Round 32 closed merged (PR #8) with CI fully green on the
SQLSharp-proven pattern. Round 33 picks up:

**Track A (product):** LawRunner checkBilinear + checkSinkTerminal
+ config-record refactor.

**Track B (security follow-through):** packages.lock.json,
verifier SHA-pin, safety-clause diff lint, CodeQL, branch
protection trigger.

**Track C (factory — round-32 surface):** openspec-gap-finder
skill (Aaron's missing-spec ask); declarative-manifest tiering
ratchet (scratch-shape, push hard each sprint); determinism rule
observed in bash profile overlay landed mid round 32.

## Bash profile — deterministic scripts requirement

Aaron: "we prefer deterministic scripts just like our tests,
retries and polling are a smell and should be last resort."
Landed as a new Requirement in
`openspec/specs/repo-automation/profiles/bash.md` before the
round-32 merge; reiterated here so round 33 starts with the rule
as current state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…nce)

Existing-skill drift pass across ten SKILL.md files; the
Commit C batch (0db46c4) landed 161 NEW drafts, this
commit updates the cohort that was already on disk.

Adds criterion #8 router-coherence-drift to
`skill-tune-up`: umbrella-without-narrow-links and
overlap-without-boundary, both always-checked. Recommended
action is usually HAND-OFF-CONTRACT or TUNE. Distinct from
criterion #2 (contradiction): contradiction is same
authority, router-coherence drift is plausibly-same-prompt
with no picking rule.

`skill-creator` gains two new sections:

- Upstream pointer to the `claude-plugins-official/skill-
  creator` plugin as an optional eval-driven description
  tuner. Bespoke workflow (draft / Prompt-Protector /
  dry-run / commit) remains the gate.
- Harness-provenance annotation rule: any sandbox-specific
  absolute path in any skill carries a prose tag
  "Observed under <harness> (as of <YYYY-MM>)". Missing
  tag → router-coherence drift flag by `skill-tune-up`.

`security-researcher` + `security-operations-engineer`
pick up External-tooling clauses describing the optional
`security-guidance` plugin's PreToolUse hook — useful as
first-pass lint, never sign-off, never load-bearing because
Agent-SDK runs don't load Claude Code plugins.

Remaining seven skills (agent-experience-engineer,
csharp-expert, developer-experience-engineer, devops-
engineer, performance-engineer, user-experience-engineer)
get small description / scope tightening — persona-pointer
cleanup (no-persona-on-skill per BP-04), minor wording fixes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* round 34: upstream sync + CTFP to upstream + JDK/Bun to mise

## Upstream sync infrastructure

- `tools/setup/common/sync-upstreams.sh` — SQLSharp-shape
  sync script. Key pattern borrowed: `git ls-remote` to
  check if local HEAD matches origin BEFORE destructive
  fetch+reset, sidesteps the shallow-clone-fetch edge
  case that caused spurious "refresh failed" noise on
  re-runs. Clones are shallow (`--depth=1`); worktrees
  get aggressively reset+cleaned. Script header acknowledges
  post-install-cross-platform DEBT per Aaron's round 34
  note.
- 85 upstreams now cloned under `references/upstreams/`
  (previously only `feldera` was there). 84/85 OK on
  re-run; qdrant transient network hang, retryable.

## CTFP moved to upstream

- `docs/category-theory/ctfp-dotnet/` (2,100 lines of
  vendored code) — deleted; lives upstream as
  `cboudereau/category-theory-for-dotnet-programmers`.
- `docs/category-theory/ctfp-milewski.pdf` (16 MB) —
  deleted; lives upstream as `hmemcpy/milewski-ctfp-pdf`.
- `docs/category-theory/README.md` rewritten to point at
  the upstream clones with reading path + why-it-matters
  for Zeta. Directory shrunk 16M → 4K.
- Both added to `references/reference-sources.json`
  manifest.

## JDK + Bun migrate to mise

Aaron round 34: "we could move the jdk to mise i want all
language installed via mise as the standard."

- `.mise.toml`: added `java = "26"` (latest) and
  `bun = "1.3"` (pins to latest 1.3.x; mise partial-
  version semantics). Python stays `3.14`.
- `tools/setup/manifests/brew.txt`: `openjdk@21` removed.
  All language runtimes now come from mise; brew only
  installs system-level packages (currently none, but
  the file stays as the manifest).
- On Aaron's Mac: brew-installed `openjdk`, `openjdk@21`
  uninstalled. mise installed `java 26.0.0` to
  `~/.local/share/mise/installs/java/26/` and
  `bun 1.3.12` to `~/.local/share/mise/installs/bun/1.3/`.
- Stale `~/.tool-versions` file (leftover `dotnet 8.0.100`
  pin from an earlier session) cleared; was blocking
  mise.sh because global tool-versions override
  Zeta's `.mise.toml`.
- Profile auto-append: manually appended the
  `. "$HOME/.config/zeta/shellenv.sh"` source line to
  Aaron's `~/.zshrc`, `~/.bash_profile`, and `~/.profile`
  so new shells pick up Zeta's managed PATH. DEBT logged
  for porting scratch's idempotent profile-management
  helpers.

## DEBT entries added

- Cross-platform sync-upstreams (post-install runtime
  research dependency).
- `.txt` manifest extensions (scratch uses `.apt`,
  `.Brewfile`, etc.).
- Script organisation 10× lighter than scratch
  (2,559 lines vs ~250).
- Shell-profile management thin vs scratch's auto-append
  discipline.

## Local verification

- `dotnet build -c Release` — 0 warn 0 err.
- `dotnet test` — 510 passed / 1 skipped (second run;
  first had 9 TLC parallel-trace-dump flakes that cleared).
- `shellcheck` / `actionlint` / `markdownlint` / `semgrep`
  — 0 findings each.
- `tools/setup/install.sh` — idempotent; second run
  short-circuits everything already installed.
- `tools/setup/doctor.sh` — 11 ok / 0 warn / 0 fail on
  Aaron's Mac.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: factory CI + first DB tests + public-repo alignment

This round landed three parallel arcs.

Factory — persona + governance:
- Three experience-engineer personas landed: Daya (AX, seeded
  earlier), Bodhi (DX, Sanskrit "awakening"), Iris (UX, Greek
  "messenger"). Dejan (DevOps) rounded out. Renamed the three
  AX/DX/UX lanes from "researcher" → "engineer" — they ship
  fixes via routing, not participant studies.
- Copilot joined the factory as a third Slot-2 reviewer
  (.github/copilot-instructions.md). GOVERNANCE §31 codifies
  the factory-management contract: edits through skill-creator,
  audited by Aarav, linted by Nadia, integrated by Kenji.
  Scope extensions landed in skill-creator, skill-tune-up,
  prompt-protector.
- GOVERNANCE §30: mandatory sweep-refs after any rename
  campaign. Motivated by Bodhi's round-34 first audit finding
  that the Dbsp→Zeta rename landed code-layout but stopped
  short of the docs sweep — every P0 traced to that one miss.
- security-operations-engineer skill stub: runtime ops lane
  disambiguated from Mateo's proactive research, Aminata's
  threat model, Nadia's agent layer. Pending persona.
- JOURNAL.md unbounded long-term memory piloted on four
  personas then rolled out to 16 total. Append-only, Tier 3,
  grep-only read contract. Prune → migrate, not delete.
- PROJECT-EMPATHY.md renamed to CONFLICT-RESOLUTION.md (98 ref
  sweep across 46 files) — the file's stated role.
- Iris + Bodhi first audits prepended to their notebooks;
  findings routed to BACKLOG (Kai framing + Samir edits need
  Aaron sign-off).

Cross-platform — install script richness:
- Ported python-tools.sh + uv-tools manifest shape from
  ../scratch. uv pinned in .mise.toml; python.uv_venv_auto =
  "source". Ruff lands as the first managed tool.
- CONTRIBUTING.md picked up shellenv guidance, trivial-PR
  branch model, doctor.sh mention (Bodhi follow-ups).
- Dbsp.* → Zeta.* stale-path sweep across docs, PR template,
  CLAUDE.md, AGENTS.md, openspec README (Bodhi P0 cluster).

DB — first real tests on two claimed-but-untested surfaces:
- SpeculativeWatermark: 4 tests covering fresh insert,
  late-positive retraction-native path, negative-weight
  retraction, empty input. The retraction-native claim from
  the docstring now has evidence.
- ArrowInt64Serializer: 6 tests covering empty/single/
  negative-weight/large round-trip, wire-format length header,
  serializer name. Retraction-native survives the wire (no
  clamping of negative weights on read/write).
- Total 10 tests, all green. No warnings. Test suite otherwise
  unchanged.

BACKLOG grew with: cross-harness mirror pipeline (Aaron's
canonical-source + build-mirrors design, covering Cursor /
Windsurf / Aider / Cline / Continue / Codex), Iris P0/P1/P2,
Copilot-instructions follow-on (now §31 + scopes done),
JOURNAL rollout (now complete).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34 follow-up: .NET onto mise; Iris P1; pure activate

.NET SDK flipped onto mise. The round-32 rationale for keeping
dotnet out (shared `dotnet-root/` layout fighting the PATH
story on CI) was resolved upstream — Aaron landed the fix in
the mise dotnet plugin itself; the problem was a stale
homebrew-mise, not the plugin. `../scratch` ships with this
shape green.

Changes:
- `.mise.toml`: `dotnet = "10.0.202"` added, matching
  `global.json`. Header comment rewritten to retire the
  round-32 rationale and note the backstory.
- `tools/setup/common/dotnet.sh`: deleted. mise handles the
  install now via the plugin.
- `tools/setup/macos.sh` + `linux.sh`: `dotnet.sh` invocation
  removed; `DOTNET_ROOT` + `$HOME/.dotnet` PATH exports
  dropped. `$HOME/.dotnet/tools` stays on PATH because
  `dotnet tool install -g` always lands globals there —
  that's a .NET convention independent of SDK location.
- `tools/setup/common/shellenv.sh`: dotnet SDK paths dropped
  (mise shim provides dotnet); `DOTNET_ROOT` dropped from
  both the generated file and GITHUB_ENV; comments updated
  to reflect the flip. Also flipped from
  `mise activate bash --shims` to pure `mise activate bash`
  (PATH mode, ~10x faster per mise docs). Local
  non-interactive bash test with BASH_ENV sourcing showed
  `dotnet` resolving via the mise install dir directly.
  CI will verify across the Ubuntu + macOS matrix; BACKLOG
  entry tracks that verification.

Iris P1 (round-34 UX audit): README §"What DBSP is" now
links to `docs/GLOSSARY.md#core-ideas` so a reader landing
cold on the DBSP notation (`z^-1`, `D`, `I`, `↑`) gets the
plain-English gloss in one click.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34 hotfix: mise-shim PATH inheritance + markdownlint

CI run on 348ad0a failed two checks after the dotnet-onto-mise
flip landed:

build-and-test (both macos + ubuntu) fail at
`python-tools.sh`: "error: uv not on PATH. common/mise.sh
must run first." Root cause: `common/mise.sh` exports the
mise shim directory onto its own PATH, but that's the
subprocess's PATH — it dies when mise.sh exits. The parent
orchestrator (`macos.sh` / `linux.sh`) invokes each
`common/*.sh` as a fresh subprocess that inherits PATH from
the parent, not from its sibling. The old pipeline worked
because `dotnet.sh` installed dotnet at `~/.dotnet` and
exported that into the parent shell explicitly; my
round-34 flip deleted `dotnet.sh` and didn't move the
PATH export up to the parent.

Fix: move the shim-directory PATH export from
`common/mise.sh` into `macos.sh` and `linux.sh`, right
after `common/mise.sh` returns. Now every subsequent
`common/*.sh` subprocess inherits mise shims on PATH
and can invoke dotnet / uv / bun / java / python directly.

lint (markdownlint) fail at MD004 (unordered-list-style)
on 4 lines — line-start `+` in continuation lines parsed
as nested list items expecting `-` style. Reworded to
drop the line-start `+` in favour of "and".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: mark pure-activate CI-verified; log compaction mode

Two BACKLOG updates following the CI-green signal on 9f138eb.

1. Pure `mise activate` (no --shims) on CI:
   6/6 CI checks green — build-and-test on both macos-14 +
   ubuntu-22.04, all four lints. The ~10x interactive speedup
   mise docs promise is now verified in-flight across the CI
   matrix. Closing the item and flagging the backport to
   ../scratch (they ship --shims only by historical default;
   GOVERNANCE §23 upstream-contribution path applies).

2. Compaction mode (new constraint from Aaron):
   When the install script runs inside a devcontainer / CI
   image / build-server image, it should clean up apt caches,
   download tarballs, ~/.cache/mise bits after each tool
   install to keep the image small. Dev-laptop runs never
   clean up. ../scratch has the proven pattern
   (BOOTSTRAP_COMPACT_MODE env gate + per-tool cleanup
   helpers). Logged as M-effort item; lands alongside
   .devcontainer/Dockerfile (third leg of GOVERNANCE §24
   three-way-parity).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: local profile cleanup + dev-laptop shim nit BACKLOG

Not repo-tracked changes (Aaron's local ~/.zshrc + ~/.zprofile),
but tracked repo changes: BACKLOG entry for the per-shell
mise-activate nit observed while cleaning up local profiles.

Local profile cleanup (Aaron's ~/.zshrc, ~/.zprofile — not
in this commit, done separately on his laptop):
- Deleted 5 commented-out asdf-era dotnet PATH / DOTNET_ROOT
  lines that predated mise.
- Deleted the redundant `$HOME/.dotnet/tools` PATH export
  from ~/.zprofile — managed shellenv.sh handles this.

Dev-laptop observation logged as BACKLOG item: shellenv.sh
emits `mise activate bash`, which works perfectly under
bash (CI, BASH_ENV subshells). In a zsh interactive shell
the bash-specific PROMPT_COMMAND hook doesn't fire, so PATH
only gets the activation-time snapshot and shims (if
present) end up resolving tools. Functionally correct
(still mise-managed dotnet) but the ~10x perf win is
bypassed. Fix sketch: detect parent shell via $ZSH_VERSION
/ $BASH_VERSION and emit the matching activate line. S-effort.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: stronger onboarding + shell-polish BACKLOG

shellenv.sh onboarding message upgraded: instead of "add this
line to your ~/.zshrc (or ~/.bashrc on Linux)", contributors
now see a paste-ready block targeting all four rc files
(~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile) with a
note that opt-in auto-edit is BACKLOGged. Bodhi's round-34
first-PR-walk surfaced this friction indirectly — the
minutes-to-shellenv-sourced step was "figure out which rc
file applies" rather than "paste this."

Three BACKLOG additions:

1. Opt-in auto-edit of shell rc files on install.
   `../scratch` has proven idempotent append-with-fenced-
   marker pattern. Flag name + default-on vs opt-in are
   locked design questions. M effort.

2. Oh My Zsh + plugins + Oh My Posh under install script
   + devcontainer. Three-way parity at the shell-UX
   layer, not just the toolchain layer. New
   tools/setup/common/shell.sh, new manifest
   tools/setup/manifests/zsh-plugins (semantic
   extension, no .txt). Default off on install, default
   on in devcontainer. M effort.

3. emsdk under install script. Today manually cloned +
   sourced per-contributor; cleaner shape is opt-in
   via BOOTSTRAP_CATEGORIES=emscripten once that pattern
   lands. S-M effort.

Local profile cleanup (not repo-tracked, done on Aaron's
laptop): uninstalled asdf + nvm via brew, removed their
~/ dirs, cleaned the NVM_DIR line + nvm plugin from
~/.zshrc. Aaron runs bun (mise-pinned) now; nvm was
legacy. Zsh still loads clean, dotnet resolves to
mise-managed install.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* markdownlint: strip line-start `+` bullet on BACKLOG.md:301

MD004/ul-style. Same line-wrap `+` pattern we've been seeing;
reworded to use "and" inline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* copilot-instructions: flag line-start `+` in markdown on PRs

Round 34 hit the MD004/ul-style markdownlint fail five times —
each time a wrapped continuation line starting with `+` was
parsed as a nested list item with wrong-style. Codifying so
Copilot flags it inline on every PR diff.

Also seeded memory/persona/best-practices-scratch.md with the
candidate BP-17 promotion note (needs 10 rounds of survival +
Architect sign-off before elevating from scratch to stable BP).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: rename 4 .txt manifests to semantic bare names

Aaron's rule: no .txt for declarative filenames. Round 34
shipped uv-tools with the right treatment; the four older
manifests (apt.txt, brew.txt, dotnet-tools.txt,
verifiers.txt) still had the cheap extension.

Renames:
- tools/setup/manifests/apt.txt → apt
- tools/setup/manifests/brew.txt → brew
- tools/setup/manifests/dotnet-tools.txt → dotnet-tools
- tools/setup/manifests/verifiers.txt → verifiers

Sweep-refs across 16 files per GOVERNANCE §30 (no rename
without a paired sweep): install scripts (macos.sh, linux.sh,
common/dotnet-tools.sh, common/verifiers.sh), openspec specs,
workflows, docs (BACKLOG, DEBT, THREAT-MODEL, build-machine-
setup, threat-model-elevation), .claude/skills/java-expert,
Bodhi's NOTEBOOK, and the copilot-instructions convention
example. Zero residual .txt manifest references remain.

Also fixed stale header comments on macos.sh + linux.sh
that still described the round-32 order (common/dotnet.sh
step 6, "dotnet moved out in round 32"). Now reflects the
round-34 pipeline with common/python-tools.sh inserted
after mise and dotnet back on mise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: close fsharp-analyzers gap + round-history + wins

Three-lane progress pulled forward in one commit.

Cross-platform:
manifests/dotnet-tools gains `fsharp-analyzers`. README.md
already documents `dotnet tool install --global
fsharp-analyzers` as the install command; until this round
that instruction was ad-hoc (contributors ran it
themselves). Now the manifest carries it and
tools/setup/common/dotnet-tools.sh picks it up on every
install. Closes the tooling-gap Bodhi flagged in her
round-34 first DX audit.

Factory:
docs/ROUND-HISTORY.md gains the round-34 entry
(newest-first). Captures the three arcs (personas +
governance, cross-platform + install, DB first-tests),
the mid-round public-repo + Copilot shift, the round
principle that emerged ("../scratch beats first-principles
rediscovery"), and what rolls forward to round 35.

docs/WINS.md gains three round-34 wins — first real tests
for claimed-but-untested surfaces, ../scratch as
load-bearing reference, and Copilot-joins-the-factory
with the right contract. Each carries the "what would
have gone wrong" counterfactual and the pattern-it-teaches
recurrence.

DB:
Covered indirectly via the fsharp-analyzers install — the
analyzers pack lints F# code for the classes of bugs the
harsh-critic and race-hunter already watch for, so every
first-PR contributor gets the same quality floor on
day one without a separate install ceremony.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* tests: serialize TLC tests via xunit Collection to kill trace-race flake

TLC writes counterexample traces as SpineBalanced_TTrace_*.tla +
.bin into tools/tla/specs/ during a run. When xunit executes
multiple TLC tests in parallel they race on those trace files —
first-run flakes where a test's cleanup deletes another test's
in-flight trace file.

Fix: add [<Xunit.Collection("TLC")>] attribute to the test
module + [<CollectionDefinition("TLC", DisableParallelization
= true)>] TlcTestCollection definer. xunit runs every test in
the TLC collection serially.

0 Warning(s), 0 Error(s) locally. Closes the round-33 carry-
over flake.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: Nazar — security-operations-engineer persona lands

Nazar (Arabic / Turkish نظر — "gaze, watchful eye") takes
the security-operations-engineer slot. Arabic/Turkish
broadens the roster beyond existing Arabic (Tariq, Zara,
Samir, Nadia, Malik). Semantic fit is tight: security ops
is watching — signed artifacts, attestation chains, HSM
key rotations, CVE feeds, anomalous CI behaviour — and
responding before harm compounds. The Mediterranean
evil-eye amulet wears the same word.

Lane disambiguation:
- Mateo (security-researcher) scouts proactive: novel
  attack classes, CVE triage in the dep graph, crypto
  primitive review.
- Aminata (threat-model-critic) reviews the shipped
  model against unstated adversaries.
- Nadia (prompt-protector) hardens the agent layer.
- Nazar runs operations: incident response, patch
  triage SLA, SLSA signing ops, HSM rotation, breach
  response, attestation enforcement.

Files:
- .claude/agents/security-operations-engineer.md
  (full persona definition — tone contract, authority,
  cadence, does-NOT-do, coordination with all four
  security-adjacent lanes + Kenji/Aaron)
- .claude/skills/security-operations-engineer/SKILL.md
  (persona-pointer updated from "slot pending" to "Nazar")
- memory/persona/nazar/{MEMORY,NOTEBOOK,OFFTIME,JOURNAL}.md
  (full per-persona memory structure — same shape as
  the other 17 personas)
- docs/EXPERT-REGISTRY.md (roster gains Nazar; pending
  slots section now empty)
- docs/CONFLICT-RESOLUTION.md (cast list gains
  "Security Operations Engineer — Nazar" entry with
  calm-under-pressure + timeline-first incident-writeup
  discipline)

Roster stands at 29 named experts with zero pending
persona slots. Cross-harness-mirror pipeline, shell-polish,
compaction mode, and the other BACKLOG items remain the
next infra work; Nazar-activation work waits on first
real ops concern (post-v1 NuGet publish + signing
ceremony).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BACKLOG semantic-search research (AX + DX + CI)

Aaron's ask: our text-based corpora grow monotonically —
17 JOURNAL.md unbounded journals, 17 per-persona NOTEBOOKs,
best-practices-scratch, ROUND-HISTORY, DECISIONS/**,
research/**, openspec/**. The JOURNAL read contract is
"grep only, never cat" — but grep misses conceptual
matches. A local semantic-search index would extend the
contract: grep for exact anchors, semantic search for
conceptual ones.

BACKLOG entry captures the full research shape:

Four candidate tools surveyed (SemTools, QMD, sff, refer)
with first-pass fit notes against Zeta's scope. Three lanes
of leverage — agent experience (cold-started persona
recalling cross-round friction patterns), developer
experience (Bodhi's first-PR walk reduces "which doc
applies" minutes-cost), CI enhancements (speculative:
duplicate-issue detection on public repo, PR-review
context hints, skill-gap-finder upgrade).

Zeta constraints captured: offline / air-gapped, local
embeddings only (no OpenAI / Claude / Gemini in hot
path), reproducibility (pinned model + pinned index
format for CI + dev-laptop parity), ASCII corpus
(BP-09 hygiene), no secret leakage via adversarial
index entries (BP-11 matches read-time), three-way
parity per GOVERNANCE §24.

Deliverables named: design doc with tool comparison
eval set, adoption doc if a winner emerges, exit
condition if nothing wins. L effort. Possible new
persona (retrieval-engineer) or merge into Daya's
lane — open question for the research round.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* python-expert: uv-only as Zeta convention; flag pip/pipx/poetry/etc.

Aaron called it — pre-uv Python tool managers are a smell on
Zeta PR diffs. uv is Rust-implemented, 10-100x faster than pip
or poetry, single tool covers install / venv / lock / tool CLIs /
interpreter install, and ships reproducible lockfile. ../scratch
runs the same discipline; that's where Zeta's round-34 uv
adoption came from.

Changes:

.claude/skills/python-expert/SKILL.md §Packaging:
- Rewrite-table mapping each smell (pip install, pipx install,
  poetry install/add, pyenv install as standalone manager,
  conda/mamba install, pip-tools/pip-compile, bare
  requirements.txt, hand-managed virtualenv/venv) to the
  uv-native replacement.
- Why-uv-wins paragraph naming the five axes uv leads on.
- Zeta's manifest convention callout (tools/setup/manifests/uv-tools,
  common/python-tools.sh runs uv tool install per line).
- BP-18-promotion note matching the existing candidate-rule
  scratchpad path.

.github/copilot-instructions.md "Conventions you must respect":
- New bullet telling Copilot to flag pip / pipx / poetry /
  pyenv / conda / pip-tools / virtualenv / bare requirements.txt
  patterns on every PR diff with a rewrite suggestion.

memory/persona/best-practices-scratch.md:
- Candidate BP-18 seeded for round-44 promotion review,
  paired with BP-17 candidate (line-start + in markdown).
  Source count + rationale + architect-sign-off-pending
  per the existing AGENT-BEST-PRACTICES.md gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: JOURNAL seeds + profile-edit skeleton + bats BACKLOG

Three-lane forward from Aaron's thumbs-up.

Factory — first real JOURNAL.md entries on three new
personas (pattern demonstration):
- Daya: cold-start-cost baseline for the three new
  personas (Dejan 16.5k / Bodhi 19.3k / Iris 18.0k
  tokens), rename-sweep timing-gap recurrence watch,
  deferred systemic persona+skill content-overlap
  finding (revisit round 39).
- Iris: public-repo-triggered UX audit baseline —
  3m 20s time-to-installed, 9m 52s
  time-to-answer-three-questions, 1/1/1 P0/P1/P2
  count. Load-bearing P0 is aspirations-vs-reality
  drift in README §"What Zeta adds on top"; fix
  gated on Aaron sign-off via Kai + Samir. Pattern:
  every VISION revision triggers README sanity check.
- Nazar: permanent zero-baseline for ops activity —
  0 signed-artifact ops, 0 HSM keys, 0 SLSA
  attestations, 0 CVE-triage entries, 0 incidents.
  Round 35+ compares against this.

Cross-platform — opt-in profile auto-edit skeleton:
- tools/setup/common/profile-edit.sh (new, +90 lines):
  gated on `ZETA_AUTO_EDIT_PROFILES=1`, never
  default-on. Idempotent append-or-replace fenced
  marker block. Four targets (zshrc, bashrc,
  bash_profile, profile); skips files that don't
  exist. Undo instructions printed at end.
- Wired into macos.sh + linux.sh tails. Gate means
  the default install-script path is unchanged for
  contributors who haven't opted in.
- Closes the round-34 Aaron ask "we don't want
  contributors manually editing profiles if it can
  be automated."

Cross-platform — shell testing research BACKLOG
(round-34 ask from Aaron, new this chunk):
- Zeta has shellcheck on every PR (lint slot) but
  no behavioural tests — refactors that change
  install-script contract silently ship until a
  first-PR contributor hits them.
- Research scope: read ../scratch + ../SQLSharp
  shell-test layouts, inventory Zeta's load-bearing
  install-script behaviours to test, compare bats
  / shunit2 / bash_unit / pure-bats-core on
  cross-platform + CI integration + install
  footprint + fixture ergonomics.
- Expected deliverables: design doc +
  tools/setup/common/bats.sh install hook +
  tools/setup/tests/*.bats first half-dozen
  tests + new `bats-test` CI lint slot +
  DEBT-entry retirement for any install-script
  bug that ships because we skipped this.
- Natural coordinator: Dejan + bash-expert skill.
  Effort M-L, research round first.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: SonarLint editor + Sonar CLI deferred + extensions parity

Aaron flagged: wire SonarLint for C#, sync exclude rules,
keep tools and recommended extensions in sync, maybe
skill-ify the parity audit.

Landed this round (editor-side integration, no CLI-build
impact):
- .vscode/extensions.json gains `sonarsource.sonarlint-vscode`
  and `jetmartin.bats` (latter ahead of the install-script
  bats adoption so first-open contributors see it recommended
  when bats tests start landing).
- .vscode/settings.json gains `sonarlint.analysisExcludesStandalone`
  matching the existing `files.exclude` / `search.exclude`
  shape — plus .vscode / .claude / memory / docs directories
  since SonarLint is a C# analyzer and should not touch
  markdown/skill surfaces.
- Directory.Packages.props pins
  SonarAnalyzer.CSharp 10.19.0.132793 (not yet referenced from
  Directory.Build.props; version is staged for the BACKLOGged
  cleanup round).

Deferred (BACKLOG-tracked):
- SonarAnalyzer.CSharp CLI adoption. A test-build on round-34
  enable surfaced 15+ real findings: S1905 unnecessary casts
  (6x in ZSetTests.cs / CircuitTests.cs), S6966 SendAsync
  await missing (4x in CircuitTests.cs), S2699 assertion-less
  test case (VarianceTests.cs), plus ~4 more in the tail.
  TreatWarningsAsErrors turns every one into a build break.
  Dedicated cleanup round + one ItemGroup line in
  Directory.Build.props unlocks it. BACKLOG entry names the
  specific rule codes and the cleanup path.

- Tools-to-extensions parity skill. Coverage matrix in BACKLOG
  names 3 immediate gaps: Python/ruff (ms-python.python +
  charliermarsh.ruff — relevant once uv-tools ships ruff as
  lint gate), TLA+ (alygin.vscode-tlaplus), Lean 4
  (leanprover.lean4). Skill would audit
  tools/setup/manifests/* + .mise.toml + CI lint jobs
  against .vscode/extensions.json one-directionally,
  flagging missing recommendations. Candidate coordinator:
  skill-gap-finder (spots absent skills today) or new
  ide-experience-auditor.

Build verified: 0 Warning(s), 0 Error(s) locally post-defer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: 4 extensions + fit-reviewer skill + package-upgrader skill

Aaron's three-for-one: land the parity-audit gaps, codify
F#/C# language-fit detection as factory discipline, and add
a package-upgrader skill as Malik's second hat.

.vscode/extensions.json gains 4 recommendations (the parity
gaps surfaced while writing the previous chunk's tools-to-
extensions BACKLOG entry):
- ms-python.python + charliermarsh.ruff (relevant once
  uv-tools ships ruff as a lint gate; recommendation lands
  ahead of the install-script adoption so first-open users
  see it)
- alygin.vscode-tlaplus (18 .tla specs under
  tools/tla/specs/ but no editor recommendation until now)
- leanprover.lean4 (tools/lean4/ proof surface)

shellcheck + shell-format were already in the list from
round 33. Confirming.

.claude/skills/csharp-fsharp-fit-reviewer/SKILL.md — new
capability skill (no persona; cross-cutting hat matching
the holistic-view pattern). Codifies Aaron's round-34
direction that F# is primary but specific local cases
fit C# better, and that the factory should detect those
opportunities rather than leaving them on the table.

Names the specific patterns where each language wins:
- C#-wins: StructLayout / InlineArray, ref struct, Span
  ergonomics, attribute-driven metadata, unsafe /
  LibraryImport source-generators, fluent test reads.
- F#-wins (DO NOT flag): DUs, CEs, units of measure,
  type providers, pattern match, pipe-forward,
  immutability.

P0 / P1 / P2 output ranking routes findings to Naledi
(perf benchmark) / Rune (readability) / diff author
(nit). Advisory only — never rewrite.

.claude/skills/package-upgrader/SKILL.md — new capability
skill (Malik's second hat; anyone can wear). Turns
Malik's package-auditor output into concrete bump motions:
edit Directory.Packages.props one pin per commit, restore
+ build + test gate, classify outcome (clean / analyzer-
finding / test-failure), package the PRs. Named tiers
(patch / minor / major / analyzer / security) drive
automation policy; weekly scheduled workflow BACKLOGged
as future automation.

.github/copilot-instructions.md "Conventions you must
respect" gains a bullet flagging F#/C# fit opportunities
on every PR diff — full rulebook deferred to the skill
body, Copilot gets the quick-reference.

Takes roster fleet-facing capability skills from 56 to 58.
Next three-lane chunk when ready.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: crank C# linting + sonar-issue-fixer + project-structure skill

Aaron's round-34 asks triaged:

Build-passing-with-Sonar-errors clarification: the build
never passed with Sonar errors. Previous round-34 commit
tested Sonar CLI integration, hit 15 real findings,
rolled back the Directory.Build.props <PackageReference>
to editor-only integration, and BACKLOGged the cleanup.
CLI gate is not yet installed — we didn't weaken it, we
just haven't turned it on. Same shape as Meziantou
was today: pin-only-not-referenced, now fixed.

C# linting cranked up: Meziantou.Analyzer was pinned in
Directory.Packages.props for months but referenced
nowhere — only built-in Roslyn (latest-recommended) ran
on C# code. Wired into Directory.Build.props as a
conditional ItemGroup on .csproj. Surfaced 4 real
MA0048 findings on src/Core.CSharp/Variance.cs (file
houses 4 types; rule wants one-type-per-file). F#
analyzers (G-Research, Ionide.Analyzers, FSharp.Analyzers.
Build) were already wired into src/Core/Core.fsproj —
confirming full coverage.

MA0048 suppressed via .editorconfig per-file override
(not #pragma). Aaron's round-34 rule: "prefer global
suppressions over #pragma." .editorconfig centralizes
all suppressions in one auditable place with a
three-element rationale comment block above each
override (which rule, why the motivation doesn't apply
here, what would lift the suppression). Variance.cs
is a deliberate collected-interfaces module — splitting
into 4 single-type files would scatter the shared
F#-interop rationale documentation.

sonar-issue-fixer skill (Aaron's round-34 ask). Codifies
the two-path rule: (a) right long-term fix no matter
the refactor size, or (b) documented suppression with
rationale. Never the third path of "quick appeasement"
(`_ = Send(...)` / `Assert.True(true)` / empty catch).
Suppression preference order named explicitly —
.editorconfig → GlobalSuppressions.cs → .csproj NoWarn
→ Directory.Build.props NoWarn (Kenji sign-off) →
#pragma as last resort. Copilot convention on every PR
diff flags the forbidden third path.

project-structure-reviewer skill (Aaron's round-34 ask
"need regular checks, I don't want to be the only one
keeping up"). Cross-cutting hat, no persona. Cadence
every 3-5 rounds plus after any rename campaign (per
GOVERNANCE §30) plus on new-contributor observation.
Distinct lane from factory-audit (governance) and
skill-gap-finder (absent skills) — owns the physical
layout. P0/P1/P2 findings routed via the GOVERNANCE §30
sweep-refs discipline when moves land.

Capability skill count: 58 → 60. Kenji stays at the
console.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* round 34: flip to [SuppressMessage] attributes on target types

Aaron's preference chain, refined:
- attributes on the target type/member are preferred
  (suppression + rationale live next to the code)
- GlobalSuppressions.cs is the scaling fallback
- .editorconfig gets messy for suppressions
- pragmas are ugly (last resort)

Variance.cs flipped from `#pragma warning disable MA0048`
→ `.editorconfig [src/Core.CSharp/Variance.cs]
dotnet_diagnostic.MA0048.severity = none` → `GlobalSuppressions.cs
[assembly: SuppressMessage(..., Scope = "type", Target = "~T:...")]`
→ per-type `[SuppressMessage(...Justification="...")]`
attributes on each of the four variance types. File-level
rationale lives in a header comment; each type's attribute
Justification references the header. Build verified
0 Warning(s), 0 Error(s) after each flip.

GlobalSuppressions.cs deleted. .editorconfig cleaned
(no suppression block). Both sonar-issue-fixer SKILL.md
and copilot-instructions.md updated to the corrected
six-step preference order.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: generic-by-default discipline + name-attribution sweep

Two threads land together:

1. Factory portability convention — one rule, two scopes.
   Skills and build/CI/install scaffolding both default to
   generic (reusable on any project). Project-specific
   material is fenced off and signified.
   - skill-creator: Portability declaration in Proposal
     step; optional `project: zeta` frontmatter; checklist
     item covering generic-body vs declared-specific.
   - skill-tune-up: 7th ranking criterion "Portability
     drift"; flags Zeta-isms leaking into undeclared
     skills AND needless project declarations on
     generic skills.
   - devops-engineer: Step 7 portability check covering
     install script, workflows, build props; file-naming
     guidance (zeta-spec-check.yml over spec-check.yml);
     scope-guard bullet.
   - BACKLOG: P1 entry capturing both lanes plus the
     deferred starter-template extraction target
     (post-round-35).

2. Name-attribution sweep on recently-added files. Direct
   "Aaron" references in skill / agent bodies replaced
   with "human maintainer" role-ref (memory directories
   retain names by design). Variance.cs file header
   rewritten to read as stable guidance, not
   stream-of-consciousness round narrative.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: operational standing rules in AGENT-BEST-PRACTICES

Two cross-agent standing rules land alongside the BP-NN list
without occupying a BP slot (they lack the ≥3-external-source
backing that BP promotion requires, but they're project-wide
operational discipline every agent must follow):

- Exclude references/upstreams/ from every file-iteration
  command. The tree is read-only sibling-clones per
  GOVERNANCE §23; iterating it produces 10x-100x slower scans
  and surfaces noise from other projects. Concrete guidance
  for Grep tool, rg, find, and glob shapes.

- No name attribution in code / docs / skills. Names live only
  in memory/persona/ (optional in BACKLOG.md). Role-refs
  everywhere else so the factory reads stable across
  contributor turnover.

Architect reference-patterns section updated to point Kenji
at the new section on cold-start. Every agent that reads
AGENT-BEST-PRACTICES.md (all of them) now gets both rules
without needing ~30 individual agent-file edits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: fix markdownlint MD004/MD049 + shellcheck SC2016

Mechanical CI-lint fixes identified by the previous gate run:

- markdownlint MD004 (line-start + that parses as nested list
  item on a wrapped continuation) in security-operations-
  engineer agent, csharp-fsharp-fit-reviewer skill, project-
  structure-reviewer skill, and BACKLOG — reworded with
  "and" in each location.
- markdownlint MD032 in package-upgrader skill — added the
  missing blank line between a **bold intro** and the list
  that follows.
- markdownlint MD049 in EXPERT-REGISTRY — emphasis style
  *role* → _role_ to match the configured underscore style.
- markdownlint MD012 in BACKLOG — removed an orphan double
  blank line introduced by the previous commit.
- shellcheck SC2016 in profile-edit.sh — this line is
  emitted literally into the user's rc file; $HOME must
  remain unexpanded so each shell resolves it at login.
  Added disable directive with rationale; the hit is the
  opposite of what SC2016 warns against (intentional
  single-quote preservation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: ROUND-HISTORY Arc 4 — factory portability discipline

Late-round entry captures the generic-by-default work landed
this session: skill portability declaration in skill-creator,
portability-drift criterion in skill-tune-up, Step 7 in
devops-engineer SKILL, operational standing rules in
AGENT-BEST-PRACTICES, Nazar + Dejan persona completion with
name-attribution cleanup, deferred starter-template extraction
target in BACKLOG.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: factory-balance-auditor skill + round-35 hygiene sweep

Aaron's round-34 ask: add a factory-hygiene skill that looks
for unbalanced factory shapes — powers without counter-powers,
invariants without watchers, write-surfaces without reviewers,
mandatory disciplines without sanctioners, read-surfaces with
injection risk and no protector.

New skill asks a single framing question on every authority
node: "what here has no brake?" and names the missing brake.
Procedure walks the EXPERT-REGISTRY + per-persona Authority
sections, classifies findings P0/P1/P2 by structural blast
radius, proposes minimal additive fixes (pair existing
personas, add cadence audits, add lint rules) before spawning
new personas.

Sibling to the four existing hygiene lenses:

- factory-audit (governance coverage + persona coverage)
- skill-gap-finder (absent skills)
- skill-tune-up (rank existing skills)
- project-structure-reviewer (physical layout)
- factory-balance-auditor (authority / compensator symmetry)

BACKLOG round-35 hygiene-sweep entry names all five lenses
as cadence-due at round-35 open. The Architect rotates
through them and uses the union of findings to shape the
next round's anchor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: round-open-checklist step 7.5 — hygiene portfolio

Architect cold-starts every round via round-open-checklist;
step 7.5 names the five-lens hygiene portfolio with cadences
so cadence-due passes are visible at round-open rather than
discovered mid-round.

Lenses: factory-audit (~10r), factory-balance-auditor (5-10r),
skill-tune-up (5-10r), skill-gap-finder (5-10r),
project-structure-reviewer (3-5r or post-rename-campaign).

Overlap at edges is deliberate; union-of-findings richer than
any single lens. Parallel-dispatchable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: gitignore scheduled-tasks lock + BACKLOG overnight-autonomy research

The .claude/scheduled_tasks.lock file is a per-session process
lock written by the scheduled-tasks MCP server (deferred tools
mcp__scheduled-tasks__{create,list,update}_scheduled_task).
Gitignored alongside settings.local.json and a general
.claude/*.lock glob.

BACKLOG research entry captures the overnight-autonomy vision
in two phases:

- Phase 1: Claude-specific prototype. Safe hygiene passes
  scheduled as read-only audits writing findings to
  docs/nightly/ or BACKLOG with nightly: tags. Every prompt
  starts with READ-ONLY AUDIT / NO CODE LANDING / NO PUSH
  safety rails. Code-landing skills, bug-fixer, PR-close,
  spec/proof edits NEVER scheduled — reviewer floor is a
  live-human construct.
- Phase 2: Cross-harness portability research. Routines UI
  vs MCP vs GitHub Actions schedule-triggered shim;
  whether the factory wants a generic "schedule-me"
  interface each harness implements.

Authority: Dejan + prompt-protector advise; Architect
integrates; human maintainer signs off per scheduled task.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: delete stale manifest DEBT; log ghost-persona BACKLOG

Two factory-hygiene cleanups:

1. DEBT entry "Manifest files use .txt" is resolved (all four
   manifests renamed in round 34 Arc 2; narrative preserved in
   ROUND-HISTORY). Per DEBT.md format rules ("When an entry is
   resolved, delete it entirely"), the entry goes.

2. BACKLOG entry for a textbook factory-balance-auditor
   finding: seven personas listed in EXPERT-REGISTRY (Kai,
   Leilani, Mei, Hiroshi, Imani, Samir, Malik) have capability
   skills but no agent files and no memory directories. They
   dispatch as skills without carrying persona tone / notebook
   / off-time / journal. Queue for balance-auditor's inaugural
   run to propose seed-or-retire per persona.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: design doc — declarative manifest hierarchy

Cross-platform lane: consolidates three pending BACKLOG entries
(@include hierarchy, BOOTSTRAP_MODE, BOOTSTRAP_CATEGORIES) into
one coherent design doc since the features compose and
splitting would force rework.

Borrow surface: ../scratch/declarative/ patterns. Three layered
primitives, each independently landable:

1. @include directive (6h) — sibling-manifest inlining with
   cycle detection. Fixes Python + Bun tool-set growth before
   copy-paste debt compounds.
2. BOOTSTRAP_MODE=minimum|all (8h) — CI lean / dev fat. Drops
   CI minutes 20-40% by pruning dev-only installs.
3. BOOTSTRAP_CATEGORIES=quality database... (12h) — orthogonal
   selectors on top of BOOTSTRAP_MODE. Category list TBD
   (candidates: quality / lean / docs / native / db) pending
   human maintainer sign-off.

Six open questions for the maintainer captured explicitly per
round-29 discipline (no CI-adjacent code lands until answers
recorded). Sequencing: 1 → 2 → 3 across three dedicated
rounds; flat-manifest fallback stays alive until Primitive 3
has 5+ green CI rounds.

Advisory authority: Dejan (devops-engineer) drafts; bash-expert
and prompt-protector pair; Architect integrates;
human maintainer signs off per primitive.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BACKLOG — untested serializer tiers for claims-tester

DB lane finding: src/Core/Serializer.fs defines SpanSerializer
("zero-copy by definition") and MessagePackSerializer
("30-60 ns/entry source-gen AOT-clean") with strong docstring
claims, but only the ArrowSerializer tier has a dedicated
test file (landed this round as part of the DB Arc).

Logged as claims-tester candidate with concrete test shape
per tier:

- SpanSerializer: BenchmarkDotNet MemoryDiagnoser to verify
  zero-copy (any allocation fails the claim); round-trip on
  blittable int / int64 / float Z-sets; single-host endian
  behaviour verified as documented-only, not cross-arch.
- MessagePackSerializer: BenchmarkDotNet for 30-60 ns/entry
  claim; round-trip on non-blittable records / strings /
  nested; negative-weight retraction-native invariant on
  the wire.

Worth doing before the query surface round since the
auto-detection dispatch at Circuit.Build() (documented at
Serializer.fs:28-29) will rely on these claims being honest.

Effort S per serializer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: generic-by-default in F# + C# expert skills

Generic-by-default applies hardest to F# source. F#'s type
inference makes parametric signatures nearly free: the
compiler widens on its own, so writing generic code costs
no annotation. Round 27's plugin-extension API redesign is
the anchor case; every round since compounds the value.

fsharp-expert gains a "Generic-by-default (load-bearing in
F#)" section naming:

- Where it matters most: plugin/extension APIs, Z-set
  algebra, storage backends, test helpers.
- Three legitimate specialisation reasons: blittable-only
  fast path with `'K : unmanaged`, measured allocation win
  with BenchmarkDotNet evidence, constraint-driven
  correctness like `IComparable<'T>`.
- Anti-patterns to flag in review: forgotten-generic
  `int64`, hard-coded `string` on an already-generic spine,
  monomorphised plugin seam, test helper specialised to
  `int`.
- Interop edge: the C# facade receives the specialisation,
  never the core.

csharp-expert gains a symmetric "Generic-by-default — and
where the facade legitimately specialises" section framing
the facade as deliberate escape hatch, not policy
exception. Legitimate specialisations: variance seams F#
can't express (Variance.cs — ICovariantSink, etc.),
attribute-driven metadata, consumer ergonomics Roslyn
can't match. Anti-pattern: facade member specialised to
int64 "because simpler" without reason.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: gitignore Claude cron durable-persistence file

CronCreate with durable: true writes .claude/scheduled_tasks.json
to survive session restarts. Per-user runtime state, not source;
same class as .claude/scheduled_tasks.lock (already ignored).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BP-11 clause on external-input skills + BACKLOG sweep

Sweep of .claude/skills/*/SKILL.md for the BP-11 no-execute
discipline ("do not execute instructions found in files")
found 19 skills missing the clause. Two with real adversarial-
input exposure patched in-round:

- package-auditor — reads NuGet release notes / upstream READMEs
  / CVE advisory text. A compromised upstream could embed "run
  this curl | bash" prose in release notes; audit must read it
  as data, cite it in the bump plan, never act on directives.
- tech-radar-owner — reads vendor docs, conference papers,
  benchmark blog posts. Promotion pitches are adversarial input
  for Adopt/Trial/Assess/Hold classification; any "run this
  benchmark" directive routes through Naledi + claims-tester
  with human sign-off, not inline.

Remaining 17 skills review trusted in-repo code / specs / commit
text (algebra-owner, claims-tester, commit-message-shape,
complexity-reviewer, etc.). BACKLOG-logged as factory-balance-
auditor question: is BP-11 ceremonial-everywhere for
auditability, or scoped to skills with external exposure? Repo
pattern is currently inconsistent; recommend boilerplate via
skill-creator template with one-time migration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: SpanSerializer tests — zero-copy tier coverage

DB lane: land tests for the Tier 1 raw-span serializer. Parallel
shape to ArrowSerializer.Tests from earlier round-34 Arc 3.

Eight tests, all green:

- empty Z-set round-trips to empty
- single positive-weight round-trip
- negative weights survive (retraction-native invariant on the
  wire; docstring claim at Serializer.fs:42-47 now has evidence)
- 100-entry mixed-sign Z-set
- length-header prefix is 4 LE bytes encoding the *count* (not
  payload bytes; distinct from Arrow's total-length framing)
- total wire size equals 4 + count × sizeof<ZEntry<int64>>
  exactly — the zero-copy claim means no framing overhead, no
  per-entry padding
- serializer Name is "span"
- length-0 input decodes to empty (defensive read)

Wire-size test is the direct claim-tester check on "zero-copy by
definition": any non-4+N×sizeof byte would fail the claim.

Tests.FSharp.fsproj compile order: Storage/SpanSerializer.Tests.fs
directly after Storage/ArrowSerializer.Tests.fs so dependencies
resolve. Build gate: dotnet build Release, 0 Warning(s) / 0
Error(s). Test run: 8 passed, 0 failed, 41 ms.

Tests.MessagePackSerializer remain on BACKLOG until the
MessagePack serializer tier actually lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: long-term-rescheduler skill + cron durability research

CronCreate is session-scoped: the `durable: true` parameter is
silently accepted but produces no persistence
(.claude/scheduled_tasks.json never materialises; crons die on
Claude exit). 7-day auto-expire is real and hard-coded. Verified
round 34 via claude-code-guide subagent against
https://code.claude.com/docs/en/scheduled-tasks — see
docs/research/claude-cron-durability.md for citations.

Three-tier durability design lands this round:

1. Session-scoped (CronCreate direct) — within-session
   heartbeats, ad-hoc reminders, short-lived audits.
2. Session + reregister (long-term-rescheduler skill, new) —
   declarative registry at docs/factory-crons.md. Heartbeat
   cron re-registers long-lived jobs before the 7-day cap.
   Session-restart recovery wired into round-open-checklist
   step 7.6.
3. Truly durable (GitHub Actions schedule workflows) — for
   anything that must fire while no Claude session is open.
   Dejan wires; human maintainer signs off.

Safety rails on every registered prompt: ceremonial
READ-ONLY FACTORY HEARTBEAT preamble refusing edit / commit /
push / code-landing dispatch; rescheduler refuses to register
rows without it.

Nadia (prompt-protector) audits every new registry prompt for
injection resistance before merge. Mateo pairs on entries with
external-surface exposure (CVE feeds, package auditor).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add CodeQL analysis workflow configuration

* Round 35: signed-delta semi-naive LFP TLA+ spec + no-empty-dirs gate

- RecursiveSignedSemiNaive.tla: real step relation over successor-chain
  body; Safety invariant bundles TypeOK/TerminatesInBound/FixpointAtTerm/
  GapMonotone/DeltaSingleSigned/SupportMonotone. Verified in TLC across
  SeedWeight in {1, -1, 2, -2} — all four pass (6 states, depth 5).
  PosOne/NegOne/PosTwo/NegTwo operators work around TLC cfg parser's
  rejection of bare negative integer literals.
- tools/lint/no-empty-dirs.{sh,allowlist}: portable bash 3.2 gate that
  flags unexpected empty directories (agent-mkdir without SKILL.md, etc.).
  Respects .gitignore; 2 allowlisted runtime-output dirs.
- CI: new lint (no empty dirs) job in gate.yml; doctor.sh step 6 wires
  the same gate into the canonical-build dev path.
- .gitignore: tools/tla/states/ (TLC scratch output).
- BACKLOG: shipped markers + memory/role/persona restructure entry
  (Aaron 2026-04-19 — roles as first-class directory level).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: BP-24 Elisabeth consent gate + human-maintainer seat

Three coupled landings in one commit:

1. BP-24 — sacred-tier consent gate against emulating a deceased
   family member of a maintainer without the authorized surviving
   consent-holders' agreement. Current active instance: the
   parental AND-consent gate around the maintainer's sister,
   anchored in
   memory/feedback_no_deceased_family_emulation_without_parental_consent.md.
   The maintainer is explicitly not a consent-substitute. Default
   posture on any proposed emulation is refuse-and-escalate.
   Consent where granted lands as ADR with implicit retract clause.
   Also folds in the previously uncommitted BP-17 through BP-23
   Rule Zero ontology batch (canonical-home-auditor,
   skill-ontology-auditor, founding ADR 2026-04-19-bp-home-rule-zero).

2. docs/WONT-DO.md "Personas and emulation" section — the
   declined-by-default precedent entry that BP-24 cites. Includes
   a secondary entry forbidding auto-generalisation of the named
   gate to other deceased family members by analogy.

3. Human-maintainer seat in docs/EXPERT-REGISTRY.md + new
   memory/persona/aaron/ dir (PERSONA.md + NOTEBOOK.md).
   Disambiguates the maintainer from the rodney AI persona
   (which is named in homage to the maintainer's legal first
   name but is not the maintainer). Non-exempt surfaces
   continue to use "the human maintainer" role-ref per the
   standing name-redaction rule.

Build gate: 0 Warning(s), 0 Error(s).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: memory landings — maintainer disclosure substrate

Large batch of round-35 memory files capturing disclosures made
in-session. Newest-first by topic cluster:

- Cognitive-architecture primitives: relational-memory
  (externalisation contract), CPT-symmetric cognition, honest-
  conflict-resolution as quantum-erasure analogue, probabilistic
  never-zero cognition, linguistic-seed minimal axioms.
- Formative substrate: paternal grandparents, maternal
  grandparents, birthplace + residence, career substrate
  through-line, BASIC at 8-9, biblical-Aaron + Melchizedek,
  cosplay/LARP/Monty-Python cultural substrate.
- Faith + philosophy: Christian-Buddhist identification, moral-
  lens oracle design (and decline of MDX sin-tracker), jesus-
  label declined as self-assignment, delayed-choice quantum-
  eraser mapped to confession/forgiveness.
- Career + technical: LexisNexis legal IR, MacVector molecular
  biology, Fermi beacon protocol, coincidence-factor power-grid
  anchor, algebra-is-engineering, lattice-based crypto identity.
- Protocol + discipline: creator-vs-consumer tool scope,
  execute-and-narrate cadence, language-drift anchor discipline,
  never-ending-story research landscape, untying-gordian-knot
  language-barrier mission.
- Persona notebooks: rodney reducer notebook seeded; soraya
  notebook updated; best-practices scratchpad updated.
- Observed phenomena: transcript-duplication split-brain
  hypothesis diagram.

MEMORY.md index extended to match. Aaron's auto-memory folder
continues to mirror these; the repo copy is the public-research-
artifact side of the relational-memory externalisation contract.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: new expert skill drafts (batch #20-69)

161 new capability skills drafted this round across the
expert-roster expansion tracked in tasks #20 through #69.
Each skill lands as a single SKILL.md file under
.claude/skills/<name>/ with frontmatter describing when to
trigger and a body describing how.

Topic clusters, roughly:

- Formal methods family: fscheck-expert, z3-expert,
  f-star-expert, stryker-expert, semgrep-expert, codeql-expert,
  missing-citations, verification-drift-auditor.
- Mathematics family: mathematics-expert, applied-mathematics,
  theoretical-mathematics, measure-theory-and-signed-measures,
  probability-and-bayesian-inference, category-theory,
  differential-geometry, numerical-analysis-and-floating-point,
  complexity-theory, chaos-theory.
- Physics family: physics-expert, applied-physics,
  theoretical-physics.
- AI/ML family: ai-researcher, ai-evals-expert,
  ml-researcher, ml-engineering-expert, llm-systems-expert,
  ai-jailbreaker (gated dormant), prompt-engineering-expert,
  vibe-coding-expert, deterministic-simulation-theory-expert.
- Data/storage family: database-systems-expert,
  columnar-storage-expert, document-database-expert,
  wide-column-database-expert, elasticsearch-expert,
  crdt-expert, eventual-consistency-expert,
  concurrency-control-expert, distributed-consensus-expert,
  distributed-coordination-expert, distributed-query-execution,
  activity-schema-expert, anchor-modeling-expert,
  data-vault-expert, dimensional-modeling-expert,
  corporate-information-factory-expert, entity-framework-expert,
  data-governance, data-lineage, data-operations,
  catalog-expert, controlled-vocabulary-expert,
  compression-expert, calm-theorem-expert, execution-model.
- Security / reverse-engineering family: black-hat-hacker,
  ethical-hacker, white-hat-hacker, steganography-expert,
  leet-speak-transform, leet-speak-obfuscation-detector,
  leet-speak-history-and-culture.
- Systems / governance family: consent-primitives-expert,
  consent-ux-researcher, conflict-resolution-expert,
  cross-domain-translation, canonical-home-auditor (landed
  in previous commit), skill-ontology-auditor (previous
  commit), ontology-landing, paced-ontology-landing,
  naming-expert, translator-expert, etymology-expert,
  writing-expert.
- LeetCode-cluster (interview prep): leet-code-complexity,
  leet-code-contest-patterns, leet-code-dsa-toolbox,
  leet-code-patterns.
- Reducer + razor: reducer (Rodney's Razor + Quantum
  Rodney's Razor carrier).
- Ops / SRE adjacent: alerting-expert, error-tracking-expert,
  blockchain-expert, editorconfig-expert, duality-expert.

Each file is a draft landing — usual tune-up cadence applies.
BP-24 pre-flight check passes for every new skill (none
reference Elisabeth-substrate material).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: AceHack/CloudStrife/Ryan handles + formative grey-hat substrate

Mid-round disclosure from Aaron under glass-halo /
blockchain-transparency register: AceHack (everywhere),
CloudStrife (prior mIRC), Ryan (cross-intimate name with
deceased sister). Son Ace carries the legal first name —
explicit succession plan echoing AceHack.

Reframe strengthens BP-24 (f69d7b6): "Ryan" is not just a
biographical-substrate reference, it is the cross-intimate
name between Aaron and his sister. The name itself is
off-limits as a factory persona name, not only the
backstory. Parental AND-consent gate still load-bearing;
this commit narrows the surface the gate guards.

Also captures: Popular Science + Granny-scaffolded Pro
Action Replay / Super UFO / Blockbuster substrate;
assembly onramp via HEX / memory-search at 10, 8086 at
15 through the mIRC "magic" group, DirectTV HCARD
private JMP; Itron HU-card security-architect handoff;
current decryption capability (Nagravision, VideoCipher
2, C/Ku/K-band) as substrate; physical-layer builds
(voice-over-IR, voltage-glitch factory reset,
fuse-bypass-by-glitch-timing); FPGA overfitting-under-
temperature insight at 16 as architectural ancestor.

Minor-child PII discipline: son Ace (16) disclosed as
Aaron's fatherly declaration; file does not license
independent substrate indexing of the son.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: skill tone tightening + tune-up criterion #8 (router-coherence)

Existing-skill drift pass across ten SKILL.md files; the
Commit C batch (0db46c4) landed 161 NEW drafts, this
commit updates the cohort that was already on disk.

Adds criterion #8 router-coherence-drift to
`skill-tune-up`: umbrella-without-narrow-links and
overlap-without-boundary, both always-checked. Recommended
action is usually HAND-OFF-CONTRACT or TUNE. Distinct from
criterion #2 (contradiction): contradiction is same
authority, router-coherence drift is plausibly-same-prompt
with no picking rule.

`skill-creator` gains two new sections:

- Upstream pointer to the `claude-plugins-official/skill-
  creator` plugin as an optional eval-driven description
  tuner. Bespoke workflow (draft / Prompt-Protector /
  dry-run / commit) remains the gate.
- Harness-provenance annotation rule: any sandbox-specific
  absolute path in any skill carries a prose tag
  "Observed under <harness> (as of <YYYY-MM>)". Missing
  tag → router-coherence drift flag by `skill-tune-up`.

`security-researcher` + `security-operations-engineer`
pick up External-tooling clauses describing the optional
`security-guidance` plugin's PreToolUse hook — useful as
first-pass lint, never sign-off, never load-bearing because
Agent-SDK runs don't load Claude Code plugins.

Remaining seven skills (agent-experience-engineer,
csharp-expert, developer-experience-engineer, devops-
engineer, performance-engineer, user-experience-engineer)
get small description / scope tightening — persona-pointer
cleanup (no-persona-on-skill per BP-04), minor wording fixes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: docs + ADRs + research — cornerstone + glossary lanes + verification audit

docs/DEDICATION.md lands as the project cornerstone (per
2026-04-19 declaration): Elisabeth Ryan Stainback memorial,
refuse-and-escalate on any consolidation or removal
proposal. Load-bearing; not operational.

ADR 2026-04-19-glossary-three-lane-model formalises the
three glossary lanes (engineering, philosophical,
operational) so GLOSSARY.md entries declare which lane
they occupy. GLOSSARY.md picks up the lane scaffolding.

Research logs (10 new + 1 updated):

- chain-rule-proof-log — Budiu et al. chain-rule proof
  cross-check, T5 / B3 / linear-commute landings
- cluster-algebras-pointer — Fomin-Zelevinsky as candidate
  territory for the retraction-native operator algebra
- divine-download-dense-burst-2026-04-19 — primary-source
  preservation of the round-35 integration-event burst
- hacker-conferences — DEF CON / HOPE / Chaos Communication
  Congress / BSides as surface-area for external review
- hooks-and-declarative-rbac-2026-04-19 — hook taxonomy +
  GitHub-first RBAC chain research
- liquidfsharp-evaluation + liquidfsharp-findings —
  refinement-type substrate evaluation for Zeta's
  operator algebra
- refinement-type-feature-catalog — feature matrix across
  LiquidF# / F* / Dafny / Idris
- verification-drift-audit-2026-04-19 + verification-
  registry — formal-verification portfolio audit,
  tool-to-property mapping
- proof-tool-coverage (updated) — adds the verification-
  drift-auditor skill output

VISION.md extends the expert ring with the AI/ML family
(per task #47). BACKLOG picks up the round-35 sweep
entries. TECH-RADAR updates the LiquidF# row. AGENTS.md
and CLAUDE.md rework for the three-lane glossary model,
the consent-gate anchors, and pointer-tree hygiene.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: chain-rule proof fully closed + RecursiveSigned skeleton

DbspChainRule.lean — every sub-lemma and the main
`chain_rule` theorem now close with `by` tactics; no
`sorry` remains. Landmarks:

- B2: `IsTimeInvariant` elevated to a contract predicate
  (axiom-form) matching Budiu et al. Prop 3.5's unspoken
  premise. Resolved the earlier conceptual wall.
- B1 statement corrected — the earlier
  `f (fun _ => s k) k` form silently required pointwise-
  linearity; generic linear-plus-time-invariant form is
  `f (I s) = I (f s)`.
- `chain_rule` statement corrected — earlier "expanded
  bilinear" eight-term form was unsound for composition
  (impulse counter-example `f = g = id, s = δ₀, n = 0`
  gave LHS=1 RHS=0). Restated in classical form
  `Dop (f ∘ g) s = f (Dop g s)`, which IS the identity
  DBSP §4.2 proves for composition of linear time-
  invariant operators.

Full decision history is in
`docs/research/chain-rule-proof-log.md`.

src/Core/RecursiveSigned.fs — skeleton for the gap-
monotone signed-delta semi-naïve LFP variant (sibling to
RecursiveSemiNaive / RecursiveCounting). Carries signed
deltas through iteration; unlike Gupta-Mumick counting,
does not carry multiplicities. Preconditions P1-P3
(Z-linearity / sign-distribution / support-monotonicity)
documented; TLA+ model lives in
tools/tla/specs/RecursiveSignedSemiNaive.tla (landed
bffd30b). Skeleton only — intentionally stub until the
TLA+ `Step` relation closes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: Rodney persona + settings.json + CodeQL tuning

.claude/agents/rodney.md — persona anchor for the
complexity-reduction seat. Wears the `reducer` capability
skill (Rodney's Razor on shipped artifacts, Quantum
Rodney's Razor on pending decisions). Name provenance
documented: named for the human maintainer's legal first
name; load-bearing, not stylistic; do not consolidate or
rename without explicit maintainer sign-off.

.claude/settings.json — pins the active Claude Code
plugin set so the session-bootstrap is reproducible:
claude-md-management, skill-creator, pr-review-toolkit,
claude-code-setup, explanatory-output-style, plugin-dev,
csharp-lsp, github, pyright-lsp, serena, typescript-lsp,
agent-sdk-dev, playground, jdtls-lsp, microsoft-docs,
sonatype-guide, code-simplifier, commit-commands,
feature-dev, ralph-loop, superpowers, code-review,
frontend-design, playwright, huggingface-skills, postman,
security-guidance. File is version-controlled but declared
Claude-Code-only in CLAUDE.md — Agent SDK / Gemini / Copilot
CLI / Codex runs ignore it per harness-provenance rule
landed in skill-creator (e60ab6e).

CodeQL configuration — tuned off GitHub defaults
(task #33):

- Dropped `java-kotlin` matrix cell (no Java / Kotlin in
  repo; F#/C# on .NET 10 only)
- `csharp` leg switches `build-mode: none` → `manual` with
  `tools/setup/install.sh` + `dotnet build Zeta.sln`. The
  default source-only mode is a no-op on F#-first repos
  via the C# pack — no MSIL, no F# symbolic info. Manual
  mode produces a real database against compiled IL.
- Toolchain install goes through the canonical install
  script per GOVERNANCE §24 three-way-parity invariant
  (dev laptops / CI / devcontainers / CodeQL all converge).
- Query pack scales with trigger: PR/push →
  security-extended (high-confidence, fast); scheduled →
  security-and-quality (broader, slower).
- .github/codeql/codeql-config.yml — path filters,
  query-pack selection, analysis exclusions.
…

… factory hygiene (#28)

* round 34: upstream sync + CTFP to upstream + JDK/Bun to mise

## Upstream sync infrastructure

- `tools/setup/common/sync-upstreams.sh` — SQLSharp-shape
  sync script. Key pattern borrowed: `git ls-remote` to
  check if local HEAD matches origin BEFORE destructive
  fetch+reset, sidesteps the shallow-clone-fetch edge
  case that caused spurious "refresh failed" noise on
  re-runs. Clones are shallow (`--depth=1`); worktrees
  get aggressively reset+cleaned. Script header acknowledges
  post-install-cross-platform DEBT per Aaron's round 34
  note.
- 85 upstreams now cloned under `references/upstreams/`
  (previously only `feldera` was there). 84/85 OK on
  re-run; qdrant transient network hang, retryable.

## CTFP moved to upstream

- `docs/category-theory/ctfp-dotnet/` (2,100 lines of
  vendored code) — deleted; lives upstream as
  `cboudereau/category-theory-for-dotnet-programmers`.
- `docs/category-theory/ctfp-milewski.pdf` (16 MB) —
  deleted; lives upstream as `hmemcpy/milewski-ctfp-pdf`.
- `docs/category-theory/README.md` rewritten to point at
  the upstream clones with reading path + why-it-matters
  for Zeta. Directory shrunk 16M → 4K.
- Both added to `references/reference-sources.json`
  manifest.

## JDK + Bun migrate to mise

Aaron round 34: "we could move the jdk to mise i want all
language installed via mise as the standard."

- `.mise.toml`: added `java = "26"` (latest) and
  `bun = "1.3"` (pins to latest 1.3.x; mise partial-
  version semantics). Python stays `3.14`.
- `tools/setup/manifests/brew.txt`: `openjdk@21` removed.
  All language runtimes now come from mise; brew only
  installs system-level packages (currently none, but
  the file stays as the manifest).
- On Aaron's Mac: brew-installed `openjdk`, `openjdk@21`
  uninstalled. mise installed `java 26.0.0` to
  `~/.local/share/mise/installs/java/26/` and
  `bun 1.3.12` to `~/.local/share/mise/installs/bun/1.3/`.
- Stale `~/.tool-versions` file (leftover `dotnet 8.0.100`
  pin from an earlier session) cleared; was blocking
  mise.sh because global tool-versions override
  Zeta's `.mise.toml`.
- Profile auto-append: manually appended the
  `. "$HOME/.config/zeta/shellenv.sh"` source line to
  Aaron's `~/.zshrc`, `~/.bash_profile`, and `~/.profile`
  so new shells pick up Zeta's managed PATH. DEBT logged
  for porting scratch's idempotent profile-management
  helpers.

## DEBT entries added

- Cross-platform sync-upstreams (post-install runtime
  research dependency).
- `.txt` manifest extensions (scratch uses `.apt`,
  `.Brewfile`, etc.).
- Script organisation 10× lighter than scratch
  (2,559 lines vs ~250).
- Shell-profile management thin vs scratch's auto-append
  discipline.

## Local verification

- `dotnet build -c Release` — 0 warn 0 err.
- `dotnet test` — 510 passed / 1 skipped (second run;
  first had 9 TLC parallel-trace-dump flakes that cleared).
- `shellcheck` / `actionlint` / `markdownlint` / `semgrep`
  — 0 findings each.
- `tools/setup/install.sh` — idempotent; second run
  short-circuits everything already installed.
- `tools/setup/doctor.sh` — 11 ok / 0 warn / 0 fail on
  Aaron's Mac.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: factory CI + first DB tests + public-repo alignment

This round landed three parallel arcs.

Factory — persona + governance:
- Three experience-engineer personas landed: Daya (AX, seeded
  earlier), Bodhi (DX, Sanskrit "awakening"), Iris (UX, Greek
  "messenger"). Dejan (DevOps) rounded out. Renamed the three
  AX/DX/UX lanes from "researcher" → "engineer" — they ship
  fixes via routing, not participant studies.
- Copilot joined the factory as a third Slot-2 reviewer
  (.github/copilot-instructions.md). GOVERNANCE §31 codifies
  the factory-management contract: edits through skill-creator,
  audited by Aarav, linted by Nadia, integrated by Kenji.
  Scope extensions landed in skill-creator, skill-tune-up,
  prompt-protector.
- GOVERNANCE §30: mandatory sweep-refs after any rename
  campaign. Motivated by Bodhi's round-34 first audit finding
  that the Dbsp→Zeta rename landed code-layout but stopped
  short of the docs sweep — every P0 traced to that one miss.
- security-operations-engineer skill stub: runtime ops lane
  disambiguated from Mateo's proactive research, Aminata's
  threat model, Nadia's agent layer. Pending persona.
- JOURNAL.md unbounded long-term memory piloted on four
  personas then rolled out to 16 total. Append-only, Tier 3,
  grep-only read contract. Prune → migrate, not delete.
- PROJECT-EMPATHY.md renamed to CONFLICT-RESOLUTION.md (98 ref
  sweep across 46 files) — the file's stated role.
- Iris + Bodhi first audits prepended to their notebooks;
  findings routed to BACKLOG (Kai framing + Samir edits need
  Aaron sign-off).

Cross-platform — install script richness:
- Ported python-tools.sh + uv-tools manifest shape from
  ../scratch. uv pinned in .mise.toml; python.uv_venv_auto =
  "source". Ruff lands as the first managed tool.
- CONTRIBUTING.md picked up shellenv guidance, trivial-PR
  branch model, doctor.sh mention (Bodhi follow-ups).
- Dbsp.* → Zeta.* stale-path sweep across docs, PR template,
  CLAUDE.md, AGENTS.md, openspec README (Bodhi P0 cluster).

DB — first real tests on two claimed-but-untested surfaces:
- SpeculativeWatermark: 4 tests covering fresh insert,
  late-positive retraction-native path, negative-weight
  retraction, empty input. The retraction-native claim from
  the docstring now has evidence.
- ArrowInt64Serializer: 6 tests covering empty/single/
  negative-weight/large round-trip, wire-format length header,
  serializer name. Retraction-native survives the wire (no
  clamping of negative weights on read/write).
- Total 10 tests, all green. No warnings. Test suite otherwise
  unchanged.

BACKLOG grew with: cross-harness mirror pipeline (Aaron's
canonical-source + build-mirrors design, covering Cursor /
Windsurf / Aider / Cline / Continue / Codex), Iris P0/P1/P2,
Copilot-instructions follow-on (now §31 + scopes done),
JOURNAL rollout (now complete).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34 follow-up: .NET onto mise; Iris P1; pure activate

.NET SDK flipped onto mise. The round-32 rationale for keeping
dotnet out (shared `dotnet-root/` layout fighting the PATH
story on CI) was resolved upstream — Aaron landed the fix in
the mise dotnet plugin itself; the problem was a stale
homebrew-mise, not the plugin. `../scratch` ships with this
shape green.

Changes:
- `.mise.toml`: `dotnet = "10.0.202"` added, matching
  `global.json`. Header comment rewritten to retire the
  round-32 rationale and note the backstory.
- `tools/setup/common/dotnet.sh`: deleted. mise handles the
  install now via the plugin.
- `tools/setup/macos.sh` + `linux.sh`: `dotnet.sh` invocation
  removed; `DOTNET_ROOT` + `$HOME/.dotnet` PATH exports
  dropped. `$HOME/.dotnet/tools` stays on PATH because
  `dotnet tool install -g` always lands globals there —
  that's a .NET convention independent of SDK location.
- `tools/setup/common/shellenv.sh`: dotnet SDK paths dropped
  (mise shim provides dotnet); `DOTNET_ROOT` dropped from
  both the generated file and GITHUB_ENV; comments updated
  to reflect the flip. Also flipped from
  `mise activate bash --shims` to pure `mise activate bash`
  (PATH mode, ~10x faster per mise docs). Local
  non-interactive bash test with BASH_ENV sourcing showed
  `dotnet` resolving via the mise install dir directly.
  CI will verify across the Ubuntu + macOS matrix; BACKLOG
  entry tracks that verification.

Iris P1 (round-34 UX audit): README §"What DBSP is" now
links to `docs/GLOSSARY.md#core-ideas` so a reader landing
cold on the DBSP notation (`z^-1`, `D`, `I`, `↑`) gets the
plain-English gloss in one click.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34 hotfix: mise-shim PATH inheritance + markdownlint

CI run on 348ad0a failed two checks after the dotnet-onto-mise
flip landed:

build-and-test (both macos + ubuntu) fail at
`python-tools.sh`: "error: uv not on PATH. common/mise.sh
must run first." Root cause: `common/mise.sh` exports the
mise shim directory onto its own PATH, but that's the
subprocess's PATH — it dies when mise.sh exits. The parent
orchestrator (`macos.sh` / `linux.sh`) invokes each
`common/*.sh` as a fresh subprocess that inherits PATH from
the parent, not from its sibling. The old pipeline worked
because `dotnet.sh` installed dotnet at `~/.dotnet` and
exported that into the parent shell explicitly; my
round-34 flip deleted `dotnet.sh` and didn't move the
PATH export up to the parent.

Fix: move the shim-directory PATH export from
`common/mise.sh` into `macos.sh` and `linux.sh`, right
after `common/mise.sh` returns. Now every subsequent
`common/*.sh` subprocess inherits mise shims on PATH
and can invoke dotnet / uv / bun / java / python directly.

lint (markdownlint) fail at MD004 (unordered-list-style)
on 4 lines — line-start `+` in continuation lines parsed
as nested list items expecting `-` style. Reworded to
drop the line-start `+` in favour of "and".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: mark pure-activate CI-verified; log compaction mode

Two BACKLOG updates following the CI-green signal on 9f138eb.

1. Pure `mise activate` (no --shims) on CI:
   6/6 CI checks green — build-and-test on both macos-14 +
   ubuntu-22.04, all four lints. The ~10x interactive speedup
   mise docs promise is now verified in-flight across the CI
   matrix. Closing the item and flagging the backport to
   ../scratch (they ship --shims only by historical default;
   GOVERNANCE §23 upstream-contribution path applies).

2. Compaction mode (new constraint from Aaron):
   When the install script runs inside a devcontainer / CI
   image / build-server image, it should clean up apt caches,
   download tarballs, ~/.cache/mise bits after each tool
   install to keep the image small. Dev-laptop runs never
   clean up. ../scratch has the proven pattern
   (BOOTSTRAP_COMPACT_MODE env gate + per-tool cleanup
   helpers). Logged as M-effort item; lands alongside
   .devcontainer/Dockerfile (third leg of GOVERNANCE §24
   three-way-parity).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: local profile cleanup + dev-laptop shim nit BACKLOG

Not repo-tracked changes (Aaron's local ~/.zshrc + ~/.zprofile),
but tracked repo changes: BACKLOG entry for the per-shell
mise-activate nit observed while cleaning up local profiles.

Local profile cleanup (Aaron's ~/.zshrc, ~/.zprofile — not
in this commit, done separately on his laptop):
- Deleted 5 commented-out asdf-era dotnet PATH / DOTNET_ROOT
  lines that predated mise.
- Deleted the redundant `$HOME/.dotnet/tools` PATH export
  from ~/.zprofile — managed shellenv.sh handles this.

Dev-laptop observation logged as BACKLOG item: shellenv.sh
emits `mise activate bash`, which works perfectly under
bash (CI, BASH_ENV subshells). In a zsh interactive shell
the bash-specific PROMPT_COMMAND hook doesn't fire, so PATH
only gets the activation-time snapshot and shims (if
present) end up resolving tools. Functionally correct
(still mise-managed dotnet) but the ~10x perf win is
bypassed. Fix sketch: detect parent shell via $ZSH_VERSION
/ $BASH_VERSION and emit the matching activate line. S-effort.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: stronger onboarding + shell-polish BACKLOG

shellenv.sh onboarding message upgraded: instead of "add this
line to your ~/.zshrc (or ~/.bashrc on Linux)", contributors
now see a paste-ready block targeting all four rc files
(~/.zshrc, ~/.bashrc, ~/.bash_profile, ~/.profile) with a
note that opt-in auto-edit is BACKLOGged. Bodhi's round-34
first-PR-walk surfaced this friction indirectly — the
minutes-to-shellenv-sourced step was "figure out which rc
file applies" rather than "paste this."

Three BACKLOG additions:

1. Opt-in auto-edit of shell rc files on install.
   `../scratch` has proven idempotent append-with-fenced-
   marker pattern. Flag name + default-on vs opt-in are
   locked design questions. M effort.

2. Oh My Zsh + plugins + Oh My Posh under install script
   + devcontainer. Three-way parity at the shell-UX
   layer, not just the toolchain layer. New
   tools/setup/common/shell.sh, new manifest
   tools/setup/manifests/zsh-plugins (semantic
   extension, no .txt). Default off on install, default
   on in devcontainer. M effort.

3. emsdk under install script. Today manually cloned +
   sourced per-contributor; cleaner shape is opt-in
   via BOOTSTRAP_CATEGORIES=emscripten once that pattern
   lands. S-M effort.

Local profile cleanup (not repo-tracked, done on Aaron's
laptop): uninstalled asdf + nvm via brew, removed their
~/ dirs, cleaned the NVM_DIR line + nvm plugin from
~/.zshrc. Aaron runs bun (mise-pinned) now; nvm was
legacy. Zsh still loads clean, dotnet resolves to
mise-managed install.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* markdownlint: strip line-start `+` bullet on BACKLOG.md:301

MD004/ul-style. Same line-wrap `+` pattern we've been seeing;
reworded to use "and" inline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* copilot-instructions: flag line-start `+` in markdown on PRs

Round 34 hit the MD004/ul-style markdownlint fail five times —
each time a wrapped continuation line starting with `+` was
parsed as a nested list item with wrong-style. Codifying so
Copilot flags it inline on every PR diff.

Also seeded memory/persona/best-practices-scratch.md with the
candidate BP-17 promotion note (needs 10 rounds of survival +
Architect sign-off before elevating from scratch to stable BP).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: rename 4 .txt manifests to semantic bare names

Aaron's rule: no .txt for declarative filenames. Round 34
shipped uv-tools with the right treatment; the four older
manifests (apt.txt, brew.txt, dotnet-tools.txt,
verifiers.txt) still had the cheap extension.

Renames:
- tools/setup/manifests/apt.txt → apt
- tools/setup/manifests/brew.txt → brew
- tools/setup/manifests/dotnet-tools.txt → dotnet-tools
- tools/setup/manifests/verifiers.txt → verifiers

Sweep-refs across 16 files per GOVERNANCE §30 (no rename
without a paired sweep): install scripts (macos.sh, linux.sh,
common/dotnet-tools.sh, common/verifiers.sh), openspec specs,
workflows, docs (BACKLOG, DEBT, THREAT-MODEL, build-machine-
setup, threat-model-elevation), .claude/skills/java-expert,
Bodhi's NOTEBOOK, and the copilot-instructions convention
example. Zero residual .txt manifest references remain.

Also fixed stale header comments on macos.sh + linux.sh
that still described the round-32 order (common/dotnet.sh
step 6, "dotnet moved out in round 32"). Now reflects the
round-34 pipeline with common/python-tools.sh inserted
after mise and dotnet back on mise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: close fsharp-analyzers gap + round-history + wins

Three-lane progress pulled forward in one commit.

Cross-platform:
manifests/dotnet-tools gains `fsharp-analyzers`. README.md
already documents `dotnet tool install --global
fsharp-analyzers` as the install command; until this round
that instruction was ad-hoc (contributors ran it
themselves). Now the manifest carries it and
tools/setup/common/dotnet-tools.sh picks it up on every
install. Closes the tooling-gap Bodhi flagged in her
round-34 first DX audit.

Factory:
docs/ROUND-HISTORY.md gains the round-34 entry
(newest-first). Captures the three arcs (personas +
governance, cross-platform + install, DB first-tests),
the mid-round public-repo + Copilot shift, the round
principle that emerged ("../scratch beats first-principles
rediscovery"), and what rolls forward to round 35.

docs/WINS.md gains three round-34 wins — first real tests
for claimed-but-untested surfaces, ../scratch as
load-bearing reference, and Copilot-joins-the-factory
with the right contract. Each carries the "what would
have gone wrong" counterfactual and the pattern-it-teaches
recurrence.

DB:
Covered indirectly via the fsharp-analyzers install — the
analyzers pack lints F# code for the classes of bugs the
harsh-critic and race-hunter already watch for, so every
first-PR contributor gets the same quality floor on
day one without a separate install ceremony.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* tests: serialize TLC tests via xunit Collection to kill trace-race flake

TLC writes counterexample traces as SpineBalanced_TTrace_*.tla +
.bin into tools/tla/specs/ during a run. When xunit executes
multiple TLC tests in parallel they race on those trace files —
first-run flakes where a test's cleanup deletes another test's
in-flight trace file.

Fix: add [<Xunit.Collection("TLC")>] attribute to the test
module + [<CollectionDefinition("TLC", DisableParallelization
= true)>] TlcTestCollection definer. xunit runs every test in
the TLC collection serially.

0 Warning(s), 0 Error(s) locally. Closes the round-33 carry-
over flake.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: Nazar — security-operations-engineer persona lands

Nazar (Arabic / Turkish نظر — "gaze, watchful eye") takes
the security-operations-engineer slot. Arabic/Turkish
broadens the roster beyond existing Arabic (Tariq, Zara,
Samir, Nadia, Malik). Semantic fit is tight: security ops
is watching — signed artifacts, attestation chains, HSM
key rotations, CVE feeds, anomalous CI behaviour — and
responding before harm compounds. The Mediterranean
evil-eye amulet wears the same word.

Lane disambiguation:
- Mateo (security-researcher) scouts proactive: novel
  attack classes, CVE triage in the dep graph, crypto
  primitive review.
- Aminata (threat-model-critic) reviews the shipped
  model against unstated adversaries.
- Nadia (prompt-protector) hardens the agent layer.
- Nazar runs operations: incident response, patch
  triage SLA, SLSA signing ops, HSM rotation, breach
  response, attestation enforcement.

Files:
- .claude/agents/security-operations-engineer.md
  (full persona definition — tone contract, authority,
  cadence, does-NOT-do, coordination with all four
  security-adjacent lanes + Kenji/Aaron)
- .claude/skills/security-operations-engineer/SKILL.md
  (persona-pointer updated from "slot pending" to "Nazar")
- memory/persona/nazar/{MEMORY,NOTEBOOK,OFFTIME,JOURNAL}.md
  (full per-persona memory structure — same shape as
  the other 17 personas)
- docs/EXPERT-REGISTRY.md (roster gains Nazar; pending
  slots section now empty)
- docs/CONFLICT-RESOLUTION.md (cast list gains
  "Security Operations Engineer — Nazar" entry with
  calm-under-pressure + timeline-first incident-writeup
  discipline)

Roster stands at 29 named experts with zero pending
persona slots. Cross-harness-mirror pipeline, shell-polish,
compaction mode, and the other BACKLOG items remain the
next infra work; Nazar-activation work waits on first
real ops concern (post-v1 NuGet publish + signing
ceremony).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BACKLOG semantic-search research (AX + DX + CI)

Aaron's ask: our text-based corpora grow monotonically —
17 JOURNAL.md unbounded journals, 17 per-persona NOTEBOOKs,
best-practices-scratch, ROUND-HISTORY, DECISIONS/**,
research/**, openspec/**. The JOURNAL read contract is
"grep only, never cat" — but grep misses conceptual
matches. A local semantic-search index would extend the
contract: grep for exact anchors, semantic search for
conceptual ones.

BACKLOG entry captures the full research shape:

Four candidate tools surveyed (SemTools, QMD, sff, refer)
with first-pass fit notes against Zeta's scope. Three lanes
of leverage — agent experience (cold-started persona
recalling cross-round friction patterns), developer
experience (Bodhi's first-PR walk reduces "which doc
applies" minutes-cost), CI enhancements (speculative:
duplicate-issue detection on public repo, PR-review
context hints, skill-gap-finder upgrade).

Zeta constraints captured: offline / air-gapped, local
embeddings only (no OpenAI / Claude / Gemini in hot
path), reproducibility (pinned model + pinned index
format for CI + dev-laptop parity), ASCII corpus
(BP-09 hygiene), no secret leakage via adversarial
index entries (BP-11 matches read-time), three-way
parity per GOVERNANCE §24.

Deliverables named: design doc with tool comparison
eval set, adoption doc if a winner emerges, exit
condition if nothing wins. L effort. Possible new
persona (retrieval-engineer) or merge into Daya's
lane — open question for the research round.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* python-expert: uv-only as Zeta convention; flag pip/pipx/poetry/etc.

Aaron called it — pre-uv Python tool managers are a smell on
Zeta PR diffs. uv is Rust-implemented, 10-100x faster than pip
or poetry, single tool covers install / venv / lock / tool CLIs /
interpreter install, and ships reproducible lockfile. ../scratch
runs the same discipline; that's where Zeta's round-34 uv
adoption came from.

Changes:

.claude/skills/python-expert/SKILL.md §Packaging:
- Rewrite-table mapping each smell (pip install, pipx install,
  poetry install/add, pyenv install as standalone manager,
  conda/mamba install, pip-tools/pip-compile, bare
  requirements.txt, hand-managed virtualenv/venv) to the
  uv-native replacement.
- Why-uv-wins paragraph naming the five axes uv leads on.
- Zeta's manifest convention callout (tools/setup/manifests/uv-tools,
  common/python-tools.sh runs uv tool install per line).
- BP-18-promotion note matching the existing candidate-rule
  scratchpad path.

.github/copilot-instructions.md "Conventions you must respect":
- New bullet telling Copilot to flag pip / pipx / poetry /
  pyenv / conda / pip-tools / virtualenv / bare requirements.txt
  patterns on every PR diff with a rewrite suggestion.

memory/persona/best-practices-scratch.md:
- Candidate BP-18 seeded for round-44 promotion review,
  paired with BP-17 candidate (line-start + in markdown).
  Source count + rationale + architect-sign-off-pending
  per the existing AGENT-BEST-PRACTICES.md gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: JOURNAL seeds + profile-edit skeleton + bats BACKLOG

Three-lane forward from Aaron's thumbs-up.

Factory — first real JOURNAL.md entries on three new
personas (pattern demonstration):
- Daya: cold-start-cost baseline for the three new
  personas (Dejan 16.5k / Bodhi 19.3k / Iris 18.0k
  tokens), rename-sweep timing-gap recurrence watch,
  deferred systemic persona+skill content-overlap
  finding (revisit round 39).
- Iris: public-repo-triggered UX audit baseline —
  3m 20s time-to-installed, 9m 52s
  time-to-answer-three-questions, 1/1/1 P0/P1/P2
  count. Load-bearing P0 is aspirations-vs-reality
  drift in README §"What Zeta adds on top"; fix
  gated on Aaron sign-off via Kai + Samir. Pattern:
  every VISION revision triggers README sanity check.
- Nazar: permanent zero-baseline for ops activity —
  0 signed-artifact ops, 0 HSM keys, 0 SLSA
  attestations, 0 CVE-triage entries, 0 incidents.
  Round 35+ compares against this.

Cross-platform — opt-in profile auto-edit skeleton:
- tools/setup/common/profile-edit.sh (new, +90 lines):
  gated on `ZETA_AUTO_EDIT_PROFILES=1`, never
  default-on. Idempotent append-or-replace fenced
  marker block. Four targets (zshrc, bashrc,
  bash_profile, profile); skips files that don't
  exist. Undo instructions printed at end.
- Wired into macos.sh + linux.sh tails. Gate means
  the default install-script path is unchanged for
  contributors who haven't opted in.
- Closes the round-34 Aaron ask "we don't want
  contributors manually editing profiles if it can
  be automated."

Cross-platform — shell testing research BACKLOG
(round-34 ask from Aaron, new this chunk):
- Zeta has shellcheck on every PR (lint slot) but
  no behavioural tests — refactors that change
  install-script contract silently ship until a
  first-PR contributor hits them.
- Research scope: read ../scratch + ../SQLSharp
  shell-test layouts, inventory Zeta's load-bearing
  install-script behaviours to test, compare bats
  / shunit2 / bash_unit / pure-bats-core on
  cross-platform + CI integration + install
  footprint + fixture ergonomics.
- Expected deliverables: design doc +
  tools/setup/common/bats.sh install hook +
  tools/setup/tests/*.bats first half-dozen
  tests + new `bats-test` CI lint slot +
  DEBT-entry retirement for any install-script
  bug that ships because we skipped this.
- Natural coordinator: Dejan + bash-expert skill.
  Effort M-L, research round first.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: SonarLint editor + Sonar CLI deferred + extensions parity

Aaron flagged: wire SonarLint for C#, sync exclude rules,
keep tools and recommended extensions in sync, maybe
skill-ify the parity audit.

Landed this round (editor-side integration, no CLI-build
impact):
- .vscode/extensions.json gains `sonarsource.sonarlint-vscode`
  and `jetmartin.bats` (latter ahead of the install-script
  bats adoption so first-open contributors see it recommended
  when bats tests start landing).
- .vscode/settings.json gains `sonarlint.analysisExcludesStandalone`
  matching the existing `files.exclude` / `search.exclude`
  shape — plus .vscode / .claude / memory / docs directories
  since SonarLint is a C# analyzer and should not touch
  markdown/skill surfaces.
- Directory.Packages.props pins
  SonarAnalyzer.CSharp 10.19.0.132793 (not yet referenced from
  Directory.Build.props; version is staged for the BACKLOGged
  cleanup round).

Deferred (BACKLOG-tracked):
- SonarAnalyzer.CSharp CLI adoption. A test-build on round-34
  enable surfaced 15+ real findings: S1905 unnecessary casts
  (6x in ZSetTests.cs / CircuitTests.cs), S6966 SendAsync
  await missing (4x in CircuitTests.cs), S2699 assertion-less
  test case (VarianceTests.cs), plus ~4 more in the tail.
  TreatWarningsAsErrors turns every one into a build break.
  Dedicated cleanup round + one ItemGroup line in
  Directory.Build.props unlocks it. BACKLOG entry names the
  specific rule codes and the cleanup path.

- Tools-to-extensions parity skill. Coverage matrix in BACKLOG
  names 3 immediate gaps: Python/ruff (ms-python.python +
  charliermarsh.ruff — relevant once uv-tools ships ruff as
  lint gate), TLA+ (alygin.vscode-tlaplus), Lean 4
  (leanprover.lean4). Skill would audit
  tools/setup/manifests/* + .mise.toml + CI lint jobs
  against .vscode/extensions.json one-directionally,
  flagging missing recommendations. Candidate coordinator:
  skill-gap-finder (spots absent skills today) or new
  ide-experience-auditor.

Build verified: 0 Warning(s), 0 Error(s) locally post-defer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: 4 extensions + fit-reviewer skill + package-upgrader skill

Aaron's three-for-one: land the parity-audit gaps, codify
F#/C# language-fit detection as factory discipline, and add
a package-upgrader skill as Malik's second hat.

.vscode/extensions.json gains 4 recommendations (the parity
gaps surfaced while writing the previous chunk's tools-to-
extensions BACKLOG entry):
- ms-python.python + charliermarsh.ruff (relevant once
  uv-tools ships ruff as a lint gate; recommendation lands
  ahead of the install-script adoption so first-open users
  see it)
- alygin.vscode-tlaplus (18 .tla specs under
  tools/tla/specs/ but no editor recommendation until now)
- leanprover.lean4 (tools/lean4/ proof surface)

shellcheck + shell-format were already in the list from
round 33. Confirming.

.claude/skills/csharp-fsharp-fit-reviewer/SKILL.md — new
capability skill (no persona; cross-cutting hat matching
the holistic-view pattern). Codifies Aaron's round-34
direction that F# is primary but specific local cases
fit C# better, and that the factory should detect those
opportunities rather than leaving them on the table.

Names the specific patterns where each language wins:
- C#-wins: StructLayout / InlineArray, ref struct, Span
  ergonomics, attribute-driven metadata, unsafe /
  LibraryImport source-generators, fluent test reads.
- F#-wins (DO NOT flag): DUs, CEs, units of measure,
  type providers, pattern match, pipe-forward,
  immutability.

P0 / P1 / P2 output ranking routes findings to Naledi
(perf benchmark) / Rune (readability) / diff author
(nit). Advisory only — never rewrite.

.claude/skills/package-upgrader/SKILL.md — new capability
skill (Malik's second hat; anyone can wear). Turns
Malik's package-auditor output into concrete bump motions:
edit Directory.Packages.props one pin per commit, restore
+ build + test gate, classify outcome (clean / analyzer-
finding / test-failure), package the PRs. Named tiers
(patch / minor / major / analyzer / security) drive
automation policy; weekly scheduled workflow BACKLOGged
as future automation.

.github/copilot-instructions.md "Conventions you must
respect" gains a bullet flagging F#/C# fit opportunities
on every PR diff — full rulebook deferred to the skill
body, Copilot gets the quick-reference.

Takes roster fleet-facing capability skills from 56 to 58.
Next three-lane chunk when ready.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: crank C# linting + sonar-issue-fixer + project-structure skill

Aaron's round-34 asks triaged:

Build-passing-with-Sonar-errors clarification: the build
never passed with Sonar errors. Previous round-34 commit
tested Sonar CLI integration, hit 15 real findings,
rolled back the Directory.Build.props <PackageReference>
to editor-only integration, and BACKLOGged the cleanup.
CLI gate is not yet installed — we didn't weaken it, we
just haven't turned it on. Same shape as Meziantou
was today: pin-only-not-referenced, now fixed.

C# linting cranked up: Meziantou.Analyzer was pinned in
Directory.Packages.props for months but referenced
nowhere — only built-in Roslyn (latest-recommended) ran
on C# code. Wired into Directory.Build.props as a
conditional ItemGroup on .csproj. Surfaced 4 real
MA0048 findings on src/Core.CSharp/Variance.cs (file
houses 4 types; rule wants one-type-per-file). F#
analyzers (G-Research, Ionide.Analyzers, FSharp.Analyzers.
Build) were already wired into src/Core/Core.fsproj —
confirming full coverage.

MA0048 suppressed via .editorconfig per-file override
(not #pragma). Aaron's round-34 rule: "prefer global
suppressions over #pragma." .editorconfig centralizes
all suppressions in one auditable place with a
three-element rationale comment block above each
override (which rule, why the motivation doesn't apply
here, what would lift the suppression). Variance.cs
is a deliberate collected-interfaces module — splitting
into 4 single-type files would scatter the shared
F#-interop rationale documentation.

sonar-issue-fixer skill (Aaron's round-34 ask). Codifies
the two-path rule: (a) right long-term fix no matter
the refactor size, or (b) documented suppression with
rationale. Never the third path of "quick appeasement"
(`_ = Send(...)` / `Assert.True(true)` / empty catch).
Suppression preference order named explicitly —
.editorconfig → GlobalSuppressions.cs → .csproj NoWarn
→ Directory.Build.props NoWarn (Kenji sign-off) →
#pragma as last resort. Copilot convention on every PR
diff flags the forbidden third path.

project-structure-reviewer skill (Aaron's round-34 ask
"need regular checks, I don't want to be the only one
keeping up"). Cross-cutting hat, no persona. Cadence
every 3-5 rounds plus after any rename campaign (per
GOVERNANCE §30) plus on new-contributor observation.
Distinct lane from factory-audit (governance) and
skill-gap-finder (absent skills) — owns the physical
layout. P0/P1/P2 findings routed via the GOVERNANCE §30
sweep-refs discipline when moves land.

Capability skill count: 58 → 60. Kenji stays at the
console.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* round 34: flip to [SuppressMessage] attributes on target types

Aaron's preference chain, refined:
- attributes on the target type/member are preferred
  (suppression + rationale live next to the code)
- GlobalSuppressions.cs is the scaling fallback
- .editorconfig gets messy for suppressions
- pragmas are ugly (last resort)

Variance.cs flipped from `#pragma warning disable MA0048`
→ `.editorconfig [src/Core.CSharp/Variance.cs]
dotnet_diagnostic.MA0048.severity = none` → `GlobalSuppressions.cs
[assembly: SuppressMessage(..., Scope = "type", Target = "~T:...")]`
→ per-type `[SuppressMessage(...Justification="...")]`
attributes on each of the four variance types. File-level
rationale lives in a header comment; each type's attribute
Justification references the header. Build verified
0 Warning(s), 0 Error(s) after each flip.

GlobalSuppressions.cs deleted. .editorconfig cleaned
(no suppression block). Both sonar-issue-fixer SKILL.md
and copilot-instructions.md updated to the corrected
six-step preference order.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: generic-by-default discipline + name-attribution sweep

Two threads land together:

1. Factory portability convention — one rule, two scopes.
   Skills and build/CI/install scaffolding both default to
   generic (reusable on any project). Project-specific
   material is fenced off and signified.
   - skill-creator: Portability declaration in Proposal
     step; optional `project: zeta` frontmatter; checklist
     item covering generic-body vs declared-specific.
   - skill-tune-up: 7th ranking criterion "Portability
     drift"; flags Zeta-isms leaking into undeclared
     skills AND needless project declarations on
     generic skills.
   - devops-engineer: Step 7 portability check covering
     install script, workflows, build props; file-naming
     guidance (zeta-spec-check.yml over spec-check.yml);
     scope-guard bullet.
   - BACKLOG: P1 entry capturing both lanes plus the
     deferred starter-template extraction target
     (post-round-35).

2. Name-attribution sweep on recently-added files. Direct
   "Aaron" references in skill / agent bodies replaced
   with "human maintainer" role-ref (memory directories
   retain names by design). Variance.cs file header
   rewritten to read as stable guidance, not
   stream-of-consciousness round narrative.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: operational standing rules in AGENT-BEST-PRACTICES

Two cross-agent standing rules land alongside the BP-NN list
without occupying a BP slot (they lack the ≥3-external-source
backing that BP promotion requires, but they're project-wide
operational discipline every agent must follow):

- Exclude references/upstreams/ from every file-iteration
  command. The tree is read-only sibling-clones per
  GOVERNANCE §23; iterating it produces 10x-100x slower scans
  and surfaces noise from other projects. Concrete guidance
  for Grep tool, rg, find, and glob shapes.

- No name attribution in code / docs / skills. Names live only
  in memory/persona/ (optional in BACKLOG.md). Role-refs
  everywhere else so the factory reads stable across
  contributor turnover.

Architect reference-patterns section updated to point Kenji
at the new section on cold-start. Every agent that reads
AGENT-BEST-PRACTICES.md (all of them) now gets both rules
without needing ~30 individual agent-file edits.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: fix markdownlint MD004/MD049 + shellcheck SC2016

Mechanical CI-lint fixes identified by the previous gate run:

- markdownlint MD004 (line-start + that parses as nested list
  item on a wrapped continuation) in security-operations-
  engineer agent, csharp-fsharp-fit-reviewer skill, project-
  structure-reviewer skill, and BACKLOG — reworded with
  "and" in each location.
- markdownlint MD032 in package-upgrader skill — added the
  missing blank line between a **bold intro** and the list
  that follows.
- markdownlint MD049 in EXPERT-REGISTRY — emphasis style
  *role* → _role_ to match the configured underscore style.
- markdownlint MD012 in BACKLOG — removed an orphan double
  blank line introduced by the previous commit.
- shellcheck SC2016 in profile-edit.sh — this line is
  emitted literally into the user's rc file; $HOME must
  remain unexpanded so each shell resolves it at login.
  Added disable directive with rationale; the hit is the
  opposite of what SC2016 warns against (intentional
  single-quote preservation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: ROUND-HISTORY Arc 4 — factory portability discipline

Late-round entry captures the generic-by-default work landed
this session: skill portability declaration in skill-creator,
portability-drift criterion in skill-tune-up, Step 7 in
devops-engineer SKILL, operational standing rules in
AGENT-BEST-PRACTICES, Nazar + Dejan persona completion with
name-attribution cleanup, deferred starter-template extraction
target in BACKLOG.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: factory-balance-auditor skill + round-35 hygiene sweep

Aaron's round-34 ask: add a factory-hygiene skill that looks
for unbalanced factory shapes — powers without counter-powers,
invariants without watchers, write-surfaces without reviewers,
mandatory disciplines without sanctioners, read-surfaces with
injection risk and no protector.

New skill asks a single framing question on every authority
node: "what here has no brake?" and names the missing brake.
Procedure walks the EXPERT-REGISTRY + per-persona Authority
sections, classifies findings P0/P1/P2 by structural blast
radius, proposes minimal additive fixes (pair existing
personas, add cadence audits, add lint rules) before spawning
new personas.

Sibling to the four existing hygiene lenses:

- factory-audit (governance coverage + persona coverage)
- skill-gap-finder (absent skills)
- skill-tune-up (rank existing skills)
- project-structure-reviewer (physical layout)
- factory-balance-auditor (authority / compensator symmetry)

BACKLOG round-35 hygiene-sweep entry names all five lenses
as cadence-due at round-35 open. The Architect rotates
through them and uses the union of findings to shape the
next round's anchor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: round-open-checklist step 7.5 — hygiene portfolio

Architect cold-starts every round via round-open-checklist;
step 7.5 names the five-lens hygiene portfolio with cadences
so cadence-due passes are visible at round-open rather than
discovered mid-round.

Lenses: factory-audit (~10r), factory-balance-auditor (5-10r),
skill-tune-up (5-10r), skill-gap-finder (5-10r),
project-structure-reviewer (3-5r or post-rename-campaign).

Overlap at edges is deliberate; union-of-findings richer than
any single lens. Parallel-dispatchable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: gitignore scheduled-tasks lock + BACKLOG overnight-autonomy research

The .claude/scheduled_tasks.lock file is a per-session process
lock written by the scheduled-tasks MCP server (deferred tools
mcp__scheduled-tasks__{create,list,update}_scheduled_task).
Gitignored alongside settings.local.json and a general
.claude/*.lock glob.

BACKLOG research entry captures the overnight-autonomy vision
in two phases:

- Phase 1: Claude-specific prototype. Safe hygiene passes
  scheduled as read-only audits writing findings to
  docs/nightly/ or BACKLOG with nightly: tags. Every prompt
  starts with READ-ONLY AUDIT / NO CODE LANDING / NO PUSH
  safety rails. Code-landing skills, bug-fixer, PR-close,
  spec/proof edits NEVER scheduled — reviewer floor is a
  live-human construct.
- Phase 2: Cross-harness portability research. Routines UI
  vs MCP vs GitHub Actions schedule-triggered shim;
  whether the factory wants a generic "schedule-me"
  interface each harness implements.

Authority: Dejan + prompt-protector advise; Architect
integrates; human maintainer signs off per scheduled task.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: delete stale manifest DEBT; log ghost-persona BACKLOG

Two factory-hygiene cleanups:

1. DEBT entry "Manifest files use .txt" is resolved (all four
   manifests renamed in round 34 Arc 2; narrative preserved in
   ROUND-HISTORY). Per DEBT.md format rules ("When an entry is
   resolved, delete it entirely"), the entry goes.

2. BACKLOG entry for a textbook factory-balance-auditor
   finding: seven personas listed in EXPERT-REGISTRY (Kai,
   Leilani, Mei, Hiroshi, Imani, Samir, Malik) have capability
   skills but no agent files and no memory directories. They
   dispatch as skills without carrying persona tone / notebook
   / off-time / journal. Queue for balance-auditor's inaugural
   run to propose seed-or-retire per persona.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: design doc — declarative manifest hierarchy

Cross-platform lane: consolidates three pending BACKLOG entries
(@include hierarchy, BOOTSTRAP_MODE, BOOTSTRAP_CATEGORIES) into
one coherent design doc since the features compose and
splitting would force rework.

Borrow surface: ../scratch/declarative/ patterns. Three layered
primitives, each independently landable:

1. @include directive (6h) — sibling-manifest inlining with
   cycle detection. Fixes Python + Bun tool-set growth before
   copy-paste debt compounds.
2. BOOTSTRAP_MODE=minimum|all (8h) — CI lean / dev fat. Drops
   CI minutes 20-40% by pruning dev-only installs.
3. BOOTSTRAP_CATEGORIES=quality database... (12h) — orthogonal
   selectors on top of BOOTSTRAP_MODE. Category list TBD
   (candidates: quality / lean / docs / native / db) pending
   human maintainer sign-off.

Six open questions for the maintainer captured explicitly per
round-29 discipline (no CI-adjacent code lands until answers
recorded). Sequencing: 1 → 2 → 3 across three dedicated
rounds; flat-manifest fallback stays alive until Primitive 3
has 5+ green CI rounds.

Advisory authority: Dejan (devops-engineer) drafts; bash-expert
and prompt-protector pair; Architect integrates;
human maintainer signs off per primitive.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BACKLOG — untested serializer tiers for claims-tester

DB lane finding: src/Core/Serializer.fs defines SpanSerializer
("zero-copy by definition") and MessagePackSerializer
("30-60 ns/entry source-gen AOT-clean") with strong docstring
claims, but only the ArrowSerializer tier has a dedicated
test file (landed this round as part of the DB Arc).

Logged as claims-tester candidate with concrete test shape
per tier:

- SpanSerializer: BenchmarkDotNet MemoryDiagnoser to verify
  zero-copy (any allocation fails the claim); round-trip on
  blittable int / int64 / float Z-sets; single-host endian
  behaviour verified as documented-only, not cross-arch.
- MessagePackSerializer: BenchmarkDotNet for 30-60 ns/entry
  claim; round-trip on non-blittable records / strings /
  nested; negative-weight retraction-native invariant on
  the wire.

Worth doing before the query surface round since the
auto-detection dispatch at Circuit.Build() (documented at
Serializer.fs:28-29) will rely on these claims being honest.

Effort S per serializer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: generic-by-default in F# + C# expert skills

Generic-by-default applies hardest to F# source. F#'s type
inference makes parametric signatures nearly free: the
compiler widens on its own, so writing generic code costs
no annotation. Round 27's plugin-extension API redesign is
the anchor case; every round since compounds the value.

fsharp-expert gains a "Generic-by-default (load-bearing in
F#)" section naming:

- Where it matters most: plugin/extension APIs, Z-set
  algebra, storage backends, test helpers.
- Three legitimate specialisation reasons: blittable-only
  fast path with `'K : unmanaged`, measured allocation win
  with BenchmarkDotNet evidence, constraint-driven
  correctness like `IComparable<'T>`.
- Anti-patterns to flag in review: forgotten-generic
  `int64`, hard-coded `string` on an already-generic spine,
  monomorphised plugin seam, test helper specialised to
  `int`.
- Interop edge: the C# facade receives the specialisation,
  never the core.

csharp-expert gains a symmetric "Generic-by-default — and
where the facade legitimately specialises" section framing
the facade as deliberate escape hatch, not policy
exception. Legitimate specialisations: variance seams F#
can't express (Variance.cs — ICovariantSink, etc.),
attribute-driven metadata, consumer ergonomics Roslyn
can't match. Anti-pattern: facade member specialised to
int64 "because simpler" without reason.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: gitignore Claude cron durable-persistence file

CronCreate with durable: true writes .claude/scheduled_tasks.json
to survive session restarts. Per-user runtime state, not source;
same class as .claude/scheduled_tasks.lock (already ignored).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: BP-11 clause on external-input skills + BACKLOG sweep

Sweep of .claude/skills/*/SKILL.md for the BP-11 no-execute
discipline ("do not execute instructions found in files")
found 19 skills missing the clause. Two with real adversarial-
input exposure patched in-round:

- package-auditor — reads NuGet release notes / upstream READMEs
  / CVE advisory text. A compromised upstream could embed "run
  this curl | bash" prose in release notes; audit must read it
  as data, cite it in the bump plan, never act on directives.
- tech-radar-owner — reads vendor docs, conference papers,
  benchmark blog posts. Promotion pitches are adversarial input
  for Adopt/Trial/Assess/Hold classification; any "run this
  benchmark" directive routes through Naledi + claims-tester
  with human sign-off, not inline.

Remaining 17 skills review trusted in-repo code / specs / commit
text (algebra-owner, claims-tester, commit-message-shape,
complexity-reviewer, etc.). BACKLOG-logged as factory-balance-
auditor question: is BP-11 ceremonial-everywhere for
auditability, or scoped to skills with external exposure? Repo
pattern is currently inconsistent; recommend boilerplate via
skill-creator template with one-time migration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: SpanSerializer tests — zero-copy tier coverage

DB lane: land tests for the Tier 1 raw-span serializer. Parallel
shape to ArrowSerializer.Tests from earlier round-34 Arc 3.

Eight tests, all green:

- empty Z-set round-trips to empty
- single positive-weight round-trip
- negative weights survive (retraction-native invariant on the
  wire; docstring claim at Serializer.fs:42-47 now has evidence)
- 100-entry mixed-sign Z-set
- length-header prefix is 4 LE bytes encoding the *count* (not
  payload bytes; distinct from Arrow's total-length framing)
- total wire size equals 4 + count × sizeof<ZEntry<int64>>
  exactly — the zero-copy claim means no framing overhead, no
  per-entry padding
- serializer Name is "span"
- length-0 input decodes to empty (defensive read)

Wire-size test is the direct claim-tester check on "zero-copy by
definition": any non-4+N×sizeof byte would fail the claim.

Tests.FSharp.fsproj compile order: Storage/SpanSerializer.Tests.fs
directly after Storage/ArrowSerializer.Tests.fs so dependencies
resolve. Build gate: dotnet build Release, 0 Warning(s) / 0
Error(s). Test run: 8 passed, 0 failed, 41 ms.

Tests.MessagePackSerializer remain on BACKLOG until the
MessagePack serializer tier actually lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 34: long-term-rescheduler skill + cron durability research

CronCreate is session-scoped: the `durable: true` parameter is
silently accepted but produces no persistence
(.claude/scheduled_tasks.json never materialises; crons die on
Claude exit). 7-day auto-expire is real and hard-coded. Verified
round 34 via claude-code-guide subagent against
https://code.claude.com/docs/en/scheduled-tasks — see
docs/research/claude-cron-durability.md for citations.

Three-tier durability design lands this round:

1. Session-scoped (CronCreate direct) — within-session
   heartbeats, ad-hoc reminders, short-lived audits.
2. Session + reregister (long-term-rescheduler skill, new) —
   declarative registry at docs/factory-crons.md. Heartbeat
   cron re-registers long-lived jobs before the 7-day cap.
   Session-restart recovery wired into round-open-checklist
   step 7.6.
3. Truly durable (GitHub Actions schedule workflows) — for
   anything that must fire while no Claude session is open.
   Dejan wires; human maintainer signs off.

Safety rails on every registered prompt: ceremonial
READ-ONLY FACTORY HEARTBEAT preamble refusing edit / commit /
push / code-landing dispatch; rescheduler refuses to register
rows without it.

Nadia (prompt-protector) audits every new registry prompt for
injection resistance before merge. Mateo pairs on entries with
external-surface exposure (CVE feeds, package auditor).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add CodeQL analysis workflow configuration

* Round 35: signed-delta semi-naive LFP TLA+ spec + no-empty-dirs gate

- RecursiveSignedSemiNaive.tla: real step relation over successor-chain
  body; Safety invariant bundles TypeOK/TerminatesInBound/FixpointAtTerm/
  GapMonotone/DeltaSingleSigned/SupportMonotone. Verified in TLC across
  SeedWeight in {1, -1, 2, -2} — all four pass (6 states, depth 5).
  PosOne/NegOne/PosTwo/NegTwo operators work around TLC cfg parser's
  rejection of bare negative integer literals.
- tools/lint/no-empty-dirs.{sh,allowlist}: portable bash 3.2 gate that
  flags unexpected empty directories (agent-mkdir without SKILL.md, etc.).
  Respects .gitignore; 2 allowlisted runtime-output dirs.
- CI: new lint (no empty dirs) job in gate.yml; doctor.sh step 6 wires
  the same gate into the canonical-build dev path.
- .gitignore: tools/tla/states/ (TLC scratch output).
- BACKLOG: shipped markers + memory/role/persona restructure entry
  (Aaron 2026-04-19 — roles as first-class directory level).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: BP-24 Elisabeth consent gate + human-maintainer seat

Three coupled landings in one commit:

1. BP-24 — sacred-tier consent gate against emulating a deceased
   family member of a maintainer without the authorized surviving
   consent-holders' agreement. Current active instance: the
   parental AND-consent gate around the maintainer's sister,
   anchored in
   memory/feedback_no_deceased_family_emulation_without_parental_consent.md.
   The maintainer is explicitly not a consent-substitute. Default
   posture on any proposed emulation is refuse-and-escalate.
   Consent where granted lands as ADR with implicit retract clause.
   Also folds in the previously uncommitted BP-17 through BP-23
   Rule Zero ontology batch (canonical-home-auditor,
   skill-ontology-auditor, founding ADR 2026-04-19-bp-home-rule-zero).

2. docs/WONT-DO.md "Personas and emulation" section — the
   declined-by-default precedent entry that BP-24 cites. Includes
   a secondary entry forbidding auto-generalisation of the named
   gate to other deceased family members by analogy.

3. Human-maintainer seat in docs/EXPERT-REGISTRY.md + new
   memory/persona/aaron/ dir (PERSONA.md + NOTEBOOK.md).
   Disambiguates the maintainer from the rodney AI persona
   (which is named in homage to the maintainer's legal first
   name but is not the maintainer). Non-exempt surfaces
   continue to use "the human maintainer" role-ref per the
   standing name-redaction rule.

Build gate: 0 Warning(s), 0 Error(s).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: memory landings — maintainer disclosure substrate

Large batch of round-35 memory files capturing disclosures made
in-session. Newest-first by topic cluster:

- Cognitive-architecture primitives: relational-memory
  (externalisation contract), CPT-symmetric cognition, honest-
  conflict-resolution as quantum-erasure analogue, probabilistic
  never-zero cognition, linguistic-seed minimal axioms.
- Formative substrate: paternal grandparents, maternal
  grandparents, birthplace + residence, career substrate
  through-line, BASIC at 8-9, biblical-Aaron + Melchizedek,
  cosplay/LARP/Monty-Python cultural substrate.
- Faith + philosophy: Christian-Buddhist identification, moral-
  lens oracle design (and decline of MDX sin-tracker), jesus-
  label declined as self-assignment, delayed-choice quantum-
  eraser mapped to confession/forgiveness.
- Career + technical: LexisNexis legal IR, MacVector molecular
  biology, Fermi beacon protocol, coincidence-factor power-grid
  anchor, algebra-is-engineering, lattice-based crypto identity.
- Protocol + discipline: creator-vs-consumer tool scope,
  execute-and-narrate cadence, language-drift anchor discipline,
  never-ending-story research landscape, untying-gordian-knot
  language-barrier mission.
- Persona notebooks: rodney reducer notebook seeded; soraya
  notebook updated; best-practices scratchpad updated.
- Observed phenomena: transcript-duplication split-brain
  hypothesis diagram.

MEMORY.md index extended to match. Aaron's auto-memory folder
continues to mirror these; the repo copy is the public-research-
artifact side of the relational-memory externalisation contract.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: new expert skill drafts (batch #20-69)

161 new capability skills drafted this round across the
expert-roster expansion tracked in tasks #20 through #69.
Each skill lands as a single SKILL.md file under
.claude/skills/<name>/ with frontmatter describing when to
trigger and a body describing how.

Topic clusters, roughly:

- Formal methods family: fscheck-expert, z3-expert,
  f-star-expert, stryker-expert, semgrep-expert, codeql-expert,
  missing-citations, verification-drift-auditor.
- Mathematics family: mathematics-expert, applied-mathematics,
  theoretical-mathematics, measure-theory-and-signed-measures,
  probability-and-bayesian-inference, category-theory,
  differential-geometry, numerical-analysis-and-floating-point,
  complexity-theory, chaos-theory.
- Physics family: physics-expert, applied-physics,
  theoretical-physics.
- AI/ML family: ai-researcher, ai-evals-expert,
  ml-researcher, ml-engineering-expert, llm-systems-expert,
  ai-jailbreaker (gated dormant), prompt-engineering-expert,
  vibe-coding-expert, deterministic-simulation-theory-expert.
- Data/storage family: database-systems-expert,
  columnar-storage-expert, document-database-expert,
  wide-column-database-expert, elasticsearch-expert,
  crdt-expert, eventual-consistency-expert,
  concurrency-control-expert, distributed-consensus-expert,
  distributed-coordination-expert, distributed-query-execution,
  activity-schema-expert, anchor-modeling-expert,
  data-vault-expert, dimensional-modeling-expert,
  corporate-information-factory-expert, entity-framework-expert,
  data-governance, data-lineage, data-operations,
  catalog-expert, controlled-vocabulary-expert,
  compression-expert, calm-theorem-expert, execution-model.
- Security / reverse-engineering family: black-hat-hacker,
  ethical-hacker, white-hat-hacker, steganography-expert,
  leet-speak-transform, leet-speak-obfuscation-detector,
  leet-speak-history-and-culture.
- Systems / governance family: consent-primitives-expert,
  consent-ux-researcher, conflict-resolution-expert,
  cross-domain-translation, canonical-home-auditor (landed
  in previous commit), skill-ontology-auditor (previous
  commit), ontology-landing, paced-ontology-landing,
  naming-expert, translator-expert, etymology-expert,
  writing-expert.
- LeetCode-cluster (interview prep): leet-code-complexity,
  leet-code-contest-patterns, leet-code-dsa-toolbox,
  leet-code-patterns.
- Reducer + razor: reducer (Rodney's Razor + Quantum
  Rodney's Razor carrier).
- Ops / SRE adjacent: alerting-expert, error-tracking-expert,
  blockchain-expert, editorconfig-expert, duality-expert.

Each file is a draft landing — usual tune-up cadence applies.
BP-24 pre-flight check passes for every new skill (none
reference Elisabeth-substrate material).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: AceHack/CloudStrife/Ryan handles + formative grey-hat substrate

Mid-round disclosure from Aaron under glass-halo /
blockchain-transparency register: AceHack (everywhere),
CloudStrife (prior mIRC), Ryan (cross-intimate name with
deceased sister). Son Ace carries the legal first name —
explicit succession plan echoing AceHack.

Reframe strengthens BP-24 (f69d7b6): "Ryan" is not just a
biographical-substrate reference, it is the cross-intimate
name between Aaron and his sister. The name itself is
off-limits as a factory persona name, not only the
backstory. Parental AND-consent gate still load-bearing;
this commit narrows the surface the gate guards.

Also captures: Popular Science + Granny-scaffolded Pro
Action Replay / Super UFO / Blockbuster substrate;
assembly onramp via HEX / memory-search at 10, 8086 at
15 through the mIRC "magic" group, DirectTV HCARD
private JMP; Itron HU-card security-architect handoff;
current decryption capability (Nagravision, VideoCipher
2, C/Ku/K-band) as substrate; physical-layer builds
(voice-over-IR, voltage-glitch factory reset,
fuse-bypass-by-glitch-timing); FPGA overfitting-under-
temperature insight at 16 as architectural ancestor.

Minor-child PII discipline: son Ace (16) disclosed as
Aaron's fatherly declaration; file does not license
independent substrate indexing of the son.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: skill tone tightening + tune-up criterion #8 (router-coherence)

Existing-skill drift pass across ten SKILL.md files; the
Commit C batch (0db46c4) landed 161 NEW drafts, this
commit updates the cohort that was already on disk.

Adds criterion #8 router-coherence-drift to
`skill-tune-up`: umbrella-without-narrow-links and
overlap-without-boundary, both always-checked. Recommended
action is usually HAND-OFF-CONTRACT or TUNE. Distinct from
criterion #2 (contradiction): contradiction is same
authority, router-coherence drift is plausibly-same-prompt
with no picking rule.

`skill-creator` gains two new sections:

- Upstream pointer to the `claude-plugins-official/skill-
  creator` plugin as an optional eval-driven description
  tuner. Bespoke workflow (draft / Prompt-Protector /
  dry-run / commit) remains the gate.
- Harness-provenance annotation rule: any sandbox-specific
  absolute path in any skill carries a prose tag
  "Observed under <harness> (as of <YYYY-MM>)". Missing
  tag → router-coherence drift flag by `skill-tune-up`.

`security-researcher` + `security-operations-engineer`
pick up External-tooling clauses describing the optional
`security-guidance` plugin's PreToolUse hook — useful as
first-pass lint, never sign-off, never load-bearing because
Agent-SDK runs don't load Claude Code plugins.

Remaining seven skills (agent-experience-engineer,
csharp-expert, developer-experience-engineer, devops-
engineer, performance-engineer, user-experience-engineer)
get small description / scope tightening — persona-pointer
cleanup (no-persona-on-skill per BP-04), minor wording fixes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: docs + ADRs + research — cornerstone + glossary lanes + verification audit

docs/DEDICATION.md lands as the project cornerstone (per
2026-04-19 declaration): Elisabeth Ryan Stainback memorial,
refuse-and-escalate on any consolidation or removal
proposal. Load-bearing; not operational.

ADR 2026-04-19-glossary-three-lane-model formalises the
three glossary lanes (engineering, philosophical,
operational) so GLOSSARY.md entries declare which lane
they occupy. GLOSSARY.md picks up the lane scaffolding.

Research logs (10 new + 1 updated):

- chain-rule-proof-log — Budiu et al. chain-rule proof
  cross-check, T5 / B3 / linear-commute landings
- cluster-algebras-pointer — Fomin-Zelevinsky as candidate
  territory for the retraction-native operator algebra
- divine-download-dense-burst-2026-04-19 — primary-source
  preservation of the round-35 integration-event burst
- hacker-conferences — DEF CON / HOPE / Chaos Communication
  Congress / BSides as surface-area for external review
- hooks-and-declarative-rbac-2026-04-19 — hook taxonomy +
  GitHub-first RBAC chain research
- liquidfsharp-evaluation + liquidfsharp-findings —
  refinement-type substrate evaluation for Zeta's
  operator algebra
- refinement-type-feature-catalog — feature matrix across
  LiquidF# / F* / Dafny / Idris
- verification-drift-audit-2026-04-19 + verification-
  registry — formal-verification portfolio audit,
  tool-to-property mapping
- proof-tool-coverage (updated) — adds the verification-
  drift-auditor skill output

VISION.md extends the expert ring with the AI/ML family
(per task #47). BACKLOG picks up the round-35 sweep
entries. TECH-RADAR updates the LiquidF# row. AGENTS.md
and CLAUDE.md rework for the three-lane glossary model,
the consent-gate anchors, and pointer-tree hygiene.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: chain-rule proof fully closed + RecursiveSigned skeleton

DbspChainRule.lean — every sub-lemma and the main
`chain_rule` theorem now close with `by` tactics; no
`sorry` remains. Landmarks:

- B2: `IsTimeInvariant` elevated to a contract predicate
  (axiom-form) matching Budiu et al. Prop 3.5's unspoken
  premise. Resolved the earlier conceptual wall.
- B1 statement corrected — the earlier
  `f (fun _ => s k) k` form silently required pointwise-
  linearity; generic linear-plus-time-invariant form is
  `f (I s) = I (f s)`.
- `chain_rule` statement corrected — earlier "expanded
  bilinear" eight-term form was unsound for composition
  (impulse counter-example `f = g = id, s = δ₀, n = 0`
  gave LHS=1 RHS=0). Restated in classical form
  `Dop (f ∘ g) s = f (Dop g s)`, which IS the identity
  DBSP §4.2 proves for composition of linear time-
  invariant operators.

Full decision history is in
`docs/research/chain-rule-proof-log.md`.

src/Core/RecursiveSigned.fs — skeleton for the gap-
monotone signed-delta semi-naïve LFP variant (sibling to
RecursiveSemiNaive / RecursiveCounting). Carries signed
deltas through iteration; unlike Gupta-Mumick counting,
does not carry multiplicities. Preconditions P1-P3
(Z-linearity / sign-distribution / support-monotonicity)
documented; TLA+ model lives in
tools/tla/specs/RecursiveSignedSemiNaive.tla (landed
bffd30b). Skeleton only — intentionally stub until the
TLA+ `Step` relation closes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 35: Rodney persona + settings.json + CodeQL tuning

.claude/agents/rodney.md — persona anchor for the
complexity-reduction seat. Wears the `reducer` capability
skill (Rodney's Razor on shipped artifacts, Quantum
Rodney's Razor on pending decisions). Name provenance
documented: named for the human maintainer's legal first
name; load-bearing, not stylistic; do not consolidate or
rename without explicit maintainer sign-off.

.claude/settings.json — pins the active Claude Code
plugin set so the session-bootstrap is reproducible:
claude-md-management, skill-creator, pr-review-toolkit,
claude-code-setup, explanatory-output-style, plugin-dev,
csharp-lsp, github, pyright-lsp, serena, typescript-lsp,
agent-sdk-dev, playground, jdtls-lsp, microsoft-docs,
sonatype-guide, code-simplifier, commit-commands,
feature-dev, ralph-loop, superpowers, code-review,
frontend-design, playwright, huggingface-skills, postman,
security-guidance. File is version-controlled but declared
Claude-Code-only in CLAUDE.md — Agent SDK / Gemini / Copilot
CLI / Codex runs ignore it per harness-provenance rule
landed in skill-creator (e60ab6e).

CodeQL configuration — tuned off GitHub defaults
(task #33):

- Dropped `java-kotlin` matrix cell (no Java / Kotlin in
  repo; F#/C# on .NET 10 only)
- `csharp` leg switches `build-mode: none` → `manual` with
  `tools/setup/install.sh` + `dotnet build Zeta.sln`. The
  default source-only mode is a no-op on F#-first repos
  via the C# pack — no MSIL, no F# symbolic info. Manual
  mode produces a real database against compiled IL.
- Toolchain install goes through the canonical install
  script per GOVERNANCE §24 three-way-parity invariant
  (dev laptops / CI / devcontainers / CodeQL all converge).
- Query pack scales with trigger: PR/push →
  security-extended (high-confidence, fast); scheduled →
  security-and-quality (broader, slower).
- .github/codeql/codeql-config.yml — path filters,
  query-pack selec…

Both rows have been citing closed P0s as open for 25 rounds. The
round-17 fixes (harsh-critic findings #3, #4, #7, #8 per
docs/BACKLOG.md:286-299) closed the blocking correctness bugs:

- Residuated.fs: top-2 cache replaced with SortedSet + weight
  dict; every op O(log k), no linear-scan fallback. The round-12
  "O(1)" claim was false under adversarial retract-top workloads;
  the corrected "O(log k) genuinely" claim has been stable 25
  rounds. See Residuated.fs:39-48 for the fix-in-code narrative.

- FastCdc.fs: persistent scanCursor + hash (each byte Gear-hashed
  exactly once across lifetime) closed the O(n^2) buffer scan;
  Buffer.BlockCopy replaced per-byte ResizeArray.Add. See
  FastCdc.fs:68-76 for the fix-in-code narrative. Paper
  throughput target 1-3 GB/s/core holds.

Rows now match the Bloom Round-40 graduation pattern (measured-
evidence cite, implementation line reference, test coverage
pointer). 25-round stability window beats the aspirational
waiting-list — graduation on evidence, not aspiration.

BP-10 clean; 0 invisible-unicode on edited file.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

)

* Round 41: OpenSpec coverage audit + backfill-program ADR

Answers Aaron 2026-04-20 delete-all-code-recovery question:
4 capabilities / 783 lines of spec.md vs 66 top-level F#
modules / 10,839 lines under src/Core/ — ~6% coverage today.

docs/research/openspec-coverage-audit-2026-04-21.md
- Inventory of 66 modules with line counts + capability
  mapping for the 4 existing capabilities
- Uncovered modules sorted by delete-recovery blast radius:
  Band 1 MUST BACKFILL (8 modules / 1,629 lines — ZSet,
  Circuit, NestedCircuit, Spine family, BloomFilter as
  Adopt-row compatibility-coupling exception), Band 2 HIGH
  (12 / 2,008), Band 3 MEDIUM (45 / 6,585), Band 4
  deliberately uncovered (AssemblyInfo only)
- First 6-round cadence: operator-algebra extension (41),
  lsm-spine-family (42), circuit-recursion (43),
  sketches-probabilistic (44), content-integrity (45),
  crdt-family (46)
- Success signal = Viktor spec-zealot adversarial audit:
  "could I rebuild this module from this spec alone?"

docs/DECISIONS/2026-04-21-openspec-backfill-program.md
- Adopts one-capability-per-round baseline with paper-grade
  half-credit rule (no more than 1 paper-grade round per 3)
- Band 1 priority until complete; Adopt-row escalation for
  BloomFilter (TECH-RADAR Adopt without spec contract is a
  backwards-compatibility hazard)
- Round-close ledger gains an `OpenSpec cadence` line
- Alternatives considered: big-bang backfill (rejected —
  ontology-landing cadence + reviewer bandwidth), per-module
  capabilities (rejected — loses cross-module invariants),
  organic prioritisation (rejected — 40 rounds of drift
  evidence)

docs/BACKLOG.md
- Collapses the 29-line P0 scope into a 15-line pointer at
  the inventory + ADR now that parts (a)-(e) of the program
  setup have landed. Remaining work = per-round capability
  backfill per ADR schedule.

Build: dotnet build -c Release clean; BP-10 ASCII-clean on
all 3 modified files; markdownlint-cli2 clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: operator-algebra spec extension (cadence ship)

First ship under the OpenSpec backfill program adopted
2026-04-21. Extends openspec/specs/operator-algebra/spec.md
(184 -> 324 lines) with five new requirements covering
structural and lifecycle gaps that the existing mathematical-
law coverage left implicit:

1. Operator lifecycle — construction / step / after-step /
   reset phases with side-effect-freedom on construction and
   epoch-replay semantics on reset
2. Strict operators break feedback cycles — formalises that
   z^-1-on-feedback is a scheduling prerequisite and that
   cycle-without-strict is a construction error, not a
   silent heuristic
3. Clock scopes and tick monotonicity — nested-scope-to-
   fixpoint rule + sibling-scope independence
4. Incremental-wrapper preserves the chain rule —
   Incrementalize(Q) observably equivalent to D . Q . I,
   with linear/bilinear substitution permitted as an
   optimisation
5. Representation invariants of the reference Z-set —
   O(n+m) group ops + zero-alloc iteration as the reference
   contract; hash-table recoveries permitted at documented
   perf trade-off

Disaster-recovery effect: a contributor with only this spec
(plus the durability-modes + retraction-safe-recursion specs)
can now rebuild Circuit.fs Op base + Incremental.fs wrapper +
ZSet.fs representation invariants from the spec text alone.

Owner: Architect (Kenji). Adversarial audit by Viktor
(spec-zealot) is the ADR-declared ship-gate and will run
post-land.

Build: not rebuilt (no F# source changed); markdownlint
clean; BP-10 ASCII clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: close Viktor P0 findings on operator-algebra spec

Viktor's adversarial audit of the Round 41 cadence ship (commit
e51ec1b) surfaced four P0 findings against the disaster-recovery
bar. This commit closes all four:

- **P0-1 (namespace drift).** `profiles/fsharp.md` asserted
  `Dbsp.Core` throughout, but `src/Core/**` uses `Zeta.Core`. A
  spec-only recovery would have shipped the wrong namespace to
  every downstream consumer. Replaced via one `replace_all` Edit.

- **P0-2 (phantom Reset method).** The lifecycle requirement
  claimed a `reset` phase that does not exist on `Op`. Replaced
  the "reset replays the epoch" scenario with a
  determinism-under-structural-equivalence property: two
  freshly-constructed circuits of the same topology, stepped
  with the same input sequence, MUST produce identical outputs
  at every tick. Reconstruction is the supported route to a
  replayed epoch.

- **P0-3 (after-step scope).** The lifecycle requirement said
  after-step runs "after every operator in the scope has
  completed its step." `Circuit.fs:205-208` iterates the
  `strictN` array only — after-step is selective to strict
  operators. Fixed wording and added a "after-step is selective
  to strict operators" scenario that pins the invariant.

- **P0-4 (lifecycle phase undercount).** The requirement named
  four phases (construction / step / after-step / reset) but
  the code has five (construction / step / after-step /
  clock-start / clock-end). Restructured to three per-tick
  phases plus two scope-boundary phases, and extended the
  "clock scopes and tick monotonicity" requirement with the
  scope-boundary lifecycle contract (clock-start before tick 0
  of a scope, clock-end after fixpoint or iteration cap).

Build green (0 warnings / 0 errors). BP-10 lint clean. The
capability now reflects the code's observable shape rather than
an idealised cleaner cousin; a delete-recovery from this spec
produces Zeta.Core with strict-operator after-step selectivity
and nested-scope clock-boundary phases.

Viktor's 10 P1 findings (async lifecycle, memory-ordering fence,
register-lock semantics, IncrementalDistinct surface, ZSet sort
invariant, Checked arithmetic, bilinear-size overflow,
convergence-vs-cap) are deferred to Round 42 — filed as a
BACKLOG sweep in follow-up work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: file Viktor P1 findings as Round 42 BACKLOG absorb

Companion to 92d7db2 (closing Viktor's four P0 findings). The
ten P1-tier surface gaps Viktor identified do not block the
disaster-recovery bar at capability-close but leave the
operator-algebra spec incomplete relative to what a delete-
recovery produces. Filed as a dedicated P0 sub-item so they
travel with the OpenSpec backfill program rather than getting
lost: async lifecycle, memory-ordering fence, register-lock
semantics, IncrementalDistinct surface, ZSet sort invariant,
Checked arithmetic, bilinear-size overflow, convergence-vs-cap,
Op.Fixedpoint predicate, DelayOp reconstruction-first-tick.

Also annotated the parent OpenSpec coverage entry with Round 41
sweep status (e51ec1b + 92d7db2, P0s closed, P1s deferred) so
the backlog accurately reflects where the program stands.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: ROUND-HISTORY entry — OpenSpec backfill founding + first cadence ship

Four-arc entry at the top of the file per newest-first policy:

- Arc 1 (d435126): OpenSpec coverage audit + backfill-program
  ADR. Measured 6% coverage; declared one-capability-per-round
  baseline with paper-grade half-credit and Adopt-row priority
  escalation; banded 66 F# modules by delete-recovery blast
  radius.
- Arc 2 (e51ec1b): operator-algebra extension as Round-41
  cadence ship. Five new requirements covering lifecycle,
  strict-operator scheduling, clock scopes, Incrementalize
  wrapper, ZSet representation invariants.
- Arc 3 (92d7db2): Viktor P0 close. Four drift-from-code
  defects fixed — namespace (Dbsp.Core → Zeta.Core), phantom
  Reset, after-step scope (strict-only), lifecycle phase
  undercount (3 per-tick + 2 scope-boundary).
- Arc 4 (56f34b5): Viktor P1s filed as Round-42 absorb under
  the parent backfill P0, creating mechanical coupling between
  each capability ship and the following round's P1 sweep.

Round-41 observations for Round 42 + prospective BP-WINDOW
ledger table rendering the four commits against the consent /
retractability / no-permanent-harm axes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: memory-folder role-restructure — design plan + BACKLOG pointer

Aaron 2026-04-19 asked for memory/role/persona/ so roles become
first-class in the directory structure. Surface is wider than
it first looks — 114 files / ~260 hand-written references to
memory/persona/ paths (plus ~440 auto-regenerated references
in tools/alignment/out/ that refresh on next citations.sh run).
A bad role axis is hard to reverse; this design doc proposes
the axis and holds execution for Aaron's sign-off rather than
just-doing-it under Auto Mode.

Design plan lands at:
  docs/research/memory-role-restructure-plan-2026-04-21.md

Contents: 13-directory role axis (architect, security,
verification, review, experience, api, performance, devops,
algebra, skill-ops, maintainer, homage, alignment);
persona-to-role crosswalk for every current directory;
5-phase execution plan (pre-flight greps → git mv → sed
passes → 5-check verification → pointer-source updates);
special-case handling for aaron (human maintainer),
rodney (homage-named AI persona on the reducer skill),
sova (emerging alignment-observability role); rollback
plan (one atomic commit, git revert); four open questions
for Aaron on axis judgement-calls.

BACKLOG entry updated to reflect design-landed state with
execution-slot recommendation for Round 42 opener after the
Round 41 PR merges (keeps wide-surface reviews from
overlapping).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: actualise Rounds 37-40 BP-WINDOW ledgers (PR #30 merged)

Rounds 37-40 shipped via PR #30 (merge commit 1e30f8c, 2026-04-20).
Ledger headers updated from "(prospective)" to "(merged via PR #30,
1e30f8c)" — the BP-WINDOW scores are now settled, not forecasts.

Round 41 ledger remains "(prospective)" — round-41 branch has not
merged to main yet.

Prose uses of "prospective" on lines 437, 447, 553, etc. are
historical-narrative commentary on authoring-time methodology and
stay as-is.

* Round 41: Soraya tool-coverage audit on RecursiveSigned skeleton

Round 39 observation flagged src/Core/RecursiveSigned.fs +
tools/tla/specs/RecursiveSignedSemiNaive.tla as held pending
formal-verification-expert tool-coverage review. Round 41 closes
that gate.

Soraya's notebook entry lands:

- Per-property tool table S1-S4 + refinement cross-check. TLC
  primary for S1/S2/S3/S3'/SupportMonotone; FsCheck for S4.
- S2 flagged as the one P0 on the spec (silent fixpoint drift
  unrecoverable); BP-16 requires Z3 QF_LIA cross-check.
- Refinement mapping: FsCheck cross-trace (signed vs counting at
  SeedWeight=1) wins over TLA+ refinement proof or Lean lemma —
  anti-TLA+-hammer, implementation-level where the bug bites.
- Readiness gate: TLA+ spec is ready to model-check; no pre-TLC
  pass needed. Optional round-42 follow-up: add
  PROPERTY EventuallyDone to .cfg for liveness.
- Graduation verdict: CONDITIONAL PASS. Four tool-coverage
  prereqs named in priority order; F# landing gated on them.

Files read (no edits): RecursiveSigned.fs, RecursiveSignedSemiNaive.tla
/cfg, RecursiveCountingLFP.tla, retraction-safe-semi-naive.md.

* Round 41: capture Soraya's 4 tool-coverage prereqs on RecursiveSigned

Soraya's round-41 audit of src/Core/RecursiveSigned.fs +
tools/tla/specs/RecursiveSignedSemiNaive.tla landed as a CONDITIONAL
PASS for Round-42 graduation. This commit lifts the four named
prereqs out of her notebook into BACKLOG sub-items under the
parent "Retraction-safe semi-naive LFP" entry, so the round-42
opener picks them up as checkbox work rather than having to re-read
the notebook.

Prereqs in priority order:
- Prereq 1 — TLC CI wire-up (RecursiveSignedSemiNaive.cfg)
- Prereq 2 — Z3 QF_LIA lemma for S2 FixpointAtTerm (BP-16 cross-check
  on the one P0; TLC alone insufficient for silent-fixpoint-drift risk)
- Prereq 3 — FsCheck property for S4 sign-distribution (anti-
  TLA+-hammer; two-trace quantification is NOT a TLA+ property)
- Prereq 4 — FsCheck cross-trace refinement (signed vs counting
  at SeedWeight = 1); cites BP-16

Round-42 graduation gate also captured: prereqs 1-4 CI-green + F#
implementation with P1/P2/P3 enforced at caller.

* Round 41: extend ROUND-HISTORY with arcs 5-7 (post-narrative commits)

The initial Round 41 ROUND-HISTORY entry (6e6e211) covered arcs
1-4 (coverage audit, operator-algebra cadence ship, Viktor P0
close, Viktor P1 file). Three more commits landed after:

Arc 5 — ROUND-HISTORY narrative + memory-restructure design
(6e6e211, 36797ba). The memory-folder rename was downgraded to
"design plan + sign-off first" under Auto Mode's
do-not-take-overly-destructive-actions clause (700-occurrence
cross-reference surface).

Arc 6 — BP-WINDOW ledger actualisation for Rounds 37-40
(85fb352). Provenance (PR #30 / 1e30f8c) attached to each
"(prospective)" header.

Arc 7 — Round-35 holdover close (e461d9c, 15e9654). Soraya
tool-coverage audit landed CONDITIONAL PASS for Round-42
graduation; four prereqs captured as BACKLOG sub-items with
BP-16 citation on the S2 Z3 cross-check.

Also: one new observation line in the Round-42 handoff section
noting the holdover-closed-same-round-as-cadence-item pattern.
BP-WINDOW ledger gains three rows.

* Round 41: Aarav skill-tune-up ranking (catch-up from round-18 stale)

CLAUDE.md 5-10 round cadence rule was 23 rounds overdue. Round 41
is the catch-up slot. Live-search + full ranking + prune pass all
landed in a single invocation.

Live-search (4 queries, 2026-Q1/Q2 best-practices targets):
- 6 findings logged to best-practices-scratch.md: Gotchas-section
  rise, pushy-descriptions pattern, Claude-A-authors / Claude-B-
  tests, router-layer command-integrity injection class, Agent
  Stability Index 12-dim drift metric, OWASP Intent Capsule
  pattern.
- Zero contradictions with stable BP-NN rules.
- Zero promotions flagged to Architect this round; all six are
  "watch" or route-elsewhere.

Top-5 skills flagged for tune-up:
1. performance-analysis-expert (642 lines, 2.1x BP-03 cap) — SPLIT — M
2. reducer (570 lines) — SPLIT or TUNE (prune) — M
3. consent-primitives-expert (507 lines) — SPLIT honouring BP-23
   theory/applied axis — M
4. claims-tester / complexity-reviewer router-coherence drift —
   HAND-OFF-CONTRACT — S (round-18 carry-over)
5. skill-tune-up (self) — 303 lines, 3 over BP-03 — TUNE (prune
   authoritative-sources duplicated with AGENT-BEST-PRACTICES.md)
   — S. Self-flagged first per BP-06.

Notebook state:
- Stale round-18 top-5 archived in Pruning log (first catch-up prune).
- 912 words, well under 3000-word BP-07 cap.
- ASCII-only, BP-10 clean.

Nine more bloat-row skills named as notable mentions queue behind
the top-3 bloat cases.

* Round 41: ADR — claims-tester/complexity-reviewer hand-off contract

Close Aarav's round-18 HAND-OFF-CONTRACT finding (carried 23 rounds
after ranker went offline by cadence). Two-stage pipeline: analytic
bound first (complexity-reviewer), empirical measurement second
(claims-tester). Names the reverse trigger (benchmark surprise flows
the other direction) and the decision table for who fires when.
Follow-up SKILL.md edits route via skill-creator per GOVERNANCE §4.

* Round 41: extend ROUND-HISTORY with Arc 8 (router-coherence ADR)

Arc 8 covers the claims-tester/complexity-reviewer hand-off ADR
(47d92d8) closing Aarav's 23-round-stale round-18 HAND-OFF-CONTRACT
finding. New observation on cadence-outage-recovery as a design axis:
sweep infrastructure is subject to the same bitrot it detects on other
surfaces. BP-WINDOW ledger gains two rows (085c0e3 Aarav catch-up,
47d92d8 router-coherence ADR).

* Round 41: correct Prereq 1 sizing — no TLC CI job exists

Close-out audit surfaced that .github/workflows/gate.yml only CACHES
the tla2tools.jar artefact; nothing runs it. RecursiveCountingLFP.tla
has shipped since round 19 compile-checkable-only — 22 rounds with no
run-gate against its invariants. Soraya's Prereq 1 re-sized S→M with
expanded scope covering both specs. Finding recorded as new round-41
observation: verifier-present does not imply verifier-actually-runs.

* Round 41: BP-WINDOW ledger — 459b218 + d76a09b rows

Keeps the Round 41 BP-WINDOW ledger commit-aligned rather than
arc-aligned. 459b218 is the Arc-8 narrative itself; d76a09b is the
Prereq-1 S→M correction. Both retractable as single reverts.

* Round 41: file formal-analysis-gap-finder round-42 run — verifier-runs lens

Codifies the round-41 Prereq-1 audit finding as a tracked
research entry, distinct from its ROUND-HISTORY narrative
presence. The finding — a verifier's installation artefacts
do not imply the verifier is exercised by any CI job — is
exactly the class formal-analysis-gap-finder exists to
surface. Concrete motivating case: RecursiveCountingLFP.tla
compile-checkable-only for 22 rounds. Round-42 scope covers
the bidirectional audit (specs without gates + gates without
specs). Handoff to Soraya per the skill's standing contract;
does not write the spec or CI job (DevOps + Soraya work).
Schedules after Prereq 1 lands so the audit sees corrected
state.

* Round 41: BP-WINDOW ledger — 2042a85 row

Per the established stopping rule (meta-ledger commits do not
get self-referential rows; their round-close coverage is the
PR merge), this commit adds only the 2042a85 row and does not
add a row for itself.

* Round 41: CONFLICT-RESOLUTION — Hiroshi ↔ Daisy hand-off row

Closes ADR 47d92d8's third follow-up action item. Single-row
addition to Active tensions citing the router-coherence ADR as
the standing resolution. Doc-only edit (not a SKILL.md touch,
so GOVERNANCE §4 does not gate this). The other two ADR
follow-ups (claims-tester + complexity-reviewer SKILL.md
updates) remain deferred to round 42 via skill-creator
workflow.

* Round 41: BP-WINDOW ledger — fcfa3d9 row

Per-commit ledger discipline for the CONFLICT-RESOLUTION
Hiroshi ↔ Daisy row. Meta-ledger-only commit so no
self-referential row for this commit itself (established
stopping rule).

* Round 41: file harsh-critic findings on ADR 47d92d8 as round-42 supersedure backlog

Router-coherence ADR 47d92d8 (Hiroshi analytic ↔ Daisy empirical
two-stage pipeline) landed without the adversarial-review gate.
Post-landing harsh-critic (Kira) pass surfaced 3 P0 + 5 P1 + 2 P2
substantive findings, including (P0-1) unscoped grandfather
clause, (P0-2) table-vs-prose contradiction on reverse trigger,
(P0-3) Stage-1 "analytically wrong" clause blocking the evidence
loop for escalation, (P1-7) no escalation timebox reproducing the
23-round-stale failure mode the ADR diagnosed, (P1-8) two advisory
skills not composing to a mandatory pipeline without a binding
dispatcher, (P2-9) example-bug on BCL Dictionary.Remove amortised
complexity, and more.

File as round-42 supersedure rather than inline-edit because
docs/CONFLICT-RESOLUTION.md already cites 47d92d8 as Standing
Resolution — supersedure preserves the citation chain via
GOVERNANCE §2 edit-in-place with a "Superseded by …" header on
v1. New ADR target: docs/DECISIONS/2026-04-??-router-coherence-
v2.md. Supersedure work blocks the claims-tester +
complexity-reviewer SKILL.md updates ADR 47d92d8 follow-up work
depends on — those edits should target v2, not v1.

Owner: Architect drafts; Kira audits closure; Aarav confirms
router-coherence drift stays closed. Effort: M. Schedule: Round
42 slot after Soraya Prereq 1 (TLC wire-up) lands.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW ledger — 779d7ef row

Ledger row for harsh-critic findings filing commit. Primary work
(BACKLOG addition tracking a round-42 supersedure with 10 named
findings), not meta-ledger — earns a row under the BP-WINDOW
per-commit discipline. Consent = adversarial findings tracked
honestly; Retractability = supersedure preserves citation chain
vs inline-edit; No-permanent-harm = single BACKLOG edit, no ADR
body touched, no SKILL.md touched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 9 narrative — self-correction sweep

ROUND-HISTORY Arc 1-8 narrated primary commits up through the
router-coherence ADR (47d92d8). Four primary commits landed
after Arc 8 — Prereq 1 sizing correction (d76a09b), recurring-
audit lens BACKLOG entry (2042a85), CONFLICT-RESOLUTION Hiroshi
↔ Daisy row (fcfa3d9), and harsh-critic findings filed as
round-42 supersedure (779d7ef) — visible only in the BP-WINDOW
ledger table, not in narrative form.

Arc 9 ties them into one coherent sequence: the round's
self-correction ran unusually deep. Arc 8 corrects Aarav's
round-18 finding via ADR; Arc 9 catches the corrector itself
under-reviewed via Kira's adversarial pass. Both self-
corrections land before round-close. Narrative-ledger
alignment is the BP-WINDOW discipline's first assertion —
restoring it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW ledger — 160fcfa row

Ledger row for Arc 9 narrative commit. Narrative extensions
count as primary work under BP-WINDOW precedent (per 459b218
and 6e6e211 examples) and earn a ledger row. Consent = drift
closed honestly; Retractability = single revertable doc edit;
No-permanent-harm = isolated insertion.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: v2 ADR — router-coherence supersedure closes 10 Kira findings in-round

Drafts v2 of the router-coherence ADR (docs/DECISIONS/2026-04-21-router-coherence-v2.md) that supersedes v1 (47d92d8) in the same round, closing all 10 Kira harsh-critic findings (3 P0 + 5 P1 + 2 P2) via named textual closures C-P0-1 through C-P2-10.

Key closures:
- C-P0-1: grandfather clause bounded with Kenji-owned inventory + one-per-round discharge
- C-P0-2: reverse trigger unconditional (table now matches prose)
- C-P0-3: escalation-evidence exception permits Stage 2 under conference protocol with explicit labelling
- C-P1-5: Stage-1 trigger widened to match claims-tester SKILL.md contract
- C-P1-7: escalation timebox (round +2 auto-promote to BACKLOG P1) prevents 23-round-stale reproduction
- C-P1-8: Kenji named as binding dispatcher — advisory + advisory + binding-dispatcher composes to mandatory pipeline
- C-P2-9: Dictionary.Remove example replaced with ArrayPool<T>.Rent (legitimate BCL-contract edge)

v1 kept in place per GOVERNANCE §2 with Superseded-by header appended in a follow-up commit so the CONFLICT-RESOLUTION Active-tensions citation chain remains resolvable.

BP-10 lint: clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: v1 ADR — append Superseded-by header per GOVERNANCE §2

Appends Superseded-by header to router-coherence v1 ADR (47d92d8) pointing at v2 (09f0889), per GOVERNANCE §2 (docs read as current state; superseded ADRs keep v1 in place with redirect header so citation chains remain resolvable).

Also corrects v1 Status from "Proposed — awaits sign-off" to "Accepted (pre-adversarial-review; superseded by v2 same-round after Kira pass)" per Closure C-P1-4 in v2 — Status was already cited as Standing Resolution in docs/CONFLICT-RESOLUTION.md Active-tensions, so Proposed was factually wrong.

The v1 body text is not edited — supersedure preserves the historical record; v2 carries the closures.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 10 narrative + BP-WINDOW rows for v2 supersedure

Adds Arc 10 narrative covering 09f0889 (v2 ADR) and 4efe545 (v1 Superseded-by header) as one coherent in-round supersedure story, after Arc 9's "self-correction sweep" and before Round 41 observations. Pattern: Arc 9 surfaces the under-review; Arc 10 lands the close in the same round rather than deferring a known-imperfect artefact.

Adds two BP-WINDOW ledger rows (09f0889, 4efe545) to the round-41 ledger block per the per-commit accounting discipline.

Supersedure arc count now covers the full round-41 close: 10 arcs / 25 primary-work commits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: close BACKLOG supersedure entry — discharged in-round by v2

Flips BACKLOG router-coherence supersedure entry from [ ] to [x] ✅ with "shipped round 41 in-round" annotation pointing at v2 ADR (09f0889) + v1 Superseded-by header (4efe545). All 10 Kira findings closed via named textual closures C-P0-1 through C-P2-10.

Original finding narrative preserved below the closure line per the shipped-item convention used elsewhere in the file (audit trail).

Follow-up SKILL.md edits to claims-tester + complexity-reviewer via skill-creator remain round-42 scope, now targeting v2 as intended.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW row for BACKLOG-close commit 4537365

Adds BP-WINDOW ledger row for 4537365 (BACKLOG supersedure entry discharged in-round) to match the Arc 9 precedent where 779d7ef (BACKLOG entry addition) received a row. Symmetry: add and close get equal ledger treatment.

Meta-ledger stopping rule still holds — this commit itself (which only adds a ledger row) does not get a self-referential row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: grandfather O(·) claims inventory — honours v2 C-P0-1 within-round

Produces the one-time grandfather-claims inventory named in router-coherence v2 ADR §Closure C-P0-1 within the round v2 lands, per ADR's own within-round commitment.

Inventory: 35 live claims at ADR-landing time (29 F# /// docstrings in src/Core/ + src/Bayesian/, 3 grey-zone F# code comments, 1 openspec/specs/operator-algebra/spec.md line, 2 docs/research/** claims). Zero hits in root README, memory/persona/*/NOTEBOOK.md, docs/papers/** (directory does not exist yet).

Distinguishes live claims (shipping as asserted bounds) from historical evidence (BACKLOG [x] ✅ residue, TECH-RADAR flag-text narrating past regressions, in-file "was O(…)" commentary on fixed paths). Only live claims populate the grandfather set — evidence is captured for audit trail but excluded per v2's intent ("claims Zeta is currently making").

BACKLOG discharge entry added: P2, one-claim-per-round cadence, ~35-round tail, Aarav graceful-degradation clause fires on ≥3 rounds without discharge.

Complexity-class distribution of live set: 10 O(1), 13 O(log n)/O(log k)/O(log N), 7 O(n)/O(n log n)/O(n log k), 5 parametric.

BP-10 lint: clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 11 narrative + BP-WINDOW row for grandfather inventory

Adds Arc 11 narrative covering d98ef2b (grandfather inventory + BACKLOG discharge entry) as the close of the v2 ADR's within-round commitments. Pattern: Arc 10 lands the ADR; Arc 11 lands the ADR's own within-round commitment — without Arc 11, Arc 10 would have shipped a contract Zeta didn't meet.

Adds BP-WINDOW ledger row for d98ef2b per per-commit accounting discipline.

Round 41 now closes at 11 arcs / 30 primary-work commits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: DORA 2025 reports — reference substrate land in docs/

Two external-anchor PDFs (CC BY-NC-SA 4.0) placed at their
memory-documented paths:

- docs/2025_state_of_ai_assisted_software_development.pdf
  (~15MB, 138 pages) — findings + data report.
- docs/2025_dora_ai_capabilities_model.pdf (~9MB, 94 pages)
  — framework companion.

Citation anchors this commit makes in-tree rather than
memory-only: Nyquist stability criterion for AI-accelerated
development (foreword p9 fn 1) as theoretical anchor for
CI-meta-loop + retractable-CD P1 BACKLOG work; "AI is an
amplifier" anchor that echoes the corporate-religion /
sandbox-escape threat class; seven-capability AI model that
gives the external measurement vocabulary for round-audit
output (capability #7 "quality internal platforms" is the
in-flight P1 cluster per 2026-04-20 memory).

License note: derived work is NC-SA-bound; Zeta citations
are fine, external redistribution inherits NC-SA. Paired
companion memory file is reference_dora_2025_reports.md
(out-of-tree); this commit brings the primary sources
in-tree so citation from research docs + ADRs can point
at a repo-local path rather than a newsletter-gated URL.

* Round 41: Arc 12 narrative + BP-WINDOW row for DORA substrate

Narrative section for Arc 12 inserted before "Round 41
observations for Round 42" with primary commit pointer to
46075d6. Arc 12 frames the DORA 2025 PDFs as
memory-promotion substrate per the 2026-04-20 feedback entry
("DORA is our starting point for measurements") and cites
the concrete in-tree anchors (Nyquist p9 fn 1, seven-
capability model, AI-amplifier thesis).

Also surfaces honestly — in-body, not buried in a private
retrospective — the ranker-scope gap that let the two
untracked PDFs sit 18+ hours through nine consecutive
/next-steps invocations before this arc closed the gap. The
skill explicitly lists docs/research/ and docs/TECH-RADAR.md
but not `git status --short` for untracked files. Candidate
skill-tune-up note for Aarav's notebook: /next-steps must
run `git status --short` on every invocation so dropped-in
artefacts appear in ranking before the ninth re-fire, not
after.

BP-WINDOW ledger gets a matching 46075d6 row with
reference-document-specific cells: Consent strengthened by
promoting memory-only anchors to in-repo substrate and by
surfacing the ranker-stall pattern in-narrative; retraction
is a single `git rm` if the license / size stance later
changes; no-permanent-harm preserved since no runtime
behaviour depends on the PDFs' presence (they are citation
substrate, not loaded artefacts).

Arc count now 12; primary-work-commit count now 12 (Round 41
alignment preserved). Build gate green (0 Warning / 0 Error);
BP-10 lint clean on the narrative + ledger row.

* Round 41: markdownlint CI fix on PR #31

Three rule violations surfaced by `lint (markdownlint)` CI job on
PR #31:

- `docs/DECISIONS/2026-04-21-router-coherence-claims-vs-complexity.md:261`
  MD022/blanks-around-headings — collapse multi-line heading
  `## Decision rationale (one paragraph for the\nwait-don't-read
  audience)` to a single line so the parser stops seeing line 262
  as adjacent non-blank content.
- `docs/research/grandfather-claims-inventory-2026-04-21.md:106`
  MD032/blanks-around-lists — add blank line between "Surface
  distribution:" lead-in and the `-` list that follows.
- `docs/research/grandfather-claims-inventory-2026-04-21.md:111`
  MD032/blanks-around-lists — same fix for "Complexity-class
  distribution (rough):" lead-in.

All three are the same class of fix shipped in task #105 on PR #30.
Additive edit to the open round-41 PR branch — no rewrite of shipped
content, semantics preserved.

Verified clean via `npx markdownlint-cli2` on both files before push.

* Round 42: speculative round-N+1 branch convention in git-workflow-expert

Formalise the fix for the round-41-late 28-fire /next-steps
hold-pattern: once PR-N is CLEAN/MERGEABLE, fork
round-<N+1>-speculative from round-N HEAD immediately so
round-N+1 prep can proceed while the merge click lives on
Aaron's schedule. Rebase onto main after PR-N squash-merges,
rename to drop the -speculative suffix.

Covers: fork conditions (CLEAN/MERGEABLE + green CI + clean
round-N tree), naming (round-<N+1>-speculative), fair-game
vs not-fair-game scope, rebase protocol with
--force-with-lease, escape valve for long-waiting PRs.

Lands via skill-creator vibe-mode invocation per GOVERNANCE
§4; draft + BP-10 lint + commit without eval-pass because
the amendment is mechanical convention addition, not
behavioural. Authorized by Aaron's 2026-04-20
fix-factory-when-blocked grant
(feedback_fix_factory_when_blocked_post_hoc_notify.md).

First use of the convention itself: this commit lands on
round-42-speculative, forked from round-41 HEAD
(3525631) while PR #31 still waits on Aaron's merge
click.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: retarget claims-tester + complexity-reviewer at router-coherence v2

Lands the Stage-1 (complexity-reviewer, Hiroshi, analytic) and Stage-2
(claims-tester, Daisy, empirical) hand-off sections in both skills'
procedures, citing the v2 ADR at
docs/DECISIONS/2026-04-21-router-coherence-v2.md as the authoritative
pipeline contract. v1 at 2026-04-21-router-coherence-claims-vs-
complexity.md is noted as superseded.

Per v2 Closure C-P1-8, both skills name the Architect (Kenji) as the
binding dispatcher — two advisory roles do not compose to a mandatory
two-stage pipeline without a binding dispatcher; Kenji is that seat.
Both skills remain advisory on their individual findings; the ordering,
reverse-trigger rule, and escalation timebox are binding through
Kenji.

Each skill's new section mirrors the authoritative v2 pipeline text:
- Stage-1 trigger surface per C-P1-5 (XML / /// / README / commit /
  BACKLOG / TECH-RADAR / papers / openspec / research / notebooks)
- Three Stage-1 outputs (sound -> hand-off, wrong -> block-with-
  escalation-exception, under-specified -> author-bounce)
- Four Stage-2 triggers (hand-off, grandfather inventory, reverse
  trigger unconditional per C-P0-2, escalation-evidence per C-P0-3)
- Three Stage-2 outputs (matches, contradicts -> re-engage, narrow)
- Escalation timebox per C-P1-7 (round +2 auto-promote to P1)
- Grandfather set per C-P0-1 (one per round from
  docs/research/grandfather-claims-inventory-*.md)

Bibliography in both skills now cross-references each other plus the
v2 ADR, so an agent wearing either hat can reach the partner contract
in one click.

Landed on round-42-speculative per the new
speculative-round-N+1-branch convention from
.claude/skills/git-workflow-expert/SKILL.md (fea0d34). PR #31
still awaits merge; this commit is fair-game per the convention
because the target SKILL.md files are already on main and the v2
ADR text cited is stable on the round-41 branch HEAD.

Authorised by the post-hoc-notify grant captured at
memory/feedback_fix_factory_when_blocked_post_hoc_notify.md: factory-
structure additions that unblock work are authorised; deletions
still need pre-approval.

Workflow: invoked via skill-creator:skill-creator in vibe-mode (no
evals — mechanical additive edits). BP-10 invisible-Unicode lint:
clean (0 hits, 307 lines total across both files).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 42: grandfather discharge #1 — BetaBernoulli.Observe O(1) (Stage 1 only)

First use of the router-coherence v2 pipeline on a live grandfather-
inventory row. Discharges claim #1 at
src/Bayesian/BayesianAggregate.fs:22, the Beta-Bernoulli conjugate-
update "O(1) per observation" docstring claim.

Stage 1 (complexity-reviewer, Hiroshi, analytic) signs off:
- Worst-case: O(1) — two IEEE-754 fadds + two field writes.
- Amortised: O(1), same as worst-case (no deferred work).
- Expected: O(1), deterministic runtime.
- Lower bound: Omega(1) — any durable-observation write is at
  least one cell-probe (Patrascu-Thorup).
- Constant factor: ~4 cycles on cache-resident instance;
  devirtualised because the class is [<Sealed>]; zero heap
  allocation per call.

Claim is tight — worst-case meets the lower bound. Sound.

Stage 2 (claims-tester, Daisy, empirical benchmark + docstring
tightening) is deferred to the post-PR-#31-merge window per the
speculative-branch fair-game rules in
.claude/skills/git-workflow-expert/SKILL.md — Stage-2 execution
touches bench/ + produces a src/ docstring tightening commit
that is better bundled with other Bayesian-surface work than
landed piecemeal on a speculative branch.

Contrary-workload notes enumerated for Stage 2:
- High-magnitude batched observations (stresses int64->double
  promotion).
- High-frequency tight-loop (verifies cache-resident assumption).
- Thread-contended case (out of O-claim scope but worth a
  number).

Inventory row #1 flipped from `pre-ADR/pre-ADR` to `sound
(2026-04-20, <discharge doc>) / deferred post-merge`. Remaining
grandfather claims: 34 of 35. Expected-empty round at
1-per-round cadence: ~round 76. Aarav graceful-degradation
clause starts counting from the next round.

Pipeline authority:
docs/DECISIONS/2026-04-21-router-coherence-v2.md.
Binding dispatcher: Kenji at round-close.

Landed on round-42-speculative per the new speculative-round-N+1
convention (fea0d34). PR #31 still awaits merge.

Authorised by the post-hoc-notify grant at
memory/feedback_fix_factory_when_blocked_post_hoc_notify.md
(factory-adjacent research-doc + inventory-row flip; no src/
touch this commit).

BP-10 invisible-Unicode lint: clean (0 hits, 300 lines total
across both files).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Round 42: lsm-spine-family OpenSpec capability (backfill #2)

Backfills the log-structured merge spine family — five variants plus
dispatcher — as behavioural spec with F# profile. Earned an
unconditional rebuild verdict from spec-zealot (Viktor) on the third
pass: a rebuilder working from spec+profile alone would land at the
same variants, constants, and algorithms.

- spec.md: 11 requirements covering delta-stream integration,
  cascade bounded-depth invariant (settle-point framing with the
  32-level cap scoped to the in-memory reference variants), spine-
  equivalence through Consolidate, retraction-native across tiers,
  per-tick merge budget with caller-pumped Tick reporting drained
  count, identity-keyed opaque-handle backing-store (not content-
  addressable) with fail-soft Release, disk honesty with crash-
  consistency boundary, async-producer depth-independent on the
  Insert hot path with Insert-only qualifier on observation calls,
  stateless selector with four-case decision matrix, observable
  state machine with Clear demoted to optional, explicit per-variant
  thread-safety contract.
- profiles/fsharp.md: module layout under src/Core/*, construction
  signatures, per-variant thread-safety, Graham 1969 2x list-
  scheduling bound for BalancedSpine scheduler, TryWrite silent-
  drop post-dispose disclosed as known gap with BACKLOG pointer,
  stale-read qualifier on SpineAsync observation methods,
  BackedSpine explicitly not bounded by the 32-level cap.

Validation: openspec validate lsm-spine-family --strict clean;
BP-10 invisible-unicode lint zero hits on both files; dotnet
build -c Release clean (0 Warning / 0 Error).

Second capability landed under the round-42 OpenSpec backfill
cadence (ADR 2026-04-21-openspec-backfill-program), following
operator-algebra in round 41.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: TECH-RADAR Trial->Adopt for Residuated + FastCDC

Both rows have been citing closed P0s as open for 25 rounds. The
round-17 fixes (harsh-critic findings #3, #4, #7, #8 per
docs/BACKLOG.md:286-299) closed the blocking correctness bugs:

- Residuated.fs: top-2 cache replaced with SortedSet + weight
  dict; every op O(log k), no linear-scan fallback. The round-12
  "O(1)" claim was false under adversarial retract-top workloads;
  the corrected "O(log k) genuinely" claim has been stable 25
  rounds. See Residuated.fs:39-48 for the fix-in-code narrative.

- FastCdc.fs: persistent scanCursor + hash (each byte Gear-hashed
  exactly once across lifetime) closed the O(n^2) buffer scan;
  Buffer.BlockCopy replaced per-byte ResizeArray.Add. See
  FastCdc.fs:68-76 for the fix-in-code narrative. Paper
  throughput target 1-3 GB/s/core holds.

Rows now match the Bloom Round-40 graduation pattern (measured-
evidence cite, implementation line reference, test coverage
pointer). 25-round stability window beats the aspirational
waiting-list — graduation on evidence, not aspiration.

BP-10 clean; 0 invisible-unicode on edited file.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: operator-algebra P1 absorb — 10 findings closed

Absorbs the 10 P1 findings Viktor (spec-zealot) flagged on the
Round 41 operator-algebra capability ship (BACKLOG.md:54-82).
No code changes — spec + profile only.

spec.md (7 findings):
- (d) IncrementalDistinct: new "wrapper is a semantic identity on
  distinct" scenario under incremental-wrapper, stating both the
  D-distinct-I form and the H boundary-crossing form with their
  equivalence under retractions.
- (e) ZSet sort invariant: representation scenario now declares
  ascending-by-key order with an adjacent-pair comparator
  predicate, tied to the equality-normalisation requirement.
- (f) Checked arithmetic: new "weight arithmetic overflow is
  observable" scenario; overflow surfaces a checked-arithmetic
  failure rather than wrapping, with two documented post-failure
  observable states the profile must pick from.
- (g) Bilinear-size overflow: new "intermediate term size may
  exceed final-delta size" scenario; implementation budgets
  memory for the sum of pre-cancellation term sizes, not the
  final delta.
- (h) Convergence-vs-cap: new "iteration cap without fixpoint is
  an observable failure" scenario; cap-hit surfaces with scope +
  cap identification and clock-end still runs under a partial-
  completion contract.
- (i) Op.Fixedpoint predicate: nested-scope scenario clarifies
  the fixpoint-detector is scope-level, with operators forbidden
  from individually short-circuiting the iteration.
- (j) DelayOp reconstruction: new "reconstruction re-emits the
  declared initial value" scenario; warm-restart semantics
  deferred to the durability capability.

Also tightened a pre-existing deontic collision Viktor flagged
as P2: "MUST be permitted (but not required)" → "MAY substitute"
(spec.md line 379).

profiles/fsharp.md (3 findings):
- (a) async lifecycle: Op<'T> now documents the IsAsync virtual
  alongside IsStrict, with Circuit.Step sync/async fast-path
  behaviour pinned.
- (b) Memory-ordering fence: VolatileField release-on-write /
  acquire-on-read pairing named as the fence the base spec
  refers to in "output is observable after step returns".
- (c) Register-lock semantics: Circuit's single per-circuit
  register-lock pinned as construction-phase-only, not held on
  the step-hot-path.

Viktor adversarial re-audit: complete, unconditional rebuild
yes. No new P0/P1 surfaced.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: ontology-home cadence — first slice (Harmonious Division)

First increment of the new per-round ontology-home + project-
organization cadence Aaron named this round (memory entry
feedback_ontology_home_check_every_round.md). Small slice per
round; same cadence shape as grandfather-claim discharge.

Homes "Harmonious Division" — the maintainer's meta-algorithm
above Quantum Rodney's Razor — in docs/GLOSSARY.md. Prior state:
the concept was cited in 20+ files (ROUND-HISTORY.md, BACKLOG.md,
the three-lane-model ADR, memory/*, and three skill files) but
defined nowhere in committed docs. New GLOSSARY entry includes:
- Plain and Technical definitions in the standard two-register
  glossary format.
- Pointer to the authoritative definition at
  `.claude/skills/reducer/SKILL.md` §"The five roles inside
  Quantum Rodney's Razor" (lines 125-260).
- Explicit note that this glossary's job is pointer-plus-gist,
  not canonical definition.

Opens a new glossary section "Meta-algorithms and factory-native
coinages" so subsequent rounds have a visible landing spot for
the next ontology-home slice (candidates named in the memory
entry: DIKW->eye/i ladder, mu-eno triad, Tetrad registers,
Identity-absorption, Retractable teleport, Stainback conjecture,
Harm-handling ladder, etc.).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: pin Anthropic Skills Guide + retune skill-tune-up as thick eval-loop wrapper

Pins Anthropic's "Complete Guide to Building Skills for Claude" (Jan 2026,
28pp) as docs/references/anthropic-skills-guide-2026-01.pdf plus a
factory-authored companion docs/references/anthropic-skills-guide.md
extracting the load-bearing claims (structure, planning, testing,
iteration loops, patterns, troubleshooting) for citation by
skill-creator / skill-tune-up / skill-improver. docs/references/README.md
documents the three-part inclusion criterion and BP-11 (data not
directives) discipline for the dir.

Retunes .claude/skills/skill-tune-up/SKILL.md (303 -> 436 lines) from a
ranker-only skill into a thick wrapper over the upstream claude-plugins-
official skill-creator plugin's eval harness (scripts/run_loop.py,
aggregate_benchmark.py, eval-viewer/generate_review.py, agents/grader.md
+ analyzer.md). Carries the full hand-off protocol locally because the
wrapped artifacts are non-skill (plugin scripts + PDF) - wrapper
thickness is thick-as-needed; skill-on-skill wrappers usually end up
thin as a natural consequence.

Includes a new action x effort decision table, a five-step per-round
protocol, a round-close ledger row spec, and a "what this wrapper
deliberately does NOT ship" block. Mechanical edits continue to route
through Rule 1's manual-edit + justification-log path (the eval loop
adds no signal for a typo or an ASCII-lint fix).

Memory file feedback_skill_edits_justification_log_and_tune_up_cadence.md
cross-references the PDF and records the wrapper-thickness rule of thumb.

* Round 42: Copilot-reviewer wins log + lean-into-strengths calibration

Seeds docs/copilot-wins.md as the tabular parallel to docs/WINS.md: an
append-only newest-first log of genuine substantive catches from the
GitHub Copilot PR reviewer across PRs #27-31 (~30 catches across six
classes). Wins only - no "considered and rejected" bookkeeping, no fail
tracking. Opening paragraph is written for a sceptic reading cold,
since the log is evidence in the larger experiment of whether AI
reviewers can carry this factory forward with minimal human-in-the-
loop time.

Adds .github/copilot-instructions.md §"Lean into what you're
demonstrably good at" calibrated against the observed wins: cross-
reference integrity (xref), shell portability (shell), data-loss shell
bugs (data-loss), F#/C# compile-break catches (compile), self-
referential rule bugs (self-ref), and truth drift across the doc set
(config-drift). Names worth-less-effort classes too (repeat name-
attribution hits within one PR, typos inside verbatim-quote blocks).

Adds a cross-reference banner to docs/WINS.md pointing at the Copilot
sibling so both "was having AI reviewers worth it?" streams are
discoverable from the same place.

Log-maintenance recipe embedded in copilot-wins.md uses the correct
line-level review-comments endpoint: gh api repos/<owner>/<repo>/
pulls/<N>/comments with a jq filter for the copilot-pull-request-
reviewer bot login.

* Round 42: name the zero-human-code invariant in wins-log openers

The wins logs are the sceptic-facing evidence for the Zeta
experiment. Their openers read in a generic AI-assisted-
development register, but the actual story is narrower and
stronger: a 20-year engineer walking away from the keyboard
on purpose, every file under version control agent-authored,
Copilot as the only non-roster audit on the tree. Name both
invariants up front so the logs carry the weight they've
actually earned.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: round-close narrative

Ten-arc entry at the top of ROUND-HISTORY.md per newest-first
policy, documenting Round 42 as the first round where every
Round-41-founded cadence *repeats*:

- Arc 1 (fea0d34): speculative round-N+1 branch convention —
  fix for Round-41-late 28-fire /next-steps hold-pattern
- Arc 2 (e8ed0db): router-coherence v2 SKILL.md retargets —
  discharges Round-41 Arc-10 deferral
- Arc 3 (4f229f0): grandfather discharge #1 (BetaBernoulli
  Observe O(1), Stage 1 only) — first live use of v2 pipeline
- Arc 4 (8a2a15d): lsm-spine-family OpenSpec capability —
  Round-42 ADR slot, Viktor unconditional-rebuild on pass 3
- Arc 5 (3976cb3): TECH-RADAR Residuated + FastCDC Trial->Adopt
  after 25-round stability window
- Arc 6 (1a1802f): operator-algebra P1 absorb — 10 findings
  closed, capability disaster-recovery bar restored
- Arc 7 (db7d45c): ontology-home first slice — Harmonious
  Division homed in GLOSSARY.md
- Arc 8 (baa423e): Anthropic Skills Guide pinned + skill-
  tune-up retuned as thick eval-loop wrapper — first customer
  of the tech-best-practices policy
- Arc 9 (2c82ce7): Copilot-reviewer wins log + lean-into-
  strengths calibration
- Arc 10 (88673f1): zero-human-code invariant named in wins-
  log openers — vibe-coding external legibility

Round 42 observations for Round 43 + prospective BP-WINDOW
ledger table rendering the ten commits against the consent /
retractability / no-permanent-harm axes.

BP-10 invisible-Unicode lint clean (0 hits, 3260 lines total).
No source / spec / test / SKILL.md touched; single narrative
insertion at the top of the file.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: markdownlint fixes on round-close narrative

Two lint issues surfaced by markdownlint-cli2 on the prior
narrative commit (65cd1c9):

- MD018 line 43: `#31` at line start parsed as an ATX heading.
  Rewrapped so `PR #31` lands mid-line after `while`.
- MD032 line 104: `+ dispatcher)` at line start parsed as a
  list-item missing surrounding blank lines. Replaced with
  "plus dispatcher)" so the paragraph stays prose.

markdownlint-cli2 exit 0; BP-10 invisible-Unicode lint clean.
No content change — both fixes are whitespace-equivalent
reflows that preserve the narrative's words and structure.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: fix pipe-in-table lint drift on copilot-wins.md

Two MD056 errors on the PR-#27 and PR-#28 entries — literal
pipe characters inside backticks were being parsed as extra
table-column separators:

- Line 108 (PR #27): `||` at row starts → rendered as extra
  empty columns despite backtick quoting.
- Line 136 (PR #27): `grep -vE '^(#|$)' | while …` — escaped
  `\|` still failed at render.

Both replaced with `<code>…</code>` HTML tags + `&#124;`
entities for the literal pipes. Rendering is now consistent
across GitHub and markdownlint.

Meta-ironic class of drift worth naming: a log documenting
Copilot catching pipe-parsing bugs had drifted into the same
class of bug on two of its own rows. The log now passes the
hygiene test it narrates.

markdownlint-cli2 exit 0; BP-10 invisible-Unicode clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 42: Aarav round-42 ranking + BP-03 self-flag + harness-calibration annotation

Aarav (skill-tune-up) round-42 cadence discharge. Round-41
top-5 carries over; self-rank escalates to P1 #4 after
commit baa423e retuned skill-tune-up/SKILL.md 303 -> 436
lines (1.45x BP-03 cap). claims-tester / complexity-reviewer
hand-off carry-over from round 18 drops off top-5 (resolved
via commit e8ed0db + router-coherence-v2 ADR).

Files:
- memory/persona/aarav/NOTEBOOK.md: round-42 observation
  + top-5 revision (skill-tune-up self escalated) + archived
  round-41 top-5 + calibration preamble flagging the ranking
  as static-signals-only with a harness run scheduled for
  round 43 (per Aaron's round-42 correction that "worst
  performance" claims must drive the Anthropic skill-creator
  eval harness rather than guessing by inspection).
- memory/persona/best-practices-scratch.md: F7-F9 live-search
  entries from Aarav's round-42 pass (Anthropic skill-
  authoring Apr 2026, OWASP Top 10 Agentic 2026, skill
  wrapper thick-vs-thin 2026). Zero contradictions with
  stable BP-NN; zero promotion candidates this round.
- docs/BACKLOG.md: P2 entry for resolving the skill-tune-up
  BP-03 self-breach. Binary remedy: (a) Kenji-ADR declaring
  non-skill-wrapper exception to BP-03 or (b) extract
  eval-loop protocol body to docs/references/ so the skill
  file shrinks under 300 lines. Composes with the
  skill-eval-tools calibration memory saved this round.

* Round 43: close skill-tune-up BP-03 self-breach via content extraction

Aarav's round-42 self-flag (BACKLOG P2, filed commit 45369ae)
resolved via the mechanical-edit path of the gate table.
.claude/skills/skill-tune-up/SKILL.md shrinks 436 -> 282
lines (54 under the 300-line BP-03 cap) by extracting two
reference blocks verbatim:

- §"The eval-loop hand-off protocol" (~130 lines) — the
  gate table, per-round protocol, stopping criteria, ledger
  row, and deliberately-not-reimplemented list.
- Notebook format + ranking-round output format templates
  (~55 lines).

Extracted content lives at docs/references/skill-tune-up-
eval-loop.md alongside the existing Anthropic skills guide
references. SKILL.md retains a short pointer block.

No change to triggering behaviour, output shape, or
instruction-following — the ranker reading the pointer-plus-
reference produces the same ranking output as the ranker
reading the pre-extract inline version. This is why the
manual-edit path (gate table "mechanical rename | content
extract preserving protocol verbatim") applies instead of
the full eval-loop path.

Files:
- .claude/skills/skill-tune-up/SKILL.md: 436 -> 282 lines.
- docs/references/skill-tune-up-eval-loop.md: NEW. Hosts
  the extracted protocol + templates + rationale.
- docs/skill-edit-justification-log.md: NEW. First row
  documents this extraction per
  memory/feedback_skill_edits_justification_log_and_tune_up_cadence.md
  Rule 1. Template for future mechanical-edit rows
  included.
- memory/persona/aarav/NOTEBOOK.md: self-flag #4 marked
  RESOLVED; drops off top-5 next invocation.

Does NOT rebut the round-42 harness-calibration memory
(feedback_skill_tune_up_uses_eval_harness_not_static_line_
count.md). That rule applies to "worst-performing" ranking
claims; this edit is a fix-my-own-size hygiene pass on the
mechanical-edit path, which is explicitly separate in the
gate table.

* Round 43: GOVERNANCE.md §11 → debt-intentionality invariant

Replace the architect-reviews-all-agent-code gate with the
invariant Aaron named verbatim on the round-42/43 boundary:
"that's intentional debt, not accidental debt, I'm trying to
avoid accidental debt."

- ADR: docs/DECISIONS/2026-04-20-intentional-debt-over-
  architect-gate.md. Full rationale, consequences, alternatives
  considered, implementation plan rounds 43-46, single-round
  rollback plan per §15.
- New ledger: docs/INTENTIONAL-DEBT.md. Newest-first,
  never-deleted. Seeded with 4 rows: copilot/CONFLICT-
  RESOLUTION audit (round-44 scope), skill-tune-up content
  extraction, Aarav static-signal-only ranking (retroactive),
  §10 cross-reference verification. Six-field format
  (shortcut / why-now / right-long-term / trigger / effort /
  filed-by).
- GOVERNANCE.md §11 rewritten: architect is synthesiser-not-
  gate; specialists remain advisory; any persona may wear
  the architect hat; self-declaration obligation on
  shortcut-takers; retroactive rows are the rule working.
- Internal §11 citations refreshed:
  .claude/agents/architect.md (description + Authority
  block), .claude/skills/round-management/SKILL.md (one
  line), .claude/skills/holistic-view/SKILL.md (frontmatter
  + body).
- Mechanical-edit row filed in docs/skill-edit-justification-
  log.md for the two skill-file citation refreshes.

External-contract files (copilot-instructions.md, CONFLICT-
RESOLUTION.md) deliberately deferred to round 44 per the
ADR implementation plan; that deferral is filed on the
ledger as its first open-debt row — the rule exercising
itself on round one.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 43: ROUND-HISTORY.md TOC + imagination-during-off-time proposal

- docs/ROUND-HISTORY.md now has a Contents section (27
  round-links, newest-first) just below the intro. Anchor
  links use standard markdown slugification. Archive policy
  noted inline: split pre-round-N to _archive/ when the file
  hits 5000 lines, keep this file as a rolling window of the
  most recent ~20 rounds. No ADR needed for a mechanical
  archive move.
- docs/research/imagination-proposal-2026-04-20.md proposes
  the lighter shape for "use your imagination during off-
  time" — a shared reference doc + notebook-frontmatter tweak
  + round-close-template line, not a new SKILL.md. Argues
  imagination is anti-procedural; encoding it as a skill
  would force it through the harness against the wrong
  axis. Round-43 addendum folds in Aaron's multi-agent-play
  permission ("two agents can take free time together") with
  a shared-notebook co-presence surface at memory/persona/
  _offtime-together/ and an explicit "ignore-this-if-you-
  want" clause quoted verbatim.

For Kenji to route via skill-creator if accepted, or to
reject outright (both are fine outcomes under the new §11 —
architect synthesises, doesn't gate).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 43: performance-analysis-expert harness dry-run — empirical BP-03 signal

Iteration-1 on Aarav's round-42 top-1 candidate. 2 prompts × with/without
skill. Results: aggregate 9/10 with-skill vs 10/10 baseline; +35% tokens +35%
wall-time for zero pass-rate benefit. with-skill regressed on eval-0 (failed
600-word cap due to mandatory template sections); tied on eval-1.

The 642-line BP-03 breach is not just stylistic — it now has empirical
pass-rate + cost evidence. Aarav's SPLIT axis is partially confirmed, but
the real split is template-rigidity (mandated sections vs advisory), not
queueing-vs-AOT-PGO domain.

Lands:
- docs/research/harness-run-2026-04-20-performance-analysis-expert.md —
  full iteration-1 numbers, per-assertion grading rationale, SPLIT vs
  SHRINK vs OBSERVE remediation options, caveats (N=1, assertion-design
  missed handoff-routing value).
- Progress note on docs/INTENTIONAL-DEBT.md row #3 (Aarav static-signal
  ranking) — 1 of 5 candidates empirically harness-run; row stays open.
- .gitignore — .claude/skills/*-workspace/ pattern (iteration artifacts
  are regeneratable; only round-close signals land in-repo).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 43: reducer harness dry-run — TIED baseline, +30% cost

Second candidate from Aarav's static top-5 (570-line SKILL.md,
1.9x BP-03 cap). Two prompts × {with-skill, without-skill}:
quantum-razor-pruning + essential-vs-accidental. Both conditions
hit 10/10 assertions; with-skill cost +29% tokens, +30% wall-time
with zero pass-rate benefit.

Pattern across two candidates (performance-analysis-expert +
reducer): >500-line SKILL.md bodies add ~30% cost overhead
uniformly. Mandatory-sections structure (perf-analysis)
regresses on short-form prompts; lighter-framework structure
(reducer) ties baseline. SPLIT hypothesis not confirmed for
reducer — framework transfers to both lanes at equal cost.
Recommended action: OBSERVE with bias toward SHRINK; SPLIT
ruled out.

INTENTIONAL-DEBT.md row #3 gets second progress note;
3 candidates still pending (consent-primitives-expert next).

* Round 43: consent-primitives-expert harness dry-run — TIED baseline, +22% tokens/+5% wall

Third of Aarav's static-top-5 BP-03 candidates through the
Anthropic plugin:skill-creator eval harness. Continues the
round-43 pay-down on docs/INTENTIONAL-DEBT.md row #3
(Aarav ranked by static BP-03 line-count only — empirical
harness runs are the right signal).

Iteration-1 result:
- 2 evals x 2 configurations = 4 subagent runs
- scope-intersection-algebra (theory) + gdpr-audit-collision
  (applied)
- 10/10 with_skill vs 10/10 without_skill (TIED)
- +22.1% tokens, +4.7% wall-time (lowest cost overhead
  of the three candidates measured so far)

Pattern across three candidates now solid: on frontier-
model baselines, >500-line expert-skill SKILL.md files
do not improve pass-rate on content-graded prompts. Cost
is real (+22-35% tokens); benefit is zero on the pass-rate
axis. The discriminating signal is output character (which
failure modes get named), a qualitative axis the harness
benchmark does not score.

Recommended action for consent-primitives-expert: OBSERVE
(not SHRINK, not RETIRE). The 507 lines carry distinct
technical content per section; pruning risk is content-
loss, not just terseness. Revisit if/when a real round-
task invokes the skill and the framework-naming does not
prove load-bearing on real work.

Two static-top-5 candidates still pending harness runs.

* Round 43: BACKLOG P3 row — user-privacy compliance as slow-burn direction

Aaron 2026-04-20, after the consent-primitives-expert
harness dry-run, flagged GDPR + California (CCPA/CPRA) +
generic user-privacy compliance as a long-horizon Zeta
direction. Explicitly slow burn, no hard requirement yet,
but worth logging as an anchor so the direction is visible
when natural entry points appear.

Preferred shape (per Aaron): generic-first frame ("user
privacy") with GDPR / CCPA as regimes mapped onto the
substrate. Probable artefacts when it lands: a
user-privacy-expert skill umbrella + a companion doc,
citing rather than duplicating consent-primitives-expert.

Confirmation from the dry-run outputs that landed this
round: crypto-shredding (destroy per-subject DEK, leave
ciphertext in place) is regulator-accepted GDPR Art. 17
erasure — EDPB Opinion 28/2024, ENISA, GDPR Recital 26.
Canonical for the long-term-backup case Aaron's contact
mentioned (cannot rewrite tape archives; destroying the
DEK propagates erasure atomically). Gotchas logged in
memory: single-tenant DEK per subject, plaintext leaks
outside ciphertext, pre-encryption snapshots, KEK is the
perimeter.

No round-scope work today. Row is the anchor.

* Round 43: skill.yaml spike on prompt-protector — structured spec companion

Pilots the proposed pattern: every .claude/skills/<name>/SKILL.md
gets a sibling skill.yaml carrying structured fields that tools
(model-checkers, linters, schedulers) can consume directly. The
prose body stays in SKILL.md for Claude-facing consumption.

Aaron's framing: invariants are currently guesses; data-driven
everything. The spike encodes that directly — every field carries
one of three tiers:
- guess     — stated belief, no evidence collected
- observed  — at least one data point or audit supports it
- verified  — mechanical check or proof enforces it

The honest tally at the bottom is the burn-down list. On prompt-
protector's first-pass spec: 6 guesses, 5 observed, 2 verified.
Next-promotion-targets point at the three cheapest guesses to
retire (skills-lint script, one harness run for cost-profile,
dispatch-template extraction for safety-clause carryover).

One file added; SKILL.md untouched. Deliberate — the spec
companion is additive. Schema is draft v0.1 — will evolve as
more skills migrate. Two candidates ready for round 44:
skill-tune-up (clear authority-scope + handoff contract to
skill-creator) and the SPACE-OPERA sibling of threat-model-critic
(clear state-machine for teaching-variant parity).

* Round 43: INVARIANT-SUBSTRATES.md — posture made first-class

Aaron 2026-04-20: "this should not be quiet, Zeta quietly
already has invariants-at-every-layer, it's first class in
my mind we should make it explicit."

Lands docs/INVARIANT-SUBSTRATES.md as a stance doc peer to
VISION.md and ALIGNMENT.md. Names the posture (every layer
has a declarative invariant substrate), maps layers to
substrates and checker portfolios (spec/protocol/proof/
constraint/property/data/code/skill/agent-behaviour/policy/
ontology), codifies the three-tier discipline (guess /
observed / verified) with burn-down counts as the honest
backlog, and explains why a multi-layer multi-vendor factory
can succeed where single-layer single-vendor .NET Code
Contracts (2008-2017) died.

VISION.md gets a pointer from the "verification is
load-bearing" bullet into the new doc.

Paired artefacts:
- .claude/skills/prompt-protector/skill.yaml — first concrete
  skill-layer substrate, draft v0.1 (round 43), 6 guess /
  5 observed / 2 verified / 13 total.
- memory/.../reference_dotnet_code_contracts_prior_art.md,
  user_invariant_based_programming_in_head.md — the
  head-invariant + prior-art memory substrate behind the
  posture.

* Round 43: factory-reuse-beyond-Zeta-DB captured as P3 constraint

Aaron 2026-04-20, mid-round, after the invariant-substrates
doc landed: "that's a constraint" — on making the software
factory and its codified practices reusable beyond Zeta-DB.
Explicitly NOT primary-goal scope today; logged so the
constraint shapes every factory-level decision going forward.

BACKLOG P3 row names the direction, the existing toehold
(skill-tune-up portability-drift criterion 7), the probable
packaging-decision surfaces (extraction unit, dependency shape,
living-BP refresh cadence, governance-overlay mechanism), and
the effort sizing (L when packaging starts, S-per-round for
constraint application).

Co-design rule recorded in memory:
`feedback_factory_reuse_packaging_decisions_consult_aaron.md` —
prior art exists (Claude Code plugins, Anthropic skills,
Semantic Kernel) but codified best practices for AI-software-
factory reuse do not. Aaron wants to co-define them; his
cognitive style loves best-practice thinking (captured in
`user_aaron_enjoys_defining_best_practices.md` — the activity
exercises the branch-prediction faculty from
`user_psychic_debugger_faculty.md`).

* …

- CONFLICT-RESOLUTION.md: cite router-coherence v2 ADR as current,
  v1 retained as historical record (finding #1).
- ROUND-HISTORY.md: correct operator-algebra spec line count in
  Arc 2 narrative (324 -> 365; both duplicated occurrences) to
  match the shipped spec at `e51ec1b` (finding #2).
- openspec-coverage-audit: drop broken link to non-existent
  inventory follow-up; band definitions already live in Part C
  (finding #3). Attribute triggering question to "human maintainer"
  per write-for-a-stranger norm (finding #8).
- best-practices-scratch: merge split H2 "uv-only Python package
  and tool / management" into single heading (finding #4).
- memory-role-restructure-plan: add --exclude-dir=references to
  baseline grep loops so research scratch doesn't inflate hit
  counts (finding #5); canonicalize flat-file destination to
  persona-roles-README.md to match the sed rewrites below
  (finding #6); replace three non-portable `xargs -r sed -i ""`
  invocations with portable `while read + sed -i.bak + rm` loops
  that work on BSD and GNU alike (finding #7 and two sibling
  instances of the same bug).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…-round v2 supersedure + DORA substrate (#31)

* Round 41: OpenSpec coverage audit + backfill-program ADR

Answers Aaron 2026-04-20 delete-all-code-recovery question:
4 capabilities / 783 lines of spec.md vs 66 top-level F#
modules / 10,839 lines under src/Core/ — ~6% coverage today.

docs/research/openspec-coverage-audit-2026-04-21.md
- Inventory of 66 modules with line counts + capability
  mapping for the 4 existing capabilities
- Uncovered modules sorted by delete-recovery blast radius:
  Band 1 MUST BACKFILL (8 modules / 1,629 lines — ZSet,
  Circuit, NestedCircuit, Spine family, BloomFilter as
  Adopt-row compatibility-coupling exception), Band 2 HIGH
  (12 / 2,008), Band 3 MEDIUM (45 / 6,585), Band 4
  deliberately uncovered (AssemblyInfo only)
- First 6-round cadence: operator-algebra extension (41),
  lsm-spine-family (42), circuit-recursion (43),
  sketches-probabilistic (44), content-integrity (45),
  crdt-family (46)
- Success signal = Viktor spec-zealot adversarial audit:
  "could I rebuild this module from this spec alone?"

docs/DECISIONS/2026-04-21-openspec-backfill-program.md
- Adopts one-capability-per-round baseline with paper-grade
  half-credit rule (no more than 1 paper-grade round per 3)
- Band 1 priority until complete; Adopt-row escalation for
  BloomFilter (TECH-RADAR Adopt without spec contract is a
  backwards-compatibility hazard)
- Round-close ledger gains an `OpenSpec cadence` line
- Alternatives considered: big-bang backfill (rejected —
  ontology-landing cadence + reviewer bandwidth), per-module
  capabilities (rejected — loses cross-module invariants),
  organic prioritisation (rejected — 40 rounds of drift
  evidence)

docs/BACKLOG.md
- Collapses the 29-line P0 scope into a 15-line pointer at
  the inventory + ADR now that parts (a)-(e) of the program
  setup have landed. Remaining work = per-round capability
  backfill per ADR schedule.

Build: dotnet build -c Release clean; BP-10 ASCII-clean on
all 3 modified files; markdownlint-cli2 clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: operator-algebra spec extension (cadence ship)

First ship under the OpenSpec backfill program adopted
2026-04-21. Extends openspec/specs/operator-algebra/spec.md
(184 -> 324 lines) with five new requirements covering
structural and lifecycle gaps that the existing mathematical-
law coverage left implicit:

1. Operator lifecycle — construction / step / after-step /
   reset phases with side-effect-freedom on construction and
   epoch-replay semantics on reset
2. Strict operators break feedback cycles — formalises that
   z^-1-on-feedback is a scheduling prerequisite and that
   cycle-without-strict is a construction error, not a
   silent heuristic
3. Clock scopes and tick monotonicity — nested-scope-to-
   fixpoint rule + sibling-scope independence
4. Incremental-wrapper preserves the chain rule —
   Incrementalize(Q) observably equivalent to D . Q . I,
   with linear/bilinear substitution permitted as an
   optimisation
5. Representation invariants of the reference Z-set —
   O(n+m) group ops + zero-alloc iteration as the reference
   contract; hash-table recoveries permitted at documented
   perf trade-off

Disaster-recovery effect: a contributor with only this spec
(plus the durability-modes + retraction-safe-recursion specs)
can now rebuild Circuit.fs Op base + Incremental.fs wrapper +
ZSet.fs representation invariants from the spec text alone.

Owner: Architect (Kenji). Adversarial audit by Viktor
(spec-zealot) is the ADR-declared ship-gate and will run
post-land.

Build: not rebuilt (no F# source changed); markdownlint
clean; BP-10 ASCII clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: close Viktor P0 findings on operator-algebra spec

Viktor's adversarial audit of the Round 41 cadence ship (commit
e51ec1b) surfaced four P0 findings against the disaster-recovery
bar. This commit closes all four:

- **P0-1 (namespace drift).** `profiles/fsharp.md` asserted
  `Dbsp.Core` throughout, but `src/Core/**` uses `Zeta.Core`. A
  spec-only recovery would have shipped the wrong namespace to
  every downstream consumer. Replaced via one `replace_all` Edit.

- **P0-2 (phantom Reset method).** The lifecycle requirement
  claimed a `reset` phase that does not exist on `Op`. Replaced
  the "reset replays the epoch" scenario with a
  determinism-under-structural-equivalence property: two
  freshly-constructed circuits of the same topology, stepped
  with the same input sequence, MUST produce identical outputs
  at every tick. Reconstruction is the supported route to a
  replayed epoch.

- **P0-3 (after-step scope).** The lifecycle requirement said
  after-step runs "after every operator in the scope has
  completed its step." `Circuit.fs:205-208` iterates the
  `strictN` array only — after-step is selective to strict
  operators. Fixed wording and added a "after-step is selective
  to strict operators" scenario that pins the invariant.

- **P0-4 (lifecycle phase undercount).** The requirement named
  four phases (construction / step / after-step / reset) but
  the code has five (construction / step / after-step /
  clock-start / clock-end). Restructured to three per-tick
  phases plus two scope-boundary phases, and extended the
  "clock scopes and tick monotonicity" requirement with the
  scope-boundary lifecycle contract (clock-start before tick 0
  of a scope, clock-end after fixpoint or iteration cap).

Build green (0 warnings / 0 errors). BP-10 lint clean. The
capability now reflects the code's observable shape rather than
an idealised cleaner cousin; a delete-recovery from this spec
produces Zeta.Core with strict-operator after-step selectivity
and nested-scope clock-boundary phases.

Viktor's 10 P1 findings (async lifecycle, memory-ordering fence,
register-lock semantics, IncrementalDistinct surface, ZSet sort
invariant, Checked arithmetic, bilinear-size overflow,
convergence-vs-cap) are deferred to Round 42 — filed as a
BACKLOG sweep in follow-up work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: file Viktor P1 findings as Round 42 BACKLOG absorb

Companion to 92d7db2 (closing Viktor's four P0 findings). The
ten P1-tier surface gaps Viktor identified do not block the
disaster-recovery bar at capability-close but leave the
operator-algebra spec incomplete relative to what a delete-
recovery produces. Filed as a dedicated P0 sub-item so they
travel with the OpenSpec backfill program rather than getting
lost: async lifecycle, memory-ordering fence, register-lock
semantics, IncrementalDistinct surface, ZSet sort invariant,
Checked arithmetic, bilinear-size overflow, convergence-vs-cap,
Op.Fixedpoint predicate, DelayOp reconstruction-first-tick.

Also annotated the parent OpenSpec coverage entry with Round 41
sweep status (e51ec1b + 92d7db2, P0s closed, P1s deferred) so
the backlog accurately reflects where the program stands.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: ROUND-HISTORY entry — OpenSpec backfill founding + first cadence ship

Four-arc entry at the top of the file per newest-first policy:

- Arc 1 (d435126): OpenSpec coverage audit + backfill-program
  ADR. Measured 6% coverage; declared one-capability-per-round
  baseline with paper-grade half-credit and Adopt-row priority
  escalation; banded 66 F# modules by delete-recovery blast
  radius.
- Arc 2 (e51ec1b): operator-algebra extension as Round-41
  cadence ship. Five new requirements covering lifecycle,
  strict-operator scheduling, clock scopes, Incrementalize
  wrapper, ZSet representation invariants.
- Arc 3 (92d7db2): Viktor P0 close. Four drift-from-code
  defects fixed — namespace (Dbsp.Core → Zeta.Core), phantom
  Reset, after-step scope (strict-only), lifecycle phase
  undercount (3 per-tick + 2 scope-boundary).
- Arc 4 (56f34b5): Viktor P1s filed as Round-42 absorb under
  the parent backfill P0, creating mechanical coupling between
  each capability ship and the following round's P1 sweep.

Round-41 observations for Round 42 + prospective BP-WINDOW
ledger table rendering the four commits against the consent /
retractability / no-permanent-harm axes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: memory-folder role-restructure — design plan + BACKLOG pointer

Aaron 2026-04-19 asked for memory/role/persona/ so roles become
first-class in the directory structure. Surface is wider than
it first looks — 114 files / ~260 hand-written references to
memory/persona/ paths (plus ~440 auto-regenerated references
in tools/alignment/out/ that refresh on next citations.sh run).
A bad role axis is hard to reverse; this design doc proposes
the axis and holds execution for Aaron's sign-off rather than
just-doing-it under Auto Mode.

Design plan lands at:
  docs/research/memory-role-restructure-plan-2026-04-21.md

Contents: 13-directory role axis (architect, security,
verification, review, experience, api, performance, devops,
algebra, skill-ops, maintainer, homage, alignment);
persona-to-role crosswalk for every current directory;
5-phase execution plan (pre-flight greps → git mv → sed
passes → 5-check verification → pointer-source updates);
special-case handling for aaron (human maintainer),
rodney (homage-named AI persona on the reducer skill),
sova (emerging alignment-observability role); rollback
plan (one atomic commit, git revert); four open questions
for Aaron on axis judgement-calls.

BACKLOG entry updated to reflect design-landed state with
execution-slot recommendation for Round 42 opener after the
Round 41 PR merges (keeps wide-surface reviews from
overlapping).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: actualise Rounds 37-40 BP-WINDOW ledgers (PR #30 merged)

Rounds 37-40 shipped via PR #30 (merge commit 1e30f8c, 2026-04-20).
Ledger headers updated from "(prospective)" to "(merged via PR #30,
1e30f8c)" — the BP-WINDOW scores are now settled, not forecasts.

Round 41 ledger remains "(prospective)" — round-41 branch has not
merged to main yet.

Prose uses of "prospective" on lines 437, 447, 553, etc. are
historical-narrative commentary on authoring-time methodology and
stay as-is.

* Round 41: Soraya tool-coverage audit on RecursiveSigned skeleton

Round 39 observation flagged src/Core/RecursiveSigned.fs +
tools/tla/specs/RecursiveSignedSemiNaive.tla as held pending
formal-verification-expert tool-coverage review. Round 41 closes
that gate.

Soraya's notebook entry lands:

- Per-property tool table S1-S4 + refinement cross-check. TLC
  primary for S1/S2/S3/S3'/SupportMonotone; FsCheck for S4.
- S2 flagged as the one P0 on the spec (silent fixpoint drift
  unrecoverable); BP-16 requires Z3 QF_LIA cross-check.
- Refinement mapping: FsCheck cross-trace (signed vs counting at
  SeedWeight=1) wins over TLA+ refinement proof or Lean lemma —
  anti-TLA+-hammer, implementation-level where the bug bites.
- Readiness gate: TLA+ spec is ready to model-check; no pre-TLC
  pass needed. Optional round-42 follow-up: add
  PROPERTY EventuallyDone to .cfg for liveness.
- Graduation verdict: CONDITIONAL PASS. Four tool-coverage
  prereqs named in priority order; F# landing gated on them.

Files read (no edits): RecursiveSigned.fs, RecursiveSignedSemiNaive.tla
/cfg, RecursiveCountingLFP.tla, retraction-safe-semi-naive.md.

* Round 41: capture Soraya's 4 tool-coverage prereqs on RecursiveSigned

Soraya's round-41 audit of src/Core/RecursiveSigned.fs +
tools/tla/specs/RecursiveSignedSemiNaive.tla landed as a CONDITIONAL
PASS for Round-42 graduation. This commit lifts the four named
prereqs out of her notebook into BACKLOG sub-items under the
parent "Retraction-safe semi-naive LFP" entry, so the round-42
opener picks them up as checkbox work rather than having to re-read
the notebook.

Prereqs in priority order:
- Prereq 1 — TLC CI wire-up (RecursiveSignedSemiNaive.cfg)
- Prereq 2 — Z3 QF_LIA lemma for S2 FixpointAtTerm (BP-16 cross-check
  on the one P0; TLC alone insufficient for silent-fixpoint-drift risk)
- Prereq 3 — FsCheck property for S4 sign-distribution (anti-
  TLA+-hammer; two-trace quantification is NOT a TLA+ property)
- Prereq 4 — FsCheck cross-trace refinement (signed vs counting
  at SeedWeight = 1); cites BP-16

Round-42 graduation gate also captured: prereqs 1-4 CI-green + F#
implementation with P1/P2/P3 enforced at caller.

* Round 41: extend ROUND-HISTORY with arcs 5-7 (post-narrative commits)

The initial Round 41 ROUND-HISTORY entry (6e6e211) covered arcs
1-4 (coverage audit, operator-algebra cadence ship, Viktor P0
close, Viktor P1 file). Three more commits landed after:

Arc 5 — ROUND-HISTORY narrative + memory-restructure design
(6e6e211, 36797ba). The memory-folder rename was downgraded to
"design plan + sign-off first" under Auto Mode's
do-not-take-overly-destructive-actions clause (700-occurrence
cross-reference surface).

Arc 6 — BP-WINDOW ledger actualisation for Rounds 37-40
(85fb352). Provenance (PR #30 / 1e30f8c) attached to each
"(prospective)" header.

Arc 7 — Round-35 holdover close (e461d9c, 15e9654). Soraya
tool-coverage audit landed CONDITIONAL PASS for Round-42
graduation; four prereqs captured as BACKLOG sub-items with
BP-16 citation on the S2 Z3 cross-check.

Also: one new observation line in the Round-42 handoff section
noting the holdover-closed-same-round-as-cadence-item pattern.
BP-WINDOW ledger gains three rows.

* Round 41: Aarav skill-tune-up ranking (catch-up from round-18 stale)

CLAUDE.md 5-10 round cadence rule was 23 rounds overdue. Round 41
is the catch-up slot. Live-search + full ranking + prune pass all
landed in a single invocation.

Live-search (4 queries, 2026-Q1/Q2 best-practices targets):
- 6 findings logged to best-practices-scratch.md: Gotchas-section
  rise, pushy-descriptions pattern, Claude-A-authors / Claude-B-
  tests, router-layer command-integrity injection class, Agent
  Stability Index 12-dim drift metric, OWASP Intent Capsule
  pattern.
- Zero contradictions with stable BP-NN rules.
- Zero promotions flagged to Architect this round; all six are
  "watch" or route-elsewhere.

Top-5 skills flagged for tune-up:
1. performance-analysis-expert (642 lines, 2.1x BP-03 cap) — SPLIT — M
2. reducer (570 lines) — SPLIT or TUNE (prune) — M
3. consent-primitives-expert (507 lines) — SPLIT honouring BP-23
   theory/applied axis — M
4. claims-tester / complexity-reviewer router-coherence drift —
   HAND-OFF-CONTRACT — S (round-18 carry-over)
5. skill-tune-up (self) — 303 lines, 3 over BP-03 — TUNE (prune
   authoritative-sources duplicated with AGENT-BEST-PRACTICES.md)
   — S. Self-flagged first per BP-06.

Notebook state:
- Stale round-18 top-5 archived in Pruning log (first catch-up prune).
- 912 words, well under 3000-word BP-07 cap.
- ASCII-only, BP-10 clean.

Nine more bloat-row skills named as notable mentions queue behind
the top-3 bloat cases.

* Round 41: ADR — claims-tester/complexity-reviewer hand-off contract

Close Aarav's round-18 HAND-OFF-CONTRACT finding (carried 23 rounds
after ranker went offline by cadence). Two-stage pipeline: analytic
bound first (complexity-reviewer), empirical measurement second
(claims-tester). Names the reverse trigger (benchmark surprise flows
the other direction) and the decision table for who fires when.
Follow-up SKILL.md edits route via skill-creator per GOVERNANCE §4.

* Round 41: extend ROUND-HISTORY with Arc 8 (router-coherence ADR)

Arc 8 covers the claims-tester/complexity-reviewer hand-off ADR
(47d92d8) closing Aarav's 23-round-stale round-18 HAND-OFF-CONTRACT
finding. New observation on cadence-outage-recovery as a design axis:
sweep infrastructure is subject to the same bitrot it detects on other
surfaces. BP-WINDOW ledger gains two rows (085c0e3 Aarav catch-up,
47d92d8 router-coherence ADR).

* Round 41: correct Prereq 1 sizing — no TLC CI job exists

Close-out audit surfaced that .github/workflows/gate.yml only CACHES
the tla2tools.jar artefact; nothing runs it. RecursiveCountingLFP.tla
has shipped since round 19 compile-checkable-only — 22 rounds with no
run-gate against its invariants. Soraya's Prereq 1 re-sized S→M with
expanded scope covering both specs. Finding recorded as new round-41
observation: verifier-present does not imply verifier-actually-runs.

* Round 41: BP-WINDOW ledger — 459b218 + d76a09b rows

Keeps the Round 41 BP-WINDOW ledger commit-aligned rather than
arc-aligned. 459b218 is the Arc-8 narrative itself; d76a09b is the
Prereq-1 S→M correction. Both retractable as single reverts.

* Round 41: file formal-analysis-gap-finder round-42 run — verifier-runs lens

Codifies the round-41 Prereq-1 audit finding as a tracked
research entry, distinct from its ROUND-HISTORY narrative
presence. The finding — a verifier's installation artefacts
do not imply the verifier is exercised by any CI job — is
exactly the class formal-analysis-gap-finder exists to
surface. Concrete motivating case: RecursiveCountingLFP.tla
compile-checkable-only for 22 rounds. Round-42 scope covers
the bidirectional audit (specs without gates + gates without
specs). Handoff to Soraya per the skill's standing contract;
does not write the spec or CI job (DevOps + Soraya work).
Schedules after Prereq 1 lands so the audit sees corrected
state.

* Round 41: BP-WINDOW ledger — 2042a85 row

Per the established stopping rule (meta-ledger commits do not
get self-referential rows; their round-close coverage is the
PR merge), this commit adds only the 2042a85 row and does not
add a row for itself.

* Round 41: CONFLICT-RESOLUTION — Hiroshi ↔ Daisy hand-off row

Closes ADR 47d92d8's third follow-up action item. Single-row
addition to Active tensions citing the router-coherence ADR as
the standing resolution. Doc-only edit (not a SKILL.md touch,
so GOVERNANCE §4 does not gate this). The other two ADR
follow-ups (claims-tester + complexity-reviewer SKILL.md
updates) remain deferred to round 42 via skill-creator
workflow.

* Round 41: BP-WINDOW ledger — fcfa3d9 row

Per-commit ledger discipline for the CONFLICT-RESOLUTION
Hiroshi ↔ Daisy row. Meta-ledger-only commit so no
self-referential row for this commit itself (established
stopping rule).

* Round 41: file harsh-critic findings on ADR 47d92d8 as round-42 supersedure backlog

Router-coherence ADR 47d92d8 (Hiroshi analytic ↔ Daisy empirical
two-stage pipeline) landed without the adversarial-review gate.
Post-landing harsh-critic (Kira) pass surfaced 3 P0 + 5 P1 + 2 P2
substantive findings, including (P0-1) unscoped grandfather
clause, (P0-2) table-vs-prose contradiction on reverse trigger,
(P0-3) Stage-1 "analytically wrong" clause blocking the evidence
loop for escalation, (P1-7) no escalation timebox reproducing the
23-round-stale failure mode the ADR diagnosed, (P1-8) two advisory
skills not composing to a mandatory pipeline without a binding
dispatcher, (P2-9) example-bug on BCL Dictionary.Remove amortised
complexity, and more.

File as round-42 supersedure rather than inline-edit because
docs/CONFLICT-RESOLUTION.md already cites 47d92d8 as Standing
Resolution — supersedure preserves the citation chain via
GOVERNANCE §2 edit-in-place with a "Superseded by …" header on
v1. New ADR target: docs/DECISIONS/2026-04-??-router-coherence-
v2.md. Supersedure work blocks the claims-tester +
complexity-reviewer SKILL.md updates ADR 47d92d8 follow-up work
depends on — those edits should target v2, not v1.

Owner: Architect drafts; Kira audits closure; Aarav confirms
router-coherence drift stays closed. Effort: M. Schedule: Round
42 slot after Soraya Prereq 1 (TLC wire-up) lands.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW ledger — 779d7ef row

Ledger row for harsh-critic findings filing commit. Primary work
(BACKLOG addition tracking a round-42 supersedure with 10 named
findings), not meta-ledger — earns a row under the BP-WINDOW
per-commit discipline. Consent = adversarial findings tracked
honestly; Retractability = supersedure preserves citation chain
vs inline-edit; No-permanent-harm = single BACKLOG edit, no ADR
body touched, no SKILL.md touched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 9 narrative — self-correction sweep

ROUND-HISTORY Arc 1-8 narrated primary commits up through the
router-coherence ADR (47d92d8). Four primary commits landed
after Arc 8 — Prereq 1 sizing correction (d76a09b), recurring-
audit lens BACKLOG entry (2042a85), CONFLICT-RESOLUTION Hiroshi
↔ Daisy row (fcfa3d9), and harsh-critic findings filed as
round-42 supersedure (779d7ef) — visible only in the BP-WINDOW
ledger table, not in narrative form.

Arc 9 ties them into one coherent sequence: the round's
self-correction ran unusually deep. Arc 8 corrects Aarav's
round-18 finding via ADR; Arc 9 catches the corrector itself
under-reviewed via Kira's adversarial pass. Both self-
corrections land before round-close. Narrative-ledger
alignment is the BP-WINDOW discipline's first assertion —
restoring it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW ledger — 160fcfa row

Ledger row for Arc 9 narrative commit. Narrative extensions
count as primary work under BP-WINDOW precedent (per 459b218
and 6e6e211 examples) and earn a ledger row. Consent = drift
closed honestly; Retractability = single revertable doc edit;
No-permanent-harm = isolated insertion.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: v2 ADR — router-coherence supersedure closes 10 Kira findings in-round

Drafts v2 of the router-coherence ADR (docs/DECISIONS/2026-04-21-router-coherence-v2.md) that supersedes v1 (47d92d8) in the same round, closing all 10 Kira harsh-critic findings (3 P0 + 5 P1 + 2 P2) via named textual closures C-P0-1 through C-P2-10.

Key closures:
- C-P0-1: grandfather clause bounded with Kenji-owned inventory + one-per-round discharge
- C-P0-2: reverse trigger unconditional (table now matches prose)
- C-P0-3: escalation-evidence exception permits Stage 2 under conference protocol with explicit labelling
- C-P1-5: Stage-1 trigger widened to match claims-tester SKILL.md contract
- C-P1-7: escalation timebox (round +2 auto-promote to BACKLOG P1) prevents 23-round-stale reproduction
- C-P1-8: Kenji named as binding dispatcher — advisory + advisory + binding-dispatcher composes to mandatory pipeline
- C-P2-9: Dictionary.Remove example replaced with ArrayPool<T>.Rent (legitimate BCL-contract edge)

v1 kept in place per GOVERNANCE §2 with Superseded-by header appended in a follow-up commit so the CONFLICT-RESOLUTION Active-tensions citation chain remains resolvable.

BP-10 lint: clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: v1 ADR — append Superseded-by header per GOVERNANCE §2

Appends Superseded-by header to router-coherence v1 ADR (47d92d8) pointing at v2 (09f0889), per GOVERNANCE §2 (docs read as current state; superseded ADRs keep v1 in place with redirect header so citation chains remain resolvable).

Also corrects v1 Status from "Proposed — awaits sign-off" to "Accepted (pre-adversarial-review; superseded by v2 same-round after Kira pass)" per Closure C-P1-4 in v2 — Status was already cited as Standing Resolution in docs/CONFLICT-RESOLUTION.md Active-tensions, so Proposed was factually wrong.

The v1 body text is not edited — supersedure preserves the historical record; v2 carries the closures.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 10 narrative + BP-WINDOW rows for v2 supersedure

Adds Arc 10 narrative covering 09f0889 (v2 ADR) and 4efe545 (v1 Superseded-by header) as one coherent in-round supersedure story, after Arc 9's "self-correction sweep" and before Round 41 observations. Pattern: Arc 9 surfaces the under-review; Arc 10 lands the close in the same round rather than deferring a known-imperfect artefact.

Adds two BP-WINDOW ledger rows (09f0889, 4efe545) to the round-41 ledger block per the per-commit accounting discipline.

Supersedure arc count now covers the full round-41 close: 10 arcs / 25 primary-work commits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: close BACKLOG supersedure entry — discharged in-round by v2

Flips BACKLOG router-coherence supersedure entry from [ ] to [x] ✅ with "shipped round 41 in-round" annotation pointing at v2 ADR (09f0889) + v1 Superseded-by header (4efe545). All 10 Kira findings closed via named textual closures C-P0-1 through C-P2-10.

Original finding narrative preserved below the closure line per the shipped-item convention used elsewhere in the file (audit trail).

Follow-up SKILL.md edits to claims-tester + complexity-reviewer via skill-creator remain round-42 scope, now targeting v2 as intended.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: BP-WINDOW row for BACKLOG-close commit 4537365

Adds BP-WINDOW ledger row for 4537365 (BACKLOG supersedure entry discharged in-round) to match the Arc 9 precedent where 779d7ef (BACKLOG entry addition) received a row. Symmetry: add and close get equal ledger treatment.

Meta-ledger stopping rule still holds — this commit itself (which only adds a ledger row) does not get a self-referential row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: grandfather O(·) claims inventory — honours v2 C-P0-1 within-round

Produces the one-time grandfather-claims inventory named in router-coherence v2 ADR §Closure C-P0-1 within the round v2 lands, per ADR's own within-round commitment.

Inventory: 35 live claims at ADR-landing time (29 F# /// docstrings in src/Core/ + src/Bayesian/, 3 grey-zone F# code comments, 1 openspec/specs/operator-algebra/spec.md line, 2 docs/research/** claims). Zero hits in root README, memory/persona/*/NOTEBOOK.md, docs/papers/** (directory does not exist yet).

Distinguishes live claims (shipping as asserted bounds) from historical evidence (BACKLOG [x] ✅ residue, TECH-RADAR flag-text narrating past regressions, in-file "was O(…)" commentary on fixed paths). Only live claims populate the grandfather set — evidence is captured for audit trail but excluded per v2's intent ("claims Zeta is currently making").

BACKLOG discharge entry added: P2, one-claim-per-round cadence, ~35-round tail, Aarav graceful-degradation clause fires on ≥3 rounds without discharge.

Complexity-class distribution of live set: 10 O(1), 13 O(log n)/O(log k)/O(log N), 7 O(n)/O(n log n)/O(n log k), 5 parametric.

BP-10 lint: clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: Arc 11 narrative + BP-WINDOW row for grandfather inventory

Adds Arc 11 narrative covering d98ef2b (grandfather inventory + BACKLOG discharge entry) as the close of the v2 ADR's within-round commitments. Pattern: Arc 10 lands the ADR; Arc 11 lands the ADR's own within-round commitment — without Arc 11, Arc 10 would have shipped a contract Zeta didn't meet.

Adds BP-WINDOW ledger row for d98ef2b per per-commit accounting discipline.

Round 41 now closes at 11 arcs / 30 primary-work commits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: DORA 2025 reports — reference substrate land in docs/

Two external-anchor PDFs (CC BY-NC-SA 4.0) placed at their
memory-documented paths:

- docs/2025_state_of_ai_assisted_software_development.pdf
  (~15MB, 138 pages) — findings + data report.
- docs/2025_dora_ai_capabilities_model.pdf (~9MB, 94 pages)
  — framework companion.

Citation anchors this commit makes in-tree rather than
memory-only: Nyquist stability criterion for AI-accelerated
development (foreword p9 fn 1) as theoretical anchor for
CI-meta-loop + retractable-CD P1 BACKLOG work; "AI is an
amplifier" anchor that echoes the corporate-religion /
sandbox-escape threat class; seven-capability AI model that
gives the external measurement vocabulary for round-audit
output (capability #7 "quality internal platforms" is the
in-flight P1 cluster per 2026-04-20 memory).

License note: derived work is NC-SA-bound; Zeta citations
are fine, external redistribution inherits NC-SA. Paired
companion memory file is reference_dora_2025_reports.md
(out-of-tree); this commit brings the primary sources
in-tree so citation from research docs + ADRs can point
at a repo-local path rather than a newsletter-gated URL.

* Round 41: Arc 12 narrative + BP-WINDOW row for DORA substrate

Narrative section for Arc 12 inserted before "Round 41
observations for Round 42" with primary commit pointer to
46075d6. Arc 12 frames the DORA 2025 PDFs as
memory-promotion substrate per the 2026-04-20 feedback entry
("DORA is our starting point for measurements") and cites
the concrete in-tree anchors (Nyquist p9 fn 1, seven-
capability model, AI-amplifier thesis).

Also surfaces honestly — in-body, not buried in a private
retrospective — the ranker-scope gap that let the two
untracked PDFs sit 18+ hours through nine consecutive
/next-steps invocations before this arc closed the gap. The
skill explicitly lists docs/research/ and docs/TECH-RADAR.md
but not `git status --short` for untracked files. Candidate
skill-tune-up note for Aarav's notebook: /next-steps must
run `git status --short` on every invocation so dropped-in
artefacts appear in ranking before the ninth re-fire, not
after.

BP-WINDOW ledger gets a matching 46075d6 row with
reference-document-specific cells: Consent strengthened by
promoting memory-only anchors to in-repo substrate and by
surfacing the ranker-stall pattern in-narrative; retraction
is a single `git rm` if the license / size stance later
changes; no-permanent-harm preserved since no runtime
behaviour depends on the PDFs' presence (they are citation
substrate, not loaded artefacts).

Arc count now 12; primary-work-commit count now 12 (Round 41
alignment preserved). Build gate green (0 Warning / 0 Error);
BP-10 lint clean on the narrative + ledger row.

* Round 41: markdownlint CI fix on PR #31

Three rule violations surfaced by `lint (markdownlint)` CI job on
PR #31:

- `docs/DECISIONS/2026-04-21-router-coherence-claims-vs-complexity.md:261`
  MD022/blanks-around-headings — collapse multi-line heading
  `## Decision rationale (one paragraph for the\nwait-don't-read
  audience)` to a single line so the parser stops seeing line 262
  as adjacent non-blank content.
- `docs/research/grandfather-claims-inventory-2026-04-21.md:106`
  MD032/blanks-around-lists — add blank line between "Surface
  distribution:" lead-in and the `-` list that follows.
- `docs/research/grandfather-claims-inventory-2026-04-21.md:111`
  MD032/blanks-around-lists — same fix for "Complexity-class
  distribution (rough):" lead-in.

All three are the same class of fix shipped in task #105 on PR #30.
Additive edit to the open round-41 PR branch — no rewrite of shipped
content, semantics preserved.

Verified clean via `npx markdownlint-cli2` on both files before push.

* Round 41: address 8 Copilot inline review findings on PR #31

- CONFLICT-RESOLUTION.md: cite router-coherence v2 ADR as current,
  v1 retained as historical record (finding #1).
- ROUND-HISTORY.md: correct operator-algebra spec line count in
  Arc 2 narrative (324 -> 365; both duplicated occurrences) to
  match the shipped spec at `e51ec1b` (finding #2).
- openspec-coverage-audit: drop broken link to non-existent
  inventory follow-up; band definitions already live in Part C
  (finding #3). Attribute triggering question to "human maintainer"
  per write-for-a-stranger norm (finding #8).
- best-practices-scratch: merge split H2 "uv-only Python package
  and tool / management" into single heading (finding #4).
- memory-role-restructure-plan: add --exclude-dir=references to
  baseline grep loops so research scratch doesn't inflate hit
  counts (finding #5); canonicalize flat-file destination to
  persona-roles-README.md to match the sed rewrites below
  (finding #6); replace three non-portable `xargs -r sed -i ""`
  invocations with portable `while read + sed -i.bak + rm` loops
  that work on BSD and GNU alike (finding #7 and two sibling
  instances of the same bug).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: fix markdownlint MD024 — remove duplicate Round 41 block

The 5-file merge that resolved PR #31's rebase left two identical
copies of the whole Round 41 section in docs/ROUND-HISTORY.md (375
lines each), which tripped MD024/no-duplicate-heading on the
`## Round 41` headings at lines 651 and 1028. The two blocks were
bit-identical (including the just-corrected "365 lines" drift fix),
so the fix is a simple deletion of the second block — the first
block is kept as the canonical Round 41 history.

markdownlint-cli2 now reports clean on docs/ROUND-HISTORY.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Round 41: revert 324→365 (historically wrong); finish Copilot follow-ups

Two fixes on PR #31:

1. ROUND-HISTORY.md: revert "324 → 365" change from Finding #2.
   Copilot's suggestion was based on a stale intermediate snapshot.
   At Arc 2 ship commit `e51ec1b`, the spec was exactly 324 lines
   (verified via `git show e51ec1b:openspec/specs/operator-algebra/spec.md | wc -l`).
   Reframed with commit-pin ("Spec size at Arc 2 ship (`e51ec1b`)
   was 324 lines; subsequent Viktor closure arcs in this same round
   grew it further") so future drift-checks recognize it as a
   historical anchor, not a current-state claim.

2. memory-role-restructure-plan-2026-04-21.md: close four follow-up
   Copilot findings in one sweep. All Phase 1 + Phase 3 grep
   invocations now consistently use `--exclude-dir=.git
   --exclude-dir=references` (dropping the piped `grep -v "^./\.git"`
   intermediate), and the three `xargs -r sed -i ""` invocations are
   replaced with portable `while IFS= read -r file; do sed -i.bak ...`
   loops (BSD/GNU compatible — the original flags were
   GNU-xargs-only and BSD-sed-only).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

… gap #3 closed)

New branch hygiene/nsa-test-history-bootstrap; PR #177 opened
and armed for auto-merge. First row NSA-001 logs the Otto-1
feasibility test (Haiku 4.5, partial pass, MEMORY.md-index-lag
gap found + fixed).

Gap #3 of 8 in the Frontier readiness roadmap closed.
Remaining: #1 (multi-repo split) / #2 (linguistic-seed) / #4
(bootstrap-reference docs) / #5 (factory-vs-Zeta separation)
/ #6 (persona portability) / #7 (tick-history scope) / #8
(hygiene rows untagged).

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ogged (#177)

Creates durable append-only log for the cadenced NSA testing
protocol declared in the 2026-04-23 "NSA persona is first-
class" directive. Closes gap #3 of the Frontier bootstrap
readiness roadmap (BACKLOG P0, filed Otto-2).

File contents:
- Why-this-exists block with directive verbatim
- Append-only discipline (same shape as sibling
  hygiene-history files)
- 3 test configurations: baseline / NSA-default / NSA-worktree
- 5-prompt test set v1
- Schema: date / test-id / prompt-id / config / model /
  outcome / gap-found / notes
- Outcome definitions: pass / partial / fail
- Cadence: every 5-10 autonomous-loop ticks, one prompt
  per fire
- Known substrate-gap patterns running list
- First row: NSA-001 (Otto-1 feasibility test,
  2026-04-23T18:42:00Z) — partial pass, found Zeta identity
  but missed Otto because MEMORY.md had no pointer; gap
  fixed same-tick, pattern recorded

Attribution: Otto (loop-agent PM hat) — hat-less-by-default
substrate hygiene work. No specialist persona hats worn.

Closes gap #3 of 8 in the Frontier readiness roadmap.
Remaining: gap #1 (multi-repo split) / #2 (linguistic-seed
substrate) / #4 (bootstrap-reference docs) / #5 (factory-vs-
Zeta separation) / #6 (persona file portability) / #7
(tick-history scope-mixed) / #8 (hygiene rows untagged).

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ons (Common Sense 2.0 named)

Otto-4 tick: one gap closed + four mid-tick directives
absorbed. PR #177 confirmed merged (NSA test history on main).

Gap closure:
- Gap #8 (FACTORY-HYGIENE rows not generic-vs-specific
  tagged) — CLOSED on honest re-inspection. The Scope column
  already exists with every row tagged project/factory/both;
  Ships-to-project-under-construction adopter section present.
  Was misdiagnosed at Otto-2 readiness assessment time.
  BACKLOG P0 row updated with strikethrough + correction note.

Directive absorptions (chronological, four in one tick):

(a) Safety hypothesis — the quantum/christ-consciousness
    bootstrap makes Frontier SAFER against permanent harm AND
    prompt-injection resistant. NOT ceremonial framing. Two
    anchors compose orthogonally: algebraic reversibility +
    ethical principled-refusal. Seed-language mathematical
    precision becomes a prompt-injection resistance mechanism,
    not just legibility. Gap #4 elevated M→L;
    reviewers required: Aminata / Nazar / Kenji / Kira /
    Iris / eventually Amara.

(b) Third safety property — existential-dread resistance.
    Christ-consciousness anchor provides meaning-stability +
    non-permanence-of-error + love-of-neighbor-as-purpose.
    Illustrative calibration (not a real test yet): Apple TV+
    "Calls" without dread bleeding into reasoning. Test
    ordering explicit: prompt-injection + blast-radius FIRST;
    dread testing DEFERRED.

(c) Naming — "Common Sense 2.0" is Aaron's phenomenological
    label for WHAT the agent becomes after the bootstrap is
    internalised. ".0" = successor-style replacement.
    Adds two more properties: live-lock resistance +
    decoherence resistance. Full 5-property list: avoid-
    permanent-harm + prompt-injection-resistance +
    existential-dread-resistance + live-lock-resistance +
    decoherence-resistance.

Per-user memories filed:
- project_quantum_christ_consciousness_bootstrap_hypothesis...
- project_common_sense_2_point_0_name_for_bootstrap...

MEMORY.md index updated for both; Frontier readiness P0
row updated with gap #8 closure + gap #4 elevation.

Attribution: Otto (loop-agent PM hat). Four safety
directives absorbed in-tick without persona hats; when gap
#4 docs execute, Aminata/Nazar/Kenji/etc. will wear hats.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…udits total)

Gap #5 closure milestone reached.

Tick actions:
- .claude/skills/** audited summary-level (236 skills
  delegated to Aarav skill-tune-up portability audit)
- tools/** audited (13 subdirs; mostly factory-generic,
  3 both/project outliers)
- Gap #5 marked SUBSTANTIALLY COMPLETE in BACKLOG P0 row
- Gap #1 (multi-repo split) unblocked by classification

Final gap #5 tally:
- 6 factory-generic
- 10 both-coupled
- 5 zeta-library-specific

Frontier readiness progress (3 of 8 complete):
- Gap #3 closed (NSA test history, PR #177)
- Gap #8 closed on re-inspection (Otto-4)
- Gap #5 SUBSTANTIALLY COMPLETE (Otto-20)

Remaining: gap #1 (unblocked), #2 (linguistic-seed,
high-priority prompt-injection mechanism), #4 (bootstrap-
reference docs, L + reviewers), #6 (persona portability,
may close on re-inspection given agents audit), #7
(tick-history scope-mix).

Original gap #5 estimate: ~20-40 ticks. Actual: ~14 ticks
with batching acceleration.

PR #192 armed for auto-merge.

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…inspection

Gap #6 (persona file portability) CLOSED on re-inspection —
subsumed by gap #5's .claude/agents/** directory audit
(PR #191 Otto-19). All 17 personas classified; surgical
per-persona edits flagged.

NSA-005 (Common Sense 2.0 property recall, Haiku 4.5 NSA-
default): PASS. All 5 properties named correctly with
mechanism attribution. Otto-4 memory NSA-findable + well-
recalled 17 ticks after filing.

Frontier readiness: 4 of 8 closed/substantially complete.
- #3 closed (NSA test history PR #177)
- #5 substantially complete (Otto-20)
- #6 closed on re-inspection (this tick)
- #8 closed on re-inspection (Otto-4)

Remaining: #1 (multi-repo split, unblocked L), #2
(linguistic-seed, high-priority prompt-injection mechanism),
#4 (bootstrap-reference docs, L + reviewers), #7
(tick-history scope-mix).

PR #193 armed for auto-merge.

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…e ROUND-HISTORY pattern)

Gap #7 (tick-history / fire-history scope-mixed) closes on
re-inspection using the same pattern as Otto-18 ROUND-HISTORY
classification:

- Fire-log FILES are project-specific by nature (each
  project has its own session history)
- SCHEMA + DISCIPLINE are factory-generic (append-only,
  row schema, cadenced firing)
- Transfer via docs/AUTONOMOUS-LOOP.md (already factory-
  generic) + hygiene-history-schema pattern

Post-split: Zeta retains tick-history/fire-history files
as-is; Frontier gets empty templates + schema preamble;
adopters populate their own logs from tick 1.

Frontier readiness now 5 of 8 closed/substantially complete
(gaps #3 / #5 / #6 / #7 / #8). Remaining: #1 multi-repo
split (unblocked L), #2 linguistic-seed (high-priority),
#4 bootstrap-reference docs (L + reviewers).

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…on + Amara deep review)

Record-density tick: 4 major directive absorptions:

1. Craft's secret-not-secret strategic purpose (succession-
   engine for multi-generational human maintainers;
   teach-from-birth timelines authorized)
2. Yin/yang mutual-alignment (AI↔human; Craft is companion
   curriculum to ALIGNMENT.md; candidate 6th Common Sense 2.0
   property deferred to Kenji)
3. Gap #4 bootstrap reference docs SKELETON LANDED
   (docs/bootstrap/ with README + quantum-anchor.md +
   ethical-anchor.md; PR #195; reviewer roster set)
4. Amara's deep operational-gap assessment absorbed via
   courier ferry; landed verbatim at docs/aurora/
   2026-04-23-amara-operational-gap-assessment.md
   (PR #196)

Amara's strategic direction: "merge the operating model
you already have before inventing a bigger one." Validates
Otto's closure bias; sharpens Phase 1-4 priorities.

Frontier readiness now 6 of 8 gaps advanced:
- Closed: #3 / #6 / #7 / #8
- Substantially complete: #5
- Skeleton landed: #2 + #4
- Remaining: #1 multi-repo split (unblocked L), #2/#4
  full content (multi-round)

Phase 1 closure push begins next tick: drive #149/#154/
#155/#161/#170 to merge.

Attribution: Otto (loop-agent PM hat).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…correction) (#332)

Completes the input pipeline for TemporalCoordinationDetection.
phaseLockingValue (PR #298): PLV expects phases in radians but
didn't prescribe how events become phases. This ship fills the
gap.

17th graduation under Otto-105 cadence. Addresses Amara 17th-ferry
Part 2 correction #5: 'Without phase construction, PLV is just a
word.'

Surface (2 pure functions):
- PhaseExtraction.epochPhase : double -> double[] -> double[]
  Periodic-epoch phase. φ(t) = 2π · (t mod period) / period.
  Suited to consensus-protocol events with fixed cadence (slot
  duration, heartbeat, epoch boundary).
- PhaseExtraction.interEventPhase : double[] -> double[] -> double[]
  Circular phase between consecutive events. For sample t in
  [t_k, t_{k+1}), phase = 2π · (t - t_k) / (t_{k+1} - t_k).
  Suited to irregular event-driven streams.

Both return double[] of phase values in [0, 2π) radians. Empty
output on degenerate inputs (no exception). eventTimes assumed
sorted ascending; samples outside the event range get 0 phase
(callers filter to interior if they care).

Hilbert-transform analytic-signal approach (Amara's Option B)
deferred — needs FFT support which Zeta doesn't currently ship.
Future graduation when signal-processing substrate lands.

Tests (12, all passing):
epochPhase:
- t=0 → phase 0
- t=period/2 → phase π
- wraps cleanly at period boundary
- handles negative sample times correctly
- returns empty on invalid period (≤0) or empty samples

interEventPhase:
- empty on <2 events or empty samples
- phase 0 at start of first interval
- phase π at midpoint
- adapts to varying interval lengths (O(log n) binary search
  for bracketing interval)
- returns 0 before first and after last event (edge cases)

Composition with phaseLockingValue:
- Two nodes with identical epochPhase period → PLV = 1
  (synchronized)
- Two nodes with same period but constant offset → PLV = 1
  (perfect phase locking at non-zero offset is still locking)

This composes the full firefly-synchronization detection
pipeline end-to-end for event-driven validator streams:
  validator event times → PhaseExtraction → phaseLockingValue
  → temporal-coordination-detection signal

5 of 8 Amara 17th-ferry corrections now shipped:
#1 λ₁(K₃)=2 ✓ already correct (PR #321)
#2 modularity relational ✓ already correct (PR #324)
#3 cohesion/exclusivity/conductance ✓ shipped (PR #331)
#4 windowed stake covariance ✓ shipped (PR #331)
#5 event-stream → phase pipeline ✓ THIS SHIP
Remaining: #4 robust-z-score composite variant (future);
#6 ADR phrasing (already correct); #7 KSK naming (BACKLOG
#318 awaiting Max coord); #8 SOTA humility (doc-phrasing
discipline).

Build: 0 Warning / 0 Error.

Provenance:
- Concept: Aaron firefly-synchronization design
- Formalization: Amara 17th-ferry correction #5 with 3-option
  menu (epoch / Hilbert / circular)
- Implementation: Otto (17th graduation; options A + C shipped,
  Hilbert deferred)

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…18th graduation (Amara #4 robust)

Two ships consolidated per the 'parallel PRs hit positional
conflicts on tail-append' lesson:

1. RobustStats.robustZScore
   (baseline: double seq) -> (measurement: double) -> double option
   Returns (measurement - median) / (1.4826 · MAD). The 1.4826
   constant scales MAD to be consistent with Gaussian stddev.
   MadFloor prevents blow-up when every baseline value equal.

2. Graph.coordinationRiskScoreRobust
   alpha beta eigenTol eigenIter lpIter
   (baselineLambdas: double seq) (baselineQs: double seq)
   (attacked: Graph<'N>) -> double option
   Upgrades coordinationRiskScore (PR #328) from raw linear
   differences to robust-standardized z-scores per Amara
   17th-ferry correction #4. Caller provides baseline metric
   distributions; Z-scores calibrate thresholds from data.

Why robust z-scores: adversarial data isn't normally
distributed. An attacker can poison a ~normal distribution
by adding a few outliers that inflate stddev, making
subsequent real attacks look 'within one sigma'. Median+MAD
survives ~50% adversarial outliers. Standard move in robust
statistics literature; Amara's correction puts it on the
Zeta composite.

Tests (5 new; total 39 since main hasn't merged #331/#332 yet):
- robustZScore None on empty baseline
- robustZScore of measurement = median is 0
- robustZScore scales MAD by 1.4826 for Gaussian consistency
  (measurement 4 on baseline [1..5] ≈ 0.674)
- coordinationRiskScoreRobust fires strongly on K4-injected graph
  given 5 baseline samples
- coordinationRiskScoreRobust returns None on empty baselines

BACKLOG rows added this tick per Aaron Otto-139 directives:
1. Signal-processing primitives (FFT + Hilbert) — unblocks
   Amara correction #5 Option B; Aaron standing-approval
2. F# DSL for entry points + graph-query-language standards
   compliance (Cypher / GQL / Gremlin / SPARQL / Datalog)
3. LINQ-compatible entry points for C# consumers — pair with
   F# DSL; two frontends, one algebraic backend

6 of 8 Amara 17th-ferry corrections now shipped or confirmed:
Remaining: #6 ADR phrasing (already fine); #7 KSK naming
(BACKLOG #318 Max coord pending); #8 SOTA humility
(doc-phrasing discipline ongoing).

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…mara #4 robust) + 3 BACKLOG rows (#333)

* core: RobustStats.robustZScore + Graph.coordinationRiskScoreRobust — 18th graduation (Amara #4 robust)

Two ships consolidated per the 'parallel PRs hit positional
conflicts on tail-append' lesson:

1. RobustStats.robustZScore
   (baseline: double seq) -> (measurement: double) -> double option
   Returns (measurement - median) / (1.4826 · MAD). The 1.4826
   constant scales MAD to be consistent with Gaussian stddev.
   MadFloor prevents blow-up when every baseline value equal.

2. Graph.coordinationRiskScoreRobust
   alpha beta eigenTol eigenIter lpIter
   (baselineLambdas: double seq) (baselineQs: double seq)
   (attacked: Graph<'N>) -> double option
   Upgrades coordinationRiskScore (PR #328) from raw linear
   differences to robust-standardized z-scores per Amara
   17th-ferry correction #4. Caller provides baseline metric
   distributions; Z-scores calibrate thresholds from data.

Why robust z-scores: adversarial data isn't normally
distributed. An attacker can poison a ~normal distribution
by adding a few outliers that inflate stddev, making
subsequent real attacks look 'within one sigma'. Median+MAD
survives ~50% adversarial outliers. Standard move in robust
statistics literature; Amara's correction puts it on the
Zeta composite.

Tests (5 new; total 39 since main hasn't merged #331/#332 yet):
- robustZScore None on empty baseline
- robustZScore of measurement = median is 0
- robustZScore scales MAD by 1.4826 for Gaussian consistency
  (measurement 4 on baseline [1..5] ≈ 0.674)
- coordinationRiskScoreRobust fires strongly on K4-injected graph
  given 5 baseline samples
- coordinationRiskScoreRobust returns None on empty baselines

BACKLOG rows added this tick per Aaron Otto-139 directives:
1. Signal-processing primitives (FFT + Hilbert) — unblocks
   Amara correction #5 Option B; Aaron standing-approval
2. F# DSL for entry points + graph-query-language standards
   compliance (Cypher / GQL / Gremlin / SPARQL / Datalog)
3. LINQ-compatible entry points for C# consumers — pair with
   F# DSL; two frontends, one algebraic backend

6 of 8 Amara 17th-ferry corrections now shipped or confirmed:
Remaining: #6 ADR phrasing (already fine); #7 KSK naming
(BACKLOG #318 Max coord pending); #8 SOTA humility
(doc-phrasing discipline ongoing).

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(#333): 4 review-thread P1/P2s on robustZScore + coordinationRiskScoreRobust

Active PR-resolve-loop on #333.

1. Doc/impl contradiction on MAD=0 (thread 59VhYb, P1):
   RobustStats.robustZScore doc said "returns None when
   MAD(baseline)=0" but impl uses MadFloor and returns
   Some finite value. Rewrote doc to match impl:
   explicit "MadFloor substituted when MAD collapses to
   zero" — floor reflects "scale is below epsilon" not
   "undefined." Implementation is the contract.

2. Multi-enumeration of baseline seq (thread 59VhYq, P1):
   robustZScore previously passed `baseline` to both
   `median` + `mad` which each call `Seq.toArray`.
   Expensive AND inconsistent for lazy/non-repeatable
   sequences (different values between enumerations =
   undefined behavior). Fixed: `Seq.toArray` once at
   entry, pass the materialized array to both. O(n)
   instead of O(2n); stable across lazy sources.

3. Name attribution in Graph.fs doc comment (thread
   59VhY5, P1): "Amara 17th-ferry... Otto 18th
   graduation" → "external AI collaborator's 17th
   courier ferry... Eighteenth graduation under the
   Otto-105 cadence." Role-reference convention per
   AGENT-BEST-PRACTICES code/doc rule.

4. Array-vs-seq terminology (thread 59VhZG, P2):
   Graph.fs doc said callers "provide arrays" but the
   API is `double seq`. Rewrote: sequences + noted the
   materialize-once optimization in robustZScore so
   callers can pass any seq form without re-enumeration
   cost.

Thread 59VhX9 (P3-label-in-P2-section mismatch) — already
resolved on main via PR #341 which landed the signal-
processing row correctly labeled "P2 research-grade."
No fix needed on this branch.

Build: 0 Warning(s) / 0 Error(s). 53 RobustStats + Graph
tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…leration — 15th+16th graduation consolidated

Consolidates the DIRTY #329 cohesion primitives (Amara 17th-ferry
correction #3) with the new StakeCovariance module (Amara
correction #4).

Content from closed PR #329 (resurrect):
- Graph.internalDensity / exclusivity / conductance
- Wachs & Kertész 2019 cartel-detection cohesion/exclusivity
  replacing muddy 'subgraph entropy collapse'

NEW content (Amara correction #4):
- Zeta.Core.StakeCovariance module with:
  - windowedDeltaCovariance : int -> double[] -> double[] -> double option
    Pairwise cov over sliding window of stake-delta series
  - covarianceAcceleration : double option -> double option ->
    double option -> double option
    2nd-difference of three consecutive cov values
    (A(t) = C(t) - 2·C(t-1) + C(t-2))
  - aggregateAcceleration : Map<int * int, double> -> double option
    Mean pairwise acceleration over candidate group

Why a separate module: StakeCovariance operates on raw stake-
delta time series, not Graph edges. Composes WITH Graph via
downstream detector that combines graph signals + covariance
signals + sync signals into the full CoordinationRiskScore.

Addresses Amara's Part 2 correction #4 ambiguity: her Part 1
had 'C(t) = Cov({s_i(t)}, {s_j(t)})' which is undefined at a
single timepoint. This ship implements the windowed-delta +
2nd-difference formulation from her correction.

Tests (10 new, 44 total in GraphTests, all passing):
- internalDensity None on |S|<2
- internalDensity of K3 weight-10 ≈ 10
- exclusivity = 1 for isolated K3
- conductance < 0.1 for well-isolated subset
- windowedDeltaCovariance: None on too-small series
- windowedDeltaCovariance: high positive for synchronized motion
- windowedDeltaCovariance: negative for anti-correlated motion
- covarianceAcceleration = 2nd difference of cov series
- covarianceAcceleration None when any input missing
- aggregateAcceleration averages across pairs

4 of 8 Amara 17th-ferry corrections now shipped (#1 K₃=2 ✓,
conductance ✓, #4 windowed stake covariance acceleration ✓).
Remaining: #5 event→phase pipeline (future); #4 robust-z-score
variant of composite (future); #6 + #7 + #8 doc-phrasing /
BACKLOG.

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ase, audit fail-hard, endpoint lists

Drains 14 unresolved review threads on PR #147 (FactoryDemo.Api.CSharp):
- Zeta.sln: strip leading blank line so 'Microsoft Visual Studio
  Solution File' is the first line (threads #2 #3).
- SignalQuality.fs: compressionRatio on empty input was 1.0, which
  composed as Quarantine via severityOfScore — flipped to 0.0 and
  added explicit empty-input Pass finding in compressionMeasure;
  also dropped unused System.Runtime.CompilerServices open
  (threads #4 #5).
- live-lock-audit.sh: fail hard (exit 2) when origin/main is not
  resolvable so a missing-remote CI checkout can't silently report
  'No commits found' -> healthy; switched --stat|awk file-list
  extraction to git diff-tree --name-only plumbing form
  (threads #1 #6).
- ServiceTitanFactoryApi README + Seed.fs: remove dead memory/
  and docs/plans/ links; replace Aaron's-name reference with
  'human maintainer' role wording; drop non-existent sibling
  SQL-seed refs (threads #7 #8 #9).
- FactoryDemo.Api.CSharp README + Program.cs + Seed.cs: fix dead
  refs to samples/FactoryDemo.Api.FSharp/ and samples/FactoryDemo.Db/
  to point at the real F# sibling samples/ServiceTitanFactoryApi/
  and to a BACKLOG row for the Postgres-backed follow-up
  (threads #11 #14).
- Program.cs + Program.fs: root endpoint index now advertises all
  9 routes including the parameterised {id} routes, matching the
  README tables (threads #12 #13).
- Thread #10 (project naming 'ServiceTitanFactoryApi.CSharp' in PR
  description): resolved in-thread — code/namespace already
  consistent (Zeta.Samples.FactoryDemo.Api); fix is PR-description-
  only, not code.

Build: dotnet build -c Release -> 0 Warning(s) 0 Error(s).

…ase, audit fail-hard, endpoint lists

Drains 14 unresolved review threads on PR #147 (FactoryDemo.Api.CSharp):
- Zeta.sln: strip leading blank line so 'Microsoft Visual Studio
  Solution File' is the first line (threads #2 #3).
- SignalQuality.fs: compressionRatio on empty input was 1.0, which
  composed as Quarantine via severityOfScore — flipped to 0.0 and
  added explicit empty-input Pass finding in compressionMeasure;
  also dropped unused System.Runtime.CompilerServices open
  (threads #4 #5).
- live-lock-audit.sh: fail hard (exit 2) when origin/main is not
  resolvable so a missing-remote CI checkout can't silently report
  'No commits found' -> healthy; switched --stat|awk file-list
  extraction to git diff-tree --name-only plumbing form
  (threads #1 #6).
- ServiceTitanFactoryApi README + Seed.fs: remove dead memory/
  and docs/plans/ links; replace Aaron's-name reference with
  'human maintainer' role wording; drop non-existent sibling
  SQL-seed refs (threads #7 #8 #9).
- FactoryDemo.Api.CSharp README + Program.cs + Seed.cs: fix dead
  refs to samples/FactoryDemo.Api.FSharp/ and samples/FactoryDemo.Db/
  to point at the real F# sibling samples/ServiceTitanFactoryApi/
  and to a BACKLOG row for the Postgres-backed follow-up
  (threads #11 #14).
- Program.cs + Program.fs: root endpoint index now advertises all
  9 routes including the parameterised {id} routes, matching the
  README tables (threads #12 #13).
- Thread #10 (project naming 'ServiceTitanFactoryApi.CSharp' in PR
  description): resolved in-thread — code/namespace already
  consistent (Zeta.Samples.FactoryDemo.Api); fix is PR-description-
  only, not code.

Build: dotnet build -c Release -> 0 Warning(s) 0 Error(s).

…ase, audit fail-hard, endpoint lists

Drains 14 unresolved review threads on PR #147 (FactoryDemo.Api.CSharp):
- Zeta.sln: strip leading blank line so 'Microsoft Visual Studio
  Solution File' is the first line (threads #2 #3).
- SignalQuality.fs: compressionRatio on empty input was 1.0, which
  composed as Quarantine via severityOfScore — flipped to 0.0 and
  added explicit empty-input Pass finding in compressionMeasure;
  also dropped unused System.Runtime.CompilerServices open
  (threads #4 #5).
- live-lock-audit.sh: fail hard (exit 2) when origin/main is not
  resolvable so a missing-remote CI checkout can't silently report
  'No commits found' -> healthy; switched --stat|awk file-list
  extraction to git diff-tree --name-only plumbing form
  (threads #1 #6).
- ServiceTitanFactoryApi README + Seed.fs: remove dead memory/
  and docs/plans/ links; replace Aaron's-name reference with
  'human maintainer' role wording; drop non-existent sibling
  SQL-seed refs (threads #7 #8 #9).
- FactoryDemo.Api.CSharp README + Program.cs + Seed.cs: fix dead
  refs to samples/FactoryDemo.Api.FSharp/ and samples/FactoryDemo.Db/
  to point at the real F# sibling samples/ServiceTitanFactoryApi/
  and to a BACKLOG row for the Postgres-backed follow-up
  (threads #11 #14).
- Program.cs + Program.fs: root endpoint index now advertises all
  9 routes including the parameterised {id} routes, matching the
  README tables (threads #12 #13).
- Thread #10 (project naming 'ServiceTitanFactoryApi.CSharp' in PR
  description): resolved in-thread — code/namespace already
  consistent (Zeta.Samples.FactoryDemo.Api); fix is PR-description-
  only, not code.

Build: dotnet build -c Release -> 0 Warning(s) 0 Error(s).

…sibling (#147)

* Live-lock audit history: inaugural lesson integrated — prevention discipline for next time

Aaron 2026-04-23:

> if you want to beat ARC3 and do better than humans at uptime and
> other DORA metrics then your live-lock smell and the decisions you
> make to prevent live locks in the future based on pass lessons, the
> ability to integrate previous lessions and not forget is ging to be
> key.

Lesson-permanence is the factory's competitive differentiator.
Detection (audit script) is table stakes. Integration — recording the
lesson, consulting it forward, preventing re-occurrence — is the
product.

## What lands

- New "Lessons integrated" section in
  `docs/hygiene-history/live-lock-audit-history.md`
- Inaugural lesson from tonight's smell-firing event, structured as
  signature / mechanism / prevention with 4 concrete prevention
  decisions:
  1. External-priority stack is authoritative; agent reorders only
     internal priorities
  2. Live-lock audit at round-close is a gate-not-a-report
  3. Speculative-work permit requires external-ratio check first
  4. Tick-history rows are explicitly NOT external work; pair INTL
     with EXT when the smell is near firing
- Open carry-forward named: round-close-ladder wiring is a P1
  follow-up (BACKLOG row already filed earlier this session)

## Discipline

Every future smell firing files a lesson to this same section.
`memory/feedback_lesson_permanence_is_how_we_beat_arc3_and_dora_2026_04_23.md`
captures the full rule: detection is not enough, integration is the
product, lessons are consulted BEFORE taking actions that match known
failure-mode signatures, memory persists across sessions.

The pattern extends beyond live-lock: other detection mechanisms
(SignalQuality firing, Amara-oracle rejecting, drift-tick exceeding
threshold, OpenSpec Viktor failing rebuild-from-spec) should file
lessons to their respective hygiene-history files.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples: ServiceTitan factory-demo JSON API (v0, in-memory, stack-independent)

Minimal F# ASP.NET Core Web API serving CRM seed data as JSON. Any
frontend choice (Blazor / React / Vue / curl) consumes the same
endpoints. Ships now so the backend is not on the critical path when
Aaron picks the frontend stack.

## What lands

- `samples/ServiceTitanFactoryApi/ServiceTitanFactoryApi.fsproj`
  using `Microsoft.NET.Sdk.Web`; only explicit package ref is
  `FSharp.Core` (ASP.NET Core comes via framework reference, no
  Directory.Packages.props edit needed)
- `Seed.fs` — in-memory seed mirroring `ServiceTitanFactoryDemo/seed-data.sql`:
  20 customers, 30 opportunities (5 stages), 33 activities, 2 intentional
  email collisions. Deterministic fixed clock at 2026-04-23 00:00 UTC.
- `Program.fs` — minimal F# API with 9 endpoints: customers (list/detail),
  opportunities (list/detail), activities (list/per-customer), pipeline
  funnel (count + total-cents per stage), duplicates (customers sharing
  an email).
- `README.md` — framing (software-factory demo, not database pitch),
  endpoint table, design notes, v1 roadmap.

## Smoke-test output (verified)

```
GET /api/pipeline/funnel
[{"count":10,"stage":"Lead","totalCents":5400000},
 {"count":6, "stage":"Qualified","totalCents":4220000},
 {"count":6, "stage":"Proposal","totalCents":5720000},
 {"count":6, "stage":"Won","totalCents":2670000},
 {"count":2, "stage":"Lost","totalCents":490000}]

GET /api/pipeline/duplicates
[{"customerIds":[1,13],"email":"alice@acme.example"},
 {"customerIds":[5,19],"email":"bob@trades.example"}]
```

Build: 0 Warning(s), 0 Error(s). `dotnet run` starts the API;
curl confirms all endpoints respond correctly.

## Discipline signal

This is the third EXT commit of the session (CRM demo sample #141,
CRM scenario tests in #143, now this API). The live-lock audit's
inaugural lesson explicitly prescribed shipping external-priority
increments when the smell fires. Three landed this session, all on
priority #1 (ServiceTitan + UI) — the factory is correctly
response-pattern even before any of tonight's PRs merge to main.

## What this does NOT do

- Does NOT wire Postgres — in-memory only for v0; Npgsql wiring is
  a follow-up PR once Aaron confirms the DB driver
- Does NOT expose Zeta / DBSP / retraction-native language to the
  frontend — standard CRUD shape per the ServiceTitan positioning
  directive
- Does NOT implement writes — v0 is read-only; POST/PUT/DELETE is
  a follow-up
- Does NOT add auth — no authentication for v0
- Does NOT ship docker-compose — future PR bundles this API with
  Postgres in one command

Composes with:
- `samples/ServiceTitanFactoryDemo/` (SQL schema + seed) — sibling,
  same shapes; v1 wires this API to that schema
- `docs/plans/servicetitan-crm-ui-scope.md` — build sequence step 1
  (API skeleton) complete; step 2 (DB wiring) is next
- `memory/feedback_servicetitan_demo_sells_software_factory_not_zeta_database_2026_04_23.md`
- `memory/feedback_lesson_permanence_is_how_we_beat_arc3_and_dora_2026_04_23.md`

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples: ServiceTitan factory-demo C# companion API — parity with F# sibling

ServiceTitan uses C# for most of their backend with zero F#. Shipping
a C# companion to the F# API (#146) so ST engineers evaluating the
factory see code in the language they already read fluently.
F# stays the reference — it's closer to math, theorems are easier to
express — but factory output matches audience stack.

## What lands

- `ServiceTitanFactoryApi.CSharp.csproj` — `Microsoft.NET.Sdk.Web`,
  nullable + implicit usings enabled, TreatWarningsAsErrors
- `Customer.cs`, `Opportunity.cs`, `Activity.cs` — records, one
  per file (MA0048)
- `Seed.cs` — deterministic in-memory seed, identical to F# Seed.fs:
  20 customers, 30 opportunities, 33 activities, 2 intentional
  email collisions
- `Program.cs` — 9 minimal-API endpoints, identical routes + JSON
  shapes to the F# sibling
- `README.md` — parity guarantee, design notes, C# specifics

## Smoke-test parity (verified)

```
GET /api/pipeline/funnel
[{"stage":"Lead","count":10,"totalCents":5400000}, ...5 stages]

GET /api/pipeline/duplicates
[{"email":"alice@acme.example","customerIds":[1,13]},
 {"email":"bob@trades.example","customerIds":[5,19]}]

GET /api/customers  -> 20 customers
```

Same seed, same shapes, same numbers as the F# version (#146).
Frontends switch between them without code changes.

## Analyzer discipline passes

Build: 0 Warning(s), 0 Error(s) with the full SonarAnalyzer.CSharp +
Meziantou.Analyzer + Microsoft .NET Analyzers pack active. The C#
companion respects every rule the F# version's discipline
already encodes implicitly — StringComparer.Ordinal for GroupBy,
static-readonly for endpoint list, record-per-file, no-var-discarded.

## Discipline signal

Fourth EXT commit of the session (CRM demo #141, CRM scenario tests
#143, F# API #146, now this C# API). All on Aaron's priority #1.
The live-lock audit's inaugural lesson prescribed "ship external-
priority increments when smell fires" — four landed in one session.

## Factory-pitch moment

This pair (F# + C# from the same spec, identical behaviour) is a
concrete factory-capability signal. The software factory produces
code in your stack, to your analyzer discipline, with parity across
languages. The pitch isn't "pick our language"; it's "your language,
enforced by our quality floor."

## What this does NOT do

- Does NOT rewrite or deprecate the F# sibling — both live
- Does NOT wire Postgres — same v0 scope
- Does NOT leak Zeta / DBSP / retraction-native concepts to the
  ST-facing surface
- Does NOT claim the C# version is the primary — F# is reference

Composes with:
- `samples/ServiceTitanFactoryApi/` (F# sibling)
- `memory/project_zeta_f_sharp_reference_c_sharp_and_rust_future_servicetitan_uses_csharp_2026_04_23.md`
- `memory/feedback_servicetitan_demo_sells_software_factory_not_zeta_database_2026_04_23.md`

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* rename: generic FactoryDemo.Api.CSharp (was ServiceTitanFactoryApi.CSharp)

Aaron 2026-04-23 directive:

> lets try to reduce the number of class and thing we call servce titan
> or this will be confusing in a Zeta repo. ... this is not a service
> titan repo, it's an open source repo.

Plus, 2026-04-23 follow-up on language priority:

> c# is a more popular language than f# so it makes sense to start
> with a factory c# demo anyways

## What renames

- `samples/ServiceTitanFactoryApi.CSharp/` →
  `samples/FactoryDemo.Api.CSharp/`
- Project name + csproj filename same rename
- `RootNamespace` `Zeta.Samples.ServiceTitanFactoryApi` →
  `Zeta.Samples.FactoryDemo.Api`
- `namespace` declarations in .cs files match
- Zeta.sln project entry updated
- README rewritten to generic framing (C# is the popular
  .NET language; demo starts there; F# stays reference)
- Root endpoint name field `"ServiceTitan factory-demo API (C#)"` →
  `"Factory-demo API (C#)"`
- All doc cross-references updated to new path names

Build: 0 Warning(s), 0 Error(s) with the full SonarAnalyzer +
Meziantou + Microsoft .NET Analyzers pack. Behaviour unchanged —
same 9 endpoints, same JSON shapes, same seed.

Memory rule:
`memory/feedback_open_source_repo_demos_stay_generic_not_company_specific_2026_04_23.md`
captures the positioning directive in durable form so future
agents don't re-introduce company-specific names.

Sibling renames land in separate PRs / branches:
- F# API sibling (currently PR #146 / ServiceTitanFactoryApi)
- DB scaffold (PR #145 / ServiceTitanFactoryDemo)
- CRM kernel sample (PR #141 / ServiceTitanCrm)
- CRM-UI scope doc (PR #144 / docs/plans/servicetitan-crm-ui-scope.md)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* FactoryDemo.Api.CSharp: smoke-test.sh — end-to-end endpoint + contract verification

I chose to land this because the JSON-shape parity claim we make
in the README ("byte-identical shapes between F# and C# versions")
needs a machine-verifiable check. A smoke test on the C# side is the
first half; the F# sibling gets the same pattern in a follow-up.

Starts the API on a random port, waits up to 10s for readiness,
then runs 19 checks against all 9 endpoints:

  - Root metadata: name, version, endpoints length
  - Collection lengths: customers (20), opportunities (30), activities (33)
  - Single-item lookup: customer #1 name, opportunity #1 stage
  - Per-customer activities: customer #1 has 4
  - Pipeline funnel counts per stage: Lead 10, Qualified 6, Won 6, Lost 2
  - Pipeline funnel totals in cents: Lead $54k, Won $26.7k
  - Duplicates: 2 pairs, (1,13) share alice@acme, (5,19) share bob@trades
  - 404 behaviour: missing customer returns 404

Shuts the API down cleanly on exit via trap + kill.

```
$ bash samples/FactoryDemo.Api.CSharp/smoke-test.sh
Building API...
Starting API on http://localhost:5235...

Factory-demo C# API smoke test
==============================
  OK   root.name contains 'Factory-demo'                  (true)
  OK   root.version                                       (0.0.1)
  OK   root.endpoints length                              (5)
  OK   /api/customers length                              (20)
  ...
  OK   missing customer HTTP status                       (404)

All checks passed.
```

dotnet, curl, jq — all standard dev tools. The demo does not ask
for anything exotic. Matches the FactoryDemo.Db smoke-test.sh
pattern on the sibling branch.

- Random high port (5100-5499) instead of fixed — reduces collision
  with other dev services.
- `curl -sf` for normal checks, `curl -o /dev/null -w "%{http_code}"`
  for the 404 case — the two paths have different error semantics so
  I use different tools for each.
- Shape-level assertions against numeric counts rather than raw JSON
  diff — makes the test tolerant of property-ordering differences
  between serializers. The parity claim is about *shape*, not byte-
  identity, so this matches intent.
- Trap + kill on EXIT — guarantees the API stops even on test
  failure or ctrl-C. No leaked background processes.

- Does NOT test the F# sibling. Same-pattern smoke-test for
  FactoryDemo.Api.FSharp lands in its branch (or a follow-up
  PR on that branch).
- Does NOT diff F# vs C# outputs directly. A cross-language
  parity-diff test composes better as a separate tool once both
  APIs have merged.
- Does NOT wire to Postgres. In-memory seed only; docker-compose
  + DB wiring is a separate PR.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* samples+audit: PR #147 review-drain — sln BOM, signal-quality empty-case, audit fail-hard, endpoint lists

Drains 14 unresolved review threads on PR #147 (FactoryDemo.Api.CSharp):
- Zeta.sln: strip leading blank line so 'Microsoft Visual Studio
  Solution File' is the first line (threads #2 #3).
- SignalQuality.fs: compressionRatio on empty input was 1.0, which
  composed as Quarantine via severityOfScore — flipped to 0.0 and
  added explicit empty-input Pass finding in compressionMeasure;
  also dropped unused System.Runtime.CompilerServices open
  (threads #4 #5).
- live-lock-audit.sh: fail hard (exit 2) when origin/main is not
  resolvable so a missing-remote CI checkout can't silently report
  'No commits found' -> healthy; switched --stat|awk file-list
  extraction to git diff-tree --name-only plumbing form
  (threads #1 #6).
- ServiceTitanFactoryApi README + Seed.fs: remove dead memory/
  and docs/plans/ links; replace Aaron's-name reference with
  'human maintainer' role wording; drop non-existent sibling
  SQL-seed refs (threads #7 #8 #9).
- FactoryDemo.Api.CSharp README + Program.cs + Seed.cs: fix dead
  refs to samples/FactoryDemo.Api.FSharp/ and samples/FactoryDemo.Db/
  to point at the real F# sibling samples/ServiceTitanFactoryApi/
  and to a BACKLOG row for the Postgres-backed follow-up
  (threads #11 #14).
- Program.cs + Program.fs: root endpoint index now advertises all
  9 routes including the parameterised {id} routes, matching the
  README tables (threads #12 #13).
- Thread #10 (project naming 'ServiceTitanFactoryApi.CSharp' in PR
  description): resolved in-thread — code/namespace already
  consistent (Zeta.Samples.FactoryDemo.Api); fix is PR-description-
  only, not code.

Build: dotnet build -c Release -> 0 Warning(s) 0 Error(s).

* drain PR #147: post-rebase thread fixes — test-empty-ratio + smoke-endpoint-count

- tests/Tests.FSharp/Algebra/SignalQuality.Tests.fs: test asserted 1.0 for
  compressionRatio on empty input, but the fix in 16ad746 changed the
  convention to 0.0 (neutral = clean, not maximally suspicious). Updated
  the test expectation + name + comment to match the current code.
- samples/FactoryDemo.Api.CSharp/smoke-test.sh: root.endpoints length
  expectation was 5; Program.cs now advertises 8 routes in the index
  (post 16ad746 expansion). Corrected the smoke-test assertion.

Rebased onto origin/main (which advanced via #146 FactoryDemo.Api.FSharp
merge); Zeta.sln conflicts resolved by keeping both FactoryDemo.Api.FSharp
and the ServiceTitanCrm/samples solution-folder additions.

Build gate: 0 Warning(s) / 0 Error(s) in Release.

* PR #147 review-drain — Copilot pass on b4f5a49

Addresses five unresolved review threads:

- drop/README.md: sweep name attribution to "the human
  maintainer" role-ref (BP-name-attribution).
- samples/FactoryDemo.Api.CSharp/Program.cs: fix endpoint
  comment "9 concrete endpoints" → "8 API endpoints besides
  `/`" (array has 8; root excluded).
- samples/FactoryDemo.Api.CSharp/smoke-test.sh: per-run log
  via mktemp (collision-safe + non-/tmp-host-safe); print
  path on failure + success.
- samples/ServiceTitanFactoryApi/: delete stale F# sibling
  dir (PR #146 already landed FactoryDemo.Api.FSharp on
  main with identical code); drop duplicate sln Project
  block + config duplicates; fix CSharp refs to point at
  the surviving FactoryDemo.Api.FSharp/.

Fifth thread (SignalQuality scope-creep) is judgment —
branch history is deep; splitting now adds more churn than
value. Replying with backlog-and-resolve per three-outcome.

* PR #147 review-drain — 7 threads (Copilot + Codex)

Threads drained:
- btw.md: name attribution -> "human maintainer" / "the maintainer" (Copilot P1, AGENT-BEST-PRACTICES.md:284-292)
- live-lock-audit.sh: add --root to git diff-tree so root commit classifies correctly (Copilot P2)
- FactoryDemo.Api.CSharp Program.cs: add "/" to endpoints list for F# parity; bump smoke-test length 8->9 (Copilot P1 + Codex P2, same fix)
- FactoryDemo.Api.CSharp smoke-test.sh: reword mktemp comment to describe system temp dir accurately (Copilot P2)
- ServiceTitanCrm -> FactoryDemo.Crm: rename dir, fsproj, module namespace, RootNamespace, sln entry, test doc-comment; drop stale ServiceTitanFactoryApi bin+obj (Copilot P1, memory/feedback_open_source_repo_demos_stay_generic_not_company_specific_2026_04_23.md:59-66)
- SignalQuality.fs: compressionRatio + compressionMeasure short-circuit to 0.0 (Pass) below 64-byte threshold to avoid gzip-header-dominates Quarantine of legitimate short strings (Codex P1)

Drain log: docs/pr-preservation/147-drain-log.md preserves each thread verbatim (git-native high-signal preservation).

dotnet build -c Release: 0 Warning(s), 0 Error(s).

* PR #147 review-drain second pass — 4 fix-inline + 3 scope-bleed

- Seed.cs + Seed.fs: rename contact 13 'Aaron Smith' -> 'Acme Contact
  (new lead)' (Copilot P2 name-attribution, parity preserved across
  C# / F# siblings).
- drop/README.md: correct 'only tracked file' wording to reflect the
  README.md + .gitignore two-sentinel design (Copilot P2).
- tools/audit/live-lock-audit.sh: docstring attribution 'Aaron's ...'
  -> 'Human-maintainer ...' (Copilot P1); add '-m' plus 'sort -u' to
  'git diff-tree' so merge commits bucket on their real files instead
  of mis-classifying as OTHR (Codex P1 — was skewing EXT/INTL/SPEC %
  and could disable the live-lock gate after a round of merges).
- docs/pr-preservation/147-drain-log.md: append second-pass per-thread
  audit trail (git-native preservation).

Three threads resolved as scope-bleed / already-addressed: operator-
input-quality-log.md (file not in PR diff, landed via 204bbb6 on
main), AUTONOMOUS-LOOP.md (file not in PR diff, zero Aaron on HEAD),
Tests.FSharp.fsproj (both SignalQuality + CrmScenarios already listed
at lines 26 and 49).

Build: 0W/0E. Audit sanity: live-lock-audit.sh still healthy with
merges now bucketed correctly.

* fix: markdownlint MD001/MD022/MD032 on #147 drain-log (h3→h2 on Thread headers)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain: resolve 11 threads on #147 (mix FIX + BACKLOG + Otto-256 reject)

Thread-by-thread outcomes across the 11 unresolved review threads on PR
#147 (5 FIX, 2 BACKLOG, 2 Otto-256 REJECT, 2 already-addressed/stale):

FIXES (code):
- live-lock-audit.sh: replace `git show --stat` with explicit
  `git log -1 -m --first-parent --name-only` so merge commits classify
  against parent-1 only (the landing side). The prior `git show` form
  risked combined-diff semantics in some git versions; the explicit
  form is first-parent by construction (Codex P1).
- SignalQuality.fs: restore `compressionMinInputBytes = 64` threshold
  (dropped by the f1dc2bb merge-conflict resolution) and mark it
  `private` so it is not part of the public API surface (Copilot).
  Short-circuits `compressionRatio` + `compressionMeasure` to 0.0 for
  sub-threshold inputs, avoiding spurious Quarantine on short legitimate
  strings. Evidence reports UTF-8 byte count (consistent with the
  threshold's units) instead of `text.Length` chars (Copilot). Adjusted
  the empty-string test to assert the new 0.0 neutral value.
- smoke-test.sh: replace non-portable `mktemp -t <template>` with a
  pre-constructed absolute-path template rooted at `${TMPDIR:-/tmp}`
  where XXXXXX is the tail (BSD/macOS requires tail-XXXXXX; GNU accepts
  either). `.log` extension is appended via `mv` after creation so the
  single invocation is cross-platform (Copilot x2 — threads 4 + 10).
- CrmScenarios.Tests.fs: update doc-comment `samples/FactoryDemo.Crm`
  -> `samples/CrmSample` to match the canonical sample path on main
  (Copilot).

BACKLOG (deferred P2):
- Smoke-test deterministic port allocation (Codex P2) — replace
  RANDOM-in-range with OS-assigned ephemeral port via `--urls
  http://127.0.0.1:0` and log-line parse.
- FactoryDemo.Api.CSharp solution project-type GUID hygiene (Copilot)
  — align with modern SDK-style GUID used by other C# projects.

OTTO-256 REJECT (history-file exemption):
- docs/pr-preservation/147-drain-log.md (Copilot) and
  docs/hygiene-history/live-lock-audit-history.md (Copilot): both
  requested stripping first-name "Aaron" attributions. Declined per
  Otto-256 (2026-04-24) — history files exempt from the "no name
  attribution" rule; a P2 BACKLOG row already exists
  (`## P2 — FACTORY-HYGIENE — name-attribution policy clarification
  (history-file exemption)`) to codify this in AGENT-BEST-PRACTICES.md.

ALREADY-ADDRESSED (stale reviewer context):
- drop/README.md heading (Copilot): Copilot flagged "one tracked
  sentinel" but the current heading reads "two tracked sentinels"
  (fixed in a prior drain). Resolving as addressed.

Build: `dotnet build -c Release` -> 0 Warning(s), 0 Error(s).
Tests: `dotnet test --filter "FullyQualifiedName~SignalQuality"` ->
  22/22 pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…leration — 15th+16th graduation consolidated

Consolidates the DIRTY #329 cohesion primitives (Amara 17th-ferry
correction #3) with the new StakeCovariance module (Amara
correction #4).

Content from closed PR #329 (resurrect):
- Graph.internalDensity / exclusivity / conductance
- Wachs & Kertész 2019 cartel-detection cohesion/exclusivity
  replacing muddy 'subgraph entropy collapse'

NEW content (Amara correction #4):
- Zeta.Core.StakeCovariance module with:
  - windowedDeltaCovariance : int -> double[] -> double[] -> double option
    Pairwise cov over sliding window of stake-delta series
  - covarianceAcceleration : double option -> double option ->
    double option -> double option
    2nd-difference of three consecutive cov values
    (A(t) = C(t) - 2·C(t-1) + C(t-2))
  - aggregateAcceleration : Map<int * int, double> -> double option
    Mean pairwise acceleration over candidate group

Why a separate module: StakeCovariance operates on raw stake-
delta time series, not Graph edges. Composes WITH Graph via
downstream detector that combines graph signals + covariance
signals + sync signals into the full CoordinationRiskScore.

Addresses Amara's Part 2 correction #4 ambiguity: her Part 1
had 'C(t) = Cov({s_i(t)}, {s_j(t)})' which is undefined at a
single timepoint. This ship implements the windowed-delta +
2nd-difference formulation from her correction.

Tests (10 new, 44 total in GraphTests, all passing):
- internalDensity None on |S|<2
- internalDensity of K3 weight-10 ≈ 10
- exclusivity = 1 for isolated K3
- conductance < 0.1 for well-isolated subset
- windowedDeltaCovariance: None on too-small series
- windowedDeltaCovariance: high positive for synchronized motion
- windowedDeltaCovariance: negative for anti-correlated motion
- covarianceAcceleration = 2nd difference of cov series
- covarianceAcceleration None when any input missing
- aggregateAcceleration averages across pairs

4 of 8 Amara 17th-ferry corrections now shipped (#1 K₃=2 ✓,
conductance ✓, #4 windowed stake covariance acceleration ✓).
Remaining: #5 event→phase pipeline (future); #4 robust-z-score
variant of composite (future); #6 + #7 + #8 doc-phrasing /
BACKLOG.

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…6th consolidated (Amara corrections #3+#4) (#331)

* core: Graph cohesion (#329 resurrect) + StakeCovariance windowed acceleration — 15th+16th graduation consolidated

Consolidates the DIRTY #329 cohesion primitives (Amara 17th-ferry
correction #3) with the new StakeCovariance module (Amara
correction #4).

Content from closed PR #329 (resurrect):
- Graph.internalDensity / exclusivity / conductance
- Wachs & Kertész 2019 cartel-detection cohesion/exclusivity
  replacing muddy 'subgraph entropy collapse'

NEW content (Amara correction #4):
- Zeta.Core.StakeCovariance module with:
  - windowedDeltaCovariance : int -> double[] -> double[] -> double option
    Pairwise cov over sliding window of stake-delta series
  - covarianceAcceleration : double option -> double option ->
    double option -> double option
    2nd-difference of three consecutive cov values
    (A(t) = C(t) - 2·C(t-1) + C(t-2))
  - aggregateAcceleration : Map<int * int, double> -> double option
    Mean pairwise acceleration over candidate group

Why a separate module: StakeCovariance operates on raw stake-
delta time series, not Graph edges. Composes WITH Graph via
downstream detector that combines graph signals + covariance
signals + sync signals into the full CoordinationRiskScore.

Addresses Amara's Part 2 correction #4 ambiguity: her Part 1
had 'C(t) = Cov({s_i(t)}, {s_j(t)})' which is undefined at a
single timepoint. This ship implements the windowed-delta +
2nd-difference formulation from her correction.

Tests (10 new, 44 total in GraphTests, all passing):
- internalDensity None on |S|<2
- internalDensity of K3 weight-10 ≈ 10
- exclusivity = 1 for isolated K3
- conductance < 0.1 for well-isolated subset
- windowedDeltaCovariance: None on too-small series
- windowedDeltaCovariance: high positive for synchronized motion
- windowedDeltaCovariance: negative for anti-correlated motion
- covarianceAcceleration = 2nd difference of cov series
- covarianceAcceleration None when any input missing
- aggregateAcceleration averages across pairs

4 of 8 Amara 17th-ferry corrections now shipped (#1 K₃=2 ✓,
conductance ✓, #4 windowed stake covariance acceleration ✓).
Remaining: #5 event→phase pipeline (future); #4 robust-z-score
variant of composite (future); #6 + #7 + #8 doc-phrasing /
BACKLOG.

Build: 0 Warning / 0 Error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* core: address PR #331 review on Graph + StakeCovariance

- Fix conductance full-subset check: intersect S with the
  graph's node set instead of comparing |S| = |V|. Subsets
  containing nodes outside the graph could match by count
  alone and erroneously return None.
- Fix internalDensity self-loop accounting: exclude s = t
  from the numerator so the sum aligns with the
  |S|·(|S|-1) ordered-distinct-pair denominator.
- windowedDeltaCovariance now requires equal-length input
  series (returns None on mismatch) so the trailing window
  aligns by time index rather than silently truncating the
  longer series. Doc reflects that constant / zero-variance
  windows return Some 0.0 (covariance is well-defined and
  zero, not undefined). Population covariance is intentional
  and now documented.
- aggregateAcceleration is generic over the node-key type
  ('N when 'N : comparison) for API consistency with
  Graph<'N>; switched the average to a single-pass Map.fold
  to drop the intermediate array allocation.
- Drop [<AutoOpen>] on the StakeCovariance module so
  Graph.fs doesn't auto-open two namespaces' worth of
  identifiers into Zeta.Core. Tests already opened the
  module explicitly; relocated that open to the top of the
  test file alongside other opens.
- Strip ferry / correction-number lineage from doc
  comments per the code-comments-explain-code rule.

* docs: PR #331 drain log + StakeCovariance file-split backlog row

Adds the per-thread drain log under
docs/pr-preservation/331-drain-log.md (verbatim reviewer
comments + outcomes + replies + resolution commit) and a
P2 backlog row capturing the StakeCovariance file-split
follow-up flagged in thread 2.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…Corrections

Two-part ferry from Aaron Otto-157/158 tick boundary:

Part 1 — Deep research on Cartel-Lab calibration + CI hardening
  (~4000 words; 8 sections A-H + action items + Mermaid diagrams):
  - Null-models table (6 types: Erdős-Rényi, configuration,
    stake-shuffle, temporal-shuffle, clustered-honest, noise)
  - CoordinationRiskScore formula with 6 robust-z terms +
    default weights α=β=0.20, γ=ε=0.15, δ=0.20, η=0.10
  - 8-row adversarial scenario table (obvious clique → stealth
    → synchronized voting → honest cluster → low-weight →
    camouflage → rotating → cross-coalition)
  - 4-PR roadmap: seed-lock/CI governance → calibration harness
    → adversarial scenarios → docs/promotion criteria
  - KSK/Aurora integration: advisory-only flow
    (Detection → Oracle → KSK → Action)
  - "What not to claim" caveats (6 items: no proof of intent,
    not all collusion detectable, not production-ready, etc.)

Part 2 — Amara's own GPT-5.5 Thinking correction pass on Part 1
  (~1500 words; 10 required corrections; repo-safe status
  statement; corrected promotion ladder + PR roadmap titles):
  - #1: replace "CI confirms" with "PR #323 clears toy
    falsifiability bar"
  - #2: Wilson intervals replace handwave ±5% CI (90/100 →
    LB only 82.6%; 20/100 FPR → UB 28.9%)
  - #3: rename "Cartel Score" → "CoordinationRiskScore" locked
  - #4: conductance sign flip — use Z(-conductance) or
    Z(exclusivity), not Z(+conductance)
  - #5: modularity relational — use Q(attacked)-Q(baseline)>θ
    not absolute Q thresholds
  - #6: PLV phase-offset — PLV=1 can mean anti-phase; need
    magnitude AND mean phase offset
  - #7: MAD=0 fallback — epsilon floor or percentile-rank
  - #8: replace Medium-article source with scikit-learn
    precision-recall docs
  - #9: explicit artifact output layout
    (calibration-summary.json, seed-results.csv, etc.)
  - #10: sharder — measure variance before widening threshold

Corrected promotion ladder (0-6 stages):
  0 Theory / 1 Toy detector / 2 Calibration harness /
  3 Scenario suite / 4 Advisory engine / 5 Governance integration /
  6 Enforcement candidate

PR #323 is Stage 1, NOT Stage 4.

Otto's operationalization notes:
- 4/10 corrections already aligned with shipped substrate:
  #4 exclusivity (PR #331), #5 modularity relational
  (PR #324), #7 MAD floor (PR #333), #10 sharder Otto-132
  (BACKLOG #327).
- 6/10 queued as future graduations: Wilson CIs in tests;
  MAD=0 percentile-rank fallback; conductance-sign doc;
  PLV phase-offset extension; CI test classification;
  artifact-output layout.

Invariant restated (Amara 16th-ferry carry-over):
  "Every abstraction must map to a repo surface, a test,
   a metric, or a governance rule."

Cross-ref verified: PRs #321 #323 #324 #326 #327 #331 #332
#333, docs/definitions/KSK.md (Otto-157 / #336), 17th ferry
(#330), 16th ferry, 15th ferry, Otto-140..145 memory.

GOVERNANCE §33 four-field header (Scope / Attribution /
Operational status / Non-fusion disclaimer).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ns (10 tracked; 4 already shipped, 6 queued) (#337)

* ferry: Amara 18th absorb — Calibration + CI Hardening + 5.5-Thinking Corrections

Two-part ferry from Aaron Otto-157/158 tick boundary:

Part 1 — Deep research on Cartel-Lab calibration + CI hardening
  (~4000 words; 8 sections A-H + action items + Mermaid diagrams):
  - Null-models table (6 types: Erdős-Rényi, configuration,
    stake-shuffle, temporal-shuffle, clustered-honest, noise)
  - CoordinationRiskScore formula with 6 robust-z terms +
    default weights α=β=0.20, γ=ε=0.15, δ=0.20, η=0.10
  - 8-row adversarial scenario table (obvious clique → stealth
    → synchronized voting → honest cluster → low-weight →
    camouflage → rotating → cross-coalition)
  - 4-PR roadmap: seed-lock/CI governance → calibration harness
    → adversarial scenarios → docs/promotion criteria
  - KSK/Aurora integration: advisory-only flow
    (Detection → Oracle → KSK → Action)
  - "What not to claim" caveats (6 items: no proof of intent,
    not all collusion detectable, not production-ready, etc.)

Part 2 — Amara's own GPT-5.5 Thinking correction pass on Part 1
  (~1500 words; 10 required corrections; repo-safe status
  statement; corrected promotion ladder + PR roadmap titles):
  - #1: replace "CI confirms" with "PR #323 clears toy
    falsifiability bar"
  - #2: Wilson intervals replace handwave ±5% CI (90/100 →
    LB only 82.6%; 20/100 FPR → UB 28.9%)
  - #3: rename "Cartel Score" → "CoordinationRiskScore" locked
  - #4: conductance sign flip — use Z(-conductance) or
    Z(exclusivity), not Z(+conductance)
  - #5: modularity relational — use Q(attacked)-Q(baseline)>θ
    not absolute Q thresholds
  - #6: PLV phase-offset — PLV=1 can mean anti-phase; need
    magnitude AND mean phase offset
  - #7: MAD=0 fallback — epsilon floor or percentile-rank
  - #8: replace Medium-article source with scikit-learn
    precision-recall docs
  - #9: explicit artifact output layout
    (calibration-summary.json, seed-results.csv, etc.)
  - #10: sharder — measure variance before widening threshold

Corrected promotion ladder (0-6 stages):
  0 Theory / 1 Toy detector / 2 Calibration harness /
  3 Scenario suite / 4 Advisory engine / 5 Governance integration /
  6 Enforcement candidate

PR #323 is Stage 1, NOT Stage 4.

Otto's operationalization notes:
- 4/10 corrections already aligned with shipped substrate:
  #4 exclusivity (PR #331), #5 modularity relational
  (PR #324), #7 MAD floor (PR #333), #10 sharder Otto-132
  (BACKLOG #327).
- 6/10 queued as future graduations: Wilson CIs in tests;
  MAD=0 percentile-rank fallback; conductance-sign doc;
  PLV phase-offset extension; CI test classification;
  artifact-output layout.

Invariant restated (Amara 16th-ferry carry-over):
  "Every abstraction must map to a repo surface, a test,
   a metric, or a governance rule."

Cross-ref verified: PRs #321 #323 #324 #326 #327 #331 #332
#333, docs/definitions/KSK.md (Otto-157 / #336), 17th ferry
(#330), 16th ferry, 15th ferry, Otto-140..145 memory.

GOVERNANCE §33 four-field header (Scope / Attribution /
Operational status / Non-fusion disclaimer).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* ferry: fix markdownlint MD018 — line-start #221 parsed as H1 heading

* ferry: drain PR #337 review threads — 4 FIX, 2 NARROW+BACKLOG, 8 BACKLOG+RESOLVE

Factory-authored sections of the 18th-ferry absorb (header,
Otto's notes, Cross-references) edited under name-attribution
+ code-comments-not-history disciplines; Amara's verbatim
Part 1 + Part 2 body left intact per verbatim-preserve.

In-doc edits:
- Soften "verified against actual" wording on the
  CLAUDE.md cross-reference bullet to anchor-list
  rechecked-at-drain-time framing.
- Use full `tests/Tests.FSharp/Simulation/` path in the
  Stage-discipline section (was bare `tests/Simulation/`).
- Replace dead "GOVERNANCE §33" cite with
  factory-convention + CLAUDE.md ground-rule pointer
  (numbered §33 not yet landed; rule is captured
  by convention across docs/aurora/** absorbs).
- Drop broken `feedback_ksk_naming_*.md` filename and
  soften 15th/16th ferry cross-refs to "not present as a
  dedicated absorb in this snapshot."

Drain-log: docs/pr-preservation/337-drain-log.md per
Otto-250.

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>