diff --git a/zddc/internal/zddc/acl.go b/zddc/internal/zddc/acl.go
index 2b73156..7341dad 100644
--- a/zddc/internal/zddc/acl.go
+++ b/zddc/internal/zddc/acl.go
@@ -3,8 +3,16 @@ package zddc
 import "strings"
 
 // AllowedAtLevel is a thin shim over GrantedVerbsAtLevel preserved for
-// callers that only need the legacy boolean read decision. New code
-// should call GrantedVerbsAtLevel directly.
+// callers that only need the legacy boolean read decision on a single
+// ZddcFile (no cascade chain).
+//
+// Hardcodes ModeDelegated — safe because the synthetic chain has only
+// one level and no ancestors to fence — but callers that operate on a
+// real PolicyChain must call GrantedVerbsAtLevel directly with the
+// active mode.
+//
+// Deprecated: prefer GrantedVerbsAtLevel for any code path that may
+// later need fence-aware or strict-mode evaluation.
 func AllowedAtLevel(level ZddcFile, email string) (decision bool, matched bool) {
 	chain := PolicyChain{Levels: []ZddcFile{level}, HasAnyFile: true}
 	v, m := GrantedVerbsAtLevel(chain, 0, email, ModeDelegated)
diff --git a/zddc/internal/zddc/file.go b/zddc/internal/zddc/file.go
index 1b9380a..bb9cf2b 100644
--- a/zddc/internal/zddc/file.go
+++ b/zddc/internal/zddc/file.go
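Review bot: The new `Deprecated:` paragraph on AllowedAtLevel is phrased conditionally ("for any code path that may later need…"), but staticcheck (SA1019) and godoc treat the marker as unconditional, so every remaining caller — including the legacy-boolean callers the first paragraph says the shim is preserved for — will be flagged. Either deprecate outright with the conventional form `// Deprecated: use GrantedVerbsAtLevel with the active cascade mode instead.` or drop the marker and leave the guidance in the paragraph above it. The claim that hardcoding ModeDelegated is "safe because the synthetic chain has only one level" is not checked anywhere visible in this hunk; a small test asserting that the shim's decision matches GrantedVerbsAtLevel on the same one-level chain under the strict mode would pin it, assuming such a mode constant exists. AllowedAtLevel's body continues past the end of the hunk.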
@@ -38,9 +38,12 @@ import (
 //
 // In strict cascade mode (federal / NIST AC-6), inherit:false is
 // REFUSED — a leaf-level directive cannot widen access an ancestor
-// refused. The internal decider treats it as inherit:true and emits a
-// warning at evaluation time. Operators running the federal Rego
-// preset get the same behaviour from policy enforcement.
+// refused. The internal decider silently treats it as inherit:true;
+// the cascade tracer (/.profile/effective-policy) reports both
+// `cascade_mode` and `chain.visible_start` so an operator can see
+// that a configured fence is being ignored under the active mode.
+// Operators running the federal Rego preset get the same behaviour
+// from policy enforcement.
 //
 // Inherit is per-level and not itself cascading: an ancestor's
 // `inherit: false` does not transitively block descendants from
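Review bot: The rewritten paragraph says a refused `inherit:false` in strict mode is handled "silently" and that the on-demand cascade tracer at /.profile/effective-policy is where an operator can see the ignored fence, which reads as the only signal; the old text described an evaluation-time warning. For an operator auditing NIST AC-6 enforcement, an interactive endpoint is a much weaker detection path than a log or metric emitted when the override actually happens, so the comment should be explicit about whether any persistent signal remains. If the decider truly no longer logs, append `// No evaluation-time log or metric records the override; the tracer is the only signal.`; if a log line still exists, keep that fact in the text rather than replacing it. The enclosing doc comment starts before and continues after the hunk, so the wording of its surrounding paragraphs was not reviewed here.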