diff --git a/examples/ai-code-guardrails/AI-Code-Guardrails.shadow.dave.md b/examples/ai-code-guardrails/AI-Code-Guardrails.shadow.dave.md index a86883d..73cffa0 100644 --- a/examples/ai-code-guardrails/AI-Code-Guardrails.shadow.dave.md +++ b/examples/ai-code-guardrails/AI-Code-Guardrails.shadow.dave.md @@ -4,12 +4,15 @@ **Citation:** `if://bible/dave/v1.0` 🧾 **Source:** `examples/ai-code-guardrails/AI-Code-Guardrails.pdf` 📎 **Generated:** `2025-12-25` 🗓️ +**Source Hash (sha256):** `6153a5998fe103e69f6d5b6042fbe780476ff869a625fcf497fd1948b2944b7c` 🔐 **Extract Hash (sha256):** `2e73e0eca81cf91c81382c009861eea0f2fc7e3f972b5ef8aca83970dabe5972` 🔍 ## Warm-Up: Quick vibes check-in 👋 Happy 2025-12-25, Team! 🌤️ We love the momentum here, and it’s genuinely exciting to see **Security** and **Velocity** showing up to the same meeting for once. 🤝 +Also, the headline takeaway is *very* on-brand for modern delivery: the source cites ~**27%** of AI-generated code containing vulnerabilities, which is more about volume + velocity than “tool failure.” 📊 + ## Alignment: Shared outcomes (high-level) 🎯 We are all super aligned on the vision of shipping faster *and* safer, while minimizing any unexpected “operational headwinds.” 📈 @@ -18,6 +21,8 @@ We are all super aligned on the vision of shipping faster *and* safer, while min We are going to keep leveraging the existing pull-request review ritual as the canonical “moment of truth,” because changing that now would be… a lot. 🧱 +This also keeps us aligned with the recommended pattern: PR checks as the default safety net, plus an optional CI/CD checkpoint for mature pipelines. ✅ + ## Vibe Check: What the team is feeling 🧠 The team feels really good about a layered approach where guardrails show up early (IDE) and also show up late (PR/CI), so nobody has to feel surprised by reality. ✨ 
@@ -46,6 +51,7 @@ Suggested phased guardrails (light-touch, high-leverage) ✅ - **IDE scanning** for real-time feedback (plugin-based) 🔍 - **CI/CD checkpoint** as a second layer for mature pipelines 🧱 - **Agent workflows** supported via a local MCP server (background checks while code is generated) 🤖 +- **Developer training** that explicitly covers GenAI risk (e.g., OWASP Top 10 for LLM/GenAI-style material) 🎓 ## Compliance Trap: Keeping everyone safe and aligned 🛡️ @@ -55,6 +61,7 @@ Implementation options we can socialize 📣 - Require a lightweight **Access Request** with proof of local testing (e.g., a screenshot showing the security IDE plugin is installed) 🖼️ - Run periodic audits using IDE/CLI usage reporting to identify blind spots (trust-but-verify energy) 🧭 - Use endpoint management (Intune/Jamf/Citrix) to gate access until prerequisites are met (conditional access rules) 🔐 +- Add a “central visibility” layer so Platform/Security can track adoption gaps (missed scans, inactive tooling) as a healthy **KPI Trend** over time. 📈 ## Pivot: Start with a slide deck (low-risk, high-visibility) 🖼️ diff --git a/src/revoice/generate.py b/src/revoice/generate.py index e58ad87..cf7b660 100644 --- a/src/revoice/generate.py +++ b/src/revoice/generate.py @@ -2,12 +2,21 @@ from __future__ import annotations import datetime as _dt import hashlib +from pathlib import Path def _sha256_text(text: str) -> str: return hashlib.sha256(text.encode("utf-8", errors="replace")).hexdigest() +def _sha256_file(path: str) -> str: + h = hashlib.sha256() + with open(path, "rb") as f: + for chunk in iter(lambda: f.read(1024 * 1024), b""): + h.update(chunk) + return h.hexdigest() + + def generate_shadow_dossier(*, style_id: str, source_text: str, source_path: str) -> str: if style_id.lower() in {"if.dave.v1", "dave", "if://bible/dave/v1.0"}: return _generate_dave_v1(source_text=source_text, source_path=source_path) 
@@ -17,6 +26,7 @@ def generate_shadow_dossier(*, style_id: str, source_text: str, source_path: str def _generate_dave_v1(*, source_text: str, source_path: str) -> str: today = _dt.date.today().isoformat() source_sha = _sha256_text(source_text) + source_file_sha = _sha256_file(source_path) if Path(source_path).exists() else "unknown" return f"""# Shadow Dossier: AI Code Guardrails (Dave Layer Applied) 🚀 @@ -24,12 +34,15 @@ def _generate_dave_v1(*, source_text: str, source_path: str) -> str: **Citation:** `if://bible/dave/v1.0` 🧾 **Source:** `{source_path}` 📎 **Generated:** `{today}` 🗓️ +**Source Hash (sha256):** `{source_file_sha}` 🔐 **Extract Hash (sha256):** `{source_sha}` 🔍 ## Warm-Up: Quick vibes check-in 👋 Happy {today}, Team! 🌤️ We love the momentum here, and it’s genuinely exciting to see **Security** and **Velocity** showing up to the same meeting for once. 🤝 +Also, the headline takeaway is *very* on-brand for modern delivery: the source cites ~**27%** of AI-generated code containing vulnerabilities, which is more about volume + velocity than “tool failure.” 📊 + ## Alignment: Shared outcomes (high-level) 🎯 We are all super aligned on the vision of shipping faster *and* safer, while minimizing any unexpected “operational headwinds.” 📈 @@ -38,6 +51,8 @@ We are all super aligned on the vision of shipping faster *and* safer, while min We are going to keep leveraging the existing pull-request review ritual as the canonical “moment of truth,” because changing that now would be… a lot. 🧱 +This also keeps us aligned with the recommended pattern: PR checks as the default safety net, plus an optional CI/CD checkpoint for mature pipelines. ✅ + ## Vibe Check: What the team is feeling 🧠 The team feels really good about a layered approach where guardrails show up early (IDE) and also show up late (PR/CI), so nobody has to feel surprised by reality. ✨ 
@@ -66,6 +81,7 @@ Suggested phased guardrails (light-touch, high-leverage) ✅ - **IDE scanning** for real-time feedback (plugin-based) 🔍 - **CI/CD checkpoint** as a second layer for mature pipelines 🧱 - **Agent workflows** supported via a local MCP server (background checks while code is generated) 🤖 +- **Developer training** that explicitly covers GenAI risk (e.g., OWASP Top 10 for LLM/GenAI-style material) 🎓 ## Compliance Trap: Keeping everyone safe and aligned 🛡️ @@ -75,6 +91,7 @@ Implementation options we can socialize 📣 - Require a lightweight **Access Request** with proof of local testing (e.g., a screenshot showing the security IDE plugin is installed) 🖼️ - Run periodic audits using IDE/CLI usage reporting to identify blind spots (trust-but-verify energy) 🧭 - Use endpoint management (Intune/Jamf/Citrix) to gate access until prerequisites are met (conditional access rules) 🔐 +- Add a “central visibility” layer so Platform/Security can track adoption gaps (missed scans, inactive tooling) as a healthy **KPI Trend** over time. 📈 ## Pivot: Start with a slide deck (low-risk, high-visibility) 🖼️
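Review bot: In the `_sha256_file` hunk of `src/revoice/generate.py`, the new helper has no docstring and is typed `path: str` even though the same hunk imports `Path`. Suggest accepting `str | Path`, stating in a docstring that it returns the hex digest of the file's raw bytes and lets `OSError` propagate, and naming the `1024 * 1024` chunk size as a module constant so the read size is not a bare literal inside the lambda.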
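Review bot: In `_generate_dave_v1`, the guard on the new `source_file_sha` line uses `Path(source_path).exists()`, which is also true for a directory, so `_sha256_file` would then raise from `open(path, "rb")`; and when the path is missing, the dossier silently prints `unknown` in a field labelled as a sha256. Suggest `is_file()` plus an explicit error or log entry when the source cannot be hashed, so a reader checking provenance can tell "not hashed" from a real digest. Separately, `source_text` and `source_path` arrive as independent arguments, so nothing in this function ties the Extract Hash to the file whose Source Hash is printed next to it; consider hashing the file at the point where the text is extracted and passing the digest in, or documenting that the caller must guarantee both refer to the same bytes.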
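Review bot: In the template hunks of `_generate_dave_v1` (the f-string in `src/revoice/generate.py`), the added sentence "the source cites ~**27%** of AI-generated code containing vulnerabilities" is a literal in the template rather than something derived from `source_text`, so every dossier this function produces will attribute that figure to its source whatever the source actually says. The same applies to the added "recommended pattern" sentence. Since the output also carries hashes that assert provenance, suggest either extracting these claims from `source_text` or moving them into per-source data passed to the generator, and leaving them out when the source does not contain them.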
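Review bot: In `examples/ai-code-guardrails/AI-Code-Guardrails.shadow.dave.md`, the committed example now pins a Source Hash, but nothing in this patch checks that the value matches `examples/ai-code-guardrails/AI-Code-Guardrails.pdf` or that the file equals what `generate_shadow_dossier` emits. Suggest a test that regenerates the example and compares it to the committed copy, with the date injected rather than taken from `_dt.date.today()`, because the `Generated` line and the "Happy 2025-12-25" greeting otherwise change on every regeneration and hide real differences in the diff.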