@blamejs/blamejs-shop 0.4.31 → 0.4.32

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -1,5 +1,12 @@
 "use strict";
 
+// SMOKE_RUN_SOLO — the smoke runner (test/smoke.js) runs this file ALONE
+// with the whole machine instead of inside the parallel layer-0 pool.
+// The duplicate-block scan fans out across worker_threads and is CPU-
+// bound; sharing a low-core CI runner (macos-latest = 3 cores) with
+// sibling forks oversubscribes the CPU and the scan overruns its
+// per-file watchdog budget. Run alone, it finishes in its normal time.
+
 // Re-exec under a 6 GiB old-space ceiling when the parent process did
 // not already raise the heap cap. The test's cartesian fingerprint /
 // cluster index across ~300 lib/ files lands close to the v8 default
@@ -300,6 +307,7 @@ var VALID_ALLOW_CLASSES = {
   "dynamic-regex": 1,
   "dynamic-require": 1,
   "from-base64url-untrapped": 1,
+  "hand-rolled-sql": 1,
   "fs-path-from-operator-identifier-without-traversal-refusal": 1,
   "gitleaks-entropy": 1,
   "handrolled-buffer-collect": 1,
@@ -852,6 +860,178 @@ function testNoTierTerminologyInLib() {
   _report("no Tier-A / Tier-B / Tier-C terminology in lib/", matches);
 }
 
+// ---- No hand-rolled SQL — compose b.sql / b.guardSql ----
+//
+// String-built SQL is the surface that breaks on Postgres (unquoted
+// identifiers fold to lowercase) and that the b.sql builder eliminates
+// by construction: it quotes every identifier through b.safeSql, binds
+// every value as a placeholder, resolves table names + the configurable
+// prefix, and routes raw fragments through b.guardSql. So no lib/ module
+// should compose SQL by hand — it should build it through b.sql, and it
+// should never hardcode a `_blamejs_*` table literal (that bypasses the
+// configurable-prefix resolution). This detector flags both: a string
+// literal that STARTS a SQL statement, and a hardcoded `_blamejs_*`
+// literal, in any DB-touching lib file outside the migration backlog.
+//
+// Files still carrying hand-rolled SQL live on HAND_ROLLED_SQL_BACKLOG
+// until migrated onto b.sql; remove a file from the backlog as it is
+// migrated, and any residual hand-rolled SQL in it then fails the gate
+// (so the migration runs to completion and can't silently stall). A new
+// DB file that hand-rolls SQL without being on the backlog fails
+// immediately. Only DB-touching files (a SQL execution sink or a
+// `_blamejs_` literal) are scanned, so non-SQL `SELECT`/`WITH` text in
+// guard-html / forms / i18n etc. never false-positives.
+//
+// PERMANENT exceptions: the builder/guard/primitive that legitimately
+// produce or inspect SQL text.
+var HAND_ROLLED_SQL_PERMANENT = {
+  "lib/sql.js":             1,   // the b.sql builder itself
+  "lib/guard-sql.js":       1,   // the b.guardSql guard inspects SQL text
+  "lib/safe-sql.js":        1,   // identifier primitive (docstring examples)
+  "lib/framework-schema.js": 1,  // declarative DDL + the canonical LOCAL_TO_EXTERNAL name source
+};
+// Migration backlog — every DB file still hand-rolling SQL. Shrinks to
+// empty as the everything-sweep migrates each onto b.sql.
+//
+// db-declare-row-policy / outbox / inbox now compose b.sql: the builder
+// grew the constructs they needed — Postgres RLS (enableRowLevelSecurity /
+// createPolicy / dropPolicy), `FOR UPDATE SKIP LOCKED` (forUpdate), the
+// single-bind `col = ANY(?)` array form (whereInArray), an allowlisted
+// value-position SQL function (fn -> NOW() / CURRENT_TIMESTAMP) and cast
+// (cast -> `?::jsonb` / `?::interval`), `ON CONFLICT DO NOTHING RETURNING`
+// (doNothing().returning()), the sqlite `SELECT changes()` probe
+// (catalog.changes), a partial index (createIndex { where }), and the
+// driver-final `$1..$N` translation for code that hands SQL to an
+// operator-supplied driver directly (toExternalSql).
+//
+// vault/rotate now composes b.sql end to end: the at-rest key-rotation
+// pipeline walks its standalone node:sqlite handle through the catalog /
+// pragma sub-API (`sqlite_master` list / `tableExists` / `PRAGMA
+// table_info` / `journal_mode` / `synchronous` / `wal_checkpoint` /
+// `ORDER BY RANDOM()`), and the per-column re-seal SELECT/UPDATE + drift
+// sample + verification COUNT through b.sql.select / b.sql.update.
+//
+// mail-store now composes b.sql end to end: the sqlite-only sealed full-
+// text mail store builds every cached prepared statement + the schema
+// bootstrap through b.sql with { dialect: "sqlite", quoteName: true } (the
+// store targets a concrete sqlite handle, never clusterStorage, so each
+// prefixed table name emits as a quoted identifier). The FTS5 search runs
+// through whereMatch (the `<fts> MATCH ?` IN-subquery), the hard-expunge
+// candidate set through whereInJsonEach (json_each), and the FTS5 virtual-
+// table DDL through createVirtualTable; the composite-PK flags table, the
+// ON-DELETE-CASCADE FK back to messages, and the per-folder quota
+// accumulator (`col = col + EXCLUDED.col`) compose createTable /
+// upsert.doUpdate. The backlog is now empty.
+var HAND_ROLLED_SQL_BACKLOG = {
+};
+function testNoHandRolledSql() {
+  // A DB-touching file: composes a SQL execution sink or hardcodes a
+  // framework table name. Only these are scanned (no non-SQL FPs).
+  var SINK = /clusterStorage\.(?:execute|executeOne|executeAll)|externalDb\.query|\bdb\(\)\.(?:prepare|exec|run)|\b_q\(|\b_psql\(|tx\.query|runSqlOnHandle/;
+  // A hardcoded framework TABLE-name literal - `_blamejs_<words>` whose
+  // token does NOT continue into a `.` (which would make it a file name
+  // like `_blamejs_rotate.tmp.db`, not a table reference). The trailing
+  // `(?![a-z_.])` asserts the whole token ended (no further word char) and
+  // is not immediately followed by `.`, keeping the rule on hardcoded table
+  // names and off staging-file path literals.
+  var LIT  = /_blamejs_[a-z_]+(?![a-z_.])/;
+  // A string literal that STARTS a SQL statement.
+  // TRUNCATE requires a following TABLE keyword or a table-name token - a
+  // bare quoted "TRUNCATE" (e.g. a PRAGMA wal_checkpoint mode arg, or an
+  // FTS5 token) is not the TRUNCATE statement and must not false-positive.
+  var START = /(["'`])\s*(SELECT\b|INSERT\s+(?:INTO|OR)\b|REPLACE\s+INTO\b|UPDATE\s+["'`]?[A-Za-z_]|DELETE\s+FROM\b|CREATE\s+(?:TABLE|UNIQUE\s+INDEX|INDEX|TRIGGER|VIRTUAL\s+TABLE|OR\s+REPLACE)\b|ALTER\s+TABLE\b|DROP\s+(?:TABLE|TRIGGER|INDEX)\b|WITH\s+[A-Za-z_]|MERGE\s+INTO\b|TRUNCATE\s+(?:TABLE\s+)?["'`]?[A-Za-z_])/i;
+  // A SQL CLAUSE fragment assembled by string concatenation (mid-statement
+  // construction a START-only check misses): `... + " WHERE " + ...`,
+  // `" SET " +`, `" VALUES (" +`, `" FROM " +`, `" ORDER BY " +`, the JOIN
+  // family, ON CONFLICT / RETURNING / LIMIT / OFFSET / HAVING / GROUP BY.
+  // The leading/trailing `+` (or the unclosed `(` for VALUES) is the
+  // build-by-concat tell that separates it from a fragment passed whole to
+  // b.sql's whereRaw / setRaw (which carry their own allow marker).
+  var FRAG = /(?:\+\s*(["'`])\s*(?:SET|FROM|WHERE|VALUES|ORDER\s+BY|GROUP\s+BY|HAVING|RETURNING|LIMIT|OFFSET|ON\s+CONFLICT|(?:INNER\s+|LEFT\s+|RIGHT\s+|CROSS\s+)?JOIN)\b|(["'`])\s*(?:SET|FROM|WHERE|VALUES\s*\(|ORDER\s+BY|GROUP\s+BY|HAVING|RETURNING|ON\s+CONFLICT|(?:INNER\s+|LEFT\s+|RIGHT\s+|CROSS\s+)?JOIN)\b[^"'`]*\2\s*\+)/i;
+  var matches = [];
+  var files = _libFiles();
+  for (var i = 0; i < files.length; i++) {
+    var rel = _relPath(files[i]);
+    if (HAND_ROLLED_SQL_PERMANENT[rel] || HAND_ROLLED_SQL_BACKLOG[rel]) continue;
+    var content;
+    try { content = fs.readFileSync(files[i], "utf8"); }
+    catch (_e) { continue; }
+    if (!SINK.test(content) && !LIT.test(content)) continue;   // not a DB file
+    var lines = content.split(/\r?\n/);
+    for (var j = 0; j < lines.length; j++) {
+      var line = lines[j];
+      if (/^\s*(\/\/|\*|\/\*)/.test(line)) continue;   // comment line
+      if (START.test(line)) {
+        matches.push({ file: rel, line: j + 1, content: "hand-rolled SQL — use b.sql: " + line.trim().slice(0, 90) });
+        continue;
+      }
+      if (FRAG.test(line)) {
+        matches.push({ file: rel, line: j + 1, content: "hand-rolled SQL clause built by concatenation — use b.sql: " + line.trim().slice(0, 80) });
+        continue;
+      }
+      if (/_blamejs_[a-z_]+(?!\.)/.test(line)) {
+        matches.push({ file: rel, line: j + 1, content: "hardcoded _blamejs_* literal — use frameworkSchema.tableName / b.sql: " + line.trim().slice(0, 70) });
+      }
+    }
+  }
+  matches = _filterMarkers(matches, "hand-rolled-sql");
+  _report("no hand-rolled SQL outside the b.sql builder (compose b.sql / b.guardSql; no hardcoded _blamejs_* literals)", matches);
+}
+
+// ---- Pattern 9b: no hardcoded framework state file names ----
+//
+// The framework's on-disk state file names (db.enc, db.key.enc, vault.key,
+// audit.tip, ...) are centralized in lib/framework-files.js so a rename /
+// relocation is one edit and operators can override them. Every owner should
+// resolve its file name via frameworkFiles.fileName(<logical>) instead of
+// hardcoding the literal. This is the inverse detector that drives that
+// migration in reverse (mirrors testNoHandRolledSql for table names): files
+// still hardcoding a registered name live on FRAMEWORK_FILE_NAME_BACKLOG
+// until migrated; remove a file as it migrates and any residual literal then
+// fails the gate. A NEW lib file hardcoding a registered state-file name
+// without being on the backlog fails immediately.
+var FRAMEWORK_FILE_PERMANENT = {
+  "lib/framework-files.js": 1,   // the registry that DEFINES the canonical names
+};
+var FRAMEWORK_FILE_NAME_BACKLOG = {
+};
+// Registered state-file names — kept in sync with framework-files.js
+// DEFAULT_FILE_NAMES. A quoted literal of any of these outside the registry
+// or the backlog is a hardcoded name that should resolve via frameworkFiles.
+var FRAMEWORK_STATE_FILE_NAMES = [
+  "db.enc", "db.key.enc", "vault.key", "audit.tip", "audit-sign.key",
+  "rows.enc", "checkpoint.enc",
+];
+function testNoHardcodedFrameworkFileNames() {
+  var rx = new RegExp("[\"'`](" + FRAMEWORK_STATE_FILE_NAMES.map(function (n) {
+    return n.replace(/\./g, "\\.");
+  }).join("|") + ")[\"'`]");
+  var matches = [];
+  var files = _libFiles();
+  for (var i = 0; i < files.length; i++) {
+    var rel = _relPath(files[i]);
+    if (FRAMEWORK_FILE_PERMANENT[rel] || FRAMEWORK_FILE_NAME_BACKLOG[rel]) continue;
+    var content;
+    try { content = fs.readFileSync(files[i], "utf8"); }
+    catch (_e) { continue; }
+    if (!rx.test(content)) continue;
+    var lines = content.split(/\r?\n/);
+    for (var j = 0; j < lines.length; j++) {
+      var line = lines[j];
+      if (/^\s*(\/\/|\*|\/\*)/.test(line)) continue;   // comment line
+      var m = line.match(rx);
+      if (m) {
+        matches.push({ file: rel, line: j + 1,
+          content: "hardcoded framework state file name " + m[0] +
+            " - resolve via frameworkFiles.fileName(<logical>): " + line.trim().slice(0, 60) });
+      }
+    }
+  }
+  matches = _filterMarkers(matches, "hardcoded-framework-file-name");
+  _report("no hardcoded framework state file names outside lib/framework-files.js " +
+    "(resolve via frameworkFiles.fileName)", matches);
+}
+
 // ---- Pattern 10: inline require() (should be top-of-file) ----
 
 function testNoInlineRequires() {
@@ -2559,6 +2739,161 @@ async function testNoDuplicateCodeBlocks() {
   // so the audit trail records exactly which body of code shares the
   // shape.
   var KNOWN_CLUSTERS = [
+    {
+      // v0.15.0 #103 guard-family consolidation — the genuine re-implementations
+      // are EXTRACTED into gate-contract primitives (profile resolution ->
+      // gateContract.makeProfileResolver, 24 guards; the sanitize/parse refuse-on-
+      // severity throw -> gateContract.throwOnRefusalSeverity, 18 guards) and reused.
+      // The residual STRONG-DUP across the guard validate/sanitize/parse entry
+      // points is the guards uniformly + CORRECTLY COMPOSING those primitives
+      // (resolveOpts -> _detectIssues -> throwOnRefusalSeverity / aggregateIssues /
+      // numericBounds) — correct usage, not duplication. The only per-guard parts
+      // (the _detectIssues body + the transform) are interleaved + distinct;
+      // templating them would couple unrelated detection grammars. Re-hand-rolling
+      // either primitive is caught by the use-makeProfileResolver-not-handrolled +
+      // use-throwOnRefusalSeverity-not-handrolled inverse detectors. The structural /
+      // primitive-aware detector (#102, v0.15.4) will recognise correct usage + retire
+      // this entry (task #104).
+      mode:  "family-subset",
+      files: [
+        "lib/guard-agent-registry.js:validate",
+        "lib/guard-auth.js:sanitize",
+        "lib/guard-auth.js:validate",
+        "lib/guard-cidr.js:sanitize",
+        "lib/guard-cidr.js:validate",
+        "lib/guard-domain.js:sanitize",
+        "lib/guard-domain.js:validate",
+        "lib/guard-email.js:sanitize",
+        "lib/guard-email.js:validate",
+        "lib/guard-event-bus-payload.js:validate",
+        "lib/guard-event-bus-topic.js:validate",
+        "lib/guard-filename.js:sanitize",
+        "lib/guard-graphql.js:sanitize",
+        "lib/guard-html.js:sanitize",
+        "lib/guard-idempotency-key.js:validate",
+        "lib/guard-image.js:sanitize",
+        "lib/guard-image.js:validate",
+        "lib/guard-imap-command.js:validate",
+        "lib/guard-jmap.js:validate",
+        "lib/guard-json.js:validate",
+        "lib/guard-jsonpath.js:sanitize",
+        "lib/guard-jsonpath.js:validate",
+        "lib/guard-jwt.js:sanitize",
+        "lib/guard-jwt.js:validate",
+        "lib/guard-list-unsubscribe.js:validate",
+        "lib/guard-mail-compose.js:validate",
+        "lib/guard-mail-move.js:validate",
+        "lib/guard-mail-reply.js:validate",
+        "lib/guard-mail-sieve.js:validate",
+        "lib/guard-managesieve-command.js:validate",
+        "lib/guard-markdown.js:sanitize",
+        "lib/guard-markdown.js:validate",
+        "lib/guard-message-id.js:validate",
+        "lib/guard-mime.js:sanitize",
+        "lib/guard-mime.js:validate",
+        "lib/guard-oauth.js:sanitize",
+        "lib/guard-pdf.js:sanitize",
+        "lib/guard-pdf.js:validate",
+        "lib/guard-pop3-command.js:validate",
+        "lib/guard-posture-chain.js:validate",
+        "lib/guard-regex.js:gate",
+        "lib/guard-regex.js:sanitize",
+        "lib/guard-regex.js:validate",
+        "lib/guard-saga-config.js:validate",
+        "lib/guard-shell.js:sanitize",
+        "lib/guard-shell.js:validate",
+        "lib/guard-smtp-command.js:detectBodySmuggling",
+        "lib/guard-smtp-command.js:validate",
+        "lib/guard-snapshot-envelope.js:validate",
+        "lib/guard-stream-args.js:validate",
+        "lib/guard-svg.js:sanitize",
+        "lib/guard-template.js:sanitize",
+        "lib/guard-template.js:validate",
+        "lib/guard-tenant-id.js:validate",
+        "lib/guard-time.js:sanitize",
+        "lib/guard-time.js:validate",
+        "lib/guard-trace-context.js:validate",
+        "lib/guard-uuid.js:sanitize",
+        "lib/guard-uuid.js:validate",
+        "lib/guard-xml.js:sanitize",
+        "lib/guard-xml.js:validate",
+        "lib/guard-yaml.js:parse",
+        "lib/guard-yaml.js:validate",
+      ],
+      reason: "v0.15.0 #103 — guard-family consolidation CONTRACT SHAPE. The genuine re-implementations are extracted into gate-contract primitives and reused (gateContract.makeProfileResolver — profile resolution, 24 guards; gateContract.throwOnRefusalSeverity — sanitize/parse refuse-on-critical|high throw, 18 guards), so the residual cross-guard STRONG-DUP at the validate/sanitize/parse entry points is the guards uniformly + CORRECTLY composing those primitives plus aggregateIssues / numericBounds — correct usage, not duplication. The per-guard _detectIssues body + transform are distinct and interleaved; templating would couple unrelated detection grammars. Re-hand-rolling either primitive is a hard fail via the use-makeProfileResolver-not-handrolled + use-throwOnRefusalSeverity-not-handrolled inverse detectors. The structural + primitive-aware detector (task #102, v0.15.4) recognises correct primitive usage and retires this allowlist (task #104).",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/auth/oid4vp.js:matchDcql",
+        "lib/gate-contract.js:_ctxValueForKind",
+        "lib/http-message-signature.js:_parseUrl",
+      ],
+      reason: "v0.15.0 — coincidental 50-tok window across unrelated domains: a DCQL query matcher (auth/oid4vp.matchDcql), the guard ctx-field picker (gate-contract._ctxValueForKind — pick first present ctx field), and an HTTP-message-signature URL parser (http-message-signature._parseUrl). Three unrelated loops; no shared behaviour. Surfaced when the v0.15.0 ctxFields work reshaped _ctxValueForKind's window.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-adapters.js:close",
+        "lib/crypto-field.js:listPerRowResidency",
+        "lib/tracing.js:spanSync",
+      ],
+      reason: "v0.15.4 — coincidental 50-tok normalized window across three unrelated domains: an archive adapter's close() (destroy a readable / closeSync an fd), the crypto-field per-row-residency enumerator (listPerRowResidency — map declared tables to {table, residencyColumn, allowedTags}), and the tracing spanSync delegator (type-check fn, delegate to span()). The shingle is the short-function / object-literal-return shell, not behaviour — one releases a handle, one projects a config map, one delegates a call. archive-adapters:close + tracing:spanSync were already a sub-threshold pair; listPerRowResidency (added so backup.create can see per-row cross-border regions a deployment-level check is blind to) became the third member tipping it over the 3-file STRONG-DUP floor.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/audit.js:_queryCluster",
+        "lib/auth/ciba.js:startAuthentication",
+        "lib/auth/oauth.js:endSessionUrl",
+        "lib/auth/oauth.js:exchangeToken",
+      ],
+      reason: "v0.14.30 — guarded accumulator-fill idiom (`if (input.X) acc.method(\"name\", input.X)` repeated per optional field). audit._queryCluster builds a b.sql WHERE chain (`if (criteria.X) qb.where(...)`) after the hand-rolled cluster query migrated onto b.sql; auth/ciba.startAuthentication + auth/oauth.endSessionUrl/exchangeToken build URLSearchParams request bodies (`if (opts.X) body.set(...)`). The 50-tok shingle is the chain-of-guarded-single-statement-calls shell, not behaviour: one composes a SQL predicate set, the others compose form-encoded OAuth/CIBA bodies — different accumulators (b.sql builder vs URLSearchParams), different vocabularies, no shared body. Same cross-domain false-match class the SQL char-walk cluster documents.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/cluster-storage.js:placeholderize",
+        "lib/db-query.js:_assertRawNoStringLiteral",
+        "lib/guard-sql.js:_hasEmbeddedStringLiteral",
+        "lib/safe-sql.js:countPlaceholders",
+        "lib/safe-sql.js:assertSingleStatement",
+        "lib/sql.js:_assertRawNoStringLiteral",
+        "lib/sql.js:_assertNoRawJsonbKeyOp",
+        "lib/sql.js:_toPositional",
+      ],
+      reason: "v0.14.29 / v0.15.4 - the canonical quote- and comment-aware SQL char-walk shell. The ONE consolidatable instance, the single-statement OUTPUT gate, was extracted to safeSql.assertSingleStatement (v0.15.4): sql._assertEmittable + sql._assertCatalogEmittable now DELEGATE to it (a makeError preserves their sql-builder/* codes), and the raw-DDL paths (db-schema.reconcileTable, the DSR store) route through the same primitive instead of hand-rolling DDL - so a verbatim column type can no longer smuggle a stacked statement. safeSql.countPlaceholders was already the other extracted instance. What REMAINS shares only the char-walk SHELL for genuinely different purposes that cannot share a body: db-query._assertRawNoStringLiteral / sql._assertRawNoStringLiteral refuse a literal in an operator raw fragment (each its own typed error), guard-sql._hasEmbeddedStringLiteral is the tokenizer literal-mask step, sql._toPositional / clusterStorage.placeholderize translate ? placeholders to positional $N, sql._assertNoRawJsonbKeyOp guards a raw JSONB key op, and safeSql.assertSingleStatement is the extracted gate itself. Same shape-only family the external-db opaque-span cluster documents.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/auth/fido-mds3.js:_validateChain",
+        "lib/middleware/require-methods.js:create",
+        "lib/network-dns.js:useDesignatedResolvers",
+        "lib/safe-sql.js:quoteList",
+      ],
+      reason: "v0.14.29 — non-empty-array validation prelude (`if (!Array.isArray(x) || x.length === 0) throw; for (i) { if (typeof x[i] !== \"string\" || ...) throw }`). safeSql.quoteList validates a names array before quoting each identifier; fido-mds3._validateChain walks an x5c cert chain; require-methods.create validates an HTTP-verb allowlist; network-dns.useDesignatedResolvers validates a resolver-IP list. Each throws a primitive-local typed error; the shingle is the array-walk-then-throw idiom, not behaviour. Same family as the non-empty-array opt-validation cluster below.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/audit-sign.js:init",
+        "lib/framework-schema.js:ensureSchema",
+        "lib/vault/index.js:init",
+      ],
+      reason: "v0.14.29 — schema/keystore bootstrap prelude (open-or-create the backing table(s), run idempotent CREATE-IF-NOT-EXISTS DDL, then read the current tip / key row). framework-schema.ensureSchema gained the quote-by-construction DDL emit (the Postgres identifier-casing fix), tipping its setup prelude past the shingle threshold against audit-sign.init (audit hash-chain table bootstrap) and vault.init (sealed-keystore bootstrap). Each bootstraps a different durable store with a primitive-local error class; the shared shape is the create-then-read setup idiom, not behaviour.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/external-db.js:_skipOpaqueSpan",
+        "lib/external-db.js:_cteMainKeyword",
+        "lib/external-db.js:_explainResolve",
+        "lib/external-db.js:_copyLoadsRows",
+        "lib/external-db.js:_emitMetric",
+      ],
+      reason: "v0.14.24, expanded v0.15.0 — the residency-gate write-classifier in external-db.js walks SQL statements char-by-char to resolve a statement's effective verb (WITH/EXPLAIN-prefix resolution, dollar-quoted bodies $tag$...$tag$, bracket identifiers, doubled-quote re-entry, -- / /* */ comments). Its five span-walking helpers (_skipOpaqueSpan / _cteMainKeyword / _explainResolve / _copyLoadsRows / _emitMetric) share the opaque-span / quoted-token skip-loop shape, so the dup detector groups them. They already compose the single _skipOpaqueSpan primitive; the residual match across the four classifier helpers is the same skip-loop applied at different resolution stages (CTE main keyword, EXPLAIN unwrap, COPY row-load detection, metric emit), each with stage-specific keyword tables. No further extractable behaviour — splitting them would not remove the shared loop shape.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -2603,6 +2938,8 @@ async function testNoDuplicateCodeBlocks() {
         "lib/archive-adapters.js:close",
         "lib/crypto-field.js:declarePerRowKey",
         "lib/crypto-field.js:assertColumnResidency",
+        "lib/crypto-field.js:declarePerRowResidency",
+        "lib/crypto-field.js:getPerRowResidency",
         "lib/network-smtp-policy.js:mtaStsFetch",
         "lib/parsers/safe-env.js:readVar",
         "lib/mail-crypto-pgp.js:sign",
@@ -2612,8 +2949,14 @@ async function testNoDuplicateCodeBlocks() {
       reason: "v0.14.20 — generic validate/guard control-flow shingle that the crypto-field plain-Error → typed-CryptoFieldError(code, msg) conversion tipped over the 3-file threshold. The throw now normalizes to `throw new _ID ( _STR , _STR )` (two-arg framework-error contract) instead of the keyword-`Error` one-arg form, so the early-return + typed-throw prelude in crypto-field.declarePerRowKey / assertColumnResidency now exact-matches the same prelude shape in unrelated primitives: archive-adapters fs/http/close adapter methods, network-smtp-policy.mtaStsFetch (MTA-STS policy fetch), parsers/safe-env.readVar (env-var read), mail-crypto-pgp.sign (PGP detached signature), metrics.shadowRegistry (Prometheus shadow registry), tracing.spanSync (OTEL span helper). Members are unrelated subsystems with primitive-local error namespaces operators grep for; there is no shared behaviour to extract — consolidating would couple field-level encryption, archive I/O, SMTP policy, env parsing, PGP, metrics, and tracing on a trivial guard-then-throw shell.",
     },
     {
-      files: ["lib/api-key.js:issue", "lib/db-query.js:<top>", "lib/session.js:create"],
-      reason: "Generic JS array helper / lambda shape — Object.keys(...).map(fn) + similar functional idioms appearing in any code that walks a column-or-key list.",
+      mode:  "family-subset",
+      files: [
+        "lib/api-key.js:issue",
+        "lib/db-query.js:<top>",
+        "lib/db-query.js:_assertLocalResidency",
+        "lib/session.js:create",
+      ],
+      reason: "Generic JS array helper / lambda shape — Object.keys(...).map(fn) + similar functional idioms appearing in any code that walks a column-or-key list; db-query._assertLocalResidency joins via its allowedTags.join diagnostics + safeEmit metadata-object assembly, unrelated to api-key issuance / session creation beyond the walk-and-format shell.",
     },
     {
       mode:  "family-subset",
@@ -3174,6 +3517,8 @@ async function testNoDuplicateCodeBlocks() {
         "lib/auth/jwt.js:verify",
         "lib/auth/jwt-external.js:verifyExternal",
         "lib/auth/jwt-external.js:_fetchJwks",
+        "lib/auth/jwt-external.js:_signCompactJws",
+        "lib/mail-auth.js:inboundVerify",
         "lib/auth/oauth.js:verifyBackchannelLogoutToken",
         "lib/auth/oauth.js:verifyIdToken",
         "lib/auth/oauth.js:exchangeToken",
@@ -3214,7 +3559,7 @@ async function testNoDuplicateCodeBlocks() {
         "lib/self-update.js:poll",
         "lib/self-update.js:verify",
       ],
-      reason: "v0.10.16 — JOSE / signature-verify / posture-check prelude across heterogeneous primitives: each verify/check pattern decomposes a token / envelope / posture set, asserts spec-required shape (header.alg in allowlist / kty in allowlist / iss CT-compare / aud match / time-window), and dispatches per-alg via shared helpers. The shingle similarity is the boilerplate header-parse + alg-allowlist + timing-safe compare; each primitive enforces a distinct spec (RFC 7519 JWT / RFC 7515 JWS / RFC 9449 DPoP / OAuth 2.0 Client Attestation draft / OASIS CSAF VEX / FIDO MDS / SAML 2.0 / RFC 9528 SD-JWT / W3C FedCM 2024 / RFC 8917 backchannel-logout / SBOM compliance / OIDC Federation / OID4VCI / CIBA / RFC 8460 TLS-RPT / restore-rollback). The OAuth client-attestation sign/verify path (_signAttestationJws / _verifyAttestationJws / verifyClientAttestation) shares the JWS header-parse + per-alg nodeCrypto.sign/verify + constant-time aud/jti compare shell while throwing its own auth-oauth/attestation-* code namespace. Consolidating would lose per-spec error code namespacing.",
+      reason: "v0.10.16 — JOSE / signature-verify / posture-check prelude across heterogeneous primitives: each verify/check pattern decomposes a token / envelope / posture set, asserts spec-required shape (header.alg in allowlist / kty in allowlist / iss CT-compare / aud match / time-window), and dispatches per-alg via shared helpers. The shingle similarity is the boilerplate header-parse + alg-allowlist + timing-safe compare; each primitive enforces a distinct spec (RFC 7519 JWT / RFC 7515 JWS / RFC 9449 DPoP / OAuth 2.0 Client Attestation draft / OASIS CSAF VEX / FIDO MDS / SAML 2.0 / RFC 9528 SD-JWT / W3C FedCM 2024 / RFC 8917 backchannel-logout / SBOM compliance / OIDC Federation / OID4VCI / CIBA / RFC 8460 TLS-RPT / restore-rollback). The OAuth client-attestation sign/verify path (_signAttestationJws / _verifyAttestationJws / verifyClientAttestation) shares the JWS header-parse + per-alg nodeCrypto.sign/verify + constant-time aud/jti compare shell while throwing its own auth-oauth/attestation-* code namespace. mail-auth.js:inboundVerify shares only the validateOpts prelude + per-step result-shape assertions while composing spf.verify / dkim.verify / dmarc.evaluate — a mail-domain pipeline whose verdict vocabulary (RFC 7489/8601 result enums) has nothing to consolidate with the JOSE error namespaces. Consolidating would lose per-spec error code namespacing.",
     },
     {
       mode:  "family-subset",
@@ -3510,6 +3855,16 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Same shared SMTP listener create() shingle as the entry above; observability-otlp-exporter create() coincidentally shares the bind + listen + connection-tracker pattern (it accepts inbound OTLP spans on a TCP socket). All three carry distinct domain-specific opts validation + protocol logic.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/mail-server-imap.js:create",
+        "lib/mail-server-pop3.js:create",
+        "lib/observability-otlp-exporter.js:create",
+        "lib/outbox.js:create",
+      ],
+      reason: "Domain-specific create() opts-validation boilerplate — each runs a sequence of validateOpts.optionalPositiveFinite(opts.X, ...) presence/type checks followed by `var X = opts.X || DEFAULT_X` default assignment. b.outbox.create joined this 50-token shingle when the in-flight reaper added the claimReclaimMs lease opt, lengthening its validation block to the threshold. The four create()s validate entirely different option sets (IMAP / POP3 listener bind opts, OTLP exporter socket opts, outbox poll / batch / backoff / lease opts) with different defaults and semantics; the shared shape IS the validateOpts call sequence, which is already the extracted primitive — the per-domain opt list can't be factored further without a domain-specific wrapper per call site. Shape-only, not an extractable dup.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -4118,6 +4473,10 @@ async function testNoDuplicateCodeBlocks() {
         "lib/data-act.js:shareWithThirdParty",
         "lib/data-act.js:recordSwitchRequest",
         "lib/db.js:declareRequireDualControl",
+        // v0.14.24 — per-row residency declaration shares the same
+        // validateOpts.requireNonEmptyString cascade + registry-write
+        // + return-copy scaffold.
+        "lib/crypto-field.js:declarePerRowResidency",
         // v0.8.77 — OAuth resource-server / SCIM / protected-resource-metadata
         // additions share the standard primitive scaffolding
         "lib/auth/oauth.js:pollDeviceCode",
@@ -4524,6 +4883,16 @@ async function testNoDuplicateCodeBlocks() {
         "lib/cache-status.js:_parseParamValue",
         "lib/client-hints.js:acceptList",
         "lib/daemon.js:_safeAuditEmit",
+        // v0.15.0 SQL sweep — the data-layer's frozen SQL-keyword tables
+        // (`Object.freeze({ SELECT: true, INSERT: true, ... })`) and the
+        // residency write-classifier's verb-table walk share the same
+        // Object.freeze token-table declaration cadence as the command
+        // guards' verb tables, but over the SQL grammar. external-db's
+        // _cteMainKeyword centroids on its _CTE_MAIN_VERBS table; sql.js's
+        // dropPolicy centroids on the adjacent CATALOG_PRAGMA_VERBS table;
+        // guard-sql's <top> centroids on STATEMENT_VERBS / LEADING_VERB_
+        // FLOOR / MIGRATION_DDL_VERBS. Different tokens, different grammar.
+        "lib/external-db.js:_cteMainKeyword",
         "lib/guard-dsn.js:<top>",
         "lib/guard-dsn.js:_resolveProfile",
         "lib/guard-envelope.js:check",
@@ -4543,6 +4912,7 @@ async function testNoDuplicateCodeBlocks() {
         "lib/guard-mail-move.js:<top>",
         "lib/guard-mail-move.js:_checkFolderName",
         "lib/guard-mail-query.js:<top>",
+        "lib/guard-mail-reply.js:<top>",
         "lib/guard-mail-sieve.js:<top>",
         "lib/guard-managesieve-command.js:<top>",
         "lib/guard-managesieve-command.js:validate",
@@ -4555,6 +4925,7 @@ async function testNoDuplicateCodeBlocks() {
         "lib/guard-smtp-command.js:_parseAuthCommandSyntax",
         "lib/guard-smtp-command.js:_resolveProfile",
         "lib/guard-smtp-command.js:validate",
+        "lib/guard-sql.js:<top>",
         "lib/guard-stream-args.js:<top>",
         "lib/keychain.js:_drain",
         "lib/mail-dav.js:_emit",
@@ -4610,11 +4981,12 @@ async function testNoDuplicateCodeBlocks() {
         "lib/safe-vcard.js:_parseContentLine",
         "lib/safe-vcard.js:_stripDoubleQuotes",
         "lib/sandbox.js:_validateAllowed",
+        "lib/sql.js:dropPolicy",
         "lib/self-update.js:<top>",
         "lib/self-update.js:_safeAuditEmit",
         "lib/watcher.js:_compileIgnore",
       ],
-      reason: "v0.9.58 mail-stack bundle (multi-agent parallel ship: ManageSieve + ICAP + PGP/SMIME + DAV) — every new lib/ file written by the 4 sub-agents joins one or more existing family-subset clusters (guard-* validate / <top> banner shapes; mail-server-* listener scaffolds; safe-* line-folded parsers; emit-audit wrappers; resolveProfile dispatchers). Each underlying domain stays distinct (different RFCs, different wire grammars); the shared shingle is the framework's family-contract scaffolding (`b.gateContract` / listener template / safeBuffer.boundedChunkCollector / lazyRequire-audit / drop-silent emit). Consolidation into a single base module would couple unrelated wire-protocol grammars under one abstraction. Documented as one cluster rather than 49 individual family-subset entries because each cluster fingerprint is a subset of this union.",
+      reason: "v0.9.58 mail-stack bundle (multi-agent parallel ship: ManageSieve + ICAP + PGP/SMIME + DAV), expanded v0.15.0 SQL sweep — every new lib/ file written by the sub-agents joins one or more existing family-subset clusters (guard-* validate / <top> banner shapes; mail-server-* listener scaffolds; safe-* line-folded parsers; emit-audit wrappers; resolveProfile dispatchers). Each underlying domain stays distinct (different RFCs, different wire grammars); the shared shingle is the framework's family-contract scaffolding (`b.gateContract` / listener template / safeBuffer.boundedChunkCollector / lazyRequire-audit / drop-silent emit). Consolidation into a single base module would couple unrelated wire-protocol grammars under one abstraction. Documented as one cluster rather than 49 individual family-subset entries because each cluster fingerprint is a subset of this union. The v0.15.0 data-layer additions (guard-sql <top>, external-db _cteMainKeyword, sql.js dropPolicy) match on the module-level `Object.freeze({ KEY: true, ... })` token-table declaration cadence the command guards also use, but over the SQL grammar — guard-sql's STATEMENT_VERBS/LEADING_VERB_FLOOR/MIGRATION_DDL_VERBS (SELECT/INSERT/CREATE/ALTER/DROP) and external-db's _CTE_MAIN_VERBS (SELECT/VALUES/MERGE/UPSERT/REPLACE) and sql.js's CATALOG_PRAGMA_VERBS (table_info/journal_mode/wal_checkpoint) carry SQL-keyword tokens, where POP3 carries USER/PASS/RETR, IMAP carries CAPABILITY/SELECT/FETCH, and safe-ical/vcard carry RFC 5545/6350 property names — different keys, different grammars, no shared values. The single genuinely-shared declaration (`var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES`) is already extracted-by-reference and guarded by the inline-all-strict-postures-map inverse detector; guard-sql keeps its own overlay posture map (PROFILES.strict + gdprRedact) which is not the strict-all literal.",
     },
     {
       files: [
@@ -4883,13 +5255,21 @@ async function testNoDuplicateCodeBlocks() {
         "lib/guard-auth.js:gate",
         "lib/guard-auth.js:sanitize",
         "lib/guard-auth.js:validate",
+        "lib/guard-sql.js:gate",
+        "lib/guard-sql.js:sanitize",
+        "lib/guard-sql.js:validate",
+        "lib/guard-sql.js:compliancePosture",
+        "lib/guard-sql.js:_truncateForAudit",
+        "lib/guard-sql.js:_firstRefusal",
         "lib/guard-smtp-command.js:<top>",
         "lib/guard-smtp-command.js:gate",
         "lib/guard-smtp-command.js:validate",
         "lib/guard-envelope.js:<top>",
         "lib/guard-envelope.js:check",
+        "lib/gate-contract.js:defaultGate",
+        "lib/gate-contract.js:_ctxValueForKind",
       ],
-      reason: "guard-* family ABI — every member's gate() factory header (function gate(opts) { opts = _resolveOpts(opts); return gateContract.buildGuardGate(...); }), bottom-of-file helper triplet (buildProfile = gateContract.makeProfileBuilder(PROFILES); function compliancePosture(name) { return gateContract.lookupCompliancePosture(...); }; var _xRulePacks = gateContract.makeRulePackLoader(...); var loadRulePack = _xRulePacks.load), and PROFILES literal block all share the family-shared vocabulary by design. The keys ARE the family contract; the values diverge per guard (csv handles operatorRules + sanitize re-emit; html has sanitize-eligibility branching; svg refuses SVGZ; filename operates on strings; archive on entries; json on parsed trees + source scan). Further extraction would either pull body decision logic that's genuinely per-guard into a shared place, or extract a one-line factory that hides the family contract from anyone reading the guard source.",
+      reason: "guard-* family ABI — every member's gate() factory header (function gate(opts) { opts = _resolveOpts(opts); return gateContract.buildGuardGate(...); }), bottom-of-file helper triplet (buildProfile = gateContract.makeProfileBuilder(PROFILES); function compliancePosture(name) { return gateContract.lookupCompliancePosture(...); }; var _xRulePacks = gateContract.makeRulePackLoader(...); var loadRulePack = _xRulePacks.load), and PROFILES literal block all share the family-shared vocabulary by design. The keys ARE the family contract; the values diverge per guard (csv handles operatorRules + sanitize re-emit; html has sanitize-eligibility branching; svg refuses SVGZ; filename operates on strings; archive on entries; json on parsed trees + source scan). gateContract.defineGuard + its defaultGate / _ctxValueForKind ARE the canonical extraction of that header + triplet + serve->audit-only->refuse decision shape: the four kinds (content/filename/identifier/command) that ship a guard onto the factory delegate their wiring to it, while guards with a bespoke gate (csv/filename/jwt) pass their own gate body and the rest converge on defaultGate as they migrate. The remaining per-guard gate bodies still carry the literal shape until the family fan-out lands; consolidating them eagerly would either pull body decision logic that's genuinely per-guard into a shared place, or hide the family contract from anyone reading the guard source.",
     },
     {
       // v0.9.37 — guard-dsn / guard-mail-move / guard-smtp-command
@@ -4918,6 +5298,35 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Three independently-domain'd entry points share an array-walk + per-item validation cascade. Each emits a domain-distinct error class (SdJwtVcIssuerError / GuardSagaConfigError / ComposePipelineError) and validates a different field tuple. Consolidating would couple unrelated specs.",
     },
+    {
+      // v0.15.0 — three unrelated functions share only a
+      // walk-the-string / loop-over-a-small-list token shell.
+      // gateContract._pascalCase rewrites a guard's short name to its
+      // PascalCase audit prefix; oid4vp.matchDcql walks a DCQL
+      // credential-query claim set; http-message-signature._parseUrl
+      // walks URL components. Shape-only. (The factory consolidation
+      // moved the matching 50-tok window off _ctxValueForKind onto
+      // _pascalCase — same shape-only family, different gate-contract fn.)
+      mode:  "family-subset",
+      files: [
+        "lib/gate-contract.js:_pascalCase",
+        "lib/auth/oid4vp.js:matchDcql",
+        "lib/http-message-signature.js:_parseUrl",
+      ],
+      reason: "coincidental 50-tok window across unrelated domains; no shared behaviour. gateContract._pascalCase is a regex-driven name caser (\"smtp-command\" -> \"SmtpCommand\") that builds the default gate's audit/metric prefix; oid4vp.matchDcql evaluates a DCQL credential-query against a presented credential set; http-message-signature._parseUrl decomposes a request URL into the @authority / @path / @query derived-component pieces. Three different domains, three different return types — nothing extractable beyond the trivial walk shell.",
+    },
+    {
+      // v0.15.0 — coincidental cross-domain 50-tok window: a regex
+      // pascal-caser, a create-opts validator, and a UUID generator
+      // happen to share the local-var / return-shape token sequence.
+      mode:  "family-subset",
+      files: [
+        "lib/api-key.js:_validateCreateOpts",
+        "lib/cloud-events.js:_genId",
+        "lib/gate-contract.js:_pascalCase",
+      ],
+      reason: "coincidental 50-tok window across unrelated domains (pascal-case helper / create-opts validator / UUID gen); no shared behaviour. api-key._validateCreateOpts type-checks the create() opts cascade; cloud-events._genId mints a random CloudEvents id; gateContract._pascalCase rewrites a guard short-name to its PascalCase audit prefix. Nothing extractable beyond the shared token shell.",
+    },
     {
       // v0.9.40 — RFC 5322 header-injection control-char scans
       // (boolean variant: does this string contain CR/LF/NUL/C0/DEL?)
@@ -5527,13 +5936,15 @@ async function testNoDuplicateCodeBlocks() {
       reason: "_safeGlobalObs drop-silent observability helper — each primitive defines a local `function _safeGlobalObs(action, attrs) { try { observability.event({...}); } catch (_e) { /* drop-silent */ } }` because the global observability binding is module-load-time captured. Three auth-related primitives; the closure captures the per-primitive event-name namespace. Same observability-sink discipline noted in the cookies/gpc/headers _emitAudit cluster.",
     },
     {
+      mode:  "family-subset",
       files: [
         "lib/db-query.js:<top>",
+        "lib/db-query.js:_assertLocalResidency",
         "lib/db.js:init",
         "lib/db.js:stream",
         "lib/external-db.js:_connectAs",
       ],
-      reason: "node:sqlite + external-db wiring scaffold — `var statement = database.prepare('...'); var rows = statement.all(...); for (i in rows) { ... }`. db-query top-level statement-cache setup, db.init schema-bootstrap walk, db.stream readable-walk, external-db.js role connect-as walk. Four sites within the db / external-db domain; the SQL bodies and result shapes differ per call.",
+      reason: "node:sqlite + external-db wiring scaffold — `var statement = database.prepare('...'); var rows = statement.all(...); for (i in rows) { ... }` plus the posture/region lookup-then-branch shell. db-query top-level statement-cache setup, db.init schema-bootstrap walk, db.stream readable-walk, external-db.js role connect-as walk, db-query._assertLocalResidency region-set assembly. Sites within the db / external-db domain; the SQL bodies, result shapes, and refusal semantics differ per call.",
     },
     {
       files: [
@@ -6156,6 +6567,24 @@ function testStateStampScanningDeferred() {
 //   4. The catalog scans whole-file content (multiline regex) so
 //      patterns split across lines still match.
 var KNOWN_ANTIPATTERNS = [
+  {
+    id: "use-makeProfileResolver-not-handrolled",
+    primitive: "b.gateContract.makeProfileResolver",
+    scanScope: "lib",
+    skipCommentLines: true,
+    regex: /function\s+_resolveProfile\s*\(/,
+    allowlist: ["lib/safe-sieve.js"],
+    reason: "v0.15.0 #103 — profile resolution (posture->profile map, profile||default, validate-or-throw on unknown) is owned by gateContract.makeProfileResolver; 24 guards reuse it. A hand-rolled `function _resolveProfile(opts)` re-implements the solved primitive and drifts downstream — this exact dup was previously ALLOWLISTED in KNOWN_CLUSTERS before extraction (feedback_codebase_patterns_is_a_drift_signal). lib/safe-sieve.js is the one genuine holdout (reads the public opts.compliancePosture not opts.posture, returns opts.profile unvalidated, never throws) pending its contract decision in task #104. Any other lib file declaring _resolveProfile must call gateContract.makeProfileResolver instead.",
+  },
+  {
+    id: "use-throwOnRefusalSeverity-not-handrolled",
+    primitive: "b.gateContract.throwOnRefusalSeverity",
+    scanScope: "lib",
+    skipCommentLines: true,
+    regex: /ruleId\s*\|\|\s*['"][a-zA-Z0-9_-]+\.refused['"]/,
+    allowlist: ["lib/guard-auth.js"],
+    reason: "v0.15.0 #103 — the guard sanitize/parse refuse-on-critical|high throw (err(issue.ruleId || '<x>.refused', 'guard<Name>.<op>: ' + issue.snippet)) is owned by gateContract.throwOnRefusalSeverity; 18 guards reuse it (this was the failing STRONG-DUP fp:f349a8d1f51b before extraction). A hand-rolled `issues[i].ruleId || '<x>.refused'` throw re-implements it. lib/guard-auth.js is the one genuine holdout (its message embeds issues[i].source: 'guardAuth.sanitize [<source>]:') pending task #104; the primitive itself uses a `fallback` variable (no .refused literal) so it does not match. Any other lib file with this shape must call gateContract.throwOnRefusalSeverity (the severities / op options cover the critical-only + parse variants).",
+  },
   {
     // A hard quota / rate / budget ceiling must be enforced with an
     // atomic conditional reserve — the limit test and the charge are
@@ -6174,6 +6603,523 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "Hard quota / rate / budget ceilings must be enforced with an atomic conditional reserve (the limit test and the charge are one indivisible operation), never charge-then-refund (an unconditional increment plus a compensating `decrBy`). The refund shape transiently over-counts a shared counter and falsely denies concurrent calls that should fit (Codex P1 on PR #178, v0.12.27 — b.ai.quota originally shipped this shape and was reworked to store.reserve). A future store that genuinely needs a decrement for a non-ceiling gauge metric allowlists with a structural reason explaining why no limit decision reads the counter mid-refund.",
   },
+  {
+    // The cross-border residency WRITE gate must classify writes by what
+    // a statement DOES, not by its leading keyword. A statement whose
+    // effective verb is hidden behind a prefix — `WITH ... INSERT`,
+    // `EXPLAIN ANALYZE INSERT` (Postgres EXECUTES the wrapped write),
+    // `CALL` / `EXECUTE` / `DO`, `COPY ... FROM`, `REPLACE` — reads as a
+    // harmless leading keyword and slips past a gate that enforces only
+    // on `class === "DML"`. lib/external-db.js resolves WITH / EXPLAIN
+    // prefixes to the effective verb in _classifyStatement and gates via
+    // a positive pure-read exempt set (_RESIDENCY_READ_CLASS), treating
+    // everything else — DML, ROUTINE, a COPY load, an unresolved or
+    // unmapped statement — as a write that requires a residency tag
+    // (Codex P1 on PR #304 flagged the WITH-wrapped-DML instance; the
+    // COPY / EXPLAIN-ANALYZE / CALL / REPLACE / DO siblings were
+    // confirmed in the same review). Comparing the statement class to
+    // the single string "DML" reintroduces the bypass.
+    id: "residency-gate-dml-equality",
+    primitive: "gate SQL writes by a positive pure-read exempt set that resolves WITH/EXPLAIN prefixes and fails closed on unknown (lib/external-db.js _RESIDENCY_READ_CLASS + _classifyStatement); never discriminate writes by leading-keyword equality to a single class string like \"DML\"",
+    regex: /[!=]==\s*["']DML["']/,
+    allowlist: [],
+    reason: "The cross-border residency write gate must enforce on what a statement DOES, not its leading keyword. `WITH ... INSERT`, `EXPLAIN ANALYZE INSERT` (Postgres EXECUTES the wrapped write), `CALL` / `EXECUTE` / `DO`, `COPY ... FROM`, and `REPLACE` all place rows while reading as a harmless prefix, so a gate enforcing only on `class === \"DML\"` waves them across a border untagged (Codex P1 on PR #304 flagged the WITH instance; the verifier confirmed the COPY / EXPLAIN-ANALYZE / CALL / REPLACE / DO siblings). lib/external-db.js resolves WITH / EXPLAIN to the effective verb in _classifyStatement and gates via the positive _RESIDENCY_READ_CLASS exempt set, treating every non-read (DML, ROUTINE, a COPY load, an unmapped or unresolved statement) as a write that needs a tag. A forensic-only comparison that does not gate a write may allowlist with a structural reason naming why no transfer decision rides on it.",
+  },
+  {
+    // A per-row / per-record crypto-shred key (K_row) — or a keyed-MAC
+    // that advertises vault-secret protection — must seed off a CSPRNG
+    // secret (b.crypto.generateBytes) or the SEALED-at-rest
+    // b.vault.getDerivedHashMacKey(), NEVER off kdf() over the
+    // PLAINTEXT-on-disk b.vault.getDerivedHashSalt(). A key whose entire
+    // input is recomputable from the data directory is re-derivable by a
+    // disk-access attacker, so destroying the wrapped form shreds nothing
+    // and a keyed-MAC over a low-entropy preimage is brute-forceable
+    // offline — defeating the exact secrecy/erasure the primitive
+    // advertises (v0.14.25: the per-row-key K_row and the idempotency
+    // fingerprint HMAC both shipped this shape and were reseeded).
+    // The salted-sha3 derived-hash INDEX (crypto-field.js:325) uses the
+    // plaintext salt via sha3Hash() — a deterministic equality index that
+    // disclaims MAC-grade secrecy, a DIFFERENT shape (not kdf) — so it
+    // does not match and is covered by its own detector.
+    id: "kdf-key-from-plaintext-derived-hash-salt",
+    primitive: "seed per-row crypto-shred keys / vault-secret keyed-MACs from a CSPRNG secret (b.crypto.generateBytes) or the sealed b.vault.getDerivedHashMacKey(); never kdf() over the plaintext-on-disk b.vault.getDerivedHashSalt()",
+    regex: /\bkdf\s*\([^\n]*getDerivedHashSalt\s*\(/,
+    allowlist: [],
+    reason: "v0.14.25 — the per-row-key K_row was kdf(...getDerivedHashSalt()...) over the PLAINTEXT-on-disk salt, so a disk-access attacker re-derived it and destroyPerRowKey/eraseHard shred NOTHING (advertised as crypto-shred since v0.7.27, false); the idempotency fingerprint HMAC seeded off the same plaintext salt despite promising the vault root was the trust root. Both reseeded — K_row onto a fresh b.crypto.generateBytes(32) row-secret AAD-wrapped via b.vault.aad.seal, the fingerprint HMAC onto the sealed b.vault.getDerivedHashMacKey() (since v0.14.7). This detector refuses the inline regression `kdf(...getDerivedHashSalt()...)`; the legitimate `kdf(getDerivedHashMacKey()...)` (the sealed key) and the `sha3Hash(getDerivedHashSalt()...)` deterministic equality index are different shapes and do not match. NOTE the historical bug assigned the salt to a var first (`saltHex = getDerivedHashSalt()...; kdf(...saltHex...)`) — a data-flow shape regex can't trace, so reviewers must also reject any kdf/HMAC key whose IKM transitively names getDerivedHashSalt.",
+  },
+  {
+    // A break-glass grant pin (pinIp / sessionPin — both documented
+    // default-ON) binds redemption to the IP / session captured when the
+    // grant was minted. The enforcement MUST fail closed when the
+    // captured binding is absent: a grant that recorded no IP (or no
+    // session) is refused, never waved through. The historical fail-open
+    // was a `grantRow.ip != null &&` short-circuit around the comparison
+    // — "no binding recorded, so there is nothing to check, so allow" —
+    // which lets a grant minted without a binding be redeemed from any
+    // origin, defeating the pin exactly when it is the only control left.
+    // The fixed shape is `if (grantRow.ip == null) throw ...` BEFORE the
+    // `redeemIp !== grantRow.ip` comparison (see _enforceGrantPins). The
+    // `grantRow.` receiver is unique to lib/break-glass.js, so this
+    // bad-shape regex needs no companion; skipCommentLines keeps the
+    // narrative comment that quotes the bad form from self-matching.
+    id: "break-glass-pin-fails-open-on-null-binding",
+    primitive: "fail closed in break-glass pin enforcement — refuse a grant whose pinIp/sessionPin binding was never captured (if grantRow.ip == null throw); never short-circuit the comparison with a `grantRow.ip != null &&` guard that treats an absent binding as 'nothing to check, allow'",
+    regex: /grantRow\.(?:ip|sessionId)\s*!=\s*null\s*&&/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "pinIp / sessionPin are documented default-ON; redemption binds to the IP / session captured at mint time. A `grantRow.ip != null &&` (or sessionId) guard around the pin comparison fails OPEN: a grant minted without a captured binding skips the check and is redeemable from any origin — the pin's whole point is lost in the one case it must hold. Enforce by refusing the unbound grant first (`if (grantRow.ip == null) throw`), then comparing. Resolve the redeeming client IP from the redemption request (falling back to req.ip), not from a value the redeemer can omit.",
+  },
+  {
+    // The b.dsr database-backed ticket store holds the data subject's
+    // identifiers and the raw request payload — PII under GDPR Art. 15 /
+    // 17 that an erasure request must be able to destroy. Those columns
+    // MUST be sealed via cryptoField.registerTable(DSR_SEAL_TABLE, { aad:
+    // true, ... }) so the row's plaintext is encrypted at rest and goes
+    // with the shredded row key; storing them plaintext leaves
+    // un-erasable PII and defeats b.subject.eraseHard for DSR tickets.
+    // DSR_SEAL_TABLE is unique to lib/dsr.js; the companion `requires`
+    // exempts the file once the registerTable call is present (the fix),
+    // so this fires only if a future edit drops the registration while
+    // keeping the table.
+    id: "dsr-ticket-store-pii-must-be-sealed",
+    primitive: "seal the b.dsr database ticket store's subject identifiers + request payload via cryptoField.registerTable(DSR_SEAL_TABLE, { aad: true, columns: [...] }); plaintext PII in the ticket store is un-erasable and defeats DSR erasure",
+    regex: /\bDSR_SEAL_TABLE\b/,
+    requires: /registerTable\s*\(\s*DSR_SEAL_TABLE/,
+    allowlist: [],
+    reason: "The DSR dbTicketStore persists the data subject's identifiers and the raw request body — the exact PII an Art. 17 erasure must destroy. Those columns must be sealed via cryptoField.registerTable(DSR_SEAL_TABLE, { aad: true }) so they are encrypted at rest under a per-row key bound to (table, rowId) and shredded with the row; leaving them plaintext means an erasure request cannot delete the data it is processing. The companion registerTable(DSR_SEAL_TABLE call satisfies the discipline; this entry fires only if the registration is removed while the table remains.",
+  },
+  // #114 — legal-hold + subject-restriction local tables seal their PII columns.
+  {
+    id: "legal-hold-store-pii-must-be-sealed",
+    primitive: "seal the b.legalHold _blamejs_legal_hold PII columns (reason/placedBy/custodian/citation) via cryptoField.sealRow(HOLD_TABLE, ...) on insert + unseal on read — the legal-basis / custodian / citation free text links a data subject to a legal matter and must not be stored plaintext",
+    regex: /sql\.insert\(HOLD_TABLE/,
+    requires: /\bsealRow\(HOLD_TABLE/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#114 — _blamejs_legal_hold stored legal-basis / custodian / ticket-citation free text in clear via the raw sql.insert + db.prepare().run() path, which bypasses the structured builder's auto-seal. db.js declares sealedFields on the table; legal-hold.js must seal on write (cryptoField.sealRow(HOLD_TABLE, ...)) and unseal on read (get/list/release). Fires if an insert into HOLD_TABLE lands without the seal.",
+  },
+  {
+    id: "subject-restriction-store-pii-must-be-sealed",
+    primitive: "seal the b.subject restriction reason (a PII ticket reference) via cryptoField.sealRow(RESTRICTIONS_TABLE, ...) on insert into _blamejs_subject_restrictions",
+    regex: /sql\.insert\(RESTRICTIONS_TABLE/,
+    requires: /\bsealRow\(RESTRICTIONS_TABLE/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#114 — _blamejs_subject_restrictions declares sealedFields:[\"reason\"] but subject.js wrote the reason in clear via the raw sql.insert path. Seal on write (cryptoField.sealRow(RESTRICTIONS_TABLE, ...)); the reason is write-only (isRestricted reads only the PK) so there is no unseal site. Fires if the restriction insert lands without the seal.",
+  },
+  {
+    // Vault keypair rotation stages every output file (the re-encrypted
+    // db, resealed vault/db keys, additional sealed files, derived-hash
+    // material, and the transient PLAINTEXT db) inside opts.stagingDir.
+    // Those writes must go through _writeStagedFileExclusive — O_CREAT |
+    // O_EXCL | O_NOFOLLOW, owner-only 0o600 — so a same-user pre-planted
+    // file or symlink swap in the staging dir is a hard failure rather
+    // than a followed write (CWE-377 / CWE-379 / CWE-59). A raw
+    // nodeFs.writeFileSync into the staging dir (or to the tmpDbPath /
+    // verifyTmp markers) follows whatever is already at the path. The
+    // identifiers tmpDbPath / verifyTmp / stagingDir are unique to
+    // lib/vault/rotate.js, so this bad-shape regex self-scopes there and
+    // needs no companion; the exclusive helper's own write targets an fd,
+    // not these names, so it does not match.
+    id: "vault-rotate-staged-write-not-exclusive",
+    primitive: "write vault-rotation staging files via lib/vault/rotate.js _writeStagedFileExclusive (O_CREAT|O_EXCL|O_NOFOLLOW, 0o600); never raw nodeFs.writeFileSync into opts.stagingDir or the tmpDbPath/verifyTmp markers — a non-exclusive create follows a pre-planted file/symlink in the staging dir (CWE-377/379/59)",
+    regex: /writeFileSync\s*\(\s*(?:tmpDbPath\b|verifyTmp\b|nodePath\.join\(\s*stagingDir)/,
+    allowlist: [],
+    reason: "vault rotation re-encrypts the database and reseals keys through framework-named files in opts.stagingDir, including a transient PLAINTEXT copy of the whole database. A raw nodeFs.writeFileSync to those paths follows a pre-planted regular file or symlink (CWE-59) and inherits a umask-wide mode (CWE-377/379). Every staged write must go through _writeStagedFileExclusive, which unlinks any stale entry then creates with O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW at 0o600 and fsyncs; the exclusive create turns a pre-plant into a hard error and O_NOFOLLOW refuses a symlinked target. This detector encodes the CodeQL js/insecure-temporary-file finding fixed in v0.14.26 so the raw-write shape cannot return to the rotation path.",
+  },
+  {
+    // The local queue seals job rows via cryptoField.sealRow(SEAL_TABLE,
+    // ...), but cryptoField.sealRow silently passes the row through as
+    // PLAINTEXT for a table that was never registerTable'd. The queue
+    // therefore MUST self-register its seal table on init via
+    // _ensureSealTable (an idempotent getSchema-probe + registerTable),
+    // or a queue node that never ran db.init writes job payloads to the
+    // backend in cleartext (fail-open). SEAL_TABLE and _ensureSealTable
+    // are queue-local identifiers, so the bad-shape regex self-scopes;
+    // the companion `requires` (the helper's presence) is the fix marker.
+    id: "queue-seal-table-not-self-registered",
+    primitive: "the local queue must self-register its seal table on init via _ensureSealTable (cryptoField.registerTable(SEAL_TABLE)) so job payloads seal at rest from the first write; cryptoField.sealRow/unsealRow is a silent no-op against an unregistered table, leaving jobs in plaintext (fail-open)",
+    regex: /cryptoField\.(?:sealRow|unsealRow)\s*\(\s*SEAL_TABLE\b/,
+    requires: /function _ensureSealTable\b/,
+    allowlist: [],
+    reason: "v0.14.26 — queue-local seals job rows with cryptoField.sealRow(SEAL_TABLE, ...), but cryptoField.sealRow writes PLAINTEXT (silent no-op) for a table that was never registered. A standalone redis/sqs queue node that never ran db.init would therefore persist job payloads in cleartext. The fix self-registers the seal table on queue.init via _ensureSealTable (idempotent). This detector fires if a future edit seals/unseals SEAL_TABLE rows while the _ensureSealTable self-register is removed — reopening the fail-open-to-plaintext window. The companion _ensureSealTable declaration satisfies the discipline once the self-register is present.",
+  },
+  {
+    // When the DSR ticket store adds the derived subject-hash lookup
+    // columns to an existing table, ensureSchema MUST backfill legacy /
+    // vault-less rows: compute the hashes from the plaintext subject + re-
+    // seal. Once a vault is present, list({ subject }) matches on the hash
+    // columns (the plaintext columns are sealed and unmatchable), so a
+    // pre-upgrade row with NULL hashes is never found for its subject — and
+    // the erasure-completion purge, which lists by subject, skips exactly
+    // the tickets it must remove (GDPR Art. 17). The regex matches the
+    // list-by-hash spec (always present in dsr.js); the companion `requires`
+    // is the backfill SELECT, so the file is skipped while the backfill is
+    // in place and flagged if it is removed. subject_email_hash is unique
+    // to lib/dsr.js, so this self-scopes.
+    id: "dsr-schema-upgrade-without-legacy-hash-backfill",
+    primitive: "when the DSR ticket store queries subject-hash lookup columns, ensureSchema must backfill legacy/vault-less rows (compute hashes from plaintext + re-seal) so list({ subject }) finds pre-upgrade tickets and the erasure purge does not skip them",
+    regex: /hashCol:\s*["']subject_email_hash["']/,
+    requires: /subject_email_hash IS NULL/,
+    allowlist: [],
+    reason: "v0.14.26 — the DSR dbTicketStore matches list({ subject }) on derived-hash columns once a vault is present. A row written before the sealed-store upgrade (or while vault-less) has plaintext subject columns with NULL hashes, so it is invisible to a subject lookup — and the erasure-completion purge that lists by subject silently skips it, leaving un-erased PII (GDPR Art. 17 / CWE-noted advertised-vs-actual). ensureSchema must backfill: SELECT rows with NULL subject_*_hash, computeDerived from the plaintext, sealRow, and write hashes + sealed columns back (idempotent; also makes the legacy plaintext erasable). This detector fires if the hash-lookup path remains but the `subject_email_hash IS NULL` backfill SELECT is removed.",
+  },
+  {
+    // The break-glass TOTP factor must reserve the accepted step ATOMICALLY
+    // as part of acceptance (_reserveTotpStep — one compare-and-advance
+    // cache update). The earlier shape read the replay floor
+    // (_readLastTotpStep), verified against it, then committed the step in a
+    // separate step (_commitTotpStep): two concurrent grant() calls with the
+    // same in-window code both observe the old floor before either commits,
+    // so both verify and the same code is redeemed twice (replay). Those two
+    // function names are unique to lib/break-glass.js; their reappearance is
+    // the racy read-then-commit pattern returning. skipCommentLines so the
+    // historical reference in this catalog / docstrings doesn't self-match.
+    id: "totp-step-read-then-commit-race",
+    primitive: "reserve the break-glass TOTP replay step atomically as part of acceptance (_reserveTotpStep — one compare-and-advance); never read the floor, verify, then commit in a separate step (the _readLastTotpStep + _commitTotpStep shape) — two concurrent grants observe the same floor and both pass (replay)",
+    regex: /\b_readLastTotpStep\b|\b_commitTotpStep\b/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.14.26 (Codex P2 on PR #306) — break-glass grant() read the highest accepted TOTP step, verified against it, then committed the new step in a separate cache write. Two concurrent grants for the same (actor, secret, code) both read the old floor before either committed, so both _verifyTotpFactor calls passed and the same in-window code was redeemed more than once. The fix reserves the step atomically in _reserveTotpStep (a single _factorLockoutCache.update that advances the floor only if the step is strictly above it, reporting whether THIS caller won), so the second concurrent grant is refused. This detector flags reintroduction of the read-then-commit helpers (_readLastTotpStep / _commitTotpStep) that carried the race.",
+  },
+  // ---- v0.14.27 security-hardening sweep detectors ----
+  // CodeQL js/path-injection — the static file server must re-confine a
+  // request-derived path at the fs sink; the serve stream reads the confined
+  // streamTarget, not the raw request-derived absPath.
+  {
+    id: "static-serve-stream-path-not-confined",
+    primitive: "stream the static-served file from the root-confined streamTarget (lib/static.js _assertInsideRoot), never the request-derived absPath",
+    regex: /createReadStream\(\s*absPath\s*,\s*streamOpts/,
+    requires: /createReadStream\(\s*streamTarget\b/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-22 — the static file server resolves a request URL to a disk path; the path handed to fs.createReadStream must flow from the per-sink root-confinement barrier _assertInsideRoot (resolves under root, refuses anything outside via startsWith(root+sep)), not directly from the request-derived candidate. Streaming from the bare absPath re-opens the traversal-read class CodeQL flags.",
+  },
+  // CodeQL js/file-system-race + js/insecure-temporary-file — the content-safety
+  // gate read must open the confined path with O_NOFOLLOW and anchor to one fd.
+  {
+    id: "static-gate-open-not-nofollow",
+    primitive: "open the static content-safety gate read with O_RDONLY | O_NOFOLLOW on the confined path (lib/static.js) — refuse a final-component symlink swap, single-fd anchored",
+    regex: /fsp\.open\(\s*\w*[Aa]bsPath\s*,\s*["']r["']\s*\)/,
+    requires: /O_NOFOLLOW/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-367/CWE-59 — the pre-serve content-safety read must open the root-confined path with O_NOFOLLOW so a final-component symlink swap between the directory stat and the read cannot redirect it, and take size + bytes from that single descriptor. The bare fsp.open(absPath, \"r\") form drops both defenses.",
+  },
+  // CodeQL js/insecure-temporary-file — atomic-file stages every write into a
+  // sibling temp file before rename; that create must be exclusive + no-follow.
+  {
+    id: "atomic-file-temp-create-not-exclusive",
+    primitive: "create the atomic-file rename-staging temp via _openExclTemp (O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW) — never the truncating, symlink-following \"w\" flag",
+    regex: /openSync\(\s*tmpPath\s*,\s*"w"/,
+    requires: /_openExclTemp\s*\(/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-377/CWE-59 — atomic-file stages each write into a sibling temp before rename; that temp create must be O_EXCL (refuse a pre-planted file) + O_NOFOLLOW (refuse a planted symlink), not the truncating, symlink-following \"w\" flag.",
+  },
+  // CodeQL js/insecure-temporary-file — http-client download staging must be
+  // exclusive + no-follow.
+  {
+    id: "http-client-download-temp-stream-not-exclusive",
+    primitive: "stage the http-client download with O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW (numeric flag), not createWriteStream flags:\"w\"",
+    regex: /createWriteStream\([^\n]*flags:\s*"w"/,
+    requires: /O_EXCL/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-377/CWE-59 — downloadStream streams a remote body into a sibling temp before the hash-gated rename; that create must be O_EXCL + O_NOFOLLOW so an attacker can't pre-plant a file (truncated) or symlink (written through to a victim) at the staging path.",
+  },
+  // CodeQL js/remote-property-injection — body-parser must build maps from
+  // [key,value] pairs (Object.fromEntries), never a request-keyed computed write.
+  {
+    id: "body-parser-request-keyed-map-write",
+    primitive: "build body-parser header/param/field maps via Object.fromEntries (_mapFromPairs), never assign a request-derived key directly (target[bareKey|currentField|fieldName] = v)",
+    regex: /\b\w+\[\s*(?:bareKey|currentField|fieldName)\s*\]\s*=(?!=)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-915/CWE-1321 — body-parser's multipart Content-Disposition parser and field accumulator wrote attacker-controlled key names into a map; a part named __proto__/constructor/prototype reaches the Object.prototype setter. They now collect [key,value] pairs and materialize via _mapFromPairs (Object.fromEntries onto Object.create(null), poisoned keys dropped) / Object.assign(fields, Object.fromEntries([[fieldName,value]])). The bareKey/currentField/fieldName key vars are unique to these parsers.",
+  },
+  {
+    id: "websocket-extension-params-keyed-write",
+    primitive: "build the Sec-WebSocket-Extensions params map via Object.fromEntries onto Object.create(null) (lib/websocket.js _parseExtensionHeader), never ext.params[name] = v",
+    regex: /\bext\.params\[\s*\w+\s*\]\s*=(?!=)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-915/CWE-1321 — the RFC 7692 extension-parameter name comes from the client Sec-WebSocket-Extensions header; written as ext.params[k]=v a param named __proto__/constructor/prototype is the sink. The parser now collects paramPairs (poisoned names skipped) and builds via Object.assign(Object.create(null), Object.fromEntries(paramPairs)).",
+  },
+  {
+    id: "body-parser-header-maps-compose-mapFromPairs",
+    primitive: "lib/middleware/body-parser.js must compose _mapFromPairs to build its request-header/param maps — dropping the helper means a raw request-keyed computed write returned",
+    regex: /function _parseMultipartHeaders\s*\(/,
+    requires: /_mapFromPairs\s*\(/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-915/CWE-1321 — the generic-key parser sites (_contentType, _parseMultipartHeaders, _parseHeaderParams) build maps keyed by a request-controlled name; they're guarded structurally by the one composing primitive _mapFromPairs (Object.fromEntries onto Object.create(null), poisoned keys dropped). Anchored on _parseMultipartHeaders (unique to body-parser); fails if a future edit drops _mapFromPairs.",
+  },
+  // M10 — azure blob key must be percent-encoded before URL interpolation.
+  {
+    id: "azure-blob-key-unencoded-in-url",
+    primitive: "percent-encode each azure blob-key path segment via _encodeBlobKey (sigv4.awsUriEncode) before URL interpolation",
+    regex: /config\.container\s*\+\s*"\/"\s*\+\s*(?:opts\.)?key\b/,
+    requires: /_encodeBlobKey\s*\(/,
+    allowlist: [],
+    reason: "CWE-20 — an azure blob key with ?/#/space truncates the URL path or corrupts the request line; keys must route through _encodeBlobKey (per-segment RFC 3986 encoding, preserving / separators) before interpolation, the encoder GCS already uses.",
+  },
+  // M7 — every file-upload content-safety skip path must audit the bypass.
+  {
+    id: "file-upload-content-safety-skip-unaudited",
+    primitive: "every fileUpload content-safety skip path must emit a fileUpload.content_safety_skipped audit (_emitContentSafetySkipped) naming the reason, not just an obs counter",
+    regex: /content_safety_skipped_streamed/,
+    requires: /_emitContentSafetySkipped\s*\(/,
+    allowlist: [],
+    reason: "CWE-778 — an upload that bypasses the byte-level content scan (opt-out / no gate for the extension / over the reassembly cap) must be visible in the audit log, not just an observability counter, so a reviewer can tell a scanned upload from a bypassed one.",
+  },
+  // api-key rotate-on-verify re-hash must compare-and-swap on the value it read.
+  {
+    id: "apikey-rehash-on-verify-without-cas",
+    primitive: "guard the rotate-on-verify secret re-hash UPDATE with a compare-and-swap on the read hash (.where(\"secretHash\", row.secretHash)) so a concurrent rotate() is not clobbered",
+    regex: /touchFields\.secretHash\s*=\s*freshSecretHash/,
+    requires: /\.where\(\s*"secretHash"\s*,\s*row\.secretHash\s*\)/,
+    allowlist: [],
+    reason: "CWE-362 (lost update) — verify() reads the stored secretHash, computes the upgraded hash, then writes it in a later UPDATE. Without a compare-and-swap on the exact hash that was read, a rotate()/hardRotate() landing between the read and the write is overwritten with the OLD secret's re-hash: the rotated token is invalidated and the old token keeps verifying. The re-hash UPDATE must carry `.where(\"secretHash\", row.secretHash)` so it no-ops when the row changed underneath it.",
+  },
+  // SigV4 canonical path must be service-aware (S3 single-encodes, others double).
+  {
+    id: "sigv4-canonical-path-unconditional-double-encode",
+    primitive: "branch the SigV4 canonical path on doubleEncodePath (S3/GCS single-encode the already-encoded pathname; only sqs/logs/sns double-encode) — never unconditionally awsUriEncode the path",
+    regex: /awsUriEncode\(\s*path\b/,
+    requires: /doubleEncodePath\s*\?/,
+    allowlist: [],
+    reason: "Object-store correctness — a WHATWG URL pathname is ALREADY the single-encoded wire form, and S3/S3-compatible/GCS sign the canonical path with exactly that one encoding. A second awsUriEncode(path) signs '/a%2520b' for a key the wire carries as '/a%20b' → SignatureDoesNotMatch (403) on any key with a space/+/&/unicode. canonicalRequest must single-encode for S3 (doubleEncodePath=false, the default) and keep the second pass only for the genuinely double-encoding AWS services. Shipped green because every test key was plain ASCII (awsUriEncode is a no-op there).",
+  },
+  // awsUriEncode must iterate by Unicode code point, not UTF-16 code unit.
+  {
+    id: "sigv4-awsuriencode-utf16-unit-iteration",
+    primitive: "iterate awsUriEncode by code point (Array.from / codePointAt), not by UTF-16 index + charAt — a per-unit encodeURIComponent throws URIError on a non-BMP key's split surrogate pair",
+    regex: /function awsUriEncode\([\s\S]{0,400}?encodeURIComponent/,
+    requires: /Array\.from|codePointAt/,
+    allowlist: [],
+    reason: "Object-store correctness — encodeURIComponent on a lone surrogate throws 'URIError: URI malformed', so iterating awsUriEncode by str.charAt(i) and escaping each UTF-16 unit breaks any object key containing a non-BMP character (emoji, CJK Extension B, ...) before the request is signed. The encoder must walk Unicode code points (Array.from(str) keeps surrogate pairs together) so the whole character reaches encodeURIComponent as one UTF-8 sequence.",
+  },
+  // sql.js createTable must route its emitted DDL through the quote-aware catalog gate.
+  {
+    id: "sql-createtable-ddl-not-catalog-gated",
+    primitive: "route createTable's emitted CREATE TABLE through _assertCatalogEmittable (its quote-aware single-statement scan is the injection backstop for the one raw-emission position — the verbatim column type) — never return a bare { sql, params }",
+    regex: /var sql = "CREATE TABLE " \+ ifNot[\s\S]{0,420}?return \{ sql:/,
+    allowlist: [],
+    reason: "SQL injection — _ddlType returns an unrecognised column type verbatim into the DDL; it is the one raw-emission position in an otherwise quote-by-construction builder (constraints route through _checkRawFragment, names through _quoteId). The injection backstop is the quote-aware _assertCatalogEmittable scan, which refuses a top-level ';' / comment / unbalanced quote / unbalanced paren while CORRECTLY allowing those characters inside a balanced quoted label (ENUM('needs;review')). createTable must therefore return _assertCatalogEmittable(sql, []) — a bare { sql, params } would let a type like 'text); DROP TABLE x; --' emit a stacked statement. A non-quote-aware pre-scan on the type was removed precisely because it over-rejected valid quoted labels.",
+  },
+  {
+    // v0.15.4 R2 — every hand-rolled DDL (CREATE/ALTER TABLE, CREATE INDEX)
+    // concatenated and handed to runSql/exec must route through
+    // safeSql.assertSingleStatement first, the same quote-aware single-statement
+    // gate the b.sql builder enforces. db-schema.reconcileTable shipped a
+    // verbatim-column-type injection (a type "TEXT); DROP TABLE x; --" smuggled a
+    // stacked statement) until this gate; this enforces the invariant across the
+    // whole raw-DDL family (schema reconcile, DSR store, migrations), not one site.
+    id: "ddl-concat-to-runsql-without-single-statement-gate",
+    primitive: "wrap a hand-rolled CREATE TABLE / ALTER TABLE / CREATE INDEX string in safeSql.assertSingleStatement(sql, { label }) before runSql/exec — the raw-DDL paths use the same single-statement gate the b.sql builder does",
+    regex: /\b(?:runSql|exec)\(\s*(?:\w+,\s*)?"(?:CREATE TABLE|ALTER TABLE|CREATE INDEX|DROP TABLE)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "A finished DDL string built by concatenating a (possibly operator-controlled) value and passed straight to runSql/exec bypasses the quote-aware single-statement scan the b.sql builder enforces on its own DDL — a verbatim column type like 'TEXT); DROP TABLE x; --' smuggles a stacked statement (lib/db-schema.js reconcileTable shipped exactly this until v0.15.4). Route the finished string through safeSql.assertSingleStatement(sql, { label }); the gated form does not match because the string literal no longer sits directly after the runSql/exec open-paren + optional db arg.",
+  },
+  // #63 — safe-xml must reject prototype-poisoning element/attribute names and
+  // build null-prototype accumulators.
+  {
+    // v0.15.4 R1 — the raw write entry points (execRaw / prepare) must route a
+    // write to a per-row-residency table through the residency gate, like the
+    // structured builder's insert/update. Without it a raw INSERT/UPDATE lands a
+    // cross-border row past the gate. The function body must reference the gate:
+    // _assertRawWriteResidency (execRaw) or _isRawWriteToResidencyTable (prepare).
+    id: "db-raw-write-entry-skips-residency-gate",
+    primitive: "execRaw / prepare must call the residency gate (_assertRawWriteResidency / _isRawWriteToResidencyTable) so a raw INSERT/UPDATE to a per-row-residency table is validated like b.db.from().insertOne/updateOne",
+    regex: /function (?:execRaw|prepare)\s*\([^)]*\)\s*\{(?:(?!_assertRawWriteResidency|_isRawWriteToResidencyTable|\n\})[\s\S]){0,12000}?\n\}/,
+    allowlist: [
+      // localDb.thin is an isolated lightweight node:sqlite wrapper with no
+      // cryptoField / residency policy and a separate DB file - its prepare
+      // cannot write a per-row-residency row, so the residency gate is N/A.
+      "lib/local-db-thin.js",
+    ],
+    reason: "The structured builder runs every insert/update through _assertLocalResidency, but the raw paths b.db.runSql (execRaw) and b.db.prepare(sql).run(...) bypass it, so under a regulated posture a cross-border row lands straight on disk (shipped this way until v0.15.4). execRaw must call _assertRawWriteResidency(sql); prepare must wrap a write to a residency table via _isRawWriteToResidencyTable. This detector fires if either function reaches its closing brace without referencing the gate.",
+  },
+  {
+    id: "xml-parsename-no-prototype-key-rejection",
+    primitive: "reject element/attribute names __proto__/constructor/prototype in the XML name parser (lib/parsers/safe-xml.js parseName → FORBIDDEN_KEYS)",
+    regex: /xml\/bad-name[\s\S]{0,200}?return\s+input\.substring/,
+    requires: /FORBIDDEN_KEYS\.has/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-1321 — b.safeXml built its key accumulators from parser-controlled names with no poisoned-key rejection (unlike its toml/yaml/ini siblings); an attribute named constructor tripped the duplicate guard via an inherited member, and __proto__/constructor/prototype landed as result-tree keys. parseName (uniquely scoped by the xml/bad-name code) must reject FORBIDDEN_KEYS before returning the parsed name.",
+  },
+  {
+    id: "xml-make-wrapper-plain-object",
+    primitive: "build the XML element-name wrapper with Object.create(null) (lib/parsers/safe-xml.js _make), not a plain {} keyed by an attacker-influenced element name",
+    regex: /function _make\(name, value\)[\s\S]{0,600}?var out = \{\}/,
+    requires: /var out = Object\.create\(null\)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-1321 — _make wrapped each parsed element as `var out = {}; out[name] = value` keyed by the element name; with a plain object, out[\"__proto__\"]=value reassigns the wrapper prototype and the returned tree exposes inherited Object members on absent keys. The accumulator must be Object.create(null).",
+  },
+  // #64 — router.use must branch on a string/array path prefix, not drop it.
+  {
+    id: "router-use-drops-path-argument",
+    primitive: "Router.use must classify its first argument (function = global; string/array = path-scoped) — never a single-arg use(fn){this.middleware.push(fn)} that drops the path",
+    regex: /\buse\s*\(\s*fn\s*\)\s*\{\s*this\.middleware\.push\s*\(\s*fn\s*\)\s*;?\s*\}/,
+    requires: /_usePrefixesFromFirstArg|typeof\s+first\s*===\s*["']function["']/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-670 — router.use(path, mw) is documented across ~11 security middleware but was unimplemented: use(fn) pushed the first arg and dropped the rest, so a path-scoped security gate either 500'd every request (the path string invoked as a function) or never ran where mounted (silent control-scoping bypass). The fix classifies the first argument before pushing.",
+  },
+  // M4 — JMAP must gate a client accountId against accountsFor before dispatch.
+  {
+    id: "jmap-accountid-forwarded-without-accountsfor-gate",
+    primitive: "gate a client-supplied JMAP accountId against accountsFor(actor)'s permitted set (lib/mail-server-jmap.js _permittedAccountIds → accountNotFound) before dispatching to a method/blob handler",
+    regex: /\b(?:uploadBlob|downloadBlob)\([^)]*accountId[^)]*\)/,
+    requires: /_permittedAccountIds|accountNotFound/,
+    allowlist: [],
+    reason: "RFC 8620 §3.6.1 — a client-supplied accountId must be checked against accountsFor(actor)'s permitted set and rejected with accountNotFound BEFORE reaching a method/blob handler. Forwarding it on format-validation alone lets one tenant reach another tenant's account.",
+  },
+  // #69 / #125 — EVERY OTLP attribute-map encoder must route its values
+  // through the telemetry redactor. The class is "a function that turns a raw
+  // { key: value } attribute map into OTLP KeyValues": _attrsToOtlp (metric /
+  // event JSON, lib/otel-export.js), _attrToOtlp (span / event / resource JSON,
+  // lib/observability-otlp-exporter.js), _attrsToProto (span / event / resource
+  // protobuf, same file). Each must call observability.redactAttrs() (or the
+  // legacy per-value _redactAttrValue) before emitting; the value type-encoders
+  // (_valueToOtlp / _anyValueToProto / _encodeValue) run AFTER redaction and
+  // are deliberately NOT anchored. Span-anchored so a body that reaches its
+  // column-0 close without a redactor reference fires.
+  {
+    id: "otlp-attr-encoder-skips-telemetry-redactor",
+    primitive: "route every OTLP attribute-map encoder (_attrsToOtlp / _attrToOtlp / _attrsToProto) through observability.redactAttrs() before serialization — telemetry is a first-class EGRESS sink and an unredacted attribute value ships secrets/PII onto the OTLP wire (CWE-532)",
+    scanScope: "lib",
+    regex: /function (?:_attrToOtlp|_attrsToProto|_attrsToOtlp)\s*\([^)]*\)\s*\{(?:(?!redactAttrs|_redactAttrValue|\n\})[\s\S]){0,4000}?\n\}/,
+    allowlist: [],
+    reason: "CWE-532 — span/metric/resource attributes are a first-class egress sink. #69 fixed lib/otel-export.js _attrsToOtlp but pinned its detector to that one function name, leaving the SPAN exporter's two sibling encoders (lib/observability-otlp-exporter.js _attrToOtlp JSON + _attrsToProto protobuf) shipping attribute values verbatim to the collector (#125). The shared root is 'an attribute-map encoder that serializes without scrubbing'; every such encoder must pass each value through observability.redactAttrs() (default composes b.redact.redact, fail-toward-dropping on a throwing redactor) before the wire payload. The negative lookahead exempts the per-value type-encoders (_valueToOtlp/_anyValueToProto) which run after redaction; the {0,4000} bound is a ReDoS backstop well above the real encoder bodies (<2000 chars).",
+  },
+  // #131 — the b.middleware.dpop factory must REQUIRE its replayStore at config
+  // time. The store is DPoP's jti-replay defense (RFC 9449 §11.1); reading it
+  // optionally and gating the check behind `if (replayStore)` silently mounts a
+  // proof-of-possession middleware that performs no replay check when the
+  // operator omits the store. The middleware (operator security default) must
+  // enforce presence + the checkAndInsert shape with validateOpts.requireMethods;
+  // the low-level verify() primitive keeps its documented optional replayStore.
+  {
+    id: "dpop-middleware-replaystore-not-required",
+    primitive: "enforce opts.replayStore presence + checkAndInsert shape at b.middleware.dpop create() via validateOpts.requireMethods(opts.replayStore, [\"checkAndInsert\"], ...) — a missing store silently disables DPoP jti-replay defense (RFC 9449)",
+    scanScope: "lib",
+    regex: /var replayStore\s*=\s*opts\.replayStore/,
+    requires: /requireMethods\(\s*opts\.replayStore/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#131 — b.middleware.dpop documented replayStore as required but create() read it optionally (`var replayStore = opts.replayStore`) and gated the replay check behind `if (replayStore)`, so omitting it mounted a DPoP gate with NO jti-replay defense — a captured proof replays indefinitely (RFC 9449 §11.1). The operator-facing middleware must fail closed at config time: validateOpts.requireMethods(opts.replayStore, [\"checkAndInsert\"], ...) throws on both a missing store and a store lacking checkAndInsert. The unique `var replayStore = opts.replayStore` token is the middleware's optional read (the low-level lib/auth/dpop.js verify() primitive uses opts.replayStore inline and keeps it deliberately optional, so it is not matched). This entry fires only if the create-time requireMethods enforcement is removed while the optional read remains.",
+  },
+  // #135 — SD-JWT-VC ES256/ES384 must sign/verify with JOSE encoding (raw r||s).
+  {
+    id: "sd-jwt-vc-ecdsa-der-not-ieee-p1363",
+    primitive: "sd-jwt-vc _signJwt / _verifyJwt must wrap the EC key with dsaEncoding: \"ieee-p1363\" for ES256/ES384 — node:crypto defaults to DER, which every conformant JOSE / EUDI-wallet verifier rejects (and the library would reject their raw-r||s signatures)",
+    scanScope: "lib",
+    regex: /nodeCrypto\.sign\(\s*sigAlgo\s*,\s*Buffer\.from\([^)]*\)\s*,\s*privateKey\s*\)|nodeCrypto\.verify\(\s*sigAlgo\s*,\s*Buffer\.from\([^)]*\)\s*,\s*publicKey\s*,/,
+    allowlist: [],
+    reason: "#135 — _signJwt/_verifyJwt passed the bare EC key (`, privateKey)` / `, publicKey,`) to nodeCrypto.sign/verify, so ES256/ES384 ECDSA signatures were DER-encoded (ASN.1 SEQUENCE, leading 0x30, ~70-72 bytes for P-256). JOSE/JWS — and EUDI wallets — require raw r||s (\"ieee-p1363\", 64 bytes for ES256, 96 for ES384), so tokens this issuer signed were rejected by conformant verifiers and the library rejected conformant wallets' KB-JWTs. The fix routes both calls through _ecKeyParam(algorithm, key), which returns { key, dsaEncoding: \"ieee-p1363\" } for ES256/ES384 — matching oauth.js / dpop.js / jwt-external.js _verifyParamsForAlg. The anchor is the bare-key call shape (3rd arg is the literal `privateKey` / `publicKey` identifier); once wrapped in _ecKeyParam the shape no longer matches. The KB-JWT (holder) and issuer JWT both sign through this single _signJwt, so the one fix closes both.",
+  },
+  // #137 — verifyIdToken's skipExpCheck must be gated to logout tokens.
+  {
+    id: "oauth-verifyidtoken-skipexpcheck-ungated",
+    primitive: "verifyIdToken must NOT honor a caller-passable skipExpCheck on a regular ID token — the exp bypass is only valid for OIDC Back-Channel-Logout tokens (events claim), and even then bounded by an iat freshness floor; a bare `if (!vopts.skipExpCheck)` gate lets any caller verify an expired/replayed credential clean",
+    scanScope: "lib",
+    regex: /if \(!vopts\.skipExpCheck\)/,
+    requires: /skip-exp-check-not-allowed/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#137 — verifyIdToken wrapped its exp validation in `if (!vopts.skipExpCheck) { ... }` so any external caller (verifyIdToken is a public API) could pass skipExpCheck: true and verify an EXPIRED id_token clean — token-replay of expired-but-once-valid credentials. skipExpCheck exists only because OIDC Back-Channel Logout 1.0 §2.4 logout tokens carry no exp; the internal verifyBackchannelLogoutToken passes it. The fix flips the branch to `if (vopts.skipExpCheck) { <require the backchannel-logout events claim> + <iat freshness floor> } else { <exp check> }`, so skipExpCheck is refused (auth-oauth/skip-exp-check-not-allowed) on any token lacking the logout event claim and a stale logout token is refused (auth-oauth/logout-token-stale). The detector anchors on the bare negative gate and requires the new refusal code in-file; after the fix the bare gate is gone and the code is present, so it stays silent.",
+  },
+  // #116 — crypto-field upgrade-on-read rewrite must honor the handle's dialect.
+  {
+    id: "cryptofield-upgrade-on-read-hardcodes-sqlite-dialect",
+    primitive: "_upgradeDerivedHashesOnRead must build its durable re-hash UPDATE with the resolved dialect of the writable handle, not a hardcoded dialect: \"sqlite\" — unsealRow accepts a caller-supplied Postgres/MySQL handle, and a sqlite-quoted UPDATE (double quotes) is rejected by MySQL (backticks), so the advertised keyed-MAC migration silently no-ops off sqlite",
+    scanScope: "lib",
+    regex: /function _upgradeDerivedHashesOnRead(?:(?!\nfunction )[\s\S]){0,4000}?sql\.update\(\s*table\s*,\s*\{\s*dialect:\s*"sqlite"/,
+    allowlist: [],
+    reason: "#116 — the upgrade-on-read durable rewrite (re-hash a legacy salted-sha3 derived-hash column to the keyed MAC) hardcoded sql.update(table, { dialect: \"sqlite\", quoteName: true }). unsealRow's 4th arg is a caller-supplied dbHandle that db-query threads from an external Postgres/MySQL connection; on a MySQL handle the sqlite-dialected UPDATE emits double-quoted identifiers (\"users\"), which MySQL parses as a string literal and rejects, so the rewrite throws into the best-effort try/catch and the legacy digest stays on disk — keyed-MAC migration never happens off sqlite. The fix resolves the dialect from handle.dialect (validated to postgres|mysql|sqlite, default sqlite — db-query._dialect()'s contract). The detector anchors INSIDE _upgradeDerivedHashesOnRead (the function-scoped span) so the legitimately-sqlite-only _PER_ROW_SQL_OPTS literal at module scope is not flagged; it fires while the literal dialect: \"sqlite\" remains and goes silent once it reads the handle's dialect.",
+  },
+  // #126 — SSE _writeRaw must bound its outbound buffer (slow-consumer DoS).
+  {
+    id: "sse-writeraw-no-bounded-buffer",
+    primitive: "sse _writeRaw must bound the per-channel outbound buffer (res.writableLength vs a maxBufferedBytes cap) and evict a slow consumer — res.write() returning false is unbounded backpressure; a stalled client otherwise grows the server heap without limit (memory-exhaustion DoS)",
+    scanScope: "lib",
+    regex: /function _writeRaw\b/,
+    requires: /writableLength/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#126 — _writeRaw called res.write(s) and discarded the boolean return (the backpressure signal) with no bound on res.writableLength (Node's count of buffered-but-unflushed bytes). SSE is server-push: when a client stalls, the app keeps calling send() and the writable buffer grows without limit until the heap is exhausted — one slow connection is a memory-exhaustion DoS. The fix reads res.writableLength after each write and, when it exceeds the per-channel maxBufferedBytes cap (default 1 MiB), closes the channel and throws sse/backpressure — evicting the slow consumer instead of buffering forever (the bounded-write discipline lib/archive.js already follows). The detector fires while _writeRaw never consults writableLength and goes silent once the cap lands; a healthy client (writableLength ~0) is never evicted.",
+  },
+  // #141 — sealed-field membership (IN) must hash each candidate element.
+  {
+    id: "db-query-sealed-in-hashes-whole-array",
+    primitive: "db-query's sealed-field → derived-hash rewrite must map EACH element of an IN candidate list through cryptoField.lookupHash (and include each one's legacy digest for dual-read) — passing the whole array to lookupHash as a single value produces one bogus hash and makes whereIn/$in on a sealed column throw or silently miss",
+    scanScope: "lib",
+    regex: /if \(this\._isSealedField\(field\)\)\s*\{(?:(?!op === "IN")[\s\S]){0,200}?cryptoField\.lookupHash/,
+    allowlist: [],
+    reason: "#141 — _resolvePredicate's sealed-field branch called cryptoField.lookupHash(this._cryptoFieldKey(), field, value) once with the raw value. For op \"=\"/\"!=\" that value is a scalar, but for op \"IN\" (b.db.from().whereIn(sealedCol, [...]) / b.db.collection().find({ sealedCol: { $in: [...] } })) it is the candidate ARRAY — lookupHash then hashes the array-as-one-value, and the later `where IN requires a non-empty array` shape check throws, so membership queries on a sealed column were unusable (the documented derived-hash query path supported equality but not membership). The fix branches on op === \"IN\" inside the sealed block and maps each element through lookupHash, building the combined IN-list with each element's keyed + legacy digest (the same dual-read the \"=\" path does across the v0.15.0 keyed-MAC flip). The tempered span fires while the sealed block reaches lookupHash with no `op === \"IN\"` branch first and goes silent once that branch precedes the per-element lookup; the {0,200} bound is a ReDoS backstop above the ~60-char buggy span.",
+  },
+  // #127 — worker-pool must mark a slot recycling BEFORE _finishTask drains the queue.
+  {
+    id: "workerpool-finishtask-before-recycling-mark",
+    primitive: "_onTaskTimeout / _onWorkerError must set slot.recycling = true BEFORE calling _finishTask — _finishTask sets slot.busy = false and drains the queue, so a freshly-queued task would be dispatched to the slot whose worker is about to be terminated (the task dies with workerpool/worker-exit instead of running on the replacement worker)",
+    scanScope: "lib",
+    regex: /function _onTaskTimeout\s*\([^)]*\)\s*\{(?:(?!slot\.recycling = true)[\s\S]){0,600}?_finishTask\(slot|function _onWorkerError\s*\([^)]*\)\s*\{(?:(?!slot\.recycling = true)[\s\S]){0,600}?_finishTask\(slot/,
+    allowlist: [],
+    reason: "#127 — _finishTask() sets slot.busy = false and ends with _drainQueue(); _findIdleSlot() returns any slot that is `!busy && !recycling`. _onTaskTimeout/_onWorkerError called _finishTask FIRST and only marked the slot recycling afterward (in _recycleWorker), so the synchronous drain inside _finishTask handed a just-queued task to the dying slot — its message went to a worker about to be terminate()d and came back as workerpool/worker-exit (or hung), even though a healthy replacement was about to spawn. The fix sets slot.recycling = true before _finishTask in both handlers so the drain skips the dying slot and the queued task waits for the replacement. The tempered span fires while _finishTask(slot is reached before the recycling mark in either handler and goes silent once the mark precedes it; the {0,600} bound is a ReDoS backstop above the ~15-line handler bodies.",
+  },
+  // #128 — outbox must reap stale in-flight claims before claiming new work.
+  {
+    id: "outbox-processonce-claims-without-reaping",
+    primitive: "outbox._processOnce must call _reapStaleInflight() BEFORE _claimBatch() — a claim flips a row to in-flight (status), and the claim path only selects status='pending', so a crash between claim and mark-published strands the row in-flight forever (at-least-once violated). The poll must reclaim stale in-flight rows each cycle",
+    scanScope: "lib",
+    regex: /async function _processOnce\s*\([^)]*\)\s*\{(?:(?!_reapStaleInflight)[\s\S]){0,400}?_claimBatch/,
+    allowlist: [],
+    reason: "#128 — the outbox claims jobs by flipping status pending → in-flight, but _claimBatch only SELECTs status='pending'. With no reaper, a publisher that claims a row then crashes before _markPublished/_markRetry/_markDead leaves the row in-flight forever — the event is silently dropped and the advertised at-least-once delivery is violated (b.queue has sweepExpired; outbox had nothing). The fix stamps claimed_at on claim and reaps any in-flight row older than claimReclaimMs (or NULL claimed_at, a legacy/crashed claim) back to pending at the top of every poll, before _claimBatch. The tempered span fires while _processOnce reaches _claimBatch without a preceding _reapStaleInflight call and goes silent once the reap precedes the claim; the {0,400} bound is a ReDoS backstop above the short body. The behavioral guard is test/layer-0-primitives/outbox-inflight-reaper.test.js.",
+  },
+  // #133 — SAML Bearer/HoK SubjectConfirmation NotOnOrAfter must fail closed.
+  { id: "saml-subjectconfirmation-notonorafter-must-fail-closed", primitive: "verifyResponse's Bearer SubjectConfirmationData NotOnOrAfter check must fail closed: `var notOnOrAfter = _attr(scd, \"NotOnOrAfter\"); if (!notOnOrAfter) continue;` followed by a parseability+expiry check — never the optional `if (notOnOrAfter) { ... }` shape, which accepts a confirmation with NO NotOnOrAfter as fresh-forever", scanScope: "lib", regex: /var notOnOrAfter\s*=\s*_attr\([^)]*\);\s*if \(notOnOrAfter\)/, allowlist: [], reason: "SAML 2.0 Web Browser SSO Profile §4.1.4.2 requires every Bearer SubjectConfirmationData to carry a NotOnOrAfter that bounds the assertion's freshness window. lib/auth/saml.js verifyResponse once read `var notOnOrAfter = _attr(scd, \"NotOnOrAfter\"); if (notOnOrAfter) { ... }` — a MISSING NotOnOrAfter skipped the whole block, so a confirmation with no time bound was accepted as fresh-forever (an unbounded, replay-forever assertion; CWE-613 insufficient session expiration / CWE-294 replay). The Holder-of-Key sibling (Profile §3.1, which incorporates §3 time-bounding) had the same missing-attribute hole PLUS a second latent one: `if (noaHok && isFinite(...) && Date.parse(noaHok)/1000 < ...)` short-circuited on `&&`, so an UNPARSEABLE NotOnOrAfter was also accepted. Both sites now require presence + parseability + not-expired before the confirmation is honored (`if (!notOnOrAfter) continue;` then the isFinite/expiry continue). This detector fires while the Bearer check is the optional `if (notOnOrAfter)` shape and goes silent once it is the fail-closed `if (!notOnOrAfter) continue;` shape; the behavioral guard is test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js (RED on the optional shape for the missing-attr case, GREEN on the fix). Empty allowlist — an optional NotOnOrAfter on a Bearer confirmation is the unbounded-freshness bug." },
+  // #109 — defineGuard's default gate must resolve profile + posture.
+  {
+    id: "defineguard-defaultgate-skips-profile-posture-resolution",
+    primitive: "defineGuard's defaultGate must resolve profile + posture (resolveProfileAndPosture) before passing opts to buildGuardGate — otherwise the gate reads forensicSnippetBytes / maxRuntimeMs from RAW opts, dropping the profile's runtime cap and the posture's forensic-snippet cap",
+    scanScope: "lib",
+    regex: /function defaultGate\s*\([^)]*\)\s*\{(?:(?!resolveProfileAndPosture)[\s\S]){0,2000}?return buildGuardGate/,
+    allowlist: [],
+    reason: "#109 — defineGuard's defaultGate passed RAW opts straight to buildGuardGate, which reads opts.forensicSnippetBytes / opts.maxRuntimeMs directly. Those caps live in the resolved PROFILE (maxRuntimeMs) and POSTURE (forensicSnippetBytes), not the raw caller opts — so gate({ compliancePosture: \"hipaa\" }) dropped the 128-byte forensic cap to 0 (forensic snapshots disabled on a regulated-posture refusal) and dropped the profile's runtime cap to uncapped. The hand-written gates call resolveProfileAndPosture(opts, ...) first; the default gate must too. The span anchors on the single defaultGate and fires if its body reaches `return buildGuardGate` without a resolveProfileAndPosture call; the {0,2000} bound is a ReDoS backstop above the ~700-char body.",
+  },
+  // #129 — session.rotate must re-key the sid-bound device fingerprint.
+  {
+    id: "session-rotate-skips-fingerprint-rekey",
+    primitive: "session.rotate must re-key the sid-bound __bj_fingerprint to the NEW sid via _hashFingerprint(newSid, ...) — a rotated session that carries the old-sid hash makes verify() falsely report fingerprintDrift (logout under strict operators) or silently breaks the device binding",
+    scanScope: "lib",
+    regex: /async function rotate\s*\([^)]*\)\s*\{(?=[\s\S]*?newSidHash)(?:(?!_hashFingerprint|\n\})[\s\S]){0,3000}?\n\}/,
+    allowlist: [],
+    reason: "#129 — __bj_fingerprint is sid-keyed (_hashFingerprint(sid, inputs), so a stolen DB can't replay the binding). rotate() moves the sid but left the stored fingerprint bound to the OLD sid; verify(newToken, sameReq) then recomputes _hashFingerprint(newSid, inputs) and mismatches → a false fingerprintDrift (strict operators destroy the session = self-DoS on every rotation) or a silently-broken binding. rotate must re-key the fingerprint to the new sid from the live request: _hashFingerprint(newSid, _buildFingerprintInputs(req, fpFields)). The span anchors on the single async rotate() in lib/session.js and fires if its body reaches the column-0 close with no _hashFingerprint re-key; the {0,3000} bound is a ReDoS backstop above the ~2KB body. updateData legitimately PRESERVES the old hash (sid unchanged) so it is a different function and not matched.",
+  },
+  // #120 — a retention dry-run / preview must not VACUUM the database.
+  {
+    id: "retention-erase-vacuums-before-dryrun-gate",
+    primitive: "retention._erase must compute its sealed/hash field set and pass the `if (dryRun) return` gate BEFORE calling cryptoField.eraseRow — eraseRow schedules a full DB VACUUM and emits db.vacuum_after_erase under a regulated posture, so calling it before the dry-run gate makes a preview rewrite the whole database file per candidate row",
+    scanScope: "lib",
+    regex: /function _erase\s*\([^)]*\)\s*\{(?:(?!if \(dryRun\) return)[\s\S]){0,1500}?cryptoField\.eraseRow/,
+    allowlist: [],
+    reason: "#120 — cryptoField.eraseRow, under a posture whose POSTURE_DEFAULTS sets requireVacuumAfterErase (gdpr/hipaa/dpdp/pipl-cn/lgpd-br), calls db().vacuumAfterErase({ mode: \"full\" }) → VACUUM; → db.vacuum_after_erase. retention._erase called eraseRow at the top of the function, before the `if (dryRun) return { wouldErase: 1 }` gate, so b.retention.run(name, { dryRun: true }) (and the CLI `retention preview`) ran a full-table VACUUM per past-TTL row — a preview that locks the DB and rewrites the file, the opposite of a dry-run. eraseRow's return value is discarded (void erased), so it only ran for that side effect; the fix computes sealedFields/hashFields (no side effect) and returns on dryRun BEFORE eraseRow. The tempered span anchors on the single _erase and the `if (dryRun) return` structural boundary: it fires while eraseRow is reachable before the gate and goes silent once eraseRow moves after it; the {0,1500} bound is a ReDoS backstop above the ~400-char body.",
+  },
+  // #71 — registerTable must honor the pinned posture's seal-envelope floor.
+  {
+    id: "crypto-field-register-without-seal-floor-gate",
+    primitive: "enforce the pinned posture's sealEnvelopeFloor at cryptoField.registerTable (_assertSealEnvelopeFloor) — a regulated posture must refuse a table sealing columns below its envelope floor",
+    regex: /function registerTable\b/,
+    requires: /_assertSealEnvelopeFloor/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "CWE-311/CWE-326 — POSTURE_DEFAULTS gained a sealEnvelopeFloor (hipaa/pci-dss → aad); registerTable must throw at config-time when a regulated posture is pinned and the table seals columns under a weaker envelope (plain below aad/per-row-key), or a HIPAA deployment can register a copy-paste-vulnerable plain-sealed table.",
+  },
   {
     // Node 26 ships `Map.prototype.getOrInsertComputed(key, factory)`
     // (TC39 stage-4, lands in V8 13.x). It replaces the two-step
@@ -6423,6 +7369,34 @@ var KNOWN_ANTIPATTERNS = [
     // derives a different signing input or refuses the critical header.
     // The `requires` companion is satisfied by the refusal branch
     // naming 'b64' somewhere in the same file.
+    id: "db-query-write-without-residency-gate",
+    primitive: "_assertLocalResidency(table, plaintextRow, op) before cryptoField.sealRow on every local write path",
+    // A local write method that seals a row without first running the
+    // residency gates can land a region-bound row (or region-bound
+    // column value) outside the deployment's declared region set —
+    // the cross-border transfer shape GDPR Art 44-46 / PIPL Art 38 /
+    // DPDP §16 regulate. The gate must see the PLAINTEXT row, so it
+    // runs before sealRow in the same method.
+    regex: /sealRow\(this\._cryptoFieldKey\(\)/,
+    requires: /_assertLocalResidency\(this\._cryptoFieldKey\(\)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.14.24 — declareColumnResidency/assertColumnResidency shipped in v0.7.27 documenting a write-time gate that was never wired into any write path; rows and region-bound columns landed on any backend unchecked. Every db-query method that seals a row must run _assertLocalResidency on the plaintext first; a future write method (upsert, bulk path) inherits the requirement automatically.",
+  },
+  {
+    id: "ar-header-prepend-without-forged-strip",
+    primitive: "_stripForgedAuthResults(messageBuf, authservId) before prepending a computed Authentication-Results header",
+    // A receiver that prepends its own Authentication-Results header
+    // without first deleting sender-attached instances claiming the
+    // same authserv-id lets a forged pre-attached verdict shadow the
+    // computed one for downstream consumers (RFC 8601 §5 MUST).
+    regex: /Buffer\.from\(\s*\w+\.authResults\s*\+/,
+    requires: /_stripForgedAuthResults/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.14.23 — a receiver that prepends its computed Authentication-Results header without stripping sender-forged instances carrying its own authserv-id lets a downstream consumer reading 'the receiver's A-R header' read the attacker's instead. RFC 8601 §5 requires deleting (or renaming) same-authserv-id instances before adding the new one. Any code path that prepends an emitted A-R header must compose the strip helper in the same file.",
+  },
+  {
     id: "jose-header-passthrough-without-b64-crit-refusal",
     primitive: "refuse own 'b64'/'crit' members on any caller-supplied JOSE protected-header object before signing",
     regex: /assignOwnEnumerable\s*\(\s*\{\s*\}\s*,\s*opts\.header/,
@@ -7468,6 +8442,30 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: ["lib/gate-contract.js"],
     reason: "Extracted across guard-csv / guard-html / guard-svg compliancePosture(name) entry points. Identical 5-line `if (!COMPLIANCE_POSTURES[name]) throw; return Object.assign({}, COMPLIANCE_POSTURES[name])` shape consolidated.",
   },
+  {
+    // Every command / protocol / pipeline guard whose four baseline
+    // postures (hipaa / pci-dss / gdpr / soc2) all map to the bare string
+    // "strict" composes the single frozen gateContract.ALL_STRICT_POSTURES
+    // map instead of re-declaring the literal. The literal was byte-
+    // identical across ~36 guard/safe/mail files (the POP3 / IMAP / SMTP /
+    // ManageSieve command validators, mail-compose / query / sieve / move /
+    // reply, the envelope + event-bus shapes, the mail-pipeline scorers,
+    // the safe-* line-protocol parsers, and mail-crypto-smime) — a genuine
+    // duplicate, not a shape-only coincidence — so it was extracted to a
+    // shared constant in lib/gate-contract.js and the call sites rewritten
+    // to `var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES`. The
+    // STRONG-DUP block detector only fires at 3+ files, so a single future
+    // file re-inlining the literal would slip past it; this n=1 inverse
+    // detector catches the re-introduction the moment it lands. The
+    // negative lookaheads exclude the content-guard overlay shape
+    // (`Object.assign({}, PROFILES["strict"], { ... })`), which is a
+    // genuinely per-guard posture map and is NOT centralized.
+    id: "inline-all-strict-postures-map",
+    primitive: "gateContract.ALL_STRICT_POSTURES — the canonical frozen strict-all posture map (hipaa/pci-dss/gdpr/soc2 → \"strict\"); compose it (`var COMPLIANCE_POSTURES = gateContract.ALL_STRICT_POSTURES`) instead of re-declaring the strict-all posture map inline",
+    regex: /COMPLIANCE_POSTURES\s*=\s*Object\.freeze\(\s*\{(?=(?:(?!PROFILES|Object\.assign|COMPLIANCE_POSTURES\s*=)[\s\S]){0,400}?["']?hipaa["']?\s*:\s*["']strict["'])(?=(?:(?!PROFILES|Object\.assign|COMPLIANCE_POSTURES\s*=)[\s\S]){0,400}?["']pci-dss["']\s*:\s*["']strict["'])(?=(?:(?!PROFILES|Object\.assign|COMPLIANCE_POSTURES\s*=)[\s\S]){0,400}?["']?gdpr["']?\s*:\s*["']strict["'])(?=(?:(?!PROFILES|Object\.assign|COMPLIANCE_POSTURES\s*=)[\s\S]){0,400}?["']?soc2["']?\s*:\s*["']strict["'])(?:(?!PROFILES|Object\.assign|COMPLIANCE_POSTURES\s*=)[\s\S]){0,400}?\}\s*\)/,
+    allowlist: ["lib/gate-contract.js"],
+    reason: "The strict-all COMPLIANCE_POSTURES map (hipaa/pci-dss/gdpr/soc2 all → \"strict\") was a byte-identical duplicate across ~36 command/protocol/pipeline guards (guard-pop3/imap/smtp/managesieve-command, guard-mail-compose/query/sieve/move/reply, guard-list-id/list-unsubscribe, guard-event-bus-topic/payload, guard-dsn/envelope/message-id/idempotency-key/jmap/tenant-id/trace-context/saga-config/snapshot-envelope/agent-registry/posture-chain/stream-args, safe-ical/vcard/sieve/icap/dns, mail-helo/scan/rbl/greylist/spam-score, ai-content-detect's posture overlay, and mail-crypto-smime). Extracted to the single frozen gateContract.ALL_STRICT_POSTURES and every call site rewritten to read it by reference — the object is frozen once and shared, never mutated. This inverse detector refuses any re-inlined strict-all literal outside lib/gate-contract.js (the primitive home, allowlisted); the STRONG-DUP block detector would only catch a re-introduction once it reached 3+ files, so the n=1 gate is what makes the extraction durable. Content guards that overlay per-posture byte-limits or redaction flags (CSV / HTML / JSON / XML / YAML / JWT / OAuth / template / ... use `Object.assign({}, PROFILES[\"strict\"], { ... })`) keep their own posture map and are excluded by the negative lookaheads.",
+  },
   {
     id: "inline-rule-pack-loader",
     primitive: "gateContract.makeRulePackLoader(errorClass, codePrefix)",
@@ -7912,8 +8910,48 @@ var KNOWN_ANTIPATTERNS = [
     regex: /\b(FROM|INTO|UPDATE|TABLE|INDEX|TRIGGER|VIEW|JOIN)\s+["']\s*\+\s*(?![qQ][A-Za-z0-9_]|quoted)\w+\s*\+/,
     allowlist: [
       "lib/safe-sql.js",   // the helper itself emits quote chars
+      // lib/sql.js IS the b.sql query builder — the canonical composer
+      // that assembles SQL from safeSql-quoted identifiers + bound
+      // placeholders. Its CREATE TABLE / INDEX assembly interpolates a
+      // resolved table reference (ref.ref(dialect), which validates +
+      // quotes via the table() contract) after the keyword-string `ifNot`
+      // ("IF NOT EXISTS "), which the keyword+next-token regex misreads as
+      // a raw identifier. The builder is the thing every other module must
+      // route through, so it's exempt like safe-sql.js itself.
+      "lib/sql.js",
     ],
-    reason: "Identifier ALWAYS reaches SQL through safeSql.quoteIdentifier(name, dialect). Validates shape + quotes for the dialect; a future shape-regex bypass can't reach raw concatenation. Local variables holding quoted identifiers use a `q`/`Q`/`quoted` prefix so the detector can skip them.",
+    reason: "Identifier ALWAYS reaches SQL through safeSql.quoteIdentifier(name, dialect). Validates shape + quotes for the dialect; a future shape-regex bypass can't reach raw concatenation. Local variables holding quoted identifiers use a `q`/`Q`/`quoted` prefix so the detector can skip them. lib/sql.js (the b.sql builder) is exempt — it is the composer that assembles SQL from safeSql-quoted parts, so the must-compose rule is satisfied by construction there.",
+  },
+  {
+    id: "framework-table-sql-without-dialect",
+    primitive: "thread the configured backend dialect into every framework-table b.sql call — { dialect: clusterStorage.dialect() }, the module's _sqlOpts() helper, or dbSchema.handleDialect/sqlOpts",
+    skipCommentLines: true,
+    // Inverse detector for the tri-dialect data layer. A framework table —
+    // a "_blamejs_..." literal, a FOO_TABLE constant, or a _fooTable()
+    // table-name helper — addressed through the b.sql builder MUST carry the
+    // configured backend dialect. Omit it and the builder emits the sqlite
+    // default, so the statement parses locally and in the test backend
+    // (both sqlite) but breaks on a Postgres / MySQL deployment — a silent
+    // dialect-default footgun. Every framework module threads the dialect:
+    // inline `{ dialect: ... }`, a module-local `_sqlOpts()` returning
+    // `{ dialect: clusterStorage.dialect() }`, or dbSchema.handleDialect /
+    // dbSchema.sqlOpts. The regex marks the framework-table builder call;
+    // the companion `requires` is satisfied by any threading marker anywhere
+    // in the file.
+    //
+    // Anchors are framework-internal: a "_blamejs_" table literal, an
+    // UPPER_SNAKE *_TABLE constant, or an underscore-prefixed _fooTable()
+    // helper. Operator-supplied names (cli.js `safeTable` on the local
+    // single-node b.db handle) are deliberately NOT matched.
+    //
+    // Per-FILE durability guard: a framework-table b.sql module that threads
+    // NO dialect at all is the drift this catches. Per-CALL precision (one
+    // missed dialect in a file that threads elsewhere) belongs to the
+    // structural/primitive-aware detector tracked for a later cycle.
+    regex: /\bsql(?:\(\))?\.(?:select|insert|insertMany|update|upsert|del|delete|create|createTable|alter|drop|truncate)\s*\(\s*(?:["']_blamejs_|[A-Z][A-Z0-9_]*_TABLE\b|_[a-z][A-Za-z0-9]*Table\s*\()/,
+    requires: /dialect\s*:|sqlOpts\s*\(|handleDialect/,
+    allowlist: [],
+    reason: "v0.15.0 — the data layer is tri-dialect (sqlite / postgres / mysql). A framework-table b.sql call that omits the dialect emits the sqlite default and breaks on a Postgres/MySQL backend, silently, because the local default and the test backend are both sqlite. Every framework module threads it (inline `{ dialect: clusterStorage.dialect() }`, a `_sqlOpts()` helper, or dbSchema.handleDialect / dbSchema.sqlOpts); the requires-marker confirms the threading is present. Locks in the tri-dialect data layer so a newly-added framework table cannot silently default to sqlite.",
   },
   {
     id: "inline-optional-plain-object-validation",
@@ -8407,6 +9445,22 @@ var KNOWN_ANTIPATTERNS = [
     reason: "Hardcoded bind ports race under SMOKE_PARALLEL=64 when two parallel tests pick the same value. Convention: .listen(0) + server.address().port. Read-only protocol-constant references (autoconfig XML port: 993 / 587, mock-server config port: 1025) don't trip this detector — only .listen() with a literal non-zero port does.",
   },
 
+  {
+    // Constructing a "malformed" base64url test input by replacing only the
+    // FIRST standard-base64-only character ('+' or '/') of a freshly generated
+    // certificate/key is non-deterministic: the per-run base64 carries no such
+    // character ~0.4% of the time (a 400-char cert), so the replace is a no-op
+    // and the input stays a VALID value that is correctly accepted — flaking
+    // any assertion that expects refusal. Inject a base64url-only char
+    // unconditionally (prepend one) so the malformed entry is guaranteed.
+    id: "test-malformed-base64url-via-noop-replace",
+    primitive: "prepend a base64url-only char ('-' / '_') unconditionally to build a guaranteed-malformed x5c / JOSE base64 test input — never a single non-global replace of the first '+' / '/', which is a no-op when the input carries neither",
+    scanScope: "test",
+    regex: /\.replace\(\s*\/\[\+\/\]\/\s*,\s*["'][-_]["']\s*\)/,
+    allowlist: [],
+    reason: "A single non-global replace of the first standard-base64-only character to forge a base64url-charset string is a no-op whenever that run's base64 happens to carry no such character, leaving a still-valid input that is correctly accepted — so the refusal assertion flakes (measured ~0.4% per run on a 400-char certificate; surfaced as the OID4VCI base64url-x5c refusal flake). Build the malformed entry deterministically by prepending a base64url-only char.",
+  },
+
   {
     // v0.11.13 — `fs.watchFile` / `fs.watch` MUST NOT be called
     // directly from tests. The framework exposes `b.watcher`
@@ -8443,6 +9497,29 @@ var KNOWN_ANTIPATTERNS = [
     reason: "v0.11.13 — every recurring flake in the fs.watch test class (vault-seal-pem-file + watcher) shared the same root cause: the test wrote a file with a future mtime expecting the watcher's first poll to detect the change, but the first poll could land AFTER the mutation under runner contention. helpers.backdateFile establishes an unambiguously-older baseline; pairing it with future-mtime writes makes the watcher's transition detection deterministic.",
   },
 
+  {
+    // v0.15.0 — an encrypted-at-rest b.db.init refuses a tmpDir that is not a
+    // recognized tmpfs mount (/dev/shm, /run/shm, /run/user, /tmp): a decrypted
+    // working copy on persistent disk leaks into backup snapshots, replicas,
+    // and forensic images. That gate is a NO-OP on win32, so a test that builds
+    // its scratch dir under the repo-local test/.test-output and passes it to a
+    // BESPOKE db.init PASSES on the author's Windows host and FAILS on the
+    // Linux/macOS CI floor with db/tmpdir-not-tmpfs (audit-checkpoint-false-
+    // rollback shipped this exact bug). The shared setupTestDb / setupTestDbForMW
+    // helpers already pass allowNonTmpfsTmpDir:true; a bespoke db.init must opt in
+    // the same way, OR base its scratch on os.tmpdir() (/tmp on Linux is a
+    // recognized tmpfs), OR run atRest:"plain" (no decrypted working copy, so the
+    // gate does not apply). The companion `requires` is satisfied by any one.
+    id: "test-bespoke-db-init-nontmpfs-tmpdir",
+    primitive: "a bespoke b.db.init with a tmpDir must pass allowNonTmpfsTmpDir:true (as setupTestDb does), base the scratch on os.tmpdir(), or run atRest:\"plain\" — so the encrypted-at-rest non-tmpfs gate does not fail it on the Linux/macOS CI floor",
+    scanScope: "test",
+    skipCommentLines: true,
+    regex: /\bb\.db\.init\s*\([\s\S]{0,400}?\btmpDir\s*:/,
+    requires: /allowNonTmpfsTmpDir|atRest\s*:\s*["']plain["']|os\.tmpdir\s*\(/,
+    allowlist: [],
+    reason: "v0.15.0 — the encrypted-at-rest db.init disk-residency gate refuses a non-tmpfs tmpDir on Linux/macOS but is a no-op on win32, so a bespoke db.init with a repo-local (.test-output) scratch dir passes on Windows and fails on CI. setupTestDb / setupTestDbForMW already pass allowNonTmpfsTmpDir:true; a bespoke db.init must do the same, base its scratch on os.tmpdir() (/tmp = recognized tmpfs), or run atRest:\"plain\". The requires-marker confirms one mitigation is present in the file.",
+  },
+
   {
     // N3 (v0.10.14) — tests creating a real DB handle without an
     // isolation primitive. Any test file calling `b.db.create(` MUST
@@ -10875,11 +11952,14 @@ function testCompliancePostureCoverage() {
 // examples/wiki/Dockerfile, the workflow's `-p host:container` map +
 // curl host MUST also reference X.
 // Internal working notes (planning documents, scratch output, session
-// residue) live outside the repository — a tracked file under memory/,
-// notes/, or a .scratch* path ships internal planning narrative to
-// everyone who clones the repo. v0.14.22 removed the one such file that
-// had been committed (a migration planning note, added v0.11.2); this
-// gate refuses any recurrence at commit time instead of at code review.
+// residue) and editor/tool atomic-write temp artifacts
+// (<name>.tmp.<pid>.<hash>) live outside the repository — a tracked
+// file under memory/, notes/, a .scratch* path, or a *.tmp.* name
+// ships internal residue to everyone who clones the repo, and tmp
+// copies under lib/ ship in the npm tarball (`files` publishes lib/
+// wholesale). v0.14.22 removed a committed planning note; v0.14.23
+// caught four committed editor temp copies pre-merge. This gate
+// refuses any recurrence at commit time instead of at code review.
 function testNoTrackedInternalNotes() {
   var out;
   try {
@@ -10887,18 +11967,41 @@ function testNoTrackedInternalNotes() {
     // file — child_process is only touched on the two paths that talk
     // to the host (re-exec + this git query).
     out = require("node:child_process").execFileSync(
-      "git", ["ls-files", "memory", "notes", ".scratch", ".scratch-*"],
+      "git", ["ls-files", "memory", "notes", ".scratch", ".scratch-*", "*.tmp.*"],
       { stdio: ["ignore", "pipe", "ignore"] }
     ).toString().trim();
   } catch (_e) {
     // Not a git checkout (npm tarball / exported tree) — nothing to gate.
     return;
   }
-  check("no tracked internal-notes files (memory/ notes/ .scratch*)" +
+  check("no tracked internal-notes or temp-artifact files (memory/ notes/ .scratch* *.tmp.*)" +
         (out ? " — found: " + out.split("\n").join(", ") : ""),
         out === "");
 }
 
+// The residency write gates exist only if they're actually wired —
+// declareColumnResidency/assertColumnResidency shipped in v0.7.27
+// advertising a write-time gate that no write path called for 7 minor
+// versions. This gate pins the wiring: the local write methods run
+// _assertLocalResidency, the external query/transaction paths run
+// _assertRowResidency, and assertColumnResidency has a real lib/
+// caller outside its own definition file.
+function testResidencyGatesWired() {
+  var dbq, edb;
+  try {
+    dbq = fs.readFileSync("lib/db-query.js", "utf8");
+    edb = fs.readFileSync("lib/external-db.js", "utf8");
+  } catch (_e) { return; }
+  var localCalls = (dbq.match(/_assertLocalResidency\(this\._cryptoFieldKey\(\)/g) || []).length;
+  check("db-query wires the local residency gate on insert AND update", localCalls >= 2);
+  check("db-query wires the long-advertised assertColumnResidency",
+        dbq.indexOf("assertColumnResidency(") !== -1);
+  var extCalls = (edb.match(/_assertRowResidency\(sql,/g) || []).length;
+  check("external-db wires the row residency gate on query AND transaction", extCalls >= 2);
+  check("external-db replica reads honor the row tag",
+        edb.indexOf("REPLICA_RESIDENCY_INCOMPATIBLE") !== -1);
+}
+
 function testWikiPortAgreesAcrossArtifacts() {
   var bad = [];
   var dockerfile;
@@ -11773,6 +12876,8 @@ async function run() {
   testSafeGuardWiredInIndex();
   testSafeGuardHasMustComposeDetector();
   testNoTierTerminologyInLib();
+  testNoHandRolledSql();
+  testNoHardcodedFrameworkFileNames();
   testNoInlineRequires();
   testRequireBindingConsistency();
   testRequireBlockAlignment();
@@ -11895,6 +13000,7 @@ async function run() {
   // step's port mapping + curl host.
   testWikiPortAgreesAcrossArtifacts();
   testNoTrackedInternalNotes();
+  testResidencyGatesWired();
   testWikiStopGraceExceedsShutdownBudget();
   testOrchestratorRegistryReadsTenantScoped();
   testErrorCodesNamespacedKebab();