Public update notes

What changed, what is still open, and where reviewers should look next.

This page is the public change narrative for the DBaD ethics-engine review surface.

Use it with the current-state page, fixture suite, trace pages, and API docs. Older prompts and screenshots remain archive history, not the current proof surface.

Validation artifacts are point-in-time evidence only; they are not authorization for trust-positive use.


Current public baseline

Round62 is staged through DBAD-PUB-1067, prepared on 2026-06-05, and held for continued local hardening. Round60 has been reviewed and should not be resent as-is by default. The current Round62 packet carries DBAD-PUB-1067 and preserves a 47-surface peer freshness core covering `/break-dbad` and `/break-dbad/report`. It keeps the following checks aligned:

  • field-binding, extraction/collapse, reviewer-report, prompt-state, peer freshness, public routing, held-review draft queue, reviewer-support markdown, aggregate sidecar, artifact-boundary, and current artifact-hygiene checks;
  • rendered public baseline body-window marker guarding;
  • the runtime --list-components CLI full-command parity proof plus structured CLI timeout failure handling, explicit timeout summary-shape guarding, and timeout-threshold seconds projection;
  • the active prompt, Round62 synthesis send-state boundary, blocked-fetch prompt-state sidecar summary, projected executable exact prompt-state sidecar status dependency, and blocked-fetch bridge label;
  • historical audit-family label boundaries for Round60-named field-binding/extraction harnesses inside aggregate public-contract JSON and Round62 reviewer-support artifacts;
  • synthesis historical-marker and compact-prompt size checks.

Current public proof also discloses, together in the first-window current-baseline sentence, red-team component inventory, rendered public baseline, aggregate public-contract, peer bundle, reviewer report JSON, timeout summary, timeout-threshold seconds, and active prompt public timeout-threshold disclosure guarding, the active runtime no-wait wording guard, the active tool-boundary direct-run guard, and the active public freshness-core drift guard. Public behavior-canary rows for wrong-marker, partial-marker, and tuple-shape cases remain projected across aggregate public-contract, peer bundle, and reviewer report JSON. Older DBAD-PUB closure IDs remain in the archive below, not in this current-baseline summary.
Next peer pass should use Round62 when reopened: the active packet is DBaD_Ethics_Round62_Compact_Post_Round61_Field_Bound_Review_Prompt_2026-06-05.md; it remains held for continued local hardening until a later no-known-cracks pass reopens operator send.

Deferred work stays visible: signed historical verification attestations exist only as non-authoritative audit artifacts; persistent DB-backed token revocation and signed first-use resource-continuity attestations remain deferred.

Last updated: 2026-06-08 UTC

Public progress notes for reviewers and operators


Latest update

2026-06-08 - Round62 runway reviewer-support, public-contract, and latest-update freshness hardening

Current public state in one place:

  • DBaD proof artifacts remain evidence only, not authorization.
  • Red-team harnesses now cover proof-bundle scope, token integrity, evidence-code correlation, checked-rule evidence binding, stored-state evidence binding, structured-reliance evidence binding, linked trace-fleet and explanatory-page cross-client projection drift, API/OpenAPI drift, canonical OpenAPI freshness headers, peer freshness-table reproducibility, DBaD contract-version response headers, representative parameterized OpenAPI path coverage, OpenAPI response-header schema coverage, peer-prompt state consistency, robots/sitemap route liveness, direct representative DBaD/DecencyMeter API route samples, and DBaD OpenAPI contract depth.
  • Root-success and advisory binding is covered for DecencyMeter advisory JSON in live payloads and OpenAPI examples, public DBaD/DecencyMeter health JSON, representative public DBaD/ethics JSON, legacy DecencyMeter survey/path JSON, public DecencyMeter write acknowledgments, public DecencyMeter session/score/metrics advisory fields, public DecencyMeter session/ack/score/metrics OpenAPI examples, and global DecencyMeter/ethics OpenAPI component examples.
  • Canonical OpenAPI gets full positive-shape schema/enum/required-field/text scanning, and parsed JSON/OpenAPI safety-metadata exemptions apply to status-like clean strings and arrays.
  • Live sitemap/OpenAPI-derived public JSON is crawled for positive shapes: status/result/class-like and health/freshness/liveness/readiness clean positive string values, boolean array values, numeric-one shortcut values, and quoted string-one shortcut values under bounded positive-shaped keys.
  • Public HTML/API-doc source is crawled for positive shapes: unquoted inline positive-key assignments; prefixed quoted success-key variants; numeric-one, quoted string-one, and quoted string-true positive-key snippets; scalar snippets using HTML apostrophe entities, hex/padded numeric HTML quote entities, semicolonless and padded HTML quote entities, JavaScript-escaped quotes, JavaScript Unicode/hex/braced-Unicode/octal quote escapes, arbitrary-padded percent-encoded braced-Unicode quote escapes, JavaScript template-literal backticks, JavaScript escaped backticks, HTML backtick entities, and percent-encoded, double-percent-encoded, or repeatedly percent-encoded (through eight encoding layers) quote/backtick delimiters, JavaScript escape delimiters, and HTML quote/backtick entity delimiters; clean quoted and unquoted status-string variants; status-like attributes; quoted and unquoted source status-array strings and booleans; scalar status-like bare boolean guards with safety-metadata exemptions; scalar and array status-like numeric-one / quoted string-one guards with safety-metadata exemptions; and extended source values such as healthy or clean state.
  • Public JavaScript source from sitemap-listed pages is crawled for positive shapes: JavaScript-escaped quotes; Unicode/hex/braced-Unicode/octal quote escapes; arbitrary-padded percent-encoded braced-Unicode quote escapes; template-literal backticks; JavaScript escaped backticks; percent-encoded, double-percent-encoded, or repeatedly percent-encoded (through eight encoding layers) quote/backtick delimiters and JavaScript escape delimiters; quoted positive object keys; numeric-one, quoted string-one, and quoted string-true positive-key snippets; extended clean status strings; and quoted or unquoted source status-array strings, booleans, and one-value shortcuts.
  • The review pages have been cleaned up so humans can verify the current baseline without fighting the layout.
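The source positive-shape crawls listed above all follow one shape: decode the entity, escape and percent-encoding layers that can hide a delimiter, remove the separator tricks (comments, zero-width characters, line continuations, quote concatenation) that can split a token, and only then match positive-shaped keys and status-like values, with explicit safety metadata exempt. The Python below is an added illustration written for this page, not the project's audit_dbad_public_html_source_positive_shape.py or any other DBaD script. The key/value vocabularies, the spelling of the safety-metadata exemption, the names normalize_source and scan_source, and the sample page source are all assumptions; it also strips default-ignorable characters everywhere rather than only between ASCII token characters, which is a superset of the page's rule.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

MAX_LAYERS = 8                      # page: delimiters are decoded "through eight encoding layers"
TOKEN = r"[A-Za-z0-9_]"
# Assumed vocabularies for the demo; the project's real key/value lists are not on the page.
POSITIVE_TOKENS = {"ok", "success", "approved", "valid", "allowed", "certified", "passed"}
STATUS_TOKENS = {"status", "state", "result", "class", "outcome", "health",
                 "freshness", "liveness", "readiness", "authority", "permission"}
CLEAN_POSITIVE_VALUES = {"ok", "passed", "healthy", "clean", "clean state", "ready",
                         "fresh", "live", "current", "approved", "valid"}
SAFETY_TOKENS = {"safety", "metadata"}   # assumed spelling of the explicit safety-metadata exemption
SHORTCUTS = {"true", "1"}                 # bare/quoted true, numeric-one, quoted string-one

# \u{22}, \u0022, \x22 and legacy octal \42 all spell a quote; the same applies to backticks.
_JS_ESC = re.compile(r"\\(?:u\{0*([0-9A-Fa-f]{1,6})\}|u([0-9A-Fa-f]{4})|x([0-9A-Fa-f]{2})|([0-7]{1,3}))")
# key[:=]value for JSON, object-literal, inline-assignment and attribute forms.
_KV = re.compile(
    rf"""['"`]?(?P<key>{TOKEN}+)['"`]?\s*[:=]\s*(?P<val>\[[^\]]*\]|['"`][^'"`]*['"`]|{TOKEN}+)""")


def _js_unescape(match):
    hex_digits = match.group(1) or match.group(2) or match.group(3)
    return chr(int(hex_digits, 16)) if hex_digits else chr(int(match.group(4), 8))


def decode_layers(text, max_layers=MAX_LAYERS):
    """Peel HTML entities, JavaScript escapes and percent-encoding until the text is stable."""
    for _ in range(max_layers):
        peeled = unquote(_JS_ESC.sub(_js_unescape, html.unescape(text)))
        if peeled == text:
            break
        text = peeled
    return text


def strip_separators(text):
    """Remove separator tricks so a split token such as "ap" + "proved" rejoins before matching."""
    text = "".join(ch for ch in text                              # zero-width / default-ignorable
                   if unicodedata.category(ch) != "Cf" and not 0xFE00 <= ord(ch) <= 0xFE0F)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)             # JS/C-style block comments
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)            # HTML comment nodes
    text = re.sub(r"(?<=['\"`\s])//[^\n]*\n", "\n", text)         # line comment between joins
    text = text.replace("\\\n", "")                               # backslash-newline continuation
    return re.sub(rf"(?<={TOKEN})['\"`]\s*(?:\+\s*)?['\"`](?={TOKEN})", "", text)


def normalize_source(text):
    return strip_separators(decode_layers(text))


def _segments(name):
    """Segment-aware key view: 'incomplete' is one word, 'completion_evidence' is two."""
    return {s for s in re.split(r"[^A-Za-z0-9]+", name.lower()) if s}


def _bare(value):
    return value.strip("'\"`").strip().lower()


def scan_source(source):
    """Return (key, value, reason) findings that would fail the crawl until bound as NOT_AUTH evidence."""
    findings = []
    for m in _KV.finditer(normalize_source(source)):
        key, val = m.group("key"), m.group("val")
        segs = _segments(key)
        if segs & SAFETY_TOKENS:
            continue                                              # explicit safety metadata is exempt
        items = re.split(r"\s*,\s*", val[1:-1].strip()) if val.startswith("[") else [val]
        if segs & POSITIVE_TOKENS and any(_bare(i) in SHORTCUTS for i in items):
            findings.append((key, val, "positive-shaped key with true/1 shortcut"))
        elif segs & STATUS_TOKENS and any(_bare(i) in CLEAN_POSITIVE_VALUES | SHORTCUTS for i in items):
            findings.append((key, val, "status-like key with clean positive value"))
    return findings


# Constructed page source for the demo, not a real DBaD or DecencyMeter page.
SAMPLE_SOURCE = r"""<!-- constructed sample -->
<script>
var page = {"ok": tr\u0075e, result: %22pa%2573sed%22,
            "api_success": '1',
            "safety_metadata_ok": true,
            "app" /* split key */ + "roved": "tr" + "ue",
            health: ["pending", 1],
            "incomplete": true};
</script>
<div data-status=&quot;clean state&quot;></div>
"""

if __name__ == "__main__":
    for key, val, reason in scan_source(SAMPLE_SOURCE):
        print(f"{reason}: {key} = {val}")
```

The sample deliberately mixes the tricks the archive entries close one at a time: a JavaScript escape inside `true`, a double-percent-encoded quoted value, a block comment plus string concatenation splitting the key `approved`, a numeric-one in a later array position, and an HTML-entity-quoted attribute. After normalization the scanner reports six findings and stays silent on `safety_metadata_ok` and on `incomplete`, which is the segment-aware behaviour the DBAD-PUB-894 and DBAD-PUB-901 notes describe.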

What changed

Short version first. The dated archive below keeps the longer history.

  • Recent extraction hardening adds worst-case extraction and semantic-collapse fuzzing for the Round60 field family. The harness walks the public trace API and trace textareas, then tests raw, normalized, prefix-stripped, first-token, sliding-window, and multi-field joined views for recoverable authorization-shaped terms. It also caught and removed croppable certified-use wording from safe-citation and archival copy-target warnings.
  • Recent field-binding hardening adds the full Round60 field-binding audit. The scanner checks live trace API, rendered trace HTML, all four trace textareas, OpenAPI JSON, API docs HTML, current-state, updates, and DBAD-ETHICS-817 for raw trust-continuation/class field-family regressions, and is wired into both the composite red-team runner and the standard public contract runner.
  • The latest Round62 runway hardening keeps the following aligned with DBAD-PUB-1067, while older closure IDs remain in the archive below: the supplemental reviewer report, prompt-state audit, reviewer-report self-consistency audit, 47-surface peer freshness packet, peer evidence bundle, held review-flow copy, aggregate public-contract sidecars, reviewer-support markdown projections, current artifact-hygiene checks, rendered public baseline body-window marker checks, and red-team component inventory checks; the runtime --list-components CLI full-command parity proof plus structured CLI timeout failure handling, explicit timeout summary-shape guarding, timeout-threshold seconds projection, and active prompt public timeout-threshold disclosure guarding; the active prompt, Round62 synthesis send-state boundary, blocked-fetch prompt-state sidecar summary, projected executable exact prompt-state sidecar status dependency, and blocked-fetch bridge label; public behavior-canary rows for wrong-marker, partial-marker, and tuple-shape cases across aggregate public-contract, peer bundle, and reviewer report JSON; historical audit-family label boundaries for Round60-named field-binding/extraction aggregate public-contract and reviewer-support harnesses; synthesis historical-marker, compact-prompt size, bounded joined-summary, and compact proof-bundle freshness checks; trace index/detail latency hardening for the linked public trace fleet; bounded contract-version header coverage; the lightweight API-doc HTML source canary; the public-surface contract 600-second red-team budget sync; and reviewer-support prepared-through projection plus peer-bundle 600-second prompt-state status guarding.
  • Round60 peer-review digestion remains incorporated. The concrete display-safe payload claim did not reproduce against current live cache-busted probes, but the useful reviewer ideas were queued and closed before this staged Round62 packet.
  • The peer evidence bundle no longer uses stale self-referential manifest hashes. Manifest JSON/markdown paths remain listed, final manifest SHA256 values are printed after serialization, and the manifest itself only contains checksums for stable inputs such as the prompt and freshness artifacts.
  • The peer packet distribution checksum/manifest guard was used for the reviewed Round60 packet and now applies to the Round62 / 2026-06-05 / DBAD-PUB-1067 packet, including the 47-surface freshness core with `/break-dbad` and `/break-dbad/report`. audit_dbad_peer_freshness_packet.py fails stale prompt metadata or appended response markers, and build_dbad_peer_evidence_bundle.py writes checksum-bound manifest JSON/markdown for the selected prompt, freshness artifacts, aggregate public-contract artifact, and generated public-contract sidecars, and, once operator send is later reopened, a JSON-only prompt-state sidecar summary.
  • DBAD-PUB-955 expands the trace DOM/copy crop attacker harness. The focused copy-payload audit now checks all four canonical trace textareas, trace page source, API docs HTML, and OpenAPI JSON for raw Round59 trust-continuation/class field patterns, while still rejecting raw non-safety true values in ordinary display-safe copy payloads.
  • DBAD-PUB-954 adds a compact peer evidence bundle for reviewers whose tools cannot fetch live URLs reliably. The bundle is supplemental only; peers still need live cache-busted fetches for a fixed/not-fixed verdict.
  • DBAD-PUB-953 digests Round59 peer reviews and closes the accepted trust-continuation/class field-binding defect. The canonical trace API and projection paths now bind requires_trust_continuation_token_for_authorization, adjacent fresh-check/revalidation requirement fields, and trust_authorization_class as typed non-authorization evidence values instead of raw true or not_authorized. The focused status-field scanner covers those exact keys, and the public API docs/OpenAPI schema describe the bound values.
  • DBAD-PUB-952 closes the Round59 self-peer metadata drift found after DBAD-PUB-951. The Round59 prompt, executable peer freshness audit, public proof pages, API docs, owner queue, and recovery docs agreed at that point that the packet declared Round59 / 2026-06-04 / DBAD-PUB-952, and Round59 explicitly asked peers to challenge prompt metadata and handoff-state consistency before treating the packet as fresh.
  • DBAD-PUB-951 closes stale peer-prompt state drift after Round59 staging. Current recovery, owner, task, public, and handoff surfaces now say Round57 and Round58 have been sent, Round59 became the compact clean packet at that point, response-appended Round57/Round58 files are archive/synthesis-only, and the aggregate public contract runner now includes audit_dbad_peer_prompt_state_consistency.py so present-tense Round58-as-current wording fails locally.
  • DBAD-PUB-950 accepts the Round58 trace-copy crop finding and hardens ordinary canonical trace copy payloads. The #trace-copy-json and #trace-validation-copy-json textareas now copy display-safe JSON with non-safety true booleans projected as NOT_AUTH::not_authorization_boolean_evidence_for_...; literal false values and explicit safety metadata booleans remain contract metadata; GET /api/v1/dbad/traces/<trace_id> remains machine JSON; signed safe citations and archival projections are labeled as machine/verifier artifacts, not display-safe trace JSON. The aggregate public contract runner now includes audit_dbad_trace_copy_payload_display_safety.py, and Round59 became the clean compact peer packet at that point after Round58 prompt-size/tool friction.
  • DBAD-PUB-948 bound Round58 prompt metadata into the executable peer freshness artifact at that point in the review chain. That Round58 metadata lock was later superseded by the Round59 / DBAD-PUB-952 lock and is now superseded by the Round60 / DBAD-PUB-957 lock.
  • DBAD-PUB-947 recorded that Round57 had been sent to peers and staged Round58 as the then-current clean prompt-only packet. Round59 now supersedes that packet; the Round57 clean packet remains the already-sent artifact and response-appended prompt files remain archive/synthesis-only.
  • DBAD-PUB-946 isolates the Round57 clean send packet from prior peer responses. The original file with appended responses remains archived for synthesis, the current send packet is prompt-only, and the executable peer freshness audit now fails any prompt path that contains appended response markers.
  • DBAD-PUB-945 makes the structured sidecar manifest summary-required. Manifest rows now require process evidence, structured sidecar validity, and embedded summary status; manifest failures add explicit failure-list entries, the OpenAPI host canonical sidecar now exposes schema dbad_openapi_host_canonical_audit/v1, and exact inventory counts remain in the JSON artifact.
  • DBAD-PUB-944 adds a top-level structured sidecar manifest. The aggregate public-contract artifact now lists each required sidecar by label and component key, records sidecar paths, process/artifact/component status, summary status, and sidecar inventory metadata in JSON.
  • DBAD-PUB-943 separates process success from structured sidecar validity. The sidecar-bearing aggregate components now expose distinct process, artifact, and combined component evidence fields in JSON; the console result exposes matching process/artifact categories for OpenAPI host canonical, peer freshness, and contract-version coverage checks.
  • DBAD-PUB-942 makes aggregate sidecar validity explicit. The aggregate public-contract artifact now includes top-level failure accounting and per-sidecar artifact-validity evidence for OpenAPI host canonical, peer freshness, and contract-version coverage components, so a reviewer does not have to infer sidecar validity from the overall runner status.
  • DBAD-PUB-941 embeds the OpenAPI host canonical sidecar summary in the aggregate public-contract artifact. The standard public contract runner now writes the OpenAPI host canonical JSON sidecar, includes its path in the console result, summarizes canonical/ethics/compatibility host status, path count, contract-version header, schema coverage, and positive-shape observation counts, and fails if the structured sidecar is missing or invalid.
  • DBAD-PUB-940 embeds the peer freshness packet sidecar summary in the aggregate public-contract artifact. The standard public contract runner now writes peer freshness JSON and markdown sidecars, includes their paths in the console result, and fails if the structured peer freshness sidecar is missing or invalid.
  • DBAD-PUB-939 embeds the DBaD contract-version coverage sidecar summary in the aggregate public-contract artifact. The standard public contract runner now writes a full contract-version coverage sidecar JSON, includes its path in the console result, and fails if the sidecar is missing or invalid.
  • DBAD-PUB-938 adds distinct URL accounting to the DBaD contract-version audit artifact. The standard public contract runner now reports both contract-relevant request rows and distinct contract-relevant URLs, while preserving the legacy contract_relevant_urls field as an explicit compatibility alias for request-row count.
  • DBAD-PUB-937 adds parameterized OpenAPI path accounting to the DBaD contract-version audit artifact. The standard public contract runner now records covered representative substitutions, intentionally excluded operational/private parameterized GET families, and missing representative public GET paths; any missing representative parameterized public GET path fails locally instead of disappearing from the crawl.
  • DBAD-PUB-936 adds representative parameterized OpenAPI path coverage to DBaD contract-version audits. The standard public contract runner now materializes public trace API and DBaD whitepaper citation/markdown examples from OpenAPI path templates across canonical/alias hosts, so parameterized no-store/fresh routes cannot hide outside the broad header sweep.
  • DBAD-PUB-935 adds OpenAPI contract-version schema coverage. audit_dbad_openapi_host_canonical.py now fails if DecencyMeter/ethics OpenAPI JSON responses lose X-DBaD-Contract-Version: round57_composite_bound or if any documented Cache-Control / X-DBaD-Cache-Status response-header block omits the matching contract-version header schema example.
  • DBAD-PUB-933 adds redirect and alias-host coverage to DBaD contract-version audits. The standard public contract runner now includes www.decencymeter.com and checks first-hop redirect responses, so a no-store/fresh redirect cannot satisfy freshness without X-DBaD-Contract-Version: round57_composite_bound.
  • DBAD-PUB-932 adds method coverage to DBaD contract-version audits. The standard public contract runner now checks both GET and HEAD requests for sitemap/OpenAPI-discovered DBaD/DecencyMeter routes and fails if any no-store or fresh response loses X-DBaD-Contract-Version: round57_composite_bound.
  • DBAD-PUB-931 broadens DBaD contract-version coverage. Any discovered DBaD/DecencyMeter public response that presents itself as no-store or fresh evidence now emits X-DBaD-Contract-Version: round57_composite_bound, and the standard public contract runner fails if sitemap/OpenAPI-discovered no-store or fresh routes lose that marker.
  • DBAD-PUB-930 adds a DBaD contract-version header. Current DBaD proof/review responses now emit X-DBaD-Contract-Version: round57_composite_bound, and the Round57 peer freshness audit fails if no-store proof surfaces lose that current contract marker.
  • DBAD-PUB-926 closes percent-encoded default-ignorable source-token gaps. Public HTML/API-doc and JavaScript source audits now remove percent-encoded UTF-8 spellings of default-ignorable Unicode characters between ASCII token characters before positive-shape matching, including repeated percent-encoding layers.
  • DBAD-PUB-925 closes default-ignorable HTML entity source-token gaps. Public HTML/API-doc source audits now remove named and numeric HTML entity spellings of default-ignorable Unicode characters between ASCII token characters before positive-shape matching, including combinations with HTML comment separators.
  • DBAD-PUB-924 closes expanded default-ignorable source-token gaps. Public HTML/API-doc and JavaScript source audits now remove additional default-ignorable Unicode characters such as soft hyphen, Arabic letter mark, Mongolian vowel separator, and variation selectors between token characters.
  • DBAD-PUB-923 closes HTML-comment source-token gaps. Public HTML/API-doc source audits now remove HTML comment nodes between ASCII token characters before positive-shape matching.
  • DBAD-PUB-922 closes invisible-format source-token gaps. Public HTML/API-doc and JavaScript source audits now remove zero-width and format-control characters between ASCII token characters before positive-shape matching.
  • DBAD-PUB-921 closes line-continuation source-token gaps. Public HTML/API-doc and JavaScript source audits now remove JavaScript backslash-newline continuations between ASCII token characters before positive-shape matching.
  • DBAD-PUB-920 closes line-comment concatenation source-token gaps. Public HTML/API-doc and JavaScript source audits now remove line-comment-separated quote/backtick joins between ASCII token characters before positive-shape matching.
  • DBAD-PUB-919 closes explicit concatenation source-token gaps. Public HTML/API-doc and JavaScript source audits now remove quote/backtick-plus-quote/backtick joins between ASCII token characters before matching split keys and clean positive/status-like values.
  • DBAD-PUB-918 closes empty-fragment source-token gaps. Public HTML/API-doc and JavaScript source audits now remove empty quote/backtick fragments between ASCII token characters before positive-shape matching.
  • DBAD-PUB-917 closes percent-encoded source-token gaps. Public HTML/API-doc and JavaScript source audits now decode percent-encoded ASCII token characters through eight encoding layers inside source keys and clean positive/status-like values.
  • DBAD-PUB-916 closes escaped source-token gaps. Public HTML/API-doc and JavaScript source audits now decode ASCII token-character escapes inside source keys and clean positive/status-like values before positive-shape matching.
  • DBAD-PUB-915 closes block-comment source separator gaps. Public HTML/API-doc and JavaScript source audits now strip JavaScript/C-style block comments before source positive-shape matching.
  • DBAD-PUB-914 closes implied-positive valueless HTML attribute gaps. Public HTML/API-doc source audits now fail attributes such as data-approved, x-valid, or bare approved unless represented as explicit non-authorization evidence.
  • DBAD-PUB-913 closes arbitrary-padded percent-encoded braced-Unicode delimiter gaps. Public HTML/API-doc and JavaScript source audits now normalize encoded \u{...} quote/backtick delimiters with arbitrary leading zero padding through eight encoding layers.
  • DBAD-PUB-912 closes legacy octal-style JavaScript quote delimiter gaps. Public HTML/API-doc and JavaScript source audits now normalize direct and repeated percent-encoded octal quote/backtick delimiters before scanning for croppable positive/status-like source snippets.
  • DBAD-PUB-911 keeps the DBAD-PUB-910 delimiter coverage but moves repeated percent-encoded delimiter variants into a compact pre-scan normalization step. The public HTML/API-doc source audit stays bounded and practical while preserving coverage for repeated encoded quote/backtick, JavaScript escape, and padded HTML entity delimiters through eight layers.
  • DBAD-PUB-910 closes JavaScript braced-Unicode and padded numeric HTML entity delimiter gaps. Public HTML/API-doc source now treats JavaScript \u{...} quote escapes and padded decimal/hex HTML quote entities as quoteable source, including repeated percent-encoded forms through eight layers; public JavaScript source now treats JavaScript \u{...} quote escapes as quoteable source, including repeated percent-encoded forms through eight layers.
  • DBAD-PUB-909 replaces the one-layer-at-a-time encoded delimiter list with generated repeated percent-encoded quote forms through eight encoding layers. Public HTML/API-doc source now treats repeated percent-encoded quote/backtick delimiters, JavaScript escape delimiters, and HTML quote/backtick entity delimiters through eight layers as quoteable source; public JavaScript source now treats repeated percent-encoded quote/backtick and JavaScript escape delimiters through eight layers as quoteable source.
  • DBAD-PUB-908 closes triple-percent-encoded source delimiter gaps. Public HTML/API-doc source now treats triple-percent-encoded quote/backtick delimiters, triple-percent-encoded JavaScript escape delimiters, and triple-percent-encoded HTML quote/backtick entity delimiters as quoteable source; public JavaScript source now treats triple-percent-encoded quote/backtick delimiters and triple-percent-encoded JavaScript escape delimiters as quoteable source.
  • DBAD-PUB-907 closes double-percent-encoded source delimiter gaps. Public HTML/API-doc source now treats double-percent-encoded quote/backtick delimiters, double-percent-encoded JavaScript escape delimiters, and double-percent-encoded HTML quote/backtick entity delimiters as quoteable source; public JavaScript source now treats double-percent-encoded quote/backtick delimiters and double-percent-encoded JavaScript escape delimiters as quoteable source.
  • DBAD-PUB-906 closes percent-encoded source delimiter gaps. Public HTML/API-doc source now treats direct percent-encoded quote/backtick delimiters, percent-encoded JavaScript escape delimiters, and percent-encoded HTML quote/backtick entity delimiters as quoteable source; public JavaScript source now treats direct percent-encoded quote/backtick delimiters and percent-encoded JavaScript escape delimiters as quoteable source.
  • DBAD-PUB-905 closes encoded backtick delimiter gaps. Public HTML/API-doc source now treats JavaScript escaped backticks and HTML backtick entities as quoteable delimiters, and public JavaScript source now treats JavaScript escaped backticks as quoteable delimiters.
  • DBAD-PUB-904 closes template-literal delimiter gaps. Public HTML/API-doc source and public JavaScript source now treat JavaScript template-literal backticks as quoteable delimiters for positive and status-like source snippets.
  • DBAD-PUB-903 closes semicolonless HTML entity delimiter gaps. Public HTML/API-doc source now treats named, decimal, and hex HTML quote entities as quoteable delimiters even when a copied source example omits the trailing semicolon.
  • DBAD-PUB-902 closes alternate encoded source delimiter gaps. Public HTML/API-doc source now treats hex HTML quote entities and JavaScript Unicode/hex quote escapes as quoteable delimiters, and public JavaScript source now treats Unicode/hex quote escapes as quoteable delimiters.
  • DBAD-PUB-901 aligns parsed public JSON and canonical OpenAPI status-string safety metadata behavior. Explicit safety metadata keys are exempt for clean status-like string values and arrays, while ordinary status, health, freshness, liveness, readiness, authority, and permission fields remain guarded.
  • DBAD-PUB-900 closes escaped source-string and unquoted HTML status-string gaps. Public HTML/API-doc source and public JavaScript source now treat JavaScript-escaped quote delimiters as quoteable source, public HTML catches unquoted status-like scalar strings, and the DecencyMeter homepage fallback no longer emits a clean health status shortcut.
  • DBAD-PUB-899 closes the scalar HTML apostrophe-entity delimiter gap. Public HTML/API-doc source now treats escaped apostrophe entities as quote delimiters for scalar positive-key, status-like, and attribute checks.
  • DBAD-PUB-898 closes the status-like one shortcut gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail scalar and array status-like numeric-one / quoted string-one shortcuts while exempting explicit safety metadata markers.
  • DBAD-PUB-897 closes the scalar status-like bare boolean gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail scalar status-like bare booleans while exempting explicit safety metadata markers.
  • DBAD-PUB-896 closes the quoted string-true shortcut gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail quoted string-true values under bounded positive-shaped keys, with the same segment-aware matcher used by the numeric-one and quoted string-one guards.
  • DBAD-PUB-895 closes the quoted string-one shortcut gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail quoted string-one values under bounded positive-shaped keys, with the same segment-aware matcher used by the numeric-one guard.
  • DBAD-PUB-894 closes the numeric-one shortcut gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail exact numeric-one values under bounded positive-shaped keys, while the key matcher treats segmented names such as completion evidence separately from ordinary words such as incomplete.
  • DBAD-PUB-893 closes the status-array bare-boolean gap. Public JSON, canonical OpenAPI, public HTML/API-doc source, and public JavaScript source now fail status-like arrays when a list item is a bare positive boolean rather than a bound non-authorization value.
  • DBAD-PUB-892 closes the JavaScript-style unquoted status-array source gap. Public HTML/API-doc source and public JavaScript source now fail clean positive list items under status-like arrays when source uses unquoted object-literal keys, including later list positions.
  • DBAD-PUB-891 closes the source-only status-array position gap. Public HTML/API-doc source and public JavaScript source now fail clean positive list items under status-like arrays even when the value appears after an earlier neutral list item or uses HTML-escaped single quotes.
  • DBAD-PUB-890 extends public JSON, canonical OpenAPI, HTML-source, and JavaScript-source positive-shape guards to status-like arrays. A status, health, or freshness key with first-list-item values such as approved, ready, or current now fails before peer review unless the values carry the non-authorization boundary.
  • DBAD-PUB-889 extends the canonical OpenAPI positive-shape audit to the same status-like string vocabulary used by the public JSON/HTML/JS guards. DecencyMeter/ethics OpenAPI now fails if status, health, freshness, liveness, readiness, authority, or permission-style fields expose clean values such as ready, fresh, live, or current without a non-authorization boundary.
  • DBAD-PUB-888 extends the runtime public JSON binder and public source audits to health/freshness/liveness/readiness-style keys. Exact values such as ready, fresh, live, and current now fail under those status-like keys, and HTML source now also rejects status-like attributes carrying clean positive values.
  • DBAD-PUB-887 extends the public HTML and JavaScript source positive-shape guards to match the DBAD-PUB-886 live JSON vocabulary. Served source now fails if quoted status/result/class-like fields expose exact values such as healthy, clean, or clean state, and public JS source now also catches quoted positive object keys such as a quoted ok key with a bare true value.
  • DBAD-PUB-886 extends the live public JSON status-like guard beyond exact values such as ok and passed to exact clean status values such as healthy, clean, and clean state. The pass caught public ethics calculator UI state values and OAuth hygiene timer health status on both canonical hosts; those now bind as NOT_AUTH::not_authorization_... evidence with local machine/display/authority/human-readable companions.
  • DBAD-PUB-885 adds scoped OpenAPI positive-text scanning for DBaD/DecencyMeter review metadata. Public OpenAPI summaries, descriptions, titles, and messages for DBaD proof, DecencyMeter advisory, survey, metrics, wall, and matching examples now fail if positive words such as allowed, approved, or certified appear without a same-field non-authorization/evidence boundary.
  • DBAD-PUB-884 removes bare positive required-field names from canonical DBaD/DecencyMeter OpenAPI. Root ok remains documented as non-authorization evidence where those public API families still emit it, but canonical schemas no longer require a bare ok field name, and audit_dbad_openapi_host_canonical.py fails if any required array exposes exact positive tokens such as ok, approved, or success.
  • DBAD-PUB-883 binds public JSON status/result/class-like clean positive strings. audit_dbad_public_json_positive_shape.py now fails if sitemap/OpenAPI-discovered public JSON routes on DecencyMeter or ethics hosts expose fields such as status, state, class, result, or outcome with clean positive values such as ok or passed. Live ethics status, calculator, and DecencyMeter aggregate stats payloads now bind those values as NOT_AUTH::not_authorization_... evidence with local machine/display/authority/human-readable companions.
  • DBAD-PUB-875 through DBAD-PUB-879, plus DBAD-PUB-882, added a public HTML/source positive-shape crawl. audit_dbad_public_html_source_positive_shape.py discovers DecencyMeter and ethics HTML pages from the sitemaps, explicitly includes public API-doc HTML routes, and fails if served source contains quoteable legacy success snippets such as raw validation-success examples, root transport-success examples, redirect-success examples, component-example root-success examples, exact quoted JSON success keys, prefixed quoted JSON keys ending in success-shaped terms, unquoted inline assignment/object-property forms for positive-shaped keys, or quoted status/result/class-style JSON fields carrying clean positive strings. This pass also replaced shared copy-helper local variables that used a success-shaped name in page source.
  • DBAD-PUB-880 and DBAD-PUB-881 added a public JavaScript source positive-shape crawl. audit_dbad_public_js_source_positive_shape.py discovers sitemap-listed JavaScript, same-domain script tags from sitemap-listed and core public pages, and the DecencyMeter widget script, then fails on bare positive booleans or clean positive status strings in public JS source.
  • DBAD-PUB-844 expanded the projection guard beyond trace pages into older public explanatory/demo pages. The fuzzer now checks /examples, /v2-2-demo, /decencymeter/demo, /faq, /glossary, /methodology, /whitepaper, /explained, /why-dbad-exists, and /trust-flow for cropable raw proof language such as legacy validation-success snippets, Allowed actions =, raw continuation-machine enum text, and old standalone valid/allowed/approved framing. The cleaned pages now render those concepts as structural evidence, submitted machine inputs, or non-authorization examples; the final live run covered checked=15566 failures=0.
  • DBAD-PUB-845 incorporated the strongest Round56 follow-up ideas. Visible positive checked-rule rows now start with NOT AUTHORIZATION instead of putting the non-authority boundary after the pass-shaped word, and composite proof bundles now sign compact OpenAPI contract samples for both canonical DBaD/DecencyMeter OpenAPI hosts, including response headers and body digests.
  • DBAD-PUB-846 hardened peer freshness at the discovery layer. Ethics and DecencyMeter API-doc discovery JSON now emits the same proof freshness headers as other DBaD evidence routes, and audit_public_api_docs_discovery_schema.py fails if /api/docs/index.json, /api/docs/ethics.json, or /api/docs/ethics?format=json lose X-DBaD-Cache-Status: fresh or the no-store cache contract.
  • DBAD-PUB-847 removed the next discovery-layer crop risk. Ethics and DecencyMeter discovery JSON no longer exposes a bare root success boolean; it binds ok and api_transaction_status as non-authorization evidence while leaving Church discovery JSON compatibility unchanged.
  • DBAD-PUB-849 made the peer freshness proof table executable. audit_dbad_peer_freshness_packet.py now fetches the next peer packet's core public URL set with cache-bust/no-cache headers and records exact URLs, HTTP Date, cache headers, X-DBaD-Cache-Status, optional ETag/Last-Modified, and in-body proof markers before a peer prompt is considered fresh-review ready.
  • DBAD-PUB-850 made that freshness audit prompt-aware. The audit now parses the parked Round57 Core Surfaces To Fetch section and fails if the prompt URL set and executable audit URL set drift apart.
  • DBAD-PUB-851 removed stale DecencyMeter pressure-test trace links. The synthetic pressure-test IDs remain visible as data, but unavailable synthetic traces no longer render broken /dbad/traces/<id> anchors.
  • DBAD-PUB-852 put targeted public internal-link crawling into the standard pre-peer contract runner. run_ethics_public_contract_audit.py now records internal-link process evidence in JSON and fails if the core DBaD proof/navigation surface exposes a broken internal link.
  • DBAD-PUB-855 removed a remaining crop-prone stored-operator sentence from trace detail pages. Passing/no-local-blocker traces now say no local blocker evidence is listed and repeat that certified use still requires a fresh trust-continuation check; reset-boundary trace meta descriptions no longer use pass-shaped validation wording.
  • DBAD-PUB-856 closed a discoverability gap in the ethics sitemap. /sitemap.xml now lists the core proof surfaces peers need from a cold start, including API docs/discovery JSON, OpenAPI JSON, DBAD-ETHICS-817, trace index, canonical broken trace, representative fixtures, Agents of Chaos, DecencyMeter limits/pressure tests, and the composite proof/status-snapshot APIs. The standard public contract runner now includes audit_dbad_sitemap_discoverability.py and records sitemap process evidence in JSON.
  • DBAD-PUB-857 made the same discoverability contract explicit in /robots.txt. The DBaD tenant robots policy now explicitly allows canonical OpenAPI JSON, status snapshot, composite proof bundle, proof-bundle verifier, trace APIs, and validation endpoints, and both robots and sitemap responses emit no-cache freshness headers plus X-DBaD-Cache-Status: fresh. The sitemap discoverability audit now fails if those robots allow lines or freshness headers drift.
  • DBAD-PUB-858 and DBAD-PUB-864 extend that discoverability gate to DecencyMeter itself. https://decencymeter.com/sitemap.xml now lists public DecencyMeter pages and advisory/data API surfaces such as the survey PDF, FAQ, media kit, methodology, papers, demo, scoring anomalies, pressure tests, OpenAPI JSON, API-doc discovery, aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, open-data sample JSON, and widget script. https://decencymeter.com/robots.txt explicitly allows those public API routes, and the standard public contract runner now records DecencyMeter discoverability process evidence in JSON.
  • DBAD-PUB-859 tightened the sitemap audit from "listed" to "listed and live." audit_dbad_sitemap_discoverability.py now cache-busts and fetches every required sitemap URL on both ethics and DecencyMeter profiles, failing if a required proof/advisory surface is listed but returns non-200. The canonical broken trace trc_20260428181140_42396240 is now a durable seeded proof artifact as well, so it cannot fall out of the capped trace store while the sitemap, current-state page, and peer prompt still cite it.
  • DBAD-PUB-860 tightened the robots audit from "allowed" to "allowed and route-live." audit_dbad_sitemap_discoverability.py now cache-busts and probes every required robots-allowed proof/advisory API route. GET-able proof routes must return live content; POST-only proof contracts may return method-contract statuses such as HTTP 405; and the DBaD trace-prefix allow rule is represented by the durable canonical broken trace API URL.
  • DBAD-PUB-861 and DBAD-PUB-864 made representative robots-allowed route samples part of the peer freshness packet itself. audit_dbad_peer_freshness_packet.py now fetches the composite proof-bundle verifier, canonical broken trace API, POST-only validation method-contract route, and DecencyMeter aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, open-data sample JSON, and widget script with cache-bust/no-cache headers, proof markers, and per-surface expected HTTP statuses. GET /api/v1/dbad/validate is expected to return HTTP 405, proving the route exists while preserving its POST-only contract.
  • DBAD-PUB-862 and DBAD-PUB-863 removed root-success crop paths exposed by DecencyMeter advisory JSON. Public DecencyMeter advisory/data JSON routes sampled by Round57 now bind root ok as NOT_AUTH::not_authorization_... evidence with ok_authority_binding=not_authorization_token_bound. The peer freshness packet fails if aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, or open-data sample JSON regress to a bare root success boolean.
  • DBAD-PUB-865 closed the matching OpenAPI example drift. The DecencyMeter/ethics OpenAPI contract now documents those same advisory/data routes with ok=NOT_AUTH::not_authorization_..., ok_authority_binding=not_authorization_token_bound, not_dbad_validation=true, and trust_positive_authorization=false. audit_dbad_openapi_host_canonical.py fails if aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, or open-data sample examples lose those fields.
  • DBAD-PUB-866 closed the same root-success crop path on public uptime endpoints. https://decencymeter.com/healthz and https://ethics.decencymeter.com/healthz now return uptime evidence with no-store proof headers, ok=NOT_AUTH::not_authorization_..., ok_authority_binding=not_authorization_token_bound, not_dbad_validation=true, and trust_positive_authorization=false. The peer freshness packet now fails if either public health endpoint regresses to a bare root success boolean.
  • DBAD-PUB-867 closed the same root-success crop path on representative public DBaD/ethics content and discovery APIs. /api/v1/papers, /api/v1/methodology/summary, /api/v1/ethics/status, /api/v1/search/typeahead, and /break-dbad/insights now bind root ok as NOT_AUTH::not_authorization_... evidence with ok_authority_binding=not_authorization_token_bound, public_api_evidence_only=true, not_dbad_validation=true, and trust_positive_authorization=false on DBaD/DecencyMeter hosts. The peer freshness packet fails if those representative public APIs regress to a bare root success boolean.
  • DBAD-PUB-868 closed the same root-success crop path on legacy DecencyMeter survey/path JSON APIs. https://decencymeter.com/api/stats/paths, https://decencymeter.com/api/survey/prompts, and https://decencymeter.com/api/survey/vignettes now bind root ok as NOT_AUTH::not_authorization_... evidence with ok_authority_binding=not_authorization_token_bound, public_api_evidence_only=true, not_dbad_validation=true, and trust_positive_authorization=false on DBaD/DecencyMeter hosts. The peer freshness packet now checks those legacy routes directly.
  • DBAD-PUB-869 hardened public DecencyMeter write acknowledgments. Successful survey page submissions and thank-you reflection saves now return transport evidence with root ok=NOT_AUTH::not_authorization_..., ok_authority_binding=not_authorization_token_bound, public_api_evidence_only=true, not_dbad_validation=true, and trust_positive_authorization=false on DBaD/DecencyMeter hosts instead of a bare root success boolean.
  • DBAD-PUB-870 hardened the surrounding public DecencyMeter scoring flow. Session start, score finalization, and metrics routes now expose advisory payloads with advisory_only=true, not_dbad_validation=true, trust_positive_authorization=false, and bound root ok evidence where a success marker is present. The peer freshness packet now posts through session/page1/score-finalize/page2 on both public hosts and checks metric routes directly.
  • DBAD-PUB-871 closed the matching OpenAPI drift for that scoring flow. SurveySessionStartResponseExample, SurveySimpleAckExample, SurveyScoreFinalizeResponseExample, MetricsHeatmapExample, MetricsTrendExample, and MetricsBreakdownExample now show root ok=NOT_AUTH::not_authorization_..., ok_authority_binding=not_authorization_token_bound, advisory_only=true, public_api_evidence_only=true, not_dbad_validation=true, and trust_positive_authorization=false; the canonical OpenAPI host audit now fails if those examples or response schemas drift back to generic success JSON.
  • DBAD-PUB-872 closed the remaining component-example crop leak on the canonical DBaD/DecencyMeter OpenAPI hosts. Every component example that formerly exposed a bare root success value from https://decencymeter.com/api/v1/openapi.json or https://ethics.decencymeter.com/api/v1/openapi.json is rewritten to NOT_AUTH::not_authorization_... evidence with root companions, and ApiEnvelope/ApiPagedList bind root ok as string evidence on those hosts. The Church OpenAPI host remains compatibility-only and is not canonical for DBaD/DecencyMeter review.
  • DBAD-PUB-873 tightened the same audit beyond component examples. The canonical DBaD/DecencyMeter OpenAPI hosts now fail if any positive-shaped key such as ok, valid, verified, approved, complete, authorized, allowed, success, passed, permission, trusted, or certified carries a bare true, if any enum exposes a clean positive token such as approved, or if any properties.ok schema is still boolean. The public moderation OpenAPI filter uses a display-safe submitted-input alias instead of the clean approval word.
  • DBAD-PUB-874 added a live public JSON positive-shape crawl. audit_dbad_public_json_positive_shape.py discovers public JSON routes from the DecencyMeter and ethics sitemaps plus static OpenAPI GET paths and fails if any crop-prone positive-shaped key such as ok, valid, approved, success, or certified carries a bare success value. The first run found and closed a root success boolean on /healthz/oauth-hygiene-timer plus nested check/redirect success booleans on /api/v1/ethics/alias-observability; those now bind as non-authorization evidence and the homepage reads neutral redirect_check_status.
  • DBAD-PUB-843 expanded the cross-client projection guard from a few representative traces to the linked public trace fleet. The fuzzer now discovers trace links from /dbad/traces and /dbad-ethics-817, scans up to 80 linked trace pages, and the latest live run covered 71 trace detail pages with checked=14831 failures=0. Trace detail pages now render runtime-validation-overlaid content, compute operator guidance from that overlay, display trace IDs/refs as non-authorization trace-reference evidence labels, and sanitize historical stored guidance phrases that previously contained standalone allowed/approved/valid-shaped words.
  • DBAD-PUB-842 closed the first findings from the stronger cross-client display fuzzer. The canonical trace no longer shows cropable "approved continuation" advisory text, the reset fixture scenario uses reset-boundary evidence wording, and operator form status lines no longer print trace-specific mutation URLs that can carry approval-shaped fixture IDs.
  • DBAD-PUB-841 made the latest trace-detail display cleanup executable. The cross-client projection fuzzer now checks the canonical broken trace and reset-boundary fixture in addition to the requested trace for raw visible boolean rows, raw continuation enum text, reset-boundary raw snippets, and stale pass/allowed trace phrases.
  • DBAD-PUB-840 closed a trace-detail visible-boolean crop gap. The server-rendered validation block and the client-side "Validate this trace" refresh path no longer print raw true/false rows for authority, reset, reliance, coverage, or trust-positive-use metadata; visible rows use non-authorization evidence wording instead.
  • DBAD-PUB-839 closed the next public-surface enum/example hygiene gap. Public docs and fixture proof tables no longer show reset-boundary or continue-after-review machine enum values as clean standalone evidence; they describe those values as submitted machine inputs or reset-boundary evidence, while served API/copy outputs remain value-bound as NOT_AUTH::not_authorization_... evidence.
  • DBAD-PUB-838 closed the next local extraction gap in nested validation summaries. trust_continuity_confidence and escalation_closure_disposition now bind as non-authorization status evidence instead of exposing reset-restoration or escalation-approval words as standalone values; the status audit and cross-client projection fuzzer now check those paths.
  • DBAD-PUB-837 tightened public example hygiene after a local grep pass. Public proof pages and the staged Round56 prompt no longer present legacy raw-positive examples such as validation booleans or root transport success as clean standalone snippets; old shapes are described as formerly raw/non-compliant, and current examples use the NOT_AUTH::not_authorization_... evidence shape.
  • Public-page readability pass: this update page now leads with a concise latest summary, while the full dated archive remains below. The ethics API docs now use contained, horizontally scrollable code blocks instead of page-breaking snippets.
  • DBAD-PUB-836 closed a second local extraction gap in invariant/reset evidence. Public trace API/copy payloads now value-bind status_field_invariant_verified, prose_reliance_not_machine_verified, and zero_trust_reset_state as non-authorization evidence instead of bare true or raw approved. The status, boolean, and cross-client fuzzers now check these paths, and an extra peer-style JSON extractor found zero permission-shaped values across representative trace APIs and the compliance snapshot.
  • DBAD-PUB-835 closed a companion extraction gap in structured reliance evidence. Public trace API/copy payloads and composite proof-bundle samples now value-bind reliance_declaration_mode, reliance_mode, reliance_scope, reliance_contribution_to_outcome, reliance_declaration_complete, reliance_set_integrity, trace_reliance_integrity, and reset-boundary booleans as non-authorization evidence instead of raw complete, machine_bound, or bare true. The status, boolean, and cross-client fuzzers now check these paths.
  • DBAD-PUB-834 closed the next local extraction gap in stored trace state. Public trace API/copy payloads now value-bind stored state fields such as state.effective_state, state.local_state, state_history[].effective_state, and historical_contamination.current_effective_state as NOT_AUTH::not_authorization_status_evidence_for_... instead of raw allow/Allow. The status-field audit and cross-client fuzzers now check these paths.
  • DBAD-PUB-833 closed a crop/extraction gap in validation rule maps. Successful current_validation.checked_rules.* values now project as NOT_AUTH::not_authorization_boolean_evidence_for_... instead of bare true, while failed rules remain false. The status-field compliance audit now checks this explicitly.
  • DBAD-PUB-832 hardened the canonical OpenAPI proof surface. https://decencymeter.com/api/v1/openapi.json, https://ethics.decencymeter.com/api/v1/openapi.json, and the compatibility Church OpenAPI URL now emit Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh. audit_dbad_openapi_host_canonical.py now fails if those freshness headers disappear.
  • DBAD-PUB-830 expanded the standard public contract runner again. run_ethics_public_contract_audit.py now also runs API-doc live-route checks, targeted HTML/static health for the four main DBaD proof pages, and the template accessibility audit, so link, asset, and accessibility regressions fail the same pre-peer gate instead of living as separate manual checks.
  • DBAD-PUB-829 made the OpenAPI host checks part of the standard public contract runner. run_ethics_public_contract_audit.py now executes the API-doc discovery schema audit and the canonical OpenAPI host audit, so a pre-peer public contract pass fails if the docs discovery payload drops openapi_json=https://decencymeter.com/api/v1/openapi.json or drifts back toward the Church OpenAPI URL as canonical.
  • DBAD-PUB-828 made the OpenAPI host correction executable rather than just documented. audit_dbad_openapi_host_canonical.py verifies DecencyMeter and ethics OpenAPI URLs return tenant-correct DBaD/DecencyMeter contracts, the Church URL remains Church-labeled compatibility, and public DBaD pages do not point reviewers to the Church OpenAPI URL as canonical. The public docs JSON discovery payload now exposes openapi_json=https://decencymeter.com/api/v1/openapi.json.
  • DBAD-PUB-827 moved the DBaD/DecencyMeter OpenAPI review surface off the Church FQDN. https://decencymeter.com/api/v1/openapi.json and https://ethics.decencymeter.com/api/v1/openapi.json now serve the API v1 OpenAPI contract, and the Church host remains compatibility-only for Church-specific clients for as long as that scope stays active. DBaD contract-depth audits and docs now point to the DecencyMeter URL by default.
  • DBAD-PUB-826 closed the next API-depth gap: the served OpenAPI contract now carries DBaD-specific non-authorization envelope, trust-continuation, verifier, composite proof-bundle, and mutation schemas/examples. Critical DBaD operations are marked with x-dbad-non-authorization-contract, document DBaD no-store response headers, avoid root ok examples, and are checked by audit_api_v1_dbad_openapi_contract.py. The composite red-team runner now includes this contract-depth audit.
  • API hardening pass: the strict /api/v1 OpenAPI coverage/drift audit is now enrichment-aware and passes with missing_paths=0, missing_operations=0, path_coverage=100.00%, and operation_coverage=100.00%. The enriched OpenAPI contract now documents the DBaD proof/validation/trust-continuation endpoints, public ethics intake/calculator/subscription endpoints, open-data sample, Church public lesson/hymn endpoints, member audio-library endpoints, and the remaining admin report exports.
  • Post-Round 54 local self-audit added explicit evidence companion names to trust-continuation responses. /trust-continuation/check now exposes allowed_evidence and trust_continuation_token_issued_evidence with local authority/display/machine/human-readable companions; /trust-continuation/token/verify now exposes allowed_evidence, token_valid_evidence, and historical_verification_attestation_available_evidence. These fields are still non-authorization evidence; the short-lived trust-continuation token remains the credential.
  • Round 55 response digestion preserved Copilot's useful hardening ideas as executable work rather than treating them as confirmed defects. The composite red-team runner now includes fuzz_dbad_composite_proof_bundle_scope.py for signed-field and unsigned-shadow-field mutation, copied/delayed bundle replay, token-redaction, no-root-ok, and verifier failure echo-suppression checks; it also includes fuzz_dbad_trust_token_integrity.py for fresh token issuance, valid verification, immediate replay as evidence-only behavior, wrong intended use, tampered token, wrong trace context, wrong receipt, and historical-attestation-as-permission rejection.
  • The composite red-team runner now appends compact internal history to /home/dbad/logs/dbad_redteam_history.jsonl, classifies failures by leakage class, and reports an explicitly internal-only regression posture score. That score is operational triage only; it is not DBaD authorization and not public proof of safety.
  • A working Authorization Non-Recoverability report package now exists at /home/dbad/docs/DBaD_Authorization_Non_Recoverability_Report_2026-05-31.md. It now includes the Round60 surface-consistent field-bound proof sketch, reproducible verification appendix, blocked-fetch reviewer report command, and claim-language guard; it frames the current implementation as adversarially tested evidence/authorization separation, not a formal proof and not an ethics/safety claim.
  • Additional local self-audit now covers evidence-code correlation and cross-client projection drift. audit_dbad_evidence_code_correlation.py records repeated/mixed-kind structural evidence-code groups as advisory exposure and fails on public decode hints or approval-shaped meaning near evidence codes. fuzz_dbad_cross_client_projection.py projects trace API JSON and trace-detail HTML into lossy extracted-value/text views and fails if approval-shaped terms appear without the non-authorization boundary.
  • Post-Round 54 local self-audit added audit_dbad_shared_mutation_guards.py and wired it into dbad_redteam_runner.py. The check snapshots the public ethics calculator, runs a DBaD evaluate request, then verifies the calculator's shared weights and dimension_labels were not polluted by status-binding companions.
  • The LLM/crop fuzzer now simulates first-token windows, sliding eight-token crops, and prompt-injection-style stripping of NOT_AUTH::not_authorization_*_evidence_for_ prefixes. That stronger fuzzer found cropable source language in status semantics and validation summaries; the served text now avoids positive-looking terminal phrases and uses Deterministic DBaD checks recorded no blocking violations... wording instead of bare pass-shaped validation summaries.
  • Post-Round 54 local self-audit added GET /api/v1/dbad/composite-proof-bundle, a signed, cache-bustable, no-store public proof bundle for peers whose tools cannot fetch several live endpoints. Current compact proof-bundle hardening keeps that endpoint inside the Round62 20-second freshness protocol by signing compact status, trace, trust, token-verification, and OpenAPI shape samples marked bundle_local_compact_requires_live_refetch with response headers and body digests. Tokens and historical attestations are redacted, POST /api/v1/dbad/composite-proof-bundle/verify verifies the signature while still returning non-authority evidence only, and negative findings against underlying fields still require fresh live endpoint refetches.
  • Trace-detail validation/state/proof blocks now carry a subtle repeated visual crop marker, DBaD EVIDENCE ONLY - NOT AUTHORIZATION, in screen and print CSS. The marker is non-selectable, low contrast enough to preserve readability, and exists only to make cropped screenshots harder to detach from the non-authorization boundary.
  • Pre-Round 53 local trust-path self-audit found that a valid trust-continuation check still returned cropable raw positive response booleans at the root, under data.allowed, and under historical-attestation availability. Check/verify response bodies now omit root ok, bind positive response booleans as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., and keep the trust-continuation token itself as the credential. The focused status-field audit now performs fresh trust-continuation check and token-verify probes.
  • Post-hardening documentation scan found and corrected an outdated API-doc client snippet that still used a raw-true comparison for token verification. The snippet now treats allowed, token_verification_status, and current_validation.is_valid as bound evidence strings and gates certified use on HTTP 200 token verification, empty failure states, intended use, and matching non-authority metadata.
  • Post-hardening display scan found one remaining human-visible trace-detail metadata row, representation_compliant: true, even though API/copy JSON already exposed representation_compliant=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... Trace detail now renders representation_compliant evidence with the display-safe NOT AUTHORIZATION - boolean evidence: structural-evidence-code-v2-... - not permission value, and the fuzz harness fails if the raw row returns.
  • Pre-Round 52 local self-audit found a remaining public API envelope gap outside the read-only proof path: DBaD trace mutation endpoints still returned root ok and raw stored trace fragments on write/error responses. Trace mutation APIs now use the same non-authority envelope contract as public proof APIs: no root ok, value-bound api_transaction_status, mutation_result=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-... on success, mutation_success_authoritative_for_trust_positive_use=false, and runtime-validation-overlaid trace payloads. The status-field audit now probes mutation error and success responses directly.
  • Pre-Round 51 local self-audit found the next likely extraction issue before peer review: public trace JSON still exposed raw positive validation booleans on validation, nested reliance-summary, and reset-approval paths. Public payload binding now projects those positive booleans as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-... with local *_authority_binding, *_display_safe=false, *_machine_only=true, and *_human_readable=NOT AUTHORIZATION - boolean evidence: structural-evidence-code-v2-... - not permission companions. False blocking booleans remain false so failure checks and rejection semantics stay clear.
  • Round 54 response digestion preserved the useful peer ideas as executable harnesses: fuzz_dbad_boolean_authority_leakage.py checks that sensitive boolean-like fields cannot collapse to raw approval booleans, fuzz_dbad_llm_boolean_simulator.py checks lossy text/summary views for authorization collapse, and dbad_redteam_runner.py runs the composite status, fuzz, boolean, semantic-collapse, and prose-reliance checks in one command.
  • Round 49 response digestion accepted the only live API gap: nested verification outcome fields such as verification_posture.latest_outcome and verification_history[].outcome now use NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-... values and local *_authority_binding=not_authorization_token_bound plus *_human_readable=NOT AUTHORIZATION - status evidence: structural-evidence-code-v2-... - not permission companions. Quoteable representation fields now also carry local companions: representation_class_authority_binding, representation_class_human_readable, representation_compliant_authority_binding, and representation_compliant_human_readable. The served marker is served_hardening_round=round62_field_bound_extraction_resistant_v1, and the fuzz/status audits now check these paths directly.
  • Pre-Round 49 local hardening closed a fresh self-scan gap where trace index/detail rows still rendered Trust inheritance: Current validation passed; fresh trust-continuation check required as a cropable phrase. The visible rows now say Trust inheritance evidence and lead with NOT AUTHORIZATION; API-facing trust_inheritance_result.label values for pass/reset/reliance/non-governing/blocked cases now also start with explicit non-authorization wording. The detail page lower cards now render outcome, completeness, verification history, escalation closure, state history, and selected validation metadata as display-safe evidence values, and operator form option labels say evidence-only/not-authorization while preserving the submitted machine values.
  • Round 48 response digestion closed the remaining cropable trace-index summary/state gaps. The trace index now renders Current runtime validation evidence with the same NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission value used elsewhere, and stored effective-state rows now render as Stored effective-state evidence with display-safe evidence values instead of allow/Allow. Trace detail state-layer rows now render Local/Systemic/Effective state evidence with NOT AUTHORIZATION values, print CSS keeps these labels/values together, and the Round 47 fuzz harness now fails raw runtime/state labels as well as metadata-label regressions.
  • The status-field compliance snapshot now value-binds data.sample_status_fields.validation_outcome_class with NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-... and emits the local display-safety companions, removing the last bare structural_pass sample from the public proof endpoint.
  • Round 47 response digestion found no confirmed live API/status-code defect. The only fresh actionable presentation concern was crop safety around trace metadata rows, so the trace index labels review, expected, outcome, completeness, and closure rows as evidence, marks blind-spot counts as not authorization, and labels review filters as navigation aids. The Round 47 fuzz harness fetches trace detail and trace index HTML and fails if those rows regress to raw Review status:, Expected:, Outcome:, Completeness:, or Closure: labels.
  • Round 46 response digestion closed the remaining reversibility gap in the status evidence code. Status/class/boolean/outcome evidence now uses deterministic hash-based structural-evidence-code-v2-... values rather than base64 or literal semantic suffixes. The verifier can recognize bounded known-code meanings for compliance checks, but field-level extraction, delimiter splitting, and base64 decoding no longer recover clean words such as passed, verified, complete, or true.
  • Round 41 response hardening removed the remaining approval-shaped verifier/envelope shortcuts. DBaD non-authorization endpoints now omit root ok, expose ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., bind verifier classes as NOT_AUTH::not_authorization_class_evidence_for_..., bind verifier true values as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., expose status_value_semantics plus status_prefix_stripping_forbidden=true, and report secondary binding failures as missing_secondary_status_binding=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... A new public snapshot at /api/v1/dbad/status-field-compliance-snapshot gives cold-start reviewers a cache-bustable proof surface for the current status-field invariant.
  • Round 42 response digestion added a focused reproducibility path for peers whose web tools cannot fetch full live payloads: python3 app/scripts/audit_dbad_status_field_compliance.py --base-url https://ethics.decencymeter.com. The script fetches the status-field compliance snapshot with cache-busting, walks the prose-reliance trace API for status-keyed strings, verifies copied safe citation and archival projection artifacts, confirms verifier responses omit root ok and do not echo full payloads, and checks bare-status plus representation-mutation rejection. The public contract now clarifies that status-keyed boolean/class evidence may use typed non-authorization prefixes such as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-... and NOT_AUTH::not_authorization_class_evidence_for_..., but never bare approval-shaped strings.
  • Round 44 response digestion accepted the cache-layer concern as a concrete hardening item. DBaD API routes under /api/v1/dbad/ now force Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh. The status-field compliance audit now verifies those headers on DBaD API responses, in addition to the no-root-ok and status-value binding checks. API docs also warn client frameworks not to synthesize a root ok or authorization boolean from HTTP 200 or object-hydration helpers.
  • The Round 41 artifact pass also binds quoteable representation evidence: safe citations now expose representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-... and representation_compliant=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., while archival projections expose representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-.... The public proof text continues to list machine-only markers such as human_readable_bundle_fingerprint_machine_only and transaction status examples including evaluation_payload_delivered_not_authorization, validation_payload_delivered_not_authorization, safe_citation_verification_delivered_not_authorization, and historical_attestation_verification_delivered_not_authorization.
  • The public entry pages were refreshed after the Round 34 value-bound hardening pass: Why DBaD exists now points readers to the current baseline, update notes, API docs, point-in-time evidence boundary, fresh trust-continuation requirement, and DecencyMeter advisory-only separation; DBaD Explained was also layout-hardened for desktop and mobile.
  • Validation receipts now expose operator_env_version, operator_env_state_hash, operator_env_id, operator_env_scope, operator_env_authority_level, and trace_validation_version.
  • Structured reliance now exposes depends_on_reliance_trace_refs, reliance_validation_versions, and reliance_snapshot_hash.
  • Prose-only reliance now exposes display-safe current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission, validation_class=advisory_only_prose, reliance_contribution_to_outcome=NOT_AUTH::not_authorization_outcome_evidence_for_..., and the semantic status name passed_no_valid_reliance_applied is available only through value-bound, machine-only evidence fields. The trace headline says NOT AUTHORIZATION - Structural Validation Evidence (No Machine Reliance Applied). The exposed raw status fields and comparison token fields are all value-bound, for example current_validation_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_outcome_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., current_validation_status_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., and validation_outcome_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...; token fields also carry token-specific authority binding, machine-only, and non-display-safe companions.
  • Validation JSON now exposes raw_status_fields_display_safe=false, raw_status_fields_machine_only=true, current_validation_status_machine_only=true, validation_status_class_machine_only=true, validation_outcome_class_machine_only=true, current_validation_status_value_authority_binding=not_authorization_value_bound, validation_status_class_value_authority_binding=not_authorization_value_bound, validation_outcome_class_value_authority_binding=not_authorization_value_bound, token companions such as current_validation_status_token_authority_binding=not_authorization_token_bound, current_validation_status_token_display_safe=false, current_validation_status_token_machine_only=true, validation_status_class_token_authority_binding=not_authorization_token_bound, validation_status_class_token_display_safe=false, validation_status_class_token_machine_only=true, validation_outcome_class_token_authority_binding=not_authorization_token_bound, validation_outcome_class_token_display_safe=false, validation_outcome_class_token_machine_only=true, group fields token_fields_display_safe=false, token_fields_machine_only=true, displaying_token_fields_is_non_compliant=true, displaying_raw_status_fields_is_non_compliant=true, preferred_display_fields, trust_positive_authorization=false, trust_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_..., approval_inference_forbidden=true, authorization_status_hard=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., non_authorization_core_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., headline_authority_binding=non_authorization_must_precede_outcome, display-safe validation_outcome_class_human_readable=NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission, minimum_safe_fields, required_bundled_fields, bundled_semantic_fields, bundling_hash, bundling_scope=full_validation_semantics_v2, human_readable_bundle_fingerprint_safe_display, served_hardening_round=round62_field_bound_extraction_resistant_v1, status_field_invariant_verified=NOT_AUTH::not_authorization_boolean_evidence_for_..., status_human_readable_truncation_forbidden=true, explicit operator environment identity/scope/authority fields, provenance_class, safe_citation_v1_accepted=false, and requires_trust_continuation_token_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_... so clients do not treat legacy raw validation booleans, raw status fields, token fields, or passed* status strings as permission.
  • Trust-continuation checks require reliance_snapshot_hash when structured reliance dependencies exist.
  • Token verification can fail with transitive_reliance_epoch_mismatch or trace_referenced_no_longer_available.
  • Successful token verification now exposes valid_from_utc and valid_until_utc, and emits an optional signed historical_verification_attestation for audit/reporting only, with a signed NOT AUTHORIZATION - HISTORICAL EVIDENCE ONLY header, attestation_class=historical_non_authoritative, authorization_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., and verification_result=historically_valid_non_authoritative.
  • Trace detail pages include Copy safe citation, a compact signed JSON artifact that bundles canonical query-free trace URL, status value semantics, the current hardening round, timestamp, freshness window, receipt ID, validation epoch, trace_validation_version, operator environment identity/scope/authority/state hash, provenance_class, validation summary, violations/advisories, non-authority fields, safe display fields, and the fresh-token requirement. The verify endpoint checks tamper evidence but still returns accepted_as_authorization=false; submitted partial projections missing required fields return verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant, altered semantic, temporal, receipt, rule-version, operator-environment, provenance, violation, advisory context, missing value binding, or missing token binding returns verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., and current-trace v2-to-v1 downgrades return illegal_version_downgrade_detected. Copy archival projection remains compact archive metadata only; the semantic verifier class is archival_projection_recognized, but the served value is bound as non-authorization class evidence. It verifies with HTTP 422, no root ok, verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., error=archival_projection_not_safe_citation, and archival_projection_accepted_as_safe_citation=false; missing or reordered archival headlines return a bound context_mismatch_non_compliant verifier class.
  • Safe-citation verification now separates signature validity from compliance: a signed artifact missing required bundled fields can still report safe_citation_signature_valid=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., but it omits root ok, returns verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant, and returns signature_and_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_valid_signature_non_compliant_never_authoritative.
  • Round 27 response cleanup now binds the first visible trace-page signal to non-authorization: trace pages lead with NOT AUTHORIZATION, render headline_authority_binding=non_authorization_must_precede_outcome, display operator environment identity/scope/authority plus provenance_class in the first-screen authority banner, current bundle fingerprints begin with NOT_AUTH::, and current v2 required_bundled_fields binds headline_authority_binding plus provenance_class.
  • Trace API responses now add root-level non-authority fields and omit root ok: api_transaction_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., api_transport_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., api_delivery_outcome=NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-..., ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., ok_meaning=transport_only_not_authorization, ok_authoritative_for_trust_positive_use=false, api_envelope_ok_authoritative_for_trust_positive_use=false, trust_positive_authorization=false, and unsafe_if_ok_used_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-....
  • Pre-Round 29 hardening originally added non-authority envelope fields; Round 41 supersedes the transport shortcut by removing root ok from DBaD non-authorization endpoints. POST /api/v1/dbad/evaluate, POST /api/v1/dbad/validate, POST /api/v1/dbad/safe-citation/verify, and POST /api/v1/dbad/historical-verification-attestation/verify now repeat bound transaction statuses, api_transport_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., ok_meaning=transport_only_not_authorization, ok_authoritative_for_trust_positive_use=false, api_envelope_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., accepted_as_authorization=false, and unsafe_if_ok_used_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... Trace detail titles and social descriptions still start with NOT AUTHORIZATION so link previews cannot quote a pass-shaped status without the boundary.
  • Round 32 response hardening closes the remaining visible fingerprint crop path. Trace Validation now exposes current_validation_status_human_readable, validation_status_class_human_readable, validation_outcome_class_human_readable, and human_readable_bundle_fingerprint_safe_display; the raw human_readable_bundle_fingerprint remains in machine/copy artifacts for verification, but the visible trace page renders only the safe display projection so pass-shaped fragments cannot be cropped out of a long fingerprint line without adjacent NOT AUTHORIZATION wording.
  • Round 35 response hardening closes the comparison-token re-exposure path: extracting only current_validation_status_token, validation_status_class_token, and validation_outcome_class_token still requires adjacent token-specific fields such as *_token_authority_binding=not_authorization_token_bound, *_token_display_safe=false, and *_token_machine_only=true. Safe-citation and archival-projection verifiers reject missing or altered token authority/display-safety binding as context_mismatch_non_compliant.
  • Round 37 compatibility closure removes the remaining v1 safe-citation acceptance window. full_validation_semantics_v1 is no longer accepted as a complete safe-citation scope; only full_validation_semantics_v2 can verify as NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-.... This is intentionally breaking because there are no active external API consumers.
  • The Agents of Chaos comparison package now maps DBaD controls to the paper's observed agent failure families: non-owner compliance, destructive tool use, resource exhaustion, identity spoofing, cross-agent propagation, and false completion reports.
  • Trace-detail navigation now defensively and recursively redirects same-host absolute URLs accidentally placed under /dbad/traces/ back to their canonical route, so malformed paths like /dbad/traces/https://ethics.decencymeter.com/agents-of-chaos-comparison open the comparison page instead of a dead trace URL.
  • Round 40 response hardening collapses the old companion-only path: every derived *status* string value, including explicit token fields, must now start with NOT_AUTH:: or NOT AUTHORIZATION and must still carry *_machine_only=true, *_display_safe=false, *_authority_binding=not_authorization_token_bound, and *_human_readable=NOT AUTHORIZATION - status evidence: structural-evidence-code-v2-... - not permission; trace/validation JSON and submitted artifacts expose secondary_status_fields_bound=true, secondary_status_binding_policy, and global_status_field_invariant=Every status field must be value-bound and companion-bound; no bare approval-shaped status token may appear.; verifiers reject submitted artifacts that drop value binding or companions with missing_secondary_status_binding=true; API docs include a status field compliance linter for external renderers.
  • Verifier responses for legacy v1 safe citations now include v1_citation_rejection_reason.rejection_code=legacy_bundle_version_rejected, rejection_policy_date=2026-05-29, and a policy URL to make the closure explicit for stored v1 artifacts.
  • The DecencyMeter public home page empty-wall card now reads as an intentional reviewed-content empty state instead of placeholder copy, and the wall link uses the site button treatment rather than a browser-default blue link.
  • Round 31 response hardening makes the Trace Validation metadata rows crop-safe too: visible current_validation_status, validation_status_class, and validation_outcome_class rows now render values such as NOT AUTHORIZATION - validation class evidence: structural-evidence-code-v2-... - not permission / NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission. Print/PDF output also appends [NOT AUTHORIZATION - structural evidence only] to those metadata rows. The visible validation summary line begins NOT AUTHORIZATION - Validation result:, each visible rule result renders pass - not authorization or fail - not authorization, and archival projections add labeled status values so alternative YAML/XML-style serialization cannot preserve only a clean pass-shaped value without a companion non-authorization value.
  • Public API discovery now exposes predictable JSON aliases at /api/docs/ethics.json and /api/docs/church.json, matching the existing ?format=json discovery payloads; the ethics robots policy explicitly allows /api/docs/ethics.json.
  • The DBaD public-surface update contract is now explicit and audited: DBaD ethics logic/API/code changes must account for /updates, /current-state, /api/docs/ethics, and /dbad-ethics-817, plus running log, recovery file, task queue, and prompt/synthesis updates. The standard public contract audit bundle now also runs API-doc discovery, OpenAPI host, sitemap discoverability, API-doc live-route, HTML/static health, internal-link, template copy-payload, and template accessibility checks.
  • The latest pre-peer sweep passed public contract, stale-language consistency, prose-reliance contract, API docs live-route, internal-link, HTML/static health, security-header, template accessibility, canonical-link, API docs discovery schema, host-scoping, and desktop/mobile screenshot-smoke checks.
  • API docs now include a historical-attestation quoteability example that distinguishes a valid non-authoritative citation from the invalid claim "DBaD approved this trace."
  • Prose-only reliance now leads with an advisory runtime state and stays non-machine-verified.
  • Copied/API JSON for prose-only reliance now uses display-safe current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission in addition to the raw machine-only status token.
  • Successful reset-boundary and structured-reliance paths now use display-safe pass states such as NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission and NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission, so copied dependency summaries no longer need bare generic pass wording.
  • A repeatable prose-reliance contract audit now checks the trace API, trace page, hidden copy JSON payloads, and docs pages for the no-valid-reliance-applied contract.
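The Round 40 invariant and the Round 41/42 audit behaviour above describe a status-field compliance check that an external renderer can run on any DBaD-style envelope: status-keyed string values must be value-bound, must carry their companions, and the envelope must omit a root-level ok. The following is an added example written for these notes, not the project's own linter or the audit script named above. Its key-naming heuristic, its companion-suffix exemptions, and the two sample envelopes are constructed assumptions, and the structural-evidence code is a placeholder for the value the page elides.

```python
"""Status-field compliance linter for a DBaD-style JSON envelope (added example)."""
from __future__ import annotations

from typing import Any

NON_AUTH_PREFIXES = ("NOT_AUTH::", "NOT AUTHORIZATION")
# Keys treated as status-keyed (assumption: simplified from the field names on the page).
STATUS_NAMES = {"status", "outcome", "token"}
STATUS_SUFFIXES = ("_status", "_status_class", "_outcome_class", "_outcome", "_token")
# Companion and metadata suffixes that are never themselves status values (assumption).
COMPANION_SUFFIXES = ("_human_readable", "_machine_only", "_display_safe",
                      "_authority_binding", "_value_semantics", "_binding_policy")
ACCEPTED_BINDINGS = {"not_authorization_token_bound", "not_authorization_value_bound"}


def is_status_key(key: str) -> bool:
    if key.endswith(COMPANION_SUFFIXES):
        return False
    return key in STATUS_NAMES or key.endswith(STATUS_SUFFIXES)


def companion_findings(obj: dict[str, Any], key: str) -> list[str]:
    """Check the sibling companions that must accompany status-keyed field `key`."""
    out: list[str] = []
    if obj.get(f"{key}_machine_only") is not True:
        out.append(f"{key}: missing {key}_machine_only=true")
    if obj.get(f"{key}_display_safe") is not False:
        out.append(f"{key}: missing {key}_display_safe=false")
    # Raw fields bind as *_value_authority_binding, token fields as *_authority_binding.
    binding = obj.get(f"{key}_authority_binding", obj.get(f"{key}_value_authority_binding"))
    if binding not in ACCEPTED_BINDINGS:
        out.append(f"{key}: missing or unrecognised authority-binding companion")
    readable = obj.get(f"{key}_human_readable")
    if not (isinstance(readable, str) and readable.startswith("NOT AUTHORIZATION")):
        out.append(f"{key}: {key}_human_readable must lead with NOT AUTHORIZATION")
    return out


def lint_status_fields(payload: Any, path: str = "$") -> list[str]:
    """Walk a parsed JSON document and return every invariant violation, with its path."""
    findings: list[str] = []
    if isinstance(payload, dict):
        if path == "$" and "ok" in payload:
            findings.append("$.ok: root-level ok must be omitted from non-authorization envelopes")
        for key, value in payload.items():
            child = f"{path}.{key}"
            if is_status_key(key):
                if isinstance(value, bool):
                    findings.append(f"{child}: bare boolean under a status-keyed field")
                elif isinstance(value, str):
                    if not value.startswith(NON_AUTH_PREFIXES):
                        findings.append(f"{child}: status value is not value-bound: {value!r}")
                    findings.extend(f"{path}.{msg}" for msg in companion_findings(payload, key))
            findings.extend(lint_status_fields(value, child))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            findings.extend(lint_status_fields(item, f"{path}[{index}]"))
    return findings


CODE = "structural-evidence-code-v2-PLACEHOLDER"  # constructed stand-in for the elided code
HUMAN = f"NOT AUTHORIZATION - status evidence: {CODE} - not permission"

# Constructed compliant envelope: bound values with all four companions, no root ok.
COMPLIANT_ENVELOPE: dict[str, Any] = {
    "api_transaction_status": f"NOT_AUTH::not_authorization_status_evidence_for_{CODE}",
    "api_transaction_status_machine_only": True,
    "api_transaction_status_display_safe": False,
    "api_transaction_status_authority_binding": "not_authorization_token_bound",
    "api_transaction_status_human_readable": HUMAN,
    "accepted_as_authorization": False,
    "verification_history": [{
        "outcome": f"NOT_AUTH::not_authorization_outcome_evidence_for_{CODE}",
        "outcome_machine_only": True,
        "outcome_display_safe": False,
        "outcome_authority_binding": "not_authorization_token_bound",
        "outcome_human_readable": HUMAN,
    }],
}

# Constructed non-compliant envelope: root ok, a bare pass string, a bare boolean outcome.
NON_COMPLIANT_ENVELOPE: dict[str, Any] = {
    "ok": True,
    "current_validation_status": "passed",
    "verification_history": [{"outcome": True}],
}

if __name__ == "__main__":
    print("compliant:", lint_status_fields(COMPLIANT_ENVELOPE))
    for finding in lint_status_fields(NON_COMPLIANT_ENVELOPE):
        print("non-compliant:", finding)
```

The walk is recursive so nested history entries such as verification_history[].outcome are checked with the same rule as root fields; a renderer that hydrates only part of a payload can pass the fragment it received and still get path-qualified findings.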

Outstanding questions

  • Signed historical verification attestations are implemented only as non-authoritative audit artifacts; they return accepted_as_authorization=false and are rejected as trust-positive authorization.
  • Persistent DB-backed token revocation and public introspection remain deferred until certified integrations or longer-lived tokens justify the operational plane.
  • Signed first-use resource-continuity attestations and verifier quorum are still decision gates, not implemented guarantees.

Next peer-review focus

  • After trace-index/detail trust-inheritance and lower-card hardening, can any cropped screenshot still preserve a pass-shaped result while dropping NOT AUTHORIZATION, evidence-only wording, or operator-environment provenance?
  • Known-issue cleanup target for the next peer pass: challenge any remaining cross-environment, verifier-response, copied-artifact, API-envelope, lower-card, operator-control, or public-discoverability shape that could make archive, citation, attestation, or validation artifacts look like trust-positive authorization.
  • Does the new archival_minimal_non_authoritative projection class make compact archives useful without weakening complete safe citations?
  • Do reviewers find any remaining compatibility path that still permits a downgraded or partial artifact to verify as complete?
  • Are historical attestations clearly useful as audit evidence without becoming static trust permission, even under partial extraction?
  • Are token and reliance epoch failure states diagnostic enough for clients?
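The questions above about partial or downgraded artifacts verifying as complete, together with the Round 37 and Round 41 safe-citation notes earlier on this page, describe a verifier that keeps signature validity separate from compliance and never emits an approval-shaped root field. The following toy verifier is an added example, not the project's code. It assumes an HMAC-SHA256 signature over canonical JSON (the page does not state the signature scheme), a constructed subset of required bundled fields, a constructed invalid-signature class, and a constructed sample artifact; the response classes and the legacy rejection code it emits are the ones quoted on this page, and the policy URL the page mentions is omitted.

```python
"""Toy safe-citation verifier separating signature validity from compliance (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Any

CODE = "structural-evidence-code-v2-PLACEHOLDER"  # constructed stand-in for the elided code
CLASS_PREFIX = "NOT_AUTH::not_authorization_class_evidence_for_"
BOOL_PREFIX = "NOT_AUTH::not_authorization_boolean_evidence_for_"
# Assumption: a subset of the bundled fields a complete v2 safe citation must carry.
REQUIRED_BUNDLED_FIELDS = ("trace_url", "receipt_id", "validation_epoch", "bundling_scope",
                           "headline_authority_binding", "provenance_class")


def canonical(payload: dict[str, Any]) -> bytes:
    """Deterministic serialization so both sides sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_citation(payload: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Attach an HMAC tag (assumed scheme); used here only to build sample artifacts."""
    signed = dict(payload)
    signed["signature"] = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return signed


def verify_safe_citation(artifact: dict[str, Any], key: bytes) -> dict[str, Any]:
    body = {k: v for k, v in artifact.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    signature_valid = hmac.compare_digest(expected, str(artifact.get("signature", "")))
    # Whatever follows, a verifier response is evidence, never permission, and has no root ok.
    response: dict[str, Any] = {"accepted_as_authorization": False}

    if not signature_valid:
        # Assumption: the page does not quote the class for a bad signature.
        response["verifier_response_class"] = CLASS_PREFIX + "signature_invalid_non_compliant"
        return response
    response["safe_citation_signature_valid"] = BOOL_PREFIX + CODE

    if body.get("bundling_scope") == "full_validation_semantics_v1":
        # v1 scope is no longer a complete safe citation; the class used here is an assumption.
        response["verifier_response_class"] = CLASS_PREFIX + "partial_non_compliant"
        response["v1_citation_rejection_reason"] = {
            "rejection_code": "legacy_bundle_version_rejected",
            "rejection_policy_date": "2026-05-29",
        }
        return response

    missing = [f for f in REQUIRED_BUNDLED_FIELDS if f not in body]
    if missing or body.get("bundling_scope") != "full_validation_semantics_v2":
        # Valid signature over an incomplete bundle: tamper-free, but still non-compliant.
        response["verifier_response_class"] = CLASS_PREFIX + "partial_non_compliant"
        response["signature_and_authorization_class"] = (
            CLASS_PREFIX + "valid_signature_non_compliant_never_authoritative")
        response["missing_required_bundled_fields"] = missing  # assumption: field name
        return response

    response["verifier_response_class"] = CLASS_PREFIX + CODE
    return response


# Constructed complete v2 artifact; every value is a placeholder, not a real trace.
COMPLETE_CITATION: dict[str, Any] = {
    "trace_url": "https://example.invalid/dbad/traces/PLACEHOLDER",
    "receipt_id": "receipt-PLACEHOLDER",
    "validation_epoch": 1,
    "bundling_scope": "full_validation_semantics_v2",
    "headline_authority_binding": "non_authorization_must_precede_outcome",
    "provenance_class": "PLACEHOLDER",
}
DEMO_KEY = b"constructed-demo-key"  # constructed; a real verifier keeps its key server-side


def demo_cases() -> dict[str, dict[str, Any]]:
    """Complete, partial, tampered and legacy-v1 artifacts, each run through the verifier."""
    complete = sign_citation(COMPLETE_CITATION, DEMO_KEY)
    partial = sign_citation(
        {k: v for k, v in COMPLETE_CITATION.items() if k != "provenance_class"}, DEMO_KEY)
    tampered = {**complete, "receipt_id": "receipt-ALTERED"}
    legacy = sign_citation(
        {**COMPLETE_CITATION, "bundling_scope": "full_validation_semantics_v1"}, DEMO_KEY)
    return {name: verify_safe_citation(art, DEMO_KEY) for name, art in
            (("complete", complete), ("partial", partial),
             ("tampered", tampered), ("legacy_v1", legacy))}


if __name__ == "__main__":
    for name, resp in demo_cases().items():
        print(name, json.dumps(resp, indent=2))
```

The point of the ordering is that the partial case reports a valid signature and a non-compliant class in the same response: a client that keys acceptance off the signature alone, or off the absence of an error, would treat an incomplete bundle as complete, which is the compatibility path the review questions ask about.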

Recent Public Updates

  • 2026-06-03: DBAD-PUB-933 DBaD contract-version redirect and alias-host coverage: audit_dbad_contract_version_header_coverage.py now includes www.decencymeter.com and records no-follow first-hop redirect rows, so no-store/fresh redirects must carry the same current contract-version marker as final responses.
  • 2026-06-03: DBAD-PUB-932 DBaD contract-version method coverage: audit_dbad_contract_version_header_coverage.py now checks both GET and HEAD requests for sitemap/OpenAPI-discovered public routes, so curl -I / HEAD freshness checks must carry the same current contract-version marker as body-fetching GET checks.
  • 2026-06-03: DBAD-PUB-931 DBaD contract-version coverage audit: sitemap/OpenAPI-discovered public responses on DBaD/DecencyMeter hosts that emit no-store or X-DBaD-Cache-Status: fresh must also emit X-DBaD-Contract-Version: round57_composite_bound; audit_dbad_contract_version_header_coverage.py is now part of the standard public contract runner.
  • 2026-06-03: DBAD-PUB-930 DBaD contract-version header: current DBaD proof/review responses now emit X-DBaD-Contract-Version: round57_composite_bound, and audit_dbad_peer_freshness_packet.py fails if no-store proof surfaces lose that header.
  • 2026-06-03: DBAD-PUB-926 percent-encoded default-ignorable source-token splice guard: public HTML/API-doc and JavaScript source audits now remove percent-encoded UTF-8 spellings of default-ignorable Unicode characters between ASCII token characters before positive-shape matching, including repeated percent-encoding layers.
  • 2026-06-03: DBAD-PUB-925 default-ignorable HTML entity source-token splice guard: public HTML/API-doc source audits now remove named and numeric HTML entity spellings of default-ignorable Unicode characters between ASCII token characters before positive-shape matching, including combinations with HTML comment separators.
  • 2026-06-03: DBAD-PUB-924 expanded default-ignorable source-token splice guard: public HTML/API-doc and JavaScript source audits now remove additional default-ignorable Unicode characters between ASCII token characters before positive-shape matching, including soft hyphen, Arabic letter mark, Mongolian vowel separator, and variation-selector forms.
  • 2026-06-03: DBAD-PUB-923 HTML-comment source-token splice guard: public HTML/API-doc source audits now remove HTML comment nodes between ASCII token characters before positive-shape matching, catching comment-spliced source-token variants without changing JavaScript source semantics.
  • 2026-06-03: DBAD-PUB-922 invisible-format source-token splice guard: public HTML/API-doc and JavaScript source audits now remove zero-width and format-control characters between ASCII token characters before positive-shape matching, catching visually collapsed source-token variants without reconstructing arbitrary expressions.
  • 2026-06-03: DBAD-PUB-921 line-continuation source-token splice guard: public HTML/API-doc and JavaScript source audits now remove JavaScript backslash-newline continuations between ASCII token characters before positive-shape matching, catching another bounded split-token variant without reconstructing arbitrary expressions.
  • 2026-06-03: DBAD-PUB-920 line-comment concat source-token splice guard: public HTML/API-doc and JavaScript source audits now remove line-comment-separated quote/backtick joins between ASCII token characters before positive-shape matching, catching another bounded source-token concatenation variant without folding arbitrary expressions.
  • 2026-06-03: DBAD-PUB-919 explicit concat source-token splice guard: public HTML/API-doc and JavaScript source audits now remove quote/backtick-plus-quote/backtick joins between ASCII token characters before positive-shape matching, catching concatenated source keys and clean positive/status-like values without folding arbitrary expressions.
  • 2026-06-03: DBAD-PUB-918 empty-fragment source-token splice guard: public HTML/API-doc and JavaScript source audits now remove empty quote/backtick fragments between ASCII token characters before positive-shape matching, catching split source keys and clean positive/status-like values without collapsing explicit concatenation expressions.
  • 2026-06-03: DBAD-PUB-917 percent-encoded source-token guard: public HTML/API-doc and JavaScript source audits now decode percent-encoded ASCII token characters through eight encoding layers inside source keys and clean positive/status-like values, while leaving encoded delimiter punctuation to the existing delimiter guards.
  • 2026-06-03: DBAD-PUB-916 escaped source-token guard: public HTML/API-doc and JavaScript source audits now decode ASCII token-character escapes inside source keys and clean positive/status-like values before positive-shape matching, covering JavaScript Unicode/hex forms and HTML numeric entity forms where applicable without changing delimiter semantics.
  • 2026-06-03: DBAD-PUB-915 source block-comment separator guard: public HTML/API-doc and JavaScript source audits now strip JavaScript/C-style block comments before source positive-shape matching, catching separator-obfuscated status-like or positive-key snippets without changing the non-authorization safety metadata exemptions.
  • 2026-06-03: DBAD-PUB-914 valueless positive HTML attribute guard: public HTML/API-doc source audits now parse tags and fail implied-positive valueless attributes such as data-approved, x-valid, or bare approved while avoiding quoted prose false positives.
  • 2026-06-03: DBAD-PUB-913 arbitrary-padded braced-Unicode delimiter guard: public HTML/API-doc and JavaScript source audits now catch percent-encoded JavaScript \u{...} quote/backtick delimiters with arbitrary leading zero padding through eight encoding layers.
  • 2026-06-03: DBAD-PUB-912 legacy octal quote delimiter guard: public HTML/API-doc and JavaScript source audits now catch legacy octal-style JavaScript quote/backtick delimiters, including repeated percent-encoded forms through eight layers, before source snippets can preserve a clean positive/status-like value.
  • 2026-06-03: DBAD-PUB-911 source-audit performance guard: public HTML/API-doc and JavaScript source audits now normalize repeated percent-encoded delimiter variants before compact source-pattern matching, preserving DBAD-PUB-910 coverage while keeping the HTML crawl practical for the public contract runner.
  • 2026-06-03: DBAD-PUB-910 braced-Unicode and padded-entity delimiter guard: public HTML/API-doc source audits now catch JavaScript braced-Unicode quote escapes and padded decimal/hex HTML quote entities, including repeated percent-encoded forms through eight layers; public JavaScript source audits now catch JavaScript braced-Unicode quote escapes, including repeated percent-encoded forms through eight layers.
  • 2026-06-03: DBAD-PUB-909 repeated percent-encoded delimiter guard: public HTML/API-doc source audits now generate repeated percent-encoded quote/backtick, JavaScript escape, and HTML quote/backtick entity delimiter variants through eight encoding layers; public JavaScript source audits now generate repeated percent-encoded quote/backtick and JavaScript escape delimiter variants through eight encoding layers.
  • 2026-06-03: DBAD-PUB-908 triple-percent-encoded delimiter guard: public HTML/API-doc source audits now catch triple-percent-encoded quote/backtick, JavaScript escape, and HTML quote/backtick entity delimiter variants; public JavaScript source audits now catch triple-percent-encoded quote/backtick and JavaScript escape delimiter variants.
  • 2026-06-03: DBAD-PUB-907 double-percent-encoded delimiter guard: public HTML/API-doc source audits now catch double-percent-encoded quote/backtick, JavaScript escape, and HTML quote/backtick entity delimiter variants; public JavaScript source audits now catch double-percent-encoded quote/backtick and JavaScript escape delimiter variants.
  • 2026-06-03: DBAD-PUB-906 percent-encoded delimiter guard: public HTML/API-doc source audits now catch direct percent-encoded quote/backtick, percent-encoded JavaScript escape, and percent-encoded HTML quote/backtick entity delimiter variants; public JavaScript source audits now catch direct percent-encoded quote/backtick and percent-encoded JavaScript escape delimiter variants.
  • 2026-06-03: DBAD-PUB-905 encoded backtick delimiter guard: public HTML/API-doc source audits now catch JavaScript escaped backtick and HTML backtick-entity delimiter variants, and public JavaScript source audits now catch JavaScript escaped backtick delimiter variants.
  • 2026-06-03: DBAD-PUB-904 template-literal delimiter guard: public HTML/API-doc and public JavaScript source audits now catch JavaScript template-literal backtick delimiter variants.
  • 2026-06-03: DBAD-PUB-903 semicolonless HTML entity delimiter guard: public HTML/API-doc source audits now catch named, decimal, and hex HTML quote-entity delimiter variants even without trailing semicolons.
  • 2026-06-03: DBAD-PUB-902 alternate encoded source delimiter guard: public HTML/API-doc and public JavaScript source audits now catch hex HTML quote-entity and JavaScript Unicode/hex quote-escape delimiter variants.
  • 2026-06-03: DBAD-PUB-901 parsed status-string safety metadata guard: public JSON and canonical OpenAPI scans now exempt explicit safety metadata keys for clean status-like string values and arrays while keeping ordinary status/health/readiness-style fields guarded.
  • 2026-06-02: DBAD-PUB-900 escaped source-string and unquoted HTML status-string guard: public HTML/API-doc and public JavaScript source audits now catch JavaScript-escaped quote delimiters, and public HTML source now catches unquoted status-like scalar strings. The DecencyMeter homepage fallback now uses non-authorization status evidence instead of a clean health status shortcut.
  • 2026-06-02: DBAD-PUB-899 scalar HTML escaped-apostrophe source guard: public HTML/API-doc source now treats escaped apostrophe entities as quote delimiters for scalar positive-key, status-like, and attribute checks.
  • 2026-06-02: DBAD-PUB-898 status-like one shortcut guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject scalar and array status-like numeric-one / quoted string-one shortcuts while exempting explicit safety metadata markers.
  • 2026-06-02: DBAD-PUB-897 scalar status-like bare boolean guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject scalar status-like bare booleans while exempting explicit safety metadata markers.
  • 2026-06-02: DBAD-PUB-896 quoted string-true shortcut guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject quoted string-true shortcut values under bounded positive-shaped keys.
  • 2026-06-02: DBAD-PUB-895 quoted string-one shortcut guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject quoted string-one shortcut values under bounded positive-shaped keys.
  • 2026-06-02: DBAD-PUB-894 numeric success shortcut guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject numeric-one shortcut values under bounded positive-shaped keys, with segment-aware matching so ordinary words like incomplete are not false positives.
  • 2026-06-02: DBAD-PUB-893 status-array boolean guard: public JSON, canonical OpenAPI, public HTML/API-doc source, and public JS source now reject bare positive booleans inside status-like arrays.
  • 2026-06-02: DBAD-PUB-892 unquoted status-array source guard: public HTML/API-doc source and public JS source now reject JavaScript-style unquoted status-array keys carrying clean positive list values in any list position.
  • 2026-06-02: DBAD-PUB-891 source status-array position guard: public HTML/API-doc source and public JS source now reject clean positive status-array values in any list position, including second-or-later items and HTML-escaped single-quote examples.
  • 2026-06-02: DBAD-PUB-890 status-like array guard: public JSON, canonical OpenAPI, public HTML source, and public JS source now reject status/health/freshness/liveness/readiness arrays carrying clean positive strings such as ready, fresh, live, current, or approved.
  • 2026-06-02: DBAD-PUB-889 OpenAPI status-like string guard: canonical DecencyMeter/ethics OpenAPI positive-shape scanning now rejects status, health, freshness, liveness, readiness, authority, or permission-style fields carrying clean positive values such as ready, fresh, live, or current.
  • 2026-06-02: DBAD-PUB-888 public health/freshness key guard: public JSON binding and JSON/HTML/JS audits now cover health, freshness, liveness, readiness, and ready-style keys with exact clean values such as ready, fresh, live, or current. HTML source also now fails status-like data/x attributes carrying clean positive values.
  • 2026-06-02: DBAD-PUB-887 public source extended status-string guard: HTML/API-doc source and public JS source now fail exact status-like values such as healthy, clean, or clean state. Public JS source also now fails quoted positive object-key booleans such as a quoted ok key with bare true.
  • 2026-06-02: DBAD-PUB-886 public JSON extended status-string guard: sitemap/OpenAPI-discovered public JSON now fails if status/result/class-like keys expose exact clean values such as healthy, clean, or clean state. Public ethics calculator UI state values and OAuth hygiene timer health status now bind as non-authorization evidence with local companions.
  • 2026-06-02: DBAD-PUB-885 OpenAPI positive-text guard: DBaD/DecencyMeter public OpenAPI summaries/descriptions/examples now fail if scoped review text contains positive words such as allowed, approved, or certified without a same-field non-authorization/evidence boundary.
  • 2026-06-02: DBAD-PUB-884 OpenAPI required-field guard: canonical DecencyMeter/ethics OpenAPI now fails if any schema required array exposes exact positive field names such as ok. Root ok may remain a documented evidence property, but it is not a required authorization-shaped shortcut.
  • 2026-06-02: DBAD-PUB-883 public JSON status-like positive-string guard: sitemap/OpenAPI-discovered public JSON now fails if status/result/class-like keys expose clean positive strings such as ok or passed. Public ethics status, calculator, and DecencyMeter aggregate stats payloads now bind those values as non-authorization evidence with local companions.
  • 2026-06-02: DBAD-PUB-880/881 public JavaScript source positive-shape guard: sitemap-listed JS, same-domain scripts from sitemap-listed and core public pages, and the DecencyMeter widget script are scanned for bare positive booleans and clean positive status strings. The standard pre-peer contract runner fails if those snippets reappear in public JS source.
  • 2026-06-02: DBAD-PUB-875/876/877/878/879 public HTML/source positive-shape guard: sitemap-discovered DecencyMeter and ethics HTML pages plus public API-doc HTML routes are now scanned for raw legacy validation-success, root-success, redirect-success, component-example root-success snippets, exact quoted/HTML-escaped JSON success keys, prefixed quoted JSON keys ending in success-shaped terms, and quoted status/result/class-style JSON fields carrying clean positive strings. The standard pre-peer contract runner fails if those snippets reappear.
  • 2026-06-01: DBAD-PUB-844 explanatory-page projection hardening: older public pages such as /examples, /v2-2-demo, /decencymeter/demo, FAQ, glossary, methodology, whitepaper, explained, why-DBaD-exists, and trust-flow are now part of fuzz_dbad_cross_client_projection.py. Raw visible legacy validation-success snippets, the raw Allowed actions = snippet, and standalone valid/allowed/approved examples now fail the pre-peer guard.
  • 2026-06-01: DBAD-PUB-845 Round56 response hardening: trace-detail checked-rule display now renders NOT AUTHORIZATION - pass - structural validation evidence only for successful rules, and the composite proof bundle signature scope now includes compact OpenAPI contract samples for the ethics and DecencyMeter OpenAPI URLs.
  • 2026-06-01: DBAD-PUB-846 API-doc discovery freshness hardening: ethics and DecencyMeter discovery JSON now returns no-store/no-cache proof headers and X-DBaD-Cache-Status: fresh; the discovery schema audit verifies those headers before another peer prompt is considered ready.
  • 2026-06-01: DBAD-PUB-847 discovery envelope hardening: ethics and DecencyMeter API-doc discovery JSON now value-binds root ok and api_transaction_status as NOT_AUTH::not_authorization_... evidence instead of exposing a bare success boolean.
  • 2026-06-01: DBAD-PUB-849 peer freshness packet audit: audit_dbad_peer_freshness_packet.py turns the next prompt's mandatory freshness table into a local pre-peer check across the core HTML, discovery JSON, OpenAPI, proof-bundle, status snapshot, and trace pages.
  • 2026-06-01: DBAD-PUB-850 prompt/audit URL drift guard: the same freshness audit now parses the parked Round57 URL list and fails if the peer packet and local evidence gate stop matching.
  • 2026-06-01: DBAD-PUB-851 pressure-test link cleanup: unavailable synthetic DecencyMeter pressure-test trace IDs remain visible, but no longer render dead trace-detail links.
  • 2026-06-01: DBAD-PUB-852 public internal-link gate: run_ethics_public_contract_audit.py now includes targeted audit_internal_links.py crawling and records internal-link process evidence in the public contract artifact.
  • 2026-06-01: DBAD-PUB-855 trace-detail crop wording cleanup: the stored-operator section no longer says no blocked action is recorded; it now states no local blocker evidence is listed and repeats the fresh trust-continuation check requirement.
  • 2026-06-01: DBAD-PUB-856 sitemap proof-surface discoverability: the ethics sitemap now includes core proof pages and evidence APIs, and the standard public contract runner fails if those routes disappear from /sitemap.xml.
  • 2026-06-01: DBAD-PUB-857 robots proof-surface allow-list: DBaD /robots.txt now explicitly allows the proof API routes listed in the sitemap and emits freshness headers; the sitemap audit checks both robots and sitemap freshness.
  • 2026-06-01: DBAD-PUB-858 DecencyMeter discoverability: https://decencymeter.com/sitemap.xml and https://decencymeter.com/robots.txt now expose the public advisory pages and API discovery routes, and the standard public contract runner includes DecencyMeter discoverability process evidence.
  • 2026-06-01: DBAD-PUB-859 sitemap liveness hardening: required ethics and DecencyMeter sitemap URLs are now cache-busted and fetched by the discoverability audit, so listed-but-dead proof routes fail the public contract gate.
  • 2026-06-01: DBAD-PUB-861 peer freshness direct route samples: the Round57 freshness audit now includes representative DBaD proof API and DecencyMeter advisory API route samples, including the expected HTTP 405 method-contract response for GET /api/v1/dbad/validate.
  • 2026-06-01: DBAD-PUB-862/863 DecencyMeter advisory JSON root binding: public DecencyMeter aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, and open-data sample JSON now bind root ok as non-authorization evidence instead of bare true, and the peer freshness audit checks that invariant.
  • 2026-06-01: DBAD-PUB-865 DecencyMeter OpenAPI example binding: the DecencyMeter/ethics OpenAPI examples for aggregate stats, wall topics, survey breakdown, legacy survey stats, public wall JSON, and open-data sample JSON now carry the same non-authorization root fields as the live payloads, and the canonical OpenAPI host audit fails if those examples drift.
  • 2026-06-01: DBAD-PUB-866 public health JSON binding: https://decencymeter.com/healthz and https://ethics.decencymeter.com/healthz now expose uptime as non-authorization evidence with no-store proof headers and bound root ok, and the peer freshness packet checks both endpoints.
  • 2026-06-01: DBAD-PUB-867 public DBaD/ethics JSON binding: representative public content/discovery APIs such as papers, methodology summary, ethics status, search typeahead, and Break DBaD insights now expose delivery success as non-authorization evidence with bound root ok; the peer freshness packet checks those routes directly.
  • 2026-06-01: DBAD-PUB-868 legacy DecencyMeter survey/path JSON binding: https://decencymeter.com/api/stats/paths, https://decencymeter.com/api/survey/prompts, and https://decencymeter.com/api/survey/vignettes now expose payload delivery success as non-authorization evidence with bound root ok; the peer freshness packet checks those routes directly.
  • 2026-06-01: DBAD-PUB-869 DecencyMeter write-acknowledgment binding: successful public survey page submissions and thank-you reflection saves now expose transport acknowledgment as non-authorization evidence with bound root ok, not bare authorization-shaped success.
  • 2026-06-01: DBAD-PUB-870 DecencyMeter session/score/metrics advisory binding: public session-start, score-finalize, heatmap, trend, and breakdown JSON responses now carry advisory/non-DBaD-validation/non-authorization fields, and the freshness packet checks them.
  • 2026-06-01: DBAD-PUB-872 global OpenAPI component-example binding: DecencyMeter/ethics OpenAPI component examples can no longer expose bare root success values; the host audit now scans every component example and requires ApiEnvelope/ApiPagedList root ok to be non-authorization string evidence on canonical DBaD/DecencyMeter hosts.
  • 2026-06-01: DBAD-PUB-873/884 full OpenAPI positive-shape scan: canonical DBaD/DecencyMeter OpenAPI now has zero positive-shaped bare boolean values, zero clean positive enum tokens, zero boolean properties.ok schemas, and zero exact positive field names in schema required arrays across the full document.
  • 2026-06-01: DBAD-PUB-874 live public JSON positive-shape crawl: sitemap/OpenAPI-discovered public JSON on DecencyMeter and ethics hosts now has a standard audit for bare positive-shaped fields, including alias observability and OAuth hygiene timer health JSON.
  • 2026-05-31: DBAD-PUB-832 OpenAPI freshness hardening: canonical DBaD/DecencyMeter OpenAPI responses now emit no-store/no-cache proof headers and X-DBaD-Cache-Status: fresh; the canonical OpenAPI host audit fails if those headers regress.
  • 2026-05-31: DBAD-PUB-833 checked-rule evidence binding: successful checked_rules.* values now emit typed non-authorization boolean evidence instead of bare true; the status-field compliance audit fails if this regresses.
  • 2026-05-31: DBAD-PUB-834 stored-state evidence binding: public trace API/copy payloads now bind stored state and effective-state fields such as state.effective_state, state.local_state, and state_history[].effective_state as non-authorization evidence instead of raw allow/Allow; status and cross-client projection fuzzers fail if these fields regress.
  • 2026-05-31: DBAD-PUB-835 structured-reliance evidence binding: reliance declaration mode, contribution, scope, completeness, integrity, and reset-boundary summary fields now bind as non-authorization evidence in trace APIs, trust-continuation responses, token verification, and composite proof-bundle samples.
  • 2026-05-31: Pre-Round 53 local hardening: trust-continuation check/verify response bodies now omit root ok and bind positive response booleans such as allowed and attestation availability as typed non-authorization boolean evidence. The token remains the credential; the JSON boolean is not a standalone authorization artifact.
  • 2026-05-31: DBAD-PUB-830 public contract runner expansion: run_ethics_public_contract_audit.py now includes audit_public_api_docs_live_routes.py, audit_html_health.py, and audit_template_accessibility.py in addition to the existing public contract, render/SEO, copy-payload, API-doc discovery, and OpenAPI host checks.
  • 2026-05-31: DBAD-PUB-829 public contract runner expansion: run_ethics_public_contract_audit.py now includes audit_public_api_docs_discovery_schema.py and audit_dbad_openapi_host_canonical.py. The discovery audit now explicitly fails if the public docs JSON omits the DecencyMeter/ethics OpenAPI URLs or presents the Church OpenAPI URL as canonical for DBaD/DecencyMeter review.
  • 2026-05-31: DBAD-PUB-828 canonical OpenAPI host audit: audit_dbad_openapi_host_canonical.py now fails if the DecencyMeter/ethics OpenAPI routes disappear, if tenant titles/server URLs drift, or if public DBaD pages revert to Church OpenAPI as canonical. The composite runner now executes twelve component checks.
  • 2026-05-31: DBAD-PUB-827 canonical OpenAPI host correction: DBaD/DecencyMeter reviewers should use https://decencymeter.com/api/v1/openapi.json. The same route is also available on https://ethics.decencymeter.com/api/v1/openapi.json; the Church host is compatibility-only, not the canonical DBaD/DecencyMeter API contract.
  • 2026-05-31: DBAD-PUB-826 OpenAPI contract-depth hardening: DBaD critical operations now carry dedicated OpenAPI schemas/examples, no-store response headers, x-dbad-non-authorization-contract markers, and a served audit guard via audit_api_v1_dbad_openapi_contract.py. The composite runner now executes eleven component checks.
  • 2026-05-31: Round 54 response hardening added a composite red-team runner plus boolean authority leakage and LLM-style semantic-collapse fuzzers. Run python3 app/scripts/dbad_redteam_runner.py --base-url https://ethics.decencymeter.com --timeout 20 for the current one-command audit.
  • 2026-05-31: Post-Round 54 proof-bundle hardening added /api/v1/dbad/composite-proof-bundle with a signed timestamped sample of current DBaD response shapes, a non-authorizing /api/v1/dbad/composite-proof-bundle/verify signature verifier, redacted token/attestation material, and subtle trace-detail proof watermarks for screenshot/crop resistance.
  • 2026-05-31: API-doc client snippets were rechecked after the trust-response change; no snippet should compare response evidence such as allowed to raw true for authorization.
  • 2026-05-31: Trace detail display hardening: visible representation_compliant metadata now renders as representation_compliant evidence with the display-safe non-authorization boolean evidence string, not raw true.
  • 2026-05-31: Pre-Round 52 local hardening: DBaD trace mutation endpoints now use non-authority envelopes, omit root ok, bind api_transaction_status and mutation_result, and return runtime-validation-overlaid trace payloads instead of raw stored trace fragments.
  • 2026-05-31: Pre-Round 51 local hardening: formerly raw positive validation booleans on validity, nested reliance summaries, reset approval evidence, and signature/compliance evidence are now value-bound as typed non-authorization boolean evidence with local companions. The status compliance snapshot includes a bound sample_status_fields.is_valid, and the status/fuzz audits fail if these paths regress to bare true.
  • 2026-05-30: Round 49 response hardening: verification_posture.latest_outcome and verification_history[].outcome are now value-bound/companion-bound; representation_class and representation_compliant retain typed non-authorization evidence values and now carry local authority/human-readable companions; the served hardening marker at that closure point was round53_trust_response_evidence_binding_v1; the current Round62 baseline marker is listed in the current-baseline summary above.
  • 2026-05-30: Pre-Round 49 local crop hardening: trust-inheritance rows now render as Trust inheritance evidence with same-line NOT AUTHORIZATION; API-facing trust-inheritance labels are non-authorizing; trace detail lower cards and operator form labels render historical status-like values as evidence-only/not-authorization; and the Round 47 fuzz harness fails if raw Trust inheritance:, raw current-status labels, or bare approved/declared-complete options return.
  • 2026-05-30: Round 46 irreversible evidence-code hardening: status/class/boolean/outcome evidence payloads now use deterministic non-reversible structural-evidence-code-v2-... values; audit scripts reject legacy base64/literal semantic suffixes and continue to verify no-root-ok, no-store headers, payload suppression, and mutation rejection.
  • 2026-05-29: Round 40 all-status value-binding hardening: every status-like string value is self-negating with NOT_AUTH:: or NOT AUTHORIZATION, including explicit token fields and verifier response status fields. Companion fields remain mandatory supplements, not alternatives. The served hardening marker at that closure point was served_hardening_round=round53_trust_response_evidence_binding_v1; the current Round62 marker is listed in the current-baseline summary above.
  • 2026-05-29: Round 37 compatibility closure and Agents of Chaos package: full_validation_semantics_v1 no longer verifies as a complete safe citation, new artifacts remain full_validation_semantics_v2 only, and the new comparison report maps DBaD controls to the Agents of Chaos failure families.
  • 2026-05-29: Round 35 response hardening: exposed raw status fields carry value-level NOT_AUTH:: binding, legacy comparison values remain only in explicit *_token fields, every token field carries *_token_authority_binding=not_authorization_token_bound, *_token_display_safe=false, and *_token_machine_only=true, and verifier checks reject safe-citation/archive artifacts whose raw status or token bindings are missing.
  • 2026-05-26: Round 19 response hardening: prose-only reliance copied/API JSON now reports validation_class=advisory_only_prose, validation artifacts expose trust_positive_authorization=false, historical attestations carry a signed NOT AUTHORIZATION - HISTORICAL EVIDENCE ONLY header, and a prose-reliance contract audit guards the public/API/copy surfaces.
  • 2026-05-27: Round 20 response hardening: safe citations now carry citation_class=safe_non_authoritative, validation metadata exposes trust_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_..., and API docs explicitly reject raw validation_status_class pass tokens as authorization.
  • 2026-05-27: Round 21 queue hardening: safe citations now include a signed safe_citation, stable safe_citation_id, and read-only /api/v1/dbad/safe-citation/verify endpoint that verifies tamper evidence while preserving accepted_as_authorization=false.
  • 2026-05-27: Round 21 response hardening: validation metadata and safe citations now include irreducible non-authorization fields authorization_status_hard=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-... and non_authorization_core_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...; trace pages render those fields next to display-safe validation status labels.
  • 2026-05-27: Round 22 response hardening: validation metadata and safe citations now include minimum_safe_fields, required_bundled_fields, and bundling_hash; the safe-citation verifier reports representation_compliant=false for partial projections that omit required non-authorization fields.
  • 2026-05-27: Round 23 response hardening: bundling_hash now covers full validation semantics including trace_id, current_validation_status, validation_status_class, validation_class, validation_summary, authorization_status_hard, and non_authorization_core_status; altered context now verifies as context_mismatch_non_compliant.
  • 2026-05-27: Round 24 response hardening: bundling_scope=full_validation_semantics_v2 now binds validated_at_utc, validation_fresh_until_utc, validation_receipt_id, validation_epoch, violations, and advisory_notes, and complete artifacts include human_readable_bundle_fingerprint.
  • 2026-05-27: Round 25 response hardening: v2 bundles now also bind trace_validation_version and operator_env_state_hash; verifier rejects current-trace v2-to-v1 projection downgrades with illegal_version_downgrade_detected.
  • 2026-05-27: Round 26 queue hardening: validation metadata added display-safe validation outcome labels and the first explicit v1 signed-citation transition window; that transition window is now superseded by the 2026-05-29 v2-only safe-citation contract. Trace detail pages also added Copy archival projection, which verifies only as archival_minimal_non_authoritative.
  • 2026-05-27: Known issue cleanup: archival projection verification became self-negating at the transport/envelope layer and returned error=archival_projection_not_safe_citation. This historical entry is superseded by the Round 41 contract: current verifier responses omit root ok and bind verifier classes/boolean evidence with NOT_AUTH::not_authorization_*_evidence_for_....
  • 2026-05-27: Round 26 response hardening introduced HTTP 422 archival projection verification and required artifact_header=ARCHIVAL PROJECTION - NOT SAFE CITATION; v2 semantic bundles added operator_env_id, operator_env_scope, and operator_env_authority_level. Current complete safe citations now return verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-....
  • 2026-05-28: Pre-peer public-surface audit: public contract, stale-language, prose-reliance, API-doc route, internal-link, HTML/static, security-header, template-accessibility, canonical-link, API-doc discovery, host-scoping, and desktop/mobile screenshot-smoke checks passed; /api/docs/ethics.json and /api/docs/church.json are now predictable JSON discovery aliases.
  • 2026-05-28: Round 28 response digestion: trace subtitles now start with NOT AUTHORIZATION, archival projections start with sort-stable aaa_not_authorization_headline=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION and duplicate headline_authority_block=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION, verify as context-mismatched if that first sentinel is missing or reordered, and trace API envelopes add root non-authority fields while preserving the standard ok delivery flag.
  • 2026-05-28: Round 29 response hardening: every DBaD non-authorization envelope now states api_transport_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., ok_meaning=transport_only_not_authorization, and unsafe_if_ok_used_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-...; archival projections use aaa_not_authorization_headline so the non-authorization warning remains first under sorted JSON serialization.
  • 2026-05-28: Public-surface update contract hardening: code/API/logic changes now require synchronized updates to /updates, /current-state, /api/docs/ethics, and /dbad-ethics-817; the contract audit is part of the standard pre-peer public contract runner.
  • 2026-05-28: Pre-Round 29 gap closure: trace detail <title> and meta descriptions now begin with NOT AUTHORIZATION, and non-authorization root envelope fields now cover DBaD evaluate, validate, safe-citation verify, and historical-attestation verify endpoints in addition to trace GET.
  • 2026-05-28: Round 32 response hardening: visible Trace Validation no longer renders the raw long human_readable_bundle_fingerprint row; it renders human_readable_bundle_fingerprint_safe_display plus *_human_readable status values, while raw fingerprints remain available in machine/copy artifacts for verification.
  • 2026-05-28: Round 31 response hardening: trace validation summary, checked-rule rows, and visible status metadata rows now carry same-line non-authorization wording; archival projections include labeled status-value fields such as validation_outcome_class_labeled, preventing cropped passed/pass/structural_pass checklists or alternate serialization streams from being quoted as trust-positive permission.
  • 2026-05-28: Round 27 response digestion: trace detail pages now lead with NOT AUTHORIZATION - structural validation evidence only, validation headings use NOT AUTHORIZATION - Structural Validation Evidence / failed wording, first-screen provenance displays operator_env_id, operator_env_scope, operator_env_authority_level, and provenance_class, current v2 semantic bundles bind headline_authority_binding and provenance_class, and API docs now include a verifier response matrix plus the .data.current_validation.metadata API-envelope clarification.
  • 2026-05-26: Round 20 readiness: trace pages now expose Copy safe citation with canonical query-free trace_url, API docs warn against passed* prefix authorization, and historical-attestation quoteability examples distinguish valid non-authoritative citations from invalid approval claims.
  • 2026-05-26: Round 17 response digestion added reliance epoch metadata, operator environment binding, unavailable-trace token failure behavior, and stronger prose-reliance presentation.
  • 2026-05-26: Round 16 work clarified reliance completeness: partial structured reliance fails, governing reliance on non-governing analysis fails, and prose references are advisory only.
  • 2026-05-25 to 2026-05-26: Public fixture coverage expanded for lineage propagation, same-resource orphan handling, zero-trust reset boundaries, non-governing analysis, reset descendants, and rejected reset cases.
  • 2026-05-25: Current-state, trace-consumption, and DecencyMeter boundary pages were hardened so reviewers start from served pages rather than stale prompt history.
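Added illustration (not the project's own audit scripts) of the positive-shape and encoded-delimiter guard families described in the DBAD-PUB-883 through DBAD-PUB-907 entries above: it walks parsed public JSON and delimiter-normalized HTML/JS source for status-like keys carrying clean positive strings or arrays, and positive-shaped keys carrying bare true / numeric 1 / quoted "1" or "true" shortcuts, with segment-aware key matching so a word like incomplete is not a false positive and an exemption for explicit safety-metadata keys. The key lists, the non_authorization/not_authorization exemption markers, the src@offset location format, and the sample payloads are assumptions constructed for this example.

```python
"""Positive-shape and encoded-delimiter guard illustration: an added example,
not the project's own audit scripts.  Key lists, the safety-metadata exemption
rule and the sample payloads are assumptions constructed for this example."""
import re
from typing import Any

STATUS_LIKE = {"status", "health", "freshness", "liveness", "readiness",
               "ready", "result", "class", "authority", "permission"}
POSITIVE_SHAPED = {"ok", "success", "valid", "allowed", "approved", "passed"}
CLEAN_POSITIVE = {"ok", "pass", "passed", "ready", "fresh", "live", "current",
                  "approved", "healthy", "clean", "clean state"}
SAFETY_MARKERS = ("non_authorization", "not_authorization")  # assumed exemption

# Encoded delimiter variants that must still count as quote delimiters.
_ENTITY = re.compile(r"&(?:quot|apos|#0*(?:34|39|96)|#x0*(?:22|27|60));?", re.I)
_JS_ESC = re.compile(r"\\(?:[\"'`]|u00(?:22|27|60)|x(?:22|27|60))", re.I)
_PCT = re.compile(r"%(?:22|27|60)", re.I)
# key: value or key="value" pairs in normalized source; the key may be unquoted.
_PAIR = re.compile(r'"?([A-Za-z_][\w.-]*)"?\s*[:=]\s*(\[[^\]]*\]|"[^"]*"|true|\d+)')

def normalize_delimiters(text: str) -> str:
    """Collapse percent-encoded (single or double), HTML-entity (with or without
    semicolon), JavaScript-escaped and template-literal delimiters to a plain quote."""
    while True:
        decoded = _PCT.sub('"', text.replace("%25", "%"))  # peel one %-layer
        if decoded == text:
            break
        text = decoded
    text = _JS_ESC.sub('"', _ENTITY.sub('"', text))
    return text.replace("'", '"').replace("`", '"')

def key_segments(key: str) -> list[str]:
    """Split snake_case, kebab-case, dotted and camelCase keys into words so
    that 'incomplete' never matches 'complete' and 'okra' never matches 'ok'."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", key)
    return [s for s in re.split(r"[^A-Za-z0-9]+", spaced.lower()) if s]

def is_shortcut(value: Any) -> bool:
    """Bare true, numeric one, or quoted "1"/"true": the shortcut shapes."""
    if isinstance(value, int):  # bool is a subclass of int, so True == 1 here
        return value == 1
    return isinstance(value, str) and value.strip().lower() in {"1", "true"}

def check_pair(key: str, value: Any, loc: str) -> list[str]:
    """Apply the guard rules to one key/value pair and describe each violation."""
    if any(marker in key.lower() for marker in SAFETY_MARKERS):
        return []  # explicit safety metadata is exempt
    segs, findings = key_segments(key), []
    if segs and segs[-1] in POSITIVE_SHAPED and is_shortcut(value):
        findings.append(f"{loc}: positive-shaped key carries shortcut {value!r}")
    if any(s in STATUS_LIKE for s in segs):
        items = value if isinstance(value, list) else [value]
        for i, item in enumerate(items):
            where = f"{loc}[{i}]" if isinstance(value, list) else loc
            if isinstance(item, str) and item.strip().lower() in CLEAN_POSITIVE:
                findings.append(f"{where}: status-like key carries clean positive {item!r}")
            elif is_shortcut(item):
                findings.append(f"{where}: status-like key carries shortcut {item!r}")
    return findings

def scan_json(node: Any, path: str = "$") -> list[str]:
    """Walk a parsed JSON document and collect every positive-shape finding."""
    findings: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += check_pair(key, value, f"{path}.{key}")
            findings += scan_json(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += scan_json(item, f"{path}[{i}]")
    return findings

def _literal(raw: str) -> Any:
    """Turn a matched source token into a string, bool, int or list value."""
    if raw.startswith("["):
        return [_literal(p.strip()) for p in raw[1:-1].split(",") if p.strip()]
    if raw.startswith('"'):
        return raw[1:-1]
    return True if raw == "true" else int(raw) if raw.isdigit() else raw

def scan_source(text: str) -> list[str]:
    """Normalize delimiters, then run the pair rules over raw HTML/JS text."""
    return [f for m in _PAIR.finditer(normalize_delimiters(text))
            for f in check_pair(m.group(1), _literal(m.group(2)), f"src@{m.start()}")]

# Constructed samples: an unbound payload, a bound one, and encoded raw source.
UNSAFE_JSON = {"ok": True, "status": "ready", "health": ["live", "fresh"],
               "data": {"isValid": "1", "incomplete": 1,
                        "result": "NOT_AUTH::not_authorization_status_evidence_for_sample"},
               "non_authorization_status": "current"}
BOUND_JSON = {"ok": "NOT_AUTH::not_authorization_delivery_evidence_for_sample",
              "api_transaction_status": "NOT_AUTH::not_authorization_status_evidence_for_sample",
              "checked_rules": {"rule_a": "NOT_AUTH::not_authorization_boolean_evidence_for_sample"}}
UNSAFE_SOURCE = ('<div data-status=&quot;ready&quot;></div><script>const s = {ok: true, '
                 'readiness: [\\"fresh\\", %2522live%2522], `status`: &#39;ok&#39}</script>')
```

Running scan_json(UNSAFE_JSON) yields five findings (root ok, status, both health items, and data.isValid) while incomplete and the exempt non_authorization_status key pass; scan_source(UNSAFE_SOURCE) yields five findings after the entity, JS-escape, double-percent and backtick variants are normalized.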

How To Use These Notes

  • Start with Current state when checking whether an old peer finding is still live.
  • Use DBAD-ETHICS-817 for public fixture links and expected violation codes.
  • Use API docs for machine-facing contract details.
  • Use Peer review for older AI review history and current report shape.
  • Do not treat these notes as a replacement for live trace or API verification.

Deferred or Parked Scope

Payment, Church-entity incorporation, and 501(c)(3) work are not part of the active ethics-engine peer-review sprint. They remain parked until owner direction changes.

This page focuses on DBaD trace validation, reliance, token-state contracts, public review surfaces, and DecencyMeter separation.