From 64159ff1eb8d0ed15708001353d8c3a7fc182aed Mon Sep 17 00:00:00 2001
From: Aaron Stainback
Date: Tue, 28 Apr 2026 05:25:24 -0400
Subject: [PATCH 1/2] fix(codeql): exclude obj/ and bin/ build artifacts from CodeQL analysis (B-0073) (#96)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL was scanning .NET build artifacts under obj/ and bin/, including
auto-generated xunit test entry points (`XunitAutoGeneratedEntry*.cs`).
Findings on those files ask us to fix MSBuild's output, not source — wrong
dependency direction.

Empirically discovered 2026-04-28 while diagnosing why all 6 LFG PRs were
BLOCKED with all-green CI: two open `cs/missed-ternary-operator` alerts on
`obj/Release/net10.0/XunitAutoGenerated*.cs` were among 13 total Code
Scanning alerts gating the LFG `code_quality:severity=all` ruleset on every
PR. This config change drops 2 of 13 alerts via a single structural change
with zero source-code risk.

Composes with B-0073 (which covers the remaining 10 source alerts + 1
Scorecard meta-finding) and task #306 (the original 'Analyze (csharp) on PR'
workflow-cost concern, which this helps reduce by limiting scan scope).

Verification: next CodeQL run on main should report 11 (or fewer) open
alerts instead of 13.

Agency-Signature-Version: 1
Agent: otto
Agent-Runtime: claude-code
Agent-Model: claude-opus-4-7
Credential-Identity: AceHack-shared
Credential-Mode: shared-with-aaron
Human-Review: not-implied-by-credential
Human-Review-Evidence: aaron-explicit-ask
Action-Mode: autonomous-fail-open
Task: B-0073-step-1-codeql-exclude-build-artifacts
---
 .github/codeql/codeql-config.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 1356169d9..f82631e3b 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -46,6 +46,18 @@ paths-ignore: # fix a generator, not the file. - "**/*.generated.cs" + # .NET build artifacts. The `obj/` and `bin/` trees contain + # generated test scaffolding (xunit auto-generated entry + # points: `XunitAutoGeneratedEntry*.cs`) and compiler + # intermediates that aren't authored source. CodeQL findings + # here ask us to fix MSBuild's output, not the source — + # which is the wrong dependency direction. Empirically + # discovered 2026-04-28 (B-0073): two open csharp alerts on + # `obj/Release/net10.0/XunitAutoGenerated*.cs` were gating + # the LFG `code_quality:severity=all` ruleset on every PR. + - "**/obj/**" + - "**/bin/**" + # Custom query packs — reserved for the follow-up round that # ships Zeta-specific taint / CWE rules. The formal- # verification-expert (Soraya) routes the rule authoring From 6f783e92fcb77169a91944911150f012c5b8b8fa Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Tue, 28 Apr 2026 09:58:09 -0400 Subject: [PATCH 2/2] chore(pr-661): empty commit to retrigger CodeQL + ruleset re-eval Per Aaron's autonomous-loop diagnostic at 13:57Z: PR #661 is BLOCKED with 'Code quality results are pending for 4 analyzed languages' even though CodeQL analyses ARE uploaded for refs/pull/661/merge (commit 82d37fb0, 4 languages, all results_count=0). Possible GitHub-side staleness in rule evaluation. Empty commit forces new CodeQL run on new merge commit, which often pokes the rule into re-evaluating. If this still doesn't clear the gate within ~10 min, escalate to: (a) Aaron admin-merge bypass on this single bootstrap PR, OR (b) temporarily disable code_quality rule in ruleset. Agency-Signature-Version: 1 Agent: otto Agent-Runtime: claude-code Agent-Model: claude-opus-4-7 Credential-Identity: AceHack-shared Credential-Mode: shared-with-aaron Human-Review: not-implied-by-credential Human-Review-Evidence: aaron-explicit-ask Action-Mode: autonomous-fail-open Task: pr-661-codeql-rule-retrigger-empty-commit
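Review bot: the `- "**/bin/**"` entry at the end of the new paths-ignore block is far broader than the `obj/Release/net10.0/XunitAutoGenerated*.cs` files the comment cites: it silences CodeQL for every directory named `bin` anywhere in the tree, and `bin/` is also a conventional home for authored scripts and tool sources, not only MSBuild output, so a real finding in such a directory would disappear without anyone noticing. Before merging, confirm that no tracked source lives under such a path (for example `git ls-files | grep -E '(^|/)bin/'`), or narrow the pattern to the .NET output layout the commit actually targets, such as `**/bin/Debug/**` and `**/bin/Release/**`, which is also a closer match to the `obj/Release/net10.0/...` path quoted in the comment. Two further checks: the ignored files are build products, so they presumably exist only because the CodeQL job builds the solution, and for compiled languages analysed with a build the CodeQL docs distinguish between filters that restrict what the extractor sees and filters that only apply afterwards; the commit message's own verification step ("next CodeQL run on main should report 11 (or fewer) open alerts") is therefore the real test that this entry has any effect in the workflow's current build mode, and it should be recorded in the PR before the config is relied on. Lastly, the nine-line rationale comment repeats the commit message almost verbatim (the 2026-04-28 discovery story, the ruleset name); a config comment that dates this quickly reads better reduced to the one-line "why" (generated output, fix the generator not the file) plus the B-0073 reference, matching the terser style of the `**/*.generated.cs` entry just above it.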