---
title: Repository audit
date: 2026-06-09
---

# Repository audit — levineuwirth.org (2026-06-09)

Comprehensive audit of the repo on `main` at commit `620b974` (working tree
modified: branding refresh across `static/` + `templates/partials/`, plus
`tools/embed.py` rework; untracked `static/og-image.png`,
`templates/partials/logo-mark.svg`, `data/embed-cache-pages.npz.tmp.npz`).

Severity legend: **HIGH** (likely to break a build, cause data loss, or
expose a security weakness) — **MED** (latent bug, brittleness, or
documentation drift) — **LOW** (minor robustness gap or fragile assumption) —
**NIT** (style, polish, or paranoia).

Numbers are file:line against the working tree at audit time. Findings
marked "verified" were reproduced empirically (solver runs, built `_site/`
output inspection, live HTTP checks, binary parsing); the rest were
confirmed by reading the code.

Prior audit: `AUDIT.md` (2026-05-07). Follow-up status in §10.

---

## 1. Build & dependency chain

### 1.1 `cabal.project.freeze` is unsolvable again — next clean build fails — **HIGH**

`cabal build --dry-run` fails today (verified): the freeze pins
`distributive ==0.6.2.1`, but the system (pacman) GHC package db has
`comonad-5.0.10` built against `distributive-0.6.3`:

```
rejecting: distributive-0.6.3/installed... (constraint from
cabal.project.freeze requires ==0.6.2.1)
After searching the rest of the dependency tree exhaustively...
```

The conflict set also names aeson, warp, hakyll, http2, semigroupoids. This
is the same failure mode as prior-audit §1.1 — that audit's specific aeson
pin was fixed (now 2.2.2.0/hashable 1.4.7.0), but a different package broke
the same way after a system update. Recent builds succeed only off the
cached `dist-newstyle/cache/plan.json`; the freeze file has since changed,
so the next cabal invocation re-solves and fails. Because `make deploy`
starts with `make clean`, the next deploy hits this. `levineuwirth.cabal`'s
own bounds are compatible with the freeze — the conflict is
freeze-vs-installed-db, not freeze-vs-cabal-file.

Fix: `tools/refreeze.sh` (written for exactly this post-`pacman -Syu`
situation). The underlying fragility — freezing against a mutable system
package db — remains; consider documenting the refreeze step as part of any
system-upgrade ritual. *(In progress at time of writing.)*

### 1.2 Missing `data/archive-index.json` / `archive-state.json` crashes the build — **HIGH**

`build/ArchiveIndex.hs:134-146`. The module doc (lines 18-22) promises "An
absent or malformed file degrades safely: an empty index makes the link
consumers no-op; an absent state file makes every entry @Live@." But
`rawIndex = unsafePerformIO $ do decoded <- A.eitherDecodeFileStrict' indexPath`
(and identically `rawState`) never checks `doesFileExist`, and aeson's
`eitherDecodeFileStrict'` throws an uncaught `IOException` on a missing
file (verified: `withBinaryFile: does not exist`). Both files are
gitignored (`.gitignore:84-85`), so a fresh clone or a no-`.venv` build —
the exact path `build/Archive.hs:20-24` promises to support — throws when
the CAF is first forced. Contrast `readUrlSet` (line 109) in the same file,
which guards correctly. Currently latent on this machine only because both
generated files happen to exist.

### 1.3 `embed.py` `trust_remote_code=True` executes unpinned third-party code — **HIGH**

`tools/embed.py:329` (line ~341 in the uncommitted version). The new
page-model load is
`SentenceTransformer(PAGE_MODEL_NAME, revision=PAGE_MODEL_REVISION, trust_remote_code=True)`.
The `revision` arg pins only the `nomic-ai/nomic-embed-text-v1.5` repo; the
actual modeling code is pulled via `auto_map` from a *different* repo —
verified in the local HF cache: the executed code lives under
`transformers_modules/nomic_hyphen_ai/nomic_hyphen_bert_hyphen_2048/...`,
i.e. `nomic-ai/nomic-bert-2048` at its current head, which nothing pins. A
compromise of that second repo runs arbitrary Python at build time, in a
repo whose every other download path (download-model.sh, pdfjs, leaflet) is
sha256-pinned. The comment "Both pins are deliberate" is therefore
misleading. Fix: pin via `code_revision`, or run with `HF_HUB_OFFLINE=1`
after first fetch, or document the accepted risk.

### 1.4 Working-tree commit hazard: tracked templates reference untracked files — **HIGH (process)**

`templates/partials/nav.html:5` (tracked, modified) adds
`$partial("templates/partials/logo-mark.svg")$` and
`templates/partials/head.html` references `/og-image.png` — both target
files are **untracked** (no git history). Committing the template diff
without `git add`-ing both breaks every page's Hakyll build on a fresh
clone (`$partial$` aborts compilation) and 404s the og:image. They must
land in the same commit. Conversely, `data/embed-cache-pages.npz.tmp.npz`
must **not** be committed (see §4.1). The partial itself is safe as a
Hakyll template (verified: zero `$` characters; `match "templates/**"`
compiles it).

### 1.5 `einops` dependency: undocumented, unbounded, imported nowhere — **LOW**

`pyproject.toml:27` adds `einops>=0.8.2`. No import anywhere in
`tools/`/`build/`/`static/js/`; its only consumer is nomic's
`trust_remote_code` module (§1.3). Every sibling dependency has an
explanatory comment and an upper bound per the file's own stated policy
("Upper bounds are intentionally generous (next major) but always
present"); einops has neither. `uv lock --check` passes (0.8.2 pinned).

---

## 2. Haskell build code — core

### 2.1 Nav, home grid, and library link `/fiction/` and `/poetry/` — confirmed 404s — **MED**

`build/Site.hs:50-60` (`homePortals` contains `("Fiction","fiction")`,
`("Poetry","poetry")`), `templates/partials/nav.html:56,61`,
`templates/library.html:44,58`. No rule generates either index: fiction and
poetry are not in `tagIndexable` (`build/Patterns.hs:148-151` = essays +
blog + photos) and Site.hs has no landing rule. Verified: `_site/fiction`
does not exist; `_site/poetry/` has no `index.html`. nginx has no
redirects. Both links 404 in production today.

### 2.2 Tag/route collisions guarded for `photography` only — **MED**

`build/Tags.hs:98-99`. `tagIdentifier` maps tag `t` → `t ++ "/index.html"`;
`sectionOwnedTopLevelTags = ["photography"]` is the only guard. A
tagIndexable item tagged `music` (or `music/x`, which expands to `music`)
emits `music/index.html`, already owned by the music index route
(`build/Site.hs:486-487`); similarly `essays`, `blog`, `cv`, `archive`,
`authors`, `bibliography`. Hakyll does not error on duplicate routes — one
silently overwrites the other.

### 2.3 Sidenotes filter destroys the documented no-JS fallback — **MED**

`build/Filters/Sidenotes.hs:30-36` vs `static/css/sidenotes.css:125-135`.
The module doc claims the Pandoc `<section class="footnotes">` "serves as
fallback," but `apply` replaces every `Note`, so the writer never emits the
section. CSS depends on it below 1500px. Verified in output:
`_site/essays/scaling_outage.html` has 3 `class="sidenote"` and zero
`footnotes` occurrences. With JS disabled, footnote content is invisible on
narrow viewports. The comment, the CSS, and ozymandias.md's own prose all
contradict actual behavior.

### 2.4 Sidenote bodies rendered without the KaTeX writer — **MED**

`build/Filters/Sidenotes.hs:103-115`. `inlinesToHtml`/`blocksToHtml` use
`writeHtml5String (def :: WriterOptions)` (PlainMath), while the main
pipeline uses `KaTeX ""` (`build/Compilers.hs:47`). Math inside a footnote
never gets `<span class="math inline">\(...\)</span>`, so KaTeX never
renders it — degrades to plain italics, silently inconsistent with body
math.

### 2.5 SourceRefs whitelist vs `/source/` serving whitelist have drifted — **MED**

`build/Filters/SourceRefs.hs:114-141` vs `build/Site.hs:217-240`. Site.hs:209
says "must stay aligned with 'isSourcePath'". Mismatches: SourceRefs wraps
`content/` and `yaml-source/` (no Site counterpart); `static/` + any known
ext vs Site's `static/js/**`/`static/css/**` only; `tools/` + any ext vs
Site's `tools/**.sh`/`tools/**.py`; `data/` at any depth vs Site's
top-level `data/*.{json,yaml,md,bib}`. Each mismatch yields a wrapped
source-ref whose popup fetch 404s (Forgejo href fallback still works).
Inverse: Site serves `data/*.bib` but `.bib` is missing from
`hasKnownExt` — dead whitelist entry.

### 2.6 `epistemicEntry` ignores `confidence: proved` — **MED**

`build/Site.hs:1014-1024`. Comment: "Compute overall-score the same way
Contexts.overallScoreField does," but it uses
`readMaybe =<< lookupString "confidence" meta`, which is `Nothing` for
`"proved"`/`"proven"`, whereas `Contexts.overallScoreField`
(`build/Contexts.hs:574-576`) substitutes 100 via `isProvedConfidence`.
Proved pages get no `score` in `data/epistemic-meta.json` and export the
raw string under `confidence`, so client-side filtering silently misses
them.

### 2.7 Empty affiliation `<div>` ships on every essay without `affiliation:` — **MED**

`build/Contexts.hs:84-89` + `templates/partials/metadata-tail.html:12`.
`affiliationField` returns an empty list instead of `noResult`; Hakyll's
`$if$` is truthy for empty list fields (the codebase knows this —
`tagLinksFieldExcludingScope` uses `noResult` for exactly this reason).
Verified in output: `_site/essays/asymmetric-forgetting.html` contains
`<div class="meta-row meta-affiliation">` with whitespace-only content.

### 2.8 Library page hard-depends on `content/library.md` — **LOW**

`build/Site.hs:675`. `_ <- loadSnapshot libraryIntroId "body"` is a
top-level compiler statement (not inside a `field`), so it's a hard
failure. The block is documented as "optional prose block"; deleting
`content/library.md` breaks the whole `library.html` compile. Contrast the
existence-guarded sidecars at `build/Tags.hs:277-283` and
`build/Site.hs:843-850`.

### 2.9 Library `primaryPortalOf` reads only list-form `tags:` — **LOW**

`build/Site.hs:632-638`. `lookupStringList "tags"` returns `Nothing` for
scalar comma form (`tags: research, ai`), which Hakyll's `getTags`
accepts. Such an item appears on tag pages but is silently dropped from
the library. All current content uses list form — latent.

### 2.10 `allContent` omits me/, memento-mori/, photography from the link graph — **LOW**

`build/Patterns.hs:124-133`, used by `build/Backlinks.hs:334,345`. Despite
"Every content file the backlinks pass should index," `content/me/index.md`
and `content/memento-mori/index.md` (full essays, rendered with
`backlinksField`) never have their outgoing links extracted; photography
likewise. Either deliberate-but-undocumented or the exact silent omission
the module header says it exists to prevent.

### 2.11 Paginated tag pages: split by creation date, sorted by display date — **LOW**

`build/Tags.hs:371-377`. `buildPaginateWith (sortAndGroupAt tagPageSize)`
partitions via `sortRecentFirst` (creation date), then each page re-sorts
with `recentFirstByDisplay` (revision-aware). A recently revised old item
stays on a late page but jumps to its top — cross-page ordering is not
monotone. Only fires above the 150-item threshold.

### 2.12 `fill:#000` replacement corrupts longer hex colors — **LOW**

`build/Filters/Score.hs:118-133` (and `Filters/Viz.hs` `processColors`).
The 6-digit pass protects only `#000000`; for `fill:#000080` the 3-digit
pass produces `fill:currentColor80` — invalid CSS, silently mangled SVG.
Quoted attribute forms are safe; only unquoted style-property forms are
exposed.

### 2.13 Source-level preprocessors rewrite inside fenced code blocks — **LOW**

`build/Filters/Wikilinks.hs:24-31`, `Filters/Transclusion.hs:18-20`,
`Filters/EmbedPdf.hs`. All run on the raw source before Pandoc parses
fences: `[[anything]]` in a code block becomes a link; a code-block line
that is exactly `{{slug}}` or `{{pdf:...}}` becomes raw HTML.
Transclusion's comment ("prevents accidental substitution inside prose or
code") is false for full-line directives in code blocks. A live foot-gun
for a site that documents its own syntax (ozymandias.md does exactly
this).

### 2.14 `domainIcon` matches substrings of the whole URL, not the host — **LOW**

`build/Filters/Links.hs:120-153`. `"x.com" `T.isInfixOf` url` etc. —
`https://example.org/why-x.com-failed` gets the Twitter icon. Contradicts
the strict-hostname discipline `isExternal` documents at lines 95-101 of
the same file. Cosmetic (icon only).

### 2.15 `gsubRoute "content/"` strips every occurrence, not just the prefix — **LOW**

`build/Site.hs:171,357,417` etc. Hakyll's `gsubRoute` is replace-all; a
co-located directory literally named `content` would be silently mangled
(`content/essays/slug/content/data.csv` → `essays/slug/data.csv`). Same
for `gsubRoute "static/"`. Improbable but silent.

### 2.16 `existsCached` memoizes non-existence for the process lifetime — **LOW**

`build/Filters/SourceRefs.hs:160-166`. Under `make watch`, a source file
created after first reference stays cached as absent until restart.

### 2.17 Core NITs

- `build/Site.hs:42-44`: comment says "eight portals"; the list has nine.
  Echoed at Site.hs:606 ("the eight") vs line 657's "nine times".
- `build/Site.hs:866-877`: random-pages.json comment says "essays + blog
  posts only" but the rule loads fiction and flat poetry too; uses
  flat-only `content/poetry/*.md` while the epistemic rule uses
  `allPoetry` — collection poems are epistemic-indexed but never
  randomizable.
- `build/Utils.hs:64-73`: `authorSlugify` comment claims runs of spaces
  collapse; code maps each space (`"A  B"` → `"a--b"`). Consistent
  everywhere, so links work; comment wrong.
- `build/Utils.hs:31-32`: `readingTime` truncates (`div 200`) — 399 words
  reports "1 min"; comment implies ceiling semantics.
- `build/Pagination.hs:42` + `build/Site.hs:77-82`: hardcoded pattern
  literals duplicate `Patterns.hs`, defeating that module's stated purpose
  (Patterns.hs:6-10).
- `build/Contexts.hs:174-180`: plain `tagLinksField` returns an empty list
  rather than `noResult` — `$if(item-tags)$` is true and templates emit
  empty tag wrappers (author-index.html, item-card.html).
- `build/Tags.hs:296-304`: `tagItemCtx` composes `defaultContext`, not
  `siteCtx`, so `$if(has-monogram)$` never fires on tag pages — monograms
  render on new.html/library but silently never on tag indexes.
- `build/Contexts.hs:485-492`: `dotsField` comment says "1–5" but accepts
  0 (`max 0 (min 5 n)`) — `importance: 0` renders five empty circles.
- `build/Contexts.hs:375-381`: `descriptionField` doc says `noResult`;
  code uses `fail` — behaviorally fine under Hakyll 4.16 `$if$` (verified
  against Hakyll 4.16.7.1 source) but logs `[ERROR]` debug noise per
  abstract-less page. Same in `abstractField`, `summaryField`,
  `bibliographyField`.
- `build/Filters/Images.hs:233-234`: `webpSrc` interpolated into `srcset`
  unescaped while sibling `src` goes through `esc`.
- `build/Filters/Links.hs:37-46,63-69`: internal PDF links double-classified
  (`pdf-link` + `link-internal` chrome) despite the "no overlap" comment.
- `build/Filters/Smallcaps.hs:31-34` + `Filters/Archive.hs:42-44`:
  "headers are skipped" only at top level; a Header nested in a
  Div/BlockQuote is processed, contradicting the comments.

Verified clean: no unguarded `head`/`fromJust`/`read`/`!!` hazards in the
core modules; filter composition order matches its documenting comments;
Hakyll 4.16.7.1 `$if$` treats both `fail` and `noResult` as false.

---

## 3. Haskell build code — feature modules

### 3.1 Stats heatmap day-of-week off-by-one: Sunday clipped out of the SVG — **MED**

`build/Stats.hs:185,300,317`. `dowOf d = fromEnum (dayOfWeek d) -- Mon=0..Sun=6`
— but `time-1.12.2` is ISO-numbered (verified:
`map fromEnum [Monday..Sunday] == [1..7]`). So Sunday lands at y=106 while
`svgH` = 104 — every Sunday cell is clipped out of the viewBox and grid
row 0 is permanently blank. Relatedly, `weekStart` returns the previous
*Sunday* (and for a Sunday, 7 days back), not the "first Monday on or
before" its comment claims; builds run on a Sunday also clip the newest
column horizontally.

### 3.2 `Commonplace.hs` uses `Char8.pack` — non-ASCII YAML corruption — **MED**

`build/Commonplace.hs:143`. `Y.decodeEither' (BS.pack raw)` with
`Data.ByteString.Char8` truncates each `Char` to 8 bits — the exact hazard
`build/Now.hs:249-253` documents and fixes with `TE.encodeUtf8`.
`data/commonplace.yaml` is currently pure ASCII, so latent — but a
commonplace book of quotations is the likeliest file to acquire an em-dash
or curly quote, which will then either fail the YAML parse or publish
mojibake.

### 3.3 Backlinks: links inside tight lists are invisible — **MED**

`build/Backlinks.hs:220-226`. `extractLinksWithContext`'s `go` handles
`Para`, `BlockQuote`, `Div`, `BulletList`, `OrderedList`, then `go _ = []`.
Tight list items (the default `- item` form) are `Plain` blocks, not
`Para`, so recursion into list children yields nothing. Every internal
link written in a tight list never produces a backlink. `Header`, `Table`,
and `DefinitionList` blocks are likewise skipped. The doc comment implies
coverage it doesn't deliver.

### 3.4 Stability "age" is the first→last commit span, not time since first commit — **MED**

`build/Stability.hs:89-93,99-112`. Docs say "age in days since first
commit," but `classify (length dates) (daySpan (last dates) newest)`
computes the span between first and most recent *commit*, with no
reference to today. A piece written in a one-week burst years ago reports
"volatile" forever; time passing without commits can never increase
stability. Either the comment or the metric is wrong.

### 3.5 Frontmatter `history:` assumed newest-first; WRITING.md documents oldest-first — **MED**

`build/Stability.hs:204-217,299-336` vs `WRITING.md:105-109`.
`loadVersionHistory` keeps authored order and all range fields treat the
head as newest (`es@(newest:_) -> let oldest = last es`). Git history is
newest-first, but WRITING.md's `history:` example is oldest-first. With
the documented ordering, `version-history-range` renders reversed
("14 March 2026 – 1 March 2026"), `range-start` returns the newest date,
and `version-history-primary` shows the three *oldest* entries.

### 3.6 Archive manifest→provenance join is exact-string, rest of system is normalized — **MED**

`build/Archive.hs:269`. `Map.lookup (meUrl me) provByUrl` joins on the raw
URL; everywhere else equivalence is `normalizeUrl` (ArchiveIndex
filtering, dup detection, ARCHIVE.md:189-192). Editing a manifest URL to a
normalization-equivalent form (`http`→`https`, trailing slash, tracking
param) silently unpublishes `/archive/<slug>/` while ArchiveIndex's
normalized filter keeps the slug active — links keep pointing at a 404.

### 3.7 Photography `buildPin` computes wrong slug/thumb/title for flat entries — **MED**

`build/Photography.hs:354,362`. `slug = takeFileName (takeDirectory fp)` —
for a flat `content/photography/foo.md` this yields `"photography"`, so
map.json gets `"slug": "photography"`, the title fallback is wrong, and
`thumb = "/photography/photography/<p>"` 404s (flat-single assets route to
`/photography/<asset>`). PHOTOGRAPHY.md:214 explicitly supports flat
singles. Latent — `content/photography/` currently has only `index.md` —
but breaks the first geo-tagged flat single.

### 3.8 `geo-precision` fails open: a typo'd "hidden" publishes coordinates — **MED**

`build/Photography.hs:347-349,312-320`. Only the exact string matches
(`(_, Just "hidden", _) -> return Nothing`); any other value (e.g.
`Hidden`, `hiddn`) falls into `roundCoord`, whose catch-all treats unknown
values as `city` (~10 km rounding) — publishing coordinates the author
meant to suppress. Contradicts the file's own privacy comment (lines
287-289) and the fail-closed precedent for `visibility:` in
`build/Archive.hs:77-83`.

### 3.9 Archive state is process-lifetime cached — `watch` goes stale — **LOW**

`build/ArchiveIndex.hs:123-146` + `build/Archive.hs:304`.
`activeUrls`/`rawIndex`/`rawState` are NOINLINE `unsafePerformIO` CAFs read
once per process, and `archiveRules` reads the manifest in `preprocess`.
Under `site watch`, edits to `manifest.yaml`, `removed.yaml`, or the
regenerated state JSONs are never re-read until restart. One-shot builds
unaffected.

### 3.10 Pinned pages render raw ISO in `$last-reviewed$` — **LOW**

`build/Stability.hs:166-170`. The git branch formats via `fmtIso`
("1 May 2026"); the IGNORE.txt-pinned branch returns the frontmatter value
verbatim ("2026-05-01") — inconsistent display formatting.

### 3.11 Empty/all-comments `manifest.yaml` halts the build — **LOW**

`build/Archive.hs:158-170`. An empty YAML stream decodes as `Null`, which
fails to parse as `[ManifestEntry]` and takes the `exitFailure` branch —
draining the manifest to zero entries is fatal rather than the empty
archive the absent-file branch supports.

### 3.12 Backlinks `normaliseUrl` misses directory-form canonical URLs — **LOW**

`build/Backlinks.hs:275-281`. Strips `.html` but not
`index.html`/trailing slash: a page routed `essays/foo/index.html` keys as
`/essays/foo/index`, but a body link authored `/essays/foo/` doesn't
match — backlink silently dropped. `build/SimilarLinks.hs:97-99` handles
exactly this case and its comment flags the divergence.

### 3.13 SimilarLinks PDF viewer URL not percent-encoded — **LOW**

`build/SimilarLinks.hs:155-164`.
`viewerUrl = "/pdfjs/web/viewer.html?file=" ++ escapeHtml raw` —
`escapeHtml` handles HTML metachars only; a path containing `&`, `?`, `#`,
or spaces breaks the `file=` query value.

### 3.14 Photography feed thumbnails only for directory-form entries — **LOW**

`build/Photography.hs:449-453`. `imgTag` requires `isDir`; flat singles
and series children (`<series>/<photo>.md`) get text-only feed entries,
against PHOTOGRAPHY.md's "thumbnails embedded inline" (lines 36, 445) and
the feed's deliberate inclusion of series children.

### 3.15 Marks: missing confidence/evidence renders a literal "0 TRUST" — **LOW**

`build/Marks.hs:272-278,565`. `computeTrust _ _ = 0` with a comment
claiming the figure "collapses to the bare frame," but
`renderEpistemicFigure` unconditionally calls `renderTrustLabel`, so a
piece with `status:` but no `confidence`/`evidence` (a case MARKS.md:696
says should render) displays a prominent center "0" — indistinguishable
from an authored zero-trust score.

### 3.16 Feature-module NITs

- `build/Catalog.hs:228-235`: two distinct unknown categories render as
  adjacent duplicate "Other" sections (equal rank, `groupBy` on raw
  string).
- `build/Stats.hs:754-777`: `pageTOC` comment says "nine h2 sections";
  lists eleven (matching the eleven rendered).
- `build/SimilarLinks.hs:51-54`: comment says "the template caps the
  display"; the code caps it (`take maxSimilar` at line 80).
- `build/Stats.hs:169-171`, `build/Archive.hs:564-569`: "median" is the
  upper-median for even-length lists.
- `build/Backlinks.hs:133-153`: protocol-relative `//host/path` URLs pass
  `isPageLink` and pollute backlinks.json.
- `build/BibExtras.hs:75-98`: `@string`/`@comment`/`@preamble` blocks
  parsed as citekey entries — only consequential on a citekey/macro-name
  collision.

Verified clean: Marks tick positions/axis order/radii match MARKS.md §3;
proved-confidence trust substitution matches §4.3; Archive's fail-closed
`visibility` validation, removed.yaml conflict rejection, and double-sided
SHA-256 verification all match ARCHIVE.md.

---

## 4. Python & shell tooling

### 4.1 `data/embed-cache-pages.npz.tmp.npz` orphan: explained; cleanup + ignore gaps — **MED**

The orphan (mtime May 26) is the fossil of a fixed bug: an earlier
embed.py passed a bare path to `np.savez_compressed`, numpy appended
`.npz` (verified in numpy's `_savez` source), and the subsequent
`os.replace` raised FileNotFoundError, stranding the file. The current
file-handle code (`tools/embed.py:173-183`) is correct, but: (a) nothing
deletes the stale orphan — **delete it, don't commit it**; (b) the tmp
write has no try/finally, so any mid-write exception strands
`embed-cache-pages.npz.tmp`; (c) the new `.gitignore` entry is exact-path
(`data/embed-cache-pages.npz`) and covers neither `.tmp` nor `.tmp.npz`
variants — widen to `data/embed-cache-pages.npz*`; (d) the fixed tmp name
means two concurrent runs interleave writes.

### 4.2 Corrupt embed cache crashes instead of being discarded — **MED**

`tools/embed.py:154`. The discard path catches
`(OSError, KeyError, ValueError)`, but `np.load` on a truncated `.npz`
raises `zipfile.BadZipFile` (verified MRO: `BadZipFile → Exception`), and
`EOFError` is also uncaught. A half-written cache (exactly what §4.1(b)
can produce) makes every subsequent build print "Warning: embedding
failed" and leaves similar-links/semantic index stale until the file is
manually deleted — the opposite of the docstring's "unreadable →
discarding" contract.

### 4.3 embed.py staleness check structurally defeated by stamp-build-time — **MED**

`tools/embed.py:195-200` + `Makefile:68`. `needs_update()` compares
`_site/**/*.html` mtimes against embed's outputs — but the build order is
`embed.py` → `stamp-build-time.py _site`, and the stamper rewrites the
footer timestamp in essentially every HTML file each build. So every page
is always newer than embed's outputs and the "skip if fresh" fast path
never fires: the full paragraph-embedding pass (and model load) runs on
every build. The new page cache papers over half the cost; the paragraph
pass pays full price every time. Related (`tools/embed.py:297-299`):
model/config changes never invalidate outputs — currently masked by this
bug; fixing one exposes the other.

### 4.4 archive.py writes provenance/index/state non-atomically — **MED**

`tools/archive.py:718-721,734-737,953-957,1077-1080`. All plain
`write_text()`. An interrupt mid-write truncates `PROVENANCE.json`; the
next build's `json.loads` (line 642) raises an unhandled
`JSONDecodeError` — and a truncated provenance is indistinguishable from
corruption in a tool whose whole contract is integrity checking. embed.py
got atomic-write helpers; archive.py did not.

### 4.5 download-leaflet.sh: checksum verification bypassable — **MED**

`tools/download-leaflet.sh:43-47,90`. The early-exit skip checks file
existence only (download-model.sh re-verifies on its skip path), and
`curl -o "$target"` writes directly to the final path: a download that
*fails* `verify_or_warn` aborts via `set -e` *after* the bad file is in
place, and the next run's existence check accepts it permanently. A
MITM'd unpkg.com download survives one failed run and is silently
vendored on the next.

### 4.6 Other download/convert scripts leave partial files in final paths — **LOW**

`tools/download-model.sh:84`: interrupted curl leaves a partial
`model_quantized.onnx`; caught today only because model-checksums.sha256
pins all five files — any unpinned file would persist forever. Use
`-o "$dst.part" && mv`. `tools/convert-images.sh:33`: interrupted cwebp
leaves a partial `.webp` that the `-nt` staleness gate then skips forever
— a truncated WebP ships until manually deleted.

### 4.7 archive.py robustness gaps — **LOW**

- `tools/archive.py:788,795-799`: provenance missing the `artifact` key
  makes `prev_artifact == slug_dir`, then `sha256_of` raises an uncaught
  `IsADirectoryError` instead of the structured "prior snapshot
  incomplete" error.
- `tools/archive.py:614-617,938-940,1066-1068`: non-dict manifest entries
  (`- https://example.com` instead of `- url: ...`) crash with
  `AttributeError: 'str' object has no attribute 'get'`.
- `tools/archive.py:896`: `wayback_save` concatenates the raw URL
  (contrast `wayback_lookup` at 909, which uses `quote(url, safe="")`).

### 4.8 add-popup-source.sh: dead CSP reminder + unvalidated nginx interpolation — **LOW**

`tools/add-popup-source.sh:214`: the connect-src reminder gates on
`[[ "$NEEDS_PROXY" -eq 0 && -n "$UPSTREAM_HOST" ]]`, but `UPSTREAM_HOST`
is only set in the `NEEDS_PROXY -eq 1` branch (lines 124-131) — the
reminder can never print, and the no-proxy case is exactly when it's
needed (the provider will be CSP-blocked with no hint). Line 71: `NAME`
from a free-text prompt is interpolated into
`location /proxy/$NAME/`/`set $upstream_$NAME` with no
`^[a-z0-9-]+$` validation (import-photo.sh validates; this doesn't).

### 4.9 refreeze.sh deletes the freeze before the replacement succeeds — **LOW**

`tools/refreeze.sh:13-16`. `rm -f "$FREEZE"` then `cabal freeze`; a failed
resolve leaves no freeze file (recoverable via git, but write-temp-then-move
is safer).

### 4.10 embed.py / atomic-write NITs — **LOW/NIT**

`tools/embed.py:109-115`: `atomic_write_bytes` uses a fixed `.tmp` name
(concurrent-run collision) and no `fsync` before `os.replace` (power loss
can leave an empty target). Same pattern in `_atomic_write_yaml` of
extract-exif.py:377, extract-palette.py:65, extract-dimensions.py:65.
`tools/embed.py:144`: NpzFile never closed — use
`with np.load(...) as npz:`.

### 4.11 Tooling NITs

- `tools/import-photo.sh:147-155`: on `mogrify -strip` failure the
  EXIF-laden JPEG (GPS, serials) remains under `content/`, where
  `make build`'s `git add content/` could auto-commit it. Delete `$TARGET`
  on that failure path.
- `tools/hooks/pre-commit-marks.sh:28-31`: `awk '{ print $2 }'` truncates
  paths with spaces; the `status:` probe reads the working tree, not the
  staged blob. Advisory-only hook.
- `tools/preset-signing-passphrase.sh:30`: `echo -n "$PASSPHRASE"` eats a
  passphrase starting with `-e`/`-n`/`-E`; use `printf '%s'`.
- `tools/stamp-build-time.py:52-54`: in-place non-atomic rewrite of
  `_site/` HTML.
- `tools/archive.py:244`: `pdftotext` without `--`; a slug starting with
  `-` parses as an option. Same in extract-exif.py:159.
- `tools/monolith-version.txt` records a sha256 (matches the binary
  today, verified) but `find_monolith()` never checks it.

Verified clean: sign-site.sh (atomic sig writes, post-pass manifest
verification); compress-assets.sh and download-pdfjs.sh (mktemp + EXIT
trap, hash verified before extraction); audit-marks.py, viz_theme.py,
extract-dimensions.py, extract-palette.py; embed.py's faiss `-1` padding
is safely filtered; `uv lock --check` passes; model-checksums.sha256 pins
all five model files.

---

## 5. Frontend JavaScript

### 5.1 Score-reader pages never restore theme/settings — **MED**

`templates/score-reader-default.html:10` + `static/js/theme.js:12-13`. The
template loads `theme.js` without `utils.js` (unlike head.html:66-67), so
`window.lnUtils.safeStorage` is undefined and theme/text-size/focus-mode/
reduce-motion all silently fail to restore — a dark-theme user gets a
light flash-and-stay on every score page. Compounding: settings.js (line
15; the template does render the settings toggle) falls back to its no-op
store, so theme picks made on score pages never persist either.

### 5.2 search-filters.js: epistemic filters silently bypass clean-URL pages — **MED**

`static/js/search-filters.js:117-125`. `normUrl()` returns `u.pathname`
verbatim and looks it up in `epistemicMeta[url]`. Verified:
`_site/data/epistemic-meta.json` keys include
`/essays/beyond-comorbidity-indices/index.html` while rendered result
links use `/essays/beyond-comorbidity-indices/`. The lookup misses,
`passes(null)` returns true ("no metadata = don't filter"), so every
directory-style page bypasses all active epistemic filters. Flat `.html`
pages match fine, which hides the bug.

### 5.3 viz.js ignores the cappuccino theme — **MED**

`static/js/viz.js:94-99`. `isDark()` knows only
`'dark'`/`'light'`/OS-preference, but theme.js/settings.js support
`'cappuccino'` — a dark-brown theme (`--bg: #553a28`, base.css:203). With
OS-light + cappuccino, charts render the LIGHT config (near-black marks
and axis labels) on a dark background.

### 5.4 collapse.js localStorage keys collide across pages — **MED**

`static/js/collapse.js:44,83`. Key is
`'section-collapsed:' + heading.id` with no pathname namespace (contrast
annotations.js). Pandoc auto-slugs (`#introduction`, `#background`) recur
across essays, so collapsing "Introduction" on one essay collapses it
everywhere. Also uses raw `localStorage` rather than
`lnUtils.safeStorage`.

### 5.5 semantic-search.js: stale-response race + duplicate index fetch — **MED**

`static/js/semantic-search.js:117-144`. `runSearch` has no generation
token; overlapping queries render in promise-resolution order, so an
older query's hits can replace a newer one's (with `setStatus('')`
masking it). `loadIndex()` (42-59) has no in-flight-promise dedup (unlike
`loadModel`'s `loadModelPromise`), so concurrent first searches fetch
`semantic-index.bin` + `semantic-meta.json` twice.

### 5.6 lightbox.js: aria-modal with no focus trap, no keyboard activation — **MED**

`static/js/lightbox.js`. Overlay sets `role="dialog"` +
`aria-modal="true"` but has no Tab handling (gallery.js's `trapTab` at
235-257 shows the in-repo pattern) — focus walks into the obscured page.
Trigger images get only a `click` listener and no `tabindex`/keydown, so
keyboard users can't open it; `close()` focuses a non-focusable `<img>`,
which no-ops.

### 5.7 Frontend LOWs

- `static/js/gallery.js:122-125,270-275`: math/score overlay is
  click-only (no role/tabindex/keydown); `closeOverlay()` focus-returns
  to a non-focusable div — focus drops to `<body>`.
- `static/js/popups.js:478,515`: the Wikipedia provider's
  `decodeURIComponent` runs synchronously before the `.catch` attaches —
  a malformed percent sequence in a link path throws an uncaught
  `URIError` per hover.
- `static/js/popups.js:359,390`: fetched monogram SVG injected via
  `innerHTML` unescaped — the single unsanitized path in an otherwise
  fully escaped pipeline. Build-authored content, so not exploitable
  today; the comment acknowledges the trust assumption.
- `static/js/citations.js`: dead file — no template loads it; popups.js
  supersedes it. If ever re-added it would double-bind and inject
  bibliography innerHTML without popups.js's cloned-node hardening.
  Delete.
- `static/js/nav.js:26,30-31`: raw `localStorage` unguarded; if storage
  access throws, the throw lands before `toggle.addEventListener`,
  leaving the Portals toggle completely dead (utils.js exists precisely
  for this).
- `static/js/annotations.js:209-215`: marks are mouse-only; the tooltip's
  Delete button is unreachable by keyboard (only recourse is the
  all-or-nothing "Clear Annotations").
- `static/js/search.js:10`: unguarded `new PagefindUI(...)` — if the
  pagefind bundle 404s, the ReferenceError aborts the whole handler
  including the `?q=` pre-fill that the selection-popup "Here" flow
  depends on.
- `static/js/semantic-search.js:55-56,96-107`: no
  `vectors.length === meta.length * DIM` consistency check — a stale
  CDN-cached mismatch yields NaN scores and silently garbage ranking.
  (Current files verified consistent: 1,256,448 bytes = 818 × 384 × 4.)
- `static/js/transclude.js:149-151` + `collapse.js:111-114`: nested
  transcludes render a bare placeholder (no rescan of injected content);
  `reinitCollapse` is not idempotent (would stack toggle buttons if ever
  called twice on the same container).
- `static/js/popups.js:985-988,1009-1014`: `daysBetween` uses `Math.abs`,
  so future dates render "N days ago" (now.js:17 handles this correctly).

### 5.8 Frontend NITs

- `static/js/copy.js:20-22,39`: code-less `<pre>` fallback copies the
  "copy" button label along with content.
- `static/js/score-reader.js:50`: URL rewritten to `?p=1` on every load
  even without a `?p=` param.
- `static/js/search-filters.js:271`: `parseInt(v,10) || 0` turns junk
  threshold input into an active ≥0 filter that matches everything.
- `static/js/selection-popup.js:90-95`: shift-keyup while typing capitals
  in the annotation picker re-summons the selection toolbar over it.

Verified clean: the semantic-search ↔ embed.py contract post-model-split
(DIM 384, 818-entry meta, no prefix for MiniLM — the nomic
`search_document:` prefix is confined to the build-only page path); XSS
escaping across semantic-search, popups providers, map tooltips,
annotations (sole exception §5.7 monogram); theme.js ↔ settings.js
storage schema identical; all JS selector contracts against templates
(including the uncommitted head/nav edits); popups/sidenotes
double-init guards; settings.js and gallery.js focus traps.

---

## 6. Templates & content

### 6.1 Draft in undocumented location is never built — **MED**

`content/drafts/inclusionist-manifesto.md`. WRITING.md:34 says drafts go
under `content/drafts/essays/`; `draftEssayPattern`
(`build/Patterns.hs:46-49`) matches only that, so this file is invisible
even to `make watch`/`make dev` — silently orphaned.

### 6.2 SIMD/PQC essay `repository:` URL 404s — **MED**

`content/essays/where-does-simd-help-post-quantum-cryptography/index.md:24`.
`https://git.levineuwirth.org/where-simd-helps` is missing the owner
segment — verified HTTP 404, while the sibling essay's
`.../neuwirth/beyond_comorbidity_indices` returns 200.

### 6.3 Tracked drafts contradict the gitignore policy — **MED**

`.gitignore:88` ignores `content/drafts/` as local-only "working notes,"
but `git ls-files -i -c` shows four tracked drafts
(`digital_progeny.md`, `modern_idolatry.md`, `test-essay.md`,
`university_care.md`) — ignore rules don't untrack, so edits are
auto-staged by `make build` and pushed publicly by deploy. The over-broad
`**/.env.*` pattern also matches the tracked `.env.example`.

### 6.4 Template/content LOWs and NITs

- `content/colophon.md:5`: `modified:` is dead frontmatter — nothing
  reads it; `$date-modified$` (page-footer.html:108) is Hakyll's
  `dateField` over the `date` key.
- Seven files end frontmatter with a valueless `confidence-history:`
  (YAML null; WRITING.md:97 documents a list of ints) — harmless, but
  `content/essays/scaling_outage.md` also retains the full WRITING.md
  scaffold comments in a published essay.
- `static/images/canto31.jpg`: still 4.0 MB (prior-audit §6.1 unfixed).
- `templates/blog-post.html:25,34`: `id="similar-links"` appears twice in
  mutually exclusive `$if$` branches — safe, fragile under edit.
- `content/drafts/essays/digital_progeny.md`: title duplicates the
  published "The Specification Dilemma" — stale draft.
- Frontmatter flags `home:`/`library:`/`links:`/`search:`/`portal:` are
  consumed (head.html CSS gates, default.html:6 `data-portal`) but
  undocumented in WRITING.md.

Verified clean: all `$partial(...)$` includes resolve; all ~140 distinct
template variables have context providers; no missing `alt` attributes,
tag-balance failures, or within-page duplicate IDs in composed pages; all
26 CSS files referenced by head.html exist; sampled enum values across
all sections are legal per WRITING.md and Contexts.hs validation lists.

---

## 7. Documentation / spec drift (WRITING.md, README.md)

### 7.1 `js:` page-script paths documented as content-relative; emitted root-relative — **MED**

`WRITING.md:773-775` vs `templates/default.html:37`
(`<script src="/$script-src$" defer>`). The doc claims a composition's
`js: scripts/widget.js` serves at `/music/symphony/scripts/widget.js`; the
template emits raw root-relative frontmatter. The only current user
(memento-mori) works by coincidence of its root-level route. A
composition following the doc would 404.

### 7.2 "Standalone page `content/my-page/index.md`" has no generic rule — **MED**

`WRITING.md:20` presents directory-form standalone pages as a general
capability; `build/Site.hs` hardcodes only `content/me/index.md` (293) and
`content/memento-mori/index.md` (307); the generic rule (351) matches flat
`content/*.md` only. A new `content/my-page/index.md` silently doesn't
build.

### 7.3 Portal table lists 8 portals; the build has 9 — **MED**

`WRITING.md:221-231` omits Photography, which is in `homePortals`
(`build/Site.hs:50-60`), the nav, and `content/tag-meta/photography.md`.

### 7.4 Three implemented frontmatter fields undocumented — **MED**

WRITING.md:3 claims to cover "all frontmatter fields"; zero hits for:
`summary:` (`build/Contexts.hs:415-427`, rendered by essay.html:16 and
reading.html:12, in live use), `revised:` (`build/Contexts.hs:815`
`getRevisions` — drives `$date-display$`/`$date-original$`/
`$revision-note$` and list sort order), `keywords:`
(`build/Contexts.hs:283` → `/bibliography/<kw>/` links).

### 7.5 Documentation LOWs

- `WRITING.md:268-269,82`: default citation style called "Chicago
  Author-Date"; the injected CSL (`build/Citations.hs:114,167-168`) is
  `data/chicago-notes.csl`, titled "Chicago Notes Bibliography".
- `README.md:12,19`: `make watch` described as "rebuilds on save without
  a server"; it runs Hakyll's preview server (WRITING.md:1139 has it
  right).
- `WRITING.md:105-109`: `history:` example ordering contradicts the code
  (see §3.5).

---

## 8. nginx, Makefile & deployment

### 8.1 Multi-line CSP value embeds literal `\` + LF bytes — **MED**

`nginx/security-headers.conf:60-71`. The
`Content-Security-Policy-Report-Only` value is a single quoted string
spanning 12 lines with trailing `\` characters — nginx has no
line-continuation inside quoted strings, so the emitted header contains
raw backslash, LF, and leading-space bytes between directives. Raw LF in
a header value is illegal in HTTP/2 (vhost example enables `http2 on`);
strict clients reject the whole response. Sent on every response even as
Report-Only. Must be collapsed to one line.

### 8.2 CSP gaps that will fire under enforcement — **MED**

`nginx/security-headers.conf:66-67`. (a) `font-src 'self' data:` blocks
KaTeX webfonts: head.html:61 loads `katex.min.css` from cdn.jsdelivr.net,
whose relative font URLs resolve to the CDN. (b) `connect-src 'self'`
blocks the onnxruntime `.wasm` that transformers.js v2 (dynamically
imported in `static/js/semantic-search.js:25`) fetches from jsdelivr —
the config comment covers the same-origin model files but not the
runtime. Both latent while Report-Only.

### 8.3 Makefile auto-commit sweeps any pre-staged changes — **MED**

`Makefile:28-29`. `git add content/` followed by
`git diff --cached --quiet || git commit -m "auto: ..."` commits the
*entire index* — anything previously staged gets folded into an
`auto: <timestamp> [skip ci]` commit and pushed publicly on deploy. Use
`git commit -- content/` or verify no foreign paths are staged.

### 8.4 Makefile LOWs

- pdf-thumbs: the `find | while read` pipeline swallows `pdftoppm`
  failures (loop exit status is the last iteration's) — a corrupt PDF
  silently ships without a thumbnail.
- deploy: prerequisite order `clean build sign` is guaranteed only under
  serial make; no `.NOTPARALLEL:` guard for `-j` invocations. (Confirmed:
  deploy does run `clean` first; `.PHONY` is complete; `.env` export
  allowlist is sound.)
- `tools/hooks/pre-commit-marks.sh` is documented (Makefile:175 comment)
  but not installed — `.git/hooks/` has only samples and `core.hooksPath`
  is unset.

Verified clean: all seven `data/` JSON/YAML files parse;
`data/embed-cache-pages.npz` is untracked, so the new gitignore entry is
fully effective; nginx archive.conf's add_header-inheritance re-include is
correct; no redirect loops; popup-proxy rate-limit/cache zones correctly
documented for http{} scope.

---

## 9. Working-tree diff review (branding refresh + embed split)

The model contract is **intact** — the diff splits one MiniLM pipeline
into two: pages now use nomic-embed-text-v1.5 (768d, build-only, for
similar-links.json); paragraphs stay on all-MiniLM-L6-v2@c9745ed (384d,
the browser contract). download-model.sh, model-checksums.sha256,
semantic-search.js (`DIM = 384`), and both WRITING.md lines (1108 nomic
for Related-pages, 1128 MiniLM for client search) are all consistent.
Icon declarations all match real files (verified with `file`: apple-touch
180×180, favicon-96 96×96, manifest PNGs 192/512, og-image 1200×630
matching declared og:image dimensions; the webp sidecar was regenerated).

Open items beyond §1.3/§1.4/§4.1:

### 9.1 32.8 KB traced SVG inlined into every page — **MED**

`templates/partials/logo-mark.svg` (32,818 bytes, potrace-style single
giant `<path>`) is inlined via the nav partial into every HTML page —
a ~33 KB per-page weight regression (pre-compression). The two-tone
`--logo-ink`/`--logo-bg` cutout (components.css:72-98) genuinely needs
inline SVG or `<use>`; an external sprite + `<use href>` restores
cacheability. Better still: a hand-drawn or simplified path — a traced
bitmap at nav size carries detail that can never resolve.

### 9.2 Icon asset bloat — **LOW**

`static/favicon.ico` is now 71,766 bytes; parsed directory shows
16/32/48/64/128/256 px entries, the 128+256 pair alone 55.8 KB. The .ico
is only the legacy fallback (modern browsers take the SVG); 16+32+48
(~8 KB) is conventional. `static/favicon.svg` is a 32,844-byte traced
path. `static/images/link-icons/internal.svg` went ~2 KB → 32,818 bytes
yet renders at 0.7–1.6 rem via CSS mask in three stylesheets
(components.css:853, typography.css:833, popups.css:161).

### 9.3 Webmanifest regressions — **NIT**

`static/site.webmanifest`: `purpose` changed maskable→`any` for both
icons (Android adaptive launchers will letterbox; convention is separate
`any` + `maskable` entries); still no `start_url`/`scope`/`description`
(Lighthouse installability warnings). JSON valid; icons verified.

---

## 10. Prior audit (AUDIT.md 2026-05-07) follow-up

| Finding | Status |
|---|---|
| §1.1 freeze unsolvable | **Effectively still open** — aeson pin fixed, but the freeze broke again via `distributive` after a system update (§1.1 above); the underlying freeze-vs-system-db fragility is unaddressed |
| §1.3 Python version mismatch | Fixed (`requires-python = ">=3.14"` matches `.python-version`) |
| §1.4 model checksums | Fixed (`tools/model-checksums.sha256`, 5 entries) |
| §9.1 nginx headers | Fixed (`nginx/security-headers.conf` + vhost example, README'd) — but see §8.1/§8.2 for new issues in that file |
| §6.1 `canto31.jpg` 4 MB | **Unfixed** |
| robots.txt / sitemap | Fixed (Site.hs:941/963, present in `_site/`) |
| README `paper/`/`spec.md` ghosts | Fixed |
| rsync target quoting | Fixed |
| date-quoting doc | Fixed (WRITING.md:106) |
| tag-meta no-title exception | Fixed (WRITING.md:238-251) |

---

## Suggested triage order

1. ~~`tools/refreeze.sh`~~ (§1.1 — in progress)
2. Delete `data/embed-cache-pages.npz.tmp.npz`; widen the gitignore
   pattern; `git add` `logo-mark.svg` + `og-image.png` before committing
   the branding diff (§1.4, §4.1)
3. Guard `ArchiveIndex.hs` file reads with `doesFileExist` (§1.2)
4. Pin or sandbox the nomic remote code (§1.3)
5. Fix the `/fiction/`–`/poetry/` 404s (§2.1) and the production-visible
   frontend MEDs (§5.1, §5.2)
6. Collapse the nginx CSP to one line before ever flipping it to
   enforcing (§8.1, §8.2)
7. The rest by severity as time allows