diff --git a/.gitea/scripts/lint-e2e-ki013-container-names.sh b/.gitea/scripts/lint-e2e-ki013-container-names.sh
index 2fcfeaa82..3b4db439e 100755
--- a/.gitea/scripts/lint-e2e-ki013-container-names.sh
+++ b/.gitea/scripts/lint-e2e-ki013-container-names.sh
@@ -2,35 +2,34 @@
 # Drift-prevention guard: SEV #2499 class (KI-013 container/volume naming).
 #
 # KI-013 removed 12-char UUID truncation from container/volume names.
-# E2E scripts must use FULL workspace IDs (ws-${WSID}) when referencing
-# containers and volumes. Any ${VAR:0:12} truncation in a ws-* context
-# is a regression risk.
+# E2E scripts must use FULL workspace IDs when referencing containers
+# and volumes. Any :0:12 substring-match truncation is a regression risk.
 #
+# Scans ALL .sh files under tests/e2e/ (including lib/ and subdirs).
 # Run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
 set -euo pipefail
 PAT=':0:12([^0-9]|$)'
 ERR=0
-for f in tests/e2e/*.sh; do
- # Allow :0:12 when it is NOT inside a ws-* container/volume reference.
- # The grep looks for ws- followed anywhere on the same line by ${*:0:12.
+# Use find to recurse into tests/e2e subdirs (lib/, cron/, etc.)
+while IFS= read -r -d '' f; do
 MATCHES=$(grep -nE "$PAT" "$f" 2>/dev/null || true)
 if [ -n "$MATCHES" ]; then
- echo "::error::SEV-2499 drift guard: truncated workspace ID in container/volume name"
+ echo "::error::SEV-2499 drift guard: truncated workspace ID (:0:12) in E2E script"
 echo "::error::file=$f"
 echo "$MATCHES" | while read -r line; do
 echo "::error:: $line"
 done
 ERR=1
 fi
-done
+done < <(find tests/e2e -type f -name '*.sh' -print0)
 if [ "$ERR" -ne 0 ]; then
 echo ""
- echo "FAIL: E2E scripts reference containers/volumes with 12-char truncated IDs."
+ echo "FAIL: E2E scripts use 12-char truncated IDs (:0:12)."
 echo " KI-013 requires FULL workspace IDs. Update the flagged lines."
 exit 1
 fi
-echo "PASS: No truncated workspace IDs in E2E container/volume references."
+echo "PASS: No truncated workspace IDs in E2E scripts."
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index d2e18494e..f5f4ef267 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
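Review bot: The new `done < <(find tests/e2e -type f -name '*.sh' -print0)` line lets a failing `find` go unnoticed: neither `set -e` nor `pipefail` sees the exit status of a process substitution, so if `tests/e2e` is absent (wrong working directory, renamed tree) the loop runs zero times and the script prints PASS, which is the opposite of a fail-closed guard. Add a check before the loop, `[ -d tests/e2e ] || { echo "::error::tests/e2e not found"; exit 1; }`, and consider also failing when the loop visited no files at all. The unchanged `grep -nE "$PAT" "$f" 2>/dev/null || true` line has the same shape of problem, turning an unreadable file (grep exit 2) into a clean result; flagging it only since it is context, not part of this change. The hunk starts at line 2 of the script, so the shebang line is outside it.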
@@ -394,6 +394,14 @@ jobs:
 # a revert of the zero-validated→RED logic goes red on every PR.
 bash tests/e2e/test_require_live_priority_gate_unit.sh
+ - if: ${{ needs.changes.outputs.scripts == 'true' }}
+ name: Drift guard — KI-013 container/volume naming (SEV #2499)
+ # KI-013 removed 12-char UUID truncation from container/volume names.
+ # E2E scripts must use FULL workspace IDs. This fail-closed guard
+ # prevents regressions where a new/modified script reintroduces the
+ # old truncated-name pattern (the root cause of SEV #2499).
+ run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
+
 - if: ${{ needs.changes.outputs.scripts == 'true' }}
 name: Test ECR promote-tenant-image script (mock-driven, no live infra)
 # Covers scripts/promote-tenant-image.sh — the codified
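Review bot: The new step is gated on `if: ${{ needs.changes.outputs.scripts == 'true' }}`, so whether it is really fail-closed depends on which paths the `changes` job maps to `scripts`, and that filter is outside this hunk. If it covers `scripts/**` but not `tests/e2e/**` (the tree the linter scans) or `.gitea/scripts/**` (the linter itself), a PR that only edits an E2E script skips the guard entirely, which is exactly the regression the comment says it prevents. Please confirm the filter includes `tests/e2e/**`, or drop the `if:` on this step and run the lint unconditionally since it is a plain grep over the checkout. Either way a one-line comment on the step, `# NOTE: the 'scripts' path filter must include tests/e2e/** for this guard to trigger`, keeps that dependency visible to the next editor.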