diff --git a/memory/MEMORY.md b/memory/MEMORY.md index 5bc25b79..11744e71 100644 --- a/memory/MEMORY.md +++ b/memory/MEMORY.md 
@@ -2,6 +2,7 @@ **๐Ÿ“Œ Fast path: read `CURRENT-aaron.md` and `CURRENT-amara.md` first.** These per-maintainer distillations show what's currently in force. Raw memories below are the history; CURRENT files are the projection. (`CURRENT-aaron.md` refreshed 2026-04-28 with sections 26-29 โ€” speculation rule + EVIDENCE-BASED labeling + JVM preference + dependency honesty + threading lineage Albahari/Toub/Fowler.) +- [**Version-currency rule covers inheriting existing repo pins, not just fresh assertions (Aaron 2026-04-27)**](feedback_version_currency_covers_inheriting_existing_pins_not_just_fresh_assertions_aaron_2026_04_27.md) โ€” Otto-247 wake-time discipline #4 applies whenever a version pin LANDS in a new file, even when the same SHA is already pinned elsewhere. Pasting a pin into a new workflow IS asserting it current. Verify against upstream API releases/latest. - [**Self-healing metrics on regime change โ€” factory design principle (Aaron 2026-04-28)**](feedback_self_healing_metrics_on_regime_change_factory_design_principle_aaron_2026_04_28.md) โ€” When system is correctly designed, transient metric gaps from regime transitions resolve organically as new regime accumulates evidence in rolling window. Prefer self-heal over manual rebaseline. NOT applicable when system is broken (verify first). - [**Emit empty security-tool result on conditional-skip โ€” CI security-maturity pattern (Aaron 2026-04-28)**](feedback_emit_empty_security_result_on_conditional_skip_ci_maturity_pattern_aaron_2026_04_28.md) โ€” Trajectory: when security-tool workflow skips (path-gate, branch-filter, etc.), STILL emit minimal no-findings result so coverage metrics see tool-ran. Already in codeql.yml; propagate to Semgrep/dep-scan/container-scan as added. 
- [**Elizabeth-canonical-spelling ยง33 carve-out for sister-name (Aaron 2026-04-28)**](feedback_elizabeth_canonical_spelling_overrides_section_33_history_preservation_aaron_2026_04_28.md) โ€” Replace older-spelling tokens with canonical Elizabeth repo-wide including history surfaces. Name-specific; does not generalize. diff --git a/memory/feedback_version_currency_covers_inheriting_existing_pins_not_just_fresh_assertions_aaron_2026_04_27.md b/memory/feedback_version_currency_covers_inheriting_existing_pins_not_just_fresh_assertions_aaron_2026_04_27.md new file mode 100644 index 00000000..d77dcfec --- /dev/null +++ b/memory/feedback_version_currency_covers_inheriting_existing_pins_not_just_fresh_assertions_aaron_2026_04_27.md 
@@ -0,0 +1,91 @@ +--- +name: Version-currency rule covers inheriting existing repo pins, not just new version numbers (Aaron 2026-04-27) +description: Aaron 2026-04-27 โ€” Otto-247 version-currency rule (CLAUDE.md wake-time discipline #4) applies whenever a version pin LANDS in a new file, not just when proposing a fresh version number. Inheriting the existing repo pin (e.g. `actions/checkout@de0fac2... # v6.0.2`) without WebSearch-verifying it's still latest counts as the failure mode. The rule reads "search before asserting"; pasting a pin into a new workflow IS asserting it's current. +type: feedback +--- + +# Version-currency rule covers existing-pin inheritance, not just fresh assertions + +## Rule (refined from Otto-247) + +When adding any version pin to a new file โ€” including a SHA pin +copied from another workflow in the same repo โ€” WebSearch the +upstream's authoritative latest-release endpoint before +committing. + +The act of *landing* a pin in a new place IS asserting it is +current. "I just used what was already in `gate.yml`" does not +clear the bar; the inheriting commit re-asserts the version is +correct at land-time. + +## Why + +**Aaron's correction 2026-04-27** (autonomous-loop tick fixing +PR #25 budget-cadence workflow): + +> "checkout v4 is that the lastest make sure you search for +> latest whenever adding new versions we have some rules +> aorund that, make sure you search cause your traing data +> will be out of date" + +The Web-search Otto ran *after* the correction surfaced two +distinct things: + +1. v6.0.2 (the existing repo pin) IS the actual latest stable + release per `gh api repos/actions/checkout/releases/latest` + (published 2026-01-09). The pin was correct. +2. A Web-search top result was a stale community discussion + claiming "v6.0.2 not marked as latest" โ€” which, if Otto + had treated as authoritative without verifying against the + API, would have led to using v6.0.1 (older). 
+ +Both failure modes (a) skipping the search entirely and +(b) trusting stale narrative results without API verification +land in the same place: an asserted-current pin that isn't. + +## How to apply + +Workflow when adding a third-party action pin: + +1. **WebSearch upstream's release page / latest tag** โ€” + `/` releases. +2. **Verify against the API:** + `gh api repos///releases/latest --jq '{tag_name, published_at}'` + The API answer wins over Web-search narrative. +3. **Get the SHA:** + `gh api repos///git/ref/tags/ --jq '.object.sha'` +4. **Pin format (Zeta convention):** + `/@ # vN.N.N` + (two-space gap before the trailing comment matches the + existing pins in `gate.yml`, `codeql.yml`, etc.) + +Skip-the-search is allowed only when: + +- Reviewing existing code without modifying the pin (passive read). +- The pin is already in another workflow in the repo AND the + inheriting commit doesn't substantively change the workflow + (e.g. a pure rename / move with no version-relevant edits). + Even then, prefer to verify on cadence. + +## Composes with + +- Otto-247 โ€” the original version-currency rule (CLAUDE.md + wake-time discipline #4). +- Otto-210 โ€” corrective on a wrong version-fact (macOS-is-free + on public repos): the same shape, "trust upstream API not + Web-search narrative." +- `.semgrep.yml` rule `gha-action-mutable-tag` โ€” enforces + full-SHA pinning (defense-in-depth against tag-rewrite + attacks like the tj-actions/changed-files cascade + CVE-2025-30066 March 2025). Triggered on PR #25 when Otto + initially used `actions/checkout@v4`; the rule is the + factory's compile-time enforcement of the discipline this + memory captures at the human-judgment layer. + +## Pre-mortem signature for next time + +If next-Otto thinks "I'll just use the SHA already in +`gate.yml` for this new workflow," THAT is the failure mode. +The land-time assertion is what triggers the rule โ€” search +first, then pin, even when the same SHA was already in the repo. +
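Review bot: the MEMORY.md hunk adds the version-currency entry to the raw index but leaves the fast-path banner unchanged, and the banner tells readers to consult `CURRENT-aaron.md` first because the CURRENT files are "the projection" of what is in force, last refreshed 2026-04-28 with sections 26-29; nothing in this patch touches `CURRENT-aaron.md`, so anyone following the fast path will not see the refined rule. Either land the `CURRENT-aaron.md` refresh in the same change or add a sentence to the banner noting that the 2026-04-27 version-currency refinement is not yet projected. Minor: the index summary's "Verify against upstream API releases/latest" would be more actionable if it named the concrete endpoint (`gh api repos/OWNER/REPO/releases/latest`) so the index line stands on its own.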
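Review bot: step 3 of "How to apply" (`gh api repos///git/ref/tags/ --jq '.object.sha'`) can yield a SHA that is not the one a `uses:` pin needs: the `git/ref/tags/{tag}` endpoint returns the ref's target object, and when the release tag is an annotated tag that target is the tag object itself (`.object.type` is `tag`), not the commit. Have the step check `.object.type` and, when it is `tag`, dereference with `gh api repos/OWNER/REPO/git/tags/<that sha> --jq '.object.sha'` before pinning, and have step 2's release check confirm the resolved commit is the one the release points at. Two smaller points in the same section: the command templates in steps 1-4 read `/` releases, `gh api repos///releases/latest` and `/@ # vN.N.N` with no owner, repo or tag placeholders (likely angle-bracket tokens that did not survive), so spell them out as `OWNER/REPO` and `TAG` to keep the recipe copy-pasteable; and step 4 says the pin keeps a two-space gap before the trailing comment while the format line shows a single space, so make the example match the `gate.yml` convention it cites. The `.semgrep.yml` rule `gha-action-mutable-tag` named under "Composes with" only enforces full-SHA form, so it will not catch a tag-object SHA or a SHA whose `# vN.N.N` comment has drifted; that check belongs in the human-judgment layer this memory documents.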