Merged
2 changes: 1 addition & 1 deletion docs/0-0-0-readiness/CLASSIFICATION.md
Expand Up @@ -134,7 +134,7 @@ Per `docs/active-trajectory.md` strict bucket taxonomy: classification requires
|---|---|---|---|
| `.github/workflows/budget-snapshot-cadence.yml` | +38/-75 | **SAFE_TO_RESET_LFG_SUPERSEDES** | LFG has 3 commits AceHack lacks: `2ce1abb fix(scorecard): scope budget-cadence permissions job-level (TokenPermissionsID) (#679)`, `5298114 sync(acehack→lfg): infra clean-additive batch (#660)`, `dfb49e5 sync(acehack→lfg): forward-port 63 AceHack-only files (#663)`. AceHack-only `+38` lines contain **six distinct regressions** vs LFG: (1) **Auto-merge dead-end risk** — AceHack arms `gh pr merge --auto` despite GitHub's anti-recursion guard that prevents `GITHUB_TOKEN`-triggered events from firing downstream workflow runs; auto-merge would silently stall every weekly run. LFG explicitly NOT armed with detailed GITHUB_TOKEN limitation explanation citing an external AI reviewer's P1 finding on the AceHack-side originating PR (`b42e9e5 ops(ci): weekly budget-snapshot-cadence workflow (task #297, follow-up to #287) (#25)`). (2) **Token permissions** — AceHack uses broader top-level `contents: write` + `pull-requests: write`; LFG uses top-level `contents: read` + job-level `contents: write` + `pull-requests: write` + `actions: read` per Scorecard `TokenPermissionsID` minimum-blast-radius best practice. (3) **Missing `actions: read`** — AceHack drops job-level `actions: read` entirely, which means snapshot-burn.sh's calls to Actions REST API (`/repos/.../actions/runs` and `/actions/runs/{id}/timing`) would 403 silently and fall back to empty/zeroed timing data while still writing a snapshot — producing misleading evidence rather than a hard failure. (4) **AgencySignature validator inconsistency** — AceHack sets `Human-Review-Evidence: signed-policy` in both commit trailer + PR body; LFG sets `Human-Review-Evidence: none` per the deployed validator's consistency rule (Evidence must be "none" when Human-Review is `not-implied-by-credential`, not "explicit"). 
The deployed pre-merge AgencySignature validator at `tools/hygiene/validate-agencysignature-pr-body.sh` (per task #298) would block AceHack-version PRs. (5) **Schedule-context input expression** — AceHack uses `${{ inputs.note }}` (less safe / less portable across `schedule` + `workflow_dispatch` event types since `inputs` context is supplied by `workflow_dispatch` but not by `schedule`); LFG uses `${{ github.event.inputs.note \|\| '' }}` which is safer across both. (6) **Persona-name attribution on current-state CI surface** — AceHack version contains two persona-name attribution comments on this CI workflow file (one citing two named external-AI reviewers + their respective ferry-numbers as Squash-Merge Invariant authority; another prefixed "Per the [N]-ferry consensus" framing); LFG version uses role-ref form ("per the canonical 10-trailer convention") which is rule-compliant per the closed-list role-vs-name rule (`docs/AGENT-BEST-PRACTICES.md`). Same pattern as Batch 2 files. **Buddy review (Level-1, 2026-04-29)** approved this classification with two named tightenings (ledger tense + softer wording on item 5), both applied. |

**Batch 3b result: 1 of 1 files SAFE_TO_RESET_LFG_SUPERSEDES.** (Post-merge of this PR — atomic with merge per decision-vs-resolution discipline. Ledger update from headline `classified_safe_lines = 235 → 273` and `unclassified_lines = 38 → 0` lands in a small follow-up ledger-flip PR after this PR merges; this PR holds the classification record only, not the ledger headline edit.)
**Batch 3b result (in-force as of #842 merge, 2026-04-29T13:27:07Z): 1 of 1 files SAFE_TO_RESET_LFG_SUPERSEDES.** Ledger headline flipped `classified_safe_lines = 235 → 273` and `unclassified_lines = 38 → 0` in the follow-up ledger-flip PR (per the two-PR split that avoids contingent-prose churn). **All files now classified — strict gate's classification condition satisfied.**

**After Batch 3b lands and the follow-up ledger-flip PR lands, the strict gate's classification condition is satisfied** (`unclassified_lines = 0`, `unsafe_lines = 0`, `binary_*_unclassified = 0`). Remaining gate conditions are all operational (fresh-clone fsck = clean, hard-reset preflight = clean, ls-remote-vs-fetch SHA match = verified, dry-run push shape = clean, maintainer signoff = yes).
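
Review bot: The added "Batch 3b result (in-force as of #842 merge, ...)" line cites #842 by number but names the PR that flipped the ledger headline only as "the follow-up ledger-flip PR". Since this line is the record that `unclassified_lines = 38 → 0` actually landed, cite that PR by number as well, so the flip can be verified from this file without searching history.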

Copilot AI Apr 29, 2026

This section is internally inconsistent: it states “All files now classified — strict gate’s classification condition satisfied.” and then immediately says “After Batch 3b lands and the follow-up ledger-flip PR lands, the strict gate’s classification condition is satisfied…”. Once this PR merges, both conditions have already landed, so the second sentence should be updated to present/past tense or removed to avoid contradicting the in-force statement above.

Suggested change
**After Batch 3b lands and the follow-up ledger-flip PR lands, the strict gate's classification condition is satisfied** (`unclassified_lines = 0`, `unsafe_lines = 0`, `binary_*_unclassified = 0`). Remaining gate conditions are all operational (fresh-clone fsck = clean, hard-reset preflight = clean, ls-remote-vs-fetch SHA match = verified, dry-run push shape = clean, maintainer signoff = yes).
**The strict gate's classification condition is now satisfied** (`unclassified_lines = 0`, `unsafe_lines = 0`, `binary_*_unclassified = 0`). Remaining gate conditions are all operational (fresh-clone fsck = clean, hard-reset preflight = clean, ls-remote-vs-fetch SHA match = verified, dry-run push shape = clean, maintainer signoff = yes).

15 changes: 8 additions & 7 deletions docs/active-trajectory.md
Expand Up @@ -140,16 +140,16 @@ Current ledger (last updated 2026-04-29T12:31Z, post-option-(c)-migration-PR —

```text
potential_loss_lines = 273 all AceHack-only +lines (would be erased on hard-reset)
classified_safe_lines = 235 semantic evidence in BUCKET 2 (SAFE_TO_RESET_LFG_SUPERSEDES)
classified_safe_lines = 273 semantic evidence in BUCKET 2 (SAFE_TO_RESET_LFG_SUPERSEDES)
unsafe_lines = 0 no NEEDS_FORWARD_SYNC or NEEDS_HUMAN_DECISION
unclassified_lines = 38 HEURISTIC_LFG_DOMINATES — pending per-file semantic inspection
unclassified_lines = 0 ALL FILES CLASSIFIED — strict gate's classification condition satisfied
```

**Ledger state**: in-force as of post-#839-merge (option-(c) migration landed 2026-04-29T12:46:29Z). The 9 ACEHACK_ONLY tick rows are durably preserved as Option B shards under `docs/hygiene-history/ticks/2026/04/28/` on LFG main. Hard-reset of `loop-tick-history.md` is content-preservation-safe.

`potential_loss_lines = 273` was computed 2026-04-29T10:25Z via `git diff --numstat refs/remotes/origin/main..refs/remotes/acehack/main` and remains canonical: the AceHack and LFG main tips have not advanced relative to each other in a way that touched the divergent files (#837 + #838 + the option-(c) migration only touch docs in `docs/0-0-0-readiness/` and add new shard files in `docs/hygiene-history/ticks/2026/04/28/` — neither set affects the existing AceHack-vs-LFG diff for the divergent file set). Re-compute on next batch open if either tip moves materially.

Arithmetic sanity check: `273 = 235 + 0 + 38` ✓ (per the multi-AI review discipline — verify mechanically, do not trust the math because it "looks plausible").
Arithmetic sanity check: `273 = 273 + 0 + 0` ✓ (per the multi-AI review discipline — verify mechanically, do not trust the math because it "looks plausible"). **All 273 AceHack-only `+` lines now have classified-safe semantic evidence.**

### Option-(c) Migration Preflight Ledger (loop-tick-history.md, 2026-04-29T12:31Z)
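
Review bot: The "**Ledger state**: in-force as of post-#839-merge" line and the "Current ledger (last updated 2026-04-29T12:31Z, ..." heading shown in the hunk header are left unchanged, while the ledger block between them now carries the post-#842 values (`classified_safe_lines = 273`, `unclassified_lines = 0`). Update both to the #842 merge so the stated provenance of the ledger matches the numbers in it; as written, a reader checking the gate sees final values attributed to an earlier merge.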

Expand All @@ -170,14 +170,15 @@ Per the Migration Preflight Ledger discipline (per multi-AI review 2026-04-29 pa

Net: 9 shard writes; 1 no-op (COMMON_IDENTICAL with positional drift). The misclassification of `2026-04-21T17:28` as SAME_TIMESTAMP_DRIFT (caught during the trajectory's earlier prose-only classification on #838) was corrected here by the preflight ledger's content-hash check — exactly the bug-class the discipline is designed to prevent. **A timestamp is an address, not an identity.**

Composition of `classified_safe_lines = 235` (in-force post-#840-merge):
Composition of `classified_safe_lines = 273` (in-force post-#842-merge — ALL FILES CLASSIFIED):

- 9 infra files (97 lines): see "9 infra files" table above. SAFE_TO_RESET_LFG_SUPERSEDES with named per-file evidence.
- 5 calibration-batch files (28 lines, 2026-04-28): MEMORY.md (11) + codeql_umbrella (12) + doc_class_mirror_beacon (1) + CURRENT-aaron (2) + CURRENT-amara (2). Originally labeled "ALREADY-COVERED" in older taxonomy; under strict bucket each has named evidence in `docs/0-0-0-readiness/CLASSIFICATION.md` → SAFE_TO_RESET_LFG_SUPERSEDES.
- Batch 1 (9 lines, 2026-04-29T11:32Z): SECURITY.md (4) + validate-agencysignature-pr-body.sh (5). See `docs/0-0-0-readiness/CLASSIFICATION.md` Batch 1 table for named evidence per file.
- Batch 2 (81 lines, 2026-04-29T12:05Z): codeql-config.yml (6) + memory-index-duplicate-lint.yml (8) + audit-memory-index-duplicates.sh (8) + Shard.fs (9) + AUTONOMOUS-LOOP.md (9) + macos.sh (11) + fix-markdown-md032-md026.py (16) + curl-fetch.sh (14). See `docs/0-0-0-readiness/CLASSIFICATION.md` Batch 2 table for named evidence per file. Common pattern: LFG version is either rule-compliant (role-refs vs persona-name violations on current-state surfaces), more accurate (correct retry-math on curl-fetch.sh), the perf-fixed form (Shard.fs non-boxing comparer), the current doctrine (AUTONOMOUS-LOOP.md Option B shard-mode), or strict superset (fix-markdown-md032-md026.py YAML frontmatter handling).
- Option-(c) migration (12 lines, #839 merged 2026-04-29T12:46:29Z): `loop-tick-history.md` reclassified from NEEDS_HUMAN_DECISION → SAFE_TO_RESET_LFG_SUPERSEDES because the 9 ACEHACK_ONLY rows are durably preserved as Option B shards under `docs/hygiene-history/ticks/2026/04/28/`. Hard-reset of the table on AceHack is content-preservation-safe.
- Batch 3a (8 lines, #840 merged 2026-04-29T12:54:53Z): `memory/project_laptop_only_*.md`. AceHack drops the closed-list-scope qualifier from the `../scratch` / `../SQLSharp` zero-matches completion criterion (technically unsatisfiable without the qualifier); LFG version is rule-compliant. See `docs/0-0-0-readiness/CLASSIFICATION.md` Batch 3a table.
- Batch 3b (38 lines, #842 merged 2026-04-29T13:27:07Z, post-Level-1-buddy-review): `.github/workflows/budget-snapshot-cadence.yml`. AceHack-only +38 lines contain six distinct regressions — auto-merge dead-end risk (would silently stall every weekly run due to GITHUB_TOKEN anti-recursion guard), broader top-level token permissions, missing `actions: read` (snapshot-burn.sh would 403 silently), AgencySignature validator rule violation (`Human-Review-Evidence: signed-policy` while not "explicit"), less-portable schedule-context input expression, persona-name attribution on current-state CI surface. LFG has 3 commits AceHack lacks including `2ce1abb fix(scorecard): scope budget-cadence permissions job-level (TokenPermissionsID) (#679)`. See `docs/0-0-0-readiness/CLASSIFICATION.md` Batch 3b table for named per-regression evidence.

Composition of `unsafe_lines = 0` (in-force post-#839-merge):
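
Review bot: In the new Batch 3b bullet, the parenthetical "(`Human-Review-Evidence: signed-policy` while not "explicit")" drops the field the condition is about. The CLASSIFICATION.md row states the rule as Evidence must be "none" when Human-Review is `not-implied-by-credential`; wording the summary as "while `Human-Review` is `not-implied-by-credential`" would let it be checked against the validator rule directly. The per-item line counts do sum to the new headline (97 + 28 + 9 + 81 + 12 + 8 + 38 = 273).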

Expand All @@ -187,13 +188,13 @@ Composition of `unsafe_lines = 0` (in-force post-#839-merge):

`loop-tick-history.md` was previously NEEDS_HUMAN_DECISION (12 lines, mutual divergence — 9 truly-unique-AceHack timestamps + 9 truly-unique-LFG timestamps + 1 COMMON_IDENTICAL_REORDERED row per the Migration Preflight Ledger above). Maintainer chose option (c); the option-(c) migration PR (#839, merged 2026-04-29T12:46:29Z) wrote 9 ACEHACK_ONLY rows as Option B shards on LFG, making hard-reset content-preservation-safe. File now classifies SAFE_TO_RESET_LFG_SUPERSEDES.

Composition of `unclassified_lines = 38` (1 file):
Composition of `unclassified_lines = 0` (in-force post-#842-merge — ALL FILES CLASSIFIED):

```text
38 .github/workflows/budget-snapshot-cadence.yml
(empty — strict gate's classification condition satisfied)
```

This is the last unclassified file. It has real behavioral divergence (auto-merge policy + Scorecard `TokenPermissionsID` security fix) requiring explicit Level-1 buddy review per the Second-Agent Design Review Gate (Amara 2026-04-29 packet 10) before classification. After Batch 3b classifies it, `unclassified_lines = 0` and the strict gate's classification condition is satisfied.
**Strict gate's classification condition is now SATISFIED.** Remaining gate conditions are all operational + maintainer-irreversible: fresh-clone fsck = clean, hard-reset preflight = clean, ls-remote-vs-fetch SHA match = verified, dry-run push shape = clean, maintainer signoff = yes.

### Hard-reset signoff gate (strict)
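
Review bot: The new closing paragraph describes the remaining gate conditions as "all operational + maintainer-irreversible", while the matching sentence in `docs/0-0-0-readiness/CLASSIFICATION.md` calls them "all operational", and the five-item list is restated here immediately above the "Hard-reset signoff gate (strict)" heading. Use one wording in both files and point to that section instead of repeating the list, so the gate definition cannot drift between the two documents.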
