AceHack · AceHack · Apr 28, 2026 · Apr 28, 2026
diff --git a/...-0073-lfg-csharp-code-scanning-cleanup-13-alerts-blocking-ruleset-2026-04-28.md b/...-0073-lfg-csharp-code-scanning-cleanup-13-alerts-blocking-ruleset-2026-04-28.md
@@ -0,0 +1,100 @@
+---
+id: B-0073
+priority: P0
+status: open
+title: LFG csharp Code Scanning cleanup — 13 open alerts gating code_quality severity:all ruleset on every PR
+effort: M
+ask: Otto autonomous (per Aaron full-delegation 2026-04-28 "fuck it ui sucks you got it" + static-analysis-grade quality bar)
+created: 2026-04-28
+last_updated: 2026-04-28
+tags: [code-scanning, codeql, ruleset, lfg, blocker, task-306]
+---
+
+# B-0073 — LFG csharp Code Scanning cleanup
+
+## Source
+
+Investigation 2026-04-28T09:14Z while diagnosing why all 6 LFG
+PRs are BLOCKED with 0 unresolved threads + all-green CI.
+
+`gh api repos/Lucent-Financial-Group/Zeta/code-scanning/alerts?state=open`
+returns 13 open alerts on `refs/heads/main` driving the
+`code_quality: severity=all` ruleset gate to block every PR.
+
+## Alert breakdown
+
+**Build-artifact noise (2 alerts — should be excluded from
+analysis, NOT fixed in source):**
+
+- #1, #2: `cs/missed-ternary-operator` in
+  `tests/{Tests.CSharp,Core.CSharp.Tests}/obj/Release/net10.0/XunitAutoGenerated*.cs`
+- These are auto-generated xunit build artifacts under `obj/`
+- Structural fix: extend CodeQL config to exclude `**/obj/**`
+  paths from analysis. Build artifacts shouldn't be scanned.
+
+**Mechanical source fixes (10 alerts — `cs/useless-cast-to-self`):**
+
+- #3-#7: `tests/Tests.CSharp/CircuitTests.cs` lines 70-72
+- #8-#12: `tests/Tests.CSharp/ZSetTests.cs` lines 30-31, 43-45
+- All are `((int, long))(N, NL)` redundant casts on tuple
+  literals where the compiler already infers `(int, long)`
+  from `N` (int) and `NL` (long)
+- Mechanical fix: remove the cast `((int, long))(N, NL)` →
+  `(N, NL)` — but verify there's no overload-resolution
+  reason the cast was added
+- Test code, low-risk
+
+**OpenSSF Scorecard SAST alert (1 alert):**
+
+- #24: `Scorecard SAST` `score: 9, sev: error, sec_sev: medium`:
+  "SAST tool detected but not run on all commits: 28/30
+  commits checked"
+- This is meta-finding from OpenSSF Scorecard, not a real
+  source-code defect. Task #304 was filed for this earlier in
+  the session and marked completed; the alert may have been
+  generated against an old commit-window.
+- Re-investigation required: is this still applicable, or has
+  the 30-commit window rolled forward enough that Scorecard
+  no longer flags?
+
+## Why this is P0
+
+All 6 LFG PRs (`#655 #656 #657 #658 #659 #660`) are BLOCKED
+on this ruleset. Until cleared, no LFG-side merging can
+happen. AceHack→LFG forward-sync is dead-letter. The 0/0/0
+divergence target is unreachable.
+
+## Plan
+
+1. **Verify Scorecard alert #24 still fires** (may have aged
+   out; if not applicable, dismiss with reason).
+2. **Extend CodeQL config to exclude `**/obj/**`** — single
+   config change (paths-ignore in `.github/codeql/codeql-config.yml`
+   or paths-ignore in workflow). Drops alerts #1, #2 to 0.
+3. **Triage the 10 useless-cast-to-self warnings** — each
+   needs a quick verify that removing the cast doesn't break
+   compilation (overload-resolution check). If clean, batch
+   remove. Test with `dotnet build -c Release` per AGENTS.md.
+4. **Re-scan and verify ruleset clears**. CodeQL re-runs on
+   merge to main; verify alert count drops to 0 (or only the
+   note-severity Scorecard).
+
+## Composes with
+
+- task #306 — Cadence-fast revisit on `Analyze (csharp)` skip
+  on PR (this row is the discovered substrate explaining WHY
+  task #306 matters: it's the ruleset gate, not the workflow
+  cost)
+- task #304 — Scorecard alerts unblock for forward-sync (this
+  row reveals the Scorecard alert may still be live)
+- AceHack #72 + LFG #655-660 all currently unmergeable
+  pending this work
+
+## Acceptance
+
+- 0 open Code Scanning alerts on LFG main (or only
+  note-severity findings that the ruleset is configured to
+  ignore)
+- LFG #655 / #656 / #657 / #658 (the simplest BLOCKED PRs)
+  flip from BLOCKED to CLEAN/MERGEABLE with no ruleset gate
+- Forward-sync from AceHack to LFG resumes