
feat: Zenzic v0.5.0a4 — The Hardened Sentinel#33

Merged: PythonWoods-Dev merged 16 commits into main from fix/sentinel-hardening-v0.5.0a4 on Apr 8, 2026

Conversation

@PythonWoods-Dev
Contributor

Summary

  • Blood Sentinel (Exit Code 3): path traversal probes targeting OS system
    directories (/etc/, /root/, /var/…) are classified as security_incident
    and exit with code 3 — highest priority, never suppressed by --exit-zero
  • Graph Integrity Θ(V+E): iterative DFS cycle detection over the full link
    adjacency graph; CIRCULAR_LINK reported at severity info (never blocks CI);
    every Phase 2 per-link lookup is O(1)
  • Hex Shield: new credential pattern family — detects 3+ consecutive \xNN
    escape sequences (obfuscated payloads in docs source)
  • Signal-to-Noise (--show-info): info findings suppressed by default with
    a footer count; opt-in via --show-info on all 7 check commands
  • ZRT-005 Bootstrap Paradox (fix): zenzic init works correctly in an empty
    directory; generated zenzic.toml includes commented Shield block

Changes

Engine

  • validator.py: iterative DFS CIRCULAR_LINK + PATH_TRAVERSAL_SUSPICIOUS → exit 3
  • reporter.py: incidents_count for security_incident; blood-red badge;
    show_info=False filter with suppression footer note
  • cli.py: --show-info on all 7 commands; Shield comment block in init template
  • shield.py: hex-encoded-payload pattern
  • ui.py: BLOOD palette constant

Tests

  • TestShowInfoFilter (3 tests): suppressed by default, --show-info, CLI flag
  • Graph integrity suite: CIRCULAR_LINK detection, Blood Sentinel exit 3
  • Shield hex-payload coverage
  • Anchor torture fixture: ring → linear chain (1000 files, no false positives)

Docs (EN + IT)

  • checks.md: Blood Sentinel section, Circular links Θ(V+E), full References
    section documenting Shield 8-pattern families and Exit Code 2 contract
  • architecture.md (new): Iterative DFS O(V+E) design, O(1) Phase 2 lookup
  • arch_gaps.md: ZRT-005 moved to Resolved with Genesis Test verification
  • INTERNAL_GLOSSARY.toml: canonical EN/IT term registry
  • 3 terminal SVG screenshots (Full Spectrum hero, Blood Report, Circle Discovery)
  • Shield comment block in all 9 example zenzic.toml files
  • safety_demonstration.md: live Sentinel demo without custom Markdown

Test plan

  • just preflight green (ruff, mypy, 759 pytest, REUSE, zenzic self-check)
  • zenzic init in empty directory — ZRT-005 Genesis Test
  • Exit Code 3 confirmed on PATH_TRAVERSAL_SUSPICIOUS
  • Exit Code 2 confirmed on Shield credential breach
  • --show-info displays CIRCULAR_LINK; default hides with suppression note

…T-002/ZRT-004)

- ResolutionContext for source-file-relative href resolution
- _assert_regex_canary(): SIGALRM watchdog (100ms) at engine construction
- Fix B904: raise PluginContractError from None
- Conditional shield import guard + @_shield_skip markers in test suite
- Add arch/vsm_engine.md and internal/security/shattered_mirror_report.md to mkdocs nav
  (doc files already on disk; nav entries prevent ORPHAN warnings in pre-commit self-check)
…2 (ZRT-001/ZRT-003)

- SecurityFinding gains col_start + match_text for surgical caret rendering
- _map_shield_to_finding(): sole authorised Shield→reporter bridge (Mutation Gate target)
- _obfuscate_secret(): partial redaction (AKIA****1234) safe for CI logs
- SentinelReporter: dedicated red breach panels pre-section (Q2); render_quiet one-liner (Q3)
- Remove early-exit hard-stop; breach findings flow through _to_findings() pipeline
- Exit 2 decided post-render by CLI runner, not scanner (Q3 / Obligation 4)
…re fix (Commit 3)

Mutation Gate — manual verification (The Sentinel's Trial):
  KILLED L'Invisibile   scanner.py::_map_shield_to_finding severity=warning → FAIL
  KILLED L'Amnesico     reporter.py::_obfuscate_secret     return raw      → FAIL
  KILLED Il Silenziatore scanner.py::_map_shield_to_finding return None    → FAIL

Test changes:
- TestShieldReportingIntegrity: 3 mutant-killer tests (28 total, all green)
- Promote reporter imports to module level (fix mutmut static analysis)

Infrastructure changes:
- noxfile.py: mutation session targets rules/shield/reporter; non-editable install
- pyproject.toml: correct mutmut v3 config keys (pytest_add_cli_args_test_selection,
  pytest_add_cli_args); expand paths_to_mutate to include shield + reporter;
  relative_files=true for coverage path alignment
- mutmut_pytest.ini: isolated pytest config for mutation runs (prepend + pythonpath=src)

Known gap: cli.py findings.append silencer not covered (integration test deferred)
…ocs (Commit 4)

CHANGELOG [0.5.0a4] additions:
- Z-SEC-002: breach panel, _obfuscate_secret, _map_shield_to_finding, post-render Exit 2
- Z-TEST-003: TestShieldReportingIntegrity — The Sentinel's Trial manual results
  (28 tests, all green; mutmut v3 editable-install waiver documented)

Bilingual parity — security analysis doc (EN + IT):
- Section 6 regression table: added TestShieldReportingIntegrity (Z-SEC-002)

Architecture docs (untracked -> committed):
- docs/arch/vsm_engine.md + docs/it/arch/vsm_engine.md
- docs/internal/security/shattered_mirror_report.md + docs/it/ mirror

CONTRIBUTING.md:
- Obligation 4: correct Silencer target (_map_shield_to_finding returns None);
  correct command (no posargs); add mutmut_pytest.ini note; manual verification workflow
- Mutation targets: rules.py + shield.py + reporter.py

Infrastructure:
- .gitignore: negation rule for mutmut_pytest.ini (comment on separate line)
- mutmut_pytest.ini: SPDX headers added; tracked in repo

Self-check: just check -> ZERO errors (116 files, all clean)

CLI
- Add ok_message parameter to SentinelReporter.render() so each
  individual check command prints a specific success verdict instead
  of the generic "All checks passed" message.
- Extract _count_docs_assets() helper to eliminate duplicated
  file-counting logic across all six check commands.
- All six check commands (links, orphans, snippets, references,
  assets, placeholders) now use SentinelReporter with a dedicated
  ok_message; check-all keeps the default.
- Add snippet fallback in reporter: when the source file is
  unreadable but source_line is available, render a single-line
  snippet instead of silently skipping it.

Docs
- Rewrite Sentinel in Action / Sentinel in Azione homepage section
  as pure HTML to prevent Python-Markdown from wrapping nested divs
  in <p> tags or escaping them as code blocks.
- Add .zz-sentinel-demo CSS component with dark/light mode support
  for branded mini-panel previews (gutter reporter, shield, grouped
  by file, severity summary).
- Add .zz-sentinel-section layout CSS for card containment and
  lateral margins.
- Replace demo link references with plain text to avoid Zenzic
  false positives from Markdown-like syntax inside HTML spans.

Tests
- Update all ok-assertions to match new per-command messages.
- Fix visual test expectations (gutter counting, LINK_ERROR badge).

find_repo_root gains a keyword-only fallback_to_cwd=False parameter.
When True, the function returns cwd instead of raising RuntimeError —
enabling zenzic init to run in a brand-new directory with no .git or
zenzic.toml present (Genesis Fallback).

Only the init command passes fallback_to_cwd=True; all other command
entry-points retain the strict check.

Three new regression tests added (test_scanner + test_cli).
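The Genesis Fallback in the commit above is a small but easy-to-get-wrong contract: only init may proceed without a repository marker, every other entry point must keep raising. The block below is an added example, not Zenzic's own find_repo_root; the marker file names, the root_for_command dispatch and the genesis_demo helper are assumptions, and the demo builds its throw-away directory itself so it runs offline.

```python
"""Added example, not Zenzic's own code: a root-discovery walk with the
keyword-only fallback_to_cwd switch described in the commit message.  The
marker files and the command dispatch are assumptions for illustration."""
import tempfile
from pathlib import Path

ROOT_MARKERS = ("zenzic.toml", ".git")   # assumption: markers that identify a project root


def find_repo_root(start=None, *, fallback_to_cwd=False):
    """Walk from `start` (default: cwd) upward to the first directory holding a marker.

    Raises RuntimeError when no marker exists, unless fallback_to_cwd=True, in
    which case the current working directory is returned (Genesis Fallback).
    """
    here = Path(start or Path.cwd()).resolve()
    for candidate in (here, *here.parents):
        if any((candidate / marker).exists() for marker in ROOT_MARKERS):
            return candidate
    if fallback_to_cwd:
        return Path.cwd()
    raise RuntimeError(f"no {' or '.join(ROOT_MARKERS)} found at or above {here}")


def root_for_command(command, start=None):
    """Only `init` may bootstrap in a markerless directory; every other command stays strict."""
    return find_repo_root(start, fallback_to_cwd=(command == "init"))


def genesis_demo():
    """Reproduce the ZRT-005 Genesis Test in a throw-away directory; returns a result dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp) / "fresh-project" / "docs"
        empty.mkdir(parents=True)
        # 1. a strict command in a brand-new tree must refuse to guess a root
        try:
            root_for_command("links", empty)
            results["strict_raises"] = False
        except RuntimeError:
            results["strict_raises"] = True
        # 2. init falls back to cwd instead of raising
        results["init_falls_back_to_cwd"] = root_for_command("init", empty) == Path.cwd()
        # 3. once a marker exists, the walk finds it from any subdirectory
        (empty.parent / "zenzic.toml").write_text("# created by init\n")
        results["marker_found"] = root_for_command("links", empty) == empty.parent.resolve()
    return results


if __name__ == "__main__":
    for name, ok in genesis_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Keeping the fallback keyword-only means a caller cannot enable it by accident through a positional argument, and routing the decision through one dispatch point makes "only init passes True" a single line to audit rather than a property spread across every command.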
…ranslations

- ADR 003 (EN + IT): Root Discovery Protocol with Genesis Fallback amendment
- CONTRIBUTING.it.md: PSR section + rewrite of 2 rough machine-translated sections
- mkdocs.yml: 5 new nav_translations for the Italian locale (Decisioni Architetturali, ADR 003,
  Gap Architetturali, Guida al Contributo, Scrivere Regole Plugin)
- PATH_TRAVERSAL bug in Italian ADR caught and fixed by dogfood self-check
- Add Root Discovery Protocol (RDP) section to CONTRIBUTING.md

extra.css:
- CSS formatter pass: remove alignment padding in custom properties,
  normalise combinator spacing (> +), padding-left 5ch→2ch,
  text-align right→left on gutter line numbers, remove line-height 1.05
…, SVG screenshots

- checks.md (EN+IT): Blood Sentinel section, Circular links Θ(V+E) admonition
  with ADR 003 cross-ref, full References section (Shield 8 patterns, Exit
  Code 2 contract, Three-Pass Pipeline, violation codes table)
- arch_gaps.md (EN+IT): ZRT-005 Bootstrap Paradox → Resolved, Genesis Test
- architecture.md (EN+IT): new — Iterative DFS O(V+E) Phase 1.5, O(1) Phase 2
- advanced.md (EN+IT): explicit anchor alignment for shield-behaviour
- screenshot.svg: homepage hero — Full Spectrum Report
- screenshot-blood.svg / screenshot-circular.svg: new terminal SVG screenshots
- INTERNAL_GLOSSARY.toml: canonical EN/IT term registry
- mkdocs.yml: Pipeline Architecture added to internal nav
…nfo, hex shield

- validator.py: iterative DFS CIRCULAR_LINK detection (Θ(V+E)); Blood Sentinel
  PATH_TRAVERSAL_SUSPICIOUS → exit code 3
- reporter.py: incidents_count for security_incident; blood-red summary badge;
  show_info filter with suppression note
- cli.py: --show-info on all 7 check commands; Shield block in init template
- shield.py: hex-encoded-payload pattern (3+ consecutive \xNN sequences)
- ui.py: BLOOD palette constant
- test_validator.py: CIRCULAR_LINK tests, Blood Sentinel, anchor torture
  fixture converted from ring to linear chain (avoids CIRCULAR_LINK noise)
- test_cli.py: TestShowInfoFilter (suppressed by default, shown with --show-info,
  check-all flag accepted via 9-patch integration test)
- test_references.py: hex-encoded-payload Shield pattern coverage
- Shield block (8 pattern families, exit code contract) in all 9 example toml
- safety_demonstration.md: circular link + hex payload for live Sentinel testing
- CHANGELOG.md / CHANGELOG.it.md: [0.5.0a4] — Blood Sentinel, Graph Integrity
  Θ(V+E), Hex Shield, --show-info, info suppression, ZRT-005 fix
- RELEASE.md: 7-section pre-release audit checklist
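The Shield-related commits above describe three pieces that belong together: the hex-escape pattern (three or more consecutive \xNN sequences), the col_start/match_text fields that let the reporter draw a caret under the exact match, and the partial redaction that keeps raw secrets out of CI logs with exit 2 decided after rendering. The block below is an added example for this page, not Zenzic's shield.py or reporter.py; the pattern names, the AWS-key regex as a second family and the rendering layout are assumptions, and the key in the constructed sample is the AWS documentation example key, not a live credential.

```python
"""Added example, not Zenzic's own code: a toy Shield scanner with the
hex-escape pattern (3+ consecutive \\xNN), the partial redaction the reporter
applies before anything reaches CI logs, and the caret rendering that
col_start/match_text enable.  Pattern names and the AWS-key regex are
assumptions; the key used below is the AWS documentation example key."""
import re
from dataclasses import dataclass

PATTERNS = {
    # three or more back-to-back \xNN escapes: obfuscated payload in docs source
    "HEX_ENCODED_PAYLOAD": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){3,}"),
    # assumption: a representative credential family for comparison
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class SecurityFinding:
    code: str
    line: int
    col_start: int
    match_text: str


def scan_text(text):
    """Return one SecurityFinding per pattern hit, with its column and exact match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for code, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(SecurityFinding(code, lineno, m.start(), m.group(0)))
    return findings


def obfuscate_secret(secret, keep=4):
    """Partial redaction in the AKIA****MPLE style; short matches are masked entirely."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return f"{secret[:keep]}****{secret[-keep:]}"


def render_caret(text, finding):
    """Gutter-style snippet: the source line plus a caret run under the match."""
    line = text.splitlines()[finding.line - 1]
    underline = " " * finding.col_start + "^" * len(finding.match_text)
    return f"{finding.line:>4} | {line}\n     | {underline}"


def render_quiet(finding):
    """One-liner for quiet mode; never echoes the raw match."""
    return f"{finding.code} {finding.line}:{finding.col_start} {obfuscate_secret(finding.match_text)}"


def breach_exit_code(findings):
    """Exit 2 is decided after rendering, by the runner, from the findings list."""
    return 2 if findings else 0


# Constructed sample docs source (not from the project).
SAMPLE = (
    "# constructed docs source\n"
    "payload = '\\x41\\x4b\\x49'   # three escapes: flagged\n"
    "ok = '\\x41\\x42'            # two escapes: ignored\n"
    "key = AKIAIOSFODNN7EXAMPLE\n"
)

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for hit in hits:
        print(render_caret(SAMPLE, hit))
        print(render_quiet(hit))
    print("exit", breach_exit_code(hits))
```

Note that the caret renderer shows the source line verbatim, which is appropriate for an interactive terminal, while render_quiet is the only form that should reach a CI log: that split is the reason redaction lives in the reporter rather than in the scanner.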
PythonWoods-Dev merged commit 8f6d8cf into main on Apr 8, 2026
PythonWoods-Dev deleted the fix/sentinel-hardening-v0.5.0a4 branch on April 8, 2026 at 20:03