the working tree and records a delete commit locally, but that commit **cannot be pushed to a hook-protected remote**. Pushing org teardown to a protected remote (a hook-side "owner may delete" exception) is a tracked phase-2 follow-up. `transfer-ownership` is fully hook-compatible (it only mutates `members.json` roles, owner-signed).
### Onboarding Flow
1. Alice runs `relicario device add`, exports her ed25519 public key (`signing.pub`).
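Review bot: the `delete-org` caveat stops short of the failure it creates: a delete commit recorded on the org branch travels with every later push from that clone, and the pre-receive hook's rejection of the protected-file deletion will then block all subsequent pushes, not just the teardown. Either state the recovery step in the caveat (drop or reset the tombstone commit before pushing) or have the CLI refuse to commit the tombstone on a hook-protected branch. Two smaller points in the same hunk: the synopsis still reads `[--format json]` while the commit message promises `--format <table|json>`, so the usage line should show the table default too; and `transfer-ownership ... unless --keep-owner` yields two Owners on a line that also says "owner only", so the spec should say whether multiple owners are permitted and which of them `delete-org` honours.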
@@ -251,7 +253,7 @@ Relicario-Item: 9f8e7d6c5b4a3f2e
| `Relicario-Action` | Trigger |
|---|---|
| `item-create` / `item-update` / `item-delete` / `item-purge` | org item add / edit / trash / purge |
| `item-create` / `item-update` / `item-delete` / `item-restore` / `item-purge` | org item add / edit / trash / restore / purge |
| `member-add` / `member-remove` / `member-role-change` | member management |
| `collection-create` / `collection-grant` / `collection-revoke` | collection management |
| `key-rotate` | org key rotation |
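Review bot: the new `item-restore` row names the trigger ("restore") but not the trailer contract that makes the event auditable: say explicitly that a restore commit carries the same `Relicario-Item` id as the `item-delete` it reverses (the hunk's context line shows the id format, `Relicario-Item: 9f8e7d6c5b4a3f2e`), and whether restoring an item that has already been `item-purge`d is rejected. Without that, `org audit --action item-restore` cannot be joined back to the trash event, and the "trash = item-delete" reconciliation the commit message describes is only half specified.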
@@ -355,3 +357,4 @@ This spec covers phase 1 (git-native org, CLI + extension parity). Phase 2 adds:
- Server-mediated read audit
- "Hide value" autofill (per-item subkeys or server-mediated relay)
- Per-collection cryptographic isolation (subkeys — explicit non-goal for phase 1)
- Pushable `delete-org` org teardown (a hook-side "owner may delete protected files" exception); phase-1 `delete-org` is a local tombstone only
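Review bot: the phase-2 bullet for a pushable `delete-org` should record the design constraint the hook already imposes rather than just the intent. The commit message says the hook resolves the signer's role by diffing `{commit}^:members.json`; a teardown commit deletes `members.json` itself, so an "owner may delete protected files" exception must be evaluated against the parent commit's membership, and the bullet should say so, otherwise the follow-up is easy to implement as "protected files absent, skip the check", which is exactly the bypass the monotonicity rule exists to prevent.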