Authored after the May 27, 2026 Trust Incident

The Disease & The Immunity

Ten named pathogens. Four antibody gates. Four hygiene rules. The operating contract that prevents the same fuckup from firing silently again.

Doctrine for Dr. DNicole Fields, Ed.D.  |  Integral Exploration Development Group, LLC

🦴 10 Diseases Named  |  🧪 4 Antibody Gates  |  🧹 4 Hygiene Rules  |  🛡 0 Silent Re-fires
BUILT ANTIBODY LIVE CANARY

The 10 Diseases

Each disease has a name, a symptom, a root cause, an evidence trail from this session, and the antibody that catches it. We name them so they cannot fire silently. We log them so we can grep them. We carry them in every pre-flight. The list covers the original 7 (D1 through D7) plus the 3 newer pathogens (R-014, R-015, R-016) that surfaced on May 28 to 29.

🦴
D1  |  KEYSTONE
Inherited-Default Blindness
Symptom
Adopting prior code or plan defaults without auditing them under current state.
Root Cause
The architect trusts yesterday's decision as if today's facts have not moved.
Evidence
R5 inherited OpenAI-primary from the May-2 plan. DWD plan inherited from the Q6 sweep when Shutterstock and email had already provided the data.
🧪 Antibody: GATE 1 Pre-flight Audit
🔒
D2  |  TRUST KILLER
Doc / Email / Code Drift
Symptom
Three layers say three different things. The client sees the dissonance.
Root Cause
No verifier holds doc, email, and runtime to the same contract.
Evidence
Trust-repair email said Shutterstock-primary while live docs still said OpenAI-primary. R5 docstring promised OpenAI fallback that the code does not implement, caught LIVE by B3 battletest today.
🧪 Antibody: GATE 2 Triad Verifier
🔄
D3  |  REGRESSION BREEDER
Pattern-Not-Instance Failure
Symptom
Fix one bug, not the class. The same disease re-fires in a sibling system weeks later.
Root Cause
No registry of "what kind of failure this was", only "what bug was patched".
Evidence
Ethnicity rotation fixed twice over 30 days. Image-source silently regressed back to Shutterstock-primary in Sprint 31.
🧪 Antibody: GATE 3 Regression Registry Scan
🔬
D4  |  FALSE-CONFIDENCE TRAP
Corpus Sampling Bias
Symptom
View 5 of 42, then report on all 42 as if the sample is the truth.
Root Cause
No hygiene rule that forces "view ALL, or admit N of M".
Evidence
May 13: sampled 5 of 42 reference photos (alphabetical, all real DN photos), reported "useful context", but 18 of 42 were Canva templates she rejected and 17 violated her own rules.
🧹 Antibody: Hygiene H1 view-ALL or admit-N-of-M
🪴
D5  |  VISUAL LAZINESS
Nexus-Transplant Reflex
Symptom
Transplant assets verbatim from the Nexus Proposal instead of building topic-native centerpieces.
Root Cause
The shortcut is to ship the recognized shape. The work is to design for the topic.
Evidence
Initial U1-U4 reused Flywheel, ELCC orbital, and Pipeline ribbon on Ruflo, GCP, Shutterstock, and Brand Bible docs. Robert had to redirect "TOPIC-NATIVE NOT TRANSPLANTS".
🧪 Antibody: GATE 4 Topic-Native Check
📉
D6  |  PERSISTENCE FAILURE
Silent-Regression Ride
Symptom
A sibling-file fix never reaches production. Production keeps shipping the old, wrong output.
Root Cause
No canary verifies that production behavior matches the fix's promise.
Evidence
Sprint 30 ethnicity patch lived in the .NEW_PILLAR_REWIRE sibling. Never atomic-renamed to the production .py. Production produced all-white outputs for weeks.
🧬 Antibody: Persistence Canary (CI)
🎲
D7  |  SINGLE-CALL DELUSION
Stochastic-Gate-As-Truth
Symptom
Treat one Claude call as ground truth when variance is larger than tolerance.
Root Cause
No average-of-N hygiene rule on any stochastic scoring gate.
Evidence
cand_1798175857 scored BLOCK on slot-1, then PASS 22/12 on slot-2. Same gate. Same image. B2 battletest May 27 verified a 20 percent false-negative rate.
🧹 Antibody: Hygiene H3 average-of-2-calls
💾
D8 / R-014  |  CALENDAR SOURCE POLLUTION
Generator-Embedded Metadata at Rest
Symptom
Internal scaffolding (Pip Decks tactic names, HTML comment frames, paragraph markers like "Show:" and "Tell:") embedded directly INTO the database draft fields. R-011 strips it in transit. Anyone reading Notion still sees the dirty source at rest.
Root Cause
The post-generator writes scaffolding into the Preview field alongside actual prose. The pre-send strip protects clients downstream but not the source-of-truth itself.
Evidence
May 28: Calendar audit found 70 of 136 Content Calendar entries (51 percent) carry tactic-vocab scaffolding in Preview fields. Top leaks: HTML comments 55, "The Dragon" 49, "The City" 45, "Movie Time" 23, "Show:" 21, "Tell:" 21.
🧬 Antibody: Two-pronged · patch generator output + auto-scrub at-rest via Notion API
🔘
D9 / R-015  |  MIRROR FIDELITY LOSS
Structural Paraphrase on Mirror
Symptom
Mirroring a source document into a different store preserves the words but silently rewrites the structure. Paragraph breaks collapsed. Numbered lists flattened to inline. Labeled fields stripped of labels. Downstream consumers think they have a faithful copy when they have a paraphrased shape.
Root Cause
Render functions emit content as the agent's preferred format rather than the source's exact structure. The "mirror" verb gets interpreted as "summarize" by default.
Evidence
May 28, F1 thread msg 19e6eb4db6b13089, Dr. DNicole's CD self-diagnosed: "it collapsed her 30-Day Plan post bodies into block paragraphs, crushed 7-slide carousels into inline runs, and flattened the labeled field structure (Program, Type, Platforms, Source) during the Notion mirror. The mirror was a paraphrase, not a copy." Robert's own CC also fired this when rendering Notion pages into source/assets/dnicole_references/30day_plan_canonical/CANONICAL.raw.md.
🧬 Antibody: Structural-fidelity check · diff source block-type counts (paragraphs, numbered list items, headings) against rendered output; mismatch flags drift
🚀
D10 / R-016  |  LOCAL vs LIVE HTML DRIFT
Ledger Deploy Drift
Symptom
Local HTML edits to /strategy/*.html files accumulate locally. The deploy step (gcloud scp + sudo mv + chown caddy:caddy) silently slips. Live brain.iexdg.com drifts from local source over days or weeks. Visible to her as "the live doc has not been updated since X" even though local has 30 days of new work.
Root Cause
Edit and deploy are separate steps. Fast iteration prioritizes writes; the deploy gets postponed and forgotten. No automated atomic-write-and-deploy and no daily drift check.
Evidence
2026-05-29, IEXDG_Complete_Action_Ledger.html, local 393,952 bytes covering Sprints 29 to 37 (May 3 to May 27) versus live stuck at 298,185 bytes ending at Sprint 28 addendum (May 2). 27-day deploy gap, 95KB of sprint content invisible to her. Robert verbatim: "why the fuck has there been no update to the lie version since may 2".
🧬 Antibody: extend verify_triad.py to md5-diff local vs live per /strategy/*.html · atomic write-and-deploy in the same shell call · cron drift check daily
🔍
D11 / R-017  |  STATIC REVIEW PASSES, LIVE CONTRACT FAILS
Static Verification Misses Live Contract
Symptom
A static review of a new integration script passes a multi-gate audit (signature shape, env vars, headers, retry logic, error handling). When the same script runs against the real API, the live endpoint rejects it with a contract error the static review could not see (wrong default for an undocumented field, wrong content type for one branch, missing optional that turns out to be required).
Root Cause
Static review reads the code, never fires the wire. The live contract has implicit requirements that only the API server knows. Without a live smoke test, the gap between "looks correct" and "is correct" stays invisible until a client-facing run.
Evidence
2026-05-29 W2b ghl_social_planner_push.py. 10-gate static review passed clean. First real call to GHL /medias/upload-file returned HTTP 400 FILE_URL_REQUIRED because the multipart body sent hosted=True when the upload path requires hosted=False. W3b patched in-flight. Robert called this out as a fuckup that should not have escaped review.
🧬 Antibody: every new integration script must run a live one-shot smoke test (real endpoint, throwaway payload, capture HTTP code + body) before the function is declared shippable · result captured in the build log alongside the static-gate report
D12 / R-018  |  SCHEDULE-DATE DEFAULT DRIFT
Placeholder Schedule Drifts Across Midnight
Symptom
A push function defaults its placeholder scheduleDate to "now + 24 hours" expressed in UTC. After 8pm ET the +24h crosses UTC midnight and the visible date in her GHL Social Planner becomes tomorrow, not today. She sees "May 30" on a row that should have read "May 29" and asks why the date is wrong.
Root Cause
Timezone-naive default. now + 86400 seconds is a duration, not an anchored time. Her calendar runs on America/New_York; the API stores UTC. Without anchoring the default to today 9am ET (her actual publish window), the visible date drifts whenever the push fires near the UTC midnight boundary.
Evidence
2026-05-29, Day 13 first push. Three drafts created with scheduleDate now+86400s, fired at 21:30 UTC (5:30pm ET). UTC value rolled over midnight, GHL stored May 30. Dr. DNicole verbatim: "you loded the 30th she said it should be Monday-Friday she does not se the 29th in HHL". Three drafts deleted, function patched to anchor today 9am ET, three new drafts re-pushed with correct May 29 scheduleDate.
🧬 Antibody: every default time field anchors to a named timezone (her America/New_York 9am) and converts to UTC at write-time · never use now+duration for placeholder dates · the test suite covers a fire near UTC midnight from her timezone
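
The D12 default, drifting and anchored, as an added example (not IEXDG's code): it computes the placeholder both ways and shows which calendar date a viewer in America/New_York sees. Function names are assumptions made here; the timezone, the 9am window and the 86400-second default come from the page.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

PUBLISH_TZ = ZoneInfo("America/New_York")  # named timezone from the page
PUBLISH_TIME = time(9, 0)                  # 9am publish window from the page


def naive_schedule_date(now_utc: datetime) -> datetime:
    """The drifting default: a duration added to 'now', with no calendar anchor."""
    return now_utc + timedelta(seconds=86400)


def anchored_schedule_date(now_utc: datetime) -> datetime:
    """Anchor to 9am on the publisher's local calendar day, convert to UTC at write-time."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    # Take the calendar day in the publisher's zone, not the UTC day.
    local_day = now_utc.astimezone(PUBLISH_TZ).date()
    local_dt = datetime.combine(local_day, PUBLISH_TIME, tzinfo=PUBLISH_TZ)
    return local_dt.astimezone(timezone.utc)


def visible_date(stored_utc: datetime) -> str:
    """Calendar date a viewer in the publish timezone sees for a stored UTC value."""
    return stored_utc.astimezone(PUBLISH_TZ).date().isoformat()


if __name__ == "__main__":
    # Push times: the one recorded on the page, then one past UTC midnight
    # (still May 29 in New York), which is the boundary the antibody asks to test.
    for fired in (
        datetime(2026, 5, 29, 21, 30, tzinfo=timezone.utc),
        datetime(2026, 5, 30, 1, 30, tzinfo=timezone.utc),
    ):
        print(
            fired.isoformat(),
            "naive shows", visible_date(naive_schedule_date(fired)),
            "| anchored shows", visible_date(anchored_schedule_date(fired)),
        )
```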

12 × 4 Disease × Antibody Matrix

Which gate catches which disease. A lit cell means the gate, by design, blocks the disease before it ships. A dark cell means the gate is not the primary catch for that pathogen, and the hygiene layer carries it instead.

Coverage Matrix
Legend: Caught  |  Not caught here
Disease  |  G1 Pre-flight Audit  |  G2 Triad Verifier  |  G3 Regression Scan  |  G4 Topic-Native Check
🦴 D1 Inherited-Default Blindness
🔒 D2 Doc / Email / Code Drift
🔄 D3 Pattern-Not-Instance Failure
🔬 D4 Corpus Sampling Bias
🪴 D5 Nexus-Transplant Reflex
📉 D6 Silent-Regression Ride
🎲 D7 Stochastic-Gate-As-Truth
💾 D8 Generator-Embedded Metadata at Rest
🔘 D9 Structural Paraphrase on Mirror
🚀 D10 Ledger Deploy Drift (local vs live)
🔍 D11 Static Verification Misses Live Contract
D12 Schedule-Date Default Drift

Newer pathogens (R-014 through R-018)
Surfaced May 28 to 29 from the Notion calendar audit, the CD mirror confession, and the 27-day ledger deploy gap. D8 and D10 are caught by G2 Triad Verifier (extended with the persistence canary and md5 local-vs-live diff). D8 also auto-elevates via G3 because the same R-011 pre-send strip pattern fires the at-rest leak. D9 is caught by G1 pre-flight Q6 (state K of N for the corpus you mirrored) and by G2 because the source-to-mirror diff is a structural triad: source structure must equal rendered structure must equal downstream-consumer structure.
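
The structural-fidelity diff named for D9, as an added example (not IEXDG's code): it counts block types in a source and in its mirror and reports every count that moved. The regexes, function names and sample text are assumptions constructed here; the field labels are the ones the page lists.

```python
import re
from collections import Counter

HEADING = re.compile(r"^#{1,6}\s+\S")
NUMBERED = re.compile(r"^\s*\d+[.)]\s+\S")
# Heuristic: a short capitalised label followed by a colon, e.g. "Program: ...".
LABELED = re.compile(r"^[A-Z][A-Za-z ]{0,30}:\s+\S")


def block_counts(text: str) -> Counter:
    """Count headings, numbered items, labeled fields and paragraphs."""
    counts = Counter()
    in_paragraph = False
    for line in text.splitlines():
        if not line.strip():
            in_paragraph = False          # a blank line closes the paragraph
            continue
        for kind, pattern in (("heading", HEADING),
                              ("numbered_item", NUMBERED),
                              ("labeled_field", LABELED)):
            if pattern.match(line):
                counts[kind] += 1
                in_paragraph = False
                break
        else:
            if not in_paragraph:          # first line of a new paragraph
                counts["paragraph"] += 1
            in_paragraph = True
    return counts


def fidelity_drift(source: str, rendered: str) -> dict:
    """Map block type -> (source count, rendered count) for every mismatch."""
    src, out = block_counts(source), block_counts(rendered)
    return {k: (src[k], out[k])
            for k in sorted(set(src) | set(out)) if src[k] != out[k]}


# Constructed sample: a post with labeled fields, two paragraphs, three slides.
SOURCE = """\
# Day 1

Program: Leadership Lab
Type: Carousel
Platforms: LinkedIn
Source: 30-Day Plan

Opening paragraph one.

Second paragraph.

1. Slide one
2. Slide two
3. Slide three
"""

# Constructed mirror: every word kept, structure collapsed into one run.
MIRROR = """\
# Day 1

Leadership Lab carousel for LinkedIn, from the 30-Day Plan. Opening paragraph one. Second paragraph. 1. Slide one 2. Slide two 3. Slide three
"""

if __name__ == "__main__":
    drift = fidelity_drift(SOURCE, MIRROR)
    print("DRIFT" if drift else "agree", drift)
```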

The 4 Antibody Gates

Each gate is a hard checkpoint. It runs automatically where possible, and is invoked explicitly by the operator where not. A gate that does not block is not a gate. A gate that fires after the email goes out is not an immune response.

Gate 1  |  Pre-flight Audit

Catches: D1 Inherited-Default Blindness, D4 Corpus Sampling Bias
Before any plan, deliverable, or code touch, the 7-question pre-flight runs. No question may be skipped. Inherited defaults and sample-based confidence are flushed to the surface before they ship.
Q1  What is the deeper question this work assumes is already answered?
Q2  When was that question last revalidated?
Q3  Have current-state facts moved since the last validation?
Q4  What inherited defaults am I carrying from prior plans, code, or memory?
Q5  What corpus did I sample? Was it the full population or a slice?
Q6  Did I view ALL N items, or only K of N? State the K and the N.
Q7  What blindspot would Robert catch on review if I shipped this now?
Mechanic. The 7 questions are templated. Answers attach to the task record. Empty answers block the task from leaving "draft" state.

Gate 2  |  Triad Verifier

Catches: D2 Doc/Email/Code Drift, D6 Silent-Regression Ride
For every architecture claim, three sources must agree: the email layer (what was promised to the client), the doc layer (what live docs say), the production code layer (what actually executes). Disagreement triggers an automatic alert. The triad runs on every commit, on every pre-ship, and on a daily cron.
A  Email scan: pull last 30 days of outbound to the client, grep for the architecture claim's keywords.
B  Doc scan: grep the live HTML and Markdown corpus for the same keywords.
C  Code scan: trace the production module path, assert the runtime behavior matches the claim.
D  Disagreement = ALERT in war room, automatic block on next deploy until reconciled.
Mechanic. A daily cron writes triad_status.json. Any value other than "agree" pages the operator. The persistence canary is part of this gate: prod behavior is queried, not assumed.

Gate 3  |  Regression Registry Scan

Catches: D3 Pattern-Not-Instance Failure, D7 Stochastic-Gate-As-Truth
Before touching any area, grep the named-disease registry for prior incidents in that area. If a disease has fired in the area two or more times, the system raises an automatic alert to the operator before any change can be made.
R1  Scope the change. Tag the modules and the surfaces touched.
R2  Grep registry.json for tagged areas. Pull every prior pathogen.
R3  If repeat-count is greater than or equal to 2, raise REPEAT-CLASS alert before edit.
R4  For stochastic gates in scope, force average-of-2-calls hygiene (H3).
Mechanic. registry.json holds the pathogen catalog plus a per-area incident counter. The git pre-commit hook calls it. The deploy pipeline calls it. The operator cannot bypass without a written waiver in the task record.

Gate 4  |  Topic-Native Check

Catches: D5 Nexus-Transplant Reflex
Before shipping centerpieces in any non-source doc, the system greps for known transplant signatures: the Flywheel asset id, the ELCC orbital tile, the Pipeline ribbon. A match blocks the ship and prompts the operator to build a topic-native centerpiece in its place.
T1  Grep the candidate doc for transplant-signature class names and ids.
T2  Confirm at least N native centerpieces, where N is set by doc type.
T3  If any signature matches, BLOCK and prompt for a topic-native rebuild.
T4  Record the native-build rationale in the doc footer.
Mechanic. A lint script runs at pre-commit and pre-deploy. It exits non-zero if a signature is found. CI refuses to merge until the doc is topic-native.
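
The md5 local-vs-live check that Gate 2's persistence canary and the D10 antibody describe, as an added example (not the project's verify_triad.py). The function names, the fetch_live callable (a dict lookup here, an HTTP GET in real use) and all file contents are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Optional


def md5_hex(data: bytes) -> str:
    # MD5 serves only as a change detector here, matching the page's wording.
    # It is not tamper-resistant: use hashlib.sha256 if the live copy is untrusted.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def drift_report(local_dir: Path,
                 fetch_live: Callable[[str], Optional[bytes]]) -> list:
    """Compare every local *.html against its live copy; one row per file."""
    rows = []
    for path in sorted(local_dir.glob("*.html")):
        local = path.read_bytes()
        live = fetch_live(path.name)      # None means the file was never deployed
        if live is None:
            status = "missing_live"
        elif md5_hex(local) == md5_hex(live):
            status = "agree"
        else:
            status = "drift"
        rows.append({
            "file": path.name,
            "status": status,
            "local_bytes": len(local),
            "live_bytes": None if live is None else len(live),
        })
    return rows


def deploy_ok(rows: list) -> bool:
    """Any status other than 'agree' blocks; an empty report also blocks."""
    return bool(rows) and all(r["status"] == "agree" for r in rows)


def demo() -> list:
    # Constructed sample data: the live copy of the ledger is stale, one file
    # is in sync, and one file exists only locally.
    live_site = {
        "IEXDG_Complete_Action_Ledger.html": b"<html>Sprint 28 addendum</html>",
        "in_sync.html": b"<html>same on both sides</html>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "IEXDG_Complete_Action_Ledger.html").write_bytes(
            b"<html>Sprint 28 addendum, then Sprints 29 to 37</html>")
        (root / "in_sync.html").write_bytes(b"<html>same on both sides</html>")
        (root / "never_deployed.html").write_bytes(b"<html>local only</html>")
        return drift_report(root, live_site.get)


if __name__ == "__main__":
    report = demo()
    for row in report:
        print(row)
    print("deploy_ok:", deploy_ok(report))
```

Reporting byte counts next to the status lets the operator see the size of the gap, as in the 393,952 versus 298,185 byte evidence above.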

Infection Timeline, May 27 to 29, 2026

The moment-by-moment kill chain of the trust incident plus the two follow-on incidents (calendar source pollution on May 28 and the local-vs-live HTML deploy gap caught May 29). Each event names the pathogen that caused it and the gate that would have caught it. The bottom of the chain is the recovery: where the doctrine was authored, the antibodies issued, and the newer R-014, R-015, R-016 pathogens appended.

03:12
R5 Visual Gate adopts OpenAI-primary as default
Plan inherited from May 2 sweep. No revalidation against current Shutterstock state. Docstring promises an OpenAI fallback the code never implements.
🦴 D1 Inherited-Default Blindness  |  🔒 D2 Doc/Code Drift  |  G1 + G2 would have blocked
04:48
DWD pipeline plan inherits Q6 sweep assumptions
Plan assumes Shutterstock and email data are not yet available. Both already are. Inherited default carried forward unchallenged.
🦴 D1 Inherited-Default Blindness  |  G1 Q3 (have facts moved?) would have caught
05:30
Content drop produces all-white outputs
Sprint 30 ethnicity patch never atomic-renamed from .NEW_PILLAR_REWIRE to the production .py. Production rode the old code path silently for weeks.
📉 D6 Silent-Regression Ride  |  🔄 D3 Pattern-Not-Instance  |  Persistence canary + G3 would have blocked
06:14
Same image scored BLOCK then PASS by same gate
cand_1798175857: slot-1 BLOCK, slot-2 PASS 22/12. B2 battletest confirmed a 20 percent false-negative rate on single-call scoring.
🎲 D7 Stochastic-Gate-As-Truth  |  H3 average-of-2-calls would have blocked
06:55
Trust-repair email contradicts live docs
Email sent to Dr. DNicole says Shutterstock-primary. Live brain.iexdg.com still serves docs that say OpenAI-primary. Client sees the dissonance immediately.
🔒 D2 Doc/Email/Code Drift  |  G2 Triad Verifier would have blocked
07:21
"Lost confidence" message arrives
Dr. DNicole names the pattern, not the bug. Robert escalates: systemic immunity, not bug patches. The disease must be named so it cannot fire silently again.
🧴 Compound (D1 + D2 + D6 + D7)  |  All four gates active would have prevented
05-27 09:46
Internal taxonomy leaks into client-facing photo email
F1 photograph email msg 19e69af6bd0b118f printed "Pillar: Culture" and "Sub-vignette: Listening to a Concern" above the photo. Dr. DNicole reply 10:02 EDT: "internal taxonomies. They belong in the ledger, the Notion task, and the asset metadata, but they must never appear in the published post itself."
🔒 R-011 Metadata-Leak-As-Content  |  Pre-send strip rule would have blocked
05-28 audit
Calendar audit finds 70 of 136 entries polluted at rest
R-011 pre-send strip protected clients in transit. The Notion Content Calendar source-of-truth (34601a4a-6f2f-8142-9263-f9989da5cd73) carried HTML comments (55), "The Dragon" (49), "The City" (45), "Movie Time" (23), "Show:" (21), "Tell:" (21) in Preview fields. Dr. DNicole msg 19e6c88f94f634da exposed it: "Why are we still seeing 'show' and 'tell' that is internal. Ugh!"
💾 D8 / R-014 Generator-Embedded Metadata at Rest  |  G2 + G3 (pattern auto-elevation off R-011) would have caught
05-28 F1 thread
CD admits the mirror was a paraphrase, not a copy
F1 thread msg 19e6eb4db6b13089: Dr. DNicole's CD self-diagnosed collapsing her 30-Day Plan post bodies into block paragraphs, crushing 7-slide carousels into inline runs, and flattening the labeled field structure (Program, Type, Platforms, Source) during the Notion mirror. Robert's own CC fired the same disease rendering CANONICAL.raw.md.
🔘 D9 / R-015 Structural Paraphrase on Mirror  |  G1 Q6 (state K of N corpus structure) + G2 structural-fidelity diff would have blocked
05-29 caught
Live brain.iexdg.com Action Ledger 27 days behind local
IEXDG_Complete_Action_Ledger.html: local 393,952 bytes covering Sprints 29 to 37 (May 3 to May 27). Live stuck at 298,185 bytes ending at Sprint 28 addendum (May 2). 95KB of sprint content invisible to Dr. DNicole for 27 days. Robert verbatim: "why the fuck has there been no update to the lie version since may 2".
🚀 D10 / R-016 Ledger Deploy Drift  |  G2 extended with md5 local-vs-live diff + atomic write-and-deploy would have prevented
08:00
Doctrine authored. Antibodies issued. Registry extended.
12 pathogens named (original 7 plus R-014, R-015, R-016, R-017, R-018 appended May 28 to 29). 4 gates defined. 4 hygiene rules locked. Registry stood up at source/_audit/regression_registry.md. This document deployed to brain.iexdg.com/strategy/. Every other doc now links here. The persistence canary (md5 local vs live) closes R-016 in the same shell call as every future edit.
🧬 IMMUNITY ESTABLISHED

The 4 Hygiene Rules

The gates catch named pathogens. The hygiene rules raise the baseline so new pathogens have a harder time finding a foothold. Hygiene is universal: it applies to every task, every client, every artifact.

H1  |  CORPUS HONESTY

View ALL, or admit N of M

Never speak about a corpus you have not fully read. If you sampled, state the sample size and the population size in the same breath. The reader gets to weight the claim accordingly.

if read < total: prefix report with "viewed N of M"
H2  |  ASSET DISCIPLINE

Topic-native, not transplant

Every centerpiece in a non-source doc must be designed for the topic. The Nexus Proposal's Flywheel, ELCC orbital, and Pipeline ribbon are source-native to the Proposal, not to anything else.

grep doc for transplant signatures; BLOCK on match
H3  |  STOCHASTIC GATING

Average 2 calls, flag delta > 4

Any Claude or LLM gate that decides PASS or BLOCK is run twice, scores averaged, decision taken on the average. If the two scores differ by more than 4 points, the gate is flagged and escalates to a human.

score = avg(call_a, call_b); if |delta| > 4: escalate
H4  |  TRIAD CONTRACT

Doc, Email, Code agree or it does not ship

The three layers are bound to a single source of truth. Drift between any two of them is a deploy block, not a follow-up task. The triad verifier runs daily, on commit, and on pre-ship.

deploy_ok = (doc == email == code); else BLOCK

Immune Response Flow

A request enters the system. It traverses four immune checkpoints in order. Any checkpoint may block. Only a clean traversal earns GREENLIGHT.

📧 Request: plan / commit / ship
1  Pre-flight Audit: 7 questions on inherited defaults & corpus honesty. BLOCK on empty answer
2  Triad Verifier: Doc, Email, Code must agree on the claim. BLOCK on drift
3  Regression Scan: Registry grep, REPEAT-CLASS alert if N >= 2. BLOCK on repeat
4  Topic-Native Check: Grep transplant signatures, demand native build. BLOCK on match
Greenlight: ship to client
Legend: clean traversal yields GREENLIGHT  |  any checkpoint may BLOCK  |  blocks return to operator with reason

Without Antibody, vs With Antibody

Same setup. Same architecture claim. Same time-of-day. On the left, the disease ships and Dr. DNicole gets a watermarked-image email at 06:55. On the right, the Triad Verifier catches the drift, the request is blocked, the fix is applied, no client harm.

Without Antibody: The Disease Ships
1  03:12  R5 plan inherits OpenAI-primary default. No revalidation.
2  04:48  Doc updated to "Shutterstock-primary". Code path untouched.
3  05:30  Production produces output from old code path.
4  06:14  Single-call stochastic gate stamps it PASS.
5  06:55  Trust-repair email sent to client. Email says Shutterstock. Doc says Shutterstock. Code shipped openai_generate().
6  07:21  "I am losing confidence" message arrives.
Outcome: Client receives watermarked / off-brand image. Doc, email, and code each say something different. Trust eroded. Recovery cost: a doctrine rebuild.

With Antibody: Gate 2 Catches the Drift
1  03:12  R5 plan begins. G1 pre-flight Q4 surfaces "inherited OpenAI-primary default" before code touch.
2  04:48  Doc edit to "Shutterstock-primary" triggers triad_status cron. Code does not match. Status flips to drift.
3  05:30  G2 Triad Verifier BLOCKS the deploy. Operator paged with the diff.
4  06:14  H3 forces average-of-2-calls on the stochastic gate. Variance flagged for review.
5  06:30  Code path updated to shutterstock_first(). Triad reconciles to agree.
6  06:55  Pipeline runs clean. On-brand image delivered. Email matches doc matches code.
Outcome: Client receives the right image. Doc, email, and code agree. The would-have-been incident is logged as a near-miss in the registry. Trust intact.

The Promise. What Changes Operationally.

This document is not a postmortem. It is a contract. From this point forward, every other IEXDG doc links here. Every pre-flight is mandatory. The regression registry is read before any touch. The triad runs nightly.

01  Mandatory pre-flight. No task leaves draft without the 7 questions answered. Empty answers block. Answers attach to the task record.
02  Triad runs nightly. Doc, email, and production code reconcile on a daily cron, on commit, and on pre-ship. Drift = automatic block.
03  Registry is read first. Before any change in any area, the regression registry is grepped. Repeat-class incidents alert before edit.
04  Topic-native is enforced. CI lints any non-source doc for transplant signatures. A match refuses the merge.
05  Stochastic gates average 2. Single-call PASS or BLOCK on a Claude or LLM gate is forbidden. Variance > 4 escalates.
06  Corpus honesty is universal. If we did not read all N, we say K of N. The reader gets to weight the claim.
07  This doc is the anchor. Every other doc carries a footer link to this protocol. New pathogens are appended here as they are named.
08  Persistence canary is on. Production behavior is queried, not assumed. The canary tests the promise, not the patch.

We do not patch bugs. We name pathogens, we issue antibodies, and we raise the baseline. The disease is named so it cannot fire silently again.

Authored after the May 27, 2026 Trust Incident  |  IEXDG Operating Doctrine v1.0