memory: fix Otto-352→Otto-358 cross-ref + apply resolved-mechanism (Codex P2 follow-up)

memory/MEMORY.md

@@ -4,7 +4,7 @@
 
 - [**Only "pushed" signal is Aaron typing in this environment; everything else is pull (Aaron 2026-04-28)**](feedback_only_pushed_signal_is_aaron_typing_everything_else_is_pull_aaron_2026_04_28.md) — In autonomous-loop mode, Aaron's direct typing is the ONLY push channel. CI / threads / mergeability / cron / peer-CLI replies are all PULL signals requiring active query. "No new signal" without pulling is wrong by construction.
 - [**Speculation LEADS investigation; it does NOT DEFINE root cause (Aaron 2026-04-28)**](feedback_speculation_leads_investigation_not_defines_root_cause_aaron_2026_04_28.md) — Aaron's binding correction after my LFG #661 "bullshit answer." Speculation generates hypotheses to direct investigation; speculation has no role in defining root cause. When asked "why?" / "what is the mechanism?", quote the primary source verbatim. Plausible-sounding causal narratives assembled from nearby facts ARE the failure mode.
-- [**CodeQL umbrella check NEUTRAL while per-language Analyze legs SUCCESS — code_quality ruleset BLOCKED detection pattern (Aaron 2026-04-28)**](feedback_codeql_umbrella_neutral_vs_per_language_detection_pattern_aaron_2026_04_28.md) — When `code_quality:severity=all` ruleset says "Code quality results are pending for N analyzed languages" despite per-language `Analyze (X)` legs SUCCESS, check the umbrella `CodeQL` check (no language suffix) for NEUTRAL conclusion + "1 configuration not found" details. Industry-wide pattern; Aaron seen across other projects.
+- [**CodeQL umbrella check NEUTRAL while per-language Analyze legs SUCCESS — code_quality ruleset BLOCKED detection pattern (Aaron 2026-04-28)**](feedback_codeql_umbrella_neutral_vs_per_language_detection_pattern_aaron_2026_04_28.md) — When `code_quality:severity=all` ruleset says "Code quality results are pending for N analyzed languages" despite per-language `Analyze (X)` legs SUCCESS, check the umbrella `CodeQL` check (no language suffix) for NEUTRAL conclusion + "1 configuration not found" details. Industry-wide pattern; Aaron seen across other projects. Mechanism RESOLVED 2026-04-28T14:32Z via primary-source query (see file body); structural fix landed via PR #662.
 - [**`gh workflow run --ref` on PR branch overwrites latest-by-name check-runs — branch-protection collateral risk (Aaron 2026-04-28)**](feedback_workflow_dispatch_overwrites_latest_byname_check_runs_branch_protection_caveat_2026_04_28.md) — Empirical 2026-04-28 LFG #660: dispatched gate.yml to populate missing macos-26; macos-26 succeeded but ubuntu legs flaked + OVERWROTE PR-run successes via latest-by-name; preferred recovery for "missing required check on PR" is `gh run rerun <PR-run-id> --failed` on the EXISTING PR-event run, NOT `gh workflow run --ref`.
 - [**Reviewer false-positive pattern catalog — 7-class taxonomy + per-class resolution forms + ROI-ranked prevention (Aaron 2026-04-28)**](feedback_reviewer_false_positive_pattern_catalog_aaron_2026_04_28.md) — Stale-snapshot / carve-out blind spot / schema drift / wrong-language parser / convention conflict / broken xref / recursive-CI-new-threads; speeds future thread classification; high-ROI prevention candidates listed.
 - [**CALIBRATION — `requiredApprovingReviewCount=0` on both Zeta forks; BLOCKED ≠ reviewer; 5-class taxonomy + complete enum coverage (Aaron 2026-04-28)**](feedback_no_required_approval_on_zeta_BLOCKED_means_threads_or_ci_aaron_2026_04_28.md) — 5 BLOCKED classes (threads / failing-or-pending CI / merge conflicts / required-check-MISSING-from-rollup / repository-ruleset gates); failed-conclusion enum covers FAILURE/CANCELLED/TIMED_OUT/ACTION_REQUIRED/STARTUP_FAILURE/STALE; pending-status enum covers IN_PROGRESS/QUEUED/WAITING/REQUESTED/PENDING; CheckRun.name vs StatusContext.context union extraction; always-double-check-after-CI rule.

memory/feedback_codeql_umbrella_neutral_vs_per_language_detection_pattern_aaron_2026_04_28.md

@@ -73,15 +73,54 @@ oddity.
   — extends Otto-355's BLOCKED-investigate-first to include the umbrella-check
   interrogation when threads are clean and per-language CI is green.
 
-## Open question (deferred)
-
-Why does AceHack's umbrella check go SUCCESS while LFG's goes NEUTRAL despite
-identical default-setup state? Suspects:
-- Different repo settings under `code-scanning/configurations` (org-level vs
-  repo-level)
-- Different `paths-ignore` / `paths` config consumed by GitHub's umbrella
-  evaluator vs the workflow's evaluator
-- Some ingestion-side flag that differs
-
-When the next PR hits this on LFG (or any other repo), grep for this memory file
-and run the detection pattern first; investigate the asymmetry second.
+## Open question — RESOLVED 2026-04-28T14:32Z (primary-source query, not speculation)
+
+The earlier-this-day "deferred" suspects (org-level inheritance, paths-ignore
+divergence, ingestion-side flags) were **all speculation**. The actual
+mechanism, verbatim from the umbrella check's own details URL via
+`gh api repos/Lucent-Financial-Group/Zeta/check-runs/<id> --jq .output.summary`:
+
+> **Warning**: Code scanning cannot determine the alerts introduced by this
+> pull request, because 1 configuration present on `refs/heads/main` was not
+> found:
+>
+> ### Actions workflow (`codeql.yml`)
+> * `/language:java-kotlin`
+
+**EVIDENCE-BASED resolution:**
+
+1. **`tools/alloy/AlloyRunner.java` is first-party Java** that the
+   `codeql.yml` workflow's matrix did NOT include — header comment claimed
+   "no Java/Kotlin source" which was wrong (Aaron 2026-04-28: *"we have java
+   in our codebase, it's just a little but it's there"*).
+2. **Main has java-kotlin analyses** uploaded by (a) GitHub's default-setup
+   runner (older, `analysis_key=dynamic/github-code-scanning/codeql:analyze`,
+   non-deletable) and (b) our path-gate's empty-SARIF baseline upload
+   (`analysis_key=.github/workflows/codeql.yml:path-gate`, deletable).
+3. **PR head's matrix had no java-kotlin leg** → umbrella couldn't compute
+   alert delta for that configuration → emits NEUTRAL.
+4. **AceHack vs LFG asymmetry:** likely the SAME mechanism on both sides;
+   the visible asymmetry was probably a sampling artifact (specific PRs
+   measured) rather than a structural difference. *Speculation flag:* not
+   tested empirically. What would disconfirm: pull umbrella details URLs
+   for matched-pair PRs across forks and compare verbatim summaries.
+
+**The structural fix (PR #662, merged 2026-04-28T16:22:42Z):**
+
+- Added `java-kotlin` to the analyze matrix in `.github/workflows/codeql.yml`
+  with `build-mode: none`
+- Removed `tools/alloy/**` from `paths-ignore` in
+  `.github/codeql/codeql-config.yml` so the extractor actually scans
+  AlloyRunner.java
+- Added `*.java` to path-gate's code-changed patterns (extension to Kotlin /
+  Scala deferred to B-0081)
+
+The deeper structural cause: **runtime dependencies must be honestly
+declared on every surface that touches them**. Java was already managed via
+`.mise.toml:24` (`java = "26"`, round-34 brew/apt → mise migration) but the
+codeql.yml workflow disowned it. Round-34's sweep was incomplete; the
+inconsistency surfaced months later as cross-fork CI failure.
+
+When the next PR hits this on LFG (or any other repo), the detection
+pattern still works as the entry point. The mechanism above is now the
+expected explanation; org-level inheritance is not.

memory/feedback_speculation_leads_investigation_not_defines_root_cause_aaron_2026_04_28.md

@@ -172,7 +172,7 @@ Why this matters across surfaces:
 - `feedback_otto_355_blocked_with_green_ci_means_investigate_review_threads_first_dont_wait_2026_04_27.md`
   — same family of failure: assuming a wait when the primary-source query
   (unresolved threads) gives the actual answer.
-- `feedback_otto_352_live_lock_term_split_three_distinct_classes_2026_04_26.md`
+- `feedback_otto_358_live_lock_too_broad_catch_all_narrow_to_cs_standard_concurrent_state_thrashing_2026_04_27.md`
   — Aaron's precision principle. Less broad framings, primary-source-grounded
   classifications, beat sweeping speculative narratives.
 - The "primary-source-first" line is now a CLAUDE.md candidate; promotion