docs: file actual HB-005 — AceHack fork settings mirror LFG (un-phantomize #377 reference)

docs/HUMAN-BACKLOG.md

@@ -237,6 +237,8 @@ are ordered by `State: Open` first, then `Stale`, then
 
 | HB-004 | 2026-04-23 | decision / branch-protection | **REVISED TWICE 2026-04-23 same day; finally resolved on empirical finding.** First revision: the human maintainer's sharpening ("more checks that gate merges the better ... ignore with peer-reviewed justification") inverted my initial "remove from required" recommendation. Second revision (auto-loop-69): empirical check of LFG's actual `branches/main/protection` via `gh api` showed `submit-nuget` is **NOT in required checks**. Required set: `build-and-test (ubuntu-22.04)`, `lint (semgrep)`, `lint (shellcheck)`, `lint (actionlint)`, `lint (markdownlint)`. Verified on PR #170: all required checks pass (`submit-nuget: FAILURE` but not in required set); `mergeStateStatus: BLOCKED` with `req_failing: []`. Real blocker is `required_status_checks.strict: true` (branch-currency — PR base is at `d548219`, main has advanced); PR must be updated with main before merge. Correct resolution: **no settings change needed** — submit-nuget isn't gating merges. Stuck PRs should rebase / update from main (mechanical free work) or enable auto-merge-with-squash so GitHub updates + merges when criteria met. HB-004's entire premise ("submit-nuget blocks merge") was wrong; I saw `FAILURE` in the checks list and assumed it blocked without reading the protection rules. Lesson: investigate the actual gate-set before proposing gate-changes. | `gh api /repos/Lucent-Financial-Group/Zeta/branches/main/protection` (2026-04-23 auto-loop-69) + `gh pr view 170 --json mergeStateStatus,mergeable,reviewDecision` + the human maintainer's 2026-04-23 branch-protection delegation + same-day sharpening directive + per-user memory (not in-repo; lives at `~/.claude/projects/<slug>/memory/feedback_branch_protection_settings_are_agent_call_external_contribution_ready_2026_04_23.md`) | Resolved | No settings change. Stuck PRs unblock by rebasing / updating from main (mechanical free work) or enabling auto-merge-with-squash. `submit-nuget` FAILURE is visible but non-blocking. Real gate: `strict: true` branch-currency. |
 
+| HB-005 | 2026-04-24 | decision / settings-parity | Crank up AceHack fork's branch-protection + settings to match Lucent-Financial-Group/Zeta (LFG) canonical, where the feature is available on personal accounts. Aaron directive 2026-04-24: *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible."* Some features are **platform-limit asymmetric** (merge queue is GitHub-org-only; personal repos like AceHack/Zeta cannot enable it — per HB-001 migration rationale). This asymmetry is unwanted — Aaron 2026-04-24 on the correction: *"it's not intentional, i wish we could use merge queue on acehack but i don't think they give that to personal repos only org repos."* Everything else (required-status-checks, required-conversation-resolution, dismiss-stale-reviews, auto-delete-head-branch, auto-merge, dependabot, secret-scanning where available on personal tier, etc) should be symmetric. PR hygiene implication: AceHack's `strict=true` is tolerable because all PRs post-drain route two-hop (AceHack → LFG, per Otto-223), so LFG's merge queue + stricter settings catch stale-merge cases downstream; document the platform-forced merge-queue asymmetry (not a preference) in `docs/GITHUB-SETTINGS.md`. Approach: run `tools/hygiene/snapshot-github-settings.sh --repo AceHack/Zeta` + same for LFG; diff the 13 settings groups; write up the diff for human review; apply changes where the feature is available. | maintainer 2026-04-24 tick *"ACTIONLINT_VERSION should be part of our deployed tooling... dev machines will need this to, remember the dev machine / build machine parity requirement"* + same-day *"they are cranked up good on LFG but should also be cranked up good on AceHack very similar if not the same where possible"*; HB-001 (org migration) established the LFG canonical + AceHack fork two-repo setup; Otto-223 two-hop flow (`feedback_post_drain_prs_to_acehack_first_for_copilot_then_push_to_lfg_otto_223_2026_04_24.md`). | Open |  |
+
 | HB-001 | 2026-04-21 | decision / org-migration | Plan + execute the migration of `AceHack/Zeta` → `Lucent-Financial-Group/Zeta` (the human maintainer's LFG umbrella org). Drivers: (a) GitHub gates merge queue and other org-level features to organization-owned repos — user-owned repos cannot enable merge queue on any plan tier, which is the real blocker behind the `422 Invalid rule 'merge_queue':` failure against `POST /repos/AceHack/Zeta/rulesets` (see §10.3 of `docs/research/parallel-worktree-safety-2026-04-22.md`); (b) aligns the repo with Aaron's stated destination for external contributors. **Constraints (Aaron 2026-04-21):** (1) **preserve all current settings** — rulesets, required checks (gate + CodeQL + semgrep), branch-protection behaviours, auto-delete-head-branch, auto-merge, Dependabot, CodeScanning, Copilot Code Review, concurrency groups, workflow triggers incl. `merge_group:`; (2) **public from the start** at the new location — no private-during-transition staging period. No deadline — "at some point". Until transferred, the factory accepts the rebase-tax on serial PRs and relies on `gh pr merge --auto --squash` alone (merge queue off). | `docs/research/parallel-worktree-safety-2026-04-22.md` §10.3; session transcript 2026-04-21 (Aaron: "we can move tih to https://github.com/Lucent-Financial-Group at some point it's my org for LFG" + "we need to move it to lucent for contributor at some point anyways, we want to keep all the settings we have now" + "i think we are going to have to go without merge queue parallelism for now" + "we can just make it public from the start") | Resolved | Executed 2026-04-21 via `POST /repos/AceHack/Zeta/transfer` with `new_owner=Lucent-Financial-Group`. Transfer completed instantly (Aaron admin on both sides). Verification diffed 13 settings groups against pre-transfer scorecard: all preserved **except** `secret_scanning` and `secret_scanning_push_protection` both silently flipped `enabled→disabled` by GitHub's org-transfer code path; re-enabled same session via `PATCH /repos/Lucent-Financial-Group/Zeta` with `security_and_analysis`. Ruleset id 15256879 "Default" preserved byte-identical (6 rules); classic branch protection on main preserved (6 required contexts); Actions variables preserved (2 COPILOT_AGENT_FIREWALL_*); environments + Pages config preserved (Pages URL redirected `acehack.github.io/Zeta` → `lucent-financial-group.github.io/Zeta`). Local `git remote` updated. Declarative settings file landed at `docs/GITHUB-SETTINGS.md` per Aaron's companion directive ("its nice having the expected settings declarative defined" + "i hate things in GitHub where I can't check in the declarative settgins"). Merge queue enable remains a separate opt-in step. |
 
 ### For: `any` (any human contributor)