diff --git a/tools/enforce-override-vocab.json b/tools/enforce-override-vocab.json
index ea831016..302cf2b0 100644
--- a/tools/enforce-override-vocab.json
+++ b/tools/enforce-override-vocab.json
@@ -54,12 +54,9 @@
 "phrase": "recovery",
 "suppresses": [
 "branch-switch",
- "git-recovery",
- "graph-first",
- "chain-recommendation",
- "semgrep-security"
+ "git-recovery"
 ],
- "description": "Git recovery operation, branch-state mismatch ok"
+ "description": "Git recovery only — branch-state mismatch ok. Does NOT suppress graph-first / chain-recommendation / semgrep-security (use specific phrases for those)."
 },
 {
 "phrase": "memory dump",
diff --git a/tools/enforce-semgrep-security.test.mjs b/tools/enforce-semgrep-security.test.mjs
index 2adf269f..5be6be6f 100644
--- a/tools/enforce-semgrep-security.test.mjs
+++ b/tools/enforce-semgrep-security.test.mjs
@@ -165,9 +165,9 @@ describe('override vocab coverage', () => {
 const o = findOverride("быстрый коммит", 'semgrep-security');
 expect(o).toBeTruthy();
 });
- it("global override \"recovery\" suppresses semgrep-security", () => {
+ it("global override \"recovery\" does NOT suppress semgrep-security (git-only scope)", () => {
 const o = findOverride("recovery", 'semgrep-security');
- expect(o).toBeTruthy();
+ expect(o).toBeFalsy();
 });
 it("global override \"memory dump\" suppresses semgrep-security", () => {
 const o = findOverride("memory dump", 'semgrep-security');
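Review bot: In tools/enforce-override-vocab.json the entry right after this one, `"phrase": "memory dump"`, appears to keep the broad scope that is being removed here, since the test hunk in this commit still expects `findOverride("memory dump", 'semgrep-security')` to be truthy. If the intent is that the security-scan gate is bypassed only by phrases specific to it, that entry deserves the same narrowing, or its `description` should state why it may skip semgrep. The new description also refers to "specific phrases" without naming them; because JSON carries no comments, the `description` string is the only place a reader can learn which phrases to use. The rest of the "memory dump" entry lies outside the hunk, so its full `suppresses` list cannot be checked from here.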
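Review bot: The new negative assertion in the `"recovery"` test of tools/enforce-semgrep-security.test.mjs can pass vacuously: if the `recovery` entry is renamed, removed or fails to load, `findOverride` would presumably return a falsy value for every hook and the test would stay green. Pair it with a positive check in the same test, for example `expect(findOverride("recovery", 'git-recovery')).toBeTruthy();`, so the test pins the narrowed scope rather than the absence of a match. The commit also drops `graph-first` and `chain-recommendation` from the list, and no assertion for those is visible in this hunk; they may be covered in other test files. The enclosing `describe('override vocab coverage', …)` block starts and ends outside the hunk.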