From b03f0e5eb489b32772378d9da4c8732d529ce753 Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Fri, 24 Apr 2026 14:34:16 -0400 Subject: [PATCH 1/2] =?UTF-8?q?docs:=20file=20actual=20HB-005=20=E2=80=94?= =?UTF-8?q?=20un-phantomize=20the=20AceHack-mirror-LFG=20reference?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit My PR #377 research doc referenced HB-005 as if it existed. Aaron caught the phantom: *"bet you can find it in one of your closed PRs"* (I had implied it was in a closed PR). Full search of open, closed, and all-branch HB-005 references surfaces only my own usages in #377 — I invented the reference without ever creating the row. This PR lands the actual HB-005 in `docs/HUMAN-BACKLOG.md` to match the concept I'd been referencing: - **Ask**: symmetric branch-protection + settings on AceHack fork matching LFG canonical, except merge-queue (org-only feature). - **Trigger**: Aaron directive 2026-04-24 *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible."* - **Approach**: snapshot both repos via the existing `tools/hygiene/snapshot-github-settings.sh`, diff, apply symmetric settings where the feature is available on personal tier. - **Composes with**: HB-001 (org migration — established the LFG-canonical + AceHack-fork topology), Otto-223 (two-hop PR flow makes the intentional merge-queue asymmetry tolerable). HUMAN-BACKLOG.md is distinct from docs/BACKLOG.md — the HB-002 per-row-BACKLOG-split blocker does not apply here. Filing HB-005 directly in the same flat-file format as HB-001..HB-004. Retractability-in-action (Otto-238): verify-before-deferring rule (CLAUDE.md-level) was violated by my phantom reference; this recovers by making the reference real instead of silently deleting it. Co-Authored-By: Claude Opus 4.7 --- docs/HUMAN-BACKLOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/HUMAN-BACKLOG.md b/docs/HUMAN-BACKLOG.md index 0082e84e..fa1f7028 100644 --- a/docs/HUMAN-BACKLOG.md +++ b/docs/HUMAN-BACKLOG.md @@ -237,6 +237,8 @@ are ordered by `State: Open` first, then `Stale`, then | HB-004 | 2026-04-23 | decision / branch-protection | **REVISED TWICE 2026-04-23 same day; finally resolved on empirical finding.** First revision: the human maintainer's sharpening ("more checks that gate merges the better ... ignore with peer-reviewed justification") inverted my initial "remove from required" recommendation. Second revision (auto-loop-69): empirical check of LFG's actual `branches/main/protection` via `gh api` showed `submit-nuget` is **NOT in required checks**. Required set: `build-and-test (ubuntu-22.04)`, `lint (semgrep)`, `lint (shellcheck)`, `lint (actionlint)`, `lint (markdownlint)`. Verified on PR #170: all required checks pass (`submit-nuget: FAILURE` but not in required set); `mergeStateStatus: BLOCKED` with `req_failing: []`. Real blocker is `required_status_checks.strict: true` (branch-currency — PR base is at `d548219`, main has advanced); PR must be updated with main before merge. Correct resolution: **no settings change needed** — submit-nuget isn't gating merges. Stuck PRs should rebase / update from main (mechanical free work) or enable auto-merge-with-squash so GitHub updates + merges when criteria met. HB-004's entire premise ("submit-nuget blocks merge") was wrong; I saw `FAILURE` in the checks list and assumed it blocked without reading the protection rules. Lesson: investigate the actual gate-set before proposing gate-changes. | `gh api /repos/Lucent-Financial-Group/Zeta/branches/main/protection` (2026-04-23 auto-loop-69) + `gh pr view 170 --json mergeStateStatus,mergeable,reviewDecision` + the human maintainer's 2026-04-23 branch-protection delegation + same-day sharpening directive + per-user memory (not in-repo; lives at `~/.claude/projects//memory/feedback_branch_protection_settings_are_agent_call_external_contribution_ready_2026_04_23.md`) | Resolved | No settings change. Stuck PRs unblock by rebasing / updating from main (mechanical free work) or enabling auto-merge-with-squash. `submit-nuget` FAILURE is visible but non-blocking. Real gate: `strict: true` branch-currency. | +| HB-005 | 2026-04-24 | decision / settings-parity | Crank up AceHack fork's branch-protection + settings to match Lucent-Financial-Group/Zeta (LFG) canonical, where the feature is available on personal accounts. Aaron directive 2026-04-24: *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible."* Some features are org-only (merge queue requires org-owned repo per the HB-001 migration rationale) and will remain asymmetric; everything else (required-status-checks, required-conversation-resolution, dismiss-stale-reviews, auto-delete-head-branch, auto-merge, dependabot, secret-scanning where available on personal tier, etc) should be symmetric. PR hygiene implication: AceHack's `strict=true` is tolerable because all PRs post-drain route two-hop (AceHack → LFG, per Otto-223), so LFG's merge queue + stricter settings catch stale-merge cases downstream; document the intentional per-repo asymmetry (merge queue off on AceHack) in `docs/GITHUB-SETTINGS.md`. Approach: run `tools/hygiene/snapshot-github-settings.sh --repo AceHack/Zeta` + same for LFG; diff the 13 settings groups; write up the diff for human review; apply changes where the feature is available. | maintainer 2026-04-24 tick *"ACTIONLINT_VERSION should be part of our deployed tooling... dev machines will need this to, remember the dev machine / build machine parity requirement"* + same-day *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible"*; HB-001 (org migration) established the LFG canonical + AceHack fork two-repo setup; Otto-223 two-hop flow (`feedback_post_drain_prs_to_acehack_first_for_copilot_then_push_to_lfg_otto_223_2026_04_24.md`). | Open | | + | HB-001 | 2026-04-21 | decision / org-migration | Plan + execute the migration of `AceHack/Zeta` → `Lucent-Financial-Group/Zeta` (the human maintainer's LFG umbrella org). Drivers: (a) GitHub gates merge queue and other org-level features to organization-owned repos — user-owned repos cannot enable merge queue on any plan tier, which is the real blocker behind the `422 Invalid rule 'merge_queue':` failure against `POST /repos/AceHack/Zeta/rulesets` (see §10.3 of `docs/research/parallel-worktree-safety-2026-04-22.md`); (b) aligns the repo with Aaron's stated destination for external contributors. **Constraints (Aaron 2026-04-21):** (1) **preserve all current settings** — rulesets, required checks (gate + CodeQL + semgrep), branch-protection behaviours, auto-delete-head-branch, auto-merge, Dependabot, CodeScanning, Copilot Code Review, concurrency groups, workflow triggers incl. `merge_group:`; (2) **public from the start** at the new location — no private-during-transition staging period. No deadline — "at some point". Until transferred, the factory accepts the rebase-tax on serial PRs and relies on `gh pr merge --auto --squash` alone (merge queue off). | `docs/research/parallel-worktree-safety-2026-04-22.md` §10.3; session transcript 2026-04-21 (Aaron: "we can move tih to https://github.com/Lucent-Financial-Group at some point it's my org for LFG" + "we need to move it to lucent for contributor at some point anyways, we want to keep all the settings we have now" + "i think we are going to have to go without merge queue parallelism for now" + "we can just make it public from the start") | Resolved | Executed 2026-04-21 via `POST /repos/AceHack/Zeta/transfer` with `new_owner=Lucent-Financial-Group`. Transfer completed instantly (Aaron admin on both sides). Verification diffed 13 settings groups against pre-transfer scorecard: all preserved **except** `secret_scanning` and `secret_scanning_push_protection` both silently flipped `enabled→disabled` by GitHub's org-transfer code path; re-enabled same session via `PATCH /repos/Lucent-Financial-Group/Zeta` with `security_and_analysis`. Ruleset id 15256879 "Default" preserved byte-identical (6 rules); classic branch protection on main preserved (6 required contexts); Actions variables preserved (2 COPILOT_AGENT_FIREWALL_*); environments + Pages config preserved (Pages URL redirected `acehack.github.io/Zeta` → `lucent-financial-group.github.io/Zeta`). Local `git remote` updated. Declarative settings file landed at `docs/GITHUB-SETTINGS.md` per Aaron's companion directive ("its nice having the expected settings declarative defined" + "i hate things in GitHub where I can't check in the declarative settgins"). Merge queue enable remains a separate opt-in step. | ### For: `any` (any human contributor) From 4f86c0a9377c2e82e6cee324a4f212b3e340d76a Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Fri, 24 Apr 2026 14:35:52 -0400 Subject: [PATCH 2/2] =?UTF-8?q?docs:=20HB-005=20=E2=80=94=20correct=20asym?= =?UTF-8?q?metry=20framing=20(platform-limit,=20not=20intentional)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Aaron correction 2026-04-24: "it's not intentional, i wish we could use merge queue on acehack but i don't think they give that to personal repos only org repos." Reworded HB-005 to make clear the merge-queue asymmetry is GitHub-platform-forced (not offered on personal repos), not a design preference. Preserves Aaron's verbatim quote. Co-Authored-By: Claude Opus 4.7 --- docs/HUMAN-BACKLOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/HUMAN-BACKLOG.md b/docs/HUMAN-BACKLOG.md index fa1f7028..87d64538 100644 --- a/docs/HUMAN-BACKLOG.md +++ b/docs/HUMAN-BACKLOG.md @@ -237,7 +237,7 @@ are ordered by `State: Open` first, then `Stale`, then | HB-004 | 2026-04-23 | decision / branch-protection | **REVISED TWICE 2026-04-23 same day; finally resolved on empirical finding.** First revision: the human maintainer's sharpening ("more checks that gate merges the better ... ignore with peer-reviewed justification") inverted my initial "remove from required" recommendation. Second revision (auto-loop-69): empirical check of LFG's actual `branches/main/protection` via `gh api` showed `submit-nuget` is **NOT in required checks**. Required set: `build-and-test (ubuntu-22.04)`, `lint (semgrep)`, `lint (shellcheck)`, `lint (actionlint)`, `lint (markdownlint)`. Verified on PR #170: all required checks pass (`submit-nuget: FAILURE` but not in required set); `mergeStateStatus: BLOCKED` with `req_failing: []`. Real blocker is `required_status_checks.strict: true` (branch-currency — PR base is at `d548219`, main has advanced); PR must be updated with main before merge. Correct resolution: **no settings change needed** — submit-nuget isn't gating merges. Stuck PRs should rebase / update from main (mechanical free work) or enable auto-merge-with-squash so GitHub updates + merges when criteria met. HB-004's entire premise ("submit-nuget blocks merge") was wrong; I saw `FAILURE` in the checks list and assumed it blocked without reading the protection rules. Lesson: investigate the actual gate-set before proposing gate-changes. | `gh api /repos/Lucent-Financial-Group/Zeta/branches/main/protection` (2026-04-23 auto-loop-69) + `gh pr view 170 --json mergeStateStatus,mergeable,reviewDecision` + the human maintainer's 2026-04-23 branch-protection delegation + same-day sharpening directive + per-user memory (not in-repo; lives at `~/.claude/projects//memory/feedback_branch_protection_settings_are_agent_call_external_contribution_ready_2026_04_23.md`) | Resolved | No settings change. Stuck PRs unblock by rebasing / updating from main (mechanical free work) or enabling auto-merge-with-squash. `submit-nuget` FAILURE is visible but non-blocking. Real gate: `strict: true` branch-currency. | -| HB-005 | 2026-04-24 | decision / settings-parity | Crank up AceHack fork's branch-protection + settings to match Lucent-Financial-Group/Zeta (LFG) canonical, where the feature is available on personal accounts. Aaron directive 2026-04-24: *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible."* Some features are org-only (merge queue requires org-owned repo per the HB-001 migration rationale) and will remain asymmetric; everything else (required-status-checks, required-conversation-resolution, dismiss-stale-reviews, auto-delete-head-branch, auto-merge, dependabot, secret-scanning where available on personal tier, etc) should be symmetric. PR hygiene implication: AceHack's `strict=true` is tolerable because all PRs post-drain route two-hop (AceHack → LFG, per Otto-223), so LFG's merge queue + stricter settings catch stale-merge cases downstream; document the intentional per-repo asymmetry (merge queue off on AceHack) in `docs/GITHUB-SETTINGS.md`. Approach: run `tools/hygiene/snapshot-github-settings.sh --repo AceHack/Zeta` + same for LFG; diff the 13 settings groups; write up the diff for human review; apply changes where the feature is available. | maintainer 2026-04-24 tick *"ACTIONLINT_VERSION should be part of our deployed tooling... dev machines will need this to, remember the dev machine / build machine parity requirement"* + same-day *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible"*; HB-001 (org migration) established the LFG canonical + AceHack fork two-repo setup; Otto-223 two-hop flow (`feedback_post_drain_prs_to_acehack_first_for_copilot_then_push_to_lfg_otto_223_2026_04_24.md`). | Open | | +| HB-005 | 2026-04-24 | decision / settings-parity | Crank up AceHack fork's branch-protection + settings to match Lucent-Financial-Group/Zeta (LFG) canonical, where the feature is available on personal accounts. Aaron directive 2026-04-24: *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible."* Some features are **platform-limit asymmetric** (merge queue is GitHub-org-only; personal repos like AceHack/Zeta cannot enable it — per HB-001 migration rationale). This asymmetry is unwanted — Aaron 2026-04-24 on the correction: *"it's not intentional, i wish we could use merge queue on acehack but i don't think they give that to personal repos only org repos."* Everything else (required-status-checks, required-conversation-resolution, dismiss-stale-reviews, auto-delete-head-branch, auto-merge, dependabot, secret-scanning where available on personal tier, etc) should be symmetric. PR hygiene implication: AceHack's `strict=true` is tolerable because all PRs post-drain route two-hop (AceHack → LFG, per Otto-223), so LFG's merge queue + stricter settings catch stale-merge cases downstream; document the platform-forced merge-queue asymmetry (not a preference) in `docs/GITHUB-SETTINGS.md`. Approach: run `tools/hygiene/snapshot-github-settings.sh --repo AceHack/Zeta` + same for LFG; diff the 13 settings groups; write up the diff for human review; apply changes where the feature is available. | maintainer 2026-04-24 tick *"ACTIONLINT_VERSION should be part of our deployed tooling... dev machines will need this to, remember the dev machine / build machine parity requirement"* + same-day *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible"*; HB-001 (org migration) established the LFG canonical + AceHack fork two-repo setup; Otto-223 two-hop flow (`feedback_post_drain_prs_to_acehack_first_for_copilot_then_push_to_lfg_otto_223_2026_04_24.md`). | Open | | | HB-001 | 2026-04-21 | decision / org-migration | Plan + execute the migration of `AceHack/Zeta` → `Lucent-Financial-Group/Zeta` (the human maintainer's LFG umbrella org). Drivers: (a) GitHub gates merge queue and other org-level features to organization-owned repos — user-owned repos cannot enable merge queue on any plan tier, which is the real blocker behind the `422 Invalid rule 'merge_queue':` failure against `POST /repos/AceHack/Zeta/rulesets` (see §10.3 of `docs/research/parallel-worktree-safety-2026-04-22.md`); (b) aligns the repo with Aaron's stated destination for external contributors. **Constraints (Aaron 2026-04-21):** (1) **preserve all current settings** — rulesets, required checks (gate + CodeQL + semgrep), branch-protection behaviours, auto-delete-head-branch, auto-merge, Dependabot, CodeScanning, Copilot Code Review, concurrency groups, workflow triggers incl. `merge_group:`; (2) **public from the start** at the new location — no private-during-transition staging period. No deadline — "at some point". Until transferred, the factory accepts the rebase-tax on serial PRs and relies on `gh pr merge --auto --squash` alone (merge queue off). | `docs/research/parallel-worktree-safety-2026-04-22.md` §10.3; session transcript 2026-04-21 (Aaron: "we can move tih to https://github.com/Lucent-Financial-Group at some point it's my org for LFG" + "we need to move it to lucent for contributor at some point anyways, we want to keep all the settings we have now" + "i think we are going to have to go without merge queue parallelism for now" + "we can just make it public from the start") | Resolved | Executed 2026-04-21 via `POST /repos/AceHack/Zeta/transfer` with `new_owner=Lucent-Financial-Group`. Transfer completed instantly (Aaron admin on both sides). Verification diffed 13 settings groups against pre-transfer scorecard: all preserved **except** `secret_scanning` and `secret_scanning_push_protection` both silently flipped `enabled→disabled` by GitHub's org-transfer code path; re-enabled same session via `PATCH /repos/Lucent-Financial-Group/Zeta` with `security_and_analysis`. Ruleset id 15256879 "Default" preserved byte-identical (6 rules); classic branch protection on main preserved (6 required contexts); Actions variables preserved (2 COPILOT_AGENT_FIREWALL_*); environments + Pages config preserved (Pages URL redirected `acehack.github.io/Zeta` → `lucent-financial-group.github.io/Zeta`). Local `git remote` updated. Declarative settings file landed at `docs/GITHUB-SETTINGS.md` per Aaron's companion directive ("its nice having the expected settings declarative defined" + "i hate things in GitHub where I can't check in the declarative settgins"). Merge queue enable remains a separate opt-in step. |