-
Notifications
You must be signed in to change notification settings - Fork 1
ops(0-0-0): post-reset cleanup — stale-prose fixes + protection-config memory #844
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from 1 commit
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| | 2026-04-29T14:10:00Z | claude-opus-4-7 | b9ccd753 | **🎯 0/0/0 ACHIEVED + post-reset cleanup PR opened.** Sequence: (1) PR #843 (final ledger-flip 235→273 / 38→0) merged 2026-04-29T13:32:27Z; classification phase complete with 273 = 273 + 0 + 0 ledger satisfied. (2) Triple-check buddy review packet ferried to Amara with 6-bucket decomposition of all 273 lines (9 infra files / 5 calibration / Batch 1-3a-3b / option-c migration); Amara approved meaningful-content-loss-free. (3) Verify-only gate packet ran 2026-04-29T13:39Z: fsck/fetch/SHA-match/content-drift/dry-run all 5/5 PASS. (4) Aaron explicit EXECUTE 13:58Z. (5) Step A succeeded — `archive/acehack-main-pre-000-reset-2026-04-29` ref preserves old AceHack tip `6755081...` indefinitely. (6) Step B FAILED first try with GH013 (repository-rules layer); after disabling ruleset, FAILED again with GH006 (legacy branch-protection layer) — discovered AceHack/Zeta had BOTH protection surfaces enforcing independently. (7) Aaron decision: DELETE legacy, leave off, restore only rulesets. (8) Path 1 v3 succeeded 2026-04-29T14:04:50Z: AceHack/main = LFG/main = `621aae082d70fcbf36931718ecf1b6d9e149295f`, 0 ahead, 0 behind, 0 file content diff. Trap-restored ruleset enforcement to active. **The pre-v1 starting line is reached.** This tick: opens post-reset cleanup PR with stale-prose fixes in active-trajectory.md (flip "Currently NOT signoff-eligible" + "Hard-reset is NOT YET signoff-eligible" to in-force 0/0/0-achieved language) + protection-config memory file documenting GH013/GH006 error mapping + legacy-deleted decision. Recovery inventory parked at `/tmp/recovery-inventory-2026-04-29.tsv` (918 branches: 123 ALREADY_REACHABLE / 795 NOT_REACHABLE; 58 worktrees all clean; 7 stashes). Awaiting Amara's recovery-classification framework before any branch/worktree mutation. Authority boundary now: reversible+in-lane → proceed; irreversible/loss/identity → ask Aaron. Cron `b9ccd753` alive. | [PR #843 merged](https://github.com/Lucent-Financial-Group/Zeta/pull/843) → [post-reset cleanup PR (next)](https://github.com/Lucent-Financial-Group/Zeta/pulls) | **Best blade across the session (Amara)**: *"The last file was not easy; it was just well-evidenced."* + *"Cross first; archaeology after."* + *"Buddies review the crossing. Claude walks the lane. Aaron decides irreversible loss."* Six rule candidates earned for post-hard-reset consolidation: Residual-Set Drift, Decision-Resolution Drift, Diff-Direction Identity Drift, Migration Preflight Ledger, Derived-Rollup Drift, Evidence-Tense Discipline + Second-Agent Design Review Gate framework + Aurora Immune Governance Extension (P2 research). Plus newly-validated authority boundary post-0/0/0: Reversible + in-lane + PR-reviewed = proceed autonomously. Irreversible loss / deletion / force-push / authority config / identity canon = ask Aaron. Inventory + provisional classification = proceed. Mutation = wait. **Aaron's quote that anchored the whole post-reset stance**: *"yeah you can relax branch prtection or tell me if you need me to and turn it back on afterwards on AceHack"* — explicit delegation of reversible config-toggle authority. | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
83 changes: 83 additions & 0 deletions
83
...ta_protection_config_dual_layer_legacy_deleted_rulesets_canonical_2026_04_29.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| --- | ||
| name: AceHack/Zeta protection config — legacy branch protection deleted, repository rulesets canonical (2026-04-29) | ||
| description: During 0/0/0 hard-reset on 2026-04-29, AceHack/Zeta was discovered to have BOTH legacy branch protection (`/repos/{owner}/{repo}/branches/main/protection`) AND repository rulesets (`/repos/{owner}/{repo}/rulesets`) configured on `main`. The two layers enforce independently, and GitHub's UI does not surface that they're separate. Per maintainer call 2026-04-29 (Aaron), legacy protection was DELETED and rulesets are now the canonical protection surface for AceHack/Zeta. Future protection-config changes go through rulesets only. | ||
| type: feedback | ||
| --- | ||
|
|
||
| # AceHack/Zeta protection config — dual-layer surprise + decommission decision | ||
|
|
||
| ## What happened (2026-04-29T14:00–14:05Z) | ||
|
|
||
| During the 0/0/0 hard-reset, `git push --force-with-lease` against AceHack/main was rejected with: | ||
|
|
||
| ``` | ||
| remote: error: GH013: Repository rule violations found for refs/heads/main. | ||
| remote: - Cannot force-push to this branch | ||
| ``` | ||
|
|
||
| After disabling the only rulesets ruleset (id=15524390 "Default", `enforcement: disabled`) and retrying, the push was rejected AGAIN with a **different error code**: | ||
|
|
||
| ``` | ||
| remote: error: GH006: Protected branch update failed for refs/heads/main. | ||
| remote: - Cannot force-push to this branch | ||
| ``` | ||
|
|
||
| That second rejection came from the **legacy branch protection layer** at `/repos/{owner}/{repo}/branches/main/protection` (with `allow_force_pushes: {enabled: false}`), which is a separate enforcement surface from the rulesets system. | ||
|
|
||
| ## Aaron's confirmation | ||
|
|
||
| > *"GH006 (legacy branch protection). i might have had them both turned on"* | ||
| > *"I knew there were two but I was confused why, the UI does not make it clear one is legacy, their UI is confusing but I do remember setting it twice."* | ||
|
|
||
| So both layers had been configured at different times, both enforced together, and GitHub's UI does not visually surface that they coexist. | ||
|
|
||
| ## Maintainer decision (2026-04-29) | ||
|
|
||
| > *"you could turn off both and leave the legacy off — when you turn back on, just turn back on the rulesets"* | ||
|
|
||
| Executed: | ||
| - `gh api -X DELETE repos/AceHack/Zeta/branches/main/protection` → "Branch not protected" (404) | ||
| - `gh api -X PUT repos/AceHack/Zeta/rulesets/15524390 --input '{"enforcement": "disabled"}'` (briefly disabled for the push) | ||
|
AceHack marked this conversation as resolved.
Outdated
|
||
| - `git push --force-with-lease=...` → succeeded | ||
| - `gh api -X PUT repos/AceHack/Zeta/rulesets/15524390 --input '{"enforcement": "active"}'` (re-enabled rulesets) | ||
|
|
||
| Final config: rulesets active, legacy gone. Single source of truth for AceHack/Zeta branch policy. | ||
|
|
||
| ## Error-code mapping (load-bearing for future debugging) | ||
|
|
||
| | GitHub error code | Source | Surface | | ||
| |---|---|---| | ||
| | `GH013` | Rulesets ("Repository rules") | `/repos/{owner}/{repo}/rulesets` | | ||
| | `GH006` | Classic / legacy branch protection | `/repos/{owner}/{repo}/branches/{branch}/protection` | | ||
|
|
||
| If a push gets rejected with one error code, disabling that layer alone does NOT guarantee the push will succeed — the OTHER layer may also be enforcing. Always check both surfaces when diagnosing protection-related rejection. | ||
|
|
||
| ## How to detect both layers exist on a repo (script) | ||
|
|
||
| ```bash | ||
| # Legacy branch protection | ||
| gh api repos/{owner}/{repo}/branches/{branch}/protection 2>&1 | head -3 | ||
| # Returns full config OR "Branch not protected" (404) | ||
|
|
||
| # Repository rulesets | ||
| gh api repos/{owner}/{repo}/rulesets --jq '.[] | {id, name, enforcement, target}' | ||
| # Returns array of rulesets with enforcement state | ||
|
Comment on lines
+76
to
+82
|
||
|
|
||
| # Status flag (high-level) | ||
| gh api repos/{owner}/{repo}/branches/{branch} --jq '.protected' | ||
| # true if EITHER layer is active; doesn't tell you which one | ||
| ``` | ||
|
|
||
| ## Why this matters going forward | ||
|
|
||
| 1. **Operational diagnosis**: future force-push or branch-policy issues should check BOTH surfaces. Don't trust `branch.protected` flag alone. | ||
| 2. **Config drift**: future config changes must go through rulesets only; never re-create legacy branch protection on AceHack/Zeta. | ||
| 3. **Cross-org applicability**: this is a GitHub-wide UI confusion (not specific to AceHack). Other repos in Lucent-Financial-Group / etc. might have the same dual-layer config. Worth checking on cadence. | ||
| 4. **CLAUDE.md protocol verification**: CLAUDE.md says *"Force-push to AceHack main is part of the protocol"*. The rulesets `non_fast_forward` rule blocks this, which means **the rulesets config still doesn't match the documented protocol**. Either the protocol gets revised (no force-push, only sync via PR) or the ruleset's `non_fast_forward` rule needs a bypass-actor allowlist for the maintainer credential. Task #305-adjacent ("Set up acehack-first development workflow") is the home for that decision. | ||
|
|
||
| ## Composes with | ||
|
|
||
| - `memory/feedback_destructive_git_op_5_pre_flight_disciplines_codex_gemini_2026_04_28.md` — pre-flight disciplines for destructive git ops (force-push needs `--force-with-lease=ref:exact-old-sha`) | ||
| - `docs/active-trajectory.md` — 0/0/0 hard-reset gate spec + post-reset state | ||
| - Task #305 (BACKLOG, pending) — set up acehack-first development workflow; protection-config protocol-vs-ruleset alignment goes here | ||
| - `memory/feedback_aaron_visibility_constraint_no_changes_he_cant_see_2026_04_28.md` — Aaron's visibility constraint; this case satisfied it because Aaron was repo admin on AceHack/Zeta and could see the toggles in UI (even if confused by the dual-layer surface) | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor wording nit: “the only rulesets ruleset” reads like a duplication. Consider rephrasing to “the only ruleset” / “the only rulesets entry” for clarity.