Commit 9f2fd8a

plan(super-domain-rbac-v1): §19 — pinned versions + ndarray::simd canonical SIMD path
Locks the build invariants for all D-SDR-* deliverables:

Pinned versions (per PR #275 + Cargo.toml):
- rust 1.94.1 (MSRV; portable_simd patterns ndarray::simd uses)
- lance =4.0.0 (exact pin)
- lancedb 0.27.2

ndarray::simd is the canonical SIMD path:
- All vectorized ops use ndarray::simd from workspace vendored ndarray fork
- Not raw std::simd, not packed_simd, not hand-rolled intrinsics
- One SIMD path, one test surface, one cross-platform contract
- Hot-path ops mapped:
  * OwlIdentity bitmask scans (Cypher MATCH lowering)
  * Batch MerkleRoot computation across rows
  * BitSet256 bitwise ops (role redaction mask)
  * Per-family codebook PQ centroid distance
  * Canonicalization rule application across batch
  * DataFusion predicate vector composition (UnifiedBridge::authorize)
  * ArrowBatchDriftSignal MerkleRoot-of-batch
- Tier A LOC drops ~15-25%: scalar fallback paths collapse to ndarray::simd one-liners, no separate code

Mandatory-ndarray promotion (decoupled concurrent workstream):
- User directive: ndarray should be mandatory dep, not optional ndarray-hpc
- Per CLAUDE.md Phase 3 IN PROGRESS already includes the wiring; this promotes that to "make ndarray mandatory, retire feature flag"
- NOT blocking any D-SDR-* deliverable
- Tier A may temporarily ship behind #[cfg(feature = "ndarray-hpc")] until the promotion lands; gates retire via mechanical find/replace
- Workstream sequencing:
  1. Promote ndarray: feature → mandatory dep (Phase 3 + new directive)
  2. Retire blasgraph/ndarray_bridge.rs standalone fallbacks
  3. Retire #[cfg(feature = "ndarray-hpc")] gates from D-SDR-*

Tradeoff flagged: ndarray::simd couples lance-graph MSRV to ndarray's; acceptable per workspace policy (ndarray = The Foundation per CLAUDE.md). Version pinning stricter than rest of workspace, correct for storage layer + Flight SQL where minor-version drift causes real bugs.

INTEGRATION_PLANS.md fourth correction line appended per APPEND-ONLY governance.
1 parent cf1d727 commit 9f2fd8a

2 files changed

Lines changed: 78 additions & 0 deletions

.claude/board/INTEGRATION_PLANS.md

Lines changed: 2 additions & 0 deletions
@@ -49,6 +49,8 @@
4949

5050
**Correction (2026-05-13):** §13 refinements added (same session). (a) Enforcement composes onto shipped `lance-graph-callcenter::policy::PolicyRewriter` chain + `PolicyKind` taxonomy (RowFilter/ColumnMask/RowEncryption/DifferentialPrivacy/Audit) rather than introducing parallel path — ~30% Tier A LOC reduction. (b) Cross-tenant federation upgraded to A+B+C all accepted; Option C (`EncryptedViewAggregate`) viable now via LanceDB transparent encrypted views, not 2027+ R&D. (c) Audit chain integrity built-in via `MerkleRoot::from_fingerprint` + `ClamPath` from `graph/spo/merkle.rs` (the merkle/DN-path mixing already shipped). (d) Hard-lock requirement formalized: Healthcare ↔ OSINT (and 3 other pairs) get 3 layers of defense — predicate + per-super-domain merkle salt + super-domain-scoped HKDF key derivation. (e) `researcher` role hardened to anonymized-projection-only with k-anonymity floor + DP noise injection on aggregates. New deliverables D-SDR-13..17 added. Open questions on audit format + cross-tenant federation RESOLVED; new open questions on hard-lock partner matrix + per-super-domain DP epsilon + merkle salt rotation cadence.
5151

52+
**Correction (2026-05-13, fourth commit):** §19 build invariants + SIMD strategy added. Pins: rust 1.94.1, lance =4.0.0, lancedb 0.27.2 (per PR #275). All vectorized ops across D-SDR-1..39 use `ndarray::simd` from the workspace's vendored ndarray fork — single SIMD path, single test surface, single cross-platform behavior contract. Hot-path ops mapped: OwlIdentity bitmask scans, batch MerkleRoot computation, BitSet256 bitwise ops, per-family codebook PQ centroid distance, canonicalization rule application, DataFusion predicate vector composition, ArrowBatchDriftSignal MerkleRoot-of-batch. Tier A LOC drops ~15-25% (scalar fallback paths collapse to ndarray::simd one-liners). Mandatory-ndarray-as-dep promotion (retire `ndarray-hpc` feature flag) is a separate concurrent workstream, NOT in this spec's scope but assumed baseline; Tier A may temporarily ship behind `#[cfg(feature = "ndarray-hpc")]` until the promotion lands.
53+
5254
**Correction (2026-05-13, third commit):** §18 empirical reality check added after pygithub REST inspection of `AdaWorldAPI/MedCareV2` + `AdaWorldAPI/MedCare-rs@claude/csharp-handoff-docs-L3DF0`. Major findings: (a) The §15-§17 drift bridge concept is already designed and partially scaffolded as `MedCareV2/MedCare_2.0/LanceProbe/` (M1 complete; M2-M6 pending Rust-side endpoints). 8 LanceProbe components (ParityClient/ParityWitness/DriftSink/etc.) map nearly 1:1 to the spec's DTOs. (b) MedCareV2 is overlay-only (copy of MedCare + LanceProbe additions) — cannot be reshaped freely as I assumed; "do NOT refactor" is the explicit constraint. (c) CRITICAL crypto correction: the "3DES" in MedCare's `Crypt.cs:438-451` uses 128-bit truncated key + zero IV + ECB-equivalent + non-standard MD5+RC2 KDF + 62-entry hardcoded password array — cryptographically equivalent to single DES (broken). The migration is NOT 3DES→AES-GCM rewrap; it's Argon2-backfill-on-login per existing `MedCare-rs/docs/AUTH_LEGACY_TRIPLEDES_MIGRATION.md` plan. (d) Only the `u_pwd` column on `praxis_mitarbeiter` uses the 3DES path; rest of the schema is plaintext. D-SDR-27 scope reduces from "decrypt-rewrap pipeline" to "carry ciphertext forward, Argon2-backfill on first login." (e) §15.2 abstract 12-rule determinism table replaced by 6 concrete canonicalization rules from `CSHARP_HANDOFF_PROMPT.md` lines 93-104 (date / decimal / bool / soft-delete / pwd / timestamp). (f) §17.3 Arrow Flight SQL convergence is aspirational end-state; immediate path is HTTP+JSON over JWT (what LanceProbe already targets); Flight SQL is Phase 5+ migration. (g) New deliverables D-SDR-35..39 for medcare-rs side: parity ingest endpoint, dashboard, DTO contracts doc, TripleDES fallback feature flag, telemetry endpoint. M5 is blocked until these land. Resolved 7 prior open questions (audit format, federation, DEK rotation, hard-lock matrix scope, DP epsilon, MedCareV2 reshape, 3DES inventory). 
3 new open questions: other columns calling EncryptMessage in MySQL_Connect.cs, DTO contracts for 40+ planned routes, AUTH_LEGACY_TRIPLEDES_MIGRATION.md DRAFT-to-Active blockers.
5355

5456
**Correction (2026-05-13, second commit):** §14-§17 refinements added (same session). (§14) Meta-bridge extracted from shipped medcare_bridge.rs + sharepoint_bridge.rs harvest, not designed clean-room. New bridges hubspot_bridge.rs + hiro_bridge.rs added as templates; woa_bridge.rs retrofit. Tier F (D-SDR-18..20, 23) + Tier G (D-SDR-21..22) deliverables. (§15) Drift detection initially framed as production parallelbetrieb infrastructure with 12 cross-language determinism rules — substantially refined by §16+§17. (§16) Pre-prod posture corrected per user clarification: nothing in production yet, single 3DES cipher (not 3-cipher chain), one-shot import tool not persistent infrastructure. Zone 3 boundary placement collapses determinism rules from 12 to ~3 (decimal + timestamp + FP aggregate). MerkleRoot-cleartext-beside-ciphertext insight: drift bridge compares without ever decrypting in steady-state production, so encryption uses random nonces (no need for AES-GCM-SIV). MedCare MySQL Struktur reality check (104 tables, all VARCHAR/TEXT/DATETIME, app-layer 3DES not at-rest, schema is purely clinical with billing/tickets in separate WoA/Hiro databases). New deliverables D-SDR-27..30. (§17) Convergence on LanceDB+DataFusion SQL as unified persistence; both Rust (in-process) and C# (Arrow Flight SQL gRPC) clients hit the same DataFusion logical plan layer. Custom Protobuf IDL (D-SDR-20) SUPERSEDED by Arrow Flight SQL — Substrait extension types for OwlIdentity/MerkleRoot/SuperDomain. Drift bridge bounded to Phase 2-3 cutover window, then retires to CI gate. New deliverables D-SDR-31..34. Dropped scope: MySQLAdapterBridge (D-SDR-24), persistent production drift infra, multi-trustee key escrow, C-ABI FFI option, custom Protobuf IDL. §18 deferred pending MCP scope expansion to AdaWorldAPI/MedCare + AdaWorldAPI/MedCareV2 for 3DES column inventory + transcoded shape grep.
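
Review bot: The new "fourth commit" entry lands at new line 52, between the first 2026-05-13 correction and the "third commit" entry, so the visible order reads first, fourth, third, second, while the commit message describes the line as appended under APPEND-ONLY governance. If the convention is newest-first below the initial correction, state that rule next to the entries; otherwise move the entry to the end of the list so the ordering is unambiguous to later readers. The entry also lists the pins as "lance =4.0.0, lancedb 0.27.2" in one breath although only the lance requirement carries `=`; copying the exact requirement strings from Cargo.toml would avoid implying that both are exact pins.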

.claude/plans/super-domain-rbac-tenancy-v1.md

Lines changed: 76 additions & 0 deletions
@@ -1264,3 +1264,79 @@ These slot under Tier F or a new Tier H, blocking M5/M6 of the LanceProbe milest
12641264
- **Coordination doc:** lives at `MedCare-rs/docs/CSHARP_HANDOFF_PROMPT.md` on branch `claude/csharp-handoff-docs-L3DF0`; should be merged or referenced from this spec's path.
12651265

12661266
**Confidence:** Working — empirical inspection of both repos confirms the architecture; the C# parity tool already implements the drift bridge as scaffolded code; the Rust side gaps are concrete (5 endpoints) and small (~700 LOC + tests across D-SDR-35..39).
1267+
1268+
---
1269+
1270+
## 19 — Build invariants + SIMD strategy (2026-05-13, same session)
1271+
1272+
### 19.1 Pinned versions
1273+
1274+
All Rust deliverables (D-SDR-1..39) sit on the following workspace pins, already established by PR #275 + per `Cargo.toml`:
1275+
1276+
```toml
1277+
rust-version = "1.94.1" # MSRV; 1.94 stabilizes portable_simd patterns ndarray::simd uses
1278+
lance = "=4.0.0" # exact pin per Cargo.toml
1279+
lancedb = "0.27.2" # caret per Cargo.toml; PR #275 introduced
1280+
```
1281+
1282+
**Implication for the spec:** D-SDR-28 (MerkleRoot-beside-ciphertext storage layout) targets `lance =4.0.0` schema; D-SDR-31 (Arrow Flight SQL endpoint) targets `lancedb 0.27.2` exposure of the DataFusion catalog. No floating versions; no surprise minor-version bumps mid-implementation.
1283+
1284+
### 19.2 ndarray::simd is the canonical SIMD path
1285+
1286+
All vectorized operations across the spec use **`ndarray::simd`** from the workspace's vendored ndarray fork at `/home/user/ndarray`. Not raw `std::simd`, not `packed_simd`, not hand-rolled platform intrinsics. One SIMD path; one set of tests; one cross-platform behavior contract.
1287+
1288+
**Hot-path operations that should use `ndarray::simd`:**
1289+
1290+
| Op | DTO | SIMD pattern |
1291+
|---|---|---|
1292+
| Per-row `OwlIdentity` bitmask scans (Cypher MATCH lowering) | `OwlIdentity` (§3.2) | masked u16 compare, vectorized over a column |
1293+
| Batch `MerkleRoot` computation across rows | `MerkleRoot` (§13.3) | parallel XOR-fold over fingerprint slices |
1294+
| `BitSet256` bitwise ops (role redaction mask) | `BitSet256` (§3.6) | 4×u64 SIMD AND/OR/contains-bit |
1295+
| Per-family codebook PQ centroid distance | `OgitFamilyTable.codebook` (§3.3) | `ndarray::simd` Hamming/L2 (already shipped in `ndarray::hpc`) |
1296+
| Canonicalization rule application across batch | §18.4 rules | vectorized string comparison + decimal normalization |
1297+
| DataFusion predicate vector composition | `UnifiedBridge::authorize` (§3.9) | 3-stage masked predicate combine into one bool vector |
1298+
| `ArrowBatchDriftSignal` MerkleRoot-of-batch | §17.4 | XOR-fold over the batch's interleaved (id, merkle) pairs |
1299+
1300+
**Tier A LOC reduction:** several DTO method bodies that I sketched as scalar loops collapse to `ndarray::simd` one-liners. D-SDR-1..3 estimated LOC drops by ~15-25% (the scalar fallback paths are no longer needed as separate code).
1301+
1302+
### 19.3 ndarray as mandatory dep (deferred workstream)
1303+
1304+
Per user directive: **`ndarray` should be a mandatory dep of `lance-graph`, not the current optional `ndarray-hpc` feature.** Currently:
1305+
1306+
```toml
1307+
# Current (lance-graph/Cargo.toml — to be retired)
1308+
[features]
1309+
default = ["unity-catalog", "delta", "ndarray-hpc"]
1310+
ndarray-hpc = ["dep:ndarray"]
1311+
1312+
# Target (post-migration)
1313+
[dependencies]
1314+
ndarray = { path = "../../../ndarray", default-features = false }
1315+
# (no feature gate; always present)
1316+
```
1317+
1318+
**This is a separate concurrent workstream**, not blocking any D-SDR-* deliverable in this spec. **Status per CLAUDE.md**: Phase 3 IN PROGRESS already includes "Wire ndarray as default dep (Cargo.toml change + `ndarray-hpc` feature flag)" — this spec's directive **promotes** that to "make ndarray mandatory, retire the feature flag." No-op for the architecture; it just removes the `#[cfg(feature = "ndarray-hpc")]` branches.
1319+
1320+
**All D-SDR-* deliverables in this spec assume ndarray is present** (i.e., as if the Phase 3 + new mandatory-promotion workstream has landed). If Tier A ships before the mandatory-promotion lands, the deliverables sit behind `#[cfg(feature = "ndarray-hpc")]` temporarily; once the feature flag retires, the cfg gates are deleted (mechanical change).
1321+
1322+
### 19.4 Sequencing impact (none for D-SDR-* shipping order)
1323+
1324+
The mandatory-ndarray promotion is **decoupled** from this spec's deliverables:
1325+
1326+
| Workstream | Owner | Blocks D-SDR-*? |
1327+
|---|---|---|
1328+
| Promote ndarray from `ndarray-hpc` feature → mandatory dep | Phase 3 (concurrent) | No — Tier A ships behind feature flag in interim |
1329+
| Retire `blasgraph/ndarray_bridge.rs` standalone fallbacks | Post-promotion cleanup | No — fallbacks were never used by D-SDR-* code |
1330+
| Retire `#[cfg(feature = "ndarray-hpc")]` gates from D-SDR-* | Mechanical post-promotion | No — one-shot find/replace |
1331+
1332+
### 19.5 Brutal-honest tradeoff
1333+
1334+
`ndarray::simd` adds a workspace-internal dep coupling: lance-graph's MSRV moves in lockstep with ndarray's. Today both are Rust 1.94.1; if ndarray jumps MSRV, lance-graph + all consumers (medcare-rs, smb-office-rs, hiro-rs, hubspot-rs) jump too. This is acceptable because the workspace already treats ndarray as the SIMD foundation per CLAUDE.md ("ndarray = The Foundation (SIMD, GEMM, HPC, ...)"); the alternative (every crate independently picking a SIMD strategy) was already rejected.
1335+
1336+
The version pinning (lance =4.0.0, lancedb 0.27.2, rust 1.94.1) is **stricter** than the rest of the workspace asks for, which is correct for this spec's deliverables since they touch the storage layer + Flight SQL endpoint where minor-version drift would cause real bugs.
1337+
1338+
### 19.6 Status
1339+
1340+
- **Pinned versions:** stable; no action needed beyond using them in `Cargo.toml` for new crates (woa-rs/hubspot-rs/hiro-rs).
1341+
- **`ndarray::simd` adoption:** assumed baseline for all D-SDR-* deliverables; no separate deliverable needed.
1342+
- **Mandatory ndarray promotion:** **NOT in this spec's scope.** Tracked as Phase 3 + post-Phase-3 cleanup workstream. This spec ships against either world (with cfg-gates as transient overhead until promotion lands).
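
Review bot: In §19.1 the `lancedb = "0.27.2"` line is commented as a caret requirement, which contradicts the "No floating versions; no surprise minor-version bumps" sentence directly below it, because a caret requirement on a 0.x crate still lets Cargo resolve to any later 0.27.x release. Either write `lancedb = "=0.27.2"` as is done for lance, or say explicitly that a committed Cargo.lock is what enforces the pin, and carry the same wording into §19.5 and §19.6 where the three versions are called pinned. Two further points in the same hunk: §19.2 locates the vendored fork at `/home/user/ndarray` while the §19.3 target manifest uses `path = "../../../ndarray"`, so the spec should give one repository-relative location; and the two MerkleRoot rows of the §19.2 table specify an XOR-fold, which is order-insensitive and in which two identical inputs cancel, so the spec should state whether row reordering and duplicated rows are meant to leave the batch root unchanged or name the mixing step that prevents it.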
