feat(dogfood): seal 22-wave roam-on-roam dogfood loop — 71 surgical fixes across 59 files

Pattern 1B/1C/1D envelope discipline:
- cmd_grep / cmd_refs_text / cmd_delete_check: 6 Pattern 1B/1D usage-error envelopes
- cmd_diagnose: Pattern 1B isolated-in-graph + N×4 batch-loop hoist (cmd_diagnose.py:288)
- cmd_attest: empty-changeset no_changes envelope (no more lying safe_to_merge:true)
- cmd_ws: _require_workspace() canonical Pattern-1A envelope across 6 subcommands
- cmd_annotate: read-path Pattern 1D resolution (W324 sibling)
- cmd_invariants / cmd_laws: usage_error envelope + agent_contract parity
- cmd_pr_bundle: emit verdict 156→69 chars (LAW 6 + LAW 4 truncation)
- cmd_workflow: 3 next_commands populated (CONSTRAINT 12)
- cmd_hotspots / cmd_ingest_trace: no-traces closed-enum + parse-error envelope
- cmd_partition / cmd_path_coverage: silent-bucket on unknown filter values

Pattern 2 silent-fallback closures:
- cmd_health: silent-Healthy 100/100 on empty corpus
- cmd_doctor: "all checks passed" on empty corpus
- cmd_taint: silent-SAFE on empty corpus (security-critical)
- cmd_fan: 3-state closed enum for empty-rows
- cmd_runs verify --all: state="ok" when unsigned>0 (now state="unsigned")
- cmd_fingerprint: text/JSON god_components 40x divergence

Critical detector-correctness fixes:
- graph/dark_matter.py: _RE_TABLE matched all Python imports as SQL FROM → 5→1 SHARED_DB (100% FP class fix)
- cmd_secrets.py: Generic Bearer regex FP-storm (1-char+ → 20-char min + lookahead)
- cmd_orphan_imports.py: pyproject parser + dist→import-name map → 578→21 (96.4% FP drop)
- cmd_understand.py: framework FP-storm (gated on _SOURCE_LANGUAGES + path filter)
- cmd_minimap.py / cmd_tour.py: test-fixture pollution in rankings/entry-points

Critical argv-injection security fixes:
- constitution/loader.py: tokenize-before-substitute (--symbol "x; rm -rf ." was injecting 7 argv tokens)
- cmd_pr_replay.py: --range "-"-prefix guard + "--" separator
- security/taint_rules: added CLI-context sources (sys.argv, click.option, etc.) to detect this class structurally

Pattern 3a / Pattern 6 envelope volume:
- cmd_fingerprint.py: 2.1MB → 30KB envelope via top-100 cluster truncate
- cmd_plan.py: 6048 → 3050 tokens via _trim_signature() decorator stripping
- formatter.py: added "cohesion" measurement_suffix + "risks" anchor terminal

W361 PageRank truncation sweep (72% of nonzero values were rounding to 0.0):
- cmd_partition / cmd_duplicates / cmd_codeowners / cmd_batch_search / cmd_agent_export / cmd_map: 4→6 decimals

Complexity reductions:
- cmd_health.py: _emit_health_findings 148→6 (-142) via emit-helper extraction
- catalog/parallel_hierarchy.py: detect_parallel_hierarchy 141→112 (markers_and_union helper)

LAW 4 / LAW 6 / CONSTRAINT 12:
- cmd_impact.py: verdict reach_pct .0f→.1f (LAW 6 self-consistency)
- cmd_orchestrate / cmd_mutate: docstring example flags (--n-agents → --agents, positional → required)
- cmd_adversarial.py: LAW 4 verdict re-anchored on "challenges" terminal
- next_steps.py: roam trace SOURCE TARGET (was 1-arg, Click rejected)

Empty-catch tightening (Pattern 2 lineage):
- cmd_pr_risk / cmd_clean / mcp_extras/completions / search/index_embeddings: typed-narrow handlers

Pattern 2 playbook propagation:
- index_embeddings.py: ONNX backend ImportError/RuntimeError sentinel
- cmd_math --only/--exclude: silent-no-op fix with closest-match warning prefix

cmd_invariants / cmd_laws docstring + agent_contract surfaces:
- cmd_laws check / list / explain: agent_contract.next_commands parity

Detector-pack expansions:
- security/taint_rules/python_basic.yaml + python_path_traversal.yaml: 5 CLI-context sources + 2 sinks
- formatter.py: added "cohesion" + "risks" to LAW 4 vocabulary (CLAUDE.md count 98→99, 115→116)

Dead code:
- search/tfidf.py: compute_tfidf_vectors() removed (0 callers)
- output/framework_filter.py: filter_framework_rows() + count_filtered() removed (undocumented, 0 callers)
- cmd_dead.py: degraded _parse_param_names → import canonical roam._signature_utils.parse_param_names
- mcp_server.py: 2 hedge_comments_false_cycle fix
- evidence/env_refs.py: false-cycle hedge fix (hoisted _detect_ci_env_id to module top)

New tests:
- tests/test_graph_layers.py (9 tests): detect_layers, format_layers
- tests/test_vuln_store_ingest.py (6 tests): ingest_npm/pip/trivy/osv + W202 operator-precedence regression pin
- tests/test_orphan_imports_filters.py (5 tests): W161 pyproject/dist-name/sibling discipline

22 dogfood agents executed; 71 surgical fixes accumulated across 59 modified files.
ruff format + ruff check clean. Drift guards + JSON contracts + smoke all pass.

Author: Cranot

src/roam/catalog/parallel_hierarchy.py

@@ -170,6 +170,34 @@ def _finding(
     )
 
 
+def _markers_and_union(
+    subs: list[tuple[int, str, Optional[str], Optional[int]]],
+    super_name: str,
+) -> tuple[list[tuple[str, set[str]]], set[str]]:
+    """Build the per-subclass marker sets + their union for one hierarchy.
+
+    Each subclass name is tokenised; tokens that overlap with the
+    superclass name are stripped so the comparison signal lives on the
+    *variant* portion (``US``/``UK``/``Payroll``) rather than the shared
+    root (``Employee``). Subclasses with no remaining markers are
+    dropped — they can't contribute to the Jaccard signal.
+
+    The A-side and B-side inner loops in ``detect_parallel_hierarchy``
+    are byte-identical apart from variable suffixes; this helper is the
+    extracted common form.
+    """
+    super_toks = _tokenize(super_name)
+    markers: list[tuple[str, set[str]]] = []
+    for _sid, name, _p, _l in subs:
+        toks = _strip_super_token_overlap(_tokenize(name), super_toks)
+        if toks:
+            markers.append((name, toks))
+    union: set[str] = set()
+    for _n, toks in markers:
+        union |= toks
+    return markers, union
+
+
 def detect_parallel_hierarchy(
     conn: sqlite3.Connection,
     *,
@@ -242,35 +270,14 @@ def detect_parallel_hierarchy(
     eligible.sort(key=lambda t: t[0])
     for i in range(len(eligible)):
         super_a_id, super_a_name, subs_a = eligible[i]
-        super_a_toks = _tokenize(super_a_name)
-        # Build marker sets per subclass (parent tokens stripped).
-        markers_a: list[tuple[str, set[str]]] = []
-        for _sid, name, _p, _l in subs_a:
-            markers = _strip_super_token_overlap(_tokenize(name), super_a_toks)
-            if markers:
-                markers_a.append((name, markers))
-        if len(markers_a) < min_subclasses:
-            continue
-        union_a: set[str] = set()
-        for _n, toks in markers_a:
-            union_a |= toks
-        if not union_a:
+        markers_a, union_a = _markers_and_union(subs_a, super_a_name)
+        if len(markers_a) < min_subclasses or not union_a:
             continue
 
         for j in range(i + 1, len(eligible)):
             super_b_id, super_b_name, subs_b = eligible[j]
-            super_b_toks = _tokenize(super_b_name)
-            markers_b: list[tuple[str, set[str]]] = []
-            for _sid, name, _p, _l in subs_b:
-                markers = _strip_super_token_overlap(_tokenize(name), super_b_toks)
-                if markers:
-                    markers_b.append((name, markers))
-            if len(markers_b) < min_subclasses:
-                continue
-            union_b: set[str] = set()
-            for _n, toks in markers_b:
-                union_b |= toks
-            if not union_b:
+            markers_b, union_b = _markers_and_union(subs_b, super_b_name)
+            if len(markers_b) < min_subclasses or not union_b:
                 continue
 
             similarity = _jaccard(union_a, union_b)

src/roam/commands/cmd_adversarial.py

@@ -17,6 +17,7 @@
 import click
 
 from roam.capability import roam_capability
+from roam.catalog._shared import is_test_path as _is_test_path
 from roam.commands.changed_files import get_changed_files, resolve_changed_to_db
 from roam.commands.resolve import ensure_index
 from roam.db.connection import batched_in, find_project_root, open_db
@@ -268,15 +269,36 @@ def _check_anti_patterns(conn, changed_file_ids, status=None):
 
     changed_fids = set(changed_file_ids)
 
+    # W1259 dogfood fix (CHALLENGE 57 HIGH loop-query): the original loop ran
+    # one ``SELECT file_id FROM symbols WHERE id = ?`` per finding. On
+    # roam-code itself ``run_detectors`` emits ~7900 findings, producing
+    # ~7900 SQL round-trips here just to filter to the small set of changed
+    # files. Pre-fetch the symbol->file_id map for ALL referenced symbols in
+    # one batched query, then filter in Python.
+    candidate_sids = {f.get("symbol_id") for f in findings if f.get("symbol_id")}
+    sym_to_file: dict[int, int] = {}
+    if candidate_sids:
+        try:
+            rows = batched_in(
+                conn,
+                "SELECT id, file_id FROM symbols WHERE id IN ({ph})",
+                list(candidate_sids),
+            )
+            sym_to_file = {r["id"]: r["file_id"] for r in rows}
+        except Exception as exc:  # noqa: BLE001
+            # Lineage: degrade loudly. If the batched lookup fails we
+            # cannot safely scope findings to changed files, so mark the
+            # check as errored rather than emit a misleading clean result.
+            if status is not None:
+                status["anti_patterns"] = f"errored:symbol_file_lookup:{type(exc).__name__}"
+            return challenges
+
     for f in findings:
         sym_id = f.get("symbol_id")
         if not sym_id:
             continue
-        try:
-            row = conn.execute("SELECT file_id FROM symbols WHERE id = ?", (sym_id,)).fetchone()
-        except Exception:
-            continue
-        if not row or row["file_id"] not in changed_fids:
+        file_id = sym_to_file.get(sym_id)
+        if file_id is None or file_id not in changed_fids:
             continue
 
         confidence = f.get("confidence", "medium")
@@ -437,9 +459,15 @@ def _check_orphaned_symbols(conn, changed_sym_ids, status=None):
         file_path = (sym["file_path"] or "").replace("\\", "/")
         name = sym["name"] or ""
 
-        # Skip test files and private symbols
-        is_test = file_path.startswith("test") or "tests/" in file_path or "test/" in file_path or "spec/" in file_path
-        if is_test:
+        # W1259 dogfood fix (W907 cargo-cult guard + parity): the original
+        # ad-hoc check (``startswith("test")`` + ``"tests/" in``) missed
+        # ``_test.go`` / ``_test.py`` suffix files, ``__tests__/``
+        # directories, and camelCase ``UserTest.java`` / ``UserSpec.scala``
+        # / ``UserTests.cs`` basenames — all of which the canonical
+        # ``roam.catalog._shared.is_test_path`` detects. Delegate to the
+        # canonical helper so multi-language repos don't see test
+        # symbols flagged as orphans here.
+        if _is_test_path(file_path):
             continue
         if name.startswith("_"):
             continue
@@ -758,16 +786,28 @@ def adversarial(ctx, staged, commit_range, severity, fail_on_critical, fmt):
         # ------------------------------------------------------------------
         # Gather symbol IDs and file IDs for changed files
         # ------------------------------------------------------------------
+        # W1259 dogfood fix (CHALLENGE 71/77/88 silent-swallow at line 769):
+        # the original loop ran one ``SELECT id FROM symbols WHERE file_id =
+        # ?`` per changed file and silently swallowed any failure. A SQLite
+        # error here would leave ``changed_sym_ids`` partial, making every
+        # downstream check (cycles / layers / cross-cluster / orphaned /
+        # fan-out) emit degraded results indistinguishable from a clean
+        # pass — the canonical Pattern-2 silent-fallback hole. Batch the
+        # lookup into one query AND degrade loudly via ``check_status``
+        # when it fails.
         changed_sym_ids: set[int] = set()
-        changed_file_ids: set[int] = set()
-
-        for path, fid in file_map.items():
-            changed_file_ids.add(fid)
+        changed_file_ids: set[int] = set(file_map.values())
+        sym_lookup_status = "ran"
+        if changed_file_ids:
             try:
-                syms = conn.execute("SELECT id FROM symbols WHERE file_id = ?", (fid,)).fetchall()
-                changed_sym_ids.update(s["id"] for s in syms)
-            except Exception:
-                pass
+                rows = batched_in(
+                    conn,
+                    "SELECT id FROM symbols WHERE file_id IN ({ph})",
+                    list(changed_file_ids),
+                )
+                changed_sym_ids = {r["id"] for r in rows}
+            except Exception as exc:  # noqa: BLE001
+                sym_lookup_status = f"errored:symbol_lookup:{type(exc).__name__}"
 
         # ------------------------------------------------------------------
         # Run all challenge generators
@@ -777,6 +817,10 @@ def adversarial(ctx, staged, commit_range, severity, fail_on_critical, fmt):
         # "changes look clean" when any check errored. Same shape as the
         # W832 cmd_critique guard and the X4 cmd_pr_prep guard.
         check_status: dict[str, str] = {}
+        # W1259 dogfood: also surface the changed-symbol lookup status so a
+        # SQL failure here cannot silently produce empty downstream results.
+        if sym_lookup_status != "ran":
+            check_status["symbol_lookup"] = sym_lookup_status
         challenges: list[dict] = []
         challenges.extend(_check_new_cycles(conn, changed_sym_ids, status=check_status))
         challenges.extend(_check_layer_violations(conn, changed_sym_ids, status=check_status))
@@ -810,6 +854,13 @@ def adversarial(ctx, staged, commit_range, severity, fail_on_critical, fmt):
         errored_checks = sorted(name for name, s in check_status.items() if s.startswith("errored:"))
         partial_success = bool(errored_checks)
 
+        # W1259 dogfood fix (LAW 4): the original verdicts ended on
+        # ``critical`` / ``severity`` / ``info`` — none of which are in
+        # ``_CONCRETE_NOUN_ANCHORS``. Static lint missed it because
+        # ``facts = [verdict]`` is a Name reference, not a literal. At
+        # runtime the verdict (which fact[0] copies) failed LAW 4
+        # anchoring. Rephrase each verdict to terminate on ``challenges``
+        # (anchored).
         if not challenges:
             if partial_success:
                 verdict = (
@@ -820,13 +871,13 @@ def adversarial(ctx, staged, commit_range, severity, fail_on_critical, fmt):
             else:
                 verdict = "No architectural challenges found -- changes look clean"
         elif critical > 0:
-            verdict = f"{len(challenges)} challenge(s), {critical} critical"
+            verdict = f"{critical} critical of {len(challenges)} challenges"
         elif high > 0:
-            verdict = f"{len(challenges)} challenge(s), {high} high severity"
+            verdict = f"{high} high-severity of {len(challenges)} challenges"
         elif warning > 0:
-            verdict = f"{len(challenges)} challenge(s), {warning} warning(s)"
+            verdict = f"{warning} warning(s) across {len(challenges)} challenges"
         else:
-            verdict = f"{len(challenges)} challenge(s), {info} info"
+            verdict = f"{info} info-level of {len(challenges)} challenges"
         if partial_success and challenges:
             # Append partial qualifier so consumers see BOTH the findings
             # count AND the cascade. Matches the W832 cmd_critique shape.

src/roam/commands/cmd_agent_export.py

@@ -196,7 +196,11 @@ def _gather_key_files(conn, limit=15):
         results.append(
             {
                 "path": r["path"],
-                "pagerank": round(r["max_pr"] or 0, 4),
+                # W-dogfood (W336 sibling): 6-decimal precision —
+                # `max_pr` is the MAX symbol-level PR per file. On
+                # 5K+ symbol graphs the per-node PR floor is ~1.4e-05,
+                # so 4-decimal rounding zeroes ~72% of nonzero values.
+                "pagerank": round(r["max_pr"] or 0, 6),
                 "fan_in": r["max_in"] or 0,
                 "symbols": r["sym_count"],
             }

src/roam/commands/cmd_annotate.py

@@ -184,6 +184,12 @@ def annotations(ctx, target, tag, since):
         conditions = ["(expires_at IS NULL OR expires_at > datetime('now'))"]
         params = []
 
+        # W324 + dogfood — Pattern 1D: track resolution state for the read
+        # path so the envelope can distinguish a legitimate "0 annotations
+        # for a resolved target" from a degraded "target did not resolve, we
+        # are querying a dangling qualified_name" silent-success. Mirrors the
+        # write-path disclosure on ``annotate``.
+        resolution: str | None = None  # None when no target was supplied
         if target:
             # Try symbol resolution
             sym = find_symbol(conn, target)
@@ -192,6 +198,7 @@ def annotations(ctx, target, tag, since):
                 qname = sym["qualified_name"] or sym["name"]
                 conditions.append("(symbol_id = ? OR qualified_name = ?)")
                 params.extend([sym_id, qname])
+                resolution = "symbol"
             else:
                 # Try file path
                 frow = conn.execute(
@@ -201,10 +208,16 @@ def annotations(ctx, target, tag, since):
                 if frow:
                     conditions.append("file_path = ?")
                     params.append(frow["path"])
+                    resolution = "file"
                 else:
-                    # Try as qualified_name
+                    # Try as qualified_name. The target did NOT resolve as a
+                    # live symbol or file row; matching by literal qname can
+                    # still hit annotations stored on dangling names from
+                    # prior unresolved writes (relinks on reindex), but the
+                    # caller must be told this is degraded resolution.
                     conditions.append("qualified_name = ?")
                     params.append(target)
+                    resolution = "unresolved"
 
         if tag:
             conditions.append("tag = ?")
@@ -235,17 +248,39 @@ def annotations(ctx, target, tag, since):
             for r in rows
         ]
 
+        # Pattern 1D — silent-success guard. If the caller asked about a
+        # specific target and we fell through to the dangling-qualified_name
+        # path, the count we just returned is from the dangling-name shard
+        # of the table, not from a resolved subject. Mark the envelope
+        # partial_success and degrade the verdict so agents can tell.
+        partial = resolution == "unresolved"
+        if resolution == "unresolved":
+            # LAW 4 / Pattern 1D: lead with a non-digit subject so the long-
+            # sentence anchor rule fires, and surface that the count reflects
+            # only literal qualified_name matches on a target that did NOT
+            # resolve to a live symbol or file row.
+            plural = "s" if len(ann_list) != 1 else ""
+            verdict = f"target did not resolve to any symbol or file: {len(ann_list)} dangling-name annotation{plural}"
+        else:
+            verdict = f"{len(ann_list)} annotation{'s' if len(ann_list) != 1 else ''}"
+
+        summary: dict = {
+            "verdict": verdict,
+            "count": len(ann_list),
+            "target": target,
+            "tag_filter": tag,
+            "partial_success": partial,
+        }
+        if resolution is not None:
+            summary["resolution"] = resolution
+
         if json_mode:
             click.echo(
                 to_json(
                     json_envelope(
                         "annotations",
-                        summary={
-                            "verdict": f"{len(ann_list)} annotation{'s' if len(ann_list) != 1 else ''}",
-                            "count": len(ann_list),
-                            "target": target,
-                            "tag_filter": tag,
-                        },
+                        summary=summary,
+                        resolution=resolution,
                         annotations=ann_list,
                     )
                 )

src/roam/commands/cmd_attest.py

@@ -682,10 +682,20 @@ def attest(ctx, commit_range, staged, output_format, sign, output_file):
 
     changed = get_changed_files(root, staged=staged, commit_range=commit_range)
     if not changed:
+        # Pattern 1D / Pattern 2: no-changes is a degraded-resolution path,
+        # NOT a fully-assessed "safe to merge" verdict. An agent reading
+        # ``summary.safe_to_merge`` must not see ``True`` when the underlying
+        # check never ran (there was nothing to assess). Disclose state +
+        # partial_success explicitly so the verdict and the field agree.
         label = commit_range or ("staged" if staged else "uncommitted")
         _attest_empty_envelope = json_envelope(
             "attest",
-            summary={"verdict": f"no changes found for {label}", "safe_to_merge": True},
+            summary={
+                "verdict": f"no changes found for {label}",
+                "state": "no_changes",
+                "partial_success": True,
+                "safe_to_merge": None,
+            },
         )
         auto_log(_attest_empty_envelope, action="attest", target=label, repo_root=root)
         if json_mode or output_format == "json":

src/roam/commands/cmd_batch_search.py

@@ -76,7 +76,10 @@ def _run_one(conn, q: str, limit: int, include_paths: bool) -> list[dict]:
             "kind": r["kind"],
             "file_path": r["file_path"],
             "line_start": r["line_start"],
-            "pagerank": round(float(r["pagerank"] or 0), 4),
+            # W-dogfood (W336 sibling): 6-decimal precision —
+            # 4-decimal rounding zeroes ~72% of nonzero PR values on
+            # 5K+ symbol graphs (per-node PR floor ~1.4e-05).
+            "pagerank": round(float(r["pagerank"] or 0), 6),
         }
         for r in rows
     ]

src/roam/commands/cmd_clean.py

@@ -12,6 +12,7 @@
 from __future__ import annotations
 
 import os
+import sqlite3
 
 import click
 
@@ -131,7 +132,10 @@ def clean(ctx):
             try:
                 conn.execute("VACUUM")
                 vacuumed = True
-            except Exception:
+            except sqlite3.OperationalError:
+                # VACUUM can fail on an active transaction or locked DB
+                # — that's the only legitimate failure mode here.
+                # Programmer errors (NameError, etc.) propagate per W531.
                 pass
 
         verdict = (