fix(bfld security): close HIGH privacy-bypass in process_to_frame (identity surface leaked despite restrictive class) + JSON-injection (#1075)

* fix(bfld): route process_to_frame payload through PrivacyGate (ADR-141 privacy bypass)

BfldPipeline::process_to_frame stamped the frame header with the active
privacy class but serialized the caller-supplied BfldPayload UNCHANGED via
BfldFrame::from_payload. This let a frame labeled Anonymous(2) or
Restricted(3) carry the full identity-leaky compressed_angle_matrix
(+ amplitude/phase proxies, csi_delta) that PrivacyGate::demote is documented
and tested (privacy_gate_demote.rs) to strip at exactly those classes.

A NetworkSink accepts class >= Derived(1), so such a frame would publish the
beamforming angle matrix — the identity surface — across the node boundary
despite its restrictive class byte. The class byte lied about payload content.

Fix: after building the frame at the active class, apply PrivacyGate::demote to
the same class. demote() strips sections by target-class threshold (independent
of any class transition), so a same-class demote performs no class change but
brings the payload into policy compliance. Research classes (Raw/Derived) keep
the full payload — demote is a no-op there.

Pinned by three fails-on-old tests in pipeline_to_frame.rs:
- process_to_frame_at_anonymous_strips_identity_leaky_sections (FAILED pre-fix)
- process_to_frame_in_privacy_mode_strips_amplitude_and_phase (FAILED pre-fix)
- process_to_frame_at_derived_preserves_full_payload (guards against over-strip)
The pre-existing round-trip test is updated to assert the gated payload.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(bfld): JSON-escape zone_id in MQTT state-topic payload

render_events emitted the zone_activity payload as format!("\"{zone}\"") with no
escaping, while ha_discovery.rs already escapes operator-controlled strings via
push_str_field. A zone name containing a double-quote or backslash therefore
produced malformed / injectable JSON on the state topic that Home Assistant
parses (e.g. zone `a"b` -> payload `"a"b"`).

Fix: add json_string_literal() mirroring ha_discovery's escaping (", \, \n, \r,
\t, control chars) and use it for the zone payload. Value-identical for normal
zone names (living_room etc.).

Pinned by zone_payload_escapes_json_metacharacters (FAILED pre-fix); the
existing zone_payload_is_json_string_with_quotes still passes unchanged.

Co-Authored-By: claude-flow <ruv@ruv.net>

* docs(adr-141): record bfld privacy+security review findings + CHANGELOG

Document the two fixed bugs (process_to_frame privacy-bypass; zone_id JSON
injection) and the dimensions confirmed clean (event-field gating, witness/hash
framing, fail-closed) in ADR-141, plus CHANGELOG [Unreleased] Security/Fixed
entries.

Co-Authored-By: claude-flow <ruv@ruv.net>

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 - **`wifi-densepose-engine` governed-trust review — witness domain-separation gap FIXED + privacy monotonicity confirmed clean (ADR-137 / ADR-141 / ADR-032).** Beyond-SOTA correctness+security review of the security-critical composition root (the cycle enforcing RuView's privacy guarantees), not covered by the ADR-154–159 sweep. **One real witness-integrity bug fixed.** `witness_of` concatenated `model_version`, `calibration_version`, and `privacy_decision` boundary-to-boundary and left the variable-length evidence list without a count, so a string straddling a field boundary collided with a *different* trust decision — e.g. a per-room adapter id (ADR-150 §3.4, operator-influenceable) absorbing the leading bytes of the calibration epoch (`model="…cal:00a"`,`cal="b"`) yields the same witness as `model="…"`,`cal="cal:00ab"`. Two distinct privacy-relevant input tuples → one witness defeats the ADR-137 §2.7 "any privacy-relevant delta → different witness" tamper/drift audit. **Fix:** domain-tag the BLAKE3 hash (`ruview.engine.witness.v1`), write an explicit evidence count, and **length-prefix every field** (8-byte LE length ‖ bytes) — unambiguous framing regardless of contents. Witness-layout change by design (prior witness bytes invalidated); downstream consumers (`engine_bridge`, rufield) assert only witness *relationships* (`assert_ne`/`assert_eq` across runs), never absolute bytes, so nothing breaks. Pinned by two fails-on-old tests: `witness_distinguishes_model_calibration_boundary`, `witness_distinguishes_evidence_model_boundary`. **Dimensions confirmed clean (with evidence, no invented issues):** (1) **privacy monotonicity** — `effective_class` is recomputed each cycle from the active mode's floor with at most a single-step `demote_one` (clamped at `Restricted`), no cross-cycle state, proven over **all 5 modes** by `forced_contradiction_never_relaxes_class` (forced contradiction only ever raises the class byte; clean cycle == base); (2) **fail-closed** — empty cycle errors with no degenerate output (`empty_cycle_fails_closed`), single-node boundary characterized (`single_node_cycle_is_well_formed`), NaN coupling → `max(0.0)`→absent edge→at-risk (more restrictive); (3) **witness determinism** — no HashMap iteration / float formatting feeds the hash; (4) **mesh_guard** (ADR-032) — partition-risk → demotion path verified, thresholds already named documented fields. De-magicked the engine-construction literals (coherence accept gate, ADR-143 SLAM discovery + static-anchor thresholds) into named documented consts, value-identical, pinned by `engine_constants_match_prior_values`. `wifi-densepose-engine --no-default-features`: **27→33 tests**, 0 failed (+2 witness, +1 monotonicity property, +2 fail-closed boundary, +1 de-magic pin). Python deterministic proof unchanged (`f8e76f21…46f7a`, bit-exact — the engine is off the signal proof path). Review notes appended to ADR-137 (witness) and ADR-141 (monotonicity).
+- **ADR-141 BFLD privacy-bypass closed — `process_to_frame` now routes the payload through `PrivacyGate` (`wifi-densepose-bfld`).** `BfldPipeline::process_to_frame` stamped the emitted `BfldFrame` header with the active `PrivacyClass` but serialized the caller-supplied `BfldPayload` **unchanged** via `BfldFrame::from_payload`. A frame labeled `Anonymous`(2) or `Restricted`(3) therefore carried the full identity-leaky `compressed_angle_matrix` (the beamforming-angle identity surface) + amplitude/phase proxies + `csi_delta` — exactly the sections `PrivacyGate::demote` is documented and tested (`privacy_gate_demote.rs`) to strip at those classes. Because a `NetworkSink` accepts class ≥ `Derived`(1), such a frame would publish the identity surface across the node boundary despite its restrictive class byte; the class byte lied about payload content. **Fix:** after building the frame at the active class, apply `PrivacyGate::demote` to the same class — a no-op class transition that strips the sections that class forbids (research classes `Raw`/`Derived` keep the full payload). Pinned by three fails-on-old tests in `pipeline_to_frame.rs` (`…_at_anonymous_strips_identity_leaky_sections`, `…_in_privacy_mode_strips_amplitude_and_phase` — both FAILED pre-fix; `…_at_derived_preserves_full_payload` guards against over-stripping). Grade: privacy-bypass FIXED + regression-pinned.
 - **ADR-157 Milestone-1 B4 - constant-time HMAC sync-beacon tag compare (`wifi-densepose-hardware`).** `AuthenticatedBeacon::verify` compared the 8-byte HMAC-SHA256 tag with `self.hmac_tag == expected`, which short-circuits on the first differing byte and leaks, through verification latency, how many leading bytes an attacker's forged tag matched - a byte-by-byte tag-recovery oracle (~256*N trials instead of 256^N). Replaced with a hand-rolled branch-free `constant_time_tag_eq` (XOR-accumulate every byte difference into a single `u8`, no early exit, `#[inline(never)]` + `core::hint::black_box` to stop the optimizer reintroducing a short-circuit or a non-constant-time `memcmp`). **No new dependency** - ADR-157 had deferred this only to avoid adding the `subtle` crate; a fixed 8-byte compare needs none. Grade MEASURED (constant-time *construction*; micro-timing on a noisy host is a smoke check only, gated `#[ignore]`). Pinned by `tag_compare_is_constant_time_shape` (equal/first-differ/last-differ/all-differ/length-mismatch + an end-to-end `verify()` last-byte tamper), proven to fail on a last-byte-skipping constant-time bug. ADR-157 §8 B4 -> RESOLVED.
 - **ADR-080 open HIGH findings closed on the Rust `wifi-densepose-sensing-server` boundary (ADR-164 G11).** The QE sweep's three HIGH findings — XFF-spoofing bypass, leaked stack traces, JWT-in-URL (CWE-598) — were logged against the Python v1 API and never re-verified against the shipped Rust sensing-server; the HOMECORE/M7 sweep (ADR-161) covered `homecore-server`, not this crate.
   - **#2 leaked internal errors (the one live exposure) — FIXED.** Six handlers in `main.rs` serialized the internal error `Display` straight into the JSON response body: `edge_registry_endpoint` returned a panicked `spawn_blocking` `JoinError` (`"task … panicked"`) in a `500`, plus the raw upstream error in a `503`; `delete_model`/`delete_recording`/`start_recording` returned `std::io::Error` strings (OS detail / path); `calibration_start`/`calibration_stop` returned the `FieldModel` error chain. New `error_response` module logs the full detail **server-side only** (with a correlation id) and returns a generic body (`{"error":"internal_error","correlation_id":…}`) — no `panicked`, no file paths, no Debug chain. 5 module tests (a leak-substring guard proven to fail on the reverted old body) + the existing handler suite.
@@ -27,6 +28,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - **#3 JWT-in-URL (CWE-598) — VERIFIED ABSENT, regression-pinned.** `require_bearer` reads the token only from the `Authorization` header; the WebSocket handlers take no token query param and the sole `Query` extractor (`EdgeRegistryParams`) is a non-secret `refresh` flag. Added a regression proving `?token=`/`?access_token=` in the URL never authenticates while the header path still does.
 
 ### Fixed
+- **BFLD MQTT `zone_activity` payload now JSON-escapes the zone name (`wifi-densepose-bfld`).** `mqtt_topics::render_events` emitted the zone payload as `format!("\"{zone}\"")` with no escaping, while `ha_discovery.rs` already escapes operator-controlled strings. A zone name containing a `"` or `\` produced malformed/injectable JSON on the Home-Assistant state topic (e.g. zone `a"b` → payload `"a"b"`). Added a `json_string_literal` escaper mirroring `ha_discovery::push_str_field` and applied it to the zone payload — value-identical for normal zone names (`living_room`, …). Pinned by `zone_payload_escapes_json_metacharacters` (FAILED pre-fix; round-trips through `serde_json`); the existing `zone_payload_is_json_string_with_quotes` still passes unchanged.
 - **ESP32 vitals: `n_persons` over-counted (reported 4 for one person) + presence flag flickered at close range (#998, #996).** Two firmware logic bugs in `firmware/esp32-csi-node/main/edge_processing.c`, both robustness/logic fixes — **not** validated-accuracy claims (true count/PCK vs labelled ground truth stays hardware/data-gated on the COM9 ESP32-S3).
   - **#998 over-count — root cause + fix.** `update_multi_person_vitals()` split the top-K subcarriers into `top_k_count/2` groups and marked **every** group `active` unconditionally, so one body's multipath always reported the full `EDGE_MAX_PERSONS` (=4). New pure, host-testable `count_distinct_persons()` gates each candidate group: (1) **energy gate** — a group's phase variance must be ≥ `EDGE_PERSON_MIN_ENERGY_RATIO` (0.35) × the strongest group's, so weak multipath echoes don't count; (2) **spatial dedup** — groups whose representative subcarriers sit within `EDGE_PERSON_MIN_SC_SEP` (4) of each other are the same body. A `person_count_debounce()` then requires the gated count to hold `EDGE_PERSON_PERSIST_FRAMES` (3) consecutive frames before it's emitted, so a single noisy frame can't promote a phantom. The strongest group always counts (a present body yields ≥1). All thresholds are named, documented constants in `edge_processing.h`.
   - **#996 presence flicker — root cause + fix.** Presence was a bare `score > threshold` compare on a noisy `presence_score` (field-observed 2.6–26.7 frame-to-frame for one stationary person), so the boolean chattered at the boundary while the score clearly indicated a person. New pure `presence_flag_update()` is a Schmitt trigger + clear-debounce: assert above `threshold`, **hold** in the dead band down to `threshold × EDGE_PRESENCE_HYST_RATIO` (0.5), and only clear after the score stays below the low threshold for `EDGE_PRESENCE_CLEAR_FRAMES` (5) consecutive frames. The score itself is unchanged (and still emitted at packet offset 20 for consumer-side thresholding). Constants named/documented in `edge_processing.h`.

docs/adr/ADR-141-bfld-privacy-control-plane-modes-attestation.md

@@ -629,3 +629,23 @@ is characterized as a valid non-demoting mode (`single_node_cycle_is_well_formed
 
 The related witness domain-separation fix from the same review is recorded in
 ADR-137 (the witness folds `effective_class`, so the demotion is auditable).
+## Security & Privacy Review (2026-06-14)
+
+Beyond-SOTA privacy+security review of `wifi-densepose-bfld` (the crate was not in the ADR-154–159 sweep). Two real bugs fixed (each pinned by a fails-on-old test), several dimensions confirmed clean.
+
+### Findings
+
+| # | Severity | Site | Issue | Fix | Pinned by |
+|---|----------|------|-------|-----|-----------|
+| 1 | **privacy-bypass (HIGH)** | `pipeline.rs::process_to_frame` | The documented wire-bytes production path stamped the frame header with the active `PrivacyClass` but serialized the caller's `BfldPayload` **unchanged** via `BfldFrame::from_payload` — never routing through `PrivacyGate::demote`. A frame labeled `Anonymous`(2)/`Restricted`(3) carried the full `compressed_angle_matrix` (identity surface) + amplitude/phase + `csi_delta`. A `NetworkSink` accepts class ≥ `Derived`(1), so the identity surface could cross the node boundary despite the restrictive class byte — the byte lied about content. | Apply `PrivacyGate::demote(frame, active_class)` after construction: a same-class transition that strips the sections the class forbids; `Raw`/`Derived` keep the full payload. | `tests/pipeline_to_frame.rs::process_to_frame_at_anonymous_strips_identity_leaky_sections`, `…_in_privacy_mode_strips_amplitude_and_phase` (both FAILED pre-fix); `…_at_derived_preserves_full_payload` (over-strip guard) |
+| 2 | **PII/injection (MEDIUM)** | `mqtt_topics.rs::render_events` | `zone_activity` payload built as `format!("\"{zone}\"")` with no JSON escaping (while `ha_discovery.rs` already escapes). A zone name with `"`/`\` produced malformed/injectable JSON on the HA state topic. | `json_string_literal()` escaper mirroring `ha_discovery::push_str_field`. Value-identical for normal zone names. | `tests/mqtt_topic_routing.rs::zone_payload_escapes_json_metacharacters` (FAILED pre-fix) |
+
+### Dimensions confirmed clean (with evidence)
+
+- **Event-field privacy gating** — `BfldEvent::apply_privacy_gating` nulls `identity_risk_score` + `rf_signature_hash` at `Restricted`, and `serde(skip_serializing_if = "Option::is_none")` omits them entirely. `render_events`/`render_discovery_payloads` refuse class < `Anonymous` (stricter than the `sink.rs` `NetworkKind` `MIN_CLASS = Derived` — defense in depth toward less leakage). Covered by `event_privacy_gating.rs`, `mqtt_topic_routing.rs`, `ha_discovery.rs`.
+- **Witness/hash framing (the engine `witness_of` bug class)** — CLEAN. `SignatureHasher::compute` prefixes a **fixed 4-byte** `day_epoch` then a **fixed-width canonical-f32** feature block (`IdentityFeatures`: Embedding = `EMBEDDING_DIM*4`, RiskFactors = 16 B). `PrivacyAttestationProof::compute` hashes a fixed 32-byte `prev_hash` + three fixed 1-byte values. No variable-length operator-influenceable string is concatenated into any digest — no length-prefix-framing collision is possible.
+- **Fail-closed** — `payload.rs::from_bytes` rejects truncated/overflowing/trailing-byte sections (`checked_add`, bounds checks); `frame.rs::from_bytes` validates magic/version/length/CRC; `PrivacyClass::try_from` rejects unknown bytes; `identity_risk::score` maps NaN/degenerate factors → 0.0 (privacy-conservative). The `from_score(NaN) → Accept` choice is a documented, deliberate publish-aggregate-only fallback (NaN never reaches it from `score()`); risk-driven NaN cannot leak identity because identity gating is class-byte-driven, not risk-driven.
+
+### Observation (not a bug)
+
+The ADR-141 control plane (`PrivacyMode`/`PrivacyModeRegistry`) is **not yet wired into the emit path** — the emitter/pipeline enforce the raw `PrivacyClass` directly; the registry is exported + unit-tested but advisory. This matches the "Integration glue — not yet on the live path" status above. The class-byte enforcement (emitter + event + renderers + the now-fixed `process_to_frame`) is the live guarantee. Wiring the registry is the documented next step.

v2/crates/wifi-densepose-bfld/src/mqtt_topics.rs

@@ -135,10 +135,13 @@ pub fn render_events(event: &BfldEvent) -> Vec<TopicMessage> {
 
     if let Some(zone) = &event.zone_id {
         // Emit a JSON string so consumers can distinguish "no zone" (omitted)
-        // from "single-zone deployment" (always the same zone string).
+        // from "single-zone deployment" (always the same zone string). The zone
+        // name is operator-controlled; escape JSON metacharacters so a name
+        // containing a quote or backslash cannot produce malformed/injected
+        // JSON. Mirrors ha_discovery.rs::push_str_field's escaping.
         out.push(TopicMessage {
             topic: TopicMessage::ruview_topic(node, "zone_activity"),
-            payload: format!("\"{zone}\""),
+            payload: json_string_literal(zone),
         });
     }
 
@@ -155,3 +158,26 @@ pub fn render_events(event: &BfldEvent) -> Vec<TopicMessage> {
 
     out
 }
+
+/// Wrap `value` in JSON double-quote delimiters, escaping the metacharacters
+/// that would otherwise break out of the string literal (`"`, `\`, control
+/// chars, and the bare `\n`/`\r`/`\t` whitespace). Kept in lockstep with
+/// `ha_discovery::push_str_field` so state-topic and discovery payloads escape
+/// identically.
+fn json_string_literal(value: &str) -> String {
+    let mut out = String::with_capacity(value.len() + 2);
+    out.push('"');
+    for ch in value.chars() {
+        match ch {
+            '"' => out.push_str("\\\""),
+            '\\' => out.push_str("\\\\"),
+            '\n' => out.push_str("\\n"),
+            '\r' => out.push_str("\\r"),
+            '\t' => out.push_str("\\t"),
+            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
+            c => out.push(c),
+        }
+    }
+    out.push('"');
+    out
+}

v2/crates/wifi-densepose-bfld/src/pipeline.rs

@@ -141,6 +141,15 @@ impl BfldPipeline {
     /// builds the frame via [`BfldFrame::from_payload`] so the CRC covers the
     /// section-prefixed bytes.
     ///
+    /// The emitted frame's payload is forced into compliance with the active
+    /// privacy class via [`crate::PrivacyGate::demote`]: at `Anonymous` the
+    /// identity-leaky `compressed_angle_matrix` and `csi_delta` sections are
+    /// stripped, and at `Restricted` the amplitude/phase proxies are stripped
+    /// too. This closes the gap (ADR-141) where a frame stamped with a
+    /// restrictive class byte could otherwise carry the full high-information
+    /// BFI payload across a [`crate::NetworkSink`]. Research classes (`Raw`,
+    /// `Derived`) keep the full payload — `demote` is a no-op there.
+    ///
     /// Returns `None` whenever the gate drops the underlying event (Reject or
     /// Recalibrate), so `process_to_frame` is a strict subset of `process`.
     pub fn process_to_frame(
@@ -151,11 +160,21 @@ impl BfldPipeline {
         embedding: Option<IdentityEmbedding>,
     ) -> Option<BfldFrame> {
         let timestamp_ns = inputs.timestamp_ns;
+        let active_class = self.current_privacy_class();
         let _gate_signal = self.process(inputs, embedding)?;
         let mut header = header_template;
         header.timestamp_ns = timestamp_ns;
-        header.privacy_class = self.current_privacy_class().as_u8();
-        Some(BfldFrame::from_payload(header, &payload))
+        header.privacy_class = active_class.as_u8();
+        let frame = BfldFrame::from_payload(header, &payload);
+        // Enforce the payload-content policy for the stamped class. The frame
+        // is already at `active_class`, so this is a same-class demotion: it
+        // performs no class change but strips the sections that class forbids.
+        // demote() only fails on InvalidDemote (target < source), which cannot
+        // happen here because source == target, so the expect is unreachable.
+        Some(
+            crate::PrivacyGate::demote(frame, active_class)
+                .expect("same-class demote is always valid"),
+        )
     }
 
     /// `true` if `enable_privacy_mode()` has been called more recently than

v2/crates/wifi-densepose-bfld/tests/mqtt_topic_routing.rs

@@ -127,6 +127,38 @@ fn zone_payload_is_json_string_with_quotes() {
     assert_eq!(zone.payload, "\"living_room\"");
 }
 
+#[test]
+fn zone_payload_escapes_json_metacharacters() {
+    // A zone name containing a double-quote or backslash must not break out of
+    // the JSON string literal it is emitted into. ha_discovery.rs already
+    // escapes operator-controlled strings via push_str_field; render_events
+    // must do the same for parity so the state-topic payload is always valid
+    // JSON that Home Assistant can parse.
+    let ev = BfldEvent::with_privacy_gating(
+        "seed-01".into(),
+        0,
+        true,
+        0.1,
+        1,
+        0.9,
+        Some(r#"living"room\back"#.into()),
+        PrivacyClass::Anonymous,
+        None,
+        None,
+    );
+    let msgs = render_events(&ev);
+    let zone = msgs
+        .iter()
+        .find(|m| m.topic.contains("zone_activity"))
+        .expect("zone_activity topic");
+    // Expected: the inner quote and backslash are backslash-escaped, wrapped in
+    // one pair of unescaped delimiter quotes -> a single valid JSON string.
+    assert_eq!(zone.payload, r#""living\"room\\back""#);
+    // And it must parse as JSON back to the original zone string.
+    let parsed: String = serde_json::from_str(&zone.payload).expect("valid JSON string");
+    assert_eq!(parsed, r#"living"room\back"#);
+}
+
 #[test]
 fn identity_risk_payload_is_fixed_precision_decimal() {
     let msgs = render_events(&sample_event(PrivacyClass::Anonymous, false));

v2/crates/wifi-densepose-bfld/tests/pipeline_to_frame.rs

@@ -88,6 +88,11 @@ fn process_to_frame_returns_none_under_sustained_high_risk() {
 
 #[test]
 fn process_to_frame_round_trips_through_bytes() {
+    // Default pipeline class is Anonymous(2). The frame must round-trip through
+    // wire bytes with no CRC error; the payload it carries is the privacy-gated
+    // (angle-matrix-stripped) form, not the raw input — see
+    // process_to_frame_at_anonymous_strips_identity_leaky_sections for the
+    // content assertion. This test pins byte/CRC consistency only.
     let mut p = BfldPipeline::new(BfldConfig::new("seed-01"));
     let frame = p
         .process_to_frame(
@@ -100,7 +105,10 @@ fn process_to_frame_round_trips_through_bytes() {
     let bytes = frame.to_bytes();
     let parsed = BfldFrame::from_bytes(&bytes).expect("frame must round-trip");
     let parsed_payload = parsed.parse_payload().expect("payload must round-trip");
-    assert_eq!(parsed_payload, typed_payload());
+    // Round-trip preserves whatever the privacy gate left in place.
+    assert_eq!(parsed_payload, frame.parse_payload().unwrap());
+    // And the identity surface is gone at Anonymous.
+    assert!(parsed_payload.compressed_angle_matrix.is_empty());
 }
 
 #[test]
@@ -141,6 +149,94 @@ fn process_to_frame_preserves_header_template_identity_fields() {
     assert_eq!({ frame.header.channel }, 36);
 }
 
+// --- ADR-141 privacy-gate-correctness regression -------------------------
+//
+// `process_to_frame` stamps the frame with the pipeline's privacy_class but
+// (pre-fix) serialized the caller-supplied payload UNCHANGED. That let a frame
+// labeled Anonymous(2) / Restricted(3) carry the full identity-leaky
+// `compressed_angle_matrix` (+ amplitude/phase/csi_delta) that
+// `PrivacyGate::demote` is documented (privacy_gate_demote.rs) to strip at
+// exactly those classes. A NetworkSink accepts class >= Derived, so such a
+// frame would publish the beamforming angle matrix (identity surface) to the
+// network despite its restrictive class byte. These tests pin that the payload
+// content matches what the stamped class permits.
+
+#[test]
+fn process_to_frame_at_anonymous_strips_identity_leaky_sections() {
+    // Default pipeline class is Anonymous(2): the angle matrix and csi_delta
+    // MUST NOT survive into the emitted frame, matching PrivacyGate::demote.
+    let mut p = BfldPipeline::new(BfldConfig::new("seed-01"));
+    let mut leaky = typed_payload();
+    leaky.csi_delta = Some(vec![0x55; 24]);
+    let frame = p
+        .process_to_frame(
+            inputs(1_700_000_000_000_000_000, [0.1, 0.1, 0.1, 0.1]),
+            header_template(),
+            leaky,
+            Some(embedding()),
+        )
+        .expect("low-risk frame must be emitted");
+    assert_eq!({ frame.header.privacy_class }, PrivacyClass::Anonymous.as_u8());
+    let payload = frame.parse_payload().expect("payload parses");
+    assert!(
+        payload.compressed_angle_matrix.is_empty(),
+        "Anonymous frame must NOT carry the compressed_angle_matrix (identity surface)",
+    );
+    assert!(
+        payload.csi_delta.is_none(),
+        "Anonymous frame must NOT carry csi_delta",
+    );
+    // Aggregate sensing sections survive.
+    assert_eq!(payload.snr_vector.len(), 8);
+    assert_eq!(payload.amplitude_proxy.len(), 16);
+}
+
+#[test]
+fn process_to_frame_in_privacy_mode_strips_amplitude_and_phase() {
+    // privacy_mode -> Restricted(3): amplitude + phase proxies must ALSO drop.
+    let mut p = BfldPipeline::new(
+        BfldConfig::new("seed-01").with_privacy_class(PrivacyClass::Anonymous),
+    );
+    p.enable_privacy_mode();
+    let frame = p
+        .process_to_frame(
+            inputs(0, [0.1, 0.1, 0.1, 0.1]),
+            header_template(),
+            typed_payload(),
+            Some(embedding()),
+        )
+        .expect("frame emitted");
+    assert_eq!({ frame.header.privacy_class }, PrivacyClass::Restricted.as_u8());
+    let payload = frame.parse_payload().expect("payload parses");
+    assert!(payload.compressed_angle_matrix.is_empty(), "angle matrix stripped at Restricted");
+    assert!(payload.amplitude_proxy.is_empty(), "amplitude stripped at Restricted");
+    assert!(payload.phase_proxy.is_empty(), "phase stripped at Restricted");
+    assert_eq!(payload.snr_vector.len(), 8, "snr_vector survives");
+}
+
+#[test]
+fn process_to_frame_at_derived_preserves_full_payload() {
+    // Derived(1) is a research mode that legitimately keeps the angle matrix.
+    // The strip must NOT over-fire at classes below Anonymous.
+    let mut p = BfldPipeline::new(
+        BfldConfig::new("seed-01").with_privacy_class(PrivacyClass::Derived),
+    );
+    let frame = p
+        .process_to_frame(
+            inputs(0, [0.1, 0.1, 0.1, 0.1]),
+            header_template(),
+            typed_payload(),
+            Some(embedding()),
+        )
+        .expect("frame emitted");
+    assert_eq!({ frame.header.privacy_class }, PrivacyClass::Derived.as_u8());
+    let payload = frame.parse_payload().expect("payload parses");
+    assert_eq!(
+        payload, typed_payload(),
+        "Derived research frame keeps the full payload unchanged",
+    );
+}
+
 #[test]
 fn process_to_frame_uses_input_timestamp_not_template_timestamp() {
     let mut p = BfldPipeline::new(BfldConfig::new("seed-01"));