docs: drop require-linear-history from protect-main ruleset #7
Merged
Initially set to `enabled` at Pass 1 branch-protection config. Three sequential dev→main PRs (Phase M #4, Phase 404 #5, Phase B.1 #6) each tripped on the same friction: GitHub's rebase-merge rewrites SHAs, leaving dev's history "stale" against main's new SHAs. Each time required a manual realignment — temp-disable protect-dev's force-push block, reset dev to main, force-push, re-enable. Three toggle dances in two days.

Allowing merge commits on main removes the rewrite, preserving original SHAs across both branches. Future dev→main PRs use "Create a merge commit" (now the GitHub default since linear history is off). dev and main never drift.

Trade-off: main's git log gains one merge commit per release. `git log --first-parent main` gives the linear release-only view. Squash and rebase merges remain available but are not the default.

Documents the change in §8.4 with the full reasoning chain so the next contributor (or future Lars) understands why merge commits sit alongside otherwise-strict main protection.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blackbrowed-labs added a commit that referenced this pull request Apr 29, 2026
…failures" design
Adds verify-cloudflare-facts.yml weekly cron workflow + scripts/checks/dpf.mjs
+ scripts/checks/cwa-retention.mjs + 6 fixtures + scripts/run-verifier.mjs
orchestrator. Extends scripts/check-cloudflare-facts-freshness.mjs to read
_meta.last_check_attempt with 30-day threshold (down from 90).
Migrates src/data/cloudflare-facts.json to verifier-era schema (schema_version
1; per-fact status + value fields; _meta block; structured cwa_retention with
integer month values; raw_events_retention_months explicitly null per
Cloudflare's documented absence). Updates src/lib/cloudflare-facts.ts type +
adds getEffectiveVerifiedDate helper (worst-case freshness signal: older of
the two per-fact verified_at). Privacy pages (datenschutz.astro, en/privacy.astro)
read via the helper.
Verifier shape per plans/active/pass-2/g-d-2/spec.md: 1/5/15-min retry budget
(21 min total, fits 30-min workflow timeout); status-return error handling
(no throws cross check boundaries); explicit registry per spec §9.6;
hand-written validator per §9.7; status-enum rename ('ok' CheckResult →
'active' JSON) per §6.2; v1-coverage smoke step inside verifier workflow only,
mode #8 deploy-triggered limitation acknowledged per §3.8.
All synthetic failure modes (#2, #4, #5, #6) verified via MOCK_SCENARIO=
fixture routing. Mode #1 (freshness gate) verified via stale last_check_attempt.
Modes #3, #7, #8, #9 deferred to controller-side post-commit per prompt's
"may defer" guidance. Outcome record at
plans/active/pass-2/g-d-7/verifier-test-matrix.md (workspace, gitignored).
Closes backlog #8.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blackbrowed-labs added a commit that referenced this pull request Apr 29, 2026
MAJOR 1: Workflow Issue heredoc malformed — replaced cat <<EOF with printf '%s\n' array. Avoids the YAML-block-scalar / bash-heredoc indentation interaction the reviewer flagged. Body and EOF placement are no longer load-bearing; YAML stays valid; result is plain markdown.

MAJOR 2 (highest impact): Mode #6 semantics broken. Spec §2.6 / §3.6 / §4.6 require BOTH an Issue AND an auto-PR on status='changed'. Refactored the orchestrator's per-fact update routing per spec §1.3:
- 'ok' → advance verified_at + last_known_good_at + value fields
- 'changed' → advance verified_at + value fields; pin last_known_good_at
- other → leave all pinned

The orchestrator now always exits 0 (unless it threw) and surfaces two GH-output flags: has_diff (drives auto-PR) and has_attention (drives Issue). Both can fire on the same run. Workflow gating updated to match. Mode #6 dry-run now logs "would open auto-PR AND open verifier-alert Issue" with the new value persisted to JSON.

MAJOR 3: Smoke step ISO vs locale-formatted date. Privacy pages now emit hidden <meta name="bbl-verified-at" content="YYYY-MM-DD"> markers (plus per-fact -dpf / -cwa variants) via a new <slot name="head" /> in BaseLayout. Smoke step greps for the locale-independent marker instead of the rendered "29. April 2026" / "April 29, 2026" text.

MINOR 1: Stale-escalation comments now carry a hidden marker (<!-- verifier-stale-Nd -->); the post step skips when the marker is already present on the target. Six-week-stale Issues no longer accumulate weekly duplicate comments.

MINOR 2: Mode #7 (auto-PR staleness) coverage. Path chosen: extend the step. Stale-escalation now scans both `gh issue list` and `gh pr list --base dev` filtered by `headRefName startswith "verifier/"`, with the same 14/30/60d cadence and marker idempotency.

MINOR 3: Smoke step `node -e` JSON parse now Date.parse()-validates each verified_at and exits 1 with a named error if either is unparseable, instead of silently emitting `undefined.slice(0,10)`.

MINOR 4: formatVerifiedDate throws on empty/non-string input rather than rendering "Invalid Date" silently.

Workspace test matrix updated with new mode #6 + mode #7 outcomes, the rationale block at the top of the document, and post-fixup synthetic-test outputs.

Verification:
- npm run check: 0 errors / 0 warnings / 1 unrelated hint.
- PUBLIC_ENVIRONMENT=staging npm run build: 17 pages clean.
- Synthetic scenarios (5 modes): all pass; mode #6 now correctly advances aggregated_retention_months 6→12 + verified_at, pins last_known_good_at, and would fire both PR + Issue on real runs.
- bbl-verified-at markers present in dist/{datenschutz,en/privacy}/index.html; absent from non-privacy pages.
- python3 yaml.safe_load: workflow YAML parses clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blackbrowed-labs added a commit that referenced this pull request May 12, 2026
Closes Pass 2 backlog row #5 (paper-trail residue).

The PR-triggered CI workflow (.github/workflows/ci-pr.yml, job `build-pr`) shipped in April under Pass 2 backlog row #7's umbrella — commit 8831927 authored it, 6103789 refined it — and the protect-main ruleset (id 15468856) was updated on 2026-04-28 to require the build-pr check before merge. Row #5 was never closed when its dependency landed.

§8.4 still asserted "Status checks deliberately not required" and pointed at backlog #5 as future work. Both halves now stale; replaced with the as-deployed description (workflow steps, ruleset id, strict required-checks policy, job-name pinning rationale).

Per CLAUDE.md §Scope boundaries, TECH_STACK.md is not edited without explicit instruction; backlog row #5's deferred-since-April-2026 scope is that instruction.

No workflow YAML or ruleset change. Phase K is reconciliation, not implementation — verified by gh api + gh run list during planning. Backlog row #5 heading DONE-marker is controller-side housekeeping batched after this commit lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
`protect-main`'s `Require linear history: enabled` rule was dropped from the GitHub ruleset on 2026-04-28 to remove the SHA-divergence friction that hit Phase M / Phase 404 / Phase B.1 dev → main rebase-merges. This PR documents the change in `docs/TECH_STACK.md` §8.4 with the rationale chain.

First PR under the new merge-commit workflow. When merging, please use "Create a merge commit" (the GitHub default once linear-history is off) rather than rebase or squash. That preserves the original commit SHA on both dev and main with no realignment needed.
Test plan
- `docs/TECH_STACK.md` §8.4 updated with new state + reasoning
- `dev` and `main` share `d8d6e35` after merge (no force-push, no realignment)

🤖 Generated with Claude Code
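The ruleset state described in this thread (no linear-history rule, `build-pr` required, strict required-checks policy) can be checked mechanically for drift. The following is an added example, not code from this repository: `auditRuleset` and the two sample objects are hypothetical, and the JSON shape is assumed to match GitHub's REST ruleset response.

```javascript
// Policy values taken from the thread: no linear-history rule on main,
// the `build-pr` check required, strict required-checks policy.
const EXPECTED = { requiredCheck: 'build-pr', forbiddenRule: 'required_linear_history' };

// Returns a list of human-readable findings; an empty list means no drift.
function auditRuleset(ruleset, expected = EXPECTED) {
  const findings = [];
  const rules = Array.isArray(ruleset.rules) ? ruleset.rules : [];

  // A ruleset in "disabled" or "evaluate" mode blocks nothing.
  if (ruleset.enforcement !== 'active') {
    findings.push(`enforcement is "${ruleset.enforcement}", expected "active"`);
  }
  if (rules.some((r) => r.type === expected.forbiddenRule)) {
    findings.push(`${expected.forbiddenRule} is present; merge commits would be rejected`);
  }
  const checks = rules.find((r) => r.type === 'required_status_checks');
  if (!checks) {
    findings.push('no required_status_checks rule');
  } else {
    const params = checks.parameters || {};
    const contexts = (params.required_status_checks || []).map((c) => c.context);
    // The required context is pinned to the CI job name, so a renamed job
    // shows up here as a missing check.
    if (!contexts.includes(expected.requiredCheck)) {
      findings.push(`required check "${expected.requiredCheck}" missing ` +
        `(have: ${contexts.join(', ') || 'none'})`);
    }
    if (params.strict_required_status_checks_policy !== true) {
      findings.push('strict_required_status_checks_policy is not true');
    }
  }
  return findings;
}

// Constructed samples (not fetched): the earlier state and the described state.
const before = { id: 15468856, name: 'protect-main', enforcement: 'active',
  rules: [{ type: 'required_linear_history' }] };
const after = { id: 15468856, name: 'protect-main', enforcement: 'active',
  rules: [{ type: 'required_status_checks', parameters: {
    strict_required_status_checks_policy: true,
    required_status_checks: [{ context: 'build-pr' }] } }] };

console.log('before:', auditRuleset(before));
console.log('after: ', auditRuleset(after));
```

To run it against the live ruleset, pass in the parsed output of `gh api repos/OWNER/REPO/rulesets/15468856`, where `OWNER/REPO` is a placeholder.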