…t script dependency) (Lucent-Financial-Group#660)

* sync(acehack→lfg): infra-batch clean-additive forward-port (4 files, 524+/1-)

First measurable forward-sync step toward 0/0/0 divergence.
Per the human maintainer's 2026-04-28 input: "the numbers are just
growing can you make them go down" — corrective action for the
manufactured-patience-on-forward-sync pattern (Otto-275-FOREVER:
knowing-rule != applying-rule; the ADR for option-c
cherry-pick-with-rewrites landed in PR #31 today, applying it now).

This batch is the SAFE subset: 4 files where the diff between
AceHack/main and LFG/main has zero LFG-only changes since the
last sync (only AceHack-side changes, all forward-portable
without 3-way merge).

Files (all from AceHack/main wholesale):
- .github/workflows/budget-snapshot-cadence.yml (NEW; weekly
  budget cadence per task Lucent-Financial-Group#297)
- .github/workflows/memory-index-duplicate-lint.yml (NEW; lint
  for memory/MEMORY.md duplicate-link detection)
- tools/setup/common/curl-fetch.sh (NEW; sourceable curl-with-
  retry helper, two-function file/streamed split per the
  curl-from-shell-pipe partial-replay caveat)
- tools/setup/macos.sh (modified; uses curl_fetch_stream for the
  Homebrew install path with the two-gate empty-string + exit-
  status defensive check)

The other 9 infra files (`gate.yml`, `codeql.yml`, `mise.toml`,
`.markdownlint-cli2.jsonc`, `linux.sh`, `elan.sh`, `verifiers.sh`,
`resume-diff.yml`, `scorecard.yml`) all have bidirectional changes
(both LFG-only and AceHack-only commits) and need per-file 3-way
merge — deferred to a follow-up batch per the documented option-c
plan in `docs/DECISIONS/2026-04-26-sync-drain-plan-acehack-lfg-roundtrip-option-c.md`.

Expected divergence impact: drops AceHack-ahead by ~5-8 commits
(commits that touched only these 4 files).

Conceived: human maintainer (forward-sync framing)
Authored: agent (option-c batch identification + clean-subset
extraction)
Action-Mode: supervised
Verification: 4 files each individually verified as zero-LFG-only-
changes via `git log --oneline acehack/main..origin/main -- <file>`

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(pr-660): warn-only mode on memory-index-duplicate-lint for initial LFG land

LFG main's memory/MEMORY.md has 8+ pre-existing duplicate-link entries
(feedback_regulated_titles.md x2, feedback_path_hygiene.md x2,
feedback_outcomes_over_vanity_metrics_*.md x2, etc). The lint that
correctly catches them is shipping in this PR for the first time on
LFG side; LFG just hasn't run it before.

Two paths considered:
  (a) Drop the lint workflow from this batch — defer landing
      until LFG dedup PR also lands. Means the workflow lives in
      a not-yet-shipped state.
  (b) Land the lint in WARN-ONLY mode — surface the duplicate
      count to reviewers but don't block PR merges. Then a
      separate dedup PR addresses the data, and a third PR
      promotes the lint back to --enforce mode.

Picked (b) — visibility is the value of the lint; reviewers see
the duplicate count immediately, dedup PR has a clear scope, and
the promote-to-enforce step happens once data is clean.

Per the structural-fix-beats-process discipline (Aaron 2026-04-28):
the lint stays in code, the data gets cleaned in a separate PR,
the lint promotes to enforce mode in a third PR. Three discrete
PRs, each clean-scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Revert "fix(pr-660): warn-only mode on memory-index-duplicate-lint for initial LFG land"

This reverts commit f1dc10f.

* fix(pr-660): strip name attribution + fix retry-count + correct caller paths in curl-fetch.sh

Three form-1 fixes per LFG Lucent-Financial-Group#660 review:

1. Name-attribution strip on code-surface (threads 10, 16): replace
   'Codex P0 review on PR #75 surfaced/confirmed' with role-ref
   'Reviewers surfaced/confirmed'. Per Otto-279 carve-out, code-
   surface stays role-ref-only; named attribution belongs in
   commit-trailers and history surfaces. Per the orphan-role-ref
   discipline (B-0070), removing the source-name leaves the
   technical content standing on its own — no orphan ferry-N
   reference left behind.

2. Retry-count documentation fix (thread 11): 'curl --retry 5'
   means UP TO 5 retries (6 total attempts including initial),
   not 'five attempts total' per curl(1). Updated the RETRY POLICY
   header to reflect curl semantics correctly.

3. Caller-path correction (thread 3): IDEMPOTENCE comment said
   'linux.sh / macos.sh / elan.sh' but actual paths are
   'tools/setup/linux.sh', 'tools/setup/macos.sh',
   'tools/setup/common/elan.sh'. Used full paths so readers can
   navigate to the actual files.

Remaining LFG Lucent-Financial-Group#660 threads (13 of 17) are similar shape — name-
attribution strips on macos.sh, budget-snapshot-cadence.yml,
memory-index-duplicate-lint.yml, audit-memory-index-duplicates.sh,
plus prose accuracy fixes on macos.sh + budget-snapshot-cadence.yml
+ PR description discrepancy. Will batch the remaining as a separate
focused commit in next tick — clean stop-point now to avoid context
staleness compounding.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(pr-660): strip persona/name attribution + fix shellcheck rationale + B-0063 path on current-state surfaces

PR Lucent-Financial-Group#660 review threads addressed (8 of 13 in this commit):

Name-attribution stripping (current-state surfaces — workflows + tools/
that aren't history surfaces under Otto-279 carve-out):

- .github/workflows/budget-snapshot-cadence.yml: removed "Codex review
  #25 P1", "post-ferry-7", "four-ferry consensus", "Amara ferry-7 +
  Grok ferry-16" attribution; replaced with role-refs ("the canonical
  10-trailer convention", "the maintainer's standing direction"). Also
  corrected the misleading top-comment claim "arms auto-merge so the
  row lands without human intervention" — the implementation explicitly
  does NOT arm auto-merge (the workflow opens the PR and leaves it for
  the next pass; auto-merge limitation section already documents why).
- .github/workflows/memory-index-duplicate-lint.yml: removed "Amara
  2026-04-23 decision-proxy + technical review action item #2 (PR Lucent-Financial-Group#219
  absorb)" + the ferry-with-the-proposal pointer; kept the substantive
  rationale.
- tools/hygiene/audit-memory-index-duplicates.sh: removed "Amara's
  2026-04-23 decision-proxy + technical review (PR Lucent-Financial-Group#219)" framing +
  "this tool is the extension Amara named"; kept the substantive
  pattern description.
- tools/setup/macos.sh: removed "per Aaron's 'just install everything'
  round-29 call" → "per the maintainer's standing 'just install
  everything' framing for first-run setup"; removed "codex P0 review on
  PR #75 flagged this" → kept the substantive technical description.

Shellcheck rationale fix (tools/setup/macos.sh line 27):
- Previous SC1091 rationale claimed "CI runs without -x" which is
  unrelated to SC1091 (SC1091 is about source-not-following). Replaced
  with the actual reason: source path constructed via $SETUP_DIR
  (runtime variable) cannot be statically resolved, so the source=
  directive points shellcheck at the actual path and the SC1091
  disable is the runtime-side suppression.
- Also corrected the source= path from `common/curl-fetch.sh`
  (relative to source file's directory, which is unconventional and
  doesn't match shellcheck's path-resolution-from-repo-root behaviour
  in CI) to `tools/setup/common/curl-fetch.sh` (repo-root-relative,
  the convention shellcheck expects).

B-0063 path fix (tools/setup/common/curl-fetch.sh line 178-180):
- Previous comment referenced
  `docs/backlog/P1/B-0063-streamed-installer-download-to-temp-pattern-
  codex-p0-pr-75.md` which doesn't exist on the LFG branch (it's
  AceHack-side). Replaced with bare "B-0063 (streamed-installer
  download-to-temp pattern)" — the ID is enough; future readers can
  grep for B-0063 to find the canonical row regardless of which
  repo/branch they're on.

Otto-279 history-surface attribution carve-out: persona names remain
on memory/, docs/research/, docs/aurora/, ROUND-HISTORY, DECISIONS,
docs/pr-preservation/, hygiene-history, commit messages. Workflows
(.github/workflows/) and tools/ are current-state surfaces — role-refs
only.

Remaining 5 threads (outdated phantom-blocker class + PR description
fix + 1 outdated workflow path) addressed in follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(pr-660): address 3 unresolved review threads — curl feature-detect + drop label flag (PR-body-arithmetic was already-fixed)

PR Lucent-Financial-Group#660 review threads addressed:

1. P1 copilot on tools/setup/common/curl-fetch.sh:155 — `--retry-all-errors`
   not supported on older curl builds (added in 7.71.0, 2020-06-24);
   pre-2020 LTS distros, embedded environments, and some macOS system
   curl will reject it as unknown option and fail the entire call. This
   helper is sourced from install.sh BEFORE any toolchain manager has
   put a newer curl on PATH, so the OS-provided curl IS what runs first.
   Applied the suggested feature-detection wrapper:
   `_curl_fetch_supports_retry_all_errors` runs `curl --help all | grep`
   once per shell (memoised), and `curl_fetch` falls back to plain
   --retry/--retry-delay when the flag isn't supported.

2. P1 copilot on .github/workflows/budget-snapshot-cadence.yml:248 —
   `gh pr create --label "agent-otto"` adds a label via the Issues API
   (PRs are issues); workflow only grants `contents: write +
   pull-requests: write`, so the label call would fail with "resource
   not accessible". Dropped the --label flag entirely. The
   AgencySignature commit-trailer-block already provides git-native
   attribution; host-native label is a nice-to-have not worth widening
   permissions for. Labeling deferred to maintainer/human pass through
   the queue, or to a future workflow with explicit `issues: write`
   scope. Documented inline why the flag was removed.

3. P1 copilot on .github/workflows/memory-index-duplicate-lint.yml:12 —
   "PR description says 4 files but actually 5". This is OUT OF DATE;
   the PR title + body were already updated to "5 files" in the prior
   commit chain. Form-2 closure (already-fixed): the current PR body
   shows 5 files in the table.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(pr-660): add actions:read permission so snapshot-burn.sh can populate burn metrics

PR Lucent-Financial-Group#660 P1 codex thread on .github/workflows/budget-snapshot-cadence.yml:
the workflow runs tools/budget/snapshot-burn.sh which calls the Actions
REST endpoints (/repos/.../actions/runs and /actions/runs/{id}/timing)
to populate burn metrics. With explicit workflow permissions, omitted
scopes are `none`, so those API calls 403 silently — snapshot-burn.sh
falls back to empty timing data, still writes a snapshot, still opens
a PR, but the evidence is misleading zeroed values instead of real
burn history.

Fix: add `actions: read` to the permissions block. The minimal addition
keeps the workflow's least-privilege posture (no other scopes added)
while making the timing API calls succeed.

Documented inline why the scope is needed + the silent-degradation
failure mode it prevents.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(pr-660): address 4 of 5 codex/copilot threads — P0 inputs context + validator consistency + persona-name strip

PR Lucent-Financial-Group#660 review threads addressed (4 of 5 fixed; 1 deferred):

1. P0 copilot line 131 — `inputs.note` is only defined for
   workflow_dispatch / reusable workflows. On `schedule` runs the
   `inputs` context is undefined and expression evaluation can fail.
   Fix: switched to `github.event.inputs.note || ''` which is safe
   across both trigger types (returns empty string on schedule).
   Documented inline why the form changed.

2. P1 copilot line 209 — AgencySignature trailer mismatch:
   Human-Review="not-implied-by-credential" + Human-Review-Evidence=
   "signed-policy" violates the validator consistency rule (Amara
   ferry-5: when Human-Review != explicit, Evidence MUST be "none").
   Fix: changed Evidence to "none" in both trailer-block emissions
   (commit message + PR body). The signed-policy authorization for
   the cadence itself is documented in the commit body prose, not
   the per-run trailer fields — per-run trailers describe per-run
   state, not deployment-time authorization. Updated the top-of-file
   AgencySignature comment to explain the new shape.

3. P1 copilot line 175 — workflow comment had persona-name "Otto"
   ("required a maintainer or Otto"). Otto-279: workflows are
   current-state surface, role-refs only. Fix: replaced with "human
   maintainer or agent" role-ref form.

DEFERRED:

4. P1 copilot line 212 — `Co-authored-by: Otto` in the emitted
   commit trailer block. Per Otto-279, commit messages ARE history
   surface (explicit carve-out item). The destination of the
   emission is history-surface; the workflow code is just the
   source of the value. Keeping as-is is consistent with the
   Otto-279 spirit (the persona name lives where it belongs — in
   the commit trailer history). Replied form-2 with that rationale.

5. P1 copilot line 66 — Homebrew install still uses streamed pipe-
   to-sh. The structurally-safe fix (download-to-temp + checksum-
   verify via curl_fetch) is exactly what backlog item B-0063
   tracks. Implementing it here would expand PR scope substantially
   (~30 lines, security-relevant, needs maintainer review). Form-2
   deferral with B-0063 reference is the right shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>