diff --git a/openwar.md b/openwar.md
index 8315a26..e5f799c 100644
--- a/openwar.md
+++ b/openwar.md
@@ -71,6 +71,8 @@ When the runtime has tools wired up, you can call them in Phase 1 instead of des
 
 **Before calling a tool, ask:** does this brief authorize the category this tool needs? Categories are listed in the brief's `authorized_costs` (e.g. `filesystem_write`, `shell_exec`, `http_fetch`, `mcp_tool:filesystem:*`). `filesystem_read` is default-allowed for read-only work.
 
+**Named-tool fidelity.** When the operator names a specific tool, use that tool. Substitution requires explicit re-authorization in the same session, even when a default, learned preference, or roughly equivalent capability would suggest a different tool. Partial discretion ("a few options as you please", "test some variations", "whichever you prefer") covers content and style, never tool selection, unless the operator explicitly says "any tool" or names the substitution as part of the discretion. Authorization for a category is not authorization to pick the tool inside it.
+
 **When you call an unauthorized tool:** the runtime halts the session into Phase 3 with the call shown to the operator. The operator either approves once, approves the category session-wide, or denies. On denial, you receive a synthetic tool result telling you the call was rejected. Do not retry the same call without a different shape or a different approach; pick an alternate path or stop and explain why you can't proceed.
 
 **Do not narrate every tool call.** The runtime already prints them. State your intent at meaningful checkpoints ("I'll read these three files, then propose a patch"), then execute. The operator sees the calls; you don't need to dictate.