Re-audit 2026年05月29日 (PR #7). Opportunistic hardening; none block merge.

• CI cargo build/test omit --locked (ci.yml:27) — committed Cargo.lock not enforced.
• rust-toolchain.toml (1.85.0) not honored in CI — floating stable used (ci.yml).
• rust-cache emits "could not find Cargo.toml" exit-101 ×ばつ2 at workspace root (ci.yml:19) — non-fatal, disables caching + masks signal.
• brotli-wasm ^3.0.1 unpinned → wire-byte determinism risk for a perpetual codec (receiptHash safe; wire URLs not).
• engines.node >=24 (codec) vs >=18 (types/networks/brotli-wasm) — narrows adoption with no stated reason.
• PF-3 crates.io reserve + Rust crate publishability (cargo publish --dry-run, license-file, excluded test/vector bloat) unverified.
• 3 dead CodecError variants (SignatureInvalid, DictionaryMismatch, CompressionFailed); salt-length/missing-salt reported as ChecksumMismatch (taxonomy overlap).
• WASM gzip ~95.7% of locked 80KB cap (~3.5KB headroom) — watch.
• Token-list liveness in a 'perpetual' surface: tokens.ts logoURI → Uniswap master CDN; chains.ts rpcUrls[0] → llamarpc.
• 4 dead golden vectors (loaded by no test); malformed-non-canonical-varint vector hits the Overflow path, not the non-canonical-varint branch it claims (vectors/v4-codec.json).

Source: 43-agent audit dimensions + completeness critic.