feat(sprint-9): close PR #355 Tier-A deferred backlog (4 items) + correct misdiagnosed hpc-extras issue

.claude/board/ISSUES.md

@@ -92,6 +92,17 @@ Cross-ref: `.claude/board/EPIPHANIES.md` 2026-04-20 E-MEMB-1; `.claude/board/EPI
 
 ---
 
+## 2026-05-13 — ndarray:master missing `hpc-extras` feature (latent downstream build break)
+**Status:** Open (upstream-blocked)
+**Priority:** P2
+**Scope:** domain:infra D-NDARRAY-MASTER-HPC-EXTRAS
+
+The `hpc-extras` feature on `ndarray` lives on `AdaWorldAPI/ndarray` branch `claude/burn-A1-dep-gating` (PR #116, **never merged to master**). lance-graph PR #364 (`a3c753f`) declares `features = ["hpc-extras"]` on its `ndarray` path dep — this works for us because the local `/home/user/ndarray` checkout is on the integration branch that carries the feature. **Any consumer that points at `ndarray:master` (post-#142, pre-#116) will hit `feature hpc-extras not found`** — surfaced by MedCare-rs PR #118 (doc-only investigation, merged 2026-05-13). The fix is upstream: `ndarray PR #116 → master`. Outside this session's scope; tracked here so it doesn't get rediscovered.
+
+Cross-ref: MedCare-rs#118, lance-graph PR #364 commit `a3c753f`, ndarray PR #116 (`claude/burn-A1-dep-gating`), ndarray PR #142 (VBMI+Inf clamp, merged but does NOT add hpc-extras to master).
+
+---
+
 (No other tracked open issues. New issues PREPEND here
 in reverse chronological order. Format below.)
 

.claude/board/LATEST_STATE.md

@@ -2,7 +2,7 @@
 
 > **Auto-injected at session start via SessionStart hook.**
 > Updated after every merged PR.
-> **Last updated:** 2026-05-13 (PR #365 merged: 13-worker parallel sprint-5/sprint-6 spec batch + Opus meta review — governance only, ~300 KB of PR-ready specs at .claude/specs/, ready to feed sprint-7 implementation workers; 4 blocking OQs pending user decision). Prior same-day: sprint-5 cross-repo landing complete — lance-graph PR #364 + MedCare-rs#112 + smb-office-rs#31 + ndarray#142 all merged the same day. lance-graph #364 ships D-SDR-3/4/5 + sprint-log-4 governance + sprint-5-9 roadmap + codex P1/P2 surgical fixes (OwlIdentity 3-byte canonical, UnifiedAuditEvent 26 bytes, OgitFamilyTable sparse `HashMap<u16, FamilyEntry>`, audit super_domain via AuditChain). MedCare-rs#112 (PR-B) wires `UnifiedBridge<MedcareBridge>` + medcare-rbac + medcare-realtime substrate (+2963 LOC, 17 files, §73 SGB V + BMV-Ä §57 + BtM regulatory tests). smb-office-rs#31 (PR-C) wires `UnifiedBridge<OgitBridge>` (+111 LOC). ndarray#142 ships VBMI gate for `permute_bytes` (P0 SIGILL fix on Skylake-X / Cascade Lake / Ice Lake-SP) + Inf clamp for `simd_exp_f32`. D-SDR-5 `UnifiedBridge` surface is now consumed end-to-end across MedCare + smb-office. Prior: 2026-05-07 (PR #354). Prior: 2026-05-07 (PR #353). Prior: 2026-05-07 (PR #352). Prior: 2026-05-06 (splat-osint-ingestion-v1 PR 1+2 of 6 in flight). Prior: 2026-04-21 post PR #243.
+> **Last updated:** 2026-05-13 (PR #366 merged: sprint-7 7-worker implementation wave for the sprint-5/6 specs + AuditSink trait unification, ~5 KLOC across 5 crates +2 new (`lance-graph-supervisor`, `lance-graph-consumer-conformance`), ~70 new tests, workspace clippy --tests --no-deps -D warnings exits 0; Opus meta verdict 4A/2B/1B-minus; OQ-7-1/2/3 all locked pre-merge; `UnifiedAuditSink` D-SDR-4 placeholder dropped, all sinks unified on `AuditSink` trait; `UnifiedBridge::with_jsonl_audit()` ergonomic constructor added for MedCare-rs sprint-2 item 5. **Adjacent landings (same day):** MedCare-rs sprint-1 10-PR sweep (#113-#122) including E1-1 OQ-3 direct migration (6 RoleGroups) consuming our `0d725d4` decision. MedCare-rs sprint-2 (5 PRs) is queued on user "go" — item 5 consumes this PR's new constructor. Prior same-day: PR #365 (13 sprint-5/6 specs + meta). Prior: PR #364 (D-SDR-3/4/5 + sprint-log-4 governance + sprint-5-9 roadmap + codex P1/P2 fixes). lance-graph #364 ships D-SDR-3/4/5 + sprint-log-4 governance + sprint-5-9 roadmap + codex P1/P2 surgical fixes (OwlIdentity 3-byte canonical, UnifiedAuditEvent 26 bytes, OgitFamilyTable sparse `HashMap<u16, FamilyEntry>`, audit super_domain via AuditChain). MedCare-rs#112 (PR-B) wires `UnifiedBridge<MedcareBridge>` + medcare-rbac + medcare-realtime substrate (+2963 LOC, 17 files, §73 SGB V + BMV-Ä §57 + BtM regulatory tests). smb-office-rs#31 (PR-C) wires `UnifiedBridge<OgitBridge>` (+111 LOC). ndarray#142 ships VBMI gate for `permute_bytes` (P0 SIGILL fix on Skylake-X / Cascade Lake / Ice Lake-SP) + Inf clamp for `simd_exp_f32`. D-SDR-5 `UnifiedBridge` surface is now consumed end-to-end across MedCare + smb-office. Prior: 2026-05-07 (PR #354). Prior: 2026-05-07 (PR #353). Prior: 2026-05-07 (PR #352). Prior: 2026-05-06 (splat-osint-ingestion-v1 PR 1+2 of 6 in flight). Prior: 2026-04-21 post PR #243.
 >
 > Purpose: prevent new sessions from hallucinating structure that
 > already exists or proposing features already shipped. Read this
@@ -14,6 +14,7 @@
 
 | PR | Merged | Title | What it added |
 |---|---|---|---|
+| **#366** | 2026-05-13 | impl(sprint-7): 7-worker implementation wave + AuditSink trait unification | Sprint-7 CCA2A 6-parallel + 1-sequenced + 1-Opus-meta. **~5 KLOC across 5 crates + 2 new** (`lance-graph-supervisor`, `lance-graph-consumer-conformance`). Workers: **S7-W1** `parse_family_registry()` + Healthcare basins `0x10..=0x19` (unblocks MedCare-rs E1-2/E1-3/E1-4 cascade); **S7-W2** `lance-graph-contract/build.rs` codegen (zero-dep preserved; sorted-slice + binary_search, no phf — OQ-2); **S7-W3** ractor supervisor with separate 18-byte `LifecycleAuditEvent` (CC-2) + `SuperDomain::System` exempt (CC-3); **S7-W4** `assert_consumer_conformance` harness (A1-A10); **S7-W5** `CognitiveBridgeGate` trait + `UnifiedBridgeGate<B>` impl; **S7-W6** new `audit_sink/` module (`AuditSink` trait + `JsonlAuditSink` + `LanceAuditSink` + `CompositeSink`) + `audit_verify` CLI + `prev_merkle` field on UnifiedAuditEvent (canonical_bytes still 26 B); **S7-W7** SMB Foundry `0x80..=0x82` vs BSON `0xA0..=0xAD` disjoint slots (OQ-4). **Post-meta AuditSink trait unification** (`bc530a4`): dropped legacy `UnifiedAuditSink` D-SDR-4 placeholder, `UnifiedBridge::audit_sink: Arc<dyn AuditSink>`, added `with_jsonl_audit()` ergonomic constructor (OQ-7-2 + OQ-7-3 locked). **Pre-existing workspace lint debt** cleaned by Sonnet janitor across ~30 files in `lance-graph` core / `bgz-tensor` / planner / nsm (sprint-7 outputs guardrailed). **Opus meta verdict** at `.claude/board/sprint-log-7/meta-review.md`: 4A/2B/1B-minus/0 C/D/F. **Adjacent landings:** MedCare-rs sprint-1 10-PR sweep #113-#122 (E1-1 OQ-3 consumed our `0d725d4` decision; sprint-2 5 PRs queued). |
 | **#365** | 2026-05-13 | specs(sprint-5-6): 13-worker parallel batch + Opus meta review | Governance-only PR. **13 PR-ready specs at `.claude/specs/`** (~300 KB) from a 12-Sonnet-worker + 1-post-meta-Sonnet-worker + 1-Opus-meta-agent parallel batch. Spec grades: 3 A (W2 d3b-jsonl, W5 pr-graph, W12 conformance), 7 B, 2 C (W10 manifest-modules needs §4.3 sorted-slice rewrite; W11 ractor-supervisor needs LifecycleAuditEvent split). 24 KB Opus meta cross-spec review at `.claude/board/sprint-log-5-6/meta-review.md`. 4 blocking OQs (W3 parser entry, W10 phf vs sorted-slice, W6 Role migration, W13 BSON namespace). CCA2A 12+1+1 pattern validated at scale: ~300 KB of PR-ready output in under an hour wall-clock; 3 workers required respawns for permission denials (settings.json patched for `.claude/board/sprint-log-5-6/**`). |
 | **#364** | 2026-05-13 | D-SDR-3/4/5 + sprint-log-4 governance + sprint 5-9 roadmap + codex P1/P2 | Tier-A substrate close: **D-SDR-3** OgitFamilyTable + FamilyEntry codebook (~300 LOC), **D-SDR-4** merkle-chained UnifiedAuditEvent (~460 LOC, AuditMerkleRoot = u64 FNV-1a), **D-SDR-5** authorize_* through Policy::evaluate with audit emission (~300 LOC). **Codex P1 fix** (`3208743`): OwlIdentity widened u8→u16 slot → 3-byte canonical `[family, slot_lo, slot_hi]`; OgitFamilyTable → sparse `HashMap<u16, FamilyEntry>`; UnifiedAuditEvent canonical_bytes 25→26. **Codex P2 fix** (`e23ce89`): emit_audit uses AuditChain.super_domain() instead of static FAMILY_TO_SUPER_DOMAIN. **CI fix** (`a3c753f`): ndarray/hpc-extras opt-in for blake3. Sprint-log-4 governance corpus (12 worker specs + 2 meta reviews) + sprint-5-through-9 roadmap (70 agents = 60W + 10M across 5 sprints, mandatory 12-step plan-read-order in worker prompts). 97/97 callcenter lib tests pass. All 5 CI checks green on `c8176cb`. Adjacent: ndarray#142 (VBMI gate + Inf clamp) merged same day. |
 | **#354** | 2026-05-07 | gov: #353 post-merge + cross-repo adjacent-landings | Pure governance close-out. PR_ARC entry for #353 + LATEST_STATE row. Documents the 5-PR coordinated landing across 4 repos: lance-graph #352/#353/#354 + OGIT #2 (woa+medcare bridges unblocked for OGIT-O(1)) + woa-rs #2 (cross-repo `--features ontology` integration) + MedCare-rs #109 (`?source=lance` exercising Zone 2 → Zone 3 rewriter chain). Locks: append-only board hygiene durability across 4 sequential prepends; cross-repo coordinated-landing recipe. |

.claude/board/PR_ARC_INVENTORY.md

@@ -35,6 +35,50 @@
 
 ---
 
+## #366 — impl(sprint-7): 7-worker implementation wave for sprint-5/6 specs + AuditSink trait unification (merged 2026-05-13)
+
+**Confidence (2026-05-13):** merged clean. Workspace `cargo clippy --workspace --tests --no-deps -- -D warnings` exits 0; all sprint-7 worker tests pass; `UnifiedAuditEvent::canonical_bytes` 26-byte invariant preserved across the OQ-7-2 trait migration. **Status:** Merged to `main` (commit `3a85ec0`). **Adjacent landings (2026-05-13):** MedCare-rs sprint-1 10-PR sweep (#113 Finding 1 `MedcareOntology::from_registry` → PR-α / #114 FingerprintCodec re-export fold Pattern N → PR-γ / #115 AUTH_LEGACY_TRIPLEDES_MIGRATION cipher reality → PR-δ / #116 ALL_SCHEMAS 4→7 mirrors OGIT PR #3 → Finding 2 / #117 SPRINT5_READINESS_RECON / #118 ndarray hpc-extras investigation upstream-blocked / **#119 medcare_healthcare_policy + 6 RoleGroups consumes our `0d725d4` OQ-3 direct-migration decision** / #120 governance board + tier-0 / #121 sprint-1 meta-retrospective with §8 sprint-2 5-PR queue / #122 codex P2 path-fix). All merged the same day. MedCare-rs sprint-2 is now ready on user "go" — 5 PRs queued, item 5 (Audit-sink decision: JSONL primary + optional Lance projection) consumes this PR's `UnifiedBridge::with_jsonl_audit()` ergonomic constructor.
+
+**Added:**
+- **7 sprint-7 worker outputs** across 5 crates (+2 new), ~5 KLOC, ~70 new tests:
+  - **S7-W1** `pr-d4-family-hydration` — `parse_family_registry()` API + `FAMILY_TABLE` OnceLock + Healthcare basins `0x10..=0x19` (FMA/SNOMED/ICD10/RxNorm/LOINC/MONDO/HPO/DRON/CHEBI/RadLex) seeded via `data/family_registry.ttl`. **Critical-path unblocker for MedCare-rs E1-2/E1-3/E1-4 cascade.** ~560 LOC, 16/16 + 9/9 tests.
+  - **S7-W2** `pr-g1-manifest-modules` — `lance-graph-contract/build.rs` (~260 LOC) + `manifest.rs` (~80 LOC) codegen pipeline reading 6 YAML manifests (dolce / medcare / smb-office / q2-cockpit / fma / hubspot). **CC-7 fix per OQ-2: sorted-slice + `binary_search_by_key`, NOT `phf::Map`. Zero-dep invariant preserved** — `[dependencies]` in `lance-graph-contract` unchanged. ~980 LOC, 8 codegen tests.
+  - **S7-W3** `pr-g2-ractor-supervisor` — new crate `lance-graph-supervisor`. `CallcenterSupervisor` with one-for-one supervision, exponential backoff (100ms × 2ⁿ capped 30s), escalation > 10. **CC-2 fix: separate 18-byte `LifecycleAuditEvent`** (NOT merged into AuthOp / UnifiedAuditEvent). **CC-3 fix: `SuperDomain::System` with hard-lock exemption.** 11 tests + 26-byte regression.
+  - **S7-W4** `sprint-6-conformance-test` — new crate `lance-graph-consumer-conformance`. Generic `assert_consumer_conformance<B: NamespaceBridge>()` with all 10 contract assertions A1-A10. Fixtures for E1/E2/E3; E4/E5 `#[ignore]` scaffolds. A6 exempts `SuperDomain::System` per meta CC-3. 8 pass + 2 ignored, 0 fail.
+  - **S7-W5** `pr-f1-thinking-engine-wire` — `CognitiveBridgeGate` trait in `thinking-engine` + `UnifiedBridgeGate<B: NamespaceBridge>` impl in `lance-graph-callcenter`. Chinese-wall check fires before policy on `tenant_id` mismatch. **No circular dep** (callcenter → thinking-engine only). 329 thinking-engine + 114 callcenter + 12 new gate tests.
+  - **S7-W6** (combined `pr-d3a` + `pr-d3b`) — new `crate::audit_sink` module: `AuditSink` trait, `AuditError`, `MerkleRoot`, `CompositeSink` (FailFast/BestEffort), `JsonlAuditSink` (4096-event buffer, per-tenant-per-day, day-rotation + gzip), `LanceAuditSink` (12-column Arrow schema, `FixedSizeBinary(3)` owl_identity, `super_domain × date` Hive partitioning). New binary `audit_verify` with `verify-jsonl` / `verify-lance` / `cross-verify` (exit codes 0/1/2/3). Adds `prev_merkle: AuditMerkleRoot` field to UnifiedAuditEvent (excluded from `canonical_bytes` — byte layout unchanged at 26). ~2230 LOC, 11 new + 132 total callcenter tests.
+  - **S7-W7** `pr-ogit-ttl-smb-hydration` (lance-graph side) — extends `parse_family_registry()` for `ogit.SMB.bson:` sub-namespace per OQ-4. Foundry slots `0x80..=0x82`, BSON slots `0xA0..=0xAD`. `family_smb_foundry_and_bson_slots_are_disjoint` test locks the invariant. `registry.enumerate("SMB")` still returns exactly 3.
+- **Opus meta cross-impl review (32 KB)** at `.claude/board/sprint-log-7/meta-review.md`. 8 sections. Verdict: **4 A-grade (W1/W2/W4/W5) + 2 B-grade (W3/W7) + 1 B-minus (W6) + 0 C/D/F**. Sprint-7 implementation quality materially higher than sprint-5-6 spec quality.
+- **AuditSink trait unification (post-meta MUST-FIX, commit `bc530a4`):** dropped `UnifiedAuditSink` D-SDR-4 placeholder shim entirely. `UnifiedBridge::audit_sink` retyped to `Arc<dyn AuditSink>`. Added `NoopAuditSink` in `audit_sink/mod.rs`. Added `UnifiedBridge::with_jsonl_audit(super_domain, salt, base_path)` ergonomic constructor per OQ-7-3. Best-effort `let _ = sink.emit(event);` on the authorize hot path (failures must not block).
+- **Pre-existing lint debt cleanup** across `lance-graph` core / `bgz-tensor` / `lance-graph-planner` / `datafusion_planner` / `nsm` (~30 files, ~12 lint categories). Sonnet janitor with sprint-7-outputs guardrail. Commits `9fb666d` + `a472c4a`.
+- **MedCare-rs sprint-1 cross-cut alignment** (`a61fbd8`): W4 conformance MedCare fixture role name `"doctor"` → `"physician"` (MedCare#119 OQ-3 direct migration); W6 `composite.rs` doc example label `LanceAuditSink "primary"` → `JsonlAuditSink "primary"` (MedCare sprint-2 item 5 framing).
+- **3 governance scratchpads + meta-review at `.claude/board/sprint-log-7/`** + 8 worker scratchpads `agent-W{1..7,META}.md` + SPRINT_LOG.md.
+- **`.claude/settings.json` allowlist entries** for `.claude/board/sprint-log-7/**` paths (lessons-learned from sprint-5-6 worker permission failures).
+
+**Locked:**
+- **OQ-7-2 (AuditSink trait migration)** — full migrate, no adapter. CLAUDE.md "no abstractions beyond what task requires" controls. `UnifiedAuditSink` deleted; `AuditSink` is the single canonical trait. Cross-ref EPIPHANIES `9625fb5` + commit `bc530a4`.
+- **OQ-7-3 (UnifiedBridge::new() default)** — keep `NoopAuditSink` default; add `with_jsonl_audit()` ergonomic constructor for explicit opt-in. No silent disk writes. MedCare sprint-2 item 5 consumes the new constructor.
+- **OQ-7-1 (RoleGroup count)** — 6 RoleGroups (Physician + Nurse + Cashier + Researcher + HipaaAudit + Admin), matches MedCare#119 end-state. Earlier "add 4" wording referred to additions (Nurse + 3 renames); same end-state.
+- **CCA2A 6+1+1 implementation pattern validated at scale:** 6 parallel Sonnet workers + 1 sequenced Sonnet (W7 post-W1) + 1 Opus meta produced ~5 KLOC of code across 5 crates + 2 new crates in under one wall-clock hour for the worker phase. Pattern: combine related specs (W6 = D3a + D3b) when they share traits to avoid trait-split merge conflicts. **Sole worker misfire: S7-W6 first attempt invoked the `fewer-permission-prompts` skill instead of implementing audit sinks; respawn with explicit `DO NOT invoke any skill` guardrail succeeded.** Lesson: worker prompts must list `DO NOT invoke any skill` and the specific skill names (`fewer-permission-prompts`, `update-config`, `simplify`, `loop`) when the task is pure implementation.
+- **Clippy-first verification discipline:** user-locked rule — `cargo clippy --workspace --tests --no-deps -- -D warnings` runs BEFORE any `cargo check` / `cargo build` / `cargo test`. Clippy catches type/lint errors in seconds; full compile+test cycles can time out at 20+ minutes when those errors would have surfaced earlier. Now baked into all worker spawn prompts.
+- **Sprint-7 sequencing decision: 1 mega-PR was the right call** for a branch that already mixed thematic scopes. Meta's "3 thematic PRs" recommendation deferred to sprint-8 worker prompts (each impl spec → one PR ceiling).
+
+**Deferred:**
+- **MedCare-rs sprint-2 (5 PRs queued on user "go")** — Researcher access guard (codex P1; D-SDR-15 prep) / bridge-policy parity test / RBAC entity-name realignment to OGIT (consumes #116 + OGIT PR #3) / `auth_legacy::decrypt()` wiring of `legacy_crypt` (D-SDR-38) / Audit-sink decision PR (consumes this PR's `with_jsonl_audit()`).
+- **E1-3 (`MedCareStack` composition) + E1-4 (audit emission cascade)** — cascade-unblocked by this PR's `parse_family_registry()` + Healthcare basin seeding. medcare-rs session can fire them once they pick up the rebase.
+- **E1-5 (HIPAA hard-lock cross-domain matrix, D-SDR-17)** — sprint-8 compliance work.
+- **E1-6 (JWT middleware stub for `praxis_id`)** — blocked on DM-7 upstream (`RlsRewriter::rewrite(LogicalPlan, &ActorContext)` per foundry-roadmap §2).
+- **hiro-rs / hubspot-rs scaffolds** — repo-creation decision pending. `lance-graph-consumer-conformance` has `#[ignore]` scaffolds for E4/E5 ready to consume them.
+- **`ndarray:master hpc-extras` upstream gap** — surfaced by MedCare#118: `hpc-extras` feature lives on `AdaWorldAPI/ndarray` branch `claude/burn-A1-dep-gating` (PR #116, never merged to master). lance-graph PR #364's `features = ["hpc-extras"]` on the ndarray dep works in our environment via local-checkout-on-integration-branch but is a latent compatibility break against `ndarray:master`. Recorded in `ISSUES.md`. Fix is `ndarray PR #116 → master` (outside this session's scope).
+
+**Docs:**
+- `.claude/specs/` — 13 sprint-5-6 specs (predecessor #365); sprint-7 implementations consume them in this PR.
+- `.claude/board/sprint-log-7/SPRINT_LOG.md` + `meta-review.md` + 8 agent scratchpads.
+- `EPIPHANIES.md` 2026-05-13 OQ-7 DECISION entry (preceded by 2026-05-13 4-OQ-PR-#365 DECISION entry).
+- `ISSUES.md` — `ndarray:master hpc-extras` gap entry.
+
+---
+
 ## #365 — specs(sprint-5-6): 13-worker parallel batch + Opus meta review (merged 2026-05-13)
 
 **Confidence (2026-05-13):** governance-only PR, no `.rs` / `Cargo.toml` changes. CI green (format / clippy / build / test / coverage — no code touched). **Status:** Merged to `main`. **OQ resolutions (2026-05-13 post-merge, durable):** OQ-1 → new `parse_family_registry()` API; OQ-2 → sorted-slice + binary search (zero-dep invariant); OQ-3 → direct migration `doctor → physician` + add 4 RoleGroups; OQ-4 → `ogit.SMB.bson:` sub-namespace. Full rationale at `EPIPHANIES.md` 2026-05-13 DECISION entry. Sprint-7 implementation fleet unblocked.