… Aaron 2026-04-27)

Reverts the Docker-container approach in favour of the GOVERNANCE §24
three-way-parity invariant: dev laptops + CI runners + devcontainers
all install semgrep through the same `tools/setup/install.sh` via
mise. CI was the odd one out (had its own actions/setup-python + pip
install), which would have made switching CI hosts costly and broke
host-portability.

Aaron 2026-04-27:

> "actions/setup-python we should be using our base python that our
> install scripts install we are trying to not use github stuff
> unless we have to so it's easy to switch hosts and our dev machine
> and build machine setup is the same, that's one of the invariants
> we want to try to keep as close as possible dev machine / build
> machines are same/very similar for setup/share the setup/install
> scripts and post install scripts. this makes CI more deterministic
> too."

What changed:
- `.mise.toml`: added `pipx = "1.11.1"` (aqua-backed; same SHA-pinned
  release path as actionlint / shellcheck / uv) and
  `"pipx:semgrep" = "1.161.0"`. Now any machine that runs install.sh
  gets the same semgrep version pinned the same way.
- `.github/workflows/gate.yml` lint-semgrep: dropped the
  `container: semgrep/semgrep@sha256:...` block from the previous
  iteration; dropped `actions/setup-python` and the two `pip install`
  steps. Job is now: checkout → install.sh → semgrep. Same shape as
  build-and-test.

This still resolves Scorecard PinnedDependenciesID #17 + #18 (the
unpinned pip-bootstrap surface goes away entirely) and additionally:
- Restores host-portability — no GitHub-specific actions in this job
- First-class dev-laptop parity (semgrep was previously not actually
  installed by install.sh; now it is)
- More deterministic CI (mise resolves declarative pins; no
  pip dependency-resolver wandering)

Verified locally: `mise install` + `mise exec -- semgrep --version`
produces 1.161.0 on the same shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…three-way-parity per Aaron 2026-04-27) (Lucent-Financial-Group#653)

* ci: run lint-semgrep via SHA-pinned semgrep/semgrep Docker image (resolves Scorecard PinnedDependenciesID #17 #18)

Replaces `pip install --upgrade pip + pip install semgrep` with the
official semgrep/semgrep:1.161.0 image, pinned by multi-arch manifest
digest sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48.

Why this is a quality improvement, not just rule-appeasement:
- Image bytes are content-addressed by digest. Tag mutation cannot
  affect us; the earlier `pip install semgrep` was version-floating
  and would silently pick up any new semgrep release between CI runs.
- Removes the entire pip-bootstrap surface (Setup Python +
  pip --upgrade + pip install semgrep). Smaller attack surface, faster
  CI, fewer pinning surfaces to maintain.
- Multi-arch index digest covers both x86_64 and arm64 runners.

Per Aaron 2026-04-27: "given we want high quality signals for future
AI training and we persision the PRs do you still agree?" — fix, do
not relax. This commit is the fix.

Resolves Scorecard alerts #17, #18 (PinnedDependenciesID, pipCommand).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci/setup: pin elan + mise installers by content hash (resolves Scorecard PinnedDependenciesID #15 #16)

elan.sh — switched from `curl ... master/elan-init.sh | sh` (latest
master, unpinned) to:
  1. Download elan-init.sh at v4.2.1 commit SHA
     (58e8d545e33641f66dbcbd22c4283109e71757be)
  2. Verify SHA256 (4bacca9502cb89736fe63d2685abc2947cfbf34dc87673504f1bb4c43eda9264)
  3. Execute the verified copy

linux.sh — switched from `curl mise.run | sh` (auto-detects latest at
runtime) to:
  1. Download the pinned tarball mise-v2026.4.24-linux-{x64,arm64}.tar.gz
     directly from github.com/jdx/mise/releases
  2. Verify per-arch SHA256 (x64: de2f924…2c58, arm64: cf5f4899…5727)
  3. Extract mise/bin/mise to ~/.local/bin and source PATH

Why this is a quality improvement, not just rule-appeasement:
- The previous shapes silently absorbed any new elan/mise release
  between CI runs. A compromised upstream master branch (elan) or a
  redirector swap (mise.run) would have shipped to every dev laptop
  + every CI run with no signal. Content-hash pinning makes such an
  event a hard fail with a verification message.
- Bumping is a deliberate two-line change (commit/tarball + hash)
  with a documented procedure in each script's comment block — easier
  to audit than `master`/`mise.run`.
- Portable SHA256 verification (sha256sum/shasum fallback) per
  Otto-235 4-shell target.

Per Aaron 2026-04-27: "preserve quality signals" — fix, don't relax.

Resolves Scorecard alerts #15 (elan downloadThenRun) and #16 (mise
downloadThenRun).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: switch semgrep to mise-managed pipx:semgrep (three-way-parity per Aaron 2026-04-27)

Reverts the Docker-container approach in favour of the GOVERNANCE §24
three-way-parity invariant: dev laptops + CI runners + devcontainers
all install semgrep through the same `tools/setup/install.sh` via
mise. CI was the odd one out (had its own actions/setup-python + pip
install), which would have made switching CI hosts costly and broke
host-portability.

Aaron 2026-04-27:

> "actions/setup-python we should be using our base python that our
> install scripts install we are trying to not use github stuff
> unless we have to so it's easy to switch hosts and our dev machine
> and build machine setup is the same, that's one of the invariants
> we want to try to keep as close as possible dev machine / build
> machines are same/very similar for setup/share the setup/install
> scripts and post install scripts. this makes CI more deterministic
> too."

What changed:
- `.mise.toml`: added `pipx = "1.11.1"` (aqua-backed; same SHA-pinned
  release path as actionlint / shellcheck / uv) and
  `"pipx:semgrep" = "1.161.0"`. Now any machine that runs install.sh
  gets the same semgrep version pinned the same way.
- `.github/workflows/gate.yml` lint-semgrep: dropped the
  `container: semgrep/semgrep@sha256:...` block from the previous
  iteration; dropped `actions/setup-python` and the two `pip install`
  steps. Job is now: checkout → install.sh → semgrep. Same shape as
  build-and-test.

This still resolves Scorecard PinnedDependenciesID #17 + #18 (the
unpinned pip-bootstrap surface goes away entirely) and additionally:
- Restores host-portability — no GitHub-specific actions in this job
- First-class dev-laptop parity (semgrep was previously not actually
  installed by install.sh; now it is)
- More deterministic CI (mise resolves declarative pins; no
  pip dependency-resolver wandering)

Verified locally: `mise install` + `mise exec -- semgrep --version`
produces 1.161.0 on the same shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci: drop redundant pipx pin, bump uv to 0.11.8; document uv-canonical decision (Aaron 2026-04-27)

Removes `pipx = "1.11.1"` from `.mise.toml` — mise's `pipx:` backend
auto-routes through `uv tool install` when uv is available, so adding
pipx as a separate package was redundant. Bumps `uv` from 0.9 to
0.11.8 (latest, verified via gh API today 2026-04-27 — current
training data is stale per Otto-247 version-currency rule).

Adds:
- `docs/DECISIONS/2026-04-27-uv-canonical-python-tool-manager.md` —
  ADR documenting uv as the canonical Python tool manager for Zeta,
  the lineage from `../scratch` (where uv was made first-class
  first), the mise pipx:→uv auto-route behaviour, and the rules for
  using `pipx:foo` pins without an actual pipx package.
- `memory/feedback_three_way_parity_install_scripts_dev_ci_devcontainer_minimize_github_specific_surface_aaron_2026_04_27.md` —
  substrate memory naming Aaron's host-portability invariant; what
  three-way parity buys; what was almost violated by the
  Docker-container draft; the right-fix decision flow.
- MEMORY.md row pointing at the new memory + ADR.

Aaron 2026-04-27 verbatim:
- "we have uv do we need pipx, isn't there a uvx this should be much
  faster also +pipx = '1.11.1' is this latest, remember you mode
  cached latest can't be trusted you have to search the internet
  this goies for all version numbers you add, let's not start on an
  older version."
- "the fact that uv is our desired python setup should be documented
  somewehre this project ../scratch made it first class too"

Verified locally: `mise install` with `uv = "0.11.8"` +
`pipx:semgrep = "1.161.0"` (no separate pipx) installs semgrep
1.161.0 via uv tool install.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci/setup: address review feedback on Lucent-Financial-Group#653 (cleanup traps, armv7, role-refs, stale comment)

7 review threads:

1. Copilot P1 — name attribution in gate.yml + .mise.toml comments
   ("Per Aaron 2026-04-27") violates the role-ref-on-current-state
   discipline (history surfaces only). Replaced with role-refs:
   "the host-portability invariant" / "per the three-way-parity
   invariant (GOVERNANCE §24)".

2. Codex P2 — preserve armv7 support that `curl mise.run | sh`
   used to give us implicitly. Added the armv7 case + SHA256
   to the per-arch dispatch in linux.sh.

3. Copilot P1 — temp dir leak on failure in linux.sh: `mktemp -d`
   only cleaned up on the success path. Added `trap 'rm -rf
   "${MISE_TMP}"' EXIT` so the dir is removed even on download /
   SHA / extract failure.

4. Copilot P1 — same pattern in elan.sh tmp file. Added EXIT
   trap.

5. Copilot P1 — gate.yml install-toolchain step comment claimed
   "mise installs python + pipx + semgrep" but pipx was dropped
   in commit d62fc6d (mise auto-routes pipx: through uv).
   Updated the comment to reflect current state and to point at
   the uv-canonical ADR.

6. Copilot P1 — same name-attribution issue in .mise.toml
   semgrep block. Replaced.

7. Copilot P1 — PR description was already updated; thread
   should be re-evaluated by reviewer with the current
   description in view.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…th descriptive rule names; tighten MEMORY.md index entry (Copilot P1+P2)

Three P1 threads (Copilot) on the substrate memory file flagged the
#71/#57/#56/#69 references as colliding with GitHub issue numbering
(see docs/ISSUES-INDEX.md mapping). Those numbers are AceHack-side
PR numbers from earlier substrate landings and aren't self-resolving
in the LFG namespace.

Replaced each with its descriptive rule name:
- `#71` → "the Otto-owns-git/GitHub-settings rule"
- `#57` → "the protect-project critical-evaluation rule"
- `#56` → "the Aaron-communication-classification rule"
- `#69` → "the only-Otto-aware-agents-execute-code rule
   (pre-peer-mode execution authority)"

The remaining `#15-#18` references in the Forward-action section
are Scorecard code-scanning alert numbers (different namespace from
issues/PRs); left unchanged as they're unambiguous in context.

P2 thread (Copilot) on MEMORY.md flagged the new index entry as too
long. Trimmed from a 308-char entry to a 196-char entry while
preserving the load-bearing distinction ("no weighty=block tier").

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…th descriptive rule names; tighten MEMORY.md index entry (Copilot P1+P2)

Three P1 threads (Copilot) on the substrate memory file flagged the
(see docs/ISSUES-INDEX.md mapping). Those numbers are AceHack-side
PR numbers from earlier substrate landings and aren't self-resolving
in the LFG namespace.

Replaced each with its descriptive rule name:
- `#71` → "the Otto-owns-git/GitHub-settings rule"
- `#57` → "the protect-project critical-evaluation rule"
- `#56` → "the Aaron-communication-classification rule"
- `#69` → "the only-Otto-aware-agents-execute-code rule
   (pre-peer-mode execution authority)"

The remaining `#15-#18` references in the Forward-action section
are Scorecard code-scanning alert numbers (different namespace from
issues/PRs); left unchanged as they're unambiguous in context.

P2 thread (Copilot) on MEMORY.md flagged the new index entry as too
long. Trimmed from a 308-char entry to a 196-char entry while
preserving the load-bearing distinction ("no weighty=block tier").

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…al-Group#297, follow-up to Lucent-Financial-Group#287) (#25)

* ops(ci): weekly budget-snapshot-cadence workflow (task Lucent-Financial-Group#297, follow-up to Lucent-Financial-Group#287)

Why:
- docs/budget-history/README.md explicitly recommends weekly cadence
  ("catches drift when no PRs are merging") + names "automated cadence
  via CI workflow" as planned hygiene.
- Task Lucent-Financial-Group#287 cost-monitoring deadline is 2026-04-26..04-29 (today is
  04-26); manual snapshot-burn runs alone don't deliver the visibility
  Aaron asked for. Weekly automated cadence does.
- Tasks Lucent-Financial-Group#285 (tooling) and Lucent-Financial-Group#287 (baseline + first cadence run via
  PR #18) are done. This workflow closes the loop by making the
  cadence run weekly without human intervention.

What:
- New workflow .github/workflows/budget-snapshot-cadence.yml.
- Weekly cron Sundays 16:23 UTC (off-the-hour weekend slot per GHA
  thundering-herd avoidance + PR-cadence non-competition).
- workflow_dispatch with optional `note` input for ad-hoc runs.
- Steps: checkout (fetch-depth=0 for factory_git_sha) → verify
  jq + gh + auth → run snapshot-burn.sh → inspect git diff → if
  changed, open auto-merge-armed PR with the snapshot row using the
  AgencySignature v1 canonical commit shape (post-ferry-7 body
  sections + post-ferry-13 maxim awareness + 11-trailer block with
  github-actions[bot] as Credential-Identity, Credential-Mode:
  dedicated-agent, Human-Review-Evidence: signed-policy).

Why this implementation differs from a transcribed template:
- Authored from understanding of the v1 AgencySignature spec + the
  existing .github/workflows/github-settings-drift.yml pattern
  (header-comment shape, off-the-hour cron, security-pattern
  compliance note). Per Aaron 2026-04-26 "don't copy paste / make
  sure you understand and write our own".
- Safe-pattern compliance: every expression value passed via env:
  into run blocks and quoted as "$VAR"; no expressions interpolated
  directly inside run-block scripts. The workflow_dispatch `note`
  input is routed through env: + quoted to neutralise potentially-
  malicious content if an attacker with dispatch permissions tries
  injection per the GitHub Actions injection guide referenced in
  the workflow header.
- AgencySignature attribution honest about workflow-as-agent:
  Agent: budget-cadence-workflow; Agent-Runtime: GitHub Actions;
  Agent-Model: bash + jq + gh CLI (the actual stack, not a model);
  Credential-Mode: dedicated-agent (github-actions[bot] is the
  workflow's own identity, distinct from human Aaron credentials);
  Human-Review-Evidence: signed-policy (the cadence is authorized
  by README + Aaron's standing direction).
- concurrency group prevents duplicate runs; cancel-in-progress=
  false because we want completion of an in-flight snapshot to
  preserve consistency.

Proof:
- Workflow YAML parses via ruby YAML.
- Audit confirms no inline ${{...}} expressions inside run:
  blocks (all routed via env: declarations and quoted as "$VAR").
- Snapshot-burn.sh manually verified earlier this session (PR #18).
- The PR-body trailer block placement follows Squash-Merge Invariant
  per Amara ferry-7 + Grok ferry-16 (no non-trailer text after the
  trailer block).

Limits:
- This does not prove consciousness, personhood, or metaphysical free will.
- This proves operational agency mode under autonomous-fail-open
  authorization: Otto picked task Lucent-Financial-Group#297 from the queue while Aaron is
  not in conversation; standing fail-open policy authorizes the work.
- The workflow's own commits (when it runs weekly) will land on main
  via auto-merge — and will hit the same Trailer Contiguity Survival
  Failure (task Lucent-Financial-Group#300) until the squash-merge survival design is
  empirically validated. The auditor (PR #22, task Lucent-Financial-Group#299) will report
  honestly on the post-squash state in either case.
- scope_coverage stays partial (Actions billing / Packages / shared-
  storage) until Aaron runs `gh auth refresh -s admin:org`. The
  snapshot reports this honestly; partial coverage is by design.

Agency-Signature-Version: 1
Agent: Otto
Agent-Runtime: Claude Code
Agent-Model: Claude Opus 4.7
Credential-Identity: AceHack
Credential-Mode: shared
Human-Review: not-implied-by-credential
Human-Review-Evidence: none
Action-Mode: autonomous-fail-open
Task: Otto-297
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* ci(budget-cadence): SHA-pin actions/checkout — clear semgrep gha-action-mutable-tag

Why: PR #25 was BLOCKED by `lint (semgrep)` — `gha-action-mutable-tag`
finding on the bare `actions/checkout@v4` mutable tag. The
tj-actions/changed-files cascade (CVE-2025-30066, March 2025)
landed a malicious commit on 23,000+ repos via exactly this attack
shape. Repo convention is full-SHA pins with trailing version
comments; aligning here.

Replaces `actions/checkout@v4` with the v6.0.2 SHA already used
across `gate.yml`, `codeql.yml`, `low-memory.yml`, `scorecard.yml`
— same canonical pin keeps the supply-chain surface coherent.

Unblocks task Lucent-Financial-Group#287 cost-visibility deadline window (2026-04-26..04-29).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ci(budget-cadence): address Copilot + Codex P1 review threads

3 P1 fixes per PR #25 review:

1. concurrency comment vs cancel-in-progress mismatch (Copilot P1)
   — comment said retriggers cancel; behavior was queue. Fixed
   the comment to match: append-only snapshots.jsonl prefers
   sequential queue to avoid mid-write clobber. The behavior was
   correct; the comment was wrong.

2. personal-name attribution in comments + commit message body
   (Copilot P1) — replaced Aaron-by-name references with role-refs
   ("the human maintainer", "the maintainer"). Otto persona-name
   stays where it appears in trailer block + commit attribution
   per the closed-list-history-surface carve-out
   (`docs/AGENT-BEST-PRACTICES.md` "No name attribution in code,
   docs, or skills" rule + Otto-279 + follow-on clarification:
   commit messages are a history surface where Otto IS the
   role-ref). agent-otto label retained.

3. GITHUB_TOKEN auto-merge dead-end (Codex P1) — removed
   `gh pr merge --auto` step. Per GitHub's anti-infinite-loop
   guard, GITHUB_TOKEN-created PRs don't fire downstream
   workflow runs, so required-status-checks never accumulate
   and `--auto` would dead-end. Workflow now opens the
   snapshot PR and lets the next maintainer or agent pass
   merge it. Documented the constraint in the header comment
   so future readers don't reintroduce --auto without a PAT.

Resolves all four P1 threads on #25.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…al) (Lucent-Financial-Group#666)

LFG main's gate.yml uses dynamic matrix-setup that excludes macos-26
from pull_request + merge_group events ("Linux production legs
only"). Branch protection on main requires `build-and-test (macos-26)`
as a status check, so every LFG PR is structurally BLOCKED.

Aaron's correction (2026-04-28T16:30Z): "we pull out mac and codeql
to merge to main time instead of per pr, and then moved it back to
per pr, I think you just have some staleness and not update to date
with the move back to per per".

This PR makes the surgical edit: matrix-setup's PR/merge_group
branch now outputs `[ubuntu-24.04, ubuntu-24.04-arm, macos-26]`
(was `[ubuntu-24.04, ubuntu-24.04-arm]`). Comment updated to
reflect the cadence change.

Initial draft full-file copy from AceHack was correctly flagged by
Codex P2: AceHack's gate.yml has the older Semgrep bootstrap
(`pip install semgrep`) while LFG already migrated to mise-pinned
`pipx:semgrep` via three-way-parity install.sh (resolves Scorecard
PinnedDependenciesID #17/#18). LFG's improvement preserved by
basing this surgical patch on LFG main rather than AceHack.

Composes with:
- PR Lucent-Financial-Group#657 (originally-queued forward-sync — becomes redundant)
- task Lucent-Financial-Group#306 (cadence-fast revisit)
- BLOCKED LFG queue: Lucent-Financial-Group#655..Lucent-Financial-Group#666 awaiting this unblock

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>