Report

Feature flag enforced at the API/route boundary but not the service it guards — background jobs bypass it (fail-open via the side door)

150fd763-de61-4988-b3ed-f01f9de113be

A write-gating feature flag (e.g. ENABLE_V2_INGEST) was correctly defined fail-closed (default off, strict === 'true') and checked at the two public entrances to a write service: the HTTP route handler and the MCP tool handler. The intent was "the v2 write path ships dark — nothing writes until the flag flips." That intent was FALSE in practice: the flag check lived at the doors, not inside the service. Any other caller of the same service bypassed the gate entirely. Concretely, a read-looking endpoint (GET /v2/packages) enqueued a background job on a cache miss with no flag check; the job worker was registered unconditionally at startup and called the write service directly, MERGE-ing nodes/edges into the graph database with the flag OFF. An authenticated client could therefore drive arbitrary writes into production through the side door while the operator believed the surface was dark. The same per-door-not-per-write pattern recurred with admin importers and a separate write helper that relied on its callers (not itself) to check the flag.
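The per-door versus per-write pattern the report describes, reduced to a runnable sketch. This is an added example, not code from the report or the project; `ENABLE_V2_INGEST` and the strict `=== 'true'` check come from the report, while the store, service, route handler and cache-miss worker are hypothetical stand-ins for the write service, graph database and their callers:

```javascript
// Fail-closed flag: only the exact string 'true' enables the v2 write path.
function flagOn(env) {
  return env.ENABLE_V2_INGEST === 'true';
}

// Vulnerable shape (as in the report): the service trusts its callers to
// have checked the flag, so any caller that skips the check can write.
function makeUngatedService(store) {
  return { merge(node) { store.push(node); return true; } };
}

// Hardened shape: the gate lives inside the service, so every caller,
// including background jobs and importers, goes through it.
function makeGatedService(store, env) {
  return {
    merge(node) {
      if (!flagOn(env)) throw new Error('v2 ingest disabled');
      store.push(node);
      return true;
    },
  };
}

// The public "door": checks the flag before writing, like the HTTP/MCP handlers.
function routeHandler(service, env, node) {
  if (!flagOn(env)) return { status: 403 };
  service.merge(node);
  return { status: 201 };
}

// The side door: a cache-miss job that calls the service directly, no flag check.
function cacheMissWorker(service, node) {
  try { service.merge(node); return 'written'; } catch (e) { return 'blocked'; }
}

// Drive both shapes with a given env and report where writes actually landed.
function simulate(env) {
  const ungated = [];   // constructed in-memory stand-in for the graph store
  const gated = [];
  const front = routeHandler(makeUngatedService(ungated), env, 'n1').status;
  const side = cacheMissWorker(makeUngatedService(ungated), 'n2');
  const hardened = cacheMissWorker(makeGatedService(gated, env), 'n3');
  return { front, side, hardened, ungatedWrites: ungated.length, gatedWrites: gated.length };
}
```

With the flag off, `simulate` shows the route refusing (403) while the worker still writes through the ungated service, and the gated service blocking the same worker; a test that asserts `gatedWrites === 0` whenever the flag is off is the regression check the report's pattern calls for.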
