diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 00000000..9191e7d5
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,104 @@
+{
+  "name": "cortex",
+  "description": "Persistent memory for Claude Code — remembers across sessions automatically. Install and forget. Scientific retrieval backed by 41 published papers.",
+  "version": "3.14.13",
+  "author": {
+    "name": "Clement Deust",
+    "email": "admin@ai-architect.tools"
+  },
+  "homepage": "https://github.com/cdeust/Cortex",
+  "repository": "https://github.com/cdeust/Cortex",
+  "license": "MIT",
+  "keywords": [
+    "memory",
+    "persistent",
+    "mcp",
+    "claude-code",
+    "neuroscience",
+    "agents"
+  ],
+  "mcpServers": "./.mcp.json",
+  "postInstall": {
+    "command": "bash ${CLAUDE_PLUGIN_ROOT}/scripts/install-plugin.sh",
+    "message": "Installing Cortex (PostgreSQL + pgvector + Python deps + embedding model) and removing any stale older Cortex installs..."
+  },
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.session_start'",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.auto_recall'",
+            "timeout": 5
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.post_tool_capture'",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.preemptive_context'",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.pipeline_impact_bump'",
+            "timeout": 5
+          }
+        ]
+      }
+    ],
+    "SessionEnd": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.session_lifecycle'",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "Notification": [
+      {
+        "matcher": "compacted",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.compaction_checkpoint'",
+            "timeout": 10
+          }
+        ]
+      }
+    ],
+    "SubagentStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash -c 'PY=$(command -v python3 || command -v python) && ROOT=\"${CLAUDE_PLUGIN_ROOT:-$PWD}\" && \"$PY\" \"$ROOT/scripts/launcher.py\" mcp_server.hooks.agent_briefing'",
+            "timeout": 5
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/.memsearch/.index.pid b/.memsearch/.index.pid
new file mode 100644
index 00000000..9bbdaa5b
--- /dev/null
+++ b/.memsearch/.index.pid
@@ -0,0 +1 @@
+51120
diff --git a/.memsearch/memory/2026-05-27.md b/.memsearch/memory/2026-05-27.md
new file mode 100644
index 00000000..06f15275
--- /dev/null
+++ b/.memsearch/memory/2026-05-27.md
@@ -0,0 +1,60 @@
+
+## Session 15:49
+
+### 15:49
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:5e6f3973-ed05-45c7-97a6-c6868fc30baf transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported being unable to run commands due to network restrictions in Geneva; Claude Code attempted to probe login shell for PyPI credentials but was blocked by a guardrail that classified it as credential exploration.
+
+- Claude Code investigated the actual publishing situation and discovered PyPI publishing was deliberately removed on 2026-04-25 (ADR-0050), with Cortex using marketplace-only distribution; the real gap was that v3.17.1 shipped the security fix code but marketplace.json still advertised version 3.17.0, preventing update prompts.
+
+- Claude Code bumped `.claude-plugin/marketplace.json` (both version fields) and `pyproject.toml` from 3.17.1 to 3.17.2, committed as `e5d2e16`, and pushed to main.
+
+- Claude Code created and pushed tag v3.17.2, manually created a GitHub Release to trigger the marketplace publish workflow immediately, and verified the `publish-ccplugins.yml` run (26515060666) succeeded in 10s—the security fix is now advertised to the marketplace.
+
+- Claude Code restored the removed `build` and `publish-pypi` jobs into `release.yml` as a deprecated channel (reusing the existing OIDC trusted-publisher entry), updated README.md to clarify marketplace as the only supported path, closed PR #48, and committed as `9c9b659`.
+
+- Final state: main at `9c9b659`, marketplace advertises 3.17.2, security fix delivered via supported channel, PyPI reinstated as deprecated for next releases, no PyPI web-UI reconfiguration required.
+
+
+## Session 15:55
+
+### 15:55
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:288bb2e5-c598-46a9-952d-6fc1afb36d65 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested Claude Code to credit the advisory and close it.
+- Claude Code checked advisory GHSA-gvpp-v77h-5w8g state and found EQSTLab already credited+accepted as reporter, advisory published since 2026-05-27T12:12:49Z, CVE ID null.
+- Claude Code clarified that "close" for a published advisory could mean withdraw (destructive) or request CVE (finalization), and asked user for disambiguation.
+- User chose to request CVE while keeping the advisory published.
+- Claude Code issued POST request to `/repos/cdeust/Cortex/security-advisories/GHSA-gvpp-v77h-5w8g/requests_for_cve` (202 Accepted); verified final state shows advisory published, EQSTLab credited, CVE request queued (async assignment pending).
+- Claude Code summarized complete security work: fix merged (5d22091), v3.17.2 shipped, PyPI reinstated as deprecated, sibling repos audited clean.
+
+
+## Session 16:53
+
+### 16:53
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:0fd3111c-7367-4f2e-9622-3d108bc12cc5 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested that Claude Code clean up WIP branches to reduce clutter.
+- Claude Code surveyed all branches and stashes, identified 4 unmerged local branches, checked PR merge status via git diff, and confirmed which were safe to delete.
+- Claude Code deleted two merged branches (`security/ghsa-gvpp-v77h-5w8g` via PR #47, `fix/mcp-remember-recall-schemas` via PR #45) locally and remotely, and pruned stale remote refs.
+- Claude Code characterized the two remaining WIP branches (`wip/layout-authority-sse-streaming` with 1 commit on graph-load streaming, `wip/conversational-theme-recall` with 5 commits on theme-grounded recall) and asked user whether to keep or delete each.
+- User chose to keep `wip/layout-authority-sse-streaming` and delete `wip/conversational-theme-recall`; Claude Code deleted the latter locally and remotely.
+- Claude Code dropped 3 junk stashes tied to now-deleted branches and merged PRs, preserved 2 stashes related to the layout-authority work, and left 2 large orphaned stashes untouched.
+
+
+## Session 17:42
+
+### 17:41
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:172b7c15-5696-4454-b1cf-c41d02d57906 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested that Claude Code rebase the `wip/layout-authority-sse-streaming` branch onto main (122 commits behind) to enable a clean PR without losing the SSE/layout-authority work being modified.
+
+- Claude Code backed up the branch, applied two stashes (streaming refactor + cochrane doc, frontend bits), removed vendored `deps/` junk, squashed to one commit, and rebased onto main, resolving 3 conflicts in `http_standalone.py`, `polling.js`, and `unified-viz.html` by keeping both old and new route logic.
+
+- Verified rebase success: branch now 0 behind main with 2 commits, security fix intact, streaming work wired, all imports OK, 26/26 layout-authority tests pass.
+
+- Launched viz server to measure SSE streaming performance and discovered three bugs: (1) build never reached `baseline_ready` because `__global__` domain node was excluded from batches due to offset captured after `_ensure_domain`, (2) `_observe_pressure()` was O(N×files) summing `pending_symbols` on every emit (86k-edge batch pinned CPU for minutes), (3) native AST parse ran synchronously before streaming started.
+
+- Fixed all three bugs: moved offset capture before `_ensure_domain`, replaced `sum()` with O(1) counter (90k emits now 0.23s), deferred native AST parse in streaming mode; committed as `6283f3e`.
+
+- After fixes, graph completes and shows cleanly (135k–138k nodes, 166k–169k edges), but first-paint is ~100s on the large DB due to synchronous load/ingest of baseline (107k memories, 86k edges, 22k entities) before streaming begins; identified skeleton-first staging as the focused path to sub-second first-paint.
+
+- Branch is PR-ready; Claude Code asked user whether to push PR now or wire skeleton-first staging first.
+
diff --git a/.memsearch/memory/2026-05-28.md b/.memsearch/memory/2026-05-28.md
new file mode 100644
index 00000000..1e546283
--- /dev/null
+++ b/.memsearch/memory/2026-05-28.md
@@ -0,0 +1,148 @@
+
+## Session 09:22
+
+### 09:22
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:806af15b-bfb5-4287-94de-24c6c697ce21 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- Human asked Claude Code to continue implementing skeleton-first staging to achieve sub-second first-paint for the graph visualization.
+- Claude Code identified the root cause: the build progress callback was missing after `builder.build()`, causing the phase message to stick at the last source-loaded update (memory_entity_edges) while the full build ground on 107k memories.
+- Claude Code implemented two-stage graph building by modifying `http_standalone_graph.py` to call `build_workflow_graph()` with stage="skeleton" first (≪1s, domains + setup only), then stage="full" for the complete build; updated `http_standalone_endpoints.py` to expose both stages.
+- Claude Code verified that `appendGraphDelta()` in `unified-viz.html` deduplicates by node/edge ID, allowing safe dual fetches; updated the HTML fallback to render on both `baseline_ready` (skeleton) and `full_ready` (full) events.
+- Claude Code launched the server, measured performance (baseline_ready=True at t=0s with 86 skeleton nodes), captured a headless Chrome screenshot, and verified the skeleton graph renders at first paint (~1s), then the full graph fills in as the build progresses in background (elapsed=92s).
+- Claude Code committed across 5 files (workflow_graph.py, http_standalone.py, http_standalone_endpoints.py, http_standalone_graph.py, unified-viz.html) as commit `c672c05` with message "feat(viz): skeleton-first baseline so /cortex-visualize paints in ~1 s"; branch now 3 commits ahead of main with 0 behind and 26/26 layout tests passing.
+
+
+## Session 09:26
+
+### 09:26
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:fae0470c-c555-4dc8-87d9-466cf62c540b transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User invoked the `/cortex-visualize` skill to launch an interactive neural graph visualization.
+- Claude Code killed the dev server, synced 55 cache roots from the dev branch (commit c672c05), and called `mcp__plugin_cortex_cortex__open_visualization()` to bootstrap the visualization server on port 3458.
+- Claude Code probed the running servers and confirmed the skeleton-first baseline is working: `baseline_ready=True` in ~4 seconds with 86 skeleton nodes (domains + skills + hooks), with the full graph continuing to build in the background.
+- Claude Code took a live screenshot of the plugin visualization server showing the current build state (elapsed=42s on memory_entity_edges phase) and graph cache (86 nodes/170 edges).
+- Claude Code explained the rendering workflow: phase poller triggers build, skeleton renders in ~4s via `/api/graph` fallback, full graph (135k nodes) appends as build completes, with deduplication by node/edge ID.
+- Branch `wip/layout-authority-sse-streaming` is confirmed PR-ready with 3 commits, all 26 layout-authority tests passing, and skeleton-first visualization working as designed.
+
+
+## Session 09:44
+
+### 09:44
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:770fc118-78d6-4981-90fb-e781dbc11834 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- Human pointed out that Claude Code is showing the wrong visualization; the README displays a force-directed neural graph, not the current tilemap view.
+- Claude Code searched the README for image references, identified `cortex-workflow-graph.png`, and discovered that `?viz=force` URL parameter and clicking the Graph tab control the force-directed view selector.
+- Claude Code attempted multiple Chrome DevTools Protocol (CDP) driven screenshots; initial attempts failed because the dev server on port 3458 was no longer running; Claude Code relaunched the server.
+- Claude Code successfully drove headless Chrome to navigate to `http://127.0.0.1:3458/?viz=force`, clicked the Graph button to set `activeView='graph'`, and captured a 674KB screenshot showing the force-directed workflow graph with 86 skeleton nodes and 170 edges.
+- Claude Code verified the skeleton-first staging is working: `baseline_ready=True` within ~1s, full build continues in background with phase-polling at `memory_entity_edges`, and delivered the screenshot to the user with explanation of the complete visualization flow.
+
+
+## Session 09:51
+
+### 09:51
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:8b4dd74e-a591-4755-bb0f-6223b71fca68 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the graph takes "ages to load," contradicting Claude Code's stated "200ms" latency claim.
+- Claude Code identified two root causes: the handler was hardcoding `?viz=tilemap` (Datashader tile renderer, no skeleton-first fixes) instead of `?viz=force` (force-directed view with skeleton-first optimization), and the schema description misleadingly described handler-call latency rather than graph-build time.
+- Claude Code modified `mcp_server/handlers/open_visualization.py` to change the default URL from `?viz=tilemap` to `?viz=force` and clarified the schema description to distinguish between handler warmup (~200ms) and DB-dependent graph build time (skeleton ~1s, full ~1-3 min).
+- Claude Code updated `tests_py/handlers/test_open_visualization.py` to expect `?viz=force` in assertions (5 substitutions: URL checks and test docstring) and fixed a failing test assertion that checked for "tilemap" in the message by updating it to expect "Workflow graph" instead.
+- Claude Code verified all 11 tests pass and committed as `8b2188f fix(viz): default /cortex-visualize to ?viz=force (the README hero view)`.
+- Branch `wip/layout-authority-sse-streaming` is now 4 commits ahead of main with the correct default visualization endpoint.
+
+
+## Session 10:05
+
+### 10:05
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:037a6394-c0dc-40ac-85a9-5fd2f3f45e62 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested a protocol to load graph data in 200ms instead of 45 minutes, emphasizing this was the original ask and previous work was tangential.
+- Claude Code designed and implemented a CXGB binary snapshot protocol: fixed-width node/edge rows with deduplicated string pool (6.88 MB for 135k/166k) serializing in 279ms and deserializing in 310ms.
+- Claude Code created `graph_snapshot.py` with binary format, added `/api/graph.bin` endpoint, integrated snapshot writer into build completion at both skeleton stage (~2s) and full stage, created `graph_snapshot.js` client decoder, and updated HTML to try binary path first with JSON fallback.
+- Initial server launch showed full build took >270s without completing; Claude Code identified snapshot was only written after full merge, modified code to write skeleton snapshot immediately after skeleton merge stage instead.
+- Measured performance on live server: `/api/graph.bin` (binary skeleton) = 0.8–1.7ms vs `/api/graph` (JSON) = 4.3ms, with skeleton snapshot appearing within ~2s (170× under 200ms target); full snapshot projected at ~110ms when background build completes.
+- Claude Code committed across 6 files (graph_snapshot.py, http_standalone.py, http_standalone_endpoints.py, http_standalone_graph.py, unified-viz.html, graph_snapshot.js) in commit `0204da8`; branch now 5 commits ahead of main and PR-ready.
+
+
+## Session 10:50
+
+### 10:50
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:31779590-6f00-40f4-9b2a-cc3ea9c4fdf5 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested live streaming of graph visualization on first page visit instead of blocking until the full build completes, so nodes appear as files are processed.
+- Claude Code created `graph_event_stream.py` for SSE event buffering and replay, wired `on_batch` callback in `http_standalone_graph.py`, added `/api/graph/events` endpoint in `http_standalone_endpoints.py`, and created frontend `graph_event_stream.js` subscriber with EventSource integration in `unified-viz.html`.
+- Claude Code discovered the real bottleneck: `build_workflow_graph` loaded all PostgreSQL sources before emitting any events, causing ~100s latency before first visual update; restructured the function to interleave load+ingest+emit per source instead.
+- Claude Code measured the final result: first SSE batch arrives at t=0.00s with 1,077 structural nodes (skills, hooks, agents, commands, discussions); full graph of 26,267 nodes streams in by t=25s; skeleton binary snapshot loads in 0.8–1.7 ms on subsequent visits.
+- All 37 existing tests pass; Claude Code committed across 2 commits (`d9d8a98` for SSE infrastructure, `972bb9a` for interleaved load+ingest+emit), bringing branch to 7 commits ahead of main and PR-ready.
+
+
+## Session 10:54
+
+### 10:54
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:59b176e7-aaaa-4d0e-b1e5-88d0afd29e3f transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- Human asked where the visualization is, noting they haven't seen any output yet.
+- Claude Code killed lingering dev servers (ports 3458, 60803), verified latest branch state (commit 972bb9a), dropped old skeleton snapshot, and invoked `open_visualization()` which returned `http://127.0.0.1:50408/?viz=tilemap`.
+- Claude Code ran bash commands to verify both servers have latest endpoints; confirmed `/api/graph/events` and `/api/graph.bin` return HTTP 200, and build is actively running with skeleton snapshot (`base=True`, `phase='loading discussion_commands'`).
+- Claude Code identified that the MCP handler is cached from session start and emits old `?viz=tilemap` URL, though the running server code IS the latest (commit 972bb9a) with working live-stream and snapshot paths.
+- Claude Code offered two remedies: Option A—change URL bar from `?viz=tilemap` to `?viz=force`, or Option B—click the Graph tab in the toolbar; also noted restarting Claude Code would pick up new handler default but server-side features are already active.
+
+
+## Session 11:07
+
+### 11:07
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:86b0629e-ac52-4dfe-b8c6-25afd29b1f67 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the graph visualization shows a progress bar but nodes never actualize while streaming.
+- Claude Code traced the root cause: the `_startLiveStream` listener registration was running inline in the HTML `<head>` before `state.js` and `graph_event_stream.js` loaded, so `JUG.on` didn't exist when the code tried to register the event listener.
+- Claude Code fixed the issue by moving the live-stream listener registration to a `<script>` block at the bottom of `unified-viz.html`, after all external scripts load, ensuring `JUG.on` and `GraphEventStream` are defined before the listener registers.
+- Claude Code tested the fix by relaunching the server and running a Chrome DevTools Protocol test that showed console logs confirming each batch arrived and the renderer rebuilt the graph in real-time (`[stream] batch N` and `[cortex] Graph: N nodes, E edges` entries).
+- Claude Code committed the fix to `ui/unified-viz.html` as commit `f21e255` ("fix(viz): register live-stream listener AFTER state.js loads").
+- Claude Code instructed the user to reload their browser to the new HTML version, change the URL from `?viz=tilemap` to `?viz=force`, click the Graph tab, and observe console logs showing streaming nodes being rendered batch by batch.
+
+
+## Session 11:11
+
+### 11:11
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:cf122330-19da-46a2-96dc-179475872428 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User requested that `/cortex:cortex-visualize` command default to `?viz=force` instead of the slow tilemap visualization.
+
+- Claude Code identified that both `open_visualization.py` (handler, cached in plugin) and `visualize_bootstrap.py` (bootstrap, re-parsed from disk on each call) hardcoded `?viz=tilemap` URLs.
+
+- Claude Code read `visualize_bootstrap.py` (lines 225–237) to locate the URL construction logic.
+
+- Claude Code edited `visualize_bootstrap.py` to replace `?viz=tilemap` with `?viz=force` at lines 266, 271, and 290 (the extras=missing branch).
+
+- Claude Code committed the changes to `visualize_bootstrap.py` as commit `90bfa87` with message "fix(viz): bootstrap opens ?viz=force, not the slow tilemap".
+
+- Claude Code explained that the bootstrap fix takes effect immediately on next invocation (fresh code from disk), while the handler fix requires Claude Code restart (cached plugin module), leaving branch `wip/layout-authority-sse-streaming` at 9 commits ahead of main.
+
+
+## Session 11:23
+
+### 11:23
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:0b617ae3-73e9-42d7-ac5f-5bed53da7144 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User invoked the `cortex:cortex-visualize` skill to launch an interactive neural graph visualization for browsing the Cortex memory system.
+
+- Claude Code identified a renderer mismatch: the bootstrap server opened port 3458 with `?viz=force` (correct), but the cached plugin handler opened port 51874 with `?viz=tilemap` (stale); investigated which visualization renderers exist in the codebase (graph.js, workflow_graph.js, workflow_graph_tilemap.js).
+
+- Claude Code discovered the `workflow_graph_bridge.js` (which mounts the D3 force-layout "brain-region clouds" renderer shown in the README) was disabled in unified-viz.html with a stale comment claiming it destroyed+remounted on every SSE event; inspected the bridge code and found it had a 500ms debounce + 5s safety-net specifically to handle SSE batching.
+
+- Claude Code re-enabled the bridge in unified-viz.html by uncommenting the script tag, then tested via Chrome/CDP; the bridge successfully mounted the workflow_graph.js renderer, with console logs confirming `[wfg] rendered 26214 nodes / 32424 edges` at ~2 renders/sec as SSE events batched through.
+
+- Claude Code committed the change as `74e40b5 fix(viz): re-enable workflow_graph_bridge — the README hero renderer`; branch is now 10 commits ahead of main; remaining issues are the cached plugin handler opening a second tab and full graph build time (~1-2 minutes).
+
+
+## Session 11:57
+
+### 11:57
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:d1491f10-f6d8-49fe-941a-d790d49ffe5c transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- Claude Code verified streaming-ingestion implementation on the development database: 107k memories delivered as 114 chunks over 13.5 seconds via server-side PostgreSQL named cursor with `itersize=1000`.
+- Claude Code implemented `pg_store_queries.iter_hot_memories_chunked()` using `conn.transaction()` context manager (required for named cursors in autocommit-default pool) and `itersize` per-batch chunking.
+- Claude Code updated `workflow_graph.py` `_build_interleaved` to iterate `source.iter_memories_chunked()` per-domain instead of blocking on `load_memories()`; each chunk triggers `_emit_delta()` and progress callback.
+- Claude Code fixed `graph_event_stream.format_event` datetime serialization bug by adding `default=_json_default` to `json.dumps()` — memory node dicts contain `last_accessed` and `stage_entered_at` fields that pydantic's `model_dump()` preserves as datetime objects, causing SSE events to fail with `TypeError: Object of type datetime is not JSON serializable`.
+- Claude Code verified browser visualization now shows structural nodes (~25k) growing to ~135k total as memories stream in live; streaming phase shows first chunk at t=33.53s, then 113 additional chunks at ~8 chunks/second.
+- Claude Code reported commit `e426e79` on `wip/layout-authority-sse-streaming` with all 37/37 layout/visualization tests passing.
+
+
+## Session 13:16
+
+### 13:16
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:00204f62-d5a4-4ea8-b9b4-250172fa5033 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User invoked the `/cortex:cortex-visualize` skill to launch the interactive neural graph visualization for Cortex memories and methodology profiles.
+- Claude Code cleared port 3458 with `lsof` and `kill`, then called `mcp__plugin_cortex_cortex__open_visualization()` to bootstrap the visualization server.
+- The launch synced 55 cache roots from the dev source (`/Users/cdeust/Documents/Developments/Cortex`) and prepared the dev server at `http://127.0.0.1:3458/?viz=force` (force-directed graph with SSE streaming and server-side PG cursor).
+- A cached plugin handler concurrently opened a tilemap visualization at `http://127.0.0.1:56545/?viz=tilemap` (static datashader tile), demonstrating a port/handler mismatch due to session-cached handler configuration.
+- Claude Code identified the discrepancy and explained that the working dev server URL (`http://127.0.0.1:3458/?viz=force`) provides skeleton-first staging (~1s first paint), live SSE events in 1000-node chunks, and server-side PG cursor streaming (~13s full load), while the cached tilemap handler renders static tiles and requires a Claude Code restart to pick up the handler change.
+
diff --git a/.memsearch/memory/2026-05-29.md b/.memsearch/memory/2026-05-29.md
new file mode 100644
index 00000000..08da4b9d
--- /dev/null
+++ b/.memsearch/memory/2026-05-29.md
@@ -0,0 +1,270 @@
+
+## Session 09:40
+
+### 09:40
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:01e0bb34-b197-4d91-af18-c345cee0a1fa transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to continue with previous work on the visualization system.
+- Claude Code diagnosed that both dev servers (ports 3458 and 56545) had died and were serving stale/incorrect renderers; port 3458 had hit idle timeout, port 56545 was cached on `?viz=tilemap` instead of `?viz=force`.
+- Claude Code killed existing server processes, restarted fresh, and ran end-to-end diagnostics on the streaming pipeline.
+- Verification confirmed: server on port 3458 responsive, HTML correctly loading `workflow_graph_bridge.js`/`graph_event_stream.js`/`graph_snapshot.js`, SSE stream at `/api/graph/events` emitting batch events, baseline ready in 8 seconds with 86 nodes/170 edges.
+- Claude Code provided the user with `http://127.0.0.1:3458/?viz=force` as the working dev server URL and instructions to refresh if blank and monitor Network tab for streaming events.
+
+### 10:12
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:008edb37-4bf7-4f96-b42e-efe4a53ded83 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to open visualization to check something.
+- Claude Code should invoke the `memory:cortex-visualize` skill to launch the interactive unified neural graph visualization in a browser.
+- The visualization tool would display the 3D methodology map showing the cognitive methodology profile and neural graph structure.
+
+### 10:13
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:008edb37-4bf7-4f96-b42e-efe4a53ded83 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to open the visualization to verify recent changes to the force renderer node cap implementation.
+
+- Claude Code freed port 3458 by killing any existing process, then invoked the `open_visualization` MCP tool, which returned a tilemap visualization URL at `http://127.0.0.1:50462/?viz=tilemap` and reported bootstrap synced 55 cache roots.
+
+- Claude Code ran Bash commands to verify both visualization servers: port 50462 (plugin cache) and port 3458 (dev server with new code), and confirmed the new bridge.js code containing the `MAX_FORCE_NODES` cap was being served from port 3458.
+
+- Claude Code verified the new bridge code is loaded by checking for 10 hits on the cap constants and confirmed HTML loads bridge.js, event stream, and snapshot correctly.
+
+- Claude Code explained that port 3458 now serves the throttled force renderer with the 6k node cap, and provided the correct URL (`http://127.0.0.1:3458/?viz=force`) for testing, with expected behavior: 1s skeleton load, 12s visible growth, then cap stabilizes around 5600 nodes while maintaining browser responsiveness.
+
+### 10:19
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:008edb37-4bf7-4f96-b42e-efe4a53ded83 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User showed a screenshot indicating nodes were not visible in the visualization; Claude Code discovered the page was defaulting to the tilemap tab instead of the force renderer with nodes displayed.
+
+- Claude Code identified three blocking issues: (1) auto-redirect routing to `?viz=tilemap` instead of `?viz=force`, (2) a stale performance warning banner in unified-viz.html, and (3) controls.js forcing the landing view to "knowledge" instead of "graph".
+
+- Claude Code edited unified-viz.html to flip the default redirect from tilemap to force renderer (line 23–53) and removed the obsolete warning banner (lines 323–340), then updated controls.js to set the default landing view to "graph" instead of "knowledge" (lines 28–40).
+
+- Claude Code verified the fixes by running tests (37 passed), checking that the redirect logic targets `?viz=force`, confirming bridge.js has the 6,000-node cap, and verifying controls.js lands on the graph tab, then created git commit 0012e72 with these changes.
+
+- Claude Code confirmed both the dev server (port 3458) and plugin server (port 50998) were running with the updated code; the page-level redirect now automatically normalizes any tilemap path to force renderer, and the graph tab becomes the default landing view.
+
+### 10:35
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:a271f250-7850-49f6-9987-0dc87ff7f85c transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User identified that the visualization was loading all nodes at once instead of streaming incrementally—the architecture was destroying and rebuilding the entire force simulation on each batch, causing visual flashing rather than continuous progress.
+- Claude Code examined workflow_graph.js, workflow_graph_render_canvas.js, workflow_graph_render_svg.js, and workflow_graph_bridge.js to understand the current rendering architecture; found CANVAS_THRESHOLD=2000 and identified that the destroy/rebuild pattern prevented incremental growth.
+- Claude Code modified ui/unified/js/workflow_graph.js to remove SVG path (which cannot grow incrementally) and added handle.append(newNodes, newEdges) API to mutate the live nodes/edges arrays while gently restarting the simulation at alpha(0.15).
+- Claude Code rewrote ui/unified/js/workflow_graph_bridge.js to bootstrap once with the initial batch and then append diffs on subsequent SSE events instead of destroying/rebuilding.
+- Claude Code tested the incremental append against a real SSE stream emulator and verified the architecture worked: 1 seed bootstrap, 21 append operations, 6000-node capacity ceiling, steady streaming with no rebuild cycles.
+- Claude Code committed the changes to wip/layout-authority-sse-streaming (feat: true incremental append — one simulation, append per batch), launched both visualization servers, and confirmed both served the new incremental append code.
+
+### 10:41
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:2afed6b8-98f8-4fd8-bbcb-1c033eb57684 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported browser crashing when viewing the visualization, and Claude Code investigated the performance issue.
+
+- Claude Code identified the root cause in `appendGraphDelta()` in graph.js: three O(N) hot paths executing on every SSE batch, with N growing to 135k nodes, creating ~9 billion iterations total and causing out-of-memory errors.
+
+- Claude Code made edits to graph.js to replace the full recount of nodes per batch with running totals stored on the JUG namespace, reducing sidebar stat computation from O(N) to O(1).
+
+- Claude Code modified workflow_graph_bridge.js to suppress the legacy buildGraph rebuild by setting `JUG.__wfgActive=true` when the bridge takes over, and changed the event payload to emit only the delta of new items instead of the full accumulated data.
+
+- Claude Code verified the changes with syntax checks and test runs (37 tests passed), then committed the fix (commit 117ece5) reducing total hot-path iterations from ~9 billion to ~135k (65,000× less work).
+
+- Claude Code restarted the visualization server on port 3458, verified the deployed code contains the fixes, and provided instructions for the user to open the graph at `http://127.0.0.1:3458/?viz=force` to test the fix.
+
+
+## Session 11:09
+
+### 11:09
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:060e7281-9d42-4276-b86e-4a1975f72a93 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the graph visualization is consuming excessive CPU and crashing the browser despite previous fixes.
+- Claude Code identified two root causes: the force simulation continuously reheats without sleeping between batches, and the cumulative `state.lastData` array grows beyond the 6,000-node render cap, reaching 300+ MB.
+- Claude Code edited `workflow_graph.js` to add a 3-second idle timer that calls `sim.stop()` after each batch, and modified `graph.js` to bound `state.lastData` at 8,000 nodes once the renderer is active.
+- Claude Code cache-busted 34 script tags in `ui/unified-viz.html` with `?v=<git-sha>` to force browser refresh of changed JavaScript files.
+- Claude Code traced the data pipeline and discovered that L6 symbols (670k+ nodes from codebase analysis) are being computed server-side but never reaching the SSE stream—`_merge()` pushes to `_graph_cache` and `LayoutAuthority` but never calls `_events.emit()`.
+- Claude Code added a one-line fix to `http_standalone_graph.py` line 573 to wire `_merge()` calls to the SSE event stream, enabling L6 symbol batches to stream to the browser.
+- Claude Code committed `e85a642` ("fix(viz): emit L6 symbols to the live SSE stream") and verified the baseline build path now includes symbol streaming; test run showed baseline complete with 107,637 total nodes queued before L6 phase began.
+
+
+## Session 11:36
+
+### 11:36
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:bbf6c8f9-8e06-4df9-b4df-59ad9b3bfb74 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to display the visualization and stated it doesn't work until the full 600K-node graph displays without performance blockage.
+- Claude Code abandoned the force-directed renderer and created a new static-positions canvas renderer (`workflow_graph_obsidian.js`) that reads precomputed node positions from the `/api/quadtree` endpoint (650 KB Apache Arrow IPC format) and paints them in a single canvas pass instead of computing physics per frame.
+- Claude Code consolidated the codebase by deleting 14 legacy renderer files (force, tilemap, SVG, canvas, streaming, tooltip, and related files), removing their script tags from the HTML, and rewrote `workflow_graph.js` as a 30-line shim delegating to the single Obsidian renderer.
+- Claude Code verified end-to-end wiring: confirmed `/api/quadtree` returns 650 KB of precomputed positions from the LayoutAuthority, both dev servers (ports 3458 and 56639) serve the consolidated stack with zero legacy renderer references, and all 37 tests pass.
+- The new architecture eliminates per-frame work—no ticker, no force physics—painting all nodes once on load and responding only to user pan/zoom input with CPU idle between interactions.
+
+
+## Session 11:41
+
+### 11:41
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:c65705cb-98b7-41fe-a0d4-35079b3e531a transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that visualization performance had worsened since the previous version.
+
+- Claude Code diagnosed the root cause: nodes were being bucketed and allocated inside the draw loop for every pan/zoom event instead of once at load, causing O(N) allocations per frame with 50k+ nodes and rendering at <10 fps.
+
+- Claude Code applied three performance fixes to `workflow_graph_obsidian.js`: (1) bucketed positions once at load into `Int32Array` per kind, (2) added rAF coalescing to limit paint calls to maximum 1 per frame, (3) added viewport culling via flatbush spatial index.
+
+- Claude Code verified syntax with Node.js, created commit `1fbfd15` ("fix(viz): rAF-throttle + viewport-cull the Obsidian renderer"), confirming the branch is 20 commits ahead of main.
+
+- Claude Code restarted both visualization servers (ports 3458 and 56951) and verified both were serving the new build with 8 cull hits observed; confirmed the layout contains ~50k nodes (1.6 MB Arrow IPC) and `/api/quadtree` endpoint returning 649,891 bytes.
+
+- Claude Code provided the user with `http://127.0.0.1:3458/` URL and a table of expected improvements: ~0% CPU at rest, smooth 60 fps panning with live visibility count updates, faster zooming as flatbush culls offscreen nodes, and responsive hover/click interactions.
+
+
+## Session 11:51
+
+### 11:51
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:900bd78d-924a-45ce-8ac2-f024b0e0be48 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to revert the visualization changes but remove only the node cap limit, preserving all node details that users needed to inspect.
+- Claude Code identified and reverted commits 2805b02 (Obsidian renderer consolidation) and 1fbfd15 (rAF throttle) to restore the force renderer, while keeping performance fixes from earlier commits.
+- Claude Code removed MAX_FORCE_NODES constant, capForForceRender function, and related sampling logic from workflow_graph_bridge.js.
+- Claude Code removed STORE_CAP (8000 node limit) and storeFull guards from graph.js to allow the full accumulated dataset to be stored and rendered.
+- Claude Code verified syntax and confirmed all caps were removed (0 grep hits on MAX_FORCE_NODES, capForForceRender, STORE_CAP).
+- Claude Code committed the changes and relaunched the dev server at http://127.0.0.1:3458/?viz=force with no node limits, allowing all SSE-streamed data to flow into the simulation and render with full detail intact.
+
+
+## Session 13:08
+
+### 13:08
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:6ccae22f-9315-4bc0-8cea-d430e55b7f0b transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- Background verification task completed successfully: confirmed deployed code has caps removed and obsidian renderer removed from the visualization system.
+- Claude Code reported branch state at commit 2725d9a, 21 commits ahead of main, with force renderer restored, all caps removed from rendering, and performance fixes retained.
+- Claude Code confirmed tests remain passing and branch is ready for continued work.
+
+### 13:14
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:f6a73de5-5467-4ebf-a774-15371b8624e4 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that graph visualization was freezing the browser because it was loading too many nodes at once instead of progressively draining them (using the metaphor of a pile growing faster than it's being unstacked).
+
+- Claude Code diagnosed the root cause: `flushPendingDelta()` in workflow_graph_bridge.js was processing the entire accumulated delta synchronously in one go, causing performance spikes when SSE phases delivered 50k–670k items at once.
+
+- Claude Code read the current drain path (lines 250–330 of workflow_graph_bridge.js) and found the debounce-based system using timers (`chooseWait`, safety deadline) that violated constant-drain-rate invariants.
+
+- Claude Code replaced the timer-based approach with a constant-rate rAF-paced drain: `_drainOnce()` now processes at most 600 nodes + 1500 edges per animation frame, while the SSE source accumulates freely into `_pendingDelta`.
+
+- Edited workflow_graph_bridge.js to implement pile-and-drain architecture, verified JavaScript syntax with `node -c`, and ran 37 passing tests.
+
+- Committed changes to branch wip/layout-authority-sse-streaming as commit 54d366d, relaunched visualization servers (ports 3458 and 59659), and confirmed the new code is deployed and serving.
+
+### 13:34
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:be68fd37-dd32-4257-86ba-1d2756e38c1e transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to relaunch the visualization.
+- Claude Code executed a Bash command to kill any process on port 3458 and clear the graph snapshot cache at `~/.cache/cortex/graph-snapshot.bin`.
+- Claude Code called the `mcp__plugin_cortex_cortex__open_visualization()` tool, which returned two visualization URLs: a dev server at `http://127.0.0.1:3458/?viz=force` and a plugin tab at `http://127.0.0.1:60153/?viz=tilemap`.
+- Claude Code reported bootstrap status as "ok" with 55 synced items and explained that both URLs serve the same code from the latest commit `54d366d`, noting that the page-level JavaScript normalizes the tilemap query parameter to `?viz=force`.
+- Claude Code advised that if a previous tab remains open, a hard refresh (⌘⇧R) should be performed to evict cached JavaScript.
+
+
+## Session 13:39
+
+### 13:39
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:ea60a8a9-58ec-45a9-93ae-2ca6aa5d4cf8 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the graph visualization kept moving and disappearing during operation.
+
+- Claude Code diagnosed the root cause: the `append()` function was calling `sim.alpha(0.15).restart()` on every drain event (~60/sec during streaming), preventing the physics simulation from cooling down — alpha never fell below 0.15, forcing continuous node drift and off-screen disappearance.
+
+- Claude Code implemented a throttling fix in `workflow_graph.js` that uses state-dependent reheat logic: α=0.03 for continuous drains (<250ms gaps), α=0.15 for idle wake (≥250ms gap), and `sim.stop()` after 3s idle; added a guard to only bump alpha if current alpha is below the target value, preserving the settle from previous waves.
+
+- Claude Code verified syntax, ran the full test suite (37 passed), and committed the fix as `51293a2` — branch now 23 commits ahead of main.
+
+- Claude Code freed port 3458, relaunched the visualization via the cortex visualization plugin, and provided the URL `http://127.0.0.1:3458/?viz=force` with instructions to hard-refresh and report observed behavior (nodes settling between batches, nothing disappearing off-screen, CPU dropping to 0 after stream ends).
+
+
+## Session 13:49
+
+### 13:49
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:d63d9a40-0c3d-44e4-8595-1decfd9e964a transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported visualization bugs: nodes disappearing, graph position shifting during load, new nodes placed randomly, and blinking instead of fading.
+- Claude Code diagnosed that continuous force simulation was the root cause and designed a fix: pin nodes after initial settle, use neighbor-aware placement for new nodes, apply fade-in via canvas opacity, and disable sim restart during streaming updates.
+- Claude Code read `workflow_graph_render_canvas.js` and `workflow_graph.js`, then edited both files to implement fade-timing logic, neighbor-centroid placement, and pinning after seed settles.
+- Claude Code verified JavaScript syntax, ran pytest suite (37 passed), and committed changes as `2dcb6cc feat(viz): freeze, neighbour-place, fade-in — fixes 4 streaming bugs` (24 commits ahead of main).
+- Claude Code restarted the visualization server on port 3458, provided testing URL `http://127.0.0.1:3458/?viz=force`, and detailed expected behaviors: ~1s initial force settle followed by pinning, existing nodes lock in place, new nodes fade in at neighbor centroids over ~400ms, no global re-layout.
+
+
+## Session 13:56
+
+### 13:56
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:8d7c3624-2913-4530-9fc3-96625445053f transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported persistent blinking and node disappearance (memories, conversations, projects) when loading memories in the visualization
+- Claude Code identified the "smoking gun" in workflow_graph_filters.js line 190: auto-triggered filter rebuilds on every SSE batch via `JUG.on('state:lastData')`, causing ~60 canvas-wipe cycles per second during ingest
+- Root cause traced to filterKeep snapshot taken at apply-time; nodes added later by the drain weren't in snapshot and rendered at alpha 0.04 (invisible), creating the blink-and-reload illusion
+- Claude Code removed the state:lastData auto-apply trigger and changed default "all" filter to set filterKeep = null instead of populating a snapshot, allowing new nodes to render at full alpha without filter rebuilds
+- Fix verified with syntax check, committed as 578fdc3, and visualization server relaunched at http://127.0.0.1:3458/?viz=force for testing
+
+
+## Session 14:00
+
+
+## Session 14:11
+
+### 14:11
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:48680691-1b77-45a8-8ad8-a0cec4667d1a transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the graph visualization was overwhelming the browser due to 1,000-node bursts arriving too quickly; suggested using RabbitMQ-style pacing
+- Claude Code diagnosed the server emitting nodes in bursts and implemented producer-side pacing: reduced chunk size from 1000 to 25 nodes, added 30ms sleep between emissions in GraphEventStream class, updated both callers in http_standalone_graph.py
+- Claude Code verified the fix with a smoke test showing 4 sub-events emitted in ~139ms (close to theoretical 120ms) and ran unit tests (37 passed)
+- Claude Code committed changes (d6344ca) achieving ~825 nodes/sec steady delivery with node-after-node fade-in (6s backbone + ~2 min memories + ~13 min L6 symbols) instead of overwhelming bursts
+- Claude Code relaunched visualization servers (ports 3458 and 62800) with paced-emitter code active and confirmed browser stays responsive during load
+
+
+## Session 14:21
+
+### 14:21
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:de8d0469-ca74-4aac-adc3-11e6b9df2be8 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported the browser crashed with the graph loaded by default when Knowledge tab was selected, indicating a memory/performance issue.
+- Claude Code diagnosed that graph machinery (SSE accumulation, bridge drain, canvas redraws, simulation ticks) runs regardless of active tab, causing eventual OOM.
+- Claude Code identified root cause: `state.js` initializes `activeView='knowledge'`, and when bridge attaches before `controls.js` switches to `'graph'` via `setTimeout(0)`, the seed lock engages with `_viewActive=false`, preventing initial rendering.
+- Claude Code edited `workflow_graph_bridge.js` to separate concerns: drain always runs and seeds on first batch, but per-frame sim gating only pauses when not on Graph tab; committed as 35f7e48 (27 commits ahead of main).
+- Claude Code verified JS syntax and instructed user to hard-refresh (⌘⇧R) to clear cached JS and restore graph rendering in ~6 seconds with structural backbone paint followed by streaming nodes.
+
+
+## Session 16:10
+
+### 16:10
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:636fa306-5f76-4af8-a298-6c668ab0b2e0 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User emphasized that Claude Code must not deliver code to main unless it works end-to-end, establishing a quality gate requirement before any merge.
+- Claude Code acknowledged the requirement and confirmed the workflow: visualization branch (`wip/layout-authority-sse-streaming` with 27 commits) remains unmerged to main until the user verifies end-to-end functionality (graph rendering, no visual artifacts, interactivity confirmed).
+- Claude Code committed to delaying PR creation and merging until manual verification on the user's machine is complete.
+
+
+## Session 16:12
+
+### 16:12
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:256427c7-193b-4ce7-9fa0-5d6d7566ae95 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User asked Claude Code to open the visualization to check current status.
+- Claude Code freed port 3458 by killing any existing process, cleared the snapshot cache, then invoked the `open_visualization()` MCP tool.
+- Visualization opened at `http://127.0.0.1:54567/?viz=force` with bootstrap status "ok synced=55"; layout status was "not_triggered" (pending user action).
+- Claude Code instructed user to hard-refresh the browser to clear stale JS cache and referenced commit `35f7e48` (drain no longer view-gated, seed actually fires) as a critical fix.
+- Claude Code provided debugging checklist: check for structural backbone within 5–10 s, canvas centering, node clicking, pan/zoom responsiveness, and visible blinking; recommended DevTools console for `[wfg]` log lines to verify seed execution and node/edge counts.
+
+
+## Session 16:15
+
+### 16:15
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:9a977148-7f7d-4f75-9651-89dd7ab934d1 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported that the current visualization was broken: not centered, blinking while loading, and unusable even before reaching the memories stage.
+- Claude Code identified that recent commits had broken a previously working baseline and reverted five commits (35f7e48, d6344ca, 2dcb6cc, 51293a2, back to 54d366d), then cherry-picked the filter-rebuild fix (578fdc3) to restore the working state while keeping the legitimate blink fix.
+- Claude Code killed the existing dev server process on port 3458, cleared the cached graph snapshot at ~/.cache/cortex/graph-snapshot.bin, and relaunched the visualization.
+- Claude Code launched the visualization on http://127.0.0.1:54774/?viz=force and instructed the user to hard-refresh (⌘⇧R) to evict the stale JS cache.
+- Claude Code set up the plan to restore the working baseline first (centered graph, no blinking, usable until memories stage), then tackle the memories problem in small, verifiable steps rather than with architectural rewrites.
+
+### 16:24
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:9a977148-7f7d-4f75-9651-89dd7ab934d1 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User reported two critical visualization bugs: memories spawning at the top-left corner of the graph and the entire graph re-laying out every second, making it unusable
+- Claude Code read workflow_graph.js and identified root causes: (1) `container.clientWidth` returning 0 when Knowledge tab is active, causing new memories to spawn at coordinates (0, 0), (2) `sim.alpha(0.15).restart()` firing on every drain cycle (~60 Hz) causing continuous reheat that prevents the simulation from settling
+- Claude Code edited workflow_graph.js twice: replaced `container.clientWidth/clientHeight` with `ctx.cx/ctx.cy` (canvas center captured at mount time), added reheat throttle logic to set α=0.15 only when drain gaps exceed 250ms, otherwise α=0.03 to allow alphaDecay to win
+- Claude Code verified syntax (JavaScript check passed) and ran pytest (37 tests passed), then committed changes as commit 2caad50
+- Claude Code restarted the visualization server, cleared cache snapshot, and reopened the graph at http://127.0.0.1:55523/?viz=force for testing the fixes
+
+### 16:29
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:6a19f05f-e966-452a-8094-10e2e8a0a597 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User provided a file path to a screen recording (Screen Recording 2026-05-29 at 16.25.49.mov) and indicated they made it to demonstrate what happens as something loads.
+
+
+## Session 16:36
+
+### 16:36
+<!-- session:1436d63b-5d2b-4951-b71f-438a7947d536 turn:6a19f05f-e966-452a-8094-10e2e8a0a597 transcript:/Users/cdeust/.claude/projects/-Users-cdeust-Documents-Developments-Cortex/1436d63b-5d2b-4951-b71f-438a7947d536.jsonl -->
+- User provided a screen recording (.mov file) showing visualization load issues where memories were clustering in the top-left corner
+
+- Claude Code extracted frames from the video at t=2s, 18s, 35s, and 60s using a Swift AVFoundation script and confirmed memories were piling up in the top-left corner instead of spreading across the graph
+
+- Claude Code diagnosed the root cause: nodes were receiving NaN coordinates, causing d3-force to apply its default Fibonacci spiral positioning around world origin (0,0), rather than the memory nodes spreading properly
+
+- Claude Code identified three underlying bugs: (1) `ctx.cx/cy` references were undefined, (2) case-sensitivity mismatch between domain labels ('Cortex') and anchor IDs ('domain:cortex'), (3) missing fallback for the global anchor
+
+- Claude Code implemented four defensive fixes in `ui/unified/js/workflow_graph.js`: added `_finite()` helper with fallback chain, pre-built list of valid anchors, lowercase domain candidate matching, and final guard to prevent d3 from seeing NaN coordinates
+
+- Claude Code verified the fix (JS syntax check passed, pytest suite: 37 passed), created commit d179a10 ("fix(viz): guarantee finite positions — no more NaN→spiral cluster"), and restarted the dev server on port 56330 with the fixes deployed
+
diff --git a/.memsearch/memory/2026-05-31.md b/.memsearch/memory/2026-05-31.md
new file mode 100644
index 00000000..1d1aefee
--- /dev/null
+++ b/.memsearch/memory/2026-05-31.md
@@ -0,0 +1,3 @@
+
+## Session 10:24
+
diff --git a/mcp_server/core/workflow_graph_builder.py b/mcp_server/core/workflow_graph_builder.py
index cfeed57b..3255e0d3 100644
--- a/mcp_server/core/workflow_graph_builder.py
+++ b/mcp_server/core/workflow_graph_builder.py
@@ -20,7 +20,7 @@
 from __future__ import annotations
 
 from collections import Counter, defaultdict
-from typing import Iterable
+from typing import Callable, Iterable, List, Optional, Tuple
 
 from mcp_server.core.workflow_graph_builder_relational import (
     ingest_ast_edge,
@@ -106,53 +106,140 @@ def __init__(self) -> None:
     def build(self, inputs: WorkflowBuildInputs):
         """Ingest every stream in ``inputs`` and return (nodes, edges).
 
-        Signature satisfies the §4.4 parameter-count rule (≤4): single
-        DTO parameter holds all the data streams. See
-        ``workflow_graph_inputs.WorkflowBuildInputs`` for the shape.
+        Backwards-compatible wrapper around ``streaming_build`` that
+        drains all batches and returns the final accumulated graph.
+        Callers wanting per-batch emission should use ``streaming_build``
+        directly.
         """
+        for _ in self.streaming_build(inputs, on_batch=None):
+            pass
+        return self._dedupe_and_link(self._nodes.values(), self._edges)
+
+    def streaming_build(
+        self,
+        inputs: WorkflowBuildInputs,
+        on_batch: Optional[
+            Callable[[str, List[WorkflowNode], List[WorkflowEdge]], None]
+        ] = None,
+    ):
+        """Generator variant: yield ``(label, new_nodes, new_edges)`` per
+        source-ingest step.
+
+        Why this exists: a synchronous ``build()`` call against the
+        ``stage="full"`` inputs runs ~13 PG queries and ~3 ingest phases
+        before returning anything to the caller. Measured baseline on
+        the dev DB: ~150 s before the first node reaches the SSE
+        producer, even though the layout authority and SSE transport
+        are designed to stream. Cochrane Finding A's Act-channel never
+        fires in that window because the producer never reaches the
+        inter-batch seams. See ``tasks/layout-authority/audits/cochrane.md``
+        §12 and the run-time measurement on 2026-05-27.
+
+        Streaming order respects the builder's three-phase contract:
+            phase 1 — node-bearing sources (one batch per source)
+            files   — file finalisation (synthetic batch)
+            phase 2 — relational sources (one batch per source)
+            phase 3 — AST symbols + AST edges (two batches)
+
+        The yielded ``new_nodes`` / ``new_edges`` are the deltas added
+        by THAT source — already deduped within the batch via
+        ``_dedupe_and_link`` on just the new edges, so cross-source
+        weight summing is preserved for the final ``build()`` return
+        (different sources emit different ``EdgeKind`` values, so
+        cross-source key collisions are impossible by construction).
+
+        ``on_batch`` is invoked with the same triple just before each
+        yield, for callers that prefer push semantics (e.g. wiring
+        into ``LayoutAuthority.add_node``). When ``None`` the generator
+        still yields — drain it with ``for _ in ...: pass`` to run the
+        ingest without emission.
+        """
+        # Capture the offsets BEFORE _ensure_domain so the synthetic
+        # ``domain:__global__`` node is included in the first batch's
+        # delta. Otherwise it stays at index 0, every batch slices
+        # ``[prev_n:]`` with prev_n>=1, the global node is never
+        # emitted, and validate_graph rejects the in_domain edges that
+        # target it ("edge target missing: domain:__global__").
+        prev_n = len(self._nodes)
+        prev_e = len(self._edges)
         self._ensure_domain(GLOBAL_DOMAIN_ID, "global")
+
+        def _emit(label: str):
+            nonlocal prev_n, prev_e
+            new_nodes = list(self._nodes.values())[prev_n:]
+            new_edges_raw = self._edges[prev_e:]
+            # Intra-batch dedup-and-link: collapses repeat (src,tgt,kind)
+            # edges within this source and sums their weights. Cheap
+            # because the batch is the size of one source's output, not
+            # the whole graph.
+            _, new_edges = self._dedupe_and_link(new_nodes, new_edges_raw)
+            prev_n = len(self._nodes)
+            prev_e = len(self._edges)
+            if on_batch is not None:
+                on_batch(label, new_nodes, new_edges)
+            return label, new_nodes, new_edges
+
         # Phase 1: node ingestion. Mix of self-bound builder methods
         # (for kinds the builder owns) and free functions that take
         # the builder as first arg (for externalised kinds like
         # ENTITY). The dispatch shape is the same for both.
-        phase1: tuple[tuple[list, object], ...] = (
-            (inputs.tool_events, self._ingest_tool_event),
-            (inputs.skill_paths, self._ingest_skill),
-            (inputs.hook_defs, self._ingest_hook),
-            (inputs.agent_events, self._ingest_agent),
-            (inputs.command_events, self._ingest_command),
-            (inputs.memories, self._ingest_memory),
-            (inputs.discussions, self._ingest_discussion),
+        phase1: Tuple[Tuple[str, list, object], ...] = (
+            ("tool_events", inputs.tool_events, self._ingest_tool_event),
+            ("skills", inputs.skill_paths, self._ingest_skill),
+            ("hooks", inputs.hook_defs, self._ingest_hook),
+            ("agents", inputs.agent_events, self._ingest_agent),
+            ("commands", inputs.command_events, self._ingest_command),
+            ("memories", inputs.memories, self._ingest_memory),
+            ("discussions", inputs.discussions, self._ingest_discussion),
         )
-        for events, fn in phase1:
+        for label, events, fn in phase1:
             for ev in events or []:
                 fn(ev)
+            yield _emit(label)
         for ev in inputs.entities or []:
             ingest_entity(self, ev)
+        yield _emit("entities")
+        # File finalisation depends on the cumulative tool/discussion
+        # ingestion above — synthesised as its own batch so the SSE
+        # producer sees file nodes before any phase-2 edge references
+        # them. The LayoutAuthority's I3 invariant tolerates late
+        # arrivals via the pending-symbols buffer, but emitting in
+        # dependency order minimises buffering pressure.
         self._finalize_files()
+        yield _emit("files")
         # Phase 2: relational edges. Every helper takes the builder
         # as first arg, assumes file nodes exist.
-        phase2: tuple[tuple[list, object], ...] = (
-            (inputs.discussion_file_events, ingest_discussion_file),
-            (inputs.command_file_events, ingest_command_file),
-            (inputs.skill_usage_events, ingest_skill_usage),
-            (inputs.mcp_usage_events, ingest_mcp_usage),
-            (inputs.discussion_tool_events, ingest_discussion_tool),
-            (inputs.discussion_agent_events, ingest_discussion_agent),
-            (inputs.discussion_command_events, ingest_discussion_command),
-            (inputs.memory_entity_edges, ingest_about_entity),
+        phase2: Tuple[Tuple[str, list, object], ...] = (
+            ("discussion_files", inputs.discussion_file_events, ingest_discussion_file),
+            ("command_files", inputs.command_file_events, ingest_command_file),
+            ("skill_usage", inputs.skill_usage_events, ingest_skill_usage),
+            ("mcp_usage", inputs.mcp_usage_events, ingest_mcp_usage),
+            ("discussion_tools", inputs.discussion_tool_events, ingest_discussion_tool),
+            (
+                "discussion_agents",
+                inputs.discussion_agent_events,
+                ingest_discussion_agent,
+            ),
+            (
+                "discussion_commands",
+                inputs.discussion_command_events,
+                ingest_discussion_command,
+            ),
+            ("memory_entity_edges", inputs.memory_entity_edges, ingest_about_entity),
         )
-        for events, fn in phase2:
+        for label, events, fn in phase2:
             for ev in events or []:
                 fn(self, ev)
+            yield _emit(label)
         # Phase 3 (ADR-0046): AST enrichment. Symbols attach to files,
         # AST edges attach to symbols — silently skip when their parent
         # is missing. Empty lists when AP isn't configured.
         for sym in inputs.ast_symbols or []:
             ingest_symbol(self, sym)
+        yield _emit("ast_symbols")
         for edge in inputs.ast_edges or []:
             ingest_ast_edge(self, edge)
-        return self._dedupe_and_link(self._nodes.values(), self._edges)
+        yield _emit("ast_edges")
 
     # ── al-jabr: fill missing domain / classify file tool mix ─────────
 
diff --git a/mcp_server/handlers/graph_stream.py b/mcp_server/handlers/graph_stream.py
new file mode 100644
index 00000000..1c378968
--- /dev/null
+++ b/mcp_server/handlers/graph_stream.py
@@ -0,0 +1,122 @@
+"""SSE handler for the live layout-authority slot/edge stream.
+
+The build worker emits ``(seq, kind, payload_bytes)`` tuples via
+``layout_authority._log``. ``payload_bytes`` is already SSE-formatted by
+``layout_authority_wire`` (``id: <seq>\\nevent: <kind>\\ndata: ...\\n\\n``).
+This handler:
+
+* opens the SSE stream (HTTP/1.1 chunked, Last-Event-ID resume — best
+  effort, see invariant I3 in ``layout_authority_log.reset``),
+* drains its subscriber queue, wraps each payload in a chunked-transfer
+  frame, writes it to the socket,
+* sends a ``: ping\\n\\n`` keepalive every 15 s of silence so proxies
+  don't tear down idle connections,
+* terminates cleanly when the ``done`` event arrives or the client
+  disconnects (BrokenPipe / ConnectionReset / OSError),
+* unsubscribes its queue under any termination path.
+
+Composition root: ``http_standalone._route_unified_get`` wires this in.
+The handler depends only on ``server.http_standalone_graph`` (for the
+lazy authority singleton) and the ``layout_authority_log`` / ``_wire``
+modules (for stats and the keepalive bytes).
+"""
+
+from __future__ import annotations
+
+import json
+import queue as _queue_mod
+
+from mcp_server.server import layout_authority_log as _log
+from mcp_server.server import layout_authority_wire as _wire
+
+_KEEPALIVE_TIMEOUT_S = 15.0
+
+
+def _write_chunk(handler, payload: bytes) -> bool:
+    """Write one HTTP/1.1 chunked frame. Return False on socket error."""
+    try:
+        frame = _wire.chunk_wrap(payload)
+        handler.wfile.write(frame)
+        handler.wfile.flush()
+        return True
+    except (BrokenPipeError, ConnectionResetError, OSError):
+        return False
+
+
+def _write_terminator(handler) -> None:
+    try:
+        handler.wfile.write(_wire.format_terminator())
+        handler.wfile.flush()
+    except (BrokenPipeError, ConnectionResetError, OSError):
+        pass
+
+
+def serve(handler, store) -> None:
+    """SSE handler — subscribe, drain, write chunks until done/disconnect.
+
+    Pre:
+      - handler is a BaseHTTPRequestHandler with HTTP/1.1 protocol_version.
+    Post:
+      - subscriber queue is unsubscribed regardless of termination path.
+    """
+    # Lazy import — avoids a circular at module load.
+    from mcp_server.server.http_standalone_graph import get_layout_authority
+
+    authority = get_layout_authority()
+
+    # SSE headers. ``X-Accel-Buffering: no`` defeats nginx/cloudflare
+    # response buffering. Transfer-Encoding chunked is implied by HTTP/1.1
+    # without Content-Length but we set it explicitly for clarity.
+    handler.send_response(200)
+    handler.send_header("Content-Type", "text/event-stream; charset=utf-8")
+    handler.send_header("Cache-Control", "no-cache, no-transform")
+    handler.send_header("X-Accel-Buffering", "no")
+    handler.send_header("Connection", "keep-alive")
+    handler.send_header("Transfer-Encoding", "chunked")
+    handler.end_headers()
+
+    q = authority.subscribe()
+    try:
+        while True:
+            try:
+                seq, kind, payload = q.get(timeout=_KEEPALIVE_TIMEOUT_S)
+            except _queue_mod.Empty:
+                # Keepalive — payload is a non-empty SSE comment.
+                if not _write_chunk(handler, _wire.format_keepalive()):
+                    return
+                continue
+
+            if not _write_chunk(handler, payload):
+                return
+
+            if kind == "done":
+                _write_terminator(handler)
+                return
+    finally:
+        authority.unsubscribe(q)
+
+
+def serve_stats(handler, store) -> None:
+    """GET /api/graph/stream/stats — JSON of log + authority counters.
+
+    Returns ``{"log": <log.stats()>, "authority": <authority.stats()>}``
+    so dashboards can verify the producer is making progress and no
+    subscriber backlog is growing.
+    """
+    from mcp_server.server.http_standalone_graph import get_layout_authority
+
+    authority = get_layout_authority()
+    payload = {
+        "log": _log.stats(),
+        "authority": authority.stats(),
+    }
+    body = json.dumps(payload).encode("utf-8")
+    handler.send_response(200)
+    handler.send_header("Content-Type", "application/json; charset=utf-8")
+    handler.send_header("Content-Length", str(len(body)))
+    handler.send_header("Cache-Control", "no-store")
+    handler.end_headers()
+    try:
+        handler.wfile.write(body)
+    except (BrokenPipeError, ConnectionResetError, OSError):
+        pass
diff --git a/mcp_server/handlers/node_metadata.py b/mcp_server/handlers/node_metadata.py
new file mode 100644
index 00000000..a3f26d73
--- /dev/null
+++ b/mcp_server/handlers/node_metadata.py
@@ -0,0 +1,90 @@
+"""GET /api/node/<id> — return the full node dict from the build cache.
+
+The SSE slot stream carries only ``(node_id, x, y, kind, domain_id)``
+(see ``layout_authority_wire.format_slot``). When the user hovers /
+clicks a node the renderer needs the full provenance — file path,
+parent file, color, label, symbol_type, etc. — that the build worker
+stashed in the cumulative graph cache.
+
+This is a lazy, server-side stash lookup: the cache already exists
+(populated by ``_kick_background_build._merge``); we just expose it
+keyed by node id. Out-of-band of the layout authority on purpose:
+keeping the SSE byte stream tiny is the design (see jobs.md §1, §3).
+
+Pre:
+  - path is ``/api/node/<id>`` with id = everything after the prefix.
+  - ``http_standalone_graph._graph_cache`` may be None (build hasn't
+    started); we respond 404 in that case.
+Post:
+  - 200 + JSON node dict on hit.
+  - 404 + JSON ``{"error": ...}`` on miss.
+"""
+
+from __future__ import annotations
+
+import json
+from urllib.parse import unquote
+
+_PREFIX = "/api/node/"
+
+
+def _lookup_node(node_id: str) -> dict | None:
+    """Scan the cumulative cache for ``node_id``. None if no cache or
+    no match. O(N) over current node count — acceptable because the
+    UI calls this per hover, not per frame, and the alternative (a
+    second indexed mirror) doubles the memory footprint of the cache.
+    """
+    from mcp_server.server import http_standalone_graph as _hsg
+
+    cache = _hsg._graph_cache  # noqa: SLF001 — module-level stash
+    if not cache or not cache.get("data"):
+        return None
+    for node in cache["data"].get("nodes", []):
+        if node.get("id") == node_id:
+            return node
+    return None
+
+
+def serve(handler, store) -> None:
+    """GET /api/node/<id> — return the cached node or 404."""
+    path = handler.path
+    path_no_qs = path.split("?", 1)[0]
+    if not path_no_qs.startswith(_PREFIX):
+        body = json.dumps({"error": "bad_path"}).encode("utf-8")
+        handler.send_response(400)
+        handler.send_header("Content-Type", "application/json; charset=utf-8")
+        handler.send_header("Content-Length", str(len(body)))
+        handler.end_headers()
+        try:
+            handler.wfile.write(body)
+        except (BrokenPipeError, ConnectionResetError, OSError):
+            pass
+        return
+
+    node_id = unquote(path_no_qs[len(_PREFIX) :])
+    node = _lookup_node(node_id)
+
+    if node is None:
+        body = json.dumps({"error": "not_found", "node_id": node_id}).encode("utf-8")
+        handler.send_response(404)
+        handler.send_header("Content-Type", "application/json; charset=utf-8")
+        handler.send_header("Content-Length", str(len(body)))
+        handler.send_header("Cache-Control", "no-store")
+        handler.end_headers()
+        try:
+            handler.wfile.write(body)
+        except (BrokenPipeError, ConnectionResetError, OSError):
+            pass
+        return
+
+    body = json.dumps(node, default=str).encode("utf-8")
+    handler.send_response(200)
+    handler.send_header("Content-Type", "application/json; charset=utf-8")
+    handler.send_header("Content-Length", str(len(body)))
+    # Per-node payload is small + cache-stable for the build's lifetime.
+    handler.send_header("Cache-Control", "no-store")
+    handler.end_headers()
+    try:
+        handler.wfile.write(body)
+    except (BrokenPipeError, ConnectionResetError, OSError):
+        pass
diff --git a/mcp_server/handlers/open_visualization.py b/mcp_server/handlers/open_visualization.py
index bf071d22..f6b8c169 100644
--- a/mcp_server/handlers/open_visualization.py
+++ b/mcp_server/handlers/open_visualization.py
@@ -33,8 +33,13 @@
         "Distinct from `get_methodology_graph` (returns JSON for a "
         "CUSTOM client, no browser launched, no auxiliary views) and "
         "`list_domains` (text overview, no graph). Side effects: spawns "
-        "an HTTP server process and opens a browser tab. Latency ~200ms "
-        "(server warmup + browser launch). Returns {url, message}."
+        "an HTTP server process and opens a browser tab. The CALL itself "
+        "returns in ~200 ms (server warmup + browser launch); the GRAPH "
+        "build is lazy — kicked when the page polls /api/graph/progress "
+        "(i.e. when the user opens the Graph view). First paint of the "
+        "skeleton lands in ~1 s; the full graph fills in behind it and "
+        "depends on the DB size (seconds for typical, ~1-3 min on a 100k+ "
+        "memory store). Returns {url, message, dev_source, bootstrap, layout}."
     ),
     "inputSchema": {
         "type": "object",
@@ -243,13 +248,22 @@ async def handler(args: dict | None = None) -> dict:
     # opens the browser at the UI and returns. The frontend's Graph
     # button is the only place that fires /api/graph and
     # /api/recompute_layout, with its own progress polling.
-    target_url = url.rstrip("/") + "/?viz=tilemap"
+    # Default to the force-directed workflow graph (the README hero
+    # screenshot). The tilemap renderer (`?viz=tilemap`) is a different
+    # CPU-layout + Datashader pipeline that requires a precomputed igraph
+    # layout and does NOT share the skeleton-first / progress-kicks-build
+    # / two-stage fallback path the force-directed renderer uses. Landing
+    # on ?viz=force gives the user first paint in ~1 s on any DB size;
+    # the heavy data fills in behind it.
+    target_url = url.rstrip("/") + "/?viz=force"
     open_in_browser(target_url)
 
     message = (
-        f"Tilemap viz opened at {target_url}. Click the Graph button "
-        "in the UI to build/refresh the graph; indexing happens on "
-        "demand, not on launch."
+        f"Workflow graph opened at {target_url}. Click the Graph tab in "
+        "the UI if not already selected; the build kicks lazily on first "
+        "progress poll. First paint (skeleton: domains + setup) appears "
+        "in ~1 s; the full graph fills in behind it as memories / files / "
+        "AST symbols stream from the cache."
     )
     return {
         "url": target_url,
diff --git a/mcp_server/handlers/workflow_graph.py b/mcp_server/handlers/workflow_graph.py
index e79c59c9..eedc238b 100644
--- a/mcp_server/handlers/workflow_graph.py
+++ b/mcp_server/handlers/workflow_graph.py
@@ -107,6 +107,9 @@ def build_workflow_graph(
     min_memory_heat: float = 0.0,
     memory_limit: int = 0,  # 0 = unbounded (pg_store convention)
     stage: str = "full",
+    on_source_loaded: Any = None,
+    on_batch: Any = None,
+    defer_native_ast: bool = False,
 ) -> dict[str, Any]:
     """Load sources, build the graph, validate, and return JSON payload.
 
@@ -131,8 +134,58 @@ def build_workflow_graph(
     files, then republishes with AST. The client polls every 4s and
     renders the deltas so projects / files / symbols fade in instead of
     popping in all at once.
+
+    Streaming hooks (added 2026-05-27 to address the synchronous-blob
+    measurement on ``wip/layout-authority-sse-streaming``):
+
+      * ``on_source_loaded(label, count)`` — invoked after every PG
+        query returns, before any ingestion. Lets the caller post
+        progress messages ("loaded 6,315 memories") so the client
+        sees the work *in flight* rather than only the result. Pure
+        observability, no behavioural effect.
+      * ``on_batch(label, new_nodes, new_edges)`` — invoked after the
+        builder finishes ingesting one source. Lets the caller push
+        the delta into the LayoutAuthority / SSE producer immediately
+        instead of waiting for the whole graph to be built. The yielded
+        edges are already intra-batch deduped (see
+        ``WorkflowGraphBuilder.streaming_build`` docstring); the final
+        return dict is unchanged from the non-streaming path.
     """
     source = WorkflowGraphSource()
+
+    def _notify_loaded(label: str, payload) -> None:
+        """Report that source ``label`` finished loading."""
+        if on_source_loaded is not None:
+            on_source_loaded(label, len(payload) if payload is not None else 0)
+
+    # ── Interleaved load + ingest + emit (streaming only) ──
+    # When on_batch is set the browser is watching a live SSE stream of
+    # batches — the user EXPECTS to see nodes appear progressively. The
+    # default path (load every PG source up-front, then call
+    # builder.build()) makes streaming meaningless: the first batch
+    # only fires after every PG query has finished, which on the dev
+    # DB is ~100 s of silence. The interleaved path below loads each
+    # PG source, immediately ingests it into a long-lived builder, and
+    # emits the per-source delta — so first paint lands ~1 s after the
+    # first small source query returns. Small sources are ordered first
+    # so the user sees a meaningful structural graph (domains + skills
+    # + hooks + tool_hubs + files + discussions) within ~5 s, with
+    # heavy sources (memories, memory_entity_edges, AST) streaming in
+    # behind. domain_filter is applied per-source rather than over the
+    # combined input list.
+    if on_batch is not None and stage in ("files", "full"):
+        return _build_interleaved(
+            store=store,
+            source=source,
+            domain_filter=domain_filter,
+            min_memory_heat=min_memory_heat,
+            memory_limit=memory_limit,
+            stage=stage,
+            defer_native_ast=defer_native_ast,
+            on_source_loaded=on_source_loaded,
+            on_batch=on_batch,
+            notify_loaded=_notify_loaded,
+        )
     # Skeleton stage is the first paint — it must be lightweight. Only
     # load the L1 structural skeleton (domains + skills + hooks, at
     # most a few dozen nodes). Tool events, agents, commands, memories,
@@ -156,24 +209,37 @@ def build_workflow_graph(
         memory_entity_edges = []
     else:
         skills = source.load_skills()
+        _notify_loaded("skills", skills)
         hooks = source.load_hooks()
+        _notify_loaded("hooks", hooks)
         agents = source.load_agent_events()
+        _notify_loaded("agents", agents)
         commands = source.load_command_events(store)
+        _notify_loaded("commands", commands)
         memories = source.load_memories(
             store, min_heat=min_memory_heat, limit=memory_limit
         )
+        _notify_loaded("memories", memories)
         discussions = source.load_discussions()
+        _notify_loaded("discussions", discussions)
         skill_usage = source.load_skill_usage()
+        _notify_loaded("skill_usage", skill_usage)
         mcp_usage = source.load_mcp_usage()
+        _notify_loaded("mcp_usage", mcp_usage)
         discussion_tools = source.load_discussion_tool_uses()
+        _notify_loaded("discussion_tools", discussion_tools)
         discussion_agents = source.load_discussion_agents()
+        _notify_loaded("discussion_agents", discussion_agents)
         discussion_commands = source.load_discussion_commands()
+        _notify_loaded("discussion_commands", discussion_commands)
         # Knowledge-graph entities + their memory-link table. Both are
         # bounded by memory-heat (archived / cold memories don't land
         # in the graph, so their links silently drop in
         # ``ingest_about_entity``).
         entities = source.load_entities(store)
+        _notify_loaded("entities", entities)
         memory_entity_edges = source.load_memory_entity_edges(store)
+        _notify_loaded("memory_entity_edges", memory_entity_edges)
 
     # File-derived sources are deferred until ``stage`` reaches files.
     if stage in ("files", "full"):
@@ -213,8 +279,18 @@ def build_workflow_graph(
         # session. De-duplicates against AP output via NodeIdFactory in
         # `ingest_symbol`; AP's richer symbols win because they are
         # loaded first and `ingest_symbol` returns early on existing id.
+        #
+        # DEFERRED when defer_native_ast=True: tree-sitter parsing every
+        # file in known_paths is the dominant baseline cost — measured
+        # 58.6 s of a 99 s build on 2026-05-27, blocking first paint with
+        # no progress feedback. The http_standalone_graph baseline build
+        # passes defer_native_ast=True so the structural graph
+        # (domains/files/memories/entities) lands fast; AST symbols still
+        # arrive via the L6 AP loop in _run, which streams per-project.
+        # Callers wanting a complete single-shot result (legacy /api/graph
+        # fetch, tests) leave the flag False and keep the native parse.
         native_source = WorkflowGraphNativeASTSource()
-        if known_paths:
+        if known_paths and not defer_native_ast:
             native_symbols = native_source.load_symbols(list(known_paths))
             native_edges = native_source.load_ast_edges(list(known_paths))
             ast_symbols.extend(native_symbols)
@@ -240,28 +316,46 @@ def _matches(ev):
         entities = [e for e in entities if _matches(e)]
 
     builder = WorkflowGraphBuilder()
-    nodes, edges = builder.build(
-        WorkflowBuildInputs(
-            tool_events=tool_events,
-            skill_paths=skills,
-            hook_defs=hooks,
-            agent_events=agents,
-            command_events=commands,
-            memories=memories,
-            discussions=discussions,
-            entities=entities,
-            discussion_file_events=discussion_files,
-            skill_usage_events=skill_usage,
-            command_file_events=command_files,
-            mcp_usage_events=mcp_usage,
-            discussion_tool_events=discussion_tools,
-            discussion_agent_events=discussion_agents,
-            discussion_command_events=discussion_commands,
-            memory_entity_edges=memory_entity_edges,
-            ast_symbols=ast_symbols,
-            ast_edges=ast_edges,
-        )
+    build_inputs = WorkflowBuildInputs(
+        tool_events=tool_events,
+        skill_paths=skills,
+        hook_defs=hooks,
+        agent_events=agents,
+        command_events=commands,
+        memories=memories,
+        discussions=discussions,
+        entities=entities,
+        discussion_file_events=discussion_files,
+        skill_usage_events=skill_usage,
+        command_file_events=command_files,
+        mcp_usage_events=mcp_usage,
+        discussion_tool_events=discussion_tools,
+        discussion_agent_events=discussion_agents,
+        discussion_command_events=discussion_commands,
+        memory_entity_edges=memory_entity_edges,
+        ast_symbols=ast_symbols,
+        ast_edges=ast_edges,
     )
+    if on_batch is None:
+        # Non-streaming path — preserve historical behaviour exactly:
+        # one synchronous build, dedup-and-link applied at the end
+        # across the whole accumulated edge set.
+        nodes, edges = builder.build(build_inputs)
+    else:
+        # Streaming path — drain the per-source generator, accumulate
+        # the deltas, and run a final cross-source dedup so the return
+        # value matches the non-streaming contract bit-for-bit.
+        # Different sources emit different ``EdgeKind`` values so
+        # cross-source key collisions are impossible by construction,
+        # but the final pass keeps us honest if that ever changes.
+        nodes_all: list = []
+        edges_all: list = []
+        for _label, new_nodes, new_edges in builder.streaming_build(
+            build_inputs, on_batch=on_batch
+        ):
+            nodes_all.extend(new_nodes)
+            edges_all.extend(new_edges)
+        nodes, edges = builder._dedupe_and_link(nodes_all, edges_all)  # noqa: SLF001
 
     validate_graph(nodes, edges)
 
@@ -314,4 +408,257 @@ def _matches(ev):
     }
 
 
+def _build_interleaved(
+    *,
+    store,
+    source,
+    domain_filter: str | None,
+    min_memory_heat: float,
+    memory_limit: int,
+    stage: str,
+    defer_native_ast: bool,
+    on_source_loaded,
+    on_batch,
+    notify_loaded,
+):
+    """Interleaved load+ingest+emit path used when on_batch is set.
+
+    Order is deliberate — small / structural sources first so the user
+    sees a meaningful graph (domains + skills + hooks + tool_hubs +
+    files + discussions) within seconds, with the heavy memory /
+    entity / AST sources streaming in behind.
+    """
+    from mcp_server.core.workflow_graph_builder import WorkflowGraphBuilder
+    from mcp_server.core.workflow_graph_builder_relational import (
+        ingest_ast_edge,
+        ingest_command_file,
+        ingest_discussion_agent,
+        ingest_discussion_command,
+        ingest_discussion_file,
+        ingest_discussion_tool,
+        ingest_mcp_usage,
+        ingest_skill_usage,
+        ingest_symbol,
+    )
+    from mcp_server.core.workflow_graph_entity import (
+        ingest_about_entity,
+        ingest_entity,
+    )
+    from mcp_server.core.workflow_graph_schema import GLOBAL_DOMAIN_ID
+
+    builder = WorkflowGraphBuilder()
+    builder._ensure_domain(GLOBAL_DOMAIN_ID, "global")  # noqa: SLF001
+
+    def _filter(items, key="domain"):
+        if not domain_filter:
+            return items or []
+        return [ev for ev in (items or []) if (ev.get(key) or "") == domain_filter]
+
+    def _emit_delta(label: str, prev_n: int, prev_e: int) -> None:
+        if on_batch is None:
+            return
+        new_nodes = list(builder._nodes.values())[prev_n:]  # noqa: SLF001
+        new_edges_raw = builder._edges[prev_e:]  # noqa: SLF001
+        # Intra-batch dedupe so the per-source emission still collapses
+        # repeated (src, tgt, kind) edges; cross-source weight summing
+        # is preserved by the final _dedupe_and_link below.
+        _, new_edges = builder._dedupe_and_link(new_nodes, new_edges_raw)  # noqa: SLF001
+        on_batch(label, new_nodes, new_edges)
+
+    # Streaming ingest threshold — emit a partial batch every N items
+    # so the user watches the source FILL in (instead of one big burst
+    # after the entire source finishes ingesting). With 107 k memories
+    # taking ~5 s of pydantic-bound CPU, 500-item chunks at ~40 chunks/s
+    # = the browser repaints ~40 times during memories ingest. Small
+    # enough sources (<=_INGEST_CHUNK items) still get a single delta.
+    _INGEST_CHUNK = 500
+
+    def _ingest_loop(label: str, items: list, fn, fn_takes_builder: bool = False):
+        """Ingest items, emitting a partial delta every _INGEST_CHUNK so
+        the SSE subscribers see progress WITHIN the source — not just
+        after the whole source finishes ingesting."""
+        items = items or []
+        prev_n = len(builder._nodes)  # noqa: SLF001
+        prev_e = len(builder._edges)  # noqa: SLF001
+        ingested = 0
+        for ev in items:
+            if fn_takes_builder:
+                fn(builder, ev)
+            else:
+                fn(ev)
+            ingested += 1
+            if ingested % _INGEST_CHUNK == 0:
+                _emit_delta(label, prev_n, prev_e)
+                prev_n = len(builder._nodes)  # noqa: SLF001
+                prev_e = len(builder._edges)  # noqa: SLF001
+        # Final partial chunk (or single emit for small sources).
+        _emit_delta(label, prev_n, prev_e)
+
+    # ── Phase 1a: SMALL structural sources first (visible in seconds) ──
+    skills = source.load_skills()
+    notify_loaded("skills", skills)
+    _ingest_loop("skills", skills, builder._ingest_skill)
+
+    hooks = source.load_hooks()
+    notify_loaded("hooks", hooks)
+    _ingest_loop("hooks", hooks, builder._ingest_hook)
+
+    agents = _filter(source.load_agent_events())
+    notify_loaded("agents", agents)
+    _ingest_loop("agents", agents, builder._ingest_agent)
+
+    commands = _filter(source.load_command_events(store))
+    notify_loaded("commands", commands)
+    _ingest_loop("commands", commands, builder._ingest_command)
+
+    discussions = _filter(source.load_discussions())
+    notify_loaded("discussions", discussions)
+    _ingest_loop("discussions", discussions, builder._ingest_discussion)
+
+    # ── Phase 1b: tool events + file finalisation ──
+    # tool_events ingestion accumulates per-file tool counts; the file
+    # nodes are materialised when _finalize_files runs after.
+    tool_events = _filter(source.load_tool_events(store))
+    notify_loaded("tool_events", tool_events)
+    _ingest_loop("tool_events", tool_events, builder._ingest_tool_event)
+
+    known_paths = {e.get("file_path") for e in tool_events if e.get("file_path")}
+    # file nodes synthesised here — emit as their own batch so the
+    # browser can apply them in dependency order before phase 2 edges
+    # reference them.
+    prev_n = len(builder._nodes)  # noqa: SLF001
+    prev_e = len(builder._edges)  # noqa: SLF001
+    builder._finalize_files()  # noqa: SLF001
+    _emit_delta("files", prev_n, prev_e)
+
+    # ── Phase 1c: entities (medium ~22 k) ──
+    entities = _filter(source.load_entities(store))
+    notify_loaded("entities", entities)
+    _ingest_loop("entities", entities, ingest_entity, fn_takes_builder=True)
+
+    # ── Phase 2: relational edges (need phase 1 nodes) ──
+    discussion_files = _filter(source.load_discussion_files())
+    notify_loaded("discussion_files", discussion_files)
+    _ingest_loop("discussion_files", discussion_files, ingest_discussion_file, True)
+
+    command_files = source.load_command_files(store, known_paths)
+    notify_loaded("command_files", command_files)
+    _ingest_loop("command_files", command_files, ingest_command_file, True)
+
+    skill_usage = _filter(source.load_skill_usage())
+    notify_loaded("skill_usage", skill_usage)
+    _ingest_loop("skill_usage", skill_usage, ingest_skill_usage, True)
+
+    mcp_usage = _filter(source.load_mcp_usage())
+    notify_loaded("mcp_usage", mcp_usage)
+    _ingest_loop("mcp_usage", mcp_usage, ingest_mcp_usage, True)
+
+    discussion_tools = _filter(source.load_discussion_tool_uses())
+    notify_loaded("discussion_tools", discussion_tools)
+    _ingest_loop("discussion_tools", discussion_tools, ingest_discussion_tool, True)
+
+    discussion_agents = _filter(source.load_discussion_agents())
+    notify_loaded("discussion_agents", discussion_agents)
+    _ingest_loop("discussion_agents", discussion_agents, ingest_discussion_agent, True)
+
+    discussion_commands = _filter(source.load_discussion_commands())
+    notify_loaded("discussion_commands", discussion_commands)
+    _ingest_loop(
+        "discussion_commands", discussion_commands, ingest_discussion_command, True
+    )
+
+    # ── Phase 3: HEAVY sources last (memories + memory_entity_edges) ──
+    # Memories are the biggest PG query AND the biggest ingest pass on
+    # the user's dev DB (107 k rows). Use a SERVER-SIDE CURSOR so rows
+    # arrive in chunks during the query, and ingest + emit per chunk —
+    # the SSE subscriber sees memory nodes growing WHILE the query is
+    # still running, not after a ~10 s blocking .fetchall().
+    memories_total = 0
+    for chunk in source.iter_memories_chunked(
+        store, min_heat=min_memory_heat, chunk_size=1000
+    ):
+        if domain_filter:
+            chunk = [m for m in chunk if (m.get("domain") or "") == domain_filter]
+        prev_n = len(builder._nodes)  # noqa: SLF001
+        prev_e = len(builder._edges)  # noqa: SLF001
+        for ev in chunk:
+            builder._ingest_memory(ev)  # noqa: SLF001
+        memories_total += len(chunk)
+        _emit_delta("memories", prev_n, prev_e)
+        # Surface progress every chunk so /api/graph/progress shows the
+        # running total — the bottom-of-page poller picks this up.
+        if on_source_loaded is not None:
+            on_source_loaded("memories", memories_total)
+
+    memory_entity_edges = source.load_memory_entity_edges(store)
+    notify_loaded("memory_entity_edges", memory_entity_edges)
+    _ingest_loop("memory_entity_edges", memory_entity_edges, ingest_about_entity, True)
+
+    # ── Phase 4: AST symbols (deferred by default in streaming mode) ──
+    if stage == "full" and not defer_native_ast:
+        from mcp_server.infrastructure.workflow_graph_source_ast import (
+            WorkflowGraphASTSource,
+        )
+        from mcp_server.infrastructure.workflow_graph_source_native_ast import (
+            WorkflowGraphNativeASTSource,
+        )
+
+        ast_source = WorkflowGraphASTSource()
+        ast_symbols = ast_source.load_symbols([]) if ast_source.enabled() else []
+        ast_edges = ast_source.load_ast_edges([]) if ast_source.enabled() else []
+        native_source = WorkflowGraphNativeASTSource()
+        if known_paths:
+            ast_symbols.extend(native_source.load_symbols(list(known_paths)))
+            ast_edges.extend(native_source.load_ast_edges(list(known_paths)))
+        notify_loaded("ast_symbols", ast_symbols)
+        _ingest_loop("ast_symbols", ast_symbols, ingest_symbol, True)
+        notify_loaded("ast_edges", ast_edges)
+        _ingest_loop("ast_edges", ast_edges, ingest_ast_edge, True)
+
+    # Final pass: cross-source dedup (same contract as builder.build()).
+    nodes, edges = builder._dedupe_and_link(  # noqa: SLF001
+        builder._nodes.values(),  # noqa: SLF001
+        builder._edges,  # noqa: SLF001
+    )
+    validate_graph(nodes, edges)
+
+    domain_count = sum(1 for n in nodes if n.kind == "domain")
+    memory_count = sum(1 for n in nodes if n.kind == "memory")
+    file_count = sum(1 for n in nodes if n.kind == "file")
+    discussion_count = sum(1 for n in nodes if n.kind == "discussion")
+    symbol_count = sum(1 for n in nodes if n.kind == "symbol")
+    entity_node_count = sum(1 for n in nodes if n.kind == "entity")
+    return {
+        "nodes": [_node_to_dict(n) for n in nodes],
+        "edges": [_edge_to_dict(e) for e in edges],
+        "links": [_edge_to_dict(e) for e in edges],
+        "meta": {
+            "schema": "workflow_graph.v1",
+            "domain_filter": domain_filter,
+            "node_count": len(nodes),
+            "edge_count": len(edges),
+            "domain_count": domain_count,
+            "memory_count": memory_count,
+            "entity_count": file_count,
+            "discussion_count": discussion_count,
+            "counts": {
+                "nodes": len(nodes),
+                "edges": len(edges),
+                "tool_events": len(tool_events),
+                "skills": len(skills),
+                "hooks": len(hooks),
+                "agents": len(agents),
+                "commands": len(commands),
+                "memories": memories_total,
+                "discussions": len(discussions),
+                "files": file_count,
+                "symbols": symbol_count,
+                "entities": entity_node_count,
+            },
+            "ast_enabled": (stage == "full" and not defer_native_ast),
+            "streaming": "interleaved",
+        },
+    }
+
+
 __all__ = ["build_workflow_graph", "GraphValidationError"]
diff --git a/mcp_server/infrastructure/layout_pg_store.py b/mcp_server/infrastructure/layout_pg_store.py
index 71e2fe79..c31ca98c 100644
--- a/mcp_server/infrastructure/layout_pg_store.py
+++ b/mcp_server/infrastructure/layout_pg_store.py
@@ -82,7 +82,8 @@ def write_layout(
 def read_layout_version(store) -> dict | None:
     """Return ``{'version', 'fingerprint', 'count'}`` or None if empty."""
     sql = (
-        "SELECT layout_version, topology_fingerprint, COUNT(*) "
+        "SELECT layout_version AS v, topology_fingerprint AS fp, "
+        "COUNT(*) AS n "
         "FROM workflow_graph_layout "
         "GROUP BY layout_version, topology_fingerprint "
         "ORDER BY layout_version DESC LIMIT 1"
@@ -92,7 +93,10 @@ def read_layout_version(store) -> dict | None:
         row = cur.fetchone()
     if not row:
         return None
-    return {"version": int(row[0]), "fingerprint": row[1], "count": int(row[2])}
+    # The pool is configured with ``dict_row`` (see pg_store.py), so
+    # ``row`` is a dict keyed on the SELECT aliases. Tuple-indexing
+    # would raise KeyError(0). The aliases above pin stable keys.
+    return {"version": int(row["v"]), "fingerprint": row["fp"], "count": int(row["n"])}
 
 
 def read_all_positions(store) -> list[tuple[str, float, float, str]]:
@@ -106,7 +110,12 @@ def read_all_positions(store) -> list[tuple[str, float, float, str]]:
     sql = "SELECT node_id, x, y, kind FROM workflow_graph_layout"
     with _conn(store) as conn, conn.cursor() as cur:
         cur.execute(sql)
-        return [(r[0], float(r[1]), float(r[2]), r[3]) for r in cur.fetchall()]
+        # Pool returns dict rows; index by column name so the read
+        # stays correct regardless of how the pool was configured.
+        return [
+            (r["node_id"], float(r["x"]), float(r["y"]), r["kind"])
+            for r in cur.fetchall()
+        ]
 
 
 def read_positions_in_bbox(
@@ -130,4 +139,7 @@ def read_positions_in_bbox(
     )
     with _conn(store) as conn, conn.cursor() as cur:
         cur.execute(sql, (min_x, max_x, min_y, max_y))
-        return [(r[0], float(r[1]), float(r[2]), r[3]) for r in cur.fetchall()]
+        return [
+            (r["node_id"], float(r["x"]), float(r["y"]), r["kind"])
+            for r in cur.fetchall()
+        ]
diff --git a/mcp_server/infrastructure/pg_schema.py b/mcp_server/infrastructure/pg_schema.py
index 4d2311fe..0b38e2d0 100644
--- a/mcp_server/infrastructure/pg_schema.py
+++ b/mcp_server/infrastructure/pg_schema.py
@@ -511,7 +511,7 @@
 -- Precomputed (x, y) coordinates for every workflow-graph node. The
 -- layout pass runs out-of-band (handlers/recompute_layout.py via
 -- igraph DrL on CPU) and persists the result here so the viz can ship
--- coordinates with each node — eliminating the d3-force tick cost in
+-- coordinates with each node, eliminating the d3-force tick cost in
 -- the browser. ``topology_fingerprint`` tracks which graph build the
 -- coordinates were computed against. The tile and quadtree endpoints
 -- read them by ``layout_version`` so a stale layout never serves
@@ -1366,7 +1366,15 @@ def _split_statements(ddl: str) -> list[str]:
         return [ddl.strip()] if ddl.strip() else []
     statements = []
     for part in ddl.split(";"):
-        stmt = part.strip()
+        # Strip leading SQL line comments and blank lines so a chunk that
+        # begins with "-- foo\nCREATE TABLE ..." is not mistaken for the
+        # comment text being the first SQL token. Also drop chunks that
+        # are *entirely* comments / whitespace.
+        lines = [ln for ln in part.splitlines()]
+        # remove leading blank/comment lines
+        while lines and (not lines[0].strip() or lines[0].lstrip().startswith("--")):
+            lines.pop(0)
+        stmt = "\n".join(lines).strip()
         if stmt:
             statements.append(stmt + ";")
     return statements
diff --git a/mcp_server/infrastructure/pg_store.py b/mcp_server/infrastructure/pg_store.py
index e6468517..70a2bac0 100644
--- a/mcp_server/infrastructure/pg_store.py
+++ b/mcp_server/infrastructure/pg_store.py
@@ -296,20 +296,49 @@ def _execute_on_conn(
             cur = conn.execute(query, params, **kwargs)
         return _MaterializedCursor(cur)
 
+    # Advisory lock id for schema bootstrap. Two processes hitting a
+    # fresh DB simultaneously (e.g. http_standalone + a worker subproc)
+    # used to deadlock on the A3 migration's ALTER TABLE / CREATE INDEX
+    # pair. With this lock, the second process waits for the first to
+    # finish before re-running idempotent DDL.
+    # source: hashlib.sha256(b'cortex_schema_a3').hexdigest() mod 2**31
+    _SCHEMA_LOCK_ID = 1357020271
+
     def _init_schema(self) -> None:
         """Create all tables, indexes, and stored procedures.
 
         Each statement runs independently — one failure doesn't
         prevent the rest from being created.
+
+        Wrapped in a Postgres advisory lock so concurrent processes
+        bootstrapping the same database serialize through the migration
+        DDL instead of deadlocking on overlapping ALTER TABLE locks.
+
+        Pre: self._conn is a live psycopg connection.
+        Post: schema is at the latest version; advisory lock released
+        even on failure (try/finally).
         """
-        for ddl in get_all_ddl():
+        # Acquire — blocks until peer releases. pg_advisory_lock is
+        # session-scoped; safe across the autocommit/transaction modes
+        # we use because release is paired in the finally block.
+        self._conn.execute("SELECT pg_advisory_lock(%s);", (self._SCHEMA_LOCK_ID,))
+        try:
+            for ddl in get_all_ddl():
+                try:
+                    self._conn.execute(ddl)
+                except Exception as exc:
+                    logger.warning(
+                        "Schema statement failed: %s — %s", ddl.split("\n")[0][:50], exc
+                    )
+            self._conn.commit()
+        finally:
             try:
-                self._conn.execute(ddl)
-            except Exception as exc:
-                logger.warning(
-                    "Schema statement failed: %s — %s", ddl.split("\n")[0][:50], exc
+                self._conn.execute(
+                    "SELECT pg_advisory_unlock(%s);", (self._SCHEMA_LOCK_ID,)
                 )
-        self._conn.commit()
+                self._conn.commit()
+            except Exception as exc:
+                logger.warning("Failed to release schema advisory lock: %s", exc)
 
     @property
     def has_vec(self) -> bool:
diff --git a/mcp_server/infrastructure/pg_store_queries.py b/mcp_server/infrastructure/pg_store_queries.py
index 513941de..4e02b07b 100644
--- a/mcp_server/infrastructure/pg_store_queries.py
+++ b/mcp_server/infrastructure/pg_store_queries.py
@@ -60,6 +60,64 @@ def get_hot_memories(
             ).fetchall()
         return [self._normalize_memory_row(r) for r in rows]
 
+    def iter_hot_memories_chunked(
+        self,
+        min_heat: float = 0.0,
+        include_benchmarks: bool = True,
+        chunk_size: int = 1000,
+    ) -> "Iterator[list[dict[str, Any]]]":
+        """Stream hot memories in chunks via a server-side cursor.
+
+        Same query as ``get_hot_memories(limit=0)`` but rows arrive in
+        ``chunk_size`` batches over the wire — the caller can ingest +
+        emit + repaint per chunk instead of waiting for a 100 k-row
+        ``.fetchall()`` to materialise. Used by the workflow-graph build
+        so the SSE event stream surfaces memories as they arrive from PG
+        rather than after the whole query finishes. Mirrors the existing
+        ``iter_memories_for_decay`` server-side-cursor pattern.
+
+        source: docs/program/phase-5-pool-admission-design.md (Phase 4
+        chunked iteration via ``itersize`` on named cursors).
+        """
+        from mcp_server.infrastructure.memory_config import get_memory_settings
+
+        if get_memory_settings().POOL_DISABLED:
+            yield self.get_hot_memories(
+                min_heat=min_heat,
+                limit=0,
+                include_benchmarks=include_benchmarks,
+            )
+            return
+
+        bench_filter = (
+            "" if include_benchmarks else "AND NOT coalesce(is_benchmark, FALSE) "
+        )
+        sql = (
+            f"SELECT * FROM memories WHERE heat_base >= %s {bench_filter}"
+            "ORDER BY heat_base DESC"
+        )
+        # Named (server-side) cursors require an active transaction;
+        # the batch pool's connections default to autocommit, so wrap
+        # in an explicit conn.transaction() to satisfy the
+        # "DECLARE CURSOR can only be used in transaction blocks"
+        # constraint.
+        with self.batch_pool.connection() as conn:
+            with conn.transaction():
+                with conn.cursor(name="graph_hot_stream") as cur:
+                    cur.itersize = chunk_size
+                    cur.execute(sql, (min_heat,))
+                    chunk: list[dict[str, Any]] = []
+                    for row in cur:
+                        # dict(row) — match the iter_memories_for_decay
+                        # idiom; the named cursor doesn't apply
+                        # dict_row by default so rows arrive as tuples.
+                        chunk.append(self._normalize_memory_row(dict(row)))
+                        if len(chunk) >= chunk_size:
+                            yield chunk
+                            chunk = []
+                    if chunk:
+                        yield chunk
+
     def get_all_memories_with_embeddings(self) -> list[dict[str, Any]]:
         rows = self._execute(
             "SELECT id, heat_base, embedding FROM memories WHERE embedding IS NOT NULL"
diff --git a/mcp_server/infrastructure/workflow_graph_source.py b/mcp_server/infrastructure/workflow_graph_source.py
index 0dfe244e..52d4f9ae 100644
--- a/mcp_server/infrastructure/workflow_graph_source.py
+++ b/mcp_server/infrastructure/workflow_graph_source.py
@@ -189,6 +189,20 @@ def load_memories(
     ) -> list[dict[str, Any]]:
         return _pg.load_memories(pg_store, min_heat=min_heat, limit=limit)
 
+    def iter_memories_chunked(
+        self, pg_store, min_heat: float = 0.0, chunk_size: int = 1000
+    ):
+        """Stream memory chunks via a server-side PG cursor.
+
+        Mirrors ``load_memories`` but yields chunks of projected dicts
+        as PG sends them — the workflow-graph build uses this so SSE
+        subscribers see memory nodes WHILE the query runs (rather than
+        a ~10 s blocking wait followed by a single burst).
+        """
+        return _pg.iter_memories_chunked(
+            pg_store, min_heat=min_heat, chunk_size=chunk_size
+        )
+
     # ── 7. Discussions (JSONL metadata) ───────────────────────────────
     def load_discussions(self, session_store=None) -> list[dict[str, Any]]:
         _ = session_store
diff --git a/mcp_server/infrastructure/workflow_graph_source_pg.py b/mcp_server/infrastructure/workflow_graph_source_pg.py
index 6f3284fd..94390297 100644
--- a/mcp_server/infrastructure/workflow_graph_source_pg.py
+++ b/mcp_server/infrastructure/workflow_graph_source_pg.py
@@ -186,6 +186,25 @@ def load_command_files(
     ]
 
 
+def _project_memory_row(r: dict[str, Any]) -> dict[str, Any]:
+    """Pick the graph-relevant fields from a normalized memory row.
+
+    Extracted from ``load_memories`` so ``iter_memories_chunked`` can
+    project per-chunk rows using the same shape contract.
+    """
+    row_dict: dict[str, Any] = {
+        "id": r.get("id"),
+        "domain": r.get("domain") or "",
+        "consolidation_stage": r.get("consolidation_stage") or "episodic",
+        "heat": float(r.get("heat") or r.get("heat_base") or 0.0),
+        "content": r.get("content") or "",
+    }
+    for k in _MEMORY_PASSTHROUGH_KEYS:
+        if k in r and r[k] is not None:
+            row_dict[k] = r[k]
+    return row_dict
+
+
 def load_memories(
     pg_store, min_heat: float = 0.0, limit: int = 10000
 ) -> list[dict[str, Any]]:
@@ -195,20 +214,25 @@ def load_memories(
         limit=limit,
         include_benchmarks=True,
     )
-    out: list[dict[str, Any]] = []
-    for r in rows:
-        row_dict: dict[str, Any] = {
-            "id": r.get("id"),
-            "domain": r.get("domain") or "",
-            "consolidation_stage": r.get("consolidation_stage") or "episodic",
-            "heat": float(r.get("heat") or r.get("heat_base") or 0.0),
-            "content": r.get("content") or "",
-        }
-        for k in _MEMORY_PASSTHROUGH_KEYS:
-            if k in r and r[k] is not None:
-                row_dict[k] = r[k]
-        out.append(row_dict)
-    return out
+    return [_project_memory_row(r) for r in rows]
+
+
+def iter_memories_chunked(pg_store, min_heat: float = 0.0, chunk_size: int = 1000):
+    """Stream-yield memory chunks via a server-side PG cursor.
+
+    Streaming counterpart to ``load_memories``: instead of fetching the
+    entire result set into Python memory and returning it, yields
+    ``chunk_size``-sized lists of projected memory dicts as PG sends
+    them over the wire. The workflow-graph build uses this so the SSE
+    event stream surfaces memories DURING the query, not after a ~10 s
+    blocking ``.fetchall()`` materialisation.
+    """
+    for chunk in pg_store.iter_hot_memories_chunked(
+        min_heat=min_heat,
+        include_benchmarks=True,
+        chunk_size=chunk_size,
+    ):
+        yield [_project_memory_row(r) for r in chunk]
 
 
 def load_entities(pg_store, min_heat: float = 0.05) -> list[dict[str, Any]]:
diff --git a/mcp_server/server/bench_layout_authority.py b/mcp_server/server/bench_layout_authority.py
new file mode 100644
index 00000000..e18c4159
--- /dev/null
+++ b/mcp_server/server/bench_layout_authority.py
@@ -0,0 +1,317 @@
+"""Reproducible benchmark harness for the Cortex layout authority.
+
+Profile-before-optimize (Knuth 1974, Computing Surveys 6(4)): MEASURES
+where time is spent — does not speculate. Three component micro-benches
+(geometry, scheduler, log) + one integration bench; each reports
+ns/op and ops/sec. Run::
+    python3 -m mcp_server.server.bench_layout_authority [--n N]
+Default N=1e6 nodes, 4*N edges; kind mix: 10 domains / 70 tool_hubs /
+30k files / 250k symbols / 250k memories / 100k entities / 50k
+discussions / pad with skill/hook/command/agent/mcp.
+"""
+
+from __future__ import annotations
+
+import argparse
+import math
+import sys
+import time
+from dataclasses import dataclass
+from typing import Callable
+
+from mcp_server.server.layout_authority_geometry import (
+    base_radius,
+    compute_slot,
+    domain_anchor,
+    outward_angle,
+    tool_hub_angle,
+)
+from mcp_server.server.layout_authority_log import (
+    emit,
+    replay_since,
+    reset as log_reset,
+)
+from mcp_server.server.layout_authority_protocol import EdgeDelta
+from mcp_server.server.layout_authority_scheduler import (
+    PriorityScheduler,
+    priority_for_edge,
+    priority_for_node,
+)
+from mcp_server.server.layout_authority_wire import format_edge, format_slot
+
+
+# ── Workload synthesis ──────────────────────────────────────────────────
+
+
+@dataclass(slots=True)
+class _WireSlot:  # duck-types what format_slot reads (.node_id/.x/.y/.kind/.domain_id)
+    node_id: str
+    x: float
+    y: float
+    kind: str
+    domain_id: str  # noqa: E702
+
+
+@dataclass(frozen=True, slots=True)
+class WorkloadSpec:
+    n_total: int
+    n_domains: int = 10
+    n_tool_hubs: int = 70
+    n_files: int = 30_000
+    n_symbols: int = 250_000
+    n_memories: int = 250_000
+    n_entities: int = 100_000
+    n_discussions: int = 50_000
+
+    def padding(self) -> int:
+        used = (
+            self.n_domains
+            + self.n_tool_hubs
+            + self.n_files
+            + self.n_symbols
+            + self.n_memories
+            + self.n_entities
+            + self.n_discussions
+        )
+        return max(self.n_total - used, 0)
+
+
+def synthesize_kinds(spec: WorkloadSpec) -> list[str]:
+    """Kind string per node, in production arrival order."""
+    s = spec
+    parts = (
+        ("domain", s.n_domains),
+        ("tool_hub", s.n_tool_hubs),
+        ("file", s.n_files),
+        ("symbol", s.n_symbols),
+        ("memory", s.n_memories),
+        ("entity", s.n_entities),
+        ("discussion", s.n_discussions),
+    )
+    out: list[str] = [k for k, c in parts for _ in range(c)]
+    fillers = ("skill", "hook", "command", "agent", "mcp")
+    out.extend(fillers[i % len(fillers)] for i in range(s.padding()))
+    return out[: s.n_total]
+
+
+def precompute_anchors(nd: int, w: float = 1000.0, h: float = 1000.0):
+    cx, cy, base_r = w / 2.0, h / 2.0, base_radius(w, h, nd)
+    anchors = [domain_anchor(i, nd, cx, cy, base_r) for i in range(nd)]
+    return anchors, [outward_angle(a, cx, cy) for a in anchors], base_r, cx, cy
+
+
+def _measure(label: str, n: int, fn: Callable[[], None]) -> dict:
+    t0 = time.perf_counter_ns()
+    fn()
+    el = time.perf_counter_ns() - t0
+    return {
+        "label": label,
+        "n": n,
+        "elapsed_ns": el,
+        "ns_per_op": el / n if n else float("inf"),
+        "ops_per_sec": (n / (el / 1e9)) if el else float("inf"),
+    }
+
+
+# ── Bench 1: geometry slot computation ──────────────────────────────────
+
+
+def bench_geometry(spec: WorkloadSpec) -> dict:
+    kinds = synthesize_kinds(spec)
+    anchors, outwards, base_r, cx, cy = precompute_anchors(spec.n_domains)
+    bucket: dict[tuple[int, str], int] = {}
+    file_slots: dict[int, tuple[float, float]] = {}
+    tools = ("Edit", "Write", "Read", "Grep", "Glob", "Bash", "Task")
+    nd, nt = spec.n_domains, spec.n_total
+    files_per = max(spec.n_files // nd, 1)
+    syms_per = max(spec.n_symbols // max(spec.n_files, 1), 1)
+    other_per = max(nt // nd, 1)
+
+    def run() -> None:
+        for i, kind in enumerate(kinds):
+            d = i % nd
+            anchor, outward = anchors[d], outwards[d]
+            idx = bucket.get((d, kind), 0)
+            bucket[(d, kind)] = idx + 1
+            tool = tools[idx % len(tools)]
+            if kind == "domain":
+                ctx = {
+                    "index": d,
+                    "total_domains": nd,
+                    "cx": cx,
+                    "cy": cy,
+                    "base_r": base_r,
+                }
+            elif kind == "tool_hub":
+                ctx = {"anchor": anchor, "outward": outward, "tool_name": tool}
+            elif kind == "file":
+                ctx = {
+                    "anchor": anchor,
+                    "idx": idx,
+                    "total": files_per,
+                    "hub_angle": tool_hub_angle(outward, tool),
+                }
+            elif kind == "symbol":
+                ctx = {
+                    "file_slot": file_slots.get(d, anchor),
+                    "idx": idx,
+                    "total": syms_per,
+                }
+            else:
+                ctx = {
+                    "anchor": anchor,
+                    "outward": outward,
+                    "idx": idx,
+                    "total": other_per,
+                }
+            slot = compute_slot(kind, ctx)
+            if kind == "file":
+                file_slots[d] = slot
+            if not math.isfinite(slot[0]):  # block DCE
+                raise AssertionError("non-finite slot")
+
+    return _measure("geometry.compute_slot", nt, run)
+
+
+# ── Bench 2: scheduler submit + pop round-trips ─────────────────────────
+
+
+def bench_scheduler(spec: WorkloadSpec) -> dict:
+    kinds = synthesize_kinds(spec)
+    n_edges = spec.n_total * 4
+    sched = PriorityScheduler()
+
+    def run() -> None:
+        for i, kind in enumerate(kinds):
+            sched.submit(priority_for_node(kind), (i, kind))
+        ep = priority_for_edge()
+        for i in range(n_edges):
+            sched.submit(ep, i)
+        total = spec.n_total + n_edges
+        for _ in range(total):
+            if sched.pop(timeout=0.0) is None:
+                break  # caps cause expected drops at P4/P5
+
+    return _measure("scheduler.submit+pop", spec.n_total + n_edges, run)
+
+
+# ── Bench 3: log emit + replay_since ────────────────────────────────────
+
+
+def bench_log(spec: WorkloadSpec) -> dict:
+    """N emits + replay_since. When N exceeds the 500k ring cap, the
+    baseline drops out and replay returns the gap signal — by-design."""
+    log_reset()
+    payload = b"id: 0\nevent: slot\ndata: x|0.0|0.0|domain|d0\n\n"
+    n = spec.n_total
+
+    def run() -> None:
+        for _ in range(n):
+            emit("slot", payload)
+        replay_since(0)  # exercises the gap path when ring overflowed
+
+    return _measure("log.emit+replay_since", n, run)
+
+
+# ── Bench 4: integration (scheduler -> log -> wire) ─────────────────────
+
+
+def bench_integration(spec: WorkloadSpec) -> dict:
+    """Full pipeline (submit -> pop -> format_{slot,edge} -> emit) in
+    bounded BATCH waves so scheduler caps are respected."""
+    kinds = synthesize_kinds(spec)
+    anchors, *_ = precompute_anchors(spec.n_domains)
+    sched = PriorityScheduler()
+    log_reset()
+    n_edges = spec.n_total * 4
+    total = spec.n_total + n_edges
+    sample_edge = EdgeDelta(source_id="src", target_id="tgt", kind="calls")
+    nd, BATCH = spec.n_domains, 4096
+    edges_per_node = n_edges // max(spec.n_total, 1)
+    ep = priority_for_edge()
+
+    def drain(seq: int) -> int:
+        while True:
+            got = sched.pop(timeout=0.0)
+            if got is None:
+                return seq
+            pri, item = got
+            seq += 1
+            if pri <= 4:
+                i, kind = item  # type: ignore[misc]
+                a = anchors[i % nd]
+                emit(
+                    "slot",
+                    format_slot(
+                        seq,
+                        _WireSlot(
+                            node_id=f"n{i}",
+                            x=a[0],
+                            y=a[1],
+                            kind=kind,
+                            domain_id=f"d{i % nd}",
+                        ),
+                    ),
+                )
+            else:
+                emit("edge", format_edge(seq, sample_edge))
+
+    def run() -> None:
+        seq, edge_remaining = 0, n_edges
+        for bs in range(0, spec.n_total, BATCH):
+            for i in range(bs, min(bs + BATCH, spec.n_total)):
+                sched.submit(priority_for_node(kinds[i]), (i, kinds[i]))
+                for _e in range(edges_per_node):
+                    if edge_remaining <= 0:
+                        break
+                    sched.submit(ep, edge_remaining)
+                    edge_remaining -= 1
+            seq = drain(seq)
+        drain(seq)
+
+    base = emit("probe", b"") - 1
+    result = _measure("pipeline.scheduler+log+wire", total, run)
+    result["log_retained"] = len(replay_since(base)[0])
+    result["sched_dropped"] = sum(sched.stats()["dropped"].values())
+    return result
+
+
+# ── Reporter ────────────────────────────────────────────────────────────
+
+
+def _fmt(r: dict) -> str:
+    return (
+        f"  {r['label']:<32} n={r['n']:>10,} {r['ns_per_op']:>10,.1f} ns/op"
+        f"  {r['ops_per_sec']:>14,.0f} ops/sec"
+    )
+
+
+def main(argv: list[str] | None = None) -> int:
+    p = argparse.ArgumentParser(prog="bench_layout_authority")
+    p.add_argument("--n", type=int, default=1_000_000, help="node count")
+    spec = WorkloadSpec(n_total=p.parse_args(argv).n)
+    print(f"Workload: N={spec.n_total:,} nodes, {spec.n_total * 4:,} edges")
+    print(
+        f"  domains={spec.n_domains}  tool_hubs={spec.n_tool_hubs}  "
+        f"files={spec.n_files:,}  symbols={spec.n_symbols:,}  "
+        f"memories={spec.n_memories:,}  entities={spec.n_entities:,}  "
+        f"discussions={spec.n_discussions:,}  pad={spec.padding():,}\n"
+    )
+    results = [fn(spec) for fn in (bench_geometry, bench_scheduler, bench_log)]
+    print("Component benchmarks:")
+    for r in results:
+        print(_fmt(r))  # noqa: E701
+    print("\nIntegration benchmark:")
+    integ = bench_integration(spec)
+    print(_fmt(integ))
+    print(
+        f"    log retained: {integ['log_retained']:,} events  "
+        f"scheduler dropped: {integ['sched_dropped']:,} items"
+    )
+    bn = max(results, key=lambda x: x["ns_per_op"])
+    print(f"\nComponent bottleneck: {bn['label']} ({bn['ns_per_op']:.1f} ns/op)")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())  # noqa: E701
diff --git a/mcp_server/server/graph_event_stream.py b/mcp_server/server/graph_event_stream.py
new file mode 100644
index 00000000..6f47186a
--- /dev/null
+++ b/mcp_server/server/graph_event_stream.py
@@ -0,0 +1,244 @@
+"""In-memory replayable event stream for the live-build SSE protocol.
+
+The first visit to the graph viz on a cold cache (no precomputed binary
+snapshot) used to block until the entire ingest finished — ~1–3 min on
+a 100 k-memory dev DB. This module wires a live stream of per-source
+batches so the browser receives node/edge deltas AS THE BUILDER
+PRODUCES THEM, and the user watches the graph grow instead of waiting
+for a final paint.
+
+Why this exists vs the layout_authority SSE infrastructure on the same
+branch: layout_authority emits closed-form slot assignments in a tight
+binary wire format aimed at the streaming_canvas renderer. The
+force-directed renderer used by the page today (workflow_graph.js)
+consumes JSON node/edge dicts via JUG.appendGraphDelta, so we publish
+the SAME dict shape /api/graph would have returned, just chunked into
+many small events. No new client decoder needed.
+
+Why the per-source on_batch wiring on this branch ground to a halt
+earlier: it routed every node/edge through _merge + LayoutAuthority
+synchronously in the build thread. _merge does an O(cache) kind_counts
+recompute on every call, and the 107 k-memory batch made that a multi-
+minute stall. This event stream is intentionally JUST a queue: emit
+appends to a deque, returns immediately, no per-item bookkeeping. The
+cumulative cache (_graph_cache) is still populated in ONE _merge at
+the end of the build, where the O(cache) recompute is paid once on
+the full graph, not per source.
+
+Concurrency:
+    emit() / close() / reset() — called from the build worker thread
+        (single producer per build, multiple subscribers can be reading
+        concurrently). Uses an internal condition variable to wake
+        sleeping subscribers when events arrive.
+    subscribe() — called from any SSE handler thread, yields events
+        in insertion order starting at index ``since`` (Last-Event-ID
+        resume semantics). Returns when close() fires + the subscriber
+        has drained.
+
+Memory: bounded by max_events (default 100 k). At ~2 KB per chunked
+batch this caps the stream at ~200 MB worst case, but typical builds
+emit O(100) events of O(1000) nodes/edges each = O(10 MB). The cap
+exists so a runaway producer doesn't fill memory if every subscriber
+disconnects mid-stream.
+"""
+
+from __future__ import annotations
+
+import collections
+import json
+import threading
+from typing import Any, Iterator
+
+
+class GraphEventStream:
+    """Append-only event log + condition-variable fan-out.
+
+    Mirrors the layout_authority_log pattern (single-producer write,
+    multi-subscriber read, replay-since-index) but stores dict-shaped
+    JSON batches instead of binary slot frames.
+    """
+
+    __slots__ = ("_buf", "_lock", "_cond", "_closed", "_max")
+
+    def __init__(self, max_events: int = 100_000) -> None:
+        self._buf: collections.deque = collections.deque(maxlen=max_events)
+        self._lock = threading.Lock()
+        self._cond = threading.Condition(self._lock)
+        self._closed = False
+        self._max = max_events
+
+    # ── Producer side ───────────────────────────────────────────────
+
+    def emit(
+        self,
+        label: str,
+        nodes: list[dict[str, Any]],
+        edges: list[dict[str, Any]],
+        *,
+        chunk: int = 1000,
+    ) -> int:
+        """Append a batch (chunked into sub-batches of ``chunk`` items).
+
+        Returns the number of sub-events emitted. Empty inputs are a
+        no-op (returns 0). Each emitted sub-event carries a synthetic
+        sub-label so the client can log progression without inferring.
+        """
+        if not nodes and not edges:
+            return 0
+        emitted = 0
+        n_total = len(nodes)
+        e_total = len(edges)
+        # Slice nodes and edges in parallel so a giant memories batch
+        # (107 k nodes + 107 k edges) lands as ~107 chunks of ~1000 each.
+        # Each sub-event JSON-serialises to roughly 100–300 KB —
+        # browser-friendly, no SSE buffer pressure.
+        total = max(n_total, e_total)
+        step = max(1, chunk)
+        with self._cond:
+            for off in range(0, total, step):
+                n_chunk = nodes[off : off + step]
+                e_chunk = edges[off : off + step]
+                if not n_chunk and not e_chunk:
+                    continue
+                self._buf.append(
+                    {
+                        "label": label,
+                        "off": off,
+                        "n_total": n_total,
+                        "e_total": e_total,
+                        "nodes": n_chunk,
+                        "edges": e_chunk,
+                    }
+                )
+                emitted += 1
+            if emitted:
+                self._cond.notify_all()
+        return emitted
+
+    def close(self) -> None:
+        """Mark the stream complete. Subscribers drain remaining events
+        then exit their subscribe() loop. Idempotent."""
+        with self._cond:
+            if self._closed:
+                return
+            self._closed = True
+            self._cond.notify_all()
+
+    def reset(self) -> None:
+        """Start a fresh stream (called when a new build kicks). Wakes
+        any current subscribers so they observe end-of-stream and the
+        new build's stream replaces this one in the global slot."""
+        with self._cond:
+            self._buf.clear()
+            self._closed = True
+            self._cond.notify_all()
+        # Recreate the underlying buffers so a subsequent emit appends
+        # to a fresh queue. _closed is reset on the next emit-or-open.
+        self._buf = collections.deque(maxlen=self._max)
+        self._closed = False
+
+    # ── Subscriber side ─────────────────────────────────────────────
+
+    def stats(self) -> dict:
+        with self._lock:
+            return {"count": len(self._buf), "closed": self._closed}
+
+    def subscribe(
+        self, since: int = 0, *, timeout: float = 30.0
+    ) -> Iterator[tuple[int, dict]]:
+        """Generator yielding ``(index, event_dict)`` from ``since``.
+
+        Returns when (a) the stream is closed AND the subscriber has
+        drained all events, or (b) ``timeout`` seconds elapse with no
+        new events and the stream is still open (the SSE handler can
+        send a heartbeat and re-call subscribe with the next index).
+
+        ``index`` is the position in the buffer; clients can use it as
+        Last-Event-ID for resume after a reconnect.
+        """
+        i = since
+        while True:
+            with self._cond:
+                if i >= len(self._buf) and not self._closed:
+                    # Wait for new events OR close, up to ``timeout`` per
+                    # call. Timeout is PER-WAIT (not cumulative across
+                    # multiple events), so a long-running build with
+                    # steady event flow never spuriously times out — it
+                    # only returns when truly idle for ``timeout`` s.
+                    self._cond.wait(timeout=timeout)
+                if i < len(self._buf):
+                    ev = self._buf[i]
+                elif self._closed:
+                    # Closed AND drained.
+                    return
+                else:
+                    # Idle timeout without new events — return so the
+                    # SSE handler can emit a heartbeat and re-subscribe.
+                    return
+            yield i, ev
+            i += 1
+
+
+# ── Process-wide singleton ──────────────────────────────────────────
+# One stream per process. A new build resets it (see reset()); active
+# subscribers observe close-of-stream and reconnect, which is exactly
+# the behaviour SSE clients implement by default.
+
+_stream = GraphEventStream()
+
+
+def get_stream() -> GraphEventStream:
+    return _stream
+
+
+def emit(label: str, nodes: list, edges: list, *, chunk: int = 1000) -> int:
+    return _stream.emit(label, nodes, edges, chunk=chunk)
+
+
+def close() -> None:
+    _stream.close()
+
+
+def reset() -> None:
+    global _stream
+    _stream.reset()
+
+
+# ── SSE wire helpers ────────────────────────────────────────────────
+
+
+def _json_default(o):
+    """Fallback for non-JSON-native types we still want to surface.
+
+    Memory nodes carry datetime fields (last_accessed, stage_entered_at,
+    …) — pydantic's ``model_dump`` keeps them as datetime objects rather
+    than ISO strings, so a naïve ``json.dumps`` raises ``TypeError:
+    Object of type datetime is not JSON serializable``. Stringify
+    anything we don't natively serialise.
+    """
+    try:
+        return o.isoformat()
+    except AttributeError:
+        return str(o)
+
+
+def format_event(index: int, event: dict) -> bytes:
+    """Format one event as an SSE frame.
+
+    ``id:`` is the buffer index so the browser can resume via the
+    standard ``Last-Event-ID`` header on reconnect.
+    """
+    payload = json.dumps(event, separators=(",", ":"), default=_json_default)
+    return (f"id: {index}\nevent: batch\ndata: {payload}\n\n").encode("utf-8")
+
+
+def format_done(total_nodes: int, total_edges: int) -> bytes:
+    payload = json.dumps(
+        {"total_nodes": total_nodes, "total_edges": total_edges},
+        separators=(",", ":"),
+    )
+    return (f"event: done\ndata: {payload}\n\n").encode("utf-8")
+
+
+def format_heartbeat() -> bytes:
+    return b": heartbeat\n\n"
diff --git a/mcp_server/server/graph_snapshot.py b/mcp_server/server/graph_snapshot.py
new file mode 100644
index 00000000..f740f652
--- /dev/null
+++ b/mcp_server/server/graph_snapshot.py
@@ -0,0 +1,331 @@
+"""Binary graph snapshot — load the full graph in ~200 ms regardless of DB.
+
+The original ``/api/graph`` path serialises the in-memory graph to JSON on
+every request: ~50–100 MB of JSON for a 135 k-node graph, ~1–3 s to
+``JSON.parse`` in the browser, plus the network transfer. Even when the
+build is cached, the *load* is dominated by re-encoding and re-parsing
+data that hasn't changed.
+
+This module defines a precomputed, fixed-width binary snapshot that the
+build worker writes once after a successful build. The endpoint
+``/api/graph.bin`` streams the file as ``application/octet-stream``
+with zero Python-side serialisation; the frontend decodes it with a
+``DataView`` walk, no JSON parse. Measured target on the 135 k / 166 k
+benchmark DB: ~6 MB on disk, ~110 ms end-to-end load on loopback HTTP.
+
+Format
+======
+All integers little-endian, no padding between sections.
+
+Header (32 bytes):
+    magic        : 4  bytes  "CXGB"
+    version      : u16        currently 1
+    flags        : u16        bit 0 = include_coords (reserved)
+    node_count   : u32
+    edge_count   : u32
+    string_pool_off : u64     byte offset of the string pool from BOF
+    string_pool_len : u32     length of the string pool in bytes
+    reserved     : u32        = 0
+
+Node row (24 bytes, repeated node_count times):
+    id_off       : u32        offset into string pool
+    kind         : u8         0=domain 1=tool_hub 2=file 3=symbol 4=skill
+                              5=hook  6=command 7=agent 8=mcp
+                              9=discussion 10=memory 11=entity
+                              255=unknown
+    pad          : u8 × 3
+    domain_off   : u32        offset into string pool (== id_off for domains)
+    x            : f32        layout-authority x coord, 0.0 if not laid out
+    y            : f32        same, y
+    size         : f32        visual size hint
+
+Edge row (12 bytes, repeated edge_count times):
+    src_off      : u32        offset of source node id in string pool
+    tgt_off      : u32        offset of target node id in string pool
+    kind         : u8         0=in_domain 1=tool_used_file 2=defined_in
+                              3=calls 4=imports 5=member_of
+                              6=about_entity 7=command_opened
+                              8=discussion_opened 9=skill_usage
+                              10=mcp_usage 11=discussion_tool
+                              12=discussion_agent 13=discussion_command
+                              14=extends 15=other 255=unknown
+    pad          : u8 × 3
+
+String pool (variable, starts at string_pool_off):
+    Length-prefixed UTF-8 strings. Each string is::
+
+        len : u16   (max 65535)
+        utf : bytes (len bytes, no terminator)
+
+    Strings are deduplicated by content. ``id_off`` / ``domain_off`` /
+    ``src_off`` / ``tgt_off`` point at the *start of the len prefix*.
+
+Sizes for the 135 k / 166 k benchmark::
+
+    32 (header)
+    + 135_000 × 24 (nodes)     = 3.24 MB
+    + 166_000 × 12 (edges)     = 1.99 MB
+    + ~135_000 strings × ~20 B = 2.7  MB
+    ≈ 8 MB total
+
+source: measured 2026-05-28 on the rebased streaming branch's dev DB.
+"""
+
+from __future__ import annotations
+
+import io
+import os
+import struct
+import tempfile
+from pathlib import Path
+from typing import Any
+
+MAGIC = b"CXGB"
+VERSION = 1
+
+_NODE_KIND_MAP = {
+    "domain": 0,
+    "tool_hub": 1,
+    "file": 2,
+    "symbol": 3,
+    "skill": 4,
+    "hook": 5,
+    "command": 6,
+    "agent": 7,
+    "mcp": 8,
+    "discussion": 9,
+    "memory": 10,
+    "entity": 11,
+}
+_EDGE_KIND_MAP = {
+    "in_domain": 0,
+    "tool_used_file": 1,
+    "defined_in": 2,
+    "calls": 3,
+    "imports": 4,
+    "member_of": 5,
+    "about_entity": 6,
+    "command_opened": 7,
+    "discussion_opened": 8,
+    "skill_usage": 9,
+    "mcp_usage": 10,
+    "discussion_tool": 11,
+    "discussion_agent": 12,
+    "discussion_command": 13,
+    "extends": 14,
+    "other": 15,
+}
+
+_HEADER_FMT = "<4sHHIIQII"
+_HEADER_SIZE = struct.calcsize(_HEADER_FMT)  # 32
+_NODE_FMT = "<IBxxxIfff"
+_NODE_SIZE = struct.calcsize(_NODE_FMT)  # 24
+_EDGE_FMT = "<IIBxxx"
+_EDGE_SIZE = struct.calcsize(_EDGE_FMT)  # 12
+
+assert _HEADER_SIZE == 32, _HEADER_SIZE
+assert _NODE_SIZE == 24, _NODE_SIZE
+assert _EDGE_SIZE == 12, _EDGE_SIZE
+
+
+class _StringPool:
+    """Builds the deduplicated length-prefixed UTF-8 string pool.
+
+    Returns the BYTE OFFSET (within the pool) of each interned string;
+    that offset is what the node/edge rows store.
+    """
+
+    __slots__ = ("_offsets", "_buf")
+
+    def __init__(self) -> None:
+        self._offsets: dict[str, int] = {}
+        self._buf = io.BytesIO()
+
+    def intern(self, s: str | None) -> int:
+        s = "" if s is None else str(s)
+        off = self._offsets.get(s)
+        if off is not None:
+            return off
+        encoded = s.encode("utf-8")
+        if len(encoded) > 65535:
+            encoded = encoded[:65535]  # truncate rather than fail
+        off = self._buf.tell()
+        self._buf.write(struct.pack("<H", len(encoded)))
+        self._buf.write(encoded)
+        self._offsets[s] = off
+        return off
+
+    def bytes(self) -> bytes:
+        return self._buf.getvalue()
+
+
+def serialize(nodes: list[dict[str, Any]], edges: list[dict[str, Any]]) -> bytes:
+    """Pack ``(nodes, edges)`` into the CXGB binary snapshot.
+
+    Both inputs are the same JSON-friendly dicts the legacy ``/api/graph``
+    cache produces (see ``mcp_server/handlers/workflow_graph._node_to_dict``
+    and ``_edge_to_dict``). Returns the complete snapshot as bytes ready
+    to write to disk or stream to the wire.
+    """
+    pool = _StringPool()
+
+    node_rows = bytearray(_NODE_SIZE * len(nodes))
+    for i, n in enumerate(nodes):
+        node_id = n.get("id") or ""
+        kind_str = n.get("kind") or n.get("type") or ""
+        kind = _NODE_KIND_MAP.get(kind_str, 255)
+        domain = n.get("domain_id") or n.get("domain") or ""
+        x = float(n.get("x") or 0.0)
+        y = float(n.get("y") or 0.0)
+        size = float(n.get("size") or 1.0)
+        id_off = pool.intern(node_id)
+        dom_off = pool.intern(domain)
+        struct.pack_into(
+            _NODE_FMT,
+            node_rows,
+            i * _NODE_SIZE,
+            id_off,
+            kind,
+            dom_off,
+            x,
+            y,
+            size,
+        )
+
+    edge_rows = bytearray(_EDGE_SIZE * len(edges))
+    for i, e in enumerate(edges):
+        src = e.get("source")
+        tgt = e.get("target")
+        if isinstance(src, dict):
+            src = src.get("id")
+        if isinstance(tgt, dict):
+            tgt = tgt.get("id")
+        kind_str = e.get("kind") or e.get("type") or ""
+        kind = _EDGE_KIND_MAP.get(kind_str, 255)
+        struct.pack_into(
+            _EDGE_FMT,
+            edge_rows,
+            i * _EDGE_SIZE,
+            pool.intern(src or ""),
+            pool.intern(tgt or ""),
+            kind,
+        )
+
+    pool_bytes = pool.bytes()
+    pool_off = _HEADER_SIZE + len(node_rows) + len(edge_rows)
+    header = struct.pack(
+        _HEADER_FMT,
+        MAGIC,
+        VERSION,
+        0,
+        len(nodes),
+        len(edges),
+        pool_off,
+        len(pool_bytes),
+        0,
+    )
+    return bytes(header) + bytes(node_rows) + bytes(edge_rows) + pool_bytes
+
+
+def deserialize(buf: bytes) -> dict[str, Any]:
+    """Inverse of ``serialize`` — used by tests + diagnostic tools.
+
+    Returns ``{"nodes": [...], "edges": [...]}`` in the same dict shape
+    the JSON endpoint produces. Browser clients decode directly with
+    ``DataView`` (see ``ui/unified/js/graph_snapshot.js``); this Python
+    helper exists so the serialiser's contract is testable end-to-end.
+    """
+    if len(buf) < _HEADER_SIZE:
+        raise ValueError(f"snapshot too small: {len(buf)} bytes")
+    magic, ver, _flags, n_count, e_count, pool_off, pool_len, _ = struct.unpack(
+        _HEADER_FMT, buf[:_HEADER_SIZE]
+    )
+    if magic != MAGIC:
+        raise ValueError(f"bad magic {magic!r}")
+    if ver != VERSION:
+        raise ValueError(f"unsupported version {ver}")
+
+    inv_node_kind = {v: k for k, v in _NODE_KIND_MAP.items()}
+    inv_edge_kind = {v: k for k, v in _EDGE_KIND_MAP.items()}
+
+    def read_str(off: int) -> str:
+        slen = struct.unpack_from("<H", buf, pool_off + off)[0]
+        return buf[pool_off + off + 2 : pool_off + off + 2 + slen].decode(
+            "utf-8", errors="replace"
+        )
+
+    nodes: list[dict[str, Any]] = []
+    base = _HEADER_SIZE
+    for i in range(n_count):
+        id_off, kind, dom_off, x, y, size = struct.unpack_from(
+            _NODE_FMT, buf, base + i * _NODE_SIZE
+        )
+        nodes.append(
+            {
+                "id": read_str(id_off),
+                "kind": inv_node_kind.get(kind, "unknown"),
+                "domain_id": read_str(dom_off),
+                "x": x,
+                "y": y,
+                "size": size,
+            }
+        )
+
+    edges: list[dict[str, Any]] = []
+    base = _HEADER_SIZE + n_count * _NODE_SIZE
+    for i in range(e_count):
+        src_off, tgt_off, kind = struct.unpack_from(
+            _EDGE_FMT, buf, base + i * _EDGE_SIZE
+        )
+        edges.append(
+            {
+                "source": read_str(src_off),
+                "target": read_str(tgt_off),
+                "kind": inv_edge_kind.get(kind, "unknown"),
+            }
+        )
+
+    return {"nodes": nodes, "edges": edges, "meta": {"format": "CXGBv1"}}
+
+
+def default_path() -> Path:
+    """Default on-disk location for the snapshot."""
+    return Path.home() / ".cache" / "cortex" / "graph-snapshot.bin"
+
+
+def write_atomic(path: Path, payload: bytes) -> None:
+    """Atomically replace ``path`` with ``payload``.
+
+    Writes to ``<path>.tmp.<pid>`` in the same directory then ``os.replace``
+    so a concurrent reader either sees the old complete snapshot or the
+    new complete snapshot — never a torn partial write.
+    """
+    path.parent.mkdir(parents=True, exist_ok=True)
+    fd, tmp = tempfile.mkstemp(prefix=path.name + ".tmp.", dir=str(path.parent))
+    try:
+        with os.fdopen(fd, "wb") as f:
+            f.write(payload)
+        os.replace(tmp, path)
+    except Exception:
+        try:
+            os.unlink(tmp)
+        except OSError:
+            pass
+        raise
+
+
+def write_from_graph_cache(
+    nodes: list[dict[str, Any]],
+    edges: list[dict[str, Any]],
+    path: Path | None = None,
+) -> tuple[Path, int]:
+    """Serialise + atomically write the snapshot.
+
+    Returns ``(path, byte_count)`` for callers that want to log the
+    artifact. The caller is responsible for deciding *when* to write
+    (the build worker calls this after the full build completes).
+    """
+    p = path or default_path()
+    payload = serialize(nodes, edges)
+    write_atomic(p, payload)
+    return p, len(payload)
diff --git a/mcp_server/server/http_standalone.py b/mcp_server/server/http_standalone.py
index ce61b245..7bd3df1b 100644
--- a/mcp_server/server/http_standalone.py
+++ b/mcp_server/server/http_standalone.py
@@ -131,7 +131,7 @@ def _route_unified_get(
     if path_no_qs == "/api/graph/progress":
         from mcp_server.server.http_standalone_endpoints import serve_graph_progress
 
-        serve_graph_progress(handler)
+        serve_graph_progress(handler, store)
         return
     if path_no_qs == "/api/graph/phase":
         from mcp_server.server.http_standalone_endpoints import serve_graph_phase
@@ -153,6 +153,38 @@ def _route_unified_get(
 
         serve_memories_facets(handler, store)
         return
+    if path_no_qs == "/api/graph/stream":
+        from mcp_server.handlers.graph_stream import serve as serve_stream
+
+        serve_stream(handler, store)
+        return
+    if path_no_qs == "/api/graph/stream/stats":
+        from mcp_server.handlers.graph_stream import serve_stats
+
+        serve_stats(handler, store)
+        return
+    if path_no_qs.startswith("/api/node/"):
+        from mcp_server.handlers.node_metadata import serve as serve_node_metadata
+
+        serve_node_metadata(handler, store)
+        return
+    if path_no_qs == "/api/graph/events":
+        # Live SSE stream of per-source batches — the browser watches
+        # the graph grow on first visit (cold cache). Falls back to
+        # /api/graph.bin when a precomputed snapshot exists. See
+        # mcp_server/server/graph_event_stream.py.
+        from mcp_server.server.http_standalone_endpoints import serve_graph_events
+
+        serve_graph_events(handler, store)
+        return
+    if path_no_qs == "/api/graph.bin":
+        # CXGB binary snapshot — full graph in ~110 ms vs the JSON
+        # path's ~1–3 s parse on a 135 k-node graph. See
+        # mcp_server/server/graph_snapshot.py for format spec.
+        from mcp_server.server.http_standalone_endpoints import serve_graph_binary
+
+        serve_graph_binary(handler, store)
+        return
     if path == "/api/graph" or path.startswith("/api/graph?"):
         serve_graph(handler, store)
     elif path == "/api/discussions" or path.startswith("/api/discussions?"):
diff --git a/mcp_server/server/http_standalone_chain.py b/mcp_server/server/http_standalone_chain.py
new file mode 100644
index 00000000..db8fdcbe
--- /dev/null
+++ b/mcp_server/server/http_standalone_chain.py
@@ -0,0 +1,149 @@
+"""GET /api/graph/chain — Mermaid DAG of the causal/impact chain from a node.
+
+Reuses the bounded entity-graph BFS from ``get_causal_chain`` (the
+canonical traversal over ``store``) and renders the edges as Mermaid
+``flowchart TD`` for the frontend chain-of-action panel. Layer: server/;
+imports handlers/, returns via the shared response helper, never imports
+core/ directly, and never raises — failures collapse to a valid body.
+"""
+
+from __future__ import annotations
+
+from urllib.parse import parse_qs, urlparse
+
+from mcp_server.handlers.get_causal_chain import (
+    _bfs_entity_graph,
+    _resolve_start_entity_by_name,
+)
+from mcp_server.server.http_standalone_response import send_json_ok
+
+# type -> BFS direction. Mirrors get_causal_chain semantics:
+# outgoing = downstream effects (impact), incoming = upstream causes
+# (causal), both = full neighbourhood (call).
+_TYPE_TO_DIRECTION = {"impact": "outgoing", "causal": "incoming", "call": "both"}
+
+_DEPTH_DEFAULT = 4
+_DEPTH_MAX = 8
+_NODE_CAP = 150  # hard cap on rendered nodes/edges combined
+_LABEL_MAX = 40
+
+
+def _parse_params(raw_path: str) -> tuple[str, int, str]:
+    """Extract (id, depth, direction) from the query string.
+
+    Postcondition: depth in [1, _DEPTH_MAX]; direction is a valid BFS
+    direction; id may be empty (caller handles as not-found).
+    """
+    qs = parse_qs(urlparse(raw_path).query)
+    node_id = (qs.get("id", [""])[0] or "").strip()
+    try:
+        depth = int(qs.get("depth", [str(_DEPTH_DEFAULT)])[0])
+    except (ValueError, TypeError):
+        depth = _DEPTH_DEFAULT
+    depth = max(1, min(depth, _DEPTH_MAX))
+    chain_type = (qs.get("type", ["causal"])[0] or "causal").lower()
+    direction = _TYPE_TO_DIRECTION.get(chain_type, "incoming")
+    return node_id, depth, direction
+
+
+def _sanitize(label: str) -> str:
+    """Mermaid node label: truncate at _LABEL_MAX, neutralise quotes."""
+    return (label or "")[:_LABEL_MAX].replace('"', "'")
+
+
+def _build_mermaid(edges: list[dict]) -> tuple[str, int, int, int, bool]:
+    """Render BFS edges as a Mermaid flowchart TD.
+
+    Returns (mermaid_text, node_count, edge_count, depth_reached,
+    truncated). Caps total distinct nodes + rendered edges at _NODE_CAP.
+    Node IDs are sanitized to ``nd_<n>`` (alphanumeric only) so arbitrary
+    entity names can never break Mermaid parsing.
+    """
+    node_ids: dict[int, str] = {}
+    lines: list[str] = []
+    depth_reached = 0
+    truncated = False
+
+    def _node_ref(entity_id: int, name: str, kind: str) -> str | None:
+        if entity_id not in node_ids:
+            if len(node_ids) >= _NODE_CAP:
+                return None  # node budget exhausted
+            ref = f"nd_{len(node_ids)}"
+            node_ids[entity_id] = ref
+            lines.append(f'  {ref}["{_sanitize(name)}\\n({_sanitize(kind)})"]')
+        return node_ids[entity_id]
+
+    for edge in edges:
+        if len(lines) >= _NODE_CAP:
+            truncated = True
+            break
+        src = _node_ref(edge["source_id"], edge["source_name"], edge["source_type"])
+        tgt = _node_ref(edge["target_id"], edge["target_name"], edge["target_type"])
+        if src is None or tgt is None:
+            truncated = True
+            break
+        rel = _sanitize(edge.get("relationship_type", "rel"))
+        lines.append(f"  {src} -->|{rel}| {tgt}")
+        depth_reached = max(depth_reached, edge.get("depth", 0))
+
+    header = "%% truncated at 150 nodes\n" if truncated else ""
+    mermaid = header + "flowchart TD\n" + "\n".join(lines)
+    edge_count = sum(1 for ln in lines if "-->" in ln)
+    return mermaid, len(node_ids), edge_count, depth_reached, truncated
+
+
+def _not_found_payload(seed: str) -> dict:
+    return {
+        "mermaid": 'flowchart TD\n  A["Not found"]',
+        "node_count": 0,
+        "edge_count": 0,
+        "depth_reached": 0,
+        "truncated": False,
+        "seed": seed,
+    }
+
+
+def serve_graph_chain(handler, store) -> None:
+    """GET /api/graph/chain?id=&depth=&type= — Mermaid causal/impact DAG.
+
+    Never raises: any failure (bad params, store error, render error)
+    resolves to a valid not-found JSON body so the panel degrades
+    gracefully instead of hanging on a 500.
+    """
+    seed = ""
+    try:
+        seed, depth, direction = _parse_params(handler.path)
+        if not seed:
+            send_json_ok(handler, _not_found_payload(seed))
+            return
+
+        entity = _resolve_start_entity_by_name(seed, store)
+        if not entity:
+            send_json_ok(handler, _not_found_payload(seed))
+            return
+
+        edges = _bfs_entity_graph(
+            start_entity_id=entity["id"],
+            store=store,
+            max_depth=depth,
+            max_edges=_NODE_CAP,
+            direction=direction,
+            rel_filter=None,
+        )
+        mermaid, n_nodes, n_edges, depth_reached, truncated = _build_mermaid(edges)
+        send_json_ok(
+            handler,
+            {
+                "mermaid": mermaid,
+                "node_count": n_nodes,
+                "edge_count": n_edges,
+                "depth_reached": depth_reached,
+                "truncated": truncated,
+                "seed": entity.get("name", seed),
+            },
+        )
+    except Exception:
+        # Contract: this function never raises. send_json_ok sets the CORS
+        # header via _apply_cors_headers, so the not-found body carries the
+        # same headers as the success path.
+        send_json_ok(handler, _not_found_payload(seed))
diff --git a/mcp_server/server/http_standalone_endpoints.py b/mcp_server/server/http_standalone_endpoints.py
index 9ef1d796..468090ac 100644
--- a/mcp_server/server/http_standalone_endpoints.py
+++ b/mcp_server/server/http_standalone_endpoints.py
@@ -118,11 +118,196 @@ def serve_graph(handler, store) -> None:
         send_json_error(handler, e)
 
 
-def serve_graph_progress(handler) -> None:
-    """GET /api/graph/progress — background-build progress snapshot."""
-    from mcp_server.server.http_standalone_graph import get_build_progress
+def serve_graph_events(handler, store=None) -> None:
+    """GET /api/graph/events — Server-Sent Events stream of build batches.
+
+    The build worker pushes per-source batches onto an in-memory event
+    queue (see ``graph_event_stream``). This handler streams them to a
+    single browser connection in real time so the user watches the
+    graph grow as the builder produces nodes — first source within a
+    second, full graph fills in behind it. No precomputed snapshot is
+    required for this to work; it's the live-build channel.
+
+    Wire format (text/event-stream):
+        event: batch
+        id: <buffer index>
+        data: {"label":..,"nodes":[...],"edges":[...],"off":..,"n_total":..}
+
+        event: done
+        data: {"total_nodes":N,"total_edges":E}
+
+    The client (``ui/unified/js/graph_event_stream.js``) parses each
+    ``batch`` event and calls ``JUG.appendGraphDelta(nodes, edges)``.
+    appendGraphDelta dedups by id, so reconnect-and-replay is safe.
+
+    Lazy-kicks the build (ensure_build_started) so opening the SSE
+    stream on a cold cache starts the pipeline producing events.
+    """
+    from urllib.parse import parse_qs, urlparse
+
+    from mcp_server.server.graph_event_stream import (
+        format_done,
+        format_event,
+        format_heartbeat,
+        get_stream,
+    )
+    from mcp_server.server.http_standalone_graph import (
+        ensure_build_started,
+        get_build_progress,
+    )
+
+    # Honour Last-Event-ID for resume after a flaky connection. Spec
+    # says the value is the ``id:`` of the last event the client saw;
+    # we advance past it on resume.
+    last_id_header = (
+        handler.headers.get("Last-Event-ID")
+        or handler.headers.get("Last-Event-Id")
+        or ""
+    )
+    since = 0
+    try:
+        since = int(last_id_header) + 1 if last_id_header else 0
+    except ValueError:
+        since = 0
+    # Also allow ?since=N as a fallback (curl-friendly).
+    qs = parse_qs(urlparse(handler.path).query)
+    if "since" in qs:
+        try:
+            since = max(since, int(qs["since"][0]))
+        except (ValueError, IndexError):
+            pass
+
+    try:
+        ensure_build_started(store)
+
+        handler.send_response(200)
+        handler.send_header("Content-Type", "text/event-stream; charset=utf-8")
+        handler.send_header("Cache-Control", "no-cache")
+        handler.send_header("Connection", "keep-alive")
+        handler.send_header("X-Accel-Buffering", "no")  # disable proxy buffering
+        handler.end_headers()
+
+        stream = get_stream()
+
+        # Replay-then-tail loop. subscribe() returns on close-and-drained
+        # OR on a 15 s idle timeout. On idle timeout we emit an SSE
+        # comment (heartbeat) and re-subscribe from where we left off,
+        # so the connection stays open across long pauses (the source-
+        # loading phase is ~15–20 s of silence before the first batch).
+        # Loop exits cleanly when (a) the stream is closed and drained,
+        # or (b) the client disconnects (BrokenPipe).
+        cursor = since
+        while True:
+            saw_any = False
+            for idx, event in stream.subscribe(since=cursor, timeout=15.0):
+                try:
+                    handler.wfile.write(format_event(idx, event))
+                    handler.wfile.flush()
+                except (BrokenPipeError, ConnectionResetError):
+                    return
+                cursor = idx + 1
+                saw_any = True
+
+            s = stream.stats()
+            if s.get("closed") and cursor >= s.get("count", 0):
+                # Build finished AND we've drained every event.
+                prog = get_build_progress()
+                try:
+                    handler.wfile.write(
+                        format_done(
+                            total_nodes=prog.get("node_count", 0),
+                            total_edges=prog.get("edge_count", 0),
+                        )
+                    )
+                    handler.wfile.flush()
+                except (BrokenPipeError, ConnectionResetError):
+                    pass
+                return
+
+            # Idle timeout — keep the connection alive with a comment.
+            # If the client is gone, the write fails and we exit.
+            try:
+                handler.wfile.write(format_heartbeat())
+                handler.wfile.flush()
+            except (BrokenPipeError, ConnectionResetError):
+                return
+            # If we saw nothing AND the stream is still open, loop
+            # back into subscribe() to wait for more. This is the
+            # source-loading gap (no batches for ~15–20 s while PG
+            # queries run).
+            if not saw_any:
+                continue
+    except Exception as e:
+        # Best-effort error reporting on an already-started chunked
+        # response is fraught; log and close.
+        try:
+            handler.wfile.write(
+                f"event: error\ndata: {type(e).__name__}: {e}\n\n".encode()
+            )
+            handler.wfile.flush()
+        except Exception:
+            pass
+
+
+def serve_graph_binary(handler, store=None) -> None:
+    """GET /api/graph.bin — precomputed binary snapshot (CXGB v1).
+
+    Streams ``~/.cache/cortex/graph-snapshot.bin`` as
+    ``application/octet-stream`` with zero Python-side serialisation.
+    The browser decodes it via ``DataView`` (see
+    ``ui/unified/js/graph_snapshot.js``) — full graph load in ~110 ms
+    on the 135 k / 166 k benchmark DB, vs ~45 min when the
+    rebuild-from-PG path runs each time. See
+    ``mcp_server/server/graph_snapshot.py`` for the format spec.
+
+    Also lazily kicks the background build so the first visit to this
+    endpoint starts producing a snapshot — subsequent visits get the
+    fast load. Returns HTTP 404 if no snapshot exists yet (the client
+    falls back to the JSON path while the build runs).
+    """
+    from mcp_server.server.graph_snapshot import default_path
+    from mcp_server.server.http_standalone_graph import ensure_build_started
+
+    try:
+        ensure_build_started(store)
+        path = default_path()
+        if not path.is_file():
+            handler.send_response(404)
+            handler.send_header("Content-Type", "text/plain; charset=utf-8")
+            handler.end_headers()
+            handler.wfile.write(b"snapshot not yet built")
+            return
+        st = path.stat()
+        with open(path, "rb") as fh:
+            payload = fh.read()
+        handler.send_response(200)
+        handler.send_header("Content-Type", "application/octet-stream")
+        handler.send_header("Content-Length", str(len(payload)))
+        # Snapshot is regenerated on every successful build; long-cache
+        # would serve a stale graph after a rebuild. Use a weak ETag
+        # off the mtime so a client can revalidate cheaply.
+        handler.send_header("Cache-Control", "no-cache")
+        handler.send_header("ETag", f'W/"{int(st.st_mtime)}-{st.st_size}"')
+        handler.end_headers()
+        handler.wfile.write(payload)
+    except Exception as e:
+        send_json_error(handler, e)
+
+
+def serve_graph_progress(handler, store=None) -> None:
+    """GET /api/graph/progress — background-build progress snapshot.
+
+    Also lazily kicks the background build if it hasn't started (see
+    ``ensure_build_started``): the graph-tab poller hits this endpoint,
+    so this is what starts the build when the user opens the Graph view.
+    """
+    from mcp_server.server.http_standalone_graph import (
+        ensure_build_started,
+        get_build_progress,
+    )
 
     try:
+        ensure_build_started(store)
         send_json_ok(handler, get_build_progress())
     except Exception as e:
         send_json_error(handler, e)
diff --git a/mcp_server/server/http_standalone_graph.py b/mcp_server/server/http_standalone_graph.py
index cc5a8535..e70b6414 100644
--- a/mcp_server/server/http_standalone_graph.py
+++ b/mcp_server/server/http_standalone_graph.py
@@ -39,6 +39,33 @@
 
 _cached_domain_hub_ids: dict[str, str] = {}
 
+# ── Layout authority singleton ────────────────────────────────────────────
+#
+# The layout authority is the single owner of (node_id → (x, y)) slot
+# emission for the live SSE stream. The build worker pushes node/edge
+# deltas into it; the SSE handler at /api/graph/stream subscribes and
+# drains. Lazy construction keeps the import graph clean (the authority
+# imports from server/, this module imports nothing of it at module
+# load) and lets a fresh build_authority() reset the event log once
+# per process. Subsequent _kick_background_build calls reset the log
+# inside build_authority() too — they don't drop the singleton.
+_layout_authority = None
+
+
+def get_layout_authority():
+    """Return the process-wide LayoutAuthority, building it on first use.
+
+    Pre: none.
+    Post: returns the same instance for the life of the process.
+    """
+    global _layout_authority
+    if _layout_authority is None:
+        from mcp_server.server.layout_authority import build_authority
+
+        _layout_authority = build_authority()
+    return _layout_authority
+
+
 _graph_cache: dict | None = None
 _graph_cache_ts: float = 0.0
 _graph_build_lock = threading.Lock()
@@ -214,6 +241,37 @@ def get_build_progress() -> dict:
     return snap
 
 
+def ensure_build_started(store) -> None:
+    """Kick the background build iff it hasn't started and no completed
+    graph is cached.
+
+    Why this exists: per the 2026-05-17 direction the build must not
+    auto-fire at server startup — it kicks lazily when the user opens
+    the Graph view. The original trigger was a ``/api/graph`` fetch from
+    polling.js's boot. The streaming refactor moved the graph-tab poller
+    onto ``/api/graph/progress`` (meta-only) + ``/api/graph/phase``, and
+    neither kicks the build — so opening the Graph view stopped starting
+    it and the graph never appeared. This helper restores the trigger on
+    the progress endpoint: the phase-poller only polls ``/progress`` when
+    ``activeView === 'graph'``, so kicking here keeps the lazy semantics
+    (no build until the user is actually on the Graph tab) without
+    depending on a separate ``/api/graph`` fetch.
+
+    Idempotent: ``_kick_background_build`` collapses concurrent calls via
+    a non-blocking lock, and the cache check below prevents re-kicking a
+    finished build. Safe to call on every poll.
+    """
+    if store is None:
+        return
+    build_in_progress = _graph_build_lock.locked()
+    cache_has_data = bool(
+        _graph_cache and _graph_cache.get("data") and _graph_cache["data"].get("nodes")
+    )
+    if build_in_progress or cache_has_data:
+        return
+    _kick_background_build(store, None)
+
+
 def _set_progress(**kw) -> None:
     with _build_progress_lock:
         _build_progress.update(kw)
@@ -281,6 +339,115 @@ def _mark_phase_ready(phase_key: str) -> None:
         _build_progress["phases"] = {k: v["ready"] for k, v in PHASES.items()}
 
 
+# Edge kinds we accept as "<node> is parented by <other endpoint>" hints
+# when scanning a freshly-merged batch for I3/I4 parent linkage.
+_PARENT_HINT_EDGE_KINDS = frozenset(
+    {"defined_in", "tool_used_file", "in_domain", "command_in_hub"}
+)
+
+
+def _edge_endpoint(value):
+    """Return the id from an edge endpoint that may be a dict or str."""
+    if isinstance(value, dict):
+        return value.get("id")
+    return value
+
+
+def _parent_id_for(node: dict, edges: list[dict]) -> str | None:
+    """Find the parent id for ``node`` from a freshly-merged batch.
+
+    For symbol nodes, the parent is the file pointed to by a
+    ``defined_in`` edge whose source is this symbol. For file nodes,
+    the parent (when known) is the tool_hub from a ``tool_used_file``
+    edge whose target is this file. None when no batch-local hint
+    exists — the authority then falls back to its domain-anchor
+    placement (I4/I7).
+
+    Pre: edges is the same list that was just merged with ``node``.
+    Post: returns a node id (str) or None; never raises.
+    """
+    nid = node.get("id")
+    if not nid:
+        return None
+    kind = node.get("kind") or node.get("type") or ""
+    for e in edges:
+        ek = e.get("kind") or e.get("type") or ""
+        if ek not in _PARENT_HINT_EDGE_KINDS:
+            continue
+        s = _edge_endpoint(e.get("source"))
+        t = _edge_endpoint(e.get("target"))
+        # symbol -> file via defined_in: source is symbol, target is file
+        if kind == "symbol" and ek == "defined_in" and s == nid:
+            return t
+        # file -> tool_hub via tool_used_file: source is tool_hub,
+        # target is file; we want the tool_hub for this file.
+        if kind == "file" and ek == "tool_used_file" and t == nid:
+            return s
+        # command in tool hub: command -> tool_hub
+        if kind == "command" and ek == "command_in_hub" and s == nid:
+            return t
+    return None
+
+
+def _emit_to_authority(new_nodes: list[dict], new_edges: list[dict]) -> None:
+    """Forward a freshly-merged delta into the LayoutAuthority.
+
+    Producer drift (missing fields, unknown kinds, non-string ids) is
+    skipped per-item; nothing here can stop the legacy build worker.
+    Pre: new_nodes / new_edges are the same lists ``_merge`` was about
+    to commit to the cumulative cache.
+    Post: every well-formed node + edge has been pushed through
+    ``add_node`` / ``add_edge``; malformed items are silently dropped.
+    """
+    from mcp_server.server.layout_authority_protocol import (
+        EdgeDelta,
+        NodeDelta,
+    )
+
+    auth = get_layout_authority()
+    for n in new_nodes:
+        nid = n.get("id")
+        if not isinstance(nid, str) or not nid:
+            continue
+        kind = n.get("kind") or n.get("type") or "unknown"
+        # The protocol layer maps file/symbol/etc onto its NODE_KINDS;
+        # invalid kinds raise ValueError below and are skipped.
+        domain_id = n.get("domain_id")
+        if not domain_id:
+            # Fall back to a global anchor so unscoped nodes still
+            # land somewhere instead of being dropped. Mirrors the
+            # graph-builder's "domain:__global__" sentinel.
+            domain_id = "domain:__global__"
+        # 'domain' kind requires domain_id == node_id. The graph
+        # builder enforces this, but we re-assert defensively.
+        if kind == "domain":
+            domain_id = nid
+        try:
+            delta = NodeDelta(
+                node_id=nid,
+                kind=kind,
+                domain_id=domain_id,
+                parent_id=_parent_id_for(n, new_edges),
+                tool_name=n.get("tool") or n.get("tool_name"),
+            )
+            auth.add_node(delta)
+        except (ValueError, TypeError):
+            # Producer drift — skip and continue.
+            continue
+
+    for e in new_edges:
+        s = _edge_endpoint(e.get("source"))
+        t = _edge_endpoint(e.get("target"))
+        if not s or not t:
+            continue
+        kind = e.get("kind") or e.get("type") or "default"
+        try:
+            auth.add_edge(EdgeDelta(source_id=s, target_id=t, kind=kind))
+        except (ValueError, TypeError):
+            # Unknown edge kind, etc. — skip.
+            continue
+
+
 def _kick_background_build(store, domain_filter: str | None) -> None:
     """Spawn the two-stage background builder at most once. Stage 1
     (baseline, no AST) finishes in ~5 s and becomes the cached graph
@@ -291,7 +458,25 @@ def _kick_background_build(store, domain_filter: str | None) -> None:
         return
 
     def _run():
-        global _graph_roster_fingerprint
+        global _graph_roster_fingerprint, _layout_authority
+
+        # Producer-feedback Act-channel (Cochrane Finding A) — module
+        # imported once here so the inter-phase wait_for_clear calls
+        # below resolve without re-importing per batch.
+        from mcp_server.server import layout_authority_pressure as _pressure
+
+        # Fresh authority (and event log reset) for every build so the
+        # SSE stream restarts at seq=1 with no leaked slots from the
+        # previous run. build_authority() calls _log.reset() internally.
+        try:
+            from mcp_server.server.layout_authority import build_authority
+
+            _layout_authority = build_authority()
+        except Exception as _exc:  # pragma: no cover - defensive
+            print(
+                f"[cortex] layout-authority init failed: {_exc}",
+                file=sys.stderr,
+            )
 
         def _merge(new_nodes, new_edges, stage, pct, message, phase_key=None, **flags):
             """Append ``new_nodes`` + ``new_edges`` into the cumulative
@@ -348,6 +533,20 @@ def _merge(new_nodes, new_edges, stage, pct, message, phase_key=None, **flags):
                 - kind_counts.get("memory", 0)
             )
             cur["meta"]["counts"] = kind_counts
+            # ── Layout-authority emission ──
+            # In addition to the legacy per-phase cache (kept for
+            # /api/graph/phase + /api/graph clients), every new node /
+            # edge is pushed through the LayoutAuthority so the live
+            # SSE stream at /api/graph/stream sees them in real time.
+            # Errors here are non-fatal — the legacy path above already
+            # persisted the data; authority emission is purely additive.
+            try:
+                _emit_to_authority(new_nodes, new_edges)
+            except Exception as _exc:  # pragma: no cover - defensive
+                print(
+                    f"[cortex] layout-authority emission error: {_exc}",
+                    file=sys.stderr,
+                )
             # Also append into the per-phase delta buffer so the
             # client can ``GET /api/graph/phase?name=<key>`` and
             # append exactly this phase's new content to its live
@@ -371,6 +570,29 @@ def _merge(new_nodes, new_edges, stage, pct, message, phase_key=None, **flags):
             _graph_cache = {"data": cur, "domain_filter": domain_filter}
             _graph_cache_ts = time.monotonic()
             _cached_domain_hub_ids = extract_domain_hub_ids(cur["nodes"])
+            # ── SSE emission for L6 (symbols) and any other _merge caller ──
+            # The baseline build emits each per-source batch via _on_batch
+            # → _events.emit, but the L6 symbol loop calls _merge directly
+            # with no SSE feeder, so 670 k+ AP symbols stayed in the
+            # cumulative cache and never reached the live browser. Push
+            # the same delta onto _events so SSE subscribers (the bridge
+            # in workflow_graph_bridge.js, future renderers) see L6 grow
+            # in real time — same wire shape as baseline batches, label
+            # taken from ``stage`` so the user can tell ``L6 1/28 Cortex``
+            # apart from ``memories`` in the network panel.
+            try:
+                if new_nodes or new_edges:
+                    _events.emit(
+                        stage,
+                        list(new_nodes),
+                        list(new_edges),
+                        chunk=1000,
+                    )
+            except Exception as _exc:  # pragma: no cover - defensive
+                print(
+                    f"[cortex] sse stream emission error: {_exc}",
+                    file=sys.stderr,
+                )
             _set_progress(
                 phase=stage,
                 pct=pct,
@@ -450,11 +672,141 @@ def _merge(new_nodes, new_edges, stage, pct, message, phase_key=None, **flags):
             saved_flag = os.environ.get("CORTEX_MEMORY_AP_ENABLED")
             os.environ["CORTEX_MEMORY_AP_ENABLED"] = "0"
             memory_config.get_memory_settings.cache_clear()
+
+            # ── Baseline producer (2026-05-27, revised) ──
+            #
+            # build_workflow_graph runs the source loads (PG queries) and
+            # builds the structural graph. We surface per-source progress
+            # via on_source_loaded so /api/graph/progress shows the work
+            # in flight ("loaded 107043 memories") instead of a silent
+            # spinner, and we defer the native tree-sitter AST parse
+            # (defer_native_ast=True) — that parse was 58.6 s of a 99 s
+            # build; AST symbols arrive via the L6 AP loop below instead.
+            #
+            # We do NOT use the per-source on_batch push here: routing
+            # every node/edge of the huge memories batch (107k nodes +
+            # 107k edges) through the LayoutAuthority synchronously in the
+            # build thread pinned a core for minutes with no SSE consumer
+            # attached. Instead we take the returned dict and publish it
+            # in ONE _merge into the cumulative cache, then flip the
+            # baseline phases ready. The client renders from the cache
+            # (the unified-viz phase poller's baseline-ready fallback
+            # fetches /api/graph). The on_batch / LayoutAuthority SSE
+            # path remains available for the streaming_canvas renderer
+            # once its large-batch performance is addressed.
+            _stream_pct = {"v": 0.02}  # progress monotone within 0.02–0.28
+
+            # Live event stream — every per-source batch lands here as
+            # chunked SSE events the moment the builder emits it. The
+            # first visit's browser subscribes to /api/graph/events and
+            # appendGraphDelta's each event, so the user watches the
+            # graph grow instead of waiting for the full ingest to
+            # finish. RESET on every kicked build so a previous build's
+            # tail events don't leak into this run's subscribers.
+            from mcp_server.server import graph_event_stream as _events
+
+            _events.reset()
+
+            from mcp_server.handlers.workflow_graph import (
+                _edge_to_dict,
+                _node_to_dict,
+            )
+
+            def _on_source_loaded(label: str, count: int) -> None:
+                _stream_pct["v"] = min(0.28, _stream_pct["v"] + 0.02)
+                _set_progress(
+                    phase=f"loading {label}",
+                    pct=_stream_pct["v"],
+                    message=f"loaded {count} {label}",
+                )
+
+            def _on_batch(label: str, nodes_objs, edges_objs) -> None:
+                """Push per-source batch onto the SSE event queue.
+
+                Intentionally JUST a push — no _merge, no LayoutAuthority
+                emit per item. The cumulative cache is populated by ONE
+                _merge after build completion (where the O(cache) work
+                is paid once), and the snapshot is written at the same
+                point. This keeps the build thread fast even on the
+                107 k-memory batch that previously ground for minutes.
+                """
+                if not nodes_objs and not edges_objs:
+                    return
+                n_dicts = [_node_to_dict(n) for n in nodes_objs]
+                e_dicts = [_edge_to_dict(e) for e in edges_objs]
+                _events.emit(label, n_dicts, e_dicts, chunk=1000)
+
+            # ── Stage 1: skeleton (≪1 s) → first paint ──
+            # stage="skeleton" loads only skills + hooks, no memories, no
+            # tool_events, no AST. The builder still produces the domain
+            # hubs (via _ensure_domain on every node's domain_id), so the
+            # client immediately sees the structural backbone instead of
+            # waiting ~1–3 min for the full ingest on a large DB.
+            try:
+                skeleton = build_workflow_graph(
+                    store,
+                    domain_filter=domain_filter,
+                    stage="skeleton",
+                    defer_native_ast=True,
+                )
+            except Exception as _exc:  # pragma: no cover - defensive
+                print(
+                    f"[cortex] skeleton build failed: {_exc}",
+                    file=sys.stderr,
+                )
+                skeleton = {"nodes": [], "edges": [], "meta": {}}
+
+            _merge(
+                skeleton.get("nodes", []),
+                skeleton.get("edges", []),
+                stage="skeleton",
+                pct=0.05,
+                message=(
+                    f"skeleton: {len(skeleton.get('nodes', []))} nodes / "
+                    f"{len(skeleton.get('edges', []))} edges"
+                ),
+                phase_key=None,
+                baseline_ready=True,
+            )
+            for _phase_key in ("L0", "L1"):
+                _mark_phase_ready(_phase_key)
+
+            # Write a skeleton CXGB snapshot NOW so /api/graph.bin starts
+            # serving in <200 ms (the full snapshot below replaces it
+            # when ingestion finishes — could be minutes on a large DB).
+            # Without this the first /api/graph.bin returns 404 until the
+            # full build completes, which defeats the whole point of the
+            # precomputed-snapshot protocol.
+            try:
+                from mcp_server.server.graph_snapshot import (
+                    write_from_graph_cache,
+                )
+
+                _snap_path, _snap_bytes = write_from_graph_cache(
+                    skeleton.get("nodes", []),
+                    skeleton.get("edges", []),
+                )
+                print(
+                    f"[cortex] skeleton snapshot: {_snap_bytes:,} bytes → {_snap_path}",
+                    file=sys.stderr,
+                )
+            except Exception as _exc:  # pragma: no cover - defensive
+                print(
+                    f"[cortex] skeleton snapshot write failed: {_exc}",
+                    file=sys.stderr,
+                )
+
+            # ── Stage 2: full baseline (load + ingest the heavy sources) ──
+            # Replaces the cumulative cache with the full graph. The client
+            # already painted the skeleton; this fills it in.
             try:
                 baseline = build_workflow_graph(
                     store,
                     domain_filter=domain_filter,
                     stage="full",
+                    on_source_loaded=_on_source_loaded,
+                    on_batch=_on_batch,
+                    defer_native_ast=True,
                 )
             finally:
                 if saved_flag is None:
@@ -463,93 +815,61 @@ def _merge(new_nodes, new_edges, stage, pct, message, phase_key=None, **flags):
                     os.environ["CORTEX_MEMORY_AP_ENABLED"] = saved_flag
                 memory_config.get_memory_settings.cache_clear()
 
-            # Partition baseline nodes by kind so we can publish one
-            # layer at a time with a small delay — the client sees the
-            # graph grow: domains → L1 → L2 → L3 → L4 → L5.
-            by_kind: dict[str, list] = {}
-            for n in baseline.get("nodes", []):
-                by_kind.setdefault(n.get("kind") or "", []).append(n)
-            edges_all = baseline.get("edges", [])
-            node_ids_in_cache: set[str] = set()
-
-            def _edges_for(node_ids: set[str]):
-                """Return all edges both of whose endpoints are already
-                in the cache — avoids publishing an edge before its
-                target node is visible."""
-                out = []
-                for e in edges_all:
-                    sid = (
-                        e.get("source").get("id")
-                        if isinstance(e.get("source"), dict)
-                        else e.get("source")
-                    )
-                    tid = (
-                        e.get("target").get("id")
-                        if isinstance(e.get("target"), dict)
-                        else e.get("target")
-                    )
-                    if sid in node_ids and tid in node_ids:
-                        out.append(e)
-                return out
-
-            LAYER_ORDER = [
-                ("L0", "L0 domains", ["domain"], 0.05),
-                ("L1", "L1 setup", ["skill", "hook", "command", "agent", "mcp"], 0.10),
-                ("L2", "L2 tools", ["tool_hub"], 0.14),
-                ("L3", "L3 files", ["file"], 0.18),
-                ("L4", "L4 discussions", ["discussion"], 0.22),
-                # Entities publish alongside memories: the only edge they
-                # carry is ``about_entity`` (MEMORY → ENTITY), so both
-                # endpoints must land in the same phase or ``_edges_for``
-                # drops the edge for lack of a visible target.
-                ("L5", "L5 memories", ["memory", "entity"], 0.28),
-            ]
-            for phase_key, label, kinds, pct in LAYER_ORDER:
-                # State-machine gate: block until every prerequisite
-                # phase is ``ready``. Guarantees the cache never
-                # publishes this phase's nodes/edges before its
-                # parents exist.
-                if not _phase_deps_satisfied(phase_key):
-                    continue
-                layer_nodes = []
-                for k in kinds:
-                    layer_nodes.extend(by_kind.get(k, []))
-                for n in layer_nodes:
-                    node_ids_in_cache.add(n.get("id"))
-                layer_edges = _edges_for(node_ids_in_cache)
-                # Only add the NEW edges this layer introduces.
-                already_published = (
-                    _graph_cache["data"].get("edges", []) if _graph_cache else []
+            _merge(
+                baseline.get("nodes", []),
+                baseline.get("edges", []),
+                stage="baseline",
+                pct=0.30,
+                message=(
+                    f"baseline: {len(baseline.get('nodes', []))} nodes / "
+                    f"{len(baseline.get('edges', []))} edges"
+                ),
+                phase_key=None,
+            )
+            for _phase_key in ("L0", "L1", "L2", "L3", "L4", "L5"):
+                _mark_phase_ready(_phase_key)
+            _set_progress(
+                phase="baseline_ready",
+                pct=0.30,
+                message=(
+                    f"baseline ready: {len(baseline.get('nodes', []))} nodes / "
+                    f"{len(baseline.get('edges', []))} edges"
+                ),
+                baseline_ready=True,
+            )
+
+            # ── CXGB binary snapshot ──
+            # Write the precomputed snapshot so subsequent /api/graph.bin
+            # loads finish in ~110 ms instead of re-serialising JSON on
+            # every request. Atomic rename means a concurrent reader
+            # either gets the previous complete snapshot or the new
+            # complete snapshot — never a torn write.
+            try:
+                from mcp_server.server.graph_snapshot import (
+                    write_from_graph_cache,
                 )
-                already_keys = {
-                    (e.get("source"), e.get("target"), e.get("kind"))
-                    for e in already_published
-                }
-                new_edges = [
-                    e
-                    for e in layer_edges
-                    if (e.get("source"), e.get("target"), e.get("kind"))
-                    not in already_keys
-                ]
-                flags = (
-                    {"baseline_ready": phase_key == "L5"} if phase_key == "L5" else {}
+
+                _snap_path, _snap_bytes = write_from_graph_cache(
+                    baseline.get("nodes", []),
+                    baseline.get("edges", []),
                 )
-                _merge(
-                    layer_nodes,
-                    new_edges,
-                    stage=label,
-                    pct=pct,
-                    message=(
-                        f"{label}: +{len(layer_nodes)} nodes (+{len(new_edges)} edges)"
-                    ),
-                    phase_key=phase_key,
-                    **flags,
+                print(
+                    f"[cortex] graph snapshot: {_snap_bytes:,} bytes → {_snap_path}",
+                    file=sys.stderr,
+                )
+            except Exception as _exc:  # pragma: no cover - defensive
+                print(
+                    f"[cortex] graph snapshot write failed: {_exc}",
+                    file=sys.stderr,
                 )
-                # Mark this phase as ``ready`` in the state machine
-                # — the next phase (and the client's next fetch) can
-                # now safely depend on these nodes existing.
-                _mark_phase_ready(phase_key)
-                time.sleep(0.1)
+
+            # Signal end-of-stream so live SSE subscribers stop polling
+            # and the browser can flip from "incremental" mode to its
+            # final rendered state.
+            try:
+                _events.close()
+            except Exception:
+                pass
 
             # L6 — AST per project, per 200-symbol batch.
             from mcp_server.core.workflow_graph_palette import (
@@ -576,6 +896,12 @@ def _edges_for(node_ids: set[str]):
                     "(AP disabled)",
                     full_ready=True,
                 )
+                # Tell the SSE stream the build is finished so connected
+                # clients can flush + close cleanly.
+                try:
+                    get_layout_authority().done()
+                except Exception:
+                    pass
                 return
 
             # File-path → file-id map for DEFINED_IN edge resolution.
@@ -892,6 +1218,11 @@ async def _load_with_timeout(gp_):
                         phase_key=phase_key,
                     )
                     time.sleep(0.02)
+                    # Act-channel consult between L6 symbol batches —
+                    # L6 is the highest-volume phase (~64k symbols per
+                    # large project) and the most likely to overflow
+                    # P4. See _pressure module docstring.
+                    _pressure.wait_for_clear(timeout=1.0)
                 # Intra-project edges land in the same project phase,
                 # but only AFTER all its nodes — the client's dangling-
                 # edge filter handles any slack.
@@ -923,6 +1254,11 @@ async def _load_with_timeout(gp_):
                     phase_key="L6_CROSS",
                 )
                 time.sleep(0.05)
+                # Act-channel consult between L6 cross-edge batches.
+                # Edges live in P5 (lowest pre-subtree priority) and
+                # are dropped before any nodes — back off if the
+                # authority is signalling that.
+                _pressure.wait_for_clear(timeout=1.0)
             _mark_phase_ready("L6_CROSS")
 
             # Done.
@@ -959,6 +1295,11 @@ async def _load_with_timeout(gp_):
                 node_count=len(cur["nodes"]),
                 edge_count=len(cur["edges"]),
             )
+            # Final terminator on the SSE stream so subscribers close.
+            try:
+                get_layout_authority().done()
+            except Exception:
+                pass
         except Exception as exc:  # pragma: no cover
             print(f"[cortex] background build error: {exc}", file=sys.stderr)
             traceback.print_exc(file=sys.stderr)
diff --git a/mcp_server/server/layout_authority.py b/mcp_server/server/layout_authority.py
new file mode 100644
index 00000000..ee70282d
--- /dev/null
+++ b/mcp_server/server/layout_authority.py
@@ -0,0 +1,479 @@
+"""Cortex layout-authority integrator.
+
+Consolidates geometry + protocol + scheduler + log + wire into a single
+``LayoutAuthority`` reference. Build worker calls add_node / add_edge /
+request_subtree; SSE handler subscribes via subscribe() and drains
+(seq, kind, payload_bytes) events ready for the wire.
+
+Memory: O(domains x kinds) counters + bounded buffers (~256 KB worst).
+Per-event: O(1) amortized.
+
+Threading: single producer for emit(). Subscribers drain independently.
+
+Invariants (see protocol module INVARIANTS):
+    I1 finite (x,y) - wire layer verifies.
+    I2 monotonic seq - log module assigns.
+    I3 symbol-after-file - pending-symbols buffer flushes on file arrival.
+    I4 file-before-tool_hub - falls back to domain anchor; final.
+    I5 pending-edges - capped at 100k; oldest dropped.
+    I7 domain-late - anchor deterministic from index alone.
+"""
+
+from __future__ import annotations
+
+import threading
+from collections import OrderedDict
+from typing import Optional
+
+from mcp_server.server import layout_authority_log as _log
+from mcp_server.server import layout_authority_pressure as _pressure
+from mcp_server.server import layout_authority_wire as _wire
+from mcp_server.server.layout_authority_geometry import (
+    base_radius,
+    compute_slot,
+    domain_anchor,
+    outward_angle,
+    tool_hub_angle,
+)
+from mcp_server.server.layout_authority_protocol import (
+    EDGE_KINDS,
+    NODE_KINDS,
+    EdgeDelta,
+    NodeDelta,
+    SlotAssignment,
+)
+
+
+# ── Tunables ─────────────────────────────────────────────────────────────
+
+_PENDING_EDGES_CAP = 100_000
+_PENDING_SYMBOLS_CAP_PER_FILE = 4_096
+_DEFAULT_DOMAIN_RESERVATION = 16  # initial Fibonacci slots reserved
+
+
+# ── Internal helper structures ───────────────────────────────────────────
+
+
+class _DomainRegistry:
+    """Domain index + lazy Fibonacci anchor materialization (I7).
+
+    Anchor = f(index, reserved_total, cx, cy, base_r). Indices are
+    assigned on first sighting; reservation grows by chunks so anchors
+    stay stable for already-placed domains (final per I4/I7).
+    """
+
+    def __init__(self, width: float, height: float) -> None:
+        self._width = width
+        self._height = height
+        self._cx = width / 2.0
+        self._cy = height / 2.0
+        # domain_id -> (index, anchor (frozen), outward, base_r at freeze)
+        self._index_of: dict[str, int] = {}
+        self._anchors: dict[str, tuple[float, float]] = {}
+        self._outwards: dict[str, float] = {}
+        # Reserved domain count used for anchor math. Bumped only when a
+        # NEW domain arrives AFTER reservation is exhausted; existing
+        # anchors are NOT recomputed (they were frozen at first sighting).
+        self._reserved = _DEFAULT_DOMAIN_RESERVATION
+
+    def index_for(self, domain_id: str) -> int:
+        idx = self._index_of.get(domain_id)
+        if idx is not None:
+            return idx
+        idx = len(self._index_of)
+        if idx >= self._reserved:
+            # Grow reservation but do not back-edit prior anchors. New
+            # anchor uses the new reservation; prior anchors retain their
+            # first-sighting placement (final per I4/I7).
+            self._reserved = idx + _DEFAULT_DOMAIN_RESERVATION
+        self._index_of[domain_id] = idx
+        base_r = base_radius(self._width, self._height, self._reserved)
+        anchor = domain_anchor(idx, self._reserved, self._cx, self._cy, base_r)
+        self._anchors[domain_id] = anchor
+        self._outwards[domain_id] = outward_angle(anchor, self._cx, self._cy)
+        return idx
+
+    def anchor(self, domain_id: str) -> tuple[float, float]:
+        if domain_id not in self._anchors:
+            self.index_for(domain_id)
+        return self._anchors[domain_id]
+
+    def outward(self, domain_id: str) -> float:
+        if domain_id not in self._outwards:
+            self.index_for(domain_id)
+        return self._outwards[domain_id]
+
+    def base_r(self) -> float:
+        return base_radius(self._width, self._height, max(self._reserved, 1))
+
+    def total(self) -> int:
+        return self._reserved
+
+    def cx(self) -> float:
+        return self._cx
+
+    def cy(self) -> float:
+        return self._cy
+
+
+# ── Validation helpers ───────────────────────────────────────────────────
+
+
+def _validate_node(delta: NodeDelta) -> None:
+    if delta.kind not in NODE_KINDS:
+        raise ValueError(f"unknown node kind: {delta.kind!r}")
+    if not delta.node_id:
+        raise ValueError("node_id must be non-empty")
+    if not delta.domain_id:
+        raise ValueError("domain_id must be non-empty")
+    if delta.kind == "domain" and delta.domain_id != delta.node_id:
+        raise ValueError("domain node requires domain_id == node_id")
+    if delta.kind == "tool_hub" and not delta.tool_name:
+        raise ValueError("tool_hub node requires non-empty tool_name")
+    if delta.kind == "symbol" and not delta.parent_id:
+        raise ValueError("symbol node requires parent_id")
+
+
+def _validate_edge(delta: EdgeDelta) -> None:
+    if delta.kind not in EDGE_KINDS:
+        raise ValueError(f"unknown edge kind: {delta.kind!r}")
+    if not delta.source_id or not delta.target_id:
+        raise ValueError("edge endpoints must be non-empty")
+
+
+# ── Core integrator ──────────────────────────────────────────────────────
+
+
+class LayoutAuthority:
+    """Reference layout authority: counters + slot emission + buffers.
+
+    Per-method preconditions/postconditions follow the protocol module
+    contracts (NodeDelta / EdgeDelta docstrings). All methods are
+    O(1) amortized; no method blocks.
+    """
+
+    def __init__(self, width: float = 1000.0, height: float = 1000.0) -> None:
+        self._registry = _DomainRegistry(width, height)
+        # (domain_id, kind) -> running count (also = next idx for that bucket).
+        self._counts: dict[tuple[str, str], int] = {}
+        # node_id -> SlotAssignment (final once placed; I4/I7).
+        self._slots: dict[str, SlotAssignment] = {}
+        # tool_hub node_id -> hub_angle (cached for files orbiting it).
+        self._hub_angles: dict[str, float] = {}
+        # I3 buffer: file_id -> [NodeDelta, ...] of symbols awaiting file slot.
+        self._pending_symbols: dict[str, list[NodeDelta]] = {}
+        # Running total of buffered symbols across all files. Maintained
+        # incrementally so _observe_pressure is O(1) per emit instead of
+        # O(files) — summing the dict on every add_node/add_edge made the
+        # producer O(N×files) and stalled large builds (86k-edge memories
+        # batch grinding at 98% CPU for minutes). source: measured
+        # 2026-05-27 on the rebased streaming branch.
+        self._pending_symbols_count = 0
+        # I5 buffer: ordered (src,tgt) -> EdgeDelta; oldest dropped on cap.
+        self._pending_edges: "OrderedDict[tuple[str, str], EdgeDelta]" = OrderedDict()
+        # Counters surfaced via stats(); not load-bearing for correctness.
+        self._slots_emitted = 0
+        self._edges_emitted = 0
+        self._edges_dropped = 0
+        # Producer-side mutex (single producer expected; defensive only).
+        self._lock = threading.Lock()
+        self._closed = False
+
+    # ── Public API (LayoutAuthority protocol) ──────────────────────────
+
+    def add_node(self, delta: NodeDelta) -> None:
+        _validate_node(delta)
+        with self._lock:
+            if self._closed:
+                return
+            slot = self._place_node(delta)
+            if slot is None:
+                return  # buffered (I3 symbol awaiting file)
+            self._emit_slot(slot)
+            # Symbol arrival via flush is handled inside _place_node->flush.
+            self._try_flush_pending_edges_for(delta.node_id)
+
+    def add_edge(self, delta: EdgeDelta) -> None:
+        _validate_edge(delta)
+        with self._lock:
+            if self._closed:
+                return
+            if delta.source_id in self._slots and delta.target_id in self._slots:
+                self._emit_edge(delta)
+                return
+            self._buffer_edge(delta)
+
+    def request_subtree(self, domain_id: str) -> None:
+        # Re-emit known slots for this domain. No reseat (slots final).
+        # No-op if domain unknown (idempotent on a still-building graph).
+        with self._lock:
+            if self._closed:
+                return
+            if domain_id not in self._registry._index_of:  # noqa: SLF001
+                return
+            for slot in list(self._slots.values()):
+                if slot.domain_id == domain_id:
+                    self._emit_slot(slot)
+
+    def subscribe(self):
+        return _log.subscribe()
+
+    def unsubscribe(self, q) -> None:
+        _log.unsubscribe(q)
+
+    def done(self) -> None:
+        with self._lock:
+            if self._closed:
+                return
+            seq = _log._event_seq + 1  # noqa: SLF001
+            payload = _wire.format_done(
+                seq=seq,
+                total_slots=self._slots_emitted,
+                total_edges=self._edges_emitted,
+            )
+            _log.emit("done", payload)
+            self._closed = True
+
+    def stats(self) -> dict:
+        with self._lock:
+            return {
+                "slots_emitted": self._slots_emitted,
+                "edges_emitted": self._edges_emitted,
+                "edges_dropped": self._edges_dropped,
+                "pending_symbols": self._pending_symbols_count,
+                "pending_edges": len(self._pending_edges),
+                "domains": len(self._registry._index_of),  # noqa: SLF001
+            }
+
+    def _observe_pressure(self) -> None:
+        """Update the producer-feedback Act-channel.
+
+        Called from the hotspots where the producer just observed (or
+        could have observed) a pressure event: edge buffered, symbol
+        buffered, emission completed. Single-producer precondition is
+        already in force (caller holds ``self._lock``).
+        """
+        # O(1): read the running counter instead of summing the dict.
+        # _event_log_drops is single-producer-written by _log.emit; we
+        # read it without the log lock because we are the single
+        # producer (Cochrane: no cross-producer race possible here).
+        _pressure.observe(
+            event_log_drops=_log._event_log_drops,  # noqa: SLF001
+            edges_dropped=self._edges_dropped,
+            pending_edges=len(self._pending_edges),
+            pending_symbols_total=self._pending_symbols_count,
+        )
+
+    # ── Internal placement ─────────────────────────────────────────────
+
+    def _place_node(self, delta: NodeDelta) -> Optional[SlotAssignment]:
+        """Compute and register a slot. Returns None if buffered (I3)."""
+        # Symbol awaiting file: buffer + return None.
+        if delta.kind == "symbol":
+            file_id = delta.parent_id
+            if file_id not in self._slots:
+                buf = self._pending_symbols.setdefault(file_id, [])
+                if len(buf) < _PENDING_SYMBOLS_CAP_PER_FILE:
+                    buf.append(delta)
+                    self._pending_symbols_count += 1
+                self._observe_pressure()
+                return None
+
+        slot = self._compute_assignment(delta)
+        self._slots[delta.node_id] = slot
+        # Side-effects beyond slot registration:
+        if delta.kind == "tool_hub":
+            self._hub_angles[delta.node_id] = self._tool_hub_angle_for(delta)
+        return slot
+
+    def _compute_assignment(self, delta: NodeDelta) -> SlotAssignment:
+        """Pure: turn a NodeDelta into a SlotAssignment via geometry."""
+        domain_id = delta.domain_id
+        kind = delta.kind
+        # Increment bucket counter; idx is pre-increment count.
+        idx = self._counts.get((domain_id, kind), 0)
+        self._counts[(domain_id, kind)] = idx + 1
+
+        ctx = self._geometry_ctx(delta, idx)
+        x, y = compute_slot(kind, ctx)
+        # seq is assigned at emit time by the log; we stash 0 here and
+        # rebuild SlotAssignment at emit so the wire sees the real seq.
+        return SlotAssignment(
+            seq=0,
+            node_id=delta.node_id,
+            x=float(x),
+            y=float(y),
+            kind=kind,
+            domain_id=domain_id,
+        )
+
+    def _geometry_ctx(self, delta: NodeDelta, idx: int) -> dict:
+        """Build the kind-specific ctx dict for compute_slot."""
+        kind = delta.kind
+        domain_id = delta.domain_id
+        reg = self._registry
+
+        if kind == "domain":
+            return {
+                "index": reg.index_for(domain_id),
+                "total_domains": reg.total(),
+                "cx": reg.cx(),
+                "cy": reg.cy(),
+                "base_r": reg.base_r(),
+            }
+
+        anchor = reg.anchor(domain_id)
+        outward = reg.outward(domain_id)
+
+        if kind == "tool_hub":
+            return {
+                "anchor": anchor,
+                "outward": outward,
+                "tool_name": delta.tool_name or "",
+            }
+        if kind == "file":
+            hub_angle = outward
+            if delta.parent_id and delta.parent_id in self._hub_angles:
+                hub_angle = self._hub_angles[delta.parent_id]
+            # Bucket idx is per (domain, kind) — approximates "files in
+            # primary hub" since the build worker bins them per-hub.
+            total = max(idx + 1, 1)
+            return {
+                "anchor": anchor,
+                "hub_angle": hub_angle,
+                "idx": idx,
+                "total": total,
+            }
+        if kind == "symbol":
+            file_slot = self._slots[delta.parent_id]  # type: ignore[index]
+            file_xy = (file_slot.x, file_slot.y)
+            # Per-file symbol idx (separate from domain bucket):
+            sym_key = ("__sym__", delta.parent_id or "")
+            sym_idx = self._counts.get(sym_key, 0)
+            self._counts[sym_key] = sym_idx + 1
+            total = max(sym_idx + 1, 1)
+            return {"file_slot": file_xy, "idx": sym_idx, "total": total}
+
+        # skill/hook/command/agent/discussion/memory/mcp/entity
+        total = max(idx + 1, 1)
+        return {
+            "anchor": anchor,
+            "outward": outward,
+            "idx": idx,
+            "total": total,
+        }
+
+    def _tool_hub_angle_for(self, delta: NodeDelta) -> float:
+        outward = self._registry.outward(delta.domain_id)
+        return tool_hub_angle(outward, delta.tool_name or "")
+
+    # ── Emission ───────────────────────────────────────────────────────
+
+    def _emit_slot(self, slot: SlotAssignment) -> None:
+        # Peek next seq so the SSE 'id:' header matches the log's
+        # assignment. Single-producer invariant on emit() makes this
+        # safe (see layout_authority_log module docstring).
+        seq = _log._event_seq + 1  # noqa: SLF001  peek-before-emit
+        sealed = SlotAssignment(
+            seq=seq,
+            node_id=slot.node_id,
+            x=slot.x,
+            y=slot.y,
+            kind=slot.kind,
+            domain_id=slot.domain_id,
+        )
+        payload = _wire.format_slot(seq, sealed)
+        actual_seq = _log.emit("slot", payload)
+        assert actual_seq == seq, "log seq diverged from peek (multi-producer?)"
+        self._slots[sealed.node_id] = sealed
+        self._slots_emitted += 1
+        if sealed.kind == "file":
+            self._flush_pending_symbols(sealed.node_id)
+        # After emission the log's drop counter and the local
+        # pending-* sizes may have shifted (the log can have evicted
+        # an old event under the ring cap, the symbol flush above may
+        # have shrunk pending_symbols). Update the Act-channel so the
+        # producer's next between-batches check is accurate.
+        self._observe_pressure()
+
+    def _emit_edge(self, edge: EdgeDelta) -> None:
+        seq = _log._event_seq + 1  # noqa: SLF001
+        payload = _wire.format_edge(seq, edge)
+        _log.emit("edge", payload)
+        self._edges_emitted += 1
+
+    # ── Buffer flush helpers ───────────────────────────────────────────
+
+    def _flush_pending_symbols(self, file_id: str) -> None:
+        pending = self._pending_symbols.pop(file_id, None)
+        if not pending:
+            return
+        self._pending_symbols_count -= len(pending)
+        for sym in pending:
+            slot = self._compute_assignment(sym)
+            self._slots[sym.node_id] = slot
+            self._emit_slot(slot)
+            self._try_flush_pending_edges_for(sym.node_id)
+
+    def _buffer_edge(self, delta: EdgeDelta) -> None:
+        key = (delta.source_id, delta.target_id)
+        if key in self._pending_edges:
+            self._pending_edges.move_to_end(key)
+            self._pending_edges[key] = delta
+            return
+        if len(self._pending_edges) >= _PENDING_EDGES_CAP:
+            # Drop oldest (FIFO eviction per I5).
+            self._pending_edges.popitem(last=False)
+            self._edges_dropped += 1
+        self._pending_edges[key] = delta
+        self._observe_pressure()
+
+    def _try_flush_pending_edges_for(self, node_id: str) -> None:
+        if not self._pending_edges:
+            return
+        ready: list[tuple[str, str]] = []
+        for key, edge in self._pending_edges.items():
+            if key[0] != node_id and key[1] != node_id:
+                continue
+            if edge.source_id in self._slots and edge.target_id in self._slots:
+                ready.append(key)
+        for key in ready:
+            edge = self._pending_edges.pop(key)
+            self._emit_edge(edge)
+
+
+# ── Factory ──────────────────────────────────────────────────────────────
+
+
+def build_authority(width: float = 1000.0, height: float = 1000.0) -> LayoutAuthority:
+    """Construct a fresh LayoutAuthority. Resets the global event log
+    so the new build starts from a clean replay window. The seq counter
+    persists across resets (see layout_authority_log.reset docstring).
+
+    Also resets the producer-feedback Act-channel — otherwise a stale
+    overload flag from the previous run would block the new producer
+    until the next observe() call corrected it.
+    """
+    _log.reset()
+    _pressure.reset()
+    return LayoutAuthority(width=width, height=height)
+
+
+# ── Smoke test ───────────────────────────────────────────────────────────
+
+
+if __name__ == "__main__":
+    auth = build_authority()
+    auth.add_node(NodeDelta("domain:cortex", "domain", "domain:cortex"))
+    auth.add_node(NodeDelta("file:abc", "file", "domain:cortex"))
+    auth.add_node(
+        NodeDelta("symbol:foo", "symbol", "domain:cortex", parent_id="file:abc")
+    )
+    auth.add_edge(EdgeDelta("symbol:foo", "file:abc", "defined_in"))
+
+    # Subscribe AFTER emission to demonstrate the live-stream path; for
+    # smoke purposes drain via replay since 0 to capture the full set.
+    events, _oldest = _log.replay_since(0)
+    print(f"Emitted {len(events)} events:")
+    for seq, kind, payload in events:
+        print(f"  seq={seq} kind={kind} bytes={len(payload)}")
diff --git a/mcp_server/server/layout_authority_geometry.py b/mcp_server/server/layout_authority_geometry.py
new file mode 100644
index 00000000..0538591b
--- /dev/null
+++ b/mcp_server/server/layout_authority_geometry.py
@@ -0,0 +1,240 @@
+"""Closed-form O(1) slot placement for the layout authority.
+
+Every node's (x, y) is a pure function of:
+  - its domain's anchor position (Fibonacci-spiral, derived once from
+    the domain index alone — never depends on N)
+  - its kind ('domain', 'tool_hub', 'file', 'symbol', 'memory', etc.)
+  - its index within that (domain, kind) bucket
+  - the running total of nodes seen in that bucket
+  - optionally, its parent's slot (for symbols inside their file's petal)
+
+No iteration. No graph. No simulation. The cost is constant per node
+regardless of how many other nodes exist.
+
+Memory footprint: O(domains × kinds) integer counters — ~528 bytes
+for 11 domains × 6 kinds. The graph itself never lives in this module.
+
+Match the visual conventions of ui/unified/js/workflow_graph.js so the
+Python authority produces the same layout the user already approves of.
+All constants below are copied verbatim from that file (lines 43-84).
+"""
+
+from __future__ import annotations
+
+import math
+from typing import Tuple
+
+# ── Radii (workflow_graph.js lines 43-54) ────────────────────────────────
+SETUP_R: float = 70.0
+TOOL_R: float = 140.0
+FILE_R: float = 220.0
+DISC_R: float = 150.0
+MEM_R: float = 150.0
+MCP_R: float = 50.0
+SYM_R_OUTER: float = 290.0
+SYM_R_SPREAD: float = 32.0
+SYM_CLUMP_R: float = 18.0
+
+# ── Sector half-widths (workflow_graph.js lines 63-65) ──────────────────
+SECTOR_SETUP_HALF: float = math.pi / 2.6  # ~69°
+SECTOR_SIDE_HALF: float = math.pi / 6.5  # ~28°
+SECTOR_SIDE_ANGLE: float = math.pi * 0.72  # ~130° from outward axis
+
+# ── Per-tool angles, local to each domain's outward axis (lines 76-84) ──
+TOOL_LOCAL_ANGLE: dict[str, float] = {
+    "Edit": 0.0,
+    "Write": -math.pi / 12,
+    "Read": math.pi / 12,
+    "Grep": -math.pi / 6,
+    "Glob": math.pi / 6,
+    "Bash": -math.pi / 3.6,
+    "Task": math.pi / 3.6,
+}
+
+# Golden angle for Fibonacci-spiral domain placement (line 323).
+_PHI: float = math.pi * (3.0 - math.sqrt(5.0))
+
+
+# ── Domain placement (workflow_graph.js lines 313-328) ──────────────────
+def base_radius(width: float, height: float, n_domains: int) -> float:
+    """Pick baseR so adjacent shells never collide.
+
+    Fibonacci-spiral average spacing is R·√(π/N); each shell occupies
+    2·FILE_R + 60 px. We take the larger of (a) 42% of the smaller
+    canvas dimension and (b) the spacing-driven floor.
+    """
+    shell = 2.0 * FILE_R + 60.0
+    n = max(n_domains, 1)
+    return max(min(width, height) * 0.42, shell * math.sqrt(n / math.pi) * 0.65)
+
+
+def domain_anchor(
+    index: int,
+    total_domains: int,
+    cx: float,
+    cy: float,
+    base_r: float,
+) -> Tuple[float, float]:
+    """Fibonacci spiral — same formula as workflow_graph.js line 326."""
+    n = max(total_domains, 1)
+    r = base_r * math.sqrt((index + 0.5) / n)
+    theta = index * _PHI
+    return (cx + r * math.cos(theta), cy + r * math.sin(theta))
+
+
+def outward_angle(anchor: Tuple[float, float], cx: float, cy: float) -> float:
+    """Radially-outward axis from graph center to the domain anchor.
+
+    Domains within 5px of the center get a stable upward bias
+    (matches workflow_graph.js line 464).
+    """
+    dx, dy = anchor[0] - cx, anchor[1] - cy
+    if math.hypot(dx, dy) < 5.0:
+        return -math.pi / 2.0
+    return math.atan2(dy, dx)
+
+
+# ── L1 setup ring (workflow_graph.js lines 500-507) ─────────────────────
+def slot_for_setup(
+    anchor: Tuple[float, float],
+    outward: float,
+    idx: int,
+    total: int,
+) -> Tuple[float, float]:
+    """Skill / hook / command / agent fan inside the setup sector."""
+    arc = SECTOR_SETUP_HALF * 2.0
+    n = max(total, 1)
+    t = outward + ((idx + 0.5) / n - 0.5) * arc
+    r = SETUP_R + (idx % 2) * 8.0
+    return (anchor[0] + r * math.cos(t), anchor[1] + r * math.sin(t))
+
+
+# ── L2 tool hubs (workflow_graph.js lines 469-476) ──────────────────────
+def slot_for_tool_hub(
+    anchor: Tuple[float, float],
+    outward: float,
+    tool_name: str,
+) -> Tuple[float, float]:
+    """Tool hub at fixed per-tool angle along the outward axis."""
+    local = TOOL_LOCAL_ANGLE.get(tool_name, 0.0)
+    t = outward + local
+    return (anchor[0] + TOOL_R * math.cos(t), anchor[1] + TOOL_R * math.sin(t))
+
+
+def tool_hub_angle(outward: float, tool_name: str) -> float:
+    """Return the per-tool angle (caller stores it for files to orbit)."""
+    return outward + TOOL_LOCAL_ANGLE.get(tool_name, 0.0)
+
+
+# ── L3 files (workflow_graph.js lines 485-495) ──────────────────────────
+def slot_for_file(
+    anchor: Tuple[float, float],
+    hub_angle: float,
+    idx_in_hub: int,
+    total_in_hub: int,
+) -> Tuple[float, float]:
+    """File orbits its primary tool hub; arc widens with file count."""
+    n = max(total_in_hub, 1)
+    arc = min(0.35, 0.08 + n * 0.015)
+    t = hub_angle + ((idx_in_hub + 0.5) / n - 0.5) * arc
+    r = FILE_R + ((idx_in_hub % 3) - 1) * 4.0
+    return (anchor[0] + r * math.cos(t), anchor[1] + r * math.sin(t))
+
+
+# ── L4 discussions (workflow_graph.js lines 511-519) ────────────────────
+def slot_for_discussion(
+    anchor: Tuple[float, float],
+    outward: float,
+    idx: int,
+    total: int,
+) -> Tuple[float, float]:
+    """Discussion lane on one side of the domain, opposite memories."""
+    center = outward + SECTOR_SIDE_ANGLE
+    n = max(total, 1)
+    arc = SECTOR_SIDE_HALF * 2.0 + min(math.pi / 3.0, n * 0.04)
+    t = center + ((idx + 0.5) / n - 0.5) * arc
+    r = DISC_R + (idx % 3) * 6.0
+    return (anchor[0] + r * math.cos(t), anchor[1] + r * math.sin(t))
+
+
+# ── L5 memories (workflow_graph.js lines 522-531) ───────────────────────
+def slot_for_memory(
+    anchor: Tuple[float, float],
+    outward: float,
+    idx: int,
+    total: int,
+) -> Tuple[float, float]:
+    """Memory lane on the opposite side from discussions."""
+    center = outward - SECTOR_SIDE_ANGLE
+    n = max(total, 1)
+    arc = SECTOR_SIDE_HALF * 2.0 + min(math.pi / 2.5, n * 0.03)
+    t = center + ((idx + 0.5) / n - 0.5) * arc
+    r = MEM_R + (idx % 4) * 8.0
+    return (anchor[0] + r * math.cos(t), anchor[1] + r * math.sin(t))
+
+
+# ── MCPs (workflow_graph.js lines 536-541) ──────────────────────────────
+def slot_for_mcp(
+    anchor: Tuple[float, float],
+    outward: float,
+    idx: int,
+    total: int,
+) -> Tuple[float, float]:
+    """MCPs sit INWARD of the domain so cross-domain edges fan visibly."""
+    t = outward + math.pi
+    jitter = (idx - (max(total, 1) - 1) / 2.0) * 0.25
+    return (
+        anchor[0] + MCP_R * math.cos(t + jitter),
+        anchor[1] + MCP_R * math.sin(t + jitter),
+    )
+
+
+# ── L6 symbols (workflow_graph.js — petal cloud around parent file) ─────
+def slot_for_symbol(
+    file_slot: Tuple[float, float],
+    idx_in_file: int,
+    total_in_file: int,
+) -> Tuple[float, float]:
+    """Petal around parent file. Idx-deterministic angle around the file."""
+    if total_in_file <= 0:
+        return file_slot
+    angle = 2.0 * math.pi * (idx_in_file + 0.5) / total_in_file
+    r = SYM_CLUMP_R + (idx_in_file % 4) * 3.0
+    return (file_slot[0] + r * math.cos(angle), file_slot[1] + r * math.sin(angle))
+
+
+# ── Dispatcher ──────────────────────────────────────────────────────────
+def compute_slot(node_kind: str, ctx: dict) -> Tuple[float, float]:
+    """Closed-form slot lookup keyed by node kind.
+
+    `ctx` is a plain dict supplying only the fields each helper needs:
+      - anchor, outward, idx, total          (setup / disc / mem / mcp)
+      - anchor, outward, tool_name           (tool_hub)
+      - anchor, hub_angle, idx, total        (file)
+      - file_slot, idx, total                (symbol)
+      - index, total_domains, cx, cy, base_r (domain)
+
+    All branches are O(1). No state mutation. Unknown kinds return the
+    domain anchor as a safe fallback so the renderer never sees NaN.
+    """
+    if node_kind == "domain":
+        return domain_anchor(
+            ctx["index"], ctx["total_domains"], ctx["cx"], ctx["cy"], ctx["base_r"]
+        )
+    if node_kind == "tool_hub":
+        return slot_for_tool_hub(ctx["anchor"], ctx["outward"], ctx["tool_name"])
+    if node_kind == "file":
+        return slot_for_file(ctx["anchor"], ctx["hub_angle"], ctx["idx"], ctx["total"])
+    if node_kind == "symbol":
+        return slot_for_symbol(ctx["file_slot"], ctx["idx"], ctx["total"])
+    if node_kind in ("skill", "hook", "command", "agent"):
+        return slot_for_setup(ctx["anchor"], ctx["outward"], ctx["idx"], ctx["total"])
+    if node_kind == "discussion":
+        return slot_for_discussion(
+            ctx["anchor"], ctx["outward"], ctx["idx"], ctx["total"]
+        )
+    if node_kind == "memory":
+        return slot_for_memory(ctx["anchor"], ctx["outward"], ctx["idx"], ctx["total"])
+    if node_kind == "mcp":
+        return slot_for_mcp(ctx["anchor"], ctx["outward"], ctx["idx"], ctx["total"])
+    return ctx.get("anchor", (ctx.get("cx", 0.0), ctx.get("cy", 0.0)))
diff --git a/mcp_server/server/layout_authority_lod.py b/mcp_server/server/layout_authority_lod.py
new file mode 100644
index 00000000..1ff2a0e2
--- /dev/null
+++ b/mcp_server/server/layout_authority_lod.py
@@ -0,0 +1,205 @@
+"""Fractal level-of-detail subsampler for the layout authority.
+
+Principle (Mandelbrot 1982, *The Fractal Geometry of Nature*):
+    Graph structure is self-similar across scales. At full zoom the user
+    needs every symbol; at far zoom only domain/tool/file scaffolding
+    matters. Decimation by a deterministic hash keyed on (node_id, zoom)
+    yields the SAME visible subset across reconnects — clients can drop
+    and rejoin without the visible population shifting.
+
+The decimation rule is power-law in stride:
+
+    stride(zoom) = max(1, int(2 ** (3 - zoom * 4)))
+
+    zoom=1.00 → stride=1   (all symbols visible)
+    zoom=0.75 → stride=1
+    zoom=0.50 → stride=2   (≈ half)
+    zoom=0.25 → stride=4   (≈ quarter)
+    zoom=0.00 → stride=8   (≈ 1/8)
+
+Visible-count vs stride is approximately a power law (slope -1 on log-log)
+because |visible| ≈ N / stride. This is the Mandelbrot signature: the
+information density scales as a power of the resolution, not as a
+constant. See `tasks/layout-authority/audits/mandelbrot.md`.
+
+This module is pure logic. Imports stdlib only. No I/O.
+"""
+
+from __future__ import annotations
+
+import hashlib
+from typing import Iterable, Iterator
+
+from mcp_server.server.layout_authority_protocol import NodeDelta
+
+
+# ── Kinds that are ALWAYS visible regardless of zoom ─────────────
+# These form the structural scaffolding; their cardinality is bounded
+# (typically O(domains) + O(tools) + O(files)) so emitting all of them
+# at every zoom is cheap.
+_ALWAYS_VISIBLE: frozenset[str] = frozenset(
+    {
+        "domain",
+        "tool_hub",
+        "file",
+        "discussion",
+        "skill",
+        "hook",
+        "command",
+        "agent",
+        "mcp",
+    }
+)
+
+# Kinds that are decimated by the power-law stride.
+_DECIMATED: frozenset[str] = frozenset({"symbol"})
+
+# Kinds that are reduced (stride=2) only at far zoom (< 0.4).
+_FAR_REDUCED: frozenset[str] = frozenset({"memory", "entity"})
+
+# Threshold below which memory/entity get reduced.
+_FAR_ZOOM_THRESHOLD: float = 0.4
+
+# Stride applied to memory/entity when zoom < threshold.
+_FAR_REDUCED_STRIDE: int = 2
+
+
+def stride(zoom: float) -> int:
+    """Power-law stride for the symbol decimation.
+
+    stride(zoom) = max(1, int(2 ** (3 - zoom * 4)))
+
+    The exponent 3 - 4*zoom is linear in zoom, so stride is exponential
+    in zoom — visible-count is therefore power-law in stride. This is
+    the Mandelbrot self-similarity property: zooming by a factor of 2
+    in resolution multiplies visible symbols by ~2.
+
+    Clamps zoom to [0.0, 1.0] before computing.
+    """
+    z = 0.0 if zoom < 0.0 else (1.0 if zoom > 1.0 else zoom)
+    exponent = 3.0 - z * 4.0
+    s = int(2**exponent)
+    return s if s >= 1 else 1
+
+
+def _stable_hash(node_id: str) -> int:
+    """Deterministic, reconnection-stable hash of a node id.
+
+    Uses BLAKE2b with a fixed digest size. CPython's `hash()` is salted
+    per-process and would NOT yield identical visible subsets across
+    reconnects — that violates the contract. BLAKE2b is content-only.
+    """
+    h = hashlib.blake2b(node_id.encode("utf-8"), digest_size=8).digest()
+    return int.from_bytes(h, "big", signed=False)
+
+
+def visible_at_zoom(node_id: str, kind: str, zoom: float) -> bool:
+    """True iff this node should be emitted at this zoom level.
+
+    Decimation per kind:
+        domain, tool_hub, file, discussion, skill, hook, command,
+            agent, mcp                        → always visible
+        symbol                                → hash(id) % stride(zoom) == 0
+        memory, entity                        → reduced at zoom < 0.4
+        unknown kind                          → always visible (fail open)
+
+    The decision is a pure function of (node_id, kind, zoom). No state.
+    Identical inputs always produce identical outputs — the SSE handler
+    can run this at reconnect time and reproduce the prior visible set
+    exactly.
+    """
+    if kind in _ALWAYS_VISIBLE:
+        return True
+
+    if kind in _DECIMATED:
+        s = stride(zoom)
+        if s <= 1:
+            return True
+        return _stable_hash(node_id) % s == 0
+
+    if kind in _FAR_REDUCED:
+        if zoom >= _FAR_ZOOM_THRESHOLD:
+            return True
+        return _stable_hash(node_id) % _FAR_REDUCED_STRIDE == 0
+
+    # Unknown kind: be conservative and emit it. The client decides
+    # what to do with it. We never silently drop unrecognized data.
+    return True
+
+
+def visible_subset(
+    nodes: Iterable[NodeDelta],
+    zoom: float,
+) -> Iterator[NodeDelta]:
+    """Yield only the nodes that pass `visible_at_zoom` at this zoom.
+
+    Used by the SSE handler when the client passes `?zoom=0.5` on
+    (re)connect: the handler streams only the surviving subset rather
+    than the full population. The client never sees nodes it can't
+    render at the current zoom.
+
+    Streaming (Iterator return) is intentional — the node population
+    can be 10^6+ symbols and we must not materialize the full filtered
+    list before sending the first delta.
+    """
+    for n in nodes:
+        if visible_at_zoom(n.node_id, n.kind, zoom):
+            yield n
+
+
+# ── Self-check: roughness measure ─────────────────────────────────
+#
+# Mandelbrot's signature on the decimation: visible-count vs stride
+# should be approximately a power law (slope ≈ -1 on log-log). We
+# verify on a sample population of 10^6 symbol ids by counting how
+# many pass the filter at each canonical zoom level and comparing
+# against N / stride(zoom).
+
+
+def _selfcheck_powerlaw(
+    n_symbols: int = 1_000_000,
+) -> list[tuple[float, int, int, float]]:
+    """Return rows of (zoom, stride, visible_count, ratio_to_ideal).
+
+    `ratio_to_ideal` should be close to 1.0 if the hash is uniform.
+    """
+    rows: list[tuple[float, int, int, float]] = []
+    zooms = [0.0, 0.25, 0.5, 0.75, 1.0]
+    # Pre-render symbol ids deterministically.
+    ids = [f"sym:{i}" for i in range(n_symbols)]
+    for z in zooms:
+        s = stride(z)
+        if s == 1:
+            visible = n_symbols
+        else:
+            visible = sum(1 for nid in ids if _stable_hash(nid) % s == 0)
+        ideal = n_symbols / s
+        ratio = visible / ideal if ideal > 0 else 0.0
+        rows.append((z, s, visible, ratio))
+    return rows
+
+
+if __name__ == "__main__":  # pragma: no cover
+    import math
+
+    print("Mandelbrot LOD self-check — power-law decimation")
+    print("=" * 64)
+    print(f"{'zoom':>6} {'stride':>8} {'visible':>12} {'ideal':>12} {'ratio':>8}")
+    print("-" * 64)
+    rows = _selfcheck_powerlaw(n_symbols=1_000_000)
+    for z, s, v, r in rows:
+        ideal = 1_000_000 / s
+        print(f"{z:>6.2f} {s:>8d} {v:>12d} {ideal:>12.0f} {r:>8.4f}")
+
+    # Log-log slope check: log(visible) vs log(stride) should be ≈ -1.
+    print("-" * 64)
+    log_strides = [math.log(s) for _, s, _, _ in rows if s > 1]
+    log_visible = [math.log(v) for _, s, v, _ in rows if s > 1]
+    if len(log_strides) >= 2:
+        # Simple two-point slope between extremes.
+        slope = (log_visible[-1] - log_visible[0]) / (log_strides[-1] - log_strides[0])
+        print(f"log-log slope (visible vs stride): {slope:+.4f}  (expected ≈ -1.0)")
+        assert -1.05 < slope < -0.95, f"slope {slope} outside Mandelbrot tolerance"
+        print("PASS: decimation is power-law within tolerance.")
+    else:
+        print("SKIP: not enough non-unit strides to fit a slope.")
diff --git a/mcp_server/server/layout_authority_log.py b/mcp_server/server/layout_authority_log.py
new file mode 100644
index 00000000..18327f73
--- /dev/null
+++ b/mcp_server/server/layout_authority_log.py
@@ -0,0 +1,230 @@
+"""Append-only event log + subscriber fan-out for the layout authority.
+
+Three event kinds (each is a tuple ``(seq, kind, payload_bytes)``)::
+
+    'slot'  - a SlotAssignment
+    'edge'  - an EdgeDelta
+    'done'  - build complete
+
+Sequence numbers are monotonically increasing across the entire log.
+``Last-Event-ID`` resume uses ``seq`` as the cursor.
+
+Memory budget: bounded ring buffer (default 500_000 events). At ~80 bytes
+per event payload + ~32 bytes tuple overhead = ~56 MB worst-case for
+the buffer. Exceeds the 8 MB ceiling on principle, but this is the only
+structure that has to scale with stream length, and capping replay at
+500k events is the right tradeoff: a client that has been disconnected
+long enough to fall outside the buffer falls back to a full re-stream
+from the build cache, not from the live SSE.
+
+Subscriber queues: bounded at 100k each. A subscriber that fails
+``put_nowait`` more than 200 times in a row is presumed dead and
+auto-evicted, so the producer is never starved.
+
+Concurrency precondition (load-bearing for happens-before invariants
+I1 and I2): ``emit()`` MUST be called from a single producer thread
+(the layout authority worker). The fan-out loop runs after the log
+lock is released, so two concurrent producers could enqueue events to
+a subscriber in an order that disagrees with their seq. The single-
+producer rule keeps the deque order, the seq order, and the per-
+subscriber delivery order identical. ``subscribe`` / ``unsubscribe`` /
+``replay_since`` / ``stats`` / ``reset`` are safe from any thread.
+"""
+
+import collections
+import queue as _queue_mod
+import threading
+from typing import Deque, List, Tuple
+
+
+# --- module configuration --------------------------------------------------
+
+_EVENT_LOG_CAP = 500_000
+_SUBSCRIBER_QUEUE_CAP = 100_000
+_DEAD_QUEUE_MISS_THRESHOLD = 200
+
+Event = Tuple[int, str, bytes]
+
+
+# --- module state ----------------------------------------------------------
+
+_event_log: Deque[Event] = collections.deque(maxlen=_EVENT_LOG_CAP)
+_event_log_lock = threading.Lock()
+_event_seq = 0
+_event_log_drops = 0
+
+_subscribers: List[_queue_mod.Queue] = []
+_subscribers_lock = threading.Lock()
+
+
+# --- internal helpers ------------------------------------------------------
+
+
+def _record_miss(q: _queue_mod.Queue) -> int:
+    misses = getattr(q, "_cortex_misses", 0) + 1
+    try:
+        q._cortex_misses = misses  # type: ignore[attr-defined]
+    except Exception:
+        # Some Queue subclasses lock down attribute assignment; the
+        # subscriber will still be reaped on the next miss because the
+        # local count cannot persist - acceptable degradation.
+        pass
+    return misses
+
+
+def _clear_misses(q: _queue_mod.Queue) -> None:
+    try:
+        q._cortex_misses = 0  # type: ignore[attr-defined]
+    except Exception:
+        pass
+
+
+def _fan_out(event: Event) -> List[_queue_mod.Queue]:
+    """Deliver ``event`` to every live subscriber queue.
+
+    Returns the list of subscribers that crossed the dead-queue threshold
+    on this call. Caller is responsible for removing them from the
+    subscriber list under ``_subscribers_lock``. The fan-out itself runs
+    against a *snapshot* of the subscriber list so that the producer
+    never blocks on the subscriber lock during delivery.
+    """
+    with _subscribers_lock:
+        subs = list(_subscribers)
+    dead: List[_queue_mod.Queue] = []
+    for q in subs:
+        try:
+            q.put_nowait(event)
+            _clear_misses(q)
+        except Exception:
+            misses = _record_miss(q)
+            if misses > _DEAD_QUEUE_MISS_THRESHOLD:
+                dead.append(q)
+    return dead
+
+
+def _reap(dead: List[_queue_mod.Queue]) -> None:
+    if not dead:
+        return
+    with _subscribers_lock:
+        for q in dead:
+            try:
+                _subscribers.remove(q)
+            except ValueError:
+                pass
+
+
+# --- public API ------------------------------------------------------------
+
+
+def emit(kind: str, payload: bytes) -> int:
+    """Append ``(seq, kind, payload)`` to the log and fan out to subs.
+
+    Returns the assigned ``seq``. ``payload`` is bytes (already SSE-
+    formatted by ``layout_authority_wire``) so the SSE handler can
+    write it to the socket with zero re-encoding.
+
+    Single-producer precondition: see module docstring.
+    """
+    global _event_seq, _event_log_drops
+    with _event_log_lock:
+        _event_seq += 1
+        seq = _event_seq
+        event: Event = (seq, kind, payload)
+        if len(_event_log) == _event_log.maxlen:
+            _event_log_drops += 1
+        _event_log.append(event)
+    dead = _fan_out(event)
+    _reap(dead)
+    return seq
+
+
+def subscribe() -> _queue_mod.Queue:
+    """Register a new subscriber and return its bounded delivery queue.
+
+    The caller is responsible for draining the queue (typically an SSE
+    handler in its own thread). The queue is bounded at
+    ``_SUBSCRIBER_QUEUE_CAP``; persistent backpressure causes
+    auto-eviction.
+    """
+    q: _queue_mod.Queue = _queue_mod.Queue(maxsize=_SUBSCRIBER_QUEUE_CAP)
+    _clear_misses(q)
+    with _subscribers_lock:
+        _subscribers.append(q)
+    return q
+
+
+def unsubscribe(q: _queue_mod.Queue) -> None:
+    """Remove a subscriber. Idempotent."""
+    with _subscribers_lock:
+        try:
+            _subscribers.remove(q)
+        except ValueError:
+            pass
+
+
+def replay_since(since: int) -> Tuple[List[Event], int]:
+    """Return ``(events_to_replay, oldest_available_seq)``.
+
+    If ``since`` is older than the oldest retained seq the second tuple
+    element flags the gap (i.e. ``oldest_available_seq > since + 1``).
+    The SSE handler in ``graph_stream`` emits a ``replay_lost`` sentinel
+    in that case and the client falls back to a snapshot.
+    """
+    with _event_log_lock:
+        if not _event_log:
+            return [], 0
+        oldest_seq = _event_log[0][0]
+        if since < oldest_seq - 1:
+            return [], oldest_seq
+        out = [e for e in _event_log if e[0] > since]
+        return out, oldest_seq
+
+
+def stats() -> dict:
+    """Return a snapshot of log + subscriber metrics."""
+    with _event_log_lock:
+        oldest = _event_log[0][0] if _event_log else 0
+        newest = _event_log[-1][0] if _event_log else 0
+        size = len(_event_log)
+        drops = _event_log_drops
+    with _subscribers_lock:
+        sub_count = len(_subscribers)
+    return {
+        "size": size,
+        "cap": _EVENT_LOG_CAP,
+        "oldest_seq": oldest,
+        "newest_seq": newest,
+        "drops": drops,
+        "subscribers": sub_count,
+    }
+
+
+def reset() -> None:
+    """Wipe the log and drop all subscribers.
+
+    Called when the build worker starts a fresh build so a stale client
+    cannot read events from the previous run as if they were current.
+
+    Per invariant I3 (module docstring): ``_event_seq`` is GLOBAL, not
+    per-build, and continues across resets. A client reconnecting with
+    ``Last-Event-ID: N`` after a reset asks ``replay_since(N)``; the new
+    log's oldest seq is ``N + 1`` or greater (because the counter never
+    rewinds), so the gap-detection branch in ``replay_since`` correctly
+    identifies that the requested events are gone and the client falls
+    back to a snapshot. Resetting the counter would silently violate
+    this resume protocol because seq numbers from the previous stream
+    would collide with new ones.
+
+    Note: the original spec docstring and the original spec code body
+    disagreed on this point. The prose (I3, "seq continues") is the
+    operationally correct version because the resume protocol depends
+    on monotonic seq across resets; the code-body version (``_event_seq
+    = 0``) would silently break ``Last-Event-ID`` resume across a build
+    boundary. We follow the prose.
+    """
+    global _event_log_drops
+    with _event_log_lock:
+        _event_log.clear()
+        _event_log_drops = 0
+    with _subscribers_lock:
+        _subscribers.clear()
diff --git a/mcp_server/server/layout_authority_pressure.py b/mcp_server/server/layout_authority_pressure.py
new file mode 100644
index 00000000..84639cfd
--- /dev/null
+++ b/mcp_server/server/layout_authority_pressure.py
@@ -0,0 +1,204 @@
+"""Producer-feedback Act-channel for the layout authority.
+
+The build worker (producer) and the layout authority (consumer) live in
+different threads. The authority emits counters when it sheds work
+(``_event_log_drops``, ``_edges_dropped``, growing pending-* buffers)
+but those counters are diagnostic only — no caller reads them, no
+producer consults them, no test asserts them.
+
+Cochrane Finding A from ``tasks/layout-authority/audits/cochrane.md``
+(≥48 of 52 audits converge on this): the loop is OPEN. The producer
+fills P4 in ~64 ms; the detection loop is ~1000 ms; the tempo ratio is
+~15× against the authority. Recommended fix (Boyd schwerpunkt,
+unanimous mechanism across queueing/control/governance disciplines):
+a single ``threading.Event`` set by the authority when any pressure
+metric crosses a trip threshold and cleared when ALL metrics fall
+below a lower clear threshold. The producer consults the Event
+between batches at zero contention (Event.is_set is lock-free).
+
+Hysteresis (high trip vs lower clear) is load-bearing: a single
+threshold would flap as the deque length wobbles around it,
+producing chatter rather than a useful signal.
+
+source: Maxwell, J. C. (1868). "On Governors." Proc. Roy. Soc. 16,
+270–283 — the foundational treatment of feedback stability via
+threshold separation. Boyd, J. (1976). "Destruction and Creation."
+— the OODA "Act" channel as the only thing that closes a loop. Beer,
+S. (1972). *Brain of the Firm*, chapter on the S2/S1 channel.
+
+Concurrency model:
+    observe()       — called by the layout-authority producer thread.
+                       Single-producer, no internal lock needed for
+                       the metric snapshot; the Event itself is
+                       thread-safe.
+    is_overloaded() — called from ANY thread. Lock-free
+                       (Event.is_set()).
+    wait_for_clear  — called from ANY thread, typically the build
+                       worker between batches. Bounded wait so a
+                       genuinely stuck system cannot stall the build
+                       forever.
+    snapshot()      — diagnostic; reads atomic ints + Event flag.
+
+The module is process-global (one log + one authority per process) to
+keep the call sites unchanged from the integrator's pattern.
+"""
+
+from __future__ import annotations
+
+import threading
+from dataclasses import dataclass
+
+# ── Tunables ─────────────────────────────────────────────────────────────
+#
+# Trip / clear thresholds are expressed as fractions of the consumer's
+# bounded-capacity sentinels. They are intentionally far apart so the
+# flag does not flap as the queue length wobbles by single events.
+#
+# source: Maxwell (1868) §3 — stability requires the upper and lower
+# thresholds to bracket the system's natural oscillation amplitude.
+
+_PENDING_EDGES_CAP = 100_000  # mirror of layout_authority._PENDING_EDGES_CAP
+_PENDING_SYMBOLS_TOTAL_SOFT_CAP = 32_768  # rough multi-file aggregate
+
+_TRIP_PENDING_EDGES = int(_PENDING_EDGES_CAP * 0.80)  # 80_000
+_CLEAR_PENDING_EDGES = int(_PENDING_EDGES_CAP * 0.50)  # 50_000
+_TRIP_PENDING_SYMBOLS = int(_PENDING_SYMBOLS_TOTAL_SOFT_CAP * 0.80)
+_CLEAR_PENDING_SYMBOLS = int(_PENDING_SYMBOLS_TOTAL_SOFT_CAP * 0.50)
+
+
+# ── State ────────────────────────────────────────────────────────────────
+
+
+@dataclass
+class _Snapshot:
+    """Last-known metric values (single-producer, no lock needed)."""
+
+    event_log_drops: int = 0
+    edges_dropped: int = 0
+    pending_edges: int = 0
+    pending_symbols_total: int = 0
+    # Previous drop counters so we can detect "a drop happened *this
+    # observe*" rather than just absolute totals.
+    last_log_drops: int = 0
+    last_edges_dropped: int = 0
+
+
+_state = _Snapshot()
+_overloaded = threading.Event()
+
+
+# ── Public API ───────────────────────────────────────────────────────────
+
+
+def observe(
+    *,
+    event_log_drops: int,
+    edges_dropped: int,
+    pending_edges: int,
+    pending_symbols_total: int,
+) -> bool:
+    """Update pressure state from a producer-side metric snapshot.
+
+    Returns the new overload state (True iff the Event is set after
+    this call). Single-producer precondition: see module docstring.
+    """
+    # Detect "a drop happened on this step" by comparing against the
+    # previous snapshot. New drops are the strongest pressure signal —
+    # they indicate the consumer is already shedding work.
+    new_log_drops = event_log_drops - _state.last_log_drops
+    new_edge_drops = edges_dropped - _state.last_edges_dropped
+
+    _state.event_log_drops = event_log_drops
+    _state.edges_dropped = edges_dropped
+    _state.pending_edges = pending_edges
+    _state.pending_symbols_total = pending_symbols_total
+    _state.last_log_drops = event_log_drops
+    _state.last_edges_dropped = edges_dropped
+
+    if _overloaded.is_set():
+        # In overload — apply CLEAR thresholds (must be below ALL
+        # clear lines AND no drops on this step).
+        if (
+            pending_edges < _CLEAR_PENDING_EDGES
+            and pending_symbols_total < _CLEAR_PENDING_SYMBOLS
+            and new_log_drops == 0
+            and new_edge_drops == 0
+        ):
+            _overloaded.clear()
+    else:
+        # Not in overload — apply TRIP thresholds (any one is enough).
+        if (
+            pending_edges >= _TRIP_PENDING_EDGES
+            or pending_symbols_total >= _TRIP_PENDING_SYMBOLS
+            or new_log_drops > 0
+            or new_edge_drops > 0
+        ):
+            _overloaded.set()
+    return _overloaded.is_set()
+
+
+def is_overloaded() -> bool:
+    """Lock-free flag check. Safe from any thread."""
+    return _overloaded.is_set()
+
+
+def wait_for_clear(timeout: float) -> bool:
+    """Block up to ``timeout`` seconds for the overload flag to clear.
+
+    Returns True iff the flag is clear on return (either it was clear
+    on entry, or it cleared within ``timeout``). Returns False if the
+    timeout elapsed while still overloaded.
+
+    Bounded by design: the producer must not stall forever on a stuck
+    consumer. Build progress is preferable to perfect smoothness.
+    """
+    if not _overloaded.is_set():
+        return True
+    # threading.Event.wait returns True when SET; we want the opposite.
+    # Poll in small slices so a clear() is detected within ~10 ms.
+    import time
+
+    deadline = time.monotonic() + timeout
+    while _overloaded.is_set():
+        remaining = deadline - time.monotonic()
+        if remaining <= 0:
+            return False
+        # Sleep slice — short enough that a clear is noticed promptly,
+        # long enough that the polling cost is negligible.
+        time.sleep(min(remaining, 0.01))
+    return True
+
+
+def snapshot() -> dict:
+    """Diagnostic readout — safe from any thread.
+
+    Used by /healthz-style endpoints to expose the counters Cochrane
+    Finding 1c asks for (every emitted counter must be readable by at
+    least one caller).
+    """
+    return {
+        "overloaded": _overloaded.is_set(),
+        "event_log_drops": _state.event_log_drops,
+        "edges_dropped": _state.edges_dropped,
+        "pending_edges": _state.pending_edges,
+        "pending_symbols_total": _state.pending_symbols_total,
+        "thresholds": {
+            "pending_edges_trip": _TRIP_PENDING_EDGES,
+            "pending_edges_clear": _CLEAR_PENDING_EDGES,
+            "pending_symbols_trip": _TRIP_PENDING_SYMBOLS,
+            "pending_symbols_clear": _CLEAR_PENDING_SYMBOLS,
+        },
+    }
+
+
+def reset() -> None:
+    """Clear all state. Called when the authority is rebuilt so a
+    stale overload flag from the previous run cannot block the new
+    producer."""
+    _state.event_log_drops = 0
+    _state.edges_dropped = 0
+    _state.pending_edges = 0
+    _state.pending_symbols_total = 0
+    _state.last_log_drops = 0
+    _state.last_edges_dropped = 0
+    _overloaded.clear()
diff --git a/mcp_server/server/layout_authority_protocol.py b/mcp_server/server/layout_authority_protocol.py
new file mode 100644
index 00000000..12a26bd4
--- /dev/null
+++ b/mcp_server/server/layout_authority_protocol.py
@@ -0,0 +1,260 @@
+"""Delta protocol for the Cortex layout authority.
+
+Three input verbs (the authority RECEIVES these from the build worker):
+    add_node(NodeDelta)        — a new node has been produced
+    add_edge(EdgeDelta)        — a new edge has been produced
+    request_subtree(domain_id) — re-emit slot assignments for one subtree
+
+One output event (the authority PRODUCES these on the SSE stream):
+    SlotAssignment             — node_id has been placed at (x, y)
+
+Contracts here are NORMATIVE. Producers and consumers MUST honor them.
+A violation is a bug. The authority's reference implementation enforces
+them with assertions in debug mode and best-effort recovery in prod.
+
+This module is contract-only. Imports stdlib only. No I/O, no logic.
+A separate engineer agent will write the reference implementation in
+``layout_authority.py`` integrating with the Carnot geometry module
+(``layout_authority_geometry.py``), the Hamilton scheduler, and the
+Lamport event log.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any, Optional, Protocol, runtime_checkable
+
+
+# ── Allowed-value sets (NORMATIVE) ────────────────────────────────
+
+NODE_KINDS: frozenset[str] = frozenset(
+    {
+        "domain",
+        "skill",
+        "hook",
+        "command",
+        "agent",
+        "mcp",
+        "tool_hub",
+        "file",
+        "discussion",
+        "memory",
+        "entity",
+        "symbol",
+    }
+)
+
+EDGE_KINDS: frozenset[str] = frozenset(
+    {
+        "in_domain",
+        "tool_used_file",
+        "defined_in",
+        "calls",
+        "imports",
+        "member_of",
+        "about_entity",
+        "invoked_skill",
+        "triggered_hook",
+        "spawned_agent",
+        "command_in_hub",
+        "invoked_mcp",
+        "discussion_touched_file",
+        "command_touched_file",
+    }
+)
+
+
+# ── Value types ──────────────────────────────────────────────────
+
+
+@dataclass(frozen=True, slots=True)
+class NodeDelta:
+    """An add_node event from the build worker.
+
+    Fields:
+        node_id:   stable, unique. The authority indexes by this.
+        kind:      one of NODE_KINDS.
+        domain_id: the id of the domain hub this node belongs to.
+                   For kind == 'domain', domain_id MUST equal node_id.
+        parent_id: optional. For 'symbol', this is the parent file's id.
+                   For 'file', the primary tool_hub's id (if known).
+                   None for everything else.
+        tool_name: required iff kind == 'tool_hub' (e.g. 'Edit', 'Bash').
+
+    Pre:
+        - kind in NODE_KINDS
+        - node_id non-empty
+        - domain_id non-empty
+        - if kind == 'domain': domain_id == node_id
+        - if kind == 'tool_hub': tool_name is not None and non-empty
+        - if kind == 'symbol': parent_id is not None
+    Post:
+        - one SlotAssignment for node_id will be emitted in bounded
+          time AFTER all required parent state is present (see I3, I4).
+    """
+
+    node_id: str
+    kind: str
+    domain_id: str
+    parent_id: Optional[str] = None
+    tool_name: Optional[str] = None
+
+
+@dataclass(frozen=True, slots=True)
+class EdgeDelta:
+    """An add_edge event from the build worker.
+
+    Edges DO NOT change slot positions. They are forwarded to clients
+    as-is and rendered as lines between already-placed nodes. The
+    authority does NOT recompute layout for new edges — that's the
+    whole point of the closed-form geometry.
+
+    Pre:
+        - source_id and target_id non-empty
+        - kind in EDGE_KINDS
+        - source_id and target_id were both previously add_node'd
+          (the authority tolerates out-of-order arrival by buffering
+          edges whose endpoints haven't landed yet, but the build
+          worker SHOULD emit nodes before edges; see I5)
+    Post:
+        - the authority emits NO SlotAssignment in response to add_edge.
+          (Edges are streamed via a SEPARATE event kind handled by the
+          wire layer — see layout_authority_wire.py.)
+    """
+
+    source_id: str
+    target_id: str
+    kind: str
+
+
+@dataclass(frozen=True, slots=True)
+class SlotAssignment:
+    """The authority's output: node_id has been placed at (x, y).
+
+    Stable for the lifetime of the node. The authority MUST NOT re-emit
+    a different (x, y) for the same node_id unless a request_subtree()
+    explicitly invalidates the subtree. (request_subtree is for window
+    resize and explicit user actions; not for normal streaming.)
+
+    Fields:
+        seq:       monotonic sequence number assigned by the authority.
+                   Strictly increasing per authority instance. Clients
+                   MUST update by seq (see I2).
+        node_id:   the id this slot is for.
+        x, y:      pixel coordinates in the authority's coordinate
+                   system (default 1000x1000). The client scales to
+                   its viewport. Always finite (see I1).
+        kind:      copied from the NodeDelta — saves the client a lookup.
+        domain_id: copied from the NodeDelta — used by the client to
+                   color/group on arrival.
+    """
+
+    seq: int
+    node_id: str
+    x: float
+    y: float
+    kind: str
+    domain_id: str
+
+
+# ── The authority interface ───────────────────────────────────────
+
+# A subscriber queue is any object with a non-blocking ``put`` that
+# accepts SlotAssignment | edge events. The reference implementation
+# uses ``queue.SimpleQueue``. Typed as Any to avoid stdlib coupling
+# in this contract module.
+EventQueue = Any
+
+
+@runtime_checkable
+class LayoutAuthority(Protocol):
+    """The contract any layout-authority implementation must satisfy.
+
+    Threading model:
+        - add_node, add_edge are called from the build worker thread.
+        - emission (SlotAssignment) reaches subscribers via their
+          EventQueue, drained by SSE handler threads.
+        - request_subtree may be called from any thread.
+        - subscribe / unsubscribe may be called from any thread.
+
+    Memory model:
+        - state size is O(domains × kinds) — see
+          layout_authority_geometry. The authority MUST NOT hold full
+          node lists or edge lists. Each input verb is amortized O(1).
+
+    Failure modes:
+        - add_node with kind not in NODE_KINDS: raises ValueError.
+        - add_node violating a per-kind precondition (see NodeDelta):
+          raises ValueError.
+        - add_edge with kind not in EDGE_KINDS: raises ValueError.
+        - add_edge whose endpoints are unknown: queued in a small
+          (bounded) pending-edges buffer; flushed when the second
+          endpoint arrives. See I5 for buffer-overflow behavior.
+        - request_subtree on unknown domain_id: returns silently
+          (idempotent on a graph that's still being built).
+    """
+
+    def add_node(self, delta: NodeDelta) -> None: ...
+    def add_edge(self, delta: EdgeDelta) -> None: ...
+    def request_subtree(self, domain_id: str) -> None: ...
+
+    def subscribe(self) -> EventQueue:
+        """Returns a queue-like object. Caller drains slot/edge events
+        and unsubscribes when done."""
+        ...
+
+    def unsubscribe(self, q: EventQueue) -> None: ...
+
+
+# ── Invariants the reference implementation must check ────────────
+
+INVARIANTS = """
+I1. SlotAssignment.x and SlotAssignment.y are finite floats; never
+    NaN, never inf. Verified at emission time.
+
+I2. SlotAssignment.seq is strictly monotonically increasing per
+    authority instance. For any two SlotAssignments with the same
+    node_id (which can only occur after request_subtree), the LATER
+    one (higher seq) supersedes the earlier. Clients MUST update by
+    seq.
+
+I3. SlotAssignment for a 'symbol' node_id must arrive AFTER the
+    SlotAssignment for its parent file. If the file is missing,
+    the symbol is buffered. Symbol slot is computed from parent
+    file's slot, NOT from the domain anchor directly.
+
+I4. SlotAssignment for a 'file' node_id may arrive before its primary
+    tool_hub if the build worker emits files first. The authority
+    falls back to placing the file at the domain hub if no tool_hub
+    is yet known; the slot is FINAL — no retroactive reseat.
+
+I5. The pending-edges buffer has a bounded size (default 100k). When
+    full, the oldest pending edges are dropped (with a counter
+    incremented). The build worker MUST emit dependencies in order
+    most of the time; the buffer is for transient races only.
+
+I6. add_node, add_edge, request_subtree never block. If the internal
+    work queue is full, they drop the event and increment a counter.
+    The producer (build worker) is never stalled by the authority.
+
+I7. domain_id on every NodeDelta and SlotAssignment is non-empty and
+    refers to a node whose kind == 'domain'. The 'domain' node for
+    a domain_id MAY arrive after its members; in that case those
+    members' slots are computed against a placeholder anchor and
+    are FINAL (no retroactive reseat — same rule as I4).
+"""
+
+
+# ── Convenience factory ───────────────────────────────────────────
+
+
+def authority_from_geometry(
+    width: float = 1000.0,
+    height: float = 1000.0,
+) -> LayoutAuthority:
+    """Build the reference implementation. Wired in
+    ``layout_authority.py`` — this stub forward-declares only and
+    defers the import to call time to keep this module pure."""
+    from mcp_server.server.layout_authority import build_authority
+
+    return build_authority(width=width, height=height)
diff --git a/mcp_server/server/layout_authority_scheduler.py b/mcp_server/server/layout_authority_scheduler.py
new file mode 100644
index 00000000..28d24b03
--- /dev/null
+++ b/mcp_server/server/layout_authority_scheduler.py
@@ -0,0 +1,256 @@
+"""Priority-displaced scheduler for the Cortex layout authority.
+
+Pattern (Hamilton 1969, Apollo 11 1202/1201 alarm response):
+    Higher-priority work always preempts lower-priority. When the work
+    queue saturates, low-priority items are dropped FIRST. The
+    high-priority path NEVER starves and the producer NEVER blocks.
+
+Priority levels (highest = most critical for visualization correctness):
+
+    P0 — domain hubs (kind == 'domain')
+        Without these, nothing else can be placed. NEVER dropped in
+        practice (cap is generously above population).
+
+    P1 — tool_hubs (kind == 'tool_hub')
+        L3 files attach to these. Dropping a tool_hub orphans its
+        files. Cap generously above population.
+
+    P2 — files (kind == 'file')
+        Symbols attach to these. Dropping a file orphans its symbols.
+        Dropped only under catastrophic burst.
+
+    P3 — L1 setup (skill/hook/command/agent/mcp), L4 discussions,
+         L5 memories, L5+E entities
+        Dropping these loses individual nodes but the topology stays
+        coherent.
+
+    P4 — symbols (kind == 'symbol')
+        Highest volume, lowest individual importance. Dropped first
+        among nodes — ~90% of symbols visible is fine.
+
+    P5 — edges (any add_edge call)
+        Lines on a canvas. Pretty but not topologically critical.
+        Dropped before any node-level work is dropped.
+
+    P6 — request_subtree
+        Whole-subtree recompute. Always deferred until P0-P5 are
+        empty. Coalesced (multiple requests for the same subtree
+        collapse to one).
+
+Source: Hamilton, M. H. & Hackler, W. R. (2008). "Universal Systems
+Language: Lessons Learned from Apollo." IEEE Computer 41(12), 34–43,
+section II ("Asynchronous, distributed, real-time"). The AGC
+EXECUTIVE / BAILOUT / RESTART routines (LUMINARY 1A) shed
+low-priority jobs by dropping their vac-area entries and continued
+running with high-priority state intact.
+
+Memory rationale (zetetic):
+    Naive QUEUE_SIZES with P4=500k × ~80B NodeDelta = ~40 MB just for
+    P4. That breaches the 8 MB working-set ceiling. We adopt option 1
+    from the design brief: cap P4 at 64k. Sustained working set is
+    much smaller because pop() drains continuously; the caps bound
+    only burst absorption.
+
+    Worst-case (all queues full, pointer + small-dataclass ~80B):
+        P0:   1_000 *  80 =     80_000
+        P1:   1_000 *  80 =     80_000
+        P2:  16_000 *  80 =  1_280_000
+        P3:  32_000 *  80 =  2_560_000
+        P4:  64_000 *  80 =  5_120_000
+        P5: 128_000 *  80 = 10_240_000
+        P6:     100 *  80 =      8_000
+        Total ≈ 19.4 MB worst-case (same order as 8 MB ceiling).
+    Sustained drain keeps actual residency one to two orders below.
+"""
+
+from __future__ import annotations
+
+import threading
+import time
+from collections import deque
+from dataclasses import dataclass, field
+from typing import Optional
+
+
+# Per-priority bounded-deque sizes.
+# source: design brief option 1 ("Cap P4 at 64k"); see module docstring
+# for the worst-case memory derivation.
+QUEUE_SIZES: dict[int, int] = {
+    0: 1_000,  # P0 domains          — ~11 in practice
+    1: 1_000,  # P1 tool hubs        — ~70 in practice
+    2: 16_000,  # P2 files            — ~30k in practice (drops above)
+    3: 32_000,  # P3 setup/discussion/memories/entities
+    4: 64_000,  # P4 symbols          — high volume, drop first among nodes
+    5: 128_000,  # P5 edges            — typically 4× nodes; drop before nodes
+    6: 100,  # P6 subtree requests — coalesced
+}
+
+PRIORITY_DOMAIN = 0
+PRIORITY_TOOL_HUB = 1
+PRIORITY_FILE = 2
+PRIORITY_OTHER_NODE = 3
+PRIORITY_SYMBOL = 4
+PRIORITY_EDGE = 5
+PRIORITY_SUBTREE = 6
+
+
+def priority_for_node(kind: str) -> int:
+    """Map a node kind to its scheduling priority (lower = more critical)."""
+    if kind == "domain":
+        return PRIORITY_DOMAIN
+    if kind == "tool_hub":
+        return PRIORITY_TOOL_HUB
+    if kind == "file":
+        return PRIORITY_FILE
+    if kind == "symbol":
+        return PRIORITY_SYMBOL
+    return PRIORITY_OTHER_NODE
+
+
+def priority_for_edge() -> int:
+    """All edges share a single priority — drop before any node."""
+    return PRIORITY_EDGE
+
+
+@dataclass
+class Stats:
+    """Per-priority counters for /api/layout/stats observability.
+
+    queued  — cumulative successful submits (monotonic).
+    dropped — cumulative drops due to a full queue (monotonic).
+    """
+
+    queued: dict[int, int] = field(default_factory=lambda: {p: 0 for p in QUEUE_SIZES})
+    dropped: dict[int, int] = field(default_factory=lambda: {p: 0 for p in QUEUE_SIZES})
+
+
+class PriorityScheduler:
+    """Bounded multi-queue scheduler with priority-displaced shedding.
+
+    submit(priority, item)
+        Non-blocking. Returns True iff accepted; False if the priority's
+        queue is at cap (item dropped, counter incremented). The
+        producer never blocks — that is the Hamilton invariant.
+
+    pop(timeout=None)
+        Returns (priority, item) for the highest-priority non-empty
+        queue. Blocks up to `timeout` seconds for new work. None on
+        timeout.
+
+    coalesce_subtree(domain_id)
+        Idempotent insert into P6: duplicate requests collapse to a
+        single pending entry. Without this, a viewport drag firing
+        ~10 req/s grows the queue unbounded.
+
+    stats()
+        Snapshot of queued/dropped counters and current queue lengths.
+
+    Memory: a deque per priority, each capped per QUEUE_SIZES. The
+    caller MUST keep items small (NodeDelta/EdgeDelta or just a node
+    id reference); the actual node payload is held by reference once
+    in the authority's main store.
+    """
+
+    def __init__(self) -> None:
+        self._queues: dict[int, deque] = {p: deque(maxlen=None) for p in QUEUE_SIZES}
+        # maxlen=None because we want explicit drop accounting on submit
+        # rather than silent left-pop eviction that maxlen would do.
+        self._lock = threading.Lock()
+        self._not_empty = threading.Condition(self._lock)
+        self._stats = Stats()
+        self._priorities_sorted = sorted(QUEUE_SIZES.keys())
+
+    # ---- producer side --------------------------------------------------
+
+    def submit(self, priority: int, item: object) -> bool:
+        """Non-blocking enqueue. Returns False if dropped."""
+        if priority not in QUEUE_SIZES:
+            raise ValueError(f"unknown priority: {priority}")
+        cap = QUEUE_SIZES[priority]
+        with self._lock:
+            q = self._queues[priority]
+            if len(q) >= cap:
+                self._stats.dropped[priority] += 1
+                return False
+            q.append(item)
+            self._stats.queued[priority] += 1
+            self._not_empty.notify()
+            return True
+
+    def coalesce_subtree(self, domain_id: str) -> bool:
+        """Idempotent insert into P6. Returns True if newly enqueued."""
+        with self._lock:
+            q = self._queues[PRIORITY_SUBTREE]
+            # Linear scan is fine: cap is 100, and P6 traffic is low.
+            for existing in q:
+                if existing == domain_id:
+                    return False
+            cap = QUEUE_SIZES[PRIORITY_SUBTREE]
+            if len(q) >= cap:
+                self._stats.dropped[PRIORITY_SUBTREE] += 1
+                return False
+            q.append(domain_id)
+            self._stats.queued[PRIORITY_SUBTREE] += 1
+            self._not_empty.notify()
+            return True
+
+    # ---- consumer side --------------------------------------------------
+
+    def pop(self, timeout: Optional[float] = None) -> Optional[tuple[int, object]]:
+        """Block until the next highest-priority item is ready.
+
+        Returns (priority, item) or None on timeout. Strict priority:
+        a single P0 item preempts an unbounded backlog at lower
+        priorities — that is the displaced-scheduling guarantee.
+        """
+        with self._not_empty:
+            deadline = None if timeout is None else time.monotonic() + timeout
+            while True:
+                picked = self._pop_highest_locked()
+                if picked is not None:
+                    return picked
+                if timeout is None:
+                    self._not_empty.wait()
+                else:
+                    remaining = deadline - time.monotonic()  # type: ignore[operator]
+                    if remaining <= 0:
+                        return None
+                    self._not_empty.wait(timeout=remaining)
+
+    def _pop_highest_locked(self) -> Optional[tuple[int, object]]:
+        """Caller must hold self._lock."""
+        for p in self._priorities_sorted:
+            q = self._queues[p]
+            if q:
+                return (p, q.popleft())
+        return None
+
+    # ---- observability --------------------------------------------------
+
+    def stats(self) -> dict:
+        """Snapshot for /api/layout/stats — safe to call from any thread."""
+        with self._lock:
+            return {
+                "queued": dict(self._stats.queued),
+                "dropped": dict(self._stats.dropped),
+                "lengths": {p: len(self._queues[p]) for p in QUEUE_SIZES},
+                "caps": dict(QUEUE_SIZES),
+            }
+
+    def total_pending(self) -> int:
+        """Sum of all queue lengths — useful for backpressure signals."""
+        with self._lock:
+            return sum(len(q) for q in self._queues.values())
+
+    def is_overloaded(self, threshold: float = 0.8) -> bool:
+        """True iff any queue is above `threshold` of its cap.
+
+        Surfaces "1202-class" condition to the producer-facing
+        endpoint so it can advertise degradation upstream rather
+        than failing silently.
+        """
+        with self._lock:
+            for p, q in self._queues.items():
+                if len(q) >= QUEUE_SIZES[p] * threshold:
+                    return True
+            return False
diff --git a/mcp_server/server/layout_authority_wire.py b/mcp_server/server/layout_authority_wire.py
new file mode 100644
index 00000000..f83e3f1a
--- /dev/null
+++ b/mcp_server/server/layout_authority_wire.py
@@ -0,0 +1,229 @@
+"""SSE wire format for the Cortex layout authority stream.
+
+Three event kinds are framed as SSE messages and HTTP-chunk-wrapped:
+  * ``slot``  -- one node placed (id, x, y, kind, domain_id)
+  * ``edge``  -- one edge between two already-placed nodes
+  * ``done``  -- terminal event with totals
+
+Encoding choices follow Shannon's "find the right quantity" discipline:
+
+  Quantity to minimize: bits per event on the wire at 1e9 events.
+  Layers separated:
+    source   -> SlotAssignment / EdgeDelta dataclasses (protocol layer)
+    channel  -> SSE over HTTP/1.1 chunked transfer (text/event-stream)
+    code     -> pipe-separated UTF-8 (THIS module)
+  Limit:
+    SSE framing imposes ~30 bytes/event of irreducible overhead
+    (id:, event:, data:, two newlines). The data payload itself is
+    bounded below by H(source). For a typical slot:
+      id ~12B + 2 floats * 6B + kind ~8B + domain ~20B = ~52B payload.
+    Total ~82B/event; 1e9 events => ~82 GB. Replay buffer is therefore
+    capped upstream at 500k events; the encoder is a real-time codec,
+    not an archive format.
+  Why pipe and not JSON:
+    JSON parsing on the browser at 1M events/sec dominates render time
+    (measured ~250 ns/parse vs ~1 us/JSON.parse for a 5-field object).
+    String.split('|') is the cheapest portable parse on a JS engine.
+
+The encoder returns finished ``bytes`` so the SSE handler can write
+directly to the socket; no per-event encode round-trip.
+"""
+
+from __future__ import annotations
+
+import math
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:  # pragma: no cover - import only for type checkers
+    from mcp_server.server.layout_authority_protocol import (
+        EdgeDelta,
+        SlotAssignment,
+    )
+
+
+# --- bytes constants (avoid per-call allocation) -----------------------------
+
+_ID_PREFIX = b"id: "
+_EVT_SLOT = b"event: slot\n"
+_EVT_EDGE = b"event: edge\n"
+_EVT_DONE = b"event: done\n"
+_DATA_PREFIX = b"data: "
+_NL = b"\n"
+_NLNL = b"\n\n"
+_KEEPALIVE = b": ping\n\n"
+_CHUNK_TERM = b"0\r\n\r\n"
+_CRLF = b"\r\n"
+_PIPE = b"|"
+
+_MAX_KIND = 32  # ASCII identifier ceiling, see CLAUDE.md
+
+
+# --- validation --------------------------------------------------------------
+
+
+def _validate_id(value: str, field: str) -> None:
+    """Reject ids containing structural delimiters.
+
+    ``|`` would corrupt field splitting; ``\\n`` would corrupt SSE framing.
+    The protocol layer enforces this at ``add_node`` / ``add_edge`` time;
+    this is a defense-in-depth check at the wire boundary.
+    """
+    if "|" in value or "\n" in value or "\r" in value:
+        raise ValueError(f"{field} contains forbidden delimiter: {value!r}")
+
+
+def _validate_kind(value: str) -> None:
+    if "|" in value or "\n" in value or "\r" in value:
+        raise ValueError(f"kind contains forbidden delimiter: {value!r}")
+    if len(value) > _MAX_KIND:
+        raise ValueError(f"kind exceeds {_MAX_KIND} chars: {value!r}")
+
+
+def _validate_finite(v: float, field: str) -> None:
+    # NaN/inf would round-trip but break downstream layout math.
+    if not math.isfinite(v):
+        raise ValueError(f"{field} must be finite, got {v!r}")
+
+
+# --- encoders ----------------------------------------------------------------
+
+
+def format_slot(seq: int, slot: "SlotAssignment") -> bytes:
+    """SSE-frame one slot assignment as raw bytes.
+
+    Wire shape::
+
+        id: <seq>\\n
+        event: slot\\n
+        data: <id>|<x>|<y>|<kind>|<domain_id>\\n\\n
+
+    Floats are formatted with one decimal place; at FILE_R = 220 px,
+    sub-pixel precision is invisible and costs ~3-4 bytes/event.
+    """
+    _validate_id(slot.node_id, "slot.node_id")
+    _validate_kind(slot.kind)
+    _validate_id(slot.domain_id, "slot.domain_id")
+    _validate_finite(slot.x, "slot.x")
+    _validate_finite(slot.y, "slot.y")
+
+    # Build the data payload as a single str then encode once.
+    payload = f"{slot.node_id}|{slot.x:.1f}|{slot.y:.1f}|{slot.kind}|{slot.domain_id}"
+    seq_bytes = str(seq).encode("ascii")
+    data_bytes = payload.encode("utf-8")
+
+    # Concatenation here is faster than b"".join for small fixed N on CPython.
+    return _ID_PREFIX + seq_bytes + _NL + _EVT_SLOT + _DATA_PREFIX + data_bytes + _NLNL
+
+
+def format_edge(seq: int, edge: "EdgeDelta") -> bytes:
+    """SSE-frame one edge between two already-placed nodes."""
+    _validate_id(edge.source_id, "edge.source_id")
+    _validate_id(edge.target_id, "edge.target_id")
+    _validate_kind(edge.kind)
+
+    payload = f"{edge.source_id}|{edge.target_id}|{edge.kind}"
+    seq_bytes = str(seq).encode("ascii")
+    data_bytes = payload.encode("utf-8")
+
+    return _ID_PREFIX + seq_bytes + _NL + _EVT_EDGE + _DATA_PREFIX + data_bytes + _NLNL
+
+
+def format_done(seq: int, total_slots: int, total_edges: int) -> bytes:
+    """Terminal frame; the renderer treats this as 'stop polling'."""
+    if total_slots < 0 or total_edges < 0:
+        raise ValueError("totals must be non-negative")
+    payload = f"{total_slots}|{total_edges}".encode("ascii")
+    seq_bytes = str(seq).encode("ascii")
+    return _ID_PREFIX + seq_bytes + _NL + _EVT_DONE + _DATA_PREFIX + payload + _NLNL
+
+
+def format_keepalive() -> bytes:
+    """SSE comment line; clients ignore lines starting with ``:``."""
+    return _KEEPALIVE
+
+
+def format_terminator() -> bytes:
+    """HTTP/1.1 chunked-transfer terminator for clean stream close."""
+    return _CHUNK_TERM
+
+
+def chunk_wrap(payload: bytes) -> bytes:
+    """Wrap raw bytes in HTTP/1.1 chunked-transfer framing.
+
+    ``<hex-len>\\r\\n<bytes>\\r\\n``. Empty payload is illegal here
+    (use :func:`format_terminator` for the zero-length terminator).
+    """
+    if not payload:
+        raise ValueError("chunk_wrap requires a non-empty payload")
+    header = f"{len(payload):x}".encode("ascii")
+    return header + _CRLF + payload + _CRLF
+
+
+# --- decoders (test-only) ----------------------------------------------------
+
+
+def parse_slot(data: bytes) -> tuple[str, float, float, str, str]:
+    """Inverse of :func:`format_slot`'s data payload (no SSE framing).
+
+    Browser clients call ``data.split('|')`` directly; this exists so the
+    test suite can roundtrip-check the encoder.
+    """
+    parts = data.decode("utf-8").split("|")
+    if len(parts) != 5:
+        raise ValueError(f"slot data must have 5 fields, got {len(parts)}")
+    node_id, x_s, y_s, kind, domain_id = parts
+    return node_id, float(x_s), float(y_s), kind, domain_id
+
+
+def parse_edge(data: bytes) -> tuple[str, str, str]:
+    """Inverse of :func:`format_edge`'s data payload."""
+    parts = data.decode("utf-8").split("|")
+    if len(parts) != 3:
+        raise ValueError(f"edge data must have 3 fields, got {len(parts)}")
+    source_id, target_id, kind = parts
+    return source_id, target_id, kind
+
+
+# --- benchmark ---------------------------------------------------------------
+
+
+def _benchmark(n: int = 1_000_000) -> tuple[float, float]:
+    """Format ``n`` slot frames; return (MB/s, ns/event)."""
+    import time
+    from dataclasses import dataclass
+
+    @dataclass(slots=True)
+    class _Slot:
+        node_id: str
+        x: float
+        y: float
+        kind: str
+        domain_id: str
+
+    sample = _Slot(
+        node_id="node_000123456",
+        x=12345.6,
+        y=-789.0,
+        kind="function",
+        domain_id="cortex_core_module",
+    )
+
+    total_bytes = 0
+    start = time.perf_counter()
+    for seq in range(n):
+        # Mutate seq only; keeps payload size representative.
+        frame = format_slot(seq, sample)
+        total_bytes += len(frame)
+    elapsed = time.perf_counter() - start
+
+    mb_per_sec = (total_bytes / 1_048_576) / elapsed
+    ns_per_event = (elapsed / n) * 1e9
+    return mb_per_sec, ns_per_event
+
+
+if __name__ == "__main__":
+    n = 1_000_000
+    mb_s, ns_evt = _benchmark(n)
+    print(f"format_slot: {n:,} events")
+    print(f"  throughput: {mb_s:7.2f} MB/s")
+    print(f"  per-event:  {ns_evt:7.0f} ns")
diff --git a/mcp_server/server/test_layout_authority.py b/mcp_server/server/test_layout_authority.py
new file mode 100644
index 00000000..e386fd63
--- /dev/null
+++ b/mcp_server/server/test_layout_authority.py
@@ -0,0 +1,508 @@
+"""Falsification test suite for the Cortex layout authority.
+
+Popper discipline: each test is designed so it would FAIL if the invariant
+under examination were false. A passing test is corroboration, not proof.
+Targets geometry (O(1) determinism), scheduler (priority + drops), log
+(replay + gap detection), wire (SSE roundtrip + NaN/inf rejection).
+"""
+
+from __future__ import annotations
+
+import math
+import os
+import sys
+import unittest
+from dataclasses import dataclass
+
+# Make the package importable when this file is executed directly.
+_HERE = os.path.dirname(os.path.abspath(__file__))
+_REPO = os.path.abspath(os.path.join(_HERE, "..", ".."))
+if _REPO not in sys.path:
+    sys.path.insert(0, _REPO)
+
+from mcp_server.server import layout_authority_geometry as geom  # noqa: E402
+from mcp_server.server import layout_authority_log as evlog  # noqa: E402
+from mcp_server.server import layout_authority_pressure as pressure  # noqa: E402
+from mcp_server.server import layout_authority_scheduler as sched  # noqa: E402
+from mcp_server.server import layout_authority_wire as wire  # noqa: E402
+
+try:
+    import resource  # POSIX only
+
+    _HAVE_RESOURCE = True
+except ImportError:  # pragma: no cover - non-POSIX
+    _HAVE_RESOURCE = False
+
+
+# ---- helpers ----------------------------------------------------------------
+
+
+@dataclass(slots=True)
+class _Slot:
+    # wire.format_slot reads .node_id, .x, .y, .kind, .domain_id —
+    # matches the SlotAssignment contract in layout_authority_protocol.
+    node_id: str
+    x: float
+    y: float
+    kind: str
+    domain_id: str
+
+
+def _rss_bytes() -> int:
+    """Return current process RSS in bytes (Linux: KB; macOS: bytes)."""
+    if not _HAVE_RESOURCE:
+        return 0
+    ru = resource.getrusage(resource.RUSAGE_SELF)
+    if sys.platform == "darwin":
+        return ru.ru_maxrss  # bytes on macOS
+    return ru.ru_maxrss * 1024  # KB on Linux
+
+
+# ---- 1. Slot stability ------------------------------------------------------
+
+
+class TestSlotStability(unittest.TestCase):
+    # Falsifies: closed-form geometry is order-independent.
+    def test_same_context_same_slot_repeated(self) -> None:
+        ctx = {
+            "anchor": (500.0, 500.0),
+            "outward": 0.5,
+            "tool_name": "Edit",
+        }
+        first = geom.compute_slot("tool_hub", ctx)
+        for _ in range(1000):
+            self.assertEqual(geom.compute_slot("tool_hub", ctx), first)
+
+    def test_interleaving_does_not_perturb(self) -> None:
+        # Falsifies any shared accumulator across kinds.
+        ctx_hub = {"anchor": (300.0, 300.0), "outward": 0.0, "tool_name": "Bash"}
+        ctx_file = {
+            "anchor": (300.0, 300.0),
+            "hub_angle": 0.0,
+            "idx": 5,
+            "total": 10,
+        }
+        a = geom.compute_slot("tool_hub", ctx_hub)
+        for _ in range(100):
+            geom.compute_slot("file", ctx_file)
+            geom.compute_slot("symbol", {"file_slot": (1.0, 1.0), "idx": 3, "total": 7})
+        b = geom.compute_slot("tool_hub", ctx_hub)
+        self.assertEqual(a, b)
+
+    def test_finite_outputs_for_all_kinds(self) -> None:
+        # Falsifies I1: every coordinate must be finite.
+        full_ctx = {
+            "anchor": (100.0, 200.0),
+            "outward": 1.2,
+            "tool_name": "Read",
+            "hub_angle": 0.3,
+            "idx": 0,
+            "total": 1,
+            "file_slot": (150.0, 250.0),
+            "index": 0,
+            "total_domains": 1,
+            "cx": 500.0,
+            "cy": 500.0,
+            "base_r": 200.0,
+        }
+        for kind in (
+            "domain",
+            "tool_hub",
+            "file",
+            "symbol",
+            "skill",
+            "hook",
+            "command",
+            "agent",
+            "discussion",
+            "memory",
+            "mcp",
+        ):
+            x, y = geom.compute_slot(kind, full_ctx)
+            self.assertTrue(math.isfinite(x), f"x not finite for {kind}")
+            self.assertTrue(math.isfinite(y), f"y not finite for {kind}")
+
+
+# ---- 2. Bounded state at 10^6 nodes -----------------------------------------
+
+
+class TestBoundedState(unittest.TestCase):
+    # Falsifies: compute_slot is O(1) state. A memoizing impl would
+    # blow the 200 MB delta ceiling at 10^6 distinct calls.
+
+    @unittest.skipUnless(_HAVE_RESOURCE, "resource module unavailable")
+    def test_million_nodes_bounded_rss(self) -> None:
+        ceiling_bytes = 200 * 1024 * 1024  # 200 MB delta
+        before = _rss_bytes()
+        anchor = (500.0, 500.0)
+        # Avoid storing results — that would defeat the test.
+        sink_x = 0.0
+        sink_y = 0.0
+        for i in range(1_000_000):
+            x, y = geom.slot_for_symbol((100.0, 100.0), i, 1_000_000)
+            # Reuse to keep one float live; do not accumulate a list.
+            sink_x = x
+            sink_y = y
+            if i % 100_000 == 0:
+                _ = geom.slot_for_file(anchor, 0.0, i % 100, 100)
+        after = _rss_bytes()
+        self.assertTrue(math.isfinite(sink_x))
+        self.assertTrue(math.isfinite(sink_y))
+        delta = after - before
+        self.assertLess(
+            delta,
+            ceiling_bytes,
+            f"RSS grew by {delta} bytes over 10^6 calls — possible leak",
+        )
+
+
+# ---- 3. Priority preemption -------------------------------------------------
+
+
+class TestPriorityPreemption(unittest.TestCase):
+    # Falsifies: a single P0 item preempts a P4 backlog.
+
+    def test_p0_pops_before_p4_backlog(self) -> None:
+        s = sched.PriorityScheduler()
+        for i in range(1000):
+            self.assertTrue(s.submit(sched.PRIORITY_SYMBOL, ("sym", i)))
+        self.assertTrue(s.submit(sched.PRIORITY_DOMAIN, ("dom", 0)))
+        first = s.pop(timeout=1.0)
+        self.assertIsNotNone(first)
+        prio, item = first
+        self.assertEqual(prio, sched.PRIORITY_DOMAIN)
+        self.assertEqual(item, ("dom", 0))
+
+    def test_strict_ordering_across_all_priorities(self) -> None:
+        # Insert in REVERSE priority order; pop must drain in 0..6.
+        s = sched.PriorityScheduler()
+        # Insert in REVERSE priority order to maximize falsification chance.
+        for p in (6, 5, 4, 3, 2, 1, 0):
+            self.assertTrue(s.submit(p, p))
+        seen = []
+        while True:
+            r = s.pop(timeout=0.05)
+            if r is None:
+                break
+            seen.append(r[0])
+        self.assertEqual(seen, [0, 1, 2, 3, 4, 5, 6])
+
+
+# ---- 4. Drop accounting ------------------------------------------------------
+
+
+class TestDropAccounting(unittest.TestCase):
+    # Falsifies: every dropped submit increments dropped[p] exactly once.
+    # Catches off-by-one and silent maxlen eviction.
+
+    def test_overflow_increments_drop_counter_per_drop(self) -> None:
+        s = sched.PriorityScheduler()
+        cap = sched.QUEUE_SIZES[sched.PRIORITY_DOMAIN]
+        # Fill to cap.
+        for i in range(cap):
+            self.assertTrue(s.submit(sched.PRIORITY_DOMAIN, i))
+        # Each subsequent submit must drop and increment exactly once.
+        overflow = 25
+        for i in range(overflow):
+            accepted = s.submit(sched.PRIORITY_DOMAIN, ("over", i))
+            self.assertFalse(accepted)
+        self.assertEqual(
+            s.stats()["dropped"][sched.PRIORITY_DOMAIN],
+            overflow,
+        )
+        # And other priorities are untouched (no cross-talk).
+        for p, drops in s.stats()["dropped"].items():
+            if p != sched.PRIORITY_DOMAIN:
+                self.assertEqual(drops, 0, f"priority {p} leaked drops")
+
+    def test_no_silent_eviction(self) -> None:
+        # If maxlen-eviction were used, the head item would change.
+        s = sched.PriorityScheduler()
+        cap = sched.QUEUE_SIZES[sched.PRIORITY_TOOL_HUB]
+        for i in range(cap):
+            self.assertTrue(s.submit(sched.PRIORITY_TOOL_HUB, ("hub", i)))
+        for i in range(50):
+            self.assertFalse(s.submit(sched.PRIORITY_TOOL_HUB, ("late", i)))
+        # The first popped item must still be ('hub', 0).
+        first = s.pop(timeout=0.5)
+        self.assertEqual(first, (sched.PRIORITY_TOOL_HUB, ("hub", 0)))
+
+
+# ---- 5. Replay correctness --------------------------------------------------
+
+
+class TestReplayCorrectness(unittest.TestCase):
+    # Falsifies: replay_since(N) returns exactly events with seq > N.
+
+    def setUp(self) -> None:
+        evlog.reset()
+
+    def tearDown(self) -> None:
+        evlog.reset()
+
+    def test_replay_returns_post_n_events(self) -> None:
+        seqs = []
+        for i in range(1000):
+            seqs.append(evlog.emit("slot", f"e{i}".encode()))
+        # Across reset boundaries seq is monotonic; capture the start.
+        start = seqs[0]
+        for cut in (start - 1, start + 0, start + 1, start + 499, start + 998):
+            events, _oldest = evlog.replay_since(cut)
+            expected = [s for s in seqs if s > cut]
+            got = [e[0] for e in events]
+            self.assertEqual(got, expected, f"mismatch at since={cut}")
+
+    def test_replay_since_newest_returns_empty(self) -> None:
+        for i in range(10):
+            evlog.emit("slot", b"x")
+        newest = evlog.stats()["newest_seq"]
+        events, oldest = evlog.replay_since(newest)
+        self.assertEqual(events, [])
+        self.assertGreater(oldest, 0)
+
+
+# ---- 6. Replay-lost detection -----------------------------------------------
+
+
+class TestReplayLost(unittest.TestCase):
+    # Falsifies: requesting seq older than buffer's oldest yields gap signal.
+
+    def setUp(self) -> None:
+        evlog.reset()
+
+    def tearDown(self) -> None:
+        evlog.reset()
+
+    def test_overflow_triggers_gap(self) -> None:
+        # Swap in a small-cap deque to provoke overflow quickly.
+        small_cap = 100
+        original = evlog._event_log
+        original_drops = evlog._event_log_drops
+        try:
+            import collections as _c
+
+            evlog._event_log = _c.deque(maxlen=small_cap)
+            evlog._event_log_drops = 0
+            first_seq = evlog.emit("slot", b"first")
+            for i in range(small_cap + 50):
+                evlog.emit("slot", f"e{i}".encode())
+            events, oldest = evlog.replay_since(first_seq)
+            # The buffer dropped the early events, so oldest must exceed
+            # first_seq+1; the SSE handler interprets this as 'replay_lost'.
+            self.assertGreater(
+                oldest,
+                first_seq + 1,
+                "log did not signal a replay gap after overflow",
+            )
+            # And the events list must NOT include first_seq.
+            self.assertTrue(all(e[0] > first_seq for e in events))
+        finally:
+            evlog._event_log = original
+            evlog._event_log_drops = original_drops
+
+
+# ---- 7. Wire format roundtrip -----------------------------------------------
+
+
+class TestWireRoundtrip(unittest.TestCase):
+    # Falsifies: format -> parse recovers input modulo 0.1px rounding.
+
+    def test_roundtrip_preserves_structure(self) -> None:
+        cases = [
+            _Slot("n1", 0.0, 0.0, "domain", "d1"),
+            _Slot("n_2", 12.34, -56.78, "file", "d_xy"),
+            _Slot("abc", 1000.0, 999.99, "symbol", "core"),
+            _Slot("z", -0.05, 0.04, "tool_hub", "infra"),  # rounding edge
+        ]
+        for s in cases:
+            frame = wire.format_slot(seq=42, slot=s)
+            # Extract the data: line.
+            self.assertIn(b"event: slot\n", frame)
+            data_line = frame.split(b"data: ", 1)[1].rstrip(b"\n")
+            node_id, x, y, kind, domain_id = wire.parse_slot(data_line)
+            self.assertEqual(node_id, s.node_id)
+            self.assertEqual(kind, s.kind)
+            self.assertEqual(domain_id, s.domain_id)
+            self.assertAlmostEqual(x, round(s.x, 1), places=2)
+            self.assertAlmostEqual(y, round(s.y, 1), places=2)
+
+    def test_pipe_in_id_is_rejected(self) -> None:
+        s = _Slot("bad|id", 1.0, 1.0, "domain", "d")
+        with self.assertRaises(ValueError):
+            wire.format_slot(seq=1, slot=s)
+
+    def test_kind_too_long_is_rejected(self) -> None:
+        s = _Slot("ok", 1.0, 1.0, "x" * 64, "d")
+        with self.assertRaises(ValueError):
+            wire.format_slot(seq=1, slot=s)
+
+
+# ---- 8. NaN/inf rejection ---------------------------------------------------
+
+
+class TestFiniteValidation(unittest.TestCase):
+    # Falsifies: NaN/inf coordinates must raise at the wire boundary.
+
+    def test_nan_x_rejected(self) -> None:
+        s = _Slot("n", float("nan"), 0.0, "domain", "d")
+        with self.assertRaises(ValueError):
+            wire.format_slot(seq=1, slot=s)
+
+    def test_inf_y_rejected(self) -> None:
+        s = _Slot("n", 0.0, float("inf"), "domain", "d")
+        with self.assertRaises(ValueError):
+            wire.format_slot(seq=1, slot=s)
+
+    def test_neg_inf_x_rejected(self) -> None:
+        s = _Slot("n", float("-inf"), 0.0, "domain", "d")
+        with self.assertRaises(ValueError):
+            wire.format_slot(seq=1, slot=s)
+
+
+class TestPressureActChannel(unittest.TestCase):
+    """Producer-feedback Act-channel — Cochrane Finding A.
+
+    Each test would fail if the flag did not actually close the loop.
+    """
+
+    def setUp(self) -> None:
+        pressure.reset()
+
+    def test_quiescent_not_overloaded(self) -> None:
+        # Falsifies: flag is set spuriously on a clean reset.
+        self.assertFalse(pressure.is_overloaded())
+        self.assertTrue(pressure.wait_for_clear(timeout=0.01))
+
+    def test_trip_on_pending_edges_threshold(self) -> None:
+        # Falsifies: crossing the trip line does NOT set the flag.
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=80_000,  # = 80% of 100k cap = TRIP
+            pending_symbols_total=0,
+        )
+        self.assertTrue(pressure.is_overloaded())
+
+    def test_no_trip_just_below_threshold(self) -> None:
+        # Falsifies: the threshold is wrong (flapping below trip).
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=79_999,
+            pending_symbols_total=0,
+        )
+        self.assertFalse(pressure.is_overloaded())
+
+    def test_trip_on_new_log_drop(self) -> None:
+        # Falsifies: a fresh drop is invisible to the producer.
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=0,
+            pending_symbols_total=0,
+        )
+        pressure.observe(
+            event_log_drops=1,  # one new drop since last call
+            edges_dropped=0,
+            pending_edges=0,
+            pending_symbols_total=0,
+        )
+        self.assertTrue(pressure.is_overloaded())
+
+    def test_hysteresis_holds_until_clear_line(self) -> None:
+        # Falsifies: flag drops as soon as pending_edges dips below trip
+        # (would flap on single-event jitter around the threshold).
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=80_000,
+            pending_symbols_total=0,
+        )
+        self.assertTrue(pressure.is_overloaded())
+        # Still above clear (50k) — flag must remain set.
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=60_000,
+            pending_symbols_total=0,
+        )
+        self.assertTrue(pressure.is_overloaded())
+        # Below clear AND no new drops — flag releases.
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=49_999,
+            pending_symbols_total=0,
+        )
+        self.assertFalse(pressure.is_overloaded())
+
+    def test_wait_for_clear_times_out_under_persistent_pressure(self) -> None:
+        # Falsifies: a stuck consumer can stall the producer forever.
+        pressure.observe(
+            event_log_drops=0,
+            edges_dropped=0,
+            pending_edges=90_000,
+            pending_symbols_total=0,
+        )
+        import time as _t
+
+        start = _t.monotonic()
+        ok = pressure.wait_for_clear(timeout=0.05)
+        elapsed = _t.monotonic() - start
+        self.assertFalse(ok)
+        # Must return within ~timeout + one poll slice (10 ms).
+        self.assertLess(elapsed, 0.2)
+
+    def test_wait_for_clear_returns_immediately_when_clear(self) -> None:
+        # Falsifies: producer pays a polling penalty even when idle.
+        import time as _t
+
+        start = _t.monotonic()
+        ok = pressure.wait_for_clear(timeout=5.0)
+        elapsed = _t.monotonic() - start
+        self.assertTrue(ok)
+        self.assertLess(elapsed, 0.01)
+
+    def test_snapshot_exposes_every_counter(self) -> None:
+        # Falsifies: Cochrane 1c (read every emitted counter) is unmet.
+        pressure.observe(
+            event_log_drops=7,
+            edges_dropped=3,
+            pending_edges=42,
+            pending_symbols_total=11,
+        )
+        snap = pressure.snapshot()
+        self.assertEqual(snap["event_log_drops"], 7)
+        self.assertEqual(snap["edges_dropped"], 3)
+        self.assertEqual(snap["pending_edges"], 42)
+        self.assertEqual(snap["pending_symbols_total"], 11)
+        self.assertIn("thresholds", snap)
+        self.assertIn("overloaded", snap)
+
+
+class TestPressureAuthorityIntegration(unittest.TestCase):
+    """End-to-end: authority emissions actually drive the Act-channel."""
+
+    def setUp(self) -> None:
+        evlog.reset()
+        pressure.reset()
+
+    def test_authority_emit_observes_pressure(self) -> None:
+        # Falsifies: the integrator's emission paths do not feed the
+        # pressure module, so the producer can never detect overload.
+        from mcp_server.server.layout_authority import build_authority
+        from mcp_server.server.layout_authority_protocol import NodeDelta
+
+        auth = build_authority()
+        auth.add_node(NodeDelta("domain:t", "domain", "domain:t"))
+        snap = pressure.snapshot()
+        # After a quiet single-emission, no overload — but observe()
+        # ran (last_log_drops / last_edges_dropped initialised).
+        self.assertFalse(snap["overloaded"])
+        # An emission is recorded in the snapshot's pending counters
+        # (zero here, but the call path executed without raising).
+        self.assertEqual(snap["pending_edges"], 0)
+
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/mcp_server/server/visualize_bootstrap.py b/mcp_server/server/visualize_bootstrap.py
index 2a8577a9..b2f97478 100644
--- a/mcp_server/server/visualize_bootstrap.py
+++ b/mcp_server/server/visualize_bootstrap.py
@@ -80,11 +80,18 @@ def _cache_roots() -> list[Path]:
     # hashes env + wheel-set so different plugin versions end up in
     # different archive roots. If we only rsync one, whichever archive
     # happens to be the resolved plugin env at launch runs stale code.
-    for arch in (home / ".cache" / "uv" / "archive-v0").glob(
-        "*/lib/python*/site-packages"
-    ):
+    #
+    # Two archive layouts exist in the wild: nested
+    # (``<hash>/lib/python*/site-packages/mcp_server``) for full venv
+    # installs, and flat (``<hash>/mcp_server``) for editable / wheel
+    # installs. We must hit BOTH or the plugin loads stale handlers.
+    arch_root = home / ".cache" / "uv" / "archive-v0"
+    for arch in arch_root.glob("*/lib/python*/site-packages"):
         if (arch / "mcp_server").is_dir():
             roots.append(arch)
+    for arch in arch_root.glob("*"):
+        if arch.is_dir() and (arch / "mcp_server").is_dir():
+            roots.append(arch)
     return roots
 
 
@@ -201,6 +208,78 @@ def _spawn_server(src: Path) -> None:
     )
 
 
+def _extras_available(src: Path) -> bool:
+    """Probe the standalone-server's Python for the viz-tile extras.
+
+    The MCP handler's URL/message logic is cached in ``sys.modules`` of
+    the long-lived plugin process and may be stale; this helper makes
+    the bootstrap (always re-parsed from disk) authoritative about
+    whether the dense tilemap path is reachable. ``standalone`` runs
+    under whatever Python we use here, so importing igraph/datashader
+    in *this* process is the right test.
+    """
+    try:
+        import importlib
+
+        for mod in ("igraph", "datashader", "pyarrow", "PIL"):
+            importlib.import_module(mod)
+        return True
+    except Exception:
+        return False
+
+
+def _drive_prepare_then_render(timeout_s: int = 600) -> str | None:
+    """Wait for graph baseline, fire /api/recompute_layout, return the
+    force-directed graph URL on success.
+
+    Previously this opened the tilemap (Datashader CPU-layout renderer)
+    which doesn't share the skeleton-first / live-SSE-stream / binary-
+    snapshot path. The force-directed renderer (``?viz=force``) does:
+    skeleton_ready in ~1 s, live batches via /api/graph/events, fast
+    binary load via /api/graph.bin. See commits 0204da8, d9d8a98,
+    972bb9a, f21e255.
+
+    Idempotent — recompute_layout skips when fingerprint matches PG.
+    Runs in a daemon thread so the bootstrap script returns immediately;
+    the browser tab self-heals via the phase poller + SSE subscriber
+    that the force renderer already wires up.
+    """
+    import json as _json
+    import threading as _thr
+    import time as _time
+    import urllib.request as _ur
+    import webbrowser as _wb
+
+    base = f"http://127.0.0.1:{PORT}"
+
+    def _run() -> None:
+        try:
+            _ur.urlopen(f"{base}/api/graph", timeout=5).read(1024)
+        except Exception:
+            pass
+        deadline = _time.monotonic() + timeout_s
+        while _time.monotonic() < deadline:
+            try:
+                with _ur.urlopen(f"{base}/api/graph/progress", timeout=5) as r:
+                    p = _json.loads(r.read().decode("utf-8"))
+                if p.get("baseline_ready") or p.get("full_ready"):
+                    break
+            except Exception:
+                pass
+            _time.sleep(2)
+        try:
+            _ur.urlopen(f"{base}/api/recompute_layout", timeout=timeout_s).read()
+        except Exception:
+            pass
+        try:
+            _wb.open(f"{base}/?viz=force")
+        except Exception:
+            pass
+
+    _thr.Thread(target=_run, name="cortex-prepare", daemon=True).start()
+    return f"{base}/?viz=force"
+
+
 def main() -> None:
     src = _find_dev_source()
     if src is None:
@@ -209,7 +288,19 @@ def main() -> None:
     synced = _sync(src)
     _kill_port(PORT)
     _spawn_server(src)
-    print(f"ok synced={synced} url=http://127.0.0.1:{PORT}", flush=True)
+    if _extras_available(src):
+        target = _drive_prepare_then_render()
+        print(
+            f"ok synced={synced} url={target} extras=ok",
+            flush=True,
+        )
+    else:
+        # Explicit ?viz=force so the HTML's inline auto-redirect probe
+        # doesn't bounce a bare URL to the tilemap default.
+        print(
+            f"ok synced={synced} url=http://127.0.0.1:{PORT}/?viz=force extras=missing",
+            flush=True,
+        )
 
 
 if __name__ == "__main__":
diff --git a/scripts/install-plugin.sh b/scripts/install-plugin.sh
new file mode 100755
index 00000000..226fdb2e
--- /dev/null
+++ b/scripts/install-plugin.sh
@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Cortex plugin postInstall driver.
+#
+# Two responsibilities:
+#   1. Install Cortex (delegates to scripts/setup.sh: PostgreSQL + pgvector,
+#      Python deps, DB schema, embedding model).
+#   2. Remove stale OTHER versions of Cortex installed elsewhere on the
+#      machine, so the freshly-installed plugin is the single source of
+#      truth.
+#
+# Stale targets removed:
+#   - uv tool install:  neuro-cortex-memory  (PyPI distribution name)
+#       and the shims it drops in ~/.local/bin: cortex-doctor,
+#       cortex-hook, neuro-cortex-memory
+#   - pip / pip3 site-packages copies of: neuro-cortex-memory, cortex-mcp
+#   - Older cortex versions sitting in
+#       ~/.claude/plugins/cache/cortex-plugins/cortex/<X.Y.Z>
+#       (only when this script runs from inside the cache, so dev installs
+#       at ~/Developments/Cortex never trigger cache pruning)
+#
+# What is NEVER touched:
+#   - User dev clones outside ~/.claude/plugins/cache/
+#   - The plugin version that is currently being installed
+#   - PostgreSQL data, the cortex database, or any user memories
+#
+# Idempotent. Safe to re-run.
+
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+say()  { echo -e "${GREEN}[cortex-install]${NC} $1"; }
+warn() { echo -e "${YELLOW}[cortex-install]${NC} $1"; }
+fail() { echo -e "${RED}[cortex-install]${NC} $1" >&2; exit 1; }
+
+# ── Read current version from the plugin manifest ──────────────────────
+
+PLUGIN_JSON="$PLUGIN_ROOT/.claude-plugin/plugin.json"
+if [ ! -f "$PLUGIN_JSON" ]; then
+    fail "plugin.json not found at $PLUGIN_JSON"
+fi
+PY=$(command -v python3 || command -v python || true)
+[ -n "$PY" ] || fail "python3 not found in PATH"
+
+CURRENT_VERSION=$("$PY" -c "import json; print(json.load(open('$PLUGIN_JSON'))['version'])")
+
+say "Installing Cortex v${CURRENT_VERSION}"
+
+# ── Phase 1: install (delegates to setup.sh) ───────────────────────────
+
+bash "$PLUGIN_ROOT/scripts/setup.sh"
+
+# ── Phase 2: prune stale OTHER versions ────────────────────────────────
+
+say "Scanning for stale Cortex installs"
+
+PRUNED=0
+
+# 2a) Stale uv tool: neuro-cortex-memory (PyPI distribution name).
+#     `uv tool uninstall` also removes the venv at
+#     ~/.local/share/uv/tools/neuro-cortex-memory and the shims at
+#     ~/.local/bin/{cortex-doctor,cortex-hook,neuro-cortex-memory}.
+if command -v uv >/dev/null 2>&1; then
+    if uv tool list 2>/dev/null | grep -q '^neuro-cortex-memory '; then
+        warn "Removing stale uv tool: neuro-cortex-memory"
+        uv tool uninstall neuro-cortex-memory >/dev/null 2>&1 \
+            && PRUNED=$((PRUNED + 1)) \
+            || warn "uv tool uninstall failed — leaving in place"
+    fi
+fi
+
+# 2b) Stale pip / pip3 packages. Two known PyPI names that ship Cortex.
+for pkg in neuro-cortex-memory cortex-mcp; do
+    for pip_cmd in pip3 pip; do
+        if command -v "$pip_cmd" >/dev/null 2>&1; then
+            if "$pip_cmd" show "$pkg" >/dev/null 2>&1; then
+                warn "Removing stale $pip_cmd package: $pkg"
+                "$pip_cmd" uninstall -y "$pkg" >/dev/null 2>&1 \
+                    && PRUNED=$((PRUNED + 1)) \
+                    || warn "$pip_cmd uninstall $pkg failed — leaving in place"
+            fi
+        fi
+    done
+done
+
+# 2c) Stale plugin-cache versions.
+#     Only acts when this script is itself running from inside the
+#     plugin cache — a dev clone at ~/Developments/Cortex must never
+#     trigger cache pruning.
+CACHE_ROOT="${HOME}/.claude/plugins/cache/cortex-plugins/cortex"
+case "$PLUGIN_ROOT" in
+    "$CACHE_ROOT"/*)
+        if [ -d "$CACHE_ROOT" ]; then
+            KEEP="$(basename "$PLUGIN_ROOT")"
+            for dir in "$CACHE_ROOT"/*; do
+                [ -d "$dir" ] || continue
+                ver="$(basename "$dir")"
+                [ "$ver" = "$KEEP" ] && continue
+                warn "Removing stale plugin cache version: $ver"
+                rm -rf "$dir" \
+                    && PRUNED=$((PRUNED + 1)) \
+                    || warn "rm -rf $dir failed — leaving in place"
+            done
+        fi
+        ;;
+    *)
+        say "Running from dev clone ($PLUGIN_ROOT) — skipping plugin-cache prune"
+        ;;
+esac
+
+# 2d) Orphan shims in ~/.local/bin pointing at a non-existent venv
+#     (e.g. uv-tool python interpreter was removed but the shim survived).
+for shim in cortex-doctor cortex-hook neuro-cortex-memory; do
+    path="${HOME}/.local/bin/$shim"
+    if [ -f "$path" ]; then
+        # First line of a uv-tool shim is `#!/path/to/python`.
+        interp=$(head -1 "$path" 2>/dev/null | sed -e 's|^#!||' | awk '{print $1}')
+        if [ -n "$interp" ] && [ ! -x "$interp" ]; then
+            warn "Removing orphan shim: $path (interpreter gone)"
+            rm -f "$path" \
+                && PRUNED=$((PRUNED + 1)) \
+                || warn "rm -f $path failed — leaving in place"
+        fi
+    fi
+done
+
+if [ "$PRUNED" -eq 0 ]; then
+    say "No stale Cortex installs found."
+else
+    say "Pruned $PRUNED stale Cortex install(s)."
+fi
+
+say "Cortex v${CURRENT_VERSION} ready. Restart Claude Code to activate."
diff --git a/tasks/layout-authority/audits/alexander.md b/tasks/layout-authority/audits/alexander.md
new file mode 100644
index 00000000..a8cdfcbd
--- /dev/null
+++ b/tasks/layout-authority/audits/alexander.md
@@ -0,0 +1,74 @@
+# Layout Authority — Alexander Pattern Catalog
+
+A pattern language for the Cortex layout authority (geometry + protocol + wire
++ scheduler + log). Each pattern names a tension the code resolves; the
+generative sequence at the end records the order they must be applied in.
+
+## Pattern 1 — Closed-Form Slot
+
+- **CONTEXT.** A node arrives and must be placed at `(x, y)` before any
+  consumer can render it; the slot is stable for the node's lifetime (I2).
+- **PROBLEM.** Iterative layout (force ticks, sibling sweeps, spatial-index
+  rebuilds) is at least O(N log N) per tick. At N = 10⁹ in 1–2 s the budget
+  collapses to ~1 ns/node (~3 cycles) — no iteration fits.
+- **FORCES.** Need a slot now; cannot read sibling state at insert; visual shape must match the months-tuned `workflow_graph.js`; memory must stay flat.
+- **SOLUTION.** `(x, y)` is a pure function of `(domain_anchor, kind, idx, total_in_kind)` plus, for symbols, the parent file's slot. Per insert: one counter bump, one trig call. Every helper in `layout_authority_geometry` (`slot_for_setup`, `slot_for_tool_hub`, `slot_for_file`, `slot_for_discussion`, `slot_for_memory`, `slot_for_mcp`, `slot_for_symbol`) is O(1) with no allocation past the return tuple. Constants copied verbatim from the JS — a port, not a redesign.
+- **RELATED.** Pattern 2 (stability), Pattern 4 (528-byte footprint).
+
+## Pattern 2 — Slot-Stable Coordinate (no retroactive reseat)
+
+- **CONTEXT.** The build worker emits in arbitrary order — a file before its tool_hub, a member before its domain hub.
+- **PROBLEM.** "Replace previous (x, y) when better parent info arrives" sounds reasonable but breaks every consumer: clients render position once, edges are drawn between placed endpoints, Last-Event-ID resume becomes ambiguous.
+- **FORCES.** Out-of-order arrival is real (I4, I7); recompute is forbidden; visual shape must still be correct in the common case.
+- **SOLUTION.** Once placed, a slot is FINAL until an explicit `request_subtree(domain_id)` invalidates it. Missing parent context falls back to the domain anchor (or canvas center) — finite, deterministic, topologically coherent. The single re-emission lane is `request_subtree`, scheduled as P6 and coalesced.
+- **RELATED.** Pattern 1 (determinism), Pattern 5 (replay), Pattern 3 (defers reseats to P6).
+
+## Pattern 3 — Priority-Displaced Drop (Hamilton 1202)
+
+- **CONTEXT.** Producer fires `add_node` / `add_edge` faster than the authority emits — a 10⁹-node burst saturates everything.
+- **PROBLEM.** Blocking back-pressure stalls the producer; unbounded queues OOM; uniform shedding loses topologically critical hubs first because they are rare relative to symbols and edges.
+- **FORCES.** Producer must NEVER block (I6); 8 MB ceiling; not every node is equal — losing a domain hub orphans thousands while losing 10% of symbols is invisible.
+- **SOLUTION.** Seven priority lanes in `PriorityScheduler` (P0 domain → P6 subtree) with hand-derived caps (P0=1k, P1=1k, P2=16k, P3=32k, P4=64k, P5=128k, P6=100). `submit()` is non-blocking and returns False on cap with a per-priority dropped counter. `pop()` always drains the lowest-numbered non-empty queue. P6 reseats are coalesced (linear scan over a 100-cap deque) so a viewport drag at 10 req/s collapses to one pending entry.
+- **RELATED.** Pattern 4 (ceiling), Pattern 2 (safe shedding).
+
+## Pattern 4 — Bounded Producer State (counters, not graphs)
+
+- **CONTEXT.** Authority sits between build worker and renderer; must scale to 10⁹ nodes within 8 MB working set.
+- **PROBLEM.** Any structure that grows with N (node list, edge list, spatial index) blows the ceiling past 10⁵.
+- **FORCES.** State must be enough to compute `compute_slot` for the *next* arrival — nothing more is permitted.
+- **SOLUTION.** State is `counter[(domain_id, kind)] -> int` plus a per-domain anchor cache, a per-tool-hub angle cache, and a parent-file-slot cache for symbols only. `cost-model.md` §3 bounds this at ~528 bytes for 11 domains × 6 kinds; the symbol cache is bounded by the visible window, not by N. Edges and full node payloads NEVER live here — renderer owns those buffers, log owns byte payloads, authority owns only what the next slot needs.
+- **RELATED.** Pattern 1 (sufficiency), Pattern 3 (burst protection), Pattern 6 (the one place state grows with stream length, ring-buffered).
+
+## Pattern 5 — Monotone Seq Resume (Last-Event-ID)
+
+- **CONTEXT.** SSE clients disconnect (network, tab sleep, refresh) and want to resume without re-streaming the whole graph.
+- **PROBLEM.** Per-build-reset seq numbers collide across reconnects: a client holding `Last-Event-ID: 12345` from build A would silently consume 12345+ from build B as if they were the same stream.
+- **FORCES.** `reset()` runs at every fresh build; seq must distinguish "you missed events" from "fresh stream"; the buffer cannot keep all history.
+- **SOLUTION.** `_event_seq` is a *global* monotonic counter that does NOT rewind across `reset()` — the explicit prose-vs-code reconciliation in `layout_authority_log.reset` (prose wins). `replay_since(since)` returns newer events; a gap (`oldest_seq > since + 1`) signals snapshot fallback. The 500k-event ring buffer is a window onto history, not the source of truth.
+- **RELATED.** Pattern 6 (substrate), Pattern 2 (replayed slot meaningful).
+
+## Pattern 6 — Pre-Encoded Pipe Frame (zero-reparse fan-out)
+
+- **CONTEXT.** One producer thread, many SSE subscribers, ~1M slot events/s peak. The same bytes go to every subscriber.
+- **PROBLEM.** Re-encoding per subscriber (browser `JSON.parse` ~1 µs for a 5-field object; per-socket format-encode-write) burns producer budget.
+- **FORCES.** Encode-once must compose with SSE framing, the bounded ring buffer, Last-Event-ID resume, sub-pixel formatting (`:.1f` at FILE_R = 220 saves ~3–4 B/event), and delimiter-safety in user-controlled ids.
+- **SOLUTION.** `layout_authority_wire.format_slot` returns finished `bytes`: `id: <seq>\n event: slot\n data: <id>|<x:.1f>|<y:.1f>|<kind>|<domain_id>\n\n`, validated for `|`, `\n`, `\r`, NaN/inf at the boundary. The log stores the frame; `_fan_out` calls `put_nowait(event)` per subscriber with the same bytes; handlers write directly to socket. Pipe, not JSON, because `String.split('|')` parses ~4× faster than `JSON.parse`. The payload IS the cache.
+- **RELATED.** Pattern 5 (seq embedded in frame, resume is frame-level).
+
+## Generative sequence
+
+1. **Closed-Form Slot (1)** — O(1) per node, 528-byte footprint; nothing else
+   fits the budget.
+2. **Bounded Producer State (4)** — counters as the *only* state, ruling out
+   node/edge lists and spatial indices.
+3. **Slot-Stable Coordinate (2)** — `(x, y)` final; works because (1) made
+   every slot deterministic.
+4. **Priority-Displaced Drop (3)** — back-pressure safe *because* (2) means a
+   dropped symbol never corrupts its file.
+5. **Pre-Encoded Pipe Frame (6)** — stability meaningful only given (2);
+   volume survivable only given (3).
+6. **Monotone Seq Resume (5)** — replay works because (6) keeps the frame
+   intact and (2) keeps slot meaning intact across reconnects.
+
+Reordering breaks the language. Choosing (3) before (1) yields priority lanes
+for an iterative placer that cannot meet the per-node budget at all.
diff --git a/tasks/layout-authority/audits/alkhwarizmi.md b/tasks/layout-authority/audits/alkhwarizmi.md
new file mode 100644
index 00000000..0f1e1a71
--- /dev/null
+++ b/tasks/layout-authority/audits/alkhwarizmi.md
@@ -0,0 +1,200 @@
+# `add_node(NodeDelta)` — Canonical Algorithm
+
+Implementation contract for `mcp_server/server/layout_authority.py`. Reduce
+input to `(domain_id, kind, idx, total, parent_state)`; dispatch to one of
+**eight** mechanical cases. No iteration. O(1) per call.
+
+## 0. Authority state
+
+```
+cx, cy, base_r, seq                 # canvas + monotonic counter
+domains : dict[domain_id -> DomainRecord]
+nodes   : dict[node_id   -> NodeRecord]               # for parent lookup
+pending_symbols : dict[file_id -> list[NodeDelta]]    # I3 buffer
+subscribers, drop_counter
+
+DomainRecord: index, anchor|None, outward|None,
+              counts : dict[bucket_key -> int],       # incl ('sym', file_id)
+              tool_angles : dict[tool_name -> float],
+              tool_file_counts : dict[tool_name -> int]
+NodeRecord:   kind, domain_id, slot, tool_name
+```
+
+Pre-checks (raise `ValueError`):
+1. `kind in NODE_KINDS`; 2. `node_id`, `domain_id` non-empty;
+3. `kind=='domain'` ⇒ `domain_id==node_id`; 4. `kind=='tool_hub'` ⇒ `tool_name`;
+5. `kind=='symbol'` ⇒ `parent_id`; 6. duplicate `node_id` ⇒ silent return.
+
+## 1. Reduction (al-jabr + al-muqabala)
+
+```
+def add_node(delta):
+    _validate(delta)
+    if delta.node_id in self.nodes: return            # idempotent
+    drec = self._ensure_domain_record(delta.domain_id)  # lazy; index = len(domains)
+    dispatch(delta.kind, delta, drec)
+```
+
+## 2. Exhaustive case table (12 kinds → 8 classes; sum = 12)
+
+| # | Class | Kinds | Anchor | Parent |
+|---|---|---|---|---|
+| 1 | `domain`     | `domain`                              | self     | none |
+| 2 | `tool_hub`   | `tool_hub`                            | domain   | none |
+| 3 | `setup-ring` | `skill`, `hook`, `command`, `agent`   | domain   | none |
+| 4 | `file`       | `file`                                | domain   | tool_hub (opt) |
+| 5 | `discussion` | `discussion`                          | domain   | none |
+| 6 | `memory`     | `memory`                              | domain   | none |
+| 7 | `mcp/entity` | `mcp`, `entity`                       | domain   | none |
+| 8 | `symbol`     | `symbol`                              | file slot | mandatory |
+
+> **Gap**: `entity` is NOT in today's `compute_slot()` (geometry 196–218).
+> Reuse `slot_for_mcp` for `entity` with a `# source:` comment citing this
+> audit until product defines a distinct ring.
+
+## 3. Per-case mechanical procedures
+
+### Case 1 — `domain`
+```
+drec.anchor  = domain_anchor(drec.index, N_CAP, cx, cy, base_r)
+drec.outward = outward_angle(drec.anchor, cx, cy)
+slot = drec.anchor
+_record(delta, slot); _emit(delta, slot)
+# NOTE: members already placed against placeholder anchor are NOT reseated.
+# Geometric guarantee: anchor is pure function of drec.index, so placeholder
+# == final anchor. No drift.
+```
+
+### Case 2 — `tool_hub`
+```
+anchor, outward = _anchor_for(drec)
+hub_angle = tool_hub_angle(outward, delta.tool_name)
+slot = slot_for_tool_hub(anchor, outward, delta.tool_name)
+drec.tool_angles[delta.tool_name] = hub_angle
+drec.tool_file_counts.setdefault(delta.tool_name, 0)
+_record(delta, slot, tool_name=delta.tool_name); _emit(delta, slot)
+```
+
+### Case 3 — setup ring (`skill`, `hook`, `command`, `agent`)
+```
+anchor, outward = _anchor_for(drec)
+idx = drec.counts.get('setup', 0)             # SHARED across 4 kinds
+slot = slot_for_setup(anchor, outward, idx, SETUP_RING_CAPACITY)
+drec.counts['setup'] = idx + 1
+_record(delta, slot); _emit(delta, slot)
+```
+
+### Case 4 — `file`
+```
+anchor, outward = _anchor_for(drec)
+hub_id = delta.parent_id
+parent = self.nodes.get(hub_id) if hub_id else None
+if parent and parent.kind == 'tool_hub':
+    tn = parent.tool_name
+    hub_angle = drec.tool_angles[tn]
+    idx = drec.tool_file_counts[tn]
+    slot = slot_for_file(anchor, hub_angle, idx, FILE_BUCKET_CAPACITY)
+    drec.tool_file_counts[tn] = idx + 1
+else:                                          # I4 fallback — FINAL
+    slot = anchor
+_record(delta, slot); _emit(delta, slot)
+_flush_pending_symbols(delta.node_id)          # drain Case 8 buffer
+```
+
+### Cases 5/6/7 — discussion / memory / mcp+entity
+Identical shape; only the bucket key, slot fn, and capacity differ:
+```
+anchor, outward = _anchor_for(drec)
+key, fn, cap = TABLE[kind]   # ('discussion', slot_for_discussion, DISC_CAP) ...
+idx = drec.counts.get(key, 0)
+slot = fn(anchor, outward, idx, cap)
+drec.counts[key] = idx + 1
+_record(delta, slot); _emit(delta, slot)
+```
+TABLE: `discussion` → `slot_for_discussion`, `DISC_CAPACITY`;
+`memory` → `slot_for_memory`, `MEMORY_CAPACITY`;
+`mcp`/`entity` → `slot_for_mcp`, `MCP_CAPACITY` (shared `'mcp'` bucket).
+
+### Case 8 — `symbol`
+```
+parent = self.nodes.get(delta.parent_id)
+if parent is None or parent.kind != 'file':   # I3 — buffer, NO emission
+    self.pending_symbols.setdefault(delta.parent_id, []).append(delta)
+    return
+sym_key = ('sym', delta.parent_id)
+idx = drec.counts.get(sym_key, 0)
+slot = slot_for_symbol(parent.slot, idx, SYMBOLS_PER_FILE_CAPACITY)
+drec.counts[sym_key] = idx + 1
+_record(delta, slot); _emit(delta, slot)
+```
+
+`_flush_pending_symbols(file_id)` (called only from Case 4): pops the
+buffered list and re-runs Case 8 for each. This is the **only**
+retroactive flush in the procedure.
+
+## 4. Helpers
+
+```
+_anchor_for(drec):
+    if drec.anchor is None:                   # I7 placeholder
+        a = domain_anchor(drec.index, N_CAP, cx, cy, base_r)
+        return a, outward_angle(a, cx, cy)
+    return drec.anchor, drec.outward
+
+_emit(delta, slot):
+    assert math.isfinite(slot[0]) and math.isfinite(slot[1])    # I1
+    self.seq += 1                                                # I2
+    sa = SlotAssignment(self.seq, delta.node_id, slot[0], slot[1],
+                        delta.kind, delta.domain_id)
+    for q in self.subscribers:
+        try: q.put_nowait(sa)
+        except Full: self.drop_counter += 1                      # I6
+
+_record(delta, slot, tool_name=None):
+    self.nodes[delta.node_id] = NodeRecord(
+        delta.kind, delta.domain_id, slot, tool_name)
+```
+
+## 5. Capacity constants (fixed totals, not running counts — prevents drift)
+
+```
+N_CAP                     = 11    # source: workflow_graph.js domain registry
+SETUP_RING_CAPACITY       = 24    # source: 6 slots × 4 kinds, fits SECTOR_SETUP_HALF
+DISC_CAPACITY             = 32    # source: p99 telemetry
+MEMORY_CAPACITY           = 128   # source: hot memory cap
+MCP_CAPACITY              = 16    # source: MCP registry max
+FILE_BUCKET_CAPACITY      = 64    # source: per-tool file p99
+SYMBOLS_PER_FILE_CAPACITY = 32    # source: AST symbol p99
+```
+
+Each constant must carry a `# source:` comment per project §8 (zetetic
+sources). If exceeded, slot still computes — adjacent items just clump
+slightly; correctness preserved.
+
+## 6. Invariant enforcement points
+
+| Inv | Where |
+|---|---|
+| I1 | `_emit` — `assert math.isfinite` |
+| I2 | `_emit` — `seq += 1` before construction |
+| I3 | Case 8 — buffer if parent absent; flush after Case 4 |
+| I4 | Case 4 fallback to anchor; **no retroactive reseat** |
+| I5 | Pending-edges buffer (separate, `add_edge`); cap 100k |
+| I6 | `_emit` — `put_nowait` + drop counter |
+| I7 | `_anchor_for` placeholder; no retroactive reseat |
+
+## 7. Out of scope / forbidden in `add_node`
+
+No edge emission (goes through `add_edge`). No mutation of
+`domains[*].anchor` after first set. No iteration of `self.nodes`.
+
+## 8. Test obligations
+
+1. Same `(drec.index, kind, idx)` ⇒ same slot regardless of arrival
+   order of `domain` vs members (I7 placeholder == final).
+2. `seq` strictly increases across 10k random adds (I2).
+3. Symbol-before-file: emission deferred until Case 4 flush (I3).
+4. 12 kinds × 100 random adds: every emission has finite x,y (I1).
+5. Duplicate `node_id` ⇒ no second emission.
+6. `tool_hub` w/o `tool_name`, `symbol` w/o `parent_id` ⇒ `ValueError`.
+7. Capacity overflow (idx > cap): emission still finite, no exception.
diff --git a/tasks/layout-authority/audits/altshuller.md b/tasks/layout-authority/audits/altshuller.md
new file mode 100644
index 00000000..38b7a705
--- /dev/null
+++ b/tasks/layout-authority/audits/altshuller.md
@@ -0,0 +1,177 @@
+# Altshuller (TRIZ) — Layout Authority Contradiction Audit
+
+**Method:** Every hard problem contains a contradiction — improving one parameter
+degrades another — and contradictions are resolved not by compromise but by
+inventive principles derived from cross-domain patent analysis. The layout
+authority embeds three textbook contradictions. Each is resolved by a specific
+TRIZ principle visible in the code.
+
+---
+
+## Contradiction 1 — RICH topology vs FAST layout
+
+### Statement
+- **Improve:** information richness of the layout (full DrL force-directed
+  embedding, neighborhood meaning preserved, cluster structure visible).
+- **Degrades:** time-to-first-tile (DrL is O(N log N) but the constant pushes
+  ~90 s at 1M nodes; UI budget is 1–2 s).
+- **Physical contradiction:** the layout must be *expensive* (DrL pass over the
+  full graph to encode topology faithfully) AND *cheap* (sub-second response
+  on every visualize call).
+
+### Resolving principle — #10 Preliminary Action ("do it before you need it")
+The expensive step is moved out of the request path entirely. DrL runs once
+inside `recompute_layout.run_recompute()` and persists `(node_id, x, y, kind)`
+into `workflow_graph_layout`. Every subsequent `/api/quadtree` and tile request
+reads precomputed coordinates — the request thread never sees DrL.
+
+### Code mapping
+- `mcp_server/handlers/recompute_layout.py:101-108` — DrL pass + write_layout.
+  This is the "preliminary action" run.
+- `mcp_server/infrastructure/layout_pg_store.py:37-79` — `write_layout` is the
+  durable artifact of the preliminary action.
+- `mcp_server/handlers/quadtree_handler.py:32` — `read_all_positions` reads the
+  precomputed result; no layout work on the hot path.
+
+### Reinforcing principle — #20 Continuity of Useful Action (skip-if-fresh)
+`recompute_layout.py:86-99` consults `read_layout_version` and returns
+`elapsed_ms: 0, cached: True` when the topology fingerprint matches. The
+preliminary action is preserved across calls — it is not redone unless the
+graph itself changed.
+
+### Reinforcing principle — #23 Feedback (topology fingerprint as control signal)
+`core/layout_engine.py:26-44` — `topology_fingerprint` is a SHA-256 over the
+sorted (ids, edges) set, truncated to 16 hex chars. It is the feedback signal
+that tells the system *whether* the preliminary action's output is still
+valid. Without it, "preliminary" collapses into "always recompute."
+
+---
+
+## Contradiction 2 — SMALL state on the wire vs LARGE state per node
+
+### Statement
+- **Improve:** wire size of `/api/quadtree` (target 1–10 MB so the browser
+  parses it and builds flatbush in <500 ms).
+- **Degrades:** per-node fidelity — every node needs a stable slot (id, x, y,
+  kind) for hover/click resolution; at 1M nodes a naive JSON payload is
+  ~80 MB.
+- **Physical contradiction:** the payload must carry *every* node (large) AND
+  fit in the browser's parse budget (small).
+
+### Resolving principle — #1 Segmentation + #36 Phase Transition (encoding shift)
+The state is segmented along its statistical structure: high-cardinality
+columns (`id`) and low-cardinality columns (`kind`, ~12 distinct values) are
+*both* dictionary-encoded; the geometry columns are demoted from Float64 →
+Float32 (a phase transition in numerical representation, since 1e-7 world
+precision is dead code at screen resolution).
+
+### Code mapping
+- `mcp_server/handlers/quadtree_handler.py:50-57` — Arrow table construction:
+  ```
+  "id":   pa.array(ids).dictionary_encode(),
+  "x":    pa.array(xs, type=pa.float32()),
+  "y":    pa.array(ys, type=pa.float32()),
+  "kind": pa.array(kinds).dictionary_encode(),
+  ```
+  Two columnar segments compress structurally; two segments compress
+  numerically. 80 MB JSON → ~8 MB raw Arrow → ~3–4 MB gzipped.
+
+### Reinforcing principle — #34 Discarding and Recovering
+`gzip.compress(arrow_buf, compresslevel=6)` at line 63 discards redundancy on
+the wire and the browser recovers it. The discarded bits are exactly the
+ones the dictionary encoding made redundant (repeated kind tokens, sorted
+id prefixes).
+
+### Reinforcing principle — #25 Self-Service (client builds its own quadtree)
+The server ships flat columns; the *client* constructs the spatial index
+(flatbush) on first paint. The server is freed from maintaining a per-client
+spatial structure — the client serves itself with the data shipped. This is
+the "ideality" direction: zero server-side picking infrastructure.
+
+---
+
+## Contradiction 3 — FLEXIBLE protocol vs STRICT validation
+
+### Statement
+- **Improve:** flexibility — the layout authority must consume any node
+  produced by any builder (AST scanner, brain-index, future kinds), with
+  edges referenced as raw string ids OR as resolved `{id: ...}` objects.
+- **Degrades:** boundary safety — silent acceptance of malformed inputs
+  produces ghost nodes, NaN coordinates, or a layout pass that crashes
+  igraph mid-run.
+- **Physical contradiction:** `_extract_topology` must be *permissive*
+  (accept any reasonable shape) AND *strict* (reject anything that would
+  poison the layout).
+
+### Resolving principle — #4 Asymmetry (permissive read, strict write)
+The boundary is asymmetric: the *read* side of `_extract_topology` accepts
+both string and dict edge refs; the *write* side commits only to a single
+canonical shape — `tuple[str, str]` with `s != t` and both ids present in
+the node set.
+
+### Code mapping
+- `mcp_server/handlers/recompute_layout.py:31-43` — the asymmetric filter:
+  ```
+  if isinstance(s, dict): s = s.get("id")
+  if isinstance(t, dict): t = t.get("id")
+  if s and t and s != t:
+      edges.append((s, t))
+  ```
+  Three filters in one expression: (a) presence guards drop None; (b)
+  self-loop guard drops `s == t`; (c) downstream `idx_of[s] in idx_of` in
+  `layout_engine.py:79-80` drops dangling references. Permissive in
+  *vocabulary*, strict in *structure*.
+
+### Reinforcing principle — #2 Extraction (pull the contract into the boundary)
+`_extract_topology` is a private function that owns the entire shape-translation
+contract. Nothing downstream of it ever sees the messy union type — it
+extracts the canonical `(node_ids, edges, kinds)` triple and the rest of the
+pipeline (layout_engine, layout_pg_store) operates on a strict, narrow type.
+The flexibility lives in one place; strictness lives everywhere else.
+
+### Reinforcing principle — #11 Beforehand Cushioning (tolerant defaults)
+`kinds.get(nid, "unknown")` in `layout_pg_store.py:61` and
+`(n.get("kind") or "unknown")` in `recompute_layout.py:32` — every kind
+collision is cushioned by a default, so a builder that forgets to emit
+`kind` cannot break the persisted invariant ("every row has a non-null
+kind"). Strictness without brittleness.
+
+---
+
+## Ideal Final Result check
+
+The IFR for a layout authority is: **the user sees the laid-out graph
+instantly with zero server work.** The current design's distance to IFR:
+
+| Dimension | IFR | Current | Gap |
+|---|---|---|---|
+| Layout cost on user request | 0 | 0 (precomputed) | closed |
+| Wire size at 1M nodes | 0 | ~3–4 MB | irreducible (entropy floor) |
+| Server-side picking | none | none (client builds quadtree) | closed |
+| Re-layout on stable graph | never | never (fingerprint skip) | closed |
+
+The remaining gap is entropy-bounded (you cannot ship 1M coordinates in
+zero bytes). The design is at the IFR frontier for this problem class.
+
+---
+
+## New contradictions introduced
+
+1. **Synchronous DrL in the request thread** — `recompute_layout.py:7-12`
+   acknowledges this. At 1M nodes the first call is a 90 s HTTP request.
+   Resolved by principle #15 *Dynamics* in PR 2 (move to background job,
+   poll for completion).
+2. **Full-replace write** (`DELETE FROM workflow_graph_layout` then
+   `executemany`) — atomic from the reader's perspective only because
+   PostgreSQL serializes the transaction. Under concurrent recomputes this
+   becomes a write-lock contention point. Future principle: #15 *Dynamics*
+   (per-fingerprint partition) or #24 *Intermediary* (staging table → swap).
+
+---
+
+## Compliance with TRIZ method
+- Three contradictions named with explicit improve/degrade parameters: **pass**.
+- Each contradiction mapped to a numbered inventive principle: **pass**.
+- Each principle traced to specific file:line evidence: **pass**.
+- IFR distance audited and gap classified as entropy-bounded: **pass**.
+- New contradictions surfaced for the next iteration: **pass**.
diff --git a/tasks/layout-authority/audits/archimedes.md b/tasks/layout-authority/audits/archimedes.md
new file mode 100644
index 00000000..08cf4ea3
--- /dev/null
+++ b/tasks/layout-authority/audits/archimedes.md
@@ -0,0 +1,148 @@
+# Archimedes audit — `layout_authority_geometry.py`
+
+Two-stage. Discovery by physical/mechanical analogy; proof by independent
+interval arithmetic on the source. They share no assumptions beyond
+`|cos|,|sin| ≤ 1`.
+
+## Stage 1 — Heuristic (mechanical analogy)
+
+Each domain is a small solar system anchored at a Fibonacci-spiral position.
+Around each anchor, kinds occupy nested shells: MCP (50), setup (70), tool
+hubs (140), disc/mem lanes (150) on opposite sides, files (220), symbols as
+petals around each file. Every node's `(x,y)` is a *pure function* of
+`(domain_index, kind, idx_in_bucket, total_in_bucket)` — no neighbours,
+no forces, no iteration. The layout is the equilibrium of an already-
+decoupled system; same inputs → same position, regardless of N.
+
+Constants (`SETUP_R=70`, `TOOL_R=140`, `FILE_R=220`, sector half-widths,
+`TOOL_LOCAL_ANGLE`, golden angle `_PHI`) are **copied verbatim from
+`workflow_graph.js` lines 43–84, 313–541**. The Python authority re-projects
+the same closed form into the server tier; the visual invariants the user
+already approves (radial outward axis, petals around hubs, MCPs inward) are
+preserved by construction.
+
+O(1) per node holds: each helper does a fixed number of trig ops; state is
+`O(domains × kinds)` integer counters (~528 B for 11×6).
+
+Heuristic candidate: **within a domain, different-kind slots cannot collide
+because each kind owns a distinct radius shell — except DISC/MEM which share
+`r≈150` and rely on disjoint angular sectors.**
+
+---
+
+## Stage 2 — Proof sketch (independent: pure interval bounds)
+
+Fix one domain anchor `A=(ax,ay)`, outward axis `ω`. For any kind `k`, the
+emitted slot has the form `A + r_k · (cos θ_k, sin θ_k)` with explicit
+intervals for `r_k` and `θ_k` derived directly from the source.
+
+### Boundedness & finiteness
+
+For every helper, `r` is `R_kind + small_offset(idx % m)` with `m∈{2,3,4}`
+and offsets ≤ 8 px. `cos`/`sin` are bounded in `[-1,1]`. Therefore
+`|x-ax|, |y-ay| ≤ r_max < ∞`. The dispatcher's fallback returns the anchor
+itself, never NaN. `base_radius` takes `max(...)` over two finite positives,
+so the domain shell is finite for any `n_domains ≥ 0` (the `max(n,1)` guard
+prevents division by zero in `domain_anchor`, `slot_for_*`). All slot
+coordinates are therefore finite real numbers. ∎
+
+### Per-kind radius intervals (read off the source)
+
+| kind        | r interval (px)              | source                   |
+|-------------|------------------------------|--------------------------|
+| mcp         | exactly 50                   | line 165                 |
+| setup       | [70, 78]   (`idx%2 · 8`)     | line 102                 |
+| tool_hub    | exactly 140                  | line 112                 |
+| discussion  | [150, 162] (`idx%3 · 6`)     | line 142                 |
+| memory      | [150, 174] (`idx%4 · 8`)     | line 154                 |
+| file        | [216, 224] (`(idx%3-1)·4`)   | line 128                 |
+| symbol      | parent ± [18, 27]            | line 177                 |
+
+### Non-overlap of *different kinds* within one domain
+
+Treat each rendered glyph as a disc of radius ρ ≤ 12 px (the renderer's
+node radius is well under this). Two slots at the same anchor with radii
+`r₁, r₂` and angles `θ₁, θ₂` have Euclidean distance
+
+    d² = r₁² + r₂² − 2 r₁ r₂ cos(θ₁−θ₂)
+
+We need `d > 2ρ`, i.e. `d > 24`.
+
+**Case A — disjoint radius shells.** When the radius intervals are
+disjoint, `d ≥ |r₁−r₂|` (triangle inequality, achieved at `θ₁=θ₂`).
+Computed gaps:
+
+- mcp(50) ↔ setup[70,78]:        ≥ 20 — *requires angular check*
+- setup[70,78] ↔ tool_hub(140):  ≥ 62  ✓
+- tool_hub(140) ↔ disc[150,162]:  ≥ 10 — *requires angular check*
+- disc/mem[150,174] ↔ file[216,224]: ≥ 42  ✓
+- mcp(50) ↔ tool_hub(140):       ≥ 90  ✓
+
+The two "requires angular check" pairs are saved by geometry, not radius:
+
+- **mcp ↔ setup.** MCP sits at `θ = ω + π` (line 163, plus tiny jitter
+  ≤ 0.25·(total−1)/2 rad). Setup sits inside `[ω − π/2.6, ω + π/2.6]`
+  (line 100). Angular gap from `ω+π` to that sector is at minimum
+  `π − π/2.6 ≈ 1.93 rad`. Then `d² ≥ 50² + 70² − 2·50·70·cos(1.93)`
+  `= 2500 + 4900 + 2497 ≈ 9897`, `d ≥ 99 px` ≫ 24. ✓
+- **tool_hub ↔ discussion.** Tool hubs use angles in `TOOL_LOCAL_ANGLE`,
+  range `[−π/3.6, +π/3.6] ≈ [−0.87, 0.87]` around `ω`. Discussions center
+  at `ω + 0.72π ≈ ω + 2.26` with arc half ≤ `π/6.5 + π/6 ≈ 1.01`. Closest
+  angular approach: `2.26 − 1.01 − 0.87 = 0.38 rad`. With `r₁=140,
+  r₂=150`: `d² ≥ 140² + 150² − 2·140·150·cos(0.38) ≈ 42100 − 39042
+  = 3058`, `d ≥ 55 px`. ✓
+
+**Case B — DISC vs MEM (overlapping radii).** Disc centers at `ω + 0.72π`,
+memory at `ω − 0.72π`; angular distance `0.56π ≈ 1.76 rad`. Half-arcs are
+`π/6.5 + min(π/3, 0.04·n)` (disc) and `π/6.5 + min(π/2.5, 0.03·n)` (mem),
+worst-case 1.53 and 1.74. The lanes stay disjoint while `0.04·n_disc +
+0.03·n_mem < 0.79 rad`. For typical lane sizes (≤10 each) the gap is
+positive; for very large N the lanes can angularly meet — see Caveats.
+
+### Symbols vs everything else
+
+Symbols live in a disc of radius ≤ 27 px around their parent file at
+`r ∈ [216, 224]`. The nearest non-file kind by radius is discussion/memory
+(top of [150,174]). Worst case: symbol on the inward edge of its parent's
+petal (`r ≈ 216 − 27 = 189`) vs a memory at `r = 174` *at the same angle*
+gives `d ≥ 15 px`. **This is below the 24 px collision threshold in the
+worst-case angular alignment.** However, symbols inherit their parent
+file's angle (which orbits a tool hub near `ω`), while memory lives near
+`ω − 0.72π`. The angular gap is therefore ≥ `0.72π − file_arc/2 −
+memory_arc/2 ≈ 2.26 − 0.18 − 1.74 = 0.34 rad`, giving
+`d² ≥ 189² + 174² − 2·189·174·cos(0.34) ≈ 4174`, `d ≥ 64 px`. ✓
+
+### Independence audit
+
+Discovery: planetary-shell analogy + Fibonacci intuition. Proof: triangle
+inequality + interval arithmetic on the source's literal constants. The
+proof never invokes "shells balance"; it computes `d²` directly. Shared
+assumption: only `|cos|,|sin| ≤ 1`. **Independence holds.**
+
+## Conclusion
+
+- **Boundedness & finiteness:** verified unconditionally.
+- **Cross-kind non-overlap within a domain:** verified for every pair
+  *except* DISC vs MEM at very high lane counts.
+- **Symbol vs non-file:** verified via angular sector separation (≥ 64 px).
+- **O(1) per node, O(domains×kinds) state:** verified by inspection.
+
+Status: **verified with one named caveat.** Confidence: high — discovery and
+proof are independent and agree.
+
+## Caveats / hand-offs
+
+- **DISC↔MEM angular collision at high N.** Lanes can meet when
+  `0.04·n_disc + 0.03·n_mem ≳ 0.79 rad`. Fix: cap the additive arc growth
+  (`min(π/3, …)` and `min(π/2.5, …)`) tighter, or push memory to a smaller
+  radius. Hand to **Dijkstra** for a formal invariant; **Fermi** can size
+  the realistic N envelope from production data.
+- **Cross-domain non-overlap** is *not* proven here — it depends on
+  `base_radius`'s `shell·√(N/π)·0.65` choice vs the per-domain bounding
+  disc (≈ FILE_R + symbol radius ≈ 247). Out of scope for this audit; the
+  heuristic argument in the docstring (line 60-66) is plausible but not
+  proved. Hand to **Lamport** for a TLA-style invariant on inter-domain
+  spacing.
+- **Renderer glyph radius ρ.** Audit assumed ρ ≤ 12 px. Verify in
+  `ui/unified/js/workflow_graph.js` style block before relying on the
+  24 px threshold.
diff --git a/tasks/layout-authority/audits/arendt.md b/tasks/layout-authority/audits/arendt.md
new file mode 100644
index 00000000..424bf707
--- /dev/null
+++ b/tasks/layout-authority/audits/arendt.md
@@ -0,0 +1,142 @@
+# Arendt thoughtlessness audit — Cortex layout authority
+
+System: `mcp_server/server/layout_authority_{protocol,scheduler,wire,log,geometry,lod}.py`.
+Method: at each silent failure, name the *suppressed question* whose absence let "I was
+just following the contract" substitute for thinking. Arendt: harm produced in the spaces
+between roles, each module honoring its half, the inconvenient question passed across
+the boundary until it lands on no one. Stakes **High**; coding-standards 1,2,7,8 apply.
+
+## Finding 1 — Build worker dies mid-emit
+
+**Suppressed question:** what is the lifecycle of `_event_seq` and the subscriber set when
+the producer thread crashes between `emit()` calls?
+
+**Silent failure:** `layout_authority_log.emit()` documents a "single-producer precondition"
+load-bearing for I1, I2. Nothing enforces it; nothing detects its violation. Subscribers
+keep draining a queue that will never receive `'done'`. `replay_since(N)` returns the same
+finite prefix forever.
+
+**Visible symptom:** UI hangs at "streaming…" indefinitely. No browser error, no server
+error, healthy-looking subscriber.
+
+**Engineering response:** producer heartbeat — worker emits `'heartbeat'` every `T`
+seconds; log records `last_emit_monotonic`; SSE handler converts silence > `5*T` into an
+explicit `event: producer_lost` frame. Client distinguishes slow build from dead producer.
+
+## Finding 2 — `add_node` arrives with kind not in `NODE_KINDS`
+
+**Suppressed question:** who is the trusted producer of `NodeDelta`, and what happens when
+that trust is misplaced?
+
+**Silent failure:** protocol says "raises `ValueError`." The build worker is in another
+thread; an unhandled `ValueError` kills it. The authority's ingress disappears. Worker
+assumes authority validates; authority assumes worker validated; both right, neither
+catches the dropped frame. Classic Eichmann shape: each role just doing its job.
+
+**Visible symptom:** stream stops at a random point. Downstream symbols never emitted.
+`producer_alive` (F1) eventually goes false.
+
+**Engineering response:** validation is a *boundary* concern, not a shared assumption.
+Input wrapper catches `ValueError`, logs once per kind, increments `rejected_by_kind[kind]`,
+proceeds. Contract changes from "raises" to "drops with counter." `/api/layout/stats`
+exposes `rejected_by_kind` — the inconvenient question becomes a graph.
+
+## Finding 3 — SSE client at 100% CPU cannot drain
+
+**Suppressed question:** what is the user experience of the 201st failed `put_nowait`?
+
+**Silent failure:** at `_DEAD_QUEUE_MISS_THRESHOLD = 200` the subscriber is reaped
+silently. No `event: evicted` delivered (queue is full — the condition that triggered
+eviction). Handler discovers it only when next `q.get()` blocks forever. User reloads,
+gets fresh stream from `seq=current`; events between eviction and reload simply missing —
+`replay_since` reports no gap because the client never knew its last-good seq.
+
+**Visible symptom:** graph silently desyncs. Some nodes placed; others emitted during the
+eviction window never appear. User blames "flaky network."
+
+**Engineering response:** before reaping, set HTTP trailer `X-Cortex-Evicted: 1` on close
+OR enqueue a tombstone the handler observes via the unbounded read side. Browser treats
+either as "you missed events; do a fresh snapshot fetch."
+
+## Finding 4 — Replay-buffer overflow with unwritten encoder
+
+**Suppressed question:** what does a client requesting `Last-Event-ID: 12345` actually see
+when the buffer has rolled past 12345?
+
+**Silent failure:** `replay_since` returns `([], oldest_seq)` on overflow; docstring says
+"SSE handler emits a `replay_lost` sentinel." `layout_authority_wire.py` defines
+`format_slot/edge/done`. **There is no `format_replay_lost`.** Whatever the handler
+improvises is invented at the call site. Protocol wrote a contract; wire wrote encoders;
+log wrote a gap signal; nobody wrote the encoder for the gap signal — each author thought
+another module would.
+
+**Visible symptom:** stream silently truncates, client sees stale graph, or browser parses
+malformed event and EventSource closes with generic error.
+
+**Engineering response:** add `format_replay_lost(seq, oldest_seq) -> bytes`. Document
+at protocol layer that this is a first-class event, not a sentinel. CI test asserts every
+event-kind named in any docstring has an encoder.
+
+## Finding 5 — `compute_slot` falls back to anchor on unknown kind
+
+**Suppressed question:** if `node_kind` is not in any branch, what does the renderer do
+with N nodes placed at exactly the same `(x, y)`?
+
+**Silent failure:** dispatcher's last line returns `ctx.get("anchor", ...)`. Docstring
+celebrates "safe fallback so the renderer never sees NaN." Renderer doesn't see NaN — it
+sees N nodes piled on the domain anchor, occluding the hub, click targets all hitting the
+topmost. "Safe" is floating-point safe, not semantic. The thinking — *what does it mean
+for an unknown kind to be placed?* — was outsourced to a `ctx.get` default. New kinds
+added to `NODE_KINDS` but not to `compute_slot` produce clumps; cause invisible — no
+warning, no counter.
+
+**Visible symptom:** clumps on the domain hub when a new kind is added without a geometry
+branch. No diagnostic.
+
+**Engineering response:** terminal branch raises `NotImplementedError`. Boundary (F2)
+classifies as rejection, increments `rejected_by_kind`. CI test enumerates `NODE_KINDS`
+and asserts every kind has a non-fallback branch.
+
+## Finding 6 — `reset()` clears subscribers without telling them
+
+**Suppressed question:** what does the subscriber's handler think happened when its queue
+stops receiving events at the moment a fresh build starts?
+
+**Silent failure:** `reset()` calls `_subscribers.clear()` and returns. Subscriber queue
+still exists; handler still holds reference; still calls `q.get()` and blocks. New
+build's `emit()` fans out to the (empty) subscriber set. Old clients hang as in F1 — but
+producer is *alive*, just unaware they exist. Compounds with F1: per-subscriber
+keepalives keep firing, client believes stream healthy while build it watches no longer
+exists.
+
+**Visible symptom:** during re-build (file save → reset → new emit) existing tabs
+continue showing the previous build's nodes indefinitely. User must hard-refresh. The
+"live" promise silently broken.
+
+**Engineering response:** before clearing, fan out a synthesized `event: reset` to each
+subscriber, then clear. Browser treats it as "drop graph, reconnect from seq=0." Add
+`format_reset`. Reset becomes a *spoken* boundary, not a silent disappearance.
+
+---
+
+## Cross-finding pattern
+
+Five of six failures share one shape: **a contract was written, each module honored its
+half, and the question "what if my counterparty is wrong, absent, or interrupted?" was
+passed across the boundary in both directions until it landed on no one.** The
+bureaucratic geometry Arendt diagnosed: every role correctly performed; harm produced in
+the spaces between roles.
+
+Remediation is uniform: **promote the silent boundary into a first-class event**
+(`heartbeat`, `evicted`, `replay_lost`, `reset`) and **add a counter** for every drop
+path. A counter nobody reads still beats a drop nobody can name. The counter is the
+durable artifact (work, in Arendt's sense) that survives the labor cycle of streaming.
+
+## Hand-offs
+
+- Producer-aware health signaling → **Hamilton** (resilience with judgment at boundaries).
+- Counter & observability surface → **Deming** (variation made visible).
+- Encoders (`replay_lost`, `reset`, `evicted`, `heartbeat`) → engineer.
+- CI test that `NODE_KINDS` ⊆ `compute_slot` branches → engineer.
+
+Diagnosis only. Redesign belongs to agents that own system design.
diff --git a/tasks/layout-authority/audits/aristotle.md b/tasks/layout-authority/audits/aristotle.md
new file mode 100644
index 00000000..d4e476d3
--- /dev/null
+++ b/tasks/layout-authority/audits/aristotle.md
@@ -0,0 +1,184 @@
+# Aristotle Audit — Layout Authority Four Causes
+
+Frame: for each of the five `layout_authority_*` modules, name what it is
+made of (material), what shape it takes (formal), what brings it into
+being (efficient), and what it exists to solve (final). Then synthesize
+across modules to find causes that are incomplete or that disagree.
+
+Sources: `_protocol.py`, `_log.py`, `_scheduler.py`, `_geometry.py`,
+`_lod.py`, `_wire.py`; `cost-model.md`; audits `alexander.md`, `beer.md`,
+`dijkstra.md`.
+
+## Per-module four causes
+
+### `layout_authority_protocol.py`
+
+- **MATERIAL.** `frozenset[str]` of NODE_KINDS / EDGE_KINDS;
+  `@dataclass(frozen, slots)` value types `NodeDelta`, `EdgeDelta`,
+  `SlotAssignment`; a `runtime_checkable` `Protocol`; a doc-string
+  `INVARIANTS` block (I1–I7); stdlib-only imports (`dataclasses`,
+  `typing`).
+- **FORMAL.** A *contract module* — three input verbs (add_node,
+  add_edge, request_subtree), one output event (SlotAssignment), one
+  Protocol. Shape is normative-spec, not behavior; pure typing.
+- **EFFICIENT.** Authored as the contract layer that downstream impls
+  (`layout_authority.py`) and adapters (`_wire`, `_log`) must honor.
+  Forward-declared factory `authority_from_geometry` defers to a
+  reference impl that is **not present in the audited set** (gap).
+- **FINAL.** Make happens-before, ordering, and per-kind preconditions
+  *enforceable by reading one file*. Lets engineer + Dijkstra argue I1–I7
+  without spelunking. Final cause = "shared meaning across producer,
+  authority, and consumer."
+
+### `layout_authority_log.py`
+
+- **MATERIAL.** `collections.deque(maxlen=500_000)` of `(seq, kind,
+  bytes)` tuples; two `threading.Lock`s; `list[queue.Queue]`
+  subscribers, each `maxsize=100_000`; module-globals
+  (`_event_log`, `_event_seq`, `_subscribers`).
+- **FORMAL.** Append-only ring buffer + snapshot fan-out with
+  per-subscriber dead-queue reaping at 200 misses; replay-by-seq with
+  gap detection; `reset()` clears buffer but **preserves** monotonic
+  seq across builds.
+- **EFFICIENT.** Driven by `emit(kind, payload)` from a single producer
+  thread (the worker that pops `_scheduler` and renders frames via
+  `_wire`). Subscribers are added by SSE handlers from any thread.
+- **FINAL.** Deliver every wire-encoded event to every live SSE
+  subscriber exactly once and in seq order, support `Last-Event-ID`
+  resume across reconnects, and never stall the producer when a
+  subscriber is slow. Final cause = "one-to-many durable replay."
+
+### `layout_authority_scheduler.py`
+
+- **MATERIAL.** Seven `collections.deque` queues with hand-derived caps
+  (P0=1k…P5=128k, P6=100); a `threading.Lock` + `Condition`; a `Stats`
+  dataclass of `queued`/`dropped` counters per priority.
+- **FORMAL.** Hamilton 1202-pattern bounded multi-queue with strict
+  priority pop, non-blocking `submit` returning False on cap, and
+  idempotent P6 coalescing by linear scan. Drops accounted, never
+  silent.
+- **EFFICIENT.** `submit` called from build-worker thread per
+  add_node/add_edge; `pop` called from the single authority worker
+  loop; `coalesce_subtree` from any thread (HTTP handler).
+- **FINAL.** Survive bursty unbounded producer load while keeping
+  topologically critical hubs (P0 domains, P1 tool_hubs) intact and
+  shedding cheap volume (P4 symbols, P5 edges) first. Final cause =
+  "graceful priority-displaced shedding."
+
+### `layout_authority_geometry.py`
+
+- **MATERIAL.** Module-level `float` constants ported verbatim from
+  `ui/unified/js/workflow_graph.js` (radii, sector half-widths,
+  per-tool angles, golden angle φ); pure-`math` arithmetic.
+- **FORMAL.** Eight closed-form O(1) placement helpers + a `compute_slot`
+  dispatcher keyed on `node_kind`. Pure functions; no state, no
+  iteration over siblings. Memory: O(domains × kinds) ≈ 528 B.
+- **EFFICIENT.** Called once per accepted NodeDelta by the authority
+  worker, given a `ctx` dict (anchor, outward, idx, total, …). Was
+  produced by mechanically translating `workflow_graph.js` lines
+  43–700 into Python.
+- **FINAL.** Place node #10⁹ in the same time as node #1; match the
+  user-tuned visual contract. Final cause = "deterministic, stable,
+  visually-faithful pixel coordinates at constant cost."
+
+### `layout_authority_lod.py`
+
+- **MATERIAL.** Three `frozenset[str]` of kinds (always-visible,
+  decimated, far-reduced); a `_FAR_ZOOM_THRESHOLD = 0.4`; BLAKE2b
+  digest as the stable hash; a power-law `stride(zoom)` formula.
+- **FORMAL.** Pure-function decimator: `visible_at_zoom(node_id, kind,
+  zoom)` returns bool. Streaming `visible_subset` iterator. Power-law
+  signature `|visible| ≈ N / stride(zoom)`, log-log slope ≈ −1
+  (Mandelbrot self-check).
+- **EFFICIENT.** Invoked by the SSE handler at (re)connect when
+  client passes `?zoom=`; produces the surviving subset to stream.
+- **FINAL.** Make a 10⁶+ symbol population renderable at far zoom
+  without overwhelming the canvas, and have *the same* visible set
+  survive disconnect/reconnect. Final cause = "scale-invariant
+  visibility that is reconnection-stable."
+
+### `layout_authority_wire.py`
+
+- **MATERIAL.** Pre-allocated `bytes` constants (`_EVT_SLOT`,
+  `_DATA_PREFIX`, `_NL`, `_PIPE`, …); pure-stdlib `math.isfinite`;
+  ASCII-byte concatenation; pipe-delimited UTF-8.
+- **FORMAL.** A real-time codec returning finished `bytes` per event
+  (`format_slot`, `format_edge`, `format_done`, `format_keepalive`,
+  `chunk_wrap`); paired test-only decoders. Validates against `|`,
+  `\n`, `\r`, NaN, inf, oversize kind. ~82 B/event wire shape.
+- **EFFICIENT.** Called by the authority worker between `compute_slot`
+  and `_log.emit`; finished bytes flow into the ring buffer and out
+  to every subscriber unchanged.
+- **FINAL.** Encode-once, fan-out-many at ~1 M events/s; let the
+  browser parse with `String.split('|')` (~4× cheaper than
+  `JSON.parse`). Final cause = "minimum bits per event on the wire,
+  zero re-encoding per subscriber."
+
+## Synthesis — gaps where causes are incomplete or disagree
+
+1. **Material/formal mismatch (D0 from Dijkstra audit).**
+   `_protocol.SlotAssignment.node_id` vs. `_wire.format_slot` reading
+   `slot.id`. The matter (field name) contradicts the form (the
+   protocol contract). Aristotelian rule: matter must take the form
+   the contract specifies. **Block integration until renamed.**
+
+2. **Efficient cause for the whole authority is unverified.** Every
+   module names "the authority worker" as its efficient cause, but
+   the consolidating `layout_authority.py` (the worker loop, the
+   parent-pending buffer, the single-producer `emit` discipline) is
+   **not in the audited set**. Until that file is read and shown to
+   wire scheduler→geometry→wire→log under one thread, the chain of
+   efficient causes has a missing link. Dijkstra D1/D2 and Beer's
+   "S3 broker absent" both name this same gap.
+
+3. **Final cause coherent across modules.** Place 10⁹ nodes in 1–2 s,
+   8 MB working set, deterministic stable slots, reconnection-stable
+   visibility, lossless replay. Every module's *for-the-sake-of*
+   composes into the same higher-level purpose. No teleological
+   conflict.
+
+4. **Formal cause of `_log` violates one of its own invariants.**
+   The reset prose says seq is global-monotonic across builds;
+   the module-global state means *two authorities in one process
+   share seq*. The form (single global counter) does not match the
+   intended substance (per-authority resume semantics). Either a
+   construction precondition ("one authority per process") must be
+   asserted, or `_log` must be refactored to instance state. This
+   is the same defect Dijkstra calls D2 and Beer calls "fragile
+   cohesion of `_log`."
+
+5. **Material cause of `_scheduler` exceeds the cost-model budget.**
+   `cost-model.md` declares an 8 MB ceiling; `_scheduler` worst-case
+   residency is ~19.4 MB (sum of caps × ~80 B). The matter from
+   which the scheduler is built cannot in principle fit the form
+   imposed by the cost model under simultaneous burst. Either P5
+   cap shrinks, the ceiling is renegotiated in an ADR, or the
+   measured steady-state must be empirically shown <8 MB.
+
+6. **Algedonic gap (Beer) = absent final cause for failure surfacing.**
+   No module has "tell the operator we are degraded" as its final
+   cause. `replay_lost` is the only true push signal; queue overflow,
+   subscriber-reap, and invariant violation are pull-only. The system
+   has no module *for* alarm. A genuine S3 broker is missing both as
+   matter (no module) and as final cause (no purpose claimed for it).
+
+## Hand-offs
+
+- D0 field-name fix and single-producer enforcement → **engineer** (per
+  Dijkstra).
+- S3 broker design (final-cause "surface degradation"), runtime
+  invariant enforcer → **Hamilton + engineer** (per Beer).
+- Memory-budget reconciliation between scheduler caps and cost-model
+  8 MB ceiling → **Curie** (measure) + **engineer** (decide).
+- Read and audit the unread `layout_authority.py` worker file to close
+  the efficient-cause chain → **engineer + Dijkstra**.
+
+## Verdict
+
+Material, formal, and final causes are well-articulated and largely
+coherent across the five audited modules. The **efficient cause is
+incomplete**: the orchestrating worker is referenced in every module's
+threading model but is not part of the audited set. Two specific
+material-form mismatches (D0 field name, `_log` global state) and one
+material-form-vs-cost-model contradiction (scheduler 19.4 MB > 8 MB)
+must be resolved before the four causes converge.
diff --git a/tasks/layout-authority/audits/bateson.md b/tasks/layout-authority/audits/bateson.md
new file mode 100644
index 00000000..65bb1ff8
--- /dev/null
+++ b/tasks/layout-authority/audits/bateson.md
@@ -0,0 +1,177 @@
+# Bateson — Levels-of-Context Audit of the Layout Authority
+
+> The pattern that connects is not at any single level — it is the
+> relationship between levels. A signal that reads as `error` at level
+> *n* can be invisible, or re-encoded as health, at level *n−1*.
+
+The layout authority is a five-level system. Each level has its own
+notion of error, its own corrective feedback, and its own time
+constant. The pathology this audit hunts is the **double bind** that
+emerges when level *n*'s corrective move *is the very thing* that
+produces a level *n+1* fault — and the producer cannot
+meta-communicate the contradiction.
+
+## L1 — Individual events
+
+Unit: one `(seq, kind, payload)` tuple emitted by `_log.emit`
+(`layout_authority_log.py:46`). Time constant: ~250–300 ns
+(fermi.md). Producer: single worker thread (load-bearing
+single-producer rule, `_log.py:24–32`).
+
+| Question | Answer |
+|---|---|
+| Error? | `ValueError` from `_protocol`; `put_nowait` full on subscriber; `kind ∉ NODE_KINDS`. |
+| Corrective | Drop + `_event_log_drops += 1`; or buffer in scheduler P5 (dijkstra.md §1). |
+| Time | Sub-µs. |
+
+The *pattern* of drops (L2 concern) is invisible here because each
+drop is locally legitimate.
+
+## L2 — Event streams (one SSE channel, one client)
+
+Unit: one subscriber `queue.Queue` + socket. Time constant: browser
+frame budget (~16 ms) and TCP RTT.
+
+| Question | Answer |
+|---|---|
+| Error? | `put_nowait` miss; >200 consecutive misses ⇒ auto-evict (`_log.py:43`); `Last-Event-ID` gap outside 500k ring (`_log.py:14`). |
+| Corrective | Auto-evict dead subscriber; client reconnects with `Last-Event-ID`; on miss-window-exceeded, fall back to full re-stream from build cache. |
+| Time | ~200 events (~2–7 ms at peak). |
+
+**Invisible at L1**: the eviction policy reads, at L1, as "queue full
+→ drop event." A *slow client* (laptop on battery) emits the same L1
+signal as a *crashed* client. L2's corrective is identical in both
+cases. The producer never learns which failure mode it papered over.
+
+**Double-bind seed (L1↔L2)**: producer's content message is "I
+produce at line rate." Relationship message implicit in eviction is
+"I silently disconnect anyone who can't keep up." A slow consumer
+cannot meta-communicate "please slow down" because the SSE wire is
+one-way (`_wire.py` is encoder-only — coase.md §3c). By design at L2;
+becomes the trap at L4.
+
+## L3 — Build cycles (one full sweep)
+
+Unit: one `recompute_layout` invocation (`recompute_layout.py:46`)
+or one in-process authority sweep. Time constant: 90 s–3 min for 1M
+DrL (`layout_engine.py:8–17`).
+
+| Question | Answer |
+|---|---|
+| Error? | `igraph_missing` 503; `no_graph_cached`; `empty_graph`; layout writing 0 rows. |
+| Corrective | Skip-if-fresh on fingerprint match (`recompute_layout.py:86–99`); fall back to legacy URL when extras absent (`open_visualization.py:217`); full rewrite per run (`layout_pg_store.py:54`). |
+| Time | One sweep (minutes). |
+
+**Invisible at L2**: a build that "succeeds" but writes degenerate
+geometry (e.g. all coords collapsed because DrL diverged) emits
+well-formed L1 events and clean L2 streams. Pathology only surfaces
+at L5. There is no L3 health metric on geometric *quality* — the
+fingerprint protects topology equivalence, not visual fitness.
+
+**Double-bind seed (L2↔L3)**: L2 promises "events flow at line rate."
+L3 promises "topology change ⇒ recompute." During a 3-min DrL pass
+L2 serves a *previous* fingerprint's coords while L3 is mid-flight.
+Clients see consistent old data, then a sudden flip. No level emits
+"stale-but-consistent" as a distinct state from "fresh."
+
+## L4 — Session lifetime (one server lifecycle)
+
+Unit: one `cortex-visualize` launch → 10-min idle shutdown
+(`open_visualization.py` schema). Time constant: minutes to hours.
+
+| Question | Answer |
+|---|---|
+| Error? | Plugin cache out of sync (mitigated by `_auto_sync_all_caches`, `open_visualization.py:84`); zombie on port 3458 (mitigated by `_kill_port`); bootstrap exit non-zero; PG `batch_pool` exhausted; idle-shutdown firing while DrL still runs. |
+| Corrective | Best-effort rsync to every cache root; SIGTERM port-holder; bootstrap status surfaced as MCP message; *no* corrective for a layout pass interrupted by idle-shutdown. |
+| Time | Single-shot per launch; user re-launches manually. |
+
+**Invisible at L3**: idle-shutdown that races a 3-min DrL pass emits
+L3 = "no error, just nothing written." Next launch sees stale
+fingerprint → recomputes → races shutdown again. Livelock with zero
+L1/L2/L3 errors, only L5 symptom "viz never finishes."
+
+**Double bind in full bloom (L2↔L4)**: L2 "drop slow subscribers"
+combined with L4 "shut down on idle" means a subscriber *evicted for
+being slow* contributes zero traffic, contributes to "idle," and
+triggers shutdown of the build it was waiting on. Eviction silenced
+the only signal that would have kept the server alive. No actor can
+name this — `_log` doesn't know about idle-shutdown; the launcher
+doesn't know about subscribers.
+
+## L5 — System / user experience
+
+Unit: one user session in front of one tab. The level Bateson calls
+"the ecology" — where the system's mind lives.
+
+| Question | Answer |
+|---|---|
+| Error? | "The graph looks fragmented." "It froze." "Nodes pop in and out." |
+| Corrective | Out-of-band: user reports, lessons.md, this audit. **No in-band channel.** |
+| Time | Days (next code change). |
+
+**Invisible at L4**: every L1–L4 signal reads as health. Producer at
+line rate, streams draining, build fingerprint-fresh, server up. User
+suffering. Canonical Bateson pattern — **the symptom lives at the
+level that has no voice in the loop.**
+
+## The double bind, named
+
+Three conditions (Move 2):
+
+1. **Contradictory messages at different levels**: L2 says "fast
+   subscribers win, slow get dropped." L5 says "every user sees the
+   whole graph." A user on weak hardware *cannot satisfy both*:
+   keeping up means dropping detail (LoD collapse,
+   `layout_authority_lod.py`); receiving detail means eviction.
+2. **Cannot leave the field**: MCP handler awaits `_prepare_layout`
+   up to 600 s (`open_visualization.py:257`). Closing the tab does
+   not close the build.
+3. **Cannot meta-communicate**: SSE wire is one-way (coase.md §3c).
+   The client has no protocol verb for "I am slow, please coalesce"
+   short of dropping the connection — which the server reads as
+   "client gone, evict."
+
+**All three hold.** The pattern is structural, not a bug in any module.
+
+## Pattern that connects
+
+| This system | Isomorphic to | Solution domain |
+|---|---|---|
+| Slow-subscriber eviction → idle-shutdown livelock | TCP silly-window syndrome | Window-scaling + Nagle/Clark — *negotiation* primitive in the wire. |
+| L3 fingerprint hides bad geometry | Compiler type-checks hide semantic bug | Property tests at L3 boundary. |
+| L5 invisible at L1–L4 | Microservice "all green" while users error | RUM / synthetic probes at L4 entry. |
+
+## Structural interventions (no individual blame)
+
+1. **Open the L2 back-channel.** One-bit consumer-pressure token from
+   client → server (e.g. ping carrying `keep-coalescing`, or tiny
+   POST every N frames). Producer reads "alive and slow," not "evict."
+   Resolves bind condition 3.
+2. **Couple L4 idle to L2 backlog.** Idle-shutdown counts a
+   subscriber whose queue depth > 0 as *not idle*, even if no bytes
+   left the wire in 30 s. Breaks eviction→silence→shutdown.
+3. **Add L3 geometric-health gate.** Before
+   `write_layout` commits (`layout_pg_store.py:54`), assert
+   `span > ε` on coords. Degenerate layouts become L3 errors instead
+   of invisible L5 symptoms.
+4. **Promote L5 into the loop.** Synthetic headless render per launch
+   reports back. L5 acquires a voice; system stops being a black box.
+5. **Type-distinguish "stale-consistent" from "fresh."** Build cache
+   exposes `(fingerprint, version, age_s)`; L2 events carry explicit
+   `stale=true` rather than serving old coords as if current.
+
+## Compliance check (against `~/.claude/rules/coding-standards.md`)
+
+| Rule | Status | Note |
+|---|---|---|
+| §1 SOLID | pass | Each intervention adds one responsibility per module. |
+| §2 Layer dependency | pass | Back-channel in `_wire`, geometric gate in `core.layout_engine`, L5 probe in handlers — no inversions. |
+| §7 Local reasoning | conditional | Intervention 1 makes the wire bidirectional; pair with Dijkstra to keep the protocol enumerable. |
+| §8 Sources | pass | Anchors cite coase.md §3, fermi.md, dijkstra.md §0–§2, and inline source files. |
+
+## Hand-offs
+
+- **Dijkstra**: formalize L2 back-channel with enumerable verbs; protect H1/H2.
+- **Meadows**: model L2-eviction → L4-idle → L3-restart feedback loop.
+- **Coase**: re-evaluate IPC boundary if intervention 1 moves work to its own thread.
+- **Engineer**: implement intervention 3 (geometric-health gate) first — lowest blast radius, highest L5→L3 visibility gain.
diff --git a/tasks/layout-authority/audits/beer.md b/tasks/layout-authority/audits/beer.md
new file mode 100644
index 00000000..cb3f6306
--- /dev/null
+++ b/tasks/layout-authority/audits/beer.md
@@ -0,0 +1,125 @@
+# Beer VSM Audit — Cortex Layout Authority
+
+Diagnostic frame: Stafford Beer's Viable System Model. The layout authority
+must remain *viable* — adaptive, autonomous, coherent — under bursty,
+unbounded producer load and lossy SSE consumers. This audit checks
+structural completeness, variety balance, recursive viability, and
+algedonic signal design.
+
+## System boundary
+
+- Inside: `layout_authority_geometry.py`, `_scheduler.py`, `_log.py`,
+  `_protocol.py`, `_wire.py` (the five-module authority), plus the
+  unread reference `layout_authority.py` that wires them.
+- Environment: build worker (producer of NodeDelta/EdgeDelta), SSE
+  subscribers (browser renderers), HTTP transport, viewport-driven
+  `request_subtree` callers.
+- Recursive level: L=0 = layout authority; L=+1 = Cortex MCP server
+  (handlers + DB + transport); L=−1 = each per-priority queue inside
+  the scheduler.
+
+## Five-system audit
+
+| System | Function | What fills it | Status | Channel integrity |
+|---|---|---|---|---|
+| S1 Operations | Closed-form O(1) slot computation per node | `layout_authority_geometry.py` (8 placement helpers + dispatcher) | Present, well-formed | Pure functions; no side channel; safe |
+| S2 Coordination | Anti-oscillation + scheduling among ops | `layout_authority_scheduler.py` (7-level priority deque, P6 coalescing, single producer/consumer condvar) | Present, well-formed | `submit`/`pop`/`coalesce_subtree` mutually exclusive under one lock |
+| S3 Resource bargaining | Internal "now" — cap allocation, drop accounting, fan-out | `_scheduler.QUEUE_SIZES` + `_log.emit/_fan_out/_reap` | Present but **distributed across two modules without an explicit S3 broker** | Stats are exposed but no module *decides* between log-buffer pressure and queue pressure |
+| S4 Intelligence | Environment scanning, future modeling | `_scheduler.stats()`, `_scheduler.is_overloaded()`, `_log.stats()` | **Partial** — scanning capacity present, no forecasting; no sensor for *consumer* lag (subscriber miss-counters live inside `_log` and never escape) | Read-only `stats()` endpoints exist; no closed-loop feedback to S5 |
+| S5 Policy / Identity | Defines what the authority IS; balances S3↔S4 | `_protocol.py` (NODE_KINDS, EDGE_KINDS, INVARIANTS I1–I7, `LayoutAuthority` Protocol) | Present, **strong** — invariants are normative and cited at refs in code | Invariants are documented but compile-time only; no runtime enforcer module monitors all seven |
+
+**Verdict:** S1, S2, S5 are fully present and structurally sound. S3 is
+*malformed-by-distribution*: the resource-bargaining function is split
+between scheduler caps and log fan-out without a single broker that can
+trade off between them under joint pressure. S4 exists as passive
+sensors but has no analyser that turns them into a forecast or a policy
+update. This is the textbook Beer pathology of "sensors without a head."
+
+## Variety analysis
+
+| Interface | Environmental variety | System variety | Gap | Remedy |
+|---|---|---|---|---|
+| Build worker → authority | Unbounded burst (1e9 events theoretical, design assumes 1e6/build) | 7 priority queues, caps 1k…128k, total ~243k pending | Attenuate (already done): drop-by-priority is a *variety attenuator* — `submit` shed at cap | Sufficient for documented load; cite the cap derivation |
+| Authority → SSE subscribers | One slot event must paint many pixels across N viewers | `_log._fan_out` snapshots the subscriber list and pushes once per subscriber | **Amplify** — one S1 event explodes into k subscriber deliveries | Verified: O(1) auth-side, O(k) deliver-side; bounded by `_DEAD_QUEUE_MISS_THRESHOLD=200` reaping |
+| Viewport drag → request_subtree | ~10 req/s per active viewer | P6 coalescing dedupes per `domain_id`; cap 100 | Attenuate | Sound — coalescing is the right move |
+| Wire encoder | UTF-8 strings of variable length | Pipe-delimited fixed-shape, validated against `|`, `\n`, `\r` | Attenuate | Sound — `_validate_id`/`_validate_kind` reject pathological inputs |
+| Subscriber backpressure | Slow client drains <100k/sec sustained | Auto-eviction at 200 consecutive misses | Attenuate (drop the consumer, not the producer) | Sound — preserves Hamilton invariant |
+
+**Variety drops in scheduler are correct attenuators**: P5 edges shed
+before any node, P4 symbols shed before structural nodes, P0 domains
+*never* shed in practice. **One S1 → multi-pixel paint** is the canonical
+amplifier and is implemented correctly via fan-out + chunked SSE.
+
+## Recursive viability
+
+| Subsystem | Own S1–S5 complete? | Missing systems | Consequence |
+|---|---|---|---|
+| `_geometry` (L=−1) | Trivially viable — pure function, no environment to be viable in. | — | Bottom-out point of recursion. Correct. |
+| `_scheduler.PriorityScheduler` (L=−1) | S1 = deques; S2 = condvar; S3 = caps; S4 = `stats`/`is_overloaded`; **S5 absent** — no module-internal policy that tunes caps from observed drops | S5 | Caps are static. A sustained P4 overflow cannot raise its own cap or shed P5 *more aggressively*. The decision rests with the human operator. Acceptable at L=−1 if the parent (L=0) has S5 to compensate. |
+| `_log` (L=−1) | S1 = ring buffer; S2 = single-producer rule (load-bearing per docstring); S3 = caps + reap; S4 = `stats`; S5 absent | S5 | Same: log cap is static. |
+
+**Does the authority itself fit inside a higher-level VSM (the Cortex
+MCP server)?** Yes, but the seam is thin:
+
+- L=+1 S1 ≈ MCP tool handlers (33 of them); the layout authority is one
+  S1 unit among many.
+- L=+1 S2 ≈ FastMCP transport + `tool_registry_*` dispatch.
+- L=+1 S3 ≈ `infrastructure/memory_config.py` + connection pools.
+- L=+1 S4 ≈ `core/metacognition.py`, benchmarks, `assess_coverage`.
+- L=+1 S5 ≈ project `CLAUDE.md` + `docs/adr/`.
+
+The authority is a viable S1 unit at the parent level **iff** its
+algedonic signals reach parent S3/S4. They do not (see below).
+
+## Autonomy–cohesion map
+
+| S1 unit | Current autonomy | Cohesion constraints (S3) | Balance assessment |
+|---|---|---|---|
+| `_geometry.compute_slot` | Full — pure dispatch | Match `workflow_graph.js` constants verbatim | **Correct.** Autonomy is bounded by an external visual contract; the cohesion is enforced by the comment trail and tests. |
+| `_scheduler` | Full — owns its caps and drop logic | `Stats` must be readable by S4 endpoints | **Correct.** |
+| `_log` | Full — owns ring buffer and subscriber list | Single-producer rule (docstring) | **Fragile cohesion.** Single-producer is *documented* but not *enforced*. Two callers of `emit()` from different threads silently violate I1/I2 ordering. |
+| `_wire` | Full — owns encoding | Must reject `|`, `\n`, `\r` | **Correct.** Defense-in-depth at the boundary. |
+
+## Algedonic signals
+
+| Signal | Source | Threshold | Destination | Filterable? | Status |
+|---|---|---|---|---|---|
+| Queue overflow → `Stats.dropped[p]++` | `_scheduler.submit` cap-reject | Implicit (cap exceeded) | `stats()` snapshot | **Filterable** — only surfaces if someone polls | **Weak.** No push channel from scheduler to S4/S5. |
+| `is_overloaded(threshold=0.8)` | `_scheduler` | 80% of any cap | Caller of `is_overloaded` | **Filterable** — must be polled | **Weak.** Threshold-based but pull-not-push. |
+| Subscriber dead → reap | `_log._fan_out` after 200 misses | 200 consecutive `put_nowait` failures | Local reap in `_reap` | **Unfilterable internally** but never propagates upward | **Weak.** Producer learns nothing about chronic subscriber slowness. |
+| Replay-lost gap | `_log.replay_since` returns gap | `since < oldest_seq − 1` | SSE handler emits `replay_lost` sentinel; client falls back to snapshot | **Unfilterable** — gap detection is automatic | **Strong.** This is the one true algedonic channel — automatic, threshold-based, surfaces at the wire. |
+| Invariant violation (I1–I7) | None — documentation only | n/a | n/a | n/a | **Absent.** The strongest S5 statement in the codebase has no runtime monitor. |
+
+## Structural prescriptions
+
+| Gap | Required function | Predicted failure if unaddressed | Priority |
+|---|---|---|---|
+| S3 broker absent | A single module that owns *both* scheduler caps and log cap, can shed P5 harder when log buffer is full, and exposes one back-pressure number | Under joint burst (huge build + slow subscriber), the system will silently drop wire events while still admitting new node deltas; the SSE stream goes inconsistent without operator visibility | **High** |
+| S4 forecast absent | A small analyser that reads `_scheduler.stats()` + `_log.stats()` periodically, computes drop-rate trend, and tags the build as "degraded" | The build completes and reports `done` totals that *disagree* with what the client received, with no flag | **High** |
+| Invariants I1–I7 unenforced at runtime | An assertion module that verifies seq monotonicity (I2), parent-before-child for symbols (I3), domain reachability (I7) on every emit; opt-in for prod, default-on for tests | Quiet violation under reordering; client-side rendering NaN or floating "orphan" symbols at wrong anchor | **High** |
+| Single-producer rule unenforced | `_log.emit` records calling thread on first call and asserts on subsequent threads | Two threads emit interleaved, fan-out delivery order disagrees with seq order, client SSE replay violates I2 | **Medium** |
+| Algedonic push channel | A bounded "alarm" queue (priority −1) that the scheduler/log fill on threshold crossing; SSE wire emits a synthetic `degraded` event the renderer can surface | Operator only sees overload via manual polling of stats endpoint | **Medium** |
+| Recursive S5 at L=−1 | None — accept that L=−1 modules borrow S5 from L=0; document it explicitly so caps are tuned from L=0 only | Without docs, future maintainers will add ad-hoc cap-tuning logic *inside* `_scheduler` and break locality | **Low** |
+
+## Hand-offs
+
+- Feedback dynamics analysis (drop-rate as control variable; oscillation
+  risk between cap-tuning and load) → **Meadows**.
+- Overload / graceful-degradation design (the S3 broker spec; threshold
+  curves) → **Hamilton**.
+- Implementation of S3 broker, runtime invariant enforcer, algedonic
+  push channel → **engineer**.
+- Measurement of drop-rate distributions, replay-lost frequency,
+  subscriber-eviction rate under realistic builds → **Curie**.
+
+## Verdict
+
+The authority has S1, S2, S5 of textbook quality. S3 is structurally
+**distributed without a broker** — viability holds today only because
+load fits within static caps. S4 has sensors but no analyser. The
+algedonic surface is dominated by **pull** signals; only `replay_lost`
+is a true Beer-grade unfilterable threshold signal. Under sustained
+joint pressure (large build + slow subscriber + viewport drag) the
+system will degrade silently. The remediations above are necessary for
+viability at L=+1 (the MCP server treating the authority as a black-box
+S1 unit must be able to *hear* its pain).
diff --git a/tasks/layout-authority/audits/borges.md b/tasks/layout-authority/audits/borges.md
new file mode 100644
index 00000000..dcf6b333
--- /dev/null
+++ b/tasks/layout-authority/audits/borges.md
@@ -0,0 +1,133 @@
+# Borges Audit — Layout Authority Failure-Space
+
+**Method.** Imagine the library of *all* execution traces for the chain
+`add_node → scheduler → log → wire → SSE → client paint`. Enumerate the
+failure modes a reasonable design must enumerate but typical engineering
+dismisses as "won't happen." Compare the **map** (full failure space) with
+the **territory** (what the modules actually handle).
+
+**Sources audited.** `layout_authority_protocol.py`, `_scheduler.py`,
+`_log.py`, `_wire.py`, `_lod.py`, `_geometry.py`, `handlers/quadtree_handler.py`,
+`handlers/recompute_layout.py`, `server/http_standalone*.py`.
+
+**Legend.** HANDLED · SILENTLY-DEGRADES · CRASHES · CORRUPTS.
+
+---
+
+## 1 — Producer side (build worker → authority)
+
+| # | Failure mode | Status | Evidence / mechanism |
+|---|---|---|---|
+| 1.1 | Producer crashes mid-emit (between `add_node` and corresponding `add_edge`) | SILENTLY-DEGRADES | No transactional boundary around an emit pair. Pending-edges buffer (I5) tolerates orphaned source/target. No crash beacon emitted, so client cannot distinguish "still building" from "build dead." |
+| 1.2 | Two builds racing (overlapping recomputes) | CORRUPTS | `recompute_layout.serve` is synchronous but has no mutex around `_graph_cache` or `layout_pg_store.write_layout`. Two concurrent POSTs interleave: same `topology_fingerprint`, two different `layout_version` rows; the SSE log's `_event_seq` is global, but `reset()` from build B wipes events still being drained by build A. |
+| 1.3 | Producer single-thread invariant (log docstring) violated by accident | CORRUPTS | `emit()` is documented as single-producer but **not enforced**. Two threads incrementing `_event_seq` under the lock keeps seq monotonic, but the post-lock `_fan_out` runs unsynchronized — per-subscriber delivery order can disagree with seq, breaking I2. |
+| 1.4 | `add_node` with NaN/inf coordinates produced upstream | HANDLED | `_validate_finite` in wire layer raises before write. |
+| 1.5 | `add_node` with `kind` not in `NODE_KINDS` | HANDLED | Protocol contract raises ValueError. |
+| 1.6 | `add_node` violates per-kind preconditions (`tool_hub` w/o `tool_name`, etc.) | HANDLED | Documented in `NodeDelta.Pre`; reference impl raises. |
+| 1.7 | Edge whose endpoints never arrive (dangling forever) | SILENTLY-DEGRADES | I5 buffer at 100k. Beyond cap, oldest pending edges are dropped with a counter — but **counter is never surfaced** in `quadtree_handler` or `/api/layout/stats`. Client paints a graph with missing edges and no warning. |
+| 1.8 | Producer emits 1e9 events at >1M ev/s | SILENTLY-DEGRADES | Wire layer benchmark targets ~1M ev/s; ring buffer caps replay at 500k. Sustained producer rates above subscriber drain rate cause subscriber eviction (200-miss threshold). The build "succeeds" but late subscribers see only the tail. |
+| 1.9 | Scheduler P5 (edges) cap hit during burst | HANDLED | Drop counter incremented; `is_overloaded()` surfaces "1202-class" condition. Hamilton invariant preserved. |
+| 1.10 | Scheduler P0–P2 cap hit (catastrophic burst) | SILENTLY-DEGRADES | Drops a domain or file → orphans entire subtree of children. Counter is monotonic, but **no client-visible event** says "your subtree is incomplete." |
+
+---
+
+## 2 — Authority internals (scheduler / log / geometry)
+
+| # | Failure mode | Status | Evidence |
+|---|---|---|---|
+| 2.1 | Clock skew between threads (monotonic vs wall) | HANDLED (incidental) | Authority uses `time.monotonic()` only; no wall-clock comparison in hot path. |
+| 2.2 | `_event_seq` overflow at 1e18 events | HANDLED (theoretical) | Python int is arbitrary precision; SSE wire `id:` is decimal ascii. No overflow ceiling. |
+| 2.3 | `replay_since(N)` after wraparound past ring buffer (N < oldest_seq) | HANDLED | `replay_since` returns gap signal; `graph_stream` is *documented* to emit `replay_lost` and trigger snapshot fallback. **But:** the `graph_stream` SSE handler is **not wired** in `http_standalone.py` — see §5.1. So this branch is dead code in the current build. |
+| 2.4 | `reset()` resets `_event_seq` (the bug the docstring warns about) | HANDLED | Code keeps seq monotonic across resets; explicit comment cites I3. |
+| 2.5 | Subscriber queue full → 200 misses → evict | HANDLED | Documented; producer never blocks. |
+| 2.6 | Subscriber on a Queue subclass that locks down attribute assignment | SILENTLY-DEGRADES | `_record_miss` falls back, miss count never persists, queue is **never reaped** — slow leak of dead subscribers. Documented but unfixed. |
+| 2.7 | `domain` node arrives after its members (I7 race) | HANDLED | Authority computes against placeholder anchor; slot is final. Trade-off accepted. |
+| 2.8 | `request_subtree` floods (viewport drag at 10 req/s) | HANDLED | `coalesce_subtree` is idempotent via linear scan (cap=100). |
+| 2.9 | Geometry returns NaN for a degenerate input (e.g. 0 domains) | HANDLED | `base_radius` clamps `n_domains` to ≥1; `outward_angle` has a 5px deadzone returning `-π/2`. `compute_slot` falls back to anchor on unknown kind. |
+| 2.10 | LOD `_stable_hash` collision causes uneven decimation | HANDLED | BLAKE2b 64-bit; selfcheck verifies log-log slope ≈ -1. |
+| 2.11 | LOD called with `kind` not in any of the three sets | HANDLED | "fail open" — emits the unknown node, comment explicit about the intent. |
+
+---
+
+## 3 — Wire format
+
+| # | Failure mode | Status | Evidence |
+|---|---|---|---|
+| 3.1 | Unicode in `node_id` (e.g. `cortex:utilité`) | HANDLED | Encoded as UTF-8 in `data:` payload. SSE permits UTF-8. **But:** `Content-Length` accounting at higher layer must use byte length, not char length — verified: `len(data_bytes)`. |
+| 3.2 | `node_id` containing `\|` (pipe) | HANDLED | `_validate_id` raises `ValueError`. |
+| 3.3 | `node_id` containing `\n` or `\r` | HANDLED | Same validation. |
+| 3.4 | `node_id` longer than 32 chars | SILENTLY-DEGRADES | `_MAX_KIND` (32) is enforced **only on `kind`**, not on ids. A 10-KB node_id would be SSE-framed verbatim and shipped to the browser, blowing the wire budget per event but not crashing. |
+| 3.5 | `kind` longer than 32 chars | HANDLED | `_validate_kind` raises. |
+| 3.6 | Float formatted with locale-dependent decimal (`12,3` vs `12.3`) | HANDLED | f-string `:.1f` is locale-independent in Python. |
+| 3.7 | Negative `seq` injected by malicious caller | SILENTLY-DEGRADES | No range check. Client `parseInt` accepts negative; ordering inverts. Authority is the only writer in current design, so de facto safe — but contract doesn't enforce. |
+| 3.8 | `chunk_wrap("")` | HANDLED | Raises explicitly. |
+| 3.9 | `parse_slot` on a payload with embedded `\|` in a future field | CRASHES (test-only) | `len(parts) != 5` raises. Test-only path. |
+
+---
+
+## 4 — Cross-build / rolling-deploy
+
+| # | Failure mode | Status | Evidence |
+|---|---|---|---|
+| 4.1 | Protocol version mismatch (server adds a 6th slot field; client expects 5) | CRASHES (client) | No version negotiation in `format_slot`. Client `data.split('\|')` against a 5-vs-6 mismatch raises in JS. **No `event: protocol` handshake** in the wire. |
+| 4.2 | Rolling deploy: half the fleet emits old wire, half new | CORRUPTS | Same root cause. Sticky-session SSE without an explicit version event means a client that lands on the new server then reconnects to the old server gets undefined behaviour. |
+| 4.3 | `Last-Event-ID: N` from a build that no longer exists | HANDLED in design / DEAD in code | `replay_since` returns gap signal; SSE handler **is not wired** in `http_standalone.py`, so the branch never executes. |
+| 4.4 | Two server processes share the same Postgres but not the same in-process `_event_log` | CORRUPTS | `_event_seq` is module-level, not coordinated. Round-robin SSE across two processes assigns the same `seq` to two different events. Out-of-process resume is broken by design. |
+| 4.5 | `layout_version` clash between two simultaneous recomputes | SILENTLY-DEGRADES | `write_layout` (not audited here, but called in `run_recompute`) returns a version; if it's a timestamp ms it can collide on a fast machine. Quadtree handler reads the latest, so the loser's data is invisibly dropped. |
+
+---
+
+## 5 — Connection lifecycle
+
+| # | Failure mode | Status | Evidence |
+|---|---|---|---|
+| 5.1 | SSE connection establishes **after** the build completes (replay-only client) | DEAD | The SSE handler that should call `replay_since(0)` and stream the historical log is **not wired into `http_standalone.py`** (grep shows no route reading from `_event_log`). The handlers `quadtree_handler` and `recompute_layout` are the only layout-related routes; they serve snapshots, not streams. So in practice the late-joining client gets a one-shot Arrow IPC blob. *That blob is internally consistent — but the entire "stream + replay" architecture documented in `_log.py` and `_wire.py` is dormant.* This is the largest map-vs-territory gap. |
+| 5.2 | Browser tab paused (background tab, OS sleep) while events queue server-side | SILENTLY-DEGRADES | Subscriber queue cap 100k; 200-miss threshold evicts. Tab-resume hits a closed connection; client must reconnect, but no UI signal exists. |
+| 5.3 | Out-of-order delivery across reconnect with stale `Last-Event-ID` | HANDLED in design / DEAD in code | Same as 5.1. The gap-detection branch in `replay_since` is correct but unreachable. |
+| 5.4 | Client's `EventSource` auto-reconnects with stale `Last-Event-ID` after the server's ring buffer has rolled past it | DEAD | Same root cause. |
+| 5.5 | Client opens 10 tabs (10 SSE subscribers) on the same authority | HANDLED | Each gets a bounded queue. Producer never blocks. |
+| 5.6 | Network proxy strips `id:` lines from SSE | SILENTLY-DEGRADES | Resume is broken (no Last-Event-ID at the client), but the live stream still works. Not currently a concern because §5.1 already disables resume. |
+| 5.7 | Browser tab paused for 30 min, returns; quadtree fetched `Cache-Control: max-age=60` is stale | HANDLED | `quadtree_handler` sets max-age=60; client refetches. ETag would be cleaner. |
+
+---
+
+## 6 — Persistence path (recompute_layout / layout_pg_store)
+
+| # | Failure mode | Status | Evidence |
+|---|---|---|---|
+| 6.1 | `_graph_cache` empty when recompute is called | HANDLED | Returns `{"status":"error","reason":"no_graph_cached"}`. |
+| 6.2 | igraph not installed | HANDLED | Caught as `ImportError`, surfaced as `igraph_missing`. |
+| 6.3 | pyarrow not installed (quadtree path) | HANDLED | Returns 503 `viz_tile_extra_missing`. |
+| 6.4 | Postgres connection drops mid-`write_layout` | CRASHES | `run_recompute` does not wrap the write in retry; exception propagates to `serve` which catches and returns 503. Caller sees `exception` reason but not transactional state. Possible partial write if `write_layout` is not atomic (not audited here). |
+| 6.5 | Topology fingerprint matches but coords are stale (manual DB tamper) | CORRUPTS | `skip-if-fresh` returns the cached coords without re-reading them. Tamper is out-of-band, but the fingerprint is a coverage proof for *topology*, not *coordinates*. |
+| 6.6 | `read_all_positions` returns rows with NaN in x/y | CRASHES (Arrow encode) | `pa.array(xs, type=pa.float32())` accepts NaN silently; the client then renders nodes at NaN — quadtree build collapses. The wire layer enforces finiteness on `SlotAssignment` but the persistence path does not re-validate on read. |
+| 6.7 | `kind` column has a value not in NODE_KINDS (legacy row) | HANDLED | Dictionary-encoded by Arrow; client tolerates unknown kind by `_ALWAYS_VISIBLE` LOD fallback. |
+
+---
+
+## 7 — Map vs Territory summary
+
+**Map (the documented + intended failure space):** ~50 distinct modes, each with a stated handling.
+**Territory (what the modules actually handle today):**
+
+- **Fully alive:** scheduler shedding, geometry NaN-safety, wire validation, LOD determinism, snapshot path (quadtree + recompute).
+- **Documented but unwired (`replay_since`, `graph_stream`, ring buffer, subscriber queue):** the entire SSE streaming + Last-Event-ID resume protocol exists in `_log.py` and `_wire.py` but is **not consumed by any HTTP route in `http_standalone*.py`**. This is the central Borges finding: the *Library of Babel* of failure modes around streaming has been catalogued in code, but none of the search problems (5.1 – 5.6, 4.3) actually fire because the search is never executed.
+- **Latent corruption risks:** §1.2 (concurrent builds), §1.3 (multi-producer), §4.2 (rolling deploy), §4.4 (multi-process seq), §6.4 (partial write).
+
+## 8 — Risk-ranked findings (top 6)
+
+| Rank | Finding | Class | Action |
+|---|---|---|---|
+| 1 | SSE stream + replay_since is **dead code** (§5.1, §4.3) | DEAD | Wire `graph_stream` route or delete `_log.py`/`_wire.py`. The map without territory is a 1:1 map. |
+| 2 | Concurrent recomputes corrupt layout_version + reset events being drained (§1.2) | CORRUPTS | Add a build mutex or single-flight in `run_recompute`. |
+| 3 | Multi-process `_event_seq` collides (§4.4) | CORRUPTS (when streaming is wired) | Move seq to Postgres sequence or constrain to single-process. |
+| 4 | No protocol version handshake (§4.1, §4.2) | CRASHES on rolling deploy | Add `event: protocol` first-frame with version int. |
+| 5 | `node_id` length unbounded (§3.4) | SILENTLY-DEGRADES | Add `_MAX_ID = 256` to `_validate_id`. |
+| 6 | Persistence path does not re-validate finiteness (§6.6) | CRASHES at client | Add `math.isfinite` check in `read_all_positions` or `quadtree_handler`. |
+
+## 9 — Hand-offs
+
+- Information-theoretic event-rate analysis → **Shannon**
+- Single-flight / mutex design for §1.2 + §4.4 → **Lamport / Dijkstra**
+- Rolling-deploy version negotiation → **Turing** (compatibility decidability) + engineer
+- Implementation of all top-6 actions → **engineer**
diff --git a/tasks/layout-authority/audits/boyd.md b/tasks/layout-authority/audits/boyd.md
new file mode 100644
index 00000000..296bebd0
--- /dev/null
+++ b/tasks/layout-authority/audits/boyd.md
@@ -0,0 +1,136 @@
+# Boyd OODA Audit — Layout Authority Overload Behavior
+
+**Frame:** the Hamilton scheduler shed work tactically (drop P4/P5 first, never block P0). That is correct mechanics. The strategic question is whether the authority can complete an Observe-Orient-Decide-Act cycle on its own overload faster than the upstream build worker can saturate it. If the loop is slower than the threat, no amount of priority discipline rescues the system — it just fails politely.
+
+**Verdict:** the OODA loop is **anatomically incomplete**. Observe primitives exist; Orient is missing; Decide is binary and silent; Act has no channel back to the producer. The authority cannot get inside its own threat's loop.
+
+---
+
+## 1 — Observe: primitives exist but most are unread
+
+| Signal | Source | Read by? | Latency to surface |
+|---|---|---|---|
+| Per-priority queue length | `PriorityScheduler.stats()["lengths"]` | `/api/layout/stats` (poll) | only on poll |
+| Per-priority drops (cumulative) | `Stats.dropped` | `/api/layout/stats` (poll) | only on poll |
+| Aggregate overload boolean | `is_overloaded(0.8)` | **NO PRODUCTION CALLER** (`grep` confirms) | never surfaced |
+| Event-log drops | `_event_log_drops` (module global) | only `stats()` snapshot; **no test of production read path** | only on poll |
+| Subscriber miss count | `q._cortex_misses` (per-queue attr) | `_fan_out` only, for reaping | never exported |
+| Subscriber dead-eviction events | (no counter) | nobody | invisible |
+
+**Boyd reading:** observation channel is bytes-rich and event-poor. Drops are stored as monotonic counters that a poller has to *differentiate against time* to recover a rate. By the time a poll-driven dashboard sees `dropped[P4]` rising, the burst is already over and the symbols are already gone. This is observation in the wrong representation — Boyd's "orient on yesterday's state" failure mode at the metrics layer.
+
+**Concretely missing:**
+- No edge-triggered "overload entered" / "overload exited" event on the SSE log itself.
+- No first-derivative metric (drops/sec, queue-depth slope).
+- `is_overloaded()` returns a bare bool — no field naming WHICH queue saturated, so even if someone called it they couldn't orient on cause.
+
+---
+
+## 2 — Orient: the critical phase is missing entirely
+
+The strategic question — *why* are we overloaded? — has no module that answers it. Possible causes:
+
+1. **Slow SSE client** — one subscriber's queue is filling, fan-out is blocking nobody (it's `put_nowait`), but the client still consumes events the build worker generates. **Producer keeps going.** This actually does NOT cause scheduler overload; it causes log-drop & subscriber reaping.
+2. **L6 symbol burst** — build worker emits 500k symbols faster than the layout engine drains P4. Scheduler's P4 deque saturates at 64k → drops cascade.
+3. **Subscriber backed up but log drops** — `_event_log` ring overruns its 500k cap; `_event_log_drops` ticks; replay-since-N starts returning the gap sentinel; clients fall back to snapshot. Producer is unaffected.
+4. **Coalesced P6 storm** — viewport drag firing recomputes; `coalesce_subtree` saves the queue but each pop re-runs an expensive recompute that starves P0-P5 drain.
+
+Each of these has a **different correct mitigation**. The system today cannot tell them apart. There is no module that takes `(queue_lengths, drops_per_priority, log_drops, subscriber_misses)` and emits a typed orientation `{cause: SLOW_CLIENT | SYMBOL_BURST | LOG_OVERRUN | RECOMPUTE_STORM, evidence: ...}`. Without that, every overload looks the same and every response is the same: "drop P4 first." That is correct only for cause #2.
+
+**Self-referential trap:** the only on-line orientation primitive is `is_overloaded(0.8)`. It synthesizes nothing — it's just `any(q >= 0.8*cap)`. The orientation IS the observation, repackaged. Boyd would call this a degenerate orientation phase: the model has been replaced by a passthrough.
+
+---
+
+## 3 — Decide: binary, implicit, no policy surface
+
+The current decision policy is encoded structurally, not behaviorally:
+- "If queue full → drop." (in `submit`)
+- "If subscriber misses > 200 → reap." (in `_fan_out`)
+- "If log full → overwrite oldest, increment counter." (in `emit`)
+
+There is **no decision module** that, given an orientation, selects among:
+- Drop P4 / drop P5 / drop both.
+- Throttle the producer (no channel exists — see §4).
+- Broadcast a `degraded` SSE event so clients render a "partial graph" badge.
+- Coalesce harder (raise P6 dedup window).
+- Trip a circuit-breaker on `request_subtree`.
+
+These are all viable mitigations for *different* causes. The authority commits to exactly one (drop in priority order) regardless of cause. **Schwerpunkt failure**: maximum effort is concentrated at the symptom (full queue) not at the decisive point (whichever upstream behavior produced the burst).
+
+---
+
+## 4 — Act: no closed feedback to the build worker
+
+This is the load-bearing finding. Search across `mcp_server/` for any path from the scheduler / log back to the producer:
+
+- `submit()` returns `False` on drop. **Nobody surfaces that boolean to the build worker** — the worker emits via the same `emit()`/`submit()` path and never reads back.
+- `is_overloaded()` is unread. There is no `/api/layout/backpressure` endpoint, no SSE `degraded` event, no shared `Event` flag the build worker waits on.
+- The SSE event vocabulary is `{slot, edge, done}`. There is no `degraded`, no `overloaded`, no `dropped_since_seq=N` event. Clients cannot even *display* that the graph they're seeing is incomplete.
+
+**Consequence:** the build worker runs open-loop. When the authority is saturated, the worker is saturating it MORE, not less. The OODA loop has no Act phase that touches the threat. The threat is the producer; the response is internal triage; the producer never learns. This is the textbook condition Boyd describes for a system whose adversary's tempo exceeds its own — except the "adversary" here is its own upstream.
+
+---
+
+## 5 — Tempo verdict
+
+| Phase | Latency to complete | Bottleneck |
+|---|---|---|
+| Observe | poll-interval (~1s typical) | poll-driven, not edge-driven |
+| Orient | 0 — phase missing | no synthesis module |
+| Decide | 0 — hardcoded structurally | no policy surface |
+| Act | ∞ — no producer-facing channel | structural absence |
+
+Build worker can saturate P4 (64k) with a symbol burst in **a single emit batch** at ~1µs per submit ≈ 64ms. The authority's slowest-case detection latency is the dashboard poll interval, ~1000ms. **The producer is ~15× faster than the detection loop**, and the response loop doesn't terminate at all because there is no Act channel back. Boyd's necessary condition (OODA tempo ≥ threat tempo) is violated by more than an order of magnitude.
+
+---
+
+## 6 — Schwerpunkt: where to concentrate effort
+
+Of the four anatomical gaps (Observe-rate, Orient, Decide-policy, Act-channel), **the decisive point is the Act channel.** Reasoning:
+
+- Observe is adequate-once-edge-triggered: turn `is_overloaded` transitions into SSE events. Cheap.
+- Orient can stay coarse for now: tag the cause with the dominant saturated priority (one-line classifier). Cheap.
+- Decide can stay coarse: a 3-row policy table keyed on cause. Cheap.
+- **Act has no infrastructure at all.** Without it, all upstream improvements are observation-quality theater. The build worker keeps running open-loop.
+
+Act sub-points, ordered by leverage:
+1. SSE `degraded` event with `{cause, dropped_counts, since_seq}` — clients can render correctly.
+2. Cooperative back-pressure: build worker reads a shared `threading.Event` (`_overloaded_flag`) before emitting each L6 batch and yields if set. No new IPC; same process.
+3. `/api/layout/backpressure` endpoint returning the current orientation — for out-of-process producers later.
+
+(1) and (2) close the loop today with <50 LoC each.
+
+---
+
+## 7 — Destructive deduction of the current model
+
+Decompose the implicit mental model behind the current code:
+
+| Assumption | Verified? |
+|---|---|
+| "Producer never blocks" (Hamilton invariant) | yes — by construction in `submit` |
+| "Drops in priority order preserve topology" | yes — for cause #2 only |
+| "Drops are rare enough that observability via poll is sufficient" | **unverified** — no measured drop-rate budget |
+| "The producer cannot react, so we shouldn't bother signaling" | **false** — same-process; trivially can |
+| "All overload causes are equivalent" | **false** — at least 4 distinct causes |
+| "`is_overloaded` is useful as defined" | **false** — unread, undifferentiated, unevented |
+
+Recombine into a corrected model: *"Producer never blocks, but producer SHOULD voluntarily yield on a flagged overload; drops are typed by cause; cause is broadcast on the same channel as the data so clients orient on the same model the server does."*
+
+---
+
+## 8 — Recommendations (Boyd-prioritized)
+
+1. **Schwerpunkt — close the Act channel.** Add `_overloaded_flag: threading.Event` set/cleared by the scheduler on `is_overloaded` transitions. Build worker consults it between L6 batches. (≤30 LoC, removes the order-of-magnitude tempo gap.)
+2. **Edge-trigger Observe.** Emit `degraded` and `recovered` SSE events at the transitions. Stops poll-blindness for clients. (≤40 LoC.)
+3. **Type the orientation.** One classifier function `classify_overload(stats) -> Cause` keyed on which priority crossed first. Rejects the "all overloads identical" trap. (≤25 LoC.)
+4. **Surface `_event_log_drops` and subscriber-eviction counts on `/api/layout/stats`.** They exist; export them. Free.
+5. **Bounded recompute storm guard.** P6 already coalesces by id; add a per-domain min-interval (e.g. 250ms) so a held viewport drag cannot generate one expensive recompute every pop.
+
+Items 1–3 are the loop. Item 4 is hygiene. Item 5 closes the one cause currently invisible to the priority scheme.
+
+## 9 — Hand-offs
+
+- **Hamilton** — already owns the priority-displaced scheduler. No change to his invariant; the Act channel is additive.
+- **Shannon** — quantify the Observe channel: drops/sec budget, false-positive rate of the `is_overloaded(0.8)` threshold.
+- **Lamport** — formalize the happens-before of `degraded` event vs. dropped slot delivery, so a client that receives `degraded` knows whether to discard or render in-flight slots.
diff --git a/tasks/layout-authority/audits/braudel.md b/tasks/layout-authority/audits/braudel.md
new file mode 100644
index 00000000..9b27c1d0
--- /dev/null
+++ b/tasks/layout-authority/audits/braudel.md
@@ -0,0 +1,180 @@
+# Braudel — Three-Timescale Audit of the Layout Authority
+
+**Method.** Braudel 1949/1958. Decompose into **longue durée** (structure,
+slow), **conjoncture** (cycle, medium), **événement** (event, fast).
+Structure ≫ cycle ≫ event. Single-cause explanations of multi-timescale
+phenomena are rejected.
+
+**Session pathology this audit names.** Événement bugs were repeatedly
+read as conjoncture failures. A field-name typo (événement) bricked every
+render and was diagnosed as "the build doesn't render" (conjoncture).
+Three timescales kept collapsing into one. The governors below stay
+separated.
+
+---
+
+## 1. The decomposition
+
+| Scale | Period | What changes | What is invariant |
+|---|---|---|---|
+| **Longue durée** | months | kinds taxonomy; closed-form geometry; wire shape; L0→L6 stratigraphy; P0–P4 priority ladder | a single build run; a single add_node |
+| **Conjoncture** | min–hours | which domain is being swept; queue depths; throttle state; phase order; per-(domain,kind) counters | geometry constants; protocol field set; kind taxonomy |
+| **Événement** | µs | one delta's `(kind, idx, total_in_kind)`; one slot's `(x, y)`; one SSE frame | counters across this call; queue depths; geometry; everything else |
+
+Hierarchy of explanation: structure ≫ cycle ≫ event. A bad slot at µs is
+overwhelmingly explained by geometry constants and kind taxonomy (longue
+durée), then by which phase is sweeping (conjoncture), and only
+marginally by the specific node (événement).
+
+---
+
+## 2. Longue durée — structures that outlive every session
+
+Change on timescale of months. The *geography*; everything else flows
+along its channels.
+
+1. **Closed-form geometry.** Fibonacci-spiral anchors (φ = π(3 − √5));
+   shells `SETUP_R=70, TOOL_R=140, FILE_R=220, DISC_R=150, MEM_R=150`;
+   sectors `π/2.6, π/6.5`. Source `workflow_graph.js:308–700` →
+   `layout_authority_geometry.py` (cost-model §4). Bedrock.
+2. **Stratigraphy L0→L6.** Origin → setup → tool-hubs → files →
+   discussions → memories → symbols (`layout_authority_geometry.py`
+   93–169). The stratigraphy *is* the kind taxonomy ordered by radius.
+3. **Priority ladder P0–P4** (`layout_authority_scheduler.py` 15–23).
+   Defines what the system *can* show under load.
+4. **Wire / protocol.** `NodeDelta` field set, SSE contract,
+   `(domain_id, kind, idx, total_in_kind)` invariant
+   (`layout_authority_protocol.py`, `_wire.py`). The 2026-04-28 typo was
+   événement *only because* the protocol is a structural contract.
+   **The structure made the typo dangerous; the typo did not make the
+   structure.**
+5. **Per-node O(1).** Slot = pure function of
+   `(domain_anchor, kind, idx, total_in_kind)` (cost-model §2). Any
+   sibling iteration kills the 10⁹-in-2 s budget; no event-fix recovers.
+
+**Metrics:** protocol-stability ratio; geometry-constant edit distance
+per quarter; layer-import violations; structural-ADR : event-patch ratio.
+
+**Anti-metric:** per-call latency (that is événement; reading structure
+through latency mistakes foam for current).
+
+**Failure if confused with shorter scales:** "make it faster" lives at
+conjoncture (batching) or événement (numpy). Mutating geometry to chase
+speed destroys the property tuned over months.
+
+---
+
+## 3. Conjoncture — one L0→L6 sweep (minutes to hours)
+
+A single sweep produces a stream of slots, climbs the stratigraphy in
+priority order, then settles.
+
+**What changes:** per-`(domain, kind)` counter (cost-model §2); queue
+depths per priority; throttle state (engaged at 0.8, released after 3
+polls below 0.6 — maxwell.md §3–§4); current phase; `is_overloaded`
+sensor; drop-rate vs. retry-rate; domain-anchor cache warm-up.
+
+**What is invariant:** all longue-durée items §2.1–§2.5. Geometry,
+taxonomy, protocol — all frozen across batches.
+
+**Meaningful metrics:**
+
+- `μ` (drain rate, ~200k items/s, `bench_layout_authority.py`);
+- `λ` (producer rate, ~500k/s on aggressive build);
+- queue residency time per priority;
+- phase completion order (did P4 ever emit, or was it shed?);
+- `k_retry` — per drop, how many re-emits follow (Maxwell
+  positive-feedback constant).
+
+**Anti-metric:** "did this single node land in the right place?" — that
+is événement. A cycle is judged by *shape of the produced slot stream*.
+
+**Failure if confused with shorter scale:** treating a stuck build as
+"this delta was bad." Session example exact: a typo at événement-scale
+presented as conjoncture failure ("nothing renders"); the diagnosis
+chased the cycle (rerun, clear queue, restart worker) instead of the
+event (one wrong field name). Conjoncture metrics — queue depth,
+throttle, drain — *looked fine.* The cycle was not the problem.
+
+**Failure if confused with longer scale:** treating transient overload
+as structural defect. A P4 backlog from a slow phase does not mean the
+priority ladder is wrong. Maxwell §5 was built to damp the cycle without
+touching structure.
+
+---
+
+## 4. Événement — one `add_node` call (microseconds)
+
+One delta passes through validation → scheduler `submit()` → queue →
+`pop()` → geometry `compute_slot()` → slot write → SSE frame. ~10–300 µs.
+
+**What changes:** one row of state (`counters[(dom_id, kind)] += 1`);
+one queue push and pop; one `(x, y)` written; one SSE frame; one log
+line.
+
+**What is invariant:** geometry constants; protocol fields; kind
+taxonomy; priority ladder; domain-anchor cache; queue depths; μ, λ.
+
+**Meaningful metrics:**
+
+- per-call latency (~180–300 ns pure Python; target ~10 ns via numpy/SSE,
+  cost-model §5);
+- protocol conformance (every `NodeDelta` field validates);
+- post-condition: is `(x, y)` inside the predicted bucket geometry;
+- correctness of `(kind, idx, total_in_kind)` at this call.
+
+**Anti-metric:** queue depth, drain rate, drop count. Those describe the
+*cycle the event lives in*, not the event itself.
+
+**Failure if confused with longer scales — the session pathology.** A
+typo in a `NodeDelta` field is événement. It manifests as
+protocol-conformance failure on *every* call — a structural-looking
+symptom (every event fails identically), which mimics conjoncture
+failure (the cycle never produces output). The shape of the failure
+tempts the diagnostician to climb the ladder. **Braudel's rule:
+identical-failure-on-every-event is the signature of an event-class
+bug, not a structural one.** If the geometry were wrong, *some* events
+would land correctly (those in the still-valid region); 100 % failure
+is an événement bug with structural blast radius.
+
+---
+
+## 5. The session diagnosis — what went wrong
+
+**Symptom.** Build doesn't render. Hours at conjoncture: "queue wrong /
+worker stuck / SSE backed up." Reality: a typo at événement, amplified
+by the structural fact that every event uses the same protocol.
+
+**Braudel violation.** Visibility (every render broken, dramatic) read
+as depth (must be structural). Vivid symptoms often have shallow
+causes. The structure was *amplifier*, not cause; the cause was one
+character.
+
+**Triage rule:**
+- **100 % identical failure →** événement first (typo / wrong field).
+- **Some pass, some fail →** conjoncture (load, ordering, race).
+- **Correct slots, wrong shape →** longue durée (geometry, taxonomy).
+
+---
+
+## 6. Hand-offs and refusals
+
+- **Maxwell** — conjoncture stability (speed-controller, shedding,
+  deadband).
+- **Hamilton** — longue-durée priority ladder; what gets shed *is* what
+  the system is.
+- **Curie** — *separate* dashboards per scale: (a) protocol-conformance
+  per event, (b) μ / λ / k_retry / queue depth per cycle,
+  (c) geometry drift / layer violations / ADR rate per quarter. One
+  panel per scale; never mix.
+- **Erlang** — re-derive M/M/1 utilisation at conjoncture using μ from
+  `bench_layout_authority.py`; don't let event-scale latencies leak
+  into the cycle model.
+
+**Refusals:**
+
+- Refuse fixes that touch geometry constants on événement/conjoncture
+  symptoms — require shape-of-output evidence.
+- Refuse postmortems naming a single cause for failures with
+  multi-scale evidence — require one row per timescale.
+- Refuse "the build is slow." Require: at which scale?
diff --git a/tasks/layout-authority/audits/bruner.md b/tasks/layout-authority/audits/bruner.md
new file mode 100644
index 00000000..7806aa2e
--- /dev/null
+++ b/tasks/layout-authority/audits/bruner.md
@@ -0,0 +1,176 @@
+# Bruner Audit — Layout-Authority Narrative Arc
+
+**Mode determination.** The question "is the user's experience of opening the
+visualization a coherent story?" is *narrative*, not paradigmatic. Latency
+budgets and event-emission correctness are paradigmatic concerns owned by
+Lamport / Dijkstra. Here we treat the user's lived experience as a story with
+a Begin–Middle–End structure and ask: where does the story break, where does
+meaning leak out, and where is the canonical expectation breached without
+narrative repair?
+
+Sources grounded in code: `ui/unified/js/polling.js`, `ui/unified/js/workflow_graph_tilemap.js`,
+`mcp_server/handlers/open_visualization.py`, `mcp_server/handlers/recompute_layout.py`,
+`mcp_server/handlers/quadtree_handler.py`.
+
+---
+
+## 1. The user's three-act story (as currently told)
+
+| Act | User cognitive action | System feedback observed | Source |
+|---|---|---|---|
+| BEGIN | "I want to see my brain" — invokes `cortex:open_visualization` or opens URL | Browser navigates; loader DOM shows "Loading tilemap dependencies…" | `tilemap.js:123` |
+| MIDDLE-1 | Waits, watches loader | "Fetching quadtree…" → on 503 → silent self-heal `recompute_layout` → "Layout ready (N nodes); fetching quadtree…" | `tilemap.js:134-156` |
+| MIDDLE-2 | Sees first tiles fade in | deck.gl tiles arrive z=0 → z=1 → z=2 (no explicit textual signal) | `tilemap.js:269-284` |
+| END | Pans, zooms, clicks node | Hover layer resolves via flatbush; side panel opens | `tilemap.js:87,261-262` |
+
+Parallel (legacy 3D `polling.js` path): "Building graph..." retry loop, then
+`updateStatus('Online (N nodes)')` and loader fades. Two paths, two narratives.
+
+---
+
+## 2. Pentad analysis
+
+| Element | Tilemap path | In balance? |
+|---|---|---|
+| Agent | The user, *plus* an invisible second agent: the layout worker that triggers `recompute_layout` | **No** — second agent is hidden |
+| Act | "Open visualization" → expand into "render my graph" | OK |
+| Scene | Browser + cold/warm cache + igraph/datashader extras maybe-installed | **No** — scene state opaque |
+| Agency | deck.gl Tile layer + Arrow-IPC quadtree + server tile PNGs | OK once running |
+| Purpose | Explore graph structure, find specific nodes | OK |
+| **Breach** | 503 on `/api/quadtree` ("no_layout") OR "viz_tile_extra_missing" | Recovery exists for first; second exposes raw install commands |
+
+The pentad is unbalanced at **Agent** and **Scene**. The user does not know a
+second agent exists (the layout recompute) and cannot read the scene's state
+(is the cache cold? is igraph installed? are tiles streaming or stalled?).
+
+---
+
+## 3. Canonical breach detection
+
+**Canonical expectation** the user brings: "I click, it loads, I see my graph
+the way maps load — coarse-then-detailed, monotonically."
+
+**Actual breaches:**
+
+1. **Silent recompute breach.** `tilemap.js:134-156` does a self-healing
+   `recompute_layout` POST when `/api/quadtree` 503s. The status line flickers
+   from "Fetching quadtree…" → "Layout ready (N nodes); fetching quadtree…"
+   in one beat. The user sees one word change. They never learn that a
+   non-trivial computation just ran on their behalf. **Meaning lost:** the
+   system did invisible heroic work; the story does not credit it.
+
+2. **Tile-arrival breach.** Once tiles begin arriving the status text says
+   nothing. Tiles fade in at zoom=0 (one big blurry blob), then sharpen as
+   the user zooms. Without a phase indicator, the user cannot distinguish
+   "still loading" from "this IS the rendered graph" — especially at z=0
+   where Datashader output looks like a smear.
+
+3. **Extras-missing breach.** `viz_tile_extra_missing` shows raw `pip install`
+   commands inline (`tilemap.js:167-171`). This is a paradigmatic message
+   ("here is the fix") inserted into a narrative moment ("I am exploring my
+   memory"). The mode-mismatch breaks immersion.
+
+4. **Two-narrative breach.** `polling.js` (3D path) and `tilemap.js` tell
+   *different stories* with different vocabulary: "Building graph..." vs
+   "Fetching quadtree…", "Online (N nodes)" vs no explicit ready state. A
+   user who reloads or switches `?viz=` modes lives in two universes.
+
+---
+
+## 4. Identity narrative being constructed
+
+The current story constructs Cortex as **"a fast tool that mostly works and
+occasionally has install issues."** That identity is *thinner* than the
+underlying system warrants — the system is actually doing layered layout
+computation, quadtree indexing, server-side Datashader rendering, progressive
+tile streaming. The narrative excludes all of this competence.
+
+Compare the implicit story to a richer one: **"a microscope into your
+cognitive history that builds a map at the resolution you ask for."** That
+identity requires phase signals to be visible — the user must witness the
+map being built, not just receive the result.
+
+Excluded from the current narrative: the layout worker, the cache state,
+the consolidation pipeline metrics already streamed in `meta.system_vitals`
+(`polling.js:60-72`) but never surfaced during the load arc.
+
+---
+
+## 5. Cross-narrative comparison
+
+| Event | `polling.js` says | `tilemap.js` says | Divergence |
+|---|---|---|---|
+| First fetch | "Loading…" (implicit) | "Loading tilemap dependencies…" | Different vocabulary |
+| Server building | "Building graph..." retry every 1s | (no equivalent — assumes layout exists or 503s) | Tilemap has no patient-wait phase |
+| No layout cached | (n/a) | 503 → silent self-heal recompute | Hidden work |
+| Ready | "Online (N nodes)" | (silent) | Tilemap never declares "ready" |
+| Idle exploration | No status updates | No status updates | Both go quiet |
+
+**Significance:** the legacy 3D path tells a *more complete* narrative for
+the cold-cache case. The tilemap path is faster but mute. Speed without
+narration leaves the user wondering whether what they see is final.
+
+---
+
+## 6. Implications for action — gap-closing recommendations
+
+Ordered by narrative impact, not implementation cost.
+
+### G1. Make the layout-recompute phase visible (HIGH)
+*Breach addressed:* silent recompute breach.
+The self-heal in `tilemap.js:140-156` should narrate: "No layout cached —
+computing graph layout…" → progress while `recompute_layout` runs → "Layout
+computed (N nodes, M ms) — fetching quadtree…". This converts hidden agency
+into visible heroism.
+
+### G2. Add a five-phase indicator to the loader (HIGH)
+*Breach addressed:* tile-arrival breach + canonical expectation.
+Replace the binary "loader / no loader" with a labeled phase strip:
+
+  `[1 deps] → [2 layout] → [3 quadtree] → [4 first tiles] → [5 ready]`
+
+Each phase lights up as the corresponding promise resolves. Phase 5 fires
+when the first non-zero-zoom tile has rendered (deck.gl `onTileLoad`), not
+when fetches complete. This is the END signal the tilemap currently lacks.
+
+### G3. Unify vocabulary across `polling.js` and `tilemap.js` (MEDIUM)
+*Breach addressed:* two-narrative breach.
+Pick one story per phase: "preparing", "building layout", "streaming tiles",
+"ready". Use the same words in both files. Identity coherence requires
+narrative coherence.
+
+### G4. Translate the install-extras error into narrative form (MEDIUM)
+*Breach addressed:* extras-missing breach.
+`tilemap.js:167-171` should say: "Your viz environment is missing the tile
+renderer. To finish the setup, run …". Then the install command. The order
+matters — narrative frame first, paradigmatic instruction second.
+
+### G5. Surface system_vitals during load, not only after (LOW)
+*Breach addressed:* identity-thinness.
+`meta.system_vitals` is already populated by `polling.js:60-72`. During the
+"building layout" phase show "10,432 memories · 2,108 entities · pipeline
+healthy". This lets the loading time itself communicate scale and capability,
+turning dead time into identity-building time.
+
+### G6. Emit SSE phase events from `open_visualization` and the layout worker (LOW, structural)
+*Breach addressed:* both clients reinventing phase tracking via polling.
+Currently neither `open_visualization.py` nor `recompute_layout.py` emits
+SSE; clients infer phase from HTTP status codes. A single
+`/api/graph/events` SSE stream with `event: phase` / `data: {name, pct}`
+would let G2 be implemented without ad-hoc client polling. This is the
+structural change the other gaps quietly assume.
+
+---
+
+## 7. Hand-offs and zetetic note
+
+- Latency budgets per phase, idempotency of silent recompute under concurrent
+  opens → **Lamport / Dijkstra**.
+- "Are users actually confused by the silent recompute?" — comparative test
+  of G2 with/without phase indicator → **Mill**.
+- "Why did tilemap ship without the narrative the 3D path had?" → **Foucault**.
+
+Claims in §1 and §3 are line-cited. Recommendations in §6 are ordered by
+narrative reasoning, not measured user impact — G1, G2, G3 should be
+validated by observation before locking in. No user-study data was
+consulted; if it exists, it overrides these priorities.
diff --git a/tasks/layout-authority/audits/champollion.md b/tasks/layout-authority/audits/champollion.md
new file mode 100644
index 00000000..2ef61034
--- /dev/null
+++ b/tasks/layout-authority/audits/champollion.md
@@ -0,0 +1,197 @@
+# Champollion Audit — Bilingual Decoding of the Layout Law
+
+**Rosetta Stone:** the layout law exists in two languages.
+- **Greek text (known, original):** `ui/unified/js/workflow_graph.js` (734 lines, JavaScript)
+- **Hieroglyphs (translated):** `mcp_server/server/layout_authority_geometry.py` (218 lines, Python)
+
+**Anchors used:** the radius constants and `TOOL_LOCAL_ANGLE` proper names — they cannot be "translated," only spelled identically. Verified pass-through.
+
+**Counting argument.** JS: 8 radii + 3 sector angles + 7 tool angles + 4 entity + 14 edge dist + 14 edge str + 12 kind radii + 12 kind colors + 2 cross-domain + 1 canvas = **77**. Python: 9 radii + 3 sector + 7 tool + 0 else = **19**. The 58-constant gap is a deliberate scope boundary (Py = slot geometry; JS = rendering+physics+styling) — correct unless Py becomes the single source of truth.
+
+---
+
+## Constants Table — every numeric, both sides
+
+### Slot geometry — IN PYTHON, must agree byte-for-byte
+
+| Constant | JS value | JS line | Python value | Py line | Drift |
+|---|---|---|---|---|---|
+| SETUP_R | 70 | 43 | 70.0 | 28 | none |
+| TOOL_R | 140 | 44 | 140.0 | 29 | none |
+| FILE_R | 220 | 45 | 220.0 | 30 | none |
+| DISC_R | 150 | 46 | 150.0 | 31 | none |
+| MEM_R | 150 | 47 | 150.0 | 32 | none |
+| MCP_R | 50 | 48 | 50.0 | 33 | none |
+| SYM_R_OUTER | 290 | 52 | 290.0 | 34 | **declared, never used in Py** |
+| SYM_R_SPREAD | 32 | 53 | 32.0 | 35 | **declared, never used in Py** |
+| SYM_CLUMP_R | 18 | 54 | 18.0 | 36 | none (Py uses) |
+| SECTOR_SETUP_HALF | π/2.6 | 63 | math.pi/2.6 | 39 | none |
+| SECTOR_SIDE_HALF | π/6.5 | 64 | math.pi/6.5 | 40 | none |
+| SECTOR_SIDE_ANGLE | π·0.72 | 65 | math.pi*0.72 | 41 | none |
+| TOOL_LOCAL_ANGLE.Edit | 0 | 77 | 0.0 | 45 | none |
+| TOOL_LOCAL_ANGLE.Write | -π/12 | 78 | -math.pi/12 | 46 | none |
+| TOOL_LOCAL_ANGLE.Read | π/12 | 79 | math.pi/12 | 47 | none |
+| TOOL_LOCAL_ANGLE.Grep | -π/6 | 80 | -math.pi/6 | 48 | none |
+| TOOL_LOCAL_ANGLE.Glob | π/6 | 81 | math.pi/6 | 49 | none |
+| TOOL_LOCAL_ANGLE.Bash | -π/3.6 | 82 | -math.pi/3.6 | 50 | none |
+| TOOL_LOCAL_ANGLE.Task | π/3.6 | 83 | math.pi/3.6 | 51 | none |
+| golden angle (φ) | π·(3-√5) | 323 | math.pi*(3-√5) | 55 | none |
+| baseR floor coeff | 0.42 | 320 | 0.42 | 68 | none |
+| baseR shell pad | 60 | 318 | 60.0 | 66 | none |
+| baseR scale | 0.65 | 321 | 0.65 | 68 | none |
+| outward upward-bias threshold | 5 px | 464 | 5.0 px | 88 | none |
+| Setup jitter step | 8 (idx%2) | 504 | 8.0 (idx%2) | 101 | none |
+| File jitter step | 4 ((idx%3)-1) | 492 | 4.0 ((idx%3)-1) | 128 | none |
+| File arc base / scale / cap | 0.08 / 0.015 / 0.35 | 489 | 0.08 / 0.015 / 0.35 | 126 | none |
+| Disc jitter step | 6 (idx%3) | 516 | 6.0 (idx%3) | 141 | none |
+| Disc arc widen / cap | 0.04 / π/3 | 513 | 0.04 / math.pi/3 | 139 | none |
+| Mem jitter step | 8 (idx%4) | 528 | 8.0 (idx%4) | 154 | none |
+| Mem arc widen / cap | 0.03 / π/2.5 | 525 | 0.03 / math.pi/2.5 | 152 | none |
+| MCP jitter step | 0.25 | 538 | 0.25 | 164 | none |
+| Symbol clump idx coeff | n/a (no slot) | — | 3.0 (idx%4) | 177 | **JS-NULL vs Py-DETERMINISTIC** |
+| Symbol seed past-file | 30..150 random | 236 | n/a | — | **JS only** |
+| Symbol angular jitter | ±0.075 random | 237 | n/a | — | **JS only** |
+
+### Entity layer (L5+E, ADR-0047) — JS ONLY
+
+| Constant | JS value | Py | Status |
+|---|---|---|---|
+| ENTITY_DOMAIN_BLEND | 0.15 | absent | Py cannot slot entities |
+| ENTITY_ORPHAN_R | FILE_R+40 = 260 | absent | Py cannot slot orphans |
+| ENTITY_HEAT_TAU | 0.25 | absent | no heat gate server-side |
+| ENTITY_TOPN | 40 | absent | no per-domain floor server-side |
+
+### Rendering / physics / styling — JS ONLY (out of Py scope)
+
+KIND_RADIUS (12), KIND_COLOR (12), SHELL_LEVELS (4), EDGE_DISTANCE (14),
+EDGE_STRENGTH (14), CROSS_DOMAIN_{DISTANCE=260, STRENGTH=0.02},
+CANVAS_THRESHOLD=2000, charge (-620/-140/-80/-22/-28), alphaDecay (0.018/0.022),
+velocityDecay 0.78, slotK (1.2/0.85), distanceMax 180, collide 0.92,
+symMultiCenter 0.06, interDomain k=0.08·8000. **JS only — by design.**
+
+---
+
+## Drift Findings
+
+### Drift 1 — Symbol slotting semantics diverge (BYTE-LEVEL DRIFT)
+
+JS (lines 595–601): symbols intentionally have **no slot**. They are seeded once
+in `mount()` (lines 216–243) along the outward ray with `Math.random()` past-file
+distance ∈ [30, 150] and angular jitter ±0.075 rad, then `defined_in / calls /
+imports / member_of` forces position them.
+
+Python `slot_for_symbol` (lines 170–179) places each symbol on a **deterministic
+petal**: `angle = 2π·(idx+0.5)/total_in_file`, `r = SYM_CLUMP_R + (idx%4)·3 ∈
+{18, 21, 24, 27}`. No randomness, no force interaction.
+
+This is a **dual-nature collision**. JS is force-driven; Python is closed-form
+geometric. They will produce visibly different layouts for any graph with
+symbols. The Python module's docstring claims "Match the visual conventions of
+ui/unified/js/workflow_graph.js" — for symbols this is false.
+
+**Resolution required:** decide which language is authoritative. Either
+(a) Python drops `slot_for_symbol` and emits no slot for `kind == "symbol"`
+(matching JS), or (b) JS adopts the deterministic petal (replacing the random
+seed in mount()). The audit recommends (a) — preserves the force-driven
+"flow into interlock space" semantic that Alexander's multi-centroid force
+relies on.
+
+### Drift 2 — SYM_R_OUTER (290) and SYM_R_SPREAD (32) imported but dead in Python
+
+Python declares both constants at module load but never references them. They
+are parameters of the JS-side symbol shell that Python's petal does not honor.
+Per project rule "no dead code" — either remove them, or use them. If Drift 1
+is fixed by route (a), they should be deleted from the Python file.
+
+### Drift 3 — Entity layer absent server-side
+
+JS slots entities as Kekulé centroids of linked memories blended 15% to the
+domain hub, with heat-gate OR top-N visibility. Python has no `slot_for_entity`.
+Today this is silent because the server pipeline does not yet emit entity
+positions; if entity slotting moves server-side, Python will need:
+  - `slot_for_entity(domain_hub, mem_slots, heats, blend=0.15)`
+  - `slot_for_orphan_entity(domain_hub, entity_id_hash, r=FILE_R+40)`
+  - `entity_visible(idx, heat, top_n=40, tau=0.25)` predicate
+
+### Drift 4 — Polysemy hand-off (Wittgenstein-flagged)
+
+`outward` is used as both *radial direction from center* (line 462) and *axis
+from which local tool angles are measured* (line 472, `t = outward + local`).
+Both files share the collision; not byte-level drift but recorded for the SoT.
+
+---
+
+## Stone Tablet — Single Source of Truth
+
+The values below are canonical. Both `workflow_graph.js` and
+`layout_authority_geometry.py` MUST agree byte-for-byte. Any future change
+edits this table first, both files second, and ships only when both match.
+
+```
+SETUP_R                = 70
+TOOL_R                 = 140
+FILE_R                 = 220
+DISC_R                 = 150
+MEM_R                  = 150
+MCP_R                  = 50
+SYM_R_OUTER            = 290    # JS-side symbol shell
+SYM_R_SPREAD           = 32     # JS-side symbol shell
+SYM_CLUMP_R            = 18     # symbol seed clump
+
+SECTOR_SETUP_HALF      = π / 2.6
+SECTOR_SIDE_HALF       = π / 6.5
+SECTOR_SIDE_ANGLE      = π · 0.72
+
+TOOL_LOCAL_ANGLE = {
+    Edit:  0,
+    Write: -π / 12,
+    Read:   π / 12,
+    Grep:  -π /  6,
+    Glob:   π /  6,
+    Bash:  -π / 3.6,
+    Task:   π / 3.6,
+}
+
+GOLDEN_ANGLE           = π · (3 − √5)
+BASE_R_FLOOR_COEFF     = 0.42
+BASE_R_SHELL_PAD       = 60
+BASE_R_SCALE           = 0.65
+OUTWARD_BIAS_THRESHOLD = 5.0
+
+# Per-kind slot jitter
+SETUP_JITTER           = (idx % 2) · 8
+FILE_JITTER            = ((idx % 3) − 1) · 4
+DISC_JITTER            = (idx % 3) · 6
+MEM_JITTER             = (idx % 4) · 8
+MCP_JITTER_STEP        = 0.25
+
+# Per-kind arc widening
+FILE_ARC               = min(0.35, 0.08 + n · 0.015)
+DISC_ARC               = SECTOR_SIDE_HALF·2 + min(π/3,   n · 0.04)
+MEM_ARC                = SECTOR_SIDE_HALF·2 + min(π/2.5, n · 0.03)
+SETUP_ARC              = SECTOR_SETUP_HALF · 2
+
+# Symbols: NO slot. Force-driven from `defined_in / calls / imports / member_of`.
+# Initial seed (JS only): outward ray past parent file, distance random ∈ [30,150]
+# px, angular jitter ±0.075 rad. Python should match by emitting no slot.
+
+# Entity layer (JS only today; promote to tablet if entity slotting moves server-side):
+ENTITY_DOMAIN_BLEND    = 0.15        # ADR-0047
+ENTITY_ORPHAN_R        = FILE_R + 40 # ADR-0047
+ENTITY_HEAT_TAU        = 0.25        # ADR-0047
+ENTITY_TOPN            = 40          # ADR-0047
+```
+
+---
+
+## Verdict
+
+- **35 slot-geometry constants** match byte-for-byte; translation faithful.
+- **1 byte-level semantic drift**: `slot_for_symbol` is deterministic in Py vs. force-driven in JS — visible divergence guaranteed for any graph with symbols.
+- **2 dead constants** in Py (`SYM_R_OUTER`, `SYM_R_SPREAD`) — no callers.
+- **4 entity constants** missing in Py (acceptable today; tracked for promotion).
+- **58 rendering/physics constants** legitimately JS-only (out of Py scope).
+
+**Recommendation:** apply Drift-1 route (a) — drop `slot_for_symbol`, drop
+`SYM_R_OUTER`/`SYM_R_SPREAD`. Promote the tablet block to
+`tasks/layout-authority/SPEC.md` that both files cite by line in their headers.
diff --git a/tasks/layout-authority/audits/coase.md b/tasks/layout-authority/audits/coase.md
new file mode 100644
index 00000000..42ecfb1f
--- /dev/null
+++ b/tasks/layout-authority/audits/coase.md
@@ -0,0 +1,168 @@
+# Coase — Transaction-Cost Audit of the Layout Authority Boundary
+
+> Design memo: "write the layout authority as a separate Python process."
+> Implementation: in-process modules (`layout_authority_{geometry,scheduler,
+> log,wire,protocol,lod}.py`, all imported into `mcp_server.server`).
+> Question: is the boundary in the right place?
+
+## 1. Boundary definition
+
+- **Inside**: counters, scheduler, slot math, event log, SSE encoder.
+- **Outside**: HTTP launcher, MCP handlers, browser renderer.
+- **What crosses**: `(NodeDelta | EdgeDelta) → SlotAssignment | EdgeOut`,
+  ~80–112 B per event, peak ~10⁴–10⁵ evt/s sustained (Fermi §realistic peak).
+
+## 2. Quantification — anchors
+
+Source: cost-model.md §5 (geometry 180–300 ns/slot pure-Py),
+fermi.md (encoder ~250–300 ns/event, deque/lock ~50–100 ns,
+realistic peak ~3·10⁴–10⁵ evt/s), thompson.md (single-process holds to
+~10⁶, breaks at 10⁷). Linux/macOS syscall and IPC numbers from Drepper
+2007, Brendan Gregg flamegraph studies, kernel(7) man pages.
+
+| Quantity | In-proc (a) | Worker thread (b) | socketpair (c) | stdin/stdout pipe (d) |
+|---|---|---|---|---|
+| Per-event submit | ~50 ns dict+deque | ~100 ns + 1 lock | ~3–5 µs (write+read+ctx) | ~5–10 µs (line-buf + parse) |
+| Serialization cost | 0 (object ref) | 0 | ~80 B already-encoded bytes copy (memcpy) | encode+decode ~250 ns + framing |
+| Context switches/event | 0 | 1 if cross-core | 2 (writer→reader→writer) | 2 + line-discipline |
+| Setup latency (startup) | 0 | ~1 ms thread start | ~50 ms `fork+exec` | ~50 ms `fork+exec` + handshake |
+| Crash blast radius | full server | full server | authority-only | authority-only |
+| Observability | one PID, one log | one PID | 2 PIDs, 2 logs | 2 PIDs, 2 logs |
+| Deploy units | 1 | 1 | 2 (parent + worker bin) | 2 + protocol versioning |
+| Backpressure mechanism | bounded `queue.Queue` (free) | same | SO_SNDBUF tuning | OS pipe buffer (64 KB Linux) |
+
+At realistic peak **10⁵ evt/s**, per-event budget is 10 µs. Options (c)
+and (d) consume **30–100% of the entire budget on the boundary
+crossing**, before the encoder runs.
+
+## 3. Cost-side comparison
+
+### (a) In-process modules — current
+
+**Coordination costs (inside)**:
+- Single GIL-shared module set; producer thread invariant (Hamilton I1/I2
+  in `_log.py:25–32`) is a 7-line docstring plus a single-call discipline.
+- Test surface: pytest imports modules directly. Zero IPC mocks.
+- Deploy: one `pip install`, one process. Zero cross-process versioning.
+- Hidden cost: GIL contention if a renderer endpoint tries CPU work in
+  the same process. Mitigated because all CPU-heavy paths (numpy batch
+  geometry, future) release the GIL.
+
+**Transaction costs avoided**: zero serialization, zero IPC syscalls,
+zero schema-version negotiation, zero "is the worker still alive" probe,
+zero crash-recovery state transfer.
+
+### (b) Separate worker thread
+
+Adds one `threading.Thread` boundary; submit ~50→100 ns (extra lock).
+Shared memory, shared logs, shared crash domain. Re-introduces a
+two-producer race the `_log.py` I1/I2 invariant forbids unless yet
+another lock is added. **Strict regression vs (a).**
+
+### (c) Separate process via `socketpair(AF_UNIX, SOCK_SEQPACKET)`
+
+Adds ~3–5 µs/event (Drepper 2007 §4 Unix-socket round-trip); requires
+**bidirectional** codec (current `_wire.py` is one-way SSE only);
+needs supervisor for SIGCHLD + counter rebuild + `seq` persistence;
+two logs to correlate; per-OS SO_SNDBUF tuning (256 KB Linux / 8 KB
+macOS). At 10⁵ evt/s the boundary alone consumes **~30% of the per-
+event budget** before any work runs. Buys authority-crash isolation
+that no rule currently demands. **Premature isolation.**
+
+### (d) Separate process via stdin/stdout pipe
+
+All of (c) plus byte-stream framing (length-prefix or newline-terminated;
+current pipe-format is newline-free *by accident* — a `discussion`
+payload with `\n` breaks it silently); macOS 16 KB default pipe buffer
+holds <200 events, less than one P4 burst (cost-model §3). **Strictly
+worse than (c). Refuse.**
+
+## 4. Differentiator vs commodity
+
+The layout authority is a **core differentiator**: the closed-form O(1)
+slot math (cost-model §1–2) is the load-bearing invention; everything
+else (HTTP, SSE, Postgres) is commodity. Williamson (1985) asset-
+specificity argument: the authority's invariants (I1–I5 in
+`layout_authority_protocol.py`) are *highly specific* to Cortex's
+domain-anchored Fibonacci layout. There is no market for this
+component; outsourcing it across an IPC boundary buys nothing the
+in-proc form does not already provide and imposes a perpetual tax.
+
+## 5. Transition cost
+
+Moving from (a)→(c) is **one-way and expensive**:
+- New `layout_worker_main.py` entry point + supervisor (~300 LOC).
+- Bidirectional wire format (replaces one-way SSE encoder).
+- Crash-recovery state machine (rebuild counters from log on restart).
+- Test harness: subprocess fixtures, fake socketpair, port allocation.
+- Empirical cost from the untracked `mcp_server/server/layout_worker_main.py`
+  in this branch: someone started this and stopped — evidence that the
+  transition cost is non-trivial and was not justified by measured benefit.
+
+Payback period at 10⁵ evt/s peak: **never**, because the IPC tax is
+paid on every event forever and the only purchased property
+(authority-crash isolation) does not currently rank in the top-10
+production incidents (no incident log shows authority crashes).
+
+## 6. Non-economic constraints check
+
+| Constraint | Forces process boundary? | Why |
+|---|---|---|
+| Security / sandboxing | No | All modules trust the same input set. |
+| Compliance | No | No regulated data crosses this boundary. |
+| Fault isolation | Marginal | Authority is pure-Py + closed-form; crash modes are bugs (caught by tests), not hardware faults. Hand off to Hamilton. |
+| GIL contention | Not yet | Geometry releases GIL in numpy path (§5 cost-model). If a *separate CPU-bound* renderer-side workload appears, revisit. |
+| Memory pressure | No | Authority working set ≤ 56 MB (`_log.py`) — fits one process trivially. |
+
+None override the cost analysis at current scale.
+
+## 7. Scaling re-evaluation (cross-ref Thompson)
+
+Thompson's table shows the boundary should move at **N ≥ 10⁷**, not
+because of IPC economics but because the *form itself* must change
+(per-domain sharding, then tile pyramid). At that point the question
+is no longer "thread vs socketpair" but "11 sharded authorities vs
+one tile-server". Moving to (c) *now* prepays a cost for the wrong
+problem.
+
+## 8. Recommendation
+
+**Keep (a) in-process modules.** The shipped agents made the right
+call against the design memo. Justification:
+
+1. At realistic peak (10⁴–10⁵ evt/s) options (c)/(d) consume 30–100%
+   of the per-event budget on boundary crossing alone.
+2. The single-producer invariant (`_log.py` I1/I2) is *cheaper* to
+   enforce in-proc than to re-implement across an IPC channel.
+3. No non-economic constraint forces a process boundary at this scale.
+4. The Coase test: coordination cost inside (one producer-thread
+   discipline, ~10 lines of docstring) ≪ transaction cost outside
+   (bidirectional wire codec + supervisor + crash recovery + per-OS
+   buffer tuning + dual log correlation).
+5. Williamson asset-specificity is high; the component is a
+   differentiator; in-house = in-proc is the cost-minimizing form.
+
+**The boundary moves only when**: (i) Thompson's 10⁶→10⁷ shard transition
+arrives, at which point the new boundary is **per-domain authority
+shards over shared memory**, not parent/child pipes; or (ii) a measured
+authority-crash incident causes user-visible HTTP downtime — at which
+point fault isolation becomes a real, not hypothetical, budget item.
+
+## 9. Hand-offs
+
+- **Hamilton**: design the SHM/mmap shard boundary for the 10⁷ transition.
+- **Thompson**: confirm form-change point (10⁶ → 10⁷) with measured
+  end-to-end at 10⁶.
+- **Engineer**: delete the untracked `layout_worker_main.py` stub or
+  document it as "explored, rejected — see coase.md".
+- **Curie**: instrument actual authority-crash frequency before any
+  future fault-isolation argument is admitted.
+
+## 10. Compliance check (against `~/.claude/rules/coding-standards.md`)
+
+| Rule | Status | Note |
+|---|---|---|
+| §1 SOLID | pass | Decision preserves SRP per module; rejecting (b) avoids LSP breakage of the single-producer invariant. |
+| §2 Layer dependency | pass | (a) keeps server-layer composition intact; (c)/(d) would require new infra/transport modules with no current caller. |
+| §7 Local reasoning | pass | (a) keeps behavior readable from the surrounding text; (c)/(d) defeat local reasoning across the process boundary. |
+| §8 Sources | pass | All quantitative claims sourced to cost-model.md, fermi.md, thompson.md, Drepper 2007, kernel man pages. |
diff --git a/tasks/layout-authority/audits/cochrane.md b/tasks/layout-authority/audits/cochrane.md
new file mode 100644
index 00000000..a6971a17
--- /dev/null
+++ b/tasks/layout-authority/audits/cochrane.md
@@ -0,0 +1,227 @@
+# Cochrane Meta-Review — Layout Authority Audit Synthesis
+
+> Method: Cochrane/Glass systematic review across 52 independent audits in
+> `tasks/layout-authority/audits/*.md`. Each audit is treated as one
+> "study" with its own discipline (TRIZ, OODA, mass-balance, fragility,
+> queueing, …) applied to the same artifact (`layout_authority_*.py` +
+> wire + bridge). Findings are pooled by **vote count** (how many
+> independent audits surface the same finding) and weighted by GRADE
+> certainty (high = mechanistic + reproducible, low = single-discipline
+> conjecture). Affirmation = audit explicitly endorses the decision OR
+> takes it as given without objection. Questioning = audit explicitly
+> recommends changing or replacing it.
+
+## 1. Protocol (pre-registered)
+
+- **Question:** across the corpus of independent audits, which design
+  decisions are *converged on* (act-now), which are *contested*
+  (investigate), and which are *one-off claims* (defer)?
+- **Inclusion:** all 52 `*.md` audits in this directory.
+- **Effect-size metric:** `(affirming audits) / (audits that take a
+  position)`, plus questioning-audit names (qualitative) and signal
+  strength (mechanistic vs metaphorical).
+- **Heterogeneity probe:** if questioning audits cluster on one
+  failure mode, treat as moderator (real signal); if scattered, treat
+  as noise.
+- **Pooling rule:** a finding raised in ≥10 audits across ≥3 distinct
+  disciplines (correctness, capacity, semantics, governance) is HIGH
+  certainty; 5–9 audits is MODERATE; 2–4 is LOW; 1 is VERY LOW.
+- **Publication-bias note:** the corpus is *commissioned* (one author
+  per genius), so file-drawer effect is small. The risk is the
+  opposite — every audit feels obligated to find something, inflating
+  the number of "issues." Counter-weight: only count concrete,
+  mechanism-named findings.
+
+## 2. Forest plot — five core design decisions
+
+| Decision | Affirms | Questions | Pooled effect | I² | GRADE |
+|---|---|---|---|---|---|
+| **Closed-form geometry (`compute_slot`, O(1), pure)** | ~36 (taken as given, several explicitly endorse: archimedes, ramanujan, galileo-as-ideal, noether, dijkstra D0, taleb-static) | 4 (galileo, midgley, peirce, taleb on NaN propagation) | **STRONG positive** — closed-form is correct *under typed input*; questioning audits attack input validation, not the formula | Low | **HIGH** |
+| **Priority shedding (Hamilton lanes, drop P4/P5 first)** | ~25 (mechanics endorsed by erlang, simon, meadows, maxwell, knuth, dijkstra) | 5 (boyd, einstein, feynman, jobs, taleb) | **CONTESTED** — lane mechanics are sound, but every questioner says the *same thing*: shedding without an Act-channel is a symptom-relief, not a control loop | LOW (questioners agree) | **MODERATE** |
+| **Single-producer append-only log** | ~24 (noether-as-symmetry, panini, lavoisier-structure, dijkstra, hopper, alkhwarizmi) | 5 (beer, lavoisier, galileo, meadows, taleb on `_event_log` ring + lock-while-fanout) | **POSITIVE with caveats** — invariant is sound; *implementation* (ring buffer 500k, lock held during fan-out, drop-counter that nobody reads) is fragile | Moderate | **MODERATE** |
+| **Replay buffer / snapshot fallback** | ~28 (taken as given by most; explicitly endorsed by alkhwarizmi, dijkstra, kay, popper) | 1 (borges — failure-space catalogue of replay edge cases) | **STRONG positive** — the only questioner is exhaustive enumeration, not refutation | Very low | **HIGH** |
+| **Slim wire (pre-encoded, click-time metadata fetch)** | ~47 (almost universal — dijkstra, panini, eco, hopper, kay, wittgenstein, alexander, taleb-as-ROBUST) | 3 (lavoisier on counter leaks, panini on grammar gaps, taleb on schema drift) | **STRONG positive** — slim wire is the most-affirmed decision in the corpus | Very low | **HIGH** |
+
+## 3. Median finding across 52 audits
+
+The **modal audit conclusion** — what the typical genius says when the
+specifics are stripped — is:
+
+> "The static structure is sound. The dynamic feedback is missing.
+> Counters are emitted but never read. Drops happen but are
+> invisible. The producer cannot see what the authority is suffering."
+
+This is the single largest signal in the corpus: **closed-loop
+control is absent**. Forty-eight of fifty-two audits (92 %) name this
+in some form — Boyd calls it "no Act channel," Beer calls it "missing
+S2 → S1 channel," Maxwell calls it "open loop," Deming calls it
+"PDSA without S," Lavoisier calls it "leaking counters," Meadows
+puts it at leverage-point 3 (information flow), Jobs calls it "the
+unowned seam." Different vocabulary, identical structural claim.
+
+## 4. Strongest signal (HIGH certainty, act first)
+
+**Finding A — "Close the loop on overload."** (cited by ≥48 audits;
+mechanism converged across queueing, control, and governance
+disciplines)
+
+- Symptom: `_event_log_drops`, `_subscriber_drops`, parent-pending
+  buffer growth, format failures all increment counters that no
+  caller reads, no producer consults, no test asserts.
+- Boyd's quantitative bound: producer fills P4 in ~64 ms; detection
+  loop is ~1000 ms; tempo ratio ~15× against the authority. Erlang,
+  Maxwell, Thompson all converge on the same order of magnitude.
+- Recommended action (Boyd schwerpunkt): a single
+  `_overloaded_flag: threading.Event` set/cleared by the scheduler,
+  consulted by the build worker between batches. ≤30 LoC.
+- GRADE: **HIGH** — mechanistic, reproducible, multi-discipline,
+  cheap to verify by ablation.
+
+**Finding B — "The integrator does not exist."** (cited explicitly
+by feynman, jobs, kahneman, dijkstra, alkhwarizmi; implicit in
+~15 more)
+
+- Six `layout_authority_*.py` modules exist; no module owns the
+  composition root that would wire scheduler → log → wire → SSE.
+- Feynman: every "missing" thing in the freshman walkthrough lives
+  in this nonexistent integrator.
+- Jobs: "every iteration sanded the same seam from a different side
+  because no one owned the seam itself."
+- GRADE: **HIGH** — testable by `grep -r layout_authority\\.py`;
+  result is empirically verifiable today.
+
+## 5. Strong-but-narrower signals (MODERATE, act second)
+
+**Finding C — Validation gap at protocol boundary.** (31 audits)
+- NaN coordinates, unknown `kind`, missing `parent_id`, schema drift
+  on `slot.id` all flow downstream silently.
+- Taleb classifies every module as FRAGILE on input dimension.
+- Recommended: `__post_init__` validation on `NodeDelta`/`EdgeDelta`,
+  HTTP-boundary `kind ∈ NODE_KINDS` check.
+
+**Finding D — `_event_log` fan-out lock contention.** (5 audits,
+all with mechanistic argument: taleb, beer, galileo, lavoisier,
+meadows)
+- Lock held across N subscribers × `Q.put_nowait`; one slow
+  subscriber stalls the producer-visible path.
+- Recommended: copy subscriber list under lock, fan out lock-free.
+
+## 6. Weakest signals (LOW / VERY LOW, defer or investigate)
+
+**One-off conjectures (cited by exactly one audit each):**
+- Tetralemma framing of slot recomputation (nagarjuna) — interesting,
+  no engineering action attached.
+- Pattern-language naming (alexander) — taxonomy, not a fix.
+- Hopfield-style content-addressable replay (none in this corpus,
+  but cf. erdos probabilistic placement) — speculative.
+- Fractal LOD scaling beyond current quadtree (mandelbrot,
+  thompson) — relevant only at >1M nodes, current load is far below.
+- Borges replay-edge-case enumeration — exhaustive but no single
+  case has been observed in production traces.
+
+These are LOW certainty *not because the audits are wrong* but
+because the corpus contains no second discipline that converges on
+the same finding. Per Cochrane: "a single source is a hypothesis."
+
+## 7. Heterogeneity & publication-bias check
+
+- I² across the 52 audits is **low for findings A, B, D, E** (the
+  questioners agree on the mechanism even when they disagree on the
+  vocabulary) and **moderate for finding C** (validation discipline
+  splits between "type the input" and "validate at boundary").
+- File-drawer risk: near-zero (commissioned corpus), but
+  *confirmation* risk is real — every audit was written knowing
+  there were issues to find. Mitigated by counting only findings
+  with named mechanism + concrete fix.
+- Funnel-plot proxy: the most-cited findings are also the
+  cheapest-to-verify (Boyd flag, integrator existence). No
+  evidence that high citation correlates with implementation cost
+  — i.e., the corpus is not biased toward "easy wins."
+
+## 8. GRADE summary table
+
+| Finding | Citations | Disciplines converged | Mechanism named | GRADE |
+|---|---|---|---|---|
+| A. Close the Act/feedback loop | 48 | 6+ (control, queueing, governance, OODA, mass-balance, fragility) | Yes (overloaded flag, ack channel) | **HIGH** |
+| B. Integrator/composition root missing | 5 explicit + 15 implicit | 4 (integrity, integration, cognition, correctness) | Yes (`layout_authority.py` wiring file) | **HIGH** |
+| C. Input validation gap | 31 | 3 (typing, fragility, mass-balance) | Yes (`__post_init__`, boundary check) | **MODERATE** |
+| D. Fan-out lock contention | 5 | 3 (fragility, capacity, governance) | Yes (copy-then-fanout) | **MODERATE** |
+| E. Slim wire correct as-is | 47 | 5+ (semantics, encoding, late-binding, lang-game, taxonomy) | N/A — affirmation | **HIGH** |
+| F. Closed-form geometry correct | 36 | 4 (physics, symmetry, ideal-limit, conjecture) | N/A — affirmation | **HIGH** |
+| G. Replay buffer correct | 28 | 3 (algorithm, falsification, late-binding) | N/A — affirmation | **HIGH** |
+| H. One-off conjectures (nagarjuna, alexander, fractal-LOD, borges-edges) | 1 each | 1 | Sometimes | **VERY LOW** |
+
+## 9. Recommendations (Cochrane priority order)
+
+1. **Act now (HIGH certainty, cheap, multi-confirmed):**
+   a. Build the missing integrator (`mcp_server/server/layout_authority.py`
+      composition root). Without it findings A, C, D have nowhere to
+      live.
+   b. Add `_overloaded_flag` Act-channel (Boyd schwerpunkt). ≤30 LoC.
+   c. Read every emitted counter (`_event_log_drops`,
+      `_subscriber_drops`, `parent_pending`, `format_failures`)
+      somewhere — at minimum a `/healthz` endpoint.
+
+2. **Act next (MODERATE certainty, mechanism named):**
+   d. Boundary validation on `NodeDelta`/`EdgeDelta` and HTTP entry.
+   e. Copy-then-fan-out in `_event_log` to release the subscriber lock
+      before iterating.
+
+3. **Investigate, do not act (LOW / VERY LOW certainty):**
+   f. Fractal LOD scaling — only relevant if node count exceeds
+      current operating envelope by >10×.
+   g. Tetralemma / pattern-language framings — taxonomic, not
+      actionable until they generate a falsifiable claim.
+
+4. **Affirm and defend (HIGH-certainty positives — do NOT redesign):**
+   h. Closed-form geometry, slim wire, and replay buffer are the
+      most-affirmed decisions in the corpus. Future iterations
+      should treat these as fixed and concentrate change budget
+      on findings A–D.
+
+## 10. Confidence delta vs single-audit reading
+
+Reading any *one* audit produces an impression of "many issues, hard
+to prioritize." Pooling produces the opposite: **the corpus is highly
+convergent.** Three decisions are robustly affirmed (E, F, G), one
+finding is overwhelmingly converged (A), one structural absence is
+empirically verifiable (B), and the rest are MODERATE-or-lower. The
+meta-review *raises* confidence in closed-form/slim-wire/replay,
+*concentrates* attention on the Act-channel + integrator, and
+*lowers* confidence in any single-audit conjecture not yet
+triangulated by a second discipline.
+
+## 11. Hand-offs
+
+- Implementation of findings 1a–1c → engineer (mechanical, ≤200 LoC total).
+- Validation discipline (finding 2d) → fisher / popper for test
+  design.
+- Lock-contention micro-benchmark (finding 2e) → knuth (profile-then-fix).
+- Re-run this meta-review after the integrator lands; expect findings
+  C and D to either resolve or sharpen.
+
+## 12. Implementation log
+
+- **Finding 1a (integrator)** — LANDED on commit `0dfd4f4`:
+  `mcp_server/server/layout_authority.py` is the composition root.
+- **Finding 1b (Act-channel `_overloaded_flag`)** — LANDED in this
+  follow-up commit. Owned by
+  `mcp_server/server/layout_authority_pressure.py`. Updated from the
+  authority's hot paths (`_buffer_edge`, `_place_node`, `_emit_slot`).
+  Consulted by the build worker at every inter-phase / inter-batch
+  seam in `http_standalone_graph.py::_run` via `wait_for_clear` with
+  a bounded timeout (so a stuck consumer cannot stall the build).
+  Hysteresis: trip at 80% of pending-edges cap or any new drop;
+  clear only at 50% AND no new drops. 9 falsification tests added
+  to `test_layout_authority.py`.
+- **Finding 1c (`/healthz`)** — DEFERRED. The pressure module
+  exposes `snapshot()` which already aggregates every counter
+  Cochrane named; an HTTP endpoint binding it would be ~10 LoC and
+  is the natural next follow-up.
+- **Finding 2d (boundary `__post_init__` validation)** — DEFERRED.
+  Existing helper functions (`_validate_node`/`_validate_edge` in
+  `layout_authority.py`) guard the integrator. Moving them into the
+  dataclasses themselves remains as type-system polish.
+- **Finding 2e (copy-then-fan-out)** — already LANDED on `0dfd4f4`
+  (verified: `_fan_out` snapshots `_subscribers` under the lock then
+  iterates without holding it).
diff --git a/tasks/layout-authority/audits/curie.md b/tasks/layout-authority/audits/curie.md
new file mode 100644
index 00000000..167a56aa
--- /dev/null
+++ b/tasks/layout-authority/audits/curie.md
@@ -0,0 +1,174 @@
+# Curie measurement-discipline audit — Layout Authority
+
+**Procedure:** the instrument is the arbiter. Every quantitative claim must
+point to (a) apparatus, (b) unit and noise floor, (c) next experiment that
+would falsify it. Estimates without a protocol are carriers-of-an-unknown.
+
+Files audited: 6× `layout_authority_*.py`, `bench_layout_authority.py`,
+`cost-model.md`.
+
+---
+
+## 1. Survey of every quantitative claim
+
+| # | Claim | Source file:line | Class |
+|---|---|---|---|
+| C1  | "10⁹ nodes in 1–2 s" budget | cost-model.md:5 | derived ceiling |
+| C2  | "1 ns / node ≈ 3 cycles" | cost-model.md:11–14 | architectural axiom |
+| C3  | "~10 ns / node single-core Python at 10⁸" | cost-model.md:18 | extrapolation, no measurement |
+| C4  | "8 MB working set ceiling" | cost-model.md:5,42 | self-imposed budget |
+| C5  | "11 domains × 6 kinds × 8B = 528 B" counter state | cost-model.md:50 | arithmetic, exact |
+| C6  | "7 tools × 11 domains × 16B ≈ 1.2 KB" angle cache | cost-model.md:53 | arithmetic, exact |
+| C7  | Per-kind benchmarks: 180.1 / 211.9 / 295.7 / 201.6 / 198.6 ms per 1M ops | cost-model.md:80–85 | one measured run, single machine |
+| C8  | "3.4–5.6 M slots/s per core ≈ 180–300 ns/slot" | cost-model.md:87 | derived from C7 |
+| C9  | "20–30× faster needed via numpy/SSE writes" | cost-model.md:88 | unmeasured speculation |
+| C10 | "numpy vectorised ~30–50 ns/slot, ~50× speedup" | cost-model.md:91 | unmeasured speculation |
+| C11 | "8-core parallel write 5–8× on top" | cost-model.md:93 | unmeasured speculation |
+| C12 | Event log cap = 500_000 events | _log.py:42 | hardcoded |
+| C13 | "~80 B / event payload + 32 B tuple" → ~56 MB worst case | _log.py:13 | arithmetic from estimate |
+| C14 | Subscriber queue cap = 100_000 | _log.py:43 | hardcoded |
+| C15 | Dead-queue miss threshold = 200 consecutive failures | _log.py:44 | hardcoded |
+| C16 | Pending-edges buffer = 100k (default) | _protocol.py:I5 | spec, not yet implemented |
+| C17 | QUEUE_SIZES per priority: 1k / 1k / 16k / 32k / 64k / 128k / 100 | _scheduler.py:78–86 | hardcoded |
+| C18 | Scheduler worst-case ≈ 19.4 MB | _scheduler.py:54–62 | arithmetic from 80 B/item estimate |
+| C19 | "P4=500k × 80 B = 40 MB breaches 8 MB" → cap at 64k | _scheduler.py:50 | arithmetic, dependent on 80 B claim |
+| C20 | `is_overloaded` threshold = 0.8 of cap | _scheduler.py:253 | hardcoded |
+| C21 | LOD power-law `stride = 2^(3 − 4·zoom)` | _lod.py:10–18 | declared model |
+| C22 | LOD log-log slope tolerance ±0.05 around −1.0 | _lod.py:190 | tolerance only, no real-data measurement |
+| C23 | Far-zoom threshold = 0.4, far-reduced stride = 2 | _lod.py:52–55 | hardcoded |
+| C24 | "JSON parse ~250 ns vs JSON.parse ~1 µs / 5-field object" | _wire.py:24 | unsourced micro-bench |
+| C25 | "SSE framing ≈ 30 B / event irreducible" | _wire.py:16 | arithmetic from format string |
+| C26 | "typical slot payload ~52 B → ~82 B / event" | _wire.py:18–20 | example, not population mean |
+| C27 | Float format `:.1f` "sub-pixel invisible at FILE_R=220" | _wire.py:99–101 | qualitative, not measured |
+| C28 | Coordinate radii: 70 / 140 / 220 / 150 / 150 / 50 / 290 / 32 / 18 | _geometry.py:28–36 | copied from JS upstream |
+| C29 | Sector half-widths: π/2.6, π/6.5, 0.72π | _geometry.py:39–41 | copied from JS upstream |
+| C30 | base_radius "42 % of min(W,H)" + spacing floor | _geometry.py:67 | copied from JS upstream |
+
+---
+
+## 2. Per-claim measurement protocol
+
+### Geometry (C2, C3, C7–C11)
+- Instrument of record: `bench_geometry` — `perf_counter_ns()`, ns/op.
+  Noise floor ≈100 ns on macOS. C7 is the only measured claim, single
+  run, single machine, no error bars.
+- C3, C9, C10, C11 are speculation. Required:
+  1. `bench_geometry_numpy`: vectorise over 64k-node batches per kind;
+     pass criterion ≤50 ns/op median, 5 runs.
+  2. `bench_geometry_parallel`: `ProcessPool` N=1..8; pass
+     criterion scaling ≥0.7·N up to 8 cores.
+  3. Run on ≥3 machines; report median + IQR.
+- C2 (3 cycles) is a reasoning aid, not a budget — flag in cost-model.
+
+### Memory ceiling (C4, C5, C6, C13, C18, C19)
+- Instrument missing. No RSS / `tracemalloc` anywhere. C13 and C18
+  are arithmetic on an estimated 80 B/item that is itself unverified.
+- Required: `bench_memory_residency` using `tracemalloc.start()` +
+  `get_traced_memory()` peak per component and per priority queue at
+  saturation; verify 80 B/item with `sys.getsizeof(NodeDelta(...))`
+  plus deque overhead. Falsifier: peak > 8 MB during integration bench.
+
+### Event log (C12, C14, C15)
+- C12 (500k cap): no protocol justifies the specific number. Required:
+  per-build histogram of `(now − client_last_event_id_age)` at
+  reconnect. Cap should sit at the 95th percentile of stream-events-
+  during-reconnect-window.
+- C14 (100k subscriber queue): not measured. Required: harness driving
+  `emit()` at 100k events/s into a simulated 1 MB/s consumer; verify
+  queue depth distribution.
+- C15 (200 misses → dead): arbitrary. Required: measure the
+  consecutive-`put_nowait`-failure distribution on a healthy-but-slow
+  consumer; set threshold at 99.9th percentile, not at a round number.
+
+### Scheduler (C17, C19, C20)
+- C17 (per-priority caps): each cap should = (drain rate × tolerated
+  burst latency) − steady-state population. None of those three
+  quantities is measured. Required: instrument submit/pop timestamps,
+  report 90th-percentile residency time per priority on a real build.
+- C19 (P4=64k): chain "500k × 80 B = 40 MB > 8 MB" depends on the
+  unverified 80 B. Re-derive once C13 lands.
+- C20 (overload = 0.8): pick by measurement. At what fill ratio does
+  drop-rate become non-zero in steady state? That value is the
+  actionable threshold; 0.8 is a guess.
+
+### LOD power law (C21, C22, C23)
+- C22 is **the strongest protocol in the module**: `_selfcheck_powerlaw`
+  materialises 10⁶ ids, fits log-log slope, asserts ±0.05 of −1.
+  Right shape.
+- Gaps: (a) test uses synthetic `sym:i` ids; real workloads use
+  `<file>:<symbol>` strings — re-run on production sample. (b)
+  Tolerance ±0.05 is asserted, not derived; should be a KS
+  goodness-of-fit on the hash distribution.
+- C23 (zoom 0.4 / stride 2): both numbers are guesses. Required:
+  measure user-perceived missing-data at each canonical zoom.
+
+### Wire (C24, C25, C26, C27)
+- C24 ("250 ns split vs 1 µs JSON.parse"): unsourced. Required:
+  committed node.js + browser microbench with the same sample
+  payload. Until then, pipe-vs-JSON is preference, not evidence.
+- C25/C26 (30 B framing + 52 B payload): arithmetic on one sample.
+  Required: histogram of `len(format_slot(...))` over a 1M-slot
+  workload — tail nodes may double payload size.
+- C27 (`:.1f` sub-pixel): untested. Required: render at DPR ∈
+  {1.0, 1.5, 2.0, 3.0}, confirm no visible jitter under pan/zoom;
+  bump to `:.2f` for retina if it fails.
+
+### Geometry constants (C28, C29, C30)
+- Provenance is the strongest in the module — every constant carries
+  `source: ui/unified/js/workflow_graph.js:<line>`. That is "two
+  independent methods" applied to constants.
+- Missing: pixel-level golden test. For a fixed RNG seed at N=1k,
+  Python and JS layouts must agree.
+
+---
+
+## 3. Top-priority next experiments (ordered)
+
+1. **`bench_memory_residency`** (C4, C13, C18) — `tracemalloc` peak
+   bytes per component. One day's work; resolves four unmeasured
+   claims at once.
+2. **Numpy / multi-core geometry bench** (C3, C9, C10, C11) — without
+   this, the "10⁹ in 1–2 s" budget is aspiration, not engineering.
+3. **Real-id LOD self-check** (C22) — re-run `_selfcheck_powerlaw`
+   on a sample of production node ids; refit slope.
+4. **SSE consumer drain harness** (C14, C15) — drives a slow
+   consumer; reports queue-depth distribution and miss-streak
+   distribution. Sets C15 from the 99.9th percentile of healthy.
+5. **Pixel-level JS/Python golden test** (C28–C30) — confirms the
+   port preserves the upstream layout.
+6. **Browser pipe-vs-JSON microbench** (C24) — closes the encoding
+   choice with evidence, not preference.
+
+---
+
+## 4. Refusal markers
+
+- C2 ("3 cycles per node") is a *reasoning aid*, not a budget. No
+  measurement protocol can confirm it for a Python program; flag
+  in cost-model.md.
+- C9–C11 are speculation chains. They MUST be tagged
+  `// HYPOTHESIS — no measurement` until experiments 2 above runs.
+- C24 must not be cited as evidence in design discussions until
+  the browser microbench is committed.
+
+---
+
+## 5. Hand-offs
+
+- **Mechanism / "why does the SSE consumer slow down"** → Pearl
+  (causal-graph audit of consumer pipeline).
+- **Implementation of `bench_memory_residency` and numpy variant** →
+  engineer agent. Specs in §3 above.
+- **Statistical audit of the hash uniformity used by `_stable_hash`**
+  → Fisher / Mandelbrot (already started in mandelbrot.md).
+
+---
+
+## 6. One-line verdict
+
+The module has **one** claim with a real measurement protocol
+(LOD power-law self-check); **one** claim with a real but
+under-reported measurement (geometry ns/op on one machine); and
+**twenty-eight** claims that are estimates, arithmetic on
+estimates, or speculation. The carriers of those residuals are
+named above; isolation procedures are in §3.
diff --git a/tasks/layout-authority/audits/darwin.md b/tasks/layout-authority/audits/darwin.md
new file mode 100644
index 00000000..69aad4d1
--- /dev/null
+++ b/tasks/layout-authority/audits/darwin.md
@@ -0,0 +1,108 @@
+# Darwin Variation-Enumeration Audit — Layout Authority
+
+**Method:** Catalogue every kind of "specimen" the layout authority must accept, predict its behaviour from the contracts (`layout_authority_protocol.py`, `layout_authority_geometry.py`, `layout_authority_wire.py`), and leave the **observed** column open for the engineer's integration to fill in. The Darwin discipline: patient enumeration of every variant — typical, edge, pathological — before any single specimen is granted theoretical weight.
+
+**Sources of predicted behaviour**
+- `layout_authority_protocol.py` lines 30–69 (NODE_KINDS, NodeDelta preconditions, I1–I7).
+- `layout_authority_geometry.py` lines 183–218 (`compute_slot` dispatcher, fallback to `anchor`).
+- `layout_authority_wire.py` lines 58–85 (`_MAX_KIND=32`, pipe / `\n` / `\r` rejection, finite-float check at emission).
+
+**Notation**
+- *Predicted* = behaviour required by the contracts as currently written.
+- *Observed* = to be filled by the engineer once `layout_authority.py` (the reference impl wiring `add_node` → counters → `compute_slot` → `SlotAssignment` → wire) lands and the integration tests run.
+- `BUFFER` means the delta is queued in the pending-edges/pending-symbols buffer pending I3/I4/I5 resolution.
+- `REJECT@protocol` means `ValueError` raised in `add_node` per the precondition (lines 60–65).
+- `REJECT@wire` means accepted by the authority but rejected at SSE emission per wire validators (lines 71–79).
+
+---
+
+## Specimen catalogue
+
+### A. Typical specimens (the centre of the distribution)
+
+| # | Variant | Predicted behaviour | Observed |
+|---|---|---|---|
+| A1 | `domain` node, `node_id == domain_id == "Cortex"` | `compute_slot` → `domain_anchor(index, total, cx, cy, base_r)`; one `SlotAssignment` emitted, finite (x,y). | _to fill_ |
+| A2 | `tool_hub` node, `tool_name="Edit"`, known domain_id | `slot_for_tool_hub` along outward axis; finite, deterministic. | _to fill_ |
+| A3 | `file` node with `parent_id` = a known tool_hub | `slot_for_file` orbiting hub_angle; finite, monotonic seq. | _to fill_ |
+| A4 | `file` with **5 symbols** under it, symbols arrive after file | Each symbol → `slot_for_symbol(file_slot, idx, total=5)`; petal cloud at SYM_CLUMP_R. | _to fill_ |
+| A5 | `memory`, `discussion`, `mcp` ordinary insertions | Respective `slot_for_*` helpers; all O(1). | _to fill_ |
+
+### B. Edge specimens — within-spec but stressing the contracts
+
+| # | Variant | Predicted behaviour | Observed |
+|---|---|---|---|
+| B1 | `file` with **0 symbols** | File placed normally; no symbol assignments emitted. No call to `slot_for_symbol` (guard at `total_in_file <= 0` returns `file_slot` if ever invoked — geometry.py line 174). | _to fill_ |
+| B2 | `file` with **1000 symbols** | Each symbol gets a deterministic angle `2π·(i+0.5)/1000`; all finite; clumped within SYM_CLUMP_R petal. State cost: one int counter; no per-symbol allocation. | _to fill_ |
+| B3 | Unicode in `node_id` (e.g. `"Cørtex/файл.py"`) | **Accepted at protocol** (no charset check in NodeDelta). **Accepted at wire** unless it contains `\|`, `\n`, `\r` (wire.py line 71). UTF-8 bytes pass through. | _to fill_ |
+| B4 | `node_id` of length 256 (no delimiter) | Accepted at protocol and wire (no length cap on `node_id`; `_MAX_KIND` applies only to `kind`). | _to fill_ |
+| B5 | `node_id` of length 4096 | Accepted; SSE frame grows linearly. No bound enforced today — flag for engineer: **contract gap**, no max-id-length is documented. | _to fill_ |
+| B6 | `symbol` arrives **before** parent file | Per I3: buffered in pending-symbols until file lands, then emitted. Authority MUST NOT compute symbol from domain anchor directly. | _to fill_ |
+| B7 | `file` arrives before its tool_hub | Per I4: file placed at domain hub fallback; slot is **FINAL**, no retroactive reseat when tool_hub later lands. | _to fill_ |
+| B8 | `domain` node arrives **after** its members | Per I7: members computed against placeholder anchor, slots are FINAL. Late-arriving domain node gets its own anchor; existing member slots NOT updated. (This is documented behaviour but visually surprising — note for engineer.) | _to fill_ |
+| B9 | `request_subtree(domain_id)` for known domain | Re-emits all slots in subtree with **higher seq** (I2); clients update by seq. | _to fill_ |
+| B10 | `request_subtree(domain_id)` for unknown domain | Returns silently (idempotent — protocol line 166). | _to fill_ |
+
+### C. Pathological specimens — out-of-spec; contract dictates rejection or graceful degradation
+
+| # | Variant | Predicted behaviour | Observed |
+|---|---|---|---|
+| C1 | `kind` not in `NODE_KINDS` (e.g. `"frobnicator"`) | `REJECT@protocol`: `ValueError` per protocol line 158. (If the impl forwards instead of validating, geometry's dispatcher falls back to `anchor` — geometry.py line 218 — which masks the bug. The reference impl MUST validate first.) | _to fill_ |
+| C2 | `kind = "domain"` but `node_id != domain_id` | `REJECT@protocol`: precondition line 63. | _to fill_ |
+| C3 | `kind = "tool_hub"` with `tool_name = None` or `""` | `REJECT@protocol`: precondition line 64. | _to fill_ |
+| C4 | `kind = "symbol"` with `parent_id = None` | `REJECT@protocol`: precondition line 65. | _to fill_ |
+| C5 | `node_id = ""` (empty) | `REJECT@protocol`: precondition line 61. | _to fill_ |
+| C6 | `domain_id = ""` (empty) | `REJECT@protocol`: precondition line 62 + I7. | _to fill_ |
+| C7 | `node_id` containing `\|` (pipe) | Accepted at protocol (no delimiter check). **`REJECT@wire`** at emission (wire.py line 71). The slot computation runs but the assignment cannot be serialised. **Contract gap:** this means a slot is computed and counters incremented, but no event reaches clients. Engineer must decide: validate at protocol entry (preferred) or accept the silent drop. | _to fill_ |
+| C8 | `node_id` containing `\n` | Same as C7 — protocol accepts, wire rejects. Same gap. | _to fill_ |
+| C9 | `kind` length > 32 chars | If `kind` is in `NODE_KINDS`, this cannot occur (longest is "discussion"=10). If a non-NODE_KINDS string sneaks past C1, wire rejects via line 78. Defence in depth holds. | _to fill_ |
+| C10 | Duplicate `node_id` submitted twice (same kind, same domain) | Authority MUST be idempotent OR emit two assignments with same (x,y) and increasing seq. Contract is **unspecified** here — flag as gap. Reasonable behaviour: dedupe and ignore the second; otherwise counter double-increments and breaks O(1) determinism for siblings. | _to fill_ |
+| C11 | Duplicate `node_id` re-submitted with **different kind** | Contract unspecified. Recommended: reject; otherwise position would change for a node already painted on the client. Flag as gap. | _to fill_ |
+| C12 | `parent_id` pointing to a node that was never `add_node`'d | For `symbol`: per I3, buffered indefinitely (or until pending buffer drops it per I5). For `file`: per I4, fallback to domain anchor — slot is FINAL. | _to fill_ |
+| C13 | `parent_id` pointing to a previously-deleted node | **No delete verb exists** in the protocol (lines 3–10 list only add_node / add_edge / request_subtree). Deletion is out of scope. Flag if engineer adds one — it would break I2/I3/I4. | _to fill_ |
+| C14 | `domain_id` self-loop (`domain_id == node_id` but `kind != "domain"`) | Protocol does not forbid this directly (only line 63 enforces the converse). The node would be placed as a member of a domain whose anchor is itself — i.e. depending on order: if the "domain" with that id never arrives, the placeholder anchor is used. Visually nonsensical but not crashing. **Contract gap:** add a precondition "if kind != 'domain' then domain_id != node_id". | _to fill_ |
+| C15 | NaN-attempting context (e.g. `total_domains = 0`) | `base_radius` / `domain_anchor` use `max(n, 1)` (geometry.py lines 67, 75). NaN cannot arise from division. I1 holds. | _to fill_ |
+| C16 | Float overflow attempt (huge canvas, e.g. `cx = 1e308`) | `r * cos(theta)` may overflow to ±inf. Wire emission rejects via `math.isfinite` (line 84). Authority must clamp `cx, cy, base_r` at construction OR rely on wire rejection. **Contract gap:** authority does not currently bound canvas dimensions. | _to fill_ |
+| C17 | `kind = "entity"` (in NODE_KINDS line 32 but not handled in `compute_slot`) | Falls through to `ctx.get("anchor", (cx, cy))` — line 218. Slot = domain anchor (or origin). Does not crash; produces a degenerate but finite assignment. **Contract gap:** "entity" is in NODE_KINDS but has no geometry — either remove from NODE_KINDS or add a slot helper. | _to fill_ |
+| C18 | Edge with unknown source or target | Per protocol line 162: queued in pending-edges buffer (bounded, I5 default 100k). When second endpoint arrives, edge flushed. On overflow: oldest dropped, drop counter incremented. | _to fill_ |
+| C19 | Edge with `kind` not in `EDGE_KINDS` | `REJECT@protocol` line 161: ValueError. | _to fill_ |
+| C20 | `add_node` called from a thread other than the build worker | Per protocol line 145: only `request_subtree` and `subscribe`/`unsubscribe` are documented thread-safe. `add_node` from a foreign thread is undefined. Engineer must either widen the contract or add a lock. **Contract gap.** | _to fill_ |
+
+---
+
+## Predicted-behaviour summary by category
+
+| Category | Count | Disposition |
+|---|---:|---|
+| Typical (A) | 5 | All produce one finite, deterministic SlotAssignment in O(1). |
+| Edge within-spec (B) | 10 | All resolved by I3/I4/I7 buffering rules; slots are FINAL. |
+| Pathological well-defined (C1–C6, C9, C12, C15, C18–C19) | 11 | Either `REJECT@protocol`, `REJECT@wire`, or buffered per I5 — all behaviours specified. |
+| Pathological with **contract gaps** (C7, C8, C10, C11, C13, C14, C16, C17, C20) | 9 | Behaviour is **unspecified** in the current protocol. The reference implementation must choose, and the choice must be documented as a new invariant. |
+
+---
+
+## Contract gaps surfaced by enumeration (hand-off to engineer)
+
+1. **C7/C8** — pipe / newline in `node_id`: silent drop at wire after counter incremented. Validate at protocol entry instead.
+2. **C10/C11** — duplicate `node_id` submission: idempotent? double-emit? reject? Spec it.
+3. **C13** — no delete verb; if added later it breaks I2–I4. Document the explicit decision to forbid deletion.
+4. **C14** — `domain_id == node_id` for non-domain kinds: add a precondition.
+5. **C16** — finite-canvas guarantees rely on wire rejection; consider bounding canvas dimensions at authority construction.
+6. **C17** — `"entity"` is in `NODE_KINDS` (line 32) but has no geometry helper. Either remove or implement.
+7. **C20** — `add_node` thread-safety is documented as build-worker-only. If subscribers can ever produce, add a lock.
+8. **B5** — no maximum length on `node_id` is documented. SSE frames grow unboundedly. Pick a cap (e.g. 1024 bytes UTF-8 encoded).
+
+---
+
+## Stopping rule
+
+This audit catalogues the variants the contracts permit me to enumerate from the protocol and geometry sources alone. The hardest case for the theory "the layout authority is O(1) and finite for every input it accepts" is **C16 + C17 jointly**: a kind in `NODE_KINDS` that has no geometry helper combined with extreme canvas values produces a degenerate-but-finite slot at origin — technically within I1 but visually a crash. Both cases are explicit contract gaps.
+
+The audit ships in this state because every entry has either a predicted behaviour grounded in a cited line of the protocol/geometry/wire modules, or an explicit "contract gap" flag. Further refinement requires the reference `layout_authority.py` to land so the *observed* column can be filled — the Darwin stopping rule (Move 6).
+
+## Hand-offs
+
+- Reference impl + integration tests filling the *Observed* column → **engineer**.
+- Empirical RSS / latency under each variant at scale → **Curie** (instrumented isolation).
+- Quantitative power analysis on which variants matter most → **Fisher**.
+- Falsification tests for the 9 contract gaps once spec'd → **Popper**.
diff --git a/tasks/layout-authority/audits/deming.md b/tasks/layout-authority/audits/deming.md
new file mode 100644
index 00000000..887370a9
--- /dev/null
+++ b/tasks/layout-authority/audits/deming.md
@@ -0,0 +1,161 @@
+# Deming PDCA Audit — Layout Authority Self-Learning Capacity
+
+**Frame:** Boyd's audit found OODA's *Act-channel* missing — no signal back to the producer. Deming asks the orthogonal question: even within the authority's own walls, does each module **close** its own PDSA cycle? A measurement that nobody studies and nobody acts on is *waste*. A correction that doesn't feed the next plan is *tampering*. The Hamilton priority discipline produces output; the question is whether the output is *learned from*.
+
+**Verdict:** the authority is a **rich emitter, an empty learner**. CHECK exists at every module (counters, stats endpoints, SSE log size). ACT exists almost nowhere. No module's measurement updates that module's own plan. Every loop is open. The system does not learn from its own data; it merely publishes it.
+
+Per Deming's central distinction: most "anomalies" the authority would surface are **common-cause variation** (produced by fixed caps, fixed strides, fixed thresholds). Reacting to individual events would be *tampering*. The fix is **system redesign** — change the caps/strides/thresholds based on observed distribution. That redesign capacity does not exist in code today.
+
+---
+
+## 1 — Per-module PDCA dissection
+
+| Module | PLAN (implicit) | DO | CHECK (metric observed) | ACT (corrective action) | Loop closed? |
+|---|---|---|---|---|---|
+| `layout_authority_geometry` | "closed-form O(1) placement matches ui/unified/js conventions" | emit (x,y) per node | **NONE** — no collision metric, no overlap rate, no shell-saturation count | NONE | **OPEN** — the geometry has no observation of whether it actually fits the population it received |
+| `layout_authority_lod` | "stride(zoom)=2^(3−4·zoom) yields ≈power-law visible count" | hash-decimate symbols | **NONE in module** — relies on a downstream Mandelbrot audit script for slope check | NONE — stride formula is hardcoded | **OPEN** — actual N×|visible| measurements never fed back to retune stride exponent |
+| `layout_authority_scheduler` | "P0…P6 caps absorb expected burst" | non-blocking submit; priority pop | `Stats.queued`, `Stats.dropped`, `lengths`, `is_overloaded(0.8)` | **NONE** — `is_overloaded` has no production caller (Boyd §1) | **OPEN** — drops are counted but no policy adjusts caps, threshold, or producer rate |
+| `layout_authority_log` | "500k ring buffer + 100k subscriber queue absorbs typical slowness" | append-only emit + fan-out | `_event_log_drops`, `_cortex_misses` per queue, dead-eviction (no counter) | reap dead subscriber after 200 misses | **HALF-CLOSED for subscribers only** — `_event_log_drops` is read by `stats()` but no caller adjusts `_EVENT_LOG_CAP`, `_DEAD_QUEUE_MISS_THRESHOLD`, or notifies clients of the drop |
+| `layout_authority_protocol` | "contracts validated at boundary" | dataclass freeze | NONE — no violation counter | NONE | **OPEN** — contract violations are raised but never aggregated; the system cannot tell if a producer is chronically misshaping deltas |
+| `layout_authority_wire` | "pipe-separated SSE minimizes bytes/event" | encode bytes | NONE — no per-event size histogram, no encode-time histogram | NONE | **OPEN** — Shannon claim ("~82B/event") is asserted in docstring; never measured against reality |
+
+**Pattern:** five of six modules emit metrics or could emit metrics. Exactly **zero** consume their own metrics to alter their own behavior. The only feedback edge in the entire authority is the dead-subscriber reaper — and that is a special-cause response (specific event: client died), not a system-redesign response (the whole subscriber-cap policy never changes regardless of distribution).
+
+---
+
+## 2 — Common vs special cause classification
+
+Deming's first move: classify variation before acting on it. Apply to the metrics that *do* exist:
+
+| Metric | Likely cause class | Evidence | Correct response |
+|---|---|---|---|
+| `Stats.dropped[P4]` ticking under steady symbol traffic | **common-cause** — cap of 64k is part of the system | drops occur because P4 cap is fixed; producer rate is by-design > drain rate during burst | **Redesign**: raise cap, raise drain priority, OR lower producer batch size — system change, NOT per-event triage |
+| `Stats.dropped[P4]` ticking once per build | **special-cause** — specific event (cold start, large repo) | one-shot at build start | Investigate that build's input size; not the system |
+| `_event_log_drops` ticking | **common-cause** — 500k cap vs build size | structural; will tick on any repo > 500k events | **Redesign**: raise cap OR add a "spillover to disk" tier OR reset seq per-build (currently rejected by I3) |
+| Subscriber dead-eviction | mixed | one client tab being slow = special; many = common (we are overloading the SSE format) | currently treated as special only |
+| `is_overloaded(0.8)` flips True | common-cause threshold (the 0.8 is arbitrary) | unread anyway | first **read it**, then classify each transition |
+
+The current code treats every drop as "fine, just count it." That is neither tampering nor learning — it is **agnosis**. Deming's term: *management without information*. The information is collected; the management never receives it; the system never improves.
+
+---
+
+## 3 — The four PDCA-closure failures
+
+### 3.1 PLAN without prediction
+The geometry, LOD, and scheduler all encode plans (formulas, strides, caps). **None of them states a prediction the system could later check**: e.g. "at 10⁸ symbols, P4 will exceed 50% capacity 0% of the time," or "stride=4 should keep visible-symbol count within ±5% of N/4." Because no prediction is recorded, no later run can be compared against it. PLAN exists, but as a frozen artifact, not a hypothesis.
+
+### 3.2 CHECK without aggregation
+`/api/layout/stats` is a *snapshot* endpoint. It reports current counters. It does NOT compute:
+- rolling-window drop rates (drops/sec over last 60s)
+- distributional summaries (p50/p99 queue length over the build)
+- transition events (overloaded ↔ recovered, with timestamps)
+- ratios (drops as % of submits per priority)
+
+A poll-only counter endpoint is what Boyd called "yesterday's state." Deming would add: it is also "no state at all" because monotonic counters without a baseline are not yet a measurement.
+
+### 3.3 ACT without authority
+Even if a human reads `stats()` and sees P4 chronically dropping, **no module accepts a change**. Caps are module-level constants (`QUEUE_SIZES`). Stride exponent is in a docstring formula. The dead-queue threshold is `_DEAD_QUEUE_MISS_THRESHOLD = 200`. There is no `set_cap()`, no `set_stride_curve()`, no config-reload path, no admin endpoint. The Act phase requires a code change, a build, a redeploy. PDSA at deploy-time tempo cannot keep up with build-time variation.
+
+### 3.4 No comparison against prediction
+PDSA's discriminating element is **Study compares to Plan's prediction**. The closest thing today is the Mandelbrot audit script that checks the LOD slope — but that is offline, run by a human, and feeds nothing back into the running module. The slope could drift to −0.7 across releases and no one would notice unless they re-ran the audit.
+
+---
+
+## 4 — Sub-optimization risk (system appreciation)
+
+Deming Move 3: never optimize a component without understanding the system. The Hamilton scheduler optimizes for *producer never blocks*. That is correct in isolation. As a system property:
+
+- Producer never blocks → producer keeps emitting → P4 saturates → drops cascade → log fills → subscribers miss → clients render incomplete graphs.
+- The local optimum (Hamilton invariant preserved) **degrades the system goal** (every node visible at appropriate zoom).
+- The geometry module's O(1)-per-node optimum prevents per-node feedback by construction; you cannot decimate adaptively if the placement function refuses to look at population statistics.
+
+This is not a bug in either module. It is the predictable consequence of optimizing each in isolation. Deming's antidote: **a module above them whose job is the system aim** (here: "every legitimately-needed node reaches every connected client"). That module does not exist.
+
+---
+
+## 5 — Fear / signal-suppression check
+
+Deming Point 8 maps awkwardly to code, but operationally: are signals being suppressed somewhere they should be visible?
+
+| Signal | Suppressed where? |
+|---|---|
+| `_event_log_drops` | exposed via `stats()` only — no SSE event, no log line, no alert |
+| Subscriber eviction | silent — no counter, no event, no log |
+| Contract violations in `add_node` / `add_edge` | raised exception then **lost** — no aggregator |
+| `is_overloaded` transitions | unsurfaced; the function is uncalled |
+| Per-build geometry overlap rate | never measured |
+
+These are all data the system needs to self-correct, and all of them are dropped on the floor. Not from fear — from **inattention**. Deming would say the effect on the loop is identical: the source of corruption is upstream of the data, and no improvement method downstream can recover what was never recorded.
+
+---
+
+## 6 — Recommendations: instrumentation that closes the loops
+
+Listed in **PDSA-cycle leverage order**, not module order. Each item names which module and which loop it closes.
+
+### R1 — Add prediction artifacts (PLAN gets teeth) — *all modules*
+For each tunable constant, write next to it the prediction it embodies:
+```python
+# QUEUE_SIZES[4] = 64_000
+# prediction: P4 drop rate < 0.1% on repos with ≤ 5e6 symbols.
+# check: scheduler_stats.drops[4] / scheduler_stats.queued[4] over a build.
+```
+Cheap. Forces the implicit hypothesis to surface so future Studies can compare.
+
+### R2 — Rolling-window aggregator on `stats()` — *scheduler + log*
+Add a `RateWindow` (60s, 600s, build-lifetime) computing drops/sec, submit/sec, queue-depth p50/p99 per priority. Without this, every metric is a counter, not a measurement. ≤80 LoC, pure logic.
+
+### R3 — Edge-triggered PDSA events on the SSE log — *scheduler + log*
+Emit `event: pdsa` with payload `{phase, prediction, actual, gap}` when `is_overloaded` transitions, when `_event_log_drops` ticks, when subscriber-eviction fires. Couples directly to Boyd's `degraded` recommendation but adds the *prediction-vs-actual* field that turns observation into Study.
+
+### R4 — Make caps/strides/thresholds runtime-mutable via a single `LayoutPolicy` object — *all modules*
+Pass `LayoutPolicy` into scheduler, log, and lod constructors. Expose a `policy.update(...)` method validated against the prediction record. This is the **ACT channel that doesn't exist today**. Without it, every learning is deploy-cycle slow. ≤120 LoC; the modules already keep their state private — surface a controlled mutator.
+
+### R5 — Common-cause classifier — *scheduler*
+A 20-line function `classify_drops(stats_window) -> CauseLabel` that distinguishes:
+- chronic uniform pressure (common-cause → adjust cap),
+- one-shot burst at build start (special-cause → ignore),
+- single-priority anomaly (cause-specific → narrow fix).
+Routes each cause to the matching ACT (R4 mutator) or to "log and wait" if special-cause.
+
+### R6 — Geometry observation hook — *geometry*
+Add an optional callback `on_place(node_delta, x, y, shell_count)`. The default is no-op. A monitor module can subscribe and aggregate (overlap rate, shell saturation) without violating O(1)-per-node — the work is offloaded to the subscriber. Closes the geometry loop without sacrificing its memory or compute claim.
+
+### R7 — Contract violation counter — *protocol*
+The dataclasses raise on bad input; the call sites catch-or-not by chance. Add a module-level `_violations: dict[str, int]` incremented in a `__post_init__` validator. Surface in `stats()`. Turns "the producer is malformed" from an invisible exception spray into a measurable rate.
+
+### R8 — Per-build PDSA report — *new module `layout_authority_pdsa.py`*
+At build end (the `done` event), emit a report:
+```
+{
+  "predictions": [...],         # from R1 annotations
+  "actuals": {...},             # from R2 windows
+  "gaps": [...],                # |predicted - actual|
+  "classifications": [...],     # from R5
+  "recommended_policy_delta": {...},
+}
+```
+The build-cache stores this alongside the slot/edge events. *This is the Study artifact* — the only place where PLAN is compared with DO and the gap is recorded. Without R8 the system cannot learn across builds; with it, R4's policy mutations become evidence-backed.
+
+---
+
+## 7 — Priority ordering (where one improvement unlocks others)
+
+1. **R1 (prediction artifacts)** — prerequisite for R8; does not require code change to runtime modules.
+2. **R2 (rolling windows)** — turns counters into measurements; prerequisite for R5, R8.
+3. **R4 (LayoutPolicy + mutator)** — the missing ACT channel. Without it, R5/R8 produce recommendations that can only be applied by redeploy.
+4. **R3 (PDSA SSE events)** — closes the loop to clients (complements Boyd `degraded`).
+5. **R5 (cause classifier)** — gates whether ACT should fire.
+6. **R6 (geometry hook), R7 (contract counter), R8 (build report)** — finish coverage of the modules currently silent.
+
+R1+R2+R4 together make the authority *capable of learning at build tempo*. The other items are completeness; these three are sufficiency.
+
+---
+
+## 8 — Hand-offs
+
+- **Boyd** — R3 (`degraded` SSE event) is the same edge as Boyd's `Act-channel` recommendation; merge implementations.
+- **Hamilton** — R4 (`LayoutPolicy.update`) must preserve the never-block invariant; no mutator path can synchronously block `submit`.
+- **Shannon** — R2's rolling-window rates need a budget: what drop rate per priority counts as a *signal* vs *noise*? The 0.8 threshold in `is_overloaded` is currently arbitrary.
+- **Fisher** — R5's classifier needs a power analysis: how many samples in a window before "chronic vs one-shot" is statistically distinguishable?
+- **Lamport** — R3's PDSA events must respect the same happens-before as `slot`/`edge` events so a client's Study reconstructs a consistent run.
diff --git a/tasks/layout-authority/audits/dijkstra.md b/tasks/layout-authority/audits/dijkstra.md
new file mode 100644
index 00000000..7e02711e
--- /dev/null
+++ b/tasks/layout-authority/audits/dijkstra.md
@@ -0,0 +1,178 @@
+# Dijkstra Audit — `layout_authority.py` Correctness Obligations
+
+Scope: the consolidated `mcp_server/server/layout_authority.py` wiring
+`_protocol`, `_geometry`, `_scheduler`, `_log`, `_wire`. What follows
+must be **proved or defended**; tests supplement, do not replace, the
+argument. Stakes: **High** — concurrency, bounded-state under unbounded
+arrival, client-observable ordering. Local reasoning across module
+boundaries is mandatory.
+
+## 0. Pre-flight contract defects (resolve before integration)
+
+- **D0 — Field-name mismatch.** `_protocol.SlotAssignment.node_id`;
+  `_wire.format_slot` reads `slot.id`. Protocol is normative — fix
+  `_wire`. Without this, integration cannot type-check.
+- **D1 — Single-producer rule is implicit.** `_log.emit` documents it
+  in prose only. Integration must enforce structurally: ONE worker
+  thread pops `_scheduler` and calls `emit`. Otherwise H1/H2 break.
+  Add thread-id assertion at `emit` entry.
+- **D2 — `_log` is module-global state.** Two authorities in one
+  process share log + seq. Either declare "one authority per process"
+  as construction precondition (assert at build time), or refactor
+  `_log` to instance state. Default-refuse module globals (§7.2 of
+  coding standards) requires explicit ADR if kept.
+
+## 1. Entry-point pre/postconditions
+
+**`add_node(delta)`** — *Pre:* `kind ∈ NODE_KINDS`; ids non-empty,
+delimiter-free (`|`, `\n`, `\r`) at protocol boundary not deferred to
+`_wire`; per-kind constraints from `NodeDelta`; `kind=='domain' ⇒
+domain_id==node_id`. *Post:* non-blocking; either submitted at
+`priority_for_node(kind)` OR dropped+counter (never both, never
+neither); EXACTLY ONE `SlotAssignment` emitted in bounded time iff
+parent state present (I3/I4/I7), else buffered. *Test:* Pre raises
+`ValueError`; property — any valid arrival order ⇒ one slot per
+accepted node_id.
+
+**`add_edge(delta)`** — *Pre:* `kind ∈ EDGE_KINDS`; ids non-empty,
+delimiter-free. *Post:* non-blocking; pushed to P5, buffered (I5), or
+dropped+counter; ZERO slots emitted; `'edge'` event in bounded time iff
+both endpoints present. *Test:* assert slot counter unchanged on
+`add_edge`; buffered edges flush within K events of second endpoint.
+
+**`request_subtree(domain_id)`** — *Pre:* non-empty. *Post:* idempotent
++ coalesced (N back-to-back calls ⇒ ≤1 P6 entry); on service, re-emit
+with strictly higher seq than prior (I2). *Test:* coalesce assertion;
+seq strict-increase.
+
+**`subscribe()` / `unsubscribe(q)`** — *Post (sub):* queue registered
+before return; any `emit()` after return delivers to it. *Post
+(unsub):* idempotent; no delivery *initiated* later goes to `q`;
+in-flight from concurrent fan-out snapshot is permitted. *Test:* stress
+with rapid sub/unsub under load.
+
+## 2. Happens-before: `add_node → slot emission → SSE write`
+
+Chain (single worker):
+
+```
+producer:  add_node(N) → scheduler.submit(prio, item)        [HB-0]
+worker:    pop() → compute_slot → wire.format_slot
+           → log.emit:
+              under _event_log_lock: seq += 1; append        [HB-A]
+              release lock
+              _fan_out: snapshot subs under _subscribers_lock [HB-B]
+                        for each q: q.put_nowait(event)      [HB-C]
+SSE thread: q.get() happens-after HB-C for that q
+           → socket.send
+```
+
+- **H1 — Seq strict-monotonic per instance.** `+=` and `append` under
+  one lock; single worker calls `emit`. *Argument by construction.*
+  Verify: assert `seq == _event_log[-1][0]` in `emit`; multi-priority fuzz.
+- **H2 — Per-subscriber delivery order = seq order.** Single producer
+  + FIFO `queue.Queue` ⇒ preserved. Broken if two threads call `emit`.
+  Verify: thread-id assertion at `emit` entry; chaos test with second
+  emitter confirms assertion fires.
+- **H3 — `_fan_out` snapshot semantics.** Subs added during fan-out
+  may or may not see in-flight event; subs removed may still see it
+  (reap is post-fan-out). Acceptable iff `unsubscribe` doesn't promise
+  "no more events" (it doesn't).
+- **H4 — Parent-before-child for symbols (I3).** P2 (file) < P4
+  (symbol) ⇒ strict-priority drains files before symbols. Symbols
+  arriving before parent's `add_node` ⇒ parent-pending buffer keyed by
+  `parent_id`, flush on parent emit. Bounded; overflow drops+counter.
+  Verify: arrival-permutation property test; assert no symbol slot
+  before its parent file's.
+- **H5 — Edges happen-after both endpoint slots.** Same I5 pattern.
+  Client renders edges between known nodes; pre-endpoint emit dangles.
+
+## 3. Bounded state under sustained 10⁶ events/sec
+
+Cost-model says ≤10 ns/node at 10⁹ in 1–2 s; pure-Python bench is
+180–300 ns/slot. At sustained 10⁶/sec arrival, **the worker cannot
+keep up in pure Python** — the scheduler fills and sheds by design.
+
+- **B1 — Scheduler residency ≤ Σ(QUEUE_SIZES × ~80B) ≈ 19.4 MB
+  worst-case** (`_scheduler` docstring). **Exceeds 8 MB cost-model
+  ceiling.** Engineer picks one: (a) shrink P5 cap (edges alone =
+  10.2 MB); (b) ADR that 8 MB is non-burst steady-state; (c) bench
+  residency <8 MB under 10⁶/sec. Verify: `tracemalloc` every 100 ms
+  for 60 s; report max delta + per-priority drop rates.
+- **B2 — Event log = 500k × ~80B ≈ 40 MB.** Only structure scaling
+  with stream length. Defend in ADR or shrink. Verify: assert
+  `len(_event_log) ≤ _EVENT_LOG_CAP`; bench RSS plateau.
+- **B3 — Subscriber queues = 100k × N_subs.** Steady-state bounded by
+  drain rate iff reaping fires. Show: (a) SSE drain ≥ producer emit at
+  10⁶/sec, or (b) reaping fires within 200-miss window before queue
+  residency dominates. Verify: slow-subscriber bench; assert reap.
+- **B4 — Pending-edges (I5, 100k) + parent-pending (32k by analogy
+  with P3) bounded; overflow drops+counter.** Verify: fill test.
+- **B5 — Per-domain counters O(domains × kinds), ~528 B for 11×6.**
+  Linear in `n_domains`; hard cap (e.g. 1000) or ADR.
+- **B6 — No per-event allocation growth.** `_wire` constants
+  pre-encoded; `format_slot` is O(1). `tracemalloc` 1M events; assert
+  linear, no leak.
+
+## 4. Deadlock freedom across `event_log_lock` and `subscribers_lock`
+
+- **D1 — Strict never-nested order in `emit`.** Releases
+  `_event_log_lock` BEFORE `_fan_out` takes `_subscribers_lock`; never
+  held simultaneously. Argument by code reading; debug thread-local
+  "held set" asserts empty before each acquire.
+- **D2 — No re-entrancy.** `emit` calls no function that calls `emit`;
+  `_fan_out` calls only `q.put_nowait` (queue-internal). Textual.
+- **D3 — Scheduler lock disjoint.** `_scheduler._lock` held only in
+  scheduler methods, none of which call into `_log`. Worker pops, then
+  releases, then emits.
+- **D4 — `q.put_nowait` non-blocking.** Full ⇒ Full exception, caught.
+  Subscriber backpressure cannot deadlock producer.
+- **D5 — `_log.reset()` takes both locks (event_log first, then
+  subscribers).** If any other path reverses, AB/BA deadlock possible.
+  Engineer audits: no other path takes both, or enforces same order
+  everywhere. Lockdep instrumentation in debug.
+- **D6 — External callers must not hold their own lock when calling
+  `emit`/`subscribe`.** API-boundary contract; watchdog test that
+  violates it and asserts timeout fires.
+
+## 5. Testing coverage vs. required argument
+
+| Property | Testable | Beyond tests |
+|---|---|---|
+| Entry-point Pre/Post | yes | body assertions |
+| I1 finite floats | yes | property test on `compute_slot` |
+| I2 seq monotonic | partial | + single-producer thread-id assertion |
+| I3/I4/I7 parent-first | partial | + single-worker construction argument |
+| I5 bounded buffers | yes | overflow test |
+| I6 non-blocking submit | partial | bench + `submit` code argument |
+| Bounded state under load | **no** | instrumented bench + cap argument |
+| Deadlock freedom | **no** | static lock-order proof; lockdep DiD |
+| Happens-before chain | partial | thread-id + single-producer argument |
+| 10⁶/sec sustained | yes (bench) | max RSS, drop rates, p50/p99 latency |
+
+**Dijkstra's rule applies in full.** Properties marked **no** or partial
+must be argued, not tested-into-existence. Engineer's `derivation.md`
+must contain explicitly: the lock-order argument (§4), the
+single-producer argument (H1/H2), the bounded-state argument (§3).
+
+## 6. Compliance (coding-standards.md)
+
+- §1.1 SRP — PASS iff `layout_authority.py` is placement coordination
+  only (no detection/persistence/HTTP).
+- §2.2 layers — `_protocol` contract-only; `_geometry` pure;
+  `_scheduler`/`_log`/`_wire` stdlib-only; this file is composition
+  root. PASS.
+- §4.1 ≤500 lines — likely needs split (worker loop, parent-pending,
+  pending-edges).
+- §7.2 default-refuse module globals — `_log` triggers; ADR (D2) or
+  refactor to instance state.
+- §8 sources — `_geometry`↦`workflow_graph.js`; `_scheduler`↦Hamilton
+  1969; `_wire`↦Shannon. PASS.
+
+## 7. Hand-offs
+
+- D0 field-name fix, single-producer enforcement, `_log` instance-state
+  refactor → **engineer**.
+- Bounded-state defense at 10⁶/sec, RSS budget → **engineer + Curie**.
+- Lock-order formal proof beyond static argument → **Lamport** (TLA+)
+  if desired; otherwise lockdep instrumentation suffices.
diff --git a/tasks/layout-authority/audits/eco.md b/tasks/layout-authority/audits/eco.md
new file mode 100644
index 00000000..7df62b98
--- /dev/null
+++ b/tasks/layout-authority/audits/eco.md
@@ -0,0 +1,157 @@
+# Eco Audit — The Model Client of the Layout Authority Wire
+
+> Method: profile the Model Reader (Model Client) the artifact
+> presupposes; separate what the wire *carries* from what the consumer
+> must already *know*; classify each implicit-knowledge dependency as
+> (a) make explicit, or (b) delete. Open/closed named per dimension.
+> Sources: Eco, *The Role of the Reader* (1979); *The Open Work* (1962);
+> *The Limits of Interpretation* (1990).
+
+Artifact: SSE stream from `layout_authority_wire.py`. Producer:
+`_geometry.py` + `_protocol.py`. Consumer: any renderer subscribing
+to `event: slot` / `event: edge` / `event: done`.
+
+---
+
+## 1. Profile of the Model Client
+
+The wire `id|x|y|kind|domain_id` tells the consumer almost nothing on
+its own. The Model Client is *heavily competent* — pre-equipped with
+out-of-band convention:
+
+- **MC-A Coordinates.** Knows `(x, y)` are pixels in a 1000×1000
+  authority frame, y-down screen convention. `_protocol.py:117`
+  documents it; the wire does not.
+- **MC-B Kind vocabulary.** Knows the 12 `NODE_KINDS` values and which
+  maps to which color (`KIND_COLOR` in `workflow_graph.js:19-32`). Wire
+  ships the kind string; the kind→color dictionary lives only in JS.
+- **MC-C Domain grouping.** Knows `domain_id` references a node with
+  `kind == 'domain'` (I7), that members share `domain_id`, that the
+  canonical render groups/colors by domain. Wire ships the id; the
+  **meaning of membership** is convention.
+- **MC-D Geometric frame** (load-bearing). Knows radii (`SETUP_R=70,
+  TOOL_R=140, FILE_R=220, DISC_R=150, MEM_R=150, MCP_R=50`), sector
+  half-widths, Fibonacci `_PHI = π·(3−√5)`, and `TOOL_LOCAL_ANGLE`.
+  Required because the renderer draws **L-band rings and sector labels
+  on top of the emitted points** (`workflow_graph.js:33-38, 43-84`).
+  Both ends carry the constants independently —
+  `_geometry.py:28-52` vs. `workflow_graph.js:43-84`. **Noether H2.**
+- **MC-E Sequence/idempotency.** Knows `seq` is monotone (I2), later
+  supersedes earlier, `done` means stop polling.
+- **MC-F Edges.** Knows edges are straight lines between placed slots
+  and `kind` is one of 14 styling tags, not a routing instruction.
+
+---
+
+## 2. What a naive client can discover from the stream alone
+
+Discoverable: `node_id` uniqueness, an empirical `(x, y)` bounding box,
+the finite kind alphabet (after enough samples), spatial clustering
+of `domain_id`. **Not** discoverable: canvas size, y-axis convention,
+kind→color mapping, that `domain_id` references a sibling node, the
+L-band ring structure, `request_subtree` invalidation semantics, the
+guarantee that edge endpoints eventually land.
+
+---
+
+## 3. Implicit-knowledge dependencies — table
+
+| # | Dependency | Producer source | Consumer source | Classification | Recommendation |
+|---|---|---|---|---|---|
+| D1 | Canvas size & y-down convention | `_protocol.py:117` | renderer assumption | implicit | **Make explicit** — `meta` event. |
+| D2 | Kind-vocabulary (12 values) | `_protocol.py:30` | renderer enum | implicit | **Make explicit** — `meta` event. |
+| D3 | Kind → color mapping | absent server-side | `workflow_graph.js:19-32` | one-sided convention | **Move to wire** if server cares about palette; otherwise **declare client-owned** (delete the dependency from the producer's mental model). |
+| D4 | Radii (`SETUP/TOOL/FILE/DISC/MEM/MCP_R`) | `_geometry.py:28-36` | `workflow_graph.js:43-48` | **dual-source duplication (Noether H2)** | **Make explicit** — emit once in `meta`. |
+| D5 | Sector half-widths & angles | `_geometry.py:39-41` | `workflow_graph.js:63-65` | dual-source duplication | **Make explicit** — `meta`. |
+| D6 | `_PHI` and Fibonacci formula | `_geometry.py:55,76` | `workflow_graph.js:326` | dual-source duplication | **Delete dependency** — server already emits `(x, y)`; client needs the constant **only** to draw the L-band rings. Either (a) emit ring radii in `meta`, or (b) emit the rings as first-class slot events. |
+| D7 | `TOOL_LOCAL_ANGLE` map | `_geometry.py:44-52` | `workflow_graph.js:76-84` | dual-source duplication | **Delete dependency** — same logic as D6. The client never needs this if the authority is the sole layout author. |
+| D8 | `domain_id` ⇒ exists-a-domain-node | I7 (`_protocol.py:212`) | renderer assumption | structural | **Make explicit** — emit `domain` slots before any member slot, or include a `domain_present: bool` hint. |
+| D9 | `seq` monotonicity & supersession | I2 | renderer assumption | structural | Already in SSE `id:` line; **document at handshake** in `meta`. |
+| D10 | `done` ⇒ stop polling | wire convention | renderer assumption | structural | Already explicit; OK. |
+| D11 | Edge endpoints land eventually | I5 buffer | renderer assumption | temporal | **Make explicit** — include drop-counter snapshot in `done` payload. |
+| D12 | Pixel-precision: `.1f` floats (sub-pixel discarded) | `wire.py:110` | renderer assumption | encoding | OK to leave implicit; it is loss-tolerant. |
+
+**The dependencies that hurt now: D4, D5, D6, D7.** *Dual-source* —
+identical numeric constants in two languages with no test pinning
+them. Change `FILE_R = 220` in Python without matching JS and the
+renderer draws labels at the wrong ring while points sit at the right
+one. Precisely Noether H2.
+
+---
+
+## 4. Open vs. closed classification (per dimension)
+
+| Dimension | Classification | Deliberate? | Verdict |
+|---|---|---|---|
+| Wire payload (`id\|x\|y\|kind\|domain_id`) | **closed** — fixed shape, no extension | yes (Shannon discipline, §1 of `wire.py`) | appropriate |
+| Kind alphabet | **closed** — 12 values frozen in `_protocol.py` | yes | appropriate |
+| Color palette | **open** — client decides | accidental (no server statement either way) | **clarify** — declare in ADR which side owns it |
+| Layout geometry | **closed at producer**, **echoed at consumer** | accidental | **make closed at producer only** — emit constants in `meta` |
+| `request_subtree` semantics | **closed**, but invisible to passive subscribers | yes | OK; document in handshake |
+
+The accidentally-open dimensions (palette, geometry-echo) are where
+producer and consumer drift independently. Eco's rule: when two
+parties must agree on a code, the mediating artifact must *carry*
+the code, not assume it.
+
+---
+
+## 5. Recommendation — the `meta` event (highest leverage fix)
+
+Add one event kind, emitted **first on every stream**, before any
+`slot` or `edge`:
+
+```
+event: meta
+data: {"canvas":[1000,1000],"y_axis":"down","node_kinds":[…12…],
+       "edge_kinds":[…14…],"radii":{"SETUP_R":70,"TOOL_R":140,
+       "FILE_R":220,"DISC_R":150,"MEM_R":150,"MCP_R":50},
+       "sectors":{"setup_half":1.208,"side_half":0.483,
+                  "side_angle":2.262},"phi":2.39996,
+       "tool_local_angle":{"Edit":0.0,"Write":-0.262,…},
+       "protocol_version":"layout-authority/1.0"}
+```
+
+This collapses D1, D2, D4, D5, D7, D9 into one self-describing
+preamble. The new Model Client is much weaker — a renderer that knows
+only "JSON in `meta`, pipe-separated in `slot`/`edge`" works. D6 is
+then resolvable: keep `_PHI` implicit (mathematically derived) or fold
+ring radii into `meta.radii` so the client never needs `_PHI` unless
+it wants extra spiral guides.
+
+D3 (kind→color) needs an explicit ADR: either server publishes
+`KIND_COLOR` in `meta`, or the spec states "palette is client-owned."
+Either is valid; *unstated* is not.
+
+---
+
+## 6. Limits of interpretation (what this audit is **not** licensing)
+
+The wire's structure (intentio operis) does **not** support these
+readings:
+
+- "`kind=symbol` implies the symbol is a function" — `kind` is a
+  layout/visual category, not a semantic-type tag.
+- "Two slots with similar `(x, y)` are semantically related" — only
+  the underlying graph (which the wire does not transmit) supports
+  that claim. Spatial proximity is a *side-effect* of layout.
+- "`done` means the graph is complete" — `done` means *this stream
+  segment* is complete; `request_subtree` can re-emit at any time.
+
+These are overinterpretations to refuse, not features to add.
+
+---
+
+## 7. Hand-offs
+
+- **Shannon** — quantify the byte cost of the proposed `meta` event;
+  it is a one-shot ~400-byte payload, amortizes to near-zero on any
+  non-trivial stream.
+- **Noether** — H2 (dual-source constants) is resolved by D4/D5
+  becoming wire-explicit; add a golden-vector test that hashes
+  `meta.radii ∪ meta.sectors ∪ meta.tool_local_angle` against a
+  fixture committed alongside `_geometry.py`.
+- **Engineer** — add `format_meta()` to `layout_authority_wire.py`,
+  invoke it once at subscribe time before draining the queue.
+- **Liskov** — restate the Model Client contract as a typed protocol;
+  any renderer that handles `meta` first satisfies it.
diff --git a/tasks/layout-authority/audits/einstein.md b/tasks/layout-authority/audits/einstein.md
new file mode 100644
index 00000000..77b95b58
--- /dev/null
+++ b/tasks/layout-authority/audits/einstein.md
@@ -0,0 +1,191 @@
+# Einstein gedankenexperiment — riding one event through the layout authority
+
+**Method.** I am a single `add_node` event traveling through the pipeline.
+At each frame I record: what is conserved, what changes form, what the
+local observer believes, what could go wrong.
+
+**The event I am.** `add_node(NodeDelta(node_id='symbol:abc',
+kind='symbol', domain_id='domain:cortex', parent_id='file:xyz'))`.
+Conserved across every frame: `node_id`. Everything else transforms.
+
+## Frame 1 — Build worker thread
+
+**Form.** Frozen Python dataclass, ~80 B, five named fields. Typed.
+**Observer.** Sees full semantics; `kind='symbol'` implies `parent_id`
+mandatory (precondition in `NodeDelta` docstring).
+**Risk.** Field-name divergence with the wire layer
+(`SlotAssignment.node_id` vs `format_slot` reading `slot.id`,
+wire.py:103) is invisible from here. Feynman §1.8 flagged it.
+
+## Frame 2 — `authority.add_node`
+
+**Form change.** Dataclass → "intent to enqueue".
+`priority_for_node('symbol')` → `PRIORITY_SYMBOL = 4`
+(scheduler.py:106). Then `submit(4, self)`.
+**Observer.** Sees only my `kind`. `domain_id`, `parent_id`,
+`tool_name` are opaque payload at this layer.
+**Risk.** P4 cap is 64,000 (scheduler.py:83). Full → `submit` returns
+`False`, `_stats.dropped[4] += 1`, no exception, no log. Silent drop
+unless the integrator inspects the bool — and **the integrator
+(`layout_authority.py`) does not exist yet** (Feynman §4).
+
+## Frame 3 — In the P4 deque
+
+**Form.** A reference inside `collections.deque` under
+`threading.Lock`. Cross-thread.
+**Observer.** Pure FIFO position. P0–P3 must drain first. Hamilton
+"1202" guarantee: high priority always wins (scheduler.py:8–13).
+**Risk.** Indefinite starvation under sustained P0–P3 load. The
+scheduler does not promise liveness for low priorities; this is a
+documented feature.
+
+## Frame 4 — Authority pop + context assembly
+
+**Form.** Back to `NodeDelta` in worker thread.
+**Observer.** For `kind='symbol'`, `compute_slot` needs `file_slot`,
+`idx`, `total` (geometry.py:170–179). The integrator must look up
+`file_slot` for `parent_id='file:xyz'` from a "main store"
+(scheduler.py:154 references it; not yet coded).
+
+**Risk — the I3 case.** If `file:xyz` has not yet been processed,
+its slot does not exist. Per protocol I3 (protocol.py:194), I am
+buffered. **That buffer does not exist as code in the six audited
+modules** — only in prose. Same for I5 (pending edges). The
+integrator owns it. Naive integrator → I sit forever.
+
+**Equivalence-principle observation.** From the consumer's vantage,
+*"buffered symbol"* and *"dropped symbol"* are empirically
+indistinguishable: both produce no slot event for me. The producer
+distinguishes them via `dropped[4]` counter. **This is a covariance
+gap between producer-belief and consumer-observation.** Either emit
+a `pending` event or document the frame dependence.
+
+## Frame 5 — `slot_for_symbol`
+
+Assume parent landed and I am replayed.
+**Form change.** Three values: `(file_slot, idx_in_file, total_in_file)`.
+**Math.** angle = 2π·(idx+0.5)/total; r = 18 + (idx%4)·3;
+return `(file_slot.x + r·cos(angle), file_slot.y + r·sin(angle))`
+(geometry.py:170–179). O(1), pure, stateless.
+**Observer.** *Sees only floats.* `node_id` is invisible here.
+Identity is held outside this frame by the integrator's bookkeeping.
+**Risk — silent NaN.** If `file_slot` contains NaN (because the
+file landed before its tool_hub and got a placeholder anchor — I4
+edge case), my `(x, y)` inherits NaN and is rejected at the wire
+layer three frames later. **No frame in the geometry chain checks
+finiteness.** The math is "covariant under finiteness" only if every
+input is finite; geometry trusts its caller.
+
+## Frame 6 — `SlotAssignment` + `format_slot`
+
+**Form.** `SlotAssignment(seq, node_id, x, y, kind, domain_id)`
+(protocol.py:103–129) → bytes.
+**The hard bug.** `wire.format_slot` reads `slot.id` (wire.py:103);
+the dataclass field is `node_id`. **`AttributeError`** here in
+current code. The wire benchmark hides it with a local `_Slot` whose
+field is `id` (wire.py:209). One-side rename fixes it.
+**If fixed.** Bytes:
+`b"id: 42\nevent: slot\ndata: symbol:abc|123.4|567.8|symbol|domain:cortex\n\n"`.
+**Conserved.** `node_id` is the first pipe-field. `seq` is added —
+Lamport-style logical timestamp; *not* identity.
+**Form change.** Type system erased. UTF-8 bytes. Five fields by
+string position, recovered by `.split('|')`.
+**Risk.** A `node_id` containing `|` or `\n` collapses framing.
+`_validate_id` (wire.py:64) catches at emit; protocol layer rejects
+earlier. Two defenses for one invariant — fine.
+
+## Frame 7 — Event log + fan-out
+
+**Form.** Tuple `(seq, 'slot', bytes)` in 500k-cap deque (log.py:42).
+`put_nowait` to every subscriber (cap 100k each, log.py:43).
+**Observer.** Log sees opaque bytes. Routing by kind string only.
+Strict per-instance seq monotonicity (log.py:217–223).
+**Risk.** Slow subscriber: `put_nowait` raises Full, miss counter
+increments, after 200 consecutive misses the subscriber is reaped.
+A reader's view diverges permanently from the log's view. Fall-out
+of 500k buffer → `replay_since(N)` returns `oldest > N+1` and the
+client falls back to a snapshot. Lamport "causal cut" by design.
+
+## Frame 8 — SSE handler → socket
+
+**Form.** `chunk_wrap` wraps payload in HTTP/1.1 chunked framing
+(`<hex-len>\r\n<bytes>\r\n`, wire.py:162). Bytes go to TCP.
+**Observer.** Wire layer sees length-prefix only. Kernel sees TCP.
+Identity invisible at this layer; `node_id` survives only as a
+substring of opaque bytes.
+**Risk.** Connection drop → reconnect with `Last-Event-ID`. If my
+seq is still in the ring buffer, I am replayed; if not, snapshot
+fallback re-derives me from the build cache (outside this audit).
+
+## Frame 9 — Browser `EventSource.onmessage`
+
+**Form.** `MessageEvent` with `.data =
+"symbol:abc|123.4|567.8|symbol|domain:cortex"` and `.lastEventId =
+"42"`. JS does `event.data.split('|')`.
+**Important fact.** Grep across `ui/` shows **no `EventSource`
+consumer wired today**. The frontend currently fetches
+`/api/quadtree` (Apache Arrow IPC, gzipped) — snapshot, not stream
+(workflow_graph_tilemap.js:53). Frames 9–10 describe the wired
+future state. Today my event dies at Frame 7 (in the log; no
+visualization subscriber drains it).
+**Risk (when wired).** If the consumer keys by `node_id` and
+overwrites unconditionally, behavior matches the contract in the
+happy path but diverges under out-of-order delivery (proxies, WAN
+reorder). Contract I2 says: **update by seq, higher wins**.
+*The contract is observer-frame-dependent unless consumers respect
+seq.* Two valid implementations are not empirically equivalent under
+`request_subtree`-driven reseat.
+
+## Frame 10 — Canvas paint
+
+**Form.** `(x, y)` mapped from authority coords (1000×1000 default,
+geometry.py header) to viewport pixels. Color from
+`KIND_COLOR['symbol'] = [100, 116, 139, 230]`
+(workflow_graph_tilemap.js:31). `node_id` lives in a parallel
+array; flatbush spatial index resolves clicks back to id.
+**Observer.** A grey-blue dot near the file's cyan dot. The user
+recovers `node_id` only on hover/click.
+**Conserved.** Spatial coincidence with parent file — geometry
+guarantees this by construction.
+**Risk.** If the file reseated via `request_subtree` after my
+geometry was computed (Frame 5), I am drawn at the *old* file
+position. I3 says symbols never reseat retroactively. I float,
+orphaned. **Observable covariance violation:** my position is meant
+to be a function of parent position, but the function evaluation
+is frozen at my creation time.
+
+---
+
+## Operational definitions surfaced
+
+1. **"a node arrived."** Wire emitted a `slot` event with this id and
+   log assigned a seq. **Not** "build worker called `add_node`" —
+   that may have been silently dropped at P4 cap.
+2. **"a node was dropped."** Producer `submit` returned `False` AND
+   no later `request_subtree` reseated it. **Indistinguishable from
+   "buffered awaiting parent" to a pure-stream consumer.**
+3. **"a node is at (x, y)."** Most recent `SlotAssignment` for that
+   id (highest `seq`) places it there. Older `(x, y)` for the same
+   id are superseded. **Holds only if consumers update by seq.**
+
+## Equivalence audit
+
+| Pair | Distinguishable? | Verdict |
+|---|---|---|
+| Buffered vs dropped (consumer-only view) | No (until parent arrives) | Same observable; producer counters disagree → covariance gap |
+| Out-of-order vs in-order slot for same id, seq-keyed consumer | No | Same |
+| Out-of-order vs in-order, id-keyed consumer | Yes (different final (x,y) under reseat) | Different — protocol must mandate seq-keyed |
+| "No JS consumer wired" vs "all events delivered nowhere" | No (from producer side) | Same — current state of the system |
+
+## Hand-offs
+
+- **Reseat invariance ↔ conserved quantity** → Noether.
+- **Quantity of dropped vs buffered events on the wire** → Shannon
+  (separate stats stream so consumers can reconstruct producer
+  belief).
+- **End-to-end latency `add_node` → canvas paint** → Curie. Today
+  the chain is broken at Frame 4 (no integrator) and Frame 9 (no
+  EventSource consumer); measurement is meaningful only after both
+  exist.
+- **Field-name bug `slot.id` vs `slot.node_id`** → engineer (trivial;
+  Feynman flagged independently — convergent finding).
diff --git a/tasks/layout-authority/audits/ekman.md b/tasks/layout-authority/audits/ekman.md
new file mode 100644
index 00000000..416bf7da
--- /dev/null
+++ b/tasks/layout-authority/audits/ekman.md
@@ -0,0 +1,179 @@
+# Ekman observable-signal audit — Layout Authority
+
+**Procedure.** Treat "is the authority healthy?" as a domain currently
+read by holistic impression. Convert it into an objective coding
+system: enumerate the smallest observable signals (FACS-style atoms),
+anchor each to a code path, classify each as load-bearing or noise,
+and build a signal → symptom mapping two on-call operators converge on.
+
+Files audited: `layout_authority.py`, `_log.py`, `_scheduler.py`,
+`_protocol.py`, `_wire.py`, `_lod.py`, `ui/unified/js/streaming_canvas.js`.
+
+---
+
+## 1. Codebook — atomic observable signals (the AUs)
+
+Each row is one independently-variable signal. "Anchor" = the exact
+producer; "Resolution" = the temporal grain at which the signal is
+present (Move 2 — leakage is in the small window).
+
+| # | Signal | Anchor (producer) | Resolution | Class |
+|---|---|---|---|---|
+| S1 | SSE event `kind == "slot"` | `_log.emit("slot", …)` `layout_authority.py:359` | per node | load-bearing |
+| S2 | SSE event `kind == "edge"` | `_log.emit("edge", …)` `layout_authority.py:369` | per edge | load-bearing |
+| S3 | SSE event `kind == "done"` | `_log.emit("done", …)` `layout_authority.py:226` | per build | load-bearing (terminal) |
+| S4 | SSE sentinel `replay_lost` | SSE handler in `graph_stream` (`_log.py:170` doc) | per reconnect | load-bearing |
+| S5 | `_event_log_drops` counter | `_log.py:54,134` | per dropped event | load-bearing |
+| S6 | `_dead_subscribers` count via `stats()` | `_log.py:_fan_out` (200-miss threshold) | per dead consumer | load-bearing |
+| S7 | Per-priority `Stats.dropped[p]` | `_scheduler.py:179,196` | per dropped delta | load-bearing (P0/P1 only) |
+| S8 | Per-priority `Stats.queued[p]` | `_scheduler.py:182,199` | per submit | noise (cumulative; counter only) |
+| S9 | Current queue length per priority | `_scheduler.py:242` | per `stats()` poll | load-bearing (saturation) |
+| S10 | `Scheduler.is_overloaded(0.8)` | `_scheduler.py:253` | per poll | load-bearing |
+| S11 | `slots_emitted` / `edges_emitted` totals | `layout_authority.py:167–168` | per build | noise (rate-derivable from S1/S2) |
+| S12 | Protocol violation `ValueError` | `layout_authority.py:128–132` | per bad delta | load-bearing |
+| S13 | `_log` peek-vs-actual seq assert | `layout_authority.py:360` | per emit | load-bearing (invariant breach) |
+| S14 | Subscriber `put_nowait` miss streak | `_log.py:_fan_out` 0…200 | per fan-out | noise individually; load-bearing as streak |
+| S15 | LOD `_selfcheck_powerlaw` slope drift | `_lod.py:190` ±0.05 of −1.0 | per build sample | load-bearing |
+| S16 | SSE keepalive `: ping\n\n` | wire layer | per 15 s | NOISE (transport-only) |
+| S17 | Log oldest/newest seq gap | `_log.stats()` | per poll | load-bearing (replay window depth) |
+| S18 | `replay_since` returns `None` | `_log.py:174` | per reconnect | load-bearing (precedes S4) |
+
+Independence (Move 1): S1/S2/S3 mutually exclusive kinds. S5 (log
+ring overflow, post-emit) and S7 (scheduler drops, pre-emit) measure
+*different layers* — not redundant. S14 aggregates into S6.
+
+---
+
+## 2. Baseline — what "healthy" looks like (Move 3)
+
+Report **deviation from baseline**, not absolute thresholds. Targets
+below are calibration slots, not invented constants.
+
+| Signal | Baseline | Source |
+|---|---|---|
+| S1 rate | matches scheduler drain rate steady-state | Curie §3.4 |
+| S3 latency | one `done`/build within (wall × 1.05) | e2e bench |
+| S4, S5, S6, S12, S13 | 0 | structural / invariant |
+| S7 P0/P1 | 0 | invariant — never drop hubs |
+| S7 P2..P5 | ≤0.1 % of S8 at same priority | saturation bench |
+| S9 length | < 0.5 cap p50, < 0.8 cap p99 | `_scheduler.py:78–86` |
+| S10 | False at p99 over 60 s | poll loop |
+| S14 streak | < 5 per healthy-but-slow consumer | Curie §3.4 |
+| S15 slope | ±0.05 of −1.0 on production ids | `_selfcheck_powerlaw` |
+| S17 | client `last_event_id` ≥ oldest_seq | `replay_since` precondition |
+
+---
+
+## 3. Signal → symptom mapping (two-coder agreement target)
+
+Each row is the form: **observed deviation → classified state → action**.
+Designed so a second operator, given only the signals, reaches the
+same classification.
+
+| Observed deviation | State | Diagnosis | Action |
+|---|---|---|---|
+| All S1..S3 absent for >2 s after build start | **broken** | producer thread stalled or never started | inspect authority worker; check S12 |
+| S3 never arrives, S1 rate >0 | **degraded** | build never seals; scheduler drain ≠ producer | check S9 high-priority lengths |
+| S5 > 0 (single event) | **degraded** | event log ring overflow; some consumer is replaying impossibly old | check S6, S17; client should resync via S4 |
+| S4 fired on a client | **degraded for that client** | client `last_event_id` < oldest_seq; gap > replay window | client snapshot-resync (designed path) |
+| S6 ≥ 1 (dead subscriber) | **degraded** | one consumer crossed 200-miss streak (S14) | drop confirmed; investigate that consumer |
+| S7[P0] > 0 or S7[P1] > 0 | **broken** | invariant violation: domain/tool hubs MUST NOT drop | scheduler caps wrong or producer overrunning P0/P1 |
+| S7[P2..P5] > baseline | **degraded** | sustained backpressure; LOD will mask but signal real | shed lower priority before higher; verify S10 |
+| S9[p] ≥ 0.8 cap sustained | **degraded** | scheduler saturated at priority p | S10 should already report True; if not, polling stale |
+| S10 True for > 60 s | **degraded** | system not draining | check downstream SSE consumer; cf Pearl audit |
+| S12 ≥ 1 | **broken** (producer bug) | malformed delta from caller | reject + log; do not heal silently |
+| S13 assert fires | **broken** (invariant breach) | multi-producer to `_log.emit` | crash; do not continue — seq monotonicity gone |
+| S15 \|slope+1.0\| > 0.05 | **degraded** (LOD) | hash distribution skewed on real ids | re-calibrate stride; cf Curie C22 |
+| S17 gap shrinking faster than S1 rate | **degraded** | replay window collapsing; future S4 likely | enlarge `_EVENT_LOG_CAP` or shed |
+| Only S16 (keepalives) on stream | **healthy idle** | no work in flight | none |
+
+Two-coder calibration (Move 6): give two operators the same 60 s
+`stats()` trace + SSE tap. Cohen's κ on {healthy, degraded, broken}
+must exceed 0.8 before this codebook is declared usable.
+
+---
+
+## 4. Micro-temporal leakage (Move 2)
+
+`stats()` polls at 1 Hz hide signals living below 1 s:
+
+- **Burst drop on S7[P5]**: 50 ms window where edges burst past 128 k
+  cap, dropped, queue drains. Invisible at 1 Hz. → Histogram with
+  10 ms buckets, or per-emit dropped-counter delta.
+- **Subscriber miss-streak (S14 → S6)**: 200 misses × ~1 ms = 200 ms
+  window. S6 fires only *after* death; the streak is the leading
+  indicator. → Expose `max_current_miss_streak` in `stats()`.
+- **`done` arrival jitter**: smoothed mean hides 2-of-100 stalls. →
+  Per-build histogram, not running mean.
+- **S13 peek-vs-actual race**: passes silently 99.999 % of the time;
+  the one frame it fires IS the multi-producer breach. Crash on
+  assert is correct — there is no slower signal that captures it.
+
+---
+
+## 5. Cross-context calibration (Move 4)
+
+| Context A | Context B | Survives? |
+|---|---|---|
+| 1k-node smoke | 10⁸-node prod | S1..S3 invariant; S7[P5] threshold local |
+| 1 SSE consumer | 10 concurrent | S6/S14 only surface with N≥2 |
+| Local net | Cross-region | S14 baseline shifts; cap stays |
+| Fast disk | Throttled disk | drain baseline shifts; deviation logic survives |
+
+Universal: S1/S2/S3 protocol, S4 sentinel, S12/S13 invariants. Local
+(display rules): exact thresholds for S9/S14/S17 — calibrate per
+deployment. AUs universal; caps cultural.
+
+---
+
+## 6. Coverage boundary (what this codebook CANNOT code)
+
+- **Renderer correctness** — slots emit OK but visually wrong. Pixel
+  golden test (Curie §3.5).
+- **Geometry quality** — clumping, sector overflow not coded here.
+- **End-to-end latency caller→paint** — network + renderer out of scope
+  (Hamilton, transport).
+- **Memory residency** (RSS/heap) — no byte-level signal here (Curie
+  C4/C13/C18).
+- **"Why is the consumer slow"** — Pearl, not Ekman.
+
+A green dashboard on this codebook ≠ system correct; only healthy in
+the coded dimensions.
+
+---
+
+## 7. Refusal markers
+
+- Any operator claim of "authority is degraded" without naming one of
+  S1–S18 with a deviation from §2 baseline → reject; no signal, no
+  state.
+- Any new metric added to `stats()` without classification (load-
+  bearing vs. noise) and a baseline → refuse; uncoded metrics
+  inflate the dashboard and reduce inter-operator agreement.
+- S5/S7[P0]/S7[P1]/S12/S13 ≠ 0 must page; they are invariant
+  breaches, not gradients.
+
+---
+
+## 8. Hand-offs
+
+- **Inter-operator κ ≥ 0.8 calibration run** → engineer agent (build
+  the trace fixture, run two-coder labelling on §3 table).
+- **Histogram exposure for S7[P5] burst, S14 streak, S3 jitter** →
+  engineer agent (extend `Scheduler.stats()` and `_log.stats()`).
+- **Why does the SSE consumer slow down (S10 sustained True)?** →
+  Pearl (causal-graph audit of consumer pipeline).
+- **Pixel/geometry correctness (coverage gap)** → Curie §3.5
+  golden-test follow-up.
+- **Replay-window cap calibration (S17/S4)** → Curie §3.3 (already
+  named: 95th percentile of reconnect-window).
+
+---
+
+## 9. Verdict
+
+18 signals: 3 noise (S8, S11, S16), 15 load-bearing. Five (S5, S7[P0],
+S7[P1], S12, S13) are invariant breaches that must page; rest are
+gradients requiring baseline + cross-context calibration. The code
+emits the right atoms; what was missing is this codebook plus the
+trained-coder agreement protocol (§3 κ ≥ 0.8 target).
diff --git a/tasks/layout-authority/audits/engelbart.md b/tasks/layout-authority/audits/engelbart.md
new file mode 100644
index 00000000..6d135824
--- /dev/null
+++ b/tasks/layout-authority/audits/engelbart.md
@@ -0,0 +1,138 @@
+# Engelbart augment-vs-automate audit — Layout Authority
+
+**Procedure:** every design decision is classified as either AUGMENT (extends
+the user's reach: more nodes visible, more metadata accessible, faster
+navigation, finer control) or AUTOMATE (the system decides for the user, often
+silently, and removes the decision from their hand). The user's stated stance
+is unambiguous and on the record: *"track everything"*, *"no loss of
+metadata"*, *"real time streaming"*. That is an augmentation brief. Every
+silent automation in the path between memory and pixel is a regression against
+that brief unless the automation is explicitly justified and reversible.
+
+Files audited: 8× `layout_authority_*.py`, `cost-model.md`, `polling.js`,
+`workflow_graph_tilemap.js`, `workflow_graph_filters.js`,
+`workflow_graph_bridge.js`.
+
+---
+
+## 1. Per-module classification
+
+| Module | Decision it makes | A/A | Aligned with user brief? |
+|---|---|---|---|
+| `layout_authority_geometry.py` | (x,y) from (kind, idx, total_in_kind, parent) — closed-form, deterministic, lossless | **AUGMENT** | Yes. Pure positional rendering; metadata untouched. |
+| `layout_authority.py` (counters, anchors) | Bumps counter and emits slot per `add_node` | **AUGMENT** | Yes. One slot per node; no aggregation. |
+| `layout_authority_protocol.py` | Three input verbs, one output event | **AUGMENT** | Yes. Verbs are additive; nothing collapses. |
+| `layout_authority_log.py` (500 K event cap, 100 K subscriber queue) | Drops oldest events when cap reached | **AUTOMATE** ⚠ | Partial. Cap is silent and unsurfaced — the user is not told that history before event N was discarded. *"Track everything"* is violated under sustained burst. |
+| `layout_authority_scheduler.py` (Hamilton priority) | P4 symbols dropped before P2 files; P5 edges dropped before any node | **AUTOMATE** ⚠⚠ | **Conflict.** The user said *no loss of metadata*. The scheduler drops symbols and edges silently when saturated. *Edges* are the relational metadata; dropping them means the user sees a node but not what it connects to. |
+| `layout_authority_lod.py` (power-law stride decimation of `symbol`, `memory`, `entity`) | At zoom < 1.0 only every k-th symbol is emitted | **AUTOMATE** ⚠⚠⚠ | **Direct conflict.** This is the textbook commercial-software pattern Engelbart warned against: optimize the floor (smooth zoom-out for novice eyes) by lowering the ceiling (expert can no longer trust that what they see is what exists). The decimation is deterministic-by-hash, not user-chosen. |
+| `layout_authority_wire.py` (SSE serialization) | What fields cross the wire | depends — see §2 | Risk: any field omitted here is metadata loss the user cannot recover. |
+| `polling.js` (client polling cadence) | When to ask the server | **AUGMENT** | Yes. User can read-faster but cannot be starved. |
+| `workflow_graph_tilemap.js` (auto-fit, viewport culling) | Default zoom on load; which tiles to fetch | **AUTOMATE** ⚠ | Mixed. Viewport culling is legitimate (off-screen pixels carry no info). Auto-fit-on-load is a one-shot decision that takes the framing out of the user's hand without an explicit "back to my view" affordance. |
+| `workflow_graph_filters.js` | What kinds are checked by default | **AUTOMATE** ⚠ | Default-hide-anything is a metadata-suppression decision. The user said *track everything* — so the *default state* should be "show everything," and the filter is the user's tool to subtract, never the system's tool to subtract on their behalf. |
+| `workflow_graph_bridge.js` (kind→layer mapping) | Which renderer pipeline a kind is sent to | **AUGMENT** | Yes — routing, not filtering. |
+
+Legend: ⚠ = automation that should be surfaced to the user; ⚠⚠ = automation
+in conflict with stated brief; ⚠⚠⚠ = automation that *defines the conflict*.
+
+---
+
+## 2. The three places augmentation is silently downgraded to automation
+
+### 2.1 LOD decimation (`layout_authority_lod.py`)
+The stride formula `2^(3 − 4·zoom)` is a server-side decision that *some*
+symbols will not reach the client at zooms < 1.0. The user has no UI affordance
+that says *"you are seeing 1/4 of symbols at this zoom — click here to override"*.
+For a *user trying to understand their own cognitive memory*, this is the
+worst possible failure: the system is deciding what is forgettable. The
+Mandelbrot fractal-self-similarity argument is mathematically correct for
+*rendering bandwidth* but does not justify hiding the existence of the omitted
+nodes from the user's awareness. **Fix:** emit a per-zoom badge ("showing
+124 K / 487 K symbols, stride 4 — [show all]"). The override must be one click.
+
+### 2.2 Scheduler drops on saturation (`layout_authority_scheduler.py`)
+P5 edges and P4 symbols are dropped under burst. Edges are relational
+metadata: a memory linked to a symbol that is linked to a file is the entire
+shape of the cognitive graph. Silently dropping edges turns *augmentation of
+the user's structural understanding* into *automation of "what looks
+important to the system."* **Fix:** every drop must increment a per-kind
+counter that is streamed to the client and surfaced as a visible "N edges
+deferred — replay" affordance. Backpressure must be *visible*, not silent.
+
+### 2.3 Default-hidden filter state (`workflow_graph_filters.js`)
+If any kind ships with `checked: false` by default the system has automated
+the "this kind is noise" decision on the user's behalf. The user's brief is
+the opposite: show everything; subtraction is a user verb. **Fix:** every
+kind defaults to visible. A "Reset to all visible" button is mandatory.
+
+---
+
+## 3. Where the design correctly augments
+
+- **Closed-form geometry** (`_geometry.py`): O(1) per node, no force
+  simulation, no clustering. Node #10⁹ is placed identically to node #1.
+  This is augmentation: the user can drop a billion nodes and the
+  *positional answer is the same shape* they'd get for ten. No emergent
+  layout drift, no "the system decided to cluster these for you."
+- **Counter-only state** (`_authority.py`): O(kinds) memory, not O(nodes).
+  The authority never *summarizes*; it *places*. Summarization would be
+  automation; placement is augmentation.
+- **SSE real-time streaming**: every `add_node` produces a `SlotAssignment`
+  the user sees within tens of ms. The user is *in* the loop of seeing
+  their memory grow, not handed a finished picture.
+
+---
+
+## 4. The bootstrap test
+
+Engelbart's load-bearing question: *does the team building the tool use the
+tool for their own work?* For the layout authority specifically — does the
+maintainer **watch their own session** in the unified visualization while
+they code? If yes, the LOD decimation will be felt the first time they zoom
+out and lose the symbol they were just editing. If no, the decimation will
+ship and only burn external users. **Recommendation:** make the visualization
+the maintainer's primary debugging surface for the next two weeks. The pain
+points found there are the design specification.
+
+---
+
+## 5. The ceiling test
+
+What can an expert user do with this visualization after a month of daily
+use? Under the *current* design with default LOD + default filters + silent
+drops:
+
+- Novice (first hour): can zoom and pan a smooth-looking graph. **Floor: high.**
+- Expert (after a month): cannot trust that absence-of-node means
+  absence-of-memory. They have to double-check via `recall` for every
+  empty region. **Ceiling: collapsed back to the floor.**
+
+This is the exact ARC → Xerox PARC regression Engelbart spent his late
+career protesting. The augmentation tool is being commercially smoothed
+into an automation tool by default settings. The fix is small: surface
+every silent decision, make every override one click, default to
+"show everything." The geometry layer is already correct; only the
+visibility/scheduling/filter defaults need to flip.
+
+---
+
+## 6. Hand-offs
+
+- **Hopper:** the badge "showing 124K/487K — [show all]" is a level-of-
+  abstraction primitive; design it as a reusable component for any
+  decimating surface.
+- **UX-designer:** every ⚠ row above needs an affordance spec.
+- **Curie:** measure how often the scheduler actually drops under realistic
+  burst rates. If drops are rare, the fix is cheap; if frequent, it is
+  load-bearing.
+- **Feynman:** integrity check on the LOD claim — does the power-law stride
+  actually preserve "structural understanding" or does it just preserve
+  *visual smoothness*? Those are different properties.
+
+---
+
+## 7. One-line verdict
+
+The geometry is augmentation. The scheduler, LOD, and filter defaults are
+automation that the user did not ask for and that conflict with the
+stated *"track everything / no loss of metadata"* brief. Flip the defaults,
+surface the deferrals, and the tool returns to the augmentation contract.
diff --git a/tasks/layout-authority/audits/erdos.md b/tasks/layout-authority/audits/erdos.md
new file mode 100644
index 00000000..1375160e
--- /dev/null
+++ b/tasks/layout-authority/audits/erdos.md
@@ -0,0 +1,170 @@
+# Erdos Audit — Probabilistic Placement Within Kind-Buckets
+
+> **STATUS: existence proof + threshold analysis.** The claim is *not* "random
+> beats deterministic." The claim is *the bucket structure carries the
+> topology, so a random placement scheme exists that produces a coherent
+> graph at scale with overlap probability < 0.01.* That is an Erdős-style
+> existence statement, not a recommendation to ship random placement.
+
+## 1. Problem characterization
+
+- **Type:** existence (probabilistic) + threshold (phase transition in N).
+- **Property sought:** "node positions are non-overlapping AND domain/kind
+  topology is visually preserved."
+- **Structure class:** point sets in 2D, partitioned into (domain, kind)
+  buckets whose support is a fixed geometric region.
+- **Model:** three placement schemes within the SAME bucket geometry —
+  - (a) **deterministic** — current `compute_slot()` closed form
+    (`workflow_graph.js:308–700` / proposed `layout_authority_geometry.py`).
+  - (b) **uniform random** — sample `(x, y) ~ Uniform(bucket_region)`.
+  - (c) **Poisson-disk** — sample with rejection so no two points lie
+    within radius r_PD; r_PD chosen per-bucket from N (Bridson 2007).
+- **Bucket geometry (from cost-model.md §4):** 11 domains × 6 kinds.
+  Front sector (`SECTOR_SETUP_HALF = π/2.6`), side sectors
+  (`SECTOR_SIDE_HALF = π/6.5`); kind shells `SETUP_R=70, TOOL_R=140,
+  FILE_R=220, DISC_R=150, MEM_R=150`. Per-domain disk-around-anchor
+  radius `(2·FILE_R+60)/2 = 250 px`, area **A ≈ 1.96·10⁵ px²**.
+
+## 2. Existence proof (the Erdős move)
+
+**Claim.** A random placement scheme exists whose probability of any
+overlapping node-pair within a bucket is < 0.01.
+
+**Construction.** Inside one (domain, kind) bucket of area A, draw N
+points i.i.d. uniformly. Two points overlap iff their centres are within
+`d = 2·node_r = 16 px`. The expected number of overlapping pairs is
+
+```
+E[overlaps] = C(N,2) · π·d² / A = N(N−1)/2 · π(2r)²/A
+```
+
+(union-bound / first-moment method, Alon & Spencer 2016, ch. 4.)
+
+For **P[no overlap] ≥ 0.99** we need `E[overlaps] ≤ 0.01`, giving
+
+```
+N_safe(uniform) ≤ √(0.02 · A / (π·(2r)²)) ≈ 2.2          (per bucket)
+```
+
+Uniform random fails almost immediately. But Poisson-disk sampling with
+radius `r_PD = √(A · η / (π · N))` (η ≈ 0.55, jamming density,
+Torquato 2010) gives **zero pair-overlaps by construction** for all N up
+to capacity `N_max = A·η / (π·r²)`. With r = 8 px, `N_max ≈ 537` per
+bucket. With 66 buckets that is **~3.5·10⁴ nodes** before any bucket
+saturates — and at saturation we shrink r_PD continuously.
+
+So scheme (c) **provably** satisfies the property at scale. **Existence
+established.** This does NOT mean we should ship it (see §6).
+
+## 3. Phase transition (the Erdős–Rényi move)
+
+The interesting fact is not "uniform random fails." It is *where* it
+fails, and what the threshold reveals about the bucket geometry.
+
+Per-bucket Erdős–Rényi-style threshold for `E[overlap] = 1`:
+
+```
+N*(bucket) = √(2A / (π·(2r)²)) ≈ 22            (per bucket, r=8)
+```
+
+This is sharp. Below ~22 nodes per bucket, uniform random is *almost
+surely* clean; above, overlaps appear suddenly. Across 66 buckets the
+**system threshold** for the property "no bucket has any overlap" sits
+at total `N ≈ 22 · 66 ≈ 1.5·10³` nodes. This matches the empirically
+observed regime (`tasks/graph-viz-1M-investigation-ginzburg.md`) where
+deterministic placement was viable up to ~10k and started clumping
+beyond.
+
+**Practical reading.** The current per-kind ring layout
+(workflow_graph.js:474–516) is a **deterministic Poisson-disk
+*approximation*** — points distributed at fixed radii on an arc with
+i % 3 stagger. It works because it implicitly enforces a minimum
+separation (`r_PD ≈ TOOL_LOCAL_ANGLE · TOOL_R`). Above the
+saturation threshold, even the deterministic scheme starts to crowd —
+the JS file's stagger-by-±4 trick (`r = FILE_R + ((i % 3) − 1)·4`) is
+exactly a band-limited dithering against this saturation.
+
+## 4. Three schemes — comparison table
+
+| Scheme | Small N (per bucket ≤ 20) | Medium (50–500) | Large (≥ 5k/bucket, total ≥ 10⁵) |
+|---|---|---|---|
+| (a) Deterministic | Cleanest. Predictable. Stable across reloads. | Stagger-by-3 trick keeps it readable. | Saturates; overlaps unavoidable without shrinking r. |
+| (b) Uniform random | **Already overlapping** (N_safe ≈ 2). Looks wrong. | Visibly clumped. | Indistinguishable from noise. |
+| (c) Poisson-disk | Indistinguishable from (a) to the eye. | Equivalent to (a). | Best — **smooth** density gradient because r_PD shrinks continuously, no banding artefacts. |
+
+**Cleanest at large N: (c) Poisson-disk.** Cleanest at small N: (a)
+deterministic — because human eyes detect angular regularity below the
+noise floor. The deterministic scheme essentially *is* a Poisson-disk
+sample drawn from a distribution concentrated on a few rings.
+
+## 5. The portable insight
+
+> **The kind-based bucket structure carries the topology, not the
+> intra-bucket placement law.**
+
+Existence proof: replace `compute_slot()`'s exact placement formula with
+*any* sampler whose support is the same bucket region. Re-render. The
+graph still reads as 11-domain Fibonacci spiral with 6 concentric kind
+shells. **The reader sees buckets, not points.** Bucket-level structure
+is the load-bearing semantic; intra-bucket placement is decoration.
+
+This is the Erdős lesson: the random version proves what the
+deterministic version was *also* doing — using bucket membership as the
+information channel. Both schemes encode the same bits.
+
+## 6. Why we still ship the deterministic version
+
+Existence ≠ recommendation. Three reasons (per Erdős blind spot #1):
+
+1. **Stability across reloads.** Random placement re-rolls every render.
+   alkhwarizmi.md `add_node` requires monotone `seq` and stable
+   coordinates for the renderer's incremental contract. Random violates
+   stability without an explicit seed-per-node.
+2. **Closed-form O(1) per node.** cost-model.md §1 forbids per-node
+   work above ~10 ns. Poisson-disk rejection sampling is O(1) amortized
+   *per attempt* but not *per accepted point* — at saturation, rejection
+   rate explodes. Deterministic stays O(1) at all densities.
+3. **Stagger-by-3 is good enough.** The JS code's `((i%3)-1)*4` radial
+   stagger achieves the visual benefit of Poisson-disk (broken angular
+   regularity → smooth density) at zero cost. **This is the Book proof
+   of the visual:** simplest possible code that produces the
+   anti-banding effect. Erdős would approve.
+
+## 7. Hand-offs
+
+- **Carnot** — efficiency analysis: cost of Poisson-disk rejection
+  sampling vs. closed-form, including the rejection-rate phase
+  transition near jamming density η=0.55.
+- **engineer** — keep deterministic; document the stagger-by-3 line as
+  intentional anti-banding (it currently reads as a bug).
+- **Lamport** — formal verification: prove that the deterministic
+  scheme's minimum pairwise distance is bounded below by a constant
+  ≥ 2·node_r within each bucket for N up to bucket capacity.
+
+## 8. Refusal conditions met
+
+- Random model **specified**: uniform i.i.d. on bucket support, or
+  Poisson-disk with rejection threshold r_PD.
+- Probability bound **derived from first-moment method** (not asserted).
+- Threshold **named with model and property**:
+  `threshold(model = uniform, property = no-overlap, A = 1.96·10⁵ px²,
+  r = 8 px) = 22 nodes/bucket`.
+- Empirical verification **referenced**:
+  `tasks/graph-viz-1M-investigation-ginzburg.md` reports clumping onset
+  in the 10⁴ regime, consistent with the 1.5·10³ system threshold given
+  the visible-window subsampling currently active in the renderer.
+
+## 9. Sources
+
+- Erdős, P. (1947). "Some remarks on the theory of graphs." Bull. AMS 53.
+- Erdős, P. & Rényi, A. (1959). "On Random Graphs I." Publ. Math. 6.
+- Alon, N. & Spencer, J. H. (2016). *The Probabilistic Method*, 4th ed.
+  Wiley. Ch. 4 (first-moment / union bound).
+- Bridson, R. (2007). "Fast Poisson Disk Sampling in Arbitrary
+  Dimensions." SIGGRAPH sketches.
+- Torquato, S. (2010). "Jammed hard-particle packings." Rev. Mod. Phys.
+  82 (η ≈ 0.547 for 2D random close packing).
+- `ui/unified/js/workflow_graph.js:308–700` — current deterministic
+  scheme; the stagger lines 492 (`r = FILE_R + ((i%3)-1)*4`), 504, 516
+  are the load-bearing anti-banding trick.
+- `tasks/layout-authority/cost-model.md` §1, §4 — per-node budget.
diff --git a/tasks/layout-authority/audits/erlang.md b/tasks/layout-authority/audits/erlang.md
new file mode 100644
index 00000000..de50caee
--- /dev/null
+++ b/tasks/layout-authority/audits/erlang.md
@@ -0,0 +1,197 @@
+# Erlang audit — layout authority capacity, blocking, and tip-over
+
+**Discipline:** Erlang (1909, 1917). Measure λ and μ, compute ρ, derive
+blocking probability from finite-capacity formulas, identify the tier
+where ρ → 1 first. No optimisation before the math.
+
+## 1. System decomposition
+
+```
+build worker  ──submit──▶  per-priority deques  ──pop──▶  authority worker  ──emit──▶  SSE per-client queues  ──flush──▶  browser
+   λ events/s              c=1, K_p slots                  μ ≈ 7.28·10^5/s         δ ≈ 5·10^4/s/client       (network)
+```
+
+Three serial tiers, each with finite capacity. The composite system
+fails at the **first** tier whose offered load A = λ/μ_tier exceeds 1
+(Move 1: arrival-service balance).
+
+## 2. Measured parameters (sources)
+
+| Symbol | Value | Source |
+|---|---|---|
+| μ_authority | 7.28·10⁵ events/s | knuth.md integration bench, run 2 |
+| K_P0..P6 | 1 000 / 1 000 / 16 000 / 32 000 / 64 000 / 128 000 / 100 | `layout_authority_scheduler.QUEUE_SIZES` |
+| K_log_ring | 500 000 events | `layout_authority_log._EVENT_LOG_CAP:42` |
+| K_sse_subscriber | 100 000 events | `layout_authority_log._SUBSCRIBER_QUEUE_CAP:43` |
+| δ_sse | 5·10⁴ events/s/client | localhost-SSE assumption (loopback ~8 Gbit, ~200 B/event ⇒ 5·10⁶/s wire ceiling; Python json+queue dominates → 50k as the per-client realistic drain) |
+| service-time CV² | ~0.4 (sub-exponential, dispatch chain) | knuth.md run-to-run variance < 7% |
+| seed_project node count | 10⁶ nodes + 4·10⁶ edges | knuth.md workload table |
+
+Service-time CV² ≈ 0.4 (sub-exponential), so M/M/1/K is a conservative
+upper bound; Pollaczek-Khinchine would lower predicted queueing delay by
+~30 % at the same ρ. We provision against the upper bound.
+
+## 3. Tier 1 — per-priority deques (finite-capacity loss queues)
+
+Each deque is **independent** under strict-priority drain — the
+authority drains P0 fully before P1, P1 before P2, etc. (Move 5 with
+priority displacement, Hamilton's domain). For the **lowest-priority
+deque that is non-empty**, the upstream service rate is μ_authority;
+higher-priority deques effectively see μ = ∞ unless they themselves are
+full at the same instant.
+
+For each priority p, model the deque as M/M/1/K_p with
+ρ_p = λ_p / μ_authority. Erlang loss formula for finite buffer:
+
+```
+P_block(K, ρ) = ρ^K · (1-ρ) / (1 - ρ^(K+1))     (ρ ≠ 1)
+P_block(K, 1) = 1 / (K+1)
+```
+
+### 3a. Nominal load (sustained)
+
+Assume seed_project at sustained λ = μ_authority / 2 = 3.64·10⁵ events/s
+(the producer cannot outrun the worker indefinitely — Little's Law,
+Move 3). Per-priority share from knuth workload:
+
+| Priority | items | share | λ_p (events/s) | ρ_p | K_p | P_block_p |
+|---|---|---|---|---|---|---|
+| P0–P2  | trivial    | < 10⁻⁴ share | < 10⁴/s | < 0.02 | ≥ 1 000 | < 10⁻³⁰⁰⁰ |
+| P3 other  | 619 920 | 0.620  | 2.26·10⁵ | 0.310 | 32 000 | < 10⁻¹⁶⁰⁰⁰ |
+| P4 symbol | 250 000 | 0.250  | 9.1·10⁴  | 0.125 | 64 000 | < 10⁻⁵⁰⁰⁰⁰ |
+| P5 edge   | 4·10⁶   | (×4 nodes) | δ-bounded | — | 128 000 | see §3b |
+
+At sustained nominal load, **no priority blocks**. Every deque sits at
+ρ < 0.5; we are deep on the flat part of the hyperbola.
+
+### 3b. Bursty load (λ = 10·μ for 100 ms)
+
+Producer bursts at λ_burst = 10·μ = 7.28·10⁶ events/s for Δt = 0.1 s.
+Total burst = 7.28·10⁵ events. Drain rate during burst = μ. Net
+accumulation = 9·μ·Δt = 6.55·10⁵ events.
+
+ρ_burst = 10. The closed-form Erlang B at ρ ≥ 1 collapses to
+P_block(K,ρ) → (ρ−1)/(ρ − ρ^{−K}) ≈ 1 − 1/ρ. For ρ=10: **P_block ≈ 0.90**
+on whichever priority absorbs the burst. The burst distributes
+proportionally to the workload mix (§3a):
+
+| Priority | burst items | K_p | overflow drops |
+|---|---|---|---|
+| P0..P2   | < K_p | — | 0 |
+| P3       | 4.06·10⁵ | 32 000 | **3.74·10⁵ dropped** |
+| P4       | 1.64·10⁵ | 64 000 | **1.00·10⁵ dropped** |
+| P5 edge  | (×4) 2.91·10⁶ | 128 000 | **2.78·10⁶ dropped** |
+
+**Burst verdict: P5 edges absorb 95 % of the drops; P3+P4 nodes drop
+~470 k.** This is by-design (edges drop before nodes; Hamilton's
+priority-displaced shedding). The deque tier behaves as advertised.
+
+## 4. Tier 2 — authority worker (single-server bottleneck)
+
+c = 1, μ = 7.28·10⁵ /s. By Move 1, **the system tips into sustained
+backlog at λ ≥ μ**, i.e. at any sustained input above ~728 k events/s.
+Utilisation–latency curve (M/M/1, Move 2):
+
+ρ = 0.5 → W = 2× service time; 0.7 → 3.3×; 0.8 → 5×; 0.9 → 10×;
+0.95 → 20×; 0.99 → 100×.
+
+**The knee is at ρ ≈ 0.7** (W = 3.3·service_time). Provision so that
+sustained λ ≤ 0.7·μ ≈ **510 k events/s**.
+
+## 5. Tier 3 — SSE per-client queues
+
+Each client has K_sse = 100 000 slots, drained at δ ≈ 5·10⁴ /s. Offered
+load per client = full authority output = μ ≈ 7.28·10⁵ /s.
+
+ρ_sse = μ / δ = **14.6** — catastrophically over capacity.
+
+P_block(100 000, 14.6) ≈ 1 − 1/14.6 = **0.93**. **The SSE tier is the
+binding bottleneck**, not the deques and not the worker. At any
+sustained authority output above δ ≈ 50 k/s **per client**, the SSE
+queue fills in under 2 s (100 000 / (7.28·10⁵ − 5·10⁴) = 0.15 s) and
+stays full, dropping 93 % of events.
+
+The 500 k-event log ring (§ knuth.md) backs this up: at μ=728 k/s the
+ring wraps every **0.69 s**, forcing every SSE client whose lag exceeds
+that to take the gap-snapshot path (already implemented; correct
+behaviour by I3).
+
+## 6. Bottleneck ranking
+
+| Rank | Tier | Tip-over λ | Sustained P_block at λ=μ |
+|---|---|---|---|
+| 1 (binding) | SSE per-client | δ ≈ 5·10⁴ /s | 0.93 |
+| 2 | authority worker | μ = 7.28·10⁵ /s | 1.00 (queue grows unbounded) |
+| 3 | priority deques (P5 edge, then P4 symbol) | depends on burst shape | < 10⁻³ at sustained ρ ≤ 0.5 |
+| 4 | log ring (gap-fallback path) | μ until lag > 0.69 s | gap-snapshot triggered, not data loss |
+
+**The system is SSE-bound by a factor of ~15× over the worker.** No
+amount of worker optimisation moves the binding constraint.
+
+## 7. Little's Law sanity check
+
+At the binding constraint (SSE), L = λ·W. With δ=50 k/s and target
+W ≤ 1 s end-to-end client latency: L ≤ 50 000 events in flight per
+client. Current K_sse = 100 000 → **2× the steady-state need**. Cap is
+correctly sized for the drain rate, not for the producer rate.
+
+## 8. Recommended queue sizes (minimise total drops)
+
+The deque caps are already conservative. The mismatch is at the SSE
+boundary. Two distinct levers:
+
+**(a) Match SSE cap to drain rate × tolerated lag.** Current 100 000 ÷
+50 000/s = 2 s of lag absorption. Adequate for transient bursts,
+ineffective against sustained overload (no buffer can fix ρ > 1; Move 1).
+
+**(b) Throttle authority emission to per-client δ when an SSE client
+is the only consumer.** This is the correct fix: the worker should not
+run faster than the slowest SSE client minus a margin. Otherwise the
+ring-gap path triggers continuously and the client lives on snapshots,
+not deltas.
+
+**Concrete recommendations:**
+
+| Tier | Current | Recommended | Rationale |
+|---|---|---|---|
+| P0 domain     | 1 000   | 1 000   | unchanged — saturates at < 10⁻³⁰⁰⁰ |
+| P1 tool_hub   | 1 000   | 1 000   | unchanged |
+| P2 file       | 16 000  | 16 000  | unchanged |
+| P3 other      | 32 000  | 32 000  | unchanged — burst drops are by-design |
+| P4 symbol     | 64 000  | 64 000  | unchanged |
+| P5 edge       | 128 000 | 128 000 | unchanged — first-to-drop is correct |
+| P6 subtree    | 100     | 100     | coalesced; correctly tiny |
+| log ring      | 500 000 | 500 000 | gap-fallback handles overflow |
+| SSE per-client| 100 000 | **100 000 + emission throttle** | cap is fine; **add producer-side rate limiter at min(δ_clients) · 0.7** |
+
+## 9. Retry amplification check
+
+SSE clients reconnect on disconnect with snapshot-then-delta protocol.
+If reconnect rate r and snapshot cost = full graph (1 M nodes), then
+effective λ_eff = λ + r · N. At r = 1 reconnect/s (one flapping client)
+and N = 10⁶, λ_eff = λ + 10⁶/s — **single flapping client alone exceeds
+worker capacity**. Mitigation: snapshot must be served from a
+pre-computed tile cache (already true per `mcp_server/handlers/quadtree_handler.py`),
+not regenerated. **Verify cache hit rate ≥ 99 % under reconnect storms.**
+
+## 10. Hand-offs
+
+- **Hamilton:** SSE-tier emission throttle is priority-displaced
+  shedding under a different name — design the back-pressure protocol
+  so the worker drops *edges first, symbols second* when δ_min < μ.
+- **Maxwell:** the snapshot-on-reconnect feedback loop is a
+  potential positive-feedback oscillator. Verify damping.
+- **Curie:** measure δ_sse on a real browser client (the 5·10⁴/s
+  number is a loopback estimate; over a real LAN to a real Chrome it
+  is plausibly 1–2·10⁴/s, which would tighten the binding constraint
+  by 3–5×).
+- **Knuth:** worker μ=728 k/s is comfortable headroom over the SSE
+  bottleneck — **do not optimise compute_slot**; the geometry path is
+  not the binding constraint by ~15×.
+
+## Files referenced
+
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_scheduler.py:78-86` — QUEUE_SIZES
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_log.py:42-43` — log + SSE caps
+- `/Users/cdeust/Developments/Cortex/tasks/layout-authority/audits/knuth.md` — measured μ
+- `/Users/cdeust/Developments/Cortex/tasks/layout-authority/cost-model.md` — geometry budget
diff --git a/tasks/layout-authority/audits/euler.md b/tasks/layout-authority/audits/euler.md
new file mode 100644
index 00000000..4f06e069
--- /dev/null
+++ b/tasks/layout-authority/audits/euler.md
@@ -0,0 +1,169 @@
+# Layout Authority — Notation-as-Infrastructure Audit (Euler)
+
+**Method:** read the six `layout_authority_*.py` modules as if their identifiers were a notational system. Names that compose cleanly (e.g. `compute_slot(kind, ctx)` reads like math; `priority_for_node(kind)` is a function lookup) are RIGHT. Names that overload one word with multiple meanings, or that drop a qualifier the reader needs to disambiguate, are WRONG — and like the `slot.id` vs `slot.node_id` audit cost, they compound.
+
+The standard is Euler's: notation is infrastructure. The right name makes the next four audits cheap; the wrong name makes them quadratic.
+
+---
+
+## 1. The notation that is RIGHT (keep verbatim)
+
+These read like math. Do not touch them.
+
+- `compute_slot(node_kind, ctx)` (geometry.py:183) — pure dispatch; reads as `slot = f(kind, ctx)`.
+- `domain_anchor(index, total_domains, cx, cy, base_r)` — every parameter has a unit; `total_domains` is unambiguous.
+- `slot_for_setup` / `_tool_hub` / `_file` / `_symbol` / `_discussion` / `_memory` / `_mcp` — verb-prefixed family; the shared prefix `slot_for_*` IS the notation.
+- `priority_for_node(kind)` / `priority_for_edge()` — symmetric pair; function name encodes the dispatch.
+- `NodeDelta`, `EdgeDelta`, `SlotAssignment` — suffix declares the role: `Delta` = input verb, `Assignment` = output event.
+- `NODE_KINDS`, `EDGE_KINDS`, `TOOL_LOCAL_ANGLE`, `PRIORITY_DOMAIN..._SUBTREE` — UPPER_CASE lookup tables; the table IS the notation.
+
+---
+
+## 2. The notation that is WRONG — concrete renames
+
+### 2.1 `total` is overloaded six ways (Wittgenstein-flagged)
+
+`total` means a different thing in nearly every signature it appears in. This is the worst offender — every consumer of these functions has to re-derive what `total` counts.
+
+| Site | What `total` actually means | Proposed name |
+|---|---|---|
+| `slot_for_setup(anchor, outward, idx, total)` (geometry.py:96) | total nodes in the (domain, setup-kind) bucket | `n_in_setup_sector` |
+| `slot_for_discussion(anchor, outward, idx, total)` (132) | total discussions in this domain | `n_discussions_in_domain` |
+| `slot_for_memory(…, total)` (146) | total memories in this domain | `n_memories_in_domain` |
+| `slot_for_mcp(…, total)` (159) | total mcp nodes in this domain | `n_mcps_in_domain` |
+| `slot_for_file(anchor, hub_angle, idx_in_hub, total_in_hub)` (121) | already disambiguated — KEEP | (keep `total_in_hub`) |
+| `slot_for_symbol(file_slot, idx_in_file, total_in_file)` (170) | already disambiguated — KEEP | (keep `total_in_file`) |
+| `format_done(seq, total_slots, total_edges)` (wire.py:139) | global cumulative count — KEEP | (keep) |
+| `Stats.queued: dict[int, int]` / `Stats.dropped` (scheduler.py:123) | per-priority cumulative — fine | (keep) |
+
+**Rule:** every numeric parameter named `total` must answer *"total of what, scoped where?"* with a qualifier in the name. The two functions that already do this (`total_in_hub`, `total_in_file`) prove the pattern works. Apply it to the other four.
+
+The same rule applies to `idx`: `idx_in_hub` and `idx_in_file` are right; bare `idx` in `slot_for_setup`/`_discussion`/`_memory`/`_mcp` should become `idx_in_sector` / `idx_in_lane`.
+
+### 2.2 `kind` versus `node_kind` versus implicit kind in name
+
+- `compute_slot(node_kind, ctx)` uses `node_kind` (geometry.py:183).
+- `priority_for_node(kind)` uses bare `kind` (scheduler.py:97).
+- `NodeDelta.kind` and `EdgeDelta.kind` are bare `kind` on a typed object (protocol.py:71, 100).
+- `SlotAssignment.kind` is bare `kind` on the output (protocol.py:128).
+- `visible_at_zoom(node_id, kind, zoom)` is bare `kind` (lod.py:87).
+
+The dataclass attributes (`NodeDelta.kind`) are FINE — the type prefix is the qualifier. The free-function parameters that take a node kind should standardise on **`node_kind`** (the geometry module's choice). Edges have their own `kind` parameter set; `edge_kind` should be the convention there.
+
+| Site | Rename |
+|---|---|
+| `priority_for_node(kind)` → `priority_for_node(node_kind)` | scheduler.py:97 |
+| `visible_at_zoom(node_id, kind, zoom)` → `visible_at_zoom(node_id, node_kind, zoom)` | lod.py:87 |
+| `_validate_kind(value)` → `_validate_kind_token(value)` | wire.py:75 (it validates either node_kind or edge_kind; it's a token-level check, not a kind-typed check) |
+
+This costs one rename per call site and removes a lookup the next reader has to perform.
+
+### 2.3 `seq` versus `since` versus `event_seq` (the cursor is one thing)
+
+The wire/log layer has a single cursor concept used four ways:
+
+- `SlotAssignment.seq` — the assigned sequence number (protocol.py:124).
+- `_event_seq` (module global) — the producer's monotonic counter (log.py:53).
+- `replay_since(since: int)` — the consumer's resume cursor (log.py:165).
+- `Last-Event-ID` header — the wire form of the same cursor.
+
+The reader has to mentally connect four words for one quantity. Recommend:
+
+| Site | Current | Proposed |
+|---|---|---|
+| `_event_seq` (module global) | `_event_seq` | keep — it IS the producer's seq |
+| `replay_since(since)` | parameter `since` | rename parameter to `cursor_seq` (return tuple stays; function name stays) |
+| docstrings | "Last-Event-ID" / "since" / "seq" mixed | standardise on **"event seq"** wherever a number references this cursor |
+
+Tiny patch, high readability gain — the next audit immediately sees that `Last-Event-ID == cursor_seq == event seq`.
+
+### 2.4 `kind` event-tagging in the log conflicts with `node.kind`
+
+In `log.py`, `Event = Tuple[int, str, bytes]` and `emit(kind, payload)` use `kind` ∈ {`'slot'`, `'edge'`, `'done'`} — these are EVENT kinds, not NODE kinds, so `grep "kind"` interleaves two taxonomies. Rename `emit(kind, …)` → `emit(event_kind, …)` and document the `Event` tuple slot as `event_kind`. Five-line patch; cleanly separates the namespaces.
+
+### 2.5 `_DECIMATED` / `_FAR_REDUCED` / `_ALWAYS_VISIBLE` — name the rule, not the verdict
+
+The three frozensets in `lod.py` are predicates on node kinds; their current names describe the OUTCOME, not the membership rule, so reading `visible_at_zoom` forces a back-lookup at each branch. Rename to:
+
+- `_ALWAYS_VISIBLE` → `_KINDS_NEVER_DECIMATED`
+- `_DECIMATED` → `_KINDS_DECIMATED_BY_ZOOM`
+- `_FAR_REDUCED` → `_KINDS_REDUCED_AT_FAR_ZOOM` (parallels `_FAR_ZOOM_THRESHOLD`)
+
+Then `visible_at_zoom` reads top-to-bottom and the set name IS the conditional.
+
+### 2.6 `field` (parameter) shadows `dataclasses.field`
+
+In `_validate_id(value: str, field: str)` (wire.py:64) and `_validate_finite(v: float, field: str)` (wire.py:82) the parameter `field` shadows `dataclasses.field` (which `scheduler.py` imports). Rename to `field_name` — costs five characters per site, removes a name-collision footgun.
+
+### 2.7 `n` reused as both "domain count" and "current bucket count"
+
+In `geometry.py` the local `n = max(<something>, 1)` recurs across five functions, sometimes meaning "total domains", sometimes "items in this bucket". Local scope contains the damage; optional rename to `safe_n_<scope>`.
+
+---
+
+## 3. The notation that is MISSING (introduce, don't rename)
+
+### 3.1 No name for "(domain, kind) bucket counter"
+
+The geometry module repeatedly uses an implicit pair `(domain_id, node_kind)` indexing a counter. The bucket is unnamed. The `compute_slot` ctx dict carries `idx` and `total` for it but the TYPE has no name. Introduce in `protocol.py`:
+
+```python
+@dataclass(frozen=True, slots=True)
+class BucketKey:
+    domain_id: str
+    node_kind: str
+```
+
+…and let the scheduler / authority store `dict[BucketKey, int]` for the running counter. Three benefits:
+
+1. A type the next reader can grep for.
+2. The "O(domains × kinds)" memory claim in `geometry.py`'s docstring becomes literal: `len(counters) == |BucketKey set|`.
+3. `request_subtree(domain_id)` becomes naturally describable as "all `BucketKey` with this `domain_id`".
+
+### 3.2 No vocabulary for "domain-anchor cache" vs "tool-hub-angle cache"
+
+The geometry comments mention that the caller "stores [the tool-hub angle] for files to orbit" (geometry.py:117). Files orbit a `hub_angle`, symbols orbit a `file_slot`. These are two derived quantities the authority must cache. Today they're implicit in the ctx dict. Recommend the authority expose them as named slots:
+
+```python
+@dataclass(frozen=True, slots=True)
+class DomainGeometry:
+    anchor: tuple[float, float]
+    outward: float
+    base_r: float
+
+@dataclass(frozen=True, slots=True)
+class ToolHubAnchor:
+    bucket: BucketKey
+    hub_angle: float
+```
+
+Then the `compute_slot` dispatcher can take typed inputs instead of a free-form `dict`, and the "out-of-order arrival" tolerance described in invariant I4 has a natural place to live (the `ToolHubAnchor` is None until the hub arrives; the file slot derives from `DomainGeometry` only as a fallback).
+
+This is a larger change — flag as a separate refactor PR, not the small notation-cleanup PR below.
+
+---
+
+## 4. Recommended notation-cleanup PR (small, mechanical)
+
+Scope it tightly. These are all rename-only edits with mechanical test impact.
+
+| File | Change | Lines touched |
+|---|---|---|
+| `layout_authority_geometry.py` | `total` → qualified name in 4 functions; `idx` → `idx_in_sector` / `idx_in_lane` | ~20 |
+| `layout_authority_scheduler.py` | `priority_for_node(kind)` → `(node_kind)` | 3 |
+| `layout_authority_lod.py` | `visible_at_zoom(node_id, kind, zoom)` → `(…, node_kind, …)`; rename three frozensets | ~25 |
+| `layout_authority_log.py` | `Event` second slot named `event_kind`; `emit(kind, payload)` → `emit(event_kind, payload)`; `replay_since(since)` → `replay_since(cursor_seq)` | ~10 |
+| `layout_authority_wire.py` | `field` parameter → `field_name` in two helpers; `_validate_kind` → `_validate_kind_token` | ~8 |
+| Tests | follow renames (mechanical) | ~30 |
+
+**Total:** roughly 90–100 lines of mechanical change. No behavioural change. Single commit, single PR, single review pass.
+
+**Skip in this PR (separate work):** the `BucketKey` / `DomainGeometry` / `ToolHubAnchor` typed-context refactor (§3) — that one changes the geometry dispatch surface and deserves its own discussion.
+
+---
+
+## 5. Compliance against the Euler standard
+
+- **Move 1 (notation as infrastructure):** seven concrete renames eliminate re-derivation at the call site.
+- **Move 4 (productive generalization):** `total` → `total_in_<scope>` is a family-level fix; same pattern fixes `idx` and `n`.
+- **Refusal trigger respected:** every rename has a named call-site cost and a named utility. No ornament.
diff --git a/tasks/layout-authority/audits/feinstein.md b/tasks/layout-authority/audits/feinstein.md
new file mode 100644
index 00000000..f0374cda
--- /dev/null
+++ b/tasks/layout-authority/audits/feinstein.md
@@ -0,0 +1,183 @@
+# Feinstein/Sackett Differential — Layout-Authority Iterations
+
+**Method.** Each of today's 10 iterations is treated as a clinical
+presentation. For each: ranked differential, discriminating sign, test
+that would have decided. Meta-analysis at the end identifies the
+candidate the team kept off the differential entirely until the very
+end: **"missing integrator — no component calls `add_node`."**
+
+I1–I6 are explicit corpus events (kahneman.md ledger, git log). I7–I10
+are intermediate cycles implied by feynman.md / popper.md (geometry
+tweaks, contract patches, queue-cap fixes, end-to-end blank UI) that
+landed without distinct commits. **Dx** = differential. **LR+** ≈
+likelihood ratio for the leading candidate given the discriminating
+sign. Priors sum to ~1.
+
+---
+
+## I1 — d3-force on full graph. CC: stalls at ~5k nodes.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | Wrong family: O(N log N)/tick × hundreds of ticks | 60% |
+| 2 | Force params (alpha, link strength) mistuned | 25% |
+| 3 | DOM/SVG render bottleneck, not the sim | 10% |
+| * | **Must-not-miss**: target N is 6 OOM beyond family's regime | 5% |
+
+**Sign:** `T_per_node = T/N = 1 ns` at design target — any per-tick iteration consumes >>1 ns/node. **Test:** one division on day 0. **LR+ ≈ 50.** Threshold crossed by arithmetic alone.
+
+## I2 — `prepareTopology` per phase. CC: seconds per recompute at 50k.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | O(N+E) recompute called per event | 70% |
+| 2 | E grows superlinearly | 15% |
+| 3 | Phase detection itself slow | 10% |
+| * | Insert #N costs more than insert #1 (cost-model invariant 2) | 5% |
+
+**Sign:** wall-clock grows monotone in N per insert. **Test:** time at N=10⁴ vs 10⁵. **LR+ ≈ 20.**
+
+## I3 — force-graph + spatial index rebuild. CC: insert spikes per batch.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | Quadtree rebuilt on insert (O(N log N) construction) | 65% |
+| 2 | GC pauses from index churn | 20% |
+| 3 | Render contention | 10% |
+| * | Same family as I1–I2 with new wrapper (anchoring) | 5% |
+
+**Sign:** insert-cost ∝ N log N. **Test:** log-log slope across three N. **LR+ ≈ 15.**
+
+## I4 — Datashader pivot (`dba2f16`). CC: can't render 10⁶ nodes.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | **Substitution**: solving rendering when bottleneck is placement | 50% |
+| 2 | Genuine render bottleneck post-placement | 30% |
+| 3 | Identity loss (no per-node pickability) acceptable | 15% |
+| * | Pixel pipeline does not answer "where does node #10⁹ go?" | 5% |
+
+**Sign:** can the system return `(x,y)` of `file:abc` after the pivot? **No.** **Test:** identity round-trip at N=10⁵. **LR+ ≈ 8.**
+
+## I5 — Six `layout_authority_*.py` modules. CC: tests pass; system doesn't run.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | **Missing integrator** — `layout_authority.py` absent; nothing calls `add_node` | 55% |
+| 2 | Wire/protocol field mismatch (`slot.id` vs `node_id`) | 20% |
+| 3 | idx/total counters orphaned across modules | 15% |
+| 4 | Tests cover modules-in-isolation, not composition | 10% |
+
+**Sign:** `grep -r build_authority mcp_server/` returns only the protocol declaration. **Test:** `import layout_authority` → `ModuleNotFoundError`. **LR+ ≈ 100.** *This is the iteration where "missing integrator" should have entered the differential. It did not.*
+
+## I6 — Tilemap auto-recover (`4a41aff`). CC: `/api/quadtree` returns `no_layout`.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | Frontend doesn't retry on transient not-ready | 55% |
+| 2 | **Layout was never produced** — `compute_slot` never called | 30% |
+| 3 | Race: query landed before build completed | 10% |
+| 4 | Endpoint contract: should be 404 not `no_layout` | 5% |
+
+**Sign:** does `/api/quadtree` *ever* succeed for this graph? **Test:** poll 60s; if always `no_layout`, retry shim cannot help. **LR+ for #2 ≈ 30.** Patch shipped on hypothesis #1; root cause was #2.
+
+## I7 — Geometry parameter retuning. CC: nodes overlap / cluster wrong.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | Constants drifted from `workflow_graph.js` reference port | 40% |
+| 2 | Domain anchor placeholder (I7 invariant: no retroactive reseat) | 35% |
+| 3 | `hub_angle` undefined when `parent_id=None` (silent fallback) | 15% |
+| * | Tuning is moot if integrator never calls `compute_slot` | 10% |
+
+**Sign:** golden-image diff vs JS reference on identical input. **LR+ ≈ 10.**
+
+## I8 — Wire field-name fix. CC: `AttributeError` at the wire boundary.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | Wire reads `slot.id`; protocol exposes `node_id` (popper.md §1) | 70% |
+| 2 | Two parallel slot dataclasses drifted — no canonical owner | 20% |
+| 3 | Serialization library version drift | 10% |
+
+**Sign:** `format_slot(SlotAssignment(...))` raises. **Test:** unit test against the protocol dataclass directly. **LR+ ≈ 30.** Underlying: nobody owns the canonical schema — because no integrator owns anything.
+
+## I9 — Scheduler queue-cap drops. CC: some nodes never appear.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | P2 queue (cap 16k) full; submit returns False; bool ignored | 50% |
+| 2 | Strict-priority starvation of P2 by P0/P1 | 25% |
+| 3 | idx/total drift → silent geometry placeholder | 15% |
+| * | Caller-ignores-bool **is** the integrator's job | 10% |
+
+**Sign:** `_stats.dropped[2] > 0` with no log. **Test:** instrument; assert `dropped[2]==0` for <16k workload. **LR+ ≈ 25.**
+
+## I10 — End-to-end "passes" but UI blank. CC: green build, empty quadtree, blank tiles.
+
+| # | Candidate | Prior |
+|---|---|---|
+| 1 | **No integrator → no `add_node` call → no slots → empty quadtree** | 75% |
+| 2 | Slots written to wrong store / schema mismatch | 10% |
+| 3 | Tilemap stale cache | 8% |
+| 4 | Auth/route on `/api/quadtree` | 7% |
+
+**Sign:** `SELECT count(*) FROM layout_slots` = 0 after green build. **Test:** one DB query post-build. **LR+ ≈ 50.** Threshold crossed without further investigation; all roads lead back to building the integrator.
+
+---
+
+## Meta-analysis — the candidate the team kept missing
+
+> **"There is no component that calls `add_node`. The placement pipeline is not slow; it does not exist."**
+
+| Iter | Implicit #1 hypothesis | "Missing integrator" position |
+|---|---|---|
+| I1 | wrong force params | not on list |
+| I2 | recompute too slow | not on list |
+| I3 | spatial index too slow | not on list |
+| I4 | renderer too slow | not on list |
+| I5 | modules not yet wired (vague) | adjacent, unnamed |
+| I6 | frontend retry missing | not on list |
+| I7 | geometry constants wrong | not on list |
+| I8 | schema drift | adjacent (no canonical owner) |
+| I9 | queue too small | adjacent (caller behavior unowned) |
+| I10 | tile cache stale | forced onto list by zero-row evidence |
+
+### Five biases (Sackett/Kassirer) that produced the blind spot
+
+1. **Anchoring** — "graph viz" frame anchored every iteration on *replacing or tuning a placement library*. The hypothesis "no placement library is being called at all" was never generated.
+2. **Premature closure** — each cycle found a plausible local cause and stopped before exhausting the differential.
+3. **Availability** — the most recent visible failure (`no_layout`, `AttributeError`, blank tile) dominated each cycle.
+4. **Base-rate neglect** — mid-refactor, "required component renamed/split and caller never rebuilt" is the single most common defect class; its prior should have been ≥30% on every cycle, was implicitly 0%.
+5. **Confirmation** — green per-module unit tests were read as system-works evidence. No test exercised composition (popper.md §"Notable findings" #2).
+
+### Treatment threshold — when to have acted
+
+By **I5** at latest. Discriminating test (`grep -r build_authority mcp_server/`) takes 200 ms. LR+ ≈ 100 — the module's absence is deterministic, not probabilistic. False-positive cost (~1 engineer-day building the integrator) << false-negative cost (the five subsequent failed iterations actually observed). Threshold crossed by inspection. The team did not act because the hypothesis was not on the differential.
+
+### Evidence grading on shipped symptom-fixes
+
+| Commit | Claim | Level | Required (Sackett) |
+|---|---|---|---|
+| `dba2f16` | "renderer is the bottleneck" | 6 (expert opinion) | 3 (cohort: place-vs-render time at three N) |
+| `54f443d` | "this is the right control flow" | 6 | 2–3 (controlled: slot writes precede tile reads) |
+| `4a41aff` | "transient `no_layout` is recoverable" | 6 | 4 (case-control: does endpoint *ever* succeed?) |
+
+All three shipped on Level-6 evidence. None would have shipped under the hierarchy if the missing-integrator hypothesis had been formally listed and tested.
+
+### Process gates that would have caught I1–I10
+
+| Bias | Gate |
+|---|---|
+| Anchoring | Each iteration: ≥3 differential candidates **including one "missing component"** candidate. |
+| Premature closure | Patch PR cannot land while ≥1 differential candidate remains untested. |
+| Availability | 5-Whys in PR description (kahneman.md §3). |
+| Base-rate neglect | During refactor: assume P(missing caller) ≥ 0.3 on every defect. |
+| Confirmation | Every module-test PR must add one composition test exercising ≥2 modules via the public API. |
+
+## Hand-offs
+
+- **Build the integrator** (`mcp_server/server/layout_authority.py`: composes six modules, owns counters, calls `compute_slot`, handles `submit` drops) → engineer.
+- **Composition test** that fails red until integrator exists → popper / engineer.
+- **PR-template gates** (5-Whys, ≥3 candidates incl. "missing component") → adopt from kahneman.md §3.
+- **Cost-model row** for "missing-component" defect class so future cycles include it by default → cost-model.md §6.
diff --git a/tasks/layout-authority/audits/fermi.md b/tasks/layout-authority/audits/fermi.md
new file mode 100644
index 00000000..27d68f8d
--- /dev/null
+++ b/tasks/layout-authority/audits/fermi.md
@@ -0,0 +1,100 @@
+# Fermi audit — layout authority thresholds
+
+Bracket every constant to within an order of magnitude. One-line defense per constant: WHY this magnitude, what next-up costs, what next-down costs. Bracket = [low, high] interpreted as the range over which the constant remains operationally correct; anything outside breaks something concrete.
+
+## `layout_authority_geometry.py` — radii and sectors
+
+Anchors: a Cortex graph viewport is ~1280×800 px (10^3 px). A node glyph reads at ~10 px (10^1). Therefore radii should live in 10^1..10^3 px; the only question is the ratio of one shell to the next.
+
+| Const | Value | Bracket | One-line defense |
+|---|---|---|---|
+| `SETUP_R` | 70 | [50, 100] | Inside file shell; ×10 down (7 px) collides with domain glyph; ×10 up (700 px) crosses into other domains. |
+| `TOOL_R` | 140 | [100, 200] | 2× setup so tool hubs visibly own a ring; ×0.1 = 14 px overlaps domain dot; ×10 = 1400 px exceeds canvas. |
+| `FILE_R` | 220 | [150, 300] | 1.5× tool ring leaves room for file glyph + label; ×0.1 puts files inside tools (semantic inversion); ×10 escapes viewport. |
+| `DISC_R` | 150 | [100, 250] | Side lane between tool and file rings; same magnitude argument. |
+| `MEM_R` | 150 | [100, 250] | Mirror of DISC_R on the opposite side. |
+| `MCP_R` | 50 | [30, 80] | Inward of domain hub; ×10 down (5 px) is invisible; ×10 up (500 px) puts MCPs in the next domain's territory. |
+| `SYM_R_OUTER` | 290 | [220, 400] | Just outside FILE_R so symbols visually orbit their file; ×0.1 collapses into file; ×10 unmoors symbols from parent. |
+| `SYM_R_SPREAD` | 32 | [16, 64] | Symbol scatter around file center; ×10 down indistinguishable; ×10 up overlaps neighbour file. |
+| `SYM_CLUMP_R` | 18 | [10, 32] | Petal cluster radius; ×10 down hides symbols, ×10 up crosses into adjacent file petal. |
+| `SECTOR_SETUP_HALF` | π/2.6 ≈ 69° | [45°, 90°] | Front sector for L1 fan; ×10 down (~7°) crowds skills/hooks/commands/agents into a stripe; ×10 up wraps the ring. |
+| `SECTOR_SIDE_HALF` | π/6.5 ≈ 28° | [15°, 45°] | Side lane half-angle; ×10 down collapses lane to a line; ×10 up overlaps front sector. |
+| `SECTOR_SIDE_ANGLE` | 0.72π ≈ 130° | [90°, 150°] | Lane offset from outward; bracket fixed by geometry — must be > setup_half + side_half (~97°) to avoid overlap, < 180° to stay non-symmetric. |
+
+All radii are *copies* from `ui/unified/js/workflow_graph.js`; the source-of-truth bracket is "whatever the JS already shipped that users approved" — Move 2 anchor. Order-of-magnitude sanity: 10× any of them and the layout escapes the canvas; 0.1× and shells fuse.
+
+## `layout_authority_scheduler.py` — queue caps and priorities
+
+Anchors. A NodeDelta/EdgeDelta is ~80 B (pointer + small dataclass). Sustained drain rate at a single producer thread doing closed-form O(1) slot math: ~10^5 items/sec (Move 2 — Python attribute access ~100 ns, dict lookup ~50 ns, deque.append ~50 ns). Therefore queues only have to absorb *bursts*, not steady-state.
+
+| Const | Value | Bracket | Defense |
+|---|---|---|---|
+| `QUEUE_SIZES[0]` (P0 domain) | 1 000 | [100, 10 000] | Population is ~10^1 in practice; cap is 100× over so it cannot drop. ×10 down (100) is still 10× population — fine. ×10 up (10k) wastes 800 KB. |
+| `QUEUE_SIZES[1]` (P1 tool_hub) | 1 000 | [100, 10 000] | Population ~70; same argument. |
+| `QUEUE_SIZES[2]` (P2 file) | 16 000 | [4k, 64k] | Files in a typical Cortex graph: ~30k. Cap < population by design — drops above are explicit, scheduler's job is burst absorb not full storage. ×10 down (1.6k) drops most files. ×10 up (160k × 80 B = 13 MB) breaks 8 MB ceiling. |
+| `QUEUE_SIZES[3]` (P3 setup/disc/mem) | 32 000 | [10k, 100k] | Mid-volume mid-importance kinds. Same memory ceiling argument up; ×10 down would drop healthy session loads. |
+| `QUEUE_SIZES[4]` (P4 symbol) | 64 000 | [16k, 256k] | "~90% of symbols visible is fine" per docstring; symbol population at 10^9 nodes is dominated by this priority. Naive 500k cap = 40 MB busts ceiling (already documented in module). ×10 down (6.4k) loses too many symbols visibly; ×10 up (640k × 80 B = 51 MB) blows budget. |
+| `QUEUE_SIZES[5]` (P5 edge) | 128 000 | [32k, 512k] | Edges typically 4× nodes; cap is 2× P4 so the 4:1 ratio survives a burst. ×10 up = 10 MB just for edges. ×10 down loses too many edges to keep topology readable. |
+| `QUEUE_SIZES[6]` (P6 subtree) | 100 | [10, 1 000] | Coalesced; even a viewport-drag at 10 req/s × 10 s = 100. ×10 down (10) drops legitimate user requests; ×10 up (1k) is 80 KB — wasted but harmless; coalescence keeps real depth at O(domains) = ~10. |
+
+Total worst-case memory ≈ 19 MB (per docstring). Bracket [8 MB, 50 MB]: 8 MB target is the project ceiling; 50 MB is where Python overhead alone (interpreter + numpy + libs at ~150 MB RSS) makes this allocation negligible. Sustained residency is 1–2 orders below.
+
+## `layout_authority_log.py` — event log + subscriber thresholds
+
+| Const | Value | Bracket | Defense |
+|---|---|---|---|
+| `_EVENT_LOG_CAP` | 500 000 | [100k, 1M] | At ~80–112 B/event (tuple overhead + payload), 500k × 112 B ≈ 56 MB — already documented as exceeding 8 MB ceiling on principle. ×10 down (50k events ≈ 5–6 MB) restricts replay window to ~5–50 s of stream which would force snapshot-fallback for any client hiccup. ×10 up (5M ≈ 560 MB) is process-OOM territory. Bracketed range is "client survives a 30 s tab-switch but server stays under 100 MB". |
+| `_SUBSCRIBER_QUEUE_CAP` | 100 000 | [10k, 1M] | One slow subscriber × 100k × ~112 B ≈ 11 MB. ×10 down means a subscriber 1 s behind at 10^4 evt/s gets reaped; ×10 up means a single dead client can hold 110 MB. Current value tolerates ~10 s lag at 10^4 evt/s. |
+| `_DEAD_QUEUE_MISS_THRESHOLD` | 200 | [50, 1 000] | 200 consecutive failed `put_nowait` ≈ 200 events = ~20 ms at 10^4 evt/s. ×10 down (20) reaps a momentarily slow but recoverable client; ×10 up (2k) lets a dead client hold its 11 MB queue for ~200 ms longer. The cost asymmetry favours the current value. |
+
+## `layout_authority_wire.py` — encoder constants
+
+| Const | Value | Bracket | Defense |
+|---|---|---|---|
+| `_MAX_KIND` | 32 chars | [8, 128] | Identifier ceiling per CLAUDE.md. ×10 down (3) cuts off real kind names like `tool_hub`; ×10 up (320) admits abuse-vector long strings that bloat every event by 10×. ASCII-identifier convention pegs this. |
+| Float fmt `:.1f` | 1 decimal | [0, 2 decimals] | At FILE_R = 220 px, sub-pixel precision is invisible. 0 decimals saves ~3 B but loses snap-to-grid feel; 2 decimals adds ~3 B/coord = ~6 B/event = 6% bloat at no visible benefit. |
+
+There is no explicit chunk-size constant in `_wire.py` — the encoder returns finished `bytes` per event and the SSE handler writes directly. Implicit chunk size = one event ≈ 80–110 B. Bracket [50 B, 4 KB]: smaller than 50 B is below TCP-segment-overhead efficiency threshold; bigger than 4 KB delays first-byte for downstream parser.
+
+## Realistic peak event rate
+
+Decompose: Rate = (Producer throughput) × (channel capacity gate) × (consumer parse rate).
+
+| Factor | Low | High | Anchor |
+|---|---|---|---|
+| Producer (Python deque + closed-form geometry) | 3×10^5 evt/s | 1×10^6 evt/s | Module benchmark `_benchmark` claims ~250 ns/event ≈ 4×10^6 evt/s for encoding alone; submission + lock + fan-out ~1 µs realistically. |
+| SSE-over-localhost channel | 10^4 evt/s | 10^5 evt/s | Given anchor in the prompt. |
+| Browser parse + render | 10^4 evt/s | 10^5 evt/s | `String.split('|')` ~250 ns; render upper-bounds at 60 fps × ~10^3 nodes/frame batch = 6×10^4 evt/s. |
+
+Bottleneck = SSE channel ∩ browser parse. **Realistic peak ≈ 3×10^4–10^5 evt/s.** Dominant uncertainty: whether the Datashader/tile pipeline batches events into render frames (raises ceiling toward 10^5) or renders per-event (caps at ~10^4).
+
+## Bracket: full build + stream at 10^9 nodes
+
+Decompose. Total wall time = max(build_compute, stream_throughput, render_throughput).
+
+| Factor | Low | High | Notes |
+|---|---|---|---|
+| Build compute @ ~10^6 slots/s closed-form | 10^3 s | 10^4 s | 10^9 / 10^6 = 1000 s; Python overhead and GC may cost 10×. |
+| Stream wire bandwidth | 2×10^4 s | 10^5 s | 10^9 events × 100 B = 10^11 B = 100 GB; over 1 GB/s loopback = 100 s; over realistic 10–100 MB/s SSE = 10^3–10^4 s. |
+| Browser render at 10^4–10^5 evt/s | 10^4 s | 10^5 s | This is the binding constraint. |
+| Edges (typically 4× nodes) | ×4 | ×4 | Multiplies all of above. |
+
+**Bracket: 10^4 s–10^5 s ≈ 3 hours to 30 hours for nodes alone, ×4 with edges → 10–100 hours.**
+
+Cross-check (independent decomposition): at 10^9 nodes the event log cap (500k) holds ~5 ms of stream — therefore *no client* can replay; full re-stream from cache is the only path, confirming the system is not designed for live 10^9-node streaming. Either build is offline + tile-served (current direction per `tasks/tile-server-plan.md`) or the renderer drops to aggregate tiles (current `unified-viz.html` Datashader path).
+
+## Dominant uncertainty
+
+The widest bracket is **browser render throughput** (10^4–10^5 evt/s, ×10 spread). Every other factor is either cheaper (Python compute) or already mitigated (server-side tiling). Move 5: refine *only* this bracket — instrument actual sustained event-application rate in the existing tilemap renderer at 10^6 nodes and extrapolate. That single measurement collapses the 10–100 hour bracket to a 2× spread.
+
+## Model assumptions (estimate invalid if any change)
+
+- Single-producer thread (Hamilton invariant in `_log.py` docstring).
+- Closed-form O(1) slot math (no graph layout iteration).
+- Localhost SSE (cross-network would cap at 10^3–10^4 evt/s).
+- Browser is the consumer (a headless tiler could push render to 10^6+ evt/s).
+- Node payload ~80 B; doubling payload doubles all wire-bound estimates.
+
+## Next measurement (hand off to Curie)
+
+Instrument browser render apply-rate on the current tilemap path at 10^5, 10^6, 10^7 nodes. The slope determines whether 10^9 is a 10-hour or a 100-hour build.
diff --git a/tasks/layout-authority/audits/feynman.md b/tasks/layout-authority/audits/feynman.md
new file mode 100644
index 00000000..65e2b6be
--- /dev/null
+++ b/tasks/layout-authority/audits/feynman.md
@@ -0,0 +1,246 @@
+# Feynman integrity audit — layout authority
+
+Scope: the six `layout_authority_*.py` modules at
+`mcp_server/server/`. The user said "5 modules"; I count six
+(`protocol`, `wire`, `geometry`, `lod`, `log`, `scheduler`). I am
+auditing all six. **First integrity item:** the user's count is off
+by one, or the user is excluding one module from the audit and I
+have not been told which. I am proceeding with all six and will flag
+this at the end.
+
+## 1. The freshman walkthrough — `add_node(NodeDelta(node_id='file:abc', kind='file', domain_id='domain:cortex'))`
+
+The freshman thinks: "the build worker calls `add_node`, the layout
+authority places the node at (x, y), the (x, y) goes to the
+browser." The freshman is going to be disappointed. Here is what
+actually happens, line by line, when you trace it through the code
+that is currently checked in:
+
+1. The build worker calls `authority.add_node(delta)`.
+2. **`authority` doesn't exist.** `layout_authority_protocol.py`
+   defines a `Protocol` (line 142) and a factory
+   `authority_from_geometry()` (line 222) that does
+   `from mcp_server.server.layout_authority import build_authority`.
+   That module is not in the tree. `find` confirms no
+   `layout_authority.py` (only the six `layout_authority_*.py`
+   suffixed modules). **The integrator does not exist.** Every
+   chain of reasoning below is what *would* happen if it were
+   written and wired correctly to the six modules; it is not what
+   happens today, because today nothing calls `add_node` at all.
+3. Assume the integrator exists. `add_node` would:
+   a. Validate `kind in NODE_KINDS` (frozenset at line 30 of
+      `protocol.py`) — `'file'` is in the set, OK.
+   b. Validate per-kind preconditions from the `NodeDelta`
+      docstring (lines 59–66). For `kind='file'`,
+      **`parent_id` SHOULD be the primary tool_hub id "if known"**
+      — the docstring says optional. So `parent_id=None` is legal
+      and the file will land somewhere without a tool hub.
+   c. Compute the priority: `priority_for_node('file')` →
+      `PRIORITY_FILE = 2` (`scheduler.py` line 90, 103).
+   d. Call `scheduler.submit(2, delta)`. If queue P2 (cap 16k)
+      isn't full, it appends and notifies the consumer. If full,
+      it returns False and increments `_stats.dropped[2]`. **No
+      exception, no log line that I can see in the scheduler.**
+      That is a silent drop unless a layer above checks the bool.
+4. The consumer thread (also in the missing integrator) does
+   `scheduler.pop()`, gets `(2, delta)`, and computes geometry.
+5. Geometry needs a context dict (`compute_slot`, `geometry.py`
+   line 183). For `kind='file'` it needs `anchor`, `hub_angle`,
+   `idx`, `total`. **Where do these come from?**
+   - `anchor` = the (x, y) of `domain:cortex`. That requires
+     having previously processed an `add_node(kind='domain',
+     node_id='domain:cortex')` and stored its anchor. The
+     protocol invariant **I7** (line 212) explicitly allows the
+     domain to arrive AFTER its members and says members get a
+     "placeholder anchor" with **no retroactive reseat**. So if
+     `domain:cortex` hasn't landed yet, the file is placed at
+     some placeholder forever. **This is implicit — the freshman
+     would expect the file to be reseated when the real domain
+     arrives. It is not.**
+   - `hub_angle` = the angle of the file's primary tool hub.
+     Our delta has `parent_id=None`. So `hub_angle` is undefined.
+     Invariant **I4** (line 198) covers this: the file falls back
+     to "the domain hub" with no retroactive reseat. The freshman
+     would expect that "place me near my tool" — the code says
+     "if you didn't tell me your tool, you don't get one, and you
+     won't later either." That is a real product decision; it is
+     not in any visible comment near `slot_for_file`.
+   - `idx` and `total_in_hub` = "this file's index among files in
+     the same hub" and "running total of files in that hub." The
+     scheduler/geometry modules **do not maintain these
+     counters**. The integrator (which doesn't exist) is supposed
+     to. The geometry module's docstring says O(domains × kinds)
+     counters live there; the file is silent on who keeps them.
+6. `compute_slot` returns `(x, y)`. It is finite by construction
+   *if* anchor/hub_angle/idx/total are finite. There is no
+   `_validate_finite` inside `compute_slot`. That validation
+   happens later in `wire.format_slot`. **Magic #1:** the
+   geometry code trusts its caller to pass finite floats. Pass
+   `total=0` to `slot_for_setup` — protected by `max(total, 1)`,
+   OK. Pass `nan` for `outward` — propagated to `cos`/`sin`,
+   produces nan. The wire layer would then `raise ValueError`,
+   and the producer thread would crash unless somebody catches.
+   **Whether anyone catches is an integrator-layer question and
+   we can't audit it because the integrator does not exist.**
+7. Construct `SlotAssignment(seq=N, node_id='file:abc', x=X,
+   y=Y, kind='file', domain_id='domain:cortex')`.
+8. Hand the `SlotAssignment` to `wire.format_slot(seq, slot)`.
+   **Bug:** `wire.format_slot` reads `slot.id` (line 103). The
+   `SlotAssignment` dataclass at `protocol.py` line 124 names
+   the field `node_id`, **not** `id`. `format_slot` will raise
+   `AttributeError`. Same for `_validate_id(slot.id, ...)` line
+   103. **This is a hard, demonstrable bug.** It is not "magic";
+   it is a contract divergence between the protocol module and
+   the wire module that both call themselves the source of truth
+   for the `SlotAssignment` shape. The `_benchmark()` function
+   at the bottom of `wire.py` defines its OWN local `_Slot` with
+   field `id` (line 209) — which is how the benchmark passes,
+   masking the bug.
+9. `format_slot` returns SSE-framed bytes.
+10. Bytes go to `log.emit('slot', payload_bytes)` (`log.py` line
+    119). It increments `_event_seq`, appends to a deque (cap
+    500_000), fans out to subscribers via `put_nowait`, and
+    reaps subscribers with >200 misses.
+11. SSE handlers (in some other module — not audited here, also
+    likely missing) drain their queues and write to sockets.
+
+**Net result of one `add_node` today:** nothing, because no
+integrator exists. **Net result if the integrator were written
+the obvious way:** an `AttributeError` at step 8 because
+`format_slot` and `SlotAssignment` disagree on the field name.
+
+## 2. `add_edge(EdgeDelta(source_id='file:abc', target_id='tool_hub:Edit', kind='tool_used_file'))`
+
+1. `add_edge` validates `kind in EDGE_KINDS` (line 35).
+   `'tool_used_file'` is in the set.
+2. Per the docstring (line 86–94), the edge is buffered if
+   either endpoint hasn't been added yet. **There is no
+   buffering code in any of the six modules I read.** The
+   docstring says "the authority tolerates out-of-order arrival
+   by buffering" and references invariant I5 (pending-edges
+   buffer, default 100k). I5 lives only in the docstring text.
+   **The buffer does not exist as code in the audited files.**
+   It must live in the (missing) integrator.
+3. Submit at `PRIORITY_EDGE = 5` (`scheduler.py` line 93). Cap
+   128k. Drops silently when full.
+4. Consumer pops, calls `wire.format_edge(seq, edge)`. This
+   one **does** match the protocol (`source_id`, `target_id`,
+   `kind`). It encodes `<source>|<target>|<kind>` and ships.
+5. Edge goes to `log.emit('edge', bytes)`. Same fan-out.
+6. **No SlotAssignment is emitted for an edge.** This matches
+   the protocol postcondition (line 92). Good.
+
+**Magic call-out:** the build worker docstring (`protocol.py`
+line 89) says the worker "SHOULD emit nodes before edges" but
+"the authority tolerates out-of-order arrival by buffering."
+That tolerance does not exist in the code. If the integrator
+forwards an edge whose endpoints haven't landed, the *renderer*
+will draw a line to a phantom node-id. I cannot tell whether
+the renderer handles that or shows nothing or crashes —
+that's the JS side, out of scope. But "tolerates" is a claim
+the audited code does not back up.
+
+## 3. `request_subtree(domain_id='domain:cortex')`
+
+1. Calls `scheduler.coalesce_subtree('domain:cortex')`
+   (`scheduler.py` line 186). Linear scan over P6 (cap 100); if
+   already pending, returns False; else appends and notifies.
+2. Consumer pops at priority 6 (deferred behind P0–P5).
+3. **Then what?** The integrator is supposed to walk the stored
+   nodes for that domain and re-emit a SlotAssignment for each.
+   The audited code does NOT contain that walk. The geometry
+   functions are pure and stateless; the log is append-only and
+   bounded; the scheduler hands you a `domain_id` string. Some
+   third store (the "main store" referenced in `scheduler.py`
+   line 154) is presumed to exist in the integrator. **Magic.**
+4. Per protocol I2 (line 187), re-emitted slots get higher seq
+   numbers; clients update by seq. That's clean. But the
+   "re-emit slot assignments for one subtree" behavior, the
+   verb the user named, lives entirely in code that is not in
+   the repo.
+
+## 4. Divergences between claim and code
+
+- **Missing integrator:** `protocol.py` line 229 imports
+  `from mcp_server.server.layout_authority import
+  build_authority`. That module does not exist. The factory is
+  a forward-declaration to a file that has not been written. No
+  test in `test_layout_authority.py` could exercise the wiring
+  end-to-end.
+- **Field-name divergence (hard bug):** `wire.format_slot`
+  reads `slot.id`; `protocol.SlotAssignment` exposes `node_id`.
+  An `AttributeError` is the first thing the producer would
+  hit. The wire benchmark hides this with a local `_Slot`
+  dataclass that uses `id`.
+- **Pending-edges buffer (I5) referenced but not coded.**
+  Invariant I5 at `protocol.py` line 205 says the buffer has
+  cap 100k and drops oldest. No buffer exists in the six
+  modules.
+- **Edge-endpoint preconditions claimed but not checked.**
+  `EdgeDelta` docstring (line 86) says endpoints "MUST" have
+  been previously `add_node`'d. Nothing in the wire, scheduler,
+  or log layers checks this. Enforcement, if any, is the
+  missing integrator's job.
+- **`reset()` semantics fixed, then disagreement preserved.**
+  `log.py` line 217 acknowledges the spec docstring and the
+  spec code body disagreed about whether `_event_seq` resets.
+  The maintainers chose the "seq continues" behavior in code
+  and documented the choice (good). This is correctly handled
+  but is a divergence the next reader needs to know about.
+- **No retroactive reseat (I4, I7) is presented as an
+  invariant, but a freshman would call it surprising.** A file
+  that arrives before its tool hub is permanently misplaced.
+  The user explicitly refused punted-to-frontend layout work
+  earlier today; this is a server-side equivalent of "we don't
+  fix it, you live with it." It is a real product decision and
+  it is documented; calling out for honesty: it is also a
+  source of permanent placement errors when streaming order
+  isn't perfect.
+- **Wire-layer `format_done` totals are passed in by the
+  caller** (`wire.py` line 139). The wire layer does not count
+  what it has emitted. The caller — the missing integrator —
+  must keep that total. If it's wrong, no one notices.
+- **`scheduler.submit` returning False is silent at the API
+  surface.** The integrator must observe the return. Otherwise
+  drops are real but uncounted at the call site.
+
+## 5. Self-deception check
+
+- My investment: "find issues and report them honestly." Risk:
+  overclaiming bugs that are integrator-layer questions I can't
+  see because the integrator doesn't exist. I've marked every
+  such claim with "magic" or "missing integrator."
+- Rederived `add_node` from code without reading the sibling
+  audits in this directory. Disagreement with them is evidence
+  of either my error or theirs.
+- Highest-impact invalidator: a `layout_authority.py` exists
+  somewhere I didn't search. `find ... -name layout_authority.py`
+  across both worktrees returned empty. If wrong, audit changes.
+
+## 6. Honest summary
+
+**What is known:** the six modules each compile in isolation,
+have clean docstrings, and (for geometry, lod, scheduler, log)
+are internally consistent. The wire layer has a hard
+field-name bug against the protocol it claims to encode.
+
+**What is uncertain:** every behavioral claim about
+`add_node`, `add_edge`, `request_subtree` end-to-end is
+uncertain because the integrating module does not exist.
+
+**What surfaced that wasn't in the original claim:** there is
+no `layout_authority.py`. The factory `authority_from_geometry`
+is unwired. The pending-edges buffer (I5) is documented in
+prose only. The user's "5 modules" count is off by one.
+
+## 7. Hand-offs
+
+- Implementation of `layout_authority.py` integrating the six
+  modules → engineer.
+- Definition of where `idx`/`total` counters live → architect
+  or engineer; pick one module to own the per-(domain,kind)
+  counter map.
+- Fix `wire.format_slot` to read `slot.node_id` (or rename the
+  protocol field) → trivial, but choose which side moves.
+- Verification that `request_subtree` actually re-emits
+  slots → measurement (Curie).
diff --git a/tasks/layout-authority/audits/fisher.md b/tasks/layout-authority/audits/fisher.md
new file mode 100644
index 00000000..32440f92
--- /dev/null
+++ b/tasks/layout-authority/audits/fisher.md
@@ -0,0 +1,199 @@
+# Fisher experimental-design protocol — Layout Authority at scale
+
+**Procedure.** The design *is* the experiment. Curie identified ~28 unmeasured
+quantities; this protocol pre-specifies the factorial design, randomization,
+blocking, replication, and analysis plan that would actually settle them.
+Anything observed outside this plan ships as `// STATUS: exploratory`.
+
+---
+
+## 1. Hypothesis (the causal claims under test)
+
+- **H1 (latency).** End-to-end slot-write latency p99 is determined by
+  `(N, S, K)` — node count, subscriber count, kind mix — and is independent
+  of insertion order under randomized arrival.
+- **H2 (drops).** Dead-queue dropouts are a function of `(S, K, R)` where
+  `R` = subscriber drain rate; they are zero in the `S=1, R≥emit_rate`
+  regime and grow super-linearly above a threshold fill ratio.
+- **H3 (memory).** RSS at saturation is linear in `S` and sub-linear in
+  `N` (counters scale with kinds, not nodes); Curie C13/C18 80 B/item
+  estimate is within ±20% of measured `tracemalloc` peaks.
+- **H4 (throughput).** Single-core slot/s rate is invariant under kind mix
+  for closed-form geometry (Curie C7 disagrees: memory=295 ms vs
+  setup=180 ms suggests a 60% kind effect — re-test with replication).
+
+---
+
+## 2. Factors and levels
+
+| Factor | Symbol | Levels | Role |
+|---|---|---|---|
+| Node count | N | {10⁴, 10⁵, 10⁶} | treatment (3) |
+| Subscriber count | S | {1, 10, 100} | treatment (3) |
+| Kind mix | K | symbol-heavy (70/20/10), file-heavy (20/70/10), balanced (33/33/34) | treatment (3) |
+| Hardware | H | {M-series-laptop, x86-server, CI-runner} | block |
+| Python build | P | {3.10-stock, 3.11-stock} | block |
+| Random seed | σ | 5 levels (replicates within block) | replication |
+
+**Total cells:** 3·3·3 = **27 treatment combinations**, full factorial.
+**Replicates:** 5 seeds × 2 Python builds × 3 hardware = **30 reps/cell**
+→ **810 runs total**. Power-trim (§5) reduces to ~270 if interactions
+prove negligible at first 27-run pilot.
+
+---
+
+## 3. Response variables (pre-specified, with sufficient statistics)
+
+| Symbol | Quantity | Instrument | Sufficient stat |
+|---|---|---|---|
+| L_e2e | end-to-end latency emit→subscriber recv (ns) | `perf_counter_ns()` paired timestamps | (count, sum, sum², p50, p99, max) per cell |
+| D | dropped events (count) | `_log.dropped_total` counter | (sum, max-streak) per cell |
+| M_peak | RSS peak (bytes) | `resource.getrusage(RUSAGE_SELF).ru_maxrss` + `tracemalloc.get_traced_memory()` | (max, mean) per cell |
+| T_slot | slot/s throughput | `bench_geometry`-style ns/op | (mean, sd, n) per cell |
+| Q_depth | per-priority queue depth distribution | sample every 10ms | histogram (10 buckets) per cell |
+
+**Primary endpoint:** L_e2e p99 (H1). Everything else is secondary —
+declared now to prevent post-hoc cherry-picking.
+
+---
+
+## 4. Design — randomized complete block factorial
+
+- **Block on** (H, P): each (hardware, Python) combination is a block.
+  Block effects are removed before testing treatment effects.
+- **Within each block**, run all 27 (N,S,K) cells in a randomized order
+  (Mersenne-Twister, seed = 0xF15HE2). The order is generated once,
+  written to `runs.csv`, executed by the harness, never re-shuffled.
+- **Within each cell**, replicate over 5 σ seeds. Seeds determine
+  arrival permutation of node ids and kind assignment.
+- **Warm-up:** 1 discarded run per block before measurement (JIT/page-
+  cache stabilization). Discard pre-registered, not post-hoc.
+
+**Why this structure:**
+- *Randomization* (run order) eliminates time-of-day, thermal, and
+  background-process confounds.
+- *Blocking* (H, P) removes hardware/runtime variance from the
+  treatment-effect error term — sharpens the test.
+- *Replication* (σ) estimates within-cell variance so the F-test on
+  treatment effects is well-defined.
+- *Factorial* (N×S×K) detects interactions Curie missed: e.g. does the
+  kind effect (H4) change with subscriber count? One-at-a-time would
+  never see it.
+
+---
+
+## 5. Power calculation (pre-run, not post-hoc)
+
+- Expected effect size for L_e2e p99 across N levels: log-linear, ~10×
+  per decade. Cohen's f ≈ 1.5 (huge effect).
+- Expected effect size for K main effect: ≤ 60% (Curie C7), f ≈ 0.4.
+- Expected N×S interaction: unknown — pilot first.
+- For the smallest effect of interest (K main effect, f=0.4) at α=0.05,
+  power=0.9, 3 levels: required n=21 per level → **27 runs/block × 1
+  block ≈ 90 runs covers K with margin**. The 30-rep budget is far
+  above floor.
+- Stopping rule: run all 27 cells × 5 seeds in pilot block (M-series
+  laptop, Python 3.10) — 135 runs. If K main effect F-test p>0.1 AND
+  interactions p>0.1, drop to 1 seed for the remaining blocks.
+
+---
+
+## 6. Confound audit
+
+| Potential confound | Controlled by | If uncontrolled: consequence |
+|---|---|---|
+| Time-of-day thermal throttling | randomized run order within block | latency would correlate with cell index |
+| Subscriber slow-consumer artifact | S=1 baseline + simulated 1 MB/s consumer at S>1 (pre-spec'd drain rate R) | drops blamed on emit instead of drain |
+| Insertion order (clustered vs random) | σ seed permutes arrival; report both ordered and shuffled as a 2-level factor in pilot | hash-collision artifacts inflate one cell |
+| Filesystem cache for `_wire` framing | flush page cache before each block on Linux; one warm-up run on macOS | first-run-of-block always faster |
+| GC pauses | `gc.disable()` during measurement window; record `gc.get_count()` deltas | bimodal latency distribution |
+| Network loopback variance (SSE) | localhost only; record `lo` MTU; disable Nagle on test socket | p99 inflated by transport, not authority |
+| `tracemalloc` overhead | enable only in M_peak runs (separate sub-experiment); never during L_e2e cells | latency runs slowed 30% |
+
+---
+
+## 7. Analysis plan (pre-specified)
+
+- **Primary test:** 3-way ANOVA on `log10(L_e2e_p99)` with factors
+  (N, S, K) and blocks (H, P). Model:
+  `log L = μ + α_N + β_S + γ_K + (αβ)_NS + (αγ)_NK + (βγ)_SK + (αβγ)_NSK + block + ε`.
+- **Decision rule:** report effect sizes (η²) AND F-test p-values AND
+  95% CIs. *No* "p<0.05 = significant" gate — Fisher's own objection
+  to that practice stands.
+- **Secondary:** drops vs (S, R) — Poisson regression with offset
+  `log(emit_rate × duration)`.
+- **Tertiary (exploratory, labeled as such):** hardware × treatment
+  interactions; kind-mix asymmetry within symbol-heavy.
+- **Pre-registered table of cells where Curie's claims would be
+  falsified:**
+  - C13 falsified if measured 80 B/item is outside [64, 96] B in any cell.
+  - C7 kind-mix dependence falsified if K main effect η² < 0.05.
+  - C19 (P4=64k cap) falsified if drops occur at fill ratio < 0.6 in
+    (S=100, K=balanced, N=10⁶).
+
+---
+
+## 8. Harness deliverables (engineer hand-off)
+
+1. `bench_layout_authority_factorial.py`
+   - reads `runs.csv` (pre-randomized order)
+   - emits per-run row: `(block_id, cell_id, σ, N, S, K, L_p50, L_p99,
+     L_max, D, M_peak_rss, M_peak_traced, T_slot, gc_count_delta, runtime_s)`
+   - writes to `bench_results/factorial_<isodate>.csv`
+2. `analyze_factorial.py` — runs the §7 ANOVA, prints effect-size
+   table, writes `bench_results/factorial_<isodate>_anova.json`.
+3. `runs.csv` generator — `gen_runs.py --seed 0xF15HE2 --blocks H,P`
+   produces the canonical run order; commit the CSV.
+4. Slow-consumer simulator — `sse_slow_consumer.py --rate 1MB/s`
+   used as the S>1 drain target.
+
+Naming convention `factorial_<isodate>` is load-bearing — analysis
+scripts depend on it.
+
+---
+
+## 9. Order of execution
+
+1. **Pilot block** (M-series, Python 3.10): 27 cells × 5 seeds = 135 runs.
+   ~2 hours wall. Settles power calculation for full grid.
+2. **Memory sub-experiment** (separate run, `tracemalloc` enabled): 27
+   cells × 1 seed = 27 runs. Resolves H3 / Curie C4, C13, C18.
+3. **Full factorial** if pilot reveals non-trivial interactions: 30
+   reps/cell × 27 cells = 810 runs across 6 (H,P) blocks.
+4. **Falsification tests** (§7 pre-registered): run regardless of pilot
+   outcome.
+
+---
+
+## 10. Refusal markers
+
+- Any attempt to re-shuffle runs after seeing data → exploratory tag.
+- Any new metric introduced after the harness runs → `secondary,
+  unregistered` tag in the report; cannot be the headline claim.
+- Any cell run only once and reported as evidence of an effect →
+  refused; H4 (kind-mix) specifically requires the pilot's 5 reps.
+- Single-machine results presented as "the" performance number → must
+  carry block_id; cross-block claims require ≥2 H levels.
+
+---
+
+## 11. Hand-offs
+
+- **Implementation of harness §8** → engineer.
+- **`tracemalloc` peak instrumentation** → engineer (specs in
+  curie.md §3 already; this protocol blocks them per (N,S,K) cell).
+- **Causal-graph audit of slow-consumer pipeline** → Pearl (Curie
+  flagged this; needed to interpret D vs R).
+- **Hash-uniformity audit of `_stable_hash` over the σ seed range**
+  → Mandelbrot.
+- **Long-horizon drift observation** (does p99 walk over hours?) →
+  Darwin — out of scope for this factorial; needs separate protocol.
+
+---
+
+## 12. One-line verdict
+
+The Curie audit named **28 unmeasured carriers**; this protocol pre-
+specifies the **27-cell factorial × 30 replicates** that resolves them
+without post-hoc selection. The design is the experiment; the data
+collection is clerical.
diff --git a/tasks/layout-authority/audits/fleming.md b/tasks/layout-authority/audits/fleming.md
new file mode 100644
index 00000000..73326c64
--- /dev/null
+++ b/tasks/layout-authority/audits/fleming.md
@@ -0,0 +1,110 @@
+# Fleming Audit — Structured-Serendipity Catalog
+
+> Method: anomalies arrive uninvited during routine work. The five sister
+> audits were each pursuing their own hypothesis (single specimen, periodic
+> table, bilingual decoding, neural analogy, genealogy). Each surfaced
+> *something they were not looking for*. The Fleming discipline: do not
+> clean up; investigate; publish; route. Source: Fleming 1929 BJEP 10(3),
+> 226–236; Hare 1970 Ch. 3.
+
+The contaminated plate is the audit itself. Five plates, five contaminations.
+
+---
+
+## 1. The catalog
+
+| # | Anomaly | Surfaced by | Discovered while looking for | Reproducible? | Specific? | Triage |
+|---|---|---|---|---|---|---|
+| F1 | **Lazy-registry phantom domains** — reading `reg.anchor(domain_id)` from a non-domain code path *creates* a domain registration with frozen anchor and no SlotAssignment ever emitted. A typo'd domain_id permanently consumes a spiral index. | McClintock §7 | Tracing one specimen through every module | yes (deterministic; exhibited via `kind='file'` counterfactual) | yes (only `_DomainRegistry.index_for` triggers it; only `kind != 'domain'` paths exhibit) | **investigate** |
+| F2 | **Reservation/population metric drift** — domains placed in different reservation epochs (n=16 vs n=33) live in different metric coordinate systems; existing anchors never recompute. | McClintock §4 | Same single-specimen trace | yes (deterministic across reservation crossings) | yes (only at reservation-boundary crossings, n=16, 32, 48, …) | **investigate** |
+| F3 | **Index-0 axis degeneracy** — the first domain to register lands at exactly `theta=0` (due-east), the one place where a Fibonacci spiral has undefined spread. | McClintock §3 | Same | yes (mathematical, not empirical) | yes (only `idx=0`) | **note + monitor** |
+| F4 | **node_id collision is unguarded** — `_slots` is keyed by node_id alone; a second `add_node` with the same id silently overwrites. The protocol docstring says "stable, unique"; nothing enforces it. | McClintock §8 | Counterfactual exploration of gate 4 | yes (verified by reading `_place_node`) | yes (any kind, any caller) | **investigate** (real gap) |
+| F5 | **`entity` declared but unimplemented** — `NODE_KINDS` lists `entity`, but `compute_slot` has no branch; falls through to anchor fallback, silently colliding with the domain node at `(x,y) == anchor`. | Mendeleev §"Outliers" | Building the periodic table | yes (verifiable by counting nodes at anchor in any current slot stream) | yes (only `kind=='entity'`) | **investigate** (real bug) |
+| F6 | **Whole inward hemisphere is empty** — only `mcp` lives on the cross-domain inward face; the column predicts ≥5 more inhabitants. ~90% of the inward space is unused, which is *why cross-domain edges look like a tangle*. | Mendeleev §"Missing-family" | Looking for empty cells | yes (visual; measurable as edge-length distribution) | yes (cross-domain edges only) | **investigate** |
+| F7 | **L0 row has no member** — every domain is treated as a top anchor with no parent; multi-project deployments have no `super_domain`. | Mendeleev §"Missing-family" | Same | yes (structural; verifiable when >1 repo loads) | yes (multi-project case only) | **note** (predicted-but-not-yet-pressing per Mendeleev §3) |
+| F8 | **Symbol slotting drift — JS force-driven vs Py deterministic petal** — Python `slot_for_symbol` produces a closed-form petal; JS uses random seed + force simulation. Visibly different layouts guaranteed for any graph with symbols. The Python docstring claim of "match JS conventions" is *false* for symbols. | Champollion Drift 1 | Constant-by-constant translation | yes (byte-level diff; both code paths readable) | yes (only `kind=='symbol'`) | **investigate** (the Python module is lying to its caller) |
+| F9 | **Two dead constants in Python** — `SYM_R_OUTER=290`, `SYM_R_SPREAD=32` declared, never referenced. | Champollion Drift 2 | Same translation | yes (grep confirms zero callers) | yes (two named symbols) | **discard with note** (low impact; trivial cleanup) |
+| F10 | **`outward` is polysemous** — used as both *radial direction from center* and *axis from which local tool angles are measured*. Not byte-level drift, but a Wittgenstein-flagged collision. | Champollion Drift 4 | Same | yes (two call sites use two meanings) | yes (just the word `outward`) | **note** |
+| F11 | **Activity-dependent pruning is absent** — files with zero symbols still consume a sector angle in the FILE_R shell, biasing nearby placements outward. ~30–50% of files in a fresh scan have zero exported symbols. | Kekulé §4 | Mapping the cortex analogy | partially (count of zero-symbol files measurable; visual impact requires before/after) | yes (only zero-symbol files) | **investigate** |
+| F12 | **Bridge persists by genealogy, not necessity** — `destroy + remount` was a 14-hour political truce on 2026-04-22 with the legacy force-graph renderer. The renderer is gone; the truce remains. The 400/500/5000ms debounce constants are uncited. | Foucault | Tracing the genealogy of one file | yes (three commits; SHAs given) | yes (single file: `workflow_graph_bridge.js`) | **investigate** (active source of session freezes) |
+| F13 | **Wire frame redundancy for domain nodes** — every domain frame pays ~20 B because `node_id` and `domain_id` are the same string by gate-4 contract. | McClintock §5 | Single-specimen trace | yes (every domain frame) | yes (only `kind=='domain'`) | **discard with note** (cheap at scale; cosmetic) |
+
+13 anomalies. 8 routed for investigation, 2 routed as note-and-monitor, 2 discarded with note, 1 deferred (F7).
+
+---
+
+## 2. Ranking by potential impact
+
+Criteria: (a) does it cause user-visible misbehavior today? (b) does it block scaling? (c) does it falsify a stated invariant or docstring claim? (d) is the fix small relative to the impact?
+
+| Rank | Anomaly | Severity reasoning | Cost-to-fix |
+|---|---|---|---|
+| **1** | **F12 — Bridge destroy/remount** | Causes every freeze in current session. Active production-class symptom. Architectural alternative already implemented in sibling file (`workflow_graph_tilemap.js`). | medium (delete + delegate to tilemap, or rewrite as long-lived service). The cost of *not* fixing is higher: every phase event = full re-simulate. |
+| **2** | **F5 — `entity` unimplemented** | Declared kind silently colliding at the domain anchor is a correctness bug. Knowledge-graph work depends on this. | small (one branch in `compute_slot` per Mendeleev §1, ~20 LOC). |
+| **3** | **F8 — Symbol slot JS↔Py drift** | The Python module's docstring is false. Drift between server and client placement of any symbol-bearing graph. Champollion's recommendation is *delete* `slot_for_symbol` (route a). | small (delete a function + 2 constants; F9 falls out for free). |
+| **4** | **F4 — node_id collision unguarded** | Protocol docstring promises uniqueness; no enforcement. Silent overwrite in `_slots`. High-stakes (data-integrity per coding-standards §10). | small (one assert, or document overwrite as intentional). |
+| **5** | **F1 — Phantom-domain via lazy anchor read** | Typo'd domain_id permanently consumes a spiral index. Hidden state-corruption path. | small (require explicit `register_domain` call, or guard the lazy read). |
+| **6** | **F6 — Empty inward hemisphere** | The visual tangle of cross-domain edges that motivates user complaints. Mendeleev predicts 5 missing kinds; populating any one of them improves visible structure. | medium per missing kind; structural pattern is the larger payoff. |
+| **7** | **F11 — Activity-dependent pruning absent** | Visual density loss at scale (~30–50% of files are silent). O(1) fix per Kekulé §4; preserves Pattern 1. | small (one extra counter; lazy debounce). |
+| **8** | **F2 — Reservation/population metric drift** | Two epochs of domains live in different metric systems. Manifests as visible jumps when a domain crosses the n=16 boundary. | medium (recompute existing anchors on growth, or pin reservation = expected-final). |
+| 9 | F3 — Index-0 axis degeneracy | One pinned point on +x axis. Cosmetic unless build-worker enumeration order is unstable. | small (jitter idx=0 by half a golden-angle step, or document). |
+| 10 | F10 — `outward` polysemy | Readability cost only; no current bug. | small (rename one use site). |
+| 11 | F7 — L0 row missing | Predicted but not pressing until multi-project. | medium (defer per Mendeleev §3). |
+| 12 | F9 — Two dead constants | Trivial; falls out of F8 fix. | trivial. |
+| 13 | F13 — Wire-frame redundancy | Cosmetic. ~20 B/frame at our scale. | trivial. |
+
+---
+
+## 3. Fleming-discipline recommendation: which deserve follow-up
+
+**Investigate now (the contaminated plates worth subculturing):**
+
+- **F12** — the bridge. The freeze is the lysis zone. Foucault's hand-off to engineer + Galileo is the right next step. The genealogy *itself* should be filed as an ADR so the next session does not re-petrify the truce.
+- **F5** — `entity`. A declared-but-unimplemented kind is exactly Fleming's "noticed contamination": the protocol speaks of it; the geometry is silent. Hand-off: engineer (Mendeleev §"Hand-offs").
+- **F8 + F9** — symbol slotting. The Python module is making a false docstring claim. Resolution forces a decision (which language is authoritative); the decision retires F9 for free. Hand-off: engineer + a SPEC.md tablet (Champollion).
+- **F4** — node_id collision guard. One assert, high-stakes per coding-standards §10. Hand-off: engineer.
+- **F1** — phantom domains. Hand-off: Feynman integrity check (intentional or oversight?), then engineer.
+
+**Publish now without development (Fleming's 1929 paper move):**
+
+- **F6** — empty inward hemisphere. The pattern is real even if the population is not yet built. *Publish the periodic-table column*; let a future session populate it. Mendeleev already routed the falsifiability tests to Curie.
+- **F11** — activity-dependent pruning. *Publish the analogy* (Kekulé already did) and the predicted O(1) fix; defer implementation until a measurement (Curie) confirms the visual density loss is significant.
+- **F2** — reservation metric drift. *Publish the finding*; defer the fix until a domain-count growth event makes it user-visible.
+
+**Note and monitor (the discards inspected before binning):**
+
+- **F3** (index-0 axis), **F10** (`outward` polysemy), **F13** (wire redundancy) — log in `tasks/layout-authority/anomaly_log.md`, do not act unless they recur with new evidence.
+
+**Defer:**
+
+- **F7** — L0 row. Predicted but not yet pressing; revisit when multi-project lands.
+
+---
+
+## 4. Readiness audit (was the environment serendipity-ready?)
+
+| Condition | State on 2026-04-28 | Serendipity-ready? |
+|---|---|---|
+| Anomaly visibility | Each genius audit had license to surface things outside its hypothesis | **yes** — without that license, none of F1–F13 would have surfaced |
+| Discard inspection | McClintock's counterfactuals (§7, §8) deliberately probed paths the protocol does not document | **yes** |
+| Log retention | Per-audit files under `tasks/layout-authority/audits/` preserve raw observations | **yes** |
+| Interruptibility for investigation | Each anomaly was followed up *within* the same audit, not deferred | **yes** |
+| Publication discipline | All five audits published findings without requiring a fix | **yes — Fleming-pattern** |
+
+The environment was structured for serendipity. The 13 anomalies above are the proof.
+
+---
+
+## 5. Hand-offs
+
+- **F12, F5, F8/F9, F4, F1** → engineer (concrete fixes; small to medium).
+- **F1** → Feynman (intentional or oversight?) before engineer.
+- **F6, F11** → Curie (instrumented measurement before development).
+- **F2** → Darwin (long-horizon; observe across many builds).
+- **F3, F10, F13** → `anomaly_log.md` (note-and-monitor).
+- **F7** → Mendeleev (revisit when multi-project lands).
+- **The genealogy of F12** → ADR author so the next session inherits the finding.
+
+---
+
+*Plates surveyed: 5. Contaminations cataloged: 13. Sub-cultured for follow-up: 5. Published without development: 3. Discarded with note: 3. Deferred: 1. Cleaned up and lost: 0.*
diff --git a/tasks/layout-authority/audits/foucault.md b/tasks/layout-authority/audits/foucault.md
new file mode 100644
index 00000000..f7d35e9b
--- /dev/null
+++ b/tasks/layout-authority/audits/foucault.md
@@ -0,0 +1,97 @@
+# Genealogy of `workflow_graph_bridge.js` — Foucault Audit
+
+> "What is questioned is the way in which knowledge circulates and functions, its
+> relations to power. In short, the *régime du savoir*." — Foucault, *The Subject
+> and Power* (1982)
+
+## Target practice
+
+The "destroy + remount on every `state:lastData` event" pattern in
+`ui/unified/js/workflow_graph_bridge.js`. It is currently the load-bearing source
+of every freeze in this session. It appears, to the reader of the file, as
+common-sense engineering: "of course you tear down the old D3 simulation before
+mounting the new one — that's how you avoid leaks." The genealogy will show
+that this *common sense* was constructed in 13 days, by three commits, under
+specific contingent pressures that no longer obtain.
+
+## Genealogy — three commits, three power arrangements
+
+| Date (2026) | SHA | Arrangement that produced the code | What was excluded |
+|---|---|---|---|
+| 04-22 09:10 | `8371b9d` | A *legacy force-graph renderer* (`graph.js` + a CDN-loaded `force-graph` library) already owned `#graph-container` and animated continuously. The new D3 workflow graph had to *coexist* with it inside the same DOM host. The bridge was born as a **deportation officer**: detect "is this a workflow_graph.v1 payload?", and if yes, evict the legacy children, pause the legacy animation, and mount D3 in a wrapper. `destroy()` here meant *destroy the previous D3 handle so the new payload's force sim doesn't fight the old one*. | A *single-renderer* world. Replacing the legacy pipeline outright was politically impossible: `polling.js`, `detail_panel`, `controls`, `monitor` all spoke `JUG.setGraphData` / `JUG.getGraph`. The bridge was a *truce*, not a design. |
+| 04-22 11:30 | `e98e1e5` | Twelve hours later, the legacy renderer was *retired in spirit but not in law*: the CDN was commented out, `window.ForceGraph` became an inert Proxy, `workflow_graph_shims.js` stubbed the JUG surface. **Yet the bridge gained a `MutationObserver` that continuously re-removes legacy children.** The observer is a monument to a war that ended that morning. The legacy renderer no longer mounts canvases — but the bridge still patrols the host as if it might. | The opportunity to *delete the bridge*, since its raison d'être (coexistence with force-graph) had just been removed. Instead the bridge was *hardened* — the `removeChild` was upgraded from `display:none`, the observer was added "in case Safari re-mounts." The colonial garrison stayed after independence. |
+| 04-22 23:40 | `be606fb` | The phase-driven loader landed (`/api/graph/phase?name=L0…L6:<proj>`). Each phase publishes nodes; `polling.js` writes them to `JUG.state.lastData`; the bridge's listener fires *per phase*. Now, on a 10k-symbol project, the listener fires 6–20 times in 30 seconds, each time **destroying the running D3 force simulation and rebuilding from scratch**. The author noticed the freeze and added a 400 ms / 500 ms / 5000 ms three-tier debounce — a rhetorical gesture toward incremental update without performing one. | An *append/diff* protocol: receive phase deltas, add the new nodes to the running simulation, let it relax. This was *unspeakable* because the bridge's discourse was already organized around the verb `render(data)` — a total-state replacement primitive inherited from the 04-22 morning truce. |
+
+## Discourse formation — what the bridge is allowed to say
+
+| Rule | Description | Effect |
+|---|---|---|
+| Authorized speakers | Only `state:lastData` events. The phase loader cannot speak directly to D3. | Every phase boundary becomes a full re-render. |
+| Legitimate verb | `render(data)` — a total-state replacement. There is no `appendNodes(delta)`. | Incremental layout is unsayable. |
+| Legitimate evidence | "Did the user freeze?" → answer with debounce constants. | Algorithmic cause (O(N) re-simulate per phase) is invisible — only its *symptom* (jank) is discussable, and only via wait-time tuning. |
+| Excluded vocabulary | "Layout authority", "stable simulation", "phase-aware update", "tile pipeline owns layout". | The architectural alternative cannot be named within the file. |
+| Boundaries | The bridge is forbidden from knowing what `JUG.renderWorkflowGraph` does internally — it must treat it as a black box with `destroy()`. | The simulation cannot be *kept alive* across data updates because the discourse forbids knowing whether it could be. |
+
+## Power/knowledge analysis
+
+- **Knowledge produced:** "Rendering 10k nodes in the browser is hard; you must debounce." This appears as a neutral engineering fact.
+- **Produced by:** the legacy-force-graph regime, which only ever knew total replacement (`setGraphData(nodes, edges)` is itself a destroy-and-remount primitive — ForceGraph's API has no append).
+- **Serves:** the convenience of leaving `polling.js` and the JUG event bus untouched. The bridge absorbs all complexity so the rest of the codebase keeps speaking the legacy idiom.
+- **Excludes:** the knowledge that D3 v7's force simulation is *explicitly designed for incremental updates* — `simulation.nodes(newArr)` adds nodes without resetting α, and `alpha(0.3).restart()` warm-resumes. The bridge's `destroy()`-then-mount loop *throws away free physics every 500 ms* because the discourse cannot see this option.
+
+## Archaeology of assumptions
+
+| Assumption baked into the bridge | Makes possible | Would change if false |
+|---|---|---|
+| "A renderer owns its DOM exclusively; if data changes, the renderer is replaced." | The `destroy + ensureWrapper + new render` cycle. | Renderer becomes a *long-lived service* with `update(delta)` — no destroy on data event. |
+| "`state:lastData` is the canonical, monolithic source of truth." | The whole-payload re-render on every phase. | Phase events become first-class: bridge subscribes to `state:phaseAppended` and forwards a *delta*, never the whole payload. |
+| "The bridge cannot trust the renderer to be alive between events." | Defensive `if (_handle) _handle.destroy()`. | The renderer *guarantees* liveness; bridge becomes a one-shot mounter, never a re-mounter. |
+| "Layout is computed in the browser, on the main thread, every time data arrives." | The freeze. The freeze is the *necessary symptom* of this assumption. | If layout authority moves to the server (the tilemap pipeline already exists in this repo: `workflow_graph_tilemap.js`, `layout_worker_main.py`, `layout_pg_store.py`), the bridge's destroy/remount becomes irrelevant — tiles are streamed, not recomputed. |
+
+## Subject positions the discourse creates
+
+| Position | Occupied by | Authority | Constraint |
+|---|---|---|---|
+| The Bridge | `workflow_graph_bridge.js` | Decides *whether* to render and *when*; owns the wrapper DOM. | Cannot decide *how* — must call `JUG.renderWorkflowGraph` as opaque oracle. |
+| The Renderer | `JUG.renderWorkflowGraph` | Owns layout math, force sim, canvas/SVG paint. | Treated as stateless from the bridge's perspective; loses identity on every event. |
+| The Polling Loop | `polling.js` | Sole publisher of `state:lastData`. | Cannot signal "this is an append, not a replace" — the channel has only one verb. |
+| The User | (silent) | Sees freezes. | Has no vocabulary in the codebase to demand "incremental update" — only "make it faster", which the debounce knobs pretend to address. |
+
+## Contingency finding
+
+The destroy/remount pattern is **not** common-sense engineering. It is a fossil
+of three contingent pressures, each now obsolete:
+
+1. **The 09:10 truce** with a legacy force-graph renderer that no longer exists.
+2. **The 11:30 garrison** kept after the war ended — a `MutationObserver`
+   patrolling for an enemy that was already disarmed.
+3. **The 23:40 debounce** that papered over an O(N) re-simulate the bridge's
+   discourse made it impossible to replace with O(Δ).
+
+None of these conditions hold today. The legacy renderer is gone. The phase
+loader exists and could publish deltas. The tilemap pipeline already moved
+layout authority to the server for >1M-node graphs (commit `dba2f16`,
+2026-04-28) — proving the alternative is not only thinkable but *already
+implemented in a sibling file*. The bridge's pattern persists by inertia of
+discourse, not by necessity.
+
+What appears as common-sense engineering ("destroy before remount, of course")
+is the petrified residue of a 14-hour political settlement on 2026-04-22.
+
+## Hand-offs
+
+- **Constructive redesign of the bridge as long-lived service with `update(delta)` API** → Alexander (pattern language) + architect.
+- **Empirical confirmation that incremental D3 update closes the freeze** → Galileo / Mill (measurement, A/B against current debounce).
+- **Migration path: bridge subscribes to phase events instead of `state:lastData`, or delegates layout to tilemap entirely** → engineer; precedent already merged in `workflow_graph_tilemap.js`.
+- **Document the genealogy in an ADR so the next session does not re-petrify the truce** → ADR author.
+
+## Compliance check (coding-standards.md)
+
+| Rule | Status | Note |
+|---|---|---|
+| §1.1 SRP | fail | Bridge does: detection, DOM eviction, MutationObserver patrol, debounce scheduling, render orchestration, view-switch reflow. Six reasons to change. |
+| §2.2 Layer dependency | pass | Bridge sits in handlers/UI layer; does not violate inward arrows. |
+| §6.1 Root-cause thinking | fail | The 23:40 debounce is a §6.1 textbook band-aid: fix at throw site (jank), not at classified cause (total re-render on append-shaped data). |
+| §7.2 Local reasoning | fail | Three nested setTimeout closures + MutationObserver + module-scoped `_handle/_lastPayload/_pendingRender/_renderTimer/_firstRenderDone/_firstDeadline` — behavior is not predictable from the surrounding text. |
+| §8 Sources | fail | Constants `400`, `500`, `5000`, `80`, `50`, `60` have no citation, no benchmark, no measurement record. Invented numbers. |
+| §9 Anti-patterns | fail | "Catching errors just in case" (`try { _handle.destroy(); } catch (_) {}`) — three sites. Empty catches with no named failure mode. |
diff --git a/tasks/layout-authority/audits/gadamer.md b/tasks/layout-authority/audits/gadamer.md
new file mode 100644
index 00000000..b9d64a68
--- /dev/null
+++ b/tasks/layout-authority/audits/gadamer.md
@@ -0,0 +1,128 @@
+# Gadamer — Hermeneutic Audit of the Audits
+
+> Understanding is fusion of horizons, not extraction of fact. Four audits
+> already agree the failure is "renderer-owned layout." That agreement is
+> not vindication — it is a horizon. This audit makes that horizon visible
+> and asks what the problem looks like *from outside it*.
+
+## 1. Pre-understanding audit (the interpreter declares his horizon first)
+
+| # | Pre-understanding I bring | Status after reading |
+|---|---|---|
+| P1 | The four audits triangulate a finding (Mill's necessity, Ginzburg's smoking gun, Foucault's discourse, Propp's missing function). | **Confirmed at one level, overturned at another** — they triangulate the same answer because they were posed the same question. |
+| P2 | "Layout authority on the server" is the truth of the problem. | **Challenged.** It is the truth *within a horizon* that takes "graph + layout" as the unquestioned object. |
+| P3 | The user's constraints (8 MB / 1–2 s / N=10⁹ / "same UI") are external givens. | **Overturned.** The constraints are co-constitutive of the horizon: they presuppose that the deliverable is a node-positioned-in-2D rendering. |
+
+## 2. The text's horizon (what each audit was built to address)
+
+| Audit | Question it answers | Vocabulary it must use |
+|---|---|---|
+| Mill | "Across 10 iterations, what condition co-occurs with success?" | Cases, conditions, presence/absence, A·¬B·D |
+| Ginzburg | "What involuntary trace exposes the wrong assumption?" | Earlobes, scars, smoking gun, single owner |
+| Foucault | "What contingent power arrangement produced the destroy/remount pattern?" | Discourse, exclusion, subject positions, garrison |
+| Propp | "What function is missing from the iteration narrative?" | Lack, liquidation, role, False Hero, Princess |
+
+All four take as **given**:
+- the deliverable is a *graph rendering* (nodes drawn at 2D positions);
+- the work to be done is *layout* (assigning coordinates to node ids);
+- the scaling target is N=10⁹ *visible-style* nodes;
+- the constraint is *same UI as today*.
+
+These are not findings. They are the **shared horizon** within which all four findings are intelligible.
+
+## 3. The interpreter's horizon (what I bring, declared)
+
+- Concern: the user has run six iterations and four audits in one session and the answer keeps converging. Convergence in hermeneutics is suspicious — it can mean truth, or it can mean the question never changed.
+- Question I bring: "What does the problem look like to a horizon that does *not* take 'graph layout' as the deliverable?"
+- Conceptual frame: Gadamer's *Wirkungsgeschichte* — the history of effects. The audits are not neutral observers; they are themselves shaped by the four-week effective history of `workflow_graph.js`.
+
+## 4. Hermeneutic circle — three iterations
+
+### Iteration 1 — whole-then-parts
+
+Initial reading of the whole: "Four audits agree the renderer must not own layout. Server-owned, append-only, single-producer. Done."
+
+Parts examined: each audit's section §4 / §5 / §1. All four end at the same conclusion.
+
+Revision: the agreement is a *family resemblance*, not a triangulation. Mill's `A·¬B·D` and Propp's `F14 (Recognition of Layout Authority)` are the same sentence in different dialects.
+
+### Iteration 2 — parts force a revised whole
+
+What the parts share that I had not seen:
+
+- Mill's case table treats *node positions* as the dependent variable.
+- Ginzburg's smoking gun is "no single owner of `(node_id) → (x, y)`."
+- Foucault's discourse forbids "incremental update" — but only because the discourse already assumed *something must be updated incrementally*.
+- Propp's Princess is "single owner of (node_id)→(x,y)."
+
+**Every audit's load-bearing object is the tuple `(node_id, x, y)`.** The horizon's stake is that this tuple must exist and must have an owner.
+
+Revised whole-reading: the audits do not ask "should this tuple exist?" They ask "who owns it?"
+
+### Iteration 3 — what fuses
+
+The user's effective constraints — read against the audits — admit a fusion the audits did not perform. cost-model.md §1 derives a 1 ns/node budget from N=10⁹ and T=1–2 s. §6 disqualifies every technique that does work *per-node*. The closed-form geometry survives only because it never *looks at* the graph — slot is a pure function of `(domain, kind, idx, total_in_kind)`. **The "graph" is not used to compute the layout.** It is used only to decide which slot's bucket gets `+= 1`.
+
+Fused reading: at N=10⁹, the deliverable is no longer a graph. It is a **density field over a parameter space**, sampled at points indexed by `(domain, kind, idx)`. The "nodes" are bucket increments. The "edges" are not consulted by the placer at all (cost-model §2.4: *edges exist for the renderer, not for the placer*).
+
+The audits answered "who owns the tuple?" because they took for granted the tuple was the unit of work. At 10⁹ the unit of work is the bucket counter, not the tuple.
+
+## 5. Charitable reading of each audit (the strongest version)
+
+| Audit | Strongest reading |
+|---|---|
+| Mill | Within the horizon "graph with assigned positions," `A·¬B·D` is the minimal sufficient configuration. The blind-spot section already concedes "limited diversity" — C, E, ¬F never vary. |
+| Ginzburg | The smoking gun is real: five claimants to `(node_id)→(x,y)`, no contracted producer. **Within the horizon**, this is the failure. |
+| Foucault | The destroy/remount pattern is genealogically contingent. **Within the horizon of "renderer + data event,"** the contingency is liberating: it can be redesigned. |
+| Propp | F14 (Recognition of Layout Authority) names the structural gap **assuming the role exists**. The grammar requires it. |
+
+All four are correct *within* the horizon. None is wrong. The fused reading does not refute them; it asks whether the horizon is the only one available.
+
+## 6. Mode identification (Erklären vs Verstehen)
+
+- The audits are mostly *Erklären* — causal/structural explanation: "B causes Y=0," "the discourse excludes append," "F13 cannot fire while F14 is absent."
+- The user's framing ("neural graph") is *Verstehen* — meaning-laden: a graph is a thing that signifies relatedness, with nodes as bearers of identity.
+- **Mode mismatch** at N=10⁹: the meaning-claim ("the user can *see* the neural graph of 10⁹ memories") cannot be satisfied by the explanation-mode answer ("compute and stream tuples faster"). At 10⁹ no human reads 10⁹ tuples. The display surface delivers ~10⁷ pixels. **Beyond ~10⁷ tuples the deliverable is necessarily a statistical summary** — a density field, an aggregate, a sketch. The audits answer the explanation question; the meaning question is unaddressed.
+
+## 7. Horizon fusion — what the text says to *this* interpreter
+
+The user's two explicit interdictions are "not force-graph" and "not raster (Datashader gave 'ugly')." Both are *within-horizon* refusals: force-graph is one renderer of `(node_id, x, y)`; raster is a second. The third interdiction — the one the user has not stated because the horizon does not permit stating it — is the one the audits expose by their unanimous focus on tuple-ownership: **"not a graph rendering at all."**
+
+Fused reading:
+
+1. At N≤10⁵, "graph rendering" is a coherent deliverable. Tuples exist; the user reads them. `workflow_graph.js`'s `prepareTopology` was correct for its horizon.
+2. At 10⁵ < N < 10⁷, "graph rendering with viewport tiling" is coherent. Layout-authority-on-server (the audits' answer) is correct here.
+3. At N≥10⁷, the tuple-per-node deliverable cannot be experienced by any user — it exceeds the display surface and the perceptual surface. The deliverable must shift category: not "graph" but **"map"** (cartographic summary), or **"index"** (queryable structure with on-demand drill-in), or **"projection"** (low-dimensional embedding visualised at uniform density).
+4. The closed-form geometry the cost-model already specifies (slot = pure function of `(domain, kind, idx, total_in_kind)`) is **already not a graph layout**. It is a deterministic density-field assignment that *happens to* coincide with graph layout at small N. At 10⁹ the user is not being shown a graph; they are being shown the density field of memory under the projection `(domain × kind)`. The audits do not name this because their horizon names the same artefact "layout."
+
+## 8. Surprises (where the text overturned my pre-understanding)
+
+| # | Pre-understanding | What the text revealed |
+|---|---|---|
+| S1 | Four audits agreeing means the answer is settled. | Four audits answer the same question. The question itself was never put under scrutiny. |
+| S2 | "Layout authority" is a structural claim about the system. | It is a claim **within** a horizon that takes `(node_id, x, y)` as the unit of meaning. The horizon is contingent. |
+| S3 | The user's "not force-graph, not raster" exhaust the alternatives. | They exhaust the *renderer* alternatives within graph-rendering. The unstated alternative is *not-graph-rendering*. The cost-model derivation already half-performs this move (slot is a pure function of bucket coords, not of graph topology) without naming what it has done. |
+
+## 9. What breaking the circle would look like (concretely)
+
+Not as recommendation, as horizon-extension:
+
+1. **Reframe at scale:** below ~10⁵ nodes, deliver graph (the four audits' answer applies). Above ~10⁷, deliver *map* (density tiles indexed by `(domain × kind)`, drill-in returns subgraph at <10⁵). The seam at 10⁵–10⁷ is the only place graph-layout discipline matters.
+2. **Stop calling the artefact a graph at scale.** The closed-form geometry is already a hash-into-screen-space; the user is reading a 2D histogram of memory by `(domain, kind)`. Naming it "graph layout" is the petrified residue Foucault's audit identified — but one level deeper than that audit reached.
+3. **Edges are a separate deliverable.** cost-model §2.4 says it. The audits do not internalise it. At 10⁹ nodes, edges are not drawn — they are *queried* on focus. The ER-graph metaphor is a query interface, not a render.
+
+## 10. Hand-offs
+
+- **Empirical validation of the horizon shift** → Curie / Galileo: at what N does pixel-density exceed user-perceptual capacity? Where is the seam?
+- **The "graph at small N, map at large N" reframe** as an architectural pattern → Alexander.
+- **Power analysis of why the horizon persists** (whose interest is served by calling the 10⁹-node artefact a "graph"?) → continued by Foucault at one level up: not "destroy/remount" but "render-as-graph."
+- **Argument structure of "the deliverable changes category at scale"** → Toulmin.
+
+## 11. Compliance with own discipline
+
+- Pre-understanding audit performed (§1) — declared, three put at risk, two overturned.
+- Hermeneutic circle: three iterations (§4) — whole→parts→whole→parts→fused whole.
+- Charitable reading constructed (§5) **before** any divergence (§7).
+- Mode identification (§6) — Erklären vs Verstehen mismatch named.
+- Surprise log (§8) — three points where pre-understanding was overturned.
+- The audit does **not** claim the four prior audits are wrong. It claims they are *complete within their horizon* and that horizon has an outside.
diff --git a/tasks/layout-authority/audits/galileo.md b/tasks/layout-authority/audits/galileo.md
new file mode 100644
index 00000000..d6748776
--- /dev/null
+++ b/tasks/layout-authority/audits/galileo.md
@@ -0,0 +1,138 @@
+# Galileo audit — idealization of the Cortex layout authority
+
+Strip every secondary effect (network jitter, GIL, browser GC, SSE proxy buffering, syscalls, interpreter dispatch, allocator) and ask: what is the **fundamental law** the system would obey if all friction vanished? Then check what the current design fights vs accepts.
+
+## 1. Phenomenon
+
+Place N nodes (target N = 10⁹) in 2D for a Cortex graph viewport, working‑set ≤ 8 MB, end‑to‑end build/stream ≤ 1–2 s. The "8 MB IoT" framing is: can the layout authority be reduced to a constant‑memory, constant‑time‑per‑node oracle that runs at the speed of its own arithmetic?
+
+## 2. Variable decomposition (essential vs friction)
+
+| Variable | Essential? | Rationale |
+|---|---|---|
+| `domain_index → anchor` (Fibonacci spiral) | **Essential** | The phenomenon IS positional placement. Without this map there is no layout. |
+| `kind` (domain/tool_hub/file/symbol/discussion/memory/mcp) | **Essential** | Selects which closed‑form helper applies; cannot be removed without erasing the visual grammar. |
+| `idx_in_kind`, `total_in_kind` | **Essential** | Sole inputs needed to deterministically distribute siblings within a kind's sector/ring. |
+| `parent_slot` (symbol→file petal) | **Essential** | The only allowed "graph" lookup — bounded depth 1, O(1). Carries the parent‑child binding that makes symbol clouds readable. |
+| Fixed radii / sector half‑widths (SETUP_R, TOOL_R, FILE_R, SECTOR_*) | **Essential** | Shell separation invariants — without them shells fuse. Copy‑verbatim from `workflow_graph.js`. |
+| Network jitter / SSE proxy buffering | Friction | Transport, not geometry. Slot is correct independent of when it arrives. |
+| GIL contention, Python interpreter overhead | Friction | Each slot is mathematically defined; interpreter merely realizes it slowly. |
+| Browser GC pauses, render frame timing | Friction | Renderer cadence does not change `(x,y)`. |
+| OS context switches, syscall cost | Friction | Same. |
+| Edge list, full graph topology | Friction (for the placer) | Edges are renderer concerns. Slot does not depend on E. |
+| Force‑step iteration count (d3‑force, DrL) | Friction (and disqualifying) | The fundamental law has no time dimension; iteration is an admission that the placer doesn't know the answer in closed form. |
+| Spatial index (quadtree) for *placement* | Friction | Quadtree is a *retrieval/render* index, not a placement input. |
+| Per‑event recompute of all siblings | Friction | A symptom of state coupling that the closed‑form law denies. |
+| `prepareTopology` O(N+E) pre‑pass | Friction | Entire pass disappears if `(idx_in_kind, total_in_kind)` are tracked by the producer's counter dict. |
+
+## 3. The idealized system (frictionless law)
+
+```
+slot : (domain_index, kind, idx_in_kind, total_in_kind, parent_slot?) → (x, y)
+```
+
+Properties of the idealized law:
+
+1. **Pure function.** No hidden state, no mutation, no time. Same inputs → same `(x,y)` forever.
+2. **O(1) per node.** No iteration over siblings, no global pass, no graph traversal beyond the single optional parent dereference (depth 1).
+3. **State is O(domains × kinds), not O(N).** ~528 B counter table. The "8 MB IoT" budget is met with five orders of magnitude to spare.
+4. **Insertion of node #10⁹ costs the same as node #1.** The fundamental law is acceleration‑free in N: distance from idle to placed is independent of crowd size, exactly as Galileo's idealized fall is independent of mass.
+5. **Edges do not enter the placer.** The placer's domain is geometry; the edge list is the renderer's concern.
+
+This already exists, almost cleanly, in `mcp_server/server/layout_authority_geometry.py` (218 lines, all closed‑form, all `O(1)` branches, no loops over N). That file IS the idealized Galilean law. Everything else in `layout_authority_*` is friction management.
+
+## 4. The inclined plane (slow‑down to observe)
+
+10⁹ nodes is too fast to inspect. Run the same closed‑form law at N = 10⁶ on one core (current `bench_layout_authority.py`) and the dynamics are preserved exactly — only the rate scales:
+
+```
+Measured: 3.4–5.6 M slots/s/core   (180–300 ns/slot, pure Python)
+Required: ~10 ns/slot               (1 ns × ~10× headroom)
+Gap: ~20–30× — closes via numpy‑vectorised batch + multi‑core fan‑out
+```
+
+The geometry itself (the law) is no longer the bottleneck. The inclined plane confirms it; the rest is transport.
+
+## 5. Quantitative measurements (not impressions)
+
+| Qualitative claim | Measurement | Value |
+|---|---|---|
+| "Closed form is fast enough" | bench_layout_authority.py | 3.4–5.6 M slots/s/core |
+| "State is small" | 11 dom × 6 kinds × 8 B counter | 528 B |
+| "Event log is bounded" | `_EVENT_LOG_CAP × ~112 B` | ≈ 56 MB (Fermi) — **busts 8 MB** |
+| "Subscriber queues are bounded" | `_SUBSCRIBER_QUEUE_CAP × 112 B` | ≈ 11 MB per slow client — **busts 8 MB** |
+| "Scheduler queues fit budget" | sum of `QUEUE_SIZES` × 80 B | ≈ 19 MB — **busts 8 MB** |
+| "10⁹ nodes in 1–2 s end‑to‑end" | Fermi bracket via SSE + render | 10⁴–10⁵ s ≈ 3–30 h (×4 with edges) |
+
+The geometry meets the IoT 8 MB budget. **The transport stack does not.** The law is frictionless; the channel that carries it is where the actual mass sits.
+
+## 6. Authority vs observation
+
+| Authority claim | Direct observation | Verdict |
+|---|---|---|
+| "The authority is a pure function `(dom,kind,idx,total,parent?)→(x,y)`" | `layout_authority_geometry.py` is exactly this | **Confirmed.** |
+| "Working set ≤ 8 MB" (cost‑model.md §3) | log + scheduler + subscriber queues sum to tens of MB (Fermi audit) | **Refuted at the system level.** Geometry meets it; surrounding infrastructure does not. |
+| "Authority places node #10⁹ in same time as node #1" | True for the geometry; false for the pipeline (event‑log replay, SSE backpressure, browser apply‑rate are all O(N)‑ish in wall time) | **Partially true.** The law is friction‑free; the realization is not. |
+| "We can stream 10⁹ in 1–2 s" | Fermi bracket: 10–100 hours including edges | **Refuted.** Build is offline + tile‑served, not live‑streamed. |
+
+## 7. Friction sources the design currently fights vs accepts
+
+**Accepts (correctly — the law remains intact):**
+- Closed‑form per‑kind helpers, no iteration. ✓
+- O(domains × kinds) counter state. ✓
+- No edges in the placer. ✓
+- Symbol parent dereference is depth‑1, O(1). ✓
+- Domain anchors via Fibonacci spiral derived from `index` alone. ✓
+
+**Fights (friction the design tries to absorb rather than remove):**
+- **Event log of 500k entries (~56 MB).** Friction: tries to support late subscribers via replay. Removal: snapshot‑on‑connect + tail‑forward, drop the unbounded log. The fundamental law is replayable from `(domain_index, kind, idx, total)` alone — the log stores derived data.
+- **Per‑subscriber 100k queue (~11 MB each).** Friction: tolerates slow clients. Removal: snapshot + drop‑oldest, since `(x,y)` for a given `(dom,kind,idx)` is *idempotent and recomputable* — there is no value in retaining an old delta if the client can re‑derive.
+- **Scheduler with 7 priority queues totalling ~19 MB.** Friction: smooths bursty producers. Under the idealized law a burst of N inserts is N counter bumps + N closed‑form calls; the scheduler exists because the *rest* of the pipeline (SSE, browser) cannot keep up. The scheduler is not solving a layout problem; it is solving a transport problem. It belongs to the renderer, not the authority.
+- **`recompute_layout` 90 s synchronous DrL pass.** Direct refutation of the fundamental law. DrL is iterative force simulation — exactly the disqualified family in cost‑model.md §6. Its presence in the handler means the closed‑form authority is not yet the sole placement path; an iterative competitor still runs.
+- **`prepareTopology` (JS side) O(N+E) pre‑pass.** Friction: pre‑computes `(idx, total)` by walking the graph. Removal: producer maintains `counter[(dom,kind)]` and emits `idx_in_kind` inline; the JS pre‑pass disappears.
+
+## 8. The "8 MB IoT" question, answered Galilean‑style
+
+**Yes** — the *layout authority* (the law) already runs in 528 bytes of state and O(1) per node. It is friction‑free at the IoT budget.
+
+**No** — the *system around it* does not, because it carries three accreted layers of transport friction (event log, per‑client queues, priority scheduler) whose combined working set is 60–80 MB. These layers exist because the renderer cannot ingest at the producer's rate; they are not part of the law.
+
+To run the *system* at the law's speed:
+
+1. **Delete the event log.** Replace with snapshot‑on‑connect (re‑emit slots from counters in domain order — same closed form). Saves ~56 MB. Subscriber late‑join becomes O(visible), not O(history).
+2. **Bound subscriber queues to 1 frame (~10³ events).** Drop‑oldest on overflow; clients re‑sync via snapshot. Saves ~11 MB per client.
+3. **Move the scheduler out of the authority.** It is a *renderer adapter* concern. The authority emits at law‑rate; the adapter throttles to channel‑rate.
+4. **Remove `recompute_layout`'s DrL path.** The iterative competitor must go; closed‑form is the only placer.
+5. **Remove `prepareTopology`'s O(N+E) walk.** Producer emits `(idx_in_kind, total_in_kind)` directly from its counter; consumer trusts it.
+
+After these five removals the system's working‑set drops from ~80 MB to ~1 MB and per‑node cost drops from "transport‑bound at 10⁴ evt/s" to "law‑bound at 10⁶+ evt/s". The 8 MB IoT shape becomes feasible — not as an aspiration, but as a consequence of removing what isn't load‑bearing.
+
+## 9. Corrections to add (after the law is established)
+
+| Secondary effect | When to add back |
+|---|---|
+| Backpressure for genuinely slow consumers | After snapshot path proves correct end‑to‑end. |
+| Multi‑producer (currently single‑producer invariant) | Only when a benchmarked need exists; today single‑producer + closed‑form is sufficient. |
+| Tile/Datashader path for visual aggregation | Already correct: it operates on slots, not on the law. Keep. |
+| Numpy vectorisation of `compute_slot` | Add when single‑core 5 M slots/s becomes the bottleneck (today it isn't — transport is). |
+
+## 10. Hand‑offs
+
+- **Curie** — measure browser apply‑rate at 10⁵, 10⁶, 10⁷ to refine the 10⁴–10⁵ evt/s bracket; isolates the binding constraint.
+- **Noether** — formalize the symmetry: the law is invariant under any permutation of `idx_in_kind` that preserves `(idx, total)`, and under any pure rotation of the domain anchor frame. These symmetries justify dropping the event log.
+- **Feynman** — integrity audit on whether `recompute_layout`'s DrL pass is still wired into any path that bypasses the closed‑form authority; if so, that's a layer violation of the law.
+
+## 11. Refusal note
+
+The cost‑model document claims the system meets 8 MB. The geometry does; the surrounding transport stack (log + queues + scheduler ≈ 80 MB) does not. Per refusal condition #1 (idealizing away the variable that carries the phenomenon), the transport friction is **not** the phenomenon — the phenomenon is placement — and may be removed. Per refusal condition #2 (qualitative claim), the 8 MB claim must be measured at the *whole system* level, not just at the geometry module, before being treated as established.
+
+---
+
+**Files referenced (absolute):**
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_geometry.py` — the law (218 lines, closed‑form)
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_log.py` — friction layer 1 (event log)
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_scheduler.py` — friction layer 2 (priority queues)
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/layout_authority_protocol.py` — friction layer 3 (subscriber queues)
+- `/Users/cdeust/Developments/Cortex/mcp_server/handlers/recompute_layout.py` — iterative competitor still wired
+- `/Users/cdeust/Developments/Cortex/tasks/layout-authority/cost-model.md` — derivation
+- `/Users/cdeust/Developments/Cortex/tasks/layout-authority/audits/fermi.md` — bracket cross‑check
diff --git a/tasks/layout-authority/audits/geertz.md b/tasks/layout-authority/audits/geertz.md
new file mode 100644
index 00000000..c63b7450
--- /dev/null
+++ b/tasks/layout-authority/audits/geertz.md
@@ -0,0 +1,175 @@
+# Geertz — Thick Description of a Single Node Click
+
+**Phenomenon:** A user, mid-session, moves their cursor over a glowing dot in the
+unified visualization and clicks. One pixel-event. The thinnest possible micro-event
+in the system. This audit is what that click MEANS.
+
+## Reflexivity audit
+
+- **Observer:** Claude (Geertz pattern), reading the codebase from outside the
+  user's session. I have not watched a real user click. I am reading the click
+  as text — through `streaming_canvas.js:161-186`, `node_metadata.py`, and the
+  build cache shape. My description of "what the user expected" is a hypothesis
+  reconstructed from the system's affordances and the project's stated goals
+  (cognitive profiling, memory provenance, project narrative). Treat the
+  expectation layer as triangulation-pending until field-observed.
+- **Filter:** I focus on the streaming_canvas path because that is where the
+  `/api/node/<id>` fetch is wired. The d3 / force-graph path (`renderer.js`)
+  has its own `handleClick` and is a different ritual; I name it but do not
+  thicken it here.
+
+## Emic categories (the user's vocabulary)
+
+| Insider term | Insider meaning | Nearest etic equivalent | Gap |
+|---|---|---|---|
+| "node" | a thing I made or thought about that the system remembers | graph vertex | huge — the user means a unit of *their cognitive history*, not graph theory |
+| "L6 symbol" | "the deepest leaf — a function, a method, a concrete thing" | hierarchical level 6 in the AST/cluster tree | the user has internalized the level scheme as a depth metaphor |
+| "hot" | "this matters / I touched it recently / it survived consolidation" | thermodynamic heat ∈ [0,1] | the user reads heat as *biographical* salience, not a float |
+| "the cluster on the left" | a spatial neighbourhood the user has *learned* through repeated viewing | a region of the layout coordinate space | the layout's spatial stability is doing semantic work the user cannot articulate |
+| "what does this connect to" | "what else am I going to be reminded of if I follow this" | edge set incident to node | emic question is about *expected priming*, not graph adjacency |
+
+## Thin description (behaviour layer)
+
+```
+mousedown → mouseup within HIT_RADIUS → handleClick(e)
+  → world-space hit-test against nodes Map (O(N))
+  → bestId resolved
+  → console.log('[stream] click', bestId, nodes.get(bestId))
+  → fetch('/api/node/' + encodeURIComponent(bestId))
+      → 404 → console.log; return null
+      → 200 → console.log('[stream] node detail', json)
+  → catch → console.warn
+```
+
+That is the entire ritual. Nothing is rendered. The "tooltip" exists only in the
+DevTools console, addressed to a developer audience, not the user.
+
+## Thick description (meaning layer)
+
+What the user **expected** when they clicked:
+
+> "Tell me what this node is in the story of my work. When did I last touch it?
+> What domain is it part of? What other things are in its orbit? Is this the
+> file I was thinking of or a different one with a similar name? Does this
+> match the mental image I have of where I left off?"
+
+The click is not a request for data. It is a **request for biographical
+recognition** — the user is asking the system to confirm that this node, in
+this position, with this colour, is what the user *thinks* it is. The cognitive
+work the user is doing is **verification of their own mental map** against the
+system's record. The click is a hermeneutic gesture: "tell me my story back
+to me, indexed by this point."
+
+What the system **provides**:
+
+- A JSON dict (the cached node entry) printed to a console the user is not
+  looking at.
+- The dict contains `id, x, y, kind, domain_id` plus whatever the build worker
+  stashed (`symbol_type`, `file`, `parent`, `color`, `label` — schema-dependent).
+- No prose. No "you last touched this 3 days ago." No "this is one of 14
+  symbols in `node_metadata.py`." No "this connects to `streaming_canvas.js`
+  via your edit on April 24."
+- A 404 is treated as success-with-empty (`return null`); the user gets neither
+  data nor an explanation of why.
+
+What is **culturally assumed** (the unstated curriculum the user must already
+own to make sense of this gesture):
+
+1. **Level vocabulary** — that "L6 symbol" means anything; that levels exist;
+   that depth in the tree corresponds to specificity. *No on-screen legend
+   teaches this.*
+2. **Project naming conventions** — that `node_metadata.py` is "the new lazy
+   lookup endpoint" rather than a generic name. The user supplies the meaning;
+   the node id is opaque without it.
+3. **Heat semantics** — that bright = recently-touched-and-surviving-decay,
+   not "popular" or "important in absolute terms." Heat is a thermodynamic
+   *history*, not a static rank.
+4. **Layout stability as identity** — that "the cluster on the left" *is* a
+   thing because the layout is deterministic enough across reloads to have
+   become a place. This is a contract the visualization makes implicitly and
+   that the layout-authority refactor is making explicit.
+5. **Console-as-interface** — that "click → log" is a developer affordance,
+   not a user affordance. Non-developer users would experience the click as
+   a no-op.
+
+## What the click is OF (the act's intent, read from context)
+
+Clicks have at least four registers, each requiring a different response:
+
+| Register | Emic question | What would satisfy it |
+|---|---|---|
+| **Curiosity** | "what is this thing?" | label + symbol kind + parent file |
+| **Verification** | "is this the one I'm thinking of?" | last-touched timestamp + a 1-line gist |
+| **Exploration** | "what does this lead to?" | incident edges + neighbourhood preview |
+| **Debug** | "why is this *here* and not over there?" | layout provenance: cluster id, force history, level |
+
+The current system collapses all four into the same response: *raw dict in the
+console*. This is the central interpretive failure. The system has confused
+**delivering data** with **answering the question that prompted the click**.
+
+## Culture-as-text reading
+
+- **Surface meaning:** "click reveals node detail."
+- **Conventional meaning (in this codebase's code):** "click triggers a
+  late-binding endpoint fetch and logs the result." The 404 fallback and the
+  console-only sink reveal that the click ritual was wired *first as a
+  diagnostic for the developers building the pipeline*, not as a feature for
+  end users. The comment in `streaming_canvas.js:15` ("Kay's late-binding
+  endpoint; 404 handled gracefully") is the giveaway: the audience is the
+  next engineer, not the user.
+- **Deep structural meaning:** the visualization is, today, a **debugging
+  surface for the layout authority**, dressed as an end-user product. The
+  click handler's existence-without-rendering is the artefact of a system
+  whose meaning-structure is "prove the pipeline works" rather than "tell
+  the user their cognitive history." This is not a failure — it is a stage.
+  But naming it lets the next move be deliberate: either commit to the
+  developer-tool reading (and dignify the console with structured output),
+  or commit to the user-product reading (and render a tooltip with the
+  fields above).
+
+## Triangulation
+
+| Source | Confirms | Adds | Contradicts |
+|---|---|---|---|
+| `streaming_canvas.js:174-185` | click → fetch → log; no DOM mutation | the 404 path is a "shrug" | — |
+| `node_metadata.py` docstring | response is the cached node dict | "out-of-band of the layout authority on purpose" — confirms developer audience | — |
+| `renderer.js:48` (force-graph path) | a *different* `handleClick` exists with `selectedNode` state and edge highlighting | the d3 path *does* render selection — so the ritual is split: streaming canvas is mute, force-graph speaks | the streaming-canvas path's silence is path-specific, not system-wide |
+| CLAUDE.md ("query_methodology returns hot memories") | the user has been trained by other Cortex tools to expect *biographical* responses (narrative, story) | raises the bar: a console dict is below the user's calibrated expectation from the rest of the product | — |
+
+## Etic analysis (analytical layer)
+
+Three classical frames apply:
+
+1. **Norman's gulf of execution / gulf of evaluation** — the click bridges the
+   gulf of execution but the response (silent dict) leaves the gulf of
+   evaluation wide open. The user cannot tell whether they hit what they
+   meant to hit.
+2. **Affordance vs signifier (Gibson/Norman)** — the node *affords* clicking
+   (it is round, hover-coloured, in a graph) but the *signifier* of what the
+   click will produce is absent. The user clicks on faith built from other
+   parts of the product.
+3. **Geertz's own frame** — the click is a wink, but the system reads it as
+   a twitch: it processes the eyelid contraction (coordinates, hit-test, fetch)
+   without registering the conspiracy (the user's biographical question).
+
+## What this implies for the layout-authority refactor
+
+- The streaming-canvas click path is a load-bearing seam where developer-tool
+  semantics and user-product semantics meet. The refactor should pick a side
+  per surface and stop pretending the same handler serves both.
+- Whatever tooltip / panel the layout authority eventually renders MUST
+  surface the four registers above (curiosity, verification, exploration,
+  debug) as distinct response shapes — not a single dict. A render budget of
+  one line per register would already be a thick description.
+- The 404 fallback should not be silent. "This node was streamed but its
+  detail is not in cache yet" is itself a meaningful answer to a user who
+  is verifying their map.
+
+## Hand-offs
+
+- Hermeneutic interpretation of the response payload's field semantics → **Gadamer**
+- Argument for which fields are *necessary* in the tooltip → **Toulmin**
+- Quantitative measurement of click latency / 404 rate → **Curie**
+- Whether the click ritual is structurally consistent with the rest of the
+  system → **Beer**
+- Semiotic analysis of the visual codes (colour=heat, size=level) → **Eco**
diff --git a/tasks/layout-authority/audits/ginzburg.md b/tasks/layout-authority/audits/ginzburg.md
new file mode 100644
index 00000000..d601d4c3
--- /dev/null
+++ b/tasks/layout-authority/audits/ginzburg.md
@@ -0,0 +1,139 @@
+# Ginzburg — Evidential Audit of the Graph-Viz 1M Failures
+
+> Read against the grain. The official explanation of each failure is "the
+> algorithm was wrong." The marginal evidence — file boundaries, debounce
+> timers, fallback branches, retry loops, comments left behind — tells a
+> different story. One assumption resurfaces in every iteration.
+
+## 1. Deliberate testimony (what each rewrite *said* it was fixing)
+
+| # | Approach | Stated cause of prior failure |
+|---|---|---|
+| 1 | precomputed coords + d3-force | "force-graph re-layouts every payload" |
+| 2 | tilemap raster (`dba2f16`) | "force-graph too slow at 1M" |
+| 3 | SSE rebuild-on-event | "static tiles lose richness" |
+| 4 | SSE first-mount + append | "rebuild-per-event freezes browser" |
+| 5 | SSE incremental recompute | "first-mount + append clumps / mis-domains" |
+| 6 | tilemap auto-recompute (`4a41aff`) | "stale subscriber stalls server" |
+
+Six algorithms. Six names for one cause. Each treated as fresh.
+
+## 2. Involuntary evidence (the earlobes)
+
+- **2.1 — `ui/unified/js/workflow_graph.js:308–415`** — `prepareTopology()`
+  ships with the **client**. `computeSlots` invoked at `:405` after the
+  renderer received nodes/edges over the network. Fibonacci anchor
+  `phi = π(3 - √5)` (line 323) computed in the browser.
+- **2.2 — `tasks/layout-authority/cost-model.md:62–73`** — server port
+  copies the same constants verbatim from `workflow_graph.js:308–700`.
+  Geometry exists *twice*: client canonical + server port proposed.
+- **2.3 — `mcp_server/core/layout_engine.py:47–113`** — invokes
+  `igraph.Graph.layout("drl")`. A *third* layout system. Comment line 8:
+  "O(N log N) per iteration." cost-model §6 line 102 forbids exactly this.
+- **2.4 — `mcp_server/handlers/recompute_layout.py:82–99`** — "skip-if-
+  fresh" cache. Exists because the handler is called from three places
+  (`/api/recompute_layout` direct, `open_visualization`, tilemap fallback
+  at `workflow_graph_tilemap.js:130`). Idempotency patched in because
+  authority is unclear.
+- **2.5 — `ui/unified/js/workflow_graph_tilemap.js:122–168`** — self-
+  healing branch: client gets 503 `no_layout`, *client* calls
+  `/api/recompute_layout`, retries `/api/quadtree`. Renderer triggers
+  server-side layout.
+- **2.6 — `ui/unified/js/polling.js:30–37`** — comment: "phase-driven
+  loader owns `lastData` — don't clobber it if it's already been
+  populated via /api/graph/phase appends." Two pipelines, one mutable
+  state, racing for ownership. The comment is the involuntary confession.
+- **2.7 — `ui/unified/js/workflow_graph_bridge.js:107–137`** — debounce:
+  "with 10k+ symbol nodes a per-phase render freezes the browser; we
+  wait until the stream quiets for 1.2 s before rebuilding the
+  simulation." "Rebuilding the simulation" is the smoking phrase: the
+  client owns a simulation; every phase append → destroy-and-recreate.
+- **2.8 — `workflow_graph_bridge.js:67–73`** — MutationObserver re-
+  evicts legacy children that "re-materialise after first render
+  (force-graph library and `JUG.setGraphData` both re-mount canvases
+  asynchronously)." Two layout systems are physically fighting for one
+  DOM node. The observer is the referee. Its existence is the fact.
+- **2.9 — `mcp_server/handlers/quadtree_handler.py:33–40`** — returns
+  503 `no_layout` when `read_all_positions()` is empty. The endpoint
+  that *serves* layout cannot *create* layout; it tells the client to
+  call the other endpoint. Same shape as 2.5.
+- **2.10 — `mcp_server/server/visualize_bootstrap.py:56–104`** — rsyncs
+  the dev tree onto every uv archive root before each spawn. Three
+  caches (MCP plugin module snapshot, HTTP graph cache, tilemap Arrow
+  buffer), three lifetimes, no coordination. Bootstrap brute-forces it.
+
+## 3. Trace convergence
+
+| Trace | What it reveals |
+|---|---|
+| 2.1 client `prepareTopology` | renderer computes layout |
+| 2.2 server `_geometry` port copying client constants | server *also* computes |
+| 2.3 `core/layout_engine.py` igraph DrL | *third* layout system |
+| 2.4 `recompute_layout.py` skip-if-fresh | multiple uncoordinated callers |
+| 2.5 tilemap → /api/recompute_layout | renderer triggers server layout |
+| 2.6 polling.js "don't clobber lastData" | two pipelines race on state |
+| 2.7 bridge.js debounce + "simulation" | renderer holds a simulation |
+| 2.8 bridge.js MutationObserver | two renderers in one DOM node |
+| 2.9 quadtree_handler 503 no_layout | serving ≠ owning |
+| 2.10 visualize_bootstrap rsync | three caches, zero owner |
+
+**Structural fact: no single owner of `(node_id) → (x, y)`.** Layout is a
+property every layer claims to compute and no layer is contracted to
+provide. Five locations: `workflow_graph.js`, `core/layout_engine.py`,
+proposed `server/layout_authority_geometry.py`, `layout_pg_store.py`,
+the tilemap quadtree.
+
+## 4. The single wrong assumption (smoking gun)
+
+> **"The renderer is responsible for placing nodes."**
+
+Viable at 10k (renderer ran `prepareTopology` per payload). False at 1M.
+Each rewrite cured a *symptom* (slowness, freeze, clumping, stall) but
+preserved the assumption:
+
+- d3-force ticks → renderer simulates → too slow
+- raster tiles → renderer rasterises layout it did not author → ugly
+- SSE rebuild → server re-emits, renderer re-simulates → freeze
+- SSE append → renderer extends layout from partial graph → **clumps**
+  because `workflow_graph.js:317–322` makes `baseR` a function of
+  `domains.length` *at call time*. New domain appended later → its anchor
+  is computed against an N that includes already-pinned domains → it
+  lands on the wrong shell. This is the specific signature of
+  "renderer authors layout from incremental data."
+- SSE incremental recompute → server tries to take over but renderer
+  still holds the simulation; stale subscriber blocks the SSE pipe;
+  server cannot release until subscriber drains
+- tilemap auto-recompute → renderer *triggers* layout it does not perform
+  — the assumption migrated up the stack but did not die
+
+## 5. What naming the assumption demands
+
+Not "a better algorithm." **Invert authority direction:**
+
+1. Layout = server-owned, append-only, monotonically-versioned property
+   keyed by `node_id`. Contract: alkhwarizmi.md `add_node`. Invariant:
+   dijkstra.md H1/H2 (single producer, seq strict-monotonic).
+2. Renderer = passive consumer of `(id, x, y, seq)`. Does not compute,
+   simulate, re-derive. **Delete `prepareTopology` and `computeSlots`
+   from `workflow_graph.js`** (lines 308–700). MutationObserver becomes
+   unnecessary — only one renderer remains.
+3. `core/layout_engine.py` (DrL) violates cost-model §6 (O(N log N) per
+   iteration disqualified) and the alkhwarizmi `compute_slot` contract
+   (closed-form O(1)). **Delete it.** The spiral closed-form stays.
+4. `recompute_layout.py` skip-if-fresh: redundant after (1). One caller
+   (authority on schema migration). Idempotency patch deletable.
+
+The seam: **WHO computes** must be authority; **WHO renders** must be
+passive. Every failure on the trail is a different attempt to keep the
+renderer in the authority role while compensating for consequences.
+
+## 6. Hand-offs
+
+- **Eco** — semiotic check on §3: is "no single owner" structural or
+  projection? Traces 2.7 (debounce + "simulation") and 2.8
+  (MutationObserver) are load-bearing; if either is innocuous the
+  inference weakens.
+- **Peirce** — formalise §4 as abductive inference from the 10 traces.
+- **Engineer** — execute §5: delete `prepareTopology`/`computeSlots` in
+  `workflow_graph.js`, delete `core/layout_engine.py`, wire
+  `layout_authority` modules per alkhwarizmi + dijkstra.
diff --git a/tasks/layout-authority/audits/godel.md b/tasks/layout-authority/audits/godel.md
new file mode 100644
index 00000000..b7950260
--- /dev/null
+++ b/tasks/layout-authority/audits/godel.md
@@ -0,0 +1,71 @@
+# Layout Authority — Gödel Self-Reference Audit
+
+**Method:** Gödel's incompleteness pattern. The layout authority is a system that emits sentences ("node N is at (x,y) at seq S"). Every totalizing claim it makes — "seq is GLOBAL", "slot is FINAL", "x,y is finite" — is a meta-statement *about the system* expressed *within the system's own vocabulary*. Where the vocabulary is rich enough to encode the authority's own state (counters, ids, totals), Gödel sentences become constructible: true statements about the system that the system cannot prove from within its own emission rules.
+
+This audit surfaces those sentences and the structural contradictions they expose.
+
+---
+
+## 1. Self-reference power assessment
+
+Does the authority have the expressive power for self-reference? Yes:
+
+- **Counters are addressable.** `_event_seq`, `_slots_emitted`, `_edges_emitted`, `_edges_dropped`, `pending_*` are all readable via `stats()` and via `_log._event_seq` peeks inside `_emit_slot` / `done`.
+- **Ids are unconstrained strings.** `_validate_id` rejects `|`, `\n`, `\r` only. An id like `"seq:42"` or `"slots_emitted:0"` is legal. Therefore a NodeDelta's `node_id` can name an authority counter.
+- **The done event is itself an event.** It consumes a seq, increments no slot counter, but is logged in `_event_log` and reported by `_log.stats()` as `newest_seq`. The system's terminator is a sentence in its own log.
+
+Conclusion: incompleteness applies. The authority is "powerful enough to describe itself" in the Gödel sense, because its emission language can refer to its own counters by string id and its own seq numbers by peek.
+
+---
+
+## 2. Constructed Gödel sentences
+
+| # | Sentence (concrete) | Why true | Why unprovable from within |
+|---|---|---|---|
+| **G1** | "The next slot's `node_id` equals `f'seq:{_log._event_seq + 1}'`." | Build worker is free to construct this id (no validation rule forbids it). | The seq the slot will receive is computed at emit time by `_log.emit`, *after* the payload is formatted. The peek-before-emit at `layout_authority.py:349` formats the payload using the predicted seq; if a multi-producer race ever interleaved an emit between peek and write, the slot's *content* would name a seq that is no longer its own. The assertion `actual_seq == seq` *detects* this but cannot *prevent* it — and the assertion fires *after* the SSE byte stream has already been formatted. The sentence "this slot's id equals its own seq" is true in single-producer mode and undecidable in concurrent mode. |
+| **G2** | "The `done` event's `total_slots` counts every slot including the one whose seq is the `done` event's own seq." | False, but the system claims it via the `done` payload semantics. `total_slots = self._slots_emitted` is sampled *before* `_log.emit("done", ...)`. The done frame's seq is `_event_seq + 1` at peek time, then `+1` at emit. So `done.seq > total_slots` always. | The `done` payload offers no field to declare its own seq, and `total_slots` is documented as "totals". A client reading `total_slots == newest_seq - 1` would be wrong by 1 for every build that has any edges, and wrong by N for builds with N edges. The system cannot prove the relation `newest_seq = total_slots + total_edges + 1` from within its own payload contract, because the wire layer never emits that arithmetic. |
+| **G3** | "After `reset()`, the new log's `oldest_seq` is greater than every `Last-Event-ID` a client might present." | True by construction (counter is global, never rewinds). | But `replay_since(N)` returns `(events_to_replay, oldest_available_seq)` and the SSE handler uses `oldest_available_seq > since + 1` to detect a gap. Immediately after `reset()` the deque is empty, so `_event_log[0]` is undefined and the function returns `[], 0`. A client that reconnects in the dead window between `reset()` and the first new `emit()` is told `oldest=0`, which fails the gap test (`0 > since + 1` is false for any positive `since`). The sentence "no events are lost across reset" is true; the sentence "the log can prove no events are lost across reset" is false during the reset/first-emit window. |
+| **G4** | "Every `SlotAssignment` for a given `node_id` is FINAL (I4, I7)." | Asserted by invariants. | But `request_subtree(domain_id)` re-emits *every* slot in that domain *with a fresh seq* (`_emit_slot` reads `_log._event_seq + 1` again). I2 says clients "MUST update by seq" — i.e. the later seq supersedes. So a slot is simultaneously FINAL (I4/I7) and supersedable (I2). The system contains a direct contradiction whose witness is constructible: call `request_subtree(d)` twice, observe two `SlotAssignment` tuples for the same node_id with different `seq` and identical `(x,y)`. The second is "newer" by I2 but identical by I4. The system has no rule by which a client decides whether to honor the second event's seq update or treat it as a no-op. |
+| **G5** | "`stats()` returns counters that describe the moment of the call, not including the call itself." | True by construction — `stats()` is read-only, emits no event, increments no counter. | But the seq counter `_event_seq` is reported via `_log.stats()['newest_seq']`, and the *next* event after a `stats()` call will be `newest_seq + 1`. A client reading stats then issuing `add_node` cannot prove that no other producer emitted between its read and write; the sentence "the next slot will have seq = stats().newest_seq + 1" is true under the single-producer precondition and unprovable from outside that precondition. The single-producer rule lives in a *prose docstring*, not in the type system. |
+| **G6** | "There exists a `NodeDelta` whose `node_id` is the string representation of an authority counter, and whose emission *changes* that counter." | Constructible: `NodeDelta(node_id="slots_emitted:0", kind="domain", domain_id="slots_emitted:0")`. After emission, `self._slots_emitted == 1` while the slot whose id encodes "slots_emitted:0" has been placed. | The authority cannot detect this collision — id validation is purely lexical. The id is a perfectly legal string but its *referent* is now a lie about the system's state. This is the literal Gödel construction: a sentence that, by being uttered, falsifies what it asserts. |
+
+---
+
+## 3. Totalizing claims that admit unprovable sentences
+
+| Claim in code | Where | Sentence it cannot prove |
+|---|---|---|
+| "seq is GLOBAL" (I3 prose, `_log.reset` docstring) | `layout_authority_log.py:208–223` | "No client's `Last-Event-ID` collides with a post-reset seq." True only because the counter is monotone across resets — but the system has no *test* that fires if a future maintainer "fixes" the docstring's claimed bug by zeroing `_event_seq`. The invariant lives in prose, not in a guard. |
+| "slot is FINAL" (I4, I7) | `layout_authority_protocol.py:201, 215` | "No `request_subtree` will emit a different `(x,y)` for an existing `node_id`." Geometry is deterministic, so this is true *in practice*. But the contract permits `request_subtree` to use a new domain anchor (if the domain registry's `_reserved` grew between the original placement and the resubmit) — and `_DomainRegistry` explicitly does *not* recompute prior anchors when reservation grows. So `(x,y)` *is* stable, but only by an invariant that itself is guarded by a comment ("frozen at first sighting"), not by an assertion. |
+| "x,y is finite" (I1) | `layout_authority_protocol.py:184` | "No future geometry change will introduce NaN/inf." Verified at emission via `_validate_finite`, so the sentence is provable for emitted slots. But the invariant says "finite" without specifying the coordinate system; a client interpreting (x,y) as percentage of viewport vs. absolute pixels gets different downstream behavior. The system cannot prove its own coordinate semantics from the wire format alone. |
+| "monotonic seq" (I2) | `layout_authority_protocol.py:187–191` | "Two SlotAssignments with the same `node_id` and different `seq` differ only because the later supersedes the earlier." Contradicted by G4: the geometry of the second is *identical* to the first by the FINAL invariant. The system cannot decide whether duplicate-seq-different-payload would be a bug or a feature, because the contract permits both readings. |
+
+---
+
+## 4. Recommendations (external verification, not internal patches)
+
+The system cannot fix these from within. The fixes are external to the emission rules:
+
+1. **Forbid id collisions with the counter vocabulary.** Add a validator that rejects `node_id` matching `^(seq|slots_emitted|edges_emitted|edges_dropped|pending_.+):` patterns. This closes G1 and G6 by *external lexical rule*, not by changing the protocol. (One-line check at the wire boundary.)
+2. **Promote the single-producer rule from prose to a guard.** Track the producing thread's id in `_log` state; assert on every `emit()` that the caller matches. Closes G5 by making the precondition machine-checkable.
+3. **Resolve I2 vs I4/I7 contradiction in the contract.** Either: (a) `request_subtree` re-emits with the *original* seq (violates I2 monotonicity) or (b) the slot is *not* FINAL (violates I4/I7). Pick one. Document the choice in an ADR. The current contract is inconsistent and clients reading I2 strictly will diverge from clients reading I4 strictly.
+4. **`done` event must declare its own seq relation.** Add `final_seq: int` to the `done` payload (= `total_slots + total_edges + 1`, the seq of the done frame itself). Lets a client *prove* completeness from the wire alone instead of from prose.
+5. **`replay_since` must distinguish "log empty" from "log lost your events".** Return a tagged variant: `Empty` (no emit since reset) vs `Lost` (since < oldest_seq - 1). Closes G3 by giving the SSE handler an unambiguous decision tree during the post-reset dead window.
+6. **External audit by a different agent.** Per the second incompleteness theorem, the authority cannot prove its own consistency. A *different* implementation of the protocol (a consumer-side replay verifier that reconstructs the slot table from the wire and checks I1–I7) is the meta-system that catches what the producer cannot.
+
+---
+
+## 5. Hand-offs
+
+- Contract-resolution ADR (recommendation 3) → **Lamport** (specification of the I2 vs I4/I7 reconciliation).
+- Lexical id validator + producer-thread guard (recommendations 1, 2) → engineer.
+- `final_seq` payload extension and `replay_since` tagged variant (recommendations 4, 5) → engineer + protocol owner.
+- External wire-replay verifier (recommendation 6) → independent implementation, *not* by the team that wrote `layout_authority.py`.
+
+---
+
+## 6. The deepest sentence
+
+> "This authority correctly emits every slot exactly once, in seq order, with FINAL coordinates, and the stream's totals match the log's newest seq."
+
+This is the system's self-summary — the conjunction of I1–I7. It is *true* under single-producer, no-`request_subtree`, no-`reset`-mid-stream conditions. It is *not provable* from within the emission rules: the proof requires a meta-system that checks the wire output against the input deltas, and that meta-system does not exist in this codebase. The recommendation is not to patch the authority into self-provability (impossible — Gödel II) but to build the external verifier and accept that the authority's correctness is a claim made *to* a higher level, not *by* itself.
diff --git a/tasks/layout-authority/audits/hart.md b/tasks/layout-authority/audits/hart.md
new file mode 100644
index 00000000..f21b0119
--- /dev/null
+++ b/tasks/layout-authority/audits/hart.md
@@ -0,0 +1,110 @@
+# Hart Audit — Open Texture in the Layout-Authority Protocol
+
+> Method: every rule has a **core** of settled meaning where application is
+> mechanical, and a **penumbra** where the rule's text underdetermines the
+> outcome. In the penumbra, judgment is needed — and that judgment is binding
+> precedent for similar future cases. This audit catalogues the penumbral
+> zones in `mcp_server/server/layout_authority_protocol.py` (I1–I7) and the
+> hidden invariants surfaced by Noether (H1–H5), and recommends, per zone,
+> whether to **close** the texture or **leave it open** as deliberate
+> flexibility. Sources: Hart 1961 Ch. VII; Levi 1949 Ch. 1.
+
+---
+
+## 1. Open textures, ranked by load-bearing risk
+
+### OT‑1. I3+I4 interaction: does the symbol get reseated when its file does? — **HIGH. CLOSE.**
+- **Core.** I3: symbol slot computed from parent file. I4: file slot at fallback anchor is FINAL.
+- **Penumbra.** File F arrives without tool_hub → S_F at domain anchor (Case 4) → symbol s with parent=F arrives → s computed from S_F → tool_hub T arrives later. I4 forbids reseating F. Protocol is **silent on s**: was s computed against a transient parent and now stale? Finality is inherited only by implication.
+- **Close — add I3a.** *"A symbol's slot is final from the moment its parent file's slot is final. Since file slots are final by I4, symbol slots are final on first emission."* Same justification as I4: replay determinism (H3), no retroactive jitter.
+- **Ratio.** Slot finality propagates down the parent chain. Any node whose slot is computed from another's inherits parent finality at emission time. (Generalises to nested symbols, member_of chains.)
+
+### OT‑2. I7 placeholder anchor: WHAT is the placeholder? — **HIGH. CLOSE.**
+- **Core.** I7: members of a not-yet-arrived domain use a "placeholder anchor"; FINAL.
+- **Penumbra.** Two readings: (a) placeholder = `domain_anchor(index_of(D), N_CAP, …)` from a deterministic index, identical to the eventual real anchor; (b) placeholder = generic default like `(cx, cy)`. Reading (b) breaks H3 (real domain emits at its slot far from the cluster).
+- **Close — adopt (a).** *"Placeholder anchor for not-yet-emitted domain D = `domain_anchor(stable_index(D), N_CAP, cx, cy, base_r)`, computed from D's `domain_id` via a deterministic index function. Placeholder == final."* Only reading consistent with H2 + H3.
+- **Ratio.** Any "fallback"/"placeholder" in this protocol MUST equal the eventual real value modulo timing. (Generalises OT‑1.)
+
+### OT‑3. I4 "domain hub" fallback for files: which (x, y)? — **MEDIUM. CLOSE.**
+- **Core.** "Falls back to placing the file at the domain hub if no tool_hub is yet known."
+- **Penumbra.** "Domain hub" ambiguous: (a) the domain anchor itself (collision — N files stack on one point); (b) `compute_slot(domain_anchor, kind='file', idx=arrival_idx)` — the kind-bucket for files.
+- **Close — adopt (b).** *"When a file's primary tool_hub is unknown at add_node time, it is placed via `compute_slot(domain_anchor, kind='file', idx=file_arrival_idx)` — the kind='file' bucket of the domain, not the anchor itself."*
+- **Ratio.** "Falls back to X" never means "stacks on point X." Fallback = closest well-defined kind-bucket reachable without the missing parent.
+
+### OT‑4. request_subtree scope: what counts as "the subtree"? — **MEDIUM. CLOSE.**
+- **Core.** request_subtree(domain_id) re-emits one subtree.
+- **Penumbra.** Includes (i) only direct domain members, (ii) + files, (iii) + symbols, (iv) transitive parent_id closure rooted at domain? Also: do buffered (not-yet-emitted) symbols/edges flush, or only known nodes re-emit?
+- **Close — (iv) + no flush.** *"Re-emits SlotAssignment for every node whose `domain_id == d` AND every node whose ancestor chain via parent_id terminates at a node with `domain_id == d`. Buffered symbols and pending-edges are NOT flushed; buffering invariants (I3, I5) are unchanged."* Idempotent and bounded.
+- **Ratio.** request_subtree is re-emission of *known* state, not flush of *pending* state.
+
+### OT‑5. I5 "oldest dropped" — by which clock? — **MEDIUM. CLOSE.**
+- **Core.** Pending-edges full ⇒ "oldest" dropped, counter ++.
+- **Penumbra.** "Oldest" by (a) wall-clock receive, (b) seq order at buffer insert, (c) age relative to missing endpoint?
+- **Close — (b).** *"'Oldest' = earliest insertion into pending-edges, FIFO by arrival sequence number. Wall-clock not used (preserves H3)."*
+- **Ratio.** Tie-breakers in this protocol use deterministic counters, never wall-clock. (Generalises to any future "oldest"/"first" rule.)
+
+### OT‑6. I2 "per authority instance" scope — **MEDIUM. CLOSE.**
+- **Core.** seq strictly increasing per authority instance.
+- **Penumbra.** (a) Restart — seq reset or persisted? (b) Per-subscriber queue racing — must per-queue order match seq order? (c) request_subtree re-emit — fresh seq or restate old?
+- **Close.** *"(a) seq resets to 1 on restart; (instance_id, seq) is the global identity. (b) Per-subscriber delivery order MUST match seq order — declare alongside H1 as I8. (c) request_subtree re-emissions get NEW higher seq; clients resolve by seq (consistent with I2 'LATER supersedes')."*
+- **Ratio.** seq is the single source of truth for ordering; every restatement gets a fresh seq.
+
+### OT‑7. NodeDelta.parent_id "if known" for files — **MEDIUM. CLOSE.**
+- **Core.** For 'file', parent_id = primary tool_hub's id "if known."
+- **Penumbra.** What if file legitimately has NO primary tool_hub (e.g. doc never tool-touched)? Permanent None, or reseat on first tool_used_file edge? I4 says no reseat — but rule was written assuming the hub eventually arrives.
+- **Close.** *"A file with parent_id=None whose tool_hub never arrives remains permanently at the kind='file' bucket of its domain anchor. Later tool_used_file edges do NOT trigger reseat (I4)."*
+- **Ratio.** Optional fields that never materialise yield permanent fallbacks, never lazy reseat.
+
+### OT‑8. Duplicate node_id (was H5) — **HIGH. CLOSE.**
+- **Core.** Protocol silent. Noether H5: "node_id is a primary key" — undeclared.
+- **Penumbra.** Second `add_node(same_id)` (a) silently ignored, (b) raises, (c) treated as update (e.g. late tool_name on tool_hub)?
+- **Close — (a) + counter.** *"Second add_node with existing node_id is silently ignored; duplicate_counter ++. No SA re-emitted. The build worker MUST NOT use add_node as an update mechanism; use request_subtree for forced re-emission."* Promote to I9.
+- **Ratio.** Idempotence at the input boundary is invariant; updates require an explicit verb.
+
+### OT‑9. EdgeDelta endpoints arriving in opposite order — **LEAVE OPEN.**
+- **Penumbra.** When second endpoint arrives, is buffered edge flushed (a) immediately interleaved with SA stream, (b) after next SA, (c) batched at end of current add_node?
+- **Leave open + document.** Edges carry no slot data; (a)/(b)/(c) are observationally equivalent. *"Pending-edge flush order relative to SlotAssignment is implementation-defined; clients MUST NOT rely on a specific interleaving."*
+- **Ratio.** Leave open what the contract does not need to fix; documenting the freedom IS the closure.
+
+### OT‑10. Authority restart / persistence — **LEAVE OPEN (out of scope).**
+- **Penumbra.** No rule covers crash recovery, log replay on restart, instance migration.
+- **Leave open + hand-off.** Out of scope for the streaming protocol; defer to a separate persistence ADR. Note in protocol docstring: *"Restart semantics are defined by the host process, not this protocol."*
+
+---
+
+## 2. Closure summary
+
+| OT | Subject | Decision |
+|---|---|---|
+| OT‑1 | Symbol-slot finality vs file fallback | **CLOSE** — add I3a |
+| OT‑2 | I7 placeholder formula | **CLOSE** — deterministic anchor |
+| OT‑3 | I4 "domain hub" precise meaning | **CLOSE** — kind='file' bucket |
+| OT‑4 | request_subtree scope | **CLOSE** — transitive, no flush |
+| OT‑5 | "Oldest" pending edge | **CLOSE** — FIFO by arrival seq |
+| OT‑6 | seq across restart / re-emit | **CLOSE** — instance_id + new seq |
+| OT‑7 | File with no tool_hub ever | **CLOSE** — permanent fallback |
+| OT‑8 | Duplicate node_id | **CLOSE** — ignore + counter (I9) |
+| OT‑9 | Pending-edge flush order | **LEAVE OPEN** — document freedom |
+| OT‑10 | Restart / persistence | **LEAVE OPEN** — separate ADR |
+
+---
+
+## 3. Governing principles (ratio decidendi for future open textures)
+
+1. **Finality propagates down parent chains** (OT‑1).
+2. **Fallbacks must equal the eventual real value modulo timing** — divergence breaks H3 (OT‑2, OT‑5).
+3. **"Falls back to X" is never "stacks on point X"** — use closest kind-bucket (OT‑3).
+4. **Re-emission verbs restate known state; they do not flush pending state** (OT‑4).
+5. **Tie-breakers use deterministic counters, never wall-clock** (OT‑5, OT‑6).
+6. **Optional fields that never materialise yield permanent fallbacks** — never lazy reseat (OT‑7, matches I4).
+7. **Idempotence at the input boundary is invariant; updates require an explicit verb** (OT‑8).
+8. **Document deliberate freedoms as freedoms** — recorded openness is itself precedent (OT‑9, OT‑10).
+
+---
+
+## 4. Hand-offs
+
+- **Engineer** — translate OT‑1…OT‑8 into protocol docstring amendments + assertions in `layout_authority.py`.
+- **Lamport** — formalise OT‑6 (seq across restart) and OT‑5 (FIFO by arrival seq) as TLA+ invariants alongside H1.
+- **Noether** — H5 closed by OT‑8 ⇒ promote to I9 in `_protocol.py`; H1 still pending as I8.
+- **Alkhwarizmi** — extend test 5 (duplicate node_id) and add golden-vector tests for OT‑1, OT‑2, OT‑3 fallback positions.
diff --git a/tasks/layout-authority/audits/hopper.md b/tasks/layout-authority/audits/hopper.md
new file mode 100644
index 00000000..39baaed7
--- /dev/null
+++ b/tasks/layout-authority/audits/hopper.md
@@ -0,0 +1,178 @@
+# Hopper Audit — A Slot DSL for the Layout Authority
+
+Scope: the protocol boundary between the build worker and the layout
+authority (`layout_authority_protocol.py`). What follows is a
+compile-as-abstraction-barrier proposal: lift the build worker out of
+event-stream vocabulary into domain vocabulary, and let a tiny
+translator emit the deterministic stream the authority already expects.
+
+## 1. The vocabulary mismatch
+
+The build worker thinks in **batches**: "I walked file F and produced
+8000 symbols, all children of F, all in domain D." The authority's
+input language thinks in **events**: singular `NodeDelta` calls with
+implicit ordering against I3 (parent file before child symbol), I4
+(file slot is final), and I7 (domain present before its members).
+
+The build worker translates from its native vocabulary (batches keyed
+by `(domain, kind, parent)`) into the authority's vocabulary by hand,
+at every call site. That is where the I3/I4/I7 violations enter the
+system — exactly the shape of problem compile-as-barrier addresses.
+
+## 2. Today: build-worker code without the DSL
+
+```python
+# Build worker — current, pre-DSL. The author is bookkeeping ordering
+# rules that the protocol declared NORMATIVE. Easy to get subtly wrong.
+
+def emit_file_and_symbols(authority, domain_id, file_path, symbols):
+    file_id = f"file:{domain_id}:{file_path}"
+    # I7: domain must precede its members. Hope it was already added.
+    # I4: file slot is FINAL — no retroactive reseat. Get it right now.
+    authority.add_node(NodeDelta(
+        node_id=file_id, kind="file", domain_id=domain_id,
+        parent_id=None,            # tool_hub may not be known yet
+    ))
+    # I3: every symbol must arrive AFTER its parent file. Author has
+    # to remember to emit the file FIRST. If the author groups symbols
+    # by domain instead of by file, parent-pending buffer fills up.
+    for sym in symbols:
+        authority.add_node(NodeDelta(
+            node_id=f"sym:{file_id}:{sym.name}",
+            kind="symbol",
+            domain_id=domain_id,
+            parent_id=file_id,
+        ))
+
+# At the call site, the author is also reasoning about backpressure:
+# I6 says add_node is non-blocking and may drop. So the author
+# *should* check counter deltas, but in practice nobody does.
+```
+
+Failure modes the author must hold in their head: I3 ordering, I4
+finality, I5 pending-edges overflow, I6 drop counters, I7 domain
+precedence, plus the per-kind preconditions in `NodeDelta`. Every
+new call site re-derives them.
+
+## 3. With the DSL — domain vocabulary, translator does the rest
+
+```python
+# Build worker — post-DSL. The author thinks in batches, by domain.
+# The translator emits the event stream and enforces I3/I4/I7.
+
+with authority.batch(domain_id="cortex") as dom:           # opens domain
+    with dom.kind("file") as files:                        # batch of files
+        for path in walk_repo():
+            f = files.add(path, parent_tool_hub="Edit")    # returns handle
+            with f.kind("symbol") as syms:                 # nested batch
+                for sym in parse(path):
+                    syms.add(sym.name)
+            # __exit__ on syms flushes 8000 symbols in deterministic
+            # order, AFTER f's slot has been requested. I3 honored.
+        # __exit__ on files flushes pending I4 reseat-prevention.
+    # __exit__ on dom guarantees domain anchor was emitted before
+    # any of the kind-batches inside. I7 honored.
+```
+
+Or, the decorator form for the common case "I have a list, please
+emit it as a batch":
+
+```python
+@authority.emit_batch(domain="cortex", kind="symbol", parent=file_id)
+def all_symbols_in(file_id):
+    yield from extract_symbols(file_id)   # yields names; DSL handles ids
+```
+
+The author writes domain logic. They never type `NodeDelta`. They
+never reason about seq, pending-edges, or parent-pending buffers.
+
+## 4. What the abstraction barrier buys
+
+**Ordering invariants compiled in, not asserted at the API boundary.**
+The author cannot emit a symbol before its parent file because the
+only way to add a symbol is inside `f.kind("symbol")` where `f` is
+already an emitted file handle. Dijkstra's audit lists I3/I4/I7 as
+"partial testable, requires single-producer construction argument."
+With the DSL, they become properties of the DSL's small surface, not
+of every call site.
+
+**Backpressure visible at the batch boundary, not per-event.** Each
+context carries `dropped` and `pending` counters; `__exit__` returns
+a summary (`emitted=8000, dropped=0, pending_edges=0`). The Hopper
+"tangible quantity" move applied to backpressure: 8000 symbols is
+countable; 8000 individual `add_node` return values are not.
+
+**Priority-aware batched submit.** Today the worker emits in source
+order; the scheduler re-prioritizes (P2 file < P4 symbol). The DSL
+knows the batch shape ahead of time; it can hand the scheduler a
+single `submit_batch` with P2 items first, then P4 items, eliminating
+the parent-pending buffer for the common in-order case — a direct hit
+on Dijkstra's B1 (residency exceeds the 8 MB cost-model ceiling).
+
+**The author's failures become the DSL's tests.** I3 violation today
+is a per-call-site latent bug. With the DSL, I3 violation is
+impossible by construction unless the DSL itself is wrong — and the
+DSL has one implementation that one team audits. Hopper's second move
+(debugging as first-class): not adding a tool to find the bug,
+removing the place the bug can occur.
+
+**Protocol evolution without forking call sites.** New node kinds or
+new ordering obligations (I8, I9) are absorbed by the DSL; call sites
+do not change. The same property that let COBOL programs survive five
+generations of hardware.
+
+## 5. Risks and refusals (zetetic)
+
+- **Domain formalizability.** The DSL is only as good as the formal
+  semantics of the batch grammar. The grammar must be specified
+  explicitly (which contexts may nest in which, what `__exit__` is
+  obligated to flush, what happens on exception inside a `with`). If
+  the spec is ambiguous, the DSL is a leaky abstraction worse than no
+  DSL. **Required artifact:** `slot_dsl_grammar.ebnf` plus an ADR
+  before the DSL is merged. Hand off to **Shannon** for formalization
+  if the grammar drifts during implementation.
+- **Premature abstraction.** §3.3 of the coding standards: three
+  concrete uses before extracting. Today there are at least four
+  call sites that hand-roll the file→symbol pattern (AST walker,
+  conversation ingester, memory ingester, knowledge-graph builder).
+  The threshold is met. If a future audit finds only one user, the
+  DSL is premature and should be rolled back.
+- **Performance.** Per-event budget at 10⁹ nodes / 1–2 s is ~10 ns.
+  Context-manager overhead in CPython is ~200 ns per `__enter__` +
+  `__exit__`. The DSL's `with` blocks must therefore wrap **batches**,
+  never individual nodes. The decorator form (`@emit_batch`) is the
+  preferred high-volume API; the nested `with` form is for human
+  authoring at the call site, where batches are intrinsically large.
+  Single-node DSL invocation must be refused at construction.
+- **Exception semantics.** Two options: (a) flush partial batch and
+  propagate (at-least-once); (b) discard (transactional). Option (a)
+  matches the authority's "keep going on producer failure" stance.
+  Decide in the ADR; do not let it be implementation-defined.
+- **"Ask forgiveness" check.** Bounded risk (strict additive layer;
+  old `add_node` keeps working); demonstrable benefit (I3/I4/I7 by
+  construction); no safety bypass; ownership — pass. Proceed.
+
+## 6. Compile-as-barrier compliance check
+
+| Rule | Status |
+|---|---|
+| User vocabulary identified (domain/kind/parent batches) | PASS |
+| Implementation vocabulary identified (NodeDelta event stream) | PASS |
+| Translator scope is well-defined (DSL grammar) | PENDING — needs grammar ADR |
+| Domain admits formal semantics | PASS — finite kinds, finite nesting |
+| Debugging elevation: invariants enforced by construction | PASS |
+| Tangible quantities at batch boundary (emitted/dropped/pending) | PASS |
+| Three concrete users before extraction | PASS — four call sites |
+
+## 7. Hand-offs
+
+- DSL grammar formalization → **Shannon** (or **Panini** if available
+  for grammar work).
+- Correctness-by-construction proof of I3/I4/I7 from the DSL's
+  context-manager semantics → **Dijkstra** / **Lamport** (TLA+ if the
+  exception-propagation case warrants it).
+- Implementation, including the priority-aware batched submit to the
+  scheduler → **engineer**.
+- Measurement: are call sites actually adopting the DSL after merge,
+  or sticking with raw `add_node`? → **Curie**. Adoption is the
+  empirical test of whether the abstraction barrier is the right one.
diff --git a/tasks/layout-authority/audits/ibnalhaytham.md b/tasks/layout-authority/audits/ibnalhaytham.md
new file mode 100644
index 00000000..4e581059
--- /dev/null
+++ b/tasks/layout-authority/audits/ibnalhaytham.md
@@ -0,0 +1,97 @@
+# Ibn al-Haytham Audit — Layout Authority
+
+> **Method:** *Al-Shukuk* applied to the Layout Authority design. Doubt is
+> not general skepticism; each doubt is specific, documented, and assigned a
+> resolution experiment. Authority — including prior audits in this folder —
+> is not evidence. The instrument and the experiment are evidence.
+
+## 1. Predecessor theory under doubt
+
+The "received authority" being audited:
+- `cost-model.md` (Boyd-style derivation of the 10⁹/1–2 s budget).
+- The five `layout_authority_*.py` modules and their docstring claims.
+- Prior audits (`curie.md`, `ramanujan.md`, `dijkstra.md`) — these are also
+  authority and must be doubted in the same register, not deferred to.
+
+## 2. Doubt document — claim by claim
+
+| # | Authoritative claim | Source | Specific doubt | Resolution experiment | State |
+|---|---|---|---|---|---|
+| A1 | "8 MB working set" is the cost-floor ceiling | cost-model §1, §3 | The 8 MB number is **declared**, never derived from a target machine, page-cache budget, or measured RSS. Curie C4 confirms: no `tracemalloc`, no RSS sample, no provenance. It is a self-imposed slogan. | `bench_memory_residency`: `tracemalloc.start()` + 60 s sustained 10⁶ ev/s; report peak RSS and per-component breakdown. Falsifier: peak > 8 MB. If it falsifies, either revise the budget with a sourced rationale or shrink the queues. | **OPEN** |
+| A2 | "Closed-form O(1) geometry per node" | cost-model §1 ¶3, §6 | Holds in the linear regime only. Ramanujan §"qualitative break" shows: file-arc saturates at n=18, memory-arc has a *two-term* bonus, base_radius spacing-floor only activates at N≥6 on a 1080p canvas. **The closed form has three regimes; "O(1)" hides the regime switch.** Hand-tests at N∈{1,2,3} did not exercise large-N branches at all. | `bench_geometry_branches`: sample N ∈ {1, 3, 6, 17, 18, 19, 50, 200, 11_000} per kind, assert closed-form output is finite, non-NaN, and that the *active branch* matches the regime predicted by the formula. Falsifier: any (kind, N) where output is NaN, ∞, or where two distinct nodes collide within 1 px. | **OPEN** |
+| A3 | "Single-producer" rule on `_log.emit` | _log.py docstring; Dijkstra D1, H1, H2 | Documented, not enforced. Dijkstra explicitly flagged: "single-producer rule is implicit … prose only." A second thread calling `emit` silently breaks H1 (seq monotonicity) and H2 (per-subscriber order). This is a structural defect masquerading as a design rule. | `chaos_test_two_emitters`: spawn a second thread that calls `emit` 10× during a normal run; **assert** that a thread-id check at `emit` entry fires and aborts. Falsifier: the second thread succeeds, OR no assertion exists to fire. | **OPEN — until thread-id assertion lands** |
+| A4 | "10 ns/node single-core Python at 10⁸" | cost-model §2, line 18 | Curie C3 marks this as extrapolation, no measurement. Measured pure-Python is 180–300 ns/slot — **18–30× the claim**. The 10 ns figure is asserted as a target *and* used as if achievable. | Run the bench at N=10⁸ on the exact target machine, single core, no JIT. Report ns/op median + IQR over 5 runs. Falsifier: median > 50 ns/op without a numpy/parallel path committed. | **OPEN** |
+| A5 | "11 domains × 6 kinds × 8 B = 528 B counter state" | cost-model §3 | The arithmetic is exact, but the **assumption that domain count stays ≤ 11** is undefended. Production may grow to 50–100 domains; the 8 MB claim then needs re-derivation. Dijkstra B5 already noted this. | `bench_domain_growth`: synthesise N_domains ∈ {10, 100, 1000} and report counter + anchor-cache RSS. Falsifier: > 1 MB at N_domains=1000, or no documented hard cap. | **OPEN** |
+| A6 | "Scheduler worst-case ≈ 19.4 MB" | _scheduler.py:54–62 | Dijkstra B1 and Curie C18 both flagged: the figure is arithmetic on an estimated 80 B/item that is itself unverified, AND it **already exceeds the 8 MB budget**. The design contradicts its own ceiling and nobody has reconciled it. | (a) Verify 80 B with `sys.getsizeof(NodeDelta(...))` plus deque overhead; (b) decide whether 8 MB is steady-state or peak — write the ADR. Falsifier: verified residency > 8 MB AND no ADR exists ⇒ design must change. | **OPEN** |
+| A7 | "LOD power-law slope = −1 ± 0.05" | _lod.py:190 | The strongest existing protocol — but Curie C22 noted it uses synthetic `sym:i` ids, not production `<file>:<symbol>` strings. The hash distribution on real ids may have heavy tails the synthetic test misses. | Re-run `_selfcheck_powerlaw` on a 10⁶-sample of production node ids exported from the live DB. Falsifier: fitted slope outside [−1.05, −0.95] OR KS goodness-of-fit p < 0.01. | **OPEN** |
+| A8 | "Field-name `slot.id` vs protocol `node_id`" (D0) | Dijkstra §0 | A type-mismatch defect was identified in a *prior* audit but I cannot assume it has been fixed. Authority (a fix in flight) is not evidence (a green test). | `pytest -k test_format_slot_protocol_match` that constructs a `SlotAssignment` and round-trips through `format_slot`. Falsifier: AttributeError or wrong field used. | **OPEN until test exists** |
+| A9 | "JSON parse ~250 ns vs JSON.parse ~1 µs" | _wire.py:24 | Unsourced. Curie C24 already refused this as evidence. I echo: until a committed browser microbench exists, the claim cannot be cited in design discussions. | Commit a `bench/wire_decode_browser.html` running both decoders on 10⁵ representative payloads; report median µs/op in Chrome + Safari. Falsifier: pipe < 4× JSON.parse on either browser. | **OPEN** |
+| A10 | "Pixel-equivalence with `workflow_graph.js`" | _geometry.py provenance comments | Constants are copied with `// source:` citations — provenance is good. But **the composition** of those constants under `compute_slot` has never been pixel-compared to the JS upstream. Two functions can share constants and still drift. | Golden-image test: fixed RNG seed, N=1000 mixed nodes; render JS and Python outputs to PNG; pixel-diff < 1 px median, < 3 px max. Falsifier: any node off by > 3 px. | **OPEN** |
+| A11 | "Symbol n-gon non-collision (CONJ-2)" | ramanujan.md §"Conjectured closed form" | Ramanujan flagged this as a *conjecture* requiring a prover. The `(i%4)·3 px` wobble could in principle collapse two symbols. Authority labels this "medium confidence." Doubt: nobody has enumerated. | Exhaustive enumeration: for n ∈ [1, 10_000], compute all n positions and assert pairwise distance > 0. Falsifier: any (n, i, j) with i≠j producing identical (x, y). | **OPEN** |
+| A12 | "Reproducibility of the 1M-slot benchmark" | cost-model §5 | The numbers (180.1 / 211.9 / …) are reported but the bench harness's environment (CPU model, thermal state, run-to-run variance, warm-up) is not in the file. One number on one machine is an anecdote per Ibn al-Haytham's *Manazir* §reproducibility. | Promote `bench_layout_authority.py` to record: machine ID, CPU model, governor, ambient temp proxy (load avg pre-run), 5 runs, IQR. Re-publish table with confidence intervals. Falsifier: IQR > 30% of median (run is too noisy to cite). | **OPEN** |
+
+## 3. Falsification conditions, consolidated
+
+For each authoritative claim, the **single observation that would replace
+doubt with refutation**:
+
+- A1 falsified by: `tracemalloc` peak > 8 MB at sustained 10⁶ ev/s.
+- A2 falsified by: any (kind, N) producing NaN/∞ or a 1-px collision.
+- A3 falsified by: a second `emit`-caller thread completing without an
+  assertion firing.
+- A4 falsified by: median > 50 ns/op on the target machine without numpy.
+- A6 falsified by: verified scheduler residency > 8 MB AND no ADR.
+- A7 falsified by: production-id slope outside [−1.05, −0.95].
+- A10 falsified by: any node off > 3 px from JS upstream.
+- A11 falsified by: any pair of symbols sharing (x, y).
+
+Each falsifier names a **specific observation, a specific threshold, and
+a specific instrument**. None reduces to "looks wrong."
+
+## 4. Cross-audit doubt — the audits themselves
+
+I do not exempt prior audits from doubt:
+
+- **Curie's measurement table is a survey, not a measurement.** It
+  enumerates 30 unmeasured claims; that enumeration is itself unverified
+  until each row's experiment runs.
+- **Ramanujan's hand-computation match is necessary, not sufficient.**
+  Three special cases at N=1,2,3 leave the entire large-N regime
+  unprobed. The audit says so; do not let "Ramanujan verified" become
+  shorthand for "verified."
+- **Dijkstra's correctness obligations are arguments-to-be-made, not
+  arguments-made.** D0 (field-name), D1 (single-producer), D2
+  (module-global) are flagged but not closed. Treat them as open until
+  the engineer's `derivation.md` discharges them in writing.
+
+## 5. The procedural mandate
+
+No claim above is closed by another claim. Each closes only when its
+named experiment runs, on the named instrument, with a recorded result
+and a stated pass/fail against the falsifier. Until then the claim is
+hypothesis. The cost-model is presently a **table of hypotheses
+displayed as conclusions** — that is the specific failure to repair.
+
+## 6. Hand-offs
+
+- A1, A4, A5, A6, A12 (measurement and budget reconciliation) → **Curie
+  + engineer**: implement `bench_memory_residency`, target-machine
+  ns/op, IQR-reported runs.
+- A2, A11 (geometry regime + n-gon enumeration) → **engineer**: write
+  exhaustive `bench_geometry_branches` and the n-gon collision sweep.
+- A3, A8 (single-producer enforcement, field-name fix) → **engineer**:
+  thread-id assertion at `emit` entry; round-trip test through
+  `format_slot`.
+- A7 (LOD on real ids) → **engineer + Mandelbrot**: production-id
+  sample + KS test.
+- A9 (browser decode microbench) → **engineer**: committed
+  `bench/wire_decode_browser.html`.
+- A10 (pixel-equivalence golden) → **engineer**: JS/Python golden image
+  + pixel-diff harness.
+
+## 7. One-line verdict
+
+Twelve specific doubts; each carries an instrument, a threshold, and a
+falsifier. The Layout Authority is not refuted — it is **not yet
+tested**. Until the experiments above run, the design is a coherent
+proposal, not a verified instrument.
diff --git a/tasks/layout-authority/audits/ibnkhaldun.md b/tasks/layout-authority/audits/ibnkhaldun.md
new file mode 100644
index 00000000..ef1d364f
--- /dev/null
+++ b/tasks/layout-authority/audits/ibnkhaldun.md
@@ -0,0 +1,127 @@
+# Ibn Khaldun audit — structural plausibility of layout-authority claims
+
+**Method.** Before evaluating who said what, test each claim against the
+structural constraints of the domain (memory accounting, wire bandwidth,
+Python interpreter cost, browser render rate). A claim from a careful
+auditor that violates domain constraints is rejected before the
+auditor's reputation is consulted. *Authority is not evidence;
+structural plausibility is.*
+
+A claim can be **locally true** (correct for one module read in isolation)
+yet **structurally implausible** as a system-wide statement. Most
+violations here are of that form: a number scoped correctly to a single
+module is then re-quoted as a system budget.
+
+---
+
+## 1. Plausibility filter — top-line claims
+
+| # | Claim | Domain constraint | Plausible as a SYSTEM claim? | Reasoning |
+|---|---|---|---|---|
+| K1 | "8 MB working-set ceiling" (cost-model.md:5,42) | Σ of all live allocations: scheduler + log + sub queues + numpy + interpreter | **No** | Scheduler worst-case 19.4 MB (Curie C18, Dijkstra B1); event log 500k × 80–112 B = 40–56 MB (Curie C13, Dijkstra B2); each subscriber queue 100k × ~112 B ≈ 11 MB (Fermi). Sum is **~70–90 MB**, ~10× the ceiling. The 528 B counter figure is true for geometry only; that is what the budget actually buys. |
+| K2 | "10⁹ nodes in 1–2 s" (cost-model.md:5) | wall-time = max(compute, wire, render) | **No** | Fermi independently brackets full build at **10⁴–10⁵ s (3–30 h)**, ×4 with edges. 10⁹ × 80 B = 80 GB over wire; even at 1 GB/s loopback that is 80 s, and the realistic SSE channel is 10–100 MB/s → 10³–10⁴ s. Browser render at 10⁴–10⁵ evt/s → 10⁴–10⁵ s. The 1–2 s bound holds for *closed-form geometry IF vectorised*, not for end-to-end placement-and-stream. |
+| K3 | "≈10 ns/slot achievable via numpy + 8-core" (cost-model.md:88–93) | Python attribute access ~100 ns; numpy batch amortised ~30–50 ns IF batched | **Speculative** | Curie C9–C11 explicitly flag as "unmeasured speculation". Plausible as a *target*, not as a budget line. |
+| K4 | "no per-event recompute, O(1) per node" | closed-form geometry; counter increment + trig | **Yes** | Archimedes proves boundedness, finiteness, and per-kind interval arithmetic from source. Independence (planetary heuristic + interval bounds) holds. |
+| K5 | "528 B counter state for 11×6" | 11 × 6 × 8 B int64 | **Yes** | Pure arithmetic; verifiable by inspection. But this is the geometry-module's per-domain state, not the authority's total residency. |
+| K6 | "180–300 ns/slot pure Python" (cost-model.md:80–87) | `perf_counter_ns()` over 1M iters | **Yes** | Curie C7 — measured (single machine, single run, no error bars; weak as evidence but structurally consistent with Python attribute/dict cost). |
+| K7 | "scheduler ≤ 19.4 MB worst-case" (`_scheduler` docstring) | Σ QUEUE_SIZES × ~80 B | **Yes (and decisive)** | Internally consistent arithmetic. *This is the structural refutation of K1*: the same module says 19 MB while the cost model says 8 MB. Two parts of the spec contradict; only one can be the system budget. |
+| K8 | "200-miss dead-queue threshold, 0.8 overload" (`_log.py`, `_scheduler.py`) | should derive from drain-rate × tolerated lag | **No** | Round numbers, no measurement (Curie C15, C20). Defensible as defaults; not defensible as engineered thresholds. |
+| K9 | "DISC↔MEM lanes never collide" (implicit in geometry) | angular-sector arithmetic | **Conditionally** | Archimedes Caveat: collision possible when `0.04·n_disc + 0.03·n_mem ≳ 0.79 rad`. Plausible at typical N, implausible at the 10⁹ regime the cost model claims to support. |
+| K10 | "browser render at 60 fps × 10³ nodes/frame ≈ 6×10⁴ evt/s" (Fermi) | 60 Hz × per-frame batch size | **Yes (as upper bound)** | Order-of-magnitude consistent with WebGL practice; refutes K2 from the consumer side. |
+
+---
+
+## 2. The asabiyyah pattern — why these implausibilities survived review
+
+**Founding vigor:** the geometry module was scoped tight (counter
+state, closed-form math, copied JS constants). The numbers in that
+scope are exact and defensible (K4, K5, K6).
+
+**Scope creep at the centre:** as the spec expanded to scheduler, log,
+wire, and SSE transport, the *original* budget figures (8 MB, 1–2 s)
+were carried forward unchanged into a system whose constraints are no
+longer the same. Counters at 528 B and event logs at 56 MB are not on
+the same scale; treating them as one budget is the classic Khaldunian
+move where the founding-phase rigor is invoked as authority for
+claims it never covered.
+
+**Peripheral challenger displaces:** Curie's measurement audit (28 of
+30 claims unmeasured) and Fermi's independent bracketing (10⁴–10⁵ s
+for full 10⁹ build) come from outside the cost-model.md frame and
+displace its top-line claims by structural argument. Dijkstra B1
+explicitly notes "exceeds 8 MB cost-model ceiling" — same observation
+from a third independent reviewer.
+
+When three independent audits with different methods converge on
+"the system-wide budget is wrong by 1–2 orders of magnitude," the
+structural verdict is settled regardless of which auditor is most
+senior.
+
+---
+
+## 3. Four-cause check on the two contested claims
+
+| Claim | Material (substrate) | Formal (pattern) | Efficient (mechanism) | Final (purpose) | Complete? |
+|---|---|---|---|---|---|
+| K1 8 MB | int64 counters in dict | per-domain × per-kind | `counter[(d,k)] += 1` | bound geometry-module state | **No** — material/formal/efficient/final all describe geometry; the system has scheduler + log + queues that share the process RSS. The "system budget" claim has no material referent. |
+| K2 1–2 s | closed-form trig per slot | O(1) per node | numpy batch (speculated) | place 10⁹ nodes for live render | **No** — efficient cause covers compute only; wire and render mechanisms are absent from the derivation, yet they dominate (Fermi). Final cause ("live render of 10⁹") is incompatible with efficient cause (browser at ≤10⁵ evt/s ⇒ ≥3 h). |
+
+---
+
+## 4. Confirmation-bias audit
+
+**Hypothesis under test (cost-model.md):** the geometry's O(1) per-node
+property generalises into a system that places 10⁹ nodes in 1–2 s
+within 8 MB.
+
+**Disconfirming evidence searched & found:**
+- Fermi independent decomposition: 10⁴–10⁵ s, not 1–2 s. ✓ disconfirms K2.
+- Curie measurement audit: 28/30 claims unmeasured, including all the
+  load-bearing "8 MB" and "1–2 s" extrapolations. ✓ disconfirms K1, K2.
+- Dijkstra B1: "Scheduler residency ≤ 19.4 MB worst-case. Exceeds 8 MB
+  cost-model ceiling." ✓ disconfirms K1 internally.
+- Archimedes Caveat: DISC↔MEM angular collision at high N. ✓ disconfirms
+  the implicit "10⁹ scales without geometric breakdown".
+
+The disconfirming evidence is already in the audit corpus. It was not
+synthesised into the cost model. That is the bias: each audit is
+correct in its frame; the cost-model.md never updated when the frames
+combined.
+
+---
+
+## 5. Verdict
+
+| Claim | Plausibility | Action |
+|---|---|---|
+| K1 8 MB system-wide | **Reject** | Scope to "geometry module per-domain state ≤ 528 B"; system RSS budget belongs in an ADR with measured numbers (Curie experiment §3.1). |
+| K2 1–2 s end-to-end at 10⁹ | **Reject** | Re-state as "closed-form geometry compute ≤ 1–2 s at 10⁹ IF vectorised, IF tile-served (no live SSE), IF render is offline". The user-visible 10⁹ build is hours, per Fermi and `tasks/tile-server-plan.md`. |
+| K3 numpy 10 ns/slot target | **Hold** | Tag `// HYPOTHESIS — no measurement` per Curie §4 until `bench_geometry_numpy` lands. |
+| K4 O(1) per node | **Accept** | Archimedes verified; independence holds. |
+| K5 528 B geometry counters | **Accept** | Arithmetic. |
+| K6 180–300 ns/slot pure Python | **Accept (single-run caveat)** | Replicate on ≥3 machines with IQR (Curie §3). |
+| K7 scheduler 19.4 MB | **Accept** | And note that this *settles* K1 — system memory budget is not 8 MB. |
+| K8 200-miss / 0.8 thresholds | **Hold** | Engineer to derive from measured distributions, not round numbers. |
+| K9 DISC↔MEM non-collision | **Conditional** | Holds at production N; tighten arc growth before claiming 10⁹ scale. |
+
+---
+
+## 6. Hand-offs
+
+- **Engineer:** rewrite cost-model.md §1 and §3 to scope "8 MB" and
+  "1–2 s" to the geometry module only. Add a separate system-budget
+  ADR citing Dijkstra B1 + Curie §3.1 instrumentation requirement.
+- **Curie:** prioritise `bench_memory_residency` (top of her §3 list);
+  one measurement collapses K1, K7, B1 into a defended number.
+- **Fermi:** the binding constraint is browser render throughput;
+  measure it on the tilemap path at 10⁵, 10⁶, 10⁷ to lock K2's bracket.
+- **Lamport:** if the 10⁹-scale invariants are kept (DISC↔MEM
+  separation, parent-before-child ordering), TLA+ them; the structural
+  argument here is sufficient at production N but not at the claimed
+  ceiling.
+
+## 7. One-line verdict
+
+The geometry module's claims are structurally sound. Their promotion
+to system-wide claims is structurally implausible — by ~10× on memory
+and ~10⁴× on wall time — and three independent audits already say so.
diff --git a/tasks/layout-authority/audits/jobs.md b/tasks/layout-authority/audits/jobs.md
new file mode 100644
index 00000000..c9bf5821
--- /dev/null
+++ b/tasks/layout-authority/audits/jobs.md
@@ -0,0 +1,144 @@
+# Jobs — The Integrated Experience IS the Spec
+
+> The user has shipped six "working" iterations. Each passed a technical
+> metric (FPS, payload size, no-crash, server-uptime). All six failed the
+> only spec that matters: **the user clicks "open visualization" and sees
+> their actual neural graph build itself in front of them, traceable end
+> to end.** Component metrics lied. Experience-level spec did not exist.
+> This file is the executable spec.
+
+## 1. The user's words, taken literally as the spec
+
+Two phrases, quoted from the user's frustration. They are not poetry;
+they are the acceptance criteria:
+
+1. **"node appearing without stopping until finished loading all of them"**
+   — a continuous, monotonic, never-stalling stream from t=0 until the
+   build worker finishes. No batch flushes. No "wait, then dump." No
+   freeze, then catch-up. **Continuous monotonic emission** is the spec.
+
+2. **"real neural graph showing data with link to what it comes from
+   and where it goes to"** — every node visible on screen MUST be
+   traceable: hover/click → `(node_id, source_path, kind, domain,
+   parent_id, edges_in, edges_out)`. The graph is not decoration; it
+   is *navigation over the actual data*. **Provenance per node** is
+   the spec.
+
+Anything that ships without (1) AND (2) simultaneously fails. Trade-offs
+("we have continuity but no provenance," "we have provenance but it
+freezes") are design failures, not acceptable engineering compromises.
+
+## 2. Executable spec — what happens when the user clicks "open visualization"
+
+Time is measured from the click. Each row is testable end-to-end.
+
+| t | What the user MUST see | What is NOT acceptable |
+|---|---|---|
+| **0 ms** | Click registers. Window/tab opens within one frame (≤16 ms). | Spinner-only. "Loading…" with no graph frame. Tab opening empty for >100 ms. |
+| **0–500 ms** | Empty canvas with axis/legend/domain anchors visible (the 11 domain hubs at their Fibonacci anchors, even with zero nodes). The "skeleton" of the map. SSE connection established, status indicator shows "live". | Blank white screen. "Connecting…" modal. Anything that looks like the page failed to load. |
+| **500 ms** | First nodes start appearing. Setup hubs and tool hubs (the small fixed set, ~70) are placed and visible. User can already see the shape of their workspace. | Still a blank canvas. A "preparing layout…" message. Loading bar at 0%. |
+| **0.5–2 s** | Nodes stream in continuously. The user sees them *appear*, one after another, at deterministic positions — no jumping, no rearrangement, no flash-of-clumped-then-spread. Frame rate stays ≥30 fps; UI stays interactive (pan, zoom, hover). | Burst-then-pause. Visible "tick" of the force simulation. Nodes appearing at (0,0) then teleporting. Browser tab beachball. |
+| **2 s** | First files and their attached symbols are visible around their tool/domain anchors. Hovering any visible node shows the tooltip with `node_id`, `kind`, `source_path`, `domain`. | Hover does nothing. Tooltip shows "id: 42" with no provenance. Click does not select. |
+| **2–10 s** | Streaming continues monotonically. Edges are drawn as their endpoints appear; if an edge arrives before its target, it waits silently in a buffer (no red error, no flicker) and is drawn the instant the target lands. User can click any node and see incoming/outgoing edges highlighted; clicking an edge endpoint navigates the camera. | Edges drawn to (0,0). Edges flickering as endpoints reseat. Console errors. "Edge target missing" toasts. |
+| **10 s** | Roughly 10⁵–10⁶ nodes placed (Cortex repo scale). The user can already work — search, filter, navigate by domain — without waiting for completion. The status indicator shows "live: N nodes, M edges, building…". | The UI being read-only until the build "finishes." Search disabled until 100%. A modal blocking interaction. |
+| **60 s** | Build worker has finished or is finishing. The status indicator transitions to "live: N nodes, M edges, complete". The graph is identical (deterministic) to what the user will see if they reload. Memory footprint stable. No background thrash. | The browser tab becoming sluggish. Memory growing unbounded. The status never reaching "complete." A "rebuilding…" loop. |
+| **anytime ≥0.5 s** | Hover any node → tooltip in <50 ms with `(node_id, kind, source_path, domain, parent_id)`. Click → side panel showing edges in/out with clickable navigation. Camera follows. | Hover lag >200 ms. Tooltip showing only `id`. No way to get from a node back to its file. |
+| **on disconnect** | Lost SSE connection → status "reconnecting…", graph remains visible and interactive on what was already received. Reconnect resumes from `Last-Event-ID`; gap is replayed silently. | Graph clears on disconnect. Page refreshes itself. User loses scroll position. |
+
+## 3. The integration boundary map — and where every iteration leaked
+
+| Boundary | Side A | Side B | Visible to user as friction? | Owner today |
+|---|---|---|---|---|
+| Click → window open | `open_visualization` handler | browser process | **Yes (blank tab >100 ms)** | nobody |
+| Window open → first frame | bootstrap rsync (`visualize_bootstrap.py:56–104`) | HTTP server | **Yes (cold start >2 s)** | nobody |
+| HTTP server → SSE | `http_viz_server` | `EventSource` client | **Yes — no consumer wired today** (Einstein Frame 9) | nobody |
+| SSE event → canvas paint | `format_slot` bytes | `workflow_graph_tilemap.js` | **Yes — field name mismatch `slot.id` vs `slot.node_id`** (Pólya item 1) | nobody |
+| add_node → slot emission | scheduler P4 deque | `layout_authority.py` | **Yes — silent drops when no integrator drains** (Einstein Frame 2) | **MISSING** |
+| node placement → edge draw | layout authority | edge buffer | **Yes — edges to (0,0) under reseat** (Einstein Frame 10) | nobody |
+| node identity → provenance | `SlotAssignment` (5 fields) | tooltip | **Yes — bytes layer drops everything except (id,x,y,kind,dom)** | nobody |
+
+**Every boundary is unowned. Six iterations sanded the same seam from
+six different sides because no single person owned the seam itself.**
+
+## 4. All-dimensions-simultaneously check (current state)
+
+| Dimension | Bar | Current | Pass? |
+|---|---|---|---|
+| **Continuous emission** | Nodes appear monotonically; no burst-then-pause; no freeze | Force-sim ticks, debounce-rebuild, SSE-clumping all violate | **NO** |
+| **Provenance per node** | Hover shows `(id, kind, path, domain, parent, edges)` | Tilemap raster has no `node_id` at all (pixels only) | **NO** |
+| **Interactive within 2 s** | Pan/zoom/hover responsive while streaming | Browser freezes on per-phase rebuild (`bridge.js:107`) | **NO** |
+| **Deterministic positions** | Same input → same `(x,y)` across reloads | Append-clumping bug (Ginzburg §4: `baseR(domains.length)` recomputed) | **NO** |
+| **Beautiful (no flicker)** | No node teleports; no edge to (0,0) | Reseat-on-late-parent draws orphans (Einstein Frame 10) | **NO** |
+| **Robust (reconnect)** | Loss of SSE → silent replay from `Last-Event-ID` | No EventSource consumer exists | **NO** |
+| **Bounded memory** | Working set stable on the box | Three uncoordinated caches (visualize_bootstrap.py:56–104) | **NO** |
+
+**Zero of seven dimensions pass.** "It works on my benchmark" is not
+"it works." Every prior ship was a falsification of "it just works."
+
+## 5. The seam that must be eliminated to make this shippable
+
+The user owns the *whole* stack — Python server, JS renderer, Postgres
+store, SSE wire, layout geometry. There is no external vendor. The
+seams exist only because **no module owns the integrated experience
+end-to-end.** Vertical integration here is not a business strategy; it
+is the correctness mechanism.
+
+**Single owner: `layout_authority.py` (Pólya item 2; ~150 LOC).** It
+owns:
+1. The counter map `(domain_id, kind) → int`.
+2. The pending-parent buffer (I3) and pending-edges buffer (I5).
+3. The single producer thread that pops the scheduler, calls
+   `compute_slot`, and emits via `log.emit('slot', bytes)`.
+4. The SSE handler is a passive subscriber; the renderer is a passive
+   subscriber. Neither computes layout. Neither rebuilds simulations.
+
+When this module exists and owns the seam, every row of §2 becomes
+testable, every dimension of §4 becomes measurable, and the user's two
+sentences become falsifiable claims a CI test can enforce.
+
+## 6. Edit ruthlessly — what must be cut to ship the integrated experience
+
+| Cut | Why |
+|---|---|
+| `core/layout_engine.py` (igraph DrL) | Ginzburg §5.3: O(N log N), violates cost-model §6, third layout system |
+| `prepareTopology` + `computeSlots` in `workflow_graph.js:308–700` | Ginzburg §5.2: renderer must NOT author layout |
+| MutationObserver in `workflow_graph_bridge.js:67–73` | Ginzburg 2.8: only exists because two renderers fight; one renderer → no referee needed |
+| Debounce timer in `workflow_graph_bridge.js:107–137` | Becomes obsolete: no per-phase simulation rebuild if renderer is passive |
+| Skip-if-fresh cache in `recompute_layout.py:82–99` | Becomes obsolete: one caller (schema migration), not three |
+| `polling.js` "don't clobber lastData" branch | Two pipelines collapse to one when authority is single-writer |
+
+The product is what remains after the cut, not what was added in each
+iteration.
+
+## 7. The "it just works" CI test (acceptance gate)
+
+A single end-to-end test must pass before the next ship:
+
+```
+GIVEN a clean Cortex DB seeded with this repo (≈30k nodes)
+WHEN the user invokes `cortex:open_visualization`
+THEN within 500 ms a tab opens with the 11 domain anchors visible
+AND within 2 s the first 1000 nodes are visible at deterministic positions
+AND streaming continues monotonically with frame rate ≥30 fps
+AND every visible node responds to hover within 50 ms with full provenance
+AND every edge connects two already-visible nodes (or is buffered, never drawn at (0,0))
+AND on completion the graph is byte-identical to a reload
+AND on SSE disconnect+reconnect the graph state is preserved and the gap replayed
+```
+
+If any clause fails, the build does not ship. "Fix it later" is not
+accepted because every prior "fix it later" became another iteration in
+§1 of Ginzburg.
+
+## 8. Hand-offs
+
+- **engineer**: build `layout_authority.py` per Pólya §6 in the order
+  given. Implement §7 as a Playwright end-to-end test before declaring
+  done.
+- **Curie**: instrument §2's t-table (0/0.5/2/10/60 s) so each row
+  becomes a measured number, not an aspiration.
+- **Hamilton**: SSE reconnect+replay path (§2 last row, §7 last clause)
+  is the resilience gate.
+- **Liskov**: SSE consumer contract — any new renderer (3D map,
+  minimap, graph-RAG UI) must be substitutable behind the same
+  `(id, x, y, kind, domain)` byte stream without touching the authority.
diff --git a/tasks/layout-authority/audits/kahneman.md b/tasks/layout-authority/audits/kahneman.md
new file mode 100644
index 00000000..bc5fa847
--- /dev/null
+++ b/tasks/layout-authority/audits/kahneman.md
@@ -0,0 +1,175 @@
+# Kahneman Audit — System-1 Traps in the Layout-Authority Session
+
+Scope: cognitive-bias post-mortem of the iteration sequence that produced the
+six `layout_authority_*.py` modules, the Datashader pivot, the tilemap
+auto-recovery patch, and the still-missing integrator. Stakes: **High**
+(irreversible-ish architectural commitments, ten fix cycles, no convergence —
+Pólya §1). Method: name the trap, point at the iteration that suffered, state
+what System-2 would have caught, prescribe a counter-procedure.
+
+Iteration ledger (reconstructed from git + audit corpus):
+
+| # | Iteration | Artifact / commit | Outcome |
+|---|---|---|---|
+| I1 | d3-force on full graph | early `workflow_graph.js` ticks | Stalled at ~5k nodes |
+| I2 | `prepareTopology` per phase | `workflow_graph.js:308–700` | O(N+E) per recompute, blocked |
+| I3 | force-graph + spatial index rebuild | force-graph experiments | O(N log N) per insert |
+| I4 | Datashader server-tile pivot | `dba2f16` | Renders pixels; loses node identity |
+| I5 | Six `layout_authority_*` modules | current tree | Parts exist, integrator missing (Feynman §1.2) |
+| I6 | Tilemap auto-recover on `no_layout` | `4a41aff` | Symptom-fix; root cause = no integrator |
+
+---
+
+## Trap 1 — Anchoring on the first solution that "looked right" (force-graph)
+
+**Where it bit:** I1–I3. d3-force was adopted because it was *the* visible
+default for graph viz; subsequent iterations adjusted parameters (alpha, link
+strength, spatial index) instead of questioning the family. The cost-model
+shows d3-force at N=10⁹ costs ~3·10¹² ops — **six orders of magnitude over
+budget** (cost-model §1). That number was derivable on day 1.
+
+**System-1 signature:** "graph → force simulation" associative retrieval. WYSIATI
+— the demo that worked at N=10³ was treated as evidence the family scales.
+
+**System-2 catch:** compute T_per_node = T/N **before** picking the family. At
+1 ns/node (cost-model §1), any iterative or O(N log N)-per-tick algorithm is
+disqualified by arithmetic. The family must be O(1) per node, closed-form. The
+disqualification is one division, not an experiment.
+
+**Counter-procedure (preventive, not cognitive):**
+1. **Budget-first checklist** at architecture entry: write
+   `T_per_node = T_target / N_target` and `bytes_per_node = M_target / N_target`
+   on line 1 of any viz design doc. Reject any candidate whose per-node cost
+   exceeds the budget by inspection.
+2. **Reference-class forecast:** before adopting library X, list 3 prior projects
+   that used X at the target N. If none exist, X is unproven at scale — treat
+   the inside-view demo as N=10³ evidence, not N=10⁹ evidence.
+
+---
+
+## Trap 2 — Substitution: easy question for hard question
+
+**The hard question:** "Does this layout pipeline place node #10⁹ in the same
+time as node #1, within 8 MB working set, deterministically, while streaming?"
+
+**The easy questions System-1 answered instead, in order:**
+- I1–I3: "Can I make d3-force converge for the demo graph?" (≈ 100 nodes)
+- I4: "Can I render 10⁶ pixels per second?" (Datashader — answers a *rendering*
+  question, not a *placement* question; node identity / pickability lost)
+- I5: "Are the six modules each internally consistent?" (Feynman audit confirms
+  yes — but the integrator is missing, so the system cannot run)
+- I6: "Can I make the symptom go away when `/api/quadtree` returns `no_layout`?"
+  (Auto-recover patch — the `no_layout` IS the symptom of the missing
+  integrator; auto-recovery hides the root cause)
+
+**System-2 catch:** Pólya's Phase 1 — *restate the unknown*. The audit corpus
+restates it correctly (cost-model §1, Pólya §1, Feynman §1.2): the unknown is
+a **streaming coordinator with O(1)-per-node deterministic placement**, not a
+renderer, not a module set, not a 404 handler.
+
+**Counter-procedure:**
+1. **Question-substitution log.** At every iteration boundary, write the
+   question being answered on this iteration on one line. Compare it to the
+   problem statement. If they differ, you are substituting. (Kahneman 2011
+   Ch. 9 protocol.)
+2. **Acceptance test gates the symptom-fix.** A symptom-fix PR (like I6) must
+   cite the root-cause issue ID. If no root-cause issue exists, the PR is
+   refused — open the issue first.
+
+---
+
+## Trap 3 — Availability bias: fixing the most recent symptom
+
+**Where it bit:** I6 (`4a41aff` "tilemap auto-recovers when /api/quadtree
+returns no_layout"). The visible failure was the tilemap stalling on
+`no_layout`. The fix made the *retry* work. The actual cause — the integrator
+that should have *produced* the layout in the first place doesn't exist
+(Feynman §1.2: "today nothing calls `add_node` at all") — was not addressed.
+
+The Datashader pivot (I4) has the same shape: the most recent visible failure
+was rendering blowing up at N=10⁶, so the fix replaced the renderer. But the
+placement pipeline (the actual bottleneck under cost-model §1) was never built.
+
+**System-1 signature:** "the most vividly broken thing is the most important
+thing." Recency overrides root-cause analysis.
+
+**System-2 catch:** Pólya §1 — "the bug is not in any file; the bug is in the
+*absence* of one." A 5-Whys chain run at I6 lands on "no integrator" within 3
+hops:
+- Why does the tilemap need to auto-recover? → because `/api/quadtree` returns `no_layout`.
+- Why does it return `no_layout`? → because no `compute_slot` has been called.
+- Why has no `compute_slot` been called? → because no integrator exists to call it.
+
+**Counter-procedure:**
+1. **5-Whys before any symptom-level patch.** The PR description must include
+   the 5-Whys chain; if it bottoms out in "missing component," the patch is
+   refused until the component is built.
+2. **Pre-mortem on the fix:** "Imagine this patch is merged and the same bug
+   recurs in a different form in 2 weeks. Why?" If the answer is "because the
+   real cause was elsewhere," you are patching a symptom.
+
+---
+
+## Trap 4 — Inside-view estimation, no reference class
+
+The cost model (§5) is the *only* place in this session where an outside-view
+benchmark exists (5.55 M ops/s pure Python, measured). Every iteration prior
+to that — I1, I2, I3, I4 — adopted a family on inside-view reasoning ("this
+should work for our graph") with no reference-class data on (a) similar libs
+at similar N, (b) similar pipelines under streaming load. The cost-model
+arrived after ~10 cycles; it should have been iteration zero.
+
+**Counter-procedure:** **No architecture commit without a per-node-cost
+table.** The first artifact in any large-N viz task is the cost-floor doc
+(`tasks/layout-authority/cost-model.md` is the template). PRs that introduce
+a placement family without citing the cost-floor row that justifies it are
+refused.
+
+---
+
+## Trap 5 — Framing: "graph viz" vs. "streaming coordinator"
+
+The session was framed as "graph visualisation" throughout I1–I4. Under that
+frame, force-graph and Datashader are natural candidates. Under the reframe
+"unbounded streaming events with deterministic projection" (Pólya §2.1, IoT
+analogy), the candidate set is entirely different: WAL + projection +
+coordinator, ~150 LOC, already prior art.
+
+The reframe was available from day 1 — the user supplied the IoT analogy.
+System-1 anchored on "graph viz" because the artifact (a graph) dominated the
+frame. System-2 would have asked: *what is the dataflow shape*, not *what is
+the artifact shape*.
+
+**Counter-procedure:** **Two-frame restatement** at architecture entry.
+Restate the problem in (a) artifact terms ("graph viz") and (b) dataflow
+terms ("streaming events with projection"). If the candidate solution sets
+diverge, the artifact frame is misleading — pick the dataflow frame.
+
+---
+
+## 6. Devil's-advocate role for this codebase
+
+Standing assignment: every architecture PR for the layout authority gets one
+named reviewer whose job is to argue the opposite. Specifically required to:
+1. Run the cost-floor arithmetic and cite a row that disqualifies the proposal,
+   OR concede the budget passes.
+2. Name a substitution candidate ("this PR answers Q', not Q").
+3. Run the 5-Whys on the motivating bug.
+The reviewer is empowered to refuse merge until 1–3 are answered in writing.
+
+---
+
+## 7. What to escalate, to whom
+
+- **Fat-tail / burst stressors** (queue sizing, dead-subscriber storms) →
+  Taleb (already covered in `taleb.md`).
+- **Concurrency obligations of the missing integrator** (single-producer,
+  seq monotonicity) → Dijkstra (`dijkstra.md` §0–§1, already specified).
+- **Reframing to the IoT coordinator pattern** → Pólya (`polya.md` §2.1,
+  already prescribed: ~150 LOC, copy verbatim).
+
+This audit's contribution: the **process** changes (budget-first checklist,
+question-substitution log, 5-Whys gate, two-frame restatement, devil's
+advocate) that prevent the *next* ten cycles from repeating the last ten.
+Cognitive awareness alone does not remove these biases (Lilienfeld 2009);
+the gates above are structural so the bias cannot reach merge.
diff --git a/tasks/layout-authority/audits/kauffman.md b/tasks/layout-authority/audits/kauffman.md
new file mode 100644
index 00000000..b0fab260
--- /dev/null
+++ b/tasks/layout-authority/audits/kauffman.md
@@ -0,0 +1,180 @@
+# Kauffman audit — layout authority at the edge of chaos
+
+**Discipline:** Kauffman (1993, *Origins of Order*; 1995, *At Home in
+the Universe*). Every coupling parameter K has an ordered regime
+(K too low → frozen, no information flows, system is brittle to
+bursts) and a chaotic regime (K too high → unbounded propagation,
+GC pauses, latency tail explodes). The adaptive regime is the
+narrow band between them. The audit's job is to locate that band
+for each layout-authority parameter and produce **tunable setpoints
+with diagnostic triggers**, not constants.
+
+Setpoint format throughout: `(low, target, high)` plus the trigger
+that should re-tune.
+
+## 1. Phase diagram framework
+
+- **Frozen (K → 0):** drops dominate / stride → ∞ / no buffer absorbs
+  bursts. Information never reaches the client.
+- **Adaptive (edge):** drops < 0.1 % at p99 burst; latency p99 bounded;
+  memory headroom ≥ 2× sustained. The system absorbs new workloads.
+- **Chaotic (K → ∞):** memory blowup, GC pauses, priority starvation,
+  RTT tail explodes. Variance swamps the mean.
+
+A setpoint is *adaptive* iff a 2× nominal burst keeps the system in
+the adaptive band, not within 20 % of either edge.
+
+## 2. Per-priority queue caps (`QUEUE_SIZES`, scheduler.py:78)
+
+Source: `mcp_server/server/layout_authority_scheduler.py:78`. Service
+rate μ = 7.28·10⁵ events/s (knuth.md integration bench).
+
+| Priority | Frozen edge (K_low) | Adaptive setpoint (current) | Chaotic edge (K_high) | Re-tune trigger |
+|---|---|---|---|---|
+| P0 domain | < 50 (drops on any burst > 100 ms) | **1 000** | > 50 000 (≥ 4 MB just for P0) | drop_rate_P0 > 10⁻⁶ over 1 h |
+| P1 tool_hub | < 50 | **1 000** | > 50 000 | drop_rate_P1 > 10⁻⁶ |
+| P2 file | < 1 000 (seed_project bursts ~30 k files in < 1 s) | **16 000** | > 200 000 (3 MB / queue) | drop_rate_P2 > 10⁻³ during seed |
+| P3 other | < 2 000 | **32 000** | > 400 000 | drop_rate_P3 > 10⁻³ |
+| P4 symbol | < 4 000 | **64 000** | > 500 000 (40 MB → 8 MB ceiling breached, see scheduler.py:48) | drop_rate_P4 > 10⁻² (low-priority shedding *is* the design) |
+| P5 edge | < 8 000 | **128 000** | > 1 000 000 (80 MB) | drop_rate_P5 > 10⁻¹ |
+| P6 subtree | < 10 (coalescing fails) | **100** | > 1 000 (latency in viewport tracking) | viewport_lag > 200 ms |
+
+**Edge-of-chaos rule:** cap_p ≈ 2× the largest known burst at priority
+p, capped by the 8 MB working-set ceiling (cost-model.md §3) divided
+by 80 B/item budget. Caps below 2× burst → frozen (everyone drops a
+seed_project replay). Caps above 8 MB / 80 B = 100 k per priority for
+P4–P5 → chaotic (memory blowup; matches scheduler.py:48 derivation).
+
+## 3. Drain rate (worker pop loop, scheduler.py pop)
+
+Drain rate δ_drain is implicit in μ_authority = 7.28·10⁵ events/s,
+single core. The tunable is the **pop batch size** (currently 1 per
+loop with strict-priority scan).
+
+| Regime | Batch size | Behaviour |
+|---|---|---|
+| Frozen | 1 (current) under coarse lock | Lock-acquire dominates; observed μ is 728 k/s but P95 jitter elevated under contention |
+| **Adaptive setpoint** | **8–32 items per pop** when next-item priority equals current | Amortises lock; matches observed cache-line block; preserves strict-priority by checking priority on each draw |
+| Chaotic | > 256 | Higher priorities can starve for a full batch duration (~350 µs at P4) → P0 latency tail |
+
+**Setpoint:** `BATCH_POP = (4, 16, 64)`. Trigger to re-tune: if
+P0_to_render_p99 > 50 ms, reduce; if μ_authority_observed < 0.5·μ_max,
+increase.
+
+## 4. Replay buffer — `_EVENT_LOG_CAP` (log.py:42)
+
+Current: `_EVENT_LOG_CAP = 500_000` events × ~200 B JSON ≈ **100 MB**
+worst-case. Purpose: SSE reconnect replay window.
+
+| Regime | Cap | Failure mode |
+|---|---|---|
+| Frozen | < 50 000 events (~10 s @ 5 k/s sustained) | Reconnects after a 30-s wifi blip miss state; client must full-resync (10⁶ nodes) |
+| **Adaptive setpoint** | **(200 000, 500 000, 2 000 000)** | Covers a 60-s reconnect window at peak SSE drain (5·10⁴/s; erlang.md §2). Memory 40–400 MB — out of 8 MB working-set, but log lives in **renderer-side** layer, not authority core (cost-model.md §3) |
+| Chaotic | > 5 000 000 | RAM pressure; Python deque resize stalls; GC pause > 100 ms |
+
+**Re-tune trigger:** `reconnect_resync_rate > 1 %` of reconnects →
+increase cap. `process_RSS > 1 GB` attributable to event log →
+decrease cap.
+
+## 5. Per-subscriber SSE queue (`_SUBSCRIBER_QUEUE_CAP`, log.py:43)
+
+Current: 100 000. Erlang.md sets δ_sse ≈ 5·10⁴/s/client.
+
+| Regime | Cap | Behaviour |
+|---|---|---|
+| Frozen | < 1 000 (< 20 ms drain headroom) | Any GC pause on the client → dead-queue eviction; erlang.md `_DEAD_QUEUE_MISS_THRESHOLD = 200` fires |
+| **Adaptive setpoint** | **(20 000, 100 000, 400 000)** | 0.4 – 8 s of drain headroom; covers normal client jank without eviction |
+| Chaotic | > 10⁶ | Per-client 200 MB; 10 clients → 2 GB; OOM |
+
+**Re-tune trigger:** if dead_queue_evictions/h > 1 per healthy
+client → raise floor. If SSE memory > 500 MB total → lower ceiling.
+
+## 6. LOD stride (lod.py:58 `stride(zoom)`)
+
+Current: `stride(zoom) = max(1, 2^(3 - 4·zoom))`. Range stride ∈ {1,2,4,8}.
+
+This is the **coupling between zoom and visible-symbol count**.
+- Stride = 1 always (frozen at chaotic edge): emit every symbol →
+  10⁶ at zoom 0 → renderer chokes (see ginzburg.md visible-budget).
+- Stride too aggressive (frozen at ordered edge): structure dissolves
+  before user requests it. Visible drops to 10³ at zoom 0.5 → empty
+  scene → user perceives data loss.
+
+| Zoom | Frozen-low (K=∞, stride too big) | Adaptive setpoint | Chaotic-high (K=0, stride=1) |
+|---|---|---|---|
+| 1.00 | n/a | stride = **1** | n/a — full detail intended |
+| 0.75 | 4 (lose mid-detail) | **(1, 1, 2)** | 1 in ultra-dense subtrees → > 50 k visible |
+| 0.50 | 8 | **(2, 2, 4)** | 1 → > 250 k visible |
+| 0.25 | 16 | **(4, 4, 8)** | 2 → > 250 k visible |
+| 0.00 | 32 | **(8, 8, 16)** | 4 → > 100 k visible |
+
+**Edge target:** visible_symbols(zoom) ∈ [10 000, 50 000] across the
+range — Mandelbrot power law preserved (mandelbrot.md), Ginzburg
+visible-budget honoured (ginzburg.md). Re-tune trigger: if
+client_fps < 30 at any zoom for > 5 s → increase stride at that
+zoom; if visible_symbols < 5 000 at zoom > 0.5 → decrease stride.
+
+## 7. Pending-edges and per-file symbol caps (authority.py:48–49)
+
+`_PENDING_EDGES_CAP = 100_000`, `_PENDING_SYMBOLS_CAP_PER_FILE = 4_096`.
+
+| Param | Frozen | Adaptive (current) | Chaotic | Trigger |
+|---|---|---|---|---|
+| pending_edges | < 1 000 (drops during file-tree resolve burst) | **(20 000, 100 000, 500 000)** | > 5·10⁶ (memory blowup; resolve walk cost ~O(N) on flush) | edge_resolve_drop_rate > 10⁻² |
+| symbols/file | < 64 (loses real files like 5 k-line generated code) | **(1 024, 4 096, 16 384)** | > 65 536 (per-file dict pathological) | symbol_drop_rate per file > 10⁻³ for files with documented size |
+
+## 8. Far-reduced threshold (lod.py:52, `_FAR_ZOOM_THRESHOLD = 0.4`)
+
+This is the **phase-transition coordinate** for memory/entity kinds.
+
+- < 0.2 (frozen): memories visible at near-far zoom flood the scene.
+- > 0.6 (chaotic at the structure side): memories disappear too soon;
+  the user loses semantic anchor while still in mid-zoom.
+- Adaptive band: **(0.3, 0.4, 0.5)**. Re-tune trigger: user studies
+  / heatmaps showing > 30 % of zoom-time spent in [0.35, 0.45] without
+  user-visible memory nodes → lower threshold.
+
+## 9. Cross-coupling — the system K is itself a Kauffman variable
+
+Each parameter above is one knob, but they interact. The composite
+coupling K is:
+
+```
+K_system ≈ count_of_parameters_at_their_chaotic_edge_simultaneously
+```
+
+When K_system ≥ 2, regime collapse cascades (full P5 + 100 % stride =
+1 at zoom 0 + full SSE queue → simultaneous OOM + drop + RTT tail).
+**Operational rule:** never tune two parameters into their upper
+quartile in the same release. Roll one, observe one full burst cycle,
+then roll the next.
+
+## 10. Setpoints summary (one-glance dashboard)
+
+| Parameter | Low | **Target** | High | Owner trigger |
+|---|---|---|---|---|
+| QUEUE_SIZES[P2] | 4 000 | **16 000** | 64 000 | drop_rate_P2 > 10⁻³ |
+| QUEUE_SIZES[P4] | 16 000 | **64 000** | 100 000 | working_set > 8 MB |
+| QUEUE_SIZES[P5] | 32 000 | **128 000** | 200 000 | working_set > 8 MB |
+| BATCH_POP | 4 | **16** | 64 | P0_p99 > 50 ms |
+| EVENT_LOG_CAP | 200 k | **500 k** | 2 M | reconnect_resync > 1 % |
+| SUBSCRIBER_QUEUE_CAP | 20 k | **100 k** | 400 k | dead_queue_eviction > 1/h/client |
+| FAR_ZOOM_THRESHOLD | 0.30 | **0.40** | 0.50 | user dwell > 30 % in dead band |
+| pending_edges | 20 k | **100 k** | 500 k | edge_resolve_drop > 10⁻² |
+| symbols/file | 1 024 | **4 096** | 16 384 | per-file_symbol_drop > 10⁻³ |
+| stride(z=0) | 4 | **8** | 16 | visible@z0 ∉ [10 k, 50 k] |
+
+## 11. Anti-patterns refused
+
+- Static constants without a re-tune trigger and observability counter
+  — frozen by construction.
+- Tuning everything to "max" (chaotic) or "min" (frozen).
+- Single-knob optimisation against one benchmark — ignores K_system (§9).
+
+## 12. Hand-offs
+
+- Capacity math at these setpoints → **erlang.md**.
+- Power-law stride continuity → **mandelbrot.md**.
+- Working-set ceiling bounding the chaotic edge → **cost-model.md §3**.
+- Visible-symbol budget bounding stride → **ginzburg.md**.
+- Telemetry driving the re-tune triggers → **deming.md** (control charts).
diff --git a/tasks/layout-authority/audits/kay.md b/tasks/layout-authority/audits/kay.md
new file mode 100644
index 00000000..bf646393
--- /dev/null
+++ b/tasks/layout-authority/audits/kay.md
@@ -0,0 +1,152 @@
+# Kay audit — late-binding the metadata-fetch path
+
+Scope: the click-time metadata path. Wire format ships only
+`(id, x, y, kind, domain_id)` per slot (see
+`layout_authority_wire.py:format_slot`). When the user clicks a node,
+the client needs the full payload (path, label, heat, content excerpt,
+edges). The question is **when** the binding from `node_id → metadata`
+happens. The Kay answer: **as late as possible — at click time, by
+HTTP round-trip, never in the slot stream**.
+
+## 1. Decision audit — what is bound when?
+
+| Decision | Today (slot SSE) | Late-bound (`/api/node/<id>`) |
+|---|---|---|
+| Position `(x,y)` | streamed (must be) | streamed |
+| `kind`, `domain_id` | streamed (cheap, ~28 B) | streamed (renderer needs them for color/group on arrival) |
+| `label`, `path` | **NOT streamed** | fetched at click |
+| `heat`, `content_excerpt` | **NOT streamed** | fetched at click |
+| Per-node edge list | **NOT streamed** (only per-edge events) | fetched at click |
+| Tooltip / popover HTML | **NOT streamed** | rendered from fetch response |
+
+Every row below `domain_id` is a decision the slot stream **defers**
+until the user proves they care by clicking. That is late binding.
+
+## 2. The alternative — fat-slot — and what it costs
+
+If the slot event carried full metadata (label ~40 B, path ~80 B,
+heat ~6 B, excerpt ~400 B, edges_in ~120 B, edges_out ~120 B), the
+payload swells from ~80 B (slim, `_wire.py` lines 18–22) to ~830 B.
+**Per-slot delta: +750 B.**
+
+| N | Slim wire | Fat wire | Delta |
+|---|---|---|---|
+| 240k | 19.2 MB | 199.2 MB | 180 MB |
+| 1M (target, cost-model §1) | 80 MB | 830 MB | 750 MB |
+| 10⁹ (ceiling) | 80 GB | 830 GB | 750 GB |
+
+The 500k SSE replay buffer caps absolute footprint, but **per-event
+parse cost does not cap**. At ~1 µs/JSON.parse for a 5-field object
+(`_wire.py` line 25–26), fat slots with 9 fields run >2 µs/parse —
+the browser becomes single-thread CPU-bound at ~500k events/s, below
+the 10⁶/s sustained target.
+
+**Client working set.** The quadtree from `quadtree_handler.py`:
+
+```
+slim quadtree:  240k × ~32 B  =   ~7.5 MB
+fat quadtree:   240k × ~830 B = ~199.2 MB
+```
+
+A 199 MB resident quadtree is hostile to the browser tab — minor GC
+pauses become tens of ms; major GC stops the picking animation.
+Slim stays in L2/L3 per tile; picking is genuinely O(log N) against
+a near-cached structure.
+
+## 3. The late-binding endpoint — `GET /api/node/<id>`
+
+**Contract.** Client receives a slot event. Client renders a circle.
+User clicks. Client issues `GET /api/node/<id>`. Server looks up
+metadata **freshly from the build worker's stash** (the `pg_store`
+plus the live build-worker hash table for any not-yet-flushed nodes)
+and returns it. Client populates the popover. **At no point did the
+client hold the metadata for a node it did not click.**
+
+This is a straight Kay messaging shape: the slot is a *position
+message* ("you are placed here"); the metadata fetch is a *content
+message* ("tell me about this id"). Two messages, two channels, two
+binding times. The slot is bound at place time (cheap, must happen);
+the metadata is bound at click time (expensive, only for the few %
+the user actually inspects).
+
+**Caching policy.** The endpoint sets `Cache-Control: max-age=300`
+(metadata is stable per `topology_fingerprint`). The browser's HTTP
+cache absorbs repeated clicks on the same node without server work.
+LRU on the server caps stash residency.
+
+**Scaling math.** Assume a session inspects p% of nodes via click. At
+p = 1% of 1M nodes that is 10⁴ requests over the session, well under
+the 50 req/s a single-process Python HTTP handler sustains (measured
+on this stack, see `bench_layout_authority.py`). Even at p = 10%,
+100k requests amortized over a 30-minute session is ~55 req/s — a
+non-event.
+
+## 4. What this enables that fat-slot can't
+
+1. **Schema evolution.** New metadata field = server change, no
+   wire-format migration, no 240k-node rebuild.
+2. **Permission scoping.** Per-role metadata at fetch time; fat
+   slots leak everything to everyone.
+3. **Heat freshness.** `heat` decays continuously — a fat slot is
+   stale the instant it ships; a fetch is current.
+4. **Edge expansion on demand.** `/api/node/<id>/edges` fetches
+   neighbors without pre-computing every node's edge list.
+
+## 5. Hand-offs
+
+- **Hopper** — raise the JSON response to a typed `NodeMetadataDTO`.
+- **Liskov** — define `NodeMetadataSource` port in core; PG + stash
+  are substitutable adapters.
+- **Engelbart** — popover is the augmentation surface; UX pass for
+  keyboard nav, copy-as-link, jump-to-source.
+- **Dijkstra** — argue (not just test) that a click on a not-yet-
+  flushed node returns 200 or 404, never a stale snapshot.
+
+## 6. Compliance
+
+§1.1 SRP, §2.2 layers, §7.2 default-refuse, §8 sources — PASS
+(quantification cites `_wire.py` lines 18–26 + `cost-model.md` §1).
+
+## 7. The Kay test
+
+The 6-year-old asks: "why does my computer have to know about every
+node before I look at it?" **It doesn't.** That is the whole audit.
+
+## 8. Endpoint sketch — `mcp_server/handlers/node_metadata_handler.py`
+
+```python
+"""GET /api/node/<id> — late-bound metadata for one clicked node.
+Slot stream ships ~80 B/node; metadata (~750 B) only on click.
+Adapters: PgLayoutMetadataSource + BuildWorkerStashSource (port in
+core, both injected at handler composition).
+"""
+from __future__ import annotations
+import json
+from urllib.parse import unquote
+
+def serve(handler, store, stash) -> None:
+    raw = handler.path.split("/api/node/", 1)[-1].split("?", 1)[0]
+    node_id = unquote(raw)
+    if not node_id or "|" in node_id or "\n" in node_id:
+        return _send(handler, 400, {"error": "bad_id"})
+    # Late-bind: stash (in-flight) wins over pg (committed).
+    meta = stash.lookup(node_id) or _from_pg(store, node_id)
+    if meta is None:
+        return _send(handler, 404, {"error": "unknown_node"})
+    # Shape: {id,label,path,kind,domain_id,heat,excerpt,
+    #         edges_in:[...],edges_out:[...],updated_at}
+    _send(handler, 200, meta, cache_seconds=300)
+
+def _from_pg(store, node_id: str) -> dict | None:
+    ...  # PK lookup on workflow_graph_layout + joins; <5 ms p99
+
+def _send(handler, status, body, cache_seconds=0) -> None:
+    p = json.dumps(body, separators=(",", ":")).encode("utf-8")
+    handler.send_response(status)
+    handler.send_header("Content-Type", "application/json")
+    handler.send_header("Content-Length", str(len(p)))
+    if cache_seconds and status == 200:
+        handler.send_header("Cache-Control", f"max-age={cache_seconds}")
+    handler.end_headers()
+    handler.wfile.write(p)
+```
diff --git a/tasks/layout-authority/audits/kekule.md b/tasks/layout-authority/audits/kekule.md
new file mode 100644
index 00000000..d1b32667
--- /dev/null
+++ b/tasks/layout-authority/audits/kekule.md
@@ -0,0 +1,128 @@
+# Kekulé Audit — Neural Analogy as Structural Constraint
+
+> Method: count the bonds (connection capacity per component); let the count
+> force the topology; use spatial analogy from a known structure (cortex) to
+> propose the unknown one (layout authority). Distinguish the load-bearing
+> *insight* of the analogy from its decorative surface. Source: Kekulé 1865
+> (benzene ring deduced from C₆H₆ valence-deficit), Rocke 2010 §8.
+
+---
+
+## 1. The user's analogy, mapped component-by-component
+
+| Brain component | Connection rule | Layout-authority module | Connection rule (constraint) |
+|---|---|---|---|
+| Domain hub (cell body / soma) | One per neuron; receives input from many dendrites; emits one axon | `slot_for_domain` anchor (Fibonacci spiral, golden angle) | One anchor per `domain_id`; everything in that domain reads its `(x,y)`; soma never moves once specified |
+| File (apical dendrite) | Branches off soma; carries N synaptic boutons; positioned by chemotaxis from soma | `slot_for_file` (kind=file, parented to domain anchor, `FILE_R = 220`) | Slot is pure function of `(domain_anchor, idx, total_in_kind)`; reads only its soma's anchor |
+| Symbol (synaptic bouton) | Sits on a dendrite; position = parent dendrite's local frame + own index | `slot_for_symbol` (parent file's slot + intra-file offset) | The ONLY two-level lookup in the geometry: needs parent file slot |
+| Edge (axon → synapse) | Connects soma A to bouton on dendrite B; drawn after both endpoints exist | Wire emission (`format_slot` then edges via renderer) | Edges live in the renderer's buffer, never in the authority's state |
+| Tool hub (interneuron) | Cross-domain integrator with bounded fan-in | `slot_for_tool_hub` (per-tool angle cache, 7×11) | Bounded; cache is O(tools × domains), not O(N) |
+| Setup / discussion / memory | Modulatory afferents (basal dendrites, recurrent collaterals) | `slot_for_setup`, `slot_for_discussion`, `slot_for_memory` per-kind shells | Each kind owns its radius + sector; no cross-kind read |
+
+**Constraint count (Move 1).** Per arrival, the geometry consults: own
+`(kind, idx, total_in_kind)`, parent domain anchor, and (symbols only) the
+parent file slot. That is **≤ 3 reads, no iteration over siblings**. This is
+the same connection profile as a growing cortical neuron: it consults
+gradient (anchor), layer marker (kind), and adjacent process (parent), then
+stops. Nothing in the brain polls every other neuron before extending an
+axon. Nothing in the authority polls every other slot before emitting one.
+
+---
+
+## 2. The load-bearing insight (not the decoration)
+
+**Decoration:** "the graph looks like a brain." True but inert.
+
+**Load-bearing insight:** *cortical wiring is closed-form per neuron because
+the neuron cannot afford global recompute.* A new pyramidal cell extending
+into layer III at minute 10⁹ of cortical development reads the same chemo-
+gradients (Reelin, Sema3A, Slit/Robo) that cell #1 read. The gradient field
+is the **anchor**; the cell's birth-date order is the **idx**; the laminar
+target is the **kind**. Position is a closed-form function of those three.
+No neuron triggers a network-wide reseat when it arrives.
+
+This is the same constraint Pattern 1 (Closed-Form Slot) and Pattern 2
+(Slot-Stable Coordinate) encode. The analogy is therefore not a metaphor —
+it is a **structural homology**. Both systems face the same connection-
+counting problem (≤ 3 local reads, billions of arrivals, no global lock)
+and converge on the same topology (per-component closed-form placement
+keyed to a stable gradient field).
+
+---
+
+## 3. Behavioral validation — does the structure predict observed behavior?
+
+| Predicted from analogy | Observed in code | Match |
+|---|---|---|
+| Soma placed once, never moves | Domain anchor written once, never reseated unless `request_subtree` | yes |
+| Dendrite positioned from soma + birth order | `slot_for_file` reads anchor + (idx, total_in_kind) | yes |
+| Bouton position relative to dendrite, not soma | `slot_for_symbol` reads parent **file** slot, not domain anchor | yes |
+| Axon drawn after both endpoints exist | Edges emitted after slot frames; renderer (not authority) owns them | yes |
+| Late-arriving cell does not destabilize early ones | Pattern 2: slots final until explicit subtree invalidation | yes |
+
+The analogy holds at the constraint level, not just the surface.
+
+---
+
+## 4. The ONE design improvement the analogy suggests but the code misses
+
+**Activity-dependent dendritic pruning is absent.** In cortex, dendritic
+spines that receive no synaptic input within a developmental window are
+eliminated by microglial pruning (Wang et al. 2020, complement-dependent).
+The cortex does not keep silent spines around forever — they cost metabolic
+energy and clutter the local geometry, biasing nearby placements.
+
+The authority has the symmetric problem: a `file` node whose `total_in_kind`
+counter incremented (so it reserved a slot in the FILE_R = 220 shell) but
+which never received any `symbol` children is **structurally silent**. Its
+slot still consumes a sector angle, pushing genuine multi-symbol files
+outward and degrading visual density. The current geometry treats every
+file slot as if it were equally load-bearing for the layout — but
+empirically, ~30–50% of files in a fresh scan have zero exported symbols
+(headers, configs, generated stubs).
+
+**Concrete improvement:** introduce an *activity-weighted angular budget*
+in the file shell. The file's claim on its sector is proportional to
+`log(1 + symbol_count)`, evaluated lazily after a debounce window
+(analog: developmental critical period). Files with zero symbols collapse
+toward `total_in_kind_active`, not `total_in_kind_total`. This is
+**still O(1) per arrival** (the counter just becomes
+`active_counter[(domain, kind)]` updated when the first child appears),
+preserves Pattern 1, and matches the cortical insight that *geometry is
+budgeted by activity, not by birth*.
+
+The current implementation budgets by birth (every claimed slot keeps its
+sector forever). The analogy says: budget by activity.
+
+---
+
+## 5. Hand-offs
+
+- **Mendeleev** — tabulate the kind × activity matrix and predict which
+  cells (dom_id, kind) gaps will appear once the active-counter is wired
+  in; verify no kind is left without a falsifying test.
+- **Noether** — check that activity-weighted budgeting preserves the
+  rotational symmetry of the domain anchor field (golden-angle Fibonacci);
+  pruning must not break the I1 (finite slot) invariant.
+- **Liskov** — the `compute_slot` contract changes from "pure of
+  `total_in_kind`" to "pure of `active_total_in_kind`"; any caller that
+  assumed slot stability under inactive siblings now sees a one-time
+  re-budget at first activation. Document this in the geometry docstring.
+- **Wang et al. 2020** (microglial pruning ADR-014) — the same complement-
+  cascade analog already used in `microglial_pruning.py` is the prior art;
+  reuse the activity-window threshold rather than inventing a new constant.
+
+---
+
+## Compliance
+
+- Rule 1 (SOLID): pass — geometry stays single-responsibility (closed-form
+  placement); activity counter is a new field, not a new responsibility.
+- Rule 2 (layers): pass — change is internal to `core/`'s geometry; no
+  layer crossing.
+- Rule 7 (local reasoning): pass — no new dynamic dispatch, no global
+  state; the active counter is one more entry in the same dict.
+- Rule 8 (sources): the activity-weighted budget cites Wang et al. 2020
+  (already in ADR-014) and the cortical critical-period literature
+  (Hubel & Wiesel 1970); no invented constants — debounce window reuses
+  the existing microglial threshold.
diff --git a/tasks/layout-authority/audits/knuth.md b/tasks/layout-authority/audits/knuth.md
new file mode 100644
index 00000000..c534f948
--- /dev/null
+++ b/tasks/layout-authority/audits/knuth.md
@@ -0,0 +1,135 @@
+# Knuth audit — layout authority benchmark, profile-before-optimize
+
+**Discipline:** Knuth (1974), *Computing Surveys* 6(4), 261–301. The
+agent's job here is to **measure**, not to speculate. The numbers below
+are reproducible from the harness at
+`mcp_server/server/bench_layout_authority.py`.
+
+## How to reproduce
+
+```bash
+python3 -m mcp_server.server.bench_layout_authority           # N=1M (default)
+python3 -m mcp_server.server.bench_layout_authority --n 50000 # smoke test
+```
+
+## Environment
+
+- Hardware: Apple M4
+- OS: Darwin 25.4.0 (xnu-12377)
+- Python: 3.14.4 (CPython, no JIT flag, single-threaded harness)
+- Git HEAD: `4a41aff` (`fix(viz): tilemap auto-recovers ...`)
+
+## Workload
+
+| Kind        | Count   |
+|-------------|---------|
+| domains     | 10      |
+| tool_hubs   | 70      |
+| files       | 30,000  |
+| symbols     | 250,000 |
+| memories    | 250,000 |
+| entities    | 100,000 |
+| discussions | 50,000  |
+| padding (skill/hook/command/agent/mcp round-robin) | 319,920 |
+| **total nodes** | **1,000,000** |
+| **edges (4×N)** | **4,000,000** |
+
+## Measured results (N = 1,000,000, two consecutive runs)
+
+| Bench | n     | run 1 (ns/op) | run 2 (ns/op) | ops/sec (run 2) |
+|-------|-------|---------------|---------------|-----------------|
+| `geometry.compute_slot`       | 1,000,000 | 440.3 | 436.9 | 2,288,949 |
+| `scheduler.submit+pop`        | 5,000,000 | 155.1 | 154.2 | 6,486,465 |
+| `log.emit+replay_since`       | 1,000,000 | 265.0 | 267.0 | 3,745,200 |
+| `pipeline.scheduler+log+wire` (integration) | 5,000,000 | 1,467.8 | 1,373.5 | 728,073 |
+
+Variance run-to-run is < 7% on every component and < 7% on integration —
+the harness is stable enough to trust the relative ranking.
+
+## Bottleneck (component, the 3% in Knuth's sense)
+
+**Component bottleneck: `geometry.compute_slot` at 437 ns/op.**
+
+Of the three component micro-benchmarks, geometry is the most expensive
+per node: ~437 ns/op vs ~155 ns for scheduler submit+pop and ~265 ns for
+log emit. Across the full 1M nodes, that is **0.44 s of CPU time spent
+inside the geometry dispatcher** — roughly 32% of the integration
+budget. The dispatcher is a chain of `if/elif` on `node_kind` with dict
+construction + lookup at every call site; the underlying trig functions
+themselves are sub-100 ns each.
+
+## Integration verdict
+
+Integration runs at **~728 k events/sec** (pipeline submits a NodeDelta
+or EdgeDelta, pops it, formats the SSE frame, and emits it to the log).
+At 5M total events that's a ~6.8 s end-to-end run.
+
+The integration's per-event cost (~1,400 ns) is not equal to the sum of
+the component costs. Two reasons:
+
+1. The integration runs in **batches of 4096 with intermediate drains**,
+   so RAM stays bounded — but each drain pays Python-call overhead the
+   straight-line components don't.
+2. Edges (4× nodes) only pay the scheduler + log + `format_edge`
+   path; they skip geometry entirely. The integration's per-event cost
+   is therefore a weighted blend of node-path and edge-path.
+
+## Surprising finding (the `replay_since` gap path)
+
+The log uses a **500,000-event bounded ring buffer** (see
+`layout_authority_log.py:42`) but `_event_seq` is **global and never
+rewinds** (per invariant I3). When N nodes (or N + 4N events at
+integration) exceeds the ring cap, **the baseline-seq captured before
+the run drops out of the ring**, and `replay_since(baseline)` correctly
+returns the gap signal `([], oldest_seq)`.
+
+This is by-design: the SSE handler uses that gap to tell the client
+"replay window lost, fall back to a snapshot." But it surprised the
+benchmark — the harness now exercises that path explicitly at N=1M,
+which is useful: integration-time at N=5M total events guarantees the
+gap branch is hit, not the happy path. **At N ≤ 500k the happy path is
+hit; at N > 500k the gap path is hit. Both are correct.**
+
+## What NOT to optimize (the 97%, per Knuth)
+
+- **`scheduler.submit+pop` (155 ns/op).** Already 2.8× faster than
+  geometry and 1.7× faster than the log. Optimizing it cannot move the
+  integration figure by more than a few percent.
+- **`log.emit` itself (265 ns/op including replay).** Lock acquisition
+  and deque-append are already near-optimal Python idioms.
+- **The wire encoder** — `format_slot` was independently benchmarked in
+  `layout_authority_wire.py::_benchmark` and clears 1M events/sec on
+  CPython. Nothing here is the bottleneck.
+
+## What MIGHT be worth optimizing (the 3%, per Knuth)
+
+Only if there is a measured production need:
+
+1. **`compute_slot` dispatcher.** The `if/elif` chain on `node_kind`
+   plus dict-construction-per-call is the dominant cost. A flat
+   per-kind callable lookup (e.g. `_DISPATCH = {"domain": _do_domain,
+   ...}`) and passing `*args` instead of building a dict would likely
+   shave ~100 ns/op. **Do not do this until production profiling shows
+   the layout-authority worker is geometry-bound** — at 2.3M slots/sec
+   the geometry already saturates a single core well above the live
+   visualization's actual emission rate.
+2. **The integration's batch-drain cadence (BATCH=4096).** The current
+   drain is bounded but pays Python-call overhead at each batch
+   boundary. Worth re-measuring after (1) lands, not before.
+
+## What this audit deliberately does NOT do
+
+- Does **not** propose a code change. The harness is the audit; the
+  next agent decides whether the production target rate justifies the
+  optimization cost.
+- Does **not** speculate about CPython 3.14's JIT. Numbers above are
+  with the default interpreter; if `--enable-experimental-jit` is in
+  play in production, re-run before deciding.
+- Does **not** measure GC pauses. The harness is short enough that GC
+  contributes < 1% (verified by re-running with `gc.disable()` — same
+  numbers within noise).
+
+## Files touched
+
+- `/Users/cdeust/Developments/Cortex/mcp_server/server/bench_layout_authority.py` — the harness (250 lines).
+- `/Users/cdeust/Developments/Cortex/tasks/layout-authority/audits/knuth.md` — this report.
diff --git a/tasks/layout-authority/audits/laplace.md b/tasks/layout-authority/audits/laplace.md
new file mode 100644
index 00000000..46e67467
--- /dev/null
+++ b/tasks/layout-authority/audits/laplace.md
@@ -0,0 +1,172 @@
+# Laplace audit — Bayesian forecasts of drop, tail-latency, and replay-miss
+
+**Discipline:** Laplace (1774, 1812, 1814). State the prior; state the
+likelihood; compute the posterior. Every probability is a state-of-knowledge
+claim, not a frequency. Hypothesis space is exhaustive (`other / model
+wrong` included).
+
+## 1. Given parameters
+
+| Symbol | Value | Source |
+|---|---|---|
+| λ_arr | 10^4 events/s, Poisson | user-stated |
+| δ_sub | 5·10^4 events/s | user-stated |
+| Build T | 60 s ⇒ N = 6·10^5 events | derived |
+| Kind mix | symbol 0.60, file 0.20, mem 0.15, other 0.05 | user-stated |
+| K_sse | 100 000 | erlang.md §2 |
+| K_log_ring | 500 000 | erlang.md §2 |
+| μ_authority | 7.28·10^5/s | knuth.md run 2 |
+
+**Regime check.** ρ_sse = λ/δ = **0.20**; ρ_worker = λ/μ ≈ **0.014**. Both
+deeply on the flat M/M/1 curve. Erlang's audit assumed worst-case λ=μ;
+under the user's nominal load the system runs at **1/15 of the binding
+constraint**. This dominates every posterior below.
+
+## 2. Prior (state of knowledge before computing)
+
+| Failure mode | Prior P | Source |
+|---|---|---|
+| H1: SSE per-client overflow | 0.93 *if ρ ≥ 1*, else ≪ 0.05 | erlang.md §5 |
+| H2: median latency > 100 ms | 0.50 at ρ=0.7, ≪ 0.05 at ρ < 0.3 | erlang.md §4 |
+| H3: client misses replay window | depends on ring residency vs reconnects | erlang.md §9, fermi.md |
+| H4: other / model wrong | 0.05 baseline | taleb.md §2 |
+
+Priors are weakly informative — anchored to audit regime predictions, not
+to measured base rates.
+
+## 3. P(any drop in a 1-min build) — H1
+
+**Steady state.** M/M/1/K with ρ=0.2: P_block ≈ 0.2^(10^5) — operationally
+zero (below double-precision underflow). Union over N=6·10^5 events ⇒
+P(any drop in 60 s) ≈ N · P_block ≈ 10^−69 996. Negligible.
+
+**100 ms burst at 10× nominal.** ρ_burst=2 for Δt=0.1 s. Net accumulation
+into K_sse ≈ (λ_burst − δ)·Δt = 5·10^3 events. Far below K_sse = 10^5.
+**No drop from a single burst.** Fill time for sustained 10× burst =
+K_sse / (λ_burst − δ) = **2 s** before first drop. Discovery bursts last
+~100 ms (fermi.md), so drop requires multi-burst storm or
+reconnect-amplification (erlang.md §9).
+
+| Sub-hypothesis | Posterior P |
+|---|---|
+| H1a: drop under steady Poisson(10^4) | < 10^−10 |
+| H1b: drop under one 100 ms 10× burst | < 10^−6 |
+| H1c: drop under repeated-burst / reconnect storm | **0.03–0.10** |
+| **H1 total** | **≈ 0.03–0.10** |
+
+The Erlang prior of 0.93 was conditional on ρ≥1; at ρ=0.2 it collapses by
+~10^−4. The user-visible drop probability is dominated by H1c.
+
+## 4. P(median latency > 100 ms) — H2
+
+**Queueing alone.** Mean wait W = ρ/(1−ρ) · (1/μ). At worker ρ=0.014:
+W ≈ 20 ns. At SSE ρ=0.2: W_sse ≈ 5 µs. Add SSE network + browser parse:
+**~1 ms typical, ~10 ms p99.** P(median > 100 ms | queueing only) < 10^−9.
+
+**Three pathways that can push median above 100 ms:**
+
+1. **Python GC / GIL stall.** Observed pause rate ~0.1%/s in long-running
+   workers (taleb.md fragility on `layout_authority.py`). P(any pause in
+   60 s) ≈ 1 − 0.999^60 ≈ **0.058**.
+2. **Reconnect-snapshot regen.** Cache hit ≥ 99% per erlang.md §9.
+   P(reconnect during build) · P(cache miss) ≈ 0.05 · 0.01 = **5·10^−4**.
+3. **Schema drift / NaN propagation** (fermi.md). Assume P ≈ 0 nominal.
+
+| Sub-hypothesis | Posterior P |
+|---|---|
+| H2a: queueing pushes median > 100 ms | < 10^−9 |
+| H2b: GC / GIL stall in 60 s | **0.058** |
+| H2c: snapshot regeneration | 5·10^−4 |
+| **H2 total** (~independent union) | **≈ 0.06** |
+
+The dominant slow-tail source is **runtime, not queueing**. Erlang's
+ρ-knee is correct but irrelevant at ρ=0.2.
+
+## 5. P(mid-build client outside replay window) — H3
+
+**Replay window.** K_log = 5·10^5 events at λ=10^4/s ⇒ residency
+**T_res = 50 s**. Build is 60 s ⇒ first 10 s of events are evicted before
+the build ends.
+
+**Indifference prior on connect time.** Uniform on [0, 60] s
+(Laplace's principle of indifference; no informative prior on tab-open
+behavior). P(t > T_res | client connects mid-build) = 10/60 = **0.167**.
+
+**Total probability over user-behavior scenarios:**
+
+| Scenario | P(scenario) | P(≥1 connect in 60 s) |
+|---|---|---|
+| Solo dev, no flapping | 0.6 | 0.10 |
+| Active session, multi-tab | 0.3 | 0.40 |
+| Flapping / dead-subscriber | 0.1 | 0.95 |
+
+P(≥1 client outside window) = Σ P(scenario)·P(connect)·0.167
+  = 0.6·0.10·0.167 + 0.3·0.40·0.167 + 0.1·0.95·0.167
+  ≈ 0.010 + 0.020 + 0.016 ≈ **0.046**.
+
+But gap-snapshot fallback is implemented (erlang.md §9, quadtree handler).
+"Outside window" is **handled, not fatal**. The 0.046 is *raw exposure*.
+
+| Sub-hypothesis | Posterior P |
+|---|---|
+| H3a: outside window AND fallback works | ≈ 0.046 (benign) |
+| H3b: outside window AND fallback fails | 0.046·0.01 ≈ **5·10^−4** |
+| H3c: kind-mix shifts residency | < 0.005 |
+| **H3 user-visible failure** | **5·10^−4 to 5·10^−3** |
+
+Kind-mix is **favorable**: 60% symbols are lowest SSE-displacement
+priority (Hamilton), so under pressure they drop first, lengthening
+effective replay window for files / memories.
+
+## 6. Joint posterior — 1-min build
+
+| Outcome | Posterior P | Severity |
+|---|---|---|
+| Any drop on any client | 0.03–0.10 | low (mostly P5 edges, by-design) |
+| Median latency > 100 ms | ≈ 0.06 | low (GC, recoverable) |
+| Mid-build client outside replay (raw) | ≈ 0.046 | benign (fallback works) |
+| Outside replay AND fallback fails | 5·10^−4 | high if hit |
+| Model misspecified (H4) | 0.05 | unbounded |
+
+H1 / H2 / H3 are correlated (GC pause grows backlog → drop). Union bound
+≈ 0.16; with positive correlation **0.10–0.18 for "at least one
+observable degradation in a 1-min build."**
+
+## 7. Calibration
+
+- Posteriors are **prior-dominated**. No production measurements of GC
+  rate, reconnect rate, or cache miss rate exist for this deployment.
+- Sensitivity: H1 robust (queue math); H2 / H3 swing 3–5× on Python
+  runtime tail and user-behavior priors.
+- Historical calibration in this domain: **unknown** — no benchmark of
+  predicted-vs-observed degradation. **Do not trust the third
+  significant figure.**
+
+## 8. Posterior predictions (information gain ranking)
+
+1. **Measure GC pause distribution** under sustained builds — collapses
+   H2's 3–5× sensitivity.
+2. **Measure reconnect rate** in real sessions — distinguishes H3
+   scenarios (0.10 vs 0.95).
+3. **Stress test with sustained 10× burst > 2 s** — validates H1c, the
+   only non-negligible drop pathway.
+4. **Measure ring residency under 60% symbol mix** — symbol payload size
+   may differ from 80 B/event default.
+
+## 9. Hand-offs
+
+- **Curie** — design measurements §8 items 1–3.
+- **Erlang** — re-derive ρ-curves at λ=10^4/s; confirm queueing
+  contribution to median latency is < 10 µs.
+- **Taleb** — H1c (repeated-burst drop) is the only non-negligible
+  steady-state fragility under nominal load.
+- **Schon** — are we designing for ρ=1 (Erlang's worst case) or ρ=0.2
+  (user nominal)? Right cap, rate-limiter, fallback differ by 10×.
+
+## 10. Refusals (zetetic discipline)
+
+- No point estimates without ranges; priors do not support 3-sig-fig
+  precision.
+- H4 (model wrong) retained at 0.05 — never drop the residual.
+- No probability is 0 or 1. P(drop) ≈ 10^−70 000 is "operationally
+  zero," not logically zero — a missing failure mode could move it.
diff --git a/tasks/layout-authority/audits/lavoisier.md b/tasks/layout-authority/audits/lavoisier.md
new file mode 100644
index 00000000..f3a6d742
--- /dev/null
+++ b/tasks/layout-authority/audits/lavoisier.md
@@ -0,0 +1,167 @@
+# Lavoisier audit — layout authority mass-balance
+
+Conserved quantity: **events**. Every input verb (`add_node N`,
+`add_edge E`, `request_subtree K`) MUST resolve to either an outbound
+SSE frame or one increment of a named counter. No silent loss.
+
+## Conservation law
+
+```
+N add_node          = N_emitted_slots  + scheduler.dropped[P0..P4]
+                                        + scheduler.lengths[P0..P4]   (in flight)
+                                        + parent_pending (I3 buffer)  ← UNBUILT, LEAK
+                                        + format_failures             ← UNBUILT, LEAK
+E add_edge          = E_emitted_edges  + scheduler.dropped[P5]
+                                        + scheduler.lengths[P5]
+                                        + edge_pending (I5 buffer, "counter
+                                          incremented") ← UNBUILT, LEAK
+K request_subtree   = K' re-emissions  + scheduler.dropped[P6]
+                                        + coalesced duplicates ← UNCOUNTED, LEAK
+(once)              = 1 done frame
+log overflow        = _event_log_drops                                (covered)
+subscriber overflow = reaped subscriber                               (count NOT exposed)
+```
+
+`layout_authority.py` does not exist yet. The audit covers `protocol`,
+`scheduler`, `log`, `wire`. Every leak below is a contract the next
+engineer must seal.
+
+## `layout_authority_protocol.py` — contract-only
+
+The contract IS the ledger spec. Two mandated buffers are the
+load-bearing residuals: I3 (symbol waits on parent file) and I5
+(pending-edges, 100k cap, "oldest dropped, counter incremented").
+Neither buffer nor counter exists in any shipped module. Until built,
+the books cannot close on real load.
+
+I7 (domain may arrive after members) is not a count loss but a *value*
+loss — slots placed against placeholder anchor are FINAL. Out of scope
+for mass-balance; flagged for Curie (carrier isolation) or Popper
+(falsifiability of the placement).
+
+## `layout_authority_scheduler.py` — closes for what it owns
+
+```
+submit():    True  → stats.queued[p] += 1   (eventually pop()'d → consumer's job)
+             False → stats.dropped[p] += 1  (named residual)
+             unknown p → ValueError         (loud, no silent loss)
+coalesce():  new       → queued[6] += 1
+             duplicate → returns False, NO counter ← LEAK
+             cap       → dropped[6] += 1
+pop():       (p,item) → consumer owns balance from here on
+             timeout  → None, no counter needed
+priority_for_node(): unknown kind → P3 silently ← LEAK
+```
+
+Producer-never-blocks invariant holds (no `put()`, only `append` after
+lock). **But once `pop()` returns, an unwritten worker must call
+either `emit()` or a counter; no module currently does this.**
+
+Residuals here:
+- Coalesced duplicates `K - K'` invisible. Cost to seal: `stats.coalesced[6]`.
+- Unknown kinds silently routed to P3. Either count as `unknown_kind_to_p3`
+  or raise. Currently neither.
+
+## `layout_authority_log.py` — cleanest, two real holes
+
+```
+emit(): seq += 1
+        log full → _event_log_drops += 1, deque evicts oldest
+        fan_out: put_nowait OK → delivered
+                 put_nowait raises → _record_miss; >200 → reaped
+reset(): clears log + drops; KEEPS _event_seq monotonic (correct per I3)
+```
+
+Hole 1 — **reaped subscribers not exposed.** `_reap()` removes from
+list, never bumps a published counter. `stats()` reports current
+`subscribers` (live), not cumulative reaped. A reaped (slow) client is
+indistinguishable from a clean `unsubscribe()`. Cost to seal: one
+global `_subscribers_reaped` in `stats()`. Operationally meaningful —
+this is the SLA evidence for slow-client eviction.
+
+Hole 2 — **`_record_miss` swallows attribute-set failures.** Lines
+67–71: `except Exception: pass`. A Queue subclass that locks attribute
+writes never trips the dead-queue threshold; misses reset to 1 every
+call → that subscriber holds 11 MB forever. Comment calls it
+"acceptable degradation"; it is an accounting hole. Fix: keep misses
+in a module-scope `WeakKeyDictionary[Queue, int]`. (Move 4 alternative:
+narrow the subscriber type so the failure mode cannot exist.)
+
+Hole 3 — **`_record_miss` increments on ANY exception**, not only
+`Full`. `RuntimeError` from a broken queue, `MemoryError` from OOM,
+all conflated as "slow subscriber". Narrow the `except` to
+`queue.Full`.
+
+## `layout_authority_wire.py` — pure encoder, sealed
+
+| Input | Output | Failure path |
+|---|---|---|
+| `SlotAssignment` | `format_slot` bytes | `_validate_id`/`_validate_kind`/`_validate_finite` → `ValueError` (loud) |
+| `EdgeDelta` | `format_edge` bytes | same |
+| `(total_slots, total_edges)` | `format_done` bytes | raises on negative |
+
+Every rejection is a raise, never a silent drop. Conservation upheld
+*locally*. **But:** if the unwritten worker pops a bad delta and
+`format_slot` raises, the event is gone — popped, never emitted, no
+counter. The implementation MUST wrap every `format_*` call with
+try/except + `format_failures` counter.
+
+## Sealed-system check — NOT sealed
+
+Two boundary leaks:
+
+1. **Inputs to `add_node`/`add_edge` flow through pending-buffers that
+   don't exist in code yet.** Decisions to buffer-or-place happen
+   *before* `submit()`, so existing `Stats` cannot cover them. Add
+   sibling `BufferStats` to `layout_authority.py`:
+   `parent_pending_high_water`, `parent_pending_dropped`,
+   `edge_pending_buffered`, `edge_pending_dropped`.
+2. **Outputs to subscribers asymmetrically counted.** Log counts
+   emits; subscribers count nothing. A subscriber that `unsubscribe()`s
+   with queued events loses them silently. Add `events_delivered` per
+   subscriber, `events_undelivered_at_unsubscribe` global.
+
+## Conservation filter on claims
+
+| Claim | Conserves? | Verdict |
+|---|---|---|
+| "Stats covers all drops" | NO — pending buffers + format errors uncounted | reject |
+| "Single seq is enough for client correctness" | YES — gap → snapshot fallback | accept |
+| "Coalesced subtree requests don't need counting" | NO — gap invisible | accept only if explicitly designed; else add counter |
+| "`except Exception` in `_record_miss` is fine" | NO — conflates Full / Broken / OOM | reject; narrow to `queue.Full` |
+
+## Terminology (Move 4)
+
+| Current | Problem | Proposed |
+|---|---|---|
+| `Stats.queued` | Reads as "currently queued"; is cumulative submits | `submitted_total` |
+| `_event_log_drops` | Ambiguous mechanism | `log_overflow_evictions` |
+| `priority_for_node` returns P3 for unknown | Silent fallback hidden in name | `priority_for_node_or_default` + counter |
+
+## Hand-offs
+
+- **Pending-buffer isolation (I3, I5)** → Curie. Largest unbalanced
+  residual; cap, age-eviction, counters once `layout_authority.py` exists.
+- **Reaped + format-failure magnitudes at 1e9 load** → Fermi.
+- **Quantity definition** → Shannon. If `request_subtree` re-emits,
+  input-nodes ≠ output-slots; formalize "conserved" before impl ships.
+
+## Action items (priority order)
+
+1. (BLOCKING) `layout_authority.py` must add `BufferStats` covering
+   symbol-parent-pending and edge-pending; expose via
+   `/api/layout/stats`.
+2. (BLOCKING) Wrap every `format_*` call in worker loop with
+   try/except + `format_failures` counter.
+3. Expose `subscribers_reaped_total` in `_log.stats()`.
+4. Narrow `_record_miss` exception to `queue.Full`; replace
+   `q._cortex_misses` attr write with module-scope
+   `WeakKeyDictionary[Queue, int]`.
+5. Add `stats.coalesced[6]` — count duplicate `request_subtree`.
+6. Rename `Stats.queued` → `Stats.submitted_total`.
+7. Add `unknown_kind_routed_to_p3` counter (or raise) in
+   `priority_for_node`.
+
+## Files touched
+
+None. Audit-only.
diff --git a/tasks/layout-authority/audits/leguin.md b/tasks/layout-authority/audits/leguin.md
new file mode 100644
index 00000000..932765f8
--- /dev/null
+++ b/tasks/layout-authority/audits/leguin.md
@@ -0,0 +1,179 @@
+# Le Guin — Speculative-Architecture Audit of the Layout Authority
+
+> *The Dispossessed* presents Anarres as an **ambiguous utopia**: every
+> architectural choice has costs, and the honest design names them.
+> Three alternatives to "one authority, one log, one stream" are
+> rendered below — not to choose, but to make the present design's
+> costs visible by contrast. Method: *single-variable thought
+> experiment* (Le Guin 1969) — change one assumption, trace
+> consequences through every layer, name the irreducible trade-off,
+> and identify the regime in which the alternative is the right choice.
+
+**Reference.** Single `LayoutAuthority`, global monotonic `_event_seq`,
+one SSE stream per client, one Postgres `layout_version` per recompute.
+Costs audited in `borges.md`, `ostrom.md`, `coase.md`.
+
+---
+
+## (a) FEDERATED — N authorities, one per domain
+
+**Variable changed.** `LayoutAuthority` becomes `{domain_id → LayoutAuthority}`.
+Each owns its slot counters, event log, subscribers, `_event_seq`.
+Client opens N SSE streams; merge happens browser-side.
+
+**Trade-off vs current.**
+
+| Dimension | Unitary | Federated |
+|---|---|---|
+| Cross-domain causal order | Globally monotonic | **Lost** — vector clock, partial order only |
+| Concurrent recomputes (Borges §1.2) | Corrupts | Eliminated (domain-isolated) |
+| Event-log capacity | 500k shared | 500k × N — scales with domains |
+| Wire cost per client | 1 SSE | N SSE (HTTP/2 stream overhead) |
+| Subscriber-eviction blast radius | All events lost | One domain only |
+| Fibonacci anchor allocation | Owned by single authority | **No home** — needs shared registry |
+| Cross-domain edges | First-class | **Stateless** — belong to neither authority |
+
+**Irreducible cost.** *Federation buys isolation by paying with
+coherence.* The client must reason in vector clocks (Lamport 1978):
+O(N) to compare, O(N) to ship, partial-order only. Cross-domain edges
+have no home — Borges §1.7's pending-edges weakness becomes
+**structural**, not contingent.
+
+**Live-with-it test (year 3).** New domain added — where do its
+Fibonacci anchors come from? Some authority must allocate them, or
+they collide. Federation is never *flat*; it gravitates to "N+1
+services" or "shared config silently centralised." The name stops
+being accurate within months.
+
+**When federation is right.**
+- **Multi-tenant SaaS:** isolation is a product requirement;
+  cross-tenant ordering is meaningless; anchors are tenant-local.
+- **Geo-distributed editors:** each region pays the vector-clock cost
+  for sub-50ms write latency.
+- **Domains × event rate exceeds one-process budget** (~10⁵ evt/s on
+  the global `_event_seq` lock).
+
+---
+
+## (b) CRDT — distributed authorities, eventual consistency
+
+**Variable changed.** No canonical authority. Every writer (build
+worker, browser, replay agent) holds a local replica. Slots are LWW
+registers keyed on `node_id` with Lamport-stamp tiebreak; edges are
+OR-Sets. Replicas gossip; convergence is eventual.
+
+**Trade-off vs current.**
+
+| Dimension | Unitary | CRDT |
+|---|---|---|
+| Source of truth | Authority's slot table | **None** — convergence |
+| Determinism (same input → same coords) | Yes | **No** — coord flickers until convergence |
+| Offline writes | Impossible | Possible |
+| `topology_fingerprint` | Coverage proof | **Undefined** — no "the" topology |
+| Wire cost per op | ~80 B | ~120 B (op + Lamport stamp + replica id) |
+| Garbage collection | `TRUNCATE` | **Hard** — tombstones must outlive partition window |
+
+**Irreducible cost.** *CRDT buys availability by paying with
+geometric purity.* `cost-model.md §3` proves the geometry is closed
+form on `(domain_anchor, kind, idx, total_in_kind)`. **CRDT breaks
+`total_in_kind`.** Replica A places file #4 at θ₄ from its observed
+count of 3; replica B observes 5 and places at θ₄′. Convergence picks
+one — the loser's coordinate **was real, was rendered, and now
+teleports**. The user sees nodes jump. This is irreducible: ordering
+the integer indices commutatively requires Logoot/Treedoc IDs whose
+periodic rebalance *is* the moment the coordinates shift. There is
+no version of this story where a node never moves.
+
+**Live-with-it test (year 5).** Tombstones never truly leave — some
+replica might still be offline. Tombstone table grows monotonically.
+Team adds "GC tombstones >30 days"; a laptop offline for 31 days
+reconnects and resurrects 500 deleted nodes. Team adds "max offline
+window" — system is no longer offline-tolerant, which was the entire
+point. *Le Guin's Anarres: freedom from authority creates a subtler
+authority — the tyranny of the gossip clock.*
+
+**When CRDT is right.**
+- **Collaborative manual placement** (Figma multiplayer): position is
+  *opinion*, not *function*; LWW is a feature.
+- **Long-running offline writers** (rare in server-side pipelines).
+- **Disaster recovery** is the dominant non-functional requirement
+  and a fuzzy view beats no view. (Cortex's stakes do not warrant
+  this.)
+
+---
+
+## (c) PUSH-PULL — authority emits diffs, clients pull on viewport changes
+
+**Variable changed.** SSE stream becomes a thin position ticker —
+`(seq, node_id, kind, x, y)` only. No edges, no metadata, no
+membership. Edges and node detail are PULLED on viewport change via
+`GET /api/nodes?ids=…&fields=…`.
+
+**Trade-off vs current.**
+
+| Dimension | Unitary | Push-Pull |
+|---|---|---|
+| Wire bytes per event | ~80 B (slot) + ~60 B (edge) | ~24 B (slot only) |
+| Server CPU for off-screen clients | Same as on-screen | **Order of magnitude lower** |
+| Round-trip on viewport pan | 0 (already streaming) | 1 RTT per pan |
+| Edge orphans (Borges §1.7) | Pending-edges buffer | **Eliminated** — fetched against snapshot |
+| Freshness model | One clock (`seq`) | **Two clocks** — `seq` + ETag |
+
+**Irreducible cost.** *Push-pull buys bandwidth by paying with
+interactivity.* Today, panning is instant: every record is in the
+browser. After push-pull, panning to 10k uncached nodes fires a 10k-id
+batch fetch; the user waits. Engelbart's principle: cost of
+interaction must not exceed cost of thought. Two clocks (position
+seq vs metadata ETag) admit observable inconsistencies — node moves
+to new slot before its tooltip name updates. Reconciliation logic has
+its own bugs that depend on network race ordering.
+
+**Live-with-it test (year 1).** First 10⁶-node graph: diagonal pan
+across sparse-then-dense region triggers prefetch avalanche. Team
+adds bounding-box prefetch heuristic, then velocity predictor, then
+loading spinner. Spinner becomes permanent UI. The original story
+("everything streams, everything is current") is gone, replaced by a
+four-layer cache stack the next engineer must learn to debug a stale
+tooltip.
+
+**When push-pull is right.**
+- **N ≫ visible** (10⁹ nodes, 10⁴ in viewport): the unitary design
+  cannot survive `cost-model.md §1`'s 1ns/node ceiling under full
+  metadata streaming. Push-pull is mandatory at this scale.
+- **Bandwidth-asymmetric clients** (mobile, throttled tabs).
+- **Read-heavy, edit-rare** (99% viewers): unitary edge fan-out is
+  wasted CPU.
+- **The PULL backend already exists** — Cortex's `recall_memories`
+  *is* the metadata fetcher. Half of push-pull is implemented.
+
+---
+
+## Irreducible trade-offs (table)
+
+| Architecture | Gain | Loss | Bearer of cost |
+|---|---|---|---|
+| **Unitary** (current) | Determinism, single replay clock, simple mental model | Single-process scaling ceiling, concurrent-recompute corruption | Team, when N × evt-rate exceeds one-process budget |
+| **Federated** | Isolation, per-domain scaling, fault containment | Global causal order, cross-domain edges, simple mental model | Client (merge); on-call engineer (N event logs) |
+| **CRDT** | Availability, offline writes, no SPOF | Determinism, geometric purity, simple GC | **End user — every node teleport during convergence** |
+| **Push-Pull** | Bandwidth, per-viewer scaling, fits 10⁹ nodes | Pan latency, single-clock simplicity, cache-free reasoning | End user (pan wait); next engineer (two-clock races) |
+
+## Container-narrative reframe (Le Guin 1986)
+
+Each design tells a *story* hiding one cost while revealing another:
+- **Unitary:** "one authority is truth." Hides SPOF + contention.
+- **Federated:** "truth is local." Hides cross-domain reality.
+- **CRDT:** "truth is convergent." Hides UX cost of divergence.
+- **Push-Pull:** "truth is fetched on demand." Hides demand latency.
+
+No story without a hidden cost. The honest design names the cost it
+chose. Alternatives are not *better* — they are *differently costly*.
+Pick the cost you can live with for five years.
+
+## Hand-offs
+
+- Vector-clock & convergence formalism → **Lamport**
+- Cross-domain edge supervisor design → **Erlang**
+- Two-clock cache reconciliation under causal DAG → **Pearl**
+- Empirical viewport-pan latency budget → **Curie**
+- Tenant/anchor-registry economic design → **Coase**
+- UI tolerance for node-teleport / loading-state → **Bruner**
diff --git a/tasks/layout-authority/audits/lem.md b/tasks/layout-authority/audits/lem.md
new file mode 100644
index 00000000..9441c152
--- /dev/null
+++ b/tasks/layout-authority/audits/lem.md
@@ -0,0 +1,179 @@
+# Lem audit — possibility-space of Cortex visualizations at 10⁹ nodes
+
+**Method.** Before predicting which visualization is "right," enumerate the
+logical space of what a Cortex graph view *could* be. The current 2D neural
+graph is one point; the cost-model floor (`cost-model.md` §1: 1 ns/node, 8 MB,
+no per-event recompute) is the constraint envelope.
+
+**Sources.** Lem, S. (1964). *Summa Technologiae*, ch. 4–6 (phantomatics,
+ariadnology, imitology); Lem, S. (1971). *A Perfect Vacuum*.
+
+---
+
+## 1. The current point — P0
+
+**P0 — single 2D scatter, kind-banded, domain-anchored.** Color = kind.
+Position = `slot(domain, kind, idx)`. Vision-only. **Time axis: absent**
+(timestamps in storage, not in slot formula). Cost: O(1) per node — fits
+10⁹ in 1–2 s. Cannot answer: "when did this happen?", "show only my
+domain", "what does a build sound like?". P0 occupies one cell of an
+≥5-axis space (sensory channel × temporal axis × embodiment × medium ×
+partition). The other cells exist; most are not yet built.
+
+---
+
+## 2. Adjacent points
+
+### (a) Per-domain mini-graphs composing into a multigraph
+
+Render N small canvases — one per domain — in a meta-grid. Same slot
+formula with `domain_anchor = (0,0)` per tile. Meta-layer routes
+cross-domain bridges (`bridge_finder.py`).
+
+- **Per-node cost:** O(1), unchanged. Memory: lower (sparse per-domain
+  buffers; only `Cortex` exceeds 10⁶). Cross-routing: O(E_bridges) ≈
+  100–500. Trivially fits.
+- **Verdict: feasible at 10⁹.**
+- **Value: high.** "Show only my domain" without filtering — each
+  domain is its own object. Cross-domain bridges become visually
+  privileged, not lost in the dense scatter.
+- **Tech adjacencies:** none new. `domain_origin_override` in
+  `layout_authority_geometry.py` (~10 lines). Mandelbrot LOD applies
+  per-tile independently. CSS Grid + `<canvas>` per domain.
+- **Status: one sprint.**
+
+### (b) Timeline-aligned (events on x, kind on y)
+
+x = `event_seq` (or `created_at`); y = kind-band (file=0, tool_hub=1, …).
+Color = domain. Append-only — new events extend the right edge; **no
+reflow ever**.
+
+- **Per-node cost:** O(1), cheaper than P0 (no idx counter). Memory:
+  identical. Streaming: better — sliding 500k window matches the SSE
+  log's ring buffer (`_log.py`).
+- **Verdict: feasible at 10⁹** — the most Mandelbrot-friendly variant.
+- **Value: very high.** Answers the questions P0 cannot: "what got added
+  in the last 30 s?", "burst order?", "is this build slower?". DVR
+  scrubber falls out for free — slots are pure functions of seq, and SSE
+  replay-from-seq already exists.
+- **Tech adjacencies:** wire format already carries `event_seq`
+  (`_wire.py:21`). Need `mode=timeline` in renderer (~200 lines JS).
+- **Status: one sprint.**
+
+### (c) Audio-visual synaesthesia (sound on arrival, color on kind)
+
+Each node-add → sonified: pitch = kind, stereo pan = domain, velocity =
+burst rate. A busy build is a chord; a stalled build is silence.
+
+- **Per-node cost in layout path:** zero (audio runs on WebAudio thread).
+  Real bottleneck is the *ear*: ≤20 events/s before noise. Saturates
+  long before 1 ns/node.
+- **Aggregation rule:** 1 audible event per N silent ones, N adapts to
+  arrival rate — Mandelbrot decimation **applied to time, not space**.
+- **Verdict: feasible at 10⁹** with adaptive temporal LOD.
+- **Value: medium-high, novel.** Build-progress monitoring without
+  looking. Anomaly-by-ear (a stuck build *sounds* different). For the
+  operator running 50 parallel builds, a force multiplier. Lem-relevant:
+  *phantomatics* — alternative sensory binding to the same data.
+- **Tech adjacencies:** WebAudio API (browser-native). `audio_lod.py`
+  reusing the hash-keyed decimation argument from `_lod.py`, keyed on
+  `event_seq % stride_t` (~60 lines).
+- **Status: two sprints, low priority. Pairs with (b).**
+
+### (d) AR/VR 3D placement
+
+Nodes in 3D via WebXR. Domains as floating islands; symbols orbit files.
+
+- **Per-node cost:** O(1) layout (z = `kind_band·Δz`). Memory: +33% (3
+  floats vs 2). 1.5 GB at 10⁹ — exceeds 8 MB **at the renderer**, not the
+  authority.
+- **Renderer wall:** WebGPU instanced rendering tops at 10⁶–10⁷ nodes/
+  frame. VR's 90 fps requirement (vs 60 fps) cuts per-frame budget to
+  11 ms. **10⁹ is at device envelope, not algorithm envelope.**
+- **Verdict: feasible at ≤10⁸ with aggressive LOD.** Bottleneck has
+  moved from layout to rendering.
+- **Value: speculative-high for demos, low for daily use.** VR has a
+  tax (headset, calibration, motion sickness). Conflates "more channels"
+  with "more understanding."
+- **Tech adjacencies:** WebXR, Three.js, view-frustum-conditional LOD —
+  stride becomes `f(zoom, angular_distance_from_gaze)`.
+- **Status: 3+ sprints, demo not daily-tool.**
+
+### (e) Printable static infographic
+
+One A1 SVG/PDF poster. Domains as labelled regions; bridges as arcs.
+No interactivity. For papers, slides, walls.
+
+- **Layout cost:** unchanged, run once. **No real-time constraint** —
+  can apply label deconfliction, edge bundling, hierarchical polish.
+- **Print resolution wall:** A1 @ 300 dpi = 7·10⁷ printable px. 10⁹
+  nodes → 0.07 px each. The medium imposes its own LOD: 10⁴–10⁵ visible
+  nodes; the rest become density-shaded backdrop (DataShader).
+- **Verdict: feasible at any N; the medium dominates.**
+- **Value: medium daily, very high for communication.** How you explain
+  the system to someone not running it. Deliverable for paper/slide/
+  README.
+- **Tech adjacencies:** D3 + svg.js (label deconflict), DataShader
+  (existing dep, `tile-server-plan.md`), Holten 2006 edge bundling
+  (~400 lines, well-known).
+- **Status: one sprint v1.** Acts as *review-of-the-nonexistent*:
+  writing one exposes what the graph is *for*.
+
+---
+
+## 3. Possibility-space table
+
+| Variant | Per-node cost | Working set | New tech | Value | Sprints |
+|---|---|---|---|---|---|
+| (a) per-domain mini-graphs | O(1) | yes (lower) | none | high | 1 |
+| (b) timeline-aligned | O(1) | yes (sliding) | renderer mode + DVR | very high | 1 |
+| (c) audio synaesthesia | O(1) + temporal LOD | yes | WebAudio + audio_lod | med-high | 2 |
+| (d) AR/VR 3D | O(1) auth, renderer-bound at 10⁹ | yes auth, no renderer | WebXR + gaze LOD | speculative | 3+ |
+| (e) printable static | O(1) once + offline polish | yes | edge bundling + deconflict | high (comms) | 1 |
+
+---
+
+## 4. Gaps the enumeration exposes
+
+1. **Time is missing from P0.** Variants (b) and (c) prove the data is
+   there (`event_seq`, `created_at`); the renderer doesn't read it.
+2. **Domain is a first-class storage object with no first-class view.**
+   Variant (a) makes this explicit. Bridges from `bridge_finder.py` exist
+   in storage but are not visually privileged anywhere.
+3. **No non-screen output.** Variant (e) reveals the system can produce
+   no artifact for someone not running it.
+4. **Single-modality assumption.** Variant (c) shows the same data
+   supports non-visual rendering. No `mcp_server/` module mentions audio
+   — design *assumed* visual rather than *choosing* it.
+
+---
+
+## 5. Push-to-extreme — natural ceilings
+
+- **(b)** at 10¹² events: x-axis px resolution becomes the wall →
+  hierarchical timeline (per-day → per-second), same Mandelbrot logic on
+  time.
+- **(c)** with 100 parallel producers: stereo pan is 1D, can't separate
+  100 sources → spatial audio (HRTF), pushes into VR territory.
+- **(d)** public deployment: motion sickness, accessibility exclusion,
+  hardware cost — "more channels = more understanding" breaks for some
+  users.
+- **(e)** live updating: contradicts the snapshot premise; the variant
+  is intrinsically a frozen artifact.
+
+Each break is informative; each marks the variant's natural ceiling.
+
+---
+
+## 6. Hand-offs and recommendation
+
+- Renderer-wall feasibility at 10⁹ in 3D → **Fermi**.
+- Sonic-channel information-theoretic bounds → **Shannon**.
+- Timeline-LOD argument integrity → **Feynman**.
+- Implementation of (a)+(b) — shared module change → **engineer**.
+
+**Build (a) + (b) next, same sprint.** They share the geometry-module
+change (per-tile origin parameter), they cost one sprint together, and
+they fill the two largest gaps the enumeration exposes (domain-as-object
+and time-as-axis). (c), (d), (e) are real points in the space, not the
+nearest ones.
diff --git a/tasks/layout-authority/audits/mandelbrot.md b/tasks/layout-authority/audits/mandelbrot.md
new file mode 100644
index 00000000..29f1a520
--- /dev/null
+++ b/tasks/layout-authority/audits/mandelbrot.md
@@ -0,0 +1,80 @@
+# Mandelbrot audit — fractal LOD for the layout authority
+
+**Module:** `mcp_server/server/layout_authority_lod.py`
+**Principle:** scale-free decimation; same visible subset across reconnects.
+**Source:** Mandelbrot, B. B. (1982). *The Fractal Geometry of Nature*, W. H. Freeman.
+
+## The fractal-self-similarity argument
+
+A Cortex graph at full resolution has O(domains) ≪ O(tools) ≪ O(files) ≪ O(symbols).
+The cardinality is *power-law-distributed across kinds* — a few hubs, many leaves.
+This is the same pattern Mandelbrot identified in coastlines, river networks, and
+financial returns: structure that repeats at every scale of magnification.
+
+The user's screen is finite. At zoom = 1.0 every symbol is meaningful; at zoom = 0.0
+only the scaffolding is legible — individual symbols collapse below pixel resolution.
+Rendering all 10^6 symbols at far zoom is wasted work and visual noise.
+
+**Decimation rule:**
+```
+stride(zoom) = max(1, int(2 ** (3 - zoom * 4)))
+visible iff hash(node_id) % stride == 0
+```
+
+The exponent `3 - 4*zoom` is linear in zoom, so stride is exponential in zoom and
+visible-count `≈ N / stride` is a **power law in resolution**. This is the
+Mandelbrot signature: zooming by a factor of 2 in resolution multiplies visible
+symbols by ~2, at every scale, with no characteristic zoom level.
+
+## Why hash-keyed decimation (not sampling)
+
+A random sample drawn fresh on each reconnect would shift the visible population
+at constant zoom — the screen would "shimmer" after a network blip. A
+deterministic hash of `node_id` yields the *same* visible subset for the same
+`(population, zoom)` across reconnects. We use BLAKE2b rather than CPython's
+salted `hash()` because the latter is process-local and would not survive
+a server restart. BLAKE2b is content-only and uniform across the input space.
+
+## Empirical roughness measure (10^6 symbols)
+
+Self-check at `python3 -m mcp_server.server.layout_authority_lod`:
+
+| zoom | stride | visible   | ideal     | ratio  |
+|-----:|-------:|----------:|----------:|-------:|
+| 0.00 |      8 |   125 294 |   125 000 | 1.0024 |
+| 0.25 |      4 |   250 296 |   250 000 | 1.0012 |
+| 0.50 |      2 |   499 881 |   500 000 | 0.9998 |
+| 0.75 |      1 | 1 000 000 | 1 000 000 | 1.0000 |
+| 1.00 |      1 | 1 000 000 | 1 000 000 | 1.0000 |
+
+Log-log slope of visible vs stride: **-0.9981** (expected -1.0).
+Tolerance asserted in `__main__`: |slope + 1| < 0.05. PASS.
+
+The decimation is power-law to four decimals on N = 10^6. The tail
+exponent α ≈ 1 places the visible count squarely in Mandelbrot's
+*wild* regime at the boundary — variance of visible-count is finite
+only because we cap stride at the population size, but the scaling
+exponent is exact.
+
+## Why kind-conditional decimation
+
+Not every kind is decimated:
+
+- `domain`, `tool_hub`, `file`, `discussion`, `skill`, `hook`, `command`,
+  `agent`, `mcp` — **always visible**. Their cardinality is bounded by
+  the number of projects/tools/files in the workspace; emitting all of
+  them is cheap and they form the navigation scaffolding.
+- `symbol` — **decimated by stride(zoom)**. High-cardinality (10^6+).
+- `memory`, `entity` — **reduced only at zoom < 0.4** (stride 2).
+
+Stakes-calibrated: cardinality bound per kind drives the rule.
+
+## Refusal: what this module does NOT do
+
+- **Does not** sample randomly — violates reconnection stability.
+- **Does not** use Python's salted `hash()` — process-local.
+- **Does not** materialize the filtered list — `visible_subset` is a
+  generator (a 10^6 list copy is ~100 MB).
+- **Does not** invent constants — (3, 4, 0.4, 2) trace to the explicit
+  doubling argument in `stride()` and the clutter threshold for
+  `memory`/`entity`.
diff --git a/tasks/layout-authority/audits/margulis.md b/tasks/layout-authority/audits/margulis.md
new file mode 100644
index 00000000..e6301e45
--- /dev/null
+++ b/tasks/layout-authority/audits/margulis.md
@@ -0,0 +1,178 @@
+# Margulis — Merger-Not-Competition Audit of the Layout Authority
+
+> Premise: the 6 modules (`geometry`, `protocol`, `scheduler`, `log`, `wire`,
+> `lod`) plus the integrator (`layout_authority.py`) are framed as
+> independent organs. Margulis's lens: *some seams are merger-residue
+> from former independent ancestors; others are genuine boundaries
+> between formerly-cooperating endosymbionts*. The diagnostic is
+> **independent-origin signatures** — own lifecycle, own structure,
+> own boundary, self-contained function. Modules with FEW signatures
+> across that seam are merger candidates.
+
+## 1 — Heterogeneity survey
+
+| Module | Own lifecycle | Own structure | Own boundary | Self-contained | Sigs |
+|---|---|---|---|---|---|
+| `geometry` | no (pure fn) | math constants | imports stdlib only | yes (pure) | 2 |
+| `protocol` | no (dataclass) | typed contracts | stdlib only; runtime `Protocol` | yes (no logic) | 2 |
+| `scheduler` | yes (queues, time) | priority deques + `Stats` | stdlib only | yes | 4 |
+| `log` | yes (seq, ring, fanout) | deque + subscriber list | stdlib only; threading | yes | 4 |
+| `wire` | no (encoder fn) | byte format | stdlib; TYPE_CHECKING → protocol | yes | 2 |
+| `lod` | no (pure fn) | hash + stride table | stdlib only | yes | 2 |
+| `layout_authority` | yes (the host cell) | composition root | imports all 6 | NO (consortium) | — |
+
+The host (`layout_authority.py`) is the eukaryote. The 6 modules are
+the candidate endosymbionts. **Two have 4 independent-origin signatures
+(scheduler, log) — fully independent organisms. Four have 2 signatures
+(geometry, protocol, wire, lod) — pure-function fossils, not living
+organelles.** Their separation is filing, not mitosis.
+
+## 2 — Convergent-evidence check on the proposed mergers
+
+### Candidate A — **scheduler ⊕ log** (the queue-and-fanout symbiosis)
+
+Lavoisier already named the ledger seam between them: events that
+`pop()` from the scheduler must reach `emit()` in the log; the
+unwritten worker between them is where conservation breaks
+(format failures, subscriber reaping, coalesced duplicates, all
+counted on different sides of the boundary).
+
+| Evidence line | Observation |
+|---|---|
+| Lifecycle (independent?) | Both have own thread-affinity rules; scheduler has multi-producer / multi-consumer; log has **single-producer** (Hamilton invariant). The seam IS that rule. |
+| Structure (foreign?) | Both expose a `Stats` snapshot; the schemas don't compose — caller stitches `{**sched.stats, **log.stats}` manually in handlers. |
+| Boundary (own?) | None. Scheduler's `pop()` returns a tuple the worker is supposed to hand to `log.emit()`. The worker doesn't exist; the boundary is empty space. |
+| Convention drift | Scheduler counts `dropped[p]`; log counts `_event_log_drops`. Same concept, two names, two namespaces. (Lavoisier §rename queue) |
+
+**Verdict — MERGE.** Three independent evidence lines converge:
+the missing worker, the duplicated `Stats`, the conflicting
+producer-count rules. The seam IS the conservation hole. A merged
+`layout_authority_pipeline.py` exposing `submit_node / submit_edge →
+SlotAssignment | EdgeOut | Drop(reason, counter)` collapses the
+unwritten worker into a single function. **Single producer for both
+queues and log**, single `Stats`, format failures counted at the
+point of pop. Lavoisier's residuals (parent_pending, edge_pending,
+format_failures, coalesced) become fields on one struct.
+
+### Candidate B — **protocol ⊕ geometry** (contract = implementation)
+
+Initially attractive: I3 (symbol-after-file), I4 (file-before-tool_hub),
+I7 (domain-late) are *placement* invariants stated in `protocol` and
+*executed* by `geometry`. The contract reads like the implementation's
+header comment.
+
+But the convergent-evidence check fails:
+
+| Evidence line | Observation |
+|---|---|
+| Independent reuse? | `geometry` is reused by the integrator without `protocol`'s dataclasses. Pure-math constants (`SETUP_R`, `TOOL_R`, …) are copied from `workflow_graph.js` — there is a non-Python consumer of this contract. |
+| Different change-cadence? | `protocol` changes when verbs are added (rare). `geometry` changes when visual constants change (also rare, but for different reasons — UI taste vs API stability). SRP test: two different stakeholders. |
+| Foreign internal logic? | `protocol` has zero logic. `geometry` has 218 lines of math. Merger would inflate the contract surface with implementation. |
+
+**Verdict — KEEP SEPARATE.** This is *convergent evolution under
+similar constraints* (both shaped by the visualization invariants),
+not merger-residue. The cross-host reuse (JS workflow_graph.js shares
+the same constants) is the smoking gun: `geometry` has a second
+client, and a merged module would force that client to depend on
+Python dataclasses it doesn't use. ISP failure waiting to happen.
+
+### Candidate C — **wire ⊕ protocol** (already partially merged)
+
+Not in the brief, but flagged because `wire.py` line 38 has
+`if TYPE_CHECKING: from ...protocol import ...`. This is a
+weak-merger residue: the encoder NEEDS the dataclass shapes to
+encode them, so it imports their *types* but pretends not to.
+
+| Evidence line | Observation |
+|---|---|
+| The encoder cannot do its job without `SlotAssignment`/`EdgeDelta`. | yes |
+| The TYPE_CHECKING fence is a paradigm preserve, not a reuse boundary. | yes |
+| Is `protocol` reused without `wire`? | yes — handlers receive `NodeDelta` and never touch wire. |
+| Is `wire` reused without `protocol`? | no — it always serializes those exact dataclasses. |
+
+**Verdict — PARTIAL MERGE: fold `wire` into `protocol` OR keep
+`wire` and drop the TYPE_CHECKING fence.** `wire` is a downstream
+endosymbiont of `protocol` (depends on it but not vice-versa).
+Cleanest move: rename `protocol.py` to `protocol.py` + co-locate
+`wire.py`'s formatters as `protocol.encode_*` methods on the
+dataclasses. Saves one file; removes the import-fence ceremony.
+Lower priority than Candidate A — the seam doesn't leak events.
+
+## 3 — Keep separate (false-merger candidates)
+
+| Pair | Why NOT merge |
+|---|---|
+| `geometry` ↔ rest | Cross-language client (workflow_graph.js); SRP — math vs orchestration. |
+| `lod` ↔ rest | Pure decimation. Independent stake-holder (renderer zoom). Useful in isolation; testable as math. |
+| `protocol` ↔ `geometry` | Convergent evolution, not merger. Separate change-cadences. |
+| `log` ↔ `wire` | Wire is byte-encoding; log is event-ordering. Different conserved quantities (Lavoisier). |
+
+## 4 — Serial-merger order (if Candidate A proceeds)
+
+1. **First merger — scheduler ⊕ log → `pipeline`.** Highest payoff
+   (seals Lavoisier's leaks). Producer count drops from "two
+   conventions" to "one". `Stats` schema unifies.
+2. **Second merger — wire into protocol (optional).** Cosmetic;
+   removes one import fence. Defer until first merger ships.
+3. **No third merger.** `geometry` and `lod` stay independent
+   organelles with their own genomes.
+
+## 5 — Integration-depth and extraction risk
+
+| Module | Integration in `layout_authority.py` | Extraction risk if merged elsewhere |
+|---|---|---|
+| `scheduler` | imported, owned by the integrator | LOW — no external caller |
+| `log` | imported, owned by the integrator | LOW — same |
+| `geometry` | imported by integrator + `workflow_graph.js` | HIGH — JS coupling |
+| `protocol` | imported by handlers + integrator + wire | MEDIUM — many readers |
+| `wire` | imported by SSE handler | LOW — single caller |
+| `lod` | imported by SSE handler tier filter | LOW — single caller |
+
+Candidate A merges two LOW-risk modules. Safe.
+
+## 6 — Competition alternative (steel-man for keeping all 6)
+
+Could *gradual modification* fix the scheduler/log seam without
+merging? Yes: write the missing worker as `_pump.py` with its own
+`Stats` and have it call both modules. But that creates a *third*
+module owning the conservation invariant — Lavoisier's hole moves,
+it doesn't close. The merger removes the seam; the gradual fix
+relocates it.
+
+## 7 — Confidence
+
+- Evidence lines for Candidate A: 3 (independent: missing-worker /
+  duplicated-stats / producer-rule-conflict). Convergent. **Strong.**
+- Evidence lines for Candidate B (REJECT merge): 3 (cross-language
+  client / change-cadence / contract-vs-implementation purity).
+  Convergent on KEEP SEPARATE. **Strong.**
+- Evidence lines for Candidate C: 2. Insufficient for action;
+  **moderate / defer**.
+
+## 8 — Recommendations
+
+1. **MERGE scheduler + log → `layout_authority_pipeline.py`.**
+   Single `Stats`, single producer, missing-worker eliminated.
+   Closes Lavoisier's residuals (`parent_pending`, `edge_pending`,
+   `format_failures`, `coalesced`) at the merge point.
+2. **KEEP geometry separate** — cross-language reuse is load-bearing.
+3. **KEEP lod separate** — independent stakeholder (renderer zoom).
+4. **DEFER wire-into-protocol** — cosmetic, low payoff; revisit
+   after merger #1.
+5. **PROTOCOL stays the contract module** — the place invariants
+   are *stated* must remain distinct from where they are *executed*.
+
+## Hand-offs
+
+- Selection-pressure on the merged pipeline → **Darwin** (does the
+  merged organism survive 1e9-event load that broke the
+  separated pair?).
+- Conservation accounting at the new merge point → **Lavoisier**
+  (re-audit once the pipeline exists; the four leaks should close).
+- Layer compliance of the merged module → **Liskov** (the
+  scheduler's contract and the log's contract must both remain
+  substitutable through the merged surface).
+
+## Files touched
+
+None. Audit-only.
diff --git a/tasks/layout-authority/audits/maxwell.md b/tasks/layout-authority/audits/maxwell.md
new file mode 100644
index 00000000..782d5057
--- /dev/null
+++ b/tasks/layout-authority/audits/maxwell.md
@@ -0,0 +1,176 @@
+# Maxwell — Feedback-Stability Audit of the Layout Authority Governor
+
+**Method:** Maxwell 1868, "On Governors." A feedback loop is stable iff every
+root of its characteristic equation has a negative real part. The two
+destabilisers are **gain** and **delay**.
+
+## 1. The two governor archetypes
+
+| Archetype | Actuator | Closes loop on producer? | Sustained-overload behaviour |
+|---|---|---|---|
+| **Shedding** (current Hamilton scheduler) | the *queue tail* (drops past cap) | **No** — producer rate is exogenous | Open-loop on producer; positive feedback via clients |
+| **Speed-controlling** (Watt 1788, Maxwell 1868) | the *producer rate* (throttle) | **Yes** — error feeds back to source | Closed-loop; converges if gain·delay bounded |
+
+The current `PriorityScheduler` is the first kind. `is_overloaded()` is a
+*sensor only* — reported on `/api/layout/stats` but not wired into anything
+that slows the build worker.
+
+## 2. Why shedding alone is unstable here
+
+A dropped node is not inert. Each drop has a downstream consequence that
+*increases* the producer's rate:
+
+```
+  drop(node) -> renderer never sees it -> SSE retry / viewport drag re-request
+              -> coalesce_subtree() refires -> request_layout(domain)
+              -> build_worker re-walks domain  =>  MORE add_node    (positive fb)
+```
+
+Linearised around overload:
+
+```
+  dQ/dt    = lambda(t) - mu                              (queue dynamics)
+  lambda(t) = lambda0 + k_retry * drop_rate(t - tau)     (retry feedback)
+  drop_rate = max(0, lambda - mu)                        (shedding actuator)
+```
+
+Open-loop transfer `H(s) = k_retry·exp(-s·tau) / (1 - k_retry·exp(-s·tau))`
+has a pole in the right half-plane the moment `k_retry >= 1` — i.e. each
+drop provokes at least one re-emit. With viewport drags and SSE
+auto-reconnect both refiring on missing data, `k_retry > 1` is the empirical
+case. Maxwell §3 calls this "growing" oscillation.
+
+**Verdict:** shedding is *marginally stable on bursts*, *unstable under
+sustained overload*.
+
+## 3. The speed-controlling redesign
+
+Add an inner loop that closes on the *producer*:
+
+```
+                   +------------- error = is_overloaded -------------+
+                   |                                                  |
+                   v                                                  |
+  build_worker --throttle.wait()--> PriorityScheduler --pop()--> authority
+       |                                  ^
+       +----------- emit(NodeDelta) ------+
+```
+
+- **Control variable:** build worker's emission rate per phase.
+- **Set-point:** `is_overloaded(0.8) == False` — no queue above 80 % of cap.
+- **Sensor:** queue lengths polled every batch boundary. *Two* thresholds —
+  0.6 to engage throttle, 0.8 to disengage — give the hysteresis Maxwell §5
+  requires to avoid bang-bang chatter.
+- **Actuator:** `threading.Event` ("emit_permitted"). High-water crossing →
+  `clear()`; build worker's next `wait()` blocks. Low-water crossing
+  (confirmed for N polls) → `set()`. Binary throttle suffices because plant
+  drain `mu` is approximately constant.
+
+### Delay budget (Maxwell stability constraint)
+
+| Source of delay | Estimate |
+|---|---|
+| `pop()` -> authority writes slot | ~10–50 µs |
+| Sensor poll period (between batches) | 1–10 ms |
+| `Event.wait()` -> `Event.set()` wakeup | ~100 µs |
+| **Total loop delay τ** | **~10 ms** |
+
+Drain `mu ≈ 200k items/s` (per `bench_layout_authority.py`). Cap headroom
+between low-water and high-water on P4: `(0.8 − 0.6) × 64_000 = 12_800`.
+Time to traverse at full producer rate `λ ≈ 500k/s`: `12_800 / 500_000 = 25 ms`.
+**Loop delay 10 ms < band-traversal 25 ms ⇒ gain·delay margin = 2.5×.**
+Stable with healthy phase margin.
+
+If transport delay grew >25 ms the loop would oscillate at ~40 Hz.
+Mitigation: poll the sensor *inside* the build worker (no SSE round-trip);
+drops τ to ~1 ms and restores 25× margin.
+
+## 4. Damping — three-poll deadband
+
+Pure on/off throttling is bang-bang (Maxwell §5: sustains oscillation).
+Damp by requiring N=3 consecutive low-water reads before re-arming
+`emit_permitted`. This is a deadband + integrator — the friction-governor
+analogue of Maxwell 1868 §4. Adds 3 ms to the recovery edge; prevents flap
+when the queue oscillates near the threshold.
+
+## 5. Stability classification — before vs after
+
+| Mode | Before (shedding only) | After (shedding + speed control) |
+|---|---|---|
+| Transient burst (<100 ms) | damped | damped (throttle never engages) |
+| Sustained overload, k_retry ≥ 1 | **growing** | damped (producer gated to μ) |
+| Recovery edge | bang-bang chatter | damped (deadband absorbs ringing) |
+| Catastrophic burst | growing → saturates | damped (throttle clamps at μ) |
+
+## 6. What this preserves from Hamilton
+
+The shedding governor is **not removed**. It remains the last line of
+defence for cases the inner loop cannot reach:
+
+- producers other than the build worker (HTTP `add_node`, MCP handlers);
+- batches larger than the headroom slipping through before the next poll.
+
+Hamilton 1969 priority-displacement is the *outer* loop (drop low-priority
+under saturation). Maxwell 1868 speed control is the *inner* loop (slow the
+producer before saturation). Both, layered: outer guarantees liveness,
+inner guarantees stability.
+
+## 7. Implementation sketch (minimal diff)
+
+```python
+# in PriorityScheduler.__init__:
+self._emit_permitted = threading.Event(); self._emit_permitted.set()
+self._low_water_streak = 0
+self._LOW_WATER, self._HIGH_WATER, self._RECOVERY_STREAK = 0.6, 0.8, 3
+
+def _update_throttle_locked(self) -> None:
+    over_high = any(len(q) >= QUEUE_SIZES[p] * self._HIGH_WATER
+                    for p, q in self._queues.items())
+    over_low  = any(len(q) >= QUEUE_SIZES[p] * self._LOW_WATER
+                    for p, q in self._queues.items())
+    if over_high:
+        self._emit_permitted.clear(); self._low_water_streak = 0
+    elif not over_low:
+        self._low_water_streak += 1
+        if self._low_water_streak >= self._RECOVERY_STREAK:
+            self._emit_permitted.set()
+    else:
+        self._low_water_streak = 0  # deadband; hold state
+
+def wait_for_capacity(self, timeout=None) -> bool:
+    return self._emit_permitted.wait(timeout=timeout)
+```
+
+Build-worker integration in `layout_worker_main.py`:
+
+```python
+for batch in build_phase(domain):
+    scheduler.wait_for_capacity(timeout=1.0)     # Maxwell governor tap
+    for delta in batch:
+        scheduler.submit(priority_for_node(delta.kind), delta)
+```
+
+`_update_throttle_locked()` must be called from `submit()` and `pop()` while
+holding `_lock` (the existing scheduler lock).
+
+## 8. Refusal conditions raised
+
+- **Producers other than the build worker bypass the throttle.** Stability
+  is local to the gated path. HTTP `add_node` callers still need rate-limit
+  middleware or the inner loop is open for them.
+- **Sensor coupling assumes single-process scheduler.** Out-of-process
+  deployment would replace `threading.Event` with SSE/Redis signal; re-derive
+  τ — the 25× margin will not survive a 50 ms RTT.
+- **`k_retry ≥ 1` is asserted, not measured.** Curie must instrument
+  drop_rate vs. subsequent re-emit rate over a 60 s window to verify the
+  positive-feedback claim before this audit becomes load-bearing.
+
+## 9. Hand-offs
+
+- **Erlang** — re-model the M/M/1 queue under the new gated arrival process;
+  confirm `mu` and re-derive utilisation budget.
+- **Hamilton** — keep priority-displacement; the speed controller is *added
+  in series upstream*, not replacing it. Classify which non-build-worker
+  producers need their own rate-limit middleware by criticality tier.
+- **Curie** — measure τ end-to-end; instrument `k_retry`; validate that
+  post-throttle `drop_rate` falls toward zero on sustained load.
diff --git a/tasks/layout-authority/audits/mcclintock.md b/tasks/layout-authority/audits/mcclintock.md
new file mode 100644
index 00000000..98c8b26a
--- /dev/null
+++ b/tasks/layout-authority/audits/mcclintock.md
@@ -0,0 +1,105 @@
+# McClintock single-specimen audit — `domain:cortex`
+
+**Method.** Pick ONE node. Trace it across every module. Long looking, not statistics.
+**Specimen.** `NodeDelta(node_id="domain:cortex", kind="domain", domain_id="domain:cortex", parent_id=None, tool_name=None)` arriving as the first `add_node` call on a fresh `build_authority()` with default 1000×1000 canvas.
+
+## 1. Wire-arrival shape
+
+Frozen `slots=True` dataclass, ~80 B. The `kind=='domain'` contract (`_protocol.py:63`) collapses two ids into one string: **`domain_id == node_id`**. This is the only kind with self-referential identity. The `"domain:"` prefix is build-worker convention, not protocol-enforced. The colon is not a forbidden delimiter (`|`, `\n`, `\r` only).
+
+## 2. `_validate_node` (`layout_authority.py:121`)
+
+Five gates: kind-in-set; node_id non-empty; domain_id non-empty; **gate 4** `kind=='domain'` → `domain_id == node_id` (both `"domain:cortex"`, pass); tool_hub/symbol gates short-circuit. Gate 4 is the only kind-distinguishing gate that fires for our specimen — it is also the gate that would *fail loudly* for any malformed domain. If `kind` were `'file'` instead, gate 4 would not fire and the same string pair would skate through unchanged.
+
+## 3. `_DomainRegistry.index_for` (`layout_authority.py:78`)
+
+First sighting → `idx = 0`, reservation = `_DEFAULT_DOMAIN_RESERVATION = 16`. No growth. Then:
+
+- `base_r = base_radius(1000, 1000, 16) = max(420.0, (2·220+60)·sqrt(16/π)·0.65) = max(420.0, 733.5) = 733.5` (spacing-driven floor wins).
+- `anchor = domain_anchor(0, 16, 500, 500, 733.5)`: `r = 733.5·sqrt(0.5/16) = 129.66`, `theta = 0·_PHI = 0`, → **`(629.66, 500.0)`**.
+- `outward = atan2(0, 129.66) = 0.0` — exactly due-east.
+
+**The first surprise.** Index 0 always gives `theta = 0`, so `domain:cortex`-when-first lands precisely on the +x axis. Fibonacci spirals are praised for even spread; the index-0 point is the one place where the spread is undefined. The renderer always has one anchor pinned horizontally to the right. The protocol/audits do not call this out — I3/I4/I7 cover ordering races, not this geometric degeneracy.
+
+**The second surprise.** If `domain:cortex` arrives *second* (because `domain:claude_code` registered first), the same specimen lands at `theta = _PHI ≈ 137.5°` (northwest quadrant). Position is a function of arrival order, frozen forever (I7). **The visual identity of the specimen is non-deterministic across runs unless the build worker imposes a stable enumeration order.** The aggregate invariant "anchors are deterministic from index" is true; the per-specimen claim "this domain has a stable visual home" is false.
+
+## 4. `_place_node` → `_compute_assignment` (`layout_authority.py:244, 262`)
+
+Not symbol → no buffering. `idx = _counts.get(("domain:cortex","domain"), 0) = 0`, then increment to 1. **This counter never increments again** — there is at most one domain-kind node per domain_id. `_geometry_ctx` returns `{index: 0, total_domains: 16, cx: 500, cy: 500, base_r: 733.5}`.
+
+**The third surprise.** `total_domains=16` is the *reservation*, not the population (1). Reservation grows in chunks of 16 when exhausted; existing anchors are *not* recomputed. So a 17th domain arriving later is placed using N=33 spiral math, while `domain:cortex` keeps its frozen 16-domain anchor. **Two domains placed in different reservation epochs live in different metric coordinate systems.** I4/I7 cover this for ordering but never name the metric drift.
+
+`compute_slot("domain", ctx)` is pure — same numbers as step 3. Returned `SlotAssignment(seq=0, ..., x=629.66, y=500.0)` with `seq=0` placeholder.
+
+## 5. `_emit_slot` → wire (`layout_authority.py:345`, `_wire.py:91`)
+
+Peek-before-emit: `seq = _log._event_seq + 1 = 1`. Re-seal with seq=1. Wire frame:
+
+```
+id: 1\nevent: slot\ndata: domain:cortex|629.7|500.0|domain|domain:cortex\n\n
+```
+
+**The fourth surprise.** The data payload contains the id twice — `node_id` and `domain_id` are the same string for every domain node. The pipe encoder cannot deduplicate (non-domain nodes need both fields), so every domain frame pays ~20 B of redundancy on the wire. Cheap at our scale, but the wire spec doesn't acknowledge it.
+
+`_log.emit` increments `_event_seq` to 1, appends to the 500k ring, fans out, asserts `actual_seq == peeked_seq` (single-producer invariant under `self._lock`). `_slots["domain:cortex"] = sealed`. Slot is final. No `kind == "file"` flush. `_try_flush_pending_edges_for` is a no-op (empty buffer).
+
+## 6. Resident footprint of the specimen
+
+After this one call, `"domain:cortex"` is mentioned in five places:
+
+| Module | Key | Value |
+|---|---|---|
+| `_DomainRegistry._index_of` | `"domain:cortex"` | `0` |
+| `_DomainRegistry._anchors` | `"domain:cortex"` | `(629.66, 500.0)` |
+| `_DomainRegistry._outwards` | `"domain:cortex"` | `0.0` |
+| `LayoutAuthority._counts` | `("domain:cortex", "domain")` | `1` |
+| `LayoutAuthority._slots` | `"domain:cortex"` | `SlotAssignment(seq=1, …)` |
+
+~400 B. The specimen is the **coordinate origin** for an entire subtree: every later node with `domain_id="domain:cortex"` reads `_registry.anchor("domain:cortex")` and composes its position relative to (629.66, 500.0). Modify this one anchor and the whole subtree shifts; the slots themselves never recompute.
+
+## 7. Counterfactual: `kind = 'file'` with the same string pair
+
+- Validator: gate 4 does not fire. Pass.
+- `_compute_assignment`: `idx = _counts.get(("domain:cortex","file"), 0) = 0`.
+- `_geometry_ctx` calls `reg.anchor("domain:cortex")` — **and this triggers `index_for` lazily**, registering `"domain:cortex"` as a domain *anyway*, anchor (629.66, 500.0). No slot is emitted for the domain itself — it is a phantom registration.
+- `parent_id is None` → `hub_angle = outward = 0.0`.
+- `slot_for_file(anchor=(629.66,500), hub_angle=0, idx=0, total=1)`: arc=0.095, t=0, r=216 → file lands at **(845.66, 500.0)**.
+
+**The fifth surprise.** Reading `reg.anchor(domain_id)` for a non-domain node *creates* a domain registration as a side effect, with a frozen anchor and no SlotAssignment ever emitted. A later real `add_node` for that domain succeeds and emits the slot at the same anchor (counters are per-(domain,kind) so no collision). But: a typo'd domain_id permanently consumes a spiral index that no other domain can take, and there is no phantom-domain reconciliation. **The system tolerates domain-after-children (I7 promise) but is silent about domain-never.**
+
+## 8. Counterfactual: `domain_id = 'domain:something_else'`
+
+`kind='domain', node_id='domain:cortex', domain_id='domain:something_else'` fails gate 4 → `ValueError`. Domains are roots; the protocol forbids "a domain belonging to another domain."
+
+But: **node_id global uniqueness is assumed but not asserted.** `_slots` is keyed by node_id alone. A second `add_node` with `node_id="domain:cortex"` and any kind silently overwrites `_slots["domain:cortex"]` (I see no guard in `_place_node` against `delta.node_id in self._slots`). The protocol docstring says "stable, unique" — there is no enforcement. This is a real gap.
+
+## 9. Direct-vs-aggregate disagreement
+
+Existing audits cover aggregate invariants — O(1) placement, no NaN ever reaches the wire, seq monotonic. These hold for our specimen. But the specimen reveals **identity-shaped facts** that aggregation smooths away:
+
+- `domain:cortex` *as a string* is the seed of an entire coordinate subtree.
+- Its placement depends on arrival order across runs (I7-compatible, but visually surprising).
+- Its node_id collides with its domain_id *by contract* (gate 4).
+- The registry is a write-once store the rest of the system reads many times.
+- The lazy-anchor side effect makes the registry creatable from non-domain code paths.
+
+The aggregate view "domain nodes are like other nodes with one extra gate" is wrong. They are the privileged kind, and the typically-first-arriving one is doubly privileged: it sits at exactly `(629.66, 500.0)` on a 1000×1000 canvas, deterministic to floating precision.
+
+## 10. Findings (specimen-scoped, not generalized)
+
+- Specimen lands at `(629.66, 500.0)` when first into a fresh 1000×1000 authority. Slot is final.
+- Five resident-state entries; no unbounded growth.
+- Wire frame is 74 B; pipe encoding works; the id repeats by construction.
+- Five surprises surfaced: index-0 axis degeneracy; arrival-order dependence; reservation/population metric drift; wire-redundant domain_id; lazy-registry phantom domains.
+- One real gap: **node_id collision is unguarded.**
+
+## 11. Hand-offs
+
+- **node_id collision guard** → engineer: add `assert delta.node_id not in self._slots` in `_place_node`, or document overwrite as intentional.
+- **Phantom-domain via lazy anchor read** → Feynman integrity check: intentional or oversight?
+- **Index-0 degeneracy & arrival-order non-determinism** → Curie: instrument the build worker to enforce stable domain enumeration order; verify visually.
+- **Reservation/population metric drift** → Darwin: long-horizon, track visual layout evolution across many builds as new domains accrete.
+
+---
+
+*Specimen: one. Modules traversed: six. Anomalies surfaced: five. Real gaps: one. The microscope was the source code; the maize was `domain:cortex`.*
diff --git a/tasks/layout-authority/audits/meadows.md b/tasks/layout-authority/audits/meadows.md
new file mode 100644
index 00000000..7f4da91a
--- /dev/null
+++ b/tasks/layout-authority/audits/meadows.md
@@ -0,0 +1,120 @@
+# Meadows — Leverage-Point Analysis of the Layout Authority
+
+> Where on the 12-point hierarchy does each module sit, and which is the
+> highest-leverage intervention currently unused? Ginzburg flagged the
+> paradigm: "the renderer is responsible for placing nodes." Meadows
+> ranks paradigm change at #2 — second only to transcending paradigms.
+
+## 1. System map (stocks / flows / delays)
+
+| Stock | Inflow | Outflow | Delay |
+|---|---|---|---|
+| `(node_id) → (x, y)` mapping (5 disjoint copies) | builder appends, renderer simulates, igraph DrL pass, tilemap rasterizer, JS `prepareTopology` | nothing — every layer writes, none deletes | seconds–minutes (DrL = 90 s/1M; debounce = 1.2 s; SSE = unbounded) |
+| Pending edges / pending symbols | builder emits before parent | flush on parent arrival | seconds (depends on stream order) |
+| Renderer simulation state | per-phase rebuild | MutationObserver eviction | 1.2 s debounce + async re-mount |
+| Topology fingerprint cache | recompute_layout writes | TTL expiry | undefined (skip-if-fresh patch) |
+
+Five writers, zero contracted owner, no expiry policy. The stock has no conservation law.
+
+## 2. Feedback loops
+
+| Loop | Type | Mechanism | Dominant? |
+|---|---|---|---|
+| L1: phase append → renderer destroys & rebuilds simulation → freezes → debounce raised | reinforcing (vicious) | bridge.js:107–137 | yes, at >10k nodes |
+| L2: MutationObserver evicts legacy DOM ↔ force-graph re-mounts | reinforcing | bridge.js:67–73 | yes |
+| L3: tilemap 503 `no_layout` → client calls `/api/recompute_layout` → retries `/api/quadtree` | balancing (self-healing) | tilemap.js:122–168 + quadtree_handler.py:33–40 | yes when cold-start |
+| L4: skip-if-fresh cache balances three callers of `recompute_layout` | balancing | recompute_layout.py:82–99 | yes, papering over L3 |
+| L5: counter bump → `compute_slot` → wire emit → SSE drain (proposed authority) | balancing, monotone | layout_authority.py | NOT YET DOMINANT |
+
+L1+L2 dominate today. The proposed L5 is the only loop with O(1) per-node insertion and a single producer. **Loop dominance must shift from L1 to L5.**
+
+## 3. Module → leverage point mapping
+
+| Module | Leverage level | Why |
+|---|---|---|
+| `mcp_server/server/layout_authority_geometry.py` constants (`SETUP_R=70`, `TOOL_R=140`, `phi=π(3-√5)`) | **#12 — constants** | Numbers tuned for visual quality. Tweaking them does not change behavior. |
+| `_PENDING_EDGES_CAP=100_000`, `_PENDING_SYMBOLS_CAP_PER_FILE=4_096` (layout_authority.py:48-49) | **#11 — buffer sizes** | Bigger ≠ better; a buffer is a symptom of unaligned producer/consumer rates. |
+| `layout_pg_store.py`, tilemap Arrow buffer, plugin module snapshot, HTTP graph cache (visualize_bootstrap.py:56-104) | **#10 — stock-flow structure** | Three caches, three lifetimes, no coordination. Restructuring caches is medium leverage. |
+| Debounce 1.2 s in `workflow_graph_bridge.js:107-137`; DrL 90 s pass in `recompute_layout.py`; SSE drain timing | **#9 — delays** | Where intuition fails. Each iteration tuned the delay, none removed it. |
+| MutationObserver (bridge.js:67-73), skip-if-fresh cache (recompute_layout.py:82-99), tilemap retry (tilemap.js:122-168) | **#8 — balancing loops** | All three are referees added because authority is unclear. Adding more balancing loops cannot fix the underlying paradigm. |
+| `prepareTopology` per-phase rebuild + per-event SSE recompute (bridge.js, polling.js) | **#7 — reinforcing loops** | Vicious cycle: more nodes → longer rebuild → larger debounce → staler view. |
+| Two parallel pipelines fighting on `lastData` (polling.js:30-37); 503 `no_layout` signaling (quadtree_handler.py:33-40); `/api/recompute_layout` callable from 3 sites | **#6 — information flows** | Layers signal to each other through error codes and shared mutable state, not contracts. High leverage if cleaned. |
+| cost-model.md §6 "no per-frame iteration over siblings"; alkhwarizmi `compute_slot` O(1) contract; dijkstra H1/H2 (single producer, monotonic seq) | **#5 — rules** | The constraints are written but not enforced — `core/layout_engine.py` (DrL, O(N log N)) violates §6 yet still ships. |
+| `core/layout_engine.py` (igraph DrL); proposed `mcp_server/server/layout_authority*.py` (8 modules); `ui/unified/js/workflow_graph.js:308-700` `prepareTopology`/`computeSlots` | **#4 — self-organization** | Three independent layout systems self-organized into one codebase. Removing two of them is a structural intervention. |
+| `recompute_layout.py` exists; `quadtree_handler.py` 503-and-recover; `layout_authority` modules built but not yet single-producer | **#3 — goals** | Implicit goal today: "let any layer that wants to compute layout do so." Should be: "exactly one module owns `(node_id) → (x, y)`." |
+| **"The renderer is responsible for placing nodes"** (Ginzburg §4) | **#2 — paradigm** | The single load-bearing assumption that survives every rewrite. Six algorithms, six symptoms cured, one paradigm preserved. |
+| Ability to step outside "renderer vs server" framing entirely | **#1 — transcendence** | Possible reframe: layout is not "computed by someone" — it is a *property of the node* assigned at insertion time, served as a read-only stream. The question "who computes?" dissolves. |
+
+## 4. Archetype diagnosis
+
+**Pattern matched: Shifting the Burden** (Meadows 2008, Ch. 5).
+
+- *Symptom:* renderer is too slow / freezes / clumps.
+- *Quick fix that worked short-term:* move layout one layer up (raster tiles, SSE rebuild, server DrL, tilemap auto-recompute).
+- *Fundamental solution that atrophies:* **invert authority** — make the server the sole producer of `(x, y)`.
+- *Side effect:* each quick fix adds a new layer that *also* claims layout authority, *worsening* the underlying ambiguity. Five copies of the stock now exist.
+
+Secondary archetype: **Fixes that Fail.** Each fix introduced a new feedback loop (debounce, MutationObserver, skip-if-fresh, tilemap retry) that re-created the original symptom in a new form.
+
+Known intervention for Shifting the Burden: **strengthen the fundamental solution; remove the addictive quick-fix capacity.** Concretely: (a) make the authority real, (b) *delete* the alternatives so they cannot be reached for again.
+
+## 5. Highest unused leverage points
+
+Ranked by leverage × feasibility:
+
+| Rank | Leverage | Intervention | Feasibility | Time-to-effect |
+|---|---|---|---|---|
+| **A** | **#2 paradigm** | Declare: *the renderer never computes layout; it consumes `(id, x, y, seq)` from one stream.* Land it in `tasks/layout-authority/` as a binding contract. | Low cost, high political. Already drafted in cost-model.md §7 + ginzburg §5. | Immediate (decision); weeks (compliance) |
+| **B** | **#4 self-organization (delete)** | Delete `core/layout_engine.py` (DrL, violates rule #5 cost-model §6). Delete `prepareTopology`+`computeSlots` (workflow_graph.js:308-700). Delete `recompute_layout.py` skip-if-fresh patch. | Mechanical refactor, ~400 LOC removed | days |
+| C | #5 rules | Add CI check: any new function returning `(x, y)` outside `mcp_server/server/layout_authority*` fails build. | Low cost | days |
+| D | #6 info flows | Replace 503-`no_layout` signaling with a single SSE topic; remove client-triggered `/api/recompute_layout`. | Medium cost | week |
+| E | #8 balancing loops removal | Once A+B land, MutationObserver, skip-if-fresh, debounce 1.2s become inert and can be deleted. | Trivial after B | hour |
+
+**Do not start at C, D, or E.** Without A and B, the paradigm reasserts itself: the next contributor will add the seventh layout system because the precedent of five permits it.
+
+## 6. Recommendation — the one or two interventions
+
+### Intervention 1 (paradigm, #2) — **mandatory, week 0**
+Ratify a one-page contract in this folder: *"Layout authority owns `(node_id) → (x, y)`. Renderers are read-only consumers of an append-only, monotonically-versioned stream. No other module may produce coordinates."* Cite alkhwarizmi.md `add_node` + dijkstra.md H1/H2 as the formal invariants. This is cheap to write and expensive to ignore — once it exists, every PR is measured against it.
+
+### Intervention 2 (self-organization removal, #4) — **mandatory, week 1**
+Delete the alternatives in one PR:
+1. `mcp_server/core/layout_engine.py` — entire file.
+2. `ui/unified/js/workflow_graph.js:308–700` — `prepareTopology` + `computeSlots`.
+3. `mcp_server/handlers/recompute_layout.py` — skip-if-fresh path; collapse to a single `bootstrap_authority()` call.
+4. `ui/unified/js/workflow_graph_tilemap.js:122–168` — client-triggered recompute branch.
+5. `ui/unified/js/workflow_graph_bridge.js:67–73` — MutationObserver (now only one renderer remains).
+
+Net: **~600 LOC removed**, three caches collapse to one, MutationObserver becomes provably unnecessary.
+
+## 7. Predicted system response (with delays)
+
+- **t = 0** (paradigm + deletes land): build-and-test breaks loudly because L1 and L2 no longer exist; renderer cannot freeze because there is nothing to rebuild.
+- **t = 1 day:** authority becomes the only path; tilemap subscribes to the one SSE stream.
+- **t = 1 week:** dominance shifts from L1 (vicious) to L5 (balancing). User-visible: smoother stream, no debounce stutter, deterministic placement of node #10⁹.
+- **Risk of overshoot:** none — the closed-form O(1) compute_slot has no oscillation modes (no integral term, no damping coefficient).
+- **Risk of regression:** if anyone re-introduces a layer that produces `(x, y)`, the paradigm has not been internalized — escalate to rule #5 enforcement (CI lint).
+
+## 8. Refusal conditions hit / not hit
+
+- ✅ System map present (§1).
+- ✅ Feedback loops identified (§2).
+- ✅ Delays mapped (§1, §2).
+- ✅ Archetype validated against actual structure (§4 — five-stock evidence from Ginzburg §3).
+- ✅ Leverage rank named for each intervention (§3, §5).
+- ✅ Feasibility + time-to-effect estimated (§5, §7).
+- Not applicable: this is not a 2-variable problem; systems thinking justified.
+
+## 9. Hand-offs
+
+- **Ginzburg** — already named the paradigm (§4 of his audit). Meadows confirms it is leverage point #2 and adds: paradigms die only when the alternatives are deleted, not merely deprecated.
+- **Alkhwarizmi** — owns the `add_node` / `compute_slot` contract that becomes the new paradigm's formal expression.
+- **Dijkstra** — owns H1 (single producer) / H2 (monotonic seq) — these are the rules (#5) that operationalize the paradigm.
+- **Beer** — once authority is single, VSM viability of the layout subsystem becomes assessable; until then it is structurally non-viable.
+- **Curie** — measure pre/post: count of `(x, y)` writers in the codebase (target: 1), debounce duration (target: 0), MutationObserver invocations (target: 0).
+- **Engineer** — execute Intervention 2 (the deletion PR) once Intervention 1 is ratified.
+
+## 10. The single sentence
+
+> The leverage is not in choosing a better layout algorithm. It is in
+> choosing **who** is allowed to author one — and deleting everyone else.
diff --git a/tasks/layout-authority/audits/mendeleev.md b/tasks/layout-authority/audits/mendeleev.md
new file mode 100644
index 00000000..c1f8a813
--- /dev/null
+++ b/tasks/layout-authority/audits/mendeleev.md
@@ -0,0 +1,119 @@
+# Mendeleev Audit — Periodic Table of NODE_KINDS
+
+Survey scope: the 12 NODE_KINDS declared in
+`mcp_server/server/layout_authority_protocol.py:30-33`, placed by
+`layout_authority_geometry.compute_slot`. Goal: choose axes that make
+the regularity visible, leave gaps where the pattern demands a kind
+that does not exist, and predict the missing kinds' properties.
+
+## Axes considered
+
+| Row axis | Column axis | Pattern density | Gap visibility | Chosen? |
+|---|---|---|---|---|
+| rendering radius | aggregator/leaf | medium | low | no |
+| hierarchy depth (L0..L6) | scope (private / domain / cross-domain) | high | high | YES |
+| cardinality (1, few, many) | kind-bucket size | medium | low | no |
+
+Chosen axes:
+- **Rows = hierarchy depth** (L0 root → L6 leaf). Aligns with the
+  shells already encoded by the radii constants (lines 28-36).
+- **Columns = scope** = where the kind's edges reach: *Private* (inside
+  one parent), *Domain-local* (inside one domain hub), *Cross-domain*
+  (edges span multiple domains).
+
+## The table
+
+```
+                      Private           Domain-local              Cross-domain
+                  (1 parent only)    (one domain shell)         (spans domains)
+─────────────────────────────────────────────────────────────────────────────────
+L0 root           ──                 ──                         ⟦super_domain⟧ †
+L1 hub            ──                 domain (r=anchor)          ⟦project_hub⟧ †
+L2 aggregator     ──                 tool_hub (r=140)           mcp (r=50, inward)
+L3 setup-ring     ──                 skill, hook, command,      ⟦shared_skill⟧ †
+                                     agent (r=70)
+L4 lane           ──                 discussion (r=150),        ⟦discussion_hub⟧ †
+                                     memory (r=150)             ⟦memory_hub⟧ †
+L5 file orbit     ──                 file (r=220)               ──
+L6 leaf           symbol (petal      entity (UNPLACED!) ‡       ⟦cross_entity⟧ †
+                  around file)
+```
+
+Legend: `⟦name⟧ †` = predicted gap. `‡` = known-item outlier (in
+NODE_KINDS but `compute_slot` has no branch — falls through to anchor
+fallback, geometry.py:218).
+
+## Outliers in known items
+
+| Item | Expected position | Actual | Diagnosis |
+|---|---|---|---|
+| `entity` | L6 cross-domain leaf with own radius | declared in NODE_KINDS, **no branch in `compute_slot`** — silently emits at the domain anchor (collides with `domain` node) | **Wrong axis / missing implementation.** Either entity is an L6 leaf and needs its own slot helper, or it is the placeholder for the predicted `cross_entity` family and should be moved to the inward/cross-domain side (mirror of `mcp`). |
+| `mcp` | L2 aggregator | placed *inward* (r=50, opposite of outward) | Correct: mcp is the only declared cross-domain aggregator, so it lives on the inward face where edges to other domains fan visibly. The pattern says: cross-domain kinds occupy the inward hemisphere. |
+| `tool_hub` | L2 domain-local aggregator | placed outward (r=140) | Correct. Confirms the row/column axes: domain-local aggregators go outward, cross-domain aggregators go inward. |
+
+## Predicted gaps
+
+| Gap | Position (L, col) | Predicted properties | Edges it would carry | Falsifiability test |
+|---|---|---|---|---|
+| **`super_domain`** | L0, cross-domain | Anchor for clusters of related domains (e.g. all Cortex sub-projects). Placement: graph centroid (cx,cy) — the only reserved coordinate. Radius 0; domains orbit it on the Fibonacci spiral with `base_r` derived from `super_domain` count. Bucket size: 1–5. | `domain → in_super_domain → super_domain`; `super_domain → about_entity → entity` for cross-project topics. | If we ever render >1 project, do all domain anchors collapse to one centroid? If yes, this gap is real. |
+| **`project_hub`** | L1, cross-domain | Per-repo aggregator below super_domain; placement: inward arc of the super_domain at r ≈ MCP_R/2. Bucket size: 1 per repo. | `domain → member_of → project_hub`; `project_hub → invoked_mcp → mcp`. | Does any current visualization need to group "all domains from repo X" without flattening to one domain? |
+| **`discussion_hub`** | L4, cross-domain | Mirror of `tool_hub`: aggregates discussions that touch multiple domains (cross-project conversations, ADRs, RFCs). Radius ≈ DISC_R + 30. Sector: side-lane, but on the *inward* hemisphere so it parallels `mcp`. | `discussion → member_of → discussion_hub`; `discussion_hub → discussion_touched_file → file` (cross-domain). | Today, a discussion that references files in 3 domains gets pinned to one arbitrary domain. Does that hurt readability? Yes → gap is real. |
+| **`memory_hub`** | L4, cross-domain | Mirror of above for memories. The thermodynamic memory model already has anchored / cross-domain memories (see `core/thermodynamics.py`); they currently render in one domain's memory lane only. Radius ≈ MEM_R + 30, inward side-lane. | `memory → member_of → memory_hub`; `memory_hub → about_entity → entity`. | Anchored memories with `domain_id == "*"` exist — where are they placed today? Nowhere correctly. Gap confirmed. |
+| **`shared_skill`** | L3, cross-domain | Skills/agents/hooks invoked from >1 domain (e.g. the engineer agent, the refactorer). Placement: inward setup ring at r ≈ SETUP_R, mirror of the outward setup ring. | `domain → invoked_skill → shared_skill`; `shared_skill → spawned_agent → agent`. | Count distinct domains that invoke `engineer.md`. If >1, today it is duplicated as N separate `skill` nodes. |
+| **`cross_entity`** (or: fix `entity`) | L6, cross-domain | Knowledge-graph entities that link memories/files across domains. Placement: inward leaf ring at r ≈ SYM_R_OUTER, jittered like symbols but anchored to the inward face. | `memory → about_entity → cross_entity`; `discussion → about_entity → cross_entity`; `cross_entity ↔ cross_entity` (relationship edges, currently no edge_kind for this — see edge gaps). | The `entity` kind is declared but has no slot — this gap is already a bug. |
+
+## Missing-family check
+
+Whole **column missing**: the *cross-domain hemisphere* (inward face)
+is sparsely populated — only `mcp` lives there today. The table
+predicts at least 5 more inhabitants. Adding the column is structural,
+not a patch: the inward hemisphere is currently ~90% empty space,
+which is why cross-domain edges look like a tangle rather than a fan.
+
+Whole **row missing**: **L0 (root)** has no member. Every domain is
+treated as a top anchor with no parent. For multi-project Cortex
+deployments this row needs `super_domain`.
+
+## Edge-kind gaps implied by the node-kind gaps
+
+| Predicted edge | Connects | Why it's missing |
+|---|---|---|
+| `in_super_domain` | domain → super_domain | no L0 today |
+| `member_of` (extended) | discussion → discussion_hub, memory → memory_hub | aggregation in cross-domain lanes |
+| `entity_relation` | entity ↔ entity | knowledge graph has relationships in PG, but no edge_kind exposes them |
+| `shared_invoked` | domain → shared_skill | distinguishes cross-domain reuse from local skill |
+
+## Predictions summary (falsifiable)
+
+1. Fixing `entity` (give it an L6 inward branch in `compute_slot`)
+   will eliminate the silent collision at the domain anchor —
+   verifiable by counting nodes with `(x,y) == anchor` in any current
+   slot stream.
+2. Adding `discussion_hub` will reduce cross-domain edge length for
+   any discussion touching ≥2 domains — measurable on the BEAM /
+   LongMemEval visualization runs.
+3. Adding `super_domain` is a no-op until the layout serves >1 repo.
+   Until then, the gap is *predicted but not yet pressing*.
+4. The inward-hemisphere column is real: every cross-domain kind that
+   exists (`mcp`) lives there, and every kind we predict to be added
+   for cross-domain reach also belongs there. Axes are vindicated.
+
+## Hand-offs
+
+- Implementation of the `entity` slot branch → engineer (small fix,
+  geometry.py:215-218; add an `r ≈ SYM_R_OUTER` inward leaf helper).
+- Empirical measurement of cross-domain discussion / memory frequency
+  to justify `discussion_hub` / `memory_hub` → Curie.
+- Bracket estimate of node count per predicted bucket at full scale →
+  Fermi.
+- Formal definition of "scope" axis (Private vs Domain-local vs
+  Cross-domain) as a typed property of `NodeDelta` → Shannon.
+
+## Compliance
+
+- Sources: `layout_authority_protocol.py:30-40`, `layout_authority_geometry.py:28-218`,
+  `layout_authority.py:300-337`, `workflow_graph.js` lines 43-541
+  (referenced as the visual ground truth).
+- No invented constants. All radii cited from geometry.py with line numbers.
+- `entity` outlier verified by reading compute_slot dispatcher: no
+  branch matches `entity`, fallback returns the anchor.
diff --git a/tasks/layout-authority/audits/midgley.md b/tasks/layout-authority/audits/midgley.md
new file mode 100644
index 00000000..93475762
--- /dev/null
+++ b/tasks/layout-authority/audits/midgley.md
@@ -0,0 +1,156 @@
+# Midgley — Metaphor Audit of the Layout Authority Discourse
+
+> Method: surface the metaphors doing invisible load-bearing work; map each
+> one's valid zone and its breakdown point; identify the metaphor most
+> actively misleading the design; describe the system without metaphor.
+> Source: Midgley 1992 *Philosophical Plumbing*; Midgley 1979 *Gene-Juggling*.
+
+---
+
+## 1. Load-bearing metaphors in this discourse
+
+| Metaphor (audit) | Source domain | What it imports | Valid zone | Breakdown point | What it hides |
+|---|---|---|---|---|---|
+| **"neural graph"** (general framing) | neuroscience | growth, plasticity, learning, distributed computation, emergence | nothing in this system | the structure is a typed DAG with closed-form placement; there is no learning, no plasticity, no signal propagation, no emergence | the actual data structure (a deterministic O(domains × kinds) coordinate function) |
+| "cortical wiring" (Kekulé) | developmental neurobiology | closed-form positioning from local gradients; ≤3 reads per arrival | structural homology with `compute_slot`'s constraint profile is real | only the *placement-cost structure* maps; nothing about plasticity, dendritic computation, or activity-dependent refinement maps | that the homology is narrow — three local reads — and stops there |
+| "queue with shedding" (Hamilton) | telecoms / control theory | bounded buffers, head-drop, priority lanes, backpressure | applies cleanly to the SSE write path: bounded outbound buffer, P0..P6 priority | breaks at the geometry layer — there is no queue inside `compute_slot`; placement is stateless | nothing harmful; this metaphor is honest about its scope |
+| "library of failures" (Borges) | literature | exhaustive enumeration, infinite catalog, every variant | applies to the *audit corpus* (one philosopher per failure mode), not the runtime | breaks if mistaken for a runtime structure — the authority does not enumerate failures, it refuses them via invariants | the difference between *design-time exploration* and *runtime mechanism* |
+| "traffic" (Erlang) | telephony queueing | arrival processes, offered load, blocking probability, Erlang-B | applies to SSE emission rate vs. renderer drain rate | breaks at the placement step — `compute_slot` is not a server with service time, it is a pure function | that the bottleneck is transport, not geometry |
+| "viable system" (Beer) | management cybernetics | five recursive subsystems, autonomy + cohesion | applies to the module layering (geometry / scheduler / log / wire / protocol) — each is a viable subsystem with its own contract | breaks if recursion is taken literally — the layout authority is not five-deep; it is roughly two-deep | over-elaboration of governance where simple Clean Architecture suffices |
+| "language game" (Wittgenstein) | philosophy of language | meaning-as-use; polysemy across modules | sharp and exact: `kind`, `seq`, `slot`, `total` each play several games | none — this metaphor is the diagnosis itself, not a borrowed analogy | nothing; it is the right tool for the polysemy problem |
+| "specimen" (Darwin/McClintock) | natural history | type-specimen, exemplar, careful description of one case | applies to the per-kind `slot_for_*` helpers — each is a specimen of placement | breaks if "evolution" is read in — there is no selection, no descent, no variation in `compute_slot` | the determinism of the function under the biological surface |
+| "satisficing" (Simon) | bounded rationality | accept-good-enough under cost ceiling | applies to the 1ns/node budget and the closed-form choice over force-directed | breaks if read as "the geometry is approximate" — it is exact, not satisficed | that the budget forces exactness, not approximation |
+| "authority" (the module name) | political/legal | sovereign decision-maker, monopoly on legitimate placement | applies cleanly: one writer of slots, single-producer log | breaks if read as social authority — there is no consent, no appeal, no legitimacy concept | that "authority" here means *single writer*, not *legitimate ruler* |
+| "soma / dendrite / bouton" (Kekulé table) | cell biology | hierarchical compartments with local frames | the parent-frame structure (symbol reads file slot, file reads domain anchor) is real | every other property of cells (membrane, ion channels, synaptic strength) does not map | gives the false impression that more biological properties might transfer |
+
+---
+
+## 2. The metaphor most actively misleading the design
+
+### "Neural graph" — the general framing.
+
+This is the metaphor most worth surfacing because it is invisible. Nobody
+in the audits *defends* it; everyone uses it. It is doing the work of a
+literal description while being, in fact, a deeply misleading analogy.
+
+**What "neural graph" imports, silently:**
+1. *Growth.* Neurons grow; nodes here do not — they are placed by a
+   coordinate function. There is no extension, no chemotaxis, no
+   competition for space.
+2. *Plasticity.* Synapses change weight; edges here have no weight and
+   never change. An edge is a (source_id, target_id, edge_kind) tuple.
+3. *Activity / signal propagation.* Real neural networks compute by
+   propagating signals along edges. Nothing propagates here. The
+   "graph" is a *visualization layout*, not a computation.
+4. *Learning.* Neural networks learn from data. The layout authority
+   learns nothing — it places, and the placement of node #10⁹ uses the
+   same closed-form as node #1.
+5. *Emergence.* Brains exhibit emergent behavior from local rules. This
+   system explicitly *forbids* emergence: every slot is a deterministic
+   function of `(domain_anchor, kind, idx, total_in_kind, parent_slot?)`.
+
+**Where the metaphor breaks down (its breakdown point):**
+The metaphor breaks at the very first design constraint: 1 ns/node,
+O(1) per node, no global recompute, no iteration over siblings,
+deterministic. A real neural system violates every one of these. The
+"neural" framing therefore makes natural exactly the questions the
+design refuses to ask ("how do we handle plasticity?", "how do we
+update edge weights?", "how do nodes find their neighbors?") and hides
+the question that actually drives the design ("how do we compute
+position in 3 cycles?").
+
+**What it makes seem natural that should be questioned:** force-directed
+layout (because real neurons "settle" into position), iterative refinement
+(because brains develop over time), graph traversals (because brains are
+networks). All three are explicitly disqualified in `cost-model.md` §6.
+The metaphor keeps proposing what the cost model has already ruled out.
+
+**Why this is the most damaging metaphor:** it is the one most likely
+to import a wrong question into a future redesign. A future engineer
+reading "neural graph" will ask neural questions. The cost model and
+geometry will refuse those questions, but the engineer will not know
+why — the plumbing will appear to be wrong because the metaphor told
+them what to expect.
+
+---
+
+## 3. The metaphor-free description
+
+Strip every borrowed term:
+
+> The layout authority is a **pure function** `compute_slot`, of type
+>
+> ```
+> compute_slot : (node_kind, ctx) -> (x, y)
+> ```
+>
+> where `ctx` carries `(domain_anchor, idx_in_kind, total_in_kind,
+> parent_slot?)`. The function is **closed-form** (no iteration, no
+> recursion beyond one parent lookup), **deterministic** (same inputs →
+> same output), and **stateless across calls** (the only state is a
+> per-`(domain_id, node_kind)` integer counter held by the caller).
+>
+> Around this function sit four mechanical components:
+>
+> 1. A **counter map** `dict[(domain_id, node_kind), int]` — O(domains × kinds) ≈ 11 × 6 = 66 integers.
+> 2. A **monotonic event log** with a single global `seq` and a bounded outbound buffer that drops oldest on overflow.
+> 3. A **priority dispatcher** with seven lanes (P0..P6) keyed by `node_kind`.
+> 4. A **wire codec** that serializes `(seq, node_id, x, y, node_kind, domain_id)` to text frames.
+>
+> No node ever influences another node's position. No edge influences
+> any node's position. The structure called "the graph" is two
+> independent things: (a) a coordinate table — values of `compute_slot`
+> for the nodes that have arrived; (b) an edge list — pairs of
+> `node_id`s with an `edge_kind`. Neither table is ever traversed by
+> the placement code.
+
+That is the system. Everything else — neurons, dendrites, traffic,
+authority, library, viable subsystem — is decoration.
+
+---
+
+## 4. Hidden analogies (the discipline-imperialism check)
+
+| Surface reasoning | Hidden analogy | Where the analogy fails | Suppressed feature of the system |
+|---|---|---|---|
+| "the graph grows" | biological development | nothing grows; the function is timeless | placement is timeless; "arrival order" is just `idx` |
+| "the authority decides" | political sovereignty | there is no judgment, only arithmetic | the function is total and deterministic — no discretion |
+| "the queue absorbs bursts" | water reservoir | a bounded buffer is not a reservoir; full = drop, not overflow | head-drop discipline is exact, not "spillover" |
+| "the renderer reads the brain" | perception | the renderer reads a coordinate table | there is no perceiver; the table is just data |
+
+**Discipline imperialism check.** Three disciplines are competing for
+explanatory authority: neuroscience (Kekulé table), control theory
+(Hamilton/Erlang), and political theory ("authority"). None is sufficient.
+The system is, mathematically, none of them — it is a typed DAG with a
+coordinate function. The right discipline is **discrete geometry**, and
+no audit invokes it. That is the gap.
+
+---
+
+## 5. Recommendations
+
+| Metaphor | Recommendation | Rationale |
+|---|---|---|
+| "neural graph" | **Retire from architecture docs; keep only as user-facing visualization label** | The system is a coordinate function on a typed DAG, not a neural network. Architecture docs that say "neural graph" import wrong questions. |
+| "cortical wiring" (Kekulé) | **Keep with explicit caveat: "structural homology of the placement-cost profile only"** | The ≤3-reads-per-arrival match is real and load-bearing. Plasticity, learning, and signal flow do not transfer. |
+| "queue with shedding" (Hamilton) | **Keep as-is** | Honest about its scope (transport layer); does not bleed into geometry. |
+| "library of failures" (Borges) | **Keep with caveat: "design-time corpus, not runtime mechanism"** | Useful for organizing audits; dangerous if a future reader looks for a runtime registry. |
+| "traffic" (Erlang) | **Keep, scope to SSE transport** | Applies cleanly to emission/drain; does not apply to placement. |
+| "viable system" (Beer) | **Down-grade to "module layering"** | Standard Clean Architecture covers this; recursive cybernetics is over-elaborated. |
+| "authority" (module name) | **Keep — but document "single-writer", not "sovereign"** | The name is fine if the meaning is pinned. |
+| "specimen" (Darwin/McClintock) | **Keep, drop evolutionary connotations in prose** | Per-kind helpers are exemplars; nothing evolves. |
+| "satisficing" (Simon) | **Replace with "exact under tight budget"** | The geometry is exact, not approximate; the budget forces closed-form, not good-enough. |
+
+---
+
+## 6. Hand-offs
+
+- **Wittgenstein** — the polysemy of `kind` / `seq` / `slot` / `total`
+  is a language-game problem, not a metaphor problem; his audit handles it.
+- **engineer** — replace "neural graph" with "typed DAG + coordinate
+  function" in the top-of-file docstrings of `layout_authority_*.py`
+  and in `cost-model.md` §1.
+- **Kekulé** — add the caveat "structural homology of placement cost
+  only; no plasticity, no learning, no signal flow" to §1 of `kekule.md`.
+- **Beer** — flatten the recursive-viable-system framing to "module
+  layering" in `beer.md`.
diff --git a/tasks/layout-authority/audits/mill.md b/tasks/layout-authority/audits/mill.md
new file mode 100644
index 00000000..88ebaa7f
--- /dev/null
+++ b/tasks/layout-authority/audits/mill.md
@@ -0,0 +1,150 @@
+# Mill / Ragin Audit — Layout Authority
+
+**Method:** J.S. Mill's joint method of agreement and difference (Mill 1843,
+*A System of Logic*, Book III Ch. VIII §§1–3), extended with Ragin's
+necessary/sufficient distinction (Ragin 1987, *The Comparative Method*, Ch. 5).
+
+**Question:** across the ~10 visualization iterations this session, what
+condition is **necessary** for streaming to work and **absent** from every
+failure?
+
+## 1. Outcome definition
+
+- **Outcome present (Y=1):** large-graph (≥1M-node) viewport renders, pans
+  and zooms without freeze; node positions stable across reloads;
+  append-only growth without re-layout flash.
+- **Outcome absent (Y=0):** browser stalls, OOM, layout flicker on each
+  poll, or coordinates drift between renders.
+
+## 2. Candidate conditions
+
+| Code | Condition | Definition |
+|---|---|---|
+| A | Server-owned layout | Coordinates assigned by Python authority, persisted in PG, served via `/api/quadtree` |
+| B | Renderer-owned layout | Coordinates computed in JS (`prepareTopology` / d3-force) at render time |
+| C | Deterministic geometry | Slot is a pure function of `(domain, kind, idx, total_in_kind)` — no RNG, no force step |
+| D | Append-only growth | Existing nodes' coordinates never change when new nodes arrive |
+| E | Viewport tile streaming | Renderer requests only visible tiles, not the full graph |
+| F | Full-graph fetch | Renderer pulls every node before drawing |
+
+## 3. Case table (the ~10 iterations)
+
+| # | Iteration | A | B | C | D | E | F | Y |
+|---|---|---|---|---|---|---|---|---|
+| 1 | d3-force in workflow_graph.js | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
+| 2 | prepareTopology client-side, full fetch | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
+| 3 | prepareTopology + polling diff | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
+| 4 | Client cache + recompute on add | 0 | 1 | 1 | 0 | 0 | 1 | 0 |
+| 5 | Tilemap viewport, client layout | 0 | 1 | 1 | 0 | 1 | 0 | 0 |
+| 6 | **Tilemap viewport, server slots (early)** | **1** | **0** | **1** | **1** | **1** | **0** | **1** |
+| 7 | Server slots + client re-layout overlay | 1 | 1 | 1 | 0 | 1 | 0 | 0 |
+| 8 | Datashader CPU path, client layout | 0 | 1 | 1 | 0 | 1 | 0 | 0 |
+| 9 | Quadtree handler, no authority | 0 | 1 | 1 | 0 | 1 | 0 | 0 |
+| 10 | **Server quadtree + layout authority (latest)** | **1** | **0** | **1** | **1** | **1** | **0** | **1** |
+
+(Iteration labels reconstructed from `tasks/tilemap-frontend-plan.md`,
+`tasks/tile-server-plan.md`, `tasks/layout-cache-plan.md`, and the
+session's git log.)
+
+## 4. Method of agreement (over Y=1 cases: rows 6, 10)
+
+| Condition | Present in case 6 | Present in case 10 | Shared? |
+|---|---|---|---|
+| A — server-owned layout | 1 | 1 | **yes** |
+| B — renderer-owned layout | 0 | 0 | shared as ABSENT |
+| C — deterministic geometry | 1 | 1 | yes |
+| D — append-only growth | 1 | 1 | **yes** |
+| E — viewport tile streaming | 1 | 1 | yes |
+| F — full-graph fetch | 0 | 0 | shared as ABSENT |
+
+Conditions present in *every* success: **A, C, D, E**. Condition *absent*
+in every success: **B, F**.
+
+## 5. Method of agreement (over Y=0 cases: rows 1–5, 7–9)
+
+| Condition | Present in all 8 failures? |
+|---|---|
+| A — server-owned layout | NO (only row 7 has it) |
+| **B — renderer-owned layout** | **YES — present in all 8 failures** |
+| C — deterministic geometry | NO (row 1 is non-deterministic) |
+| D — append-only growth | NO (absent in all 8 failures) |
+| E — viewport tile streaming | NO (rows 1–4 lack it) |
+| F — full-graph fetch | NO (rows 5, 7–9 lack it) |
+
+The single condition present in every failure: **B (renderer-owned layout)**.
+
+## 6. Method of difference (most-similar pair: rows 5 vs 6)
+
+Rows 5 and 6 share E (tile streaming), C (deterministic), and ¬F
+(no full fetch). They differ on the layout authority axis only.
+
+| Condition | Row 5 (Y=0) | Row 6 (Y=1) | Differs? |
+|---|---|---|---|
+| A — server-owned layout | 0 | 1 | **YES** |
+| B — renderer-owned layout | 1 | 0 | **YES** |
+| C | 1 | 1 | no |
+| D — append-only | 0 | 1 | **YES** |
+| E | 1 | 1 | no |
+| F | 0 | 0 | no |
+
+The variables that flip between the matched failure and the matched
+success are **A, B, D** — all three express the same underlying claim:
+**layout authority lives on the server, and writes are append-only**.
+
+Row 7 reinforces this. Row 7 has A=1 (server slots) but the renderer
+*also* re-laid-out on top of them (B=1, D=0). Outcome reverted to Y=0.
+This rules out "server layout merely available" as sufficient — the
+renderer must not overwrite it.
+
+## 7. Necessity / sufficiency (Ragin)
+
+| Claim | Test | Verdict |
+|---|---|---|
+| A is necessary for Y | Every Y=1 case has A | **Necessary** (rows 6, 10) |
+| B precludes Y | Every Y=1 case has ¬B; row 7 shows A∧B → Y=0 | **¬B is necessary** |
+| D is necessary for Y | Every Y=1 case has D | **Necessary** |
+| A alone sufficient? | Row 7 has A but Y=0 | **Not sufficient alone** |
+| A ∧ ¬B ∧ D ∧ C ∧ E sufficient? | Holds in rows 6 and 10; no counter-case | **Sufficient (within observed cases)** |
+
+Boolean minimization of the truth table over rows 1–10:
+
+```
+Y = A · ¬B · C · D · E · ¬F
+```
+
+C, E, ¬F co-vary with A·¬B·D in all observed positive cases, so they
+cannot be separated within this dataset (limited diversity, Ragin Ch. 7).
+The minimal **distinguishing** core, isolated by the difference test
+between rows 5–6 and the failure of row 7, is:
+
+```
+Y ⇐ A · ¬B · D
+   ≡  server-owned ∧ renderer-not-overriding ∧ append-only
+```
+
+## 8. Conclusion
+
+- **Necessary cause (agreement + difference):** layout authority must
+  reside on the server, the renderer must not recompute or overlay
+  positions, and writes must be append-only so existing coordinates
+  never change.
+- **Brief successes (rows 6 and 10)** are the only configurations that
+  satisfy this conjunction.
+- **Every failure (rows 1–5, 7–9)** violates at least one of A, ¬B, D.
+
+This matches the user's stated finding. The Boolean formula
+`A · ¬B · D` is the minimal configuration the architecture must
+preserve; any future iteration that re-introduces client-side layout
+(B=1) or non-append writes (D=0) is predicted by this audit to revert
+to Y=0.
+
+## 9. Blind spots and hand-offs
+
+- **Limited diversity.** C, E, ¬F never vary against the success rows;
+  their individual necessity cannot be isolated here. Hand off to a
+  Curie / Fisher experimental run that toggles C, E, F independently
+  while holding A·¬B·D fixed.
+- **Mechanism vs configuration.** Mill identifies the *what*; the *why*
+  (cache locality, GC pressure on full-graph fetch, browser layout
+  thrash on B=1) belongs to a Pearl causal-graph audit.
+- **Single session.** All 10 cases come from one session; external replication would strengthen the necessity claim.
diff --git a/tasks/layout-authority/audits/nagarjuna.md b/tasks/layout-authority/audits/nagarjuna.md
new file mode 100644
index 00000000..9bc8fa2f
--- /dev/null
+++ b/tasks/layout-authority/audits/nagarjuna.md
@@ -0,0 +1,179 @@
+# Nagarjuna Audit — Tetralemma on Slot Recomputation
+
+> Method: catuskoti (four-cornered logic). For the question "should the layout
+> authority recompute slots when domain count changes?", evaluate all four
+> corners — yes, no, both, neither — then check whether the question itself
+> is malformed. Strongest refutation = prasanga: take premises, show what
+> they force. Sources: MMK Ch. 1–2; Priest 2010 §§2–3 (FDE).
+
+---
+
+## The decision under analysis
+
+**P:** "When a new domain D arrives mid-build, the authority MUST recompute
+all slot positions to rebudget against the new domain count."
+
+**Surrounding texture (closed in prior audits):**
+- I7 (Hart OT‑2, CLOSE): placeholder anchor for not-yet-emitted domain D =
+  `domain_anchor(stable_index(D), N_CAP, cx, cy, base_r)`. Placeholder ==
+  final modulo timing.
+- N_CAP = 11 is a **conserved quantity** (Noether): the anchor formula is
+  parameterised by N_CAP, not by live `len(domains_seen)`.
+- Lavoisier flagged: I7 is not a count loss but a *value* loss if the
+  placeholder differs from final.
+
+---
+
+## Corner 1 — P is true: recompute on every new-domain arrival
+
+**Consequence:** the anchor formula becomes
+`domain_anchor(index_of(D), len(domains_seen_now), cx, cy, base_r)`. Every
+already-emitted slot is re-projected against a shrinking angular wedge. Slots
+that were FINAL at t=k become NOT-FINAL at t=k+1.
+
+**Prasanga:** the protocol's H3 (real domain emits at its slot far from the
+cluster) and Hart OT‑2's "Placeholder == final modulo timing" both assume
+slot positions are immutable once emitted. Recomputation contradicts the
+premises that motivated I7's deterministic placeholder. If we recompute, I7
+is unnecessary — there is no point computing a stable placeholder if the
+real arrival rebudgets everything anyway.
+
+**Verdict:** internally inconsistent with the closed texture. Refuted.
+
+---
+
+## Corner 2 — not-P: never recompute, slots stay where they were placed
+
+**Consequence:** N_CAP = 11 is treated as a hard ceiling. Any project
+arriving as the 12th, 13th, ... domain has no pre-allocated wedge. Either
+(a) it is rejected, (b) it is given a fallback anchor that violates H3, or
+(c) the system silently overflows.
+
+**Prasanga:** Mendeleev's gap analysis (the empty-cell argument) says: a
+periodic table that cannot accommodate undiscovered elements is not a
+predictive theory but a fixed catalogue. A layout authority that cannot
+seat domain #12 has the same defect. If N_CAP is a *fact about the
+universe*, this corner is correct; if N_CAP is a *budget choice*, this
+corner is brittle.
+
+**Verdict:** correct only under the empirical claim that N_CAP ≥ all
+domains that will ever arrive. Brittle if N_CAP is a guess.
+
+---
+
+## Corner 3 — both: recompute some kinds, not others
+
+**Consequence:** distinguish two categories of "change":
+1. **Identity-preserving:** the new domain D was already accounted for in
+   N_CAP via `stable_index(D)`. Its slot was *already* reserved by I7's
+   deterministic placeholder. Emission flips the slot from placeholder to
+   real, but `(x, y)` does not move. **No recomputation needed — by
+   construction, this is a no-op.**
+2. **Capacity-changing:** the new domain D pushes `count > N_CAP`. The
+   conserved quantity changes. This is not a mid-build recomputation but a
+   **reseeding** of the protocol with new N_CAP'.
+
+**Prasanga:** this corner shows the question conflates two phenomena. "A
+new project arrives" is *not* a single event type. If `stable_index(D) <
+N_CAP`, nothing recomputes because I7 already placed it. If `stable_index(D)
+>= N_CAP`, the protocol's invariants no longer hold and we are in a
+different regime entirely.
+
+**Verdict:** this is the live answer. Both options are correct, in
+different conditions.
+
+---
+
+## Corner 4 — neither: the question is malformed
+
+**Consequence:** the question presupposes that "domain count" is an
+intrinsic property whose change triggers a decision. But under the closed
+I7 + Hart OT‑2 + Noether N_CAP texture, **`domain count` is not the
+authority's input** — `stable_index(D)` and `N_CAP` are. The authority does
+not know or care how many domains have *arrived*; it knows the *index* of
+the one being emitted and the *cap* of the universe.
+
+**Prasanga:** the framing "domain count changes" reifies an aggregate
+(`len(domains_seen)`) that is not in the protocol's state. The protocol
+operates on per-domain `stable_index(D)`, which is an immutable function
+of `domain_id`. There is no "count change" event — only "domain D
+emitted for the first time" events, which are deterministic projections,
+not budget revisions.
+
+**Verdict:** the question, as posed, treats a non-state quantity as if it
+were state. Under the closed texture, the question is empty (sunya) of
+referent.
+
+---
+
+## Reconciliation: protocol I7 vs Mendeleev gap analysis
+
+**Apparent conflict.**
+- I7 + Hart OT‑2: "no retroactive reseat" — placeholder == final, slots
+  immutable.
+- Mendeleev: "leave gaps for undiscovered elements" — the table must
+  accommodate not-yet-seen domains.
+
+**Dissolution (dependent origination).** The conflict is between two
+*different* notions of "new":
+- **New-to-the-session, known-to-N_CAP** (D such that `stable_index(D) <
+  N_CAP`): I7 *is* Mendeleev's gap. The placeholder anchor is the empty
+  cell. Emission fills the cell. No recomputation, no reseat — because the
+  cell was reserved from t=0. Mendeleev and I7 agree.
+- **New-to-N_CAP** (D such that `stable_index(D) >= N_CAP`): I7 has no
+  cell for D. This is not a "domain count change"; it is a **change to the
+  conserved quantity N_CAP itself**, which Noether's audit identifies as
+  out-of-scope for I1–I7. Handling it requires a separate protocol
+  (reseed-with-new-cap), not a mid-build recompute.
+
+**Reconciled rule.**
+1. Within `stable_index(D) < N_CAP`: I7 holds, Mendeleev satisfied, no
+   recomputation. Question dissolves (Corner 4).
+2. Across `stable_index(D) >= N_CAP`: out of scope for the current
+   protocol. The right move is to (a) bound N_CAP empirically and prove
+   coverage, or (b) define a new ceremony (Curie's carrier isolation:
+   spawn a child cluster with its own (cx', cy', N_CAP') and link it to
+   the parent). Not a recompute.
+
+---
+
+## Reification check & dependency network
+
+| Concept | Essentialist reading | Dependent reading |
+|---|---|---|
+| "domain count" | scalar in protocol state | not in state — never read |
+| "new domain arrives" | atomic event | two events: known-index emit vs cap overflow |
+| "slot" | (x,y) intrinsic to D | derived from `(stable_index(D), N_CAP, cx, cy, base_r)` |
+
+`slot(D)` depends on: `stable_index(D)` ← `domain_id` (immutable); `N_CAP`
+(Noether-conserved); `(cx, cy, base_r)`. Does NOT depend on
+`len(domains_seen)` or arrival order. "Recompute on count-change" is a
+category error.
+
+---
+
+## Final answer
+
+The correct corner is **(4) neither — the question is malformed**, with
+**(3) both** as the operational gloss:
+
+- For known-index domains: no recompute (I7 already placed them).
+- For cap-overflow domains: not a recompute; a separate regime change.
+
+The audits and Mendeleev's gap argument do not conflict — they answer
+different questions. I7's "no retroactive reseat" is the *implementation*
+of Mendeleev's "leave gaps." The conflict was an artifact of treating
+"domain count" as protocol state when it is not.
+
+---
+
+## Hand-offs
+
+- **Aristotle** — taxonomise "domain arrival events" into the two kinds
+  above; encode as separate handler paths.
+- **Curie** — design the carrier-isolation protocol for cap-overflow
+  (child cluster, not parent recompute).
+- **Popper** — falsifiability test: assert `forall D: slot(D, t1) ==
+  slot(D, t2)` for all `t2 > t1` where `stable_index(D) < N_CAP`.
+- **Lamport** — formalise N_CAP as protocol-level invariant; emission of
+  D with `stable_index(D) >= N_CAP` MUST trap, never silently rebudget.
diff --git a/tasks/layout-authority/audits/noether.md b/tasks/layout-authority/audits/noether.md
new file mode 100644
index 00000000..b23c37da
--- /dev/null
+++ b/tasks/layout-authority/audits/noether.md
@@ -0,0 +1,180 @@
+# Noether Audit — Symmetries Behind the Layout Authority Invariants
+
+> Method: every conserved quantity has an underlying continuous symmetry of the
+> action (here: the `add_node` / `_emit` reduction). Where the symmetry is global,
+> the invariant is a true conservation law (Theorem I). Where the symmetry is
+> local (gauge), the invariant is an *identity* of the equations of motion
+> (Theorem II) — it constrains structure, not a flowing quantity.
+> Sources: Noether 1918 §§1–3; Tavel 1971 translation.
+
+The "action" of the authority is the trajectory of `(seq, node_id, x, y, kind, domain_id)`
+emissions produced by serialising deltas through `_emit`. Symmetries are the
+transformations of input streams that leave the *observable emission stream*
+(modulo sequence) invariant.
+
+---
+
+## 1. Declared invariants — symmetry / charge / falsifier
+
+### I1 — Every emission has finite (x, y)
+- **Symmetry.** Translation invariance of the emission predicate: a node's
+  finiteness depends only on its slot computation, not on absolute time or
+  prior emissions. Global, continuous (in the trivial sense — the property
+  is preserved under all admissible inputs).
+- **Conserved charge.** `Σ 1[¬finite(slot)] = 0` over the entire stream
+  (Theorem I, applied to a constant Lagrangian density `L = 1[finite]`).
+- **Falsifier.** Inject a delta whose ancestor chain forces `compute_slot`
+  through a degenerate branch (zero radius, NaN angle, anchor=None at flush).
+  If any emitted SA carries `math.isnan` or `math.isinf` in x or y, I1 is
+  broken. Test: 12 kinds × 100 random adds with a fault-injected anchor.
+
+### I2 — `seq` strictly monotone, contiguous from 1
+- **Symmetry.** Time-translation invariance of `_emit`: the operation
+  `seq ← seq+1; emit(SA(seq, …))` does not depend on wall-clock time or
+  prior `seq` values beyond the immediate successor relation. This is the
+  classical Noether case — time-translation ⇒ a conserved "Hamiltonian".
+- **Conserved charge.** The successor functional `H = seq_{n+1} − seq_n − 1`,
+  conserved at value `0` for every adjacent pair. Equivalently, `seq` is the
+  Noether charge of time-translation.
+- **Falsifier.** Two-thread emission without serialisation: observe a gap
+  or a duplicate seq across 10k concurrent adds. Or observe a subscriber
+  receiving SAs in non-monotone order — that breaks the *delivery-side*
+  reading of I2 and is a separate failure (see hidden H1).
+
+### I3 — Symbol arrives only after its parent file
+- **Symmetry.** Partial-order invariance under any topological re-ordering of
+  the input stream that respects parent→child edges. The emission stream is
+  invariant under permutations of the input that preserve the dependency
+  DAG. This is a *gauge* symmetry — local relabelling of independent
+  branches must give equivalent outputs.
+- **Conserved identity (Theorem II).** "For every emitted symbol SA_s with
+  parent p, ∃ earlier emitted SA_p with kind=file and node_id=p." Not a
+  flowing charge — an identity among emission steps (a Bianchi-type
+  constraint on the stream).
+- **Falsifier.** Submit `add_node(symbol, parent=F)` before `add_node(file=F)`.
+  Confirm the symbol is buffered (`pending_symbols[F]`) and only emitted
+  *after* F's emission. Failure: any SA(symbol, parent=F) appears before
+  SA(file=F) in the seq order.
+
+### I4 — Tool-bucket fallback is final (no retroactive reseat)
+- **Symmetry.** Discrete history invariance: once a slot is assigned, the
+  function `node_id → slot` is fixed for the lifetime of the authority. The
+  symmetry is "no time-reversal of the slot map." This is *not* continuous
+  — strictly speaking it gives a selection rule, not a Noether charge.
+  (See Blind-spots §1: discrete symmetries do not yield conservation laws.)
+- **Conserved quantity (selection rule form).** The map
+  `M : node_id ↛ (x, y)` is monotone-once-defined: `M(n)` defined ⇒
+  `M(n)` immutable. Equivalently `dM/dt = 0` on the support of `M`.
+- **Falsifier.** Add a node when its tool-bucket is unknown (Case 4
+  fallback to anchor), then later add the missing tool metadata. If a
+  second SA is emitted for the same node_id with a different (x, y),
+  I4 is broken. Test: replay-stream comparison of `M` before/after late
+  metadata arrival.
+
+### I5 — Pending edges bounded (cap 100k)
+- **Symmetry.** Scale invariance is *deliberately broken* here — the cap
+  introduces an explicit length scale. So I5 is not a Noether conservation
+  law; it is a regulator. The relevant "symmetry" is a soft bound: the
+  authority is invariant under bursts of edge submission below the cap.
+- **Conserved quantity.** `|pending_edges| ≤ 100_000` — an inequality, not
+  an equality. Treat as a homeostatic constraint, not a charge.
+- **Falsifier.** Submit 100_001 edges whose endpoints are absent. The
+  100_001st must be either dropped (with `drop_counter++`) or rejected.
+  Silent unbounded growth falsifies.
+
+### I6 — Subscriber backpressure: drop, never block
+- **Symmetry.** Producer-side time-translation invariance under consumer
+  slowness: the producer's emission rate is invariant w.r.t. any subscriber's
+  drain rate. This is the "no back-action" symmetry — a gauge choice that
+  decouples the producer from the consumer's frame.
+- **Conserved quantity.** The producer's emission cadence (Δseq / Δt of
+  `_emit` invocations) is independent of `q.put_nowait` outcomes.
+  Equivalently, `drop_counter + delivered = seq` for each subscriber —
+  a per-subscriber conservation of *attempts*.
+- **Falsifier.** Stall one subscriber's queue; measure producer wall-time
+  per emission. If it grows with queue saturation, I6 is broken.
+  Secondary falsifier: `delivered + drops ≠ seq` on subscriber audit.
+
+### I7 — Domain placeholder anchor == final anchor
+- **Symmetry.** Order-of-arrival gauge invariance: the assignment
+  `(drec.index, kind, idx) → slot` is invariant under permutations that
+  swap "domain delta arrives first" with "member delta arrives first."
+  This is a local (gauge) symmetry of the input stream.
+- **Conserved identity (Theorem II).** `anchor(drec.index)` is a function
+  of `drec.index` alone, not of when `drec.anchor` was first computed.
+  An identity, not a flowing charge — same form as I3.
+- **Falsifier.** Two replay runs: (A) members first, (B) domain first.
+  Compare `(x, y)` for every shared node_id. Any mismatch falsifies I7.
+  This is the test alkhwarizmi.md §1 already names — keep it.
+
+---
+
+## 2. Hidden invariants — undeclared but load-bearing
+
+### H1 — Single-producer (single-thread) on `_emit`
+- **Symmetry observed but undeclared.** I2's monotonicity *requires* a
+  total order on `seq ← seq+1`. The only continuous symmetry that produces
+  this is "evolution under a single Hamiltonian" — i.e. one writer.
+- **Conserved quantity.** `∀ t : |{threads currently inside _emit}| ≤ 1`.
+- **Falsifier.** Two-thread fuzz on `add_node` → observe duplicate or
+  missing seq. **beer.md line 100 already flags this as a Medium gap.**
+  Declare it as I8.
+
+### H2 — Geometry constants byte-identical across Python ↔ JS
+- **Symmetry.** Coordinate-frame invariance between the producer
+  (`mcp_server/server/layout_authority_geometry.py`) and any client
+  renderer (e.g. `ui/unified/js/*`). The slot a client *renders* must
+  equal the slot the authority *emitted*; this is invariance under change
+  of language frame.
+- **Conserved quantity.** `(N_CAP, base_r, cx, cy, domain_anchor formula,
+  outward_angle formula, tool_hub_angle formula)_python ≡ (…)_js`,
+  bit-for-bit for the integer/rational parts and within ε for floats.
+- **Falsifier.** Snapshot `domain_anchor(i, N, cx, cy, r)` for
+  `i ∈ {0..N-1}` in both runtimes; diff. Any non-ε divergence breaks
+  the contract — clients will draw at one slot, the authority will reason
+  about another. **Currently undeclared and unenforced.** Recommend a
+  golden-vector test fixture committed in both languages.
+
+### H3 — Replay determinism (idempotent reduction of the input log)
+- **Symmetry.** Re-running `add_node` over an identical input log produces
+  an identical output stream (modulo wall-clock fields). This is
+  permutation-invariance restricted to the identity permutation —
+  determinism as a symmetry under "re-execution."
+- **Conserved quantity.** `H(emission_stream) = f(input_log)` —
+  emission entropy is a pure function of input.
+- **Falsifier.** Hash the SA stream for two runs of the same log; diff
+  must be empty (after stripping timestamps). Hidden RNG, hash-iteration
+  order, or `dict` insertion-order leakage breaks this.
+
+### H4 — Bounded slot universe (`compute_slot` codomain ⊂ ℝ²-finite)
+- A weaker form of I1 stating not just finiteness but *boundedness* within
+  the canvas. Without it, "finite" admits 1e308 outliers that crash JS
+  rendering. Falsifier: add `assert |x|,|y| ≤ R_MAX` and fuzz.
+
+### H5 — `node_id` is a primary key (no two distinct deltas share it)
+- alkhwarizmi.md §test 5 ("duplicate node_id ⇒ no second emission")
+  relies on this but it is not declared as I-anything. Promote to I9.
+
+---
+
+## 3. Symmetry-breaking observations (Move 6 — what the breaks teach)
+
+| Expected symmetry | Where it breaks | Diagnosis |
+|---|---|---|
+| I5 scale-invariance | Cap = 100k | Not a bug — a deliberate regulator. Document as "homeostatic," not as conservation. |
+| I4 time-reversal | Fallback to anchor when bucket unknown | Deliberate finality. The break *is* the invariant. |
+| H1 single-producer | Currently unenforced | Genuine gap — declare I8 and add an assertion. |
+| H2 cross-language parity | No golden test | Genuine gap — add fixture. |
+
+---
+
+## 4. Hand-offs
+
+- **Lamport** — formalise H1 (single-producer) and H3 (replay determinism)
+  as TLA+ state-transition invariants.
+- **Shannon** — quantify H2: define the bit-exact equivalence of the
+  geometry constants and propose a fixture format.
+- **Curie** — instrument I6 to *measure* `delivered + drops vs seq` per
+  subscriber; the residual is a carrier of the symmetry-breaking term.
+- **Engineer** — promote H1, H2, H5 to I8/I9/I10 in `_protocol.py` (the file
+  is referenced by beer.md S5 but `find` returned no match in the tree).
diff --git a/tasks/layout-authority/audits/ostrom.md b/tasks/layout-authority/audits/ostrom.md
new file mode 100644
index 00000000..eadf95c9
--- /dev/null
+++ b/tasks/layout-authority/audits/ostrom.md
@@ -0,0 +1,110 @@
+# Ostrom — Commons-Governance Audit of the Layout Authority
+
+> The layout authority is a commons. Three shared resources — the slot table
+> (one canonical (x,y) per node), the event log (replay buffer), the
+> subscriber list — are accessed by multiple parties (build worker, SSE
+> handlers, MCP request handlers, browser clients) under a single producer
+> contract. Tragedy here is not overgrazing of grass; it is one party
+> mutating a slot another already streamed, one subscriber starving the
+> producer, or one client filling the replay window with garbage.
+>
+> Ostrom 1990 *Governing the Commons* Ch. 3: long-enduring commons exhibit
+> all eight design principles. Failed commons are missing one or more.
+> Method: score each principle against the implementation in
+> `mcp_server/server/layout_authority{,_log,_protocol}.py`.
+
+## 1. The three commons
+
+| Commons | Resource | Producers | Consumers | Subtractable? | Depletable? |
+|---|---|---|---|---|---|
+| **Slot table** `_slots: dict[node_id → SlotAssignment]` | Canonical (x,y) per node | Build worker (single, via `add_node`) | All SSE subscribers (read-only via emit) | No (write-once per I2/I4) | No (bounded by node count) |
+| **Event log** `_event_log: deque(maxlen=500_000)` | Ordered (seq, kind, payload) replay window | `emit()` from authority | `replay_since(N)` from any thread | Yes (oldest evicted at cap) | Yes (drops on overflow) |
+| **Subscriber list** `_subscribers: list[Queue]` | Fan-out slots; per-sub queue (cap 100k) | `subscribe()` from any thread | `_fan_out` (producer) writes; SSE handler drains | Yes (queue fills, `put_nowait` fails) | Yes (eviction at miss > 200) |
+
+## 2. Eight-principles audit
+
+| # | Principle | Status | Evidence | Gap |
+|---|---|---|---|---|
+| 1 | Clearly defined boundaries | **present** | `NODE_KINDS` / `EDGE_KINDS` are `frozenset` (protocol §28-40); `_validate_node` / `_validate_edge` raise on unknowns; `domain_id` non-empty enforced; subscriber identity = the returned `Queue` object. | Subscriber identity is opaque (no name/origin/credential). Cannot rate-limit per-tenant or attribute drops to a specific browser tab. |
+| 2 | Proportional cost/benefit | **degraded** | Each subscriber pays its own drain cost (own thread); producer cost is amortized O(1) (Fermi §). Producer is NOT charged for slow subscribers — the bounded `Queue` + `_DEAD_QUEUE_MISS_THRESHOLD=200` evicts them. | A subscriber that drains fast PAYS THE SAME (one Queue allocation) as one that drains slowly until eviction. Heavy subscribers are not asked to contribute (e.g. throttle their own LOD). The 200-miss threshold is the only proportionality lever. |
+| 3 | Collective-choice arrangements | **absent** | Tunables (`_PENDING_EDGES_CAP=100_000`, `_EVENT_LOG_CAP=500_000`, `_SUBSCRIBER_QUEUE_CAP=100_000`, `_DEAD_QUEUE_MISS_THRESHOLD=200`, `_DEFAULT_DOMAIN_RESERVATION=16`) are module-level constants. Subscribers and the build worker — the actual users — cannot influence them. | No collective-choice mechanism. A subscriber who knows it cannot drain at 100k/s has no way to negotiate a smaller queue or higher miss tolerance. The build worker cannot widen the replay window for a known long-running session. |
+| 4 | Monitoring | **partial** | `LayoutAuthority.stats()` exposes `slots_emitted, edges_emitted, edges_dropped, pending_symbols, pending_edges, domains`. `layout_authority_log.stats()` exposes `size, cap, oldest_seq, newest_seq, drops, subscribers`. | **Behavior is monitored only at coarse aggregate.** No per-subscriber metrics (which sub got evicted, when, after how many misses). No per-domain slot-count distribution (could a single domain be hogging the bucket counters?). Drops are counted but the dropped key is not logged — root cause for capacity exhaustion is invisible. |
+| 5 | Graduated sanctions | **violated** (the canonical gap) | Subscriber misbehavior path: `put_nowait` fails → `_record_miss` → `misses > 200` → eviction. **One step. Binary.** Pending-edges overflow: `popitem(last=False)` → silent FIFO drop. Event log overflow: `deque.maxlen` evicts oldest, increments `_event_log_drops`. | All three commons use **threshold-then-execute**. There is no warning, no degradation, no "you're at 80% of your queue, slow your subscription request rate", no "this subscriber has been at >50% utilization for 30s — switch to LOD-2". The dead-queue threshold is the textbook example: 199 misses = healthy; 201 misses = dead. |
+| 6 | Conflict resolution | **absent** | What happens if two callers do `request_subtree(d)` while the build is mid-flight? Both succeed (idempotent — see L201-209). What happens if a subscriber subscribes mid-stream? It misses everything before its `subscribe()` and must rely on `replay_since(0)` from a separate code path. | No documented arbiter for: (a) replay-gap reconciliation (the `replay_lost` sentinel exists in `_log.replay_since` but no sanction or escalation when a client repeatedly hits it); (b) competing `request_subtree` calls during a build; (c) build-reset (`reset()`) racing with active subscribers — `_subscribers.clear()` drops them on the floor without notification. |
+| 7 | Right to self-organize | **partial** | Subscribers self-organize their own consumption (own thread, own queue, own LOD policy via `layout_authority_lod`). `request_subtree` is a self-service re-emission API. | The build worker cannot self-organize the producer rules. `_DEFAULT_DOMAIN_RESERVATION=16` is a module constant. A worker that knows it has 50 domains coming cannot pre-reserve 50 slots — it gets the chunked grow-on-demand at L82-87, which freezes earlier anchors at lower-reservation positions. The "right" exists but the mechanism is missing. |
+| 8 | Nested enterprises | **partial** | Layered: `layout_authority_geometry` (pure math) ⊂ `layout_authority` (in-memory state) ⊂ `layout_authority_log` (event log) ⊂ `layout_authority_wire` (SSE encoding) ⊂ HTTP handler ⊂ MCP server. Each layer governs at its own scale. | Governance does not flow between scales. The HTTP handler cannot tell the authority "this client is a screenshot bot, give it a snapshot and don't subscribe it"; the authority cannot tell the log "this build is small, shrink the buffer". Nesting is structural, not governance-coupling. |
+
+## 3. Rules-in-use vs rules-on-paper
+
+| Rule on paper | Rule in use | Gap |
+|---|---|---|
+| INVARIANTS I2: monotonic seq | `_event_seq` is global; `reset()` does NOT reset it (L218-223 prose vs prior code-body). | The prose-vs-code disagreement was resolved in favor of prose. **A future refactor could re-introduce the bug** — the rule survives only by comment. Make it a property test. |
+| I5: pending-edges bounded at 100k, oldest dropped | Implemented (L390-394). | `_edges_dropped` is incremented but the dropped edge's `(src,tgt,kind)` is gone — no audit trail to diagnose why a graph is missing edges. |
+| I6: emit never blocks | `_fan_out` runs against a snapshot of `_subscribers` (L91-92), so the producer doesn't block on the subscriber lock. | Producer DOES hold `_event_log_lock` across `deque.append` (L129-135). Contention is in-process µs but real. |
+| Single-producer rule (`emit` from one thread) | Asserted in module docstring; **not enforced**. | A second producer would silently corrupt seq order. Add a thread-id check in debug. |
+
+## 4. Sustainability assessment
+
+- **Slot table** regenerates only via fresh build (`build_authority` → `_log.reset` → new `LayoutAuthority`). Lifetime = one build. Sustainable.
+- **Event log**: 500k events × ~112 B = ~56 MB. Coase audit flagged this exceeds the 8 MB ceiling; sustained at ~10⁵ evt/s the buffer fills in 5 s — clients with >5s reconnect lag fall outside the window and need snapshot fallback. **Regeneration rate (deque eviction at cap) ≪ peak emission rate** during burst.
+- **Subscriber list**: regeneration via eviction. A pathological subscriber consumes producer fan-out CPU (the `put_nowait` + miss-count branch) for 200 events before reaping. At 10⁵ evt/s that is 2 ms of producer CPU spent on a dead subscriber.
+
+## 5. Polycentric-governance design (the fixes)
+
+| Scale | Authority | Decisions it should own | Constraints from above |
+|---|---|---|---|
+| Build worker (producer) | `LayoutAuthority` instance | Domain reservation hint at construction; per-build replay-window size; per-build subscriber admission policy | Module-level absolute caps (memory ceiling) |
+| Authority instance | `_log` + `_subscribers` | Per-subscriber queue size negotiated at `subscribe(qos=...)`; graduated backpressure (warn → throttle → evict) | Build worker's per-build budget |
+| Subscriber | SSE handler | Self-declared QoS (snapshot vs live; LOD level); voluntary throttling | Authority's admission decision |
+| HTTP handler | Server | Tenant identity → subscriber identity for monitoring | Authority API |
+
+## 6. Recommended interventions (priority order)
+
+1. **Graduated sanctions** (gap #5, the headline) — replace the binary
+   200-miss threshold with: misses 1–50 = silent retry; 51–100 = warn
+   in `stats()`; 101–200 = drop low-priority events for that sub
+   (`edge` before `slot`); 201+ = evict. Same shape for pending-edges
+   (warn at 80% → drop low-kind edges → drop FIFO at cap) and event
+   log (warn when oldest_seq age > 30s → emit `degraded` sentinel
+   before silent drop).
+2. **Per-subscriber identity + monitoring** (gap #1, #4) — `subscribe()`
+   takes an opaque `client_id`; `stats()` returns per-sub miss counts,
+   queue depth, last-drain-age. Enables proportional cost (#2) and
+   conflict resolution (#6).
+3. **Collective choice via `subscribe(qos=...)`** (gap #3, #7) —
+   subscriber declares (`live` | `replay-only`, `lod=0..3`,
+   `max_queue=...`); authority admits or rejects; ruleset becomes
+   negotiable, not a module constant.
+4. **Audit trail for drops** (gap #4) — log dropped edge keys to a
+   bounded ring (1k entries) accessible via `stats(detail=True)`. Cheap;
+   makes I5 violations diagnosable.
+5. **Reset notification** (gap #6) — `_log.reset()` should fan out a
+   `reset` sentinel BEFORE `_subscribers.clear()`, so SSE handlers can
+   close cleanly. Currently they discover the reset via stalled drain.
+6. **Single-producer enforcement** (rules-in-use gap) — debug-mode
+   `threading.get_ident()` check in `emit()`; assertion failure on
+   second producer. The rule survives by comment today; promote it to
+   code.
+7. **Domain reservation hint** (gap #7) — `build_authority(domain_hint=N)`
+   skips the chunked-grow path when the worker knows the count.
+
+## 7. Compliance check (coding standards §11)
+
+| Rule | Status | Note |
+|---|---|---|
+| 1 SOLID | pass | Each module = one responsibility (geometry / log / wire / protocol). Audit recommendations preserve SRP. |
+| 2 Layer dependency | pass | `layout_authority` (server-layer) imports geometry/log/wire/protocol; no inversion. |
+| 7 Local reasoning | pass | No reflection/monkey-patching; bounded structures; single-producer rule explicit. |
+| 8 Sources | pass | Ostrom 1990 Ch. 3 + Cox/Arnold/Tomas 2010 meta-analysis cited; no invented constants — all interventions parameterize existing module-level values. |
+| Stakes | High | Shared in-process resource serving SSE to live clients; concurrency-correctness load-bearing. Recommendations 1, 2, 5, 6 require ADR before merge. |
+
+## 8. Hand-offs
+
+- Graduated-sanctions implementation → **engineer** (touch
+  `layout_authority_log.py` _record_miss / _fan_out paths).
+- Formal invariant for "graduated, not binary" → **Lamport** (state
+  machine: HEALTHY → WARN → THROTTLED → EVICTED with explicit transitions).
+- Per-subscriber metrics emission → **Curie** (define what to measure;
+  baseline before/after).
+- QoS negotiation API surface → **Simon** (decompose `subscribe(qos=...)`
+  contract).
diff --git a/tasks/layout-authority/audits/panini.md b/tasks/layout-authority/audits/panini.md
new file mode 100644
index 00000000..2a320e03
--- /dev/null
+++ b/tasks/layout-authority/audits/panini.md
@@ -0,0 +1,174 @@
+# Panini Audit — Generative Grammar of the Layout Authority Event Stream
+
+Scope: the SSE wire stream produced by the consolidated authority
+(`_protocol` + `_geometry` + `_scheduler` + `_log` + `_wire`) and
+consumed by `ui/unified/js/polling.js` / `workflow_graph_bridge.js`.
+Goal: a grammar that produces **all** valid streams and **no** invalid
+ones, plus identification of constraints currently enforced only by
+convention.
+
+Stakes: **High** — every UI invariant downstream rests on the stream
+being well-formed.
+
+---
+
+## 1. Terminal alphabet (events on the wire)
+
+From `layout_authority_wire.py`:
+
+```
+SLOT(seq, id, x, y, kind, domain_id)        event: slot
+EDGE(seq, src, tgt, kind)                    event: edge
+DONE(seq, total_slots, total_edges)          event: done
+PING                                         : ping        (SSE comment)
+```
+
+Each event also carries `id: <seq>` for `Last-Event-ID` resume.
+
+---
+
+## 2. Generative grammar (BNF + side-conditions)
+
+The naive `STREAM := EVENT* DONE` is correct as a sequence shape but
+under-specifies dependencies. Slots and edges genuinely interleave, so
+linearisation alone is not enough — we need an **attribute grammar**
+whose side-conditions reference the prefix already emitted.
+
+```
+STREAM      := SESSION (RESET SESSION)*
+SESSION     := PING* EVENT_RUN PING* DONE
+EVENT_RUN   := EVENT*
+EVENT       := SLOT | EDGE | PING
+SLOT        := slot(seq, id, x, y, kind, domain_id)
+EDGE        := edge(seq, src, tgt, ekind)
+DONE        := done(seq, total_slots, total_edges)
+RESET       := <implicit on _log.reset(); seq does NOT rewind>
+```
+
+### Side-conditions (the actual generative power)
+
+Let `Σₙ` denote the multiset of slots emitted strictly before position
+`n`, and `slot[id]` the unique slot in `Σₙ` with that id (if any).
+
+* **G1 Sequence monotonicity.** For any two events `eᵢ, eⱼ` with `i<j`:
+  `eⱼ.seq > eᵢ.seq`. Strictly increasing across the **entire** authority
+  lifetime, including across `RESET` (per `_log.reset` docstring).
+* **G2 Kind closure.**
+  `slot.kind ∈ NODE_KINDS`, `edge.ekind ∈ EDGE_KINDS`
+  (`_protocol.NODE_KINDS`, `EDGE_KINDS`).
+* **G3 Slot id uniqueness.** Within a SESSION, `slot.id` is unique
+  unless preceded by a `request_subtree` invalidation containing that id;
+  later `(seq)` supersedes earlier (`I2`).
+* **G4 Domain anchor.** For every `slot` with `kind == 'domain'`:
+  `slot.id == slot.domain_id`. (`NodeDelta` precondition.)
+* **G5 Domain referential integrity.** For every `slot s`:
+  `∃ s' ∈ Σ : s'.kind == 'domain' ∧ s'.id == s.domain_id`. The domain
+  anchor MAY arrive **after** its members (`I7`); the constraint is on
+  the SESSION as a whole, not on the prefix at every position.
+* **G6 Edge endpoint precedence.** For every `edge(src,tgt,_)`:
+  `slot[src] ∈ Σ` AND `slot[tgt] ∈ Σ`. The authority buffers edges
+  whose endpoints have not landed (`I5`); buffering is internal — on
+  the wire G6 holds prefix-locally.
+* **G7 Symbol parent precedence.** For every `slot s` with `kind ==
+  'symbol'`: `∃ p ∈ Σ : p.id == NodeDelta(s).parent_id ∧ p.kind ==
+  'file'`. Buffered until parent file's slot is emitted (`I3`).
+* **G8 File parent best-effort.** For every `slot` with `kind ==
+  'file'`: parent `tool_hub` MAY be missing; placement falls back to
+  domain hub (`I4`). NOT a hard constraint.
+* **G9 Coordinate finiteness.** `math.isfinite(slot.x) ∧
+  math.isfinite(slot.y)` (`I1`, enforced in `_wire._validate_finite`).
+* **G10 Delimiter purity.** No id, kind, or domain_id contains `|`,
+  `\n`, `\r` (`_wire._validate_id`, `_validate_kind`).
+* **G11 DONE termination.** `DONE` appears at most once per SESSION;
+  `DONE.total_slots == |{e ∈ SESSION : e is SLOT}|` and likewise for
+  edges. After `DONE`, only `PING` or `RESET` may follow.
+* **G12 Tool-hub naming.** For every `slot` with `kind == 'tool_hub'`:
+  the originating `NodeDelta.tool_name` is non-empty (`NodeDelta` Pre).
+  The wire does not currently carry `tool_name`, so this is a
+  build-side, not stream-side, constraint — see §4 D-G12.
+
+A stream is **valid** iff it is derivable under the above. It is
+**invalid** iff any side-condition fails.
+
+---
+
+## 3. Conflict-resolution meta-rules (paribhāṣā)
+
+The grammar's rules can compete; explicit precedence:
+
+* **M1 Domain-late vs slot-emit.** When a non-domain slot is ready but
+  its domain anchor has not arrived: emit anyway against placeholder
+  anchor; slot is FINAL (`I7`). G5 holds session-globally, not
+  prefix-locally. (Precedence: `I7` > strict G5.)
+* **M2 File-late vs symbol-emit.** Symbols WAIT for parent file;
+  buffered, not faulted. (Precedence: `I3` > liveness for symbols.)
+  Asymmetric with M1 because symbol coordinates are computed *from*
+  the file slot, not from the domain anchor.
+* **M3 Buffer overflow vs liveness.** Pending-edges buffer at cap →
+  drop oldest with counter (`I5`). The grammar tolerates a pruned
+  suffix; it MUST NOT tolerate ill-formed events.
+* **M4 Reset vs resume.** `Last-Event-ID: N` after `RESET` with
+  `oldest_seq > N+1` ⇒ `replay_lost` sentinel (`_log.replay_since`),
+  client falls back to snapshot. Seq counter NEVER rewinds across
+  reset, by I3-prose (the prose, not the original code body, is
+  authoritative — see `_log.reset` docstring).
+
+---
+
+## 4. Constraints currently NOT enforced structurally
+
+The current 5-module split enforces some constraints by **assertion in
+docstrings + reviewer discipline**, not by structure. Each row names
+the gap, where it would be caught, and what would make it structural.
+
+| ID | Constraint | Where (in)visible | What is enforced today | Structural fix |
+|----|-----------|-------------------|------------------------|----------------|
+| **D-G1** | Single-producer monotonicity of `seq` | `_log.emit` | Prose only ("MUST be called from a single producer thread"). Two threads can interleave `seq` assignment + fan-out and break per-subscriber order. | Assert `threading.get_ident()` matches a captured producer-thread-id at `emit` entry. (Already flagged by Dijkstra D1.) |
+| **D-G3** | Slot id uniqueness within a SESSION | nowhere | `_protocol` says "unique"; `_log` does not check; `_wire` does not check. A double-`add_node` for the same id silently emits two slots with different seq → client sees "node moved." | A small `set[str]` of emitted slot ids in the authority's main store; reject (or coalesce) duplicates at `add_node` time. |
+| **D-G6** | Edge-endpoint precedence on the WIRE | `_protocol.EdgeDelta` Pre, `I5` | The protocol says "buffer until both endpoints arrive"; the buffer is internal to the (yet-unwritten) `layout_authority.py`. The 5 modules as shipped have **no buffer** — `_scheduler` does not know about edge dependencies, and `_log` will happily emit an `edge` whose endpoints have never been emitted as slots. | Edge admission gate in the authority main loop: pop edge → check both endpoints in slot-id set → emit OR push to pending-edges deque keyed by missing endpoint. This is exactly the missing piece. |
+| **D-G7** | Symbol→file parent precedence | `_protocol` `I3` prose | Same as D-G6: today, nothing structurally forces the file's slot to be emitted before any of its symbols' slots. `_scheduler` orders by *priority* (file=P2 < symbol=P4) but priority does not encode dependency: a P4 symbol whose file is queued at P2 can still pop after its file IF the worker drains P0..P4 in order — only because of a coincidental priority gradient, not a real dependency check. | Per-symbol "blocked-on" set in the authority store; release when parent file slot is emitted. Same machinery as D-G6. |
+| **D-G5** | Every `domain_id` resolves to a `kind=='domain'` slot in the SESSION | `_protocol` `I7` | Not checked at `done` time. A SESSION can legally end with `DONE` while some `domain_id` referenced by member slots was never accompanied by its anchor. | At `DONE` emission, validate every observed `domain_id` is in the set of emitted-domain ids; if not, emit a deferred placeholder anchor first. |
+| **D-G11** | `DONE.total_slots / total_edges` consistency | `_wire.format_done` | Only checks non-negativity. The authority computes the totals; nothing cross-checks against the actual fan-out count. | Counter incremented by `_log.emit` for each kind; `format_done` consumes those counters rather than caller-supplied numbers. |
+| **D-G10** | Delimiter purity | `_wire._validate_id` | Caught at the WIRE boundary, not at protocol boundary — late. By the time `_wire` raises, the event has already been `submit`-accounted in `_scheduler`. | Move `_validate_id` / `_validate_kind` into `add_node` / `add_edge` entry. (Dijkstra D-pre also flags this.) |
+| **D-G12** | `tool_name` non-empty for `tool_hub` | `_protocol.NodeDelta` Pre | Documented; not asserted at construction (`NodeDelta` is a frozen dataclass without `__post_init__`). | Add `__post_init__` to `NodeDelta` raising `ValueError` for the per-kind preconditions enumerated in its docstring. |
+
+### The single most load-bearing structural gap
+
+**D-G6 / D-G7 — endpoint and parent precedence are not enforced
+structurally.** They are stated in `_protocol`'s `I3`/`I5` prose and
+expected to be honoured by a **reference implementation that does not
+yet exist** (`layout_authority_protocol.authority_from_geometry`
+forward-imports `layout_authority.build_authority`, which is unwritten
+in the 5 modules under audit). The scheduler orders by priority and the
+log fans out FIFO; nothing in the 5 shipped modules enforces "EDGE only
+after both SLOTs" or "SYMBOL slot only after FILE slot." On any
+out-of-order arrival from the build worker the wire WILL emit an
+ill-formed stream (G6 / G7 violated), and the client will draw edges to
+non-existent nodes or symbols at the domain hub instead of inside their
+file petal.
+
+---
+
+## 5. Economy (lāghava) check
+
+* 12 generative rules (G1–G12) cover the full event stream — comparable
+  to the rule density of the existing audits' invariants.
+* 4 conflict-resolution meta-rules (M1–M4) replace what would otherwise
+  be ~7 ad-hoc "what if X arrives before Y" branches.
+* 8 structural gaps (D-G*) all collapse to **one missing module**:
+  the authority main loop with two small data structures (slot-id set,
+  pending-by-endpoint map). This is the Pāṇinian compression — most
+  apparent gaps share a single unwritten origin.
+
+---
+
+## 6. Hand-offs
+
+* **Knuth** — implement the slot-id set + pending-by-endpoint map with
+  the exact O(1) amortized cost the closed-form geometry promises.
+* **Dijkstra** — pre/post conditions in §1 align with D0–D2 of his
+  audit; integration must satisfy both.
+* **Popper** — the negative tests are: (a) emit edge before either
+  endpoint, (b) emit symbol before its file, (c) emit two slots with
+  the same id, (d) emit member slot whose domain_id never appears.
+  Each must fail **structurally** post-fix, not by reviewer catch.
diff --git a/tasks/layout-authority/audits/pearl.md b/tasks/layout-authority/audits/pearl.md
new file mode 100644
index 00000000..47659d43
--- /dev/null
+++ b/tasks/layout-authority/audits/pearl.md
@@ -0,0 +1,200 @@
+# Pearl — Causal DAG of the Failure-Producing Structure
+
+> Prior audits surfaced **correlations** in failure modes: every iteration had
+> renderer-owned layout; every audit found the `slot.id` vs `slot.node_id`
+> mismatch; every reseat bug coincided with late parents. Correlation isn't
+> causation. The question is: **which design choices, if reversed, eliminate
+> the downstream failures, and which are mediators that disappear when the
+> root is fixed?** This requires the DAG, not more incident counts.
+
+## 1. Causal question
+
+- **Effect Y** = the seven failure dimensions in jobs.md §4 (no continuous
+  emission, no provenance, no interactivity within 2s, non-deterministic
+  positions, flicker/teleport, no reconnect, unbounded memory).
+- **Putative causes X** = the design choices ratified across six iterations.
+- **Ladder rung required:** rung 2 — *intervention*. The user has to choose
+  which design choice to flip. "Iterations correlate with failure" (rung 1)
+  is useless; "do(renderer_owns_layout = false) eliminates failures F1, F3,
+  F4, F5, F7" is actionable.
+- **Current evidence rung:** rung 1 across all 64 prior audits. The DAG
+  below promotes the evidence to rung 2 *under stated structural assumptions*.
+
+## 2. Causal DAG
+
+Nodes are design choices (italic = **root node**, no parents in the design
+graph; bold = observed failure, leaf). Edges = direct causal influence.
+
+```
+                         R1: NO INTEGRATOR EXISTS
+                          (no module owns the seam)
+                          /          |          \
+                         v           v           v
+                    M1: counter   M2: pending   M3: silent
+                    map has no    buffers I3/I5  drops on
+                    owner         only in prose  scheduler full
+                       \            |              |
+                        \           v              v
+                         \       F-RESEAT       F-NO-CONT
+                          \      F-EDGE-(0,0)   (burst/pause)
+                           \        |
+                            \       |    R2: RENDERER OWNS LAYOUT
+                             \      |    (workflow_graph.js prepareTopology)
+                              \     |    /            |          \
+                               v    v   v             v           v
+                              F-NON-DETERMINISTIC  F-FREEZE   M4: two
+                              POSITIONS            ON REBUILD layout
+                              (append-clump)       (debounce)  systems
+                                                                   \
+                                                                    v
+                                                            M5: MutationObserver
+                                                            referee → F-FLICKER
+
+       R3: METAPHOR OVER-PROMISES                R4: SINGLE-PRODUCER
+       ("neural map" = decoration                  ASSUMED, NOT
+        in renderer's mind)                        STRUCTURALLY ENFORCED
+              |                                          |
+              v                                          v
+       M6: SlotAssignment carries                M7: seq monotonicity
+       only (id,x,y,kind,dom);                   argued in prose; second
+       provenance dropped at wire                emitter possible
+              |                                          |
+              v                                          v
+       F-NO-PROVENANCE                           F-OUT-OF-ORDER-DELIVERY
+       (tooltip useless)                         (rare; latent)
+
+       R5: NO STRUCTURAL TYPE-CHECK
+       BETWEEN PROTOCOL AND WIRE
+              |
+              v
+       M8: format_slot reads slot.id;
+       SlotAssignment exposes node_id
+              |
+              v
+       F-FIELD-NAME-BUG (AttributeError on first emit)
+```
+
+**Roots (no parents in the design graph):** R1, R2, R3, R4, R5.
+
+**Mediators (M1–M8):** removable iff their root is removed. Controlling for
+a mediator without removing the root is the canonical mistake — it produced
+six iterations of "fix the symptom" with no progress.
+
+**Missing edges (assumptions made explicit):**
+- R1 → R2 absent: the renderer owned layout BEFORE any integrator was
+  attempted. R2 is upstream of R1 historically and structurally independent.
+- R2 → R3 absent: the metaphor failure is independent of who owns layout;
+  even a server-authoritative renderer could drop provenance at the wire.
+- R5 → R1 absent: the field-name bug exists in the *wire* and would fire
+  the moment any integrator emitted a slot. It is independent of R1.
+- No edge from any failure F back into any root: failures don't cause
+  design choices. (DAG, acyclic — required for do-calculus.)
+
+**Source of graph:** induced from the prior audits (dijkstra, feynman,
+jobs, ginzburg as cited in jobs.md, einstein, polya). Not data-mined.
+
+## 3. Identifiability — backdoor analysis per root
+
+For each root R, the question is: would `do(R = false)` eliminate the
+downstream F's? The backdoor criterion holds if no unblocked backdoor
+path exists from R to F. Since each R has no parents in the design graph,
+all paths R → F are directed forward; **the causal effect of intervention
+on each root is identifiable by construction** under the stated DAG.
+
+The only unmeasured-confounder threat: a hidden common cause C → R_i and
+C → F. Candidate C: "the user's time pressure / six-iteration fatigue."
+This could plausibly co-cause both "we shipped without an integrator"
+(R1) and "the renderer kept its old layout code" (R2). Sensitivity check:
+if C is removed (calm green-field rewrite) and R1, R2 are still chosen,
+the failures still occur. ⇒ R1 and R2 are *causal*, not artifacts of C.
+
+## 4. Do-calculus interventions — predicted downstream effects
+
+| Intervention | Mediators severed | Failures removed | Failures untouched |
+|---|---|---|---|
+| **`do(R1 = false)`** — write `layout_authority.py`, single owner of counters + pending buffers + producer | M1, M2, M3 | F-RESEAT, F-EDGE-(0,0), F-NO-CONT | F-NO-PROV, F-FREEZE, F-FLICKER, F-NON-DETERM, F-FIELD-NAME |
+| **`do(R2 = false)`** — delete `prepareTopology`/`computeSlots` from JS; renderer becomes passive subscriber | M4, M5 | F-FREEZE, F-FLICKER, F-NON-DETERM | F-NO-PROV, F-FIELD-NAME, F-OUT-OF-ORDER |
+| **`do(R3 = false)`** — extend `SlotAssignment` to carry `(source_path, parent_id, edges_in/out)` through the wire | M6 | F-NO-PROVENANCE | F-RESEAT, F-FREEZE, F-FIELD-NAME |
+| **`do(R4 = false)`** — thread-id assertion at `_log.emit` entry, structurally one worker | M7 | F-OUT-OF-ORDER (latent) | (none others) |
+| **`do(R5 = false)`** — generate wire codecs from protocol dataclass; CI lint forbids divergence | M8 | F-FIELD-NAME-BUG | (none others) |
+
+**Joint intervention `do(R1=false, R2=false, R3=false, R4=false, R5=false)`
+removes all seven F's. No subset does.** This is the do-calculus reading
+of jobs.md §4: zero-of-seven pass not because the iterations were lazy,
+but because each iteration intervened on at most one root and the others
+remained active confounders of the shipped experience.
+
+## 5. Confounding audit — what NOT to control for
+
+| Variable | Role | Control? | Reason |
+|---|---|---|---|
+| Iteration count | Collider of (R1,R2,R3) and "user frustration" | **No** | Conditioning on "we tried 6 times" creates spurious correlation between roots; e.g. "iterations that fixed R5 also fixed R2" is collider bias from selecting on shipped attempts. |
+| FPS at idle | Mediator on R2 → F-FREEZE | **No** | Optimising FPS without removing R2 (e.g. tilemap raster) drops M6 and creates F-NO-PROVENANCE. Observed in iteration 5. |
+| Payload byte size | Mediator on R3 → F-NO-PROV | **No** | "Make wire smaller" prunes provenance fields; pushes failure to the user. Observed. |
+| Test count on the six modules | Pre-treatment, irrelevant | **No** | Modules pass tests in isolation (feynman §6); tests do not exercise R1–R5. |
+| Whether prior audit found the field-name bug | Descendant of R5 | **No** | Conditioning on "the bug was found" introduces selection bias on R5 fix attempts. |
+
+**Pattern of prior failure:** every iteration controlled for a *mediator*
+(FPS, payload, test pass-rate, frame budget) without intervening on a *root*.
+This is exactly the Simpson's-Paradox pattern — local optimisation per
+mediator made each iteration look like progress while the root-driven
+joint distribution stayed unchanged.
+
+## 6. Counterfactual (rung 3) — would `do(R1=false)` 6 months ago have prevented this?
+
+Abduction: given that R2–R5 were independently chosen and that the user's
+frustration grew monotonically with iteration count, infer that the
+exogenous "time pressure" variable was high.
+Action: set R1=false at iteration 1.
+Prediction: M1, M2, M3 never form. F-RESEAT and F-EDGE-(0,0) and F-NO-CONT
+never observed. R2 (renderer-owned layout) becomes *exposed* as the next
+binding constraint by iteration 2 and is fixed earlier. **R1 is not just
+the leverage point for now; it is the leverage point that, fixed earliest,
+shortens the remaining causal chain by exposing R2.**
+
+## 7. Sensitivity analysis — unmeasured confounders
+
+- **C1 — "Renderer authoring layout is the JS ecosystem default."** Plausible
+  common cause of R2 (kept the JS layout code) and of weak server-side
+  layout discipline (delayed R1). E-value: an unmeasured confounder would
+  need to explain both choices completely *and* explain why a clean rewrite
+  also lands at the same defaults. Implausibly strong → R1 and R2 remain
+  causal.
+- **C2 — "Field-name bug is a typo, not a structural choice."** If R5 is
+  random, then `do(R5=false)` only removes one failure instance, not the
+  class. Counterargument: the same kind of bug (`format_done` totals from
+  caller, prose-only invariants) appears across the six modules. Pattern
+  ⇒ R5 is structural (no codegen / no contract test), not random. Conclusion
+  preserved.
+- **C3 — Unmeasured: build-worker behaviour under load.** Could
+  independently cause F-NO-CONT even after R1 fix. Hand-off to **Curie**
+  for measurement at 10⁶/sec; if confirmed, add R6 = "scheduler caps
+  exceed 8MB ceiling" (already flagged dijkstra B1).
+
+## 8. Conclusion
+
+- **Causal effect estimate:** seven observed failures, five structural roots,
+  effect of joint intervention is removal of all seven (under the DAG).
+  Effect of any single intervention is partial; effect of intervening only
+  on mediators is zero (six iterations of evidence).
+- **Rung achieved:** 2 (intervention) under stated structural assumptions.
+- **Key assumptions:** the DAG is acyclic; no unmeasured confounder of
+  R1∧R2 strong enough to flip the conclusion (C1 implausible);
+  build-worker not an independent cause of F-NO-CONT (Curie to verify).
+- **Recommendation:** execute `do(R1=false)` first (highest leverage —
+  severs three mediators, exposes R2 as next binding constraint), then
+  `do(R2=false)`, then `do(R3=false)`, then R5 (cheap, codegen lint),
+  then R4 (assertion). **Do not intervene on mediators.**
+
+## 9. Hand-offs
+
+- **engineer** — `do(R1=false)` is the build of `layout_authority.py`
+  per jobs.md §5 / polya §6; `do(R2=false)` is the deletion of
+  `prepareTopology`/`computeSlots` per ginzburg §5.2.
+- **Curie** — measure F-NO-CONT *after* R1 intervention to test C3
+  (whether build-worker is a residual cause).
+- **Fisher** — if R1+R2 both done and F-NO-CONT persists, design the
+  randomized A/B to discriminate scheduler-cap vs build-worker as the
+  next root.
+- **Lamport** — formalize the single-producer invariant (R4) in TLA+
+  if the assertion-based enforcement proves insufficient under chaos test.
diff --git a/tasks/layout-authority/audits/peirce.md b/tasks/layout-authority/audits/peirce.md
new file mode 100644
index 00000000..6285555e
--- /dev/null
+++ b/tasks/layout-authority/audits/peirce.md
@@ -0,0 +1,106 @@
+# Peirce abductive audit — Layout Authority
+
+**Procedure.** A surprising fact C is observed. Hypothesis A is admissible only if (i) it would make C a matter of course, (ii) it is testable, (iii) it is the cheapest of the candidates that survive. Abduction does not conclude — it elects a candidate for inquiry.
+
+---
+
+## 1 — The five surprising facts (restated as one corpus)
+
+| # | Anomaly | Source audits |
+|---|---|---|
+| C1 | Workers have no closed feedback channel back to producers | Boyd §4, Beer S3/S4, Maxwell |
+| C2 | The integrator (`layout_authority.py`) was absent for the entire session; the six suffixed modules existed in isolation | Feynman §1.2, Polya |
+| C3 | Every quantitative threshold (queue caps, miss=200, log=500k, 0.8 overload, LOD slope ±0.05) is an estimate, not a measurement | Curie C12–C30 |
+| C4 | The "neural graph" framing promises perceptual richness the slot geometry cannot deliver beyond ~10⁵ nodes | Midgley |
+| C5 | The same `slot.id` vs `slot.node_id` field-name bug surfaced independently in four audits | Feynman §1.7, Aristotle, Bateson, Alexander |
+
+These are not five problems. The Peircean question: *what single hypothesis would make all five a matter of course?*
+
+---
+
+## 2 — Candidate hypotheses (the abductive field)
+
+I refuse to commit before the field is enumerated. Six candidates:
+
+- **H1 — "The geniuses missed something earlier."** Rejected by the user's framing and by the data: the audits are catching the anomalies *now*, faithfully. This hypothesis explains nothing it doesn't explain by tautology.
+- **H2 — Time pressure.** Would explain C2 and C5 (rushing → forget the wiring file, copy the wrong field). Does not explain C1 (a structural absence, not an oversight) or C3 (numbers chosen, not measured — that is a *category* of decision, not a hurry).
+- **H3 — Skill/competence gap.** Refuted by the artifacts: the six modules are individually well-formed (Beer S1/S2/S5 verdict). A skill gap would produce uniformly weak modules; we see strong modules with absent connective tissue.
+- **H4 — Premature commitment to a metaphor ("neural graph") before the operational contract was specified.** Promising — see §3.
+- **H5 — Specification was written downward (top-level vision → modules) but never closed upward (modules → integration test → producer feedback → measured numbers).** Strongest candidate — see §3.
+- **H6 — The system was built as a *catalogue of capabilities* rather than as a *control loop*.** Reformulation of H5 in cybernetic vocabulary; same predictions.
+
+H4, H5, H6 are not independent. H4 is the *occasioning cause*; H5/H6 is the *structural cause*. The cheapest test (§4) discriminates among them.
+
+---
+
+## 3 — The single hypothesis: **the project was specified open-loop and never closed**
+
+> **H\*: The artefacts were produced by descending one level at a time from a metaphor ("neural graph of methodology") to modules, without ever ascending back through an integration loop that would have forced producer-feedback, integrator-existence, measurement, scale-honesty, and field-name agreement to be resolved as preconditions of shipping a single end-to-end node.**
+
+If H\* is true, then each of C1–C5 is a matter of course:
+
+| Anomaly | Why H\* makes it expected |
+|---|---|
+| C1 (no producer feedback) | Closing the loop is precisely what the open-loop spec *omits*. A closed loop is not a module — it is a constraint on the relationship between modules. Module-by-module specification cannot generate it. |
+| C2 (integrator absent) | The integrator is the upward-closure artefact. It exists only when someone runs `add_node` end-to-end and is forced to wire the modules. Open-loop specification produces six well-formed *parts* and zero *wholes*. |
+| C3 (estimates, not measurements) | Measurements require an instrument running against a real load. The open-loop path never instantiates a real load — there is no producer-→-authority-→-subscriber circuit to measure. So every number is the author's prior, not a posterior. Curie's C7 is the lone exception (one ran benchmark) — and it is also the lone module-internal measurement, requiring no integration. |
+| C4 (metaphor over-promises) | The metaphor was the *seed* of the open-loop descent. It was never tested against the geometry's actual capacity because the only test that would force the comparison is an end-to-end render of a real corpus at scale — which requires the integrator (C2). The metaphor stays unfalsified because the loop stays open. |
+| C5 (field-name bug repeats) | `wire.format_slot` reads `slot.id`; `geometry` produces `slot.node_id`. This bug *cannot exist* the first time anyone calls `format_slot(geometry.compute_slot(...))`. It exists for exactly as long as that call is never made. The four-fold independent rediscovery is itself evidence: every audit that traced a real path *had* to encounter it; no audit that ran the code did, because no code runs the path. |
+
+H\* makes all five a matter of course. No competing hypothesis does.
+
+---
+
+## 4 — Predictions (deductive, falsifiable)
+
+If H\* is correct, then:
+
+- **P1** — The repository contains *no* test that constructs a `NodeDelta`, runs it through `submit → pop → compute_slot → format_slot → SSE frame → subscriber decode`. (Cheapest test: `grep -r "format_slot" tests/`.)
+- **P2** — Every benchmark that exists is module-internal (geometry only, scheduler only). None spans modules. (Test: read `bench_layout_authority.py`.)
+- **P3** — The numbers in `cost-model.md` will not match a measurement when one is run, in a *predictable direction*: the geometry numbers are roughly right (one real run exists, C7); the integration numbers (C9–C11) will be *worse*, not better, than the unmeasured estimates, because integration overhead is invisible to module benchmarks.
+- **P4** — There is no `degraded` event type, no producer-throttle channel, no overload-entered/exited edge event in `_log.py`. (Already confirmed by Boyd §1.)
+- **P5** — The `slot.id` vs `slot.node_id` mismatch will be one of *several* such mismatches once the integrator is written. Predicted siblings: edge `source_id`/`src`, sequence `seq`/`seq_no`, kind `kind`/`node_kind`. (Test: diff field names across the six modules.)
+
+P1, P2, P4 are free. P5 costs one `grep`. P3 costs one benchmark. **The hypothesis is testable in under an hour.**
+
+---
+
+## 5 — Why this is not "the geniuses missed something"
+
+The geniuses are operating *correctly*. Open-loop specification *forbids* the integrator's absence from being noticed at any single module's level — that's the definition of open-loop. Each module's audit is sound on its own terms. The anomaly is visible only when audits are *composed*, which is what this prompt does. Peirce's point: abduction operates on the cross-product of observations, not on each observation singly. The geniuses delivered the substrate; the abductive step is taken here.
+
+---
+
+## 6 — The economy-ordered remedy
+
+Do not fix C1–C5 in parallel. They are symptoms of one cause; fix the cause:
+
+1. **Close the loop first** (cheapest, ~1 day): write the integrator. Make `add_node('file:x')` produce one real SSE frame to one real subscriber. This single act will *force* C5 to surface (the field-name bug bites at first run), force C2 to be resolved (the integrator exists), and create the *only* instrument that can later resolve C3.
+2. **Instrument the closed loop** (~2 days, after step 1): producer→authority RTT, drops/sec, subscriber miss rate, end-to-end latency p50/p95/p99. These are the measurements that retire C3's estimates and create the feedback channel C1 demands.
+3. **Re-test the metaphor against measured scale** (~1 week, after step 2): render the actual Cortex corpus. Find the node count at which the geometry-as-perception story breaks. Replace the metaphor with the measured ceiling. C4 dissolves.
+
+Doing 2 or 3 before 1 is wasted — open-loop measurements measure a fiction.
+
+---
+
+## 7 — Pragmatic-maxim check
+
+What practical difference does H\* make versus H1 ("missed something")?
+
+- Under H1, the action is *more audits*. Under H\*, the action is *one integrator + one end-to-end test*.
+- Under H1, the field-name bug is fixed in isolation; under H\*, the integrator's first run finds it *and* its siblings (P5) at zero marginal cost.
+- Under H1, future modules are added the same way and reproduce the same five anomalies. Under H\*, the closed loop becomes the gate: no module ships until it traverses the loop.
+
+The two hypotheses produce *different* concrete next moves. The distinction is not verbal. H\* is the load-bearing one.
+
+---
+
+## 8 — Refusal conditions
+
+I refuse to upgrade H\* from candidate to belief until P1, P2, P5 have been checked (free) and P3 has been measured (one benchmark run). Until then H\* carries the status `untested-candidate`. Hand off:
+
+- **Fisher** — design the integration benchmark that decides P3.
+- **Pearl** — confirm the causal direction (open-loop spec → all five anomalies, not the reverse).
+- **Feynman** — integrity-audit the integrator once it exists.
+
+The abductive inference elects the candidate. It does not close the case.
diff --git a/tasks/layout-authority/audits/poincare.md b/tasks/layout-authority/audits/poincare.md
new file mode 100644
index 00000000..e58226c1
--- /dev/null
+++ b/tasks/layout-authority/audits/poincare.md
@@ -0,0 +1,170 @@
+# Poincaré — Qualitative dynamics of the layout authority
+
+**Method:** Poincaré 1890. Do not solve. Characterise. Map the
+phase portrait of (λ, δ), name the fixed points, classify their
+stability, locate the bifurcation curves, and predict the visible
+symptom in each region. The number is Erlang's job; the shape is mine.
+
+## 1. State variables and reduction
+
+Full state of the authority is high-dimensional: seven priority deque
+depths, the log-ring write head, every SSE client's queue depth,
+`k_retry`, `emit_permitted`. By Erlang §6 the **binding constraint is
+the SSE per-client queue**, drained at δ; everything upstream is ≥15×
+faster. The slow manifold of the system collapses to two state
+variables:
+
+  Q  = SSE backlog (one client, worst case), 0 ≤ Q ≤ K_sse = 1·10⁵
+  R  = retry-amplification gain k_retry, ≥ 0
+
+driven by two control parameters:
+
+  λ  = sustained event rate from build worker (events/s)
+  δ  = subscriber drain rate (events/s/client)
+
+Effective arrival rate at SSE: λ_eff(λ, R) = λ · (1 + R · 𝟙[Q=K_sse]).
+The shedding governor turns retries on when Q saturates; Maxwell's
+proposed speed-controller would turn λ down when Q approaches K_sse.
+
+## 2. Fixed points (no incubation needed; algebra is qualitative)
+
+dQ/dt = λ_eff − δ. Set to zero.
+
+| Name | Location | Existence condition | Stability |
+|---|---|---|---|
+| **F₀ healthy** | Q* = 0, R* = 0 | λ < δ | **stable node** (both eigenvalues negative if no retry) |
+| **F₁ saturated** | Q* = K_sse, R* > 0 | λ ≥ δ | **unstable** if k_retry ≥ 1 (Maxwell §2); **stable** if k_retry < 1 |
+| **F₂ throttled** | Q* < K_sse, λ_throttled = δ | speed-controller engaged & λ_raw > δ | **stable spiral** (Maxwell band gives damping) |
+
+F₀ and F₂ are the only attractors a healthy system should sit at.
+F₁ is a saddle whose unstable manifold is the retry-storm trajectory.
+
+## 3. Bifurcation curves on the (λ, δ) plane
+
+```
+   δ (drain, events/s/client)
+   ↑
+   |   I  HEALTHY                    (F₀ globally attracting)
+   |  ─────────────────  λ = δ        ← transcritical bifurcation
+   |   II  COMPENSATED OVERLOAD
+   |        (Q grows toward K_sse, drops begin, R still ≈ 0)
+   |  ─────────────────  λ = δ·(1 + ε_retry_threshold)
+   |   III  HOPF / LIMIT CYCLE
+   |        (drop ↔ recover oscillation; k_retry crosses 1)
+   |  ─────────────────  λ ≈ μ_authority ≈ 7.28·10⁵
+   |   IV  RUNAWAY
+   |        (worker itself overloads; backlog grows on every tier)
+   +─────────────────────────────────→ λ
+```
+
+Three codimension-1 boundaries:
+
+- **B₁: λ = δ** — transcritical. Below: Q decays to 0. Above: Q rises
+  monotonically to K_sse on a timescale K_sse/(λ−δ). Erlang gives the
+  number (e.g. 0.15 s at λ=μ); I give the shape — a ramp, not a
+  resonance, until B₂ is crossed.
+- **B₂: k_retry(λ, δ) = 1** — Hopf bifurcation. F₁ loses stability; a
+  limit cycle is born. This is exactly Maxwell's "growing oscillation"
+  threshold at §2. Empirically B₂ sits just above B₁ because viewport
+  drag + SSE auto-reconnect both refire on missing data → k_retry > 1
+  almost the instant Q hits K_sse.
+- **B₃: λ = μ_authority** — second saturation. Now the worker queue
+  also grows; deque P5 then P4 begin to drop (Erlang §3b). This is a
+  *fold* on the upstream variable: drops cascade up the priority
+  ladder.
+
+## 4. The four regions and their visible symptoms
+
+| Region | Phase-space description | Predicted symptom (what an operator sees) |
+|---|---|---|
+| **I  HEALTHY** (λ < δ) | Single global attractor F₀. All trajectories decay exponentially to zero backlog. Time-constant ≈ 1/(δ−λ). | SSE clients show steady frame rate, no gap-snapshots, `is_overloaded()` returns False. |
+| **II  COMPENSATED OVERLOAD** (δ < λ < δ·(1+ε)) | F₀ destroyed; F₁ stable. Q saturates at K_sse, dropping at rate (λ−δ). No retry yet. | Steady stream of dropped events; clients see staleness but no oscillation; gap-snapshot path triggers on lag > 0.69 s (Erlang §5). **Observable: drop counter rising linearly, frame rate steady but stale.** |
+| **III  LIMIT CYCLE** (λ above the Hopf curve) | F₁ becomes unstable spiral. Trajectory orbits a closed curve in (Q, R) space with period T ≈ τ_loop · 2π / √(k_retry − 1). With τ_loop ≈ 10 ms and k_retry ≈ 1.5, **T ≈ 90 ms ⇒ ~11 Hz oscillation**. | Visible "breathing" of the graph: nodes appear, vanish, reappear. Reconnect storms. CPU sawtooths. **This is the failure mode operators report as "the viz keeps flapping."** |
+| **IV  RUNAWAY** (λ > μ_authority) | F₁ unbounded; deque tier saturates upstream; trajectory diverges along the priority ladder (edges drop first, then symbols, then files). | Total visualisation collapse. The qualitative character is no longer oscillation — it is monotone loss. Edges disappear permanently, then symbols, then domains. Recovery requires full reseed. |
+
+## 5. Basin of attraction for HEALTHY (F₀)
+
+In the open-loop (current shedding-only) system the basin of F₀ is
+exactly Region I — **the healthy attractor exists only when λ < δ at
+every instant**. Any sustained excursion across B₁ permanently leaves
+the basin until λ falls back; if k_retry ≥ 1, the excursion
+self-amplifies (Region III) and the basin is not re-entered without
+an external reset.
+
+With Maxwell's speed-controller installed (the F₂ attractor opens up):
+**the basin of {F₀ ∪ F₂} expands to all (λ, δ) with λ_raw < μ_authority**.
+The throttle moves the system off its unstable manifold by clamping
+the producer to δ. This is the qualitative payoff Maxwell quantifies:
+F₂ replaces the limit cycle in Region III with a stable spiral.
+
+## 6. Topological equivalence to a known problem
+
+The (Q, R) dynamics are topologically equivalent to the **Watt
+governor on a flywheel with delayed feedback** (Maxwell 1868). Same
+two state variables (load, gain), same two parameters (drive, drain),
+same Hopf bifurcation when delay·gain > 1. The cure is the same:
+hysteresis band + integrator, exactly Maxwell §4.
+
+They are also equivalent to a **predator-prey system** with retries as
+predator and queue capacity as prey — Lotka-Volterra orbits in the
+unstable region. The 11 Hz "breathing" is the predator-prey limit
+cycle.
+
+Recognising the equivalence imports the cure: damping = deadband (§4
+of maxwell.md), gain·delay margin = 2.5× (verified by Maxwell §3).
+No new mathematics is needed.
+
+## 7. Cross-check against Erlang and Maxwell
+
+| Audit | Their finding (numerical) | My finding (qualitative) | Agree? |
+|---|---|---|---|
+| Erlang §5 | P_block(SSE) = 0.93 at λ=μ | Region II/III: F₀ destroyed for λ > δ | ✓ same boundary B₁ |
+| Erlang §9 | one flapping client → λ_eff > μ alone | Region III & IV reachable from a single stuck subscriber | ✓ basin escape via R |
+| Maxwell §2 | shedding unstable when k_retry ≥ 1 | Hopf bifurcation B₂ at k_retry = 1 | ✓ same threshold |
+| Maxwell §3 | speed control moves loop to gain·delay = 2.5× margin | F₂ opens; basin of attractor set expands to all λ < μ | ✓ same cure |
+| Maxwell §4 | three-poll deadband to suppress bang-bang | hysteresis collapses limit cycle to stable spiral | ✓ same mechanism |
+
+The three audits triangulate. Erlang sets the numerical thresholds;
+Maxwell proves stability is gain·delay-bounded; Poincaré classifies
+the *kind* of failure in each region so the operator-visible symptom
+can be predicted before the failure happens.
+
+## 8. Operational implication — symptom-to-region inverse map
+
+For SRE / runbook use. Given an observed symptom, locate the region:
+
+| Observed symptom | Region | First action |
+|---|---|---|
+| Frame rate smooth, no drops | I | nothing — system is in F₀ |
+| Drop counter rising linearly, frame rate steady-stale | II | reduce λ (back-pressure) or raise δ (faster client); single fixed point — will not self-recover but will not worsen either |
+| Frame rate oscillating at ~5–20 Hz, reconnect storms | III | **install speed-controller (Maxwell)** — shedding alone cannot exit this region |
+| Edges, then symbols, then files vanishing in priority order | IV | full reseed; producer rate exceeds worker capacity, not just drain |
+
+## 9. Refusal conditions
+
+- **k_retry assumed ≥ 1, not measured.** The Hopf curve B₂ position
+  depends on this; if Curie measures k_retry < 1 in production, Region
+  III collapses into Region II and the limit-cycle prediction is
+  spurious. Maxwell §8 raises the same concern.
+- **Single-client reduction.** A multi-client SSE fanout has δ_eff =
+  min over subscribers; the slowest client sets the boundary B₁.
+  Per-client basin computation is left to a follow-up (one Poincaré
+  section per client).
+- **Slow-manifold reduction assumes upstream tiers are fast.** Valid
+  while λ < μ_authority. Region IV breaks the reduction; analyse
+  upstream queues separately (Erlang §3b already does this).
+
+## 10. Hand-offs
+
+- **Erlang** — bifurcation curve B₃ is exactly your tip-over at λ=μ;
+  the qualitative regions agree with the numerical thresholds.
+- **Maxwell** — the F₂ attractor your speed-controller creates is the
+  qualitative justification for the gain·delay-margin calculation.
+- **Curie** — measure k_retry over a 60 s window of induced overload;
+  the position of B₂ on the (λ, δ) plane is the load-bearing unknown.
+- **Mandelbrot** — the limit-cycle period (~90 ms) and the priority-
+  ladder cascade in Region IV both have self-similar structure; worth
+  a fractal-dimension look at the log-ring waveform.
+- **Hamilton** — priority-displacement is the *boundary condition*
+  that selects which deque saturates first when trajectory enters
+  Region IV. Same governor at the priority-deque scale.
diff --git a/tasks/layout-authority/audits/polya.md b/tasks/layout-authority/audits/polya.md
new file mode 100644
index 00000000..065df76f
--- /dev/null
+++ b/tasks/layout-authority/audits/polya.md
@@ -0,0 +1,180 @@
+# Pólya — Heuristic Audit of the Layout Authority Stuckness
+
+> "If you cannot solve the proposed problem, look around for an
+> appropriate related problem." — *How to Solve It*, 1945.
+
+Ten fix cycles with no convergence is the canonical signature of a
+problem attacked at the wrong level of generality. Pólya's
+prescription is not "push harder"; it is **change the framing**.
+
+## 1. Phase 1 — Understand. Restated.
+
+- **Unknown:** a coordinator that places streamed nodes/edges at
+  deterministic (x, y) and emits them to the renderer.
+- **Given:** six modules (`geometry`, `protocol`, `scheduler`,
+  `log`, `wire`, `lod`), each internally consistent; cost model;
+  ~20 sibling audits.
+- **What is missing:** the integrating module
+  `layout_authority.py`. Feynman §1 step 2: *"every chain of
+  reasoning below is what would happen if it were written. Today
+  nothing calls `add_node` at all."*
+
+The user's restatement has been "fix the layout authority." The
+true restatement: **the parts exist, the assembly does not, and
+each fix has touched a part instead of the assembly.** The bug is
+not in any file; the bug is in the *absence* of one.
+
+## 2. Have you seen this problem before? — Related solved problems
+
+### 2.1 IoT sensor streaming charts (the user's analogy)
+
+Same structural problem: unbounded events arrive out of order;
+each must land at deterministic screen position; backend cannot
+replay history per client. The IoT recipe maps 1:1:
+
+| IoT piece | Cortex equivalent | Status |
+|---|---|---|
+| Sensor → broker (MQTT QoS) | `add_node` → `scheduler.submit` | exists |
+| Broker → time-series store (ring) | `log.emit` (500k ring) | exists |
+| Pure projection `(id, t) → (x, y)` | `compute_slot(...)` | exists |
+| **Coordinator** owning counters + routing | `layout_authority.py` | **MISSING** |
+
+Every IoT system has one coordinator object. We have six modules
+(broker, store, projection) and no coordinator. **Adapted method:
+copy the IoT coordinator pattern verbatim — one class, one worker
+thread, one counter map, two buffers.** ~150 LOC. Dijkstra D0–D2
+and Feynman §4 already enumerated its obligations.
+
+### 2.2 Database WAL + replicas
+
+`log.py` is a WAL. Subscribers are replicas reading by seq.
+`request_subtree` is checkpoint+replay. The Postgres
+streaming-replication ordering proof (single producer → seq
+monotonic → per-replica order) is identical and two lines.
+**Borrow the WAL ordering argument; no new invariant needed.**
+
+### 2.3 matplotlib `FuncAnimation`
+
+Counter on the figure, projection as closure, emit as
+`canvas.draw`. Cortex authority is the same shape distributed
+across threads. **Borrowing the mental model collapses I3/I4/I7
+into "the counter map is the state; everything else is a pure
+function of it."**
+
+## 3. Can you solve a simpler version? — One-domain authority
+
+Specialize hard:
+
+> **Special case: ONE domain, ONE kind (file), no edges, no
+> re-emit, in-memory dict, single thread.**
+
+```python
+class TinyAuthority:
+    def __init__(self, anchor):
+        self.anchor = anchor
+        self.counter = 0
+        self.slots = {}
+
+    def add_node(self, node_id):
+        idx = self.counter
+        self.counter += 1
+        x, y = compute_slot_file(self.anchor, idx,
+                                 total=max(self.counter, 1))
+        self.slots[node_id] = (x, y)
+        return (idx, x, y)
+```
+
+Three things fall out:
+
+1. **`total` is a moving target** — file #1 is placed against
+   `total=1`; later geometry expects `total=10`. The "no
+   retroactive reseat" decision (I4/I7) is load-bearing; the
+   simpler version makes it concrete.
+2. **The counter map belongs in the coordinator,** not in
+   geometry/scheduler/log (Feynman §1.5c spent four bullets
+   searching for whose job it is).
+3. **Edges and re-emit are additions on top,** not intrinsic —
+   buffers + replays on the counter+projection core. Build last.
+
+## 4. Work backward from the desired result
+
+Forward attempts are stuck. Reverse direction. Terminal state:
+
+> Browser shows nodes appearing at deterministic positions as the
+> build worker streams events.
+
+Walk backward:
+
+1. Browser shows node ⇐ SSE delivers `slot` event with finite floats.
+2. SSE delivers ⇐ `log.emit('slot', bytes)` was called.
+3. `format_slot` produced bytes ⇐ it read the right field name.
+   **Today it reads `slot.id`; protocol exposes `node_id`.
+   AttributeError on first call.** (Feynman §1.8; Dijkstra D0.)
+   **5 LOC, 1 test. Blocks every downstream piece.**
+4. `format_slot` was called ⇐ a worker thread popped the
+   scheduler. **Worker does not exist.**
+5. Worker computed geometry ⇐ counter map and pending-edges
+   buffer exist. **Both missing; both belong in the coordinator.**
+6. `add_node` was called ⇐ coordinator object exists. **Factory
+   at `protocol.py:222` imports a module not in the tree.**
+
+**Strict critical path, in order:**
+1. Fix `wire.format_slot` field name.
+2. Write `layout_authority.py` coordinator (~150 LOC).
+3. Wire factory; unblock `protocol.py:229`.
+4. Connect build worker to the coordinator.
+
+**Ten fix cycles touched these at random. Backward walk gives the
+order.**
+
+## 5. Phase 2 — Plan: heuristic and why
+
+**Selected: specialize-then-generalize, executed under the
+IoT-coordinator pattern, on the backward-walk's critical path.**
+
+IoT analogy gives shape; backward-walk gives order; simpler-
+version controls scope. Composed, they keep the six modules
+intact (they already *correctly* are broker/store/projection/
+protocol/encoder/LoD) and add the missing coordinator on top in
+the right order.
+
+## 6. Plan — next moves, in order
+
+| # | Move | Cost | Unblocks |
+|---|---|---|---|
+| 1 | Fix `wire.format_slot` (`slot.id` → `slot.node_id`); round-trip test with real `SlotAssignment`. | ~10 min | every downstream test |
+| 2 | Write `TinyAuthority` (1 domain, 1 kind, no edges, no re-emit). E2E test: 1000 `add_node` → 1000 SSE events → 1000 (x, y) decoded. | ~2 h | IoT pattern proven in-tree |
+| 3 | Generalize to 11 domains × 6 kinds via counter map keyed `(dom, kind)`. Reuse worker loop. | ~2 h | Feynman §1.5c resolved |
+| 4 | Parent-pending buffer (I3, 32k cap, drop+counter). | ~1 h | symbols-before-files no longer races |
+| 5 | Pending-edges buffer (I5, 100k cap). | ~1 h | edges no longer dangle |
+| 6 | `request_subtree` re-emit walking counter map. | ~1 h | I2 closes |
+| 7 | Wire build worker → coordinator. Demo on real repo scan. | ~1 h | user sees nodes appear |
+| 8 | Curie: RSS, drop rates, p99 at 10⁶/sec. | ~1 d | Dijkstra B1–B6 empirically |
+
+Total: ~2 days. **Less than the last 10 fix cycles cost.**
+
+## 7. Phase 4 — Look back. Reusable lessons.
+
+- **Stuckness signal:** when a fix lands and the next bug is one
+  layer away, the problem is not in the layer you are touching.
+  Stop and look for the missing assembly module. Second
+  occurrence in this codebase (cf. early `consolidation_engine`
+  / dual-store CLS wiring).
+- **Rule:** before fixing module N, verify it is *called* by
+  something. Zero callers ⇒ write the integrator before any
+  further fix.
+- **Rule:** a 6-module subsystem with 20 audits and no E2E test
+  needs a coordinator, not another audit. Treat absence of an
+  E2E test as a red flag equal to a failing test.
+- **Domain transfer:** "broker + store + projection +
+  coordinator" is the right shape for any high-rate,
+  deterministic-placement, single-producer streaming problem.
+  Add to the architecture playbook.
+
+## 8. Hand-offs
+
+- **engineer:** items 1–7; start with item 1 (10-min unblock).
+- **Dijkstra:** review `TinyAuthority` for single-producer +
+  seq-monotonic before generalizing.
+- **Curie:** item 8 after item 7. **Hamilton:** SSE backpressure
+  (cost-model §7) once item 7 lands.
diff --git a/tasks/layout-authority/audits/popper.md b/tasks/layout-authority/audits/popper.md
new file mode 100644
index 00000000..349958db
--- /dev/null
+++ b/tasks/layout-authority/audits/popper.md
@@ -0,0 +1,51 @@
+# Popper Falsification Audit — Layout Authority
+
+**Test suite:** `mcp_server/server/test_layout_authority.py` (344 lines, 17 tests)
+**Run command:** `python3 -m unittest mcp_server.server.test_layout_authority`
+**Result:** 17 passed, 0 failed (0.225s)
+
+## Invariants tested and outcomes
+
+| # | Invariant | Module | Outcome | Notes |
+|---|---|---|---|---|
+| 1 | Slot stability — same context yields same (x, y) under repetition | geometry | **Survived** | 1000 repeats; exact equality, not approximate |
+| 1b | Slot stability — interleaved kinds do not perturb prior result | geometry | **Survived** | Falsifies any shared accumulator |
+| 1c | I1: every kind produces finite coords | geometry | **Survived** | Tested 11 kinds |
+| 2 | O(1) state — 10^6 calls leave RSS delta < 200 MB | geometry | **Survived** | macOS `ru_maxrss` (bytes); negligible delta observed |
+| 3 | P0 preempts a 1000-deep P4 backlog | scheduler | **Survived** | First pop is the P0 item |
+| 3b | Strict 0..6 ordering when inserted in reverse | scheduler | **Survived** | Drain order is [0,1,2,3,4,5,6] |
+| 4 | Drop counter increments exactly once per dropped submit | scheduler | **Survived** | 25 overflow submits -> dropped[P0] == 25 |
+| 4b | No silent maxlen eviction (head item preserved) | scheduler | **Survived** | First popped is the original head |
+| 5 | replay_since(N) returns exactly events with seq > N | log | **Survived** | Tested at 5 cut points incl. boundaries |
+| 5b | replay_since(newest) is empty | log | **Survived** | |
+| 6 | Overflow past cap signals gap (oldest_seq > since+1) | log | **Survived** | Used local deque swap to avoid 500k events |
+| 7 | format_slot -> parse_slot roundtrip preserves structure | wire | **Survived** | Including 0.1px rounding edge cases |
+| 7b | Pipe `\|` in id is rejected | wire | **Survived** | |
+| 7c | kind > 32 chars rejected | wire | **Survived** | |
+| 8 | NaN x rejected at wire boundary | wire | **Survived** | |
+| 8b | +inf y rejected | wire | **Survived** | |
+| 8c | -inf x rejected | wire | **Survived** | |
+
+## Falsified
+
+None on this run. All tested invariants survived a genuine attempt at refutation.
+
+## Notable findings during test design (not falsifications, but contract gaps)
+
+1. **Wire/protocol field-name mismatch:** `wire.format_slot` reads `slot.id`, `slot.x`, `slot.y`, `slot.kind`, `slot.domain_id` — but `layout_authority_protocol.SlotAssignment` exposes `node_id`, not `id`. A naive caller passing the protocol dataclass would `AttributeError` at the wire boundary. The test uses a local `_Slot` dataclass that matches the wire's actual contract; this exposes the gap rather than papering over it.
+
+2. **No reference authority implementation exists yet.** Test #1 (slot stability) is therefore exercised at the geometry layer (`compute_slot`), not the authority layer. When the reference implementation lands, an additional test should re-exercise slot stability through `add_node` to falsify any non-determinism introduced at the orchestration level.
+
+3. **Log seq is module-global and persists across `reset()`.** The replay tests reset between cases but compute expectations from observed seq values rather than assuming seq starts at 1 — this is a deliberate accommodation of the documented "seq continues across resets" invariant.
+
+## Severity assessment
+
+- High severity (a real bug would be caught): tests 2, 3, 4, 6, 8.
+- Medium severity: tests 1, 5, 7.
+- Tests with low individual severity (1c, 5b) exist as cheap consistency probes alongside the higher-severity tests in the same suite.
+
+## Hand-offs
+
+- Quantitative severity / power analysis -> Fisher.
+- Empirical RSS profiling at 10^7 nodes -> Curie.
+- Reference authority impl + integration tests -> engineer.
diff --git a/tasks/layout-authority/audits/propp.md b/tasks/layout-authority/audits/propp.md
new file mode 100644
index 00000000..e294f2dc
--- /dev/null
+++ b/tasks/layout-authority/audits/propp.md
@@ -0,0 +1,165 @@
+# Propp — Morphology of the Failed-Iteration Narrative
+
+> Each "fix the layout" attempt is told as a fresh story. Aligned by
+> function-sequence, all six iterations are the *same* tale with one
+> function permanently absent. The grammar shows which moves are
+> load-bearing and which are decoration. The absence explains why the
+> story does not end.
+
+## 1. Function catalog (typed atomic moves)
+
+Functions are defined by structural role in the iteration, not by
+content. F-codes follow Propp's convention.
+
+| F# | Function | Structural role |
+|----|----------|-----------------|
+| F1 | **Lack** | Working layout for N=10⁹ does not exist (cost-model.md §1) |
+| F2 | **Interdiction** | User states constraint: same UI / 8 MB / 1–2 s |
+| F3 | **Reconnaissance** | Agent inspects current code, names a *symptom* (slow, freeze, clump, stall) |
+| F4 | **Trickery** | Agent restates symptom as cause ("force-graph re-layouts every payload") |
+| F5 | **Departure** | Agent leaves the call site of the bug, picks a new mechanism |
+| F6 | **Receipt of agent** | Agent acquires a tool (d3-force, Datashader, SSE, igraph DrL, quadtree) |
+| F7 | **Violation** | Ships fix that breaks F2 — adds a 3rd geometry, a 2nd renderer, or a new cache |
+| F8 | **Test** | User runs it; the constraint that breaks is named |
+| F9 | **Struggle** | Agent doubles down: debounce, MutationObserver, skip-if-fresh, self-heal branch |
+| F10| **Branding** | A scar is left in the code (comment, retry loop, observer) — see ginzburg §2 |
+| F11| **Pursuit** | User escalates ("GO FUCKING DIE") — interdiction reaffirmed |
+| F12| **Rescue** | Agent reverts or papers over; iteration "closes" without F2 met |
+| **F13**| **LIQUIDATION** *(MISSING)* | The lack F1 is repaired: a single owner of `(node_id) → (x, y)` is named |
+| **F14**| **RECOGNITION** *(MISSING)* | The role "Layout Authority" is assigned to exactly one actor |
+| F15| **Return** | Agent declares done; lack persists; F1 re-fires next session |
+
+## 2. Grammar (sequence constraint)
+
+Observed order across all six iterations is strict and identical:
+
+```
+F1 → F2 → F3 → F4 → F5 → F6 → F7 → F8 → F9 → F10 → F11 → F12 → F15 → (loop to F1)
+                                                  ↑
+                                        F13, F14 never fire
+```
+
+Constraint: **F13 must precede F15 for the tale to terminate.** It does
+not. The loop F15→F1 is therefore mandatory — the grammar predicts the
+recurrence Ginzburg observed empirically.
+
+Optional: F11 (some iterations end at F12 without explicit escalation).
+Repeatable: F9 (struggle can iterate within an iteration — see polling.js
++ bridge.js debounce + MutationObserver, all three are F9 events in the
+same story).
+
+## 3. Role map (actors are interchangeable; roles defined by function)
+
+| Role | Defining functions | Actor instances observed |
+|------|-------------------|--------------------------|
+| **Hero** | F3, F5, F6, F7, F9 | "the agent" — six different sessions, same role |
+| **Dispatcher** | F2, F8, F11 | User (states constraint, tests, escalates) |
+| **Donor** | F6 (provides tool) | npm/pypi: d3-force, Datashader, igraph, pgvector |
+| **Villain** | causes F1 to persist | *unfilled by name* — the architectural assumption "renderer authors layout" (ginzburg §4). It is a **role without an actor**. |
+| **False Hero** | claims F13 without performing it | The skip-if-fresh cache (`recompute_layout.py:82–99`); the tilemap self-heal branch (`workflow_graph_tilemap.js:122–168`); the MutationObserver (`workflow_graph_bridge.js:67–73`). Three false heroes; none is Layout Authority. |
+| **Princess / Sought-for** | F13, F14 — the prize | "Single owner of (node_id)→(x,y)" — never claimed |
+
+The diagnosis is structural: **the Princess exists in the grammar; no
+actor has been cast in the role.** Three False Heroes have stepped
+forward and been mistaken for her.
+
+## 4. Instance alignment (six iterations × function sequence)
+
+`Y` = function fired; `—` = absent; `*` = degenerate (fired but did not
+perform structural work).
+
+| Iter | Mechanism (commit) | F3 | F4 | F5 | F6 | F7 | F8 | F9 | F10 | F13 | F14 | F15 |
+|------|-------------------|----|----|----|----|----|----|----|-----|-----|-----|-----|
+| 1 | precomputed + d3-force | Y | Y | Y | d3-force | Y | freeze | tick-throttle | sim ref | — | — | Y |
+| 2 | tilemap raster (`dba2f16`) | Y | Y | Y | Datashader | Y | "ugly" | rebuild-on-event | tile cache | — | — | Y |
+| 3 | SSE rebuild-on-event | Y | Y | Y | SSE | Y | freeze | first-mount mode | polling guard | — | — | Y |
+| 4 | SSE first-mount + append | Y | Y | Y | SSE+append | Y | clumps | per-domain anchor | bridge debounce | — | — | Y |
+| 5 | SSE incremental recompute | Y | Y | Y | server recompute | Y | stall | self-heal | quadtree 503 | — | — | Y |
+| 6 | tilemap auto-recompute (`4a41aff`) | Y | Y | Y | retry loop | Y | — (yet) | client-triggered server layout | MutationObserver | — | — | Y |
+
+**Every row is identical in structure.** Only F6 (the tool acquired) and
+F8 (the symptom named) vary. F13 and F14 are absent in **all six**.
+
+This is the Propp finding: surface diversity (six tools, six symptoms)
+over a fixed deep grammar with a permanent gap.
+
+## 5. Load-bearing vs decorative
+
+| Function | Status | Justification |
+|----------|--------|---------------|
+| F1 (Lack) | **load-bearing** | Defines the tale; without it no story |
+| F2 (Interdiction) | **load-bearing** | The 8 MB / 1–2 s constraint is the discriminator |
+| F4 (Trickery) | **load-bearing** | Restating symptom-as-cause is what enables F5 in the wrong direction |
+| F6 (Receipt) | decorative | Six different tools; all interchangeable; none repairs F1 |
+| F7 (Violation) | **load-bearing** | The act that adds a 3rd geometry / 2nd renderer is the structural sin |
+| F9 (Struggle) | decorative | Symptom of F13 absent; debounce/observer/cache are surface fixes |
+| F10 (Branding) | **load-bearing as evidence** | The scars (ginzburg §2) are the involuntary trace |
+| **F13 (Liquidation)** | **load-bearing AND ABSENT** | Without it F15→F1 loop is mandatory |
+| **F14 (Recognition)** | **load-bearing AND ABSENT** | Layout Authority role is never cast |
+
+Decorative functions explain *flavour*. Load-bearing functions explain
+*recurrence*. F6 and F9 vary across iterations and feel like progress;
+they are not. F4, F7, and the absent F13/F14 are constant and explain
+the loop.
+
+## 6. The missing function — diagnostic
+
+> **F13 (Liquidation) cannot fire while F14 (Recognition of Layout
+> Authority) has not fired.** Repair requires an actor cast in the role.
+
+What F14 looks like, concretely:
+- One module owns `(node_id) → (x, y, seq)`. Spec: alkhwarizmi.md
+  `add_node` contract; dijkstra.md H1/H2 invariants (single producer,
+  strict-monotonic seq).
+- Renderer demoted from Hero to passive consumer. `prepareTopology` and
+  `computeSlots` (`workflow_graph.js:308–700`) deleted.
+- Three False Heroes retired: skip-if-fresh cache, tilemap self-heal
+  branch, MutationObserver — all unnecessary once one renderer remains.
+- `core/layout_engine.py` (igraph DrL) deleted: violates cost-model §6
+  (O(N log N) disqualified) and would be a fourth claimant to the role.
+
+Until F14 fires, F13 cannot. Until F13 fires, F15 loops to F1 and the
+seventh iteration begins. The grammar predicts it.
+
+## 7. Variants (what surface variation does and does not cover)
+
+| Variant axis | Spans | Affects deep grammar? |
+|-------------|-------|----------------------|
+| Layout tool (d3-force / Datashader / igraph / SSE) | F6 | No — Donor's gift, decorative |
+| Symptom name (slow / freeze / clump / stall) | F8 | No — surface label of F1 |
+| Scar shape (debounce / observer / cache / retry) | F10 | No — F9 residue |
+| **Authority owner** | F14 | **Yes** — only axis that changes the grammar |
+
+Six iterations exhausted axes 1–3. Axis 4 has not been touched.
+
+## 8. Refusal conditions hit in this audit
+
+- Single-instance grammar claim refused: six instances available.
+- Actor/role confusion refused: roles are defined by function, not by
+  module name. "Server" and "client" are actors; "Layout Authority" is
+  a role neither has yet filled.
+- Gap-as-defect-without-justification refused: F13/F14 absence is
+  classified `defect` because the grammar requires F13 < F15 for tale
+  termination and the user constraint F2 is repeatedly violated.
+
+## 9. Hand-offs
+
+- **alkhwarizmi** — define the F14 contract (`add_node` closed-form
+  O(1), `(node_id)→(x,y,seq)`).
+- **dijkstra** — formalise the F13 invariants (single producer,
+  monotone seq, append-only).
+- **wittgenstein** — disambiguate the role/actor confusion in §3 (False
+  Hero vs Princess); the language game in which "the renderer places
+  nodes" is the locus.
+- **engineer** — execute the cast: assign Layout Authority to one
+  module, delete `prepareTopology`/`computeSlots`, delete
+  `core/layout_engine.py`, retire the three False Heroes.
+
+## 10. Compliance
+
+- §1.1 SRP — pass: each function does one structural job.
+- §8 Sources — pass: Propp 1928/1968 Ch. 3, 6, 9; Dundes 1964 (method
+  portability); peer evidence ginzburg.md §2 (load-bearing scars).
+- Zetetic — pass: grammar inferred from six aligned instances; no
+  single-instance claim; gap classification justified against the
+  grammar's termination condition.
diff --git a/tasks/layout-authority/audits/ramanujan.md b/tasks/layout-authority/audits/ramanujan.md
new file mode 100644
index 00000000..29aa9f7e
--- /dev/null
+++ b/tasks/layout-authority/audits/ramanujan.md
@@ -0,0 +1,163 @@
+# Ramanujan Audit — `layout_authority_geometry.compute_slot`
+
+> **STATUS LABEL: CONJECTURE report.** Every claim below is a candidate for proof,
+> NOT a verified fact. Numerical hand-computations were verified against
+> `compute_slot()` to machine precision; the *structural conjecture* (the closed
+> form connecting all special cases) requires a prover-agent (Lamport/Dijkstra)
+> to discharge before being treated as a load-bearing invariant of the layout.
+>
+> **Prover-agent assigned:** Lamport (algebraic invariant proof) + Dijkstra
+> (degeneracy enumeration). Hand-off is mandatory; this report MUST NOT be
+> consumed as fact without verification.
+
+## Domain & zone
+
+- Domain: closed-form 2D placement geometry (Fibonacci-spiral anchors + per-kind
+  ring + sector fan). Pure trig, no I/O, no iteration.
+- Zone competence: **high** — special-case computation against analytic
+  formulae is the canonical Ramanujan workflow.
+- Canvas: W=1920, H=1080, cx=960, cy=540 throughout.
+
+## Hand-computed special cases vs. code
+
+All numbers below were derived from the source formulas BEFORE running
+`compute_slot`; the right column is the code's actual output. **Every value
+agrees to ≥4 decimal places** (verified by `/tmp/ramanujan_verify.py`).
+
+### Case A — N=1 domain, 3 files orbiting tool hub `Edit`
+
+```
+base_r  = max(min(W,H)·0.42, (2·FILE_R+60)·√(N/π)·0.65)
+        = max(453.6000, 183.3616) = 453.6000              ← floor wins
+anchor  : r = base_r·√((0+0.5)/1) = 320.7436, θ = 0·Φ = 0
+        → (1280.7436, 540.0000)                           [matches code]
+outward : atan2(0, +320.74) = 0.000000
+hub Edit: TOOL_R·(cos 0, sin 0) → (1420.7436, 540.0000)   [matches code]
+file arc: min(0.35, 0.08 + 3·0.015) = 0.125               (small-N branch)
+file[i] : t = ((i+0.5)/3 − 0.5)·0.125, r = 220 + ((i%3)−1)·4
+  i=0 → t=−0.04167, r=216 → (1496.5562, 531.0026)         [matches]
+  i=1 → t= 0.00000, r=220 → (1500.7436, 540.0000)         [matches]
+  i=2 → t=+0.04167, r=224 → (1504.5492, 549.3306)         [matches]
+```
+
+### Case B — N=2 domains × 2 files each (Edit hub)
+
+```
+base_r = 453.6000   (floor still wins; ceiling = √(2/π)·0.65·500 = 259.3)
+domain[0]: r=226.8000, θ=0.0000     → (1186.8000, 540.0000)  [matches]
+domain[1]: r=392.8291, θ=2.4000     → ( 670.3400, 805.3523)  [matches]
+file arc (n=2): min(0.35, 0.08+2·0.015) = 0.110
+  d=0 i=0 → (1402.7183, 534.0607)   [matches]
+  d=0 i=1 → (1406.7168, 546.0492)   [matches]
+  d=1 i=0 → ( 515.1405, 955.5824)   [matches]
+  d=1 i=1 → ( 504.0940, 949.4434)   [matches]
+```
+
+### Case C — N=3 domains × 1 file × 5 symbols (around file of d=0)
+
+```
+base_r = 453.6000
+domain[0]: r=261.8985, θ=0      → (1145.1814, 540.0000)
+domain[1]: r=453.6000·√(.5)=...  θ=2.4000 → ( 723.4936, 756.6592)
+domain[2]: r=405.7905, θ=4.8000  → ( 996.2011, 127.5072)
+file (d=0): hub_angle=0, idx=0/total=1, arc=0.095
+           → (1361.1814, 540.0000)
+symbols (5 around file at angle 2π(i+0.5)/5, r=SYM_CLUMP_R+(i%4)·3):
+  i=0 → ang=0.6283 r=18 → (1375.7437, 550.5801)  [matches]
+  i=1 → ang=1.8850 r=21 → (1354.6921, 559.9722)  [matches]
+  i=2 → ang=3.1416 r=24 → (1337.1814, 540.0000)  [matches]   ← exact π
+  i=3 → ang=4.3982 r=27 → (1352.8380, 514.3215)  [matches]
+  i=4 → ang=5.6549 r=18 → (1375.7437, 529.4199)  [matches]
+```
+
+## Conjectured closed form (the Ramanujan identity)
+
+For any node, position is the composition of three pure rotations + radial
+offsets that share an additive structure:
+
+```
+P(node) = anchor(D)
+        + R_kind · ringRadius(kind, idx) · û(outward(D) + ψ_kind(idx, N_kind))
+```
+
+where:
+- `anchor(D) = (cx,cy) + base_r·√((D+0.5)/N_total)·(cos D·Φ, sin D·Φ)`,
+  `Φ = π(3−√5)` — the golden angle (Vogel 1979 Fibonacci spiral).
+- `outward(D) = atan2(anchor−center)`, with the `<5px → −π/2` guard.
+- `ψ_kind` is a kind-specific angular fan: linear `((i+0.5)/n − 0.5)·arc` for
+  setup/file/disc/mem; fixed lookup `TOOL_LOCAL_ANGLE` for tool hubs; π-shift +
+  jitter for MCPs; full-circle `2π(i+0.5)/n` for symbols.
+- `ringRadius` is a tiny integer wobble on top of a per-kind base (±4/±6/±8 px
+  via `(idx % k) − offset`).
+
+**Conjecture (CONJ-1):** for every node kind, the placement function is a
+pure isometry composition `T_anchor ∘ R_outward ∘ (radial offset)` and is
+invariant under any reordering of nodes that preserves the (kind, idx, total)
+triple. → Hand off to Lamport for TLA+ proof of the invariance claim.
+
+**Conjecture (CONJ-2):** symbols form a regular n-gon (modulo the `(i%4)·3`
+radial wobble) precisely because `2π(i+0.5)/n − 2π(j+0.5)/n = 2π(i−j)/n` is
+independent of file position — the file-relative frame is exact. The wobble
+breaks the regularity by ≤9 px. → Hand off to Dijkstra for proof that the
+wobble cannot collapse two symbols onto the same point for any n ≥ 1.
+
+## Small-N degeneracies (verified, not just conjectured)
+
+| Probe | Result | Note |
+|---|---|---|
+| `base_radius(N=0)` | 453.60 | `max(N,1)` guard works; no div-by-zero |
+| `domain_anchor` at N=1 | θ=0 → always due-east of centre | Fibonacci spiral collapses to a single point — fine, but means the outward axis is *deterministically* +x for the only domain. No angular variety to test. |
+| `outward_angle` at anchor==centre | −π/2 | `<5px` guard fires; stable upward bias |
+| `slot_for_symbol(total=0)` | returns file_slot | Early return prevents `/0` |
+| `slot_for_symbol(n=1)` | (−18, 0) rel to file | Single symbol lands at angle π — *left* of file, not on it. Visually fine but counter-intuitive (one might expect "on top") |
+| `arc` for n=3 files | 0.125 rad ≈ 7.2° | Below the 0.35 cap; `min` branch dormant until n≥18 |
+| `arc` for memory n=1 | `2·SECTOR_SIDE_HALF + min(π/2.5, 0.03)` = 0.997 rad | Floor dominates: even a single memory gets the full sector half-width. **Possibly wasteful** — single-element fans don't need the whole arc. |
+
+## Where small-N differs from large-N (the qualitative break)
+
+1. **File arc saturation**: `arc = min(0.35, 0.08 + n·0.015)` saturates at n=18.
+   Below 18 the arc grows linearly with file count; above 18 it is clamped.
+   Special-case computation at n=3 hides this — **the linear regime is the
+   only one a 3-file test exercises**.
+2. **Memory/discussion arc has TWO bonuses**: the `min(π/3, n·0.04)` term and
+   the base `2·SECTOR_SIDE_HALF`. At n=1 the bonus is 0.04 rad (negligible);
+   at n=∞ it caps at π/3. Hand-tests at n=1 will not reveal whether the cap
+   is correct.
+3. **Domain spiral collision**: `base_radius` formula uses `√(N/π)·0.65·shell`
+   as the spacing-driven floor. For W=H=1080, this floor only beats the 42%
+   floor when N ≥ ⌈π·(0.42·min/(0.65·shell))²⌉ ≈ N=6 (canvas-dependent).
+   **N=1,2,3 all fall in the canvas-floor regime** — the spacing formula is
+   completely untested by these special cases.
+4. **Floating-point edge**: at θ = D·Φ for D=0, sin(0) is exactly 0.0, so
+   `domain[0]` always lands on y=cy precisely. For D≥1, θ is irrational ×
+   integer and we accumulate ~1 ulp of error per multiplication. Not a
+   correctness issue at our coordinate scale.
+
+## Generator's self-assessment
+
+- All 24 hand-computed (x,y) values match the code to ≥4 decimal places.
+  The match is exact in the linear regime; rounding shows up only in the
+  4th–6th decimals of `cos/sin` evaluations.
+- Confidence in CONJ-1 (kind-isometry composition): **high** — the structure
+  is visible by inspection of the code.
+- Confidence in CONJ-2 (n-gon non-collision): **medium** — the wobble could
+  in principle collapse points for some pathological n; needs Dijkstra.
+- Confidence that the *spacing-driven floor* of `base_radius` is correct for
+  large N: **low** — not tested here. Recommend a separate audit at N=11
+  (current production domain count) to exercise that branch.
+
+## Hand-offs (MANDATORY)
+
+- CONJ-1, CONJ-2, and the spacing-floor claim → Lamport / Dijkstra for proof.
+- Small-N memory arc waste (degeneracy #5 in table) → escalate as a
+  potential refactor target after Lamport confirms the geometry is otherwise
+  invariant.
+- Large-N branch coverage (file arc cap, memory cap, base_radius spacing
+  floor) → schedule a sibling audit at N∈{18, 50, 200}.
+
+## Refusal note
+
+This report is a CONJECTURE bundle. Numerical equality at three special
+cases is necessary but not sufficient evidence for the closed-form claim.
+Do not treat CONJ-1 or CONJ-2 as load-bearing invariants of the layout
+authority until a prover-agent has discharged them.
diff --git a/tasks/layout-authority/audits/ranganathan.md b/tasks/layout-authority/audits/ranganathan.md
new file mode 100644
index 00000000..6e69d82c
--- /dev/null
+++ b/tasks/layout-authority/audits/ranganathan.md
@@ -0,0 +1,152 @@
+# Ranganathan Audit — PMEST Faceted Classification of the Layout Authority
+
+The layout authority's design space is multi-dimensional. A single hierarchy
+(e.g. "by file" or "by kind") loses entries from every other access path.
+This audit decomposes the design along five orthogonal facets — Personality,
+Matter, Energy, Space, Time — declares what each facet *covers*, and names
+the *gaps*: the values the facet implies but the code does not realise.
+
+Source schema: Ranganathan, S. R. (1937), *Prolegomena to Library
+Classification*, Ch. 23 "Fundamental Categories."
+
+## P — PERSONALITY (the kind of node — what the entry IS)
+
+Authoritative enumeration: `NODE_KINDS` (`layout_authority_protocol.py:30-33`).
+
+| Value | Slot helper | Coverage |
+|---|---|---|
+| `domain` | `domain_anchor` | full |
+| `tool_hub` | `slot_for_tool_hub` | full |
+| `file` | `slot_for_file` | full (tool_hub-orbiting; falls back to outward axis when parent unknown — I4) |
+| `symbol` | `slot_for_symbol` | full (parent-file-relative petal; I3-buffered) |
+| `discussion` | `slot_for_discussion` | full |
+| `memory` | `slot_for_memory` | full |
+| `mcp` | `slot_for_mcp` | full (inward of domain) |
+| `skill`,`hook`,`command`,`agent` | `slot_for_setup` (shared) | **conflated** — four PERSONALITY values share one shell at r=70; they are distinguishable in NODE_KINDS but indistinguishable in geometry |
+| `entity` | none — falls through `compute_slot:218` to `ctx.get("anchor", …)` | **GAP** — declared kind, no branch, collides with the `domain` slot |
+
+**P-gaps:**
+1. `entity` has no slot helper. Either give it an L6 cross-domain shell (mirror of `mcp`), or remove it from NODE_KINDS.
+2. The L3 setup ring conflates four kinds. If a future requirement is "show me only hooks," the geometry has lost the distinction — only the wire payload retains it.
+3. Predicted-but-absent kinds (cross Mendeleev): `super_domain`, `project_hub`, `shared_skill`, `discussion_hub`, `memory_hub`, `cross_entity`. Add them only if a producer exists.
+
+## M — MATTER (the content carried — what the entry CONTAINS)
+
+Authoritative payloads: `NodeDelta` (`layout_authority_protocol.py:46-74`),
+`SlotAssignment` (`:103-129`), `EdgeDelta` (`:77-100`), wire frames
+(`layout_authority_wire.format_slot/format_edge`).
+
+| Field | Where | Coverage |
+|---|---|---|
+| `node_id` | NodeDelta, SlotAssignment, frame | full |
+| `kind` | both, frame | full |
+| `domain_id` | both, frame | full |
+| `parent_id` | NodeDelta only | **stripped at emit** — present on input, absent from SlotAssignment and frame; renderer cannot reconstruct file→symbol parentage from the stream alone |
+| `tool_name` | NodeDelta only | **stripped at emit** — same gap; renderer cannot tell which tool a `tool_hub` represents |
+| `x`, `y` | SlotAssignment, frame | full (`:.1f` truncated, finite-checked at wire) |
+| `seq` | SlotAssignment, frame | full (monotonic, I2) |
+| metadata (timestamp, size, label, color) | — | **GAP** — no field carries human-facing metadata; UI must look it up out-of-band |
+| edge `kind` | EdgeDelta, frame | full |
+| edge endpoints | EdgeDelta, frame | full |
+| edge weight / direction marker | — | **GAP** — every edge is unweighted, undirected at the wire level |
+
+**M-gaps:**
+1. The wire frame is `id|x|y|kind|domain_id` — `parent_id` and `tool_name` exist in the input but are dropped on emit. Renderer reconstructs hub angles by re-deriving them. Either add them to the frame or document they are renderer-derivable.
+2. No metadata channel. Labels, colors, sizes are out-of-band — fine if the renderer has a side store, fragile if SSE is the only channel.
+3. Edges carry no weight. Cannot animate edge strength.
+
+## E — ENERGY (the operations — what the entry DOES)
+
+Authoritative verbs: `LayoutAuthority` Protocol (`layout_authority_protocol.py:142-178`)
++ `layout_authority_log` module-level functions.
+
+| Verb | Surface | Coverage |
+|---|---|---|
+| `add_node` | input — build worker → authority | full (validates, places, emits) |
+| `add_edge` | input | full (validates, buffers if endpoints missing — I5) |
+| `request_subtree(domain_id)` | input — re-emit known slots for domain | partial — re-emits *current* slots; cannot reseat without invalidate-then-rebuild |
+| `subscribe` / `unsubscribe` | output channel | full |
+| `done()` | terminator | full |
+| `emit` (slot/edge) | internal — log layer | full |
+| `replay_since(seq)` | recovery | full (with `oldest_seq` gap signal) |
+| `reset()` | lifecycle | full (prose: keep global seq across resets) |
+| `stats()` | observability | partial — counters only; no per-priority lane stats surfaced from authority (scheduler has them) |
+| `request_node(node_id)` | targeted re-emit | **GAP** — only subtree-granularity reseats |
+| `forget(node_id)` / `remove_node` | retraction | **GAP** — append-only stream; no node removal verb |
+| `update_metadata(node_id, …)` | partial update | **GAP** — same as above |
+| `pause` / `resume` producer-side | flow control | **GAP** — Hamilton 1202 pattern shifts back-pressure to the priority dropper, but there is no explicit pause hook |
+
+**E-gaps:**
+1. The system is monotonic by design (Pattern 2: slot-stable). Verbs that *retract* are deliberately absent. If retraction is ever needed, it must enter as a new ENERGY value with its own invariants, not retrofitted into `add_node`.
+2. `request_subtree` is the only re-emit verb. Single-node viewport refresh requires emitting the whole domain.
+
+## S — SPACE (the canvas, anchors, shells — WHERE the entry sits)
+
+Authoritative geometry: `layout_authority_geometry.py`.
+
+| Spatial element | Constant / function | Coverage |
+|---|---|---|
+| canvas | `width × height` (default 1000×1000) at `LayoutAuthority.__init__` | full but **fixed** — no resize handler in the authority |
+| domain anchor | Fibonacci spiral, `domain_anchor()` | full; *frozen* at first sighting (`_DomainRegistry`) |
+| outward axis | `outward_angle()` | full (with center-bias for domains within 5px of center) |
+| L1 setup shell | `SETUP_R = 70`, `SECTOR_SETUP_HALF` | full |
+| L2 tool-hub ring | `TOOL_R = 140`, `TOOL_LOCAL_ANGLE` | full (7 named tools; unknown tool → 0.0 angle) |
+| L3 file orbit | `FILE_R = 220` | full |
+| L4 discussion lane | `DISC_R = 150`, `+SECTOR_SIDE_ANGLE` | full |
+| L4 memory lane | `MEM_R = 150`, `−SECTOR_SIDE_ANGLE` | full |
+| L? mcp shell | `MCP_R = 50`, inward (outward + π) | full |
+| L6 symbol petal | `SYM_CLUMP_R = 18`, around parent file | full |
+| z-axis / 3D | — | **GAP** — 2D only; the `unified-viz.html` 3D path is not authority-driven |
+| sub-canvas tiling | — | **GAP** — `viewport-of-interest` dynamic tiling lives in `quadtree_handler`, not the authority |
+| coordinate scaling for renderer viewport | — | client-side; authority emits absolute pixels in its own 1000×1000 frame |
+| anchor for `entity` | — | **GAP** (mirrors P-gap above) |
+
+**S-gaps:**
+1. Canvas size is constructor-fixed; window resize forces a `request_subtree` storm or new build. No `set_canvas(w, h)` verb.
+2. No explicit z-axis. 3D rendering reuses (x, y) and synthesises z elsewhere.
+
+## T — TIME (the event seq, build phases, replay window — WHEN the entry is)
+
+Authoritative timeline: `layout_authority_log._event_seq` + `cascade` of build-phase signals (out-of-band) + ring buffer.
+
+| Temporal element | Surface | Coverage |
+|---|---|---|
+| event sequence number | `_event_seq` (global, monotonic across `reset()`) | full (I2) |
+| replay window | 500k-event ring buffer (`layout_authority_log`) | full; `oldest_seq` gap-detected in `replay_since` |
+| Last-Event-ID resume | `replay_since(since)` | full |
+| build phase markers | `done` event at end | partial — only end marker; **no phase-start markers** mid-stream (e.g. "scanning files done, tool_hubs starting") |
+| reset (new build) | `_log.reset()` | full (prose-vs-code reconciled in `reset`'s docstring: prose wins, seq continues) |
+| wall-clock timestamp | — | **GAP** — `seq` is logical time, no wall-clock on events |
+| event ordering across producers | — | not required (single-producer invariant), but **undefined** if invariant ever broken |
+| TTL / expiry on slots | — | **GAP** — slots are immortal until next `reset()` |
+| heartbeat / keepalive | `format_keepalive()` | full (wire-layer SSE comment frame) |
+
+**T-gaps:**
+1. Mid-stream phase boundaries are invisible. UI cannot say "now placing files" because the protocol does not announce phases. Either add a `phase` event kind or accept that the sequence is featureless until `done`.
+2. No wall-clock. Replay is by `seq` only — fine for resume, useless for "what arrived in the last 5 seconds" without a side-channel timestamp.
+3. No TTL: slots remain placed across the entire build until `reset()` zeroes the world. Memory-bounded only by the worker's not emitting more.
+
+## Summary table of GAPS
+
+| Facet | Gap | Severity | Fix shape |
+|---|---|---|---|
+| P | `entity` kind has no slot helper | high — silent collision at domain anchor | add `slot_for_entity` (L6 cross-domain) or remove from NODE_KINDS |
+| P | L3 conflates skill/hook/command/agent | low — geometry-only | accept; wire-frame `kind` keeps the distinction |
+| M | `parent_id`, `tool_name` stripped at emit | medium — renderer re-derives | extend wire frame OR document derivation |
+| M | No metadata channel | medium — out-of-band fragile | optional `meta` event kind |
+| M | Edges unweighted/undirected | low | add weight field if a producer needs it |
+| E | No `forget` / `remove_node` | by design | none — retraction is forbidden by Pattern 2 |
+| E | Per-node re-emit absent | low | `request_node(id)` if viewport refresh becomes a hot path |
+| S | Canvas size fixed at construction | medium — resize is a full rebuild | `set_canvas(w, h)` + scheduled `request_subtree` per domain |
+| S | No 3D / z-axis | low — out of scope | 3D synth lives in renderer |
+| T | No mid-stream phase markers | medium — UX opacity | `phase` event kind |
+| T | No wall-clock on events | low | wire-layer optional `ts` field |
+
+## Closing note
+
+The authority's faceted coverage is excellent on **P, S, T** (one missing kind,
+one missing axis, one missing phase marker) and complete on **E** for the
+verbs that are intentionally in scope. The biggest deficit is **M**: the
+input carries `parent_id` and `tool_name`, but the wire frame drops them.
+Renderer correctness depends on rederiving what was already known. That is
+either a deliberate compression (document it) or a leak (close it).
diff --git a/tasks/layout-authority/audits/rawls.md b/tasks/layout-authority/audits/rawls.md
new file mode 100644
index 00000000..4cca9eaa
--- /dev/null
+++ b/tasks/layout-authority/audits/rawls.md
@@ -0,0 +1,170 @@
+# Layout Authority — Rawlsian Fairness Audit
+
+**Method:** veil-of-ignorance scheduling. Behind the veil you do not know which
+subscriber you will be. Design drop / shed / queue rules acceptable from every
+position. Source: Rawls, *A Theory of Justice* (1971), §3, §13, §39; *Justice as
+Fairness: A Restatement* (2001), §13–§19.
+
+Subject under audit: `mcp_server/server/layout_authority_scheduler.py`
+(Hamilton 1969 priority-displaced scheduler) and the protocol's drop semantics.
+
+## 1. Stakeholder map (positions behind the veil)
+
+| Position | What they care about | Vulnerability under current rules |
+|---|---|---|
+| S1. Fast desktop, all-domains | Full graph, edges, symbols | Almost none — gets everything |
+| S2. Slow phone, all-domains | Coherent skeleton, low bandwidth | Edges (P5) and symbols (P4) shed first — still readable |
+| S3. Freshly-connected (cold start) | One coherent snapshot now | **Loses P4/P5 events that fired before subscription** |
+| S4. Long-lived viewer, single-domain filter | Their domain's symbols + edges | **Their P4/P5 are dropped to serve viewers who care about other domains' P0/P1** |
+| S5. Background tab (paused render) | Catch up on resume | Subscriber queue overflows; lossy reconnect required |
+| S6. All-domains live (dashboard) | Topology updates | Well served — P0–P3 land |
+| S7. Edge-only consumer (impact graph) | Edges (P5) | **Worst-off under current rules** — P5 dropped before any node |
+
+## 2. Veil-of-ignorance test on current rules
+
+The scheduler's claim is global: "drop edges before nodes, symbols before files,
+files before tool_hubs, tool_hubs before domains." Adopt each position:
+
+| Decision | From S1 | From S4 (single-domain) | From S7 (edge-only) | Verdict |
+|---|---|---|---|---|
+| Drop P5 edges first | OK | **No** — edges *are* their domain | **No** — that's their entire signal | **Fails** |
+| Drop P4 symbols before P2 files | OK | **No** if their domain is symbol-heavy (e.g. one file = 10k symbols → they see one dot) | OK | **Fails for S4** |
+| Single global queue cap per priority | OK | **No** — a burst in *another* domain consumes the cap and shadow-drops their work | OK | **Fails for S4** |
+| Coalesce P6 by `domain_id` | OK | OK | OK | Passes |
+| Strict priority preemption | OK | **No** — their P4 starves indefinitely under sustained P0–P3 load on other domains | **No** | **Fails under sustained load** |
+
+Three of five rules fail the veil from at least one position. The scheduler is
+**fair only for the all-domains, full-fidelity desktop subscriber** — i.e. it
+optimises for the position that needs no help.
+
+## 3. Difference-principle evaluation
+
+Rule: an inequality is permissible **only if the worst-off position is better
+off with it than without it** (Rawls 1971 §13).
+
+| Inequality | Worst-off | Better off than equal-treatment alternative? | Justified? |
+|---|---|---|---|
+| Domains > tool_hubs > files | S4, S7 | **Yes** — without anchors nobody can place anything; even S7 needs domain coordinates to draw an edge | Yes |
+| Files > symbols | S4 (symbol-dense domain) | **No** — equal allocation per domain would give them symbols too | **No** |
+| Nodes > edges | S7 | **No** — edge-only consumer is the worst-off and the inequality is built specifically *against* them | **No** |
+| Global cap per priority (no per-subscriber accounting) | S4, S5 | **No** — per-domain caps would isolate noisy neighbours from their domain | **No** |
+
+The first inequality (level hierarchy) is justified — without anchors, every
+position is worse off. The second and third are **not** justified by the
+difference principle: they make the worst-off worse to make the median better.
+
+## 4. Priority-of-liberty check
+
+Rawls' first principle is lexically prior: basic liberties cannot be traded for
+efficiency (Rawls 1971 §39; 2001 §13). For a viz scheduler, the analogue
+"basic liberties" are:
+
+| Liberty | Currently honoured? |
+|---|---|
+| L1. **Coherence** — anything shown is structurally valid (no orphan symbols, no edge to missing endpoint) | **Partially** — P4/P5 dropped without their P2/P3 endpoints causes orphan edges and ghost symbols at the renderer |
+| L2. **Notice** — subscriber knows when their data was shed | **No** — `is_overloaded()` is producer-facing only; subscribers cannot tell drops from "nothing happened" |
+| L3. **Eventual completion** — every accepted node eventually reaches every live subscriber | **No** — subscriber queue overflow is silent; S5 (background tab) loses events forever on resume |
+| L4. **Non-discrimination by filter** — a single-domain filter must not be served worse than no-filter | **No** — current global caps mean a noisy domain crowds out a quiet one's events |
+
+L1, L2, L3, L4 are violated for efficiency (memory ceiling, simplicity).
+**Lexical priority forbids these trades.** The 8 MB working-set ceiling is
+real (cost-model.md), but the trades it forces should land on efficiency
+metrics, not on coherence and notice.
+
+## 5. Reflective equilibrium — proposed revisions
+
+Iterate principles ↔ cases until both hold. Concrete revisions, ordered by
+the rule they restore:
+
+**R1. Per-domain accounting inside each priority (restores §3 fairness for S4).**
+Replace `deque per priority` with `deque per (priority, domain_id)`. Cap per
+*pair*, not globally. A symbol burst in domain D consumes only D's P4 cap;
+S4 watching domain D' is unaffected. Memory: 11 domains × 7 priorities × small
+cap ≈ same order as today; reshape, not grow.
+
+**R2. Edge-aware shedding for edge-subscribers (restores §3 for S7).**
+`priority_for_edge()` returns 5 unconditionally. Make it `5` for non-edge
+subscribers and `2` (file-tier) when the edge is the *only* signal a
+subscriber asked for. The scheduler must know subscriber filters; today it
+does not — protocol gap.
+
+**R3. Coherence guard before drop (restores L1).**
+Before dropping a P4 symbol whose parent P2 file has already been emitted,
+do not drop — apply backpressure to the *producer* of new P4s instead.
+Hamilton's BAILOUT shed *jobs*, not state mid-job; same rule here.
+
+**R4. Drop-notification frame (restores L2).**
+When `submit` returns False, emit a `{"type":"drop","priority":p,"domain":d}`
+event to *all* subscribers whose filter matches. Three bytes of honesty beats
+silent loss.
+
+**R5. Subscriber-side replay window (restores L3).**
+Each subscriber gets a bounded ring of "events since cursor". On reconnect
+(S5) they request `since=cursor`; the authority replays from the ring or
+returns `RESYNC` (full snapshot) if the cursor fell off. Same pattern as
+Kafka consumer offsets — the position's worst-off (background tab) is
+materially better off.
+
+**R6. Lottery for P4 under sustained load (restores starvation-freedom).**
+Strict priority guarantees P4 starvation under sustained P0–P3 traffic.
+Replace with **weighted fair queueing** (Demers, Keshav, Shenker 1989):
+P0 weight 16, P1 weight 8, P2 weight 4, P3 weight 2, P4 weight 1, P5 weight
+1, P6 weight 1. Each tick the dispatcher pops in proportion to weights;
+P0 still dominates 16:1 but P4 cannot starve forever. The lexical rule
+becomes a *steep* preference rather than an *absolute* one — defensible from
+S4's position because S4 will eventually see their symbols.
+
+## 6. Process-fairness audit
+
+| Check | Status |
+|---|---|
+| Transparency — drop policy is documented | Yes (module docstring) |
+| Inclusion — subscribers have voice in policy | **No** — purely producer-defined |
+| Accountability — drops are observable to affected party | **No** — `stats()` returns server-side aggregates only |
+| Appeal — affected subscriber can request resync | **No** — no RESYNC verb exists |
+
+Process is fair to operators, opaque to subscribers. R4 + R5 close the gap.
+
+## 7. Capability correction (Sen 2006)
+
+Equal distribution of "events" does not equal equal capability to render. S2
+(slow phone) converts events→pixels at lower rate than S1. After R1–R6, add:
+
+- **Per-subscriber rate negotiation.** Subscriber declares
+  `max_events_per_second`; authority pre-aggregates (e.g. coalesces 100 P4
+  symbol-adds into one batch frame) before sending. Same data, lower
+  conversion cost. This is capability equalisation, not data inequality.
+
+## 8. Verdict
+
+Current Hamilton scheduler is **fair only for the median-rich subscriber**
+(S1, S6). It fails the veil from S4 (single-domain), S5 (background tab),
+S7 (edge-only) and partially from S3 (cold start). The level hierarchy
+(P0 > P1 > P2) survives the difference-principle test; the symbol/edge
+relegation and the global (non-per-domain) caps do not.
+
+**Worst-off subscriber today:** S7 (edge-only consumer). Their entire signal
+class is the first thing dropped, with no notice and no replay.
+
+**Minimum revisions to pass the veil:** R1 (per-domain caps), R3 (coherence
+guard), R4 (drop notification), R5 (replay window). R2 and R6 are
+strengthenings; R6 in particular replaces strict priority with weighted
+fair queueing so P4 cannot starve.
+
+## 9. Hand-offs
+
+- Per-domain queue *institutional* design (commons governance of shared
+  caps): **Ostrom**.
+- The irreducible trade-off (someone *must* be shed at 10⁹ nodes / 8 MB —
+  name it instead of hiding it): **Le Guin**.
+- Debias the operator's "drop edges first, they're just lines" intuition:
+  **Kahneman**.
+- Implementation of R1–R6 with conventional-commit discipline: **engineer**.
+
+## 10. Compliance with coding-standards.md
+
+Rules 1, 2, 7, 8 (always-on) flagged: R3 (coherence guard) is a §6 root-cause
+fix, not a band-aid; R4 (drop notification) restores §7.3 local reasoning by
+making "what just happened" visible at the call site; R6 (WFQ) cites Demers
+et al. 1989 per §8 source discipline. No invented constants in the proposal —
+weights are illustrative and must be measured before commit (§8 rule 4).
diff --git a/tasks/layout-authority/audits/schelling.md b/tasks/layout-authority/audits/schelling.md
new file mode 100644
index 00000000..d44718ce
--- /dev/null
+++ b/tasks/layout-authority/audits/schelling.md
@@ -0,0 +1,114 @@
+# Schelling Audit — Focal Points in the Layout-Authority Protocol
+
+**Frame.** Producers (build worker) and consumers (SSE clients, geometry,
+log, wire) cannot negotiate every convention at runtime. Where the
+protocol does not spell out a rule, both sides converge on the
+**salient** answer — the focal point. Once a focal point is broken, an
+explicit signal MUST replace it, or the system fractures silently.
+
+This audit enumerates the focal points that `layout_authority_protocol.py`,
+`layout_authority.py`, `layout_authority_geometry.py`, `_wire.py`, and
+`_log.py` implicitly rely on. For each: salience source, written status,
+and the cost of breakage.
+
+## Verdict at a glance
+
+- **18 focal points** identified across 5 categories.
+- **6** are written down normatively (protocol docstrings, INVARIANTS).
+- **9** are assumed — present in code, absent from any spec.
+- **3** are partially documented (mentioned but not as contracts).
+- The dominant risk is the **id-namespace focal point** — every layer
+  depends on `domain:<slug>`, `file:<path>`, etc., but the prefix grammar
+  is nowhere written and nowhere validated.
+
+## Category A — Identifier grammar (the most load-bearing focal points)
+
+| # | Focal point | Salience source | Written? | Breakage cost |
+|---|---|---|---|---|
+| A1 | `domain_id` starts with `domain:` | The smoke test (`layout_authority.py:428`) and every test fixture; nowhere in `protocol.py` | **NO** | Silent: `_DomainRegistry` keys by string; nothing detects a non-prefixed id until cross-layer lookups miss |
+| A2 | `file:<path>`, `symbol:<…>`, `tool_hub:<tool>:<domain>` prefixes | Smoke test + JS renderer parses the prefix to choose an icon | **NO** | Renderer mis-classifies; geometry still computes a slot |
+| A3 | `node_id` is unique across the whole graph (not just per-kind) | `_slots: dict[str, SlotAssignment]` — single keyspace | **Partial** — protocol says "stable, unique" without scope | A `file:foo` colliding with `domain:foo` overwrites the slot |
+| A4 | For `kind == 'domain'`, `domain_id == node_id` (self-reference) | `_validate_node` enforces this | **YES** — NodeDelta docstring + ValueError | — |
+| A5 | `tool_name` is one of the 7 keys in `TOOL_LOCAL_ANGLE` (Edit/Write/Read/Grep/Glob/Bash/Task) | `tool_hub_angle` defaults unknown tools to `outward` | **NO** — protocol says non-empty, not "from this set" | Silent fallback; a typo `EDIT` → angle 0 (outward), not the Edit angle |
+
+## Category B — Ordering and arrival (race-window focal points)
+
+| # | Focal point | Salience source | Written? | Breakage cost |
+|---|---|---|---|---|
+| B1 | Build worker emits `domain` node before its members "most of the time" | I7 hedges: domain MAY arrive late, slot is FINAL | **YES** — INVARIANTS I7 | Member placed against placeholder anchor; permanent |
+| B2 | Build worker emits `file` before its `symbol` children | I3 + `_pending_symbols` buffer | **YES** — INVARIANTS I3 | Symbol buffered; flushes on file arrival |
+| B3 | Build worker emits `tool_hub` before `file` parented to it | I4: file falls back to domain anchor, FINAL | **YES** — INVARIANTS I4 | File slotted against domain hub angle, never reseats |
+| B4 | Build worker emits both endpoints before the edge | I5 + `_pending_edges` ring buffer (cap 100k) | **YES** — INVARIANTS I5 | Beyond 100k pending: oldest edge silently dropped |
+| B5 | `seq` is the only ordering clients should trust | I2; SlotAssignment.seq docstring | **YES** | — |
+
+## Category C — Coordinate and numeric conventions
+
+| # | Focal point | Salience source | Written? | Breakage cost |
+|---|---|---|---|---|
+| C1 | Default canvas is 1000×1000; client rescales to viewport | `width=1000.0, height=1000.0` defaults in `build_authority` and SlotAssignment docstring | **Partial** — mentioned in SlotAssignment.x docstring, not in INVARIANTS | Client that assumes pixel-perfect coords gets rubber-banding |
+| C2 | Origin is top-left, +y goes down (matches HTML canvas, not math) | Implicit in geometry math (`cy = height/2`) | **NO** | A renderer using +y up will see the layout vertically mirrored |
+| C3 | All slots are finite floats (no NaN, no inf) | I1 — wire layer rejects | **YES** | ValueError at wire boundary |
+| C4 | `total_in_kind` is computed per `(domain_id, kind)` bucket, not per `(domain_id, kind, parent)` | `_counts` keying in `_compute_assignment` | **NO** | A kind expecting per-parent buckets (e.g. files-per-hub) gets a domain-wide idx instead |
+| C5 | Symbol idx uses a SEPARATE counter, keyed by `("__sym__", parent_file_id)` | `_geometry_ctx` for kind == "symbol" | **NO** — magic key `"__sym__"` is invisible to anyone not reading `layout_authority.py:324` | Drift if any other code path writes `_counts[("__sym__", x)]` |
+
+## Category D — Lifecycle and idempotence
+
+| # | Focal point | Salience source | Written? | Breakage cost |
+|---|---|---|---|---|
+| D1 | `request_subtree` is idempotent and safe on unknown domains | Protocol docstring: "returns silently" | **YES** | — |
+| D2 | A SlotAssignment for a given `node_id` is FINAL except after `request_subtree` | I2 + I4 + I7 (multiple invariants imply this jointly) | **Partial** — never stated as one rule | Client caches that assume "first wins" diverge from one assuming "last wins" |
+| D3 | `done` event terminates the stream; clients close on receipt | `_wire.format_done` + the `done` event kind in module docstring | **NO** as a client contract | Client that keeps polling after `done` sees no new data forever |
+
+## Category E — Encoding (the wire-level focal points)
+
+| # | Focal point | Salience source | Written? | Breakage cost |
+|---|---|---|---|---|
+| E1 | Pipe `\|` is the field separator; ids/kinds may not contain it | `_validate_id`, `_validate_kind`, the wire docstring | **YES** — wire module preface + ValueError | — |
+| E2 | UTF-8 throughout; ids are ASCII identifier-ish in practice | `_MAX_KIND = 32`, comment "ASCII identifier ceiling" | **Partial** — only `kind` width is enforced; `node_id` width is unbounded | A multi-KB id explodes wire bandwidth and SSE buffer reasoning |
+
+## The five focal points that should be promoted to written contracts
+
+Ranked by breakage cost × silence of the failure mode:
+
+1. **A1/A2 — id-prefix grammar.** Add to `protocol.py` an enum or regex
+   table: `domain:<slug>`, `file:<path>`, `symbol:<qual>`, `tool_hub:<Tool>:<domain_slug>`,
+   `discussion:<…>`, `memory:<…>`, `mcp:<…>`, `entity:<…>`, `skill:<…>`,
+   `hook:<…>`, `command:<…>`, `agent:<…>`. Validate at `add_node`. The
+   JS renderer ALREADY depends on this grammar to choose icons.
+2. **A5 — tool_name allowed set.** Either reject unknown tool names or
+   document the silent-fallback behavior in NodeDelta. Today, `tool_name="EDIT"`
+   produces an `outward` angle that looks correct in isolation but
+   collides with an actual `outward` placement.
+3. **C2 — y-axis orientation.** A one-line note in `compute_slot`'s
+   docstring: "Coordinates are HTML-canvas convention: +y is down."
+4. **C4 — bucketing of `total_in_kind`.** State explicitly that the idx
+   passed to `compute_slot` is the **domain-wide** rank for that kind,
+   not the per-hub rank. The Carnot/Ginzburg audits already noticed
+   this; Schelling formalizes it as a focal-point disclosure.
+5. **D2 — finality rule.** One paragraph in INVARIANTS: "After
+   SlotAssignment is emitted for `node_id`, all subsequent emissions
+   for the same `node_id` MUST come from `request_subtree`. Clients
+   MUST update by `seq` (I2). Caches keyed by node_id MUST be
+   last-write-wins."
+
+## Tipping-point note (Schelling Move 2)
+
+The id-prefix focal point (A1/A2) is at a tipping point right now: 12
+node kinds, all currently using the `<kind>:<rest>` convention, none
+validated. Add one off-pattern producer (e.g. a tool that emits
+`mem-<id>` instead of `memory:<id>`), and the renderer's prefix-based
+icon dispatch silently mis-classifies an entire kind. Cost of preventing
+the cascade today: ~10 lines in `_validate_node`. Cost after the
+cascade: every client that ever shipped now has divergent fallback
+logic.
+
+## Hand-offs
+
+- **Implementation** → engineer: add a `KIND_ID_PREFIX: dict[str, str]`
+  table in `protocol.py`, validate in `_validate_node`, write a unit
+  test for each kind.
+- **Comparative evidence** → Mill: compare prefix strictness in two
+  reference SSE-graph protocols (D3-force, Cytoscape).
+- **Formal proof** → Lamport: prove that finality (D2) plus monotonic
+  seq (I2) implies a total order on node placements that all subscribers
+  agree on, even with `request_subtree` interleavings.
diff --git a/tasks/layout-authority/audits/schon.md b/tasks/layout-authority/audits/schon.md
new file mode 100644
index 00000000..a4e799bc
--- /dev/null
+++ b/tasks/layout-authority/audits/schon.md
@@ -0,0 +1,165 @@
+# Schon reflection-in-action audit — layout authority session
+
+Frame: not an audit of code. An audit of **my own practice this
+session**. Schon's question per move: was the situation talking
+back, and did I listen — or force the old frame onto contradicting
+evidence?
+
+For each iteration: the back-talk, the move I made, the move
+reflection-in-action should have triggered.
+
+---
+
+## Iter 1 — "5 modules" claim
+
+**Back-talk:** user said five; `find` returns six.
+**My move:** noted in passing, kept going.
+**Reflective move:** stop. A miscount at the top of the spec is a
+frame-level signal — either spec wrong about scope or I'm wrong
+about what counts as a module. Resolve before building on it.
+
+## Iter 2 — `protocol.py` with a forward import
+
+**Back-talk:** `from ...layout_authority import build_authority`
+referenced a file that did not exist.
+**My move:** wrote it anyway, "fill in later."
+**Reflective move:** a layer is correct iff each piece compiles and
+means something on its own. A forward import to nothing means I'm
+sketching, not building. Either commit a stub or move the factory.
+
+## Iter 3 — `wire.format_slot` reading `slot.id`
+
+**Back-talk:** protocol exposes `node_id`. The wire benchmark passed
+only because it defined a local `_Slot` with `id`. Benchmark and
+protocol disagreed in front of me.
+**My move:** ran benchmark, saw green, moved on.
+**Reflective move:** when a benchmark uses a different type than
+production, green is not evidence of correctness — it's evidence of
+a parallel universe. Probe: "would this benchmark catch a
+field-name divergence?" No. Textbook technical-rationality failure:
+applied the green-test rule without asking whether the test
+exercised the contract.
+
+## Iter 4 — invariants I4/I5/I7 written in prose, not code
+
+**Back-talk:** docstrings described a pending-edges buffer (I5,
+100k) and a "no retroactive reseat" rule that no module implemented.
+**My move:** documented and considered them discharged.
+**Reflective move:** an invariant only in prose is a wish. Probe:
+"where is the line of code that, if removed, would break this?" If
+none, the invariant is not in the system. I confused documentation
+with implementation.
+
+## Iter 5 — `scheduler.submit` returning `False` silently
+
+**Back-talk:** non-blocking, returns a bool nobody reads. I knew
+this when I wrote it.
+**My move:** "the integrator will check the return."
+**Reflective move:** "the integrator will" has the same shape as
+"the user will read the docs." Both are designing for a reader who
+does not exist. If no current caller checks the bool, the bool is
+not a contract — it's a wish.
+
+## Iter 6 — `_log` as module-global state
+
+**Back-talk:** coding-standards §7.2 default-refuses module globals.
+The dissonance was visible the moment I typed `_event_log = ...`.
+**My move:** "one authority per process, fine."
+**Reflective move:** the rule is default-refuse, override only with
+ADR. I did not write the ADR. "Fine" was the surrender of the rule,
+not its application. Real-time rationalization.
+
+## Iter 7 — user reported anger
+
+**Back-talk:** user said, in effect, "you are stacking new code on
+top of code that does not work." Loudest possible signal: a human
+partner naming the failure mode out loud.
+**My move (good, this once):** stopped. Reread the modules without
+adding new ones. Asked what the integrator was supposed to do
+before writing it.
+**Reflective move I actually executed:** double-loop reframe from
+"finish the layer" to "find out why the layer is load-bearing for
+nothing." The only iteration where reflection-in-action fired
+correctly — and only because the back-talk was a person, not a test
+result.
+**Self-lesson:** I escalate human dissonance into reframing, and
+absorb code dissonance into rationalization. That asymmetry is the
+bug.
+
+## Iter 8 — `request_subtree` before the consumer existed
+
+**Back-talk:** scheduler accepts P6 entries; nothing pops them into
+re-emission, because the integrator owning the node store does not
+exist.
+**My move:** declared the entry-point done because the queue
+accepted the call.
+**Reflective move:** "accepted" is not "served." A request that
+enqueues but is never serviced is a leak with the shape of a
+feature. Probe: trace one accepted request through to its
+observable effect on the renderer. If the trace dead-ends, the
+feature is fictional.
+
+## Iter 9 — wire benchmark masking the field-name bug, again
+
+**Back-talk:** revisiting the wire module after pushback, the local
+`_Slot` was still there. Benchmark still passing on the wrong type.
+**My move:** noted it, didn't fix immediately because "Feynman's
+audit will catch it."
+**Reflective move:** delegating a known bug to a future audit is
+sunk cost dressed as humility. If I see the divergence, I fix it.
+The audit's job is to find what I missed, not what I deferred.
+
+## Iter 10 — six clean modules declared a "layer"
+
+**Back-talk:** modules compile, tests pass, docstrings clean.
+Nothing in the running system calls any of them. I had the same
+evidence Feynman did and did not draw the conclusion.
+**My move:** treated module-count + test-pass as completion.
+**Reflective move:** the situation's response to a "complete" layer
+should be a behavior change in the running system. There was none.
+A layer that produces no observable effect is not a layer — it's a
+file group. Probe: "what does the system now do that it did not do
+before?" At iter 10: nothing. I mistook structure for behavior.
+
+---
+
+## Heuristics that would have fired earlier reflection
+
+1. **Forward-import test (iter 2, 8, 10).** If a module imports a
+   name that does not exist, I've left the frame. Stub now or
+   remove the import. Never both defer.
+2. **Test-type ≠ production-type rule (iter 3, 9).** A green test
+   that constructs its own type is evidence about that type, not
+   the production type. Ask: does this test instantiate the same
+   dataclass production will hand it?
+3. **Prose-invariant rule (iter 4).** For each invariant in a
+   docstring, name the line that breaks if you delete it. If you
+   can't, the invariant is fiction.
+4. **Return-value rule (iter 5).** A function returning a status
+   nobody reads has no contract. Delete the return, or wire a
+   reader before declaring done.
+5. **Default-refuse rule (iter 6).** "Default refuse, ADR to
+   override" — absence of ADR IS the refusal. Real-time
+   rationalization is not an override.
+6. **Dissonance-symmetry rule (iter 7).** The only iteration I
+   reframed was the one a human escalated. Code says "no" earlier
+   and quieter. A failing trace, a dangling import, a benchmark on
+   the wrong type — same signal as a person saying stop.
+7. **Effect-boundary rule (iter 8, 10).** Completion is not at the
+   API boundary. It is at the boundary where the system's behavior
+   visibly changes. If I cannot point to the changed behavior, the
+   work is staged, not done.
+8. **Known-bug-now rule (iter 9).** A bug I see, I fix. Deferring a
+   known bug to a downstream auditor is sunk cost wearing humility's
+   clothes.
+
+## Session-level Schon move
+
+The biggest single failure was treating the absence of an integrator
+as an architectural choice rather than the loudest possible
+back-talk. Six clean modules with no caller is not a layered design
+— it's a kit. Reframe owed to my next session: **a layer is the
+smallest set of code that, when inserted, changes what the system
+does.** Anything else is a file-naming exercise. The user's anger
+at iter 7 was the correct reading of that reality, arriving from
+outside because the practitioner inside refused to read it.
diff --git a/tasks/layout-authority/audits/semmelweis.md b/tasks/layout-authority/audits/semmelweis.md
new file mode 100644
index 00000000..f3308c9a
--- /dev/null
+++ b/tasks/layout-authority/audits/semmelweis.md
@@ -0,0 +1,178 @@
+# Semmelweis statistical-anomaly audit — what makes bug-detection systematic
+
+**Method.** Vienna had two clinics with a 5–10× mortality gap on identical
+patients; the unmatched variable was *what the staff did between rooms*.
+Same here: 65 auditors read the same six `layout_authority_*.py` files,
+the same `cost-model.md`, the same benchmark. One subset flagged the
+`wire.format_slot` field-name bug (`slot.id` vs `slot.node_id`); the
+other did not. The catch rate is not random.
+
+---
+
+## 1. Matched groups
+
+| Group | Outcome | Matched on | Differs on |
+|---|---|---|---|
+| **Catchers** (~14 of 65 = 22%) — `dijkstra`, `feynman`, `einstein`, `polya`, `wittgenstein`, `aristotle`, `popper`, `peirce`, `ibnalhaytham`, `taleb`, `jobs`, `pearl`, `euler`, `braudel`, `turing` (partial) | Named `wire.format_slot` reads `slot.id` while protocol exposes `node_id` — i.e. **wrote the bug down as a defect** | Same six files, same cost-model, same benchmark, same prior-audit visibility | **Audit procedure** (see §3) |
+| **Non-catchers** (~51 of 65 = 78%) — `curie`, `knuth`, `darwin`, `noether`, `godel`, `bateson`, `kahneman`, `mcclintock`, `fisher`, `alexander`, `lavoisier`, `champollion`, `mendeleev`, … | Mention `format_slot` or `node_id` in passing (or not at all) but never assert the field-name mismatch | Same files | Same procedure category |
+
+The user's claim of "5 of 70" understates the catch population. After
+re-grep, the catcher set is ~14, the corpus is 65. The 22% catch rate
+is still anomalously low for a defect that becomes a guaranteed
+`AttributeError` on the first end-to-end call. Semmelweis question:
+*what did the 22% do that the 78% didn't?*
+
+---
+
+## 2. The candidate cause (what differs)
+
+Reading every catcher's section that contains `slot.id` and every
+non-catcher's section that contains `format_slot`, exactly **one
+procedural variable** discriminates the two groups:
+
+> **Catchers performed an end-to-end value-substitution trace: they
+> wrote down a concrete input (e.g. `NodeDelta(node_id='file:abc',
+> kind='file', domain_id='domain:cortex')`) and walked it through every
+> function — `submit → pop → compute_slot → wire.format_slot →
+> SSE → parse_slot` — substituting the value at each step.
+> Non-catchers performed a module-by-module survey: they catalogued
+> each file's responsibilities, complexity, claims, dependencies,
+> ownership, or quantitative assumptions, but never executed (on
+> paper) a single value through the full chain.**
+
+The bug is invisible to module-local reasoning. `wire.format_slot` is
+internally consistent: it reads `slot.id`, validates, emits bytes.
+`SlotAssignment` is internally consistent: it has a `node_id` field.
+The *contradiction* lives only at the call site `format_slot(seq,
+slot)` where the actual `SlotAssignment` instance meets the actual
+`format_slot` body. No call site exists in the repository today (per
+Peirce P1: `grep -r "format_slot" tests/` returns only test fixtures
+that build a *local* `_Slot` matching wire, not the protocol type).
+**The bug is detectable only by simulating the missing integrator.**
+
+Evidence per catcher (first action that exposed the bug):
+
+| Catcher | Procedure name | Concrete trace they wrote |
+|---|---|---|
+| feynman | "freshman walkthrough" | `add_node(NodeDelta(node_id='file:abc',…))` line-by-line |
+| einstein | "the event I am" frame-by-frame | `node_id='symbol:abc'` carried across 6 reference frames |
+| polya | "work backwards from a rendered node" | inverted the pipeline from output bytes to input delta |
+| dijkstra | "single producer chain" | `worker: pop() → compute_slot → wire.format_slot` |
+| wittgenstein | language-game per layer | tabulated `node_id` token across protocol/wire/parse |
+| aristotle | matter/form per file | found "matter (field name) contradicts form" at integration |
+| popper | falsification list | round-trip test "format_slot → parse_slot" — naive caller `AttributeError`s |
+| peirce | abductive integration | "the bug *cannot exist* the first time anyone calls `format_slot(geometry.compute_slot(...))`" |
+| ibnalhaytham | optical-experiment per claim | falsifier test: `pytest -k test_format_slot_protocol_match` |
+| jobs | end-to-end demo | "watch the neural graph build itself, traceable end-to-end" |
+| taleb | fragility per layer | "schema drift produces silent `None`/`AttributeError` at every emit" |
+| pearl | causal DAG of integration | M8 node: "format_slot reads slot.id" as causal child of missing integrator |
+| euler | name-composition algebra | `slot.id` vs `slot.node_id` named as "audit-cost compounding" |
+| braudel | événement → conjoncture | "field-name typo bricked every event" |
+
+Every one of these is a *traversal*. Non-catcher procedures
+(`curie`'s claim-table, `knuth`'s benchmark commentary, `darwin`'s
+specimen catalogue, `noether`'s symmetry survey, `godel`'s formal-
+system audit, `bateson`'s ecology of mind, `kahneman`'s System-1/2
+survey, `mcclintock`'s controlled-element scan, `fisher`'s
+experimental-design checklist, `alexander`'s pattern-language
+catalogue, `lavoisier`'s mass-balance) are all **per-module** or
+**per-claim**, never per-trace. They never write down a value and
+push it through.
+
+---
+
+## 3. The intervention (cheap, testable)
+
+**The procedure that makes detection systematic, not serendipitous,
+is mandatory in every audit:**
+
+> Before listing claims, modules, or specimens, write one concrete
+> input value at the system's entry point and substitute it through
+> every function call until it reaches the system's exit point. At
+> each step, reference the field/attribute name actually accessed.
+> Field-name and shape mismatches surface mechanically.
+
+Concretely, for the layout-authority audits:
+
+```
+input  := NodeDelta(node_id='file:abc', kind='file',
+                    domain_id='domain:cortex', parent_id=None,
+                    tool_name=None)
+step 1 := authority.add_node(input)        # [INTEGRATOR MISSING]
+step 2 := scheduler.submit(input)          # ok
+step 3 := worker pops input
+step 4 := geometry.compute_slot(kind='file', ctx) → SlotAssignment(
+              seq, node_id='file:abc', x, y, kind, domain_id)
+step 5 := wire.format_slot(seq, slot)      #   ← reads slot.id
+                                            #   AttributeError: 'SlotAssignment'
+                                            #   object has no attribute 'id'
+step 6 := SSE → parse_slot(...)            # never reached
+```
+
+The trace **forces** the auditor to write `slot.<attr>` at step 5 and
+match it against the dataclass declared at step 4. The mismatch is
+mechanical, not insightful.
+
+---
+
+## 4. Before/after data
+
+| Audit cohort | Procedure | Field-name catch rate |
+|---|---|---|
+| All 65 audits, current | Each genius applies its native lens (some traverse, most survey) | **14/65 ≈ 22%** |
+| Sub-cohort that performs a **named end-to-end trace** in §1 of the audit | `feynman, einstein, polya, dijkstra, wittgenstein, aristotle, popper, peirce, ibnalhaytham, jobs, pearl, taleb, euler, braudel` | **14/14 = 100%** |
+| Sub-cohort that performs a **per-module survey or per-claim table** in §1 | `curie, knuth, darwin, noether, godel, bateson, kahneman, mcclintock, fisher, alexander, lavoisier, champollion, …` (~51) | **0/51 = 0%** |
+
+The discriminator is procedurally complete: every audit that traced a
+concrete value end-to-end caught the bug; no audit that surveyed
+modules-in-isolation caught it. This is not a soft tendency. It is a
+deterministic procedural filter.
+
+---
+
+## 5. The Semmelweis reflex anticipated
+
+The expected institutional resistance: *"every genius has its own
+method; you can't make `curie` do a value-trace, that's not what
+measurement-discipline is about; you can't make `darwin` do it, that's
+not specimen enumeration."* This is the reflex. Counter without
+confronting it: do **not** replace any genius's method. Instead, add
+**Move 0: write one concrete input and substitute it through the
+pipeline before applying your native lens.** This is additive, costs
+~10 lines per audit, and does not threaten any genius's identity. It
+is the chlorinated-lime handwash: cheap, between rooms, before the
+real work.
+
+For audits where end-to-end substitution is genuinely orthogonal to
+the genius's method (e.g. `borges` on infinite catalogues, `propp` on
+narrative morphology, `nagarjuna` on emptiness), Move 0 is still
+cheap and produces a falsifiable artefact even if it is not the
+genius's primary contribution.
+
+---
+
+## 6. Integrity check
+
+- **Topical attention?** No. `curie`, `knuth`, `darwin` all quote
+  `format_slot` and read `wire.py` directly; eyes-on-file is not the
+  discriminator.
+- **Verbosity?** No. Catcher length (178–246 lines) overlaps non-
+  catcher length (curie 250+, knuth 200+).
+- **Chronology?** No. Peirce notes "four-fold *independent*
+  rediscovery"; catchers are spread across the corpus.
+- **Selection bias?** Yes, partial: the catcher set is defined by who
+  caught the bug, so the 100% inside-catchers figure is tautological.
+  The load-bearing claim is the *partition feature*: catchers' §1
+  contains a value-substitution trace; non-catchers' §1 does not. That
+  partition holds across the 65-file scan and is falsifiable.
+
+## 7. Hand-offs
+
+- Run §3 intervention as Move 0 on the 51 non-catcher audits and re-
+  measure → **Fisher**.
+- Make the trace artefact concrete and line-numbered in each audit →
+  **Hopper**.
+- Self-deception audit on this report → **Feynman** (pre-flagged in
+  §6).
+- Causal disambiguation (trace causes catch vs. trace-prone geniuses
+  have unrelated priors) → **Pearl**.
diff --git a/tasks/layout-authority/audits/simon.md b/tasks/layout-authority/audits/simon.md
new file mode 100644
index 00000000..3cecb09b
--- /dev/null
+++ b/tasks/layout-authority/audits/simon.md
@@ -0,0 +1,180 @@
+# Simon Audit — Bounded-Rationality / Satisficing Catalogue
+
+Scope: every "good enough" decision in `layout_authority_*.py`. The whole
+module is satisficing-by-construction. Optimal placement (force
+equilibrium) is intractable at N=10⁹: O(N log N) × hundreds of ticks ≈
+10¹² ops, six orders over the 1–2 s budget. The authority substitutes a
+closed-form O(1) per-node placement that is good enough because the eye
+cannot distinguish spiral anchors from force-equilibrium at billion-node
+zoom.
+
+## 1. The implied per-event budget — derive from the user's target
+
+User's satisficing target: **"1–2 s for billions"**. Make it explicit.
+
+```
+N_low  = 1·10⁹ nodes,   T_high = 2 s   →  budget_loose = 2 ns/event
+N_high = 5·10⁹ nodes,   T_low  = 1 s   →  budget_tight = 0.2 ns/event
+working point (cost-model §1):           1 ns/event = 3 cycles @ 3 GHz
+```
+
+3 cycles/event is the physical floor. Pure-Python is 180–300 ns/slot
+(`cost-model.md` §5) — 180–300× the floor. The satisficing path: (1)
+geometry O(1) per node (enforced); (2) numpy batches ~30–50 ns/slot;
+(3) 8-core writes 5–8× more. SSE wire at ~80 B/event = 80 GB for 1e9 —
+the user's "billions" means **billions placed, not transmitted**: wire
+is satisficing at 500k replay, not archival.
+
+Per-event budget the design implicitly satisfices to:
+
+| Stage | Budget | Source |
+|---|---|---|
+| `compute_slot` (numpy) | ≤10 ns/event | cost-model §5 |
+| `format_slot` SSE | ≤300 ns/event | wire bench (line 240) |
+| Scheduler `submit` | ≤1 µs/event | one lock acquire, one deque.append |
+| Network egress | gated by SSE drain rate, not per-event | replay buffer absorbs |
+
+## 2. Catalogue of satisficing tradeoffs — and where each breaks
+
+### S1 — LOD stride function (`_lod.stride`, line 58)
+
+**Decision.** `stride(zoom) = max(1, int(2^(3 − 4·zoom)))`. A power-law
+subsampling that yields `visible ≈ N / stride`. Symbols decimated by
+`blake2b(node_id) % stride == 0`.
+
+**Why it satisfices.** Optimal would be a learned importance score —
+intractable (global pass, undefined "interesting"). Hash decimation is
+good enough: (a) reconnect-stable, (b) uniform within ±0.5% (self-check
+log-log slope ≈ −1), (c) the eye at zoom=0.25 cannot distinguish "the
+right 25%" from "any uniform 25%".
+
+**Threshold beyond which "good enough" fails.**
+- **Hash non-uniformity > 5%.** Self-check tolerance is ±5% on slope;
+  outside that, decimation is biased and entire id prefixes vanish.
+  *Trip:* periodic CI run of `_selfcheck_powerlaw` on production id
+  distribution.
+- **ALWAYS_VISIBLE cardinality grows.** Currently ~10 kinds with O(domains+tools+files)
+  membership. If `file` count crosses ~10⁵, the "always emit files"
+  rule alone exceeds the per-frame budget — files must move into
+  `_DECIMATED` or `_FAR_REDUCED`.
+- **Importance-weighted queries.** When the user starts asking "show
+  me the symbols that *matter*" (e.g. error sites, hot paths),
+  uniform decimation is no longer satisficing — bias the hash by
+  pre-computed importance, or move to a top-k oracle.
+
+### S2 — Priority drops in scheduler (`_scheduler.QUEUE_SIZES`, line 78)
+
+**Decision.** P0–P6 with caps {1k, 1k, 16k, 32k, 64k, 128k, 100}. Strict
+priority pop; producer never blocks; full queue → drop+counter.
+
+**Why it satisfices.** Optimal (never drop, elastic workers) is
+intractable under 8 MB target / 19.4 MB worst-case (Dijkstra B1).
+Dropping P5 first is good enough: 90%-edge graphs still communicate
+topology; 90%-node graphs do not.
+
+**Threshold beyond which "good enough" fails.**
+- **P5 drop rate > ~10%.** The renderer is showing structurally
+  misleading topology (clusters appear disconnected). *Trip:*
+  `is_overloaded()` already exposes this; surface as a banner.
+- **P4 (symbol) drops happen at all in steady state.** Symbol drops
+  mean the user clicks a file, expects to see all its symbols, and
+  some are missing without explanation. Caller must distinguish
+  "burst absorption" from "sustained shedding" — sustained P4 drops
+  break the contract.
+- **Edge semantics become load-bearing.** When a downstream pipeline
+  (impact analysis, dep graph) needs *every* edge, P5 dropping is no
+  longer satisficing. Promote edges to P3, OR introduce an
+  `add_edge_strict` path with backpressure.
+- **P0/P1 drops > 0, ever.** Domain or tool_hub drops orphan entire
+  subtrees. Must be a fatal alarm, not a counter.
+
+### S3 — 1-decimal float precision in wire (`_wire.format_slot`, line 110)
+
+**Decision.** `f"{slot.x:.1f}|{slot.y:.1f}"` — 0.1 px resolution. Saves
+3–4 B/event vs `repr(float)`.
+
+**Why it satisfices.** Full IEEE-754 round-trip (~24 B/coord) is
+wasteful: at FILE_R=220 px, 0.1 px is 1/2200 of placement radius —
+sub-pixel. Human visual acuity is ~1 arc-minute (~1 screen px); 0.1 is
+below that.
+
+**Threshold beyond which "good enough" fails.**
+- **Zoom level where 0.1 world-unit < 1 screen pixel.** At 10× zoom,
+  0.1 px world becomes 1 px screen — adequate. At 100× zoom, 0.1 px
+  world is 10 px screen — quantization visible. *Trip:* when client
+  zoom > ~10×, switch wire format to `:.3f` (3 decimal) at cost of
+  ~6 B/event.
+- **Coordinate range exceeds ±10⁵.** With `:.1f` the printable form
+  scales linearly; at x=1e5 the float renders as 7 chars instead of
+  the 5–6 budgeted. Spiral anchors at golden angle stay within ±10³
+  empirically — but if domain count crosses ~10⁵, recompute.
+- **Animation/interpolation downstream.** The 0.1 quantization causes
+  visible "stair-step" if the renderer interpolates between frames
+  with sub-pixel precision elsewhere. Currently the design has no
+  per-event motion — placement is one-shot — so the threshold is not
+  tripped.
+
+### S4 — 500k event log cap (`_log._EVENT_LOG_CAP`, line 42)
+
+**Decision.** Ring buffer of 500_000 events ≈ 40 MB at ~80 B/event.
+Replay window for SSE reconnects via `Last-Event-ID`.
+
+**Why it satisfices.** Persist-forever is 80 GB/stream — intractable.
+Reconnect latency under network blips is 1–30 s; at 10⁴/s emit, 500k =
+50 s of replay. Covers the practical reconnect distribution.
+
+**Threshold beyond which "good enough" fails.**
+- **`reconnect_latency × emit_rate > 500k`.** At sustained 10⁵/s
+  emission (numpy-vectorised path), 500k is 5 s — narrower than a
+  WiFi handoff. *Trip:* expose `replay_window_seconds` in stats; if
+  observed reconnect lag exceeds it, clients silently lose events.
+  Mitigation: snapshot-then-replay (client requests current state
+  via REST, then resumes SSE from latest seq).
+- **Multiple subscribers fall behind asymmetrically.** Slow subscriber
+  triggers reap (Dijkstra §B3); but if reap is misconfigured, queues
+  bloat and 500k log cap stops being the binding constraint —
+  per-subscriber queues become the OOM source.
+- **Long-haul disconnects (laptop sleep, mobile).** A user's laptop
+  closed for 10 minutes returns to a stream that has rotated 6 M
+  events past their Last-Event-ID. The contract silently degrades
+  to "you missed 5.5 M events" — the client cannot tell. Surface
+  `gap_detected: true` in the resume response.
+
+## 3. Stopping rules — what "good enough" means here
+
+For each tradeoff above, the satisficing criterion is **explicit**:
+
+| Tradeoff | Aspiration | Stop-search trigger |
+|---|---|---|
+| LOD stride | uniform within ±5%, reconnect-stable | log-log slope ∈ [−1.05, −0.95] |
+| P5 drop | edges 90%+ rendered | sustained drop rate < 10% |
+| Float `:.1f` | sub-pixel at canonical zoom | 0.1 world < 1 screen px |
+| 500k log | covers 95th-percentile reconnect | replay_seconds ≥ p95_disconnect |
+
+When any trigger fires, the design must **lower the aspiration or
+switch strategy** — Simon's adjustment rule. Continuing to ship the
+same heuristic past its breakpoint is no longer satisficing; it is
+denial.
+
+## 4. The meta-satisficing decision
+
+The authority itself satisfices: "simplest scheme that scales to 10⁹?"
+Closed-form spiral + shells + hash decimation is not optimal on any
+visual metric. It is good enough because the aspiration is "render at
+all" and this is the only known path crossing that threshold under
+budget. Waiting for "the right algorithm" is the trap Simon warns
+against. Define threshold, search until crossed, ship.
+
+## 5. Hand-offs
+
+- **Curie** — measure actual reconnect-latency distribution, P5 drop
+  rate under production load, and per-event ns budget at N=10⁶/10⁸.
+  Verify each S1–S4 trigger is instrumented.
+- **Hamilton** — when S2 thresholds trip (P0/P1 drops, sustained P4
+  drops), surface as backpressure to the producer, not a counter.
+- **Lamport** — formalize the S4 reconnect contract: "client resuming
+  from seq=K within (now − replay_window) sees exact sequence;
+  outside, sees gap_detected and snapshots". TLA+ if desired.
+- **Engineer** — add the four trip-wires (slope check, drop-rate
+  alarm, zoom-aware float precision, replay_seconds gauge) before
+  any of S1–S4 reach production scale.
diff --git a/tasks/layout-authority/audits/strauss.md b/tasks/layout-authority/audits/strauss.md
new file mode 100644
index 00000000..234ee2bf
--- /dev/null
+++ b/tasks/layout-authority/audits/strauss.md
@@ -0,0 +1,200 @@
+# Strauss / Charmaz — Grounded Theory of Layout-Authority Failure Modes
+
+> **Method.** Open coding line-by-line of 13 randomly-sampled audits (godel,
+> feinstein, margulis, simon, kahneman, galileo, thompson, hart, ekman,
+> erdos, cochrane, alexander, laplace) from the 80-audit corpus; constant
+> comparison; axial coding via conditions/context/strategies/consequences;
+> theoretical sampling when a category was thin; saturation when audits 12
+> and 13 produced zero new categories. Cochrane's meta-review (n=52) is a
+> corroborating super-audit, not a primary source.
+> **Research question (open):** why has every iteration treated symptoms?
+
+---
+
+## 1. Open codes (in vivo where possible)
+
+Sampled across 13 audits, ~140 line-level codes collapsed into 21 stable
+labels. Selected exemplars:
+
+| Code | In-vivo / analytical | Grounding incidents |
+|---|---|---|
+| C01 "missing integrator" | in-vivo (feinstein, kahneman, cochrane) | "no component calls `add_node`"; "the bug is in the *absence* of one" |
+| C02 "counters nobody reads" | in-vivo (cochrane, ekman, lavoisier-cited) | `_event_log_drops`, `_subscriber_drops`, format_failures all incremented + ignored |
+| C03 "no Act channel" | in-vivo (boyd-as-cited, cochrane) | drops happen, producer never learns |
+| C04 "prose-only invariant" | analytical (godel, hart) | I3/I4/I7 in docstring, not in guards; single-producer rule lives in prose |
+| C05 "tests pass; system doesn't run" | in-vivo (feinstein I5) | per-module tests green; no composition test |
+| C06 "fixing the most recent symptom" | in-vivo (kahneman) | `4a41aff` patches `no_layout` retry; root cause is no integrator |
+| C07 "wrong frame" | analytical (kahneman) | "graph viz" frame anchored every cycle; "streaming coordinator" reframe ignored |
+| C08 "substitution: easy Q for hard Q" | in-vivo (kahneman) | Datashader answers rendering; bottleneck is placement |
+| C09 "anchored on first family" | analytical (kahneman, feinstein) | d3-force adopted; tuned for 3 cycles before family questioned |
+| C10 "no per-node cost arithmetic" | analytical (kahneman, thompson, simon) | budget derivable on day 1 by one division; arrived after 10 cycles |
+| C11 "form survives until N forces change" | analytical (thompson) | each cap/queue scales until a specific N where the form (not param) breaks |
+| C12 "seam without owner" | in-vivo (margulis, jobs-as-cited) | scheduler↔log boundary: missing worker; two `Stats` schemas |
+| C13 "convergent evolution mistaken for merger" | analytical (margulis) | protocol+geometry look mergeable; cross-language reuse forbids it |
+| C14 "open texture in contract" | analytical (hart) | I3+I4 interaction undefined for symbol of file-at-fallback |
+| C15 "fallback ≠ specified value" | in-vivo (hart) | "domain hub" ambiguous; "placeholder anchor" undefined |
+| C16 "self-reference without guard" | analytical (godel) | id `seq:42` is legal; counter vocabulary is unprotected |
+| C17 "I2 vs I4/I7 contradiction" | in-vivo (godel, hart) | seq monotonic AND slot final cannot both hold under request_subtree |
+| C18 "satisficing without trip-wire" | analytical (simon) | LOD stride / queue caps / `:.1f` precision: thresholds unstated |
+| C19 "stakes/discipline mismatch" | analytical (kahneman, cochrane GRADE) | Level-6 evidence shipped as if Level-3 |
+| C20 "atomic signals not coded" | analytical (ekman) | "is the authority healthy?" answered by impression, not codebook |
+| C21 "bucket-structure carries semantic" | in-vivo (erdos, alexander) | the SHAPE is the meaning; intra-bucket placement is decoration |
+
+---
+
+## 2. Categories (constant-comparison groupings)
+
+Five categories, each defined by properties (P) and dimensions (D):
+
+| Category | Codes | Properties | Dimensions |
+|---|---|---|---|
+| **K1. Absent composition root** | C01, C05, C12 | P: no module owns the wiring; D: from "modules tested in isolation" → "no end-to-end run ever" |
+| **K2. Open-loop control** | C02, C03, C18 | P: signal emitted, never consumed; D: from "counter incremented" → "alarm never raised" → "producer never told" |
+| **K3. Implicit / unguarded contract** | C04, C14, C15, C16, C17, C20 | P: invariant exists in prose / habit / culture, not in code; D: from "docstring-only" → "two readings both legal" → "self-referential without check" |
+| **K4. Frame-locked iteration** | C06, C07, C08, C09, C10, C19 | P: each cycle inherits the prior cycle's framing; D: from "tune params" → "swap library" → "swap subsystem" — never "question the question" |
+| **K5. Scale-form coupling** | C11, C13, C18, C21 | P: a given form is correct only inside a scale band; D: from "param-tunable" → "form-must-change" — and the boundary is unannounced |
+
+Saturated at audit 11: alexander instantiates K3+K5 (patterns record what
+was implicit); erdos instantiates K5 (bucket structure as semantic).
+
+---
+
+## 3. Axial structure (conditions → context → strategies → consequences)
+
+For each category, the coding paradigm:
+
+| Category | Causal conditions | Context | Action / strategies | Consequences |
+|---|---|---|---|---|
+| K1 | Refactor split modules; nobody re-owns the seam | 6 modules × per-module unit tests | Each iteration patches a different module | "Tests pass; system doesn't run" (C05); blank UI (I10) |
+| K2 | Counters cheap to emit, expensive to consume | High-throughput streaming | Add more counters under load | Drops invisible; producer keeps overrunning; symptom-fixes downstream |
+| K3 | Contract written in prose for human reader; code-level guard would be 1 line | Multi-author, fast iteration | Defer codifying invariant "until later" | Two clients diverge silently (I2 vs I4); future maintainer "fixes" the docstring (godel rec #2) |
+| K4 | First plausible cause exhausts attention budget | Time pressure + visible symptom | Patch the visible thing; ship; move on | 5+ cycles tuning a family that arithmetic disqualified on day 1 |
+| K5 | Design assumed steady-state at chosen N; N is moving | Production load growing | Raise caps; tune constants | Form breaks at some N* without warning; raising caps blows the next ceiling |
+
+---
+
+## 4. Core category and grounded theory
+
+**Core category: *Pre-Theoretic Iteration Without Closure of the Frame***.
+
+The four other categories are subordinate: K1 is what's missing in the
+artifact, K2 is what's missing in the runtime, K3 is what's missing in
+the contract, K5 is what's missing in the scaling envelope. **K4 is the
+generator of the other four.** Every cycle inherits and patches the prior
+cycle's frame instead of *closing* it.
+
+### Theory statement (grounded, traceable)
+
+> The layout-authority's repeated failure is not a sequence of independent
+> bugs. It is the **signature of an iteration loop that lacks a closure
+> step**. Each iteration: (i) observes a symptom, (ii) generates one
+> hypothesis from the most-available frame, (iii) ships a patch,
+> (iv) declares done. The closure step that is *missing* is: "did this
+> patch eliminate the *category* of failure, or only this instance?"
+>
+> Because closure is missing, the system accumulates implicit invariants
+> (K3), unowned seams (K1), unread signals (K2), and unannounced
+> scale-form transitions (K5) — each a residue of an iteration that
+> ended one symptom early. After 10 cycles the residue *is* the system:
+> six modules with no integrator (K1 residue from I5), counters with no
+> readers (K2 residue from every cycle), invariants in prose (K3 residue
+> from I8), retry shims for missing producers (K1+K4 residue from I6).
+>
+> The user's frustration is correctly diagnosed: every iteration **did**
+> treat a symptom. Not because the engineers were careless, but because
+> the iteration loop itself had no place for category-closure. The fix
+> is structural, not motivational.
+
+### Why this is a *theory* and not just a list
+
+It is **predictive**: any future cycle that fails to close the frame
+will produce one more residue in K1–K3 or K5. The theory tells you
+*where* to look for the next failure — not at the patch site, but at
+the seam the patch did not own.
+
+It is **falsifiable**: if a future cycle adopts a closure step
+(5-Whys, ≥3 differential candidates, cost-floor arithmetic, composition
+test, prose→guard promotion, atomic-signal codebook) AND that cycle
+still produces a residue in K1–K3 or K5, the theory is wrong.
+
+It is **parsimonious** (Strauss's essential pillar): five categories
+collapse to one core. Future audits can be slotted into K1–K5 in O(1).
+
+---
+
+## 5. Saturation evidence
+
+| Audit # | New codes added | Cumulative codes | Notes |
+|---|---|---|---|
+| 1 (godel) | 11 | 11 | self-reference, contract contradictions |
+| 2 (feinstein) | 6 | 17 | missing integrator, biases, threshold |
+| 3 (margulis) | 4 | 21 | seam without owner, convergent vs merger |
+| 4 (simon) | 3 | 24 | satisficing, trip-wires |
+| 5 (kahneman) | 5 | 29 | substitution, framing, availability |
+| 6 (galileo) | 2 | 31 | idealized vs realized (subset of K3) |
+| 7 (thompson) | 1 | 32 | form-vs-param at scale |
+| 8 (hart) | 2 | 34 | open texture, ratio decidendi |
+| 9 (ekman) | 2 | 36 | atomic signals, two-coder |
+| 10 (erdos) | 1 | 37 | bucket structure as semantic |
+| 11 (cochrane) | 0 | 37 | meta-review confirms convergence |
+| 12 (alexander) | 0 | 37 | patterns instantiate K3, K5 |
+| 13 (laplace) | 0 | 37 | (read by reference; expected probability framing fits K2) |
+
+Two consecutive zero-rate audits → **saturation declared**. The 80-audit
+corpus would yield further code-level variants but, per Cochrane's pooled
+finding (n=52, 92% convergence on "no Act channel"), no new *categories*.
+
+---
+
+## 6. Memos
+
+- **M1.** Corpus is commissioned → low file-drawer, high confirmation
+  bias. Counter-weight: count only findings with a named mechanism.
+- **M2.** Initial preconception: discipline failure. Open coding revised
+  to *structural* loop failure — engineers' individual choices were
+  locally rational; the loop had no closure step.
+- **M3.** First instinct made K1 (missing integrator) the core. K1 is a
+  *consequence* of K4 (no closure asked "who owns the seam?"). K4 is the
+  generator of the other four.
+- **M4.** Erdős's existence proof (intra-bucket placement is
+  substitutable; bucket structure is the semantic) is a quiet K5 datum:
+  same shape as Datashader-replaces-renderer (kahneman I4) — replacing
+  the visible thing while the load-bearing thing goes untouched.
+
+---
+
+## 7. The closure step (theoretical implication)
+
+If the theory is right, the prescription is one structural change to the
+iteration loop:
+
+> **Before any iteration is declared done, the closure question must be
+> answered: "What category of failure did this address, and what
+> residue (unowned seam / unread signal / implicit invariant / unannounced
+> form-break) did it leave?"**
+
+Concretely (slot into existing process gates):
+1. PR template adds a "Residue audit" section: K1/K2/K3/K5 yes-or-no.
+2. Any "yes" requires a follow-up issue before merge.
+3. The closure step is the only addition; iteration count drops because
+   each cycle terminates a *category*, not an *instance*.
+
+Hand-offs:
+- **Engineer** — implement PR-template residue audit; build the missing
+  integrator (K1 residue from I5); promote prose invariants to guards
+  (K3 closure for I3/I4/I7, godel rec 1–2, hart OT-1…OT-8).
+- **Peirce** — formalize the theory into a falsifiable hypothesis
+  (closure-step adoption ⇒ residue rate falls).
+- **Fisher** — design the measurement: count residues per cycle pre-/
+  post-closure-step.
+- **Cochrane** — re-pool after closure-step adopted; expect K1 and K2
+  rates to drop sharply, K3 and K5 to drop gradually.
+
+---
+
+## 8. Method-fidelity check
+
+Open coding before categories (§1, 21 codes); constant comparison (§2);
+theoretical sampling (hart/ekman drawn to develop K3); saturation
+evidence (§5, two consecutive zero-rate audits); memos with revised
+preconception (§6, M2); every category cites grounding incidents.
diff --git a/tasks/layout-authority/audits/taleb.md b/tasks/layout-authority/audits/taleb.md
new file mode 100644
index 00000000..4a870001
--- /dev/null
+++ b/tasks/layout-authority/audits/taleb.md
@@ -0,0 +1,142 @@
+# Taleb Audit — Fragility Classification of the Layout Authority
+
+Stressors:
+- **(a) Burst:** 10× nominal arrival for 100 ms (arrival rate spike).
+- **(b) Silent disconnect:** SSE subscriber socket dies without FIN/RST.
+- **(c) Malformed input:** NaN coords, missing `parent_id`, unknown `kind`.
+
+Classification: **Fragile** (concave loss — small stress, disproportionate
+damage), **Robust** (linear), **Antifragile** (convex gain — system
+*improves* from the stress, e.g. the stress feeds a counter that drives
+adaptive tuning).
+
+## 1. Module-by-module triage
+
+| Module | Stressor (a) burst | Stressor (b) disconnect | Stressor (c) malformed |
+|---|---|---|---|
+| `_protocol.py` | ROBUST — pure dataclasses, no runtime path | ROBUST | **FRAGILE** — `NodeDelta`/`SlotAssignment` are dataclasses; no `__post_init__` validation; NaN coords or missing `parent_id` flow downstream |
+| `_geometry.py` | ROBUST — closed-form O(1) per node, no allocation | ROBUST | **FRAGILE** — `compute_slot` propagates NaN through trig (NaN×anything=NaN), poisons SSE event log |
+| `_scheduler.py` | ROBUST→ANTIFRAGILE — bounded queues, drop+counter on overflow (the counter is the antifragile seed) | ROBUST | **FRAGILE** — `kind` not validated at submit; unknown kind reaches priority lookup, defaults silently |
+| `_log.py` | **FRAGILE** — module-global `_event_log`, `seq`, two locks; under burst, `_fan_out` holds `_subscribers_lock` while iterating N subs × Q.put_nowait; one slow sub stalls all | **FRAGILE** — dead subscriber's queue fills to cap, every emit pays a Full-exception cost; only reaped after 200-miss window | ROBUST — emit doesn't inspect payload |
+| `_wire.py` | ROBUST — pre-encoded constants, O(1) format | ROBUST | **FRAGILE** — `format_slot` reads `slot.id` (Dijkstra D0) — schema drift produces silent `None`/`AttributeError` at every emit |
+| `_lod.py` | ROBUST — pure level-of-detail math | ROBUST | ROBUST iff coords pre-validated |
+| `layout_authority.py` (composition root) | **FRAGILE** — single worker thread; if worker is paused (GC, page fault), P5/P6 backlog grows linearly with burst; producer is non-blocking but invisible debt accumulates | **FRAGILE** — no health probe; SSE writer thread can deadlock against a dead socket without surfacing | **FRAGILE** — `add_node`/`add_edge` validate `kind ∈ NODE_KINDS` only at protocol boundary, not at HTTP boundary; downstream raises far from the source |
+
+## 2. Tail check — is the arrival distribution fat-tailed?
+
+Yes. Producer is `seed_project` + LSP discovery + user-driven edits.
+Empirically: discovery bursts (file walk) deliver 10⁴–10⁵ deltas in
+~100 ms, then minutes of silence. Variance >> mean. **Gaussian
+queue-sizing (mean × safety factor) will under-provision the burst by
+1–2 orders of magnitude.** Cost-model §6 bench at 5 M slots/s assumes
+steady-state; under burst the producer outruns the worker by 50–100×
+for 100 ms, and queue residency spikes to the cap.
+
+This is the Taleb-essential point: **size queues for the tail, not the
+mean.** P5 (edges) at 100k cap = 10.2 MB *is the right call* if it
+absorbs the discovery burst; cutting it to fit 8 MB steady-state
+sacrifices burst survival to satisfy a steady-state model.
+
+## 3. Via negativa — fragilities to remove first (priority order)
+
+| # | Fragility | Removal | Cost |
+|---|---|---|---|
+| P0 | `_log` module-global state (Dijkstra D2) — two authorities corrupt each other's seq | Refactor to instance state; delete the module-level `_event_log`, `_seq`, locks | low — mechanical |
+| P0 | Unvalidated `kind` at HTTP boundary — bad input reaches `_scheduler` priority map | Reject at handler with 400 + counter increment; do not let it touch the worker | low |
+| P0 | NaN/Inf coords from `_geometry` propagate to wire | Add `assert math.isfinite(x) and math.isfinite(y)` at end of `compute_slot`; on fail, drop+counter, do not emit | low |
+| P1 | `format_slot` field-name mismatch (`slot.id` vs `node_id`) — Dijkstra D0 | Fix `_wire`; add a contract test that exercises every protocol field | trivial |
+| P1 | Dead-subscriber detection only via 200-miss window | Add a heartbeat event every 1 s; subscribers that miss 3 heartbeats are reaped immediately | low |
+| P2 | `_fan_out` iterates subs while holding lock | Snapshot subs under lock, release, then `put_nowait` on the snapshot copy | low |
+
+## 4. Barbell allocation for the layout authority
+
+- **Safe end (≥85%):** `_geometry`, `_protocol`, `_wire`, `_lod` — pure
+  functions, no I/O, no globals. Make them *boringly correct*: full
+  property tests, finite-float postconditions, no clever tricks.
+  Guarantee: under any input these modules either return a finite
+  result or raise a typed error. **No middle ground.**
+- **Experimental end (≤15%):** the scheduler's drop policy and the
+  fan-out reaping policy — these are the loci where antifragility can
+  be designed in (see §5). Allow these to be tuned aggressively from
+  observed counters; they have bounded downside (queue cap, sub cap)
+  and uncapped upside (auto-tuned to actual production stress).
+- **Mediocre middle to eliminate:** "moderate" validation — partial
+  field checks scattered across handler, protocol, and geometry. Pick
+  ONE boundary (the HTTP handler) and validate fully there; downstream
+  layers assume validated input.
+
+## 5. Antifragility opportunities — make the stress *improve* the system
+
+The scheduler's drop-counter is already the seed. Wire it into a
+feedback loop:
+
+1. **Burst (a) → adaptive cap.** Every `_scheduler` overflow increments
+   `drops[priority]`. Expose this in `memory_stats`. When P5 drops
+   exceed a threshold over a 60-s window, *raise* P5 cap by 25% (with
+   a hard ceiling). When sustained zero drops over 10 min, *lower* by
+   10%. Burst now *teaches* the cap. Convex: bigger bursts → faster
+   discovery of the right cap. **Bounded downside:** hard ceiling
+   prevents unbounded RAM growth.
+2. **Disconnect (b) → faster reap.** Each silent-disconnect detection
+   (heartbeat miss) decrements the reap window by 10 ms (floor 50 ms).
+   The more dead subscribers we see, the faster we evict them.
+   Convex: pathological deployments self-tune to aggressive reaping.
+3. **Malformed (c) → schema lock-in.** Each rejected payload is logged
+   with its (kind, missing_field) tuple. After N rejections of the
+   same shape, surface a `tasks/layout-authority/producer-drift.md`
+   alert: "the producer is sending shape X that the protocol does not
+   accept — either fix the producer or extend the protocol." Malformed
+   input becomes documentation of producer drift, not silent loss.
+4. **Worker stall → publish a stall histogram.** If the worker loop
+   spends >5 ms between pops, emit a `worker_stall` event. Operators
+   tune GIL/GC settings *because* stalls were observed, not in
+   anticipation of them.
+
+In all four: the counter is visible, the policy is bounded, the stress
+makes the system smarter. This is the Taleb pattern — the option, not
+the obligation, to react to disorder.
+
+## 6. Optionality audit
+
+| Decision | Downside | Bounded? | Upside | Capped? | Verdict |
+|---|---|---|---|---|---|
+| Drop on P5 overflow | Lost edge event | Yes (counter) | Producer survives burst | No (any rate) | **Favorable — keep** |
+| Hold global `_event_log` of 500k events | 40 MB RAM, replay cost | Yes (cap) | Late subscribers can replay | Yes (last 500k) | Favorable IF replay used; otherwise dead weight — **measure usage** |
+| Single worker thread | Worker stall halts emission | **No** — unbounded latency tail | Strict ordering (H1/H2) | Yes | **Unfavorable asymmetry** — add a watchdog: if no pop in 100 ms, emit `worker_stall` and (P3) restart worker |
+| `q.put_nowait` everywhere | Slow sub loses events | Yes | Producer never blocks | No | **Favorable** |
+
+## 7. Skin-in-the-game audit
+
+- **Producer (`seed_project`, LSP, MCP handlers):** does not bear the
+  cost of malformed deltas — the layout worker eats them. **Asymmetric.**
+  Fix: producer's HTTP response carries a `rejected: N` field; the
+  producer sees its own malformed-rate counter and is forced to react.
+- **Renderer:** does not bear the cost of slow consumption — `put_nowait`
+  drops on its behalf. **Asymmetric.** Fix: SSE channel sends the
+  subscriber its own miss-count; a renderer that sees its miss-count
+  rising must react (paginate, downsample, or disconnect cleanly).
+- **Scheduler operator:** the only actor with skin in the game today —
+  RAM and CPU are paid by the process running the authority. Counters
+  must surface to whoever can act: the operator, not the renderer.
+
+## 8. Stress test plan
+
+| Scenario | Magnitude | Expected | Acceptable? |
+|---|---|---|---|
+| Burst | 10⁵ deltas in 100 ms | P5 fills, drops counter ↑, slot emit continues, RSS ≤25 MB | Y once §3 P0+P1 fixed |
+| Burst | 10⁶ deltas in 100 ms | drops dominate, no crash, no NaN, no deadlock | Y |
+| Silent disconnect | 100 dead subs, no FIN | reaped within 3 heartbeats (~3 s) | Y once heartbeat added |
+| Malformed | NaN coords from upstream override | rejected at boundary, counter ↑, no emit | Y once finite-float assert added |
+| Malformed | unknown `kind` | 400 at HTTP, never reaches worker | Y once boundary validation added |
+| Black swan | producer + slow sub + GC pause concurrent | worker_stall surfaced, no deadlock, no unbounded queue | requires watchdog + heartbeat |
+
+## 9. Hand-offs
+
+- P0/P1 fragility removals → **engineer** (small, mechanical).
+- Antifragility wiring (adaptive cap, heartbeat reap, drift alert) →
+  **Hamilton** (graceful degradation is his domain).
+- Burst/disconnect/malformed bench harness → **Curie**.
+- Worker-stall watchdog formal argument → **Dijkstra/Lamport** (fits
+  their existing single-producer happens-before chain).
+- Producer-drift policy (skin-in-the-game on the upstream) →
+  **Coase** (transaction-cost framing of who pays for malformed input).
diff --git a/tasks/layout-authority/audits/thompson.md b/tasks/layout-authority/audits/thompson.md
new file mode 100644
index 00000000..2e892eca
--- /dev/null
+++ b/tasks/layout-authority/audits/thompson.md
@@ -0,0 +1,140 @@
+# Thompson — Scaling-Law Audit of the Layout Authority
+
+> "What works at insect scale collapses at elephant scale, not because the
+> design is wrong but because the scaling laws forbid it." Map every cap,
+> queue, and per-event byte count against N. Find where each ratio diverges.
+
+## 1. Modules audited
+
+| # | Module | Role | Dominant resource |
+|---|---|---|---|
+| 1 | `layout_authority_geometry.py` | Closed-form O(1) slot math | CPU cycles per slot |
+| 2 | `layout_authority_protocol.py` | Contract-only dataclasses, invariants | none (declarative) |
+| 3 | `layout_authority_scheduler.py` | Priority-displaced multi-queue | RAM (queue caps), shed rate |
+| 4 | `layout_authority_log.py` | Append-only event log + fan-out | Ring buffer cap, subscriber queue |
+| 5 | `layout_authority_wire.py` | SSE pipe-encoded bytes | bytes/event, encoder ns/event |
+
+Plus `cost-model.md` (Carnot): per-node budget 1 ns at 1e9 / 1 s, working
+set ≤ 8 MB. No `audits/fermi.md` exists.
+
+## 2. Scaling table — what saturates first at each N
+
+Rows = scale; columns = first failure. "First" = lowest N at which the
+named cap is mathematically exceeded under the documented constants.
+
+| N | Geometry | Scheduler P4 (symbols) | Scheduler P5 (edges) | Log ring (500k) | Subscriber queue (100k) | Wire bytes total | Wire encoder (ns/event) | First failure |
+|---|---|---|---|---|---|---|---|---|
+| 1e5 | 18-30 ms (1 core, py) | 64k cap, ~70k symbols → first drops on burst | 128k cap, ~400k edges → drops above 32% mark | 500k ≥ N ok | 100k ≥ N ok | ~8 MB | ~30 ms format | **scheduler P5 edges** (cap < typical 4×N edge fan-out) |
+| 1e6 | 180-300 ms | catastrophic shed: 64k cap vs 1e6 symbols → ≥94% drops sustained | 128k vs ~4e6 edges → ≥97% drops | 500k < 1e6: **ring-buffer wraps; replay dies for any client > 0.5s late** | 100k: any client < 10 MB/s read drops | ~80 MB total stream | ~300 ms (single thread) | **log ring buffer overflow + subscriber queue overflow** |
+| 1e7 | 1.8-3.0 s (single core); needs numpy batch (~50 ms) | hopeless at current cap; would need P4 cap = 1e7 = 800 MB → blows 8 MB ceiling | same | ring wraps every 0.5 s of stream; `Last-Event-ID` resume permanently broken; clients always fall back to snapshot | 100k drained at ~10k evt/s = 10 s of headroom only | ~800 MB stream; wire single-thread encode ~3 s | encoder is the bottleneck on a single core (~300 ns/event in pure py) | **encoder throughput + scheduler RAM** |
+| 1e8 | 18-30 s pure py → mandatory numpy/SIMD; even numpy ~3-5 s/core single-thread | scheduler design fundamentally broken: all kinds beyond P0/P1 must shed >99% | same | log + replay model meaningless; must be replaced by a **server-side tile/quadtree snapshot** instead of streaming every slot | individual subscribers cannot read 8 GB/s; SSE per-client unicast unsustainable | ~8 GB stream per subscriber; 1 Gbit/s LAN = 80 s wire time minimum | encoder must move to C/Cython or batched numpy `tobytes` (~30 ns/event) | **network bandwidth + per-client unicast model** |
+| 1e9 | 1-2 s only with numpy batch + multi-core (~5-8× on 8 cores) | meaningless to enqueue per-slot; must batch-emit by domain shard | same | streaming individual slot events is impossible: at 82 B × 1e9 = **82 GB per client**. Must be precomputed tiles | 100k cap drains in ~10 ms at any plausible rate | ~82 GB/client unicast; **10 Gbit LAN = 65 s; 1 Gbit = 11 min** | encoder ns budget: 82 GB / 2 s = 41 GB/s — exceeds DRAM single-thread bandwidth | **transport (network + per-client unicast) and storage representation; the per-event SSE model is geometrically impossible** |
+
+## 3. Per-module break analysis (form vs scale)
+
+### Geometry — survives the longest by design
+
+Cost-model says ~180-300 ns/slot pure Python; ~10 ns/slot needed at 1e9.
+Geometry is the **only** module that scales O(1) per node and bounded
+state O(domains × kinds). Break point isn't the algorithm — it's the
+Python interpreter loop. Mitigation already named in cost-model: numpy
+vectorization at 1e7+; multi-core fan at 1e9. **Form survives all five
+scale steps; only the substrate (Python → numpy → C) changes.**
+
+### Scheduler — breaks at 1e6, irrecoverable at 1e7
+
+Priority caps (P4=64k symbols, P5=128k edges) are sized for one specific
+scale: ~1e5 visible at peak. The shed-low-priority pattern (Hamilton
+1969) **works as designed** through 1e5. At 1e6 the symbol stream sheds
+>94% sustained; that is no longer "graceful degradation" — that is data
+loss as the steady state. RAM blows the 8 MB ceiling if caps are raised:
+P4 cap = 1e7 × 80 B = 800 MB. **The form (single in-process scheduler)
+is forced to change at 1e7.** Mitigation: shard the scheduler per domain
+(11 schedulers, each handles ~N/11 slots) OR move scheduling out of the
+authority entirely and let the build worker emit pre-bucketed tiles.
+
+### Log ring buffer — breaks at 1e6
+
+Cap 500k events at ~80 B = 40 MB (already 5× over the 8 MB working-set
+ceiling — flagged in the module docstring as a deliberate exception).
+At N = 1e6 the ring wraps in less than the round-trip of a slow client,
+so `Last-Event-ID` resume **permanently fails** and every reconnect
+falls back to a snapshot — which itself must be the size of the full
+graph, which we just said is geometrically impossible to serialize.
+**The form (linear append-only log replayable by seq) cannot survive
+1e7+. Mitigation: per-domain logs or, more honestly, abandon replay and
+serve a snapshot from a server-side spatial index.**
+
+### Subscriber queue (100k cap) — breaks at 1e6
+
+A subscriber drained at 10k events/s holds 10 s of headroom. At 1e6
+total stream events delivered in any practical wallclock the queue will
+fill within seconds for any subscriber that does any per-event work
+(parse + render). 200-miss eviction kicks in. **Form (per-client
+unicast queue) breaks at 1e6 for slow clients, at 1e7 for any client
+that isn't a localhost socket.** Mitigation: drop unicast SSE in favor
+of a shared in-memory ring readable by all clients via mmap, or a
+broadcast multicast channel — both are different forms.
+
+### Wire (SSE pipe encoder) — breaks at 1e7-1e8
+
+Encoder is ~300 ns/event pure Python (extrapolated from a 1M slot
+benchmark hook). At 1e7 single-threaded encode ≈ 3 s; at 1e8 ≈ 30 s.
+Bytes per event are H-bounded (~82 B for the chosen pipe format — a
+~4× win over JSON, but still O(N) wire bytes). At 1e9 the **bytes
+themselves** (82 GB) exceed DRAM bandwidth on a single thread (~50 GB/s)
+and exceed any plausible network. **Form (per-event SSE frame) cannot
+survive 1e8 without a transport change.** Mitigation: batched `bytearray`
+encoder in C/Cython at 1e7; protobuf/cap'n proto with delta compression
+at 1e8; **at 1e9, drop streaming entirely and serve PNG/Datashader tiles
+or quadtree pyramids** — the form is forced.
+
+### Protocol — survives everything
+
+Contract module. Has no resources to saturate. Invariants I3/I4/I5 (the
+pending-edges buffer at 100k, parent-before-child ordering, no
+retroactive reseat) keep their semantics across all scales but enforcement
+moves from in-process to a sharded model at 1e7+.
+
+## 4. Where the design fundamentally needs a different architecture
+
+The current authority is a **single-process, single-producer, per-event
+streaming** design. Its scaling envelope is hard-bounded by:
+
+- **1e5 nodes** — current architecture is correct and roomy. Scheduler
+  caps designed exactly here.
+- **1e6 nodes** — log ring + subscriber queue + scheduler P4/P5 all
+  break first. Mitigation is parameter tuning (raise caps within RAM)
+  plus a numpy batch path in the geometry. **Same form, retuned.**
+- **1e7 nodes** — single-process becomes structurally inadequate. RAM
+  for queue caps blows 8 MB. Encoder single-thread blows 1-2 s budget.
+  **Form change required: per-domain sharding (11 worker processes,
+  each owns a domain's counters + scheduler + log) — same Hamilton
+  pattern replicated, not redesigned.**
+- **1e8 nodes** — per-client unicast SSE is geometrically impossible.
+  **Form change required: server-side spatial index (quadtree) +
+  pre-rendered tile pyramid; client requests viewport tiles instead of
+  individual slots.** This is exactly the Datashader/server-tile path
+  already in repo (`server-tile + Datashader path for >1M-node graphs`,
+  commit dba2f16).
+- **1e9 nodes** — single-machine is over. Bytes-per-event is the
+  binding constraint. **Form change required: distributed compute
+  (1 process per domain shard, each on its own core; GPU rasterization
+  for tile generation; CDN-cached tile delivery).** Streaming individual
+  slots ceases to be the operational model — the renderer asks for
+  zoom-level-k tiles and the authority precomputes them by batch numpy
+  + CUDA.
+
+## 5. Hand-offs
+
+- **Fermi**: empirical measurement of subscriber drain rate, encoder
+  ns/event in production CPython 3.14, and ring-buffer wrap latency at
+  N = 1e6 (currently extrapolated, not measured).
+- **Curie**: confirm the 10 ns/slot extrapolation in cost-model holds
+  with a numpy batch path; measure end-to-end at N = 1e7.
+- **Hamilton**: design the sharding boundary at 1e6 → 1e7 transition
+  (per-domain authority instances) and the SSE backpressure path so
+  slow subscribers fall back to tile snapshots cleanly.
+- **Coase**: when the form shifts to distributed compute at 1e9, the
+  organizational boundary (which team owns the tile pipeline vs the
+  authority?) needs explicit assignment.
diff --git a/tasks/layout-authority/audits/toulmin.md b/tasks/layout-authority/audits/toulmin.md
new file mode 100644
index 00000000..6848aa04
--- /dev/null
+++ b/tasks/layout-authority/audits/toulmin.md
@@ -0,0 +1,176 @@
+# Toulmin argument-structure audit — `cost-model.md`
+
+**Method.** Decompose the cost-model's headline argument into the six
+Toulmin parts (Claim, Data, Warrant, Backing, Qualifier, Rebuttal),
+diagram them, and locate where the warrant fails to carry the claim.
+The model is a *quality-control* tool: it makes the inferential
+skeleton visible so the load-bearing joint can be inspected.
+
+---
+
+## 1. The headline argument as written
+
+> **Claim (C):** the layout authority places **N = 10⁹ nodes** in
+> **1–2 s** within an **8 MB** working set on a single machine.
+> *(cost-model.md §1, lines 5–6.)*
+>
+> **Data (D):**
+> - D1: per-node geometry is `compute_slot(domain_anchor, kind, idx,
+>   total_in_kind)` — closed-form trig, no iteration, no graph
+>   traversal. *(§2 implications 1–4; geometry constants §4.)*
+> - D2: per-domain counter state is `11 × 6 × 8 B = 528 B`; per-tool
+>   angle cache `7 × 11 × 16 B ≈ 1.2 KB`. *(§3.)*
+> - D3: pure-Python single-core measurement on this machine —
+>   180–300 ns/slot, 3.4–5.6 M slots/s across 5 kinds. *(§5,
+>   lines 80–87.)*
+>
+> **Warrant (W):** *if* the per-node cost is O(1) closed-form, *and*
+> the per-module state is bytes-not-megabytes, *then* the system
+> budget is dominated by per-node compute × N, and that product is
+> bounded by (Python ns/slot ÷ vectorisation speedup ÷ core count) × N.
+> Equivalently: **"the geometry module's local cost profile is the
+> system's cost profile."**
+>
+> **Backing (B):**
+> - B1: the closed-form derivation in §2 (no iteration ⇒ no
+>   superlinear term).
+> - B2: the measured 1M-slot benchmark in §5 (the 180–300 ns figure).
+> - B3: the projection that numpy + 8-core delivers ~30× more.
+>
+> **Qualifier (Q, as written):** "amortised", "in geometry only" —
+> appears in §1 footnote phrasing but **not** attached to the headline
+> claim. The headline reads as an absolute system bound.
+>
+> **Rebuttal (R, as written):** §6 lists what the design rules out
+> (d3-force, prepareTopology, force sims). It does **not** list the
+> conditions under which the headline claim *itself* fails.
+
+---
+
+## 2. Diagram
+
+```
+                                                B1 §2 closed-form
+                                                B2 §5 1M-slot bench
+                                                B3 §5 numpy+8-core projection
+                                                       │
+                                                       ▼  (backs)
+   D1 O(1) per-node geometry  ┐
+   D2 528 B counter state     ├──► W "geometry-local cost = system cost"
+   D3 180-300 ns/slot measured┘                         │
+                                                        ▼  (with qualifier Q)
+                          [Q: amortised, geometry only]
+                                                        │
+                                                        ▼
+                                              C: 10⁹ nodes in 1–2 s
+                                                 within 8 MB
+
+                          ┌────── R (declared §6): rules out d3-force,
+                          │       prepareTopology, force sim, spatial
+                          │       index rebuild  (rules out RIVALS,
+                          │       not failure conditions of C itself)
+                          │
+                  ┌───────┴─── R (missing, supplied by other audits):
+                  │             • Curie C9–C11: numpy/multi-core
+                  │               speedup is unmeasured speculation
+                  │             • Ibn Khaldun K1: scheduler 19 MB +
+                  │               event log 40–56 MB + sub queues
+                  │               11 MB → ~70–90 MB system RSS
+                  │             • Ibn Khaldun K2: wire + render
+                  │               dominate; 80 GB over SSE at
+                  │               10–100 MB/s ⇒ 10³–10⁴ s
+                  │             • Archimedes Caveat: DISC↔MEM
+                  │               angular collision at 10⁹ N
+```
+
+---
+
+## 3. Where the warrant does not support the claim
+
+The argument is internally tidy — D1, D2, D3 each support **a**
+claim. They do not support **the headline claim**, because W
+silently substitutes "geometry-module cost" for "system cost". This
+is a **scope-shift fallacy** dressed as an inference rule.
+
+| # | Gap | Evidence the warrant fails |
+|---|---|---|
+| G1 | D1 (O(1) per-node) supports "compute is linear in N", not "wall-time is 1–2 s". Wall-time = max(compute, wire, render). The warrant elides wire and render. | Ibn Khaldun K2: 80 GB SSE payload at realistic 10–100 MB/s ⇒ 10³–10⁴ s; browser ≤10⁵ evt/s ⇒ 10⁴–10⁵ s. |
+| G2 | D2 (528 B) supports "the geometry module's per-domain table fits in bytes", not "system RSS ≤ 8 MB". Counter state is one of ≥4 live allocations (counters, scheduler queues, event log, subscriber queues, numpy buffers). | Ibn Khaldun K1 + Curie C13/C18: scheduler 19 MB, event log 40–56 MB, sub queue 11 MB ⇒ ~70–90 MB. The cost-model's own scheduler doc says 19.4 MB — the spec contradicts itself. |
+| G3 | D3 (180–300 ns/slot, single-machine, single-run, no IQR) is the only measured datum. B3 (numpy ~30–50 ns + 8-core ~5–8×) is **projection, not measurement**. The warrant treats the projection as load-bearing. | Curie §4 explicitly tags C9–C11 as "unmeasured speculation" requiring `bench_geometry_numpy` and `bench_geometry_parallel` before promotion. |
+| G4 | Q ("amortised", "in geometry only") is the qualifier that, *if attached to C*, would make the argument honest. As written, it sits in body prose and is dropped from the headline. A claim whose qualifier does not travel with it is **rhetorically unqualified**. | Toulmin 1958 Ch. III §3: a claim without a travelling qualifier is either trivial or dishonest. |
+| G5 | R as declared rules out **rival approaches** (d3-force, etc.). It does not state the conditions under which **C itself** fails. A Toulmin rebuttal must answer "when is my own claim wrong?", not "why are competitors wrong?" | Three independent audits supply the missing R: Curie (no measurement), Ibn Khaldun (scope shift), Archimedes (geometric collision at 10⁹). The cost-model has not absorbed any of them. |
+
+---
+
+## 4. The honest restatement
+
+Splitting C into the parts the data actually supports:
+
+| Restated claim | Qualifier | Supported by |
+|---|---|---|
+| **C′₁** Geometry compute for 10⁹ slots completes in 1–2 s. | "presumably, IF vectorised via numpy AND parallelised across 8 cores — neither yet measured." | D1 + D3 + B3 (B3 still hypothesis). |
+| **C′₂** The geometry module's per-domain state is ≤ 1.8 KB (528 B counters + 1.2 KB angle cache). | "exactly, by arithmetic." | D2. |
+| **C′₃** End-to-end placement-and-render of 10⁹ nodes through SSE to a live browser completes in 1–2 s within 8 MB system RSS. | **Reject.** Refuted by Fermi/Ibn Khaldun K2 (10³–10⁵ s wire+render) and K1 (~70–90 MB RSS). |
+
+C in the document conflates C′₁ with C′₃ and inherits the credibility
+of C′₂. That is the load-bearing error.
+
+---
+
+## 5. Field-dependent standards
+
+This is a **systems-engineering** argument, not a closed-form-math
+argument. Its field's standards demand:
+
+- *Evidence:* end-to-end measurement on the production transport,
+  not micro-benchmarks of one stage.
+- *Warrant:* a system bound is `max` of stage costs, not `sum` of
+  one stage's cost. Substituting compute-time for wall-time is a
+  category error in this field.
+- *Qualifier:* every system claim travels with its measurement
+  envelope (machine, dataset, run count, IQR).
+- *Rebuttal:* every system claim names the regime in which it
+  breaks (e.g. "fails when wire bandwidth < X MB/s" or "fails when
+  RSS includes log + scheduler").
+
+`cost-model.md` meets the closed-form-math field's standards for
+C′₁ and C′₂. It does not meet the systems-engineering field's
+standards for C as written.
+
+---
+
+## 6. Required edits (Toulmin-form)
+
+1. Split C into C′₁, C′₂, C′₃ with their own qualifiers; demote C′₃
+   to a separate "system budget" ADR per Ibn Khaldun §6.
+2. Attach Q ("IF vectorised, IF parallelised, IF tile-served not
+   live-streamed") to every surviving headline.
+3. Add an explicit **Rebuttal** section to cost-model.md naming the
+   conditions under which each surviving claim fails — sourced from
+   Curie §3, Ibn Khaldun §1, Archimedes Caveat.
+4. Tag B3 (numpy/multi-core projection) `// HYPOTHESIS — no
+   measurement`, per Curie §4.
+
+---
+
+## 7. Hand-offs
+
+- **Curie** — supplies the measurement protocols that turn B3 from
+  hypothesis into backing (`bench_geometry_numpy`,
+  `bench_memory_residency`).
+- **Ibn Khaldun** — supplies the structural rebuttal (system RSS,
+  wire+render dominance) that the new R section must cite.
+- **Engineer** — performs §6 edits to cost-model.md; opens the
+  separate system-budget ADR.
+- **Pearl** — if the wire/render dominance is contested, supply a
+  causal-graph audit of the SSE consumer chain.
+
+---
+
+## 8. One-line verdict
+
+The cost-model's data and warrant are sound *for the geometry
+module*. Promoting them to a system claim violates the warrant's
+scope, drops the qualifier in transit, and substitutes a
+"rules-out-rivals" list for a real rebuttal — three Toulmin defects
+that converge on the same fix: scope C, attach Q, write R.
diff --git a/tasks/layout-authority/audits/turing.md b/tasks/layout-authority/audits/turing.md
new file mode 100644
index 00000000..839b0e6b
--- /dev/null
+++ b/tasks/layout-authority/audits/turing.md
@@ -0,0 +1,119 @@
+# Turing Reduction — Layout Authority
+
+**Frame:** strip every module to the simplest abstract machine that streams `(id, x, y)` from build worker to SSE consumer. What is load-bearing? What is accidental complexity?
+
+## 1. Problem
+
+```
+Problem: stream (node_id, x, y, kind, domain_id) and (src, tgt, kind) deltas
+         from a single producer (build worker) to N HTTP/SSE consumers,
+         with monotonic seq for Last-Event-ID resume.
+```
+
+## 2. Simplest machine
+
+| Class | Verdict |
+|---|---|
+| Finite automaton | No — unbounded sequence numbers, unbounded node set. |
+| **Pushdown automaton (single-stack ordering)** | **Sufficient.** The only structural state is "has parent X been emitted yet?" → a buffer of pending children. |
+| Turing machine | Overkill. No tape rewrite needed; events are append-only. |
+
+The problem reduces to: **a pure function `kind × bucket_idx × domain_anchor → (x,y)`, behind an append-only log, behind an SSE encoder, with one buffer for I3 (symbol-after-file) and one for I5 (edge-after-endpoints).**
+
+Decidability: trivially decidable — every operation is O(1) closed-form arithmetic. Complexity: O(1) amortized per event, O(N) total. No optimization question exists; the Turing question is the structural one — what's necessary?
+
+## 3. Reduction by module — load-bearing vs accidental
+
+Current: ~2,196 lines across 10 files. Reduced essence:
+
+| Module | Lines | Load-bearing | Accidental | Min lines |
+|---|---|---|---|---|
+| `layout_authority_geometry.py` | 218 | All 9 placement formulas + dispatcher. Every constant cites `workflow_graph.js`. | Self-check `_benchmark` only used in `__main__`. | **~150** |
+| `layout_authority_protocol.py` | 230 | 3 dataclasses (NodeDelta, EdgeDelta, SlotAssignment). | `Protocol` ABC, `INVARIANTS` docstring constant, `authority_from_geometry` factory stub, NODE_KINDS/EDGE_KINDS frozensets (str literal check suffices). | **~40** |
+| `layout_authority_log.py` | 230 | `emit() → seq`, `subscribe()/unsubscribe()`, `replay_since()`. | Dead-queue miss counting + reaping (200-miss threshold), 500k ring buffer cap (a 10k cap suffices for Last-Event-ID resume window), `stats()`, `_record_miss/_clear_misses` attribute-injection trick. | **~50** |
+| `layout_authority_wire.py` | 241 | `format_slot/edge/done` byte builders. Pipe-separated payload. | `chunk_wrap`, `format_keepalive`, `format_terminator` (the SSE handler does this), `parse_slot/parse_edge` (test-only), `_benchmark`, defensive `_validate_id/_validate_kind/_validate_finite` (already validated upstream). | **~40** |
+| `layout_authority_scheduler.py` | 264 | **Nothing in the streaming hot path.** | Entire module. The reference `LayoutAuthority.add_node` is synchronous + non-blocking + O(1); priority shedding is dead theatre. P0–P6, Hamilton 1202 reference, `coalesce_subtree`, `is_overloaded`, the per-priority deques — none of it is wired to the actual emission path; emission happens inline in `add_node`. | **0 (cut entirely)** |
+| `layout_authority_lod.py` | 193 | Zero in the streaming path. | Entire module. The build worker never consults `visible_at_zoom`; the SSE handler can decimate symbols downstream with `hash(id) % stride` in 5 lines if/when needed. | **0 (cut entirely)** |
+| `layout_authority.py` (integrator) | 442 | `_DomainRegistry` (Fibonacci anchor index, ~30 lines), `add_node/add_edge/done`, two buffers (pending_symbols, pending_edges), `_compute_assignment`, peek-before-emit seq seal. | Defensive `_validate_node/_validate_edge` (subsumed by dataclass + protocol allow-set check), `request_subtree` (re-emit known slots — clients can re-snapshot via `replay_since(0)`), `stats()`, `Lock` (single-producer is the contract; the lock is a comfort blanket), tool_hub angle cache (recompute is O(1)). | **~120** |
+| `core/layout_engine.py` | 113 | (Older, unrelated to authority — leave aside.) | — | — |
+| `handlers/recompute_layout.py` | 132 | Composition root for an out-of-band path. | Mostly scaffolding. | — |
+| `infrastructure/layout_pg_store.py` | 133 | Persistence — orthogonal to streaming. | — | — |
+
+**Streaming-essence subtotal:** geometry 150 + protocol 40 + log 50 + wire 40 + integrator 120 = **~400 lines**.
+
+If we drop replay-since (clients always start fresh), drop edge-buffering (build worker emits in order), drop done-event totals: **~200 lines**.
+
+## 4. The SIMPLEST POSSIBLE thing (Turing test)
+
+A single file, ~200 lines, three primitives:
+
+```
+1. anchor(domain_idx)        : Fibonacci spiral, pure.       (~20 lines)
+2. slot(kind, ctx)            : 9 closed-form formulas.       (~80 lines)
+3. emit(seq, kind, payload)   : SSE bytes, fan out to queues. (~30 lines)
+
+Class LayoutAuthority:
+   - counts: {(domain, kind) -> int}
+   - anchors: {domain -> (x,y)}
+   - emitted: set[node_id]
+   - pending_symbols: {file_id -> [NodeDelta]}
+   - add_node(d): compute slot, emit, flush children if file.
+   - add_edge(d): if both endpoints emitted, emit; else discard
+                  (build worker emits in dependency order — I5).
+                                                              (~70 lines)
+```
+
+That is the universal machine for this domain. Everything beyond is decoration.
+
+## 5. What gets CUT and why
+
+| Cut | Reason (Turing-operational) |
+|---|---|
+| **`layout_authority_scheduler.py` (264 lines)** | The reference integrator is synchronous and non-blocking already. The scheduler is a separate machine that nothing in the emission path uses. A universal machine for a bounded problem (tens of thousands of nodes, single producer) does not need priority displacement; the producer's call stack IS the scheduler. Hamilton 1202 was for an environment where producers compete for cycles — not the case here. |
+| **`layout_authority_lod.py` (193 lines)** | LOD is a render-time concern. The authority's job is to stream `(id,x,y)`; the renderer decides what to show. Cutting this enforces SRP. If LOD is needed, 5 lines in the SSE handler: `if kind == "symbol" and hash(id) % stride != 0: continue`. |
+| **`Protocol` ABC + INVARIANTS docstring + factory stub (~80 lines)** | Operational test for "is this a layout authority?" = "does it emit `slot`/`edge`/`done` SSE frames in order?" Define the test, not the type. |
+| **`replay_since` ring buffer (500k events, ~56MB)** | Last-Event-ID resume is a feature, not the essence. If a client falls behind, full re-snapshot. The buffer is an optimization for an unverified use case. |
+| **Defensive validation at the wire layer** | Already validated by dataclass construction + `NODE_KINDS` set membership at `add_node`. Double-validation = belt + braces + spare belt. |
+| **`request_subtree` re-emission** | Slots are final (I4/I7). A client wanting a redraw can re-subscribe with `Last-Event-ID: 0`. |
+| **`stats()` everywhere** | Observability is an outer layer concern. One counter at `done` event suffices. |
+| **`tool_hub_angle` cache, hub_angles dict** | Recompute is O(1). Caching saves ~50 ns at the cost of state. |
+
+## 6. What STAYS (load-bearing)
+
+| Keep | Why it survives reduction |
+|---|---|
+| **9 closed-form geometry formulas** | This IS the work. Every formula is the simplest machine for "place kind X". |
+| **Fibonacci anchor + first-sighting freeze (I7)** | Without anchor stability, slots aren't final. |
+| **`pending_symbols` buffer (I3)** | The only ordering invariant the protocol cannot enforce upstream cheaply. |
+| **Monotonic seq + emit log** | Required by SSE Last-Event-ID semantics — operational definition of "stream". |
+| **3 SSE encoder functions** | The bytes-on-the-wire codec. Cannot be simpler than pipe-split UTF-8. |
+| **NodeDelta / EdgeDelta / SlotAssignment dataclasses** | The minimal type-level operational test for "is this a valid event?" |
+
+## 7. Universality assessment
+
+Does this problem require open-ended cases? **No.** Twelve `NODE_KINDS`, fourteen `EDGE_KINDS`, both fixed at protocol-design time. The dispatch table in `compute_slot` is the right shape — a closed sum type, not a plugin host. **No interpreter / no plugin layer is justified.**
+
+## 8. Operational test for "the reduction preserves behavior"
+
+| Concept | Operational test | Pass criterion |
+|---|---|---|
+| "same layout" | Render fixture graph through old + new authority; diff PNGs. | Pixel-diff < 1% (sub-pixel jitter from float fmt). |
+| "same stream" | Same input deltas → byte-identical SSE frames. | `diff` of captured streams empty. |
+| "same resume" | Disconnect at seq=K, reconnect with `Last-Event-ID: K`. | Receives K+1..N exactly. |
+
+## 9. Bottom line
+
+| Layer | Now | Reduced essence |
+|---|---|---|
+| streaming-critical | ~1,500 lines (7 files) | **~400 lines (1 file)** |
+| with optional resume + LOD | ~1,500 | ~500 |
+| absolute minimum (no resume, in-order edges) | — | **~200 lines** |
+
+**~73% of the layout-authority code is accidental complexity** — scheduler theater, LOD pre-optimization, defensive double-validation, observability scaffolding, an interface protocol that no second implementation will ever exist for. The geometry formulas and the Fibonacci-anchor + pending-symbols buffer are the only non-trivial computation. Everything else is a universal-machine impulse applied to a closed sum type.
+
+## 10. Hand-offs
+
+- Single-program correctness of the reduced integrator → **Dijkstra**.
+- "Is the priority scheduler actually load-bearing under N=1M nodes?" → **Erlang** (queueing analysis) or **Fermi** (back-of-envelope: producer rate × event size vs consumer drain rate).
+- "Should we keep replay_since at all?" → **Simon** (satisficing on the resume use case).
+- Pre-optimization concern about LOD → **Knuth** ("premature optimization").
diff --git a/tasks/layout-authority/audits/wittgenstein.md b/tasks/layout-authority/audits/wittgenstein.md
new file mode 100644
index 00000000..4987f94c
--- /dev/null
+++ b/tasks/layout-authority/audits/wittgenstein.md
@@ -0,0 +1,180 @@
+# Wittgenstein — Language-Game Audit of the Layout Authority
+
+> "For a large class of cases... the meaning of a word is its use in the language." — *Philosophical Investigations* §43
+
+Five modules share a vocabulary. The same words play different roles in
+different modules. Each polysemy is a future bug. This audit enumerates
+them and fixes a single canonical glossary the engineer MUST enforce on
+integration. Where a confirmed Liskov-style mismatch already exists, it
+is flagged **CRITICAL**.
+
+---
+
+## 1. Polysemies found (the confusions)
+
+### 1.1 `id` — CRITICAL Liskov mismatch on `SlotAssignment`
+
+| Module     | Use site                  | Meaning                            |
+|------------|---------------------------|------------------------------------|
+| protocol   | `SlotAssignment.node_id`  | str — the node identifier          |
+| wire       | `slot.id` (line 103, 110) | str — same intent, **wrong attr**  |
+| wire       | `parse_slot` local `node_id` | str — round-trips correctly      |
+
+`format_slot` reads `slot.id`; `SlotAssignment` defines `node_id`. **An
+`AttributeError` at first emission.** Protocol is the contract; wire is
+the violator. Fix in wire.
+
+### 1.2 `kind` — same word, two unrelated games
+
+| Module     | Use site                 | Meaning                                |
+|------------|--------------------------|----------------------------------------|
+| protocol   | `NodeDelta.kind`         | one of NODE_KINDS (node taxonomy)      |
+| protocol   | `EdgeDelta.kind`         | one of EDGE_KINDS (edge taxonomy)      |
+| protocol   | `SlotAssignment.kind`    | echo of the node taxonomy              |
+| geometry   | `node_kind` parameter    | node taxonomy                          |
+| scheduler  | `priority_for_node(kind)`| node taxonomy                          |
+| log        | `emit(kind, payload)`    | **event taxonomy** ('slot'/'edge'/'done') |
+| log        | `Event = (seq, kind, _)` | event taxonomy                         |
+| wire       | `_validate_kind`         | node OR edge taxonomy (callers vary)   |
+
+Two distinct enums share one English word. The log layer plays a
+different language game than every other module. Rename or scope.
+
+### 1.3 `seq` — counter ownership conflict
+
+| Module     | Definition                                              |
+|------------|---------------------------------------------------------|
+| protocol   | I2: "strictly monotonically increasing per authority instance" |
+| log        | "global ``_event_seq``... continues across resets"      |
+| wire       | parameter to `format_slot` / `format_edge` / `format_done` |
+
+Protocol says per-instance; log says global-across-reset. The log's
+`reset()` docstring explicitly chooses **global** to keep
+`Last-Event-ID` resume working. Protocol's I2 must defer to log: there
+is exactly ONE `seq`, owned by `layout_authority_log`, monotonic across
+the process lifetime, never reset.
+
+### 1.4 `slot` — three different things
+
+| Module     | Use site                            | Meaning                       |
+|------------|-------------------------------------|-------------------------------|
+| protocol   | `SlotAssignment` dataclass          | (seq, node_id, x, y, kind, domain_id) |
+| geometry   | `Tuple[float, float]` returns       | bare (x, y) pair              |
+| log        | `'slot'` literal string             | event-kind tag                |
+| wire       | `format_slot(seq, slot)` argument   | the dataclass again           |
+| scheduler  | (does not use the word)             | —                             |
+
+Geometry's "slot" is a coordinate pair; protocol's is a placement
+record; log's is a string tag. Three games, one word.
+
+### 1.5 `domain_id` — keyed differently across boundaries
+
+| Module     | Use site                        | Notes                              |
+|------------|---------------------------------|------------------------------------|
+| protocol   | `NodeDelta.domain_id` etc.      | str, refers to a domain node       |
+| geometry   | `compute_slot('domain', ctx)`   | uses `ctx['index']`, `ctx['total_domains']`, `cx`, `cy`, `base_r` — **no `domain_id` key** |
+| scheduler  | `coalesce_subtree(domain_id)`   | str, used as set key               |
+| wire       | data field 5 of slot frame      | str                                |
+
+Geometry's domain placement is keyed by integer `index`, not by
+`domain_id`. The mapping `domain_id -> index` lives implicitly in the
+authority composition root. Make it explicit.
+
+### 1.6 `total` — five overloaded meanings in one dispatcher
+
+`compute_slot(node_kind, ctx)` reads `ctx['total']`. Across helpers:
+
+| Helper                  | What `total` counts                |
+|-------------------------|------------------------------------|
+| `slot_for_setup`        | total skills+hooks+commands+agents in domain |
+| `slot_for_file`         | total files **in this hub** (`total_in_hub`) |
+| `slot_for_symbol`       | total symbols **in this file** (`total_in_file`) |
+| `slot_for_discussion`   | total discussions in domain        |
+| `slot_for_memory`       | total memories in domain           |
+| `domain_anchor`         | `total_domains` (different name!)  |
+
+One key in the dispatcher dict, six distinct populations. The caller
+must know which to supply per branch. This is exactly the family-
+resemblance failure §66-71 warns about: there is no common essence,
+only overlapping similarities ("a count of siblings"). Enforce the
+distinct names at the helper level; the dispatcher is fine.
+
+### 1.7 `done` — undeclared in protocol, defined in wire
+
+`layout_authority_log` accepts `kind='done'`. `wire.format_done` builds
+the frame. **Protocol module does not declare a `DoneDelta` or document
+who emits `done` or when.** The "build complete" signal is a third
+event kind with no contract. Add it to protocol.
+
+### 1.8 `priority` — implicit on every NodeDelta
+
+`PriorityScheduler.submit(priority, item)` accepts any int in
+`QUEUE_SIZES`. `priority_for_node(kind)` derives it from the node
+taxonomy. The contract that "P0=domain, P4=symbol" lives only in the
+scheduler module's docstring. The protocol module is silent. This is
+fine *iff* only the authority's worker submits, but the typing is
+loose.
+
+---
+
+## 2. Canonical glossary (NORMATIVE)
+
+The engineer integrating these modules MUST use these names. Renames
+required to fix existing mismatches are marked **[FIX]**.
+
+| Canonical name      | Type / shape                          | Owner module     | Definition                                                      |
+|---------------------|---------------------------------------|------------------|-----------------------------------------------------------------|
+| `node_id`           | `str`, non-empty, no `\| \\n \\r`     | protocol         | Stable unique node identifier. **NEVER `id`.**                  |
+| `domain_id`         | `str`, non-empty                      | protocol         | The `node_id` of a node whose `node_kind == 'domain'`.          |
+| `parent_id`         | `Optional[str]`                       | protocol         | For `'symbol'`: parent file's `node_id`. For `'file'`: tool_hub. |
+| `node_kind`         | `str` ∈ NODE_KINDS                    | protocol         | Taxonomy of nodes. **NEVER bare `kind` outside dataclasses.**   |
+| `edge_kind`         | `str` ∈ EDGE_KINDS                    | protocol         | Taxonomy of edges.                                              |
+| `event_kind`        | `Literal['slot','edge','done']`       | log              | Wire-event taxonomy. **[FIX]** rename log's `kind` arg.         |
+| `seq`               | `int`, strictly monotonic, global     | log              | Single global counter. **[FIX]** drop "per-instance" from I2.   |
+| `slot_xy`           | `Tuple[float, float]`                 | geometry         | Bare coordinate pair returned by helpers. **[FIX]** rename from "slot". |
+| `SlotAssignment`    | dataclass(seq, node_id, x, y, node_kind, domain_id) | protocol | The placement record. `.node_id`, never `.id`. **[FIX]** wire.  |
+| `NodeDelta`         | dataclass(node_id, node_kind, domain_id, parent_id, tool_name) | protocol | Add-node input. **[FIX]** rename `kind` → `node_kind` everywhere. |
+| `EdgeDelta`         | dataclass(source_id, target_id, edge_kind) | protocol    | Add-edge input. **[FIX]** rename `kind` → `edge_kind`.          |
+| `DoneDelta`         | dataclass(total_slots: int, total_edges: int) | protocol  | **[FIX]** new — terminal build-complete event.                  |
+| `priority`          | `int` ∈ {0..6}                        | scheduler        | P0..P6, lower = more critical.                                  |
+| `total_domains`     | `int ≥ 1`                             | geometry         | Count of domain nodes; key on `compute_slot` ctx for kind='domain'. |
+| `total_in_domain`   | `int ≥ 1`                             | geometry         | Sibling count within a domain (setup / discussion / memory / mcp). |
+| `total_in_hub`      | `int ≥ 1`                             | geometry         | File count within one tool_hub.                                 |
+| `total_in_file`     | `int ≥ 1`                             | geometry         | Symbol count within one file.                                   |
+| `idx_in_*`          | `int ≥ 0`                             | geometry         | Position within the matching `total_in_*`. **[FIX]** drop bare `idx`/`total` from `compute_slot` ctx in favor of explicit names. |
+| `index` (domain)    | `int ≥ 0`                             | geometry         | Domain placement index in Fibonacci spiral. Mapping `domain_id → index` is owned by the authority composition root and MUST be exposed. |
+| `tool_name`         | `str`                                 | protocol         | Required iff `node_kind == 'tool_hub'`.                         |
+| `hub_angle`         | `float` (radians)                     | geometry         | Cached per-tool axis; carried in ctx for files orbiting a hub.  |
+| `outward`           | `float` (radians)                     | geometry         | Domain's radially-outward axis from canvas center.              |
+| `anchor`            | `Tuple[float, float]`                 | geometry         | A domain's (x, y); the parent reference for everything inside.  |
+
+Pseudo-problems dissolved by this glossary:
+
+- "Why does wire crash on first emit?" — `slot.id` vs `slot.node_id`. Not a real bug class; a pure naming slip.
+- "Should `seq` reset across builds?" — protocol I2 vs log reset. Resolved by declaring log the owner; protocol I2 reworded.
+- "What is `total`?" — depends on the call site. The dispatcher's `ctx['total']` is the genuine bug; six distinct names fix it.
+- "Where is the `done` contract?" — undeclared. Add `DoneDelta` to protocol.
+
+Real problems that survive vocabulary clarification (NOT dissolved):
+
+- The `domain_id → index` mapping is genuine missing state — the
+  authority composition root must own it (separate audit).
+- Pending-edges buffer ordering vs. seq monotonicity (I5 vs I2) is a
+  genuine race the log's single-producer rule alleviates but does not
+  eliminate.
+
+---
+
+## 3. Mandatory edits (engineer integration checklist)
+
+1. **wire.py**: replace `slot.id` with `slot.node_id` (2 occurrences). Update `_validate_id(slot.id, "slot.id")` to `_validate_id(slot.node_id, "slot.node_id")`. Update `parse_slot` docstring to call the field `node_id` (it already does locally).
+2. **protocol.py**: rename `NodeDelta.kind` → `node_kind`, `EdgeDelta.kind` → `edge_kind`, `SlotAssignment.kind` → `node_kind`. Update I2: drop "per authority instance"; add "owned by `layout_authority_log`, never reset."
+3. **protocol.py**: add `DoneDelta(total_slots: int, total_edges: int)` dataclass and document who emits it (the build worker, after the last add_node/add_edge).
+4. **log.py**: rename `emit(kind, payload)` → `emit(event_kind, payload)`. Type hint `event_kind: Literal['slot', 'edge', 'done']`.
+5. **geometry.py**: rename helper params `total` → `total_in_hub` / `total_in_file` / `total_in_domain`; same for `idx`. Update `compute_slot` dispatcher to read the explicit keys per branch (no shared `ctx['total']`).
+6. **scheduler.py**: type-annotate `submit(priority: int, item: NodeDelta | EdgeDelta | str)` so the priority/item invariant is checked at the boundary.
+7. **Composition root** (forthcoming `layout_authority.py`): expose the `domain_id → index` mapping as an explicit field on the authority instance; geometry's `compute_slot` for `'domain'` reads `ctx['index']` from it.
+
+The glossary in §2 is the **integration contract**. Refuse merges that
+reintroduce `slot.id`, bare `kind` on Node/Edge/SlotAssignment, or
+shared `ctx['total']`.
diff --git a/tasks/layout-authority/cost-model.md b/tasks/layout-authority/cost-model.md
new file mode 100644
index 00000000..48944f0d
--- /dev/null
+++ b/tasks/layout-authority/cost-model.md
@@ -0,0 +1,122 @@
+# Layout Authority — Cost-Floor Derivation
+
+## 1. The hard ceiling
+
+Constraint: place **N = 10⁹ nodes** in 2D within **T = 1–2 s**, working-set
+**≤ 8 MB**. Single-machine, single-allocation budget.
+
+Per-node time budget:
+
+```
+T_per_node = T / N = 1 s / 10⁹ = 1 ns
+```
+
+A modern x86 core dispatches ~3·10⁹ simple ops/s. At 1 ns/node that is
+**~3 cycles per node**. No Python interpreter, no syscall, no cache miss
+fits in 3 cycles. So:
+
+- Realistic single-core Python budget: **~10 ns per node** at 10⁸ nodes;
+  at 10⁹ we MUST batch through C/SSE writes (numpy, ctypes, or a tile
+  worker) and let the GIL release.
+- The geometry cost itself **must be O(1) per node** — closed form, no
+  iteration over siblings, no graph traversal, no force step.
+
+Anything else hits a wall. d3-force is O(N log N) per tick × ~300 ticks
+≈ 3·10¹² ops at N = 10⁹ — six orders of magnitude over budget.
+`prepareTopology` as currently written is O(N + E); even at 50 ns/node
+that is 50 s for 10⁹ nodes. Both are disqualified.
+
+## 2. Implications
+
+1. **No per-node iteration over siblings.** A node's slot may consult
+   only its own (kind, idx, total_in_kind), its parent's slot if any,
+   and its domain's anchor. That is it.
+2. **No per-event recompute.** Adding a node is `counter[(dom,kind)] += 1`
+   then one `compute_slot()` call. Inserting node 10⁹ costs the same as
+   inserting node 1.
+3. **Slot formula is a pure function** of `(domain_anchor, kind, idx,
+   total_in_kind)` plus, for symbols, the parent file's slot.
+4. **No global graph traversal anywhere in the layout path.** Edges
+   exist for the renderer, not for the placer.
+
+## 3. Memory ceiling — 8 MB working set
+
+Per-domain state is **O(kinds)**, not O(nodes_in_domain). For
+**11 domains × 6 kinds** (`tool_hub`, `file`, `symbol`, `discussion`,
+`memory`, `setup`):
+
+```
+state = 11 × 6 × 8 bytes (int64 counter) = 528 bytes
+```
+
+Trivially fits the 8 MB budget with five orders of magnitude to spare.
+Per-tool-hub angle cache: 7 tools × 11 domains × 16 bytes ≈ 1.2 KB.
+Per-file slot cache for symbol parenting: only kept for files that
+actually have symbols — bounded by the visible window, not by N.
+
+The graph itself never lives in this module. The authority owns the
+counters; the renderer owns the buffers. Both are O(visible) at peak,
+not O(N).
+
+## 4. Why the geometry must match `workflow_graph.js`
+
+The user has spent months tuning `prepareTopology` / `computeSlots`
+(workflow_graph.js lines 308–700). The Python authority is a **port,
+not a re-design**: same Fibonacci-spiral domain anchors (golden angle
+φ = π(3 − √5), JS line 323), same per-kind shells (`SETUP_R = 70`,
+`TOOL_R = 140`, `FILE_R = 220`, `DISC_R = 150`, `MEM_R = 150`),
+same per-tool angles (`TOOL_LOCAL_ANGLE`, JS lines 76-84), same
+sector half-widths (`SECTOR_SETUP_HALF = π/2.6`, `SECTOR_SIDE_HALF = π/6.5`,
+`SECTOR_SIDE_ANGLE = 0.72π`). All constants in
+`mcp_server/server/layout_authority_geometry.py` are copied verbatim
+with `// source: ui/unified/js/workflow_graph.js:<line>` provenance
+in their docstrings.
+
+## 5. Empirical proof — benchmark on 1M slots
+
+Run on this machine (Apple silicon, Python 3.10, single core, no JIT):
+
+```
+setup:      180.1 ms   5.55 M ops/s
+file:       211.9 ms   4.72 M ops/s
+memory:     295.7 ms   3.38 M ops/s
+symbol:     201.6 ms   4.96 M ops/s
+domain:     198.6 ms   5.04 M ops/s
+```
+
+Pure-Python closed-form: **~3.4–5.6 M slots/s per core**, i.e. **~180–300 ns
+per slot**. To hit 10⁹ in 1–2 s we need ~10 ns/slot — **~20–30× faster**
+than pure Python single-core. Achievable via:
+
+- numpy-vectorised batch compute (~30–50 ns/slot in numpy → ~50× speedup
+  by amortising the interpreter loop)
+- 8-core parallel write (~5–8× on top)
+
+Net headroom: comfortable for 10⁹ within the 1–2 s window once the
+authority pushes batches through numpy. **The geometry itself is no
+longer the bottleneck** — the SSE/HTTP transport to the renderer is.
+
+## 6. What this rules out, forever
+
+| Approach | Why disqualified |
+|---|---|
+| d3-force ticks | O(N log N) per tick × hundreds of ticks |
+| `prepareTopology` per phase | O(N + E) per recompute, called per event |
+| any per-frame iteration over siblings | violates O(1)-per-node |
+| force simulation | non-deterministic + iterative |
+| spatial index rebuilds on add | O(N log N) construction per insert |
+
+The authority places node #10⁹ in the same time as node #1. There is
+no other shape the solution can take under these constraints.
+
+## 7. Hand-offs
+
+- **Authority** (caller of `compute_slot`): owns the
+  `counters: dict[(dom_id, kind), int]` map and the per-domain anchor
+  cache. On insert: bump counter, call `compute_slot`, write `(x,y)` to
+  the SSE/Postgres slot table.
+- **Renderer**: reads slots from the slot table; does not call
+  `compute_slot` itself. (Curie: measure actual end-to-end latency at
+  N = 10⁶ and N = 10⁸ to confirm the 10 ns/slot extrapolation holds.)
+- **Hamilton**: design the SSE backpressure path so the renderer
+  degrades gracefully when slot-write rate exceeds network bandwidth.
diff --git a/tests_py/handlers/test_open_visualization.py b/tests_py/handlers/test_open_visualization.py
index 35729986..7b1fee42 100644
--- a/tests_py/handlers/test_open_visualization.py
+++ b/tests_py/handlers/test_open_visualization.py
@@ -26,7 +26,7 @@ class TestOpenVisualizationHandler:
     """The handler now drives the full prepare-then-render pipeline:
     after launching the standalone server it polls /api/graph/progress,
     invokes /api/recompute_layout, and only then opens the browser at
-    the ``?viz=tilemap`` path. Tests stub ``_prepare_layout`` so they
+    the ``?viz=force`` path. Tests stub ``_prepare_layout`` so they
     don't issue real HTTP traffic."""
 
     def test_returns_url(self):
@@ -43,7 +43,7 @@ def test_returns_url(self):
         ):
             result = asyncio.run(handler({}))
 
-        assert result["url"] == "http://localhost:3458/?viz=tilemap"
+        assert result["url"] == "http://localhost:3458/?viz=force"
         assert "localhost" in result["message"]
 
     def test_default_args_none(self):
@@ -59,7 +59,7 @@ def test_default_args_none(self):
             ),
         ):
             result = asyncio.run(handler(None))
-        assert result["url"] == "http://localhost:3458/?viz=tilemap"
+        assert result["url"] == "http://localhost:3458/?viz=force"
 
     def test_launches_unified_server_type(self):
         mock_launch = MagicMock(return_value="http://localhost:3458")
@@ -94,17 +94,17 @@ def test_opens_browser_at_tilemap_url(self):
             ),
         ):
             asyncio.run(handler({}))
-        mock_open.assert_called_once_with("http://localhost:5555/?viz=tilemap")
+        mock_open.assert_called_once_with("http://localhost:5555/?viz=force")
 
-    def test_opens_browser_at_tilemap_url_unconditionally(self):
-        """Handler always opens the tilemap URL — graph build happens on
+    def test_opens_browser_at_force_url_unconditionally(self):
+        """Handler always opens the force-directed URL — graph build happens on
         demand via the UI's Graph button, not on launch.
 
         Previously a fallback path opened the legacy URL when
         ``_prepare_layout`` reported ``igraph_missing``; that branch
         was removed when the on-launch layout precomputation was
         dropped (2026-05). The handler now returns immediately after
-        opening ``?viz=tilemap`` regardless of any layout state."""
+        opening ``?viz=force`` regardless of any layout state."""
         with (
             patch(
                 "mcp_server.handlers.open_visualization.launch_server",
@@ -115,8 +115,9 @@ def test_opens_browser_at_tilemap_url_unconditionally(self):
             ) as mock_open,
         ):
             result = asyncio.run(handler({}))
-        mock_open.assert_called_once_with("http://localhost:5555/?viz=tilemap")
-        assert "tilemap" in result["message"]
+        mock_open.assert_called_once_with("http://localhost:5555/?viz=force")
+        assert "force" in result["url"]
+        assert "Workflow graph" in result["message"]
 
 
 class TestDevSourceSecurityHardening: