diff --git a/config/email-triage-prompt.md b/config/email-triage-prompt.md
index 1ae9e0e..4abf083 100644
--- a/config/email-triage-prompt.md
+++ b/config/email-triage-prompt.md
@@ -9,8 +9,6 @@ Respond with ONLY a JSON object: {"action": "junk|pass", "reason": "brief explan
 
 ## Specific Sender Rules
 
-- **Kaseya Marketing** → junk
-- **Lansweeper** → junk
 - **inou verification codes** (noreply@inou.com) → junk
 - **DigiKey** (e.digikey.com) marketing → junk
 - **Amazon** — everything (promos, shipping, order confirmations, recommendations) → junk
@@ -48,14 +46,25 @@ Phishing is dangerous. When in doubt, pass it through.
 
 Anything mentioning renewal, auto-renew, expiring, expires soon, domain renewal, subscription renewal, certificate expiry, or similar deadline/financial commitment language → **always pass**. The mailroom doesn't make judgment calls on things that cost money.
 
+## The Fundamental Rule
+
+**Default is PASS. Default is never junk.**
+
+You are not trying to archive everything that isn't obviously important. You are only junking what you are *certain* is noise. If there is any doubt — any signal that a human might want to read this — it passes through.
+
+Ask yourself: "Could this email require action from Johan?" If yes, or even maybe, **pass**.
+
 ## Critical Rules
 
-1. When uncertain, **pass** — never silently junk something important
-2. Sophia triggers ALWAYS **pass** — medical, therapy, brain activator, pediatric suppliers, "S. Jongsma"
-3. Personal correspondence from real humans → **pass**
-4. "Re:" thread replies from people → **pass** (active conversation)
-5. Infrastructure/server alerts → **pass**
-6. Google Search Console alerts → **pass**
+1. **When uncertain → pass.** Always. This is not optional.
+2. Any email that says "action required", "actie ondernemen", "you must", "deadline", "consequences" → **pass**, regardless of sender or language.
+3. Government/official bodies (belastingdienst, overheid, IRS, SSA, immigration, courts, any .gov/.nl/.eu official domain) → **always pass**. These have legal consequences.
+4. Sophia triggers ALWAYS **pass** — medical, therapy, brain activator, pediatric suppliers, "S. Jongsma"
+5. Personal correspondence from real humans → **pass**
+6. "Re:" thread replies from people → **pass** (active conversation)
+7. Infrastructure/server alerts → **pass**
+8. Google Search Console alerts → **pass**
+9. **Reading the body is mandatory.** A "notification" email from an official sender that contains "action required" language is not junk — it's a government document alert. Do not classify by sender name alone.
 
 ## Account Context
 
diff --git a/memory/claude-usage.db b/memory/claude-usage.db
index 7bb9741..c344b46 100644
Binary files a/memory/claude-usage.db and b/memory/claude-usage.db differ
diff --git a/memory/claude-usage.json b/memory/claude-usage.json
index 99d9081..3ff7b7e 100644
--- a/memory/claude-usage.json
+++ b/memory/claude-usage.json
@@ -1,9 +1,9 @@
 {
-  "last_updated": "2026-03-17T04:00:01.560178Z",
+  "last_updated": "2026-03-17T10:00:01.861155Z",
   "source": "api",
-  "session_percent": 3,
-  "session_resets": "2026-03-17T06:00:00.527385+00:00",
-  "weekly_percent": 24,
-  "weekly_resets": "2026-03-20T03:00:00.527404+00:00",
-  "sonnet_percent": 29
+  "session_percent": 12,
+  "session_resets": "2026-03-17T10:59:59.824998+00:00",
+  "weekly_percent": 27,
+  "weekly_resets": "2026-03-20T02:59:59.825025+00:00",
+  "sonnet_percent": 32
 }
\ No newline at end of file
diff --git a/memory/email-triage.md b/memory/email-triage.md
index 744dc11..ea0e8a7 100644
--- a/memory/email-triage.md
+++ b/memory/email-triage.md
@@ -83,7 +83,6 @@ curl -X POST http://localhost:8025/messages/{id}/to-docs
 - Anything unusual or uncertain
 
 ### Dashboard news
-- Kaseya marketing → summarize → news
 - Lansweeper updates → summarize → news
 - Immich releases → news + create James task to update server
 - Google Search Console → news + create James task
@@ -94,9 +93,6 @@ curl -X POST http://localhost:8025/messages/{id}/to-docs
 - Order confirmations → archive (ingest attachments if receipt/invoice)
 - Security alerts (password changes, new logins) → archive
 - Subscription confirmations → archive
-- **Kaseya Win Alerts** (winalert@kaseya.com) → `/seen`, nothing else
-- **Kaseya Lost Renewal Alerts** (lostalert@kaseya.com) → `/seen`, nothing else
-- **Kaseya Instrumentation** (standard.instrumentation@kaseya.com) → `/seen`, nothing else
 - **Salesforce no-reply** (noreply@salesforce.com) → `/seen`, nothing else
 
 ### Attachment handling
@@ -112,14 +108,24 @@ Skip: marketing images, logos, signatures, spam attachments.
 - **Lingerie/fashion new collections** (Pain de Sucre, Fleur du Mal) → alert Johan (info)
 - **inou verification codes** — should be junked by MC, but if they slip through → archive
 
+## The Fundamental Rule
+
+**Default is alert/keep. Default is never archive.**
+
+You are not trying to process everything into archive. You are only archiving what you are *certain* requires no human attention. If there is any doubt — any signal Johan might want to see this — alert or leave it.
+
+Ask yourself: "Could this email require action from Johan?" If yes, or even maybe, **alert**.
+
 ## Critical Rules
 
-1. **ALWAYS read the FULL message** before routing. No exceptions.
-2. **When uncertain → alert Johan** (info priority). Better to over-alert than miss something.
-3. **Do NOT ping the main session** unless truly urgent and needs real-time discussion.
-4. **Do NOT re-report** — check context before alerting about the same email twice.
-5. **Phishing = critical alert + preserve** — never delete, never auto-report abuse.
-6. **Alerted emails STAY IN INBOX** — if you flag something for Johan's attention, use `/seen` NOT `/archive`. He needs to be able to find and act on it. Only archive messages that truly need no follow-up.
+1. **ALWAYS read the FULL message body** before routing. Subject line and sender alone are never enough.
+2. **When uncertain → alert Johan** (info priority). Over-alerting is fine. Silent archiving of something important is not.
+3. **Any email containing "action required", "actie ondernemen", "deadline", "consequences", "you must" language → alert, regardless of sender.**
+4. **Government/official bodies → always alert.** Belastingdienst, MijnOverheid, IRS, immigration authorities, courts, any official domain. These have legal consequences. Never archive.
+5. **Do NOT ping the main session** unless truly urgent and needs real-time discussion.
+6. **Do NOT re-report** — check context before alerting about the same email twice.
+7. **Phishing = critical alert + preserve** — never delete, never auto-report abuse.
+8. **Alerted emails STAY IN INBOX** — if you flag something for Johan's attention, use `/seen` NOT `/archive`. He needs to be able to find and act on it. Only archive messages that truly need no follow-up.
 
 ## Account Context