A map from each concept to the source file that evidences it and the page that explains it, numbered 1 to 10. Where the repo diverges or a name does not match a file, the marking is open. Protection is described as a sum of layers (the coefficient), never as a count of visitors.
✓ no códigoparcial / sutilezanome de sinal, não arquivo
denylist-defender.json (.categories); embutida via include_str! (denylist_loader.rs:33)
Defender: scanner + AST visitors (method)
byte (BiDi/PUA/homoglyph/zero-width), entropy, regex, manifest, recursive decoder; and the semantic-intent visitors
scanner/; visitors/ (15 arquivos de visitor)
Empirical proof: the static pentest suite as a CI gate. Canonical rule of the framing: AGENTS.md §3A.
What diverges and what is not fixed
"18 visitors": the code has 15 visitor files. Names like reverse_shell and manifest_registry_redirect are emitted signals (in regex/decoder/manifest_scanner), not visitor files. And, either way, counting visitors does not measure coverage: a visitor is a method.
Pipeline order: the scanner/mod.rs comment says six layers; the real execution in lib.rs has more calls (byte with four sub-scans, plus ide and exfil). The matrix and page 5 follow the code.
Pentest count: the sources diverge (run-pentest.sh cites "184 tests / 26 modules"; self-audit.yml and AGENTS.md cite "194/194"). The script auto-detects; no number that could go stale is fixed here, and the divergence is pointed out. Detail on page 10.
SLSA: the attestation is in the release flow; this material describes it and points to the file, without pinning lines that could go stale.
nemesis-doctor: the code names G1 (compile), G2 (tests) and G7 (pentest) in the help; the other groups map to the checks/ modules.