diff --git a/docs/refactor/database-first.md b/docs/refactor/database-first.md
index aa1f95f4c7e..a1038526c14 100644
--- a/docs/refactor/database-first.md
+++ b/docs/refactor/database-first.md
@@ -791,8 +791,9 @@ sessionId}` and session key context.
   legacy store names with write-style filesystem APIs. It also fails runtime
   source that reintroduces transcript bridge contracts such as
   `transcriptLocator`, `sqlite-transcript://...`, or `sessionFile`, and scans
-  tests for those bridge-contract names too. Migration, doctor, import, and
-  explicit export code remain allowed. The guard now also covers runtime
+  tests for those bridge-contract names too. It also bans the old session JSONL
+  downloader hook/class from export UI. Migration, doctor, import, and explicit
+  non-session export code remain allowed. The guard now also covers runtime
   `cache/*.json` stores, generic `thread-bindings.json` sidecars, cron
   state/run-log JSON, config health JSON, restart and lock sidecars, Voice Wake
   settings, plugin binding approvals, installed plugin index JSON, File
diff --git a/scripts/check-database-first-legacy-stores.mjs b/scripts/check-database-first-legacy-stores.mjs
index 7dd899c5f5f..4ec0b563a42 100644
--- a/scripts/check-database-first-legacy-stores.mjs
+++ b/scripts/check-database-first-legacy-stores.mjs
@@ -209,6 +209,14 @@ const forbiddenRuntimeLocatorContractMarkers = [
     label: "context engine compaction transcript locator output",
     pattern: /\bresult\??\.transcriptLocator\b/u,
   },
+  {
+    label: "session JSONL export downloader",
+    pattern: /\bdownloadSessionJson\b/u,
+  },
+  {
+    label: "session JSONL export button",
+    pattern: /\bdownload-json-btn\b/u,
+  },
 ];
 
 const allowedExactPaths = new Set([