docs(path-guard): sync paths-allowlist.yml schema docs + check-paths.mts.tmpl

The schema docs in paths-allowlist.yml drifted from canonical. The
old comment claimed line tolerance is ±2 (FALSE since Gap 2; lines
are now strict-exact) and didn't mention snippet_hash or --show-hashes.
Also brings the path-guard skill reference template up to date.

Author: jdalton

.claude/skills/path-guard/reference/check-paths.mts.tmpl

@@ -229,7 +229,8 @@ const loadAllowlist = (): AllowlistEntry[] => {
         blockLines = []
         return
       }
-      ;(current as any)[key] = key === 'line' ? Number(unquote(trimmed)) : unquote(trimmed)
+      ;(current as any)[key] =
+        key === 'line' ? Number(unquote(trimmed)) : unquote(trimmed)
     }
     if (line.startsWith('- ')) {
       if (current && current.reason) {
@@ -317,8 +318,7 @@ const isAllowlisted = (finding: Finding): boolean =>
     const hashProvided =
       typeof entry.snippet_hash === 'string' && entry.snippet_hash.length > 0
     if (lineProvided || hashProvided) {
-      const lineMatches =
-        lineProvided && entry.line === finding.line
+      const lineMatches = lineProvided && entry.line === finding.line
       const hashMatches =
         hashProvided && entry.snippet_hash === snippetHash(finding.snippet)
       if (!(lineMatches || hashMatches)) {
@@ -382,7 +382,8 @@ const STRING_LITERAL_RE = /(['"])((?:\\.|(?!\1)[^\\])*)\1/g
 // (including those with `${...}` placeholders) so Rule A also catches
 // path construction via template literals like
 // `${buildDir}/out/Final/${binary}` or `build/${mode}/out/Final`.
-const TEMPLATE_LITERAL_RE = /`((?:\\.|(?:\$\{(?:[^{}]|\{[^{}]*\})*\})|(?!`)[^\\])*)`/g
+const TEMPLATE_LITERAL_RE =
+  /`((?:\\.|(?:\$\{(?:[^{}]|\{[^{}]*\})*\})|(?!`)[^\\])*)`/g
 
 /**
  * Convert a template-literal body into a synthetic forward-slash path

.github/paths-allowlist.yml

@@ -7,21 +7,35 @@
 #
 # Schema (all top-level keys optional except `reason`):
 #
-#   - rule:    Rule letter (A, B, C, D, F, G). Omit to match any rule.
-#     file:    Substring match against the relative file path.
-#     pattern: Substring match against the offending snippet.
-#     line:    Line number; matches if within ±2 of the finding.
-#     reason:  Why this site is genuinely exempt. Required.
+#   - rule:         Rule letter (A, B, C, D, F, G). Omit to match any rule.
+#     file:         Substring match against the relative file path.
+#     pattern:      Substring match against the offending snippet.
+#     line:         Exact line number. Strict — no fuzz tolerance.
+#     snippet_hash: 12-char SHA-256 prefix of the normalized snippet
+#                   (whitespace collapsed). Drift-resistant: the entry
+#                   keeps matching after reformatting that doesn't
+#                   change the offending construction. Get the hash by
+#                   running `node scripts/check-paths.mts --show-hashes`.
+#     reason:       Why this site is genuinely exempt. Required.
 #
-# Prefer narrow entries (rule + file + line + pattern) over blanket
-# `file:` entries that exempt the whole file. Genuine exemptions are
-# rare — most "false positives" should be reported as gate bugs.
+# Match policy: if `line` is provided it must match exactly. If
+# `snippet_hash` is provided it must match exactly. Both may be set —
+# either one matching is sufficient (so a code reformat that keeps
+# the snippet but moves the line still matches via hash, and a
+# reformat that changes the snippet but keeps the line still matches
+# via line). If neither is set, `file` + `pattern` + `rule` matching
+# is used (broader; prefer narrow entries when possible).
+#
+# Prefer narrow entries (rule + file + snippet_hash + pattern) over
+# blanket `file:` entries that exempt the whole file. Genuine
+# exemptions are rare — most "false positives" should be reported
+# as gate bugs.
 #
 # Example:
 #
 #   - rule: A
 #     file: packages/foo/scripts/legacy-build.mts
-#     line: 42
+#     snippet_hash: a1b2c3d4e5f6
 #     pattern: "path.join(testDir, 'out', 'Final')"
 #     reason: |
 #       legacy-build.mts is scheduled for removal in v2.0; refactoring