diff --git a/docs/backlog/P0/B-0073-lfg-csharp-code-scanning-cleanup-13-alerts-blocking-ruleset-2026-04-28.md b/docs/backlog/P0/B-0073-lfg-csharp-code-scanning-cleanup-13-alerts-blocking-ruleset-2026-04-28.md new file mode 100644 index 00000000..0d0b6567 --- /dev/null +++ b/docs/backlog/P0/B-0073-lfg-csharp-code-scanning-cleanup-13-alerts-blocking-ruleset-2026-04-28.md 
@@ -0,0 +1,100 @@ +--- +id: B-0073 +priority: P0 +status: open +title: LFG csharp Code Scanning cleanup — 13 open alerts gating code_quality severity:all ruleset on every PR +effort: M +ask: Otto autonomous (per Aaron full-delegation 2026-04-28 "fuck it ui sucks you got it" + static-analysis-grade quality bar) +created: 2026-04-28 +last_updated: 2026-04-28 +tags: [code-scanning, codeql, ruleset, lfg, blocker, task-306] +--- + +# B-0073 — LFG csharp Code Scanning cleanup + +## Source + +Investigation 2026-04-28T09:14Z while diagnosing why all 6 LFG +PRs are BLOCKED with 0 unresolved threads + all-green CI. + +`gh api repos/Lucent-Financial-Group/Zeta/code-scanning/alerts?state=open` +returns 13 open alerts on `refs/heads/main` driving the +`code_quality: severity=all` ruleset gate to block every PR. + +## Alert breakdown + +**Build-artifact noise (2 alerts — should be excluded from +analysis, NOT fixed in source):** + +- #1, #2: `cs/missed-ternary-operator` in + `tests/{Tests.CSharp,Core.CSharp.Tests}/obj/Release/net10.0/XunitAutoGenerated*.cs` +- These are auto-generated xunit build artifacts under `obj/` +- Structural fix: extend CodeQL config to exclude `**/obj/**` + paths from analysis. Build artifacts shouldn't be scanned. 
+ +**Mechanical source fixes (10 alerts — `cs/useless-cast-to-self`):** + +- #3-#7: `tests/Tests.CSharp/CircuitTests.cs` lines 70-72 +- #8-#12: `tests/Tests.CSharp/ZSetTests.cs` lines 30-31, 43-45 +- All are `((int, long))(N, NL)` redundant casts on tuple + literals where the compiler already infers `(int, long)` + from `N` (int) and `NL` (long) +- Mechanical fix: remove the cast `((int, long))(N, NL)` → + `(N, NL)` — but verify there's no overload-resolution + reason the cast was added +- Test code, low-risk + +**OpenSSF Scorecard SAST alert (1 alert):** + +- #24: `Scorecard SAST` `score: 9, sev: error, sec_sev: medium`: + "SAST tool detected but not run on all commits: 28/30 + commits checked" +- This is meta-finding from OpenSSF Scorecard, not a real + source-code defect. Task #304 was filed for this earlier in + the session and marked completed; the alert may have been + generated against an old commit-window. +- Re-investigation required: is this still applicable, or has + the 30-commit window rolled forward enough that Scorecard + no longer flags? + +## Why this is P0 + +All 6 LFG PRs (`#655 #656 #657 #658 #659 #660`) are BLOCKED +on this ruleset. Until cleared, no LFG-side merging can +happen. AceHack→LFG forward-sync is dead-letter. The 0/0/0 +divergence target is unreachable. + +## Plan + +1. **Verify Scorecard alert #24 still fires** (may have aged + out; if not applicable, dismiss with reason). +2. **Extend CodeQL config to exclude `**/obj/**`** — single + config change (paths-ignore in `.github/codeql/codeql-config.yml` + or paths-ignore in workflow). Drops alerts #1, #2 to 0. +3. **Triage the 10 useless-cast-to-self warnings** — each + needs a quick verify that removing the cast doesn't break + compilation (overload-resolution check). If clean, batch + remove. Test with `dotnet build -c Release` per AGENTS.md. +4. **Re-scan and verify ruleset clears**. 
CodeQL re-runs on + merge to main; verify alert count drops to 0 (or only the + note-severity Scorecard). + +## Composes with + +- task #306 — Cadence-fast revisit on `Analyze (csharp)` skip + on PR (this row is the discovered substrate explaining WHY + task #306 matters: it's the ruleset gate, not the workflow + cost) +- task #304 — Scorecard alerts unblock for forward-sync (this + row reveals the Scorecard alert may still be live) +- AceHack #72 + LFG #655-660 all currently unmergeable + pending this work + +## Acceptance + +- 0 open Code Scanning alerts on LFG main (or only + note-severity findings that the ruleset is configured to + ignore) +- LFG #655 / #656 / #657 / #658 (the simplest BLOCKED PRs) + flip from BLOCKED to CLEAN/MERGEABLE with no ruleset gate +- Forward-sync from AceHack to LFG resumes
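Review bot: Plan step 2 assumes `paths-ignore` will keep the `obj/` artifacts out of the csharp analysis, but C# is a compiled language, and unless the workflow analyzes it with build mode `none`, CodeQL extracts whatever the build compiles; the `XunitAutoGenerated*.cs` files under `obj/` are produced by the build and compiled into the test assemblies, so a config-file path filter may not remove them from the database. The step should name the workflow's build mode and a single location for the exclusion (it currently hedges between `.github/codeql/codeql-config.yml` and the workflow's `paths-ignore`), and should add an explicit check that alerts #1 and #2 are absent from a fresh analysis before the row counts them as dropped; if the filter does not apply in this build mode, the fallback is to keep the generator output out of the compiled sources or filter the two results at the query/alert level. Separately, the `ask:` front-matter quotes a profanity verbatim; a committed backlog doc should carry the delegation decision without the quote.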