diff --git a/org/security-dispatcher.org b/org/security-dispatcher.org index f0d15ec..f1719f0 100644 --- a/org/security-dispatcher.org +++ b/org/security-dispatcher.org @@ -159,6 +159,19 @@ Destructive and injection patterns that are blocked in shell commands. Covers ~r (cl-ppcre:scan regex path))) #+end_src + +** Self-Build Safety Boundary (v0.4.0) + +The Dispatcher now protects the core pipeline from unapproved modification. This is the operational realization of "thin harness, fat skills" — the harness is thin enough for a human to audit, and the Dispatcher ensures it stays that way. + +The ~core-*~ files implement the Perceive-Reason-Act cycle, the Merkle-tree memory, the skill engine loader, and the Dispatcher gate stack itself. If the agent (or a hallucination) modifies these files, the agent loses its ability to reason about and fix the corruption. The Dispatcher blocks any file write or shell command targeting ~core-*.org~ or ~core-*.lisp~ — detected by ~dispatcher-check-core-path~ using direct regex matching (~core-.*\.(org|lisp)~). + +Unlike secret path protection (Vector 2), which produces a hard ~:LOG~ block, core file writes produce a ~:approval-required~ Flight Plan (Vector 2b). The human reviews the proposed core change in an Org buffer before approving — the same mechanism that governs shell commands and network exfiltration. + +The ~SELF_BUILD_MODE~ env var controls this protection: +- ~SELF_BUILD_MODE=true~ (default ~false~): core path protection active — writes require HITL approval +- ~SELF_BUILD_MODE=false~: protection disabled — useful during development when the human is manually editing core files + ** dispatcher-check-core-path ;; REPL-VERIFIED: 2026-05-06T18:00:00 #+begin_src lisp
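Review bot: In the SELF_BUILD_MODE list at the end of the new section, the documented default is false, and false is described as "protection disabled", so the boundary announced in the first paragraph ("The Dispatcher now protects the core pipeline") is off unless the operator opts in. A safety gate should fail closed: either make protection the default and require an explicit setting to turn it off, or say in the opening paragraph that protection is opt-in. The name also reads backwards, since SELF_BUILD_MODE=true suggests the agent may modify itself rather than that core writes need HITL approval; a name that states what it enables would avoid misconfiguration. Separately, the pattern quoted in the second paragraph, core-.*\.(org|lisp), is unanchored as documented, so it also matches paths that merely contain "core-" followed later by ".org" or ".lisp" (for example score-notes.org or core-x.lisp.bak). If the intent is only files named core-*.org or core-*.lisp, document the anchored form and state whether the check runs on the raw path string or on a resolved path.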