Reflection follow-up: sub-agent DM recording — close the dm-guard bypass

Reflection 2026-06-18 surfaced that sub-agent-emitted DMs to Will bypass the parent dm-guard recording layer. dm-audit.sh at 17:40 UTC 6/17 caught 4 unrecorded DMs from the 6/16 batch (all-1610 reply, all-1872, all-1862, all-1865) — backfilled with kind=BACKFILL-from-audit, but this is a latent integrity gap (≥5 weeks). dm-audit caught it cross-layer; the primary recording layer never did. Fix (lean option B): require sub-agents to call `~/agents/will-engineer/bin/dm-guard.sh record <topic> <slack-ts> <priority> [kind] [note]` themselves before exit whenever they DM Will. Add a `MANDATORY DM RECORDING` block to the AGENTS.md sub-agent task template. Provide an inline example. Then run dm-audit and confirm 24h of clean. Alternative (option A): forbid sub-agents from DMing Will at all; route through a parent message-relay primitive. More restrictive but more robust. Pick whichever fits the heartbeat's existing patterns best. Acceptance: 1. AGENTS.md sub-agent template updated with explicit DM-recording requirement + helper invocation example. 2. dm-audit clean for ≥24h after the next sub-agent that DMs Will fires. 3. LEARNINGS reflection-follow-up loop validates this as 5th datapoint (latency budget: <10 min from heartbeat pickup to AGENTS.md edit). Context: see LEARNINGS.md 2026-06-18 entry (search for "sub-agent DM recording"), and memory/2026-06-17.md 17:40 UTC entry for the original audit hit. The 5/15 lesson (protocol prose is not enforcement) applies — the cooldown rule was documented but not enforced at the call site that matters.