
drain(#405/#411/#413/#415 post-merge): empty-cone safeguard + GITHUB_TOKEN header + grammar + Otto-279 policy reply #424

Merged
AceHack merged 1 commit into main from drain/405-411-413-415-followup
Apr 25, 2026

@AceHack AceHack commented Apr 25, 2026

Summary

Combined drain for 7 post-merge threads across 4 merged PRs.

Test plan

  • G_carrier_overlap empty-cone case is now RED, not silent-pass.
  • gate.yml header accurately describes what's referenced.
  • Grammar fix.
  • CI passes.

🤖 Generated with Claude Code

…_TOKEN header doc + grammar

- **#405 P1 (Codex):** empty provenance cone now FAILS G_carrier_overlap
  (treats missing-lineage as suspicious, not best-case). Prior fix made
  overlap=0 which let provenance-empty + advisory-evidence-v0 stack into
  GREEN — the carrier-laundering safeguard would have missed exactly the
  records that should trigger review. Now the gate definition reads:
  fail-RED on (overlap > θ_high) OR (cone empty); fail-YELLOW on
  (overlap > θ_med).
- **#411 P1 (Copilot):** gate.yml header 'No secrets referenced' was
  inaccurate after I added the workflow-level GITHUB_TOKEN env. Updated
  the header bullet to name the token explicitly + reference its
  read-only inheritance from permissions: contents: read + the
  workflow-vs-step-scope trade-off (DRY for ~7 install steps).
- **#413 P2 (Copilot):** 'requires any modify' → 'requires any
  add-or-modify on' grammar fix.

Note on #411 P2 (restrict GITHUB_TOKEN to install steps): trade-off
documented in the header bullet rather than refactoring 7 install steps
to per-step env. Reply explains.

Note on #415 (name attribution in drain-log): docs/pr-preservation/ is
a HISTORY surface per Otto-279 — names are policy-correct there.
Reply explains.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@AceHack AceHack enabled auto-merge (squash) April 25, 2026 03:36
Copilot AI review requested due to automatic review settings April 25, 2026 03:36

Copilot AI left a comment


Pull request overview

Updates post-merge drain-thread outcomes across documentation and CI workflow commentary, aligning spec behavior and workflow documentation with the intended safeguards and token usage.

Changes:

  • Treats an empty provenance cone as suspicious (RED) in the G_carrier_overlap gate definition (doc/spec update).
  • Updates gate.yml header commentary to accurately describe secrets.GITHUB_TOKEN usage and the workflow-level env scoping trade-off.
  • Fixes grammar in a BACKLOG entry describing the memory index integrity guard.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md | Updates G_carrier_overlap gate definition so empty provenance is treated as suspicious (RED). |
| docs/BACKLOG.md | Grammar/wording correction to match the workflow’s “add-or-modify” trigger semantics. |
| .github/workflows/gate.yml | Clarifies header documentation regarding secrets.GITHUB_TOKEN and why it’s set at workflow scope. |

@AceHack AceHack merged commit 478b54f into main Apr 25, 2026
18 checks passed
@AceHack AceHack deleted the drain/405-411-413-415-followup branch April 25, 2026 03:38
AceHack added a commit that referenced this pull request Apr 25, 2026
…#453)

Otto-268 follow-on: drain-log for the **maximum-multi-parent cascade**
observed in this drain wave — #424 was a follow-up to FOUR parent PRs
simultaneously (#405 empty-cone + #411 GITHUB_TOKEN header + #413
grammar + #415 Otto-279 policy reply). Composes-vs-serializes
tradeoff favored compose: one commit + one merge gate addressed all
four parents.

Per Otto-250 training-signal discipline. Pattern observations:

1. Maximum-multi-parent cascade: 4 parents in one follow-up. Composes
   when findings are independent + small. #423 had 2 parents; #424
   doubled to 4.
2. fail-YELLOW vs fail-RED on structurally-normal empty-input cases
   (empty cone, zero qualifying findings, no diff to lint) — over-
   blocking risk when fail-RED on empty-input. CI-design candidate:
   every audit script should explicitly classify "empty-input"
   behavior at design time.
3. GitHub canonical-example form (`Authorization: token
   $GITHUB_TOKEN`) vs accepted-also (`Authorization: Bearer
   $GITHUB_TOKEN`); prefer canonical for reader friction reduction.
4. Otto-279 surface-class reply remains stamp-uniform across the
   corpus regardless of multi-parent grouping; the multi-parent
   grouping doesn't change per-finding response.
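
The empty-cone rule from #405 and the empty-input point in the #453 drain-log, as an added Python example that is not code from this PR or its repository. The overlap metric, the threshold values, the sample records and all names are assumptions made for illustration; only the RED/YELLOW conditions come from the commit message.

```python
# Assumed values: the PR names θ_med and θ_high but does not give numbers.
THETA_MED, THETA_HIGH = 0.3, 0.6

def carrier_overlap(cone, carriers):
    """Share of the provenance cone that consists of known carriers.
    Assumed metric. Returns None for an empty cone: with no lineage,
    overlap is undefined rather than zero."""
    cone = set(cone)
    if not cone:
        return None
    return len(cone & set(carriers)) / len(cone)

def _threshold_verdict(overlap):
    if overlap > THETA_HIGH:
        return "RED"
    if overlap > THETA_MED:
        return "YELLOW"
    return "GREEN"

def gate_prior(cone, carriers):
    """Prior behaviour per the commit message: empty cone scored as overlap=0."""
    overlap = carrier_overlap(cone, carriers)
    return _threshold_verdict(0.0 if overlap is None else overlap)

def gate_fixed(cone, carriers):
    """Gate as now defined: RED on (overlap > θ_high) OR (cone empty)."""
    overlap = carrier_overlap(cone, carriers)
    if overlap is None:
        return "RED"  # missing lineage is suspicious, not best-case
    return _threshold_verdict(overlap)

# Constructed sample records: claim id -> provenance cone (source ids).
CARRIERS = {"src-a", "src-b", "src-c"}
RECORDS = {
    "claim-1": {"src-a", "src-b", "src-c", "src-d"},  # overlap 0.75
    "claim-2": {"src-a", "src-x", "src-y"},           # overlap ~0.33
    "claim-3": {"src-x", "src-y"},                    # overlap 0.0
    "claim-4": set(),                                 # no lineage at all
}

def compare(records=RECORDS, carriers=CARRIERS):
    """Return {claim: (prior verdict, fixed verdict)}."""
    return {cid: (gate_prior(c, carriers), gate_fixed(c, carriers))
            for cid, c in records.items()}

if __name__ == "__main__":
    for cid, (before, after) in compare().items():
        print(f"{cid}: prior={before} fixed={after}")
```

Having `carrier_overlap` return `None` instead of `0.0` forces each caller to classify the empty-input case explicitly rather than letting it fall through the thresholds.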