mirror of https://github.com/garrytan/gstack.git
refactor(cso): renumber Tier 3 rules R7/R8/R9/R12 → R1/R2/R3/R4
The R7/R8/R9/R12 numbering reflected a 14-rule draft history where R10, R11, R13, R14 were dropped during review (hash-level IOCs and cloud-SDK false-positive risks). Renumbering closes the gaps so reviewers see four contiguous rules instead of wondering what R10/R11 were. Rule definitions and FP guards are unchanged. Self-ref in the FP guards section updated (R9 → R3).
This commit is contained in:
parent
0eebbbf247
commit
0d6d83970f
10
cso/SKILL.md
10
cso/SKILL.md
|
|
@ -1056,17 +1056,17 @@ If approved, run the same Grep patterns on globally installed skill files and ch
|
||||||
|
|
||||||
**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.
|
**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.
|
||||||
|
|
||||||
**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.
|
**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.
|
||||||
|
|
||||||
**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.
|
**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.
|
||||||
|
|
||||||
**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.
|
**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.
|
||||||
|
|
||||||
**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.
|
**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.
|
||||||
|
|
||||||
**Tier 3 FP guards:**
|
**Tier 3 FP guards:**
|
||||||
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
|
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
|
||||||
- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.
|
- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.
|
||||||
|
|
||||||
### Phase 9: OWASP Top 10 Assessment
|
### Phase 9: OWASP Top 10 Assessment
|
||||||
|
|
||||||
|
|
|
||||||
|
|
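Review bot: the renumbering collapses the Tier 3 identifiers to R1–R4, which are the most likely names already in use by other tiers of the same SKILL.md (the hunk context itself speaks of "Tier 3" and a daily-mode "8/10" contract, implying other rule sets). If Tier 1 or Tier 2 rules are also labelled R1…, a finding reported as "R3" becomes ambiguous; either confirm the other tiers use disjoint identifiers or give these a tier prefix (for example `T3-R3`). The hunk updates the one self-reference visible here (`R9` → `R3` in the FP guards), but any references outside this file (tests, finding templates, changelog, README) should be grepped for lingering `R7`/`R8`/`R9`/`R12` before merge.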
@ -304,17 +304,17 @@ If approved, run the same Grep patterns on globally installed skill files and ch
|
||||||
|
|
||||||
**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.
|
**Tier 3 — known-campaign IOCs (comprehensive mode only):** All rules in this tier surface only under `/cso --comprehensive` with TENTATIVE marking — daily mode's 8/10 zero-noise contract is unaffected.
|
||||||
|
|
||||||
**R7** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.
|
**R1** — Any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` field containing a `/proc/.*/mem` read pattern. Direct process-memory introspection from a Claude Code hook has no legitimate use; it is a known credential-exfiltration technique against runner processes.
|
||||||
|
|
||||||
**R8** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.
|
**R2** — `.claude/**/*.{js,mjs,ts,cjs}` or `.vscode/**/*.{js,mjs,ts,cjs}` containing **both** the `_0x[0-9a-f]{4,}` variable pattern (≥3 distinct occurrences) **and** at least one of `createDecipheriv`, `gunzip`, `gunzipSync`, `inflateRawSync`, `inflateSync`. Do not alert on ordinary minified bundles or inline sourcemap output unless both halves match.
|
||||||
|
|
||||||
**R9** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.
|
**R3** — File under `.claude/**` or `.vscode/**` where **all three** hold: (a) referenced from any Claude Code settings file (`.claude/settings.json`, `.claude/settings.local.json`, `~/.claude/settings.json`, or `~/.claude/settings.local.json`) `hooks.*.command` via `node|bun|python3?|bash|sh <path>`, `node --require <path>`, `node -e <inline-require>`, or direct path invocation, **OR** from a `tasks.json` task with `runOptions.runOn: "folderOpen"`; (b) not present in package manifest evidence (`package.json` `files` array, npm tarball, or installed locked-package artifacts); (c) not exempt by the Tier 3 FP guards below. Auto-run persistence bridge in TTP form — renaming the payload file does not evade.
|
||||||
|
|
||||||
**R12** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.
|
**R4** — Strings `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, or `seed3.getsession.org` appearing inside an executable context: a `hooks.*.command` value, a `tasks.json` `command`/`args` field, or a `fetch`/`http.get`/`axios`/`socket.connect`/`curl`/`nc` call inside a `.{js,mjs,ts,cjs,sh,py}` file under `.claude/**`/`.vscode/**`. Documentation or IOC-note mentions do not fire.
|
||||||
|
|
||||||
**Tier 3 FP guards:**
|
**Tier 3 FP guards:**
|
||||||
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
|
- gstack-installed paths trusted: `~/.claude/skills/gstack/`, `~/.claude/skills/gstack-*/`, `~/.claude/hooks/` when content matches distributed checksums (extends the existing "gstack's own skills are trusted" precedent above).
|
||||||
- R9 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.
|
- R3 excluded under `.vscode/extensions/` and inside any directory listed in the root `package.json` `workspaces` field.
|
||||||
|
|
||||||
### Phase 9: OWASP Top 10 Assessment
|
### Phase 9: OWASP Top 10 Assessment
|
||||||
|
|
||||||
|
|
|
||||||
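Review bot: this hunk is byte-for-byte the same Tier 3 block as the one at `-1056`, only at a different offset (`-304`), so cso/SKILL.md carries two copies of the rule definitions and FP guards that must be edited in lockstep. That is exactly how the `R9` → `R3` self-reference could drift between copies in a future change; consider keeping a single definition and referencing it from the other location, or at minimum add a comment in both places noting the duplicate so reviewers check both.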