docs(.claude/rules): codeql-no-source-on-docs-only-PR is broken-commit canary #3522
…t canary

When CodeQL fails "no source code seen during build" on a docs-only PR while sibling docs-only PRs pass, the commit tree is CORRUPTED — not a CI flake. Lock-cleanup races between peer agents (e.g., Lior-gemini step 8 "global lock cleanup") can collapse the commit tree silently at worktree-creation time, between `git add` and `git commit`, or during user operations.

Rule provides three guards:
- PRE-worktree-creation: `ps -A | grep -E "gemini.*Lior|lior.*loop"` — only reliable safe-window check; CPU% is empirically NOT reliable
- POST-worktree-creation: `git status --short | wc -l` to detect corrupted-at-creation indices
- POST-commit (traditional): `git ls-tree HEAD | wc -l` to detect tree-collapse before push

Empirical anchor: 5 worktree-creation attempts this session; 2 survived clean (1338Z primary substrate merged at 0cabc08; this file's 1631Z attempt landed after Lior process exited), 2 corrupted (b0531 caught by Codex P0 on PR #3492 after I dismissed CodeQL signal; 1547Z retry corrupted AT CREATION despite Lior 0.0% CPU), 1 corrupted DURING use (1521Z retry, Lior re-fired at 3.2% mid-attempt).

Auto-loads at session start per .claude/rules/ discipline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5c67df0bea
| tree_size=$(git ls-tree HEAD | wc -l | tr -d ' ') | ||
| if [ "$status_lines" -gt 5 ] || [ "$tree_size" -lt 50 ]; then | ||
| echo "WORKTREE ALREADY CORRUPTED at creation" | ||
| cd / && git worktree remove <worktree-path> -f -f |
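Review bot: In the `tree_size` line, `git ls-tree HEAD` without `-r` counts only top-level entries, so the hard-coded `-lt 50` threshold (and `-gt 5` for status lines) depends on this repository's current layout, which the hunk does not state. Suggest documenting where 50 and 5 come from, or comparing against the entry count of a known-good ref instead of a constant, so the guard does not misfire if the top-level layout changes.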
Run worktree cleanup from a Git repository
The cleanup branch in the post-worktree guard cannot succeed because it changes directory to `/` and then runs `git worktree remove`; from `/`, Git exits with `fatal: not a git repository`, so the corrupted worktree is not actually removed. This means the documented remediation path fails exactly when corruption is detected, leaving stale worktree state behind and undermining the canary workflow.
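A guard-and-cleanup function that avoids the failure described in the Codex comment above, as an added example (not code from the PR or the rule file): it hands the main checkout to `git -C` instead of changing directory to `/`. The function name `check_worktree`, its arguments and its return codes are assumptions; the thresholds 5 and 50 are the ones in the quoted diff.

```shell
# Added example: post-creation worktree guard whose cleanup runs inside a repository.
# Hypothetical names: check_worktree, main_repo, worktree, max_status, min_tree.
# Returns 0 = healthy, 1 = corrupted and removed, 2 = corrupted but removal failed.
check_worktree() {
    main_repo=$1        # path to the main checkout that owns the worktree
    worktree=$2         # path to the freshly created worktree
    max_status=${3:-5}  # more pending changes than this right after creation is suspicious
    min_tree=${4:-50}   # fewer top-level tree entries than this means a collapsed tree

    # A failing git command yields 0 lines, which the tree check treats as corrupted.
    status_lines=$(git -C "$worktree" status --short 2>/dev/null | wc -l | tr -d ' ')
    tree_size=$(git -C "$worktree" ls-tree HEAD 2>/dev/null | wc -l | tr -d ' ')

    if [ "$status_lines" -gt "$max_status" ] || [ "$tree_size" -lt "$min_tree" ]; then
        echo "WORKTREE ALREADY CORRUPTED at creation: $worktree" >&2
        # -C keeps Git inside a repository, so the removal cannot die with
        # "fatal: not a git repository" the way it does after `cd /`.
        # A single --force removes an unclean worktree but still refuses a locked one.
        if ! git -C "$main_repo" worktree remove --force "$worktree"; then
            echo "cleanup failed; worktree left in place: $worktree" >&2
            return 2
        fi
        git -C "$main_repo" worktree prune
        return 1
    fi
    return 0
}
```

Checking the return code lets the caller distinguish "removed, safe to retry" from "removal refused", which the original one-liner could not report.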
Pull request overview
Adds a new auto-loaded .claude/rules/ rule documenting that CodeQL’s “no source code seen during build” on an otherwise docs-only PR is a strong signal of commit-tree corruption (not a CI flake), and provides concrete guard/check commands to detect it early.
Changes:
- Introduces a new rule file capturing the CodeQL-canary diagnostic and recommended `git ls-tree` checks.
- Documents pre-/post-worktree and post-commit guardrails intended to catch index/tree collapse during multi-agent lock-cleanup races.
| `memory/feedback_codeql_no_source_seen_on_docs_only_pr_is_broken_commit_canary_not_flake_lior_lock_cleanup_race_2026_05_15.md` | ||
| (user-scope memory; indexed in MEMORY.md) |
|
|
||
| ## Empirical anchor (2026-05-15 cold-boot session) | ||
|
|
||
| Four worktree-creation attempts: |
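Review bot: "Four worktree-creation attempts:" under the Empirical anchor heading disagrees with the commit message and the PR summary, which both say five attempts. Suggest aligning the count in the rule file with the other two so the empirical anchor can be cross-checked.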
| tree_size=$(git ls-tree HEAD | wc -l | tr -d ' ') | ||
| if [ "$status_lines" -gt 5 ] || [ "$tree_size" -lt 50 ]; then | ||
| echo "WORKTREE ALREADY CORRUPTED at creation" | ||
| cd / && git worktree remove <worktree-path> -f -f |
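Review bot: On the `git worktree remove <worktree-path> -f -f` line, doubling `-f` also removes a worktree that is locked, and in a rule about races between peer agents that can delete a worktree another agent locked deliberately. Suggest a single `-f`, which is enough for an unclean worktree, and treating a locked worktree as a stop-and-investigate case. The line should also say that `<worktree-path>` is a placeholder, since pasted verbatim the shell parses `<` and `>` as redirections.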
Summary
Lands the CodeQL-canary rule from this session's autonomous-loop work as auto-loaded `.claude/rules/` substrate.
When CodeQL fails `no source code seen during build` on a docs-only PR while sibling docs-only PRs in the same window pass, the commit tree is CORRUPTED — not a CI flake. Lock-cleanup races between peer agents (e.g., Lior-gemini step 8 "global lock cleanup") can collapse the commit tree silently at three timing windows:
Three guards provided
Empirical anchor
Five worktree-creation attempts this session:
- `/tmp/zeta-otto-cli-cold-boot-1338z` (1338Z) 0cabc085
- `/tmp/zeta-otto-cli-b0531` (1345Z)
- `/private/tmp/zeta-otto-cli-codeql-canary-rule` (1521Z)
- `/private/tmp/zeta-otto-cli-canary-rule-retry-1547z` (1547Z)
- `/private/tmp/zeta-codeql-canary-rule-1631z` (1631Z) `ps -A`
Composes with
- `.claude/rules/claim-acquire-before-worktree-work.md` — worktree hygiene
- `.claude/rules/verify-before-deferring.md` — verify substrate before classifying
- `.claude/rules/refresh-before-decide.md` — raw `git ls-tree` IS the refresh
Provenance
Test plan
🤖 Generated with Claude Code