https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-05-28T16:04:57.521070+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/914718f9-4155-49b4-b29c-5201f514b941/export914718f9-4155-49b4-b29c-5201f514b9412026-05-28T16:04:57.876047+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "914718f9-4155-49b4-b29c-5201f514b941", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "Telegram/Iwb1D9IzvS2orK-cp1WadfQSK7-RMozGWg0hCvnc74bOZ8s", "content": "", "creation_timestamp": "2021-11-02T20:27:58.000000Z"}2021-11-02T20:27:58+00:00https://vulnerability.circl.lu/sighting/92e19daa-c8e0-48a1-8d91-b50ae7623344/export92e19daa-c8e0-48a1-8d91-b50ae76233442026-05-28T16:04:57.875960+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "92e19daa-c8e0-48a1-8d91-b50ae7623344", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/habr_com_news/698", "content": "\u200b\u0418\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u043e\u043f\u0438\u0441\u0430\u043b\u0438 \u043a\u043e\u043d\u0446\u0435\u043f\u0442 \u0430\u0442\u0430\u043a\u0438 Trojan Source\n\n\u0411\u0440\u0438\u0442\u0430\u043d\u0441\u043a\u0438\u0435 \u0443\u0447\u0435\u043d\u044b\u0435 \u0438\u0437 \u043a\u0435\u043c\u0431\u0440\u0438\u0434\u0436\u0441\u043a\u043e\u0433\u043e \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0438\u0442\u0435\u0442\u0430 \u0420\u043e\u0441\u0441 \u0410\u043d\u0434\u0435\u0440\u0441\u043e\u043d \u0438 \u041d\u0438\u043a\u043e\u043b\u0430\u0441 \u0411\u0430\u0443\u0447\u0435\u0440, \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043b\u0438 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e \u043e\u043f\u0438\u0441\u0430\u043b\u0438 \u043a\u043e\u043d\u0446\u0435\u043f\u0442 \u0430\u0442\u0430\u043a\u0438 Trojan Source \u0441 \u0438\u043d\u0434\u0435\u043a\u0441\u043e\u043c CVE-2021-42574. \u041e\u043d\u0430 \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u0435\u0442\u0441\u044f \u0432 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 \u0432 \u043b\u0438\u0441\u0442\u0438\u043d\u0433 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u043e\u043b\u0435\u0439 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0435\u0432. \u0421\u0430\u043c \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 \u0443\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438 \u043d\u0430 GitHub.", "creation_timestamp": "2021-11-03T08:20:47.000000Z"}2021-11-03T08:20:47+00:00https://vulnerability.circl.lu/sighting/dc2db534-68fc-4645-8eab-36e8f53a8252/exportdc2db534-68fc-4645-8eab-36e8f53a82522026-05-28T16:04:57.875886+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "dc2db534-68fc-4645-8eab-36e8f53a8252", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "Telegram/QwmctutZhDu7jrXaU5oyRyKKwHKFEtgOupcJXhz2cTVjfw", "content": "", "creation_timestamp": "2021-11-03T15:01:34.000000Z"}2021-11-03T15:01:34+00:00https://vulnerability.circl.lu/sighting/830585cc-afd3-4c36-97f1-a36700673bde/export830585cc-afd3-4c36-97f1-a36700673bde2026-05-28T16:04:57.875804+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "830585cc-afd3-4c36-97f1-a36700673bde", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/818", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aChecks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks. See CVE-2021-42574 \nURL\uff1ahttps://github.com/maweil/bidi_char_detector", "creation_timestamp": "2021-11-07T00:33:04.000000Z"}2021-11-07T00:33:04+00:00https://vulnerability.circl.lu/sighting/ded46284-5428-42de-b55c-d693bac1f2c4/exportded46284-5428-42de-b55c-d693bac1f2c42026-05-28T16:04:57.875704+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "ded46284-5428-42de-b55c-d693bac1f2c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/4889", "content": "#Analytics\nTop 10 Most Used Vulns of the Month (Nov 1-30)\nCVE-2021-22205 - GitLab CE/EE RCE\nhttps://t.me/cybersecuritytechnologies/4602\nCVE-2021-30883 - iOS IOMFB Vuln\nhttps://t.me/cybersecuritytechnologies/4497\nCVE-2021-3064 - Memory Corruption in PAN-OS GlobalProtect Portal/Gateway Interfaces\nhttps://t.me/cybersecuritytechnologies/4724\nCVE-2021-41379 - Windows Installer LPE\nhttps://t.me/cybersecuritytechnologies/4813\nCVE-2021-42321 - MS Exchange Post-Auth RCE\nhttps://t.me/cybersecuritytechnologies/4809\nCVE-2021-40539 - Zoho ManageEngine Auth. Bypass\nhttps://t.me/cybersecuritytechnologies/4718\nCVE-2021-41277 - MetaBase Arbitrary File Read\nhttps://t.me/cybersecuritytechnologies/4802\nCVE-2021-43267 - Remote Kernel Heap Overflow in TIPC\nhttps://t.me/cybersecuritytechnologies/4678\nCVE-2021-42574 - Unicode Bidirectional override vuln\nhttps://github.com/js-on/CVE-2021-42574\nhttps://github.com/pierDipi/unicode-control-characters-action\nCVE-2021-24084 - Windows MDM LPE\nhttps://t.me/cybersecuritytechnologies/4850", "creation_timestamp": "2021-12-03T11:00:35.000000Z"}2021-12-03T11:00:35+00:00https://vulnerability.circl.lu/sighting/ac181c90-fa1f-45d5-9b63-6c4a5ce2ea73/exportac181c90-fa1f-45d5-9b63-6c4a5ce2ea732026-05-28T16:04:57.875596+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "ac181c90-fa1f-45d5-9b63-6c4a5ce2ea73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-4257", "type": "seen", "source": "https://t.me/cibsecurity/54828", "content": "\u203c CVE-2021-4257 \u203c\n\nA vulnerability was found in ctrlo lenio. It has been declared as problematic. This vulnerability affects unknown code of the file views/task.tt of the component Task Handler. The manipulation of the argument site.org.name/check.name/task.tasktype.name/task.name leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 698c5fa465169d6f23c6a41ca4b1fc9a7869013a. It is recommended to apply a patch to fix this issue. VDB-216214 is the identifier assigned to this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-19T19:48:04.000000Z"}2022-12-19T19:48:04+00:00https://vulnerability.circl.lu/sighting/259755fe-b1a8-41ed-aae7-839059f7d734/export259755fe-b1a8-41ed-aae7-839059f7d7342026-05-28T16:04:57.875508+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "259755fe-b1a8-41ed-aae7-839059f7d734", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42575", "type": "seen", "source": "https://t.me/ctinow/182047", "content": "https://ift.tt/yHF5YZl\nCVE-2021-42575 | Oracle Hyperion Planning 11.2.14.0.000 Hub input validation", "creation_timestamp": "2024-02-09T14:57:12.000000Z"}2024-02-09T14:57:12+00:00https://vulnerability.circl.lu/sighting/10842011-3b81-45f7-a16f-66fdb3920081/export10842011-3b81-45f7-a16f-66fdb39200812026-05-28T16:04:57.875417+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "10842011-3b81-45f7-a16f-66fdb3920081", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/zeyi2/ef0acd0169c043f94a62282d357255f4", "content": "", "creation_timestamp": "2025-11-08T07:36:32.000000Z"}2025-11-08T07:36:32+00:00https://vulnerability.circl.lu/sighting/ea161b75-0051-4c9c-9923-5d4725d656fb/exportea161b75-0051-4c9c-9923-5d4725d656fb2026-05-28T16:04:57.875276+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "ea161b75-0051-4c9c-9923-5d4725d656fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/stackbleed-ctrl/b7b2f989c6e06be627285851f6176f92", "content": "", "creation_timestamp": "2026-03-16T21:16:24.000000Z"}2026-03-16T21:16:24+00:00https://vulnerability.circl.lu/sighting/6bba259b-b565-4b31-af8b-99ca01202f32/export6bba259b-b565-4b31-af8b-99ca01202f322026-05-28T16:04:57.871310+00:00Automation userhttps://vulnerability.circl.lu/user/automation{"uuid": "6bba259b-b565-4b31-af8b-99ca01202f32", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42574", "type": "seen", "source": "https://gist.github.com/serpi4/aba8a4ee71a0b5033f1f2918195fdd95", "content": "# dev-signals \u2192 dev-a substrate reconciliation \u2014 survey of 12 candidate predicates\n\n**Purpose**: facilitate decision on Option (3) \u2014 bulk reconcile vs sequential re-lift \u2014 by surveying what's actually in the dev-signals substrate.\n\n**Date**: 2026-05-10\n**dev-a tip**: `10defe8c` (3 predicates: FF-22/23/46)\n**dev-signals tip**: `594d3368` (14 predicates: FF-22 + 13 unique)\n**Subject of immediate Q**: FF-39 (excluded from this survey \u2014 assessed separately)\n**Survey target**: 12 dev-signals-only predicates (FF-28/29/34/35/36/37/38/40/41/42/43/45) + a note on FF-22 divergence\n\n> **Why 12 and not 11**: the original Q referenced \"remaining 11\"; counting the actual dev-signals-only set yields 12 (excluding FF-39 + FF-22-which-is-on-both). FF-22 also has a 217-line divergence between dev-a and dev-signals \u2014 included as Annex A.\n\n---\n\n## TL;DR\n\n| Bucket | FFs | Recommendation |\n|---|---|---|\n| **A. Strong-architectural** (clear AC candidate, anchor incidents, generalizing principle) | FF-40, FF-42, FF-43, FF-45 | Port with adaptation \u2014 high signal, modest re-derivation cost |\n| **B. Medium-architectural** (architectural in spirit, but heuristic classification or domain-leaning) | FF-28, FF-29, FF-34, FF-36 | Port if the matching AC slot exists \u2014 lift gate Q1/Q2 will likely pass |\n| **C. Borderline / process-flavored** (might fail Q1 \"is it architectural?\" or Q3 \"anchor evidence?\") | FF-35, FF-37, FF-38, FF-41 | Architectural-lift gate first; some likely demote to integration tests / ADRs / process-FFs |\n| **Subject** | FF-39 | Pick (1) or (2) per separate convo; this gist informs the (3) frame |\n\n**Bucket A** alone is ~5 days of port work (saves ~20+ days of from-scratch lift).\n**Bucket A+B** is ~11 days port (saves ~40+ days from-scratch).\n**Bucket C** likely 1-2 demote out of the lift entirely.\n\n---\n\n## Quick stats (dev-signals predicates)\n\n| FF | LOC | Tier | Kind | Coverage | Scope | Anchor incidents |\n|---|---:|---|---|---|---|---|\n| FF-22 | 273+217=490 | regex | (n/a, on dev-a) | cross-cutting | atomic | TASK-4173, TASK-4204 |\n| FF-28 | 265 | regex | trend (implicit) | cross-cutting | atomic | B1 typo, /admin/ops/* (lessons-learned 2026-04-27) |\n| FF-29 | 164 | regex | trend (implicit) | cross-cutting | holistic | EventOpsNavBlock drop (2026-04-27, ~7d undetected) |\n| FF-34 | 308 | regex | **tripwire** | domain-specific | holistic | TASK-4161, TASK-4291 (ADR-046) |\n| FF-35 | 183 | ast-grep | **tripwire** | domain-specific | atomic | TASK-4307 (ADR-048) |\n| FF-36 | 245 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-37 | 283 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-38 | 501 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive) |\n| FF-39 | 385 | regex | (subject) | cross-cutting | holistic | (none cited) |\n| FF-40 | 327 | ast-grep | trend (implicit) | cross-cutting | holistic | (none \u2014 preventive, ADR-005) |\n| FF-41 | 276 | fs-walk | trend (implicit) | cross-cutting | holistic | (none \u2014 process-FF) |\n| FF-42 | 251 | regex | **tripwire** | cross-cutting | atomic | ZWSP/ICU translator copy-paste class, CVE-2021-42574 |\n| FF-43 | 185 | fs-walk | **trend** (declared) | cross-cutting | holistic | 2026-04-29 ID collision crisis (TASK-4250..4254) |\n| FF-45 | 249 | regex | **trend** (declared) | cross-cutting | holistic | 2026-04-29 retro (no-build-id forensics gap) |\n\n**Total dev-signals-only LOC**: 3,622 across 13 predicates (avg 279 LOC each)\n**Total fixtures across 12 surveyed**: 117 corpus files\n\n---\n\n## Per-FF assessment\n\n### Bucket A \u2014 Strong-architectural (port with high confidence)\n\n#### FF-40 \u2014 BC Coupling Trend (LOC-weighted isolation gradient)\n- **Principle**: ADR-005 \u2014 no cross-BC value imports. Generalizes to \"every BC is a clean island\" \u2014 same shape as Conway's Law decoupling, hexagonal-arch port boundaries.\n- **AC candidate**: **AC-04 \u2014 Module-Boundary Discipline** (charter has placeholder \"Module-boundary discipline \u2014 backed by FF-01, FF-40\").\n- **Lift gate verdict**: PASS. Q1 architectural \u2713 (cross-BC coupling is universal arch concern). Q2 generalizes \u2713 (all 6 BCs). Q3 anchor evidence \u2014 **WEAK** (no specific incidents cited; preventive). Q4 falsifiable \u2713. Q5 escapable via SAFE annotation \u2713. Q6 detector tier appropriate \u2713.\n- **Port effort**: 1-2 days. Logic is solid; needs `kind: 'trend'` declared, AC-04 charter entry, anchor-incident hunt (look at FF-01 v1 violations for backfill).\n- **Note**: substantial overlap with FF-36 (cross-BC events) \u2014 same imports, different scoring. Decide if both port or pick one.\n\n#### FF-42 \u2014 Invisible Unicode Detector\n- **Principle**: source files must contain only printable+intentional characters. Maps to **AC-05 \u2014 Source Integrity / Trojan-Source Defense** (would be a NEW AC).\n- **Lift gate verdict**: PASS. Q1 \u2713 (security boundary, CVE-2021-42574 class). Q2 \u2713 (any source file). Q3 \u2713 (translator copy-paste class, ZWSP equality bugs). Q4 \u2713 (lexical detection). Q5 \u2713 (SAFE annotation). Q6 \u2713 (regex tier appropriate).\n- **Port effort**: 1 day. Already declared `kind: 'tripwire'`. Needs new AC-05 charter entry.\n- **Strongest case in the survey** \u2014 clear bug class, framework-agnostic principle, cheap detection.\n\n#### FF-43 \u2014 Backlog Ticket-ID Uniqueness (trend)\n- **Principle**: ID-space integrity for the project's traceability spine. Maps to **AC-06 \u2014 Traceability** (charter has placeholder \"Traceability \u2014 backed by FF-25, FF-26, FF-43\").\n- **Lift gate verdict**: PASS-with-note. Q1 architectural \u2713 (traceability is a quality attribute per Ford ch.2). Q2 \u2713 (whole backlog). Q3 \u2713 (2026-04-29 collision crisis). Q4 \u2713 (filename detection). Q6 \u2713 (fs-walk).\n- **Note**: technically a **process-FF / Ford-canonical** (not code-architecture). Charter entry would explain that distinction.\n- **Port effort**: 0.5 day. Already declared `kind: 'trend'`. Needs AC-06 entry consolidating with FF-25/26.\n\n#### FF-45 \u2014 Build-Version Exposure (ADR-034 \u00a75)\n- **Principle**: deployed images must be self-identifying for incident forensics. Maps to **AC-07 \u2014 Diagnosability** (charter has placeholder \"Diagnosability \u2014 backed by FF-27, FF-45\").\n- **Lift gate verdict**: PASS. Q1 \u2713 (observability/diagnosability is a textbook architectural characteristic). Q2 \u2713 (every Docker build site). Q3 \u2713 (2026-04-29 retro, build-id forensics gap). Q4 \u2713 (regex). Q6 \u2713.\n- **Port effort**: 1 day. Already declared `kind: 'trend'`. Needs AC-07 entry.\n\n**Bucket A total**: ~4 days port + 4 new AC entries + ~36 corpus fixtures preserved.\n\n---\n\n### Bucket B \u2014 Medium-architectural (port if AC slot exists)\n\n#### FF-28 \u2014 Admin HREF Validity\n- **Principle**: framework-mounted route table is the truth; static hrefs must agree. Maps to existing **AC-02 (Admin-List Primary-Column Navigability)** as a peer invariant, OR a new \"Admin UI Surface Integrity\" AC consolidating FF-28/29.\n- **Lift gate verdict**: PASS. Q1 \u2713 (mental-model-drift class generalizes). Q2 \u2713 (cross-BC). Q3 \u2713 (B1 typo, /admin/ops/* drops). Q4-Q6 \u2713.\n- **Port effort**: 1.5 days. Route registry needs refresh (hardcoded snapshot from 2026-05-03 \u2014 likely already stale on dev-a). No `kind:` declared \u2192 needs `tripwire` (each broken href = silent regression).\n- **Risk**: route registry maintenance cost \u2014 every collection slug change requires an update. Could be auto-derived from payload.config.ts.\n\n#### FF-29 \u2014 Admin Shell Wiring\n- **Principle**: components that don't get referenced from config are dead. Companion to FF-19. Same AC slot as FF-28 (Admin UI Surface Integrity).\n- **Lift gate verdict**: PASS. Q1 \u2713. Q2 \u2713 (any shell component). Q3 \u2713 (EventOpsNavBlock incident). Q4-Q6 \u2713.\n- **Port effort**: 1 day. Probably consolidate with FF-28 into one \"admin-config-vs-code drift\" lift.\n\n#### FF-34 \u2014 Invariant Parity (ADR-046 cross-layer enforcement)\n- **Principle**: if you publish a pure invariant module, it must be consumed by both server hooks AND client UI (otherwise bare PATCH bypasses the gate). **Already declared `kind: 'tripwire'`**.\n- **AC candidate**: NEW \u2014 **AC-08 \u2014 Cross-Layer Enforcement Discipline** (would map to \"tripwire FF for ADR-046 violations\"). Or fold into a broader \"Approval Pipeline Input Fidelity\" extension (AC-01 already exists for FF-46 \u2014 but that's about preservation, not parity).\n- **Lift gate verdict**: PASS, but Q1 is borderline. Axes declares `coverage: 'domain-specific'` \u2014 acknowledging the rule is project-specific (ADR-046 + ADR-006). Q2 generalizes across BCs \u2713 (any pure-invariant module). Q3 \u2713 (TASK-4161, TASK-4291).\n- **Port effort**: 2 days. Architectural-lift gate Q1 will need defense \u2014 \"is this architectural or domain?\" The principle (cross-layer enforcement of pure functions) is architectural; the specific mechanism (ADR-046 module convention) is project-specific. Frame it as ADR-046 \u2192 arch char.\n\n#### FF-36 \u2014 Cross-BC Event Coverage\n- **Principle**: cross-BC interactions must mediate via eventBus, not direct imports. Same AC-04 as FF-40 (or sibling).\n- **Lift gate verdict**: PASS. Q1-Q6 mirror FF-40.\n- **Port effort**: 1.5 days. **Note overlap with FF-40** \u2014 they detect the same import pattern but score differently (FF-36 = D/(D+E), FF-40 = LOC-ratio). Worth deciding if both add signal or one is redundant.\n\n**Bucket B total**: ~6 days port if all four ported; could collapse to ~4 days if FF-28+29 merged and FF-36/40 merged.\n\n---\n\n### Bucket C \u2014 Borderline / process-flavored\n\n#### FF-35 \u2014 State-Transition Idiom (ADR-048)\n- **Principle**: `dispatchFields` is racy under React 18 batching \u2192 use `submit({ overrides })`. Already declared `kind: 'tripwire'`.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 the rule is **specific to one Payload UI primitive in one BC pattern** (admin gate components). Q2 generalizes across \"transition fields\" but only within Payload admin gates. The principle (avoid stale-snapshot reads) is architectural; the specific manifestation is narrow.\n- **Recommendation**: **lift gate first** \u2014 likely demotes to ADR-048 enforcement test, not a top-level FF. Or keep as a tripwire under a \"React Concurrency Discipline\" AC if other patterns surface.\n- **Port effort if kept**: 1 day.\n\n#### FF-37 \u2014 Hook Side-Effect Declarativeness\n- **Principle**: hooks should be EMITS / AUDIT_WRITES / PURE / OPAQUE; declarative ratio measures architectural debt.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 declarativeness IS an architectural characteristic. Q3 \u2014 **no anchor incidents cited**. Q4 \u2014 classification heuristic is fragile (e.g., \"import-anchored publish() detection\" can false-positive/negative).\n- **Recommendation**: lift gate first. Likely outcome: defer until anchor incidents surface OR demote to \"hook code review checklist\" via `.claude/skills/`. The 4-class classification has subjective edges.\n- **Port effort if kept**: 2 days.\n\n#### FF-38 \u2014 Access Control Completeness\n- **Principle**: scope filters (Where conditions) are stronger than role-only checks. Score = STRONG / total.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2713 (security boundary). Q3 \u2014 **no anchor incident**; this is a preventive gradient. Q4 \u2014 STRONG vs ROLE_ONLY classification is heuristic and false-positive prone (e.g., a role check inside `where:` clause might miscount). Q6 \u2014 501 LOC suggests the heuristic is fragile.\n- **Recommendation**: lift gate first. Probably lands as report-only-forever \u2014 useful as a surveillance metric but not a tripwire. Could re-frame as ADR-009 enforcement audit.\n- **Port effort if kept**: 2 days. Highest LOC in the set.\n\n#### FF-41 \u2014 Invariant Test Coverage Gradient (per-BC)\n- **Principle**: every BC has \u22651 invariant test. Companion to FF-09.\n- **Lift gate verdict**: BORDERLINE. Q1 \u2014 this is a **process-FF** (Ford ch.2 \u00a7Coverage uses these for governance, not arch). Q3 no anchor incident. The principle (\"all BCs have tests\") is testing hygiene, not architectural integrity.\n- **Recommendation**: **probably DON'T port as architectural FF.** Either keep as a `kind: 'process'` (introduce that classifier), or demote to a CI gate alongside `pnpm test`.\n- **Port effort if kept**: 1 day.\n\n**Bucket C verdict**: 1-2 of these likely get demoted/deferred during the gate pass. Saves 4-6 days vs porting all.\n\n---\n\n## Recommended phasing IF (3) is chosen\n\n**Tier-1 Reconcile (sprint 1, ~5 days)** \u2014 port Bucket A:\n- FF-40 + FF-42 + FF-43 + FF-45\n- Charter additions: AC-04 (Module-Boundary), AC-05 (Source Integrity), AC-06 (Traceability), AC-07 (Diagnosability)\n- Single audit PR + 4 port PRs\n\n**Tier-2 Reconcile (sprint 2, ~6 days)** \u2014 port Bucket B:\n- FF-28+29 merged into one Admin Surface Integrity lift\n- FF-34 (cross-layer enforcement)\n- FF-36 (decide vs FF-40 overlap)\n- Charter: AC-08 + AC-09 (or consolidate into AC-04)\n\n**Tier-3 Reconcile (sprint 3, ~3 days)** \u2014 Bucket C lift-gate:\n- Run architectural-lift Q1-Q6 gate on FF-35/37/38/41\n- Output: Demote 1-2 to process FFs / ADR-only / regression tests; port the survivors\n- Likely: keep FF-35 (already tripwire-classified), demote FF-41 to process-FF, defer FF-37/38 until anchor incidents\n\n**Total Tier-1+2+3**: ~14 days for ~10 ported predicates + 5-6 new AC charter entries + ~110 corpus fixtures preserved.\n\n**Compare to from-scratch sequential** (the dev-a \"drop-and-rederive\" plan): ~5 days \u00d7 13 FFs = ~65 days at the FF-23 cadence. Net savings from (3): ~50 days.\n\n---\n\n## Decision matrix \u2014 (1) vs (2) vs (3)\n\n| | (1) Port FF-39 only | (2) Rebuild FF-39 from scratch | (3) Reconcile substrates first |\n|---|---|---|---|\n| Time to ship FF-39 | ~1.5 days | ~4 days | ~6 days (1.5 audit + Tier-1 Bucket A includes FF-39) |\n| Strategy clarity | Low \u2014 repeats decision 12 more times | Medium \u2014 each FF gets fresh gate | **High** \u2014 decide once, execute |\n| Lift-gate value | Skipped retroactively | Applied per-FF | **Applied across substrate** \u2014 discovers patterns |\n| AC charter completeness | +1 entry (AC-04) | +1 entry (AC-04) | **+5-6 entries** (AC-04..09) |\n| Risk if FF-40/42/43/45 get stale | Low (will be re-lifted later) | Low | **Eliminates risk** \u2014 they all land |\n| PR count to clear backlog | 1 now + 12 later = 13 PRs | 1 now + 12 later = 13 PRs | 1 audit + ~10 port = ~11 PRs |\n| Effort cost if you only want FF-39 | **Lowest** | High | Highest (sunk cost on Bucket A/B even if you don't use them) |\n| Effort cost if you want full v2 | **Highest** (sequential drag) | Highest (rebuild \u00d7 13) | **Lowest** (~14 days vs ~65 days) |\n\n---\n\n## Annex A \u2014 FF-22 divergence\n\ndev-signals has a **217-line larger FF-22** than dev-a (490 LOC vs 273 LOC). dev-a's version is the architectural-lift output of PR #18537. dev-signals' version pre-dates it \u2014 likely has the calibration logic from PR #18410 sidecar phase 1 plus subsequent fixes.\n\n**Decision needed regardless of (1)/(2)/(3)**: which FF-22 wins on dev-a if dev-signals work ever merges? Recommend: dev-a's version (architectural-lift-gated) is canonical; dev-signals' version absorbs its delta into adversarial corpus fixtures or gets discarded.\n\n---\n\n## My recommendation\n\nIf the goal is **\"v2 substrate complete in <1 month\"** \u2192 **(3) Reconcile**, executing Tier-1 first (covers FF-39 + 3 high-value Bucket A FFs).\n\nIf the goal is **\"FF-39 specifically because of an anchor incident I haven't surfaced yet\"** \u2192 **(1) Port**, then defer the rest until an actual incident demands a port.\n\nIf the goal is **\"force every FF through the architectural-lift gate ceremony\"** \u2192 **(2) Rebuild**, accepting the ~65-day re-lift cost.\n\nThe **Bucket A** FFs (FF-40/42/43/45) are unambiguously high-value \u2014 the question for (3) is mainly whether to take them now or accept they'll get sequentially re-lifted later anyway. Each month of delay = month of dev-signals work being increasingly stale (the sidecar branch hasn't been touched since 2026-05-04 PR #18410, and dev-a has diverged 57 commits ahead \u2014 including substantial test reorganization).\n", "creation_timestamp": "2026-05-10T19:16:47.000000Z"}2026-05-10T19:16:47+00:00