…ation (#5)

The ADR landed on AceHack PR #4 as Proposed. It names four open
questions for Aaron to decide before the migration PR can land:

1. ID scheme (numeric / slug / UUID)
2. Script home (tools/backlog/ vs inline)
3. Sort order (creation / updated / priority)
4. Concurrent-migration trade (single atomic PR vs staged per tier)

Migration is P0 post-R45 per the ADR itself; HB-002 is the gate.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ogged (Lucent-Financial-Group#177)

Creates durable append-only log for the cadenced NSA testing
protocol declared in the 2026-04-23 "NSA persona is first-
class" directive. Closes gap #3 of the Frontier bootstrap
readiness roadmap (BACKLOG P0, filed Otto-2).

File contents:
- Why-this-exists block with directive verbatim
- Append-only discipline (same shape as sibling
  hygiene-history files)
- 3 test configurations: baseline / NSA-default / NSA-worktree
- 5-prompt test set v1
- Schema: date / test-id / prompt-id / config / model /
  outcome / gap-found / notes
- Outcome definitions: pass / partial / fail
- Cadence: every 5-10 autonomous-loop ticks, one prompt
  per fire
- Known substrate-gap patterns running list
- First row: NSA-001 (Otto-1 feasibility test,
  2026-04-23T18:42:00Z) — partial pass, found Zeta identity
  but missed Otto because MEMORY.md had no pointer; gap
  fixed same-tick, pattern recorded

Attribution: Otto (loop-agent PM hat) — hat-less-by-default
substrate hygiene work. No specialist persona hats worn.

Closes gap #3 of 8 in the Frontier readiness roadmap.
Remaining: gap #1 (multi-repo split) / #2 (linguistic-seed
substrate) / #4 (bootstrap-reference docs) / #5 (factory-vs-
Zeta separation) / #6 (persona file portability) / #7
(tick-history scope-mixed) / #8 (hygiene rows untagged).

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…(Amara action #2) (Lucent-Financial-Group#223)

Amara's 4th ferry (PR Lucent-Financial-Group#221) action item #2: pin Claude model
snapshot + loaded memory state + prompt bundle hash so "Claude"
is not a moving target across model version shifts (3.5 → 3.7 →
4 → 4.x all have materially different system-prompt bundles +
knowledge cutoffs + memory-retention language per archived Drive
artifacts).

Three-part scaffolding (v0):

1. tools/hygiene/capture-tick-snapshot.sh
   - Captures mechanically-accessible state:
     * Claude Code CLI version (`claude --version`)
     * CLAUDE.md + AGENTS.md + memory/MEMORY.md SHAs
     * Memory index byte count
     * Git HEAD + branch + repo
     * Date UTC
     * Per-user ~/.claude/CLAUDE.md SHA if present
   - Outputs YAML (default) or JSON (`--json`)
   - Agent fills model_snapshot + prompt_bundle_hash from
     session context (not CLI-accessible today)

2. docs/hygiene-history/session-snapshots.md
   - Session-level + significant-event pins (not per-tick)
   - Append-only row format: session_id / captured_utc /
     event (session-open | mid-session-pin | session-close |
     compaction) / agent / model / CLI version / git state /
     files SHAs / notes / prompt_bundle_hash
   - Seeded with one mid-session-pin for this tick's Otto-70
     capture (the session has been running ~70 ticks; actual
     session-open is earlier and unreachable for pins)

3. docs/hygiene-history/loop-tick-history.md schema extension
   - New "On snapshot pinning" subsection documenting the
     relationship: per-tick pins optional + inline in `notes`;
     session-level pins go in the sidecar file.
   - Snapshot capture is discipline, not gate — don't slow
     the autonomous-loop tick-close for every fire.

What the snapshot does NOT capture yet:

- model_snapshot — known to the agent from session context,
  not exposed by `claude --version` (which gives CLI version
  only). Agent fills.
- prompt_bundle_hash — no current tool reconstructs the
  system prompt bundle. Placeholder null until such a tool
  lands. Amara's Determinize-stage work potentially.
- Active permissions / skill set — session-specific; not
  captured in v0.

First run of the tool on this branch surfaced a separate
drift: memory/MEMORY.md is at 58842 bytes (~58KB, over the
FACTORY-HYGIENE row #11 24976-byte cap). Not fixed in this
PR — known-separately tracked drift.

Amara Stabilize-stage: 3/3 landed (with this PR).
  ✓ Action #3 — decision-proxy-evidence schema (PR Lucent-Financial-Group#222)
  ✓ Action #4 — branch-chat non-canonical framing (PR Lucent-Financial-Group#222)
  ✓ Action #2 — snapshot pinning scaffolding (this PR)

"Deterministic reconciliation" framing (Otto-67 endorsement):
snapshot pinning is the mechanism that reconciles "what Claude
knew" with "what Claude did" across time — essential for any
future audit, tuning, or Amara-style drift analysis.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…didates (Lucent-Financial-Group#261)

Amara's 7th courier ferry (PR Lucent-Financial-Group#259) proposed 5 additional
public-facing brand candidates focused on the control-plane /
execution-layer role: Beacon, Lattice, Harbor, Mantle, Northstar.
The 5th-ferry memo (PR Lucent-Financial-Group#235 → PR Lucent-Financial-Group#257 Aurora README) had already
proposed Lucent KSK, Lucent Covenant, Halo Ledger, Meridian Gate,
Consent Spine.

Combines both shortlists into a single table preserving both
ferries' source attribution so Aaron's eventual brand decision
has the full option space.

Also adds the 7th-ferry preferred naming pattern (Aurora =
vision; Beacon KSK / Lattice KSK = shippable control-plane;
Zeta = substrate) as Amara's rhetorical proposal — not
adopted, preserved as input.

Brand decision remains Aaron's (M4 milestone; not Otto's to
pick).

No implementation changes; no operational policy changes;
pure additive documentation update preserving both ferries'
attribution per signal-in-signal-out discipline + §33
archive-header format already at top of README.

Lands within-standing-authority per Otto-82 calibration
(docs-only branding-input update; NOT a brand decision).

Closes 7th-ferry absorb candidate BACKLOG row #4 of 5
(branding shortlist update). Remaining candidates for Otto-90+:
- KSK-as-Zeta-module implementation (L; cross-repo)
- Oracle-scoring research (M)
- BLAKE3 receipt hashing design (M)
- Aminata threat-model pass on 7-class threat model (S)

Otto-89 tick primary deliverable.

…dvisory) (Lucent-Financial-Group#263)

Aminata's adversarial review of three technical sections of
Amara's 7th courier ferry (PR Lucent-Financial-Group#259 merged): the 7-class
threat model, the formal oracle rule, and the Veridicality +
network-health scoring families.

Classifications per section:

- 7-class threat model: IMPORTANT — covers obvious external-
  adversary cone cleanly; misses insider maintainer, receipt-
  flooding DoS, signer-collusion/quorum-capture, time-source
  adversary, side-channel leakage, cryptographic-agility.
  Not audit-ready without insider class.
- Oracle rule Authorize(a,t): CRITICAL — boolean conjunction
  of 5 predicates, 3 under-specified, all 5 race-able at
  check-time vs execute-time, not closed under action
  composition. As written is specification of intent, not
  safety control.
- Veridicality V(c) + network-health S(Z_t): CRITICAL —
  gameable-by-self-attestation (5/6 inputs are self-reports);
  parameter-fitting adversary unblocked without ADR gate;
  false-precision risk (sigmoid of ordinal signals); partial
  contradiction with SD-9 (coherence term rewards carrier-
  laundered consensus).

Cross-section dependencies: landing one section commits to
the others; presenting as separable is misleading.

Top-three adversary budget (highest leverage × lowest cost):
1. Parameter-fitting on V(c)/S(Z_t) — cheapest attack.
2. Approval-withdrawal race at execute-time.
3. Capability-reclassifier bypass (k3 → k2 at
   ICapabilityClassifier).

Common shape: design names "pluggable" without naming the
gate on the plug.

Out-of-scope content flagged: BLAKE3 receipt-hash binding
(belongs in lucent-ksk ADR not Zeta-module doc); branding
shortlist (scope-creep); Bitcoin anchoring (separate trust-
model); 12-row test checklist mixes property/policy/scoring
rows.

Archive-header format self-applied (Scope / Attribution /
Operational status / Non-fusion disclaimer) — eighth
aurora/research doc to exercise the convention.

Lands within-standing-authority per Otto-82 calibration —
research-grade advisory doc, not account/spending/named-
design-review gated; classifies existing design, doesn't
implement.

Closes 7th-ferry absorb candidate BACKLOG row #4 of 5 this
session (Aminata threat-model pass). Remaining candidates for
Otto-91+:
- KSK-as-Zeta-module implementation (L; cross-repo; Aaron
  Otto-90 pre-approved Aaron+Max coordination so not a
  formal gate, but cross-repo design work warrants care)
- Oracle-scoring research (M) — V/S parameter fitting +
  carrier-aware term per this pass's recommendation
- BLAKE3 receipt hashing design (M) — lucent-ksk ADR

Otto-90 tick primary deliverable.

…ries (8th-ferry candidate #1) (Lucent-Financial-Group#278)

Research-grade absorb per Amara 8th-ferry landing plan
(PR Lucent-Financial-Group#274). Separates real quantum-sensing literature from
software analogy so the latter can borrow carefully without
contaminating the former.

Key structure:

- **Do not operationalize stated as first rule** — this doc
  MUST NOT be cited as authorisation for Zeta or Aurora
  "quantum-powered" / "quantum-inspired" claims. 2024
  engineering review caps microwave QR at <1 km typical.
- **What the physics actually supports**: Lloyd 2008 +
  Tan Gaussian-state 6 dB error-exponent + 2023 Nature
  Physics microwave demo + 2024 engineering range-cap
  review + standard radar R⁻⁴ range equation. Quantum
  sensing broader and more mature than quantum-radar
  specifically (NV-centers / magnetometers / atomic clocks
  are real; radar is speculative).
- **5 importable software analogies**: retained reference
  path (anchor for weak evidence); correlation beats
  isolation (kNN retrieval not single-source agreement);
  time-bandwidth product (repeated independent
  observations over window); decoherence (carrier overlap
  destroys independence weight); cross-section-is-
  observability (salience != evidence).
- **6-item NOT-imply list**: no quantum-radar claim; no
  quantum-inspired algebra; no quantum-certified alignment
  robustness; no Aurora-as-quantum-safety; etc. First-class
  content, future references must honour.
- **Composition table** mapping analogies to existing
  substrate (SD-9 / DRIFT-TAXONOMY patterns 2 + 5 /
  citations-as-first-class / alignment-observability /
  oracle-scoring v0 / BLAKE3 v0). No new mechanisms
  proposed; analogies slot in as framing.
- **Graduation candidates** named with explicit ADR gating:
  retained-witness correlation metric; salience-vs-evidence
  PR review diagnostic; decoherence-inspired carrier-
  downgrade rule. Each needs separate ADR + operational
  artifact + regression-test before graduating.

Scope limits:
- Does NOT propose implementation.
- Does NOT audit existing Zeta claims against analogy
  boundaries.
- Does NOT commit to quantum-literature tracking cadence.
- Does NOT license creative expansion of analogy set
  (5 is what Amara cited; new literature = new research
  doc).
- Does NOT re-verify primary sources; preserves Amara's
  scoping discipline verbatim.

Self-applies §33 archive-header format — 14th
aurora/research doc in a row.

Lands within-standing-authority per Otto-82/90/93
calibration — research-grade doc; not account / spending /
named-design-review / readiness-signal gated.

Closes 8th-ferry candidate #1 of remaining 4 (after
TECH-RADAR batch closed #5 Otto-96). Remaining:
- #2 Semantic-canonicalization research doc (M; spine)
- #3 Provenance-aware bullshit-detector (M)
- #4 docs/EVIDENCE-AND-AGREEMENT.md future operational
  promotion (gated on 1-3)

Otto-97 tick primary deliverable.

… detector) (Lucent-Financial-Group#328)

First full integration of the Graph detection pipeline: combines
largestEigenvalue (spectral growth) + labelPropagation (community
partition) + modularityScore (partition evaluation) into a single
scalar risk score.

Surface:
  Graph.coordinationRiskScore
      (alpha: double) (beta: double)
      (eigenTol: double) (eigenIter: int) (lpIter: int)
      (baseline: Graph<'N>) (attacked: Graph<'N>)
      : double option

Composite formula (MVP):
  risk = alpha * Δλ₁_rel + beta * ΔQ

where:
- Δλ₁_rel = (λ₁(attacked) - λ₁(baseline)) / max(λ₁(baseline), eps)
- ΔQ = Q(attacked, LP(attacked)) - Q(baseline, LP(baseline))

Both signals fire when a dense subgraph is injected: λ₁ grows
because the cartel adjacency has high leading eigenvalue; Q grows
because LP finds the cartel as its own community and Newman Q
evaluates that partition highly.

Weight defaults per Amara 17th-ferry initial priors:
- alpha = 0.5 spectral growth
- beta  = 0.5 modularity shift

Tests (3 new, 34 total in GraphTests, all passing):
- Empty graphs -> None
- Cartel injection -> composite > 1.0 (both signals fire)
- attacked == baseline -> composite near 0 (|score| < 0.2)

Calibration deferred (Amara Otto-132 Part 2 correction #4 — robust
statistics via median + MAD): this MVP uses raw linear weighting
over differences. Full CoordinationRiskScore with robust z-scores
over baseline null-distribution is a future graduation once
baseline-calibration machinery ships. RobustStats.robustAggregate
(PR Lucent-Financial-Group#295) already provides the median-MAD machinery; just needs a
calibration harness to use it.

14th graduation under Otto-105 cadence. First full integration
ship using 4 Graph primitives composed together (λ₁ + LP +
modularity + composer).

Build: 0 Warning / 0 Error.

Provenance:
- Concept: Aaron (firefly network + trivial-cartel-detect) +
  Amara's composite-score formulations across 12th/13th/14th/
  17th ferries
- Implementation: Otto (14th graduation)

Composes with:
- Graph.largestEigenvalue (PR Lucent-Financial-Group#321)
- Graph.labelPropagation (PR Lucent-Financial-Group#326)
- Graph.modularityScore (PR Lucent-Financial-Group#324)
- RobustStats.robustAggregate (PR Lucent-Financial-Group#295) — for future robust
  variant

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…correction) (Lucent-Financial-Group#332)

Completes the input pipeline for TemporalCoordinationDetection.
phaseLockingValue (PR Lucent-Financial-Group#298): PLV expects phases in radians but
didn't prescribe how events become phases. This ship fills the
gap.

17th graduation under Otto-105 cadence. Addresses Amara 17th-ferry
Part 2 correction #5: 'Without phase construction, PLV is just a
word.'

Surface (2 pure functions):
- PhaseExtraction.epochPhase : double -> double[] -> double[]
  Periodic-epoch phase. φ(t) = 2π · (t mod period) / period.
  Suited to consensus-protocol events with fixed cadence (slot
  duration, heartbeat, epoch boundary).
- PhaseExtraction.interEventPhase : double[] -> double[] -> double[]
  Circular phase between consecutive events. For sample t in
  [t_k, t_{k+1}), phase = 2π · (t - t_k) / (t_{k+1} - t_k).
  Suited to irregular event-driven streams.

Both return double[] of phase values in [0, 2π) radians. Empty
output on degenerate inputs (no exception). eventTimes assumed
sorted ascending; samples outside the event range get 0 phase
(callers filter to interior if they care).

Hilbert-transform analytic-signal approach (Amara's Option B)
deferred — needs FFT support which Zeta doesn't currently ship.
Future graduation when signal-processing substrate lands.

Tests (12, all passing):
epochPhase:
- t=0 → phase 0
- t=period/2 → phase π
- wraps cleanly at period boundary
- handles negative sample times correctly
- returns empty on invalid period (≤0) or empty samples

interEventPhase:
- empty on <2 events or empty samples
- phase 0 at start of first interval
- phase π at midpoint
- adapts to varying interval lengths (O(log n) binary search
  for bracketing interval)
- returns 0 before first and after last event (edge cases)

Composition with phaseLockingValue:
- Two nodes with identical epochPhase period → PLV = 1
  (synchronized)
- Two nodes with same period but constant offset → PLV = 1
  (perfect phase locking at non-zero offset is still locking)

This composes the full firefly-synchronization detection
pipeline end-to-end for event-driven validator streams:
  validator event times → PhaseExtraction → phaseLockingValue
  → temporal-coordination-detection signal

5 of 8 Amara 17th-ferry corrections now shipped:
#1 λ₁(K₃)=2 ✓ already correct (PR Lucent-Financial-Group#321)
#2 modularity relational ✓ already correct (PR Lucent-Financial-Group#324)
#3 cohesion/exclusivity/conductance ✓ shipped (PR Lucent-Financial-Group#331)
#4 windowed stake covariance ✓ shipped (PR Lucent-Financial-Group#331)
#5 event-stream → phase pipeline ✓ THIS SHIP
Remaining: #4 robust-z-score composite variant (future);
#6 ADR phrasing (already correct); #7 KSK naming (BACKLOG
Lucent-Financial-Group#318 awaiting Max coord); #8 SOTA humility (doc-phrasing
discipline).

Build: 0 Warning / 0 Error.

Provenance:
- Concept: Aaron firefly-synchronization design
- Formalization: Amara 17th-ferry correction #5 with 3-option
  menu (epoch / Hilbert / circular)
- Implementation: Otto (17th graduation; options A + C shipped,
  Hilbert deferred)

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…-ferry §B + §F + corrections #2 #7 #9 (Lucent-Financial-Group#342)

Research-grade design doc for the Stage-2 rung of Amara's
corrected promotion ladder. Specifies: (a) placement under
src/Experimental/CartelLab/ (not src/Core/ — that's Stage 4);
(b) MetricVector type with PLV magnitude AND offset split
(correction #6); (c) INullModelGenerator interface +
Preserves/Avoids table columns; (d) IAttackInjector
forward-looking interface (Stage 3); (e) Wilson-interval
reporting contract with {successes, trials, lowerBound,
upperBound} schema (correction #2 — no more "~95% CI ±5%"
handwave); (f) RobustZScoreMode with Hybrid fallback
(correction #7 — percentile-rank when MAD < epsilon);
(g) explicit artifact-output layout under artifacts/
coordination-risk/ with five files + run-manifest.json
(correction #9).

6-stage promotion path (0 doc / 1 ADR / 2.a skeleton /
2.b full null-models + first attack / 3 attack suite /
4 Core/NetworkIntegrity / 5 Aurora-KSK) matches Amara's
corrected ladder and Otto-105 cadence.

Doc-only change; no code, no tests, no workflow, no
BACKLOG tail touch (avoids positional-conflict pattern
that cost Lucent-Financial-Group#334 → Lucent-Financial-Group#341 re-file this session).

This is the 7th of 10 18th-ferry operationalizations:
- #1/#10 test-classification (Lucent-Financial-Group#339)
- #2 Wilson-interval design specified (this doc)
- #6 PLV phase-offset shipped (Lucent-Financial-Group#340)
- #7 MAD=0 Hybrid mode specified (this doc)
- #9 artifact layout specified (this doc)
- #4 exclusivity already shipped (Lucent-Financial-Group#331)
- #5 modularity relational already shipped (Lucent-Financial-Group#324)

Remaining: Wilson-interval IMPLEMENTATION (waits on Lucent-Financial-Group#323 +
Stage 2.a), MAD=0 Hybrid IMPLEMENTATION (waits on Lucent-Financial-Group#333 +
Stage 2.a), conductance-sign doc (waits on Lucent-Financial-Group#331), Stage-2.a
skeleton itself.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…mara #4 robust) + 3 BACKLOG rows (Lucent-Financial-Group#333)

* core: RobustStats.robustZScore + Graph.coordinationRiskScoreRobust — 18th graduation (Amara #4 robust)

Two ships consolidated per the 'parallel PRs hit positional
conflicts on tail-append' lesson:

1. RobustStats.robustZScore
   (baseline: double seq) -> (measurement: double) -> double option
   Returns (measurement - median) / (1.4826 · MAD). The 1.4826
   constant scales MAD to be consistent with Gaussian stddev.
   MadFloor prevents blow-up when every baseline value equal.

2. Graph.coordinationRiskScoreRobust
   alpha beta eigenTol eigenIter lpIter
   (baselineLambdas: double seq) (baselineQs: double seq)
   (attacked: Graph<'N>) -> double option
   Upgrades coordinationRiskScore (PR Lucent-Financial-Group#328) from raw linear
   differences to robust-standardized z-scores per Amara
   17th-ferry correction #4. Caller provides baseline metric
   distributions; Z-scores calibrate thresholds from data.

Why robust z-scores: adversarial data isn't normally
distributed. An attacker can poison a ~normal distribution
by adding a few outliers that inflate stddev, making
subsequent real attacks look 'within one sigma'. Median+MAD
survives ~50% adversarial outliers. Standard move in robust
statistics literature; Amara's correction puts it on the
Zeta composite.

Tests (5 new; total 39 since main hasn't merged Lucent-Financial-Group#331/Lucent-Financial-Group#332 yet):
- robustZScore None on empty baseline
- robustZScore of measurement = median is 0
- robustZScore scales MAD by 1.4826 for Gaussian consistency
  (measurement 4 on baseline [1..5] ≈ 0.674)
- coordinationRiskScoreRobust fires strongly on K4-injected graph
  given 5 baseline samples
- coordinationRiskScoreRobust returns None on empty baselines

BACKLOG rows added this tick per Aaron Otto-139 directives:
1. Signal-processing primitives (FFT + Hilbert) — unblocks
   Amara correction #5 Option B; Aaron standing-approval
2. F# DSL for entry points + graph-query-language standards
   compliance (Cypher / GQL / Gremlin / SPARQL / Datalog)
3. LINQ-compatible entry points for C# consumers — pair with
   F# DSL; two frontends, one algebraic backend

6 of 8 Amara 17th-ferry corrections now shipped or confirmed:
Remaining: #6 ADR phrasing (already fine); #7 KSK naming
(BACKLOG Lucent-Financial-Group#318 Max coord pending); #8 SOTA humility
(doc-phrasing discipline ongoing).

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(Lucent-Financial-Group#333): 4 review-thread P1/P2s on robustZScore + coordinationRiskScoreRobust

Active PR-resolve-loop on Lucent-Financial-Group#333.

1. Doc/impl contradiction on MAD=0 (thread 59VhYb, P1):
   RobustStats.robustZScore doc said "returns None when
   MAD(baseline)=0" but impl uses MadFloor and returns
   Some finite value. Rewrote doc to match impl:
   explicit "MadFloor substituted when MAD collapses to
   zero" — floor reflects "scale is below epsilon" not
   "undefined." Implementation is the contract.

2. Multi-enumeration of baseline seq (thread 59VhYq, P1):
   robustZScore previously passed `baseline` to both
   `median` + `mad` which each call `Seq.toArray`.
   Expensive AND inconsistent for lazy/non-repeatable
   sequences (different values between enumerations =
   undefined behavior). Fixed: `Seq.toArray` once at
   entry, pass the materialized array to both. O(n)
   instead of O(2n); stable across lazy sources.

3. Name attribution in Graph.fs doc comment (thread
   59VhY5, P1): "Amara 17th-ferry... Otto 18th
   graduation" → "external AI collaborator's 17th
   courier ferry... Eighteenth graduation under the
   Otto-105 cadence." Role-reference convention per
   AGENT-BEST-PRACTICES code/doc rule.

4. Array-vs-seq terminology (thread 59VhZG, P2):
   Graph.fs doc said callers "provide arrays" but the
   API is `double seq`. Rewrote: sequences + noted the
   materialize-once optimization in robustZScore so
   callers can pass any seq form without re-enumeration
   cost.

Thread 59VhX9 (P3-label-in-P2-section mismatch) — already
resolved on main via PR Lucent-Financial-Group#341 which landed the signal-
processing row correctly labeled "P2 research-grade."
No fix needed on this branch.

Build: 0 Warning(s) / 0 Error(s). 53 RobustStats + Graph
tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…(Overlay A #4) (Lucent-Financial-Group#162)

* memory: migrate external-signal-confirms-internal-insight discipline (Overlay A #4)

Fourth opportunistic-on-touch Overlay A migration in the
2026-04-23 cadence, following PRs Lucent-Financial-Group#157 / Lucent-Financial-Group#158 / Lucent-Financial-Group#159.

Rule: when an external signal (YouTube recommender /
maintainer echo / expert writeup / third-party research)
independently corroborates a factory-internal architectural
insight, treat as strictly stronger moat evidence than the
internal claim alone. Second-occurrence discipline — first
= noteworthy, second = file, third+ = name-the-pattern.
Capture the pre-validation paper trail so the confirmation
is verifiable, not retconned.

Two concrete occurrences documented (Muratori 5-pattern →
Zeta equivalents; three-substrate triangulation via
Claude/Codex/Gemini capability maps).

Migration discipline per PR Lucent-Financial-Group#157/Lucent-Financial-Group#158/Lucent-Financial-Group#159 pattern:
- In-repo copy with "Migrated to in-repo" header
- Per-user source with "Migrated to in-repo" marker
- MEMORY.md index entry newest-first
- markdownlint MD026 trailing-colon headings fixed
  ("## Why:" → "## Why"; "## How to apply:" → "## How to
  apply")

Queue now 1 remaining (semiring-parameterized-zeta).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* memory: address PR Lucent-Financial-Group#162 review — occurrence-count + per-user xref clarifications

Six Copilot findings on the external-signal-confirms-internal-
insight memory:

- Heading "## The two occurrences observed to date" was stale
  (the file itself later lists 3+ occurrences). Renamed to
  "## The first occurrences observed (memory captured at the
  second)" — reflects the memory's origin without asserting
  a count.
- `docs/research/arc3-dora-benchmark.md §Prior-art` section
  doesn't exist. Relaxed to "section name TBD; the doc
  captures adjacent prior-art discussion."
- Four per-user memory cross-references clarified via a new
  preamble note at the top of §Cross-references: those files
  live in per-user memory (~/.claude/projects/<slug>/memory/),
  not in-repo; citations are provenance-reference not in-repo
  navigation.

All 6 threads resolved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…sibling (Lucent-Financial-Group#147)

* Live-lock audit history: inaugural lesson integrated — prevention discipline for next time

Aaron 2026-04-23:

> if you want to beat ARC3 and do better than humans at uptime and
> other DORA metrics then your live-lock smell and the decisions you
> make to prevent live locks in the future based on pass lessons, the
> ability to integrate previous lessions and not forget is ging to be
> key.

Lesson-permanence is the factory's competitive differentiator.
Detection (audit script) is table stakes. Integration — recording the
lesson, consulting it forward, preventing re-occurrence — is the
product.

## What lands

- New "Lessons integrated" section in
  `docs/hygiene-history/live-lock-audit-history.md`
- Inaugural lesson from tonight's smell-firing event, structured as
  signature / mechanism / prevention with 4 concrete prevention
  decisions:
  1. External-priority stack is authoritative; agent reorders only
     internal priorities
  2. Live-lock audit at round-close is a gate-not-a-report
  3. Speculative-work permit requires external-ratio check first
  4. Tick-history rows are explicitly NOT external work; pair INTL
     with EXT when the smell is near firing
- Open carry-forward named: round-close-ladder wiring is a P1
  follow-up (BACKLOG row already filed earlier this session)

## Discipline

Every future smell firing files a lesson to this same section.
`memory/feedback_lesson_permanence_is_how_we_beat_arc3_and_dora_2026_04_23.md`
captures the full rule: detection is not enough, integration is the
product, lessons are consulted BEFORE taking actions that match known
failure-mode signatures, memory persists across sessions.

The pattern extends beyond live-lock: other detection mechanisms
(SignalQuality firing, Amara-oracle rejecting, drift-tick exceeding
threshold, OpenSpec Viktor failing rebuild-from-spec) should file
lessons to their respective hygiene-history files.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples: ServiceTitan factory-demo JSON API (v0, in-memory, stack-independent)

Minimal F# ASP.NET Core Web API serving CRM seed data as JSON. Any
frontend choice (Blazor / React / Vue / curl) consumes the same
endpoints. Ships now so the backend is not on the critical path when
Aaron picks the frontend stack.

## What lands

- `samples/ServiceTitanFactoryApi/ServiceTitanFactoryApi.fsproj`
  using `Microsoft.NET.Sdk.Web`; only explicit package ref is
  `FSharp.Core` (ASP.NET Core comes via framework reference, no
  Directory.Packages.props edit needed)
- `Seed.fs` — in-memory seed mirroring `ServiceTitanFactoryDemo/seed-data.sql`:
  20 customers, 30 opportunities (5 stages), 33 activities, 2 intentional
  email collisions. Deterministic fixed clock at 2026-04-23 00:00 UTC.
- `Program.fs` — minimal F# API with 9 endpoints: customers (list/detail),
  opportunities (list/detail), activities (list/per-customer), pipeline
  funnel (count + total-cents per stage), duplicates (customers sharing
  an email).
- `README.md` — framing (software-factory demo, not database pitch),
  endpoint table, design notes, v1 roadmap.

## Smoke-test output (verified)

```
GET /api/pipeline/funnel
[{"count":10,"stage":"Lead","totalCents":5400000},
 {"count":6, "stage":"Qualified","totalCents":4220000},
 {"count":6, "stage":"Proposal","totalCents":5720000},
 {"count":6, "stage":"Won","totalCents":2670000},
 {"count":2, "stage":"Lost","totalCents":490000}]

GET /api/pipeline/duplicates
[{"customerIds":[1,13],"email":"alice@acme.example"},
 {"customerIds":[5,19],"email":"bob@trades.example"}]
```

Build: 0 Warning(s), 0 Error(s). `dotnet run` starts the API;
curl confirms all endpoints respond correctly.

## Discipline signal

This is the third EXT commit of the session (CRM demo sample Lucent-Financial-Group#141,
CRM scenario tests in Lucent-Financial-Group#143, now this API). The live-lock audit's
inaugural lesson explicitly prescribed shipping external-priority
increments when the smell fires. Three landed this session, all on
priority #1 (ServiceTitan + UI) — the factory is correctly
response-pattern even before any of tonight's PRs merge to main.

## What this does NOT do

- Does NOT wire Postgres — in-memory only for v0; Npgsql wiring is
  a follow-up PR once Aaron confirms the DB driver
- Does NOT expose Zeta / DBSP / retraction-native language to the
  frontend — standard CRUD shape per the ServiceTitan positioning
  directive
- Does NOT implement writes — v0 is read-only; POST/PUT/DELETE is
  a follow-up
- Does NOT add auth — no authentication for v0
- Does NOT ship docker-compose — future PR bundles this API with
  Postgres in one command

Composes with:
- `samples/ServiceTitanFactoryDemo/` (SQL schema + seed) — sibling,
  same shapes; v1 wires this API to that schema
- `docs/plans/servicetitan-crm-ui-scope.md` — build sequence step 1
  (API skeleton) complete; step 2 (DB wiring) is next
- `memory/feedback_servicetitan_demo_sells_software_factory_not_zeta_database_2026_04_23.md`
- `memory/feedback_lesson_permanence_is_how_we_beat_arc3_and_dora_2026_04_23.md`

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples: ServiceTitan factory-demo C# companion API — parity with F# sibling

ServiceTitan uses C# for most of their backend with zero F#. Shipping
a C# companion to the F# API (Lucent-Financial-Group#146) so ST engineers evaluating the
factory see code in the language they already read fluently.
F# stays the reference — it's closer to math, theorems are easier to
express — but factory output matches audience stack.

## What lands

- `ServiceTitanFactoryApi.CSharp.csproj` — `Microsoft.NET.Sdk.Web`,
  nullable + implicit usings enabled, TreatWarningsAsErrors
- `Customer.cs`, `Opportunity.cs`, `Activity.cs` — records, one
  per file (MA0048)
- `Seed.cs` — deterministic in-memory seed, identical to F# Seed.fs:
  20 customers, 30 opportunities, 33 activities, 2 intentional
  email collisions
- `Program.cs` — 9 minimal-API endpoints, identical routes + JSON
  shapes to the F# sibling
- `README.md` — parity guarantee, design notes, C# specifics

## Smoke-test parity (verified)

```
GET /api/pipeline/funnel
[{"stage":"Lead","count":10,"totalCents":5400000}, ...5 stages]

GET /api/pipeline/duplicates
[{"email":"alice@acme.example","customerIds":[1,13]},
 {"email":"bob@trades.example","customerIds":[5,19]}]

GET /api/customers  -> 20 customers
```

Same seed, same shapes, same numbers as the F# version (Lucent-Financial-Group#146).
Frontends switch between them without code changes.

## Analyzer discipline passes

Build: 0 Warning(s), 0 Error(s) with the full SonarAnalyzer.CSharp +
Meziantou.Analyzer + Microsoft .NET Analyzers pack active. The C#
companion respects every rule the F# version's discipline
already encodes implicitly — StringComparer.Ordinal for GroupBy,
static-readonly for endpoint list, record-per-file, no-var-discarded.

## Discipline signal

Fourth EXT commit of the session (CRM demo Lucent-Financial-Group#141, CRM scenario tests
Lucent-Financial-Group#143, F# API Lucent-Financial-Group#146, now this C# API). All on Aaron's priority #1.
The live-lock audit's inaugural lesson prescribed "ship external-
priority increments when smell fires" — four landed in one session.

## Factory-pitch moment

This pair (F# + C# from the same spec, identical behaviour) is a
concrete factory-capability signal. The software factory produces
code in your stack, to your analyzer discipline, with parity across
languages. The pitch isn't "pick our language"; it's "your language,
enforced by our quality floor."

## What this does NOT do

- Does NOT rewrite or deprecate the F# sibling — both live
- Does NOT wire Postgres — same v0 scope
- Does NOT leak Zeta / DBSP / retraction-native concepts to the
  ST-facing surface
- Does NOT claim the C# version is the primary — F# is reference

Composes with:
- `samples/ServiceTitanFactoryApi/` (F# sibling)
- `memory/project_zeta_f_sharp_reference_c_sharp_and_rust_future_servicetitan_uses_csharp_2026_04_23.md`
- `memory/feedback_servicetitan_demo_sells_software_factory_not_zeta_database_2026_04_23.md`

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* rename: generic FactoryDemo.Api.CSharp (was ServiceTitanFactoryApi.CSharp)

Aaron 2026-04-23 directive:

> lets try to reduce the number of class and thing we call servce titan
> or this will be confusing in a Zeta repo. ... this is not a service
> titan repo, it's an open source repo.

Plus, 2026-04-23 follow-up on language priority:

> c# is a more popular language than f# so it makes sense to start
> with a factory c# demo anyways

## What renames

- `samples/ServiceTitanFactoryApi.CSharp/` →
  `samples/FactoryDemo.Api.CSharp/`
- Project name + csproj filename same rename
- `RootNamespace` `Zeta.Samples.ServiceTitanFactoryApi` →
  `Zeta.Samples.FactoryDemo.Api`
- `namespace` declarations in .cs files match
- Zeta.sln project entry updated
- README rewritten to generic framing (C# is the popular
  .NET language; demo starts there; F# stays reference)
- Root endpoint name field `"ServiceTitan factory-demo API (C#)"` →
  `"Factory-demo API (C#)"`
- All doc cross-references updated to new path names

Build: 0 Warning(s), 0 Error(s) with the full SonarAnalyzer +
Meziantou + Microsoft .NET Analyzers pack. Behaviour unchanged —
same 9 endpoints, same JSON shapes, same seed.

Memory rule:
`memory/feedback_open_source_repo_demos_stay_generic_not_company_specific_2026_04_23.md`
captures the positioning directive in durable form so future
agents don't re-introduce company-specific names.

Sibling renames land in separate PRs / branches:
- F# API sibling (currently PR Lucent-Financial-Group#146 / ServiceTitanFactoryApi)
- DB scaffold (PR Lucent-Financial-Group#145 / ServiceTitanFactoryDemo)
- CRM kernel sample (PR Lucent-Financial-Group#141 / ServiceTitanCrm)
- CRM-UI scope doc (PR Lucent-Financial-Group#144 / docs/plans/servicetitan-crm-ui-scope.md)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* FactoryDemo.Api.CSharp: smoke-test.sh — end-to-end endpoint + contract verification

I chose to land this because the JSON-shape parity claim we make
in the README ("byte-identical shapes between F# and C# versions")
needs a machine-verifiable check. A smoke test on the C# side is the
first half; the F# sibling gets the same pattern in a follow-up.

Starts the API on a random port, waits up to 10s for readiness,
then runs 19 checks against all 9 endpoints:

  - Root metadata: name, version, endpoints length
  - Collection lengths: customers (20), opportunities (30), activities (33)
  - Single-item lookup: customer #1 name, opportunity #1 stage
  - Per-customer activities: customer #1 has 4
  - Pipeline funnel counts per stage: Lead 10, Qualified 6, Won 6, Lost 2
  - Pipeline funnel totals in cents: Lead $54k, Won $26.7k
  - Duplicates: 2 pairs, (1,13) share alice@acme, (5,19) share bob@trades
  - 404 behaviour: missing customer returns 404

Shuts the API down cleanly on exit via trap + kill.

```
$ bash samples/FactoryDemo.Api.CSharp/smoke-test.sh
Building API...
Starting API on http://localhost:5235...

Factory-demo C# API smoke test
==============================
  OK   root.name contains 'Factory-demo'                  (true)
  OK   root.version                                       (0.0.1)
  OK   root.endpoints length                              (5)
  OK   /api/customers length                              (20)
  ...
  OK   missing customer HTTP status                       (404)

All checks passed.
```

dotnet, curl, jq — all standard dev tools. The demo does not ask
for anything exotic. Matches the FactoryDemo.Db smoke-test.sh
pattern on the sibling branch.

- Random high port (5100-5499) instead of fixed — reduces collision
  with other dev services.
- `curl -sf` for normal checks, `curl -o /dev/null -w "%{http_code}"`
  for the 404 case — the two paths have different error semantics so
  I use different tools for each.
- Shape-level assertions against numeric counts rather than raw JSON
  diff — makes the test tolerant of property-ordering differences
  between serializers. The parity claim is about *shape*, not byte-
  identity, so this matches intent.
- Trap + kill on EXIT — guarantees the API stops even on test
  failure or ctrl-C. No leaked background processes.

- Does NOT test the F# sibling. Same-pattern smoke-test for
  FactoryDemo.Api.FSharp lands in its branch (or a follow-up
  PR on that branch).
- Does NOT diff F# vs C# outputs directly. A cross-language
  parity-diff test composes better as a separate tool once both
  APIs have merged.
- Does NOT wire to Postgres. In-memory seed only; docker-compose
  + DB wiring is a separate PR.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples+audit: PR Lucent-Financial-Group#147 review-drain — sln BOM, signal-quality empty-case, audit fail-hard, endpoint lists

Drains 14 unresolved review threads on PR Lucent-Financial-Group#147 (FactoryDemo.Api.CSharp):
- Zeta.sln: strip leading blank line so 'Microsoft Visual Studio
  Solution File' is the first line (threads #2 #3).
- SignalQuality.fs: compressionRatio on empty input was 1.0, which
  composed as Quarantine via severityOfScore — flipped to 0.0 and
  added explicit empty-input Pass finding in compressionMeasure;
  also dropped unused System.Runtime.CompilerServices open
  (threads #4 #5).
- live-lock-audit.sh: fail hard (exit 2) when origin/main is not
  resolvable so a missing-remote CI checkout can't silently report
  'No commits found' -> healthy; switched --stat|awk file-list
  extraction to git diff-tree --name-only plumbing form
  (threads #1 #6).
- ServiceTitanFactoryApi README + Seed.fs: remove dead memory/
  and docs/plans/ links; replace Aaron's-name reference with
  'human maintainer' role wording; drop non-existent sibling
  SQL-seed refs (threads #7 #8 #9).
- FactoryDemo.Api.CSharp README + Program.cs + Seed.cs: fix dead
  refs to samples/FactoryDemo.Api.FSharp/ and samples/FactoryDemo.Db/
  to point at the real F# sibling samples/ServiceTitanFactoryApi/
  and to a BACKLOG row for the Postgres-backed follow-up
  (threads #11 #14).
- Program.cs + Program.fs: root endpoint index now advertises all
  9 routes including the parameterised {id} routes, matching the
  README tables (threads #12 #13).
- Thread #10 (project naming 'ServiceTitanFactoryApi.CSharp' in PR
  description): resolved in-thread — code/namespace already
  consistent (Zeta.Samples.FactoryDemo.Api); fix is PR-description-
  only, not code.

Build: dotnet build -c Release -> 0 Warning(s) 0 Error(s).

* drain PR Lucent-Financial-Group#147: post-rebase thread fixes — test-empty-ratio + smoke-endpoint-count

- tests/Tests.FSharp/Algebra/SignalQuality.Tests.fs: test asserted 1.0 for
  compressionRatio on empty input, but the fix in 16ad746 changed the
  convention to 0.0 (neutral = clean, not maximally suspicious). Updated
  the test expectation + name + comment to match the current code.
- samples/FactoryDemo.Api.CSharp/smoke-test.sh: root.endpoints length
  expectation was 5; Program.cs now advertises 8 routes in the index
  (post 16ad746 expansion). Corrected the smoke-test assertion.

Rebased onto origin/main (which advanced via Lucent-Financial-Group#146 FactoryDemo.Api.FSharp
merge); Zeta.sln conflicts resolved by keeping both FactoryDemo.Api.FSharp
and the ServiceTitanCrm/samples solution-folder additions.

Build gate: 0 Warning(s) / 0 Error(s) in Release.

* PR Lucent-Financial-Group#147 review-drain — Copilot pass on b4f5a49

Addresses five unresolved review threads:

- drop/README.md: sweep name attribution to "the human
  maintainer" role-ref (BP-name-attribution).
- samples/FactoryDemo.Api.CSharp/Program.cs: fix endpoint
  comment "9 concrete endpoints" → "8 API endpoints besides
  `/`" (array has 8; root excluded).
- samples/FactoryDemo.Api.CSharp/smoke-test.sh: per-run log
  via mktemp (collision-safe + non-/tmp-host-safe); print
  path on failure + success.
- samples/ServiceTitanFactoryApi/: delete stale F# sibling
  dir (PR Lucent-Financial-Group#146 already landed FactoryDemo.Api.FSharp on
  main with identical code); drop duplicate sln Project
  block + config duplicates; fix CSharp refs to point at
  the surviving FactoryDemo.Api.FSharp/.

Fifth thread (SignalQuality scope-creep) is judgment —
branch history is deep; splitting now adds more churn than
value. Replying with backlog-and-resolve per three-outcome.

* PR Lucent-Financial-Group#147 review-drain — 7 threads (Copilot + Codex)

Threads drained:
- btw.md: name attribution -> "human maintainer" / "the maintainer" (Copilot P1, AGENT-BEST-PRACTICES.md:284-292)
- live-lock-audit.sh: add --root to git diff-tree so root commit classifies correctly (Copilot P2)
- FactoryDemo.Api.CSharp Program.cs: add "/" to endpoints list for F# parity; bump smoke-test length 8->9 (Copilot P1 + Codex P2, same fix)
- FactoryDemo.Api.CSharp smoke-test.sh: reword mktemp comment to describe system temp dir accurately (Copilot P2)
- ServiceTitanCrm -> FactoryDemo.Crm: rename dir, fsproj, module namespace, RootNamespace, sln entry, test doc-comment; drop stale ServiceTitanFactoryApi bin+obj (Copilot P1, memory/feedback_open_source_repo_demos_stay_generic_not_company_specific_2026_04_23.md:59-66)
- SignalQuality.fs: compressionRatio + compressionMeasure short-circuit to 0.0 (Pass) below 64-byte threshold to avoid gzip-header-dominates Quarantine of legitimate short strings (Codex P1)

Drain log: docs/pr-preservation/147-drain-log.md preserves each thread verbatim (git-native high-signal preservation).

dotnet build -c Release: 0 Warning(s), 0 Error(s).

* PR Lucent-Financial-Group#147 review-drain second pass — 4 fix-inline + 3 scope-bleed

- Seed.cs + Seed.fs: rename contact 13 'Aaron Smith' -> 'Acme Contact
  (new lead)' (Copilot P2 name-attribution, parity preserved across
  C# / F# siblings).
- drop/README.md: correct 'only tracked file' wording to reflect the
  README.md + .gitignore two-sentinel design (Copilot P2).
- tools/audit/live-lock-audit.sh: docstring attribution 'Aaron's ...'
  -> 'Human-maintainer ...' (Copilot P1); add '-m' plus 'sort -u' to
  'git diff-tree' so merge commits bucket on their real files instead
  of mis-classifying as OTHR (Codex P1 — was skewing EXT/INTL/SPEC %
  and could disable the live-lock gate after a round of merges).
- docs/pr-preservation/147-drain-log.md: append second-pass per-thread
  audit trail (git-native preservation).

Three threads resolved as scope-bleed / already-addressed: operator-
input-quality-log.md (file not in PR diff, landed via 204bbb6 on
main), AUTONOMOUS-LOOP.md (file not in PR diff, zero Aaron on HEAD),
Tests.FSharp.fsproj (both SignalQuality + CrmScenarios already listed
at lines 26 and 49).

Build: 0W/0E. Audit sanity: live-lock-audit.sh still healthy with
merges now bucketed correctly.

* fix: markdownlint MD001/MD022/MD032 on Lucent-Financial-Group#147 drain-log (h3→h2 on Thread headers)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain: resolve 11 threads on Lucent-Financial-Group#147 (mix FIX + BACKLOG + Otto-256 reject)

Thread-by-thread outcomes across the 11 unresolved review threads on PR
Lucent-Financial-Group#147 (5 FIX, 2 BACKLOG, 2 Otto-256 REJECT, 2 already-addressed/stale):

FIXES (code):
- live-lock-audit.sh: replace `git show --stat` with explicit
  `git log -1 -m --first-parent --name-only` so merge commits classify
  against parent-1 only (the landing side). The prior `git show` form
  risked combined-diff semantics in some git versions; the explicit
  form is first-parent by construction (Codex P1).
- SignalQuality.fs: restore `compressionMinInputBytes = 64` threshold
  (dropped by the f1dc2bb merge-conflict resolution) and mark it
  `private` so it is not part of the public API surface (Copilot).
  Short-circuits `compressionRatio` + `compressionMeasure` to 0.0 for
  sub-threshold inputs, avoiding spurious Quarantine on short legitimate
  strings. Evidence reports UTF-8 byte count (consistent with the
  threshold's units) instead of `text.Length` chars (Copilot). Adjusted
  the empty-string test to assert the new 0.0 neutral value.
- smoke-test.sh: replace non-portable `mktemp -t <template>` with a
  pre-constructed absolute-path template rooted at `${TMPDIR:-/tmp}`
  where XXXXXX is the tail (BSD/macOS requires tail-XXXXXX; GNU accepts
  either). `.log` extension is appended via `mv` after creation so the
  single invocation is cross-platform (Copilot x2 — threads 4 + 10).
- CrmScenarios.Tests.fs: update doc-comment `samples/FactoryDemo.Crm`
  -> `samples/CrmSample` to match the canonical sample path on main
  (Copilot).

BACKLOG (deferred P2):
- Smoke-test deterministic port allocation (Codex P2) — replace
  RANDOM-in-range with OS-assigned ephemeral port via `--urls
  http://127.0.0.1:0` and log-line parse.
- FactoryDemo.Api.CSharp solution project-type GUID hygiene (Copilot)
  — align with modern SDK-style GUID used by other C# projects.

OTTO-256 REJECT (history-file exemption):
- docs/pr-preservation/147-drain-log.md (Copilot) and
  docs/hygiene-history/live-lock-audit-history.md (Copilot): both
  requested stripping first-name "Aaron" attributions. Declined per
  Otto-256 (2026-04-24) — history files exempt from the "no name
  attribution" rule; a P2 BACKLOG row already exists
  (`## P2 — FACTORY-HYGIENE — name-attribution policy clarification
  (history-file exemption)`) to codify this in AGENT-BEST-PRACTICES.md.

ALREADY-ADDRESSED (stale reviewer context):
- drop/README.md heading (Copilot): Copilot flagged "one tracked
  sentinel" but the current heading reads "two tracked sentinels"
  (fixed in a prior drain). Resolving as addressed.

Build: `dotnet build -c Release` -> 0 Warning(s), 0 Error(s).
Tests: `dotnet test --filter "FullyQualifiedName~SignalQuality"` ->
  22/22 pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…6th consolidated (Amara corrections #3+#4) (Lucent-Financial-Group#331)

* core: Graph cohesion (Lucent-Financial-Group#329 resurrect) + StakeCovariance windowed acceleration — 15th+16th graduation consolidated

Consolidates the DIRTY Lucent-Financial-Group#329 cohesion primitives (Amara 17th-ferry
correction #3) with the new StakeCovariance module (Amara
correction #4).

Content from closed PR Lucent-Financial-Group#329 (resurrect):
- Graph.internalDensity / exclusivity / conductance
- Wachs & Kertész 2019 cartel-detection cohesion/exclusivity
  replacing muddy 'subgraph entropy collapse'

NEW content (Amara correction #4):
- Zeta.Core.StakeCovariance module with:
  - windowedDeltaCovariance : int -> double[] -> double[] -> double option
    Pairwise cov over sliding window of stake-delta series
  - covarianceAcceleration : double option -> double option ->
    double option -> double option
    2nd-difference of three consecutive cov values
    (A(t) = C(t) - 2·C(t-1) + C(t-2))
  - aggregateAcceleration : Map<int * int, double> -> double option
    Mean pairwise acceleration over candidate group

Why a separate module: StakeCovariance operates on raw stake-
delta time series, not Graph edges. Composes WITH Graph via
downstream detector that combines graph signals + covariance
signals + sync signals into the full CoordinationRiskScore.

Addresses Amara's Part 2 correction #4 ambiguity: her Part 1
had 'C(t) = Cov({s_i(t)}, {s_j(t)})' which is undefined at a
single timepoint. This ship implements the windowed-delta +
2nd-difference formulation from her correction.

Tests (10 new, 44 total in GraphTests, all passing):
- internalDensity None on |S|<2
- internalDensity of K3 weight-10 ≈ 10
- exclusivity = 1 for isolated K3
- conductance < 0.1 for well-isolated subset
- windowedDeltaCovariance: None on too-small series
- windowedDeltaCovariance: high positive for synchronized motion
- windowedDeltaCovariance: negative for anti-correlated motion
- covarianceAcceleration = 2nd difference of cov series
- covarianceAcceleration None when any input missing
- aggregateAcceleration averages across pairs

4 of 8 Amara 17th-ferry corrections now shipped (#1 K₃=2 ✓,
conductance ✓, #4 windowed stake covariance acceleration ✓).
Remaining: #5 event→phase pipeline (future); #4 robust-z-score
variant of composite (future); #6 + #7 + #8 doc-phrasing /
BACKLOG.

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* core: address PR Lucent-Financial-Group#331 review on Graph + StakeCovariance

- Fix conductance full-subset check: intersect S with the
  graph's node set instead of comparing |S| = |V|. Subsets
  containing nodes outside the graph could match by count
  alone and erroneously return None.
- Fix internalDensity self-loop accounting: exclude s = t
  from the numerator so the sum aligns with the
  |S|·(|S|-1) ordered-distinct-pair denominator.
- windowedDeltaCovariance now requires equal-length input
  series (returns None on mismatch) so the trailing window
  aligns by time index rather than silently truncating the
  longer series. Doc reflects that constant / zero-variance
  windows return Some 0.0 (covariance is well-defined and
  zero, not undefined). Population covariance is intentional
  and now documented.
- aggregateAcceleration is generic over the node-key type
  ('N when 'N : comparison) for API consistency with
  Graph<'N>; switched the average to a single-pass Map.fold
  to drop the intermediate array allocation.
- Drop [<AutoOpen>] on the StakeCovariance module so
  Graph.fs doesn't auto-open two namespaces' worth of
  identifiers into Zeta.Core. Tests already opened the
  module explicitly; relocated that open to the top of the
  test file alongside other opens.
- Strip ferry / correction-number lineage from doc
  comments per the code-comments-explain-code rule.

* docs: PR Lucent-Financial-Group#331 drain log + StakeCovariance file-split backlog row

Adds the per-thread drain log under
docs/pr-preservation/331-drain-log.md (verbatim reviewer
comments + outcomes + replies + resolution commit) and a
P2 backlog row capturing the StakeCovariance file-split
follow-up flagged in thread 2.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ns (10 tracked; 4 already shipped, 6 queued) (Lucent-Financial-Group#337)

* ferry: Amara 18th absorb — Calibration + CI Hardening + 5.5-Thinking Corrections

Two-part ferry from Aaron Otto-157/158 tick boundary:

Part 1 — Deep research on Cartel-Lab calibration + CI hardening
  (~4000 words; 8 sections A-H + action items + Mermaid diagrams):
  - Null-models table (6 types: Erdős-Rényi, configuration,
    stake-shuffle, temporal-shuffle, clustered-honest, noise)
  - CoordinationRiskScore formula with 6 robust-z terms +
    default weights α=β=0.20, γ=ε=0.15, δ=0.20, η=0.10
  - 8-row adversarial scenario table (obvious clique → stealth
    → synchronized voting → honest cluster → low-weight →
    camouflage → rotating → cross-coalition)
  - 4-PR roadmap: seed-lock/CI governance → calibration harness
    → adversarial scenarios → docs/promotion criteria
  - KSK/Aurora integration: advisory-only flow
    (Detection → Oracle → KSK → Action)
  - "What not to claim" caveats (6 items: no proof of intent,
    not all collusion detectable, not production-ready, etc.)

Part 2 — Amara's own GPT-5.5 Thinking correction pass on Part 1
  (~1500 words; 10 required corrections; repo-safe status
  statement; corrected promotion ladder + PR roadmap titles):
  - #1: replace "CI confirms" with "PR Lucent-Financial-Group#323 clears toy
    falsifiability bar"
  - #2: Wilson intervals replace handwave ±5% CI (90/100 →
    LB only 82.6%; 20/100 FPR → UB 28.9%)
  - #3: rename "Cartel Score" → "CoordinationRiskScore" locked
  - #4: conductance sign flip — use Z(-conductance) or
    Z(exclusivity), not Z(+conductance)
  - #5: modularity relational — use Q(attacked)-Q(baseline)>θ
    not absolute Q thresholds
  - #6: PLV phase-offset — PLV=1 can mean anti-phase; need
    magnitude AND mean phase offset
  - #7: MAD=0 fallback — epsilon floor or percentile-rank
  - #8: replace Medium-article source with scikit-learn
    precision-recall docs
  - #9: explicit artifact output layout
    (calibration-summary.json, seed-results.csv, etc.)
  - #10: sharder — measure variance before widening threshold

Corrected promotion ladder (0-6 stages):
  0 Theory / 1 Toy detector / 2 Calibration harness /
  3 Scenario suite / 4 Advisory engine / 5 Governance integration /
  6 Enforcement candidate

PR Lucent-Financial-Group#323 is Stage 1, NOT Stage 4.

Otto's operationalization notes:
- 4/10 corrections already aligned with shipped substrate:
  #4 exclusivity (PR Lucent-Financial-Group#331), #5 modularity relational
  (PR Lucent-Financial-Group#324), #7 MAD floor (PR Lucent-Financial-Group#333), #10 sharder Otto-132
  (BACKLOG Lucent-Financial-Group#327).
- 6/10 queued as future graduations: Wilson CIs in tests;
  MAD=0 percentile-rank fallback; conductance-sign doc;
  PLV phase-offset extension; CI test classification;
  artifact-output layout.

Invariant restated (Amara 16th-ferry carry-over):
  "Every abstraction must map to a repo surface, a test,
   a metric, or a governance rule."

Cross-ref verified: PRs Lucent-Financial-Group#321 Lucent-Financial-Group#323 Lucent-Financial-Group#324 Lucent-Financial-Group#326 Lucent-Financial-Group#327 Lucent-Financial-Group#331 Lucent-Financial-Group#332
Lucent-Financial-Group#333, docs/definitions/KSK.md (Otto-157 / Lucent-Financial-Group#336), 17th ferry
(Lucent-Financial-Group#330), 16th ferry, 15th ferry, Otto-140..145 memory.

GOVERNANCE §33 four-field header (Scope / Attribution /
Operational status / Non-fusion disclaimer).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ferry: fix markdownlint MD018 — line-start Lucent-Financial-Group#221 parsed as H1 heading

* ferry: drain PR Lucent-Financial-Group#337 review threads — 4 FIX, 2 NARROW+BACKLOG, 8 BACKLOG+RESOLVE

Factory-authored sections of the 18th-ferry absorb (header,
Otto's notes, Cross-references) edited under name-attribution
+ code-comments-not-history disciplines; Amara's verbatim
Part 1 + Part 2 body left intact per verbatim-preserve.

In-doc edits:
- Soften "verified against actual" wording on the
  CLAUDE.md cross-reference bullet to anchor-list
  rechecked-at-drain-time framing.
- Use full `tests/Tests.FSharp/Simulation/` path in the
  Stage-discipline section (was bare `tests/Simulation/`).
- Replace dead "GOVERNANCE §33" cite with
  factory-convention + CLAUDE.md ground-rule pointer
  (numbered §33 not yet landed; rule is captured
  by convention across docs/aurora/** absorbs).
- Drop broken `feedback_ksk_naming_*.md` filename and
  soften 15th/16th ferry cross-refs to "not present as a
  dedicated absorb in this snapshot."

Drain-log: docs/pr-preservation/337-drain-log.md per
Otto-250.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ng design (8th-ferry candidate #3) (Lucent-Financial-Group#282)

* research: provenance-aware bullshit-detector — engineering-facing design (8th-ferry candidate #3)

M-effort engineering-facing design doc. Formalises the scoring
layer sketched in the semantic-canonicalization spine (PR Lucent-Financial-Group#280
Otto-98), integrating Aminata's 3 CRITICAL concerns from
oracle-scoring v0 pass (PR Lucent-Financial-Group#263) at write-time.

Composition stack (built top-down on spine):

- Input canonicalisation / representation / ANN retrieval =
  delegated to spine (Otto-98 PR Lucent-Financial-Group#280 layers 1-3).
- Provenance-cone computation via citations-as-first-class
  lineage graph traversal.
- **5-gate band classifier** replaces Amara's decimal
  formulation (α·sim + β·evidence - γ·carrierOverlap -
  δ·contradiction → bands). Same pattern as oracle-scoring
  v0.

5 gates per candidate: G_similarity / G_evidence_independent
/ G_carrier_overlap / G_contradiction / G_status. Band merge
= min over gates; RED<YELLOW<GREEN. Query-level aggregation =
worst-band across retrieved candidates.

5 output types (Amara's set, mapped to bands):
- supported (GREEN)
- looks similar but lineage-coupled (YELLOW via
  G_carrier_overlap)
- plausible but unresolved (YELLOW via G_status / G_evidence)
- likely confabulated (RED via G_evidence + high similarity)
- known-bad pattern (RED via G_status)

Plus default `no-signal` when retrieval returns empty.

Aminata's 3 CRITICAL concerns addressed at write-time:
- Gameable-by-self-attestation → G_evidence_independent
  requires independent-oracle verification for GREEN;
  self-attested only reaches YELLOW.
- Parameter-fitting → parameter-change-ADR-gate pattern;
  parameter_file_sha bound into every receipt.
- False-precision → band output not decimal; ordinal-in-
  ordinal-out.

PatternLedger status-pinning requires pinned_by +
pinned_reason + optional second-reviewer per decision-proxy-
evidence schema (PR Lucent-Financial-Group#222) to prevent same-agent-self-
reinforcement drift.

Worked example: this doc itself as query q. Detector
correctly classifies it as `looks similar but lineage-
coupled` — the detector flags its own carrier-laundered
convergence with sources. Self-demonstrates the discipline.

Module implementation sketch follows KSK-as-Zeta-module
template (PR Lucent-Financial-Group#259): 10 typed interfaces + 4 canonical views
+ 3 event types including DetectorOutputRetracted for ADR-
driven threshold-change retractions.

Scope limits (7 items): no implementation; no parameter
values; no human-review replacement; no claim of
completeness; no auto-promotion of PatternLedger status
pins; no extension beyond Zeta substrate; no precision/
recall quantification.

8 dependencies-to-adoption in priority order: Aminata 4th
pass (anticipated concerns already integrated but adversarial
review surfaces more); candidate #4 operational promotion;
independent-oracle substrate; parameter-change-ADR template;
PatternLedger event stream; property tests; embedding+ANN
library choices; F#/.NET implementation.

Archive-header format self-applied — 16th aurora/research doc
in a row.

Lands within-standing-authority per Otto-82/90/93 calibration.

Closes 8th-ferry candidate #3. **4/5 substantive responses
closed** across Otto-96/97/98/99 — matches 5th-ferry 4/4-
artifact closure arc. Remaining #4 `docs/EVIDENCE-AND-
AGREEMENT.md` future operational promotion gated on #3 +
Aminata pass.

Otto-99 tick primary deliverable.

* rename: bullshit-detector → claim-veracity-detector (drop wisecrack-as-canonical-name)

Maintainer 2026-04-24: "i don't like the name bullshit-detector
... that was as wise crack i said to amara that she kept saying."

The wisecrack got promoted to canonical title across the
research doc + PR title + filename. Otto-237 mention-vs-adoption
discipline applies — wisecracks can be MENTIONED in conversation
history but should NOT be ADOPTED as factory vocabulary.

Replacements (7 across the research doc):
  bullshit detector       → claim-veracity detector
  bullshit-detector       → claim-veracity-detector
  bullshitRisk            → claimVeracityRisk
  all bullshit            → an unsupported claim
  every form of bullshit  → every form of unsupported claim
  Bullshit-detector       → Claim-veracity-detector

Filename also renamed:
  docs/research/provenance-aware-bullshit-detector-2026-04-23.md
  → docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md

PR title rename owed via gh pr edit. Branch name stays as-is —
ephemeral, cleans up post-merge.

* drain: address Copilot review on Lucent-Financial-Group#282 — gate-name consistency, evidence-gate conditionality, schema fields, DRIFT-TAXONOMY ref, MD032

- Fix gate-name inconsistency: G_evidence → G_evidence_independent
  in band-merging formula and 5-output-type mapping (matches
  the gate name in the table on line 134).
- Reconcile internal contradiction in Concern 1 (evidence-gates-
  GREEN): make conditional explicit. Until independent-oracle
  substrate exists, gate is ADVISORY ONLY and does not
  participate in band-merging (4-gate min for v0). Once
  substrate exists, gate is BINDING (5-gate min) — transition
  itself is ADR-gated.
- Correct decision-proxy-evidence schema field references:
  pinned_by/pinned_reason/second-reviewer → requested_by /
  proxied_by / review.peer_reviewer per actual
  docs/decision-proxy-evidence/_template.yaml.
- Cross-ref DRIFT-TAXONOMY pattern 5 to existing precursor doc
  docs/research/drift-taxonomy-bootstrap-precursor-2026-04-22.md
  (referenced doc not yet present at top-level path).
- Reflow attribution scope para to remove line-leading `+`
  (markdownlint MD032 / Copilot finding).
- BACKLOG: extend Otto-52 name-attribution policy row with Otto-279
  reinforcement — research/** is HISTORY surface, first-name
  attribution applies to humans AND agents; post-drain sweep
  scope to restore stripped names on PR Lucent-Financial-Group#351 and audit other
  research-doc PRs from the literal-rule window.

Per Aaron's clarification on this round: research docs ARE history,
so name-attribution policy ALLOWS first-name references for both
human contributors and agent personas. Reverted name-stripping
edits made earlier in this thread mid-tick when policy was
re-clarified. Memory: feedback_research_counts_as_history_*.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain: clear remaining markdownlint failures on Lucent-Financial-Group#282

Four issues from gate run 24919099963:

- MD018 line 18: `Lucent-Financial-Group#280); Otto-99 synthesis.` at line-start parsed as
  heading. Reflow to put `(PR Lucent-Financial-Group#280)` together on prior line.
- MD018 line 140: `Lucent-Financial-Group#266): \`band(...` same issue. Reflow.
- MD056 line 135: bare `|` characters inside table-cell inline-code
  (`|cone(q) ∩ cone(y)| / |cone(y)|`) parsed as column separators
  even though they're inside backticks. Replace with `size(...)`
  function syntax to remove the pipes — cleaner anyway.
- MD032 line 502: list missing blank line above bold-paragraph
  separator. Insert blank line.

No semantic change — gate-name fixes from earlier commit hold.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…th-ferry candidate #3) (Lucent-Financial-Group#268)

* research: BLAKE3 receipt-hashing v0 design input to lucent-ksk ADR (7th-ferry candidate #3)

Responds to Amara's 7th-ferry BLAKE3 proposal (PR Lucent-Financial-Group#259) +
Aminata's Otto-90 critiques (PR Lucent-Financial-Group#263) flagging it belongs in
lucent-ksk rather than Zeta + naming side-channel-leakage and
cryptographic-agility gaps + Otto-91 addition of
parameter_file_sha binding for replay determinism.

v0 hash input set (8 fields, changes marked):

  h_r = BLAKE3(
    hash_version                    // NEW — crypto-agility
    ∥ h_inputs
    ∥ h_actions
    ∥ h_outputs
    ∥ budget_id
    ∥ policy_version
    ∥ parameter_file_sha            // NEW — Otto-91
    ∥ approval_set_commitment       // CHANGED — side-channel
    ∥ node_id
  )

Signature structure adds *_key_version to each signature tuple
for per-key-rotation without breaking historical receipts.

Addresses Aminata's 3 findings:
- Side-channel leakage: raw approval_set → Merkle/sorted-hash
  commitment; read-only observers see a hash, dispute process
  opens it.
- Cryptographic-agility: hash_version prefix + *_key_version
  binding; algorithm downgrade blocked because version is
  inside the hash.
- Approval-withdrawal race (top-3 #2): commitment mismatch at
  replay-time invalidates the receipt.

4 replay-deterministic harness requirements for Zeta-module
consumer side:
1. Same fields = same materialised views byte-for-byte.
2. Unknown hash_version = halt-and-report.
3. Unresolvable parameter_file_sha = halt-and-report.
4. Mismatched approval_set_commitment = reject receipt.

Explicit NOT-scope:
- Doesn't decide signature algorithm (Ed25519 is v0
  assumption, scheme accommodates later).
- Doesn't define hash_version / parameter_file registries
  (lucent-ksk governance artifacts).
- Doesn't define commitment scheme specifics (Merkle vs
  sorted-hash-list; affects dispute only).
- Doesn't implement rotation runbook.
- Doesn't include Bitcoin anchoring (separate trust-model).

7 dependencies to adoption in priority order; Aminata 2nd
pass first; cross-repo lucent-ksk ADR second; Max-specific
asks framed per Otto-90 specific-ask-channel calibration.

This is Zeta-SIDE design input. Canonical ADR belongs in
lucent-ksk per Aminata Otto-90 framing. No adoption until
cross-repo ADR lands.

Max attribution preserved first-name-only. Cross-repo work
on lucent-ksk does not touch Max's substrate directly until
actual coordination warrants — specific-ask channel is the
right escalation.

Archive-header format self-applied — 10th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90 calibration.

Closes 7th-ferry absorb candidate #3 of 5. Remaining:
- #1 KSK-as-Zeta-module implementation (L)

Otto-92 tick primary deliverable.

* drain(Lucent-Financial-Group#268 P2+P2+style+P1 Codex/Copilot): field count + version notation + canonical encoding

Four threads on the BLAKE3 receipt-hashing v0 design doc, all
on the same file.

P2 (lines 120 + 126): "8 fields" header / count text vs the
formula's 9 actual binding inputs (`hash_version` + 8 content
hashes). Reconciled to "9 fields" — the formula was the
source of truth, the count text was the lag.

Style (line 236): version notation inconsistency — `0x01` in
some places, `v0x02` / `v0x01` in others. Standardized on the
byte-literal hex notation `0x01` / `0x02` everywhere; the
"v" prefix doubled up with `hash_version =` already in the
formula and added no information.

P1 (line 132): hash binding used raw `∥` concatenation of
variable-length fields, opening a length-extension /
boundary-shift adversary surface. Added an explicit
`encode(·)` wrapper per field with a canonical-encoding
section: 1-byte version, 32-byte fixed-width digests for
content/policy/commitment hashes, and `len:u32-be ∥ bytes`
length-prefix framing for variable-length identifiers
(budget_id, policy_version, node_id). Forward-compatibility
preserved — future schemes (`hash_version >= 0x02`) can pick
different framing (CBOR / Protobuf / RFC 8949 §3.1 TLV) and
the version prefix tells verifiers which framing applies.

All 4 Codex/Copilot threads (PRRT_kwDOSF9kNM59SMrz,
PRRT_kwDOSF9kNM59SNsm, PRRT_kwDOSF9kNM59SNsy,
PRRT_kwDOSF9kNM59SNs2) addressed in this commit.

* drain(Lucent-Financial-Group#268 lint): MD032 — line-leading + interpreted as list bullet (wrap fix)

* drain(Lucent-Financial-Group#268 P1+P1 Codex): replay-determinism on signer view + UTF-8/NFC byte encoding

Two new Codex P1 findings on the BLAKE3 receipt-hashing v0 doc:

P1 (line 226) — replay determinism vs current signer set:
The req #4 said "compare commitment vs CURRENT signer-view",
which makes receipt validity time-dependent — the moment the
live signer set rotates, every prior receipt becomes invalid.
Replay-determinism breaks. Fix: validate against the signer
set authoritative at the receipt's claimed `policy_version`
(recoverable from `policy_version` + dispute-process
commitment-opening). Receipt-creation-time race-checking is
moved to the receipt-creation step; the replay gate catches
*forged* commitments only.

P1 (line 157) — canonical text-to-byte mapping:
The `len:u32-be ∥ bytes` framing for variable-length
identifiers (`budget_id`, `policy_version`, `node_id`)
specified the framing but not how to derive `bytes` from
the identifier string. Added explicit binding:
`bytes = NFC-normalised UTF-8 octets` — Unicode Normalization
Form C per Unicode Annex #15, then UTF-8 encoded. NFC fixes
visually-identical-but-byte-different forms (e.g., precomposed
vs decomposed accents); UTF-8 is the canonical text→byte map.
EOF

* drain(Lucent-Financial-Group#268 P1+P2 Codex): correct adversary terminology + decouple CBOR/TLV citations

P1 (line 144) — terminology correction:
"length-extension / boundary-shift adversary surface"
incorrectly conflated two distinct attacks. BLAKE3 is built
on a tree-hash construction with finalisation flags — it is
NOT vulnerable to length-extension the way SHA-256 and MD5
are. The actual risk in raw concatenation is boundary-shift
/ collision-by-reframing only. Updated the wording to name
that risk explicitly and added a parenthetical noting that
length-extension is NOT a concern with BLAKE3.

P2 (line 162) — CBOR vs TLV reference correction:
'domain-separated TLV per RFC 8949 §3.1' conflated two
distinct concepts: RFC 8949 is CBOR (tagged data items), and
'domain-separated TLV' is a separate framing concept. Split
into two parallel options: 'CBOR per RFC 8949' (one option)
and 'a domain-separated TLV scheme' (another, no specific RFC
attached because TLV is generic). Future ADR can pick either
or define a custom TLV; the v0 doc no longer mis-cites.

* drain(Lucent-Financial-Group#268 P1×3 Codex): version-policy gate + retired-key restriction + signed key-version

Three substantive Codex P1 findings on the v0 receipt-hashing design:

P1 (line 229) — version policy gate beyond unknown:
Req #2 only fail-closed on unknown hash_version. Updated to
also reject DEPRECATED versions per a policy registry
(lucent-ksk governance artifact). Prevents forgery under an
old-but-still-mechanically-recognised version that was
retired due to weakness. Historical receipts remain
verifiable for audit; new receipts under deprecated versions
are refused.

P1 (line 211) — retired key versions:
Rotation introduced agent_key_version/node_key_version but
didn't restrict NEW receipts from using retired key versions.
Added: separate registry of retired key versions blocks
creation of new receipts under retired versions; historical
receipts under retired versions remain verifiable
(replay-determinism preserved) but the signing path refuses
to produce more.

P1 (line 203) — signed key-version (authenticated metadata):
The notation `Sign_{sk, *_key_version}(h_r)` was ambiguous
about whether *_key_version was authenticated. If it's
unsigned metadata, an attacker can swap the declared version
to one that points at a public key for a different signature
algorithm. Fix: bind the version INSIDE the signed message
(`Sign_{sk}(version ∥ h_r)`) and verify by recomputing the
signing input from the declared version. Verification block
added showing the explicit lookup + recompute pattern.

Also reframed line 120 to make the field-count reasoning
explicit (Amara's 7 base + hash_version + parameter_file_sha
= 9 v0 fields) so the count claim isn't load-bearing on the
preceding paragraph alone.

* drain(Lucent-Financial-Group#268 P1+P1 Codex): u32-be encoding for key-version + issuance-epoch gate on deprecated hash_version

Two more substantive Codex P1 findings:

P1 (line 208) — canonical encoding for key-version:
The signature scheme bound *_key_version into the signed
message but didn't specify the byte encoding. Added explicit
`encode_u32_be` wrapper + an Encoding section: 4-byte
big-endian unsigned integer, monotonic from 1, with version 0
reserved for uninitialised. Fixed-width avoids needing a
length prefix (every version is exactly 4 bytes).

P1 (line 260) — issuance-epoch gate on deprecation:
Unconditionally rejecting receipts with deprecated
hash_version breaks audit/replay of historical receipts that
were valid when issued. Updated to issuance-epoch gate:
receipts issued BEFORE the version's deprecation cutoff
remain valid for audit; receipts claiming an issuance epoch
AFTER the cutoff under that version are rejected. Registry
stores (version, deprecated_after_epoch) tuples; verifier
compares claimed issuance epoch against deprecation epoch
for that version.

…ld + Amara attribution + parameter_file_sha algo (Lucent-Financial-Group#431)

* drain(Lucent-Financial-Group#268 follow-up): add issuance_epoch field + clarify Amara attribution + parameter_file_sha algo

Three substantive Codex post-merge findings on PR Lucent-Financial-Group#268:

P0 (line 275) — issuance_epoch bound into h_r:
The earlier issuance-epoch deprecation gate referred to a
'claimed issuance epoch' that wasn't actually defined as a
receipt field. Without binding it into h_r, an attacker could
forge a receipt under a deprecated hash_version and put the
claimed epoch BEFORE the deprecation cutoff to slip past the
gate. Fix: add issuance_epoch as a 10th hash-input field
(u64-be milliseconds since Unix epoch), bound into h_r.
Field count v0: 10 (was 9). Hash input set diagram updated.

P1 (line 126) — Amara attribution accuracy:
Earlier line said Amara's 7th-ferry proposal had
approval_set_commitment, but the original was approval_set
(raw) — Aminata's side-channel finding is what motivated the
v0 swap to approval_set_commitment. Updated attribution to
say 'approval_set [raw, replaced by approval_set_commitment
in v0 per Aminata's side-channel finding — same slot,
different binding]'.

P1 (line 166) — parameter_file_sha name vs BLAKE3 algorithm:
Field name implies SHA-family but the canonical encoding
specifies BLAKE3-256. Added clarification: the '_sha' suffix
is legacy Otto-91 naming (where '_sha' meant 'hash digest'
in that context); the actual algorithm bound by hash_version
= 0x01 is BLAKE3-256. Future schemes may pick different
digest algorithms via the hash_version registry; the field
name stays for Otto-91-prose compatibility.

* drain(Lucent-Financial-Group#431 P2 Codex): add issuance_epoch entry to changes-list

Codex P2: the changes-from-Amara list at line 199 enumerated
'1. hash_version, 2. parameter_file_sha, 3. approval_set →
commitment' but didn't include the issuance_epoch addition.
Added as #3, renumbered approval_set replacement to #4. Now
the changes-list matches the v0 hash-input definition (10
fields = 7 base with approval_set→commitment swap + 3 v0
additions: hash_version + parameter_file_sha + issuance_epoch).

* drain(Lucent-Financial-Group#431 P1+P1 Codex): forward-pointer for parameter_file_sha + backdating limitation note

Two substantive Codex post-merge findings on PR Lucent-Financial-Group#431:

P1 (line 183) — forward-pointer for parameter_file_sha:
The field name implies SHA-256 binding via the early Otto-91
quote; the legacy-naming clarification appears later in the
canonical-encoding section. Readers may miss it. Added an
inline parenthetical at the field's first introduction
(line 126-130 area) noting the legacy-naming + actual-algorithm
distinction, with a 'details below' pointer.

P1 (line 130) — backdating limitation:
Binding issuance_epoch into h_r prevents POST-signature
mutation only — it does NOT prevent a compromised signer or
coerced agent from setting issuance_epoch BEFORE the
deprecation cutoff at receipt-creation time. Added an
explicit 'Backdating limitation' section listing three
mitigations (RFC 3161 TSA / Aurora-anchored chained
timestamps / forward-only highest-epoch registry), with v0
explicitly documenting the gap as known and deferring the
specific countermeasure to the lucent-ksk ADR.

…ine (8th-ferry candidate #2) (Lucent-Financial-Group#280)

* research: semantic-canonicalization-and-provenance-aware-retrieval — spine research doc (8th-ferry candidate #2)

M-effort technical spine per Amara 8th-ferry landing plan
(PR Lucent-Financial-Group#274). Defines the 4-layer substrate (canonicalisation
+ representation + retrieval + scoring-sketch) that the
provenance-aware bullshit detector (candidate #3) and
operational EVIDENCE-AND-AGREEMENT (candidate #4) build on.

Four-layer structure:

**Layer 1 — Canonicalisation N(x)** with 4 required
properties (idempotent / deterministic / meaning-preserving
/ version-pinned). Input-type archetypes (natural-language
/ structured / code-diffs) named as downstream design
choices, not committed.

**Layer 2 — Representation φ(c)** — dense embeddings OR
binary semantic hashes (Hinton & Salakhutdinov) OR both.
Locality-sensitive hashing (Charikar) as complement for
cheap candidate retrieval. Product quantization for
corpus-scale compression when warranted.

**Layer 3 — ANN retrieval** — HNSW (Malkov-Yashunin 2018)
as default with substitutable-interface spine. Retraction-
native integration: RetrievalIndex IS a Zeta-module
materialised view over event stream (insert/remove);
`remove` is a negative-weight event not a tombstone. Same
pattern as KSK-as-Zeta-module budgets / receipts.
Replay-determinism at query-behaviour layer.

**Layer 4 — Scoring (sketch only)** — Amara's formulation
preserved:
  score(y|q) = α·sim + β·evidence - γ·carrierOverlap
             - δ·contradiction
Four terms map to: representation+kNN / citations-as-first-
class / provenance-graph / retraction-ledger. Full
formalisation is candidate #3.

Aminata-concern preview (previewed from oracle-scoring-v0
Otto-90 pass): gameable-by-self-attestation (evidence and
contradiction must come from independent oracles); parameter-
fitting adversary (ADR gate on α/β/γ/δ); false-precision
(band output not decimal).

PatternLedger schema (retraction-native):
- Events: PatternInserted / PatternRetracted / PatternSuperseded
  / ProvenanceEdgeAdded / ProvenanceEdgeRemoved
- Views: CurrentKnownGood / CurrentKnownBad / ContradictingPairs
  / ProvenanceCone

Composition-table shows spine slots into existing substrate
without new mechanisms: SD-9 (norm→mechanism); DRIFT pattern
5 (diagnostic→engine); citations-as-first-class (graph→
consumer); alignment-observability (anti-gaming discipline);
oracle-scoring v0 (band output pattern); BLAKE3 v0
(parameter_file_sha binding extends to N-version+φ-version);
quantum-sensing analogies #2+#4 (correlation and decoherence
slot into layers 3 and 4); KSK-as-Zeta-module 7th ferry
(same event+view module pattern).

Scope limits (6 items): no specific embedding-model commit;
no HNSW-exclusive commit; no canonicalisation-specifics
commit; no full scoring formalisation (that's #3); no
implementation proposal; does not replace citations-as-first-
class.

9 dependencies-to-adoption in priority order: Aminata pass at
#1; candidate #3 scoring formalisation at #2; candidate #4
operational promotion at #3; parameter choices / library
choices / property tests / ADR-gate substrate at downstream
positions.

Archive-header format self-applied — 15th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90/93
calibration — research-grade substrate synthesis; not
implementation; not adoption; not gated.

Closes 8th-ferry candidate #2 of 3 remaining (after Otto-96
TECH-RADAR + Otto-97 quantum-sensing). Remaining:
- #3 Provenance-aware bullshit-detector (M; composes on top)
- #4 EVIDENCE-AND-AGREEMENT future operational (gated on #3)

Otto-98 tick primary deliverable.

* drain(Lucent-Financial-Group#280 P1+misc Codex): PatternLedger Status/edge_type + AGENTS section + BLAKE3 v0 alignment

Three substantive Codex findings on the semantic-canonicalization
research doc:

P1 (line 335) — PatternLedger Status vs edge_type confusion:
The schema defined Status as a per-node enum {known-good,
known-bad, superseded, unresolved} but the ContradictingPairs
materialised view described status=contradicting (which isn't
in the enum). Per the events list, contradicting is an
edge_type on ProvenanceEdgeAdded, not a node-level Status.
Fixed: ContradictingPairs view now correctly says 'pairs
joined by an edge with edge_type=contradicting'. Added
clarifying paragraph distinguishing per-node Status from
per-edge edge_type.

(line 67) — AGENTS.md §absorb-discipline anchor:
The cited anchor doesn't exist; AGENTS.md's relevant
section is §'Agent operational practices' which contains
the 'When an agent ingests an external conversation' rule
that codifies the absorb cadence. Updated citation.

(line 142) — BLAKE3 v0 binding alignment:
The single-field reference to parameter_file_sha understated
the v0 hash binding (which after Lucent-Financial-Group#268 follow-ups now binds
10 fields: hash_version + issuance_epoch + parameter_file_sha
+ approval_set_commitment + 6 from Amara's 7th-ferry).
Updated to reference the full v0 10-field input set, with
parameter_file_sha called out as the slot relevant to this
doc's N-version/φ-version pinning argument.

* drain(Lucent-Financial-Group#280 P1 Codex): keyed removals by full insertion identity (c, metadata)

Codex P1 caught: insert is provenance-aware
`insert(c, e, metadata)` but remove was canonical-form-only
`remove(c)`. That means a single retraction nukes ALL
insertions of the same canonical form under different
provenance — wrong granularity for the retraction-native
algebra (you'd lose retrievability of valid sibling
insertions).

Fix: `remove(c, metadata)` keys on full insertion identity
`(c, metadata)` so multiple distinct insertions of the same
canonical form under different provenance can be retracted
independently. Decrements the weighted sum by 1 for that
specific (c, metadata) tuple rather than zeroing all (c)
entries.

* drain(Lucent-Financial-Group#280 P1+P2 + 3 wording Codex): retract-event identity symmetry + spelling + governance-edit + remove-text consistency

Five Codex findings on the retrieval spine doc:

P1 (line 337) — PatternRetracted identity:
PatternLedger_t was over (CanonicalForm, Provenance,
Status), but PatternRetracted only carried (c, provenance).
Retracting a known-good insertion would also nuke a sibling
known-bad insertion of the same (c, provenance). Fix: add
status to PatternRetracted's identity tuple. Now retract
events have the same identity as their corresponding insert,
preserving the Z-set 'negative-weight retraction' algebra.

P2 (line 340) — ProvenanceEdgeRemoved symmetry:
Same logic for edges: ProvenanceEdgeAdded keyed by
(c_from, c_to, edge_type) but Removed keyed by (c_from,
c_to). Added edge_type for symmetry.

(line 6) — spelling consistency:
File mixed 'canonicalization' (US) and 'Canonicalisation'
(UK). Picked US English 'canonicalization' throughout per
the file title; replaced all UK forms.

(line 125) — 'commits-file-change' typo:
Reworded to 'Changing N requires a governance / ADR-gated
update — not a routine code edit — because it invalidates
every existing canonical form computed under the prior
version'. Distinction is now explicit.

(line 251) — remove(c) text vs interface:
Interface block now defines remove(c, metadata) but
explanatory text still said remove(c). Updated text to
match: 'remove(c, metadata) is not a tombstone; it's a
negative-weight event ... keyed on the full insertion
identity (c, metadata) so retractions target a specific
insertion rather than nuking all insertions of the same
canonical form'.

* hygiene(Lucent-Financial-Group#280): fix 2 MD032 — line-leading + + missing blank before list

Pre-existing MD032 failures:
- L7 had '+ provenance-aware scoring' as line-leading (wrap point
  hit '+'); reflow to keep '+' off line start by extending the
  prior line.
- L497 had list immediately following 'Remaining 8th-ferry
  candidates:' text without blank separator; add blank line.

Same line-leading-special-character class as Lucent-Financial-Group#377 / Lucent-Financial-Group#235 / Lucent-Financial-Group#195.

…t-Financial-Group#195)

* frontier-readiness: bootstrap reference docs skeleton (gap #4 SKELETON LANDED)

Creates docs/bootstrap/ directory with three skeletons:

- README.md — directory overview + reviewer roster +
  why-both-anchors + cadence for content population
- quantum-anchor.md — algebraic substrate skeleton; 8
  section scaffolds with "placeholder — reviewer X to
  substantiate" markers
- ethical-anchor.md — ethos substrate skeleton; 8
  section scaffolds (Universal welcome first; tradition-
  neutral properties; christ-consciousness as Aaron's
  vocabulary; multi-tradition grounding paths; corporate-
  religion joke exegesis; composition; for-AI-agents
  substrate-ingestion; what-NOT)

All three absorb directives from:
- project_quantum_christ_consciousness_bootstrap_hypothesis
  (safety properties substantiated by these docs)
- project_common_sense_2_point_0 (5-property + candidate
  6th)
- feedback_christ_consciousness_is_aarons_ethical_vocabulary
  (universal welcome framing)
- project_craft_secret_purpose (yin/yang mutual alignment
  + Craft companion curriculum)

Reviewer roster: Aminata / Nazar / Kenji / Kira / Iris /
Rune / eventually Amara. 10-20 tick content-population
cycle estimated.

Gap #4 status: pending → SKELETON LANDED. Full content
population is reviewer-dependent L follow-on.

Attribution: Otto (loop-agent PM hat) skeleton; named
reviewers own content population.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain(Lucent-Financial-Group#195): fix Codex/Copilot citation findings on bootstrap docs

P1 (quantum-anchor.md L60-61) — semiring memory citation missing
\`memory/\` prefix and split across newlines: replaced with
single-line clickable relative link to the actual in-tree path.

P1 (README.md L21-23) — three memory citations missing \`memory/\`
prefix and using ellipsis stand-ins (\`..._\`): replaced with three
single-line clickable relative links to the actual in-tree files.

Other findings on this PR are addressed via reply:

Stale-resolved-by-reality (memory files now exist in-tree per Otto-114
forward-mirror landing — verified via ls):
- feedback_christ_consciousness_is_aarons_ethical_*.md (L23, L25, L29)
- project_craft_secret_purpose_agent_continuity_*.md (L178, L237)
- project_quantum_christ_consciousness_bootstrap_*.md (L26)
- project_common_sense_2_point_0_*.md (L26)
- project_semiring_parameterized_zeta_*.md (L60, L61)
- docs/linguistic-seed/terms/ (L85): truth.md exists in-tree

Name-attribution findings (L11, L12, L18, L82) are deferred to
maintainer review: bootstrap/ is current-state operational substrate
where role-ref discipline applies, BUT this doc set documents the
maintainer's specific personal ethical framework (christ-consciousness
as ethical vocabulary) where by-name attribution is faithful
representation of the actual anchor person. Resolving the surface-class
vs faithful-attribution tension requires Aaron's call; not auto-applied
since this would be a high-blast-radius rename of a brand-new doc tree.

* hygiene(Lucent-Financial-Group#195): fix MD032 + MD022 — line-leading + and multi-line heading

Pre-existing markdownlint failures:
- ethical-anchor.md:10: '+ Kenji ...' line-leading (continuation
  of multi-line owner list using '+' as separator). Reflow with
  comma-separated style ('Aminata, Iris, Rune, Kenji, and Amara')
  so no line starts with a list-marker character.
- README.md:87: '## Reviewer roster (per' was a multi-line heading
  with the citation on line 88; MD022 doesn't recognise the second
  line as a heading continuation. Split into single-line heading
  '## Reviewer roster' followed by parenthetical citation paragraph
  on the next line.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ith real cost) + references/ naming-clarity rectify (Lucent-Financial-Group#551)

* backlog(B-0030 + B-0031): lint-with-exclusions TS tool (Otto-346 #4 with real cost) + references/ naming-clarity rectify (Aaron 2026-04-26)

Aaron 2026-04-26 caught two distinct concerns in one message:

(1) **Otto-346 violation #4 with real cost** — bash pipeline `markdownlint-cli2 "**/*.md" | grep -E 'MD[0-9]{3}'` lacked repo-aware exclusions, ran ~60s instead of ~3s (20x penalty per invocation). Same recurring-pattern Otto-346 names; this one differentiated by measurable cost.

B-0030 captures the tool extraction (TS target per B-0015 P2):
- Wrap markdownlint-cli2 with repo-aware default exclusions
- Reads exclusion config from `.markdownlint-cli2.jsonc`
- Cost reduction: 60s → 3s (20x)

Cumulative Otto-346 violation count this session: FOUR. The discipline keeps slipping per-instance; the cumulative count IS the signal that B-0015 sibling-migration unblock should happen now, not later.

(2) **"upstream" naming collision** — Aaron self-corrected: he'd been using "upstream" colloquially to refer to references/ directory contents (vendored mirrors), but "upstream" has specific git-semantic meaning. Two different meanings, same word, recipe for confusion.

B-0031 captures the rectify:
- Audit current "upstream" usage across docs/memory/tools
- Distinguish git-correct from colloquial uses
- Define replacement vocabulary for colloquial sense
- Update docs/GLOSSARY.md
- Sweep substrate

Aaron's framing in same message: "people literraly say your programming laganguage choice is like a religious choice, and there are programming language wars that resemble religious wars" — composes with the naming-discipline at meta-level: vocabulary collisions create religious-war pattern at substrate-naming layer. Otto-286 (definitional precision changes future without war) is preventive against this.

Both rows compose with: Otto-346 (dependency symbiosis upstream-contribution discipline; the colloquial conflation contaminates Otto-346's precision), Otto-339 (anywhere-means-anywhere; vocabulary precision applies to directory/concept naming), Otto-286 (definitional precision without war), B-0010 (memory-index-conventions sibling naming-discipline), B-0015 (TS-migration P2; B-0030's TS target follows).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* fix(551): MD032 blanks-around-lists (lint, fix-markdown tool)

* fix(B-0030): MD032 blanks-around-lists (lint, fix-markdown tool)