fix(server/addie): verify object + tool before offering mutations

[bokelley]

Closes #4281

Third documented instance of Addie offering to mutate a named object that doesn't exist ("update the prospect record for Spreaker"), then escalating when she discovers she can't act. The root pattern: Addie misclassifies a neutral declarative fact ("X is part of Y") as a mutation intent, invents a phantom object, offers to update it, the user agrees, and Addie escalates when no tool can execute. This PR operationalizes the feedback already in memory (feedback_addie_no_phantom_tools, feedback_addie_tools_just_work) as concrete rules.

Non-breaking justification: adds new sections to existing Markdown rule files (behaviors.md, constraints.md) and one entry to urls.md. No TypeScript changes, no protocol schema changes, no public API surface touched. Changeset is --empty (server-only).

---

Changes

constraints.md — "Verify Object + Tool Before Offering a Mutation"
Hard prohibition triggered by any message containing mutation-signaling verbs applied to a named entity. Decision procedure:

1. Identify the object type's read tool; if none exists but a write tool does, get explicit confirmation before writing.
2. Look it up before offering anything.
3. Object not found → clarifying question; only offer creation if a creation tool is in the catalog (prevents offering add_prospect to non-admins).
4. Object found, no write tool → route to self-serve surface; only escalate when neither a tool nor a self-serve path exists. Override scoped explicitly to step 4 only.

Also adds: "neutral declarative facts are not mutation requests" — when a user asserts a world-state rather than requesting an action, acknowledge and ask, don't paraphrase as an offer.

behaviors.md — "Brand-Ownership Intent: Route to Brand Builder"
When a user states domain/company ownership ("X is part of Y"): never invent a prospect record. Look up the parent domain. If the caller's org owns it, offer parse_brand_properties → confirm → import_brand_properties; if a runtime auth error fires, fall through to step 4. If the org doesn't own it, route to agenticadvertising.org/brand-builder?domain=<owner>. Do not escalate.

urls.md — add agenticadvertising.org/brand-builder
Brand builder (server/public/brand-builder.html) is a real page that accepts ?domain= to pre-load a domain. Added to the canonical URL registry so the brand-ownership routing rule can reference it without violating the "do not emit unregistered URLs" constraint. CI link checker will validate on merge.

---

Pre-PR review:

• code-reviewer: approved after two nit fixes — vague "account search tool" → query_prospects/get_account; Apex Radio not on approved fictional-names list → Apex Athletic
• prompt-engineer: approved after four blocker fixes — trigger condition now enumerates mutation-signaling verbs; no-read-tool-but-write-tool case added; creation offer in step 3 gated on catalog presence; (or you lack the import tools) dead-code clause replaced with runtime auth-error handling; "neutral declarative facts" detector changed from syntactic (no imperative verb) to semantic (user asserting world-state vs. requesting action)

Triage-managed PR. This bot does not currently iterate on review comments or PR conversation threads (only on the source issue). To unblock:

• Push fixup commits directly: gh pr checkout <num> → fix → push.
• Or re-trigger: comment /triage execute on the source issue.

See #3121 for context.

Session: https://claude.ai/code/session_01N7nwk7MBtiepzAtcV2s3M4

---

Generated by Claude Code