diff --git a/.claude/board/EPIPHANIES.md b/.claude/board/EPIPHANIES.md
index bb0053fd0..4b08187fc 100644
--- a/.claude/board/EPIPHANIES.md
+++ b/.claude/board/EPIPHANIES.md
@@ -1,3 +1,59 @@
+## 2026-06-06 — E-DEINTERLACE-TWO-SCALES — deinterlace is one operation at two scales; no-cross-cycle-lag = byte-scale deinterlace
+
+**Status:** FINDING (source-grounded; `temporal.rs` PR #468 confirms row-scale; byte-scale is a documented gap)
+**Confidence:** High
+
+**The synthesis:** temporal causality in the SoA system must be enforced at two
+independent scales that share the same monotonic clock:
+
+```text
+Row/query scale  →  HLC tick + DependsClosure  →  temporal.rs::deinterlace()  (SHIPPED, PR #468)
+Byte/column scale → SoaEnvelope::cycle() stamp → MailboxSoA Arc-swap COW      (GAP — plan written)
+```
+
+Both are the SAME operation — "sort by the causal clock and project the result
+into the reader's reference frame" — but at different granularities.
+
+**Row scale (PR #468 confirms):**
+`temporal.rs:18-20` defines the standing wave correctly: "merge-sort by HLC
+tick and every field's row lands on one timeline. The result IS the standing
+wave / kanban SoA." The `deinterlace()` function + `EpistemicMode` (Strict /
+Aware / Retro) + `DependsClosure` implement this. 8 tests pass.
+
+**Byte scale (current gap):**
+Nothing in the codebase prevents a reader from holding column data from SoA
+cycle N and cycle N+1 in the same SIMD sweep. The `SoaEnvelope::cycle()` stamp
+exists but is not enforced as a snapshot barrier.
+
+**The fix (plan: `cycle-coherent-soa-snapshot-v1.md`):**
+Arc-swap COW at column granularity in `MailboxSoa::advance_phase`:
+1. Writer increments `cycle`, then swaps the `Arc<[u8]>` of each mutated column.
+2. Reader snapshots all column Arcs under one cycle stamp (lock-free retry).
+3. The resulting `MailboxSoaSnapshot { cycle, cols }` is structurally coherent.
+
+**The boundary:**
+`MultiLaneColumn` in ndarray stays layout-only. The Arc-swap policy lives in
+lance-graph's `MailboxSoa`. ndarray does not learn that cycles exist.
+
+**The clock is one clock:**
+`SoaEnvelope::cycle()` (byte scale) and `QueryReference::ref_version` (row
+scale) are the same monotonic sequence. Threading `snapshot.cycle` into
+`QueryReference` closes the loop: row-scale and byte-scale deinterlace use
+the same clock.
+
+**Standing wave clarification (Q3 probe result):**
+The "standing wave" is NOT a compute recurrence. It is the deinterlaced
+projection over Lance versions — provided by Lance versioning itself (O(1)
+90° lookup). Do not implement a standing wave in compute.
+
+**Cross-ref:**
+- PR #468 (`temporal.rs`) — row-scale (SHIPPED)
+- PR #477 (`soa_envelope.rs`) — envelope contract (IN REVIEW)
+- `.claude/plans/cycle-coherent-soa-snapshot-v1.md` — byte-scale fix plan
+- `docs/probes/q3-standing-wave-falsification.md` — probe confirming no wave in compute
+
+---
+
 ## 2026-06-04 — E-AUDIT-RETENTION-CAVEAT — substrate-b consumer doc Lance-versions-as-audit claim was overstated; corrected to retention-policy-gated (codex P1 on #465)
 
 **Status:** CORRECTION (codex P1 on PR #465, 2026-06-04; merged + immediate follow-up correction per the no-silent-edit discipline — the FIX appends; the original epiphany E-SUBSTRATE-B-CAPABILITY-ROADMAP stands as the corrected reference now reads).
diff --git a/.claude/board/INTEGRATION_PLANS.md b/.claude/board/INTEGRATION_PLANS.md
index f1aeaba8e..25c92e83d 100644
--- a/.claude/board/INTEGRATION_PLANS.md
+++ b/.claude/board/INTEGRATION_PLANS.md
@@ -1,3 +1,19 @@
+## 2026-06-06 — cycle-coherent-soa-snapshot-v1 (Arc-swap COW at column granularity; byte-scale deinterlace; no-cross-cycle-lag guarantee)
+
+**Status:** QUEUED. Design-spec only, no code. **Plan file:** `.claude/plans/cycle-coherent-soa-snapshot-v1.md`.
+**Owns:** 6 deliverables D-SOA-SNAP-1..6.
+- D-SOA-SNAP-1: `MailboxSoaSnapshot` type in lance-graph-contract
+- D-SOA-SNAP-2: `SnapshotProvider` trait in lance-graph-contract
+- D-SOA-SNAP-3: Arc-swap write path in `MailboxSoa::advance_phase`
+- D-SOA-SNAP-4: `snapshot()` impl on `MailboxSoa`
+- D-SOA-SNAP-5: No-cross-cycle-lag falsification test (writer thread + 8 reader threads)
+- D-SOA-SNAP-6: Wire `snapshot.cycle` into `QueryReference` (close row-scale / byte-scale clock loop)
+**Epiphany:** E-DEINTERLACE-TWO-SCALES (prepended 2026-06-06).
+**Companion:** PR #468 (`temporal.rs`, row-scale, SHIPPED); PR #477 (`soa_envelope.rs`, IN REVIEW).
+**Boundary:** ndarray stays layout-only (`MultiLaneColumn`); Arc-swap policy in lance-graph only.
+
+---
+
 ## 2026-06-05 — cesium-osm-substrate-v1 (OpenStreetMap as 6th source class for the 3DGS-ArcGIS-Cesium ingestion plan; OSM PBF → Arrow → Lance → SPO → cesium tileset → splat renderer; substrate-reuse with splat-native-ultrasound-v1)
 
 **Status:** PROPOSAL. Design-spec only, no code. **Plan file:** `.claude/plans/cesium-osm-substrate-v1.md` (~430 LOC). **Trigger:** user feasibility question on OSM × Cesium × Gaussian-splat coupling; cross-session coordination with OGAR.
diff --git a/.claude/board/TECH_DEBT.md b/.claude/board/TECH_DEBT.md
index 6d49b043d..1721076d5 100644
--- a/.claude/board/TECH_DEBT.md
+++ b/.claude/board/TECH_DEBT.md
@@ -15,6 +15,17 @@
 
 ## Open Debt
 
+### TD-UNBUNDLE-FROM-1 — `unbundle_from` is NOT the inverse of `bundle_into` (2026-06-07)
+
+**Open.** `crates/lance-graph-planner/src/cache/kv_bundle.rs` — `unbundle_from`
+uses `wrapping_sub` as the "undo" of `bundle_into`. But `bundle_into` is a
+weighted average: `(old * w_self + new * w_new) / total`. Subtraction is not the
+inverse. `AttentionMatrix::set` calls both in sequence, silently corrupting the
+gestalt ~1 bit per epoch. Measurable after ~100 epochs. Function is marked
+`#[deprecated]` with a doc warning; callers use `#[allow(deprecated)]` + FIXME.
+**Paid by:** switch to raw-sum + count tracking so exact integer subtraction is
+possible. Cross-ref: `kv_bundle.rs:28-33`.
+
 ### TD-HELIX-OVERLAP-1 (D-HELIX-1) — `helix` re-derives existing CERTIFIED primitives (clean-room by directive)
 
 **Open.** `crates/helix` ships as a zero-dep clean-room codec per the user directive "scoped only to crate." ~80% of its pipeline duplicates existing, in-places-CERTIFIED workspace code: Fisher-Z/arctanh→i8 (`bgz-tensor::projection::Base17Fz`, `bgz-tensor::fisher_z::FamilyGamma` ρ≥0.999), golden-spiral azimuth (`jc::weyl`), stride-4 coupling (`thinking-engine::reencode_safety`, `highheelbgz`), EULER_GAMMA hand-off (`jc::precond`, `bgz-tensor::euler_fold`), 256-palette/L1 (`bgz17::palette`). Genuinely new = the `√u` equal-area hemisphere placement + the PLACE/RESIDUE doctrine. **Paid by** (when it graduates from clean-room): the consolidation path in `crates/helix/KNOWLEDGE.md` § Overlap & Consolidation — re-export `FamilyGamma` behind a feature; route coupling through the canonical `(i·11)%17`/stride-4 zipper; feed `ResidueEdge` into the existing HIP/TWIG CAKES tier. **Also owed:** a fidelity-vs-ground-truth probe (the naive-u8 floor gate ≥0.9980 Pearson is currently CONJECTURE — NOT RUN) before promotion. Cross-ref: E-HELIX-OVERLAP, `encoding-ecosystem.md`.
diff --git a/.claude/plans/cycle-coherent-soa-snapshot-v1.md b/.claude/plans/cycle-coherent-soa-snapshot-v1.md
new file mode 100644
index 000000000..755ac15d8
--- /dev/null
+++ b/.claude/plans/cycle-coherent-soa-snapshot-v1.md
@@ -0,0 +1,176 @@
+# Plan: Cycle-Coherent SoA Snapshot — No-Cross-Cycle-Lag Guarantee
+
+**Version:** v1
+**Date:** 2026-06-06
+**Status:** Queued
+**D-ids:** D-SOA-SNAP-1 through D-SOA-SNAP-6
+
+---
+
+## The problem
+
+`temporal.rs` (PR #468) closes the row-scale deinterlace gap: HLC tick →
+`classify/deinterlace` → causally-coherent row sequence. But there is a
+parallel byte-scale gap: nothing prevents a reader from holding a mix of
+column data from cycle N and cycle N+1 within the same SIMD sweep. This is
+the **cross-cycle lag problem** — a SIMD sweep that is not internally
+single-cycle is not coherent.
+
+The deinterlace operation is one operation at two scales:
+
+```text
+Row/query scale  →  HLC tick + DependsClosure  →  temporal.rs (SHIPPED, PR #468)
+Byte/column scale → SoaEnvelope::cycle() stamp → MailboxSoA Arc-swap (THIS PLAN)
+```
+
+---
+
+## The mechanism: Arc-swap COW at column granularity
+
+The SoA mailbox carries its columns as `Arc<[u8]>` slices (via
+`MultiLaneColumn` in ndarray). The invariant is:
+
+> **A reader that snapshots all column Arcs at the same `cycle()` stamp sees
+> a single coherent cycle. No column can be from a prior cycle.**
+
+### Write path (in `lance-graph`, `MailboxSoa::advance_phase`)
+
+On every `advance_phase(to: KanbanPhase)`:
+
+1. Increment `cycle` counter on the envelope.
+2. For each mutated column: swap the `Arc` pointer — `Arc::make_mut` on the
+   backing `Arc<[u8]>` of the `MultiLaneColumn`, write the new data, then
+   publish the new Arc via an `ArcSwap` (or `RwLock<Arc<MultiLaneColumn>>`).
+3. The cycle increment is a `SeqCst` store (fence) BEFORE the column Arc
+   swaps. Readers who observe the new cycle will see the new column data.
+
+### Read path (in `lance-graph`, `MailboxSoaView`)
+
+On `snapshot()`:
+
+1. Load cycle stamp.
+2. Clone all column Arcs under the same cycle stamp (atomic snapshot loop:
+   re-read cycle after loading all Arcs; retry if it changed — lock-free
+   single-retry is sufficient because writers are serialized through
+   `advance_phase`).
+3. Return `MailboxSoaSnapshot { cycle, cols: [...] }`.
+
+The snapshot guarantees all column data is from the same cycle.
+
+### Boundary: ndarray stays layout-only
+
+`MultiLaneColumn` in ndarray is `Arc<[u8]>` with typed lane iterators —
+**layout-only**. The Arc-swap policy (when to swap, how to snapshot, the
+cycle fence) belongs in `lance-graph`'s `MailboxSoa`. ndarray never learns
+that cycles or snapshots exist. The boundary is:
+
+```text
+ndarray::simd::MultiLaneColumn  — Arc<[u8]>, lane iters, Send + Sync, zero-copy reads
+lance-graph::MailboxSoa         — Arc-swap on advance_phase, cycle fence, snapshot()
+```
+
+### Connection to temporal.rs
+
+`SoaEnvelope::cycle()` is the byte-scale clock. `QueryReference::ref_version`
+is the row-scale clock (a Lance version). They are the same monotonic clock
+at different granularities — Lance version N corresponds to SoA cycle C(N).
+When `temporal.rs::deinterlace` runs at query time, the `V_ref` it uses should
+align with the `cycle()` of the snapshot being queried.
+
+Wiring: `VersionScheduler::on_version(&view, at, exec)` provides the Lance
+version; the `MailboxSoaSnapshot` that went into that version carries its
+`cycle`. Threading `snapshot.cycle` into `QueryReference` closes the loop so
+row-scale and byte-scale deinterlace use the same clock.
+
+---
+
+## Deliverables
+
+### D-SOA-SNAP-1 — `MailboxSoaSnapshot` type in lance-graph-contract
+
+A `MailboxSoaSnapshot` struct: `cycle: u32`, `cols: Vec<Arc<MultiLaneColumn>>`.
+Snapshot is `Send + Sync`. No reference to the originating `MailboxSoa`.
+This is a point-in-time read — immutable after creation.
+
+### D-SOA-SNAP-2 — `SnapshotProvider` trait in lance-graph-contract
+
+```rust
+pub trait SnapshotProvider {
+    fn snapshot(&self) -> MailboxSoaSnapshot;
+}
+```
+
+Zero deps in contract. `MailboxSoa` in lance-graph implements it.
+
+### D-SOA-SNAP-3 — Arc-swap write path in `MailboxSoa::advance_phase`
+
+In lance-graph (not contract, not ndarray): implement the cycle fence +
+column Arc-swap on every `advance_phase`. Use `std::sync::RwLock<Arc<MultiLaneColumn>>`
+per column (no external arc-swap crate needed unless benchmarks show
+contention; add as a feature flag if needed).
+
+### D-SOA-SNAP-4 — `snapshot()` implementation on `MailboxSoa`
+
+Lock-free snapshot: load cycle, clone all column Arcs, re-read cycle, retry
+once if changed. Return `MailboxSoaSnapshot`.
+
+### D-SOA-SNAP-5 — No-cross-cycle-lag falsification test
+
+```rust
+// Spawn a writer thread: advance_phase in a loop (100 cycles).
+// Spawn 8 reader threads: each calls snapshot() in a loop.
+// Assert: every snapshot has all columns reporting the same cycle.
+// Assert: no snapshot mixes data from two different cycles.
+```
+
+The test is the formal statement of the guarantee. If it passes, the
+invariant is mechanically enforced, not just documented.
+
+### D-SOA-SNAP-6 — Wire `snapshot.cycle` into `QueryReference`
+
+In the planner: when a query resolves a `MailboxSoaSnapshot`, thread
+`snapshot.cycle` through `QueryReference::hlc_tick` (or a new
+`QueryReference::soa_cycle: Option<u32>` field) so `deinterlace` at
+row scale uses the same cycle boundary as the snapshot at byte scale.
+
+---
+
+## Prerequisite gap fixes (order matters)
+
+These mechanical fixes should land before or alongside D-SOA-SNAP-1
+(they settle the column shape):
+
+1. Remove `MailboxSoA::emit()` + `CollapseGateEmission` from source.
+2. Rename `last_emission_cycle` → `last_active_cycle` in MailboxSoA.
+3. Drop `entity_type: u16` from SoA row — MailboxId IS NiblePath.
+4. Fix `OntologyRegistry::enumerate_first_with_entity_type_id` linear scan.
+5. Remove `MappingRow.thinking_style` — Kanban owns thinking styles.
+6. Fix `unbundle_from` in `kv_bundle.rs:29` — `wrapping_sub` is not the
+   inverse of weighted-average `bundle_into`.
+
+Items 1-5 settle the column shape before the Arc-swap schema is frozen.
+Item 6 is independent but should not be deferred (correctness bug).
+
+---
+
+## Non-goals
+
+- No recurrence / standing wave implementation. The standing wave is the
+  deinterlaced Lance version projection, provided by Lance versioning
+  (O(1) 90° lookup). Do not implement it in compute.
+- No baton. No emission. No inter-mailbox handoff type. The snapshot is
+  consumed in-place; nothing is transmitted.
+- ndarray does not learn about cycles, snapshots, or advance_phase.
+
+---
+
+## Cross-references
+
+- `temporal.rs` (PR #468) — row-scale deinterlace (SHIPPED)
+- `soa_envelope.rs` (PR #477) — envelope LE contract (IN REVIEW)
+- `soa-three-tier-model.md` — three-tier lifecycle model
+- `q3-standing-wave-falsification.md` — falsification: standing wave = Lance
+  versioning, not compute recurrence
+- `.claude/board/EPIPHANIES.md` E-DEINTERLACE-TWO-SCALES — the synthesis
+- `ndarray/src/simd_soa.rs` — `MultiLaneColumn` (layout-only; Arc-swap lives
+  in lance-graph, not here)
diff --git a/CLAUDE.md b/CLAUDE.md
index 6a2b3aacb..8afd3ab56 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,5 +1,27 @@
 # CLAUDE.md — lance-graph
 
+## P0 — AdaWorldAPI forks ONLY, NEVER crates.io upstream
+
+**Always depend on the AdaWorldAPI fork of any crate that has one. NEVER use the
+upstream crates.io version of a forked crate.** Non-negotiable; applies to every
+`Cargo.toml` and every dependency decision in this repo. Every repo in this
+workspace is local — prefer the local/fork source over the registry, always.
+
+- Crates with an `AdaWorldAPI/<name>` fork — e.g. `ndarray`, `lance` /
+  `lancedb` / `lance-index` / `lance-linalg` / `lance-namespace`, `surrealdb`,
+  and any other — MUST be wired via the fork (`path` / `git` / `[patch.crates-io]`),
+  never the registry version.
+- If a fork's coordinates (git URL, branch/tag, feature flag) are unknown,
+  **STOP and ask**. Do NOT fall back to crates.io as a convenience or to make a
+  build pass.
+- `"warning: Patch <crate> ... was not used in the crate graph"` is a policy
+  alert. It can indicate missing fork wiring OR a transitive semver mismatch
+  that prevents the patch from applying. Do not ignore it: verify direct
+  `Cargo.toml` patch entries and `Cargo.lock` wiring, then track/resolve any
+  transitive blocker explicitly before closing the issue.
+- crates.io is permitted ONLY for crates that have no AdaWorldAPI fork / no local
+  source.
+
 > **Updated**: 2026-04-21 (categorical-algebraic inference click)
 > **Role**: The obligatory spine — query engine, codec stack, semantic transformer, and orchestration contract
 > **Status**: 22 crates, 7 in workspace, 15 excluded (standalone/DTO), Phases 1-2 DONE, Phases 6-7 DONE (grammar + governance), Phase 3 IN PROGRESS
diff --git a/crates/lance-graph-contract/src/lib.rs b/crates/lance-graph-contract/src/lib.rs
index e2a7e2c71..3c4638829 100644
--- a/crates/lance-graph-contract/src/lib.rs
+++ b/crates/lance-graph-contract/src/lib.rs
@@ -93,6 +93,7 @@ pub mod scheduler;
 pub mod sensorium;
 pub mod sigma_propagation;
 pub mod sla;
+pub mod soa_envelope;
 pub mod soa_view;
 pub mod splat;
 pub mod tax;
diff --git a/crates/lance-graph-contract/src/soa_envelope.rs b/crates/lance-graph-contract/src/soa_envelope.rs
new file mode 100644
index 000000000..58f32a655
--- /dev/null
+++ b/crates/lance-graph-contract/src/soa_envelope.rs
@@ -0,0 +1,405 @@
+//! SoA envelope little-endian contract.
+//!
+//! # Why this module exists
+//!
+//! Column-level LE knowledge is not enough. ndarray's `MultiLaneColumn`
+//! (the column carrier) already decodes its own bytes little-endian, and
+//! `CausalEdge64` / `EpisodicEdges64` each know their own `to_le_bytes` /
+//! `from_le_bytes`. But the **SoA envelope as a whole** — the thing a Lance
+//! version snapshots, the thing `simd_soa` sweeps, the thing a future reader
+//! decodes — has no contract describing how those columns *assemble* into one
+//! row-strided packet. The parts know the LE contract; the envelope did not.
+//!
+//! [`SoaEnvelope`] is that missing contract. It makes the in-place SoA
+//! backing store **self-describing at each cycle**: a stable column ordering,
+//! a fixed row byte stride, a `cycle` version stamp, and a
+//! [`ENVELOPE_LAYOUT_VERSION`]. With it, a Lance version IS a coherent LE
+//! in-place layout at cycle N — not a loose collection of independently-
+//! correct columns. Nothing is serialized or transmitted; the backing bytes
+//! are resident in-place, zero-copy from creation to Lance tombstone.
+//!
+//! # Layering (read before adding an ndarray dependency here)
+//!
+//! This module is **zero-dep, byte-geometry only**. It describes *where*
+//! columns sit in the backing store's row stride and *what* LE element each
+//! holds — as data ([`ColumnDescriptor`]), never as ndarray generic bounds.
+//! That keeps `lance-graph-contract` featherweight for its non-HPC consumers
+//! (OGAR classes, ractor actors), and it keeps ndarray usable standalone by
+//! any pure-SIMD consumer.
+//!
+//! The split is deliberate and complementary, not duplicated:
+//!
+//! | Level | Home | Answers |
+//! |-------|------|---------|
+//! | Column LE contract | `ndarray::simd::MultiLaneColumn` | "how do I sweep one typed column" |
+//! | Envelope LE contract | this module | "where do columns sit in the row stride, what cycle is this" |
+//! | Composition | `lance-graph` (always has both deps) | carve envelope columns → wrap each in `MultiLaneColumn` |
+//!
+//! ndarray never learns the envelope exists; this crate never learns ndarray
+//! exists; `lance-graph` binds them.
+
+/// Layout version of the envelope byte geometry.
+///
+/// Bumped whenever the meaning of [`ColumnDescriptor`] offsets/strides
+/// changes. A reader MUST refuse to decode a packet whose stamped version it
+/// does not understand (per `I-LEGACY-API-FEATURE-GATED`: layout reclaim is
+/// paired with a version gate on the serialization path).
+pub const ENVELOPE_LAYOUT_VERSION: u8 = 1;
+
+/// The little-endian element type of one column.
+///
+/// Width only — no distance semantics, no domain meaning (cf. ndarray's
+/// no-umbrella rule). The actual decode (`from_le_bytes`) happens in the
+/// consumer's `MultiLaneColumn` lane iterator.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+#[repr(u8)]
+pub enum ColumnKind {
+    U8 = 0,
+    I8 = 1,
+    U16 = 2,
+    I16 = 3,
+    U32 = 4,
+    F32 = 5,
+    U64 = 6,
+    F64 = 7,
+}
+
+impl ColumnKind {
+    /// Bytes per element of this LE column kind.
+    pub const fn elem_bytes(self) -> usize {
+        match self {
+            ColumnKind::U8 | ColumnKind::I8 => 1,
+            ColumnKind::U16 | ColumnKind::I16 => 2,
+            ColumnKind::U32 | ColumnKind::F32 => 4,
+            ColumnKind::U64 | ColumnKind::F64 => 8,
+        }
+    }
+}
+
+/// One column's placement within a single row of the backing store.
+///
+/// `Copy` and `repr(C)` so a descriptor table is itself a stable LE artifact.
+/// `name_id` is a stable column ordinal (an enum discriminant on the consumer
+/// side), NOT a string — keeping this crate alloc-free and the descriptor
+/// `Copy`.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+#[repr(C)]
+pub struct ColumnDescriptor {
+    /// Stable column identity (consumer-side enum ordinal).
+    pub name_id: u16,
+    /// LE element kind.
+    pub kind: ColumnKind,
+    /// Elements of `kind` per row for this column (e.g. content = 256 × u64,
+    /// energy = 1 × f32).
+    pub elems_per_row: u16,
+    /// Byte offset of this column within one row packet.
+    pub row_offset: u32,
+}
+
+impl ColumnDescriptor {
+    /// Bytes this column occupies in one row.
+    pub const fn col_bytes_per_row(&self) -> usize {
+        self.kind.elem_bytes() * self.elems_per_row as usize
+    }
+
+    /// Byte range `[start, end)` of this column within a row packet.
+    pub const fn row_byte_range(&self) -> (usize, usize) {
+        let start = self.row_offset as usize;
+        (start, start + self.col_bytes_per_row())
+    }
+}
+
+/// What can go wrong validating an envelope's byte geometry.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum EnvelopeError {
+    /// The stamped layout version is not the one this build understands.
+    LayoutVersionMismatch { expected: u8, found: u8 },
+    /// Sum of column byte-widths does not equal the declared row stride.
+    StrideMismatch { declared: usize, summed: usize },
+    /// Two columns overlap, or a gap/ordering violation was found.
+    ColumnOverlap { col_a: u16, col_b: u16 },
+    /// A column's byte range ends past the declared row stride. Distinct from
+    /// [`StrideMismatch`]: the widths can sum to the stride while a column is
+    /// still positioned (via its `row_offset`) so its end exceeds the stride.
+    ColumnOutOfBounds { col: u16, col_end: usize, stride: usize },
+    /// `as_le_bytes().len()` is not `row_stride * n_rows` (backing store size mismatch).
+    PacketSizeMismatch { expected: usize, found: usize },
+    /// A requested row or column index is out of bounds.
+    OutOfBounds,
+}
+
+/// The little-endian geometry contract for one SoA envelope cycle.
+///
+/// Implemented by the owner of the in-place backing store (e.g. the mailbox
+/// SoA). The envelope is zero-copy from creation to Lance tombstone — nothing
+/// is serialized or transmitted; this trait describes *where columns sit* in
+/// the already-resident backing bytes and *what cycle stamp* the store carries.
+/// The read-only view here mirrors `MailboxSoaView` vs `MailboxSoaOwner`:
+/// mutation lives on the owner type, never on this trait.
+pub trait SoaEnvelope {
+    /// Layout version this implementor's geometry conforms to.
+    const LAYOUT_VERSION: u8 = ENVELOPE_LAYOUT_VERSION;
+
+    /// Stable, ordered column placement table. Ordering is part of the
+    /// contract: a reader walks columns in this order.
+    fn columns(&self) -> &[ColumnDescriptor];
+
+    /// Total bytes per row across all columns.
+    fn row_stride(&self) -> usize;
+
+    /// Number of rows in this snapshot.
+    fn n_rows(&self) -> usize;
+
+    /// The version stamp this snapshot carries (the cycle whose committed
+    /// state these bytes are). This is what turns a Lance version into a
+    /// coherent "packet at cycle N".
+    fn cycle(&self) -> u32;
+
+    /// The whole packet as contiguous LE bytes, zero-copy. Length MUST be
+    /// `row_stride() * n_rows()`.
+    fn as_le_bytes(&self) -> &[u8];
+
+    /// Zero-copy LE view of one full row.
+    fn row_le(&self, row: usize) -> Option<&[u8]> {
+        let stride = self.row_stride();
+        let start = row.checked_mul(stride)?;
+        let end = start.checked_add(stride)?;
+        self.as_le_bytes().get(start..end)
+    }
+
+    /// Zero-copy LE view of one column within one row.
+    fn column_le(&self, row: usize, col: &ColumnDescriptor) -> Option<&[u8]> {
+        let r = self.row_le(row)?;
+        let (start, end) = col.row_byte_range();
+        r.get(start..end)
+    }
+
+    /// Validate that the declared geometry is internally consistent and that
+    /// the backing packet matches. Call this at the Lance read boundary — a
+    /// v1 packet under a v2 reader (or a torn snapshot) is refused here rather
+    /// than silently mis-decoded downstream.
+    fn verify_layout(&self) -> Result<(), EnvelopeError> {
+        // 1. Version gate.
+        if Self::LAYOUT_VERSION != ENVELOPE_LAYOUT_VERSION {
+            return Err(EnvelopeError::LayoutVersionMismatch {
+                expected: ENVELOPE_LAYOUT_VERSION,
+                found: Self::LAYOUT_VERSION,
+            });
+        }
+        // 2. Columns are non-overlapping, each fits within [0, stride), and
+        //    their widths sum to the stride.
+        //    Checking only the width sum is insufficient: two columns whose
+        //    widths sum to the stride can still have one column whose end
+        //    offset exceeds the stride (e.g. offsets 4+8 with stride 8).
+        let cols = self.columns();
+        let mut summed = 0usize;
+        let stride = self.row_stride();
+        // `row_offset as usize + col_bytes` can wrap on 32-bit targets (wasm32):
+        // row_offset is u32 (≤ 4.29e9) and col_bytes can reach 8 × 65535, so the
+        // sum can exceed usize::MAX on a 32-bit usize and wrap to a small value
+        // that would slip past the `a_end > stride` check. Compute every end with
+        // checked_add and reject overflow as ColumnOutOfBounds.
+        let checked_end = |c: &ColumnDescriptor| -> Result<usize, EnvelopeError> {
+            (c.row_offset as usize)
+                .checked_add(c.col_bytes_per_row())
+                .ok_or(EnvelopeError::ColumnOutOfBounds {
+                    col: c.name_id,
+                    col_end: usize::MAX,
+                    stride,
+                })
+        };
+        for (i, a) in cols.iter().enumerate() {
+            let a_start = a.row_offset as usize;
+            let a_end = checked_end(a)?;
+            summed += a.col_bytes_per_row();
+            if a_end > stride {
+                return Err(EnvelopeError::ColumnOutOfBounds {
+                    col: a.name_id,
+                    col_end: a_end,
+                    stride,
+                });
+            }
+            for b in &cols[i + 1..] {
+                let b_start = b.row_offset as usize;
+                let b_end = checked_end(b)?;
+                let overlap = a_start < b_end && b_start < a_end;
+                if overlap {
+                    return Err(EnvelopeError::ColumnOverlap {
+                        col_a: a.name_id,
+                        col_b: b.name_id,
+                    });
+                }
+            }
+        }
+        if summed != stride {
+            return Err(EnvelopeError::StrideMismatch {
+                declared: stride,
+                summed,
+            });
+        }
+        // 3. Backing packet size matches stride × rows.
+        let expected = stride.saturating_mul(self.n_rows());
+        let found = self.as_le_bytes().len();
+        if expected != found {
+            return Err(EnvelopeError::PacketSizeMismatch { expected, found });
+        }
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    struct TestEnvelope {
+        cols: Vec<ColumnDescriptor>,
+        stride: usize,
+        rows: usize,
+        bytes: Vec<u8>,
+        cycle: u32,
+    }
+
+    impl SoaEnvelope for TestEnvelope {
+        fn columns(&self) -> &[ColumnDescriptor] {
+            &self.cols
+        }
+        fn row_stride(&self) -> usize {
+            self.stride
+        }
+        fn n_rows(&self) -> usize {
+            self.rows
+        }
+        fn cycle(&self) -> u32 {
+            self.cycle
+        }
+        fn as_le_bytes(&self) -> &[u8] {
+            &self.bytes
+        }
+    }
+
+    fn two_col_envelope(rows: usize) -> TestEnvelope {
+        // col 0: 1 × f32 (4 B) at offset 0
+        // col 1: 1 × u64 (8 B) at offset 4
+        let cols = vec![
+            ColumnDescriptor {
+                name_id: 0,
+                kind: ColumnKind::F32,
+                elems_per_row: 1,
+                row_offset: 0,
+            },
+            ColumnDescriptor {
+                name_id: 1,
+                kind: ColumnKind::U64,
+                elems_per_row: 1,
+                row_offset: 4,
+            },
+        ];
+        let stride = 12;
+        TestEnvelope {
+            cols,
+            stride,
+            rows,
+            bytes: vec![0u8; stride * rows],
+            cycle: 7,
+        }
+    }
+
+    #[test]
+    fn kind_widths() {
+        assert_eq!(ColumnKind::U8.elem_bytes(), 1);
+        assert_eq!(ColumnKind::F32.elem_bytes(), 4);
+        assert_eq!(ColumnKind::U64.elem_bytes(), 8);
+    }
+
+    #[test]
+    fn descriptor_byte_range() {
+        let d = ColumnDescriptor {
+            name_id: 0,
+            kind: ColumnKind::U64,
+            elems_per_row: 256,
+            row_offset: 16,
+        };
+        assert_eq!(d.col_bytes_per_row(), 256 * 8);
+        assert_eq!(d.row_byte_range(), (16, 16 + 256 * 8));
+    }
+
+    #[test]
+    fn valid_envelope_passes() {
+        let env = two_col_envelope(4);
+        assert_eq!(env.cycle(), 7);
+        assert!(env.verify_layout().is_ok());
+    }
+
+    #[test]
+    fn stride_mismatch_caught() {
+        let mut env = two_col_envelope(4);
+        env.stride = 16; // columns sum to 12, not 16
+        env.bytes = vec![0u8; 16 * 4];
+        assert_eq!(
+            env.verify_layout(),
+            Err(EnvelopeError::StrideMismatch {
+                declared: 16,
+                summed: 12,
+            })
+        );
+    }
+
+    #[test]
+    fn overlap_caught() {
+        let mut env = two_col_envelope(1);
+        env.cols[1].row_offset = 2; // u64 at 2 overlaps f32 at [0,4)
+        env.stride = 10;
+        env.bytes = vec![0u8; 10];
+        assert!(matches!(
+            env.verify_layout(),
+            Err(EnvelopeError::ColumnOverlap { .. })
+        ));
+    }
+
+    #[test]
+    fn column_past_stride_caught() {
+        // Two 4-byte columns at offsets 4 and 8 with stride 8.
+        // Width sum = 8 = stride, but column B's end (12) > stride (8).
+        let cols = vec![
+            ColumnDescriptor { name_id: 0, kind: ColumnKind::F32, elems_per_row: 1, row_offset: 4 },
+            ColumnDescriptor { name_id: 1, kind: ColumnKind::F32, elems_per_row: 1, row_offset: 8 },
+        ];
+        let env = TestEnvelope { cols, stride: 8, rows: 1, bytes: vec![0u8; 8], cycle: 0 };
+        assert!(matches!(
+            env.verify_layout(),
+            Err(EnvelopeError::ColumnOutOfBounds { col: 1, col_end: 12, stride: 8 })
+        ));
+    }
+
+    #[test]
+    fn packet_size_mismatch_caught() {
+        let mut env = two_col_envelope(4);
+        env.bytes.truncate(12 * 3); // one row short
+        assert_eq!(
+            env.verify_layout(),
+            Err(EnvelopeError::PacketSizeMismatch {
+                expected: 48,
+                found: 36,
+            })
+        );
+    }
+
+    #[test]
+    fn row_and_column_views_are_zero_copy_slices() {
+        let mut env = two_col_envelope(2);
+        // Write row 1, col 1 (u64) = 0x0102030405060708 LE.
+        let v: u64 = 0x0102_0304_0506_0708;
+        let row1_col1_start = 12 + 4;
+        env.bytes[row1_col1_start..row1_col1_start + 8].copy_from_slice(&v.to_le_bytes());
+
+        let row = env.row_le(1).unwrap();
+        assert_eq!(row.len(), 12);
+
+        let col = env.column_le(1, &env.cols[1]).unwrap();
+        assert_eq!(col.len(), 8);
+        assert_eq!(u64::from_le_bytes(col.try_into().unwrap()), v);
+
+        // Out of bounds.
+        assert!(env.row_le(2).is_none());
+    }
+}
diff --git a/crates/lance-graph-planner/src/cache/kv_bundle.rs b/crates/lance-graph-planner/src/cache/kv_bundle.rs
index 6b696ca7d..9ca013caa 100644
--- a/crates/lance-graph-planner/src/cache/kv_bundle.rs
+++ b/crates/lance-graph-planner/src/cache/kv_bundle.rs
@@ -26,6 +26,32 @@ pub fn bundle_into(source: &HeadPrint, target: &mut HeadPrint, weight_self: f32,
 }
 
 /// Unbundle: subtract out (XOR analog for i16).
+///
+/// # Correctness warning — this is NOT the inverse of [`bundle_into`]
+///
+/// [`bundle_into`] performs a **weighted average**: `(old * w_self + new * w_new) / total`.
+/// Subtraction is the inverse of XOR-bundle or simple add-bundle, NOT of weighted-average
+/// bundle. Calling this after `bundle_into` silently corrupts the gestalt: the gestalt
+/// drifts every epoch because the removed value is the rounded average representation,
+/// not the original addend. After ~100 epochs the corruption is measurable.
+///
+/// The correct approach for an updateable gestalt is one of:
+/// 1. **Re-accumulate**: on update, rebuild the gestalt from scratch by iterating all heads.
+/// 2. **Track raw sum + count**: store `sum: [i32; BASE_DIM]` and `count: u32` separately
+///    so exact subtraction is possible without rounding loss.
+/// 3. **Accept approximate unbundle only when weight_self = weight_new = 1.0**: then
+///    `bundle_into` reduces to `(old + new) / 2` and there is still no exact inverse.
+///
+/// Tracked as tech-debt in `.claude/board/TECH_DEBT.md` (unbundle_from correctness).
+///
+/// # Panics
+/// Never panics — wrapping arithmetic.
+#[deprecated(
+    since = "0.0.0",
+    note = "NOT the inverse of bundle_into (weighted-average). \
+            See function doc for the correct unbundle strategies. \
+            Tracked: .claude/board/TECH_DEBT.md — unbundle_from correctness."
+)]
 pub fn unbundle_from(source: &HeadPrint, target: &mut HeadPrint) {
     for d in 0..BASE_DIM {
         target.dims[d] = target.dims[d].wrapping_sub(source.dims[d]);
@@ -72,10 +98,16 @@ impl AttentionMatrix {
     }
 
     /// Set attention head and update gestalt.
+    ///
+    /// Note: the gestalt update uses the deprecated `unbundle_from` which is NOT the
+    /// exact inverse of `bundle_into` (weighted-average). The gestalt drifts slowly
+    /// over many epochs. FIXME: rebuild gestalt from scratch or switch to raw-sum
+    /// tracking — tracked in `.claude/board/TECH_DEBT.md`.
     pub fn set(&mut self, row: usize, col: usize, head: HeadPrint) {
         let idx = row * self.resolution + col;
-        // Unbundle old from gestalt
+        // Unbundle old from gestalt (approximate — see method doc).
         let old = self.heads[idx].clone();
+        #[allow(deprecated)]
         unbundle_from(&old, &mut self.gestalt);
         // Bundle new into gestalt
         bundle_into(&head, &mut self.gestalt, self.epoch as f32, 1.0);
@@ -129,8 +161,11 @@ mod tests {
             assert_eq!(target.dims[d], expected, "dim {d} mismatch");
         }
 
-        // Unbundle b from target: should shift back toward a
+        // Unbundle b from target: documents the approximate (not exact) behaviour.
+        // This test verifies the arithmetic, NOT that round-trip fidelity holds
+        // (it doesn't — unbundle_from is not the inverse of bundle_into).
         let before_unbundle = target.clone();
+        #[allow(deprecated)]
         unbundle_from(&b, &mut target);
         // After unbundle, each dim should be before - b
         for d in 0..BASE_DIM {
diff --git a/crates/lance-graph/src/nsm/nsm_word.rs b/crates/lance-graph/src/nsm/nsm_word.rs
index cebfd3d8a..f2642bac6 100644
--- a/crates/lance-graph/src/nsm/nsm_word.rs
+++ b/crates/lance-graph/src/nsm/nsm_word.rs
@@ -171,13 +171,16 @@ fn build_distance_matrix_from_cam(
         return WordDistanceMatrix::new(0);
     }
 
-    // Parse codebook: 6 subspaces x 256 centroids x subspace_dim floats
-    // We interpret codebook_bytes as f32 array
-    let codebook_floats: &[f32] = unsafe {
-        let ptr = codebook_bytes.as_ptr() as *const f32;
-        let len = codebook_bytes.len() / 4;
-        std::slice::from_raw_parts(ptr, len)
-    };
+    // Parse codebook: 6 subspaces x 256 centroids x subspace_dim floats.
+    // Decode the bytes as a little-endian f32 array. A `&[u8]` carries no
+    // alignment guarantee, so a `*const f32` reinterpret would be UB on an
+    // unaligned buffer (mmap'd file, sub-slice). `from_le_bytes` over 4-byte
+    // chunks is alignment-free and endian-correct (matches the workspace LE
+    // contract). The codebook is only read below, so owning a Vec is fine.
+    let codebook_floats: Vec<f32> = codebook_bytes
+        .chunks_exact(4)
+        .map(|c| f32::from_le_bytes([c[0], c[1], c[2], c[3]]))
+        .collect();
 
     // Determine subspace_dim: total_floats / (6 * 256)
     let total_floats = codebook_floats.len();
diff --git a/docs/architecture/soa-three-tier-model.md b/docs/architecture/soa-three-tier-model.md
new file mode 100644
index 000000000..875c3ca96
--- /dev/null
+++ b/docs/architecture/soa-three-tier-model.md
@@ -0,0 +1,322 @@
+# SoA Three-Tier Model — Mailbox Lifecycle, Kanban, and Ontology
+
+> **Branch:** `claude/stoic-turing-M0Eiq`
+> **Date:** 2026-06-06
+> **Authority:** Supersedes any prior baton/emission/CollapseGateEmission framing.
+
+---
+
+## The invariant
+
+**Every SoA envelope is zero-copy from creation to Lance tombstone.**
+
+**Target state:** there is no baton, no emission, and no inter-mailbox handoff
+type. No bytes leave the backing store until Lance's own columnar I/O writes
+them to disk — and even then the in-memory store is unchanged, not serialized
+and freed.
+
+**Current state:** legacy `MailboxSoA::emit()` and `CollapseGateEmission`
+artifacts still exist in source and are scheduled for removal (see Tier 1
+below). Treat them as migration-only; do not call or extend them.
+
+---
+
+## Tier 1 — MailboxSoA (primary, owned, zero-copy)
+
+The `MailboxSoA<const N>` is the single thought envelope. One mailbox owns one
+SoA. The columns (`energy [f32;N]`, `plasticity [u8;N]`, `last_active_cycle [u32;N]`,
+`edges [CausalEdge64;N]`, `qualia [QualiaI4_16D;N]`, `meta [MetaWord;N]`,
+`entity_type [u16;N]`) are allocated once at mailbox creation and released at
+Lance tombstone.
+
+```
+creation
+   │
+   ▼
+MailboxSoA<N>  (backing store in-place; column LE contract = MultiLaneColumn)
+   │              (envelope LE contract = SoaEnvelope trait)
+   │
+   ▼  Lance write on each version tick (LE bytes → columnar store)
+DatasetVersion(v)  →  DatasetVersion(v+1)  →  ...
+   │
+   ▼
+Lance soft-delete (tombstone)  ← sole lifecycle event that ends the store
+```
+
+**Access contract:**
+- `MailboxSoaView`: read-only, `&[T]` borrows, `edges_raw() -> &[u64]`
+- `MailboxSoaOwner`: `advance_phase(&mut self, to: KanbanPhase)` — sole mutator
+
+**Idempotency guard:** `last_active_cycle [u32;N]` marks the cycle a row was
+last written. It is a same-cycle guard, not a history column. (Rename from
+`last_emission_cycle` in source — the emission framing is wrong.)
+
+**`MailboxSoA::emit()` and `CollapseGateEmission` are legacy artifacts from a
+superseded design and are scheduled for removal.** Until that lands, treat them
+as migration-only and non-canonical. There is no intended inter-mailbox handoff
+type.
+
+---
+
+## Tier 2 — KanbanColumn / Rubicon lifecycle (sole secondary data)
+
+The only data that is *secondary* to the SoA backing store is the Kanban
+phase. This is triggered by the Lance writer, not by the SoA itself.
+
+```
+Lance writer  →  VersionScheduler::on_version(&view, at, exec)
+                         │  read-only &V: never mutates
+                         ▼
+                   Option<KanbanMove>  { mailbox, from→to, libet_offset_us }
+                         │  caller applies
+                         ▼
+              MailboxSoaOwner::advance_phase(to)  ← SOLE mutator
+
+KanbanPhase lifecycle (6 states):
+  Planning → CognitiveWork → Evaluation → Commit → Plan → Prune
+```
+
+Above the SoA mailboxes, ractor (`lance-graph-supervisor`, ractor 0.14,
+`supervisor` + `supervisor-lifecycle-audit` features) provides actor-level
+meta-orchestration. Each mailbox is a ractor actor. The single-owner invariant
+(no virtual ownership pointer needed) is enforced by Rust move semantics through
+ractor's message-passing model.
+
+The Kanban column is the only data outside the SoA backing store that reflects
+SoA lifecycle. There is no baton, no emission stream, no secondary truth column.
+
+---
+
+## Tier 3 — OGAR classes + OGIT ontology (inherited, O(1))
+
+The identity of a mailbox SoA resolves O(1) to its OGAR class and OGIT
+ontology schema. This is Tier 3 because it is *inherited*, not stored per-row.
+
+**Resolution chain:**
+
+```
+mailbox address  =  u32 mailbox_id  =  NiblePath  (MailboxId IS the NiblePath)
+        │
+        ▼  HHTL radix-trie prefix walk — the u32 itself is the trie key
+        │  NiblePath::is_ancestor_of:
+        │    (other.path >> (4*(other.depth-self.depth))) == self.path
+        │  = prefix ancestry = class ancestry (Confirmed)
+        ▼
+OGIT radix-trie codebook  (O(1) for known classes at compile time)
+        │
+        ├─ class identity string  ("ogit-op/WorkPackage")
+        ├─ schema (fields, assoc, enums, attributes)  — stored ONCE per class in OntologyRegistry
+        └─ label inheritance  (parent, mixins, STI)
+
+For new/runtime classes: JIT via lance-graph-planner (JITson / Cranelift)
+```
+
+**Thinking style is owned by the Kanban (Tier 2), not the class.** The class
+does not dispatch a thinking style — the Kanban column does. Thinking styles
+are an **O(1) lookup over an I4-32D address space** (32 nibbles × 4 bits =
+128 bits = 2^128 distinct style addresses). The Rubicon phase the Kanban
+assigns selects the style; the OGAR class supplies schema + tools, not the
+style. (`MappingRow.thinking_style` as a per-class field is therefore the wrong
+home — the style belongs to the Kanban lifecycle state, addressed O(1) in the
+I4-32D space, not stored per ontology class.)
+
+**MailboxId IS the NiblePath.** The `u32 mailbox_id` field in `MailboxSoA` is not
+a handle into a separate lookup — it IS the NiblePath key that the HHTL radix trie
+walks. No separate prefix field survives. This makes `entity_type: u16` in every
+SoA row entirely redundant: if the ontology resolves O(1) from the address, the
+per-row handle violates SoC and defeats radix-trie cheapness. **`entity_type: u16`
+removal from SoA rows is total** once O(1) lookup is the sole path. The current
+linear scan in `OntologyRegistry::enumerate_first_with_entity_type_id` is a defect
+— it should be an O(1) `Vec` index keyed by the 1-based ordinal, or removed entirely
+once the per-row handle is gone.
+
+**OGAR active record / DLL AST adapter:** OGAR classes get pragmatic mapping
+to inherited tools at compile time. These are cheap inherited registers, not
+per-instance data in the SoA. The `Adapter::map` static identity transform in
+OGAR + `KnowableFromStore` trait at the lance-graph boundary is the seam.
+
+**surrealdb / kv-lance:** OGAR's DLL AST → SurrealQL path (`ogar-adapter-surrealql`)
+requires surrealdb with the `kv-lance` feature. This is BLOCKED(C) — the
+`kv-lance` feature is only in the AdaWorldAPI surrealdb fork, coordinates
+(git URL, branch) unknown. `surreal_container/Cargo.toml` dep is commented
+out pending resolution. **Do not fall back to crates.io surrealdb.**
+
+---
+
+## What does NOT exist (and must not be invented)
+
+| Concept | Status |
+|---|---|
+| `CollapseGateEmission` as cross-mailbox carrier | **WRONG** — scheduled for removal |
+| `MailboxSoA::emit()` | **WRONG** — scheduled for removal |
+| "Baton" as inter-mailbox handoff | **WRONG** — superseded |
+| `wire_cost_bytes() = 13 + 10·baton_count` | **WRONG** — from CLAUDE.md E-BATON-1, now superseded |
+| `Vsa16kF32` as a cross-mailbox carrier | **WRONG** — deprecated, lives only as legacy `cycle` column in `BindSpace` |
+| Secondary data beyond KanbanColumn | **WRONG** — Kanban is the only secondary tier |
+| BindSpace as the envelope | **MIGRATION IN PROGRESS** — BindSpace is the global legacy; MailboxSoA is the target |
+
+---
+
+## Iron rules that fall out of this model
+
+1. `MailboxSoA` backing store is never copied, never serialized, never transmitted.
+   Lance writes LE bytes from it; the store itself stays in place.
+2. `VersionScheduler` is read-only (`&V`). It proposes; `MailboxSoaOwner` disposes.
+3. `MailboxSoA::emit()` and `CollapseGateEmission` are removed in the next
+   pass — they are not part of the correct design.
+4. ractor provides the single-owner invariant for mailbox actors — no virtual
+   ownership pointer is needed.
+5. Ontology resolution is O(1) HHTL prefix lookup for known classes. JITson
+   for new ones. The `entity_type: u16` per-row handle may be eliminated once
+   the O(1) lookup is the sole path.
+6. surrealdb requires the AdaWorldAPI fork with `kv-lance`. Never fall back to
+   crates.io. BLOCKED(C) until fork coordinates are provided.
+
+---
+
+## Register-file model — SoA as LE bytecode registers, OGAR class as instruction-set descriptor
+
+This is the load-bearing mental model. Read it before touching the SoA layout,
+the class hierarchy, or any codegen template.
+
+### SoA columns = LE registers
+
+The `MailboxSoA<N>` columns are CPU-style registers: fixed width, fixed byte
+offset, little-endian, indexed by position. There is no schema in the row.
+The row is a register bank.
+
+**Current / transitional layout** (target state removes `entity_type[N]` — see §3.2):
+
+```text
+  Byte offset   Width    Column               LE kind
+  ──────────    ─────    ──────               ───────
+  0             4·N      energy[N]            f32 × N
+  4N            N        plasticity[N]        u8  × N
+  5N            4·N      last_active_cycle[N] u32 × N
+  9N            8·N      edges[N]             u64 × N   (CausalEdge64 LE)
+  17N           N        qualia[N]            u8  × N   (QualiaI4_16D packed)
+  18N           2·N      meta[N]              u16 × N   (MetaWord LE)
+  20N           2·N      entity_type[N]       u16 × N   ← TRANSITIONAL: scheduled
+                                                          for removal once O(1)
+                                                          HHTL lookup is the sole path
+  22N           4        mailbox_id           u32
+  22N+4         4        current_cycle        u32
+  ...           ...      (scalars follow)
+```
+
+The `SoaEnvelope` trait is the register-file descriptor: it names each
+register's byte offset, width, and LE element kind — exactly what a CPU ABI
+document does. `ColumnDescriptor` is one register descriptor. `verify_layout()`
+is the ABI conformance check.
+
+`MultiLaneColumn` in ndarray is the load/store unit: it iterates the LE bytes
+of one typed register into SIMD lanes. Nothing above this level cares about
+byte order — it is resolved at the `from_le_bytes` boundary inside the lane
+iterator.
+
+### OGAR class = instruction-set descriptor + DTO store for active record
+
+The OGAR class does NOT live in the register. It describes what the register
+means. A class is:
+
+- **Label** — the OGIT identity string (`"ogit-op/WorkPackage"`), the
+  human-readable name, and the full label-inheritance chain up the HHTL trie.
+- **Schema** — the field set: which fields exist, what types they are, which
+  are required vs optional. Stored once per class in `OntologyRegistry`
+  (`MappingRow`); never duplicated into SoA rows.
+- **Tools** — the methods / adapters that operate on the register. These are
+  inherited from the class hierarchy (HHTL prefix ancestry = class ancestry).
+  A subclass inherits all parent tools without restating them. The default
+  mechanism is **compile-time Rust trait impls**: one `impl Tool for ClassFoo`
+  per class, monomorphized at build time from the HHTL inheritance chain.
+  Zero-cost — no vtable, no `dyn`, no runtime dispatch. "Cheap inherited
+  registers" in the architecture doc is literal: the trait impl IS the register,
+  and the compiler erases it to a direct call.
+
+  **Dispatch escape hatch.** Runtime dispatch is *not* the default and is not
+  baked into the substrate. If a class genuinely needs runtime dispatch, it adds
+  a **dispatcher class** as an escape hatch attached to a register — an opt-in,
+  per-class override. The base case stays monomorphized and zero-cost; only the
+  classes that ask for dispatch pay for it.
+- **Codegen templates** — Askama/Jinja `Class<Template>` views (see below).
+- **Active record** — the class instance wraps a slice of the register bank
+  and provides the domain API. Methods come from the class hierarchy; data
+  comes from the register slice. The active record is the class speaking about
+  one register bank row, not a separate struct.
+
+```
+  mailbox address  ──HHTL O(1)──►  OGAR Class
+                                       │
+                              ┌────────┼────────────┐
+                              ▼        ▼             ▼
+                           label    schema         tools
+                          (string) (fields)  (inherited methods)
+                              │        │             │
+                              └────────┼─────────────┘
+                                       ▼
+                             active record instance
+                          (class + register bank slice)
+                          no new fields; register IS the data
+```
+
+### Askama/Jinja codegen = masked selection from the class DTO — split by known vs JIT
+
+A `Class<Template>` is not a new type. It is a **masked selection** over the
+class DTO: the template declares which fields it reads, the codegen emits only
+those fields as strongly-typed Rust from the class schema, and the result is a
+zero-overhead view — one `select` mask over one class, compiled to a concrete
+struct by the Askama/Jinja template engine.
+
+**When does this codegen happen? Both — split by known vs JIT:**
+
+- **Known OGAR classes** (those in the codebook at compile time): `build.rs` /
+  proc-macro emits concrete Rust structs at build time. Zero runtime cost;
+  the compiler sees the full type.
+- **Runtime-discovered / new classes**: `JITson` path in `lance-graph-planner`
+  (Cranelift backend). The template is instantiated at first encounter and
+  compiled to native code. Same masked-selection semantics, deferred to first use.
+
+**The template engine is not the only codegen front-end.** The SurrealDB AST can
+resolve the same masked selection as **Elixir-syntax templates**, but it is
+compiled through the *same* runtime split — known classes compiled at build time,
+new classes via JIT Cranelift / JITson in `lance-graph-planner`. Askama/Jinja and
+the SurrealQL/Elixir-template path are two surface syntaxes over one codegen
+backend; both bottom out at the build-known vs JIT-new split, never at runtime
+interpretation.
+
+```
+  OGAR Class { field_a, field_b, field_c, tool_x, tool_y, template_T }
+                     │
+                     ▼  Class<TemplateFoo> mask = { field_a, tool_x }
+                     │
+              codegen (Askama/Jinja)
+                     │
+                     ▼
+  struct FooDto { field_a: TypeA }   // only selected fields
+  impl FooTool for FooDto { ... }    // only selected tools
+```
+
+The template is a compile-time projection. No runtime dispatch. No new
+inheritance hierarchy. The mask is the whole mechanism — the class already
+owns the full schema; the template carves the slice it needs.
+
+This makes every DTO in the system a **derived view of an OGAR class**, never
+an independent schema. A session that proposes a new DTO struct without a
+corresponding OGAR class entry is creating schema drift.
+
+### Why this is the correct mental model
+
+| CPU register file | SoA mailbox |
+|---|---|
+| Register bank | `MailboxSoA<N>` columns |
+| Register descriptor (ABI doc) | `SoaEnvelope` + `ColumnDescriptor` |
+| Load/store unit (MOV instruction) | `MultiLaneColumn` SIMD iterator |
+| Instruction-set definition | OGAR class (label + schema + tools) |
+| Subroutine calling convention | HHTL inheritance (prefix = class ancestry) |
+| Object code (compiled binary) | Askama/Jinja codegen from `Class<Template>` |
+| Active register state | register bank slice wrapped by active record |
+
+The SoA is dumb. It holds bytes. The class makes the bytes meaningful.
+The template makes the class usable without the full schema in scope.
+Nothing in the register knows about the class; nothing in the class knows
+about which register it describes at runtime — the address is the link.
diff --git a/docs/probes/particle-soa-envelope-audit.md b/docs/probes/particle-soa-envelope-audit.md
new file mode 100644
index 000000000..3379af1e3
--- /dev/null
+++ b/docs/probes/particle-soa-envelope-audit.md
@@ -0,0 +1,561 @@
+# Particle / SoA Envelope Audit — Does the Struct Geometry Measure What It Claims?
+
+> **Branch:** `claude/stoic-turing-M0Eiq`
+> **Date:** 2026-06-06
+> **Scope:** Current code only. No standing-wave, no emergent-cognition, no
+>   philosophy. No assumption of a global carrier, wave field, f32 carrier,
+>   singleton thought, or distributed truth ownership.
+> **Method:** Whole-file reads of the envelope, edge, reference, scheduler,
+>   bridge, and ontology surfaces in `lance-graph` + `OGAR`. Every claim is
+>   file-path grounded and tagged Confirmed / Inferred / Absent / Contradiction.
+
+**Intended model under test:**
+1. One mailbox-owned logical thought.
+2. One SoA envelope represents that thought.
+3. Identity from immutable semantic address space.
+4. Schema inheritance via `OGAR::classes::from(address)`.
+5. Lance versioning = self-through-time.
+6. `CausalEdge64` = compact local causal/NARS claim **payload**.
+7. References = explicit pointers, not copied truth.
+8. Pragmatics = local state in the envelope.
+9. AST adapter selection inherited from OGAR classes.
+10. The question: does the geometry measure what it claims?
+
+---
+
+## 1. File-path grounded findings
+
+### Phase 1 — Locate the actual thought envelope
+
+**There are TWO competing SoA envelopes in the tree. This is the single
+biggest structural finding.**
+
+| Envelope | File | Role | Status |
+|---|---|---|---|
+| `MailboxSoA<const N>` | `crates/cognitive-shader-driver/src/mailbox_soa.rs` | The **intended** per-mailbox thought envelope (one owner, N rows) | **Confirmed** — matches intended model |
+| `BindSpace` | `crates/cognitive-shader-driver/src/bindspace.rs` | The **older** global/process-wide SoA, still carrying the deprecated 65 KB/row `Vsa16kF32` `cycle` plane | **Contradiction** — co-exists with MailboxSoA, no migration seam |
+| `MailboxSoaView` / `MailboxSoaOwner` (traits) | `crates/lance-graph-contract/src/soa_view.rs` | The **canonical zero-copy read/write contract** the envelope is supposed to satisfy | **Confirmed** — clean abstraction |
+
+- `MailboxSoA<1024>` columns (`mailbox_soa.rs`): `energy [f32;N]`,
+  `plasticity_counter [u8;N]`, `last_emission_cycle [u32;N]`,
+  `edges [CausalEdge64;N]`, `qualia [QualiaI4_16D;N]`, `meta [MetaWord;N]`,
+  `entity_type [u16;N]`; scalars `mailbox_id`, `current_cycle`, `w_slot`,
+  `threshold`. **This is the particle envelope the intended model describes.**
+  ⚠ The source contains `emit(MailboxId) -> CollapseGateEmission` — this method
+  contradicts the zero-copy model (creation to Lance tombstone, no emission,
+  no baton). It is a code artifact to be removed, not the intended design.
+- `BindSpace` columns (`bindspace.rs`): `FingerprintColumns { content [u64×256],
+  cycle [f32×16_384], topic, angle, sigma }`, `EdgeColumn`, `QualiaI4Column`
+  (+ deprecated `QualiaColumn` f32×18), `MetaColumn`, `temporal`, `expert`,
+  `entity_type`, `ontology: Option<Arc<OntologyRegistry>>`. Per-row footprint
+  **71,713 bytes**, of which **65,536 bytes is the `cycle` `Vsa16kF32` plane**.
+- The `ShaderDriver` (`driver.rs`) holds **both**: `bindspace: Arc<BindSpace>`
+  **and** `mailboxes: HashMap<MailboxId, MailboxSoA<1024>>` (commented
+  "transitional per-mailbox routing (slice A2)"). The driver is mid-migration
+  from the global BindSpace to per-mailbox SoAs and **both surfaces are live**.
+
+**Phase 1 output:**
+
+| Tag | Finding |
+|---|---|
+| **Confirmed** | `MailboxSoA<N>` is the per-thought envelope; `soa_view.rs` traits are the canonical contract; identity scalar is `mailbox_id: MailboxId (u32)`. |
+| **Confirmed** | State for one thought is *intended* to be one `MailboxSoA`. |
+| **Inferred** | The driver's `mailboxes: HashMap` is the active routing path; BindSpace is legacy being drained. |
+| **Absent** | No single canonical envelope is *declared* as THE envelope — both compile, both are reachable. |
+| **Contradiction** | Two SoA representations co-exist (`BindSpace` global + `MailboxSoA` per-mailbox). The deprecated `Vsa16kF32` carrier is **not** absent — it is the live `cycle` column of `BindSpace` at 65 KB/row, contradicting "no f32 carrier." |
+
+---
+
+### Phase 2 — Identity audit
+
+**Identity = `mailbox_id: u32` (envelope identity) + `entity_type: u16`
+(class identity pointer). The intended `OGAR::classes::from(address)` reverse
+resolver does NOT exist in OGAR — its equivalent lives in lance-graph as a
+linear scan.**
+
+- Envelope identity: `MailboxSoA.mailbox_id: MailboxId` (`= u32`), the corpus
+  root handle. `WitnessEntry.mailbox_ref: u32` preserves *full* identity across
+  cohort rotation (wider than the 6-bit W-slot index — good design).
+- Class identity: `entity_type: u16` per row. `bindspace.rs:244` doc:
+  *"0 = untyped. Non-zero = 1-based index into Ontology.schemas."*
+- Resolution (`driver.rs:331-338`): `etid = entity_type[row]` → if 0 no context,
+  else `OntologyRegistry::enumerate_first_with_entity_type_id(etid)` →
+  `MappingRow.ontology_context_id()` → `MulThresholdProfile::for_context(ctx_id)`.
+- **The resolver is a linear `.find()` scan** (`lance-graph-ontology/src/registry.rs:327`)
+  over `SchemaPtr::entity_type_id()`, **not** an O(1) array index, despite the
+  "1-based index" doc wording. `entity_type_id` is packed in `SchemaPtr` bits 23..8.
+- OGAR side: only the **forward** builder exists —
+  `ogar_ontology::class_identity(prefix, class_name) -> String` (e.g.
+  `"ogit-op/WorkPackage"`). **No `classes::from(address)`, no `class_for`,
+  no reverse resolver** anywhere in OGAR crates. The address string *is* the
+  class key (Confirmed); the reverse map is delegated to lance-graph's
+  `NiblePath` router + `OntologyRegistry`.
+- Schema is stored **once per class** (`OntologyRegistry` `MappingRow`, idempotent
+  on checksum). **No schema is duplicated into SoA rows** — rows carry only the
+  `u16` pointer. (Confirmed — clean.)
+
+**Identity diagram:**
+
+```
+                       envelope identity                 class identity
+                       ────────────────                  ──────────────
+   MailboxSoA.mailbox_id : u32  ◄── owner key       entity_type[row] : u16   (0 = untyped)
+            │                                               │  1-based, dense in append order
+            │                                               ▼
+            │                              OntologyRegistry::enumerate_first_with_entity_type_id(u16)
+            │                                               │  ⚠ LINEAR SCAN, not O(1) index
+            │                                               ▼
+            │                                         MappingRow  (schema stored ONCE per class)
+            │                                          ├─ ontology_context_id()  → MulThresholdProfile
+            │                                          ├─ schema_ptr (SchemaPtr: ns|entity_type_id|marking)
+            │                                          └─ thinking_style: Option<ThinkingStyle>  ⚠ stored, UNUSED at dispatch
+            │
+            ▼
+   OGAR forward only:  class_identity(prefix, name) -> "ogit-op/WorkPackage"
+   OGAR reverse  (classes::from(address)) : ABSENT — lives in lance-graph as the scan above
+```
+
+| Tag | Finding |
+|---|---|
+| **Confirmed** | Schema meaning inherited (not duplicated); address string is the class key; schema stored once per class. |
+| **Confirmed** | Identity is two-level: `mailbox_id` (envelope) + `entity_type` (class). |
+| **Inferred** | "Immutable address space" holds as an *intended* downstream property (const prefixes, `@vN` append, VART append-only trie) — **not enforced in code**. |
+| **Absent** | `OGAR::classes::from(address)` reverse resolver. The intended inheritance call site does not exist as named. |
+| **Contradiction** | The realized resolver is a **linear scan keyed by `entity_type_id`**, while the doc claims "1-based index into schemas." Two different access models documented vs implemented. |
+
+---
+
+### Phase 3 — `CausalEdge64` audit
+
+**Two incompatible `CausalEdge64` types exist. The canonical one is a payload,
+but the v2 layout smuggles a *reference* (W-slot) into the payload word.**
+
+Canonical: `crates/causal-edge/src/edge.rs` — `struct CausalEdge64(pub u64)`,
+`Copy`, 8 bytes, no lifetime. v1 / v2 (feature `causal-edge-v2-layout`) layouts:
+
+| Bits | v1 field | v2 field | Class | Authoritative? |
+|---|---|---|---|---|
+| 0..7 | S palette index | S palette index | payload (SPO) | **authoritative** |
+| 8..15 | P palette index | P palette index | payload (SPO) | **authoritative** |
+| 16..23 | O palette index | O palette index | payload (SPO) | **authoritative** |
+| 24..31 | NARS frequency u8 | NARS frequency u8 | payload (truth) | **authoritative** |
+| 32..39 | NARS confidence u8 | NARS confidence u8 | payload (truth) | **authoritative** |
+| 40..42 | CausalMask (Pearl 2³) | CausalMask (Pearl 2³) | payload (causal) | **authoritative** |
+| 43..45 | direction triad | direction triad | payload (causal) | **authoritative** |
+| 46..48 / 46..49 | inference type (3-bit unsigned) | inference mantissa (4-bit **signed**) | payload (derived tag) | derived (enum) |
+| 49..51 / 50..52 | plasticity | plasticity | pragmatic (local) | **authoritative (local)** |
+| 52..63 | temporal (12-bit) | **RECLAIMED** | — | v1: payload; v2: gone |
+| 53..58 | — | **W-slot (6-bit witness ref)** | **REFERENCE** | reference (→ WitnessTable) |
+| 59..60 | — | truth-band TrustTexture | payload (derived) | derived |
+| 61..63 | — | spare | — | — |
+
+- **Thinking style is NOT a field of `CausalEdge64`.** Style lives in `MetaWord`
+  (`MetaColumn`) and is selected by qualia auto-detection / `UnifiedStyle`, not
+  carried on the edge. (Answers "which fields are thinking style": none.)
+- Local/incompatible duplicate: `crates/thinking-engine/src/layered.rs` —
+  a *different* `struct CausalEdge64(pub u64)` whose 8 bytes are **8 named
+  channels** (BECOMES/CAUSES/SUPPORTS/REFINES/GROUNDS/ABSTRACTS/RELATES/
+  CONTRADICTS), with `to_spo()/from_spo()` transcoders to the canonical type at
+  the L3 commit boundary. Same name, different geometry. (Contradiction.)
+
+**Field table verdict:**
+
+| Question | Answer |
+|---|---|
+| Which fields authoritative? | S, P, O, frequency, confidence, CausalMask, direction, plasticity (local). |
+| Which derived? | inference mantissa (enum tag), truth-band (from confidence). |
+| Acts as payload? | **Yes** — Confirmed. It is a compact local causal/NARS claim. |
+| Accidentally acts as identity? | **No** for v1. **Partially for v2** — the W-slot (bits 53-58) is a *reference index* into `WitnessTable`, mixing a pointer into the payload word. Not identity, but reference-in-payload. (Contradiction with "references should be explicit pointers, not packed into truth.") |
+
+---
+
+### Phase 4 — Reference audit
+
+**References are explicit `Copy` handles (good). `EpisodicWitness64` as a SoA
+*column* is absent (queued). Stale-copy risk is bounded; no circular ownership
+in the Rust sense.**
+
+- `EpisodicEdges64(pub u64)` (`lance-graph-contract/src/episodic_edges.rs`):
+  4 × 16-bit slots, each an `EdgeRef { family: u8 (nibble), local: u16 (1-based) }`.
+  MRU hot tier, slot 0 = strongest, slot 3 = eviction candidate. All `Copy`,
+  functional updates (`promote`, `push` return new words). **Explicit pointers,
+  not copied truth.** (Confirmed.)
+- `DemotionSink::demote(&mut self, EdgeRef)` — the only mutating receiver, the
+  seam to the cold connectome.
+- `WitnessTable<64>` + `WitnessEntry { mailbox_ref: u32, spo_fact_ref: Option<u64> }`
+  (`witness_table.rs`): resolves the v2 W-slot. `mailbox_ref` is the **full** u32
+  identity (not the 6-bit slot) → rotation-safe. `spo_fact_ref` is `None`
+  (ephemeral) or `Some` (crystallised AriGraph triple). `WitnessEntry` is `Copy`;
+  the table is `Clone`-only (1.5 KiB).
+- **`EpisodicWitness64` as a SoA column is ABSENT** — `soa_view.rs:75-95`
+  explicitly comments the episodic/witness column as *queued, not yet landed*.
+  The envelope does **not** yet carry the reference column the intended model
+  names.
+
+**Reference topology diagram:**
+
+```
+   MailboxSoA (owner of truth: edges[], energy[], qualia[], meta[])
+        │ owns
+        ▼
+   CausalEdge64  ──(v2 W-slot, 6-bit)──►  WitnessTable<64>
+        │                                      │ entry.mailbox_ref : u32   (REFERENCE, full id)
+        │                                      └ entry.spo_fact_ref: Option<u64> (REFERENCE → AriGraph triple, or None)
+        │
+   EpisodicEdges64 (hot MRU word)
+        └ slot[0..4] : EdgeRef{family,local}  (REFERENCE, explicit, Copy)
+                 │ evict slot 3
+                 ▼
+           DemotionSink (→ cold connectome, the only &mut receiver)
+```
+
+| Classification | Members |
+|---|---|
+| **owned truth** | `MailboxSoA` columns (`edges`, `energy`, `qualia`, `meta`, `plasticity`). The mailbox is sole owner. |
+| **reference** | `EdgeRef`, `EpisodicEdges64` slots, `CausalEdge64` v2 W-slot, `WitnessEntry.{mailbox_ref, spo_fact_ref}`. All explicit, all `Copy`. |
+| **copied state** | `WitnessEntry.mailbox_ref` is a *copy of a u32 id* (not the row) — cheap, rotation-safe; not stale because it's the canonical wide id, not a slot index. |
+| **derived state** | truth-band, inference enum from mantissa, `class_id` alias of `entity_type`. |
+
+| Tag | Finding |
+|---|---|
+| **Confirmed** | References are explicit `Copy` pointers, not copied truth. No circular ownership (all handles, no `Rc`-cycles; mailbox is single owner). |
+| **Inferred** | Stale-copy risk is bounded: the only copied identity is the *wide* `mailbox_ref`, which survives cohort rotation by design. The 6-bit W-slot *would* go stale on rotation, which is exactly why `WitnessTable` stores the full u32. |
+| **Absent** | `EpisodicWitness64` SoA column (queued in `soa_view.rs`). |
+| **Contradiction** | none for ownership; the only smell is the v2 W-slot reference packed into the `CausalEdge64` payload word (see Phase 3). |
+
+---
+
+### Phase 5 — Lance versioning audit
+
+**Self-through-time is via `DatasetVersion(u64)` + `VersionScheduler` →
+`KanbanMove`. History is NOT duplicated in rows. Clean, with one placeholder.**
+
+- `scheduler.rs`: `DatasetVersion(pub u64)`; trait
+  `VersionScheduler::on_version<V: MailboxSoaView>(&self, view: &V, at: DatasetVersion,
+  exec: ExecTarget) -> Option<KanbanMove>`. The scheduler takes `&V` (shared,
+  read-only) — **"propose, don't dispose": the scheduler never mutates; only
+  `MailboxSoaOwner::advance_phase` mutates.** (Confirmed — clean ownership split.)
+- `NextPhaseScheduler` advances the 6-phase Rubicon Kanban lifecycle on each
+  Lance version tick. Planning→CognitiveWork stamps `libet_offset_us = -550_000`.
+- Per-row time stamps in the envelope are `current_cycle: u32` and
+  `last_emission_cycle [u32;N]` — these are **same-cycle idempotency guards**,
+  not history. No previous-self snapshot is copied into rows.
+
+**Version lineage diagram:**
+
+```
+   Lance dataset tick:  DatasetVersion(v)  ── increments ──►  DatasetVersion(v+1)
+            │ on_version(&view, at, exec)
+            ▼
+   VersionScheduler (READ-ONLY &V)  ──proposes──►  KanbanMove { mailbox, from→to phase,
+            │                                                    witness_chain_position, libet_offset_us }
+            │ (caller applies)
+            ▼
+   MailboxSoaOwner::advance_phase(to)   ← SOLE mutator
+            │
+            ▼
+   self-through-time = the sequence of Lance versions of the SAME mailbox dataset
+   (previous-self is implicit in Lance history; NOT duplicated in rows)
+```
+
+| Classification | Verdict |
+|---|---|
+| **clean** | Previous-self is implicit via Lance versioning; no history duplicated in rows; read-only scheduler vs single mutating owner is a correct ownership split. |
+| **redundant** | none material. `current_cycle` + `last_emission_cycle` are guards, not history. |
+| **unclear** | `KanbanMove.witness_chain_position` is currently set to `view.current_cycle()` — a structural **placeholder** until the witness-arc column (A3) lands. |
+| **contradictory** | none. |
+
+---
+
+### Phase 6 — SPO rung audit
+
+**The 2³ rung is explicit as `CausalMask` (Pearl) bits 40-42 of `CausalEdge64`;
+SPO decomposition is explicit as three palette indices + the
+`markov_soa::SpoRanks` triple. Partial resolution is supported.**
+
+- SPO indices: `CausalEdge64` bits 0-23 = S/P/O palette indices (each 8-bit).
+- 2³ causal rung: `CausalMask` at bits 40-42 (Pearl's 2³ = 8 causal mask
+  states). Explicit, not derived. (Confirmed.)
+- Vocabulary-agnostic SPO: `markov_soa::SpoRanks { s: u16, p: u16, o: u16 }` —
+  three opaque ranks; distance injected as a closure (`Fn(u16,u16)->u8`), so
+  language (DeepNSM/COCA) stays upstream and never reaches into the rung.
+- Partial resolution: `markov_soa::SoaWavePrimer::project` folds a ±radius
+  window into a `WaveProjection` of `SpoRanks` with `best_guess_match` returning
+  a fuzzy score — i.e. partial / probabilistic SPO resolution is supported.
+
+**SPO rung table:**
+
+| Property | Status | Evidence |
+|---|---|---|
+| 2³ rung explicit? | **Yes (Confirmed)** | `CausalMask` bits 40-42, Pearl 2³ |
+| Derivable? | partly | direction triad (43-45) derivable from mask context |
+| Redundant? | **No** | SPO palette indices and `SpoRanks` serve different layers (edge payload vs Markov projector); not duplication |
+| Partial resolution? | **Yes (Confirmed)** | `SoaWavePrimer::project` → `best_guess_match` fuzzy score |
+
+---
+
+### Phase 7 — Little-endian contract audit
+
+**The SoA envelope is zero-copy in-place (creation → Lance tombstone). There is
+no baton, no emission, no serialization. The LE contract describes where columns
+sit in the in-place backing store, not a transmitted packet. Two fragmentation
+risks remain.**
+
+- The SoA is owned in-place by the mailbox. A Lance version IS the backing store
+  at cycle N — not a serialized snapshot, not a transmitted packet.
+  `CausalEdge64` and `EpisodicEdges64` both expose `to_le_bytes / from_le_bytes`
+  for Lance's columnar write path (Lance reads/writes LE bytes from/into the store).
+  These are Lance I/O seams, not cross-mailbox serialization. (Confirmed — correct design.)
+- p64-bridge (`p64-bridge/src/lib.rs`): `edges_to_layered_rows(&[CausalEdge64])
+  -> [[u64;64];8]`, `edge_to_block(&CausalEdge64) -> (usize,usize)`. **This is a
+  projection / derivation, not a layout-preserving transport.** It reads SPO +
+  mask bits and *computes* palette addresses; it does not round-trip the edge.
+  p64 derives a different geometry (palette planes) from the edge — one-way lens,
+  not a serializer. (Inferred — acceptable by design.)
+- SoA view reinterpret seam: `MailboxSoaView::edges_raw() -> &[u64]` (NOT
+  `&[CausalEdge64]`) — the contract crate stays zero-dep on `causal-edge` by
+  handing back raw `u64` that callers reconstruct via `CausalEdge64(raw)`. This
+  is a **hidden reinterpret**: correctness depends on every caller agreeing on
+  the v1-vs-v2 layout. Under the `causal-edge-v2-layout` feature, a caller that
+  reconstructs with v1 semantics silently mis-reads bits 46-63
+  (the exact `I-LEGACY-API-FEATURE-GATED` hazard).
+
+**Contract map:**
+
+```
+   ENVELOPE LE CONTRACT (in-place backing store)
+   ├─ CausalEdge64::{to,from}_le_bytes          (causal-edge crate, v1/v2 feature-gated — Lance I/O seam)
+   ├─ EpisodicEdges64::{to,from}_le_bytes        (matches CE64 convention)
+   │
+   FRAGMENTATION RISKS
+   ├─ ⚠ TWO CausalEdge64 layouts (causal-edge SPO-palette  vs  thinking-engine 8-channel)
+   │      bridged only by layered.rs::to_spo()/from_spo()  — name collision, lossy
+   └─ ⚠ soa_view::edges_raw() -> &[u64]  (reinterpret seam; v1/v2 layout agreement is implicit)
+
+   NOTE: CollapseGateEmission / "baton" DO NOT exist in the correct design.
+   MailboxSoA::emit() in source is a code artifact to be removed. Every SoA is
+   zero-copy from creation to tombstone; there is no cross-mailbox handoff type.
+```
+
+| Question | Answer |
+|---|---|
+| Single canonical LE contract? | **Yes** — CE64/EpisodicEdges64 byte methods are the Lance I/O seam. (Confirmed.) |
+| Hidden conversion? | **Yes** — `edges_raw() -> &[u64]` reinterpret; v1/v2 layout agreement is implicit (Contradiction risk). |
+| Serialization tax? | **None** — the backing store is in-place. Lance writes LE columns directly. p64 derives palette geometry, does not serialize. |
+| Contract fragmentation? | **Yes** — two `CausalEdge64` types is the principal fragmentation. |
+
+#### Phase 7 follow-up — the envelope must know the LE contract, not just the columns (RESOLVED 2026-06-06)
+
+The original Phase 7 finding ("single canonical LE contract: yes for the
+column byte methods") was **incomplete**. Column-level LE knowledge is
+necessary but not sufficient: `CausalEdge64`, `EpisodicEdges64`, and ndarray's
+`MultiLaneColumn` each decode their own bytes correctly, but the **SoA envelope
+as a whole** — what a Lance version snapshots and what `simd_soa` sweeps — had
+no contract describing how those columns *assemble* into one row-strided packet
+with a cycle stamp. The parts knew the LE contract; the envelope did not.
+
+**Resolution (shipped this branch):**
+
+- **Column LE contract = `ndarray::simd::MultiLaneColumn`** (`ndarray/src/simd_soa.rs`).
+  Already exists, already LE-correct per column (`iter_f32x16` / `iter_u64x8`
+  via `from_le_bytes`), already standalone — any pure-SIMD consumer uses it
+  with zero lance coupling. **No change needed.**
+- **Envelope LE contract = `lance_graph_contract::soa_envelope::SoaEnvelope`**
+  (new module, this commit). Zero-dep, byte-geometry only: `columns()`
+  (`ColumnDescriptor[]` — ordering + offset + LE `ColumnKind` + elems/row),
+  `row_stride()`, `cycle(): u32`, `LAYOUT_VERSION`, `as_le_bytes()`, plus
+  `row_le` / `column_le` zero-copy views and a `verify_layout()` gate (catches
+  stride mismatch, column overlap, backing-store size mismatch, and version
+  skew at the Lance read boundary — closing the `edges_raw() -> &[u64]`
+  implicit-agreement hazard). The envelope describes the in-place backing
+  store; nothing is packaged or transmitted.
+- **Composition = `lance-graph`** (the one crate that always has both deps):
+  carve each envelope column per its descriptor, wrap in `MultiLaneColumn`.
+
+**Why NOT a shared `simd-soa-contract` crate, and why NOT pull ndarray into
+the contract:** `lance-graph-contract` is consumed by OGAR classes and ractor
+actors precisely because it is zero-dep. ndarray is the heavy HPC foundation
+(BLAS L1/L2/L3, MKL/OpenBLAS FFI). Pulling ndarray into the contract would
+force that build onto every contract consumer AND force a pure-SIMD ndarray
+consumer to transitively pull a graph contract crate. The two-level split
+above keeps **both** crates clean: ndarray standalone for SIMD-only consumers,
+contract featherweight for class/actor consumers. The levels are complementary
+(column = "how to sweep one typed column"; envelope = "where columns sit in the
+backing store, what cycle"), never restated, and neither crate depends on the other.
+
+**Iron rule that falls out:** *ndarray owns the column contract; lance-graph
+owns the envelope contract; neither restates the other; lance-graph binds them.*
+
+---
+
+### Phase 8 — OGAR inheritance audit
+
+**OGAR is a vocabulary/IR producer. It mints class-identity strings and emits
+SPO triples; it owns NO runtime registry, NO reverse resolver, NO thinking
+style, and NO class-driven adapter dispatch. The coupling is one trait.**
+
+| Semantic | Source | Status |
+|---|---|---|
+| Class identity string (`prefix/Class`) | OGAR `ogar_ontology::class_identity` (forward only) | **Confirmed (from OGAR)** |
+| Schema (fields/assoc/enums/attributes) | OGAR `Class` IR (once per class) | **Confirmed (from OGAR)** |
+| Inheritance edges (`parent`, `mixins`, STI) | OGAR `Class.parent` / `Class.mixins` (representational; **resolution deferred to consumer**) | **Confirmed (representational only)** |
+| Class → version (`knowable_from`) | trait `KnowableFromStore` (OGAR declares; **lance-graph implements**) | **Confirmed (seam)** |
+| Reverse `classes::from(address)` | — | **Absent** |
+| AST adapter selection from class | OGAR `Adapter` trait exists but **no class-driven dispatch**; emitter takes no adapter | **Absent (manual)** |
+| Thinking style from class | docs-only refs; not on `Class`; stored on lance-graph `MappingRow` but **unused at dispatch** | **Absent (inheritance), stored-but-dead (lance side)** |
+| Pragmatics (energy, plasticity, qualia, cycle) | **local** to `MailboxSoA` | **Confirmed (local)** |
+
+**Inheritance map:**
+
+```
+   OGAR (producer, Lance-free)                         lance-graph (consumer/runtime)
+   ───────────────────────────                         ──────────────────────────────
+   class_identity(prefix,name) ──► "ogit-op/WorkPackage" ──► NiblePath router / OntologyRegistry key
+   Class { parent, mixins, attributes, ... } ──emit──► SPO Triples ──► triple loader
+   trait KnowableFromStore  ◄──implemented by──         OntologyRegistry / ClassRegistryWriter
+        register(id, ddl_hint)->u64                     enumerate_first_with_entity_type_id (scan)
+        knowable_from(id)->u64                           MappingRow.thinking_style (STORED, UNUSED)
+                                                         MulThresholdProfile::for_context (the ONLY
+                                                            thing entity_type actually drives today)
+   AST adapter:  Adapter::map (static identity xlate)   ── NO class→adapter dispatch wired ──
+   Pragmatics:                                          MailboxSoA.{energy,plasticity,qualia,meta}  (LOCAL)
+```
+
+---
+
+## 8. Redundancy list
+
+1. **Two SoA envelopes** — `BindSpace` (global, 65 KB/row `Vsa16kF32` cycle plane)
+   vs `MailboxSoA` (per-mailbox). The driver holds both. (highest priority)
+2. **Two `CausalEdge64` types** — `causal-edge` (SPO-palette) vs
+   `thinking-engine::layered` (8-channel). Same name, different geometry.
+3. **Deprecated `Vsa16kF32` cycle plane** still allocated in `BindSpace`
+   (65 KB/row) despite being scoped out as a cross-mailbox carrier.
+4. **`QualiaColumn` (f32×18, deprecated)** co-exists with `QualiaI4Column`
+   (canonical, 8 B/row).
+5. **`MappingRow.thinking_style`** is stored per class but never read on the
+   `entity_type` dispatch path — dead field.
+6. **`entity_type` resolution** is a linear scan despite a "1-based index" doc
+   contract — the index model is documented but not implemented.
+
+## 9. Circular ownership risks
+
+- **None in the Rust ownership sense.** All cross-structure links are `Copy`
+  handles (`EdgeRef`, W-slot index, `mailbox_ref`, `spo_fact_ref`), not `Rc`/`Arc`
+  cycles. The mailbox is the single owner of its truth columns.
+- **Dependency-cycle avoidance is correct:** planner ↔ shader-driver cycle is
+  broken by the closure seam in `convergence.rs::run_convergence(..., impl FnOnce(...))`;
+  AriGraph→planner cycle is broken via the p64 convergence point. (Confirmed.)
+- **Latent hazard, not a cycle:** the v2 W-slot reference lives *inside* the
+  `CausalEdge64` payload word, coupling payload and reference layers. If the
+  witness table is rebuilt out of step with the edges, the 6-bit index resolves
+  to a wrong (but valid) entry — silent, not a panic.
+
+## 10. Recommended minimal corrections
+
+Ordered by leverage, each is a *classification-respecting* minimal change — no
+theory-driven rename, no refactor beyond making ownership/reference/version/
+execution geometry explicit.
+
+1. **Pick one envelope. Declare it.** Mark `BindSpace` `#[deprecated]` with a
+   migration pointer to `MailboxSoA`, or invert: state in one doc-comment which
+   is canonical and gate the other behind a `legacy-bindspace` feature. Today
+   both compile and the driver holds both — the reader cannot tell which is the
+   particle. (Resolves redundancy 1, 3.)
+2. **Rename the local edge.** `thinking_engine::layered::CausalEdge64` →
+   `ChannelEdge64` (or similar). Keep `to_spo()/from_spo()`. The name collision
+   is the single biggest correctness trap in the LE contract. (Resolves
+   redundancy 2, contract fragmentation.)
+3. **Make `entity_type` resolution match its contract.** Either (a) change the
+   `OntologyRegistry` to a real O(1) `Vec` index keyed by the 1-based
+   `entity_type` (matching the doc), or (b) fix the doc to say "scan by
+   `entity_type_id`." Pick one; don't ship both stories. (Resolves redundancy 6.)
+4. **Decide the W-slot home.** If references must be explicit (intended model
+   #7), the v2 W-slot is a reference packed into payload. Either document it as a
+   deliberate exception with a version gate (it already has one), or move the
+   witness reference out of `CausalEdge64` into the (queued) `EpisodicWitness64`
+   SoA column. Land that column — `soa_view.rs` already reserves the slot.
+   (Resolves Phase 3/4 contradiction + Phase 4 Absent.)
+5. **Wire or delete the dead inheritance.** `MappingRow.thinking_style` is stored
+   per class but unused at dispatch. Either consume it in `driver.rs:331-339`
+   (true class→style inheritance, matching intended model #9/#4) or remove the
+   field. (Resolves redundancy 5; closes the "inheritance from OGAR class"
+   intended-vs-actual gap.)
+6. **Type the `edges_raw()` seam.** The `&[u64]` reinterpret in `soa_view.rs`
+   relies on implicit v1/v2 agreement. Add a `const EDGE_LAYOUT_VERSION: u8`
+   to the view trait and assert it at reconstruction, per
+   `I-LEGACY-API-FEATURE-GATED`. (Resolves Phase 7 hidden-conversion risk.)
+7. **Retire the deprecated qualia/cycle columns** once (1) lands —
+   `QualiaColumn` f32×18 and the `Vsa16kF32` cycle plane are pure footprint
+   (65.5 KB/row) on the legacy envelope. (Resolves redundancy 3, 4.)
+9. **Remove `MailboxSoA::emit()` and `CollapseGateEmission`.** The zero-copy
+   model (creation → Lance tombstone, no emission, no baton) means `emit()` and
+   the `CollapseGateEmission(u16 target, CausalEdge64)` type are code artifacts
+   from a superseded design. The KanbanColumn/`VersionScheduler`/ractor
+   orchestration is the only secondary path; there is no inter-mailbox handoff
+   type. Remove `emit()` from `MailboxSoA`, remove or gate `CollapseGateEmission`
+   behind `#[deprecated]`, and update `ShaderDriver` accordingly.
+10. **Demote the `ndarray-hpc` fallback wording in CLAUDE.md.** In practice
+   **no shipped consumer uses lance-graph without ndarray** — every consumer
+   uses both. The `ndarray-hpc` feature / `blasgraph/ndarray_bridge.rs`
+   fallback is a **CI-compile-check only** path, not a real deployment mode.
+   CLAUDE.md currently presents it as a parallel architecture ("Fallback
+   without ndarray ... for minimal builds / downstream consumers who don't need
+   HPC"), which is exactly what makes sessions re-derive the wrong dependency
+   boundary (e.g. "keep ndarray ignorant of the envelope to preserve the
+   fallback"). Reword to: *ndarray is mandatory for every shipped consumer; the
+   no-ndarray path is a CI compile gate, nothing ships on it.* This is the
+   load-bearing correction behind recommendation-set context for the SIMD_SOA
+   contract split (Phase 7 follow-up).
+
+---
+
+## Geometry verdict — per major field
+
+| Field / structure | Verdict | Rationale |
+|---|---|---|
+| `MailboxSoA.mailbox_id` | **KEEP** | Envelope identity, correct. |
+| `MailboxSoA.entity_type` | **KEEP (fix resolver)** | Correct as class pointer; resolver should match its O(1) doc. |
+| `MailboxSoA.energy / plasticity / last_emission_cycle` | **KEEP (rename)** | Local pragmatics, correctly owned. `last_emission_cycle` is a same-cycle idempotency guard; rename to `last_active_cycle` to remove the emission framing. |
+| `MailboxSoA.edges (CausalEdge64)` | **KEEP** | Payload, correctly owned by the mailbox. |
+| `MailboxSoA.qualia (QualiaI4_16D)` | **KEEP** | Canonical local pragmatic vector. |
+| `MailboxSoA.meta (MetaWord)` | **KEEP** | Thinking-style/awareness bits belong here, not on the edge. |
+| `CausalEdge64` S/P/O/freq/conf/mask | **KEEP** | Authoritative payload. |
+| `CausalEdge64` v2 W-slot | **REFERENCE ONLY** | Move to `EpisodicWitness64` column or gate as explicit exception. |
+| `CausalEdge64` truth-band / inference enum | **DERIVE** | Derivable from confidence / mantissa. |
+| `thinking_engine::layered::CausalEdge64` | **KEEP + RENAME** | Distinct concept; collision is the hazard. |
+| `BindSpace` (whole) | **MOVE TO LANCE / DEPRECATE** | Legacy global SoA; persist via Lance, drain into `MailboxSoA`. |
+| `BindSpace.cycle (Vsa16kF32)` | **REMOVE** | Deprecated carrier; 65 KB/row footprint. |
+| `QualiaColumn (f32×18)` | **REMOVE** | Superseded by `QualiaI4Column`. |
+| `entity_type → OntologyRegistry` schema | **MOVE TO OGAR** | Schema is OGAR's `Class` IR; lance should hold only the registry/version impl of `KnowableFromStore`. |
+| `MappingRow.thinking_style` | **UNCLEAR** | Wire it (inheritance) or remove it (dead). Decide. |
+| `DatasetVersion` + `VersionScheduler` | **KEEP** | Clean self-through-time; read-only propose vs single-owner dispose. |
+| `KanbanMove.witness_chain_position` | **UNCLEAR** | Placeholder (= current_cycle) until A3 witness-arc lands. |
+| `EpisodicEdges64 / EdgeRef` | **KEEP (REFERENCE ONLY)** | Correct explicit pointers. |
+| `WitnessTable / WitnessEntry` | **KEEP (REFERENCE ONLY)** | Wide `mailbox_ref` is rotation-safe by design. |
+| `EpisodicWitness64` SoA column | **LAND IT** | Currently Absent; reserved in `soa_view.rs`. |
+| `p64-bridge` projections | **KEEP (DERIVE)** | One-way lens CE64→palette; not a transport, document as such. |
+
+---
+
+## Bottom line
+
+**Does the struct geometry measure what it claims?**
+
+- **Payload, references, versioning, zero-copy lifecycle: YES.** `CausalEdge64`
+  is a clean payload, references are explicit `Copy` handles with no ownership
+  cycles, Lance versioning gives self-through-time without row-level history
+  duplication, the read-only-scheduler / single-owner-mutator split is correct,
+  and the SoA envelope is zero-copy in-place from creation to Lance tombstone
+  (no emission, no baton, no serialization).
+- **Identity, inheritance, single-envelope: NOT YET.** The intended
+  `OGAR::classes::from(address)` does not exist (forward-only in OGAR; a linear
+  scan in lance-graph); two SoA envelopes co-exist with a live deprecated f32
+  carrier; two `CausalEdge64` types share a name; and class→{thinking-style,
+  AST adapter} inheritance is either stored-but-dead or absent.
+
+The geometry is **load-bearing where it concerns one mailbox's owned payload and
+its versioned lifecycle**, and **under-specified where it concerns identity
+resolution and OGAR class inheritance**. The seven minimal corrections above
+close the gap without renaming on theory — they make ownership, reference,
+versioning, and execution geometry explicit, which is exactly the stated goal.
diff --git a/docs/probes/q3-standing-wave-falsification.md b/docs/probes/q3-standing-wave-falsification.md
new file mode 100644
index 000000000..d200a96f2
--- /dev/null
+++ b/docs/probes/q3-standing-wave-falsification.md
@@ -0,0 +1,285 @@
+# Q3 Probe — Standing-Wave Falsification
+
+> **Branch:** `claude/stoic-turing-M0Eiq`
+> **Date:** 2026-06-06
+> **Files read:** `crystal/fingerprint.rs`, `cognitive_shader.rs`, `collapse_gate.rs`,
+> `cycle_accumulator.rs`, `crystal/cycle.rs`, `recipe_kernels.rs`, `atoms.rs`,
+> `planner/src/cache/kv_bundle.rs`, `ndarray/src/hpc/vsa.rs`
+> **Method:** Read all VSA, braid, permutation, bundle, and cognitive-shader source in
+> lance-graph-contract + lance-graph-planner. Answer 7 questions with source citations.
+> No narrative — executable code only.
+
+---
+
+## Classification
+
+### **(B) Damped relaxation, with (D) graph propagation with wave vocabulary as the framing layer**
+
+There is no standing wave. The only state-evolution code that exists is either
+(i) a bounded geometric decay to a fixed point, or
+(ii) a running weighted-average accumulator with distance readout.
+The "wave / braid / Markov trajectory / standing field" vocabulary in CLAUDE.md is almost
+entirely doc-comment and architecture prose. The executable substrate is feed-forward
+bind/bundle/cosine plus saturating quantizers. Every loop has a hard iteration cap or runs
+once per input with no re-injection.
+
+---
+
+## 7-Question Answers (source-cited)
+
+### Q1 — What is the evolution operator?
+
+**There is no single VSA state → next-state operator in the contract or planner crates.**
+
+What exists:
+
+- **Feed-forward encode primitives** (`crystal/fingerprint.rs:367–505`):
+  `vsa_bind` / `vsa16k_bind` (elementwise multiply),
+  `vsa_bundle` / `vsa16k_bundle` (elementwise add),
+  `vsa_superpose` (weighted add),
+  `vsa_cosine` / `vsa16k_cosine` (normalized readout).
+  All pure functions `(state, state) → state`. None iterate. None feed back.
+
+- **The only accumulating "state machine"** is `AttentionMatrix::set` in
+  `planner/src/cache/kv_bundle.rs:75–84`:
+  `gestalt_{n+1} = (epoch·gestalt_n + head) / (epoch+1)` — a running mean,
+  updated only by external writes. Remove the writer; it is static.
+
+- **The "F descent"** — the advertised dispatch engine — is
+  `recipe_kernels.rs:255`: `while fe > NOISE_FLOOR && depth < 9 { fe *= 0.5 }`.
+
+Summary: **a pipeline of pure maps with saturating gates, not a recurrence.**
+
+---
+
+### Q2 — Linear, piecewise-linear, or nonlinear?
+
+All three coexist, segregated by stage:
+
+| Stage | Linearity | Source |
+|-------|-----------|--------|
+| `vsa16k_bundle` | **Linear** — elementwise `+=`, no normalization, grows unboundedly | `fingerprint.rs:479–487` |
+| `vsa16k_cosine` | **Nonlinear** — divides by `norm_a.sqrt()*norm_b.sqrt()`; `<1e-12 → 0.0` | `fingerprint.rs:490–505` |
+| `I4x32::pack` | **Nonlinear** — `clamp(-8, 7)` saturating quantizer | `atoms.rs:97, :153` |
+| `Vsa10kI8` | **Nonlinear** — `.clamp(-1.0, 1.0)` | `fingerprint.rs:244` |
+| `GateDecision` | **Piecewise-linear** — Flow/Block/Hold threshold | `collapse_gate.rs:59` |
+| F-threshold commit | **Piecewise-linear** — `if free_energy < 0.2 → Commit` | `recipe_kernels.rs:680` |
+| `fe *= 0.5` loop | **Nonlinear** (exponential) — the central "dynamic" | `recipe_kernels.rs:255–261` |
+
+---
+
+### Q3 — Which part is unitary/permutation-like (norm-preserving)?
+
+**`vsa_permute` does not exist on the real-valued (f32) VSA algebra path.**
+
+The cyclic bit rotation lives in `ndarray/src/hpc/vsa.rs:326–349`, operating on the
+**binary `VsaVector`** (`words: [u64]`, 16384 *bits*). It is a genuine cyclic permutation
+— `dst_bit = (src_bit + shift) % 16384` — norm-preserving in Hamming space, with a
+correct round-trip test at `vsa.rs:322–324`.
+
+The real-valued path (`vsa16k_bind` / `vsa16k_bundle` / `vsa16k_cosine` in
+`fingerprint.rs`) has **no permutation primitive**. `fingerprint.rs:163` and
+`fingerprint.rs:295` have doc-comments pointing at the ndarray binary primitive; the
+real-valued algebra never calls it.
+
+The `vsa_sequence` binary path (`vsa.rs:371–378`) permutes-by-index then bundles —
+but there is **no inverse-permute readout anywhere**: `vsa_clean` (`vsa.rs:394`) does a
+flat Hamming scan with no de-braiding. Position is written once and never decoded back.
+
+**The ρ^d braid is norm-preserving on the binary carrier it actually lives on.
+It is absent from the real-valued algebra path.**
+
+---
+
+### Q4 — Which part is dissipative?
+
+Five independent sinks:
+
+1. **Cosine normalization** (`fingerprint.rs:490–505`) — discards magnitude entirely.
+2. **Saturating quantization** — `I4x32::pack` `clamp(-8,7)` (`atoms.rs:97`);
+   `Vsa10kI8` `.clamp(-1.0,1.0)` (`fingerprint.rs:244`);
+   `structured_from_vsa10k` `.round().clamp(0,255)` (`fingerprint.rs:274`).
+3. **Threshold gates** — `vsa16k_to_binary16k_threshold` sign-collapse to 1 bit
+   (`fingerprint.rs:451`); `GateDecision::Block/Hold`.
+4. **α-saturation early termination** — `MergeMode::AlphaFrontToBack` documents
+   `α_acc += α_i*(1-α_acc); if α_acc > 0.99 break` (`collapse_gate.rs:36–46`).
+   The formula is doc-only; the enum variant carries no executed math.
+5. **The F-descent** — `fe *= 0.5` (`recipe_kernels.rs:259`) is a contraction map.
+   The system's central "dynamic" is literally exponential damping to zero, hard-capped
+   at 9 iterations.
+
+---
+
+### Q5 — Does a non-trivial field persist after input removal?
+
+**No. There is no closed feedback loop in executed code.**
+
+- `CycleCrystal` (`crystal/cycle.rs:10–18`) — a frozen data record (fields + getters),
+  no `step`/`evolve` method.
+- `CycleAccumulator` (`cycle_accumulator.rs`) — a `Vec<C>` batch buffer; `drain()`
+  empties it, no carry-over.
+- `CollapseGateEmission` (`collapse_gate.rs:177`) — a baton-list DTO. The bundle is
+  an ephemeral per-mailbox computation, never persisted or transmitted across boundaries
+  (CLAUDE.md E-BATON-1).
+- `gestalt` in `kv_bundle.rs` — persists across `set()` calls but is a running mean
+  updated by external writes only; remove the writer and it is static.
+- `global_context += fact → reshapes NEXT cycle` — prose in CLAUDE.md.
+  `grep global_context src/`: **zero hits** in executed source.
+
+---
+
+### Q6 — Is phase preserved, quantized, or merely implied?
+
+**Merely implied in the binary path; absent in the real-valued algebra path.**
+
+Real VSA phase-coding requires permute-at-encode AND permute-aware-unbind.
+In the binary path (`ndarray/vsa.rs:371–378`), `vsa_sequence` permutes-by-index then
+bundles. But there is no inverse-permute at readout — `vsa_clean` does a flat Hamming
+scan with no de-braiding. **Phase is written once and never distinguished at readout.**
+
+In the real-valued algebra path (`vsa16k_bind` / `vsa16k_bundle`), no permute is applied
+at any stage. Phase is structurally absent, not quantized.
+
+---
+
+### Q7 — Minimum test to falsify
+
+**This is the standing-wave falsification test. The system fails it as written.**
+
+```rust
+#[test]
+fn standing_wave_or_damped_relaxation() {
+    // Build initial state using the real-valued VSA algebra primitives
+    let role_key = vsa16k_role_key(RoleSlice::SUBJECT);  // fingerprint.rs
+    let content  = vsa16k_content_fp(b"hello");
+    let s0 = vsa16k_bind(&role_key, &content);
+
+    // Remove all external input. Attempt self-recurrence:
+    // s_{n+1} = normalize(vsa16k_bundle([s_n]))  -- the strongest possible recurrence
+    let mut s = s0.clone();
+    let mut energies = Vec::new();
+    for _ in 0..100 {
+        // vsa16k_bundle([s]) is identity (sum of one vector), so cosine stays 1.0.
+        // With normalization each step: s approaches unit-norm fixed point.
+        let norm: f32 = s.0.iter().map(|x| x*x).sum::<f32>().sqrt();
+        energies.push(norm);
+        s.0.iter_mut().for_each(|x| *x /= norm.max(1e-12)); // normalize
+    }
+
+    // Standing-wave criterion (would pass iff true wave):
+    //   norm stays bounded AND bounded-away-from-zero AND energy recirculates.
+    // Actual result: norm monotonically → 1.0 (fixed point), never oscillates.
+    // That is damped relaxation, not a standing wave.
+
+    let last = *energies.last().unwrap();
+    // Should oscillate if wave; instead it's a fixed point:
+    assert!((last - 1.0_f32).abs() < 0.01, "fixed point, not wave: norm = {last}");
+
+    // What would prove a standing wave: a norm-preserving rotation applied each step
+    // so s_{n+1} = permute(normalize(s_n)) would produce a periodic orbit.
+    // No such rotation exists on the real-valued algebra path. That is the gap.
+}
+```
+
+**What would falsify the (B) verdict:** A function `f(s) -> s` that (a) applies a
+norm-preserving rotation on the real-valued algebra, and (b) is iterated without a hard
+depth cap and without per-step external input, producing bounded non-zero energy at n=∞.
+No such `f` exists in the codebase.
+
+---
+
+## Load-Bearing Stones vs Cathedral Fog
+
+### Stones (correct and confirmed):
+
+| Claim | Status | Source |
+|-------|--------|--------|
+| Binary `vsa_permute` is norm-preserving cyclic rotation | ✅ Correct | `ndarray/vsa.rs:326–349` |
+| Role-key orthogonality via disjoint slices | ✅ Correct-by-construction | `vsa/roles.rs`, `grammar/role_keys.rs` |
+| Baton carries `(u16 target, CausalEdge64)` across mailbox boundaries | ⚠️ Superseded | `collapse_gate.rs:177` — the write-side push carrier (baton) existed; but per `soa-three-tier-model.md` §target-state (2026-06-07) it is scheduled for removal. The SoA snapshot (read-side pull) replaces the inter-mailbox handoff. Marking ✅ here conflicts with the arch doc; this entry is a correction note, not a reversal of the probe finding. |
+| CAM-PQ codec is separate from VSA (I-VSA-IDENTITIES) | ✅ Correct | enforced architecturally |
+| `vsa16k_bind` = elementwise multiply (Hadamard product) | ✅ Correct | `fingerprint.rs:468` |
+| `vsa16k_bundle` = elementwise sum, no normalization | ✅ Correct | `fingerprint.rs:479` |
+
+### Fog (vocabulary in prose, absent in executable code):
+
+| Claim | Status | Gap |
+|-------|--------|-----|
+| ρ^d braiding on real-valued algebra path | ❌ Missing | `vsa_permute` exists only on binary carrier (`ndarray/vsa.rs`) |
+| Phase decode / unbind recovers position | ❌ Missing | No inverse-permute at readout |
+| `global_context += fact` reshapes next cycle | ❌ Missing | `grep global_context`: 0 hits in src |
+| "Shader can't resist thinking" active-inference loop | ❌ Not a loop | `fe *= 0.5`, depth < 9, then stops |
+| Standing-wave / self-sustaining field | ❌ Not present | No feedback loop in executed code |
+
+---
+
+## Latent Bug (separate from the wave question)
+
+`unbundle_from` in `kv_bundle.rs:29–33` uses `wrapping_sub` on i16:
+
+```rust
+pub fn unbundle_from(&mut self, head: &HeadPrint) {
+    for (g, h) in self.gestalt.iter_mut().zip(head.0.iter()) {
+        *g = g.wrapping_sub(*h);  // NOT the inverse of weighted-average bundle
+    }
+}
+```
+
+`bundle_into` divides by total weight (a weighted average). `unbundle_from` does raw
+subtraction. **These are not inverses.** After a few epochs, `gestalt.unbundle_from()`
+produces a vector that has no predictable relationship to what was bundled.
+Additionally, `wrapping_sub` silently flips sign on overflow.
+This is a real bug independent of the wave question.
+
+---
+
+## Structural correction — why the standing-wave question is the wrong question
+
+**The probe asked whether a standing wave exists in the dynamic execution path.
+The answer is no — but the more important answer is: it doesn't need to.**
+
+Self-through-time is already provided by the LanceDB table, not by any recurrence
+in the compute path. Each committed state is a Lance version of the mailbox dataset.
+Querying a prior self is a **90° lookup**: the prior version's row is orthogonal to
+the current cycle's write — it is a read against a version tag, not a traversal
+of a recurrence orbit. That lookup is O(1) by LanceDB's versioned columnar geometry,
+not a sweep, not a recurrence, not a dynamic system at all.
+
+The standing-wave framing incorrectly assumed that temporal persistence had to be
+implemented as a recurrence within the compute graph. It does not. Lance provides it
+structurally:
+
+```text
+current compute (per-mailbox, feed-forward, ephemeral)
+         │ commit
+         ▼
+Lance version N     ← O(1) read of any prior version by version tag
+Lance version N+1   ← current write target
+         │ 90° lookup (orthogonal to current cycle's write direction)
+         ▼
+prior self = Lance version k, k < N   — not a recurrence, a table read
+```
+
+The consequence: **do not implement a standing wave**. The question was vacuous
+because the persistence it was meant to provide is already in the storage geometry.
+Any recurrence mechanism would be a redundant, expensive reimplementation of
+Lance versioning in the compute path.
+
+---
+
+## Prescription
+
+The feed-forward bind/bundle/cosine + threshold pipeline is:
+- Correct
+- Well-tested
+- Delivers real value (VSA encoding, role-indexed readout, SPO triple commit)
+
+The binary permutation in ndarray (`vsa_permute`, `vsa_sequence`) is norm-preserving
+and correctly wired for position-sensitive bundling on the binary carrier. It needs
+an inverse-permute at readout to be fully useful — that is the one real gap.
+
+**The honest architecture description:** a per-mailbox feed-forward VSA encode/readout
+pipeline with threshold-gated commit, baton-based causal handoff between mailboxes,
+and self-through-time provided by Lance versioning (O(1) versioned column read, not
+a recurrence). The standing-wave framing adds nothing to this and should not be
+implemented.
diff --git a/docs/probes/q4-hhtl-audit.md b/docs/probes/q4-hhtl-audit.md
new file mode 100644
index 000000000..2dd84761d
--- /dev/null
+++ b/docs/probes/q4-hhtl-audit.md
@@ -0,0 +1,250 @@
+# Q4 Probe — HHTL Audit: Address Algebra vs Accretion
+
+> **Branch:** `claude/stoic-turing-M0Eiq`
+> **Date:** 2026-06-06
+> **Files audited:** `crates/lance-graph-contract/src/hhtl.rs` (19 KB, ~470 lines),
+> `crates/lance-graph-contract/src/high_heel.rs` (42 KB, ~900 lines)
+> **Method:** Read both files completely. Classify every struct/enum/function
+> into exactly one of five categories. No narrative — code citations.
+
+---
+
+## Headline finding
+
+**The address algebra lives almost entirely in `hhtl.rs`. `high_heel.rs` contains
+essentially zero address algebra.**
+
+The two files share the "HHTL" brand but are different concepts.
+`hhtl.rs` is a clean nibble-addressed prefix tree. `high_heel.rs` is a binary container
+format + an online metric clustering accumulator + a lens-calibration subsystem.
+They communicate in module docs, not in code.
+
+---
+
+## Formal definition of an HHTL address (what the code actually says)
+
+**`hhtl.rs` — the real address: `NiblePath { path: u64, depth: u8 }`**
+
+- Fan-out: 16 (`FAN_OUT = 16`). One nibble (4 bits) per level, root-first.
+- Max depth: 16 (`MAX_DEPTH = 16`). Max 16 nibbles = 64 bits.
+- **Truncation is explicit and exact:**
+  - `parent()` → `path >> 4, depth - 1`
+  - `child(n)` → `(path << 4) | n, depth + 1`
+  - These are literal inverses. No ambiguity.
+- **Containment is a single prefix kernel** — `is_ancestor_of` shifts `other.path`
+  right by `4 * (other.depth - self.depth)` nibbles and compares. One function,
+  called by all relation operations. No ad-hoc re-implementation anywhere.
+
+**`high_heel.rs` — NOT an address.**
+
+`Heel::dn_address: u64` is an opaque identity key. It is never truncated,
+never prefix-compared, never tested for containment. The field name contains
+"address" but the semantics are identity, not addressing. The module doc
+claims "HHTL cascade mapping (HEEL=scent / HIP=palette / TWIG=SpoBase17 / LEAF=full
+planes)" — this is a layout legend in a comment. **No code routes by prefix.**
+
+---
+
+## Classification table
+
+### `hhtl.rs` (~470 lines incl. tests)
+
+| Symbol | Category |
+|--------|----------|
+| `NiblePath { path, depth }` | **1 — Address algebra** |
+| `FAN_OUT = 16`, `MAX_DEPTH = 16`, `EMPTY` | **1 — Address algebra** (the axioms) |
+| `root()`, `child(n)`, `try_child(n)`, `parent()` | **1 — Address algebra** (extension / truncation) |
+| `basin()`, `leaf()`, `depth()`, `packed()` | **1 — Address algebra** (prefix readout) |
+| `is_ancestor_of` | **1 — Address algebra** (the containment kernel — see §6 below) |
+| `is_descendant_of` | **3 — Topology consequence** (`other.is_ancestor_of(self)` delegation) |
+| `is_sibling_of` | **3 — Topology consequence** (same parent, different child) |
+| `common_ancestor` | **3 — Topology consequence** (LCA via depth alignment) |
+| `is_full` | **2 — LOD consequence** (depth == MAX\_DEPTH = u64 capacity limit) |
+| `FieldMask` usage in test impls | **3 — Topology consequence** |
+
+### `high_heel.rs` (~900 lines incl. tests)
+
+| Symbol | Category |
+|--------|----------|
+| `CONTAINER_WORDS/BYTES`, `HEEL_WORDS`, `MAX_EDGES` | **5 — Unrelated utility** (container layout constants) |
+| `SpoBase17` + `l1_distance`, `l1_subject`, `scent()` | **5 — Unrelated utility** (distance metrics on i16 planes) |
+| `Heel { dn_address, frequency, confidence, scent, plasticity, temporal }` | **5 — Unrelated utility** (NARS bitfield packing) |
+| `pack_truth_meta`, `unpack_truth_meta` | **5 — Unrelated utility** (NARS bit serialization) |
+| `HighHeelBGZ { buf: [u64; CONTAINER_WORDS] }` | **5 — Unrelated utility** (wire container) |
+| `HighHeelBGZ::new`, `add_edge`, `edge_count`, `wire_size` | **5 — Unrelated utility** |
+| `pack`/`unpack`, `spo_to_bytes`/`bytes_to_spo` | **5 — Unrelated utility** (serialization) |
+| `is_crystallized` | **4 — Special-case accretion** (NARS confidence threshold state machine) |
+| `revise_truth` | **4 — Special-case accretion** (4-branch plasticity threshold magic numbers) |
+| `BasinAccumulator`, `ingest`, `calibrate`, `stats` | **4 — Special-case accretion** (online metric clustering + EMA centroid) |
+| `BasinStats` | **5 — Unrelated utility** (monitoring DTO) |
+| `EncodingPath`, `LensProfile`, `LensProfile::build` | **5 — Unrelated utility / should move out** (encoding calibration — zero addressing) |
+| `LensConfig`, `LensFamily`, `TokenizerFamily`, `LENS_REGISTRY` | **5 — Unrelated utility / should move out** (hardcoded model registry) |
+| experiment / test harness | test infrastructure |
+
+---
+
+## LOC estimate per category (both files combined, ~1370 lines)
+
+| Category | LOC | Where |
+|----------|-----|-------|
+| **1 — Address algebra** | ~110 | `hhtl.rs` only |
+| **2 — LOD consequence** | ~8 | `hhtl.rs` only |
+| **3 — Topology consequence** | ~70 | `hhtl.rs` only |
+| **4 — Special-case accretion** | ~170 | `high_heel.rs` only |
+| **5 — Unrelated utility / move out** | ~620 | `high_heel.rs` only |
+| tests / experiments | ~390 | both |
+
+**Address algebra + direct consequences: ~190 LOC, ~14% of total.
+All 14% lives in `hhtl.rs`. `high_heel.rs` is 0% address algebra.**
+
+---
+
+## Verdict: Is HHTL fundamentally addressing?
+
+**Partial — and split along file lines.**
+
+`hhtl.rs` **is** fundamentally addressing. Every interesting behavior derives from two
+axioms: `child = (path << 4) | n` and prefix-compare via right-shift.
+`is_ancestor_of`, `is_descendant_of`, `is_sibling_of`, `common_ancestor`, `is_full`,
+`parent` — all follow. No special cases. Claim vindicated *here*.
+
+`high_heel.rs` is **not** addressing. Belonging is decided by `l1_distance < threshold`
+(metric clustering), not prefix containment. "HHTL" in this file is a branding label,
+not a shared abstraction. The file has become a bucket: three independent subsystems
+(wire container, basin clustering, lens calibration) filed under one name.
+
+---
+
+## The kernel that proves the concept
+
+`NiblePath::is_ancestor_of` in `hhtl.rs`:
+
+```rust
+pub const fn is_ancestor_of(self, other: Self) -> bool {
+    if self.depth == 0 || self.depth > other.depth {
+        false
+    } else {
+        (other.path >> (4 * (other.depth as u32 - self.depth as u32))) == self.path
+    }
+}
+```
+
+Four lines. Const, O(1). Every other relation reduces to it. This single function proves
+"HHTL is addressing" — truncate `other` to `self`'s depth by shifting off trailing
+nibbles, compare prefix. This is the load-bearing stone.
+
+---
+
+## Three most egregious accretions in `high_heel.rs`
+
+### A1 — `LensProfile` / `LensConfig` / `LENS_REGISTRY` (~290 LOC)
+
+Encoding-distortion profiling with hardcoded `cos_range`, `gamma_offset`,
+`TokenizerFamily` (jina-v3/bge-m3/reranker-v3), model-specific lens configs.
+**Zero addressing, zero clustering, zero container relationship** to the rest of the file.
+It is a transplanted calibration module.
+
+**Action:** Extract to `lens_profile.rs`. Long-term: move out of `lance-graph-contract`
+entirely (the zero-deps invariant is not violated by its presence, but it has no business
+in the contract surface — it is an encoding implementation detail).
+
+### A2 — `BasinAccumulator::calibrate` + EMA centroid drift (~120 LOC combined)
+
+Online metric clustering with exponential-moving-average centroid updates and
+pairwise-distance percentile auto-threshold. Sophisticated but entirely metric,
+not derivable from any prefix axiom.
+
+**Additional smell:** The test prints its own clustering failure:
+`eprintln!("Low merge ratio … threshold may be too tight")`. The file ships
+embedded evidence that the algorithm does not work well.
+
+**Action:** Extract to `basin_accumulator.rs` or a dedicated clustering module.
+
+### A3 — `revise_truth` plasticity state machine
+
+```rust
+let new_plasticity = if merged_c > 0.8 { 0 } else if merged_c > 0.6 { 1 }
+                     else if merged_c > 0.3 { 2 } else { 3 };
+```
+
+Four branches, three magic-number thresholds, zero citation. Not derivable from
+address structure. Per `I-LEGACY-API-FEATURE-GATED`: magic thresholds must say
+"hand-tuned" and cite the calibration experiment. These don't.
+
+**Action:** Extract to a `nars_truth` helper or document thresholds with rationale.
+
+---
+
+## The dead cascade
+
+**`scent()` — the advertised 95%-rejection HEEL pre-filter — is dead code in the merge path.**
+
+`scent()` is computed on `SpoBase17` and tested in isolation. `BasinAccumulator::ingest`
+does a flat linear scan over all basins computing full `l1_distance` and never calls
+`scent()` as a pre-filter. The headline "cascade" performance claim has no implementation.
+
+If the pre-filter were wired: `ingest` would call `candidate.scent().is_compatible(new.scent())`
+first, reject mismatches without computing `l1_distance`, and achieve O(k) instead of O(n)
+where k << n is the scent-compatible subset. Currently it's O(n) flat scan. To fix:
+
+```rust
+// In BasinAccumulator::ingest — proposed, not yet implemented:
+for basin in &mut self.basins {
+    if !basin.scent.is_compatible(candidate.scent) { continue; }  // HEEL gate
+    if basin.centroid.l1_distance(&candidate) < self.threshold {   // HIP merge
+        // merge
+    }
+}
+```
+
+---
+
+## Refactor prescription
+
+1. **Keep `hhtl.rs` as-is.** It is clean, minimal, provably correct. Do not merge it into anything.
+2. **Split `high_heel.rs` into three files:**
+   - `high_heel_container.rs` — `HighHeelBGZ`, `Heel`, `SpoBase17`, pack/unpack (~200 LOC)
+   - `basin_accumulator.rs` — `BasinAccumulator`, `BasinStats`, calibrate (~170 LOC)
+   - `lens_profile.rs` — `LensProfile`, `LensConfig`, `LensFamily`, `TokenizerFamily`, `LENS_REGISTRY` (~290 LOC). **Move out of contract surface eventually.**
+3. **Wire `scent()` into `BasinAccumulator::ingest`** or delete the pre-filter claim from all docs.
+4. **Cite or remove the plasticity thresholds** in `revise_truth`.
+
+---
+
+## Proposed test that proves the kernel is correct
+
+```rust
+#[test]
+fn prefix_kernel_completeness() {
+    // Every relation must reduce to is_ancestor_of or the shift idiom.
+    let root = NiblePath::root();
+    let a = root.child(3).child(7);
+    let b = root.child(3).child(7).child(2);
+    let c = root.child(3).child(9);
+
+    // Containment
+    assert!(a.is_ancestor_of(b));
+    assert!(!b.is_ancestor_of(a));
+    assert!(!a.is_ancestor_of(c)); // different last nibble at depth 2
+
+    // Topology consequences follow
+    assert!(b.is_descendant_of(a));
+    assert!(a.is_sibling_of(c));   // same parent (root.child(3)), different child
+    assert_eq!(a.common_ancestor(c), root.child(3));
+
+    // LOD consequence
+    assert!(!a.is_full()); // depth 2 < MAX_DEPTH
+    let full = (0..NiblePath::MAX_DEPTH).fold(NiblePath::root(), |p, i| p.child(i as u8 % 16));
+    assert!(full.is_full());
+
+    // Cascade routing: truncating to any depth gives a valid ancestor
+    for depth in 0..=b.depth() {
+        let ancestor = NiblePath { path: b.path >> (4 * (b.depth() - depth) as u32), depth };
+        assert!(ancestor.is_ancestor_of(b) || ancestor == b);
+    }
+}
+```
+
+This test would fail if `is_ancestor_of` had an off-by-one, if `parent()` didn't invert
+`child()`, or if the nibble-shift arithmetic were wrong. It does not test the claimed cascade
+performance (O(k) scent pre-filter) because that code does not exist yet.
diff --git a/python/CLAUDE.md b/python/CLAUDE.md
index 5dc645d6e..671c026e9 100644
--- a/python/CLAUDE.md
+++ b/python/CLAUDE.md
@@ -1,3 +1,11 @@
+## P0 — AdaWorldAPI forks ONLY, NEVER crates.io upstream
+
+**Always depend on the AdaWorldAPI fork of any crate that has one. NEVER use the
+upstream crates.io version of a forked crate.** Non-negotiable; applies to every
+`Cargo.toml` and every dependency decision in this repo. Every repo in this
+workspace is local — prefer the local/fork source over the registry, always.
+If a fork's coordinates are unknown, STOP and ask — never fall back to crates.io.
+
 Use the makefile for most actions:
 
 * Build: `maturin develop`