fangorn/ex_git_objectstore
Fix all 25 code review items: security, correctness, performance
Data integrity & safety:
- Atomic writes (temp+rename) for filesystem objects, packs, HEAD
- Lock-file CAS for ref updates (prevents race conditions)
- Path traversal prevention in filesystem storage
- zlib compress/decompress wrapped in try/rescue/after across all modules
- Base.decode16! replaced with safe Base.decode16 pattern matching
Input validation:
- Tree entry name validation (empty, dot, dotdot, slash, null byte)
- Ref name validation (reject .., .lock, //, control chars, etc.)
- SHA hex format validation before storage writes
- Pack object count limits (10M max)
- Pack index fanout monotonicity validation
- Delta base_size header verification against actual base
- Merge tree depth limiting (max 64)
Performance:
- ETS cache rewritten with dual-table LRU (ordered_set index, O(N) eviction)
- Diff group_changes: prepend+reverse instead of O(n^2) append
- Diff add_context: :array + index_map for O(1) lookups
- Walk merge_base: configurable ancestor_limit (default 100K)
Protocol compliance:
- upload_pack/receive_pack: only advertise implemented capabilities
- TODO comments preserve scaffolding for ofs-delta, side-band-64k, multi_ack
- HEAD symref advertisement in upload_pack
Other fixes:
- S3 list pagination with continuation tokens
- Memory storage CAS consistency (nil old_sha = unconditional write)
- ETS cache destroy/1 to prevent table leaks
Tests:
- 47 new Ref module tests (validation, CRUD, HEAD operations)
- 14 new ObjectResolver tests (loose, pack, fallback, not found)
- 24 new S3 storage tests using local MinIO (excluded by default)
- All 287 tests pass, 0 failures
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
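As an added example, not the ex_git_objectstore project's own code, the following Elixir module implements the "Ref name validation" rules listed above (reject `..`, `.lock`, `//`, control characters and null bytes) together with the remaining checks documented in git-check-ref-format(1); the module and function names are assumptions.

```elixir
defmodule RefNameCheck do
  @moduledoc """
  Added example module (not part of ex_git_objectstore): validates a git
  ref name before it is used to build a filesystem path or a ref update.
  """

  # Characters git forbids anywhere in a ref name (besides control chars).
  @forbidden_chars [" ", "~", "^", ":", "?", "*", "[", "\\"]

  @doc "Returns :ok for an acceptable name such as \"refs/heads/main\", else {:error, reason}."
  def validate(name) when is_binary(name) do
    cond do
      name == "" -> {:error, :empty}
      not String.valid?(name) -> {:error, :invalid_utf8}
      String.contains?(name, <<0>>) -> {:error, :null_byte}
      has_control_char?(name) -> {:error, :control_char}
      String.contains?(name, @forbidden_chars) -> {:error, :forbidden_char}
      String.contains?(name, "..") -> {:error, :dotdot}
      String.contains?(name, "//") -> {:error, :double_slash}
      String.contains?(name, "@{") -> {:error, :reflog_syntax}
      name == "@" -> {:error, :bare_at}
      String.starts_with?(name, "/") or String.ends_with?(name, "/") -> {:error, :edge_slash}
      String.ends_with?(name, ".") -> {:error, :trailing_dot}
      Enum.any?(String.split(name, "/"), &bad_component?/1) -> {:error, :bad_component}
      true -> :ok
    end
  end

  def validate(_), do: {:error, :not_a_binary}

  # ASCII control characters (0x00-0x1F) and DEL (0x7F) are never allowed.
  defp has_control_char?(name) do
    name
    |> :binary.bin_to_list()
    |> Enum.any?(fn byte -> byte < 0x20 or byte == 0x7F end)
  end

  # No path component may be empty, start with "." or end with ".lock";
  # this also rejects "." and ".." components and a top-level ".lock" suffix.
  defp bad_component?(component) do
    component == "" or
      String.starts_with?(component, ".") or
      String.ends_with?(component, ".lock")
  end
end
```

Run `validate/1` before any ref write so that a rejected name never reaches the lock-file or filesystem layer.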
SHA: c641fd66a4650f856eb149cf16b31547a1e0c957
Author: Cole Christensen <cole.christensen@macmillan.com>
Date: 2026-02-10 17:36
Parents: c1a037f
20 files changed, +1422 −172
| File | Changes |
|---|---|
| test/test_helper.exs | +1 −1 |