Status: completed local M5 baseline; not a release-candidate validation record
Date: 2026-06-05
- Revision basis: private pre-v1 `main` after M4 and public-readiness preparation
- Product version: `0.0.1`
- Graph schema version: `1.0.0`
- Runtime: Node.js `v24.15.0`, npm `11.6.2`; WSL2 Linux-native Node.js `v24.16.0`, npm `11.13.0`
- Primary environment: Windows with PowerShell and Git Bash; WSL2 Ubuntu
Target identities and raw paths are intentionally omitted. Raw generated graphs, maps, and summaries were written to OS temporary storage outside the tracked repository.
- `npm run check`: passed
- `npm run check:evals`: passed five copied-package behavioral cases
- copied-package runtime check: passed
- PowerShell/Git Bash installer matrix: passed
- adversarial safety suite: passed
- `npm run check:public`: passed for the tracked current tree
- `npm audit --audit-level=high`: passed with zero vulnerabilities
- `git diff --check`: passed
- WSL2 Linux-native adversarial, eval, and copied-package checks: passed
- WSL2 bash installer matrix: Claude Code and Codex user/project fresh install, existing-destination refusal, force replacement, and installed runtime passed
The `.gitignore` audit used `git check-ignore -v` rather than assuming rules
worked. Confirmed ignored local-only surfaces:
- dependencies, build output, coverage, editor files, logs, and tool scratch;
- `.env` variants except an intentionally public `.env.example`;
- project-local Claude Code and Codex skill installations;
- raw validation artifacts and release-candidate scratch; and
- generated `docs/ai/visualize/` outputs.
Confirmed intentionally tracked despite nearby ignore rules:
- adversarial generated-namespace exclusion fixture;
- behavioral-eval fixtures;
- governance files; and
- maintained sanitized release records.
The audit also exposed and fixed a scanner gap: project-local Codex installs
under `.agents/` are now excluded alongside `.claude/` and `.codex/`.
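
One way to run this kind of ignore audit, as an added example that is not the project's own tooling: each path's expected outcome is compared with what `git check-ignore -v` actually reports. The helper names, the rules, the paths, and the omission of `.agents/` from the first scratch repository are all constructed assumptions, chosen to show how a missing rule surfaces.

```shell
# Added example: every rule and path here is constructed for illustration.
tab=$(printf '\t')

# make_repo DIR RULE...: scratch repository whose .gitignore holds the rules.
make_repo() {
  repo=$1; shift
  git init -q "$repo"
  printf '%s\n' "$@" > "$repo/.gitignore"
}

# classify REPO PATH: prints ignored, reincluded or unmatched.
# Reads the rule from the -v output (<source>:<line>:<pattern><TAB><path>)
# because -v also reports paths whose deciding rule is a negation (!pattern).
classify() {
  out=$(git -C "$1" -c core.excludesFile=/dev/null check-ignore -v -- "$2") || true
  if [ -z "$out" ]; then echo unmatched; return 0; fi
  rule=${out%%"$tab"*}   # drop <TAB><path>
  rule=${rule#*:*:}      # drop <source>:<line>:
  case $rule in
    '!'*) echo reincluded ;;
    *)    echo ignored ;;
  esac
}

# audit REPO: print expected/actual per path; return the mismatch count.
audit() {
  fails=0
  while read -r want p; do
    got=$(classify "$1" "$p")
    [ "$got" = "$want" ] || fails=$((fails + 1))
    printf '%-10s %-10s %s\n' "$want" "$got" "$p"
  done <<EOF
ignored .env
ignored .env.local
reincluded .env.example
ignored .claude/skills/demo/SKILL.md
ignored .codex/skills/demo/SKILL.md
ignored .agents/skills/demo/SKILL.md
unmatched src/index.js
EOF
  return "$fails"
}

work=$(mktemp -d)
make_repo "$work/gap"   '.env*' '!.env.example' '.claude/' '.codex/'
make_repo "$work/fixed" '.env*' '!.env.example' '.claude/' '.codex/' '.agents/'
audit "$work/gap"   || echo "gap: $? expectation(s) not met"
audit "$work/fixed" && echo "fixed: all expectations met"
rm -rf "$work"
```
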
| Sanitized target shape | Files | Folders | Edges | References | Unknowns | Warnings | Graph bytes | Map bytes | Orient docs |
|---|---|---|---|---|---|---|---|---|---|
| backend service | 7 | 6 | 16 | 4 | 1 | 0 | 8,767 | 105,526 | 0 |
| frontend application | 8 | 7 | 17 | 3 | 0 | 0 | 9,131 | 105,688 | 0 |
| documentation-heavy unfamiliar layout | 4 | 5 | 11 | 3 | 0 | 0 | 6,063 | 103,854 | 0 |
| adversarial input | 7 | 16 | 25 | 3 | 1 | 0 | 12,628 | 108,130 | 0 |
| medium repository with orient docs | 94 | 69 | 251 | 89 | 7 | 0 | 126,297 | 186,212 | 3 |
The generic evidence collector accepted only generic labels in its maintained summary and kept raw paths/artifacts outside tracked source.
The maintained desktop tree, desktop scoped-graph, and mobile profiles were visually inspected after the M5 changes:
- tree view remained readable and clearly separated domains, kinds, and claims;
- scoped graph view remained navigable with subtree focus and compact controls;
- mobile layout stacked the information architecture without clipping; and
- no visual regression was observed.
These observations cover the maintained small fixture. They do not prove every large-repository interaction or independent-user interpretation.
The observed medium target produced 163 nodes, 251 edges, a roughly 126 KB graph, and a roughly 186 KB self-contained map. Scoped graph rendering and the tree/search surfaces remained viable; no evidence justified a hard v1 size threshold or renderer rewrite.
Decision: retain SVG and scoped views for v1. Defer speculative numeric limits. M6 should document practical scoping guidance and treat a materially larger candidate failure as new evidence, not assume this medium result scales without bound.
- Installed runtime: Node.js 18+ standard-library-only contract
- Locally verified: Windows PowerShell, Git Bash, and WSL2 Ubuntu
- WSL2 used Linux-native Node.js and passed adversarial, copied-package, package-independence, and bash installer lifecycle checks
- macOS: explicitly unverified
- Reachable private-era Git history still contains a private validation target
name and concrete workstation path; `npm run check:public:history` correctly fails until a controlled pre-public rewrite.
- Complete GitHub exposure audit and sibling-grade settings application remain.
- Exact rewritten release-candidate checkout validation remains.
- Independent cold-user validation remains.
M5 local documentation, hygiene, live-fire, graph-size, and visual evidence is sufficient to proceed to M6 preparation. It is not sufficient to publish or change repository visibility.