Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/warp-core/src/strand.rs`:
- Around line 205-208: The remove method currently returns Option<Strand> which
silently accepts missing IDs; change pub fn remove(&mut self, strand_id:
&StrandId) -> Option<Strand> to return Result<Strand, StrandError> and return
Err(StrandError::NotFound(*strand_id)) (or appropriate clone) when the id is
absent to match StrandError::NotFound; update all callers of
StrandRegistry::remove (or the remove function) to handle the Result error path
so drop failures are surfaced explicitly.
- Around line 224-229: Introduce a zero-allocation iterator API and make the
Vec-allocating API opt-in: add a new method (e.g., iter_by_base or
strands_by_base_iter) that returns an iterator over &Strand (signature like pub
fn iter_by_base<'a>(&'a self, base_worldline_id: &'a WorldlineId) -> impl
Iterator<Item = &'a Strand>) implemented as self.strands.values().filter(move
|s| &s.base_ref.source_worldline_id == base_worldline_id); then rewrite
list_by_base to be a thin wrapper that calls the new iterator and collects into
a Vec (keeping existing behavior for callers that need materialization). This
keeps the Strands map scanning lazy/zero-allocation for hot paths while
preserving the existing Vec-producing convenience API.
- Around line 133-144: The Strand struct currently exposes public fields
allowing invalid instances into the registry; add a Strand::validate_v1(&self)
-> Result<(), StrandError> that enforces INV-S7 (child_worldline_id !=
base_ref.source_worldline_id), v1 writer_heads cardinality == 1, and INV-S9
(support_pins.is_empty()), add a StrandError::InvariantViolation variant, call
validate_v1() from the registry insertion path (the code around the insertion
that currently only enforces ID uniqueness) and reject inserts on validation
failure, and either make Strand fields private with a validated constructor or
ensure all public construction sites call validate_v1(); note INV-S8 (writer
head membership) should be checked in validate_v1 once WriterHeadKey exposes a
worldline accessor.

In `@crates/warp-core/tests/strand_contract_tests.rs`:
- Around line 60-90: The tests currently use make_test_strand() which constructs
a perfectly valid Strand (with BaseRef, one writer_head and empty support_pins),
so INV-S2/S5/S7/S8/S9/cardinality checks only re-assert the fixture; change the
tests to either (A) stop calling these "contract-validation" tests or (B) add
negative and edge cases that exercise the real enforcement surface: create
Strand instances with invalid BaseRef/provenance (mismatched
provenance_ref.worldline_id or wrong commit_hash), with zero or multiple
writer_heads where cardinality forbids, with duplicate writer_heads, and with
non-empty support_pins that violate constraints, and then pass those instances
into the actual validation routine in warp_core::strand (e.g., call the module's
validate function such as validate_strand or Strand::validate) to assert the
validator rejects them rather than relying on the helper fixture.
- Around line 386-417: The test currently builds BaseRef from child_entry and
compares fields to the child copy; instead fetch the source entry via
store.entry(base_id, wt(1)) (e.g., let base_entry = store.entry(base_id,
wt(1)).expect(...)) and assert that base_entry.expected.commit_hash and
base_entry.expected.state_root equal the BaseRef.commit_hash and
BaseRef.boundary_hash respectively, and also assert
base_entry.expected.commit_hash/ state_root equal the
child_entry.expected.commit_hash/state_root to ensure fork() didn’t rewrite
those on the child; keep existing checks on BaseRef.provenance_ref.worldline_id,
worldline_tick, and commit_hash.

In `@docs/method/retro/0004-strand-contract/retro.md`:
- Around line 36-42: Update the playback table and surrounding prose in retro.md
to accurately reflect only the APIs and behaviors currently implemented and
tested: remove or reclassify any claims that "create_strand" or full drop
cleanup are delivered when they are not (per the later note that the
orchestrated create/drop API and provenance cleanup are future work), and
instead list only what the tests actually cover (e.g., that create_strand
returns the expected fields as verified by the 14 Rust tests, base_ref pinning
as shown by inv_s5, strand head states and exclusion from runnable set as shown
by inv_s4 and inv_s4_s10, and that drop-related behavior covered by
registry_remove and drop_receipt tests is limited to what those tests assert).
Ensure the table rows (create_strand, drop) and the explanatory lines around
them reference the actual test witnesses (inv_s4, inv_s5, inv_s4_s10,
registry_remove, drop_receipt, 14 Rust tests) and remove any forward-looking or
incorrect "delivered" wording, adding a short note that orchestrated create/drop
API and provenance cleanup remain future work.

In `@docs/method/retro/0004-strand-contract/witness/rust-test-output.txt`:
- Around line 2-18: The recorded test output is stale: rerun the test suite for
crates/warp-core (which now has 15 #[test] functions, including
provenance_fork_happy_path_child_has_correct_prefix) and update
docs/method/retro/0004-strand-contract/witness/rust-test-output.txt to reflect
the new output (should show "running 15 tests" and include the new test name and
the final summary of 15 passed); ensure the new file content exactly matches the
fresh cargo test output for the current branch.

In `@scripts/tests/strand_contract_invariant_test.sh`:
- Around line 38-40: The loop uses grep -q "${code}" which allows substring
matches (e.g., INV-S1 matching INV-S10); update the check so it only matches the
whole invariant token by anchoring the pattern or using
fixed-strings+line-anchoring against the invariant file: modify the assert call
that wraps grep -q (referencing the loop variable "${code}", the assert
invocation, and the "${invariant}" file) to use an anchored match (for example
grep with -x or a ^...$ regex or grep -F -x) so each code is matched exactly and
no false positives occur.