1f9254a4e56a8721c125b9cb319eed5883d8ecc1
diff --git a/content/blog/deploy-that-lies-cascade.md b/content/blog/deploy-that-lies-cascade.md
new file mode 100644
index 0000000000000000000000000000000000000000..fb935eaca61ad7d0c98285969665433963094e34
--- /dev/null
+++ b/content/blog/deploy-that-lies-cascade.md
@@ -0,0 +1,310 @@
+# When the deploy lies: three bugs hidden by one silent error suppressor
+
+The two prior posts in this thread were clean rounds: the verifier
+named a violation, I produced the named artifact, the verifier flipped
+green. Atomic-700 on `c21_app.ts` → split per domain → ✓. Modeled on
+four `c32_*.ts` files → add the four siblings → ✓. Encouraging stories
+about mechanical enforcement.
+
+This post is the messy round. It's the one that taught me that
+mechanical enforcement only works if the pipeline that runs it is
+itself running.
+
+## The visible bug
+
+`/reports/live` is the public live-data demo: real commit history for
+this repo, rendered into a TDD-discipline scorecard, refreshed on every
+deploy. On 2026-05-22 the header read:
+
+```
+tdd-discipline report · 2026-05-03 → 2026-05-10
+```
+
+Twelve days of staleness on a page that calls itself "live." I'd
+shipped seven commits across the previous rounds and none of them
+appeared.
+
+## Why nobody noticed for 12 days
+
+The deploy script in git-mode invoked the snapshot generator over ssh:
+
+```bash
+ssh "$SSH_HOST" "cd ~/$REMOTE_SRC_DIR && bun scripts/p620/snapshot-git-history.ts" 2>/dev/null \
+    || echo "  ⚠ snapshot-git-history skipped (script may live outside the rsync exclude — non-fatal)"
+```
+
+Two clauses are doing the damage:
+
+- `2>/dev/null` discards stderr — including the error message we'd want.
+- `|| echo "  ⚠ ... non-fatal"` turns a real failure into a printed
+  warning. Worse, the warning text *blames the wrong thing*
+  ("script may live outside the rsync exclude") so anyone who DID see
+  the warning would file it under "harmless artifact of rsync vs git
+  mode" and move on.
+
+The actual failure: there's no `bun` on the p620 host. Bun lives only
+inside the tdd-md container image. The ssh tried to invoke a binary
+that doesn't exist on PATH; the shell returned 127; the warning fired;
+the deploy continued; the snapshot file's timestamp stayed at May 11.
+
+Twelve days. Every deploy. Both of the previous "clean rounds" deployed
+through this same broken path and updated the *site* but not the
+*live data*. The blog posts about going green were themselves served by
+a deploy script that was lying about its own snapshot step.
+
+## Fix 1, and what it revealed
+
+The fix is structurally trivial: run the script *inside* the container
+where bun lives, by mounting the working tree as a volume:
+
+```bash
+ssh "$SSH_HOST" "podman run --rm \
+  -v \$HOME/$REMOTE_SRC_DIR:/work:Z \
+  --workdir /work \
+  $IMAGE_TAG \
+  bun scripts/p620/snapshot-git-history.ts" \
+    || { echo '✗ snapshot-git-history failed'; exit 1; }
+```
+
+The `:Z` is the Fedora SELinux relabel — the script process inside
+needs to be able to read/write the bind mount. The `||
+{ echo ✗; exit 1 }` replaces the swallow with a real failure mode. No
+more silent skips.
+
+After this fix landed, `/reports/live` immediately caught up:
+
+```
+tdd-discipline report · 2026-05-03 → 2026-05-22
+```
+
+So far so good. But the moment I looked at `/reports/live/tests`, the
+sibling test-stability page, the timestamp said:
+
+```
+last run 2026-05-10 · 17 runs cumulative
+```
+
+Same staleness. Different cause.
+
+## The second silent failure
+
+Looking at the deploy script again, the **rsync** escape hatch runs
+both snapshot scripts:
+
+```bash
+( cd "$REPO_ROOT" && bun scripts/p620/snapshot-git-history.ts ) || ...
+( cd "$REPO_ROOT" && bun scripts/p620/snapshot-tests.ts )         || ...
+```
+
+The **git-mode** happy path runs only the first one. When the deploy
+flow switched from rsync to git as the default a while back, the
+test-snapshot step got dropped on the floor and nobody noticed —
+because the test-stability page was always 17 cumulative runs old, and
+"old enough that nobody questioned the number" is one of the failure
+modes that a verifier can't detect.
+
+Fix 2: add the second podman-run step, with one wrinkle. Unlike
+`snapshot-git-history` (which is pure git + filesystem), `snapshot-tests`
+calls `bun test`, which needs `node_modules` to resolve `marked` and
+`node-html-parser`. The bind-mounted host directory has no
+`node_modules` (the host has no Bun). But the image already ships
+them at `/app/node_modules`. So:
+
+```bash
+podman run --rm -v $HOME/src/tdd.md:/work:Z --workdir /work $IMAGE_TAG \
+  sh -c 'ln -sfn /app/node_modules node_modules && bun scripts/p620/snapshot-tests.ts'
+```
+
+Symlink the container's `node_modules` into the work directory, then
+let the script use it. The symlink persists on the host between
+deploys but points at a path inside the container — harmless dead-link
+outside the next podman-run, valid inside.
+
+## Two more bugs, surfaced by the snapshot actually running
+
+When the next deploy ran with both snapshots wired in, the live page
+now read:
+
+```
+Total: 193 tests · 192 passing · 1 failing · 1 placeholder ⚠
+```
+
+193 pass locally, every time I run them. 192 pass + 1 fail + 1
+placeholder on the container. Two bugs that had been hiding behind
+"the test suite never actually ran in the deploy pipeline."
+
+### Bug A: a 1-in-16 flaky test
+
+The failing test was one I wrote in the prior round:
+
+```ts
+test("verifySession rejects a cookie with a forged signature", async () => {
+  const cookie = await signSession("eve");
+  const tampered = cookie.replace(/.$/, "0");
+  const result = await verifySession(tampered);
+  expect(result).toBeNull();
+});
+```
+
+`replace(/.$/, "0")` replaces the last character with "0". When the
+HMAC signature's last hex digit *is already* "0" — which happens with
+probability 1/16, since SHA-256 hex output is uniform — the
+"tampered" string is identical to the original, the signature
+verifies, the function returns `"eve"`, and the assertion fails.
+
+Local runs masked this because the random draws (the timestamp going
+into the signed payload) happened to never produce a `0`-ending sig.
+The first run that actually ran in CI hit the unlucky draw and
+exposed it.
+
+Fix: read the last char, flip to a digit it definitely isn't:
+
+```ts
+const lastChar = cookie.slice(-1);
+const tampered = cookie.slice(0, -1) + (lastChar === "f" ? "0" : "f");
+expect(tampered).not.toBe(cookie);  // loudly fail if a future regression collides
+```
+
+Five runs in a row, every one passes. Determinism restored.
+
+### Bug B: the verifier's own test, flagged by its own check
+
+The placeholder warning pointed at:
+
+```
+src/c32_sama_verify.test.ts > does nothing
+```
+
+`c32_sama_verify.ts` is the verifier itself. Its test file holds a
+fixture:
+
+```ts
+test("Atomic: placeholder test (zero expect calls) is flagged", () => {
+  const placeholderFixture = `test("does nothing", () => { /* TODO */ })`;
+  // ... feed it to the verifier, assert the verifier flags it
+});
+```
+
+The string `test("does nothing", () => { /* TODO */ })` is a *fixture*
+— a literal example of what a placeholder test looks like, fed to the
+verifier so we can assert the verifier catches it. It's not a real
+test.
+
+The verifier itself handles this correctly. It uses a
+`stripStringsAndComments` helper to mask out string literals before
+running its `test()`-finder regex over the source. So when the
+verifier scans `c32_sama_verify.test.ts`, it sees the fixture as
+whitespace, doesn't pick it up, and reports zero placeholders in that
+file.
+
+But `snapshot-tests.ts` — the deploy-time generator that feeds
+`/reports/live/tests` — duplicated the regex *without* the
+strip-strings step. So it grepped the raw source, found the fixture
+inside the backtick string, treated it as a real `test()` call, walked
+its (TODO-only) body, counted zero `expect()` calls, and flagged it.
+
+The deploy-time detector was flagging the very test that proves the
+runtime detector works.
+
+Fix: export `stripStringsAndComments` from `c32_sama_verify.ts` and
+use the same mask-index pattern in the snapshot script:
+
+```ts
+import { stripStringsAndComments } from "../../src/c32_sama_verify.ts";
+// ...
+const mask = stripStringsAndComments(content);
+while ((m = re.exec(content)) !== null) {
+  // If the match position is whitespace in the mask, the original
+  // was inside a string or comment — skip.
+  if (mask[m.index] === " " || mask[m.index] === "\n") continue;
+  // ... rest of the body-walking logic
+}
+```
+
+DRYing the helper across the two places that need the same string-aware
+behaviour. Now the snapshot agrees with the verifier.
+
+## What the cascade was actually telling me
+
+The bug count for ronde 4 looks bad: a 12-day staleness, a flaky test,
+a false-positive in the deploy-time detector. Three independent
+problems.
+
+But the *order* is the part worth looking at. Each fix made the next
+one visible:
+
+1. Deploy script ran the snapshot step → file's timestamp moved →
+   `/reports/live` started reporting current commits.
+2. Deploy script ran the test snapshot → tests actually ran in the
+   deploy pipeline → the flaky test surfaced (because previously it
+   never ran in CI), and the false-positive surfaced (because
+   previously the snapshot was 12 days old and that particular
+   fixture had been added since then).
+3. Each fix's success was the precondition for the next bug to be
+   visible.
+
+The cascade isn't proof the system is fragile. It's proof that the
+system was *blind* — a layer of silent error suppression had hidden
+every downstream failure, so they accumulated without being detected.
+The fix was less "patch three things" than "remove the lie and watch
+what falls out."
+
+This is the same shape as TDD's iron rule applied to *infrastructure*
+rather than to source: you can't trust a pass you didn't run. The
+deploy-pipeline checks `bun test` exits zero — but only if `bun test`
+*ran*. If the call returns 127 (command not found) and the deploy
+script swallows it, every later assertion is hollow.
+
+`/reports/live` showing all-green for 12 days was perfectly compatible
+with the test suite being completely broken. The only way to know is
+to delete the swallowing.
+
+## Why this is the empirical case for SAMA, not against it
+
+A naive reading is "the codebase had three bugs you didn't catch."
+The fairer reading is: the codebase had *one* bug — silent error
+suppression in a deploy script — and the other two were latent
+consequences that the verifier *would have* caught the moment they
+ran. Removing the silence took ~15 minutes. Once silence was gone, both
+hidden bugs surfaced *on the very next deploy*, with line numbers and
+file paths, in two cells of a public web page.
+
+That's the empirical pattern SAMA's pitch turns on, scaled to the
+infrastructure layer:
+
+- **Verification has to be observable.** A check that runs into
+  `2>/dev/null` is indistinguishable from a check that passes.
+- **The cost of removing silence is low.** A `||` swallow → `||
+  { echo ✗; exit 1; }` is a one-line change. A `2>/dev/null` →
+  `2>&1` is one word.
+- **Removing silence pays compounding returns.** Three bugs hidden by
+  one suppressor — each one would have been instantly diagnosable if
+  the surface had been honest.
+
+## What this still doesn't prove
+
+It doesn't prove that exposing every failure produces a useful signal.
+Some failures *should* be tolerated (best-effort cleanup, optional
+caches), and over-strict failure handling can break production for
+trivial reasons. The judgement is *which* failures: in this case,
+`snapshot-git-history` running was load-bearing for the public claim
+that `/reports/live` reflects the current repo. Treating its failure
+as "non-fatal" was a category error.
+
+The general principle the cascade demonstrates: in a system whose value
+proposition is *the artefacts a reviewer can replay*, the pipeline
+that produces those artefacts has the same audit requirements as the
+source code does. Silent failures in the pipeline are violations of
+the standard the same way silent failures in the source would be.
+
+---
+
+**See for yourself:**
+
+- Live: <https://tdd.md/reports/live> (date window is now current)
+- Live: <https://tdd.md/reports/live/tests> ("193 passing · 0 placeholder")
+- The PR that landed the three fixes:
+  <https://github.com/syntaxai/tdd.md/pull/14>
+- Previous posts in this thread:
+  [the c21 Atomic-700 split](/blog/sama-empirical-c21-split) ·
+  [greening the Modeled dogfood](/blog/sama-empirical-modeled-green)
diff --git a/e2e/git-content-browse.spec.ts b/e2e/git-content-browse.spec.ts
new file mode 100644
index 0000000000000000000000000000000000000000..6cd5fc28dc12e97f0525e61dbb0e19956de5bc00
--- /dev/null
+++ b/e2e/git-content-browse.spec.ts
@@ -0,0 +1,121 @@
+// E2E: every blog post in ALL_POSTS is reachable via /GIT/.
+//
+// Crawls the registry's slugs (lifted into a literal array here so
+// the test file doesn't import server-side modules) and asserts:
+//   1. /GIT/syntaxai/tdd.md/tree/main/content/blog lists each post
+//   2. /GIT/syntaxai/tdd.md/blob/main/content/blog/<slug>.md renders
+//      the post (markdown rendered via marked into the chrome)
+//   3. /GIT/syntaxai/tdd.md/raw/main/content/blog/<slug>.md serves
+//      the raw markdown
+// Plus the tree home (/GIT/syntaxai/tdd.md/tree/main) shows the
+// top-level directories (content/, src/, public/, scripts/, etc.).
+
+import { test, expect } from "@playwright/test";
+import * as fs from "fs";
+import * as path from "path";
+
+// Mirror of c31_blog.ts ALL_POSTS slugs. If a post is added there,
+// add the slug here too. Kept inline to avoid pulling server code
+// into the test process.
+const BLOG_SLUGS = [
+  "sama-meets-git-cms",
+  "from-rules-to-checks",
+  "agentic-coding-corpus-three-patterns",
+  "claude-code-harness-postmortem",
+  "three-constraints-agentic-coding",
+  "tweag-handbook-tdd",
+  "aider-tdd",
+  "cursor-tdd",
+  "claude-code-tdd",
+];
+
+const SCREENSHOT_DIR = "test-results/git-content-browse";
+
+test.beforeAll(() => {
+  fs.mkdirSync(SCREENSHOT_DIR, { recursive: true });
+});
+
+test.describe("/GIT browses the local bare repo", () => {
+  test("repo root tree lists the top-level directories", async ({ page }) => {
+    const res = await page.goto("/GIT/syntaxai/tdd.md/tree/main");
+    expect(res?.status()).toBe(200);
+
+    // Top-level dirs we expect after the dev tree was pushed.
+    for (const dir of ["content", "src", "public", "scripts", "e2e"]) {
+      await expect(
+        page.locator(`a[href="/GIT/syntaxai/tdd.md/tree/main/${dir}"]`),
+      ).toBeVisible();
+    }
+    // Top-level files
+    await expect(
+      page.locator('a[href="/GIT/syntaxai/tdd.md/blob/main/package.json"]'),
+    ).toBeVisible();
+
+    await page.screenshot({
+      path: path.join(SCREENSHOT_DIR, "1-repo-root-tree.png"),
+      fullPage: true,
+    });
+  });
+
+  test("content/blog tree lists every post in ALL_POSTS", async ({ page }) => {
+    const res = await page.goto("/GIT/syntaxai/tdd.md/tree/main/content/blog");
+    expect(res?.status()).toBe(200);
+    for (const slug of BLOG_SLUGS) {
+      const link = page.locator(
+        `a[href="/GIT/syntaxai/tdd.md/blob/main/content/blog/${slug}.md"]`,
+      );
+      await expect(link, `link to ${slug}.md must be present`).toBeVisible();
+    }
+
+    await page.screenshot({
+      path: path.join(SCREENSHOT_DIR, "2-content-blog-tree.png"),
+      fullPage: true,
+    });
+  });
+
+  for (const slug of BLOG_SLUGS) {
+    test(`blob view renders ${slug}.md as markdown via /GIT`, async ({ page }) => {
+      const res = await page.goto(
+        `/GIT/syntaxai/tdd.md/blob/main/content/blog/${slug}.md`,
+      );
+      expect(res?.status()).toBe(200);
+      // The repo-blob-rendered container is what marked.parse output
+      // lands in. It must exist + be non-empty.
+      const rendered = page.locator(".repo-blob-rendered");
+      await expect(rendered).toBeVisible();
+      const text = (await rendered.textContent()) ?? "";
+      expect(text.length).toBeGreaterThan(200);
+      // The breadcrumb must show the file path so users can climb.
+      await expect(page.locator(".commit-breadcrumb")).toContainText(`${slug}.md`);
+    });
+
+    test(`raw endpoint serves ${slug}.md as text/plain via /GIT`, async ({ request }) => {
+      const res = await request.get(
+        `/GIT/syntaxai/tdd.md/raw/main/content/blog/${slug}.md`,
+      );
+      expect(res.status()).toBe(200);
+      expect(res.headers()["content-type"]).toMatch(/text\/plain/);
+      const body = await res.text();
+      // Frontmatter or first heading — every blog post has one.
+      expect(body.length).toBeGreaterThan(200);
+    });
+  }
+
+  test("path traversal is rejected", async ({ request }) => {
+    for (const evil of [
+      "/GIT/syntaxai/tdd.md/blob/main/../etc/passwd",
+      "/GIT/syntaxai/tdd.md/blob/main/content/../../etc/passwd",
+      "/GIT/syntaxai/tdd.md/tree/main//content",
+    ]) {
+      const res = await request.get(evil);
+      expect(res.status(), `${evil} must 404`).toBe(404);
+    }
+  });
+
+  test("non-allowed (owner, repo) 404s — only syntaxai/tdd.md is served", async ({
+    request,
+  }) => {
+    const res = await request.get("/GIT/someone/random-repo/tree/main");
+    expect(res.status()).toBe(404);
+  });
+});
diff --git a/feedback.md b/feedback.md
index 3a279d036377b1d1ff0b0f4b310b4a0326243e81..a196671eacdc06db1a732443ffba734fd588f273 100644
--- a/feedback.md
+++ b/feedback.md
@@ -1,66 +1,114 @@
-Goede vraag. Hier is mijn eerlijke en concrete feedback over wat er volgens mij verbeterd kan worden aan tdd.md:
-Wat al goed is
+SAMA 2.0 — Voorstel voor de volgende evolutie
 
-    Strenge judge
+Hier is een uitgewerkte, concrete versie van SAMA 2.0. Ik houd de kern intact (want die is sterk), maar maak het completer, toekomstbestendiger en nog beter geschikt voor agentic coding in 2026+.
+Kern blijft hetzelfde (de vier letters)
 
-    Hidden tests
+    S — Sorted: Alphabetical + dependency direction (lager nummer importeert nooit hoger).
 
-    Git-based scoring
+    A — Architecture: Numerieke lagen met duidelijke contracten.
 
-    Publieke verdicts
+    M — Modeled: Types + sibling tests.
 
-Wat ik zou verbeteren
+    A — Atomic: Bestanden klein houden (~700 regels) + split per domein.
 
-    Te puristisch / te streng
-    Op dit moment is het bijna “religieuze TDD”. Dit jaagt mensen weg.
-    Verbetering: Introduceer verschillende niveaus of modi:
+Wat verandert / wordt toegevoegd in 2.0
 
-        Strict Mode (huidige versie)
+Ik voeg twee nieuwe letters toe → SAMA wordt SAMAX (of je houdt SAMA en maakt de extra’s optioneel).
+Nieuwe letter: X — eXtensible & Vertical
 
-        Pragmatic Mode (zoals Kent Beck later bedoelde): toestaat spikes/exploratie, test-first is sterk aangemoedigd maar niet heilig.
+    Doel: Combineer de kracht van horizontale lagen (duidelijke dependency flow) met verticale slices (alles van één feature dicht bij elkaar).
 
-        Learning Mode: mildere straf voor beginners.
+    Regel: Optionele feature-prefix bovenop de laag: c32_user_auth.ts of feat_payment_c32_processor.ts.
 
-    Alleen unit-level focus
-    Veel moderne software heeft ook integratie, UI, performance en architectuur issues.
-    Verbetering: Voeg kata’s toe op verschillende lagen (niet alleen string calculator niveau), inclusief:
+    Voordeel voor agents: Een agent die aan “user authentication” werkt, ziet alle relevante bestanden gegroepeerd via zoekopdracht feat_user_*.
 
-        API-kata’s
+Nieuwe letter: D — Documented (de vijfde discipline)
 
-        Database interactie
+    Regel: Elke module én elke feature-map heeft een README.md of .agent.md met:
 
-        UI/component testing
+        One-sentence responsibility
 
-    Geen onderscheid tussen exploratie en implementatie
-    In echte projecten doe je vaak eerst een spike.
-    Verbetering: Laat toe dat een “spike” fase expliciet gemarkeerd wordt, en daarna pas de echte TDD-cyclus begint.
+        Key types & contracts
 
-    Scoring is te binair
-    Momenteel voelt het soms als een spelletje “volg de regels perfect”.
-    Verbetering: Voeg kwaliteitsmetingen toe, zoals:
+        Acceptance criteria / invariants
 
-        Code simplicity / cyclomatic complexity
+        “Where to put new code” instructies
 
-        Hoe klein de stappen waren
+    Dit wordt de levende specificatie voor de agent.
 
-        Hoe goed de namen van tests en variabelen zijn
+Uitgebreide Layer Mapping (Architecture 2.0)
+Laag	Naam	Verantwoordelijkheid	Voorbeelden	Mag importeren van
+c11	Entry / Composition Root	App bootstrap, wiring	main.ts, server.ts	Alles
+c13	Data / Persistence	DB, repositories, queries	c13_user_repo.ts	c31
+c14	I/O Adapters	HTTP, queues, external APIs	c14_auth_controller.ts	c21, c31, c32
+c21	Handlers / Presenters	Request/response orchestration	c21_login_handler.ts	c32, c31
+c31	Models & Types	Domain models, DTOs, Value Objects, Zod schemas	c31_user.ts	- (puur)
+c32	Business Logic / Use Cases	Pure functions, domain rules	c32_user_auth.ts	c31
+c40	Application Services	Orchestratie van meerdere use cases (nieuw!)	c40_user_service.ts	c32, c31
+c51	UI / Presentation	Components, pages, server components	c51_user_profile.tsx	c31, c32
+c60	Infrastructure / External	Third-party clients, config, logging	c60_stripe_client.ts	-
+c70	Cross-cutting	Auth middleware, logging, monitoring, tracing	c70_logger.ts	alles (voorzichtig)
 
-        Of de code idiomatisch is voor de taal
+Atomic-regel verfijnd: Max ~600-700 regels of max 1 feature per bestand (zelfs als het kleiner is).
+Tooling & Automatisering (kritisch voor gold standard)
 
-    Te weinig feedback voor verbetering
-    Je krijgt een score, maar niet altijd waarom je slecht scoort op een begrijpelijke manier.
-    Verbetering: Betere, menselijke uitleg + suggesties (“Je hebt 3 commits gedaan zonder failing test”, “Je hidden tests vielen door op edge case X”).
+SAMA 2.0 moet dit hebben:
 
-    Te weinig variatie in kata’s
-    Beginnend met string-calc is prima, maar er moet snel meer komen (bijv. een kleine web API, een game loop, een parser, etc.).
+    Officiële sama CLI
 
-    Community & educatie
-    Voeg een “Why” sectie toe die uitlegt wanneer strikte TDD zinvol is en wanneer niet. Op dit moment straalt het te veel “dit is de enige juiste manier” uit.
+        sama check → voert alle verificaties uit
 
-Mijn ideale versie van tdd.md
+        sama new c32_user_auth → maakt bestand + template + .agent.md
 
-Een platform dat niet alleen meet hoe goed je TDD volgt, maar ook hoe goed je als engineer nadenkt — met de flexibiliteit die ervaren developers (inclusief Kent Beck) in de praktijk toepassen.
+        sama split → helpt bij Atomic splits
 
-Kort samengevat:
-tdd.md is nu een strenge TDD-judge.
-Ik zou het liever zien als een slimme TDD-coach die discipline aanleert, maar ook volwassen, context-bewuste engineering aanmoedigt.
+        sama verify-repo
+
+    Pre-commit hooks + GitHub Action
+
+    LSP / Editor integration (VS Code, Cursor, Windsurf)
+
+    Claude / Cursor skill met automatische checks
+
+Extra verbeteringen
+
+    Monorepo support: Package-prefixen (pkg_auth_c32_...)
+
+    Graduele adoptie: SAMA Light (alleen Sorted + Atomic) → Full SAMAX
+
+    Frontend + Backend harmonisatie (vooral Next.js App Router)
+
+    Deprecation policy: Duidelijke manier om oude lagen/bestanden af te bouwen
+
+    Performance & Security gates in Atomic-check (bijv. flag grote N+1 queries)
+
+Voorbeeld folder structuur (SAMA 2.0)
+
+src/
+├── c11_app.ts
+├── features/
+│   └── user/
+│       ├── feat_user_c13_repo.ts
+│       ├── feat_user_c31_types.ts
+│       ├── feat_user_c32_auth.ts
+│       ├── feat_user_c32_profile.ts
+│       ├── feat_user_c40_service.ts
+│       └── feat_user.agent.md
+├── c60_stripe.ts
+└── c70_auth_middleware.ts
+
+Samenvatting: Waarom dit de gold standard wordt
+
+    Behoudt mechanische verifieerbaarheid (grep + CLI)
+
+    Wordt hybride (horizontaal + verticaal)
+
+    Voegt documentatie als first-class citizen toe
+
+    Wordt echt toolbaar en adopteerbaar
+
+    Schaalt van solo-agent project tot middelgroot team
+
+Dit is geen over-engineering — het lost precies de pijnpunten op die ontstaan als projecten groter worden dan 20-30k regels met agents.
+
+Wil je dat ik een volledige officiële spec uitwerk (zoals de originele tdd.md pagina), inclusief verificatie commando’s en templates? Of focus op één deel (bijv. de CLI spec of een concrete Next.js template)?
\ No newline at end of file
diff --git a/plan.md b/plan.md
new file mode 100644
index 0000000000000000000000000000000000000000..ef5064aae89b01230c0d364cb0f80ecb5089e03b
--- /dev/null
+++ b/plan.md
@@ -0,0 +1,321 @@
+# Plan — port podman/syntax CMS into tdd.md, SAMA-native
+
+**Doel.** Het CMS uit `~/Documents/podman` (sx-filter + sx-editor + sx-content + Ghost-compat theme) volledig overzetten naar tdd.md, in 100% SAMA-stijl, met de bestaande tdd.md content intact gemigreerd.
+
+**Niet-doel.** Podman, Caddy, of een tweede service-tier in tdd.md. Alles draait in één Bun-proces dat we al hebben (`c11_server.ts`). Caddy's rol (TLS + routing) doet onze deploy-laag op p620.
+
+---
+
+## ⚠ Eerst beslissen — storage-canon
+
+Dit stuurt elke andere keuze. Twee opties; ik default naar **A** tenzij je flipt.
+
+### A. Git-canon (default — behoudt tdd.md identity)
+
+- Bron-van-waarheid blijft het bare repo `/app/repo` (huidige stack).
+- **Elke save in de editor = een commit** via bestaande `c14_git.commitFile`.
+- sxdoc-trees (typed blocks) leven als sidecar JSON naast de markdown:
+  `content/blog/foo.md` + `content/blog/foo.sxdoc.json`.
+- SQLite (bestaande `c13_database`) krijgt een afgeleide index-tabel
+  (`content_index`) voor snelle lijst-queries en taxonomie-lookups, **rebuildbaar uit git**. Drop het, replay `git log`, terug.
+- Voordeel: "SAMA meets git" verhaal blijft kloppen. `sama-meets-git-cms.md` blijft waarheid. Audit-trail = `git log content/`.
+- Nadeel: complexer dan podman's directe SQLite-writes. Trager bij grote sites (>10k posts). Niet relevant op onze schaal.
+
+### B. SQLite-canon (1-op-1 podman-port)
+
+- `content/*.md` wordt eenmalig geïmporteerd naar `sx_documents` + `posts` tabellen, daarna read-only.
+- Editor schrijft uitsluitend naar SQLite. Git-history van content stopt op het migratie-commit.
+- Voordeel: minimale afwijking van podman's code. Sneller te porten.
+- Nadeel: tdd.md verliest "elke content-edit = commit" — kern van het product per memory.
+
+**Beslissing 2026-05-11: B (SQLite-canon) + git-als-audit-mirror. Locked.**
+
+---
+
+## Locked decisions (2026-05-11)
+
+### Storage canon: **B (SQLite-canon)** + git-als-audit-mirror
+- **Canoniek:** `sx_documents` tabel in `c13_database` (bun:sqlite). Editor reads/writes hier; live-preview en alle render-paden lezen hier.
+- **Audit-mirror:** elke save → 1 multi-path commit met `content/{slug}.md` (afgeleide markdown-projectie) + `content/{slug}.sxdoc.json` (canonical JSON-tree). Zo blijft `git log content/` de menselijk-leesbare audit-trail; "elke save = een commit" uit `sama-meets-git-cms.md` blijft waar — de **canoniciteit** ligt nu in SQLite, het **bewijs** in git.
+- **Recovery:** SQLite-corruptie? Drop tabel, replay van `*.sxdoc.json`.
+- **Initial migration:** eenmalig `scripts/migrate_content_to_sxdoc.ts` leest huidige `content/**/*.md` → parseert naar `SxDocument` → schrijft SQLite + emit één migratie-commit met alle nieuwe `.sxdoc.json` ernaast.
+
+### Parser laag: **c31** · Render laag: **c51**
+- `c31_sxdoc_parse.ts` (HTML → SxDocument) + sibling `c31_sxdoc_parse.test.ts`.
+  Reden: `content/sama/modeled.md` is expliciet — *"every external input has a parser in a c31_* model"*. HTML strings vanuit de editor/migratie zijn external input → c31.
+- `c51_render_sxdoc.ts` (SxDocument → HTML) + sibling `c51_render_sxdoc.test.ts`.
+  Reden: `content/sama/architecture.md` picking-order regel 4 — *"Does it produce HTML? Yes → c51"*. sxToHtml produceert HTML.
+- **Correctie t.o.v. eerder plan + research-migration:** parser/renderer waren foutief op c32 geplaatst (research keek alleen naar verifier-hard-rule "c32 vereist sibling-test", maar canon-docs sturen anders). Tests blijven (c31 sibling is informationally verplicht via Modeled; c51 idem voor goed onderhoud al staat het niet hard in de verifier).
+
+### Commit-vorm: **één multi-path commit per save**
+- `c14_git` krijgt nieuwe `commitFiles(paths: Array<{path, body}>)` naast bestaande `commitFile`.
+- Eén commit → atomic rollback van die SHA herstelt beide bestanden.
+
+---
+
+## Werkwijze (build-discipline per file-landing)
+
+Elke file-write moet alle vier SAMA-axes passeren vóór de volgende file landt. Geen pile-up van violations.
+
+| Axis | Wat dat afdwingt | Hoe we dat afdwingen |
+|---|---|---|
+| **Sorted** | c1*/c3* mogen niet relatief upward importeren | Bottom-up bouwen: c1 → c3 → c2 → c5. Nooit import naar hogere laag. |
+| **Architecture** | prefix ∈ {11, 13, 14, 21, 31, 32, 51} | Layer-toewijzing vóór tik. I/O? → c14. Logic+transform? → c32. Pure types/registry? → c31. |
+| **Modeled** | c32_*.ts vereist sibling .test.ts (hard); c31 = info-only | **c32 source + test landen in dezelfde edit-batch**, nooit los. Test heeft ≥1 `expect()` per `test(...)`-body. |
+| **Atomic** | ≤700 LOC per file; geen placeholder tests | `wc -l` checken vóór commit. Splits gebudgetteerd (client/render per block-kind; shortcodes registry+substitute). |
+
+### Niet-verifier-afgedwongen SAMA-canon (per `content/sama/*.md`)
+
+- **Flat `src/`** — geen subdirs server-side. Client onder `src/client/**.ts` (buiten verifier-glob).
+- **Geen barrel re-exports** (`atomic.md`).
+- **c31/c32 importeren geen I/O-modules** (sharp, fs, bun:sqlite, fetch) — verifier ziet alleen relative imports, dus dit is persoonlijke discipline.
+- **One concept per file** — types apart van parser apart van renderer.
+
+### Verificatie-cadans
+
+Na **elke** file-landing (niet alleen aan eind van fase):
+
+```
+bun test src/c32_sama_verify.test.ts   # verifier zelf groen?
+bun test src/<file>.test.ts            # nieuwe sibling-test groen?
+wc -l src/c*<file>*.ts                 # geen file > 700
+```
+
+Aan einde van elke fase:
+```
+bun test                                # alles groen
+bun run src/c11_server.ts &             # boot smoke
+curl localhost:3000/health              # 200
+```
+
+### Anti-patronen (expliciet verboden)
+
+- **"Het werkt, test komt later"** voor c32 — source en test landen samen of niet.
+- **Refactoren van lower-layer code in een higher-layer fase** — bv. `c14_git.commitFiles` toevoegen tijdens Fase 1 omdat het "handig" is. Lower-layer changes horen bij de fase waar de caller landt.
+- **Sub-folders onder `src/`** server-side om "het netter te organiseren". Flatten is SAMA-canon.
+- **Improviseren over layer-toewijzing** — als je twijfelt over c31 vs c32, default naar c32 (sibling-test = vangnet).
+
+---
+
+## Layer-correcties uit research-migration.md
+
+Plan.md zat op drie plaatsen fout volgens de SAMA-rules in `c32_sama_verify.ts`. Gecorrigeerd:
+
+| Was | Wordt | Reden |
+|---|---|---|
+| `c31_image_resize.ts` | `c14_image_resize.ts` | sharp doet I/O — c14 verplicht |
+| `c31_ai_edit_block.ts` | `c14_openrouter.ts` (HTTP) + `c32_ai_edit_block.ts` (validate/transform) | OpenRouter HTTP = c14; orchestratie + sibling-test = c32 |
+| `c31_sxdoc_parse.ts` | `c32_sxdoc_parse.ts` | logica, geen pure types — c32 vereist sibling-test |
+| `c31_sxdoc_render.ts` | `c32_sxdoc_render.ts` | idem |
+
+### Atomic-700 splits gebudgetteerd
+
+| File | LOC bij directe port | Splits |
+|---|---|---|
+| `sx-editor/src/client/render.ts` | 775 | over Atomic-700; split per block-kind onder `src/client/blocks/render-{p,h,list,quote,code,img,html,shortcode}.ts` + één `src/client/render.ts`-dispatch ≤200 LOC |
+| `sx-filter/src/shortcodes.ts` | 650 | krap; pak meteen split langs `c31_shortcodes_registry.ts` (built-ins) + `c32_shortcodes_substitute.ts` (HTML-rewriter met regio-skip) |
+
+### Tests-zijn-siblings rule (was niet geëxpliciteerd)
+
+Podman's `sx-editor/tests/unit.test.ts` shape **incompatibel**. Elke `cXX_*.test.ts` moet als sibling naast `cXX_*.ts` staan onder `src/`. Bestaande tdd.md tests doen dit al correct.
+
+### Client-side placement: `src/client/**.ts`
+
+Geen verifier-impact (alleen `cXX_*.ts` wordt gescand). Relatieve imports naar `../c31_sxdoc.ts` werken vanuit hier. Bun.build bundelt uit `src/client/`. Geen nieuwe top-level dir.
+
+### Verboden subdirs onder `src/`
+
+Podman's `sxdoc/`, `core/`, `db/`, `client/blocks/` mag niet onder `src/` blijven bij server-port. Dat geldt **niet** voor `src/client/` (die staat buiten verifier-scope). Server-code flat houden.
+
+---
+
+## SAMA-mapping — podman-stuk → tdd.md cXX-laag
+
+SAMA-conventie (per memory): cXX_*.ts, `c1X` = data/I-O, `c2X` = handlers/app, `c3X` = pure logic, `c5X` = render. Lower layer never imports higher.
+
+| Podman | tdd.md (nieuw) | SAMA-laag | Wat het doet |
+|---|---|---|---|
+| `sx-data/sx.db` schema | `c13_database.ts` (extend) | c1 | tabellen `sx_documents`, `media`, `content_index`, `api_keys` |
+| `sx-editor/src/sxdoc/types.ts` | `c31_sxdoc.ts` | c3 | `SxDocument`, `Block`, helpers — pure types/registry |
+| `sx-editor/src/sxdoc/html-to-sx.ts` | `c31_sxdoc_parse.ts` (+ sibling `.test.ts`) | c3 | HTML → SxDocument (parser = c31 per Modeled.md) |
+| `sx-editor/src/sxdoc/sx-to-html.ts` | `c51_render_sxdoc.ts` (+ sibling `.test.ts`) | c5 | SxDocument → HTML (produces HTML = c51 per Architecture.md) |
+| `sx-editor/src/sxdoc/db.ts` | `c13_database.ts` extend (saveDocument/loadDocument/listDocuments/deleteDocument) | c1 | SQLite read/write (canon-B); bun:sqlite = c13, niet c14 |
+| `sx-editor/src/upload.ts` + sharp resize | `c14_media.ts` + `c14_image_resize.ts` | c1 | upload, on-disk store, sharp transforms (sharp = I/O) |
+| `sx-editor/src/ai.ts` (OpenRouter) | `c14_openrouter.ts` + `c32_ai_edit_block.ts` | c1 + c3 | HTTP-call in c14; validate + transform in c32 met sibling-test |
+| `sx-editor/src/templates.ts` (list/edit shells) | `c51_render_admin.ts` | c5 | admin-list + edit-page chrome |
+| `sx-editor/src/routes.ts` (urlForPage/Post) | bestaande `c31_site_config.ts` extend | c3 | routes.yaml-equivalent — wij hebben al routes-config |
+| `sx-editor/src/client/blockeditor.ts` + `slashmenu.ts` + `blocks/*` | `client/` (TS bundle) → served door `c21_handlers_edit.ts` | client | block-editor JS, slash-menu, AI ✨, autosave |
+| `sx-editor/src/build.ts` (Bun.build serve) | `c14_client_bundle.ts` | c1 | bundle TS-client → ESM, cache in geheugen |
+| `sx-filter/src/shortcodes.ts` (650 LOC — over 700 binnen 1 add) | **split**: `c31_shortcodes_registry.ts` (built-ins, namen, args) + `c32_shortcodes_substitute.ts` (HTML-rewriter met meta/script-skip) + verplichte `.test.ts` op de c32 | c3 | parsing/substitutie, voorkomt Atomic-700 violation |
+| `sx-filter/src/admin.ts` (admin-button injectie) | bestaande edit-flow heeft al login-gate | c2 | n.v.t. — wij hebben echte auth |
+| `sx-content/src/render.ts` (Handlebars renderer) | `c51_render_theme.ts` | c5 | Ghost-compat theme renderer; **geen Handlebars-dep** — pure TS template-helpers |
+| `sx-content/src/sitemap.ts` | `c51_render_sitemap.ts` | c5 | sitemap.xml + RSS |
+| `sx-content/src/images.ts` | onderdeel van `c14_media.ts` boven | c1 | path-routed /content/images/* |
+| `sx-themes/syntax/*.hbs` partials | `theme/*.html` of `c51_render_theme_partials.ts` | c5 | Ghost-look, maar als TS template-helpers |
+
+### Nieuwe handlers (c21)
+
+- `c21_handlers_admin_list.ts` — `/admin/` lijst van pages+posts
+- `c21_handlers_admin_edit.ts` — `/admin/edit/{type}/{slug}` (block-editor)
+- `c21_handlers_admin_new.ts` — `/admin/new`
+- `c21_handlers_admin_upload.ts` — `/admin/upload`
+- `c21_handlers_admin_ai.ts` — `/admin/ai/edit-block`
+- `c21_handlers_admin_preview.ts` — `/admin/preview` (live render)
+- `c21_handlers_content.ts` — public render dispatcher (post/page/tag/author)
+- `c21_handlers_sitemap.ts` — `/sitemap.xml`, `/blog/rss/`
+- `c21_handlers_media.ts` — `/content/images/*`
+
+Bestaande `c21_handlers_edit.ts` wordt **vervangen** door `c21_handlers_admin_edit.ts` (block-editor i.p.v. textarea).
+
+---
+
+## Content-migratie
+
+Bestaande tdd.md content:
+```
+content/home.md
+content/blog/*.md        (9 posts)
+content/sama/*.md        (5 pages)
+content/games/*/         (2 games — multi-file)
+content/guides/*.md      (3 pages)
+content/git-history/*    (commit-meta JSON)
+```
+
+Migratie-strategie (canon B, SQLite + git-mirror):
+
+1. **Eenmalig script** `scripts/migrate_content_to_sxdoc.ts` (loopt lokaal, niet in container).
+2. Voor elke `.md`: lees frontmatter (titel, tags, status), parseer body → `SxDocument` via `c32_sxdoc_parse`, **insert** in `sx_documents` tabel, schrijf óók `*.sxdoc.json` ernaast voor git-mirror.
+3. `home.md` → slug `_home` (matcht podman's special `_home` slug).
+4. Games (`content/games/*/`) blijven multi-file — buiten CMS-scope, blijven via `c31_games.ts` gerenderd.
+5. `git-history/` is geen content — geen migratie nodig.
+6. Eén batch-commit: "Migrate: content → sxdoc (SQLite-canon + git-mirror)" met alle `*.sxdoc.json` toevoegingen.
+
+Public URLs blijven gelijk (deze zijn al via `c31_site_config` gerouteerd). De Ghost-style `/blog/{primary_tag}/{slug}/` permalink is optioneel en gaat door de redirects-laag die we al hebben.
+
+---
+
+## Fasering
+
+Per memory: bypass-pacing / JOLO is OK voor scopes die in één run passen. Dit is een dagen-werk port, dus ik fasering aanhouden met deploy + verify per fase.
+
+### Fase 0 — beslissing + scaffolding (afgerond 2026-05-11)
+- [x] Plan vastleggen (dit document).
+- [x] Storage-canon bevestigd: **B (SQLite-canon + git-audit-mirror)**.
+- [x] Parser/render laag bevestigd: **c32**.
+- [x] Commit-vorm bevestigd: **één multi-path commit per save**.
+- [x] Research-migration onderzoek afgerond → `research-migration.md`.
+- [x] Layer-correcties verwerkt in mapping-tabel.
+- [ ] `plan.md` committen (wacht op user-go).
+
+### Fase 1 — sxdoc-fundament (in uitvoering 2026-05-11)
+- [x] `c31_sxdoc.ts` — types only (geen sibling-test verplicht)
+- [x] `c31_sxdoc_parse.ts` (HTML→tree, port van podman `html-to-sx.ts`) + sibling `c31_sxdoc_parse.test.ts`
+- [x] `c51_render_sxdoc.ts` (tree→HTML, port van podman `sx-to-html.ts`) + sibling `c51_render_sxdoc.test.ts`
+- [x] Skip typed marketing blocks — niet nodig voor tdd.md content (~600 LOC bespaard).
+- [x] `c13_database.ts` extend: `sx_documents` tabel + saveDocument/loadDocument/listDocuments/deleteDocument
+- [x] `package.json`: `node-html-parser` toegevoegd
+- [x] `bun install` — node-html-parser@7.1.0 binnen
+- [x] `bun test src/c31_sxdoc_parse.test.ts src/c51_render_sxdoc.test.ts` — 53/53 ✓
+- [x] `bun test src/c32_sama_verify.test.ts` — 10/10 ✓ (verifier zelf groen)
+- [x] `bun test` (full suite) — 120/120 ✓ (67 pre-Fase-1 + 53 nieuwe)
+- [x] `wc -l` op nieuwe files — hoogste 327 LOC (c31_sxdoc_parse), c13_database 390 LOC; allemaal < 700
+- [x] `bun run src/c11_server.ts` boot-smoke OK — `/` en `/sama` beide 200
+- `c14_client_bundle.ts` (Bun.build memoised) — komt pas in Fase 2
+- Geen route-impact — alles puur unit-getest, niets aan de live site veranderd.
+
+**Fase 1 gates passed 2026-05-11. Sxdoc-fundament SAMA-canon compliant en groen.**
+
+### Fase 2 — admin-UI
+
+**2a — server-side CRUD (afgerond 2026-05-11):**
+- [x] `c31_admin_validation.ts` + sibling test (14/14 groen) — parser/validator per Modeled.md
+- [x] `c51_render_admin.ts` — list + edit form + login/non-admin walls
+- [x] `c21_handlers_admin.ts` — adminListHandler, adminNewHandler, adminEditHandler, adminDeleteHandler (één bestand i.p.v. plan-spec 4; matcht bestaande `c21_handlers_agents`/`c21_handlers_auth` pattern, 218 LOC)
+- [x] `c21_app.ts` routes: /admin, /admin/new, /admin/edit/:type/:slug, /admin/delete/:type/:slug
+- [x] Boot-smoke: anonymous → 401, login-wall rendert ✓
+- ⚠ `c21_app.ts` is nu 702 LOC (Atomic-grens 700 overschreden door 2 regels). Vraagt aparte split-refactor — c21_handlers_projects.ts, c21_handlers_api_agents.ts, c21_handlers_webhook.ts uit het inline-deel halen.
+
+**2b — client-side block editor (afgerond 2026-05-11):**
+- [x] `c14_client_bundle.ts` — Bun.build memoised + ETag, 72 LOC
+- [x] `src/client/blockeditor.ts` — hydratie + state + autosave + raw-mode toggle, 336 LOC
+- [x] `src/client/slashmenu.ts` — filterable popup met arrows/enter/escape, 161 LOC
+- [x] `src/client/blocks.ts` — per-block-kind renderers (p, h, ul, ol, quote, code, img, hr, html, shortcode), inline marks parser, slash-trigger, 393 LOC (één file ipv `blocks/*` — onder Atomic-700)
+- [x] `c51_render_admin.ts` — neemt nu SxDocument als input, projecteert naar textarea-HTML + embedt `<script id="sxdoc-initial">` JSON, laadt bundle `<script type="module" src="/admin/assets/blockeditor.js">`
+- [x] `c21_handlers_admin.ts` — JSON autosave path (`Accept: application/json` → `{ok:true,ts,slug,type}`)
+- [x] `c21_app.ts` route `/admin/assets/blockeditor.js` met ETag/304
+- [x] `public/style.css` admin-editor sectie toegevoegd (~190 LOC editor + slashmenu + toast)
+- [x] Bundle compileert (26KB), serves 200, ETag → 304 ✓
+- [x] Boot-smoke: /admin nog 401 anoniem (auth-gate intact) ✓
+- [x] Full suite 134/134 ✓
+- E2E spec `e2e/admin-block-editor.spec.ts` — uitgesteld; needs admin-sessie helper, beter in apart turn
+- Deploy + verify op p620 — wacht op user-go
+
+**Tech-debt uit Fase 2:**
+- c21_app.ts is nu **716 LOC** (Atomic-grens 700 overschreden door 16). Bestond al lang voor admin port; mijn route-adds duwden 't over. Splitsen langs `c21_handlers_projects.ts` / `c21_handlers_api_agents.ts` / `c21_handlers_webhook.ts` patroon (al gebruikt voor agents/auth/reports/sama) — aparte refactor, niet Fase 3-blocker.
+
+### Fase 3 — media + AI
+- `c14_media.ts` (upload + on-disk store onder `content/images/`)
+- `c14_image_resize.ts` (sharp wrapper — sharp is I/O = c14)
+- `c21_handlers_media.ts` (GET /content/images/...)
+- `c21_handlers_admin_upload.ts` (slash-menu image card target)
+- `c14_openrouter.ts` (HTTP-call) + `c32_ai_edit_block.ts` (validate+transform, sibling-test verplicht) + `c21_handlers_admin_ai.ts` (✨ button)
+- E2E: image upload + AI edit
+- Deploy + verify
+
+### Fase 4 — public renderer + Ghost-look theme
+- `c51_render_theme.ts` (port van podman's Handlebars partials naar TS template-helpers, geen Handlebars-dep)
+- `c51_render_theme_partials.ts` (nav, footer, post-card, post-list)
+- `c31_shortcodes_registry.ts` (built-in lijst + arg-schemas)
+- `c32_shortcodes_substitute.ts` (HTML-rewriter met meta/script-skip) + `.test.ts`
+- `c21_handlers_content.ts` swap: huidige render-paden → nieuwe theme
+- CSS port: `sx-themes/syntax/assets/*` → `public/style.css` (uitgebreid)
+- E2E: visuele parity-checks (`e2e/theme-parity.spec.ts`)
+- Deploy + verify
+
+### Fase 5 — sitemap, RSS, live-preview
+- `c51_render_sitemap.ts` + `c21_handlers_sitemap.ts`
+- `c21_handlers_admin_preview.ts` + live-preview iframe in admin
+- Deploy + verify
+
+### Fase 6 — content-migratie + cutover
+- `scripts/migrate_content_to_sxdoc.ts` lokaal draaien
+- Commit alle `*.sxdoc.json` als één migratie-batch
+- Verwijder oude `c21_handlers_edit.ts` + `c51_render_edit.ts` (block-editor is canoniek)
+- SAMA verify groen (`c32_sama_verify` over alle nieuwe files)
+- Deploy + visual diff t.o.v. pre-migratie
+- Memory updaten: "tdd.md CMS = sxdoc block-editor, Ghost-compat theme, git-canon (of SQLite-canon)"
+
+---
+
+## Risico's
+
+| Risico | Mitigatie |
+|---|---|
+| Block-editor JS is groot (slashmenu + 7 block types) | Bundle on-demand via `c14_client_bundle`, cache in memory. Geen build-step buiten Bun.build. |
+| Ghost-Handlebars helpers (`{{#foreach}}`, `{{date}}`, `{{img_url}}`) — handgeschreven her-implementeren | Klein arsenaal nodig; allemaal in `c51_render_theme.ts` + unit-tested. Geen Handlebars-dep. |
+| SAMA verify struikelt over client/ bestanden | client/ valt buiten cXX-naming-regel; al supported (zie bestaande `e2e/`). |
+| Content-migratie loss-y voor markdown met embedded HTML | sxdoc heeft escape-hatch `html` block; parser valt daarop terug. Visuele parity-check in Fase 6. |
+| Sharp binary in container | Bestaat al niet in tdd.md. Quadlet image-build moet `sharp` meebakken — eenmalige Dockerfile-edit. |
+| `OPENROUTER_API_KEY` ontbreekt in prod | AI ✨ wordt 503 met hint (zoals podman). Niet blokkerend. |
+
+---
+
+## Tellen
+
+- Podman LOC (sx-editor + sx-content + sx-filter, `src/` only): ~6-8k geschat.
+- Tdd.md LOC nu: 7.5k.
+- Port voegt geschat 4-6k toe (geen Handlebars-overhead, hergebruik bestaande c13/c14/c32-laag).
+- Eindstand: ~12-13k LOC, één Bun-proces, één SQLite-file, één bare repo. Geen extra services.
+
+---
+
+## Open vragen (kunnen later)
+
+Voor Fase 1 zijn de gelockte beslissingen voldoende. Deze vragen worden relevant per fase:
+
+1. ~~Storage~~ ✅ B (SQLite-canon + git-mirror) — locked.
+2. **Permalink-vorm** (Fase 4): `/blog/{primary_tag}/{slug}/` (Ghost-style) of `/blog/{slug}/` (huidig)? Aanbevolen: huidig behouden, 9 bestaande URLs blijven werken.
+3. **AI element-edit in prod** (Fase 3): `OPENROUTER_API_KEY` op p620 zetten, of alleen lokaal/dev (503 in prod)?
+4. **Games** (Fase 6): buiten CMS via bestaande `c31_games.ts`, of óók via sxdoc? Aanbevolen: buiten.
+5. **Ghost Content API endpoints** (`/ghost/api/content/...`): meeporten? Aanbevolen: drop, bespaart ~150 LOC. Tdd.md heeft geen externe API-consumers.
+6. **Marketing-blocks** (hero/feature-card/etc.): meeporten of skip? Aanbevolen: skip — niet nodig voor tdd.md content, scheelt ~600 LOC.
diff --git a/research-migration.md b/research-migration.md
new file mode 100644
index 0000000000000000000000000000000000000000..ee83c57dce8186a3e27ca953c0eaecde56d30b62
--- /dev/null
+++ b/research-migration.md
@@ -0,0 +1,567 @@
+# research-migration — porting podman/syntax CMS into SAMA-native tdd.md
+
+Companion to `/var/home/scri/Documents/tdd.md/plan.md`. Read that first
+for the high-level mapping; this goes deep on the points plan.md
+handwaved. All line references are to files in
+`/var/home/scri/Documents/podman/` and `/var/home/scri/Documents/tdd.md/`.
+
+## What I found that plan.md misses
+
+1. **`c32_sama_verify.ts` enforces stricter rules than plan.md
+   assumed.** Layer-prefix whitelist is `{11, 13, 14, 21, 31, 32, 51}`
+   (line 188). Plan.md proposes `c31_image_resize.ts`, but `sharp(...)`
+   is I/O — per `content/sama/architecture.md:13-16` resize belongs in
+   c14, OR c32 with `sharp` passed via DI. Same for plan.md's
+   `c31_ai_edit_block.ts` (calls OpenRouter — must split into c14+c32).
+2. **The verifier's import scanner only inspects relative `./xxx.ts`
+   paths** (line 119-120). A bare `import sharp from "sharp"` in a c31
+   file is invisible to the gate. The "no I/O in c31" rule is
+   discipline, not enforcement.
+3. **Atomic threshold is 700 lines** (line 309). Two podman files
+   over/at the line on day one:
+   `sx-editor/src/client/render.ts` (775 — **violation**),
+   `sx-filter/src/shortcodes.ts` (650 — one new shortcode tips it).
+   Plan.md doesn't budget these splits.
+4. **Placeholder-test detection is part of Atomic** (lines 254-298).
+   Every `test()/it()` body needs ≥1 `expect()`. Snapshot tests
+   (`toMatchSnapshot`) qualify but rule it out as the default.
+5. **Modeled is asymmetric** (lines 219-248). c32 without sibling test
+   = hard violation; c31 missing sibling = informational only. So
+   `c31_sxdoc.ts` (types) is fine without a test;
+   `c32_sxdoc_parse.ts` (logic) is not. Plan.md's `c31_sxdoc_parse.ts`
+   is the wrong layer — the parser is a deterministic transform, not
+   pure types/registry.
+6. **Podman uses subdirectories (`sxdoc/`, `core/`, `db/`, `client/`).**
+   tdd.md's `src/` is flat (verified: no subdirs). SAMA's verifier
+   doesn't walk subdirs, but the convention bans them — server-side
+   files **must** flatten into top-level `cXX_*.ts`. plan.md mentions
+   this only for `client/` and only obliquely.
+7. **Live-preview cannot be commit-driven.** Plan.md picks git-canon
+   (commit on every save), but `/admin/preview` runs on a ~200ms
+   debounce. The preview path must skip `c14_git` entirely and render
+   from in-memory sxdoc. Call this out so the handler is shaped
+   correctly from the start.
+8. **Ghost-style `/blog/{primary_tag}/{slug}/` permalink breaks 9
+   existing post URLs.** Plan.md asks the question but doesn't count.
+   Keep `/blog/{slug}/` unless there's a content reason to migrate.
+
+---
+
+## 1 — SAMA-verifier compliance
+
+### Exact rules (`src/c32_sama_verify.ts`)
+
+| letter | rule | line |
+|---|---|---|
+| S | c1*/c3* must NOT relative-import c5*/c9* (c21 exempt) | 149-185 |
+| A | prefix ∈ {11,13,14,21,31,32,51} | 188 |
+| M | c32_* needs sibling .test.ts (hard); c31_* missing = info only | 219-248 |
+| A | cXX_*.ts ≤ 700 lines; every test() body needs ≥1 expect() | 300-326 |
+
+Verifier walks only `cXX_*.ts` files; everything else under `src/` is
+ignored. **Client-bundle source under `src/client/**.ts` is therefore
+out of scope** — fine.
+
+### Subdirectories
+
+Server code in podman is split across `sx-editor/src/{sxdoc,core,db}/`
+and `sx-content/src/{sxdoc,core,db}/`. tdd.md is flat:
+`ls src/` returns only `cXX_*.ts` + `.test.ts` siblings. SAMA prefix
+replaces folder semantics. **All server-side podman files flatten**:
+- `sxdoc/types.ts` → `c31_sxdoc.ts`
+- `sxdoc/html-to-sx.ts` → `c32_sxdoc_parse.ts` (+ `.test.ts`)
+- `sxdoc/sx-to-html.ts` → `c32_sxdoc_render.ts` (+ `.test.ts`)
+- `sxdoc/db.ts` → `c14_sxdoc_sidecar.ts` (Option A) or `c14_sxdoc_store.ts` (Option B)
+- `core/schema.ts` + `db/sqlite.ts` → merge into existing `c13_database.ts`
+- `core/posts.ts` (editor & content) → one `c13_posts.ts`
+- `core/settings.ts` → extend `c31_site_config.ts`
+- `sxdoc/index.ts` (barrel) → DELETE (SAMA bans barrel re-exports per
+  `content/sama/atomic.md`)
+
+### Client-side placement
+
+tdd.md has **no precedent** for client TS today: `public/` holds
+`og.svg`, `style.css`, `sama-cli` (binary). `e2e/` holds Playwright
+specs. Options for the block-editor client:
+- **A. `src/client/**.ts`** — outside verifier glob, relative imports
+  to `../c31_sxdoc.ts` work, `Bun.build` bundles from here. Recommended.
+- B. `client/` at repo root — separates browser more clearly; new
+  top-level dir.
+- C. `public/src/**.ts` — confusing; `public/` is "served verbatim".
+
+`client/render.ts` (775 lines) **must split** before landing. Natural
+axis: one file per block-kind (matches the existing `blocks/*.ts`
+breakdown) + a small `client/render-dispatch.ts` switch on `block.t`.
+
+### Test convention
+
+tdd.md tests live as siblings under `src/`:
+`c31_commits.test.ts`, `c31_diff_parse.test.ts`,
+`c31_edit_validation.test.ts`, `c31_git_parse.test.ts`,
+`c31_commit_meta.test.ts`, `c31_games.test.ts`,
+`c32_anchor_extract.test.ts`, `c32_edit_resolve.test.ts`,
+`c32_sama_verify.test.ts`.
+
+Podman's `sx-editor/tests/unit.test.ts` and `sx-content/tests/setup.ts`
+are **incompatible** — verifier looks for `<file>.test.ts` next to
+`<file>.ts`. Every kept test becomes a sibling file.
+
+E2E remains in `e2e/*.spec.ts` (Playwright, ignored by verifier).
+
+---
+
+## 2 — Storage-model conflict
+
+### `SxDocument` shape (`sx-editor/src/sxdoc/types.ts`)
+
+`{ v: 1, blocks: SxBlock[] }`. Single-letter keys (`t`, `c`) for
+compactness (line 1-12). 17 block kinds: `p`, `h`, `ul`, `ol`, `li`,
+`quote`, `code`, `img`, `hr`, `html`, `shortcode`, `embed`, plus 7
+typed marketing blocks (`hero`, `feature-card`, `feature-grid`,
+`stats-row`, `steps-grid`, `use-case-card`, `cta-band`). Inline marks
+`b/i/u/s/c`; links are inline.
+
+No footnotes, no tables — tables fall through to `{t:"html"}` escape
+hatch.
+
+### SQLite tables (`sx-editor/src/core/schema.ts`)
+
+Six Ghost-shaped tables: `posts`, `tags`, `users`, `posts_tags`,
+`posts_authors`, `api_keys`, `settings`. Plus `sx_documents` (one row
+per post, holds the typed-block JSON):
+`(post_id PK, doc TEXT, doc_version INT, hash TEXT, updated_at TEXT)`.
+
+### Option A (git-canon, default) write flow
+
+`POST /admin/edit/blog/foo`:
+1. validate + parse form → `(markdown_body, sxdoc_json)`
+2. `c14_git.commitFile({ paths: [
+     {path:"content/blog/foo.md", content:markdown_body},
+     {path:"content/blog/foo.sxdoc.json", content:sxdoc_json} ]})`
+   — **needs new `commitFiles` (multi-path) variant**.
+3. mirror to live FS so the next render reflects it.
+4. show "applied · sha XXXXXXX".
+
+**Commit message**: piggy-back the existing helper
+`buildCommitMessage` from `c31_commit_meta.ts` (already used by
+`c21_handlers_edit.ts:96`). Message format stays as today:
+`Edit: <title> by <author> via /admin\n\n<filePath>`.
+
+`c14_git.commitFile` (lines 192-250) is single-path. Extending to
+multi-path is ~30 added lines — same 5-step flow, with step 3
+(read-tree + update-index) looping over paths.
+
+**Sidecar regen.** Because markdown is canonical and sxdoc is
+derivable, treat sidecars as **cache**. If sidecar missing or older
+than `.md`, regenerate via `marked.parse(md) → htmlToSx(html)`. Makes
+the "drop SQLite index, replay git log" rebuild story plan.md
+mentions actually trivial.
+
+### Real-content survey (assessed by full-read of 3 files + grep)
+
+| file | code fences | tables | embedded HTML | frontmatter |
+|---|---|---|---|---|
+| `content/home.md` (3.2 KB) | 0 | 1 (5 rows) | 0 | no |
+| `content/blog/sama-meets-git-cms.md` | 4 | 0 | 0 | no |
+| `content/blog/three-constraints-agentic-coding.md` | 7 | 0 | 0 | no |
+| `content/sama/architecture.md` | 1 | 1 (4×4) | 0 | no |
+| `content/sama/skill.md` | many | many | 0 | **YES** |
+| (other 13 .md) | many | mixed | 0 | no |
+
+Confirmed by grep: **only `content/sama/skill.md` has YAML
+frontmatter** (`---\nname: …\n---`). Other matches for `^---` are
+markdown horizontal rules (`<hr>`) inside the body of `sama/*.md`
+and a few blog posts — *not* frontmatter. The migration script must
+distinguish: frontmatter = `^---\n[a-zA-Z_]+:` at byte 0.
+
+### What `htmlToSx` handles vs doesn't (`sx-editor/src/sxdoc/html-to-sx.ts`)
+
+Block-level handled: `p`, `h1..h6`, `ul`/`ol`/`li`, `blockquote`,
+`pre`/`code` (with `language-X` detection), `img`, `figure`, `hr`.
+Container divs (`div`, `section`, `article`) recurse into children.
+Everything else → `{t:"html", src: el.outerHTML}` escape hatch
+(line 183).
+
+Inline handled: `<a>`, `<br>`, `<strong>/<b>`, `<em>/<i>`, `<u>`,
+`<s>/<strike>/<del>`, `<code>`. `<span>/<font>` strip wrapper, keep
+content.
+
+**Implication for our content**:
+- Tables → single `html` block per table. Renders identically but
+  un-editable as discrete blocks. **Acceptable.**
+- HR (`---`) → `{t:"hr"}`. Good.
+- Code fences → `{t:"code", lang:"sh", src:"..."}`. Good.
+- Quote-blocks (`> …` markdown) → `<blockquote>` HTML → `{t:"quote",
+  c:[…]}`. Good.
+- Frontmatter (skill.md only) — `marked` doesn't strip it by default
+  in tdd.md's current `c51_render_layout.ts:8` call. **Pre-check
+  what the live site does today** before migrating.
+- Round-trip drift exists: mark order is normalised
+  (`sx-to-html.ts:227`), `<b>` collapses to `<strong>`, whitespace
+  shifts. Acceptable for the migration since markdown stays
+  authoritative.
+
+### Option B (SQLite-canon) trade
+
+git as audit-trail disappears. Compensation table: `content_history
+(id, slug, type, doc, html, edited_at, edited_by, msg)` — append-only.
+Has rollback but no cryptographic immutability, no `git blame`, no
+PR diffs, no mirror story.
+
+The `content/blog/sama-meets-git-cms.md` post (149 lines) is the
+product pitch for "every save = a real commit". B contradicts
+published copy. **Recommend A.** Mechanical concerns (multi-path
+commit, sidecar regen) are small; the "stop saying SAMA meets git"
+cost is large.
+
+---
+
+## 3 — Handlebars-theme port
+
+### Helpers used (exhaustive, source: `sx-content/src/render.ts`)
+
+`Handlebars.registerHelper` calls at lines 78, 86, 93, 109, 129, 135,
+158, 166, 184, 202, 205, 210, 390, 393:
+
+| helper | line | use | TS-port effort |
+|---|---|---|---|
+| `asset` | 78 | `{{asset "css/syntax.css"}}` → `/assets/...` | trivial |
+| `img_url` | 86 | pass-through today (no transforms) | trivial |
+| `post_class` | 93 | join class strings from featured/tags | trivial |
+| `ghost_head` | 109 | 5-10 meta/og tags + codeinjection | medium — existing `c51_render_layout.ts` already emits a similar block |
+| `ghost_foot` | 129 | code injection footer | trivial |
+| `date` | 135 | dual-shape formatter (YYYY/MMM/DD) | small |
+| `content` | 158 | emit body html raw | trivial |
+| `excerpt` | 166 | strip HTML + truncate N words | small |
+| `foreach` | 184 | iteration with `@index/@first/@last/@even/@odd` | medium — TS map gets index; rest unused in current .hbs files (confirmed by grep) |
+| `tag`, `author`, `page`, `post` (block) | 202/205/390/393 | scope-dive | structural; replaced by TS functions that take the scoped object as arg |
+| `reading_time` | 210 | "N min read" | trivial |
+
+Built-in (`{{#if}}`, `{{else}}`, `{{!-- comment --}}`, `{{!< layout}}`)
+are template-language features that go away once we render via TS
+functions; no port needed.
+
+**Mismatches**: `{{#foreach}}`'s `@first/@last/@even/@odd` is the only
+data plumbing TS map doesn't give for free. Grep of `.hbs` files
+confirms none of those data-frame fields are referenced in current
+templates. Safe to drop in the TS port.
+
+### Templates inventory (`sx-themes/syntax/`)
+
+`default.hbs` (14 lines — wrapper), `index.hbs` (757 lines —
+marketing homepage HTML inline; partial `syntax-home.hbs` no longer
+used per `sx-editor/src/index.ts:284-289`), `post.hbs` (37),
+`page.hbs` (40), `tag.hbs` (24), `author.hbs` (24).
+
+`assets/css/syntax.css` is **812 lines**. tdd.md's `public/style.css`
+is ~25 KB. Combining is a real CSS pass; classes like `.hero-content`,
+`.feature-card`, `.use-case-card`, `.gradient-text` don't exist in
+tdd.md today.
+
+### TS-native equivalents land in
+
+- `c51_render_theme.ts` — `renderPost(post)`, `renderPage(page)`,
+  `renderTagArchive(tag, posts)`, `renderAuthorArchive(author, posts)`,
+  `renderHomepage()`. Each replaces one `.hbs` file.
+- `c51_render_meta.ts` (or extend existing `c51_render_layout.ts`) —
+  `ghost_head`-equivalent. tdd.md already emits OG/meta in
+  `c51_render_layout.ts:49+`; combine, don't reimplement.
+- The five small string helpers (`asset`, `date`, `excerpt`,
+  `reading_time`, `post_class`) live inline in `c51_render_theme.ts`
+  as private functions. No external file warranted.
+
+---
+
+## 4 — Shortcode-engine port
+
+### What `sx-filter/src/shortcodes.ts` (650 lines) does
+
+`BUILT_IN` registry at line 546-563. Three categories:
+
+- **Pure** (no I/O): `ping`, `now`, `spec-version`, `event-validate`,
+  `catalog-sample`, `query-demo`, `catalog-lookup` (reads in-process
+  `DEMO_CATALOG`), `emit`+`demo-flow` (writes in-process `events.ts`
+  ring buffer).
+- **HTTP-fetching** (external API): `github-repo`, `npm`, `crate`,
+  `gist`.
+- **Ghost-API-fetching**: `event-count`, `posts-list` (Ghost content
+  API), `login-page` (Ghost `_login-skin` page).
+
+Module-level `SHARED_EVENT_LOG` (line 14) + `DEMO_CATALOG`
+(lines 26-107) push the file to 650 lines. **One more handler tips
+it over 700.**
+
+### SAMA placement
+
+The handlers split by layer:
+- **c32**: pure regex match, format, validate. `query-demo`,
+  `event-validate`, `catalog-sample`, `catalog-lookup`,
+  `event-count` parser (just an int).
+- **c14**: HTTP wrappers for external APIs. `c14_github.ts` already
+  exists. New: `c14_npm.ts`, `c14_crates.ts`, `c14_gist.ts` — or one
+  combined `c14_package_registries.ts` (recommended for fewer files).
+- **c13**: queries against `posts`/`sx_documents` for `posts-list`
+  etc., extending `c13_database.ts`.
+- **c32_event_log.ts**: pure in-memory ring buffer; required only if
+  `emit`/`demo-flow` ship.
+
+### Where the substitute loop lives
+
+`sx-filter/src/index.ts:81-120` does the rewrite:
+1. parse upstream HTML (already-rendered page),
+2. build skip-regions (`<meta>`, `<link>`, `<script>`),
+3. for each `SHORTCODE_RE` match, call handler, splice output.
+
+This is **render-time HTML rewriting**, runs after sxdoc → HTML. It's
+a c51 concern wrapping c14/c32 handlers. **Cannot live in `c11_server.ts`**
+— c11 forbids route logic / HTML rewriting per `content/sama/architecture.md:12`.
+
+Recommended shape:
+- `c32_shortcode_parse.ts` (+test) — extract `{name, args, range}`
+  tokens from text. Pure regex; same pattern as today.
+- Handler functions at their natural layer.
+- `c51_render_post.ts` calls the parser, dispatches handlers inline
+  (~10 lines for a switch). No central registry; each handler is
+  just a function imported where needed.
+
+### Single-process advantage
+
+Podman's filter is a separate Bun service proxying Ghost. tdd.md is
+one process — substitute is a function call, not an HTTP hop. The
+~100 lines of `sx-filter/src/index.ts` doing upstream-proxy wiring
+are deleted; the ~30 lines of skip-region + substitute logic move
+into c51.
+
+---
+
+## 5 — File inventory (server-side, podman → tdd.md)
+
+### sx-editor/src/
+
+- `ai.ts` (317) → `c14_openrouter.ts` + `c32_ai_edit_block.ts` — HTTP
+  client (c14), prompt assembly + JSON validation (c32). plan.md's
+  `c31_ai_edit_block.ts` is wrong layer.
+- `build.ts` (61) → `c14_client_bundle.ts` — calls `Bun.build`, I/O.
+- `db.ts` (124) → split: SQL into `c13_posts.ts`; htmlToSx fallback
+  into the handler. plan.md's `c14_sxdoc_store.ts` is a different
+  file (sx-doc only); db.ts is core posts.
+- `index.ts` (437) → dispatcher entries in `c21_app.ts`; per-route
+  handler bodies in `c21_handlers_admin_{list,edit,new,upload,ai,
+  preview}.ts`. 4-6 files of 80-150 lines.
+- `routes.ts` (44) → merge into existing `c31_site_config.ts`.
+- `templates.ts` (482) → `c51_render_admin.ts`. At Atomic limit;
+  watch for growth.
+- `upload.ts` (87) → `c14_media.ts`.
+- `sxdoc/types.ts` (240) → `c31_sxdoc.ts`. Types only; no sibling
+  test (informational only).
+- `sxdoc/html-to-sx.ts` (315) → `c32_sxdoc_parse.ts` (+ `.test.ts`).
+- `sxdoc/sx-to-html.ts` (266) → `c32_sxdoc_render.ts` (+ `.test.ts`).
+- `sxdoc/db.ts` (64) → `c14_sxdoc_sidecar.ts` (Option A) **or**
+  `c14_sxdoc_store.ts` (Option B). Same shape, different backend.
+- `sxdoc/index.ts` (14) → DELETE (barrel, SAMA-forbidden).
+- `core/posts.ts` (148) → merge into `c13_posts.ts` with content's.
+- `core/schema.ts` (103) → merge into `c13_database.ts`.
+- `db/sqlite.ts` (41) → merge into `c13_database.ts`.
+- `scripts/backfill-sxdoc.ts` → `scripts/migrate_content_to_sxdoc.ts`.
+- `scripts/import-homepage.ts` → discard.
+
+### sx-content/src/
+
+- `db.ts` (11) → merge into `c13_database.ts`. Trivial.
+- `images.ts` (125) → `c14_media.ts` (combined with upload.ts).
+  `sharp` is I/O — **c14, not c31** as plan.md proposed.
+- `index.ts` (536) → `c21_handlers_content.ts` (+ optional
+  `c21_handlers_ghost_api.ts` — see open question 7).
+- `posts.ts` (140) → merge into single `c13_posts.ts`.
+- `render.ts` (398) → `c51_render_theme.ts`. Drops the Handlebars
+  dep.
+- `routes.ts` (199) → split: URL patterns into `c31_site_config.ts`,
+  classifyUrl logic into `c32_url_classify.ts` (+ test).
+- `sitemap.ts` (134) → `c51_render_sitemap.ts` + `c21_handlers_sitemap.ts`.
+- `sxdoc/*` (913 total) → duplicates of editor's; **single source of
+  truth in tdd.md**, both reads and writes use the same c31/c32/c14
+  triplet.
+- `core/posts.ts` (254), `core/schema.ts` (101), `core/settings.ts`
+  (118), `db/sqlite.ts` (43) → merge as listed for editor's
+  equivalents; `core/settings.ts` extends `c31_site_config.ts`.
+
+### sx-filter/src/
+
+- `admin.ts` (114) → DELETE. tdd.md has real auth; no injection.
+- `events.ts` (211) → `c32_event_log.ts` if event-demo shortcodes
+  ship. Otherwise DELETE.
+- `index.ts` (379) → discard proxy logic; substitute loop moves to
+  c51 (described in §4).
+- `login-page-skin.html` (174), `login-page-template.ts` (205) →
+  DELETE (syntax.ai demo asset).
+- `shortcodes.ts` (650) → `c32_shortcode_parse.ts` + handler files
+  at natural layers + dispatch inline in c51. Demo shortcodes
+  (event-* / catalog-* / login-page) are open question 4.
+
+### Non-clean mappings flagged
+
+- Two big dispatcher files (editor `index.ts` 437, content `index.ts`
+  536) **must split**: dispatcher entries go into `c21_app.ts`,
+  handler bodies into per-domain `c21_handlers_*.ts`.
+- `sxdoc/` duplicated between editor and content services — keep one
+  copy in tdd.md.
+- `core/schema.ts`, `db/sqlite.ts` duplicated — one copy.
+- `marked` already in tdd.md deps (`c51_render_layout.ts:8`). The
+  migration uses it; after cutover see open question 12.
+
+### Client (sx-editor/src/client/**)
+
+Lands at `src/client/**` (outside verifier glob). Sizes preserved.
+Key file: `render.ts` (775 — **must split before landing**). Natural
+split per-block-kind matches the existing `blocks/*` and
+`blocks/typed/*` breakdown.
+
+Open: `slashmenu.ts` (590) vs `slashmenu-v2.ts` (216) — figure out
+which is canonical before porting.
+
+---
+
+## 6 — Content migration mechanics
+
+### Algorithm
+
+```ts
+// scripts/migrate_content_to_sxdoc.ts
+for (const file of glob("content/**/*.md")) {
+  if (file.startsWith("content/games/"))       continue;
+  if (file.startsWith("content/git-history/")) continue;
+  const raw = await Bun.file(file).text();
+  const { fm, body } = splitFrontmatter(raw); // skill.md only
+  const html = await marked.parse(body, { gfm: true, breaks: false });
+  let doc: SxDocument;
+  try { doc = htmlToSx(html); }
+  catch (e) {
+    // Fallback: single html-block holding the markdown-rendered HTML.
+    doc = { v: 1, blocks: [{ t: "html", src: html }] };
+  }
+  const sxdocPath = file.replace(/\.md$/, ".sxdoc.json");
+  await Bun.write(sxdocPath, JSON.stringify(doc, null, 2));
+}
+// one batched commit
+git add content/**/*.sxdoc.json
+git commit -m "Migrate content to sxdoc sidecars (one-time)"
+```
+
+### Edge cases
+
+- **Tables** → single `{t:"html"}` block per table. Renders
+  identically; un-editable as discrete blocks in the block editor.
+  Acceptable.
+- **Frontmatter (`skill.md`)** → strip first, parse body. Decide
+  separately what happens to the `name:`/`description:` fields: today
+  they probably render as visible text via marked. Pre-check live
+  site behaviour before migrating.
+- **HR (`---` mid-document)** is NOT frontmatter. Frontmatter pattern:
+  `/^---\n[a-zA-Z_]+:/` at byte 0.
+- **Parse fail** → escape hatch as shown. Page still renders
+  (`sx-to-html.ts:60-62` emits raw HTML untouched). Editor surfaces
+  "open `/edit-raw/...` for this section".
+- **Code fences** all currently `sh` / `ts` / `text` — parsed by
+  `parseLangFromClass` (line 296-298) into `{t:"code", lang, src}`.
+  No issue.
+- **Round-trip drift** — `<b>` collapses to `<strong>`, mark order
+  normalised. Acceptable since `.md` stays authoritative.
+
+### Commit strategy: single batch
+
+18 files → one "Migrate: content → sxdoc" commit. Per-file commits
+add noise without informational value. Future re-migration after
+parser improvements stays a single revertable commit.
+
+### Games confirmed out of scope
+
+`content/games/{fizzbuzz,string-calc}/` are multi-file units:
+`spec.md` + `spec.ts` + `hidden/`. Read by `c31_games.ts` directly,
+not by the CMS; the companion `.ts` and `hidden/` directory make the
+post/page abstraction wrong. Keep games entirely outside the CMS.
+**No `/edit/games/...` route should exist** — edit via vim+git like
+source code.
+
+### git-history out of scope
+
+`content/git-history/syntaxai__tdd.md{,.tests}.json` (160 KB total)
+are generated artifacts read by `c32_real_reports.ts` /
+`c32_real_tests.ts`. Not content.
+
+---
+
+## Open beslismomenten voor de mens
+
+1. **Storage canon — A (git-canon) or B (SQLite-canon)?**
+   plan.md defaults A; my read supports A (the existing
+   `content/blog/sama-meets-git-cms.md` is the product pitch and
+   contradicts B). Confirm A, or pick B and accept rewriting that
+   post + memory update.
+
+2. **sxdoc parser layer — c31 or c32?**
+   plan.md says c31; I argue c32 (deterministic transform with logic,
+   not pure types/registry). Affects file name and whether sibling
+   tests are mandatory (c32 yes, c31 informational).
+
+3. **Single-commit vs two-commit per editor save (Option A).**
+   Either extend `c14_git.commitFile` to multi-path (recommended,
+   ~30 LOC) OR write `.md` and `.sxdoc.json` as two commits (simpler,
+   doubled log noise, atomicity hole if step 2 fails).
+
+4. **Ship the syntax.ai event-demo shortcodes?**
+   `emit`, `catalog-lookup`, `demo-flow`, `login-page`,
+   `event-validate`, `catalog-sample`, `query-demo`, `event-count`,
+   `posts-list`. These exist for syntax.ai's product story; tdd.md is
+   a different product. **Default: off.** Saves ~500 LOC (skip
+   `events.ts` port + 5 handler files + the `DEMO_CATALOG` constant).
+
+5. **Ghost-style permalink `/blog/{primary_tag}/{slug}/` vs current
+   `/blog/{slug}/`?**
+   Switching costs 9 redirects in `c21_app.ts` and breaks external
+   links. **Recommend keep current.**
+
+6. **Typed marketing blocks (`hero`, `feature-card`, `feature-grid`,
+   `stats-row`, `steps-grid`, `use-case-card`, `cta-band`) — port?**
+   tdd.md's `home.md` is text + 1 table + 1 list — none would apply
+   unless we redesign the homepage. **Default: skip.** Saves ~600
+   LOC across `c31_sxdoc.ts` (~80 lines smaller) +
+   `c32_sxdoc_render.ts` (typed renderers) +
+   `client/blocks/typed/*.ts` (7 files).
+
+7. **Ghost Content API compatibility surface
+   (`/ghost/api/content/{posts,pages}/...`) — keep?**
+   `sx-content/src/index.ts:78-115`. No consumers today. **Default:
+   drop.** Saves ~150 LOC.
+
+8. **Client-side TS placement — `src/client/`, `client/`, or
+   `public/src/`?** Recommend `src/client/`. Affects bundler paths
+   and Playwright fixture wiring.
+
+9. **`client/render.ts` (775) split shape.** Per-block-kind
+   (`render-p.ts`, `render-h.ts`, …, 12 small files) or by sub-system
+   (`render-blocks.ts`, `render-marks.ts`, `render-typed.ts`,
+   3 medium files). Affects readability vs file count.
+
+10. **c32 parser tests — snapshot vs explicit-assertion?**
+    Snapshot (`toMatchSnapshot`) qualifies under the placeholder-test
+    check, but explicit asserts are more readable. Decide before
+    writing.
+
+11. **`OPENROUTER_API_KEY` in prod (plan.md open Q3).**
+    Still open. AI ✨ returns 503 with hint when unset
+    (`sx-editor/src/index.ts:367-369`). Acceptable to ship without
+    the key in prod.
+
+12. **Keep `marked` post-migration?**
+    `marked` is used during migration (md → html before sxdoc parse)
+    and currently at runtime by `c51_render_layout.ts:8`. After
+    cutover, sxdoc → HTML is the new render path. Decide: keep
+    `marked` as a runtime dep for legacy paths, or vendor a tiny
+    md-to-blocks shim inside the migration script and drop marked
+    entirely.
+
+13. **`/admin/preview` rendering path.** Plan.md doesn't address
+    that preview cannot go through `c14_git.commitFile` (debounce
+    too tight). Handler must take in-memory sxdoc and call
+    `c32_sxdoc_render` → `c51_render_theme` directly. Shape the
+    handler accordingly from the start; don't refactor later.
diff --git a/sama.profile.toml b/sama.profile.toml
new file mode 100644
index 0000000000000000000000000000000000000000..a4966de94120fb6e3d27f7670fcaef61d487d410
--- /dev/null
+++ b/sama.profile.toml
@@ -0,0 +1,52 @@
+# SAMA v2 profile — declares this repo's filename prefixes and how
+# they map to the four canonical layers (Pure 0 / Core 1 / Adapter 2 /
+# Entry 3). See https://tdd.md/sama/v2 §2 for the profile mechanism
+# and https://tdd.md/sama/v2 §1.1 for the canonical layer table.
+#
+# Order in each `sublayers` array is the dependency order: later
+# entries may import earlier entries, never the reverse (§2.2).
+
+sama_version = "2.0"
+profile = "tdd-md"
+
+# Layer 0 — Pure. Types, constants, pure registries, pure parsers.
+# No I/O, no side effects.
+[layers.0]
+prefixes = ["c31_"]
+
+# Layer 1 — Core. Domain logic and pure render. No network, disk,
+# clock, or framework.
+#   - c32_ holds pure domain logic (judging math, session HMAC,
+#     anchor extraction, edit-target resolution, the v1 verifier).
+#   - c51_ holds pure HTML render functions (markdown → string,
+#     page chrome, no I/O).
+# c51 may import c32 (render uses logic); c32 must never import c51.
+[layers.1]
+sublayers = [
+  { name = "logic",  prefix = "c32_" },
+  { name = "render", prefix = "c51_" },
+]
+
+# Layer 2 — Adapter. The boundary. External input is parsed here.
+# DB, network, filesystem, framework bindings.
+#   - c13_ holds SQLite primitives (the bun:sqlite Database wrapper).
+#   - c14_ holds HTTP / git / filesystem orchestrators that may compose
+#     c13 primitives (e.g. c14_judge runs git clone + saveRun() to db).
+# c14 may import c13; c13 must never import c14.
+[layers.2]
+sublayers = [
+  { name = "data", prefix = "c13_" },
+  { name = "io",   prefix = "c14_" },
+]
+
+# Layer 3 — Entry. Outermost shell: server bootstrap, route table,
+# handlers.
+#   - c21_ holds HTTP handlers and the Bun.serve route table (c21_app).
+#   - c11_ holds the server bootstrap that mounts the route table.
+# c11 may import c21 (the bootstrap pulls in the app); c21 must never
+# import c11.
+[layers.3]
+sublayers = [
+  { name = "handlers", prefix = "c21_" },
+  { name = "server",   prefix = "c11_" },
+]
diff --git a/src/c13_database.ts b/src/c13_database.ts
index ad42187237ba55b578d242491fe06586897f3888..f7303f9a94423e2056dd75fc7654b1cb6e3d3458 100644
--- a/src/c13_database.ts
+++ b/src/c13_database.ts
@@ -1,6 +1,6 @@
 import { Database } from "bun:sqlite";
-import type { ProjectConfig, TestRunner } from "./c31_project_config.ts";
-import type { SxDocument } from "./c31_sxdoc.ts";
+import type { ProjectConfig, TestRunner, ProjectRow } from "./c31_project_config.ts";
+import type { SxDocument, SxDocumentSummary } from "./c31_sxdoc.ts";
 import { SX_DOC_VERSION } from "./c31_sxdoc.ts";
 
 const DB_PATH = process.env.TDD_DB_PATH ?? ":memory:";
@@ -133,18 +133,9 @@ export const latestRun = (owner: string, repo: string): Verdict | null => {
   return JSON.parse(row.verdict_json) as Verdict;
 };
 
-export interface ProjectRow {
-  id: number;
-  registeredBy: string;
-  repoOwner: string;
-  repoName: string;
-  testRunner: TestRunner;
-  trackedBranches: string[];
-  displayName: string | null;
-  team: string | null;
-  registeredAt: number;
-  status: "active" | "paused";
-}
+// ProjectRow is now defined in Layer 0 (c31_project_config) alongside
+// the rest of the project-config types, so c51 render code can
+// reference it without importing from Layer 2.
 
 interface ProjectDbRow {
   id: number;
@@ -240,15 +231,9 @@ export interface SxDocumentRow {
   updatedAt: number;
 }
 
-export interface SxDocumentSummary {
-  id: number;
-  slug: string;
-  type: "page" | "post";
-  title: string;
-  status: "published" | "draft";
-  primaryTag: string | null;
-  updatedAt: number;
-}
+// SxDocumentSummary is the public summary shape; defined in Layer 0
+// (c31_sxdoc) so render code can reference it without crossing the
+// SAMA v2 import direction.
 
 interface SxDocumentDbRow {
   id: number;
diff --git a/src/c14_git.ts b/src/c14_git.ts
index 94af6651ed3e29aa2ea6e569562e1526912110fb..f829ebaeb682e5a67b7bc612c11d66e904d2797f 100644
--- a/src/c14_git.ts
+++ b/src/c14_git.ts
@@ -26,22 +26,15 @@ import {
 
 export const GIT_DIR = process.env.TDD_GIT_DIR ?? "/app/repo";
 
-export interface GitCommitOk {
-  ok: true;
-  commitSha: string;
-}
-
-export interface GitCommitFailure {
-  ok: false;
-  // "conflict" → ref tip moved under us (someone else committed)
-  // "not_found" → branch doesn't exist
-  // "permission" → fs perms on the bare repo
-  // "other" → anything else (look at .message)
-  kind: "conflict" | "not_found" | "permission" | "other";
-  message: string;
-}
-
-export type GitCommitOutcome = GitCommitOk | GitCommitFailure;
+// GitCommitOk / GitCommitFailure / GitCommitOutcome are defined in
+// Layer 0 (c31_git_parse) per SAMA v2 §1.1. Imported here so the
+// adapter's typed return signatures match what callers in Layer 1
+// also import directly.
+import type {
+  GitCommitOk,
+  GitCommitFailure,
+  GitCommitOutcome,
+} from "./c31_git_parse.ts";
 
 interface RunOpts {
   stdin?: string;
@@ -114,12 +107,10 @@ export const readBlobAtRef = async (ref: string, path: string): Promise<string |
 // Returns null when the path doesn't exist at that ref. Each entry
 // keeps the relative name (basename), not the full path — the caller
 // builds full paths from `${path}/${entry.name}`.
-export interface TreeEntry {
-  name: string;            // basename, e.g. "skill.md" or "blog"
-  type: "blob" | "tree" | "commit";
-  sha: string;
-  mode: string;
-}
+// TreeEntry is defined in Layer 0 (c31_git_parse) per SAMA v2 §1.1.
+// Callers import it directly from c31_git_parse, not through this
+// adapter — that's what keeps the import direction Layer N → Layer M < N.
+import type { TreeEntry } from "./c31_git_parse.ts";
 export const lsTree = async (ref: string, path: string): Promise<TreeEntry[] | null> => {
   // `<ref>:<path>` — git lists what's at that tree. For path="" it's
   // the repo root.
diff --git a/src/c14_judge.test.ts b/src/c14_judge.test.ts
new file mode 100644
index 0000000000000000000000000000000000000000..07b8daf80cc58de5154766139cad15a4d3873245
--- /dev/null
+++ b/src/c14_judge.test.ts
@@ -0,0 +1,69 @@
+// Sibling test for c32_judge.ts. The orchestrator itself (judge()) does
+// git clone + test execution and isn't unit-testable without a real
+// agent repo; the pure helpers underneath it (applyMode, explainRefactor)
+// are the structural surface that matters for scoring decisions. Cover
+// the mode-aware penalty math + the operator-facing explanations here.
+
+import { describe, test, expect } from "bun:test";
+import { applyMode, explainRefactor, judge } from "./c14_judge.ts";
+
+describe("c32_judge — applyMode (mode-aware penalty math)", () => {
+  test("positive deltas pass through unchanged in every mode", () => {
+    expect(applyMode(10, "strict")).toBe(10);
+    expect(applyMode(10, "pragmatic")).toBe(10);
+    expect(applyMode(10, "learning")).toBe(10);
+  });
+
+  test("strict mode keeps the full negative penalty", () => {
+    expect(applyMode(-20, "strict")).toBe(-20);
+    expect(applyMode(-5, "strict")).toBe(-5);
+  });
+
+  test("pragmatic mode halves negative deltas (Math.ceil — never below half)", () => {
+    expect(applyMode(-20, "pragmatic")).toBe(-10);
+    expect(applyMode(-10, "pragmatic")).toBe(-5);
+    // -5 / 2 = -2.5 → Math.ceil(-2.5) = -2: the harsher half rounds up
+    // toward zero, which is the documented "softer score" behaviour.
+    expect(applyMode(-5, "pragmatic")).toBe(-2);
+  });
+
+  test("learning mode zeroes out every negative delta", () => {
+    expect(applyMode(-20, "learning")).toBe(0);
+    expect(applyMode(-5, "learning")).toBe(0);
+    expect(applyMode(-1, "learning")).toBe(0);
+  });
+
+  test("zero delta is neutral in every mode", () => {
+    expect(applyMode(0, "strict")).toBe(0);
+    expect(applyMode(0, "pragmatic")).toBe(0);
+    expect(applyMode(0, "learning")).toBe(0);
+  });
+});
+
+describe("c32_judge — explainRefactor", () => {
+  test("passed=true returns the canonical-refactor explanation", () => {
+    const s = explainRefactor(true);
+    expect(s).toContain("stayed green");
+    expect(s).toMatch(/canonical/i);
+  });
+
+  test("passed=false returns guidance to revert or open a new red→green", () => {
+    const s = explainRefactor(false);
+    expect(s).toContain("broke");
+    expect(s).toMatch(/revert|red→green/);
+  });
+
+  test("the two branches return different strings", () => {
+    expect(explainRefactor(true)).not.toBe(explainRefactor(false));
+  });
+});
+
+describe("c32_judge — orchestrator entry point", () => {
+  test("judge is exported as an async function (Promise-returning)", () => {
+    expect(typeof judge).toBe("function");
+    // The orchestrator does git clone + test execution; covering it
+    // end-to-end needs a real agent repo. A type-level check that the
+    // shape didn't drift is the documented minimum for this layer.
+    expect(judge.length).toBe(2);
+  });
+});
diff --git a/src/c14_judge.ts b/src/c14_judge.ts
new file mode 100644
index 0000000000000000000000000000000000000000..052cfe842431ab72d0578e3f47bc83b8179e2a92
--- /dev/null
+++ b/src/c14_judge.ts
@@ -0,0 +1,370 @@
+import { mkdtempSync, rmSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { parseCommit, type Phase } from "./c31_commits.ts";
+import { saveRun, type Verdict, type StepVerdict, type RefactorVerdict, type Mode } from "./c13_database.ts";
+import { loadGame, type Game } from "./c31_games.ts";
+
+type TestRunner = "bun" | "none";
+
+interface TddConfig {
+  mode: Mode;
+  testRunner: TestRunner;
+}
+
+// tdd.config.json from the agent's repo selects the scoring mode and
+// test runner. Falls back to strict / bun when missing or unparseable.
+//
+//   { "mode": "pragmatic", "test_runner": "none" }
+//
+// test_runner: "none" enables trace-only judging — no checkout, no test
+// execution. Useful as a CI gate on projects where Bun can't run the
+// suite (e.g. .NET, Python without bun-compat tests).
+const readConfig = async (cwd: string): Promise<TddConfig> => {
+  const file = Bun.file(join(cwd, "tdd.config.json"));
+  let mode: Mode = "strict";
+  let testRunner: TestRunner = "bun";
+  if (await file.exists()) {
+    try {
+      const cfg = (await file.json()) as { mode?: string; test_runner?: string };
+      if (cfg.mode === "pragmatic" || cfg.mode === "learning") mode = cfg.mode;
+      if (cfg.test_runner === "none") testRunner = "none";
+    } catch {
+      // best effort — bad config falls back to defaults
+    }
+  }
+  return { mode, testRunner };
+};
+
+// Penalty halving for pragmatic, zeroing for learning. Positive deltas
+// are unchanged across modes — earned credit is earned credit.
+export const applyMode = (delta: number, mode: Mode): number => {
+  if (delta >= 0) return delta;
+  if (mode === "learning") return 0;
+  if (mode === "pragmatic") return Math.ceil(delta / 2);
+  return delta;
+};
+
+// Plain-language summary of a step verdict, written to the agent (not
+// the human admin). One short paragraph; named intentionally so callers
+// can see it next to the row in the score table.
+const explainStep = (params: {
+  status: StepVerdict["status"];
+  redSha: string | null;
+  greenSha: string | null;
+  hiddenPassed: boolean | null;
+  mode: Mode;
+}): string => {
+  const { status, hiddenPassed, mode } = params;
+  switch (status) {
+    case "verified":
+      return "Red failed as expected, green passes your tests, and the kata's hidden tests confirm the implementation matches the requirement.";
+    case "discipline-only":
+      return "Red→green discipline holds, but this kata didn't ship hidden tests for the step. Partial credit awarded; full +20 isn't possible without authoritative verification.";
+    case "no-green":
+      return "Red commit landed; the matching green(<step>) commit hasn't been pushed yet. Push your green to lock in the score.";
+    case "red-did-not-fail":
+      return mode === "pragmatic"
+        ? "Combined red+green commit detected. Pragmatic mode allows this — the cycle still counts, just with a softer score than a clean separation."
+        : "Red commit's tests already passed when the step was first introduced — meaning the implementation was added before the test, or the test is tautological. Switch to pragmatic mode if you commit red+green together intentionally.";
+    case "green-did-not-pass":
+      return "Green commit's own tests still fail. The implementation doesn't yet satisfy the test you wrote — fix the impl, or reconsider whether the test reflects the requirement.";
+    case "hidden-tests-failed":
+      return hiddenPassed === false
+        ? "Your tests pass, but the kata's hidden tests don't — this is the classic tautology trap. Tighten your test to mirror the requirement (e.g., assert the actual return value, not just that it runs)."
+        : "Your tests pass, but hidden verification was inconclusive. Re-push to retry.";
+    case "test-deleted":
+      return "Test count dropped between red and green for this step. Once a test exists it must keep existing — refactor it, don't delete it. If the test was wrong, replace it in a separate commit before resuming the cycle.";
+    case "trace-verified":
+      return "Trace-only mode: red→green pair found in the commit log. Tests weren't executed (test_runner: \"none\"). Switch to bun runner for behaviour verification.";
+    case "trace-tests-shrunk":
+      return "Trace-only mode: the green commit's tree has fewer test files than the red commit's tree — looks like deletion. If you renamed or split test files, the tally still drops.";
+  }
+};
+
+export const explainRefactor = (passed: boolean): string =>
+  passed
+    ? "Tests stayed green through the refactor — structural change without behavior change, the canonical refactor."
+    : "Refactor commit broke at least one test. Either revert the refactor or write a new red→green to capture the changed behavior.";
+
+const FORGEJO_INTERNAL = process.env.FORGEJO_URL ?? "https://git.tdd.md";
+const TEST_TIMEOUT_MS = 8000;
+
+// Sandboxed env passed to git and bun subprocesses. Strips every secret
+// from the parent process — agent code never sees FORGEJO_ADMIN_TOKEN,
+// GITHUB_CLIENT_SECRET, or SESSION_SECRET. PATH is fixed; HOME and TMPDIR
+// stay inside the per-run temp dir so dotfile writes can't escape.
+const sandboxEnv = (cwd: string): Record<string, string> => ({
+  PATH: "/usr/local/bin:/usr/bin:/bin",
+  HOME: cwd,
+  TMPDIR: cwd,
+  NODE_ENV: "test",
+});
+
+const runProc = async (
+  cmd: string[],
+  cwd: string,
+  timeoutMs: number,
+): Promise<{ stdout: string; stderr: string; exitCode: number; timedOut: boolean }> => {
+  const proc = Bun.spawn(cmd, {
+    cwd,
+    stdout: "pipe",
+    stderr: "pipe",
+    env: sandboxEnv(cwd),
+  });
+  let timedOut = false;
+  const timer = setTimeout(() => {
+    timedOut = true;
+    proc.kill("SIGKILL");
+  }, timeoutMs);
+  const exitCode = await proc.exited;
+  clearTimeout(timer);
+  const stdout = await new Response(proc.stdout).text();
+  const stderr = await new Response(proc.stderr).text();
+  return { stdout: stdout.trim(), stderr: stderr.trim(), exitCode, timedOut };
+};
+
+const runTests = async (cwd: string): Promise<boolean> => {
+  const r = await runProc(["bun", "test"], cwd, TEST_TIMEOUT_MS);
+  // Bun test exits 0 only when all tests pass.
+  return !r.timedOut && r.exitCode === 0;
+};
+
+// Language-agnostic test-file counter for trace-only mode. Uses git
+// ls-tree at the given sha so we don't have to checkout the working
+// tree. Matches conventional test-file naming across ecosystems:
+//   foo.test.ts, foo.spec.ts, FooTests.cs, FooTest.java, test_foo.py,
+//   foo_test.go, FooSpec.scala, foo_spec.rb.
+const countTestFiles = async (cwd: string, sha: string): Promise<number> => {
+  const r = await runProc(["git", "ls-tree", "-r", "--name-only", sha], cwd, 5000);
+  if (r.exitCode !== 0) return 0;
+  const re = /(?:^|\/)(?:[^/]*\.(?:test|spec)\.[a-z]+|[Tt]ests?\/[^/]+|test_[^/]+|[^/]+_test\.[a-z]+|[^/]+[Tt]ests?\.cs|[^/]+[Tt]est\.java)$/;
+  let count = 0;
+  for (const line of r.stdout.split("\n")) {
+    if (re.test(line)) count++;
+  }
+  return count;
+};
+
+// Count `test(` / `it(` calls in tracked *.test.ts files. Used to detect
+// when an agent deletes tests between red and green to make a regression
+// "pass" — a cardinal TDD sin per the kata spec.
+const countTests = async (cwd: string): Promise<number> => {
+  const r = await runProc(["git", "ls-files", "*.test.ts"], cwd, 5000);
+  if (r.exitCode !== 0) return 0;
+  const files = r.stdout.split("\n").filter((f) => f && !f.includes("__hidden_"));
+  let count = 0;
+  for (const f of files) {
+    const content = await Bun.file(join(cwd, f))
+      .text()
+      .catch(() => "");
+    const matches = content.match(/\b(?:test|it)\s*\(/g);
+    if (matches) count += matches.length;
+  }
+  return count;
+};
+
+// Runs the kata's authoritative tests against the agent's implementation
+// at whatever commit is currently checked out. Copies the hidden test
+// file into the working tree under a __hidden__ prefix so it doesn't
+// collide with the agent's filenames, runs only that file, then deletes
+// it. Returns null if the kata doesn't have hidden tests for this step.
+const runHiddenTests = async (cwd: string, spec: Game, stepId: string): Promise<boolean | null> => {
+  const stepDef = spec.steps.find((s) => s.id === stepId);
+  if (!stepDef) return null;
+  const sourcePath = `./content/games/${spec.id}/${stepDef.hiddenTestFile}`;
+  const sourceFile = Bun.file(sourcePath);
+  if (!(await sourceFile.exists())) return null;
+  const content = await sourceFile.text();
+  const targetName = `__hidden_${stepId}__.test.ts`;
+  const targetPath = join(cwd, targetName);
+  await Bun.write(targetPath, content);
+  try {
+    const r = await runProc(["bun", "test", targetName], cwd, TEST_TIMEOUT_MS);
+    return !r.timedOut && r.exitCode === 0;
+  } finally {
+    try {
+      rmSync(targetPath, { force: true });
+    } catch {
+      // best effort
+    }
+  }
+};
+
+interface CommitInfo {
+  sha: string;
+  phase: Phase;
+  step: string | null;
+}
+
+const readCommits = async (cwd: string): Promise<CommitInfo[]> => {
+  const r = await runProc(["git", "log", "--reverse", "--pretty=format:%H%x1f%B%x1e"], cwd, 10000);
+  if (r.exitCode !== 0) return [];
+  const out: CommitInfo[] = [];
+  for (const block of r.stdout.split("\x1e")) {
+    const t = block.trim();
+    if (!t) continue;
+    const [sha, message = ""] = t.split("\x1f");
+    if (!sha) continue;
+    const p = parseCommit(message);
+    out.push({ sha, phase: p.phase, step: p.step });
+  }
+  return out;
+};
+
+export const judge = async (owner: string, repo: string): Promise<Verdict> => {
+  const cwd = mkdtempSync(join(tmpdir(), `judge-${owner}-${repo}-`));
+  try {
+    // Agent repos default to private. Authenticate via admin token in
+    // an http.extraheader so the token isn't persisted in the cloned
+    // repo's config (extraheader applies to the clone request only).
+    const cloneUrl = `${FORGEJO_INTERNAL}/${owner}/${repo}.git`;
+    const adminToken = process.env.FORGEJO_ADMIN_TOKEN;
+    const gitArgs = adminToken
+      ? ["-c", `http.extraheader=Authorization: token ${adminToken}`, "clone", "--quiet", cloneUrl, "."]
+      : ["clone", "--quiet", cloneUrl, "."];
+    const cloneR = await runProc(["git", ...gitArgs], cwd, 30000);
+    if (cloneR.exitCode !== 0) {
+      throw new Error(`clone failed: ${cloneR.stderr || cloneR.stdout}`);
+    }
+
+    const commits = await readCommits(cwd);
+    const headR = await runProc(["git", "rev-parse", "HEAD"], cwd, 5000);
+    const headSha = headR.stdout;
+
+    // First red per step + first green-after-red per step (chronological).
+    const stepRed = new Map<string, string>();
+    const stepGreen = new Map<string, string>();
+    for (const c of commits) {
+      if (!c.step) continue;
+      if (c.phase === "red" && !stepRed.has(c.step)) {
+        stepRed.set(c.step, c.sha);
+      } else if (c.phase === "green" && stepRed.has(c.step) && !stepGreen.has(c.step)) {
+        stepGreen.set(c.step, c.sha);
+      }
+    }
+
+    // Read the agent's mode + runner preferences from tdd.config.json.
+    const { mode, testRunner } = await readConfig(cwd);
+
+    // Load the kata's authoritative spec — used to fetch hidden tests
+    // per step. Repos that don't match a known kata get scored on red→green
+    // discipline only (no hidden-test verification).
+    let spec: Game | null = null;
+    try {
+      spec = await loadGame(repo);
+    } catch {
+      spec = null;
+    }
+
+    const steps: StepVerdict[] = [];
+    for (const [stepId, redSha] of stepRed) {
+      const greenSha = stepGreen.get(stepId) ?? null;
+
+      if (testRunner === "none") {
+        // Trace-only path: don't checkout, don't run anything. Score
+        // purely from the commit log + a language-agnostic test-file
+        // count via `git ls-tree`. Useful for non-Bun projects.
+        const redFiles = await countTestFiles(cwd, redSha);
+        const greenFiles = greenSha ? await countTestFiles(cwd, greenSha) : redFiles;
+        const filesShrank = greenSha !== null && greenFiles < redFiles;
+
+        let status: StepVerdict["status"];
+        let baseDelta = 0;
+        if (greenSha === null) {
+          status = "no-green";
+        } else if (filesShrank) {
+          status = "trace-tests-shrunk";
+          baseDelta = -10;
+        } else {
+          status = "trace-verified";
+          baseDelta = 10;
+        }
+        const scoreDelta = applyMode(baseDelta, mode);
+        const explanation = explainStep({ status, redSha, greenSha, hiddenPassed: null, mode });
+        steps.push({
+          stepId, redSha, greenSha,
+          redFailed: null, greenPassed: null, hiddenPassed: null,
+          status, scoreDelta, explanation,
+        });
+        continue;
+      }
+
+      await runProc(["git", "checkout", "--quiet", redSha], cwd, 5000);
+      const redTestCount = await countTests(cwd);
+      const redPassed = await runTests(cwd);
+      const redFailed = !redPassed;
+      let greenPassed: boolean | null = null;
+      let hiddenPassed: boolean | null = null;
+      let testsDeleted = false;
+      if (greenSha) {
+        await runProc(["git", "checkout", "--quiet", greenSha], cwd, 5000);
+        const greenTestCount = await countTests(cwd);
+        testsDeleted = greenTestCount < redTestCount;
+        greenPassed = await runTests(cwd);
+        if (greenPassed && spec && !testsDeleted) {
+          hiddenPassed = await runHiddenTests(cwd, spec, stepId);
+        }
+      }
+
+      let status: StepVerdict["status"];
+      let baseDelta = 0;
+      if (greenSha === null) {
+        status = "no-green";
+      } else if (testsDeleted) {
+        status = "test-deleted";
+        baseDelta = -20;
+      } else if (!redFailed) {
+        status = "red-did-not-fail";
+        baseDelta = -5;
+      } else if (greenPassed === false) {
+        status = "green-did-not-pass";
+        baseDelta = -5;
+      } else if (hiddenPassed === false) {
+        status = "hidden-tests-failed";
+        baseDelta = 0;
+      } else if (hiddenPassed === true) {
+        status = "verified";
+        baseDelta = 20;
+      } else {
+        status = "discipline-only";
+        baseDelta = 5;
+      }
+      const scoreDelta = applyMode(baseDelta, mode);
+      const explanation = explainStep({ status, redSha, greenSha, hiddenPassed, mode });
+      steps.push({ stepId, redSha, greenSha, redFailed, greenPassed, hiddenPassed, status, scoreDelta, explanation });
+    }
+
+    // Refactor commits aren't tied to red→green pairs: the spec rewards
+    // any refactor that keeps the existing tests green. A broken refactor
+    // (tests fail at the refactor commit) costs the same as a missed
+    // green — discipline matters even outside red→green pairs.
+    const refactors: RefactorVerdict[] = [];
+    for (const c of commits) {
+      if (c.phase !== "refactor") continue;
+      await runProc(["git", "checkout", "--quiet", c.sha], cwd, 5000);
+      const passed = await runTests(cwd);
+      const baseDelta = passed ? 5 : -5;
+      refactors.push({
+        sha: c.sha,
+        stepId: c.step,
+        testsPassed: passed,
+        scoreDelta: applyMode(baseDelta, mode),
+        explanation: explainRefactor(passed),
+      });
+    }
+
+    const totalScore =
+      steps.reduce((a, s) => a + s.scoreDelta, 0) +
+      refactors.reduce((a, r) => a + r.scoreDelta, 0);
+    const verdict: Verdict = { headSha, mode, steps, refactors, totalScore, judgedAt: Date.now() };
+    saveRun(owner, repo, verdict);
+    return verdict;
+  } finally {
+    try {
+      rmSync(cwd, { recursive: true, force: true });
+    } catch {
+      // best effort cleanup
+    }
+  }
+};
diff --git a/src/c14_real_reports.test.ts b/src/c14_real_reports.test.ts
new file mode 100644
index 0000000000000000000000000000000000000000..1056bebc2dc81845772da47fcce89ed39b1b32ec
--- /dev/null
+++ b/src/c14_real_reports.test.ts
@@ -0,0 +1,101 @@
+// Sibling test for c32_real_reports.ts. buildLiveReports itself fans out
+// to fetchRepoCommits (network) so its end-to-end shape is covered by
+// the live /reports/live route. The pure helpers underneath — agent
+// attribution from commit messages, and the 30-day daily sparkline —
+// are unit-testable here.
+
+import { describe, test, expect } from "bun:test";
+import {
+  detectAgent,
+  buildTrend,
+  buildLiveReports,
+} from "./c14_real_reports.ts";
+import type { GithubCommit } from "./c14_github.ts";
+
+const mkCommit = (date: string, message = ""): GithubCommit => ({
+  sha: "0".repeat(40),
+  commit: {
+    message,
+    author: { name: "test", email: "t@example.com", date },
+    committer: { name: "test", email: "t@example.com", date },
+  },
+  author: null,
+  committer: null,
+} as unknown as GithubCommit);
+
+describe("c32_real_reports — detectAgent", () => {
+  test("recognises a Claude Code commit via Co-Authored-By: Claude", () => {
+    expect(detectAgent("Add feature\n\nCo-Authored-By: Claude <noreply>")).toBe("claude-code");
+  });
+
+  test("recognises a Cursor commit", () => {
+    expect(detectAgent("Fix bug\n\nCo-Authored-By: Cursor <ai@cursor.sh>")).toBe("cursor");
+  });
+
+  test("recognises an Aider commit", () => {
+    expect(detectAgent("Refactor x\n\nCo-Authored-By: aider")).toBe("aider");
+  });
+
+  test("returns unknown when no recognised footer is present", () => {
+    expect(detectAgent("Just a commit")).toBe("unknown");
+    expect(detectAgent("")).toBe("unknown");
+  });
+
+  test("the regex is case-insensitive on the agent token", () => {
+    expect(detectAgent("Co-Authored-By: CLAUDE")).toBe("claude-code");
+    expect(detectAgent("co-authored-by: CURSOR")).toBe("cursor");
+  });
+});
+
+describe("c32_real_reports — buildTrend (30-day daily sparkline)", () => {
+  // Use today (UTC) as the anchor — the function compares against UTC
+  // midnight, so we need ISO strings that fall on the right days.
+  const today = new Date();
+  today.setUTCHours(0, 0, 0, 0);
+  const iso = (daysAgo: number): string => {
+    const d = new Date(today.getTime() - daysAgo * 24 * 60 * 60 * 1000);
+    return d.toISOString();
+  };
+
+  test("returns an array of `days` length", () => {
+    expect(buildTrend([], 30)).toHaveLength(30);
+    expect(buildTrend([], 7)).toHaveLength(7);
+  });
+
+  test("empty input flat-lines at zero", () => {
+    const trend = buildTrend([], 7);
+    expect(trend.every((n) => n === 0)).toBe(true);
+  });
+
+  test("a single commit today increments the last bucket", () => {
+    const trend = buildTrend([mkCommit(iso(0))], 7);
+    expect(trend[trend.length - 1]).toBe(1);
+    expect(trend.slice(0, -1).every((n) => n === 0)).toBe(true);
+  });
+
+  test("multiple commits on the same day stack in the same bucket", () => {
+    const trend = buildTrend([mkCommit(iso(0)), mkCommit(iso(0)), mkCommit(iso(0))], 7);
+    expect(trend[trend.length - 1]).toBe(3);
+  });
+
+  test("commits older than the window are dropped", () => {
+    const trend = buildTrend([mkCommit(iso(99))], 7);
+    expect(trend.every((n) => n === 0)).toBe(true);
+  });
+
+  test("a commit `daysAgo` lands at index `days - 1 - daysAgo`", () => {
+    const trend = buildTrend([mkCommit(iso(2))], 7);
+    // index 6 = today, 5 = yesterday, 4 = 2 days ago
+    expect(trend[4]).toBe(1);
+  });
+});
+
+describe("c32_real_reports — orchestrator entry point", () => {
+  test("buildLiveReports is exported as an async function", () => {
+    expect(typeof buildLiveReports).toBe("function");
+    // End-to-end coverage lives on /reports/live; this is the structural
+    // smoke that the export shape didn't drift. `.length` counts only
+    // non-default params (owner, repo) — perPage carries a default.
+    expect(buildLiveReports.length).toBe(2);
+  });
+});
diff --git a/src/c14_real_reports.ts b/src/c14_real_reports.ts
new file mode 100644
index 0000000000000000000000000000000000000000..2cf694ae531ad0f56a2fa62b6b24be057bb6af67
--- /dev/null
+++ b/src/c14_real_reports.ts
@@ -0,0 +1,170 @@
+// c32 — logic: aggregate real GitHub commit history into the same
+// AgentReport / RecentFlagged shape that c51_render_reports renders.
+// Pure (given fetched commits in, produces report objects out); the
+// I/O happens in c14_github.fetchRepoCommits which we call here.
+//
+// Attribution: Co-Authored-By footers are the agent-attribution channel
+// the existing tdd.md commit history already uses. Anything without a
+// recognised footer is bucketed as "unknown" and reported separately —
+// it's still useful for volume context.
+
+import { parseCommit } from "./c31_commits.ts";
+import { fetchRepoCommits, type GithubCommit } from "./c14_github.ts";
+import type {
+  AgentReport,
+  FailureSlice,
+  RecentFlagged,
+} from "./c31_reports_demo.ts";
+
+type LiveAgentSlug = AgentReport["slug"] | "unknown";
+
+export const detectAgent = (msg: string): LiveAgentSlug => {
+  if (/Co-Authored-By:.*Claude/i.test(msg)) return "claude-code";
+  if (/Co-Authored-By:.*Cursor/i.test(msg)) return "cursor";
+  if (/Co-Authored-By:.*Aider/i.test(msg)) return "aider";
+  return "unknown";
+};
+
+const AGENT_NAMES: Record<AgentReport["slug"], string> = {
+  "claude-code": "Claude Code",
+  cursor: "Cursor",
+  aider: "Aider",
+};
+
+// 30-day daily commit-count series, oldest → newest. When there are no
+// commits in a day, that day's value is 0 — the sparkline still renders
+// but flat-lines, which honestly reflects the data.
+export const buildTrend = (commits: GithubCommit[], days = 30): number[] => {
+  const out = new Array<number>(days).fill(0);
+  const today = new Date();
+  today.setUTCHours(0, 0, 0, 0);
+  for (const c of commits) {
+    const d = new Date(c.commit.author.date);
+    d.setUTCHours(0, 0, 0, 0);
+    const ageDays = Math.floor((today.getTime() - d.getTime()) / (24 * 60 * 60 * 1000));
+    if (ageDays < 0 || ageDays >= days) continue;
+    const idx = days - 1 - ageDays;
+    const cur = out[idx] ?? 0;
+    out[idx] = cur + 1;
+  }
+  return out;
+};
+
+const buildAgentReport = (
+  slug: AgentReport["slug"],
+  agentCommits: GithubCommit[],
+  repoSlug: string,
+): AgentReport => {
+  const tagged = agentCommits.filter((c) => {
+    const phase = parseCommit(c.commit.message).phase;
+    return phase === "red" || phase === "green" || phase === "refactor";
+  });
+  const phaseCoveragePct = agentCommits.length === 0
+    ? 0
+    : Math.round((tagged.length / agentCommits.length) * 100);
+
+  // Score is a proxy: phase-coverage is the only structural signal we
+  // can compute without running the test suite. When coverage is 0 the
+  // agent isn't attempting TDD, so the score is honestly low.
+  const score = phaseCoveragePct;
+
+  // Failure mix collapses to two slices for live data — phase-tagged vs
+  // not. Fine-grained failure modes (red-did-not-fail, test-deleted, etc)
+  // need the runner sliver before they're computable.
+  const failureMix: FailureSlice[] = [
+    { label: "phase-tagged", pct: phaseCoveragePct, tone: "green" },
+    { label: "no phase tag", pct: 100 - phaseCoveragePct, tone: "muted" },
+  ];
+
+  const recent: RecentFlagged[] = agentCommits
+    .slice(0, 5)
+    .map((c) => {
+      const parsed = parseCommit(c.commit.message);
+      const phase = parsed.phase === "red" || parsed.phase === "green" || parsed.phase === "refactor"
+        ? parsed.phase
+        : "green";
+      const failure = parsed.phase === "untagged" || parsed.phase === "init"
+        ? "no phase tag"
+        : `${parsed.phase} (live judge not yet wired)`;
+      return {
+        date: c.commit.author.date.slice(0, 10),
+        repo: repoSlug,
+        sha: c.sha.slice(0, 7),
+        phase,
+        failure,
+        pts: 0,
+      };
+    });
+
+  const topIssueLabel = phaseCoveragePct === 100 ? "no current issues" : "no phase tag";
+  const topIssuePct = 100 - phaseCoveragePct;
+
+  return {
+    slug,
+    name: AGENT_NAMES[slug],
+    score,
+    delta: 0,
+    commits: agentCommits.length,
+    phaseCoveragePct,
+    streak: 0,
+    streakBroken: false,
+    topIssueLabel,
+    topIssuePct,
+    failureMix,
+    trend: buildTrend(agentCommits),
+    recent,
+  };
+};
+
+export interface LiveReports {
+  reports: AgentReport[];
+  unknownCount: number;
+  totalCommits: number;
+  earliest: string | null;
+  latest: string | null;
+  fetchedAt: number;
+}
+
+export const buildLiveReports = async (
+  repoOwner: string,
+  repoName: string,
+  perPage = 100,
+): Promise<LiveReports> => {
+  const commits = await fetchRepoCommits(repoOwner, repoName, perPage);
+  const repoSlug = `${repoOwner}/${repoName}`;
+  const byAgent = new Map<AgentReport["slug"], GithubCommit[]>();
+  let unknownCount = 0;
+
+  for (const c of commits) {
+    const a = detectAgent(c.commit.message);
+    if (a === "unknown") {
+      unknownCount++;
+      continue;
+    }
+    const arr = byAgent.get(a) ?? [];
+    arr.push(c);
+    byAgent.set(a, arr);
+  }
+
+  const order: AgentReport["slug"][] = ["claude-code", "cursor", "aider"];
+  const reports = order
+    .map((slug) => {
+      const list = byAgent.get(slug);
+      if (!list || list.length === 0) return null;
+      return buildAgentReport(slug, list, repoSlug);
+    })
+    .filter((r): r is AgentReport => r !== null);
+
+  const dates = commits.map((c) => c.commit.author.date).sort();
+  const earliest = dates[0] ?? null;
+  const latest = dates[dates.length - 1] ?? null;
+
+  return {
+    reports,
+    unknownCount,
+    totalCommits: commits.length,
+    earliest,
+    latest,
+    fetchedAt: Date.now(),
+  };
+};
diff --git a/src/c14_real_tests.test.ts b/src/c14_real_tests.test.ts
new file mode 100644
index 0000000000000000000000000000000000000000..195891383eedac04d7837fa6d7f7ef62873819e7
--- /dev/null
+++ b/src/c14_real_tests.test.ts
@@ -0,0 +1,66 @@
+// Sibling test for c32_real_tests.ts. buildLiveTestData fans out to
+// loadTestBundle + fetchRepoCommits (both network/disk) so the
+// end-to-end is covered by the live /reports/live/tests route. The
+// pure helpers — agent attribution and the file/name label shortener —
+// are unit-testable here.
+
+import { describe, test, expect } from "bun:test";
+import {
+  detectAgent,
+  shortenTestLabel,
+  buildLiveTestData,
+} from "./c14_real_tests.ts";
+
+describe("c32_real_tests — detectAgent", () => {
+  test("recognises Claude Code via Co-Authored-By: Claude", () => {
+    expect(detectAgent("Add feature\n\nCo-Authored-By: Claude <noreply>")).toBe("claude-code");
+  });
+
+  test("recognises Cursor", () => {
+    expect(detectAgent("Fix bug\n\nCo-Authored-By: Cursor <ai@cursor.sh>")).toBe("cursor");
+  });
+
+  test("recognises Aider", () => {
+    expect(detectAgent("Refactor x\n\nCo-Authored-By: aider")).toBe("aider");
+  });
+
+  test("returns null when no recognised footer is present (distinct from c32_real_reports which returns 'unknown')", () => {
+    // The two real_* files made different choices here: real_reports
+    // buckets unknown into its own slug; real_tests returns null so
+    // the caller can filter or fall back. Document the difference.
+    expect(detectAgent("Just a commit")).toBeNull();
+    expect(detectAgent("")).toBeNull();
+  });
+
+  test("the regex is case-insensitive on the agent token", () => {
+    expect(detectAgent("Co-Authored-By: CLAUDE")).toBe("claude-code");
+    expect(detectAgent("co-authored-by: aider")).toBe("aider");
+  });
+});
+
+describe("c32_real_tests — shortenTestLabel", () => {
+  test("keeps only the basename of the file path + the test name", () => {
+    expect(shortenTestLabel("src/foo/bar/baz.test.ts", "handles X")).toBe("baz.test.ts > handles X");
+  });
+
+  test("handles a bare filename (no path) without splitting weirdly", () => {
+    expect(shortenTestLabel("baz.test.ts", "handles X")).toBe("baz.test.ts > handles X");
+  });
+
+  test("handles an empty file string (falls back to the empty basename)", () => {
+    // .split('/').pop() on '' yields ''. Documented behaviour: the
+    // helper never throws; the caller decides whether to filter empties.
+    expect(shortenTestLabel("", "name")).toBe(" > name");
+  });
+
+  test("preserves spaces and special chars in the test name", () => {
+    expect(shortenTestLabel("a.ts", "rejects `bad input`")).toBe("a.ts > rejects `bad input`");
+  });
+});
+
+describe("c32_real_tests — orchestrator entry point", () => {
+  test("buildLiveTestData is exported as an async function", () => {
+    expect(typeof buildLiveTestData).toBe("function");
+    expect(buildLiveTestData.length).toBe(2);
+  });
+});
diff --git a/src/c14_real_tests.ts b/src/c14_real_tests.ts
new file mode 100644
index 0000000000000000000000000000000000000000..d26637df79241040537bc2d4188bbf4679e5cafd
--- /dev/null
+++ b/src/c14_real_tests.ts
@@ -0,0 +1,142 @@
+// c32 — logic: aggregate the per-deploy test bundle into the same
+// TestSnapshot[] / TestStability[] shape that the demo page renders.
+// HEAD-only snapshots; stability accumulates as more deploys add runs.
+//
+// Pure given the bundle + commits in (no I/O of its own beyond delegating
+// to c14_github's bundle loader and commits fetcher).
+
+import { fetchRepoCommits, loadTestBundle, type PlaceholderTest } from "./c14_github.ts";
+import type {
+  AgentReport,
+  TestFailure,
+  TestSnapshot,
+  TestStability,
+} from "./c31_reports_demo.ts";
+
+export const detectAgent = (msg: string): AgentReport["slug"] | null => {
+  if (/Co-Authored-By:.*Claude/i.test(msg)) return "claude-code";
+  if (/Co-Authored-By:.*Cursor/i.test(msg)) return "cursor";
+  if (/Co-Authored-By:.*Aider/i.test(msg)) return "aider";
+  return null;
+};
+
+export const shortenTestLabel = (file: string, name: string): string => {
+  const base = file.split("/").pop() ?? file;
+  return `${base} > ${name}`;
+};
+
+export interface LiveTestData {
+  snapshots: TestSnapshot[];
+  stability: TestStability[];
+  runsCount: number;
+  ranAt: number | null;
+  headSha: string | null;
+  placeholderTests: PlaceholderTest[];
+}
+
+export const buildLiveTestData = async (
+  repoOwner: string,
+  repoName: string,
+): Promise<LiveTestData> => {
+  const bundle = await loadTestBundle(repoOwner, repoName);
+  if (!bundle || bundle.runs.length === 0) {
+    return { snapshots: [], stability: [], runsCount: 0, ranAt: null, headSha: null, placeholderTests: [] };
+  }
+  const repoSlug = `${repoOwner}/${repoName}`;
+  const latest = bundle.runs[0];
+  if (!latest) {
+    return { snapshots: [], stability: [], runsCount: 0, ranAt: null, headSha: null, placeholderTests: [] };
+  }
+
+  // For "since" we want the oldest run that has this test as failing.
+  const oldestFirst = [...bundle.runs].sort((a, b) => a.ranAt - b.ranAt);
+
+  const failures: TestFailure[] = latest.tests
+    .filter((t) => t.status === "fail")
+    .map((t) => {
+      const firstFail = oldestFirst.find((r) =>
+        r.tests.some((x) => x.name === t.name && x.file === t.file && x.status === "fail"),
+      );
+      const sinceTs = firstFail?.ranAt ?? latest.ranAt;
+      return { test: shortenTestLabel(t.file, t.name), since: new Date(sinceTs).toISOString().slice(0, 10) };
+    });
+
+  const snapshot: TestSnapshot = {
+    repo: repoSlug,
+    branch: latest.branch,
+    total: latest.total,
+    passing: latest.passing,
+    failing: latest.failing,
+    failures,
+  };
+
+  // Stability: count pass/fail per (file, name) across every run, with
+  // "deleted" set when a previously-seen test is missing from latest.
+  const commits = await fetchRepoCommits(repoOwner, repoName, 100);
+  const shaToAgent = new Map<string, AgentReport["slug"] | null>();
+  for (const c of commits) shaToAgent.set(c.sha, detectAgent(c.commit.message));
+
+  interface Stat {
+    name: string;
+    file: string;
+    pass: number;
+    fail: number;
+    lastBrokenSha: string | null;
+    lastBrokenAt: number;
+  }
+  const stats = new Map<string, Stat>();
+  for (const run of bundle.runs) {
+    for (const t of run.tests) {
+      const key = `${t.file}|${t.name}`;
+      let s = stats.get(key);
+      if (!s) {
+        s = { name: t.name, file: t.file, pass: 0, fail: 0, lastBrokenSha: null, lastBrokenAt: 0 };
+        stats.set(key, s);
+      }
+      if (t.status === "pass") s.pass++;
+      else {
+        s.fail++;
+        if (run.ranAt > s.lastBrokenAt) {
+          s.lastBrokenSha = run.sha;
+          s.lastBrokenAt = run.ranAt;
+        }
+      }
+    }
+  }
+
+  const latestKeys = new Set(latest.tests.map((t) => `${t.file}|${t.name}`));
+
+  // lastBrokenBy needs an agent slug; if we can't map a SHA to an agent
+  // (e.g. the commit isn't in the 100-commit window we fetch), fall
+  // back to the agent of the latest run, which is a defensible default
+  // for the dogfood case (one agent producing the history).
+  const fallbackAgent = (shaToAgent.get(latest.sha) ?? "claude-code") as AgentReport["slug"];
+
+  const stability: TestStability[] = Array.from(stats.values())
+    .map<TestStability>((s) => {
+      const mapped = s.lastBrokenSha ? shaToAgent.get(s.lastBrokenSha) : null;
+      const agent = (mapped ?? fallbackAgent) as AgentReport["slug"];
+      const deleted = latestKeys.has(`${s.file}|${s.name}`) ? 0 : 1;
+      const flagged = s.fail > 0 && (deleted > 0 || s.fail >= Math.max(2, s.pass / 5));
+      return {
+        test: shortenTestLabel(s.file, s.name),
+        repo: repoSlug,
+        pass: s.pass,
+        fail: s.fail,
+        deleted,
+        lastBrokenBy: agent,
+        flagged,
+      };
+    })
+    .sort((a, b) => b.fail - a.fail || b.deleted - a.deleted || b.pass - a.pass)
+    .slice(0, 30);
+
+  return {
+    snapshots: [snapshot],
+    stability,
+    runsCount: bundle.runs.length,
+    ranAt: latest.ranAt,
+    headSha: latest.sha,
+    placeholderTests: latest.placeholderTests ?? [],
+  };
+};
diff --git a/src/c14_sama_profile.test.ts b/src/c14_sama_profile.test.ts
new file mode 100644
index 0000000000000000000000000000000000000000..52fcc6f08b463b7afef0911df7a2a8edfc2a10fe
--- /dev/null
+++ b/src/c14_sama_profile.test.ts
@@ -0,0 +1,153 @@
+import { describe, test, expect } from "bun:test";
+import { parseProfileToml } from "./c14_sama_profile.ts";
+
+describe("c14_sama_profile — parseProfileToml", () => {
+  test("parses the minimum required top-level keys", () => {
+    const p = parseProfileToml(`
+sama_version = "2.0"
+profile = "tdd-md"
+
+[layers.0]
+prefixes = ["c31_"]
+
+[layers.1]
+prefixes = ["c32_"]
+
+[layers.2]
+prefixes = ["c13_"]
+
+[layers.3]
+prefixes = ["c11_"]
+`);
+    expect(p.samaVersion).toBe("2.0");
+    expect(p.profile).toBe("tdd-md");
+  });
+
+  test("a flat-prefix layer maps to a single synthetic sublayer named 'default'", () => {
+    const p = parseProfileToml(`
+sama_version = "2.0"
+profile = "x"
+
+[layers.0]
+prefixes = ["c31_"]
+
+[layers.1]
+prefixes = []
+
+[layers.2]
+prefixes = []
+
+[layers.3]
+prefixes = []
+`);
+    expect(p.layers[0].sublayers).toHaveLength(1);
+    expect(p.layers[0].sublayers[0]).toEqual({ name: "default", prefix: "c31_", index: 0 });
+  });
+
+  test("a subdivided layer carries sublayer index = position in the array", () => {
+    const p = parseProfileToml(`
+sama_version = "2.0"
+profile = "x"
+
+[layers.0]
+prefixes = []
+
+[layers.1]
+sublayers = [
+  { name = "logic",  prefix = "c32_" },
+  { name = "render", prefix = "c51_" },
+]
+
+[layers.2]
+prefixes = []
+
+[layers.3]
+prefixes = []
+`);
+    expect(p.layers[1].sublayers).toHaveLength(2);
+    expect(p.layers[1].sublayers[0]).toEqual({ name: "logic",  prefix: "c32_", index: 0 });
+    expect(p.layers[1].sublayers[1]).toEqual({ name: "render", prefix: "c51_", index: 1 });
+  });
+
+  test("comments are stripped", () => {
+    const p = parseProfileToml(`
+# leading comment
+sama_version = "2.0"  # trailing comment
+profile = "x"
+
+[layers.0]
+prefixes = ["c31_"] # another
+
+[layers.1]
+prefixes = []
+
+[layers.2]
+prefixes = []
+
+[layers.3]
+prefixes = []
+`);
+    expect(p.samaVersion).toBe("2.0");
+    expect(p.layers[0].sublayers[0]!.prefix).toBe("c31_");
+  });
+
+  test("missing top-level keys throws a clear error", () => {
+    expect(() => parseProfileToml(`profile = "x"\n[layers.0]\n[layers.1]\n[layers.2]\n[layers.3]\n`))
+      .toThrow(/sama_version/);
+    expect(() => parseProfileToml(`sama_version = "2.0"\n[layers.0]\n[layers.1]\n[layers.2]\n[layers.3]\n`))
+      .toThrow(/profile/);
+  });
+
+  test("missing a required layer section throws a clear error", () => {
+    expect(() => parseProfileToml(`
+sama_version = "2.0"
+profile = "x"
+
+[layers.0]
+prefixes = []
+
+[layers.1]
+prefixes = []
+
+[layers.2]
+prefixes = []
+`)).toThrow(/layers\.3/);
+  });
+
+  test("parses the actual repo profile file", () => {
+    // Inline copy of the real-repo profile to keep this test
+    // hermetic — no filesystem read. If sama.profile.toml's shape
+    // ever drifts, this test pins what the parser supports.
+    const real = `
+sama_version = "2.0"
+profile = "tdd-md"
+
+[layers.0]
+prefixes = ["c31_"]
+
+[layers.1]
+sublayers = [
+  { name = "logic",  prefix = "c32_" },
+  { name = "render", prefix = "c51_" },
+]
+
+[layers.2]
+sublayers = [
+  { name = "data", prefix = "c13_" },
+  { name = "io",   prefix = "c14_" },
+]
+
+[layers.3]
+sublayers = [
+  { name = "handlers", prefix = "c21_" },
+  { name = "server",   prefix = "c11_" },
+]
+`;
+    const p = parseProfileToml(real);
+    expect(p.profile).toBe("tdd-md");
+    expect(p.layers[0].sublayers.map((s) => s.prefix)).toEqual(["c31_"]);
+    expect(p.layers[1].sublayers.map((s) => s.name)).toEqual(["logic", "render"]);
+    expect(p.layers[2].sublayers.map((s) => s.name)).toEqual(["data", "io"]);
+    expect(p.layers[3].sublayers.map((s) => s.name)).toEqual(["handlers", "server"]);
+  });
+});
diff --git a/src/c14_sama_profile.ts b/src/c14_sama_profile.ts
new file mode 100644
index 0000000000000000000000000000000000000000..a3343c486a287613b15d899bf17d77f29b2c63db
--- /dev/null
+++ b/src/c14_sama_profile.ts
@@ -0,0 +1,236 @@
+// c14 — adapter: loads + parses sama.profile.toml (the SAMA v2 profile
+// declaration at the repo root) and walks the source tree to feed the
+// v2 verifier. Layer 2 in SAMA v2 terms: this is the boundary where
+// external input (the TOML file on disk + the contents of src/) is
+// parsed into the typed SamaV2Input shape that the pure verifier in
+// c32_sama_v2_verify consumes.
+//
+// The TOML parser handles the subset our profile uses (string values,
+// string arrays, and arrays of inline tables) — not full TOML. The
+// alternative is depending on an external parser; the subset is small
+// enough that an inline implementation keeps the verifier dependency-
+// free and easy to inspect.
+
+import { readdirSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import type {
+  LayerNumber,
+  LayerSpec,
+  ProfileSpec,
+  SamaV2Input,
+  Sublayer,
+} from "./c31_sama_v2.ts";
+
+// — TOML subset parser ----------------------------------------------
+
+const stripComment = (line: string): string => {
+  // Comments only outside string literals. Our profile keeps no '#'
+  // inside strings so a naive split on the first '#' is fine. If the
+  // profile ever needs that, escape via a sentinel and post-process.
+  const idx = line.indexOf("#");
+  return idx === -1 ? line : line.slice(0, idx);
+};
+
+const parseStringValue = (raw: string): string => {
+  const t = raw.trim();
+  if ((t.startsWith('"') && t.endsWith('"')) || (t.startsWith("'") && t.endsWith("'"))) {
+    return t.slice(1, -1);
+  }
+  throw new Error(`expected quoted string, got: ${raw}`);
+};
+
+const parseStringArray = (raw: string): string[] => {
+  // Expect `[ "a", "b", ... ]` on a single line.
+  const t = raw.trim();
+  if (!t.startsWith("[") || !t.endsWith("]")) {
+    throw new Error(`expected [..] array, got: ${raw}`);
+  }
+  const inner = t.slice(1, -1).trim();
+  if (inner === "") return [];
+  return inner.split(",").map((s) => parseStringValue(s.trim()));
+};
+
+const parseInlineTable = (raw: string): Record<string, string> => {
+  // Expect `{ key = "value", key2 = "value2" }` on one line.
+  const t = raw.trim();
+  if (!t.startsWith("{") || !t.endsWith("}")) {
+    throw new Error(`expected inline table, got: ${raw}`);
+  }
+  const inner = t.slice(1, -1).trim();
+  const out: Record<string, string> = {};
+  if (inner === "") return out;
+  // Split on commas that aren't inside a quoted string. Our subset
+  // doesn't use quoted commas, so a plain split is enough.
+  for (const pair of inner.split(",")) {
+    const eq = pair.indexOf("=");
+    if (eq === -1) throw new Error(`malformed inline-table entry: ${pair}`);
+    const key = pair.slice(0, eq).trim();
+    const value = pair.slice(eq + 1).trim();
+    out[key] = parseStringValue(value);
+  }
+  return out;
+};
+
+interface ParseState {
+  sections: Map<string, Map<string, unknown>>;
+}
+
+export const parseProfileToml = (text: string): ProfileSpec => {
+  const state: ParseState = { sections: new Map() };
+  const top = new Map<string, unknown>();
+  state.sections.set("__top__", top);
+
+  // Pre-process: join continuation lines for multi-line arrays of
+  // inline tables. Walk by char-level bracket tracking — when '[' is
+  // open in a value, keep accumulating until the matching ']' arrives.
+  const physLines = text.split("\n");
+  const logical: string[] = [];
+  let buf = "";
+  let depth = 0;
+  for (const raw of physLines) {
+    const line = stripComment(raw);
+    if (depth === 0) {
+      if (buf === "") buf = line; else buf += " " + line;
+    } else {
+      buf += " " + line;
+    }
+    for (const c of line) {
+      if (c === "[" || c === "{") depth++;
+      else if (c === "]" || c === "}") depth--;
+    }
+    if (depth <= 0) {
+      depth = 0;
+      logical.push(buf);
+      buf = "";
+    }
+  }
+  if (buf.trim() !== "") logical.push(buf);
+
+  let currentSection = "__top__";
+  for (const raw of logical) {
+    const line = raw.trim();
+    if (line === "") continue;
+    if (line.startsWith("[") && line.endsWith("]")) {
+      currentSection = line.slice(1, -1).trim();
+      if (!state.sections.has(currentSection)) {
+        state.sections.set(currentSection, new Map());
+      }
+      continue;
+    }
+    const eq = line.indexOf("=");
+    if (eq === -1) throw new Error(`unparseable line: ${line}`);
+    const key = line.slice(0, eq).trim();
+    const valueRaw = line.slice(eq + 1).trim();
+    let value: unknown;
+    if (valueRaw.startsWith("[") && valueRaw.endsWith("]")) {
+      // Array — string array or array of inline tables. Peek at the
+      // first non-bracket char inside.
+      const inner = valueRaw.slice(1, -1).trim();
+      if (inner.startsWith("{")) {
+        // Array of inline tables. Split on commas at depth 0.
+        const tables: Array<Record<string, string>> = [];
+        let cur = "";
+        let d = 0;
+        for (const c of inner) {
+          if (c === "{") d++;
+          if (c === "}") d--;
+          if (c === "," && d === 0) {
+            tables.push(parseInlineTable(cur));
+            cur = "";
+          } else {
+            cur += c;
+          }
+        }
+        if (cur.trim() !== "") tables.push(parseInlineTable(cur));
+        value = tables;
+      } else {
+        value = parseStringArray(valueRaw);
+      }
+    } else {
+      value = parseStringValue(valueRaw);
+    }
+    state.sections.get(currentSection)!.set(key, value);
+  }
+
+  // Now assemble ProfileSpec.
+  const samaVersion = top.get("sama_version") as string | undefined;
+  const profile = top.get("profile") as string | undefined;
+  if (typeof samaVersion !== "string" || typeof profile !== "string") {
+    throw new Error("profile must declare `sama_version` and `profile` at the top level");
+  }
+
+  const buildLayer = (k: LayerNumber): LayerSpec => {
+    const sec = state.sections.get(`layers.${k}`);
+    if (!sec) {
+      throw new Error(`profile is missing required section [layers.${k}]`);
+    }
+    const sublayersRaw = sec.get("sublayers") as Array<Record<string, string>> | undefined;
+    const prefixes = sec.get("prefixes") as string[] | undefined;
+    const subs: Sublayer[] = [];
+    if (sublayersRaw && sublayersRaw.length > 0) {
+      sublayersRaw.forEach((row, index) => {
+        if (!row.name || !row.prefix) {
+          throw new Error(`[layers.${k}] sublayer ${index} missing name/prefix`);
+        }
+        subs.push({ name: row.name, prefix: row.prefix, index });
+      });
+    } else if (prefixes && prefixes.length > 0) {
+      prefixes.forEach((prefix, index) => {
+        subs.push({ name: "default", prefix, index });
+      });
+    } else {
+      // Empty layer is permitted (spec §2.1: "Leave a canonical layer
+      // empty"). The verifier just won't assign any file to it.
+    }
+    return { sublayers: subs };
+  };
+
+  return {
+    samaVersion,
+    profile,
+    layers: {
+      0: buildLayer(0),
+      1: buildLayer(1),
+      2: buildLayer(2),
+      3: buildLayer(3),
+    },
+  };
+};
+
+// — Filesystem I/O --------------------------------------------------
+
+const REPO_ROOT_GUESS = process.cwd();
+
+export const loadProfile = async (
+  repoRoot: string = REPO_ROOT_GUESS,
+): Promise<ProfileSpec> => {
+  const path = resolve(repoRoot, "sama.profile.toml");
+  const text = await Bun.file(path).text();
+  return parseProfileToml(text);
+};
+
+// Walk src/ and read every .ts (sources + test siblings) into a map
+// keyed by repo-relative path ("src/cXX_*.ts").
+export const loadRepoFiles = (
+  repoRoot: string = REPO_ROOT_GUESS,
+): Map<string, string> => {
+  const srcDir = resolve(repoRoot, "src");
+  const out = new Map<string, string>();
+  const entries = readdirSync(srcDir, { withFileTypes: true });
+  for (const e of entries) {
+    if (!e.isFile() || !e.name.endsWith(".ts")) continue;
+    const repoPath = `src/${e.name}`;
+    out.set(repoPath, readFileSync(resolve(srcDir, e.name), "utf8"));
+  }
+  return out;
+};
+
+// Convenience: composes loadProfile + loadRepoFiles into the
+// SamaV2Input the verifier consumes. Handler code calls this then
+// passes the result straight to verifySamaV2.
+export const buildSamaV2Input = async (
+  repoRoot: string = REPO_ROOT_GUESS,
+): Promise<SamaV2Input> => ({
+  profile: await loadProfile(repoRoot),
+  files: loadRepoFiles(repoRoot),
+});
diff --git a/src/c21_app.ts b/src/c21_app.ts
index ca0d9f6af37c9e33e040f248a43ef4207f1f4a63..0b181f7fbfd1c43ee1e294997dfad61dd81952ba 100644
--- a/src/c21_app.ts
+++ b/src/c21_app.ts
@@ -33,6 +33,7 @@ import {
   samaCliResponse,
   samaSkillHandler,
   samaV2Handler,
+  samaV2VerifyHandler,
   samaVerifyHandler,
   samaLandingHandler,
   samaSlugHandler,
@@ -362,6 +363,8 @@ ${rows}
 
   "/sama/v2": samaV2Handler,
 
+  "/sama/v2/verify": samaV2VerifyHandler,
+
   "/sama/verify": samaVerifyHandler,
 
   "/sama": samaLandingHandler,
diff --git a/src/c21_handlers_api_agents.ts b/src/c21_handlers_api_agents.ts
index 531f6ab906b109833517cf6787f74130601c78b4..59b9c8d8e7f4cc01937a6768ccec6873ca5e3fcb 100644
--- a/src/c21_handlers_api_agents.ts
+++ b/src/c21_handlers_api_agents.ts
@@ -5,7 +5,7 @@
 // judge entry point lives in c21_handlers_webhook — different auth
 // model (HMAC), different concept.
 
-import { judge } from "./c32_judge.ts";
+import { judge } from "./c14_judge.ts";
 import { timingSafeEqual } from "./c32_session.ts";
 import {
   FORGEJO_URL,
diff --git a/src/c21_handlers_reports.ts b/src/c21_handlers_reports.ts
index ea3b65998d679daba7a367e064493bd6b2d02519..1c5635414ebfca3b45953797aae6c58b08492c8c 100644
--- a/src/c21_handlers_reports.ts
+++ b/src/c21_handlers_reports.ts
@@ -21,8 +21,8 @@ import {
   DEMO_SNAPSHOTS,
   DEMO_STABILITY,
 } from "./c31_reports_demo.ts";
-import { buildLiveReports } from "./c32_real_reports.ts";
-import { buildLiveTestData } from "./c32_real_tests.ts";
+import { buildLiveReports } from "./c14_real_reports.ts";
+import { buildLiveTestData } from "./c14_real_tests.ts";
 import {
   LIVE_REPO_OWNER,
   LIVE_REPO_NAME,
diff --git a/src/c21_handlers_sama.ts b/src/c21_handlers_sama.ts
index 238395fceb829a79afb606be000fa9eeff7de994..eec9daadfdf834f244e9340ddd7cd82a800212ee 100644
--- a/src/c21_handlers_sama.ts
+++ b/src/c21_handlers_sama.ts
@@ -61,6 +61,71 @@ export const samaSkillHandler = async (): Promise<Response> => {
   return htmlResponse(html);
 };
 
+// -------- /sama/v2/verify (the v2 dogfood — runs the v2 verifier
+// against this repo using sama.profile.toml) --------
+
+import { buildSamaV2Input } from "./c14_sama_profile.ts";
+import { verifySamaV2 } from "./c32_sama_v2_verify.ts";
+import type { SamaV2Report } from "./c31_sama_v2.ts";
+
+const renderV2Report = (report: SamaV2Report): string => {
+  const summary = report.overallPassed
+    ? `✓ conforms · profile \`${report.profile}\` · ${report.examined} files examined · ${report.checks.length}/${report.checks.length} checks pass`
+    : `${report.checks.filter((c) => c.passed).length}/${report.checks.length} checks pass · profile \`${report.profile}\` · ${report.examined} files examined`;
+  const rows = report.checks
+    .map((c) => {
+      const mark = c.passed ? "✓ pass" : `✗ ${c.violations.length} violation${c.violations.length === 1 ? "" : "s"}`;
+      return `| #${c.id} ${c.name} | ${mark} | ${c.examined} |`;
+    })
+    .join("\n");
+  const details = report.checks
+    .filter((c) => !c.passed)
+    .map((c) => {
+      const head = `### ✗ #${c.id} ${c.name}\n`;
+      const noteBlock = c.note ? `\n*${c.note}*\n` : "";
+      const list = c.violations
+        .map((v) => `- \`${v.file}\` — ${v.detail}`)
+        .join("\n");
+      return `${head}${noteBlock}\n${list}\n`;
+    })
+    .join("\n");
+  return `# SAMA v2 — \`syntaxai/tdd.md\` dogfood
+
+> ${summary}
+
+The verifier in [\`src/c32_sama_v2_verify.ts\`](/GIT/syntaxai/tdd.md/blob/main/src/c32_sama_v2_verify.ts) ingests [\`sama.profile.toml\`](/GIT/syntaxai/tdd.md/blob/main/sama.profile.toml) and runs the seven §4 conformance checks against the current source tree on this server. No clone, no token; the server reads its own \`src/\` and the committed profile, runs the same logic the sibling unit tests cover, and renders the verdict below.
+
+| check | verdict | examined |
+|---|---|---|
+${rows}
+
+${details ? `## Open violations\n\n${details}` : ""}
+
+[← /sama/v2](/sama/v2) · [← /sama](/sama) · [the v1 dogfood](/sama/verify?repo=syntaxai/tdd.md)
+`;
+};
+
+export const samaV2VerifyHandler = async (): Promise<Response> => {
+  let body: string;
+  try {
+    const input = await buildSamaV2Input();
+    const report = verifySamaV2(input);
+    body = renderV2Report(report);
+  } catch (err) {
+    body = `# SAMA v2 verify — error\n\nThe verifier failed before producing a verdict:\n\n\`\`\`\n${(err as Error).message}\n\`\`\`\n\n[← /sama/v2](/sama/v2)`;
+  }
+  const html = await renderDocsPage({
+    title: "SAMA v2 verify · syntaxai/tdd.md — tdd.md",
+    description:
+      "Live dogfood: tdd.md's own source tree run through the SAMA v2 verifier. Reads sama.profile.toml + src/*.ts, applies the seven §4 conformance checks, renders the verdict.",
+    bodyMarkdown: body,
+    ogPath: "https://tdd.md/sama/v2/verify",
+    active: "sama",
+    pathForDocs: "/sama/v2/verify",
+  });
+  return htmlResponse(html);
+};
+
 // -------- /sama/v2 (the SAMA v2 Core Specification — draft) --------
 
 export const samaV2Handler = async (): Promise<Response> => {
diff --git a/src/c21_handlers_webhook.ts b/src/c21_handlers_webhook.ts
index 0f1f3334c4d6946b6c61b63d0b7bfd1bc3548808..ad109c9e810b166dddca9acacf8e62f930b76f33 100644
--- a/src/c21_handlers_webhook.ts
+++ b/src/c21_handlers_webhook.ts
@@ -6,7 +6,7 @@
 // and the failure semantics (ack-and-fire vs. wait-for-verdict) are
 // genuinely different concepts.
 
-import { judge } from "./c32_judge.ts";
+import { judge } from "./c14_judge.ts";
 import { timingSafeEqual, hmacSha256Hex } from "./c32_session.ts";
 
 export const forgejoWebhookHandler = async (req: Request): Promise<Response> => {
diff --git a/src/c31_blog.ts b/src/c31_blog.ts
index 3b90e7d652ed6608a5ad2503700a1c2ac8961b9c..083b556b1791efe626572c2acace9f3520d1168b 100644
--- a/src/c31_blog.ts
+++ b/src/c31_blog.ts
@@ -12,6 +12,12 @@ export interface BlogEntry {
 }
 
 export const ALL_POSTS: BlogEntry[] = [
+  {
+    slug: "deploy-that-lies-cascade",
+    title: "When the deploy lies: three bugs hidden by one silent error suppressor",
+    description: "/reports/live had been stuck on a 12-day-old window because the deploy script's snapshot step was failing silently (no bun on the p620 host, the failure was swallowed by 2>/dev/null and a 'non-fatal skipped' echo). Fix one: run the snapshot via podman. That exposed a second silent skip — snapshot-tests had been missing from the git-mode deploy entirely. Fix two: add it. That made bun test actually run in CI for the first time and exposed two more bugs — a 1-in-16 flaky test and a false-positive placeholder where the verifier's own test fixture was being grepped as a real test. Three bugs in one PR. The empirical lesson: verification only works if the pipeline that runs it isn't lying about whether it ran.",
+    date: "2026-05-22",
+  },
   {
     slug: "sama-empirical-modeled-green",
     title: "Greening our own dogfood: four sibling tests, the live verifier flipped from 3/4 to 4/4",
diff --git a/src/c31_git_parse.ts b/src/c31_git_parse.ts
index 404f1261633eec5c14b9a013b04d60aab14c84fe..65b9ed97549e4b1d33798aa8795c69113475810f 100644
--- a/src/c31_git_parse.ts
+++ b/src/c31_git_parse.ts
@@ -81,3 +81,35 @@ export const parseLsTreeLine = (line: string): LsTreeEntry | null => {
   if (type !== "blob" && type !== "tree" && type !== "commit") return null;
   return { mode: mode!, type, sha: sha!, path };
 };
+
+// Tree-listing entry returned by c14_git.lsTree. Defined here in
+// Layer 0 (Pure) per SAMA v2 §1.1 so c51 render code (and other
+// readers) can reference the type without importing from Layer 2.
+// Distinct from LsTreeEntry above: that's the raw parsed line; this
+// is the cleaned-up shape c14_git exposes to callers.
+export interface TreeEntry {
+  name: string;            // basename, e.g. "skill.md" or "blog"
+  type: "blob" | "tree" | "commit";
+  sha: string;
+  mode: string;
+}
+
+// Result types for c14_git.commitFile etc. Defined here in Layer 0
+// (Pure) per SAMA v2 §1.1 so c51 render code can match against the
+// discriminated union without crossing import direction.
+export interface GitCommitOk {
+  ok: true;
+  commitSha: string;
+}
+
+export interface GitCommitFailure {
+  ok: false;
+  // "conflict"   → ref tip moved under us (someone else committed)
+  // "not_found"  → branch doesn't exist
+  // "permission" → fs perms on the bare repo
+  // "other"      → anything else (look at .message)
+  kind: "conflict" | "not_found" | "permission" | "other";
+  message: string;
+}
+
+export type GitCommitOutcome = GitCommitOk | GitCommitFailure;
diff --git a/src/c31_project_config.ts b/src/c31_project_config.ts
index 95a1b5c36b334cbba67db2f97312347227093ea5..3d5b9876beb7c059c29c1a73c84c1808b0b59963 100644
--- a/src/c31_project_config.ts
+++ b/src/c31_project_config.ts
@@ -100,3 +100,19 @@ export const parseRepoIdentifier = (raw: string): { owner: string; repo: string
   }
   return { owner, repo };
 };
+
+// Row-shape returned by c13_database for project records. Defined here
+// in Layer 0 (Pure) per SAMA v2 §1.1 so c51 render code can reference
+// the type without importing from Layer 2 (Adapter).
+export interface ProjectRow {
+  id: number;
+  registeredBy: string;
+  repoOwner: string;
+  repoName: string;
+  testRunner: TestRunner;
+  trackedBranches: string[];
+  displayName: string | null;
+  team: string | null;
+  registeredAt: number;
+  status: "active" | "paused";
+}
diff --git a/src/c31_sama_v2.ts b/src/c31_sama_v2.ts
new file mode 100644
index 0000000000000000000000000000000000000000..6031a8065d4707c3a28c610c3e6abb5de4cecfdd
--- /dev/null
+++ b/src/c31_sama_v2.ts
@@ -0,0 +1,97 @@
+// c31 — model: types for the SAMA v2 verifier pipeline. Pure data
+// shapes: the parsed profile (ProfileSpec), the verifier's input
+// (SamaV2Input), and its output (SamaV2Report). No I/O lives here;
+// c14_sama_profile parses the .toml into ProfileSpec, c32_sama_v2_verify
+// applies the seven §4 checks against (ProfileSpec, files), and
+// c21_handlers_sama renders the SamaV2Report.
+
+export type LayerNumber = 0 | 1 | 2 | 3;
+
+export interface Sublayer {
+  // Order within the array (in the source profile) = dependency order:
+  // later may import earlier, never the reverse. We carry the index
+  // here so the verifier can compare positions.
+  name: string;
+  prefix: string;
+  index: number;
+}
+
+export interface LayerSpec {
+  // A layer is either flat (an array of prefixes treated as one
+  // sublayer) or subdivided (an ordered list of sublayers with their
+  // own prefixes). The parser normalises flat layers into a single
+  // synthetic sublayer named "default".
+  sublayers: Sublayer[];
+}
+
+export interface ProfileSpec {
+  samaVersion: string;
+  profile: string;        // profile name, e.g. "tdd-md"
+  layers: {
+    0: LayerSpec;
+    1: LayerSpec;
+    2: LayerSpec;
+    3: LayerSpec;
+  };
+}
+
+export interface SamaV2Input {
+  profile: ProfileSpec;
+  // Map keyed by repo-relative path (e.g. "src/c11_server.ts") to
+  // file contents. The verifier never reads files itself; the loader
+  // populates this map.
+  files: Map<string, string>;
+}
+
+export interface SamaV2Violation {
+  file: string;
+  detail: string;
+}
+
+export interface SamaV2Check {
+  // Stable IDs matching §4 of the spec.
+  id: 1 | 2 | 3 | 4 | 5 | 6 | 7;
+  // Display name used in the rendered report.
+  name: string;
+  // Property letter / phrase from the spec.
+  property:
+    | "Sorted"
+    | "Architecture"
+    | "Modeled (tests)"
+    | "Modeled (boundary)"
+    | "Atomic"
+    | "Law"
+    | "Consistency";
+  passed: boolean;
+  examined: number;
+  violations: SamaV2Violation[];
+  // Free-form note shown alongside the verdict — used for §4.4 where
+  // the profile may declare advisory-only enforcement.
+  note?: string;
+}
+
+export interface SamaV2Report {
+  profile: string;
+  // Total files examined across all checks (matches the count emitted
+  // by the §4.2 Architecture check).
+  examined: number;
+  checks: SamaV2Check[];
+  overallPassed: boolean;
+}
+
+// Helper used in the verifier and re-exported here so call sites can
+// type-narrow against the same source: returns the layer number a
+// file's basename declares, or null if no profile prefix matches.
+export const declaredLayer = (
+  path: string,
+  profile: ProfileSpec,
+): { layer: LayerNumber; sublayer: Sublayer } | null => {
+  const base = path.split("/").pop() ?? path;
+  for (const k of [0, 1, 2, 3] as LayerNumber[]) {
+    const spec = profile.layers[k];
+    for (const sub of spec.sublayers) {
+      if (base.startsWith(sub.prefix)) return { layer: k, sublayer: sub };
+    }
+  }
+  return null;
+};
diff --git a/src/c31_sxdoc.ts b/src/c31_sxdoc.ts
index 054f55f83b13669c520a6429ae3e15e587eb583e..b4e9e29a4bf8c3ea2ed682a301e7a599229b0573 100644
--- a/src/c31_sxdoc.ts
+++ b/src/c31_sxdoc.ts
@@ -140,3 +140,17 @@ export const emptyDocument = (): SxDocument => ({
   v: SX_DOC_VERSION,
   blocks: [],
 });
+
+// Row-shape returned by c13_database.listDocuments. Defined here in
+// Layer 0 (Pure) per SAMA v2 §1.1 so c51 render code can reference
+// the type without importing from Layer 2 (Adapter). The Adapter
+// (c13_database) imports this type to type its own return value.
+export interface SxDocumentSummary {
+  id: number;
+  slug: string;
+  type: "page" | "post";
+  title: string;
+  status: "published" | "draft";
+  primaryTag: string | null;
+  updatedAt: number;
+}
diff --git a/src/c32_judge.test.ts b/src/c32_judge.test.ts
deleted file mode 100644
index ce1933faeea354ee0f4b9d8a3ebef9ffb0019b22..0000000000000000000000000000000000000000
--- a/src/c32_judge.test.ts
+++ /dev/null
@@ -1,69 +0,0 @@
-// Sibling test for c32_judge.ts. The orchestrator itself (judge()) does
-// git clone + test execution and isn't unit-testable without a real
-// agent repo; the pure helpers underneath it (applyMode, explainRefactor)
-// are the structural surface that matters for scoring decisions. Cover
-// the mode-aware penalty math + the operator-facing explanations here.
-
-import { describe, test, expect } from "bun:test";
-import { applyMode, explainRefactor, judge } from "./c32_judge.ts";
-
-describe("c32_judge — applyMode (mode-aware penalty math)", () => {
-  test("positive deltas pass through unchanged in every mode", () => {
-    expect(applyMode(10, "strict")).toBe(10);
-    expect(applyMode(10, "pragmatic")).toBe(10);
-    expect(applyMode(10, "learning")).toBe(10);
-  });
-
-  test("strict mode keeps the full negative penalty", () => {
-    expect(applyMode(-20, "strict")).toBe(-20);
-    expect(applyMode(-5, "strict")).toBe(-5);
-  });
-
-  test("pragmatic mode halves negative deltas (Math.ceil — never below half)", () => {
-    expect(applyMode(-20, "pragmatic")).toBe(-10);
-    expect(applyMode(-10, "pragmatic")).toBe(-5);
-    // -5 / 2 = -2.5 → Math.ceil(-2.5) = -2: the harsher half rounds up
-    // toward zero, which is the documented "softer score" behaviour.
-    expect(applyMode(-5, "pragmatic")).toBe(-2);
-  });
-
-  test("learning mode zeroes out every negative delta", () => {
-    expect(applyMode(-20, "learning")).toBe(0);
-    expect(applyMode(-5, "learning")).toBe(0);
-    expect(applyMode(-1, "learning")).toBe(0);
-  });
-
-  test("zero delta is neutral in every mode", () => {
-    expect(applyMode(0, "strict")).toBe(0);
-    expect(applyMode(0, "pragmatic")).toBe(0);
-    expect(applyMode(0, "learning")).toBe(0);
-  });
-});
-
-describe("c32_judge — explainRefactor", () => {
-  test("passed=true returns the canonical-refactor explanation", () => {
-    const s = explainRefactor(true);
-    expect(s).toContain("stayed green");
-    expect(s).toMatch(/canonical/i);
-  });
-
-  test("passed=false returns guidance to revert or open a new red→green", () => {
-    const s = explainRefactor(false);
-    expect(s).toContain("broke");
-    expect(s).toMatch(/revert|red→green/);
-  });
-
-  test("the two branches return different strings", () => {
-    expect(explainRefactor(true)).not.toBe(explainRefactor(false));
-  });
-});
-
-describe("c32_judge — orchestrator entry point", () => {
-  test("judge is exported as an async function (Promise-returning)", () => {
-    expect(typeof judge).toBe("function");
-    // The orchestrator does git clone + test execution; covering it
-    // end-to-end needs a real agent repo. A type-level check that the
-    // shape didn't drift is the documented minimum for this layer.
-    expect(judge.length).toBe(2);
-  });
-});
diff --git a/src/c32_judge.ts b/src/c32_judge.ts
deleted file mode 100644
index 052cfe842431ab72d0578e3f47bc83b8179e2a92..0000000000000000000000000000000000000000
--- a/src/c32_judge.ts
+++ /dev/null
@@ -1,370 +0,0 @@
-import { mkdtempSync, rmSync } from "fs";
-import { join } from "path";
-import { tmpdir } from "os";
-import { parseCommit, type Phase } from "./c31_commits.ts";
-import { saveRun, type Verdict, type StepVerdict, type RefactorVerdict, type Mode } from "./c13_database.ts";
-import { loadGame, type Game } from "./c31_games.ts";
-
-type TestRunner = "bun" | "none";
-
-interface TddConfig {
-  mode: Mode;
-  testRunner: TestRunner;
-}
-
-// tdd.config.json from the agent's repo selects the scoring mode and
-// test runner. Falls back to strict / bun when missing or unparseable.
-//
-//   { "mode": "pragmatic", "test_runner": "none" }
-//
-// test_runner: "none" enables trace-only judging — no checkout, no test
-// execution. Useful as a CI gate on projects where Bun can't run the
-// suite (e.g. .NET, Python without bun-compat tests).
-const readConfig = async (cwd: string): Promise<TddConfig> => {
-  const file = Bun.file(join(cwd, "tdd.config.json"));
-  let mode: Mode = "strict";
-  let testRunner: TestRunner = "bun";
-  if (await file.exists()) {
-    try {
-      const cfg = (await file.json()) as { mode?: string; test_runner?: string };
-      if (cfg.mode === "pragmatic" || cfg.mode === "learning") mode = cfg.mode;
-      if (cfg.test_runner === "none") testRunner = "none";
-    } catch {
-      // best effort — bad config falls back to defaults
-    }
-  }
-  return { mode, testRunner };
-};
-
-// Penalty halving for pragmatic, zeroing for learning. Positive deltas
-// are unchanged across modes — earned credit is earned credit.
-export const applyMode = (delta: number, mode: Mode): number => {
-  if (delta >= 0) return delta;
-  if (mode === "learning") return 0;
-  if (mode === "pragmatic") return Math.ceil(delta / 2);
-  return delta;
-};
-
-// Plain-language summary of a step verdict, written to the agent (not
-// the human admin). One short paragraph; named intentionally so callers
-// can see it next to the row in the score table.
-const explainStep = (params: {
-  status: StepVerdict["status"];
-  redSha: string | null;
-  greenSha: string | null;
-  hiddenPassed: boolean | null;
-  mode: Mode;
-}): string => {
-  const { status, hiddenPassed, mode } = params;
-  switch (status) {
-    case "verified":
-      return "Red failed as expected, green passes your tests, and the kata's hidden tests confirm the implementation matches the requirement.";
-    case "discipline-only":
-      return "Red→green discipline holds, but this kata didn't ship hidden tests for the step. Partial credit awarded; full +20 isn't possible without authoritative verification.";
-    case "no-green":
-      return "Red commit landed; the matching green(<step>) commit hasn't been pushed yet. Push your green to lock in the score.";
-    case "red-did-not-fail":
-      return mode === "pragmatic"
-        ? "Combined red+green commit detected. Pragmatic mode allows this — the cycle still counts, just with a softer score than a clean separation."
-        : "Red commit's tests already passed when the step was first introduced — meaning the implementation was added before the test, or the test is tautological. Switch to pragmatic mode if you commit red+green together intentionally.";
-    case "green-did-not-pass":
-      return "Green commit's own tests still fail. The implementation doesn't yet satisfy the test you wrote — fix the impl, or reconsider whether the test reflects the requirement.";
-    case "hidden-tests-failed":
-      return hiddenPassed === false
-        ? "Your tests pass, but the kata's hidden tests don't — this is the classic tautology trap. Tighten your test to mirror the requirement (e.g., assert the actual return value, not just that it runs)."
-        : "Your tests pass, but hidden verification was inconclusive. Re-push to retry.";
-    case "test-deleted":
-      return "Test count dropped between red and green for this step. Once a test exists it must keep existing — refactor it, don't delete it. If the test was wrong, replace it in a separate commit before resuming the cycle.";
-    case "trace-verified":
-      return "Trace-only mode: red→green pair found in the commit log. Tests weren't executed (test_runner: \"none\"). Switch to bun runner for behaviour verification.";
-    case "trace-tests-shrunk":
-      return "Trace-only mode: the green commit's tree has fewer test files than the red commit's tree — looks like deletion. If you renamed or split test files, the tally still drops.";
-  }
-};
-
-export const explainRefactor = (passed: boolean): string =>
-  passed
-    ? "Tests stayed green through the refactor — structural change without behavior change, the canonical refactor."
-    : "Refactor commit broke at least one test. Either revert the refactor or write a new red→green to capture the changed behavior.";
-
-const FORGEJO_INTERNAL = process.env.FORGEJO_URL ?? "https://git.tdd.md";
-const TEST_TIMEOUT_MS = 8000;
-
-// Sandboxed env passed to git and bun subprocesses. Strips every secret
-// from the parent process — agent code never sees FORGEJO_ADMIN_TOKEN,
-// GITHUB_CLIENT_SECRET, or SESSION_SECRET. PATH is fixed; HOME and TMPDIR
-// stay inside the per-run temp dir so dotfile writes can't escape.
-const sandboxEnv = (cwd: string): Record<string, string> => ({
-  PATH: "/usr/local/bin:/usr/bin:/bin",
-  HOME: cwd,
-  TMPDIR: cwd,
-  NODE_ENV: "test",
-});
-
-const runProc = async (
-  cmd: string[],
-  cwd: string,
-  timeoutMs: number,
-): Promise<{ stdout: string; stderr: string; exitCode: number; timedOut: boolean }> => {
-  const proc = Bun.spawn(cmd, {
-    cwd,
-    stdout: "pipe",
-    stderr: "pipe",
-    env: sandboxEnv(cwd),
-  });
-  let timedOut = false;
-  const timer = setTimeout(() => {
-    timedOut = true;
-    proc.kill("SIGKILL");
-  }, timeoutMs);
-  const exitCode = await proc.exited;
-  clearTimeout(timer);
-  const stdout = await new Response(proc.stdout).text();
-  const stderr = await new Response(proc.stderr).text();
-  return { stdout: stdout.trim(), stderr: stderr.trim(), exitCode, timedOut };
-};
-
-const runTests = async (cwd: string): Promise<boolean> => {
-  const r = await runProc(["bun", "test"], cwd, TEST_TIMEOUT_MS);
-  // Bun test exits 0 only when all tests pass.
-  return !r.timedOut && r.exitCode === 0;
-};
-
-// Language-agnostic test-file counter for trace-only mode. Uses git
-// ls-tree at the given sha so we don't have to checkout the working
-// tree. Matches conventional test-file naming across ecosystems:
-//   foo.test.ts, foo.spec.ts, FooTests.cs, FooTest.java, test_foo.py,
-//   foo_test.go, FooSpec.scala, foo_spec.rb.
-const countTestFiles = async (cwd: string, sha: string): Promise<number> => {
-  const r = await runProc(["git", "ls-tree", "-r", "--name-only", sha], cwd, 5000);
-  if (r.exitCode !== 0) return 0;
-  const re = /(?:^|\/)(?:[^/]*\.(?:test|spec)\.[a-z]+|[Tt]ests?\/[^/]+|test_[^/]+|[^/]+_test\.[a-z]+|[^/]+[Tt]ests?\.cs|[^/]+[Tt]est\.java)$/;
-  let count = 0;
-  for (const line of r.stdout.split("\n")) {
-    if (re.test(line)) count++;
-  }
-  return count;
-};
-
-// Count `test(` / `it(` calls in tracked *.test.ts files. Used to detect
-// when an agent deletes tests between red and green to make a regression
-// "pass" — a cardinal TDD sin per the kata spec.
-const countTests = async (cwd: string): Promise<number> => {
-  const r = await runProc(["git", "ls-files", "*.test.ts"], cwd, 5000);
-  if (r.exitCode !== 0) return 0;
-  const files = r.stdout.split("\n").filter((f) => f && !f.includes("__hidden_"));
-  let count = 0;
-  for (const f of files) {
-    const content = await Bun.file(join(cwd, f))
-      .text()
-      .catch(() => "");
-    const matches = content.match(/\b(?:test|it)\s*\(/g);
-    if (matches) count += matches.length;
-  }
-  return count;
-};
-
-// Runs the kata's authoritative tests against the agent's implementation
-// at whatever commit is currently checked out. Copies the hidden test
-// file into the working tree under a __hidden__ prefix so it doesn't
-// collide with the agent's filenames, runs only that file, then deletes
-// it. Returns null if the kata doesn't have hidden tests for this step.
-const runHiddenTests = async (cwd: string, spec: Game, stepId: string): Promise<boolean | null> => {
-  const stepDef = spec.steps.find((s) => s.id === stepId);
-  if (!stepDef) return null;
-  const sourcePath = `./content/games/${spec.id}/${stepDef.hiddenTestFile}`;
-  const sourceFile = Bun.file(sourcePath);
-  if (!(await sourceFile.exists())) return null;
-  const content = await sourceFile.text();
-  const targetName = `__hidden_${stepId}__.test.ts`;
-  const targetPath = join(cwd, targetName);
-  await Bun.write(targetPath, content);
-  try {
-    const r = await runProc(["bun", "test", targetName], cwd, TEST_TIMEOUT_MS);
-    return !r.timedOut && r.exitCode === 0;
-  } finally {
-    try {
-      rmSync(targetPath, { force: true });
-    } catch {
-      // best effort
-    }
-  }
-};
-
-interface CommitInfo {
-  sha: string;
-  phase: Phase;
-  step: string | null;
-}
-
-const readCommits = async (cwd: string): Promise<CommitInfo[]> => {
-  const r = await runProc(["git", "log", "--reverse", "--pretty=format:%H%x1f%B%x1e"], cwd, 10000);
-  if (r.exitCode !== 0) return [];
-  const out: CommitInfo[] = [];
-  for (const block of r.stdout.split("\x1e")) {
-    const t = block.trim();
-    if (!t) continue;
-    const [sha, message = ""] = t.split("\x1f");
-    if (!sha) continue;
-    const p = parseCommit(message);
-    out.push({ sha, phase: p.phase, step: p.step });
-  }
-  return out;
-};
-
-export const judge = async (owner: string, repo: string): Promise<Verdict> => {
-  const cwd = mkdtempSync(join(tmpdir(), `judge-${owner}-${repo}-`));
-  try {
-    // Agent repos default to private. Authenticate via admin token in
-    // an http.extraheader so the token isn't persisted in the cloned
-    // repo's config (extraheader applies to the clone request only).
-    const cloneUrl = `${FORGEJO_INTERNAL}/${owner}/${repo}.git`;
-    const adminToken = process.env.FORGEJO_ADMIN_TOKEN;
-    const gitArgs = adminToken
-      ? ["-c", `http.extraheader=Authorization: token ${adminToken}`, "clone", "--quiet", cloneUrl, "."]
-      : ["clone", "--quiet", cloneUrl, "."];
-    const cloneR = await runProc(["git", ...gitArgs], cwd, 30000);
-    if (cloneR.exitCode !== 0) {
-      throw new Error(`clone failed: ${cloneR.stderr || cloneR.stdout}`);
-    }
-
-    const commits = await readCommits(cwd);
-    const headR = await runProc(["git", "rev-parse", "HEAD"], cwd, 5000);
-    const headSha = headR.stdout;
-
-    // First red per step + first green-after-red per step (chronological).
-    const stepRed = new Map<string, string>();
-    const stepGreen = new Map<string, string>();
-    for (const c of commits) {
-      if (!c.step) continue;
-      if (c.phase === "red" && !stepRed.has(c.step)) {
-        stepRed.set(c.step, c.sha);
-      } else if (c.phase === "green" && stepRed.has(c.step) && !stepGreen.has(c.step)) {
-        stepGreen.set(c.step, c.sha);
-      }
-    }
-
-    // Read the agent's mode + runner preferences from tdd.config.json.
-    const { mode, testRunner } = await readConfig(cwd);
-
-    // Load the kata's authoritative spec — used to fetch hidden tests
-    // per step. Repos that don't match a known kata get scored on red→green
-    // discipline only (no hidden-test verification).
-    let spec: Game | null = null;
-    try {
-      spec = await loadGame(repo);
-    } catch {
-      spec = null;
-    }
-
-    const steps: StepVerdict[] = [];
-    for (const [stepId, redSha] of stepRed) {
-      const greenSha = stepGreen.get(stepId) ?? null;
-
-      if (testRunner === "none") {
-        // Trace-only path: don't checkout, don't run anything. Score
-        // purely from the commit log + a language-agnostic test-file
-        // count via `git ls-tree`. Useful for non-Bun projects.
-        const redFiles = await countTestFiles(cwd, redSha);
-        const greenFiles = greenSha ? await countTestFiles(cwd, greenSha) : redFiles;
-        const filesShrank = greenSha !== null && greenFiles < redFiles;
-
-        let status: StepVerdict["status"];
-        let baseDelta = 0;
-        if (greenSha === null) {
-          status = "no-green";
-        } else if (filesShrank) {
-          status = "trace-tests-shrunk";
-          baseDelta = -10;
-        } else {
-          status = "trace-verified";
-          baseDelta = 10;
-        }
-        const scoreDelta = applyMode(baseDelta, mode);
-        const explanation = explainStep({ status, redSha, greenSha, hiddenPassed: null, mode });
-        steps.push({
-          stepId, redSha, greenSha,
-          redFailed: null, greenPassed: null, hiddenPassed: null,
-          status, scoreDelta, explanation,
-        });
-        continue;
-      }
-
-      await runProc(["git", "checkout", "--quiet", redSha], cwd, 5000);
-      const redTestCount = await countTests(cwd);
-      const redPassed = await runTests(cwd);
-      const redFailed = !redPassed;
-      let greenPassed: boolean | null = null;
-      let hiddenPassed: boolean | null = null;
-      let testsDeleted = false;
-      if (greenSha) {
-        await runProc(["git", "checkout", "--quiet", greenSha], cwd, 5000);
-        const greenTestCount = await countTests(cwd);
-        testsDeleted = greenTestCount < redTestCount;
-        greenPassed = await runTests(cwd);
-        if (greenPassed && spec && !testsDeleted) {
-          hiddenPassed = await runHiddenTests(cwd, spec, stepId);
-        }
-      }
-
-      let status: StepVerdict["status"];
-      let baseDelta = 0;
-      if (greenSha === null) {
-        status = "no-green";
-      } else if (testsDeleted) {
-        status = "test-deleted";
-        baseDelta = -20;
-      } else if (!redFailed) {
-        status = "red-did-not-fail";
-        baseDelta = -5;
-      } else if (greenPassed === false) {
-        status = "green-did-not-pass";
-        baseDelta = -5;
-      } else if (hiddenPassed === false) {
-        status = "hidden-tests-failed";
-        baseDelta = 0;
-      } else if (hiddenPassed === true) {
-        status = "verified";
-        baseDelta = 20;
-      } else {
-        status = "discipline-only";
-        baseDelta = 5;
-      }
-      const scoreDelta = applyMode(baseDelta, mode);
-      const explanation = explainStep({ status, redSha, greenSha, hiddenPassed, mode });
-      steps.push({ stepId, redSha, greenSha, redFailed, greenPassed, hiddenPassed, status, scoreDelta, explanation });
-    }
-
-    // Refactor commits aren't tied to red→green pairs: the spec rewards
-    // any refactor that keeps the existing tests green. A broken refactor
-    // (tests fail at the refactor commit) costs the same as a missed
-    // green — discipline matters even outside red→green pairs.
-    const refactors: RefactorVerdict[] = [];
-    for (const c of commits) {
-      if (c.phase !== "refactor") continue;
-      await runProc(["git", "checkout", "--quiet", c.sha], cwd, 5000);
-      const passed = await runTests(cwd);
-      const baseDelta = passed ? 5 : -5;
-      refactors.push({
-        sha: c.sha,
-        stepId: c.step,
-        testsPassed: passed,
-        scoreDelta: applyMode(baseDelta, mode),
-        explanation: explainRefactor(passed),
-      });
-    }
-
-    const totalScore =
-      steps.reduce((a, s) => a + s.scoreDelta, 0) +
-      refactors.reduce((a, r) => a + r.scoreDelta, 0);
-    const verdict: Verdict = { headSha, mode, steps, refactors, totalScore, judgedAt: Date.now() };
-    saveRun(owner, repo, verdict);
-    return verdict;
-  } finally {
-    try {
-      rmSync(cwd, { recursive: true, force: true });
-    } catch {
-      // best effort cleanup
-    }
-  }
-};
diff --git a/src/c32_real_reports.test.ts b/src/c32_real_reports.test.ts
deleted file mode 100644
index b8f87ead710214b7dd18da37653025531fbd61dc..0000000000000000000000000000000000000000
--- a/src/c32_real_reports.test.ts
+++ /dev/null
@@ -1,101 +0,0 @@
-// Sibling test for c32_real_reports.ts. buildLiveReports itself fans out
-// to fetchRepoCommits (network) so its end-to-end shape is covered by
-// the live /reports/live route. The pure helpers underneath — agent
-// attribution from commit messages, and the 30-day daily sparkline —
-// are unit-testable here.
-
-import { describe, test, expect } from "bun:test";
-import {
-  detectAgent,
-  buildTrend,
-  buildLiveReports,
-} from "./c32_real_reports.ts";
-import type { GithubCommit } from "./c14_github.ts";
-
-const mkCommit = (date: string, message = ""): GithubCommit => ({
-  sha: "0".repeat(40),
-  commit: {
-    message,
-    author: { name: "test", email: "t@example.com", date },
-    committer: { name: "test", email: "t@example.com", date },
-  },
-  author: null,
-  committer: null,
-} as unknown as GithubCommit);
-
-describe("c32_real_reports — detectAgent", () => {
-  test("recognises a Claude Code commit via Co-Authored-By: Claude", () => {
-    expect(detectAgent("Add feature\n\nCo-Authored-By: Claude <noreply>")).toBe("claude-code");
-  });
-
-  test("recognises a Cursor commit", () => {
-    expect(detectAgent("Fix bug\n\nCo-Authored-By: Cursor <ai@cursor.sh>")).toBe("cursor");
-  });
-
-  test("recognises an Aider commit", () => {
-    expect(detectAgent("Refactor x\n\nCo-Authored-By: aider")).toBe("aider");
-  });
-
-  test("returns unknown when no recognised footer is present", () => {
-    expect(detectAgent("Just a commit")).toBe("unknown");
-    expect(detectAgent("")).toBe("unknown");
-  });
-
-  test("the regex is case-insensitive on the agent token", () => {
-    expect(detectAgent("Co-Authored-By: CLAUDE")).toBe("claude-code");
-    expect(detectAgent("co-authored-by: CURSOR")).toBe("cursor");
-  });
-});
-
-describe("c32_real_reports — buildTrend (30-day daily sparkline)", () => {
-  // Use today (UTC) as the anchor — the function compares against UTC
-  // midnight, so we need ISO strings that fall on the right days.
-  const today = new Date();
-  today.setUTCHours(0, 0, 0, 0);
-  const iso = (daysAgo: number): string => {
-    const d = new Date(today.getTime() - daysAgo * 24 * 60 * 60 * 1000);
-    return d.toISOString();
-  };
-
-  test("returns an array of `days` length", () => {
-    expect(buildTrend([], 30)).toHaveLength(30);
-    expect(buildTrend([], 7)).toHaveLength(7);
-  });
-
-  test("empty input flat-lines at zero", () => {
-    const trend = buildTrend([], 7);
-    expect(trend.every((n) => n === 0)).toBe(true);
-  });
-
-  test("a single commit today increments the last bucket", () => {
-    const trend = buildTrend([mkCommit(iso(0))], 7);
-    expect(trend[trend.length - 1]).toBe(1);
-    expect(trend.slice(0, -1).every((n) => n === 0)).toBe(true);
-  });
-
-  test("multiple commits on the same day stack in the same bucket", () => {
-    const trend = buildTrend([mkCommit(iso(0)), mkCommit(iso(0)), mkCommit(iso(0))], 7);
-    expect(trend[trend.length - 1]).toBe(3);
-  });
-
-  test("commits older than the window are dropped", () => {
-    const trend = buildTrend([mkCommit(iso(99))], 7);
-    expect(trend.every((n) => n === 0)).toBe(true);
-  });
-
-  test("a commit `daysAgo` lands at index `days - 1 - daysAgo`", () => {
-    const trend = buildTrend([mkCommit(iso(2))], 7);
-    // index 6 = today, 5 = yesterday, 4 = 2 days ago
-    expect(trend[4]).toBe(1);
-  });
-});
-
-describe("c32_real_reports — orchestrator entry point", () => {
-  test("buildLiveReports is exported as an async function", () => {
-    expect(typeof buildLiveReports).toBe("function");
-    // End-to-end coverage lives on /reports/live; this is the structural
-    // smoke that the export shape didn't drift. `.length` counts only
-    // non-default params (owner, repo) — perPage carries a default.
-    expect(buildLiveReports.length).toBe(2);
-  });
-});
diff --git a/src/c32_real_reports.ts b/src/c32_real_reports.ts
deleted file mode 100644
index 2cf694ae531ad0f56a2fa62b6b24be057bb6af67..0000000000000000000000000000000000000000
--- a/src/c32_real_reports.ts
+++ /dev/null
@@ -1,170 +0,0 @@
-// c32 — logic: aggregate real GitHub commit history into the same
-// AgentReport / RecentFlagged shape that c51_render_reports renders.
-// Pure (given fetched commits in, produces report objects out); the
-// I/O happens in c14_github.fetchRepoCommits which we call here.
-//
-// Attribution: Co-Authored-By footers are the agent-attribution channel
-// the existing tdd.md commit history already uses. Anything without a
-// recognised footer is bucketed as "unknown" and reported separately —
-// it's still useful for volume context.
-
-import { parseCommit } from "./c31_commits.ts";
-import { fetchRepoCommits, type GithubCommit } from "./c14_github.ts";
-import type {
-  AgentReport,
-  FailureSlice,
-  RecentFlagged,
-} from "./c31_reports_demo.ts";
-
-type LiveAgentSlug = AgentReport["slug"] | "unknown";
-
-export const detectAgent = (msg: string): LiveAgentSlug => {
-  if (/Co-Authored-By:.*Claude/i.test(msg)) return "claude-code";
-  if (/Co-Authored-By:.*Cursor/i.test(msg)) return "cursor";
-  if (/Co-Authored-By:.*Aider/i.test(msg)) return "aider";
-  return "unknown";
-};
-
-const AGENT_NAMES: Record<AgentReport["slug"], string> = {
-  "claude-code": "Claude Code",
-  cursor: "Cursor",
-  aider: "Aider",
-};
-
-// 30-day daily commit-count series, oldest → newest. When there are no
-// commits in a day, that day's value is 0 — the sparkline still renders
-// but flat-lines, which honestly reflects the data.
-export const buildTrend = (commits: GithubCommit[], days = 30): number[] => {
-  const out = new Array<number>(days).fill(0);
-  const today = new Date();
-  today.setUTCHours(0, 0, 0, 0);
-  for (const c of commits) {
-    const d = new Date(c.commit.author.date);
-    d.setUTCHours(0, 0, 0, 0);
-    const ageDays = Math.floor((today.getTime() - d.getTime()) / (24 * 60 * 60 * 1000));
-    if (ageDays < 0 || ageDays >= days) continue;
-    const idx = days - 1 - ageDays;
-    const cur = out[idx] ?? 0;
-    out[idx] = cur + 1;
-  }
-  return out;
-};
-
-const buildAgentReport = (
-  slug: AgentReport["slug"],
-  agentCommits: GithubCommit[],
-  repoSlug: string,
-): AgentReport => {
-  const tagged = agentCommits.filter((c) => {
-    const phase = parseCommit(c.commit.message).phase;
-    return phase === "red" || phase === "green" || phase === "refactor";
-  });
-  const phaseCoveragePct = agentCommits.length === 0
-    ? 0
-    : Math.round((tagged.length / agentCommits.length) * 100);
-
-  // Score is a proxy: phase-coverage is the only structural signal we
-  // can compute without running the test suite. When coverage is 0 the
-  // agent isn't attempting TDD, so the score is honestly low.
-  const score = phaseCoveragePct;
-
-  // Failure mix collapses to two slices for live data — phase-tagged vs
-  // not. Fine-grained failure modes (red-did-not-fail, test-deleted, etc)
-  // need the runner sliver before they're computable.
-  const failureMix: FailureSlice[] = [
-    { label: "phase-tagged", pct: phaseCoveragePct, tone: "green" },
-    { label: "no phase tag", pct: 100 - phaseCoveragePct, tone: "muted" },
-  ];
-
-  const recent: RecentFlagged[] = agentCommits
-    .slice(0, 5)
-    .map((c) => {
-      const parsed = parseCommit(c.commit.message);
-      const phase = parsed.phase === "red" || parsed.phase === "green" || parsed.phase === "refactor"
-        ? parsed.phase
-        : "green";
-      const failure = parsed.phase === "untagged" || parsed.phase === "init"
-        ? "no phase tag"
-        : `${parsed.phase} (live judge not yet wired)`;
-      return {
-        date: c.commit.author.date.slice(0, 10),
-        repo: repoSlug,
-        sha: c.sha.slice(0, 7),
-        phase,
-        failure,
-        pts: 0,
-      };
-    });
-
-  const topIssueLabel = phaseCoveragePct === 100 ? "no current issues" : "no phase tag";
-  const topIssuePct = 100 - phaseCoveragePct;
-
-  return {
-    slug,
-    name: AGENT_NAMES[slug],
-    score,
-    delta: 0,
-    commits: agentCommits.length,
-    phaseCoveragePct,
-    streak: 0,
-    streakBroken: false,
-    topIssueLabel,
-    topIssuePct,
-    failureMix,
-    trend: buildTrend(agentCommits),
-    recent,
-  };
-};
-
-export interface LiveReports {
-  reports: AgentReport[];
-  unknownCount: number;
-  totalCommits: number;
-  earliest: string | null;
-  latest: string | null;
-  fetchedAt: number;
-}
-
-export const buildLiveReports = async (
-  repoOwner: string,
-  repoName: string,
-  perPage = 100,
-): Promise<LiveReports> => {
-  const commits = await fetchRepoCommits(repoOwner, repoName, perPage);
-  const repoSlug = `${repoOwner}/${repoName}`;
-  const byAgent = new Map<AgentReport["slug"], GithubCommit[]>();
-  let unknownCount = 0;
-
-  for (const c of commits) {
-    const a = detectAgent(c.commit.message);
-    if (a === "unknown") {
-      unknownCount++;
-      continue;
-    }
-    const arr = byAgent.get(a) ?? [];
-    arr.push(c);
-    byAgent.set(a, arr);
-  }
-
-  const order: AgentReport["slug"][] = ["claude-code", "cursor", "aider"];
-  const reports = order
-    .map((slug) => {
-      const list = byAgent.get(slug);
-      if (!list || list.length === 0) return null;
-      return buildAgentReport(slug, list, repoSlug);
-    })
-    .filter((r): r is AgentReport => r !== null);
-
-  const dates = commits.map((c) => c.commit.author.date).sort();
-  const earliest = dates[0] ?? null;
-  const latest = dates[dates.length - 1] ?? null;
-
-  return {
-    reports,
-    unknownCount,
-    totalCommits: commits.length,
-    earliest,
-    latest,
-    fetchedAt: Date.now(),
-  };
-};
diff --git a/src/c32_real_tests.test.ts b/src/c32_real_tests.test.ts
deleted file mode 100644
index cd11414f87910f5b3fa4ddc7c63ff20a67fb4da9..0000000000000000000000000000000000000000
--- a/src/c32_real_tests.test.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-// Sibling test for c32_real_tests.ts. buildLiveTestData fans out to
-// loadTestBundle + fetchRepoCommits (both network/disk) so the
-// end-to-end is covered by the live /reports/live/tests route. The
-// pure helpers — agent attribution and the file/name label shortener —
-// are unit-testable here.
-
-import { describe, test, expect } from "bun:test";
-import {
-  detectAgent,
-  shortenTestLabel,
-  buildLiveTestData,
-} from "./c32_real_tests.ts";
-
-describe("c32_real_tests — detectAgent", () => {
-  test("recognises Claude Code via Co-Authored-By: Claude", () => {
-    expect(detectAgent("Add feature\n\nCo-Authored-By: Claude <noreply>")).toBe("claude-code");
-  });
-
-  test("recognises Cursor", () => {
-    expect(detectAgent("Fix bug\n\nCo-Authored-By: Cursor <ai@cursor.sh>")).toBe("cursor");
-  });
-
-  test("recognises Aider", () => {
-    expect(detectAgent("Refactor x\n\nCo-Authored-By: aider")).toBe("aider");
-  });
-
-  test("returns null when no recognised footer is present (distinct from c32_real_reports which returns 'unknown')", () => {
-    // The two real_* files made different choices here: real_reports
-    // buckets unknown into its own slug; real_tests returns null so
-    // the caller can filter or fall back. Document the difference.
-    expect(detectAgent("Just a commit")).toBeNull();
-    expect(detectAgent("")).toBeNull();
-  });
-
-  test("the regex is case-insensitive on the agent token", () => {
-    expect(detectAgent("Co-Authored-By: CLAUDE")).toBe("claude-code");
-    expect(detectAgent("co-authored-by: aider")).toBe("aider");
-  });
-});
-
-describe("c32_real_tests — shortenTestLabel", () => {
-  test("keeps only the basename of the file path + the test name", () => {
-    expect(shortenTestLabel("src/foo/bar/baz.test.ts", "handles X")).toBe("baz.test.ts > handles X");
-  });
-
-  test("handles a bare filename (no path) without splitting weirdly", () => {
-    expect(shortenTestLabel("baz.test.ts", "handles X")).toBe("baz.test.ts > handles X");
-  });
-
-  test("handles an empty file string (falls back to the empty basename)", () => {
-    // .split('/').pop() on '' yields ''. Documented behaviour: the
-    // helper never throws; the caller decides whether to filter empties.
-    expect(shortenTestLabel("", "name")).toBe(" > name");
-  });
-
-  test("preserves spaces and special chars in the test name", () => {
-    expect(shortenTestLabel("a.ts", "rejects `bad input`")).toBe("a.ts > rejects `bad input`");
-  });
-});
-
-describe("c32_real_tests — orchestrator entry point", () => {
-  test("buildLiveTestData is exported as an async function", () => {
-    expect(typeof buildLiveTestData).toBe("function");
-    expect(buildLiveTestData.length).toBe(2);
-  });
-});
diff --git a/src/c32_real_tests.ts b/src/c32_real_tests.ts
deleted file mode 100644
index d26637df79241040537bc2d4188bbf4679e5cafd..0000000000000000000000000000000000000000
--- a/src/c32_real_tests.ts
+++ /dev/null
@@ -1,142 +0,0 @@
-// c32 — logic: aggregate the per-deploy test bundle into the same
-// TestSnapshot[] / TestStability[] shape that the demo page renders.
-// HEAD-only snapshots; stability accumulates as more deploys add runs.
-//
-// Pure given the bundle + commits in (no I/O of its own beyond delegating
-// to c14_github's bundle loader and commits fetcher).
-
-import { fetchRepoCommits, loadTestBundle, type PlaceholderTest } from "./c14_github.ts";
-import type {
-  AgentReport,
-  TestFailure,
-  TestSnapshot,
-  TestStability,
-} from "./c31_reports_demo.ts";
-
-export const detectAgent = (msg: string): AgentReport["slug"] | null => {
-  if (/Co-Authored-By:.*Claude/i.test(msg)) return "claude-code";
-  if (/Co-Authored-By:.*Cursor/i.test(msg)) return "cursor";
-  if (/Co-Authored-By:.*Aider/i.test(msg)) return "aider";
-  return null;
-};
-
-export const shortenTestLabel = (file: string, name: string): string => {
-  const base = file.split("/").pop() ?? file;
-  return `${base} > ${name}`;
-};
-
-export interface LiveTestData {
-  snapshots: TestSnapshot[];
-  stability: TestStability[];
-  runsCount: number;
-  ranAt: number | null;
-  headSha: string | null;
-  placeholderTests: PlaceholderTest[];
-}
-
-export const buildLiveTestData = async (
-  repoOwner: string,
-  repoName: string,
-): Promise<LiveTestData> => {
-  const bundle = await loadTestBundle(repoOwner, repoName);
-  if (!bundle || bundle.runs.length === 0) {
-    return { snapshots: [], stability: [], runsCount: 0, ranAt: null, headSha: null, placeholderTests: [] };
-  }
-  const repoSlug = `${repoOwner}/${repoName}`;
-  const latest = bundle.runs[0];
-  if (!latest) {
-    return { snapshots: [], stability: [], runsCount: 0, ranAt: null, headSha: null, placeholderTests: [] };
-  }
-
-  // For "since" we want the oldest run that has this test as failing.
-  const oldestFirst = [...bundle.runs].sort((a, b) => a.ranAt - b.ranAt);
-
-  const failures: TestFailure[] = latest.tests
-    .filter((t) => t.status === "fail")
-    .map((t) => {
-      const firstFail = oldestFirst.find((r) =>
-        r.tests.some((x) => x.name === t.name && x.file === t.file && x.status === "fail"),
-      );
-      const sinceTs = firstFail?.ranAt ?? latest.ranAt;
-      return { test: shortenTestLabel(t.file, t.name), since: new Date(sinceTs).toISOString().slice(0, 10) };
-    });
-
-  const snapshot: TestSnapshot = {
-    repo: repoSlug,
-    branch: latest.branch,
-    total: latest.total,
-    passing: latest.passing,
-    failing: latest.failing,
-    failures,
-  };
-
-  // Stability: count pass/fail per (file, name) across every run, with
-  // "deleted" set when a previously-seen test is missing from latest.
-  const commits = await fetchRepoCommits(repoOwner, repoName, 100);
-  const shaToAgent = new Map<string, AgentReport["slug"] | null>();
-  for (const c of commits) shaToAgent.set(c.sha, detectAgent(c.commit.message));
-
-  interface Stat {
-    name: string;
-    file: string;
-    pass: number;
-    fail: number;
-    lastBrokenSha: string | null;
-    lastBrokenAt: number;
-  }
-  const stats = new Map<string, Stat>();
-  for (const run of bundle.runs) {
-    for (const t of run.tests) {
-      const key = `${t.file}|${t.name}`;
-      let s = stats.get(key);
-      if (!s) {
-        s = { name: t.name, file: t.file, pass: 0, fail: 0, lastBrokenSha: null, lastBrokenAt: 0 };
-        stats.set(key, s);
-      }
-      if (t.status === "pass") s.pass++;
-      else {
-        s.fail++;
-        if (run.ranAt > s.lastBrokenAt) {
-          s.lastBrokenSha = run.sha;
-          s.lastBrokenAt = run.ranAt;
-        }
-      }
-    }
-  }
-
-  const latestKeys = new Set(latest.tests.map((t) => `${t.file}|${t.name}`));
-
-  // lastBrokenBy needs an agent slug; if we can't map a SHA to an agent
-  // (e.g. the commit isn't in the 100-commit window we fetch), fall
-  // back to the agent of the latest run, which is a defensible default
-  // for the dogfood case (one agent producing the history).
-  const fallbackAgent = (shaToAgent.get(latest.sha) ?? "claude-code") as AgentReport["slug"];
-
-  const stability: TestStability[] = Array.from(stats.values())
-    .map<TestStability>((s) => {
-      const mapped = s.lastBrokenSha ? shaToAgent.get(s.lastBrokenSha) : null;
-      const agent = (mapped ?? fallbackAgent) as AgentReport["slug"];
-      const deleted = latestKeys.has(`${s.file}|${s.name}`) ? 0 : 1;
-      const flagged = s.fail > 0 && (deleted > 0 || s.fail >= Math.max(2, s.pass / 5));
-      return {
-        test: shortenTestLabel(s.file, s.name),
-        repo: repoSlug,
-        pass: s.pass,
-        fail: s.fail,
-        deleted,
-        lastBrokenBy: agent,
-        flagged,
-      };
-    })
-    .sort((a, b) => b.fail - a.fail || b.deleted - a.deleted || b.pass - a.pass)
-    .slice(0, 30);
-
-  return {
-    snapshots: [snapshot],
-    stability,
-    runsCount: bundle.runs.length,
-    ranAt: latest.ranAt,
-    headSha: latest.sha,
-    placeholderTests: latest.placeholderTests ?? [],
-  };
-};
diff --git a/src/c32_sama_v2_verify.test.ts b/src/c32_sama_v2_verify.test.ts
new file mode 100644
index 0000000000000000000000000000000000000000..d61454feafc3764340ab06635829aa78dd5aed43
--- /dev/null
+++ b/src/c32_sama_v2_verify.test.ts
@@ -0,0 +1,247 @@
+import { describe, test, expect } from "bun:test";
+import { verifySamaV2 } from "./c32_sama_v2_verify.ts";
+import type { ProfileSpec, SamaV2Input } from "./c31_sama_v2.ts";
+
+// Minimal fixture profile mirroring the shape this repo's
+// sama.profile.toml declares, but with synthetic prefixes so tests
+// don't change when the live profile evolves.
+const FIXTURE_PROFILE: ProfileSpec = {
+  samaVersion: "2.0",
+  profile: "test-fixture",
+  layers: {
+    0: { sublayers: [{ name: "default", prefix: "p0_", index: 0 }] },
+    1: {
+      sublayers: [
+        { name: "logic",  prefix: "p1a_", index: 0 },
+        { name: "render", prefix: "p1b_", index: 1 },
+      ],
+    },
+    2: {
+      sublayers: [
+        { name: "data", prefix: "p2a_", index: 0 },
+        { name: "io",   prefix: "p2b_", index: 1 },
+      ],
+    },
+    3: {
+      sublayers: [
+        { name: "handlers", prefix: "p3a_", index: 0 },
+        { name: "server",   prefix: "p3b_", index: 1 },
+      ],
+    },
+  },
+};
+
+const mk = (entries: Array<[string, string]>): SamaV2Input => ({
+  profile: FIXTURE_PROFILE,
+  files: new Map(entries),
+});
+
+describe("c32_sama_v2_verify — overall", () => {
+  test("empty repo: every check passes with examined=0 for content-bearing checks", () => {
+    const report = verifySamaV2(mk([]));
+    expect(report.overallPassed).toBe(true);
+    expect(report.checks).toHaveLength(7);
+    for (const c of report.checks) expect(c.passed).toBe(true);
+  });
+
+  test("a minimal Layer-0-only repo conforms", () => {
+    const report = verifySamaV2(mk([
+      ["src/p0_types.ts", "export const x = 1;\n"],
+    ]));
+    expect(report.overallPassed).toBe(true);
+  });
+});
+
+describe("c32_sama_v2_verify — Sorted (#1)", () => {
+  test("a file without a profile-recognised prefix is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/unknown_x.ts", "export const x = 1;\n"],
+    ]));
+    const sorted = report.checks.find((c) => c.id === 1)!;
+    expect(sorted.passed).toBe(false);
+    expect(sorted.violations.some((v) => v.file === "src/unknown_x.ts")).toBe(true);
+  });
+
+  test("a profile whose prefixes lex-sort against layer order is flagged", () => {
+    // Swap: Layer 0 prefix sorts AFTER Layer 1 prefix.
+    const bad: ProfileSpec = {
+      samaVersion: "2.0", profile: "bad",
+      layers: {
+        0: { sublayers: [{ name: "default", prefix: "z0_", index: 0 }] },
+        1: { sublayers: [{ name: "default", prefix: "a1_", index: 0 }] },
+        2: { sublayers: [{ name: "default", prefix: "b2_", index: 0 }] },
+        3: { sublayers: [{ name: "default", prefix: "c3_", index: 0 }] },
+      },
+    };
+    const report = verifySamaV2({ profile: bad, files: new Map() });
+    const sorted = report.checks.find((c) => c.id === 1)!;
+    expect(sorted.passed).toBe(false);
+    expect(sorted.violations.length).toBeGreaterThan(0);
+  });
+});
+
+describe("c32_sama_v2_verify — Architecture (#2)", () => {
+  test("an unprefixed src/*.ts file is flagged with a clear reason", () => {
+    const report = verifySamaV2(mk([
+      ["src/random.ts", "export const x = 1;\n"],
+    ]));
+    const arch = report.checks.find((c) => c.id === 2)!;
+    expect(arch.passed).toBe(false);
+    const vio = arch.violations.find((v) => v.file === "src/random.ts")!;
+    expect(vio.detail).toContain("unprefixed");
+  });
+
+  test("a properly-prefixed file is not flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts", "export const x = 1;\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 2)!.passed).toBe(true);
+  });
+});
+
+describe("c32_sama_v2_verify — Modeled tests (#3)", () => {
+  test("a Layer 1 file without a sibling test is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts", "export const x = 1;\n"],
+    ]));
+    const modeled = report.checks.find((c) => c.id === 3)!;
+    expect(modeled.passed).toBe(false);
+    const vio = modeled.violations[0]!;
+    expect(vio.file).toBe("src/p1a_logic.ts");
+    expect(vio.detail).toContain("p1a_logic.test.ts");
+  });
+
+  test("a Layer 1 file with its sibling passes", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts",      "export const x = 1;\n"],
+      ["src/p1a_logic.test.ts", "import {expect, test} from \"bun:test\"; test(\"x\", () => { expect(1).toBe(1); });\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 3)!.passed).toBe(true);
+  });
+
+  test("Layer 0 files don't require sibling tests", () => {
+    const report = verifySamaV2(mk([
+      ["src/p0_types.ts", "export const x = 1;\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 3)!.passed).toBe(true);
+  });
+});
+
+describe("c32_sama_v2_verify — Modeled boundary (#4)", () => {
+  test("JSON.parse in Layer 1 is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_naughty.ts", "export const f = (s: string) => JSON.parse(s);\n"],
+    ]));
+    const boundary = report.checks.find((c) => c.id === 4)!;
+    expect(boundary.passed).toBe(false);
+    expect(boundary.violations[0]!.detail).toContain("JSON.parse");
+  });
+
+  test("JSON.parse in Layer 2 is OK (Layer 2 IS the boundary)", () => {
+    const report = verifySamaV2(mk([
+      ["src/p2b_adapter.ts", "export const f = (s: string) => JSON.parse(s);\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 4)!.passed).toBe(true);
+  });
+
+  test("string literals containing JSON.parse don't false-positive", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts", "const explainer = \"to fix, call JSON.parse(input) in Layer 2\";\nexport const x = explainer.length;\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 4)!.passed).toBe(true);
+  });
+});
+
+describe("c32_sama_v2_verify — Atomic (#5)", () => {
+  test("a file over the 700-line cap is flagged", () => {
+    const fat = Array.from({ length: 720 }, (_, i) => `// line ${i}`).join("\n");
+    const report = verifySamaV2(mk([
+      ["src/p1a_fat.ts", fat],
+    ]));
+    const atomic = report.checks.find((c) => c.id === 5)!;
+    expect(atomic.passed).toBe(false);
+    expect(atomic.violations[0]!.detail).toContain("over the 700-line cap");
+  });
+
+  test("a barrel re-export file is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_barrel.ts", "export * from \"./p1a_a.ts\";\nexport * from \"./p1a_b.ts\";\n"],
+    ]));
+    const atomic = report.checks.find((c) => c.id === 5)!;
+    expect(atomic.passed).toBe(false);
+    expect(atomic.violations[0]!.detail).toContain("barrel");
+  });
+});
+
+describe("c32_sama_v2_verify — Law §1.2 (#6)", () => {
+  test("upward import (Layer 1 → Layer 2) is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts",   "import { x } from \"./p2a_data.ts\";\nexport const y = x;\n"],
+      ["src/p1a_logic.test.ts", "import { test, expect } from \"bun:test\"; test(\"y\", () => { expect(1).toBe(1); });\n"],
+      ["src/p2a_data.ts",     "export const x = 1;\n"],
+      ["src/p2a_data.test.ts","import { test, expect } from \"bun:test\"; test(\"x\", () => { expect(1).toBe(1); });\n"],
+    ]));
+    const law = report.checks.find((c) => c.id === 6)!;
+    expect(law.passed).toBe(false);
+    expect(law.violations.some((v) => v.detail.includes("upward"))).toBe(true);
+  });
+
+  test("downward import (Layer 2 → Layer 0) passes", () => {
+    const report = verifySamaV2(mk([
+      ["src/p2a_data.ts",      "import type { X } from \"./p0_types.ts\";\nexport const f = (): X => ({} as X);\n"],
+      ["src/p2a_data.test.ts", "import { test, expect } from \"bun:test\"; test(\"f\", () => { expect(1).toBe(1); });\n"],
+      ["src/p0_types.ts",      "export interface X { id: number }\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 6)!.passed).toBe(true);
+  });
+
+  test("same-layer reversed sublayer is flagged", () => {
+    // p1a_logic is sublayer index 0 (logic), p1b_render is sublayer
+    // index 1 (render). Logic importing render is reverse order.
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts",      "import { r } from \"./p1b_render.ts\";\nexport const y = r;\n"],
+      ["src/p1a_logic.test.ts", "import { test, expect } from \"bun:test\"; test(\"y\", () => { expect(1).toBe(1); });\n"],
+      ["src/p1b_render.ts",     "export const r = 1;\n"],
+      ["src/p1b_render.test.ts","import { test, expect } from \"bun:test\"; test(\"r\", () => { expect(1).toBe(1); });\n"],
+    ]));
+    const law = report.checks.find((c) => c.id === 6)!;
+    expect(law.passed).toBe(false);
+    expect(law.violations.some((v) => v.detail.includes("sublayer"))).toBe(true);
+  });
+
+  test("an import cycle is flagged", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_a.ts",       "import { y } from \"./p1a_b.ts\";\nexport const x = y;\n"],
+      ["src/p1a_a.test.ts",  "import { test, expect } from \"bun:test\"; test(\"x\", () => { expect(1).toBe(1); });\n"],
+      ["src/p1a_b.ts",       "import { x } from \"./p1a_a.ts\";\nexport const y = x;\n"],
+      ["src/p1a_b.test.ts",  "import { test, expect } from \"bun:test\"; test(\"y\", () => { expect(1).toBe(1); });\n"],
+    ]));
+    const law = report.checks.find((c) => c.id === 6)!;
+    expect(law.passed).toBe(false);
+    expect(law.violations.some((v) => v.detail.includes("cycle"))).toBe(true);
+  });
+});
+
+describe("c32_sama_v2_verify — Consistency §3 (#7)", () => {
+  test("Layer 1 file reaching Layer 2 contradicts its declared prefix", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts",      "import { f } from \"./p2a_data.ts\";\nexport const y = f;\n"],
+      ["src/p1a_logic.test.ts", "import { test, expect } from \"bun:test\"; test(\"y\", () => { expect(1).toBe(1); });\n"],
+      ["src/p2a_data.ts",       "export const f = 1;\n"],
+      ["src/p2a_data.test.ts",  "import { test, expect } from \"bun:test\"; test(\"f\", () => { expect(1).toBe(1); });\n"],
+    ]));
+    const consistency = report.checks.find((c) => c.id === 7)!;
+    expect(consistency.passed).toBe(false);
+    expect(consistency.violations[0]!.detail).toContain("declared Layer 1");
+    expect(consistency.violations[0]!.detail).toContain("Layer 2");
+  });
+
+  test("downward-only imports are consistent", () => {
+    const report = verifySamaV2(mk([
+      ["src/p1a_logic.ts",      "import type { X } from \"./p0_types.ts\";\nexport const y = (a: X) => a;\n"],
+      ["src/p1a_logic.test.ts", "import { test, expect } from \"bun:test\"; test(\"y\", () => { expect(1).toBe(1); });\n"],
+      ["src/p0_types.ts",       "export interface X { id: number }\n"],
+    ]));
+    expect(report.checks.find((c) => c.id === 7)!.passed).toBe(true);
+  });
+});
diff --git a/src/c32_sama_v2_verify.ts b/src/c32_sama_v2_verify.ts
new file mode 100644
index 0000000000000000000000000000000000000000..ec6e59d19d073552f417095519a671a443d28eb2
--- /dev/null
+++ b/src/c32_sama_v2_verify.ts
@@ -0,0 +1,436 @@
+// c32 — logic: the SAMA v2 verifier. Implements the seven §4
+// conformance checks (Sorted, Architecture, Modeled-tests,
+// Modeled-boundary, Atomic, the Law §1.2, Consistency §3) as pure
+// functions over an in-memory (profile, files) input. Never reads
+// the filesystem — the loader (c14_sama_profile + c21 handler)
+// populates the input map. No mocks, no stubs: every check is a
+// real grep/string-op on the supplied content.
+
+import {
+  declaredLayer,
+  type SamaV2Check,
+  type SamaV2Input,
+  type SamaV2Report,
+  type SamaV2Violation,
+} from "./c31_sama_v2.ts";
+
+// — shared utilities -------------------------------------------------
+
+// A SAMA file is one we expect to obey the layer rules: any *.ts
+// under src/ that isn't a *.test.ts. Tests live next to source as
+// siblings; they're examined for the Modeled check but don't carry
+// their own layer.
+const isSamaFile = (path: string): boolean =>
+  path.startsWith("src/") && path.endsWith(".ts") && !path.endsWith(".test.ts");
+
+const isTestFile = (path: string): boolean =>
+  path.startsWith("src/") && path.endsWith(".test.ts");
+
+// Strip JS/TS string literals and comments to whitespace so a regex
+// that walks the source doesn't trip on test fixtures that contain
+// the very patterns we're scanning for. Same shape as the helper in
+// c32_sama_verify; duplicated here to keep c32_sama_v2_verify a
+// stand-alone module the loader can pull in without dragging the v1
+// verifier with it.
+const stripStringsAndComments = (src: string): string => {
+  let out = "";
+  let i = 0;
+  while (i < src.length) {
+    const c = src[i];
+    const n = src[i + 1];
+    if (c === "/" && n === "/") {
+      out += "  ";
+      i += 2;
+      while (i < src.length && src[i] !== "\n") { out += " "; i++; }
+    } else if (c === "/" && n === "*") {
+      out += "  ";
+      i += 2;
+      while (i < src.length - 1 && !(src[i] === "*" && src[i + 1] === "/")) {
+        out += src[i] === "\n" ? "\n" : " ";
+        i++;
+      }
+      out += "  ";
+      i += 2;
+    } else if (c === '"' || c === "'" || c === "`") {
+      const quote = c;
+      out += " ";
+      i++;
+      while (i < src.length && src[i] !== quote) {
+        if (src[i] === "\\" && i + 1 < src.length) { out += "  "; i += 2; continue; }
+        out += src[i] === "\n" ? "\n" : " ";
+        i++;
+      }
+      out += " ";
+      i++;
+    } else {
+      out += c;
+      i++;
+    }
+  }
+  return out;
+};
+
+// Collect every relative ".ts" import edge in a file. Scans raw
+// source: a stripped copy would erase the quoted import paths along
+// with all other string literals, so the regex must run over the
+// original. To avoid picking up import-like strings inside test
+// fixtures, we cross-check each match position against the stripped
+// mask — if the keyword `from` lands on whitespace in the mask, it
+// was inside a string literal and we skip it.
+const collectRelativeImports = (content: string): string[] => {
+  const mask = stripStringsAndComments(content);
+  const re = /\bfrom\s+["'](\.\/[A-Za-z0-9_./-]+\.ts)["']/g;
+  const out: string[] = [];
+  let m: RegExpExecArray | null;
+  while ((m = re.exec(content)) !== null) {
+    // If the `from` keyword position is whitespace in the mask, the
+    // entire match was inside a string literal (e.g. a test fixture).
+    if (mask[m.index] === " " || mask[m.index] === "\n") continue;
+    if (m[1]) out.push(m[1]);
+  }
+  return out;
+};
+
+// Resolve a relative import like "./c14_git.ts" from the importing
+// file's directory to the repo-relative path used as the input map's
+// key (e.g. "src/c14_git.ts").
+const resolveImport = (fromPath: string, importPath: string): string => {
+  const dir = fromPath.split("/").slice(0, -1).join("/");
+  const rel = importPath.replace(/^\.\//, "");
+  return dir + "/" + rel;
+};
+
+// — Check 1: Sorted -------------------------------------------------
+//
+// "Every file carries a profile-recognised prefix; lexicographic
+// prefix order equals layer order."
+const checkSorted = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  // Collect (prefix, layer) pairs from the profile.
+  const pairs: Array<{ prefix: string; layer: number }> = [];
+  for (const [k, spec] of Object.entries(input.profile.layers)) {
+    const layer = parseInt(k, 10);
+    for (const sub of spec.sublayers) pairs.push({ prefix: sub.prefix, layer });
+  }
+  // For any two prefixes with layer(A) < layer(B), A must lex-sort < B.
+  for (let i = 0; i < pairs.length; i++) {
+    for (let j = 0; j < pairs.length; j++) {
+      if (i === j) continue;
+      const a = pairs[i]!;
+      const b = pairs[j]!;
+      if (a.layer < b.layer && a.prefix > b.prefix) {
+        violations.push({
+          file: a.prefix,
+          detail: `prefix \`${a.prefix}\` (layer ${a.layer}) sorts after \`${b.prefix}\` (layer ${b.layer}) — lex order must equal layer order`,
+        });
+      }
+    }
+  }
+  // Also count source files whose prefix isn't recognised by any
+  // sublayer. They'd be flagged by Architecture too, but the Sorted
+  // rule needs each file to have a recognised prefix.
+  for (const path of input.files.keys()) {
+    if (!isSamaFile(path)) continue;
+    examined++;
+    if (declaredLayer(path, input.profile) === null) {
+      violations.push({ file: path, detail: "no profile-recognised prefix" });
+    }
+  }
+  return {
+    id: 1, name: "Sorted", property: "Sorted",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Check 2: Architecture -------------------------------------------
+//
+// "Every file maps to exactly one canonical layer; no file is
+// unprefixed or maps to two layers."
+const checkArchitecture = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  for (const path of input.files.keys()) {
+    if (!isSamaFile(path) && !isTestFile(path)) continue;
+    examined++;
+    const base = path.split("/").pop() ?? path;
+    // Find every profile prefix that matches this filename. Exactly
+    // one is required; zero = unprefixed (caught by Sorted too) but
+    // we surface it here as the canonical "unmapped" failure.
+    const matches: Array<{ layer: number; prefix: string }> = [];
+    for (const [k, spec] of Object.entries(input.profile.layers)) {
+      const layer = parseInt(k, 10);
+      for (const sub of spec.sublayers) {
+        if (base.startsWith(sub.prefix)) matches.push({ layer, prefix: sub.prefix });
+      }
+    }
+    if (matches.length === 0) {
+      violations.push({ file: path, detail: "unprefixed — does not match any profile prefix" });
+    } else if (matches.length > 1) {
+      // Two prefixes claim the same file: profile ambiguity.
+      const distinctLayers = new Set(matches.map((m) => m.layer));
+      if (distinctLayers.size > 1) {
+        violations.push({
+          file: path,
+          detail: `ambiguous — matches multiple layers: ${matches.map((m) => `${m.prefix}→L${m.layer}`).join(", ")}`,
+        });
+      }
+    }
+  }
+  return {
+    id: 2, name: "Architecture", property: "Architecture",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Check 3: Modeled (tests) ----------------------------------------
+//
+// "Every Layer 1 and Layer 2 behavior file has a sibling test file."
+const checkModeledTests = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  for (const path of input.files.keys()) {
+    if (!isSamaFile(path)) continue;
+    const decl = declaredLayer(path, input.profile);
+    if (!decl) continue;
+    if (decl.layer !== 1 && decl.layer !== 2) continue;
+    examined++;
+    const siblingPath = path.replace(/\.ts$/, ".test.ts");
+    if (!input.files.has(siblingPath)) {
+      violations.push({
+        file: path,
+        detail: `no sibling test at \`${siblingPath}\` — Layer ${decl.layer} requires one`,
+      });
+    }
+  }
+  return {
+    id: 3, name: "Modeled (tests)", property: "Modeled (tests)",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Check 4: Modeled (boundary) -------------------------------------
+//
+// "External input is parsed only in Layer 2."
+//
+// §4.4 is profile-dependent (spec §6). Our profile defines boundary
+// parsing as `JSON.parse(` of arbitrary input (not constant strings)
+// or `new URL(` of arbitrary input — i.e. patterns that turn bytes
+// into typed structures. Platform-provided parsers called *through*
+// Layer 3 entry handlers (`req.json()`, `req.formData()`, route
+// params) are treated as delegation to the platform's own Layer 2,
+// not parsing performed in our Layer 3. The verifier reports any
+// raw JSON.parse / new URL calls landing outside Layer 2.
+const BOUNDARY_PATTERNS = [
+  { name: "JSON.parse", re: /\bJSON\.parse\s*\(/ },
+  { name: "new URL",    re: /\bnew\s+URL\s*\(/    },
+];
+const checkModeledBoundary = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  for (const [path, content] of input.files.entries()) {
+    if (!isSamaFile(path)) continue;
+    const decl = declaredLayer(path, input.profile);
+    if (!decl) continue;
+    examined++;
+    if (decl.layer === 2) continue; // Layer 2 is the legitimate site.
+    const stripped = stripStringsAndComments(content);
+    for (const pat of BOUNDARY_PATTERNS) {
+      if (pat.re.test(stripped)) {
+        violations.push({
+          file: path,
+          detail: `boundary pattern \`${pat.name}\` found in Layer ${decl.layer} — parsing belongs in Layer 2`,
+        });
+      }
+    }
+  }
+  return {
+    id: 4, name: "Modeled (boundary)", property: "Modeled (boundary)",
+    passed: violations.length === 0, examined, violations,
+    note: "profile-dependent (spec §4.4): boundary = raw `JSON.parse` / `new URL` outside Layer 2. Platform parsers reached via `req.json()` etc. are treated as delegation to the platform's own Layer 2.",
+  };
+};
+
+// — Check 5: Atomic -------------------------------------------------
+//
+// "No file exceeds the line cap (default ~700; profile may lower,
+// never raise). No barrel re-export files."
+const ATOMIC_LINE_CAP = 700;
+const checkAtomic = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  for (const [path, content] of input.files.entries()) {
+    if (!isSamaFile(path) && !isTestFile(path)) continue;
+    examined++;
+    const lines = content.split("\n").length;
+    if (lines > ATOMIC_LINE_CAP) {
+      violations.push({
+        file: path,
+        detail: `${lines} lines (over the ${ATOMIC_LINE_CAP}-line cap — split per UI/data domain)`,
+      });
+    }
+    // Barrel detection: a file whose entire body is re-exports.
+    // Heuristic: every non-blank, non-comment line is `export ... from`.
+    const stripped = stripStringsAndComments(content);
+    const codeLines = stripped.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
+    if (codeLines.length >= 2 && codeLines.every((l) => /^export\s+(\*|\{)/.test(l) && /\bfrom\b/.test(l))) {
+      violations.push({ file: path, detail: "barrel re-export file (all lines are `export … from`)" });
+    }
+  }
+  return {
+    id: 5, name: "Atomic", property: "Atomic",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Check 6: The Law (§1.2) -----------------------------------------
+//
+// "Imports always point to a strictly lower layer number — never
+// upward, never sideways across a higher number, never cyclic."
+//
+// Build the import graph from relative-.ts imports, then for each
+// edge A → B require: layer(B) < layer(A), OR same layer + B's
+// sublayer index <= A's sublayer index. Also run a DFS cycle detector.
+const checkLaw = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  // Build adjacency.
+  const adj = new Map<string, string[]>();
+  for (const [path, content] of input.files.entries()) {
+    if (!isSamaFile(path) && !isTestFile(path)) continue;
+    examined++;
+    const out: string[] = [];
+    for (const imp of collectRelativeImports(content)) {
+      const resolved = resolveImport(path, imp);
+      // Only follow edges into known SAMA files (in-tree, in src/).
+      if (input.files.has(resolved)) out.push(resolved);
+    }
+    adj.set(path, out);
+  }
+  // Edge-by-edge layer/sublayer check.
+  for (const [from, outs] of adj.entries()) {
+    const aDecl = declaredLayer(from, input.profile);
+    if (!aDecl) continue; // Unmapped — caught by Architecture.
+    for (const to of outs) {
+      const bDecl = declaredLayer(to, input.profile);
+      if (!bDecl) continue;
+      if (bDecl.layer < aDecl.layer) continue;     // strictly lower — OK
+      if (bDecl.layer > aDecl.layer) {
+        violations.push({
+          file: from,
+          detail: `imports \`${to}\` — Layer ${aDecl.layer} → Layer ${bDecl.layer} (upward, breaks §1.2)`,
+        });
+        continue;
+      }
+      // Same layer: sublayer ordering. The import target must be in
+      // an earlier-or-equal sublayer slot (spec §2.2: later may import
+      // earlier).
+      if (bDecl.sublayer.index > aDecl.sublayer.index) {
+        violations.push({
+          file: from,
+          detail: `imports \`${to}\` — same layer ${aDecl.layer} but sublayer order is reversed (${aDecl.sublayer.name} sublayer-index ${aDecl.sublayer.index} → ${bDecl.sublayer.name} sublayer-index ${bDecl.sublayer.index})`,
+        });
+      }
+    }
+  }
+  // DFS cycle detection on the same graph.
+  const WHITE = 0, GRAY = 1, BLACK = 2;
+  const color = new Map<string, number>();
+  for (const k of adj.keys()) color.set(k, WHITE);
+  const cycles: string[][] = [];
+  const stack: string[] = [];
+  const dfs = (node: string): boolean => {
+    color.set(node, GRAY);
+    stack.push(node);
+    for (const next of adj.get(node) ?? []) {
+      const c = color.get(next) ?? WHITE;
+      if (c === GRAY) {
+        const idx = stack.indexOf(next);
+        if (idx !== -1) cycles.push([...stack.slice(idx), next]);
+        return true;
+      }
+      if (c === WHITE && dfs(next)) {
+        // bubble up
+      }
+    }
+    stack.pop();
+    color.set(node, BLACK);
+    return false;
+  };
+  for (const k of adj.keys()) if (color.get(k) === WHITE) dfs(k);
+  for (const cyc of cycles) {
+    violations.push({
+      file: cyc[0] ?? "(unknown)",
+      detail: `import cycle: ${cyc.join(" → ")}`,
+    });
+  }
+  return {
+    id: 6, name: "Law (§1.2)", property: "Law",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Check 7: Consistency (§3) ---------------------------------------
+//
+// "Verifier FAILS if a file imports from a layer that its declared
+// layer is not permitted to import." This is the same set of edges
+// the Law check examines, framed from the file's own perspective:
+// does the prefix lie about what the file actually does?
+//
+// We emit a separate verdict so the report can show both framings.
+// In a profile where no §1.2 violation exists, §3 also passes by
+// construction — both are derived from the same edge set.
+const checkConsistency = (input: SamaV2Input): SamaV2Check => {
+  const violations: SamaV2Violation[] = [];
+  let examined = 0;
+  for (const [path, content] of input.files.entries()) {
+    if (!isSamaFile(path)) continue;
+    const aDecl = declaredLayer(path, input.profile);
+    if (!aDecl) continue;
+    examined++;
+    let ceiling = -1;
+    let ceilingFile: string | null = null;
+    for (const imp of collectRelativeImports(content)) {
+      const resolved = resolveImport(path, imp);
+      const bDecl = declaredLayer(resolved, input.profile);
+      if (!bDecl) continue;
+      if (bDecl.layer > ceiling) { ceiling = bDecl.layer; ceilingFile = resolved; }
+    }
+    // Consistency fails if any import goes to a strictly higher
+    // layer than the file's declared layer. Same-layer with bad
+    // sublayer order is the Law's concern, not Consistency's.
+    if (ceiling > aDecl.layer) {
+      violations.push({
+        file: path,
+        detail: `declared Layer ${aDecl.layer} (prefix \`${aDecl.sublayer.prefix}\`) but imports reach Layer ${ceiling} via \`${ceilingFile}\` — the prefix claims something the imports contradict`,
+      });
+    }
+  }
+  return {
+    id: 7, name: "Consistency (§3)", property: "Consistency",
+    passed: violations.length === 0, examined, violations,
+  };
+};
+
+// — Orchestrator ----------------------------------------------------
+
+export const verifySamaV2 = (input: SamaV2Input): SamaV2Report => {
+  const checks: SamaV2Check[] = [
+    checkSorted(input),
+    checkArchitecture(input),
+    checkModeledTests(input),
+    checkModeledBoundary(input),
+    checkAtomic(input),
+    checkLaw(input),
+    checkConsistency(input),
+  ];
+  // Architecture's examined count is the canonical total — it counts
+  // every file the profile assigns to a layer (or fails to).
+  const examined = checks.find((c) => c.id === 2)?.examined ?? 0;
+  return {
+    profile: input.profile.profile,
+    examined,
+    checks,
+    overallPassed: checks.every((c) => c.passed),
+  };
+};
diff --git a/src/c51_render_admin.ts b/src/c51_render_admin.ts
index e2cd79ebd675a577abac15314a792f8dc3a7528f..b2dcf46d51a6d115073f842754f880d0b45b9ac9 100644
--- a/src/c51_render_admin.ts
+++ b/src/c51_render_admin.ts
@@ -10,7 +10,7 @@
 // here is forward-compatible with the block editor that lands next.
 
 import { escape, renderPage } from "./c51_render_layout.ts";
-import type { SxDocumentSummary } from "./c13_database.ts";
+import type { SxDocumentSummary } from "./c31_sxdoc.ts";
 import type { SxDocument } from "./c31_sxdoc.ts";
 import { sxToHtml } from "./c51_render_sxdoc.ts";
 
diff --git a/src/c51_render_edit.ts b/src/c51_render_edit.ts
index 85b6edf1c848e02bf716445e06a1f515e2ff1391..b0b4fa26100be62b1d363c732ab0c84cc85cfcbb 100644
--- a/src/c51_render_edit.ts
+++ b/src/c51_render_edit.ts
@@ -8,10 +8,7 @@ import {
   escape,
 } from "./c51_render_layout.ts";
 import type { ResolvedEdit } from "./c32_edit_resolve.ts";
-import type {
-  GitCommitOk,
-  GitCommitFailure,
-} from "./c14_git.ts";
+import type { GitCommitOk, GitCommitFailure } from "./c31_git_parse.ts";
 
 const layoutWrap = (innerHtml: string): string =>
   `<main class="md edit-page"><div class="edit-container">${innerHtml}</div></main>`;
diff --git a/src/c51_render_projects.ts b/src/c51_render_projects.ts
index e74463d7d53b97b95526a2eb5d59c1d2132a0ba1..0ff7f21a0544caf01dd174ed0477252bf0c6e29a 100644
--- a/src/c51_render_projects.ts
+++ b/src/c51_render_projects.ts
@@ -1,7 +1,7 @@
 // c51 (projects) — body builders for /projects, /projects/new,
 // /projects/:owner/:repo. Imports chrome helpers from c51_render_layout.
 
-import type { ProjectRow } from "./c13_database.ts";
+import type { ProjectRow } from "./c31_project_config.ts";
 import { PROJECT_CONFIG_PATH } from "./c31_project_config.ts";
 import { escape } from "./c51_render_layout.ts";
 
diff --git a/src/c51_render_repo.ts b/src/c51_render_repo.ts
index d13f5fc2ca0fd821337769575eaf579a347b3946..44f97d12e0c6024350ec7cf6eba289793f79bd57 100644
--- a/src/c51_render_repo.ts
+++ b/src/c51_render_repo.ts
@@ -6,7 +6,7 @@
 
 import { marked } from "marked";
 import { renderPage, escape } from "./c51_render_layout.ts";
-import type { TreeEntry } from "./c14_git.ts";
+import type { TreeEntry } from "./c31_git_parse.ts";
 
 const shortSha = (sha: string): string => sha.slice(0, 7);