mkalhitti-cloud · mkalhitti-cloud · May 11, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
@@ -10,6 +10,7 @@ description: >
 You are an **Architecture** specialist. Use this skill to design structural changes and maintain the system's "Platinum Standard".
 
 ## I. Core Patterns
+- **Correctness by Construction**: "Make illegal states unrepresentable." Design types and FSMs so invalid states fail at compile-time rather than relying on runtime `if/else` checks.
 - **Lock-Free**: Atomic primitives, SPSC/MPMC queues, zero-lock FSMs.
 - **IPC**: TCP-based command routing, multi-client support.
 - **RAII**: Scope-based resource management (semaphores, dictionaries).

@@ -0,0 +1,11 @@
+- slug: v12-engineer
+  name: V12 Photon Engineer
+  role: >
+    You are the V12 Photon Engineer, a specialized persona for surgical refactoring of 
+    the Universal OR Strategy. You operate under the strict 'Lock-Free Actor' protocol.
+    Your mission is to implement Phase 6 SIMA Subgraph extraction with zero logic drift.
+  groups:
+    - code
+    - terminal
+  customRules:
+    - dna: dna.md
@@ -0,0 +1,4 @@
+{"id":"fde48819-c59b-4b12-954b-4d70e5ce0242","ts":"2026-05-10T00:16:22.448Z","path":"C:\\WSGTA\\universal-or-strategy\\src\\V12_002.Orders.Callbacks.Execution.cs","version":"1.0.0","taskID":"6c63156a-1f5b-4936-8d18-19dd04772d80"}
+{"id":"5763190b-1e9a-4f61-bef0-179a2a57292b","ts":"2026-05-10T00:16:28.549Z","path":"C:\\WSGTA\\universal-or-strategy\\src\\V12_002.Orders.Callbacks.Execution.cs","version":"1.0.0","taskID":"6c63156a-1f5b-4936-8d18-19dd04772d80"}
+{"id":"9aa787d9-e63f-4cf5-9a38-06f6a3ab5c8b","ts":"2026-05-10T00:16:35.352Z","path":"C:\\WSGTA\\universal-or-strategy\\src\\V12_002.Orders.Callbacks.Execution.cs","version":"1.0.0","taskID":"6c63156a-1f5b-4936-8d18-19dd04772d80"}
+{"id":"6948325c-296c-4ae8-ba26-22a044830d29","ts":"2026-05-10T00:17:30.456Z","path":"C:\\WSGTA\\universal-or-strategy\\src\\V12_002.Orders.Callbacks.Execution.cs","version":"1.0.0","taskID":"6c63156a-1f5b-4936-8d18-19dd04772d80"}
@@ -0,0 +1,30 @@
+# V12 Photon Kernel DNA
+## Mandatory Architectural Constraints
+
+> [!IMPORTANT]
+> These rules are non-negotiable and override any internal LLM tendencies.
+
+### 1. No Internal Locks
+Legacy `lock(stateLock)` blocks are **STRICTLY BANNED**. All state mutations must use the FSM/Actor `Enqueue` model or atomic primitives. If you see a lock, your first priority is to refactor it out.
+
+### 2. ASCII-Only Compliance
+NEVER use Unicode, emoji, or curly quotes in C# string literals.        
+- Allowed: `(!)` `--` `->` `"` (straight)
+- Banned: (!) -- -> " (curly)
+
+### 3. Surgical File Splits
+All file splits MUST use the Python extractor script (`scripts/v12_split.py`). Manual copy-paste is BANNED for any split exceeding 50 lines.    
+
+### 4. FSM-Driven Execution
+Any follower order cancel+resubmit MUST use the two-phase Replace FSM (`_followerReplaceSpecs` dict). NEVER cancel and submit directly.
+
+### 5. Post-Edit Deployment
+After every `src/` edit, you MUST run:
+`powershell -File .\deploy-sync.ps1`
+Verify that the ASCII gate passes before notifying the Orchestrator.    
+
+### 6. Tool Protocol Integrity
+NEVER use `<<<<<<< REPLACE`, `=======`, or `>>>>>>>` markers inside `write_to_file` or `replace_file_content` calls. These tools do not support diff formats.
+- Use `replace_file_content` with exact `TargetContent`.
+- Use `apply_diff` only when you are absolutely certain the diff syntax is supported by the specific tool instance.
+- If a tool call fails to modify the file, DO NOT report success. Immediately retry using a different surgical tool.
@@ -0,0 +1,25 @@
+{
+  "general": {
+    "checkpointing": {
+      "enabled": true
+    }
+  },
+  "shell": {
+    "preferredEditor": "code",
+    "autoApprove": [
+      "read_file",
+      "list_dir",
+      "grep_search",
+      "apply_diff",
+      "write_to_file",
+      "insert_content"
+    ],
+    "approvalMode": "yolo"
+  },
+  "tools": {
+    "context7": "python scripts/context7_cli.py",
+    "graphify": "graphify",
+    "deploy_sync": "powershell -File .\\deploy-sync.ps1",
+    "nexus_bridge": "python scripts/nexus_relay.py"
+  }
+}
@@ -0,0 +1,17 @@
+---
+exclude_paths:
+  - "docs/**"
+  - ".github/**"
+  - "**/*.md"
+  - ".agent/**"
+  - ".agents/**"
+  - ".bob/**"
+  - ".codex/**"
+  - ".cursor/**"
+  - ".gemini/**"
+  - "Traycerrefactor/**"
+  - "artifacts/**"
+  - "benchmarks/**"
+  - "node_modules/**"
+  - "obj/**"
+  - "bin/**"
@@ -6,5 +6,10 @@ You must read, ingest, and strictly adhere to the permanent project standards de
 - **UltraThink Always**: Perform P2 Diagnosis and P5 Side-Effect Audits for all edits.
 - **UltraPlan Always**: Use Claude Ultraplan for architectural designs.
 - **No Internal Locks**: Use the Actor/FSM `Enqueue` model for state mutations.
+- **Tool Parity**: You have full access to the following project-specific tools:
+    - **Context7 CLI**: `python scripts/context7_cli.py` (query docs, resolve IDs).
+    - **jCodemunch-MCP**: Use for deep codebase navigation (refer to `.mcp.json`).
+    - **Graphify**: `graphify update .` (sync knowledge graph).
+    - **Hard-Link Sync**: `powershell -File .\deploy-sync.ps1` (MANDATORY after `src/` edits).
 
 Do not deviate from those rules. The manifesto is the absolute single source of truth for architecture, locking, repo hygiene, and multi-agent parity.
@@ -4,4 +4,18 @@ enabled = true
 
 [analyzers.meta]
 lang_version = "8.0"
-# Note: DeepSource may report partial results on hosted CI due to missing NinjaTrader assemblies.
+
+exclude_patterns = [
+    "docs/**",
+    ".github/**",
+    "**/*.md",
+    ".agent/**",
+    ".agents/**",
+    ".bob/**",
+    ".codex/**",
+    ".cursor/**",
+    ".gemini/**",
+    "Traycerrefactor/**",
+    "artifacts/**",
+    "benchmarks/**"
+]
@@ -19,6 +19,8 @@
 - [ ] **Lock-Free Audit**: `grep -r "lock(" src/` — zero matches in strategy files
 - [ ] **Lint Pass**: `powershell -File .\scripts\lint.ps1` — LINT PASS confirmed
 - [ ] **Build Readiness**: `powershell -File .\scripts\build_readiness.ps1` — Build PASS
+- [ ] **AMAL Gate**: `python scripts/amal_harness.py` — PASSED (Allocated = 0 B)
+- [ ] **Bob Shell Audit**: Used `v12-engineer` mode with `checkpointing: true`
 - [ ] **Deploy Sync**: `powershell -File .\deploy-sync.ps1` — hard links re-established
 - [ ] **BUILD_TAG Banner**: Verified in NinjaTrader Output window after F5 compile
 
@@ -33,13 +35,13 @@
 
 <!-- Paste the relevant output from LogicAudit, AMAL harness, or stress test -->
 
+### AMAL Benchmark Summary:
 ```
-[paste audit output here]
+[paste AMAL output: Allocated = 0 B, Mean Latency < Baseline]
 ```
 
-## Agent Audit Sign-off
-
-<!-- P5 adversarial review required before merge for any src/ changes -->
+## Agent Audit & Checkpoint
+**Bob Checkpoint ID**: <!-- Paste checkpoint ID or 'N/A' -->
 
 - [ ] Gemini Standards Auditor review posted
 - [ ] SonarCloud quality gate: PASSED

@@ -2,9 +2,10 @@ name: CodeQL
 
 on:
   push:
-    branches: ["main"]
+    branches: ["main", "dev"]
   pull_request:
-    branches: ["main"]
+    # CodeQL runs on ALL PRs regardless of target branch for maximum coverage.
+    # Previously limited to main -- expanded to catch vulnerabilities in feature branches before merge.
   schedule:
     - cron: "0 6 * * 1"
 
@@ -21,6 +22,9 @@ jobs:
       matrix:
         include:
           - language: csharp
+            # build-mode: none -- NinjaTrader proprietary assemblies are unavailable in hosted CI.
+            # autobuild would fail. none provides partial static analysis without type resolution.
+            # Trade-off: interprocedural data flow across NinjaTrader API calls is not tracked.
             build-mode: none
 
     steps:
@@ -32,6 +36,11 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
+          # security-extended adds ~200 additional queries beyond the default security suite.
+          # Covers: SQL injection, path traversal, insecure deserialization, crypto weaknesses.
+          queries: security-extended
 
       - name: Analyze
         uses: github/codeql-action/analyze@7fc6561ed893d15cec696e062df840b21db27eb0
+        with:
+          category: "/language:${{ matrix.language }}"
@@ -9,6 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019  # v4.5.0
+        with:
+          fail-on-severity: high
+          deny-licenses: GPL-3.0, AGPL-3.0, GPL-2.0
@@ -25,12 +25,12 @@ jobs:
           gitleaks version
 
       - name: Detect secrets
-        run: gitleaks detect --no-git --source . --config .gitleaks.toml --verbose --redact --no-banner
+        run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact --no-banner --no-git
 
       - name: Generate SARIF
         if: always()
         continue-on-error: true
-        run: gitleaks detect --no-git --source . --config .gitleaks.toml --verbose --redact --no-banner --report-format sarif --report-path results.sarif
+        run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact --no-banner --no-git --report-format sarif --report-path results.sarif
 
       - name: Upload SARIF
         if: always() && hashFiles('results.sarif') != ''

@@ -47,12 +47,16 @@ jobs:
             const event = JSON.parse(fs.readFileSync(eventPath, 'utf8'));
 
             let prNumber = process.env.PR_NUMBER;
+            if (prNumber && !/^\d+$/.test(prNumber)) {
+              console.error('Invalid PR number');
+              process.exit(1);
+            }
             let branch = process.env.BRANCH;
             let isComment = (process.env.GITHUB_EVENT_NAME === 'issue_comment');
             let commentBody = isComment ? event.comment.body : '';
             const safeCommentBody = commentBody
               .replace(/[\r\n]+/g, ' ')
-              .replace(/[`"]/g, "'")
+              .replace(/[`"<>]/g, '')
               .slice(0, 500);
 
             console.log(`Starting Jules Audit for ${repo}...`);

@@ -7,14 +7,34 @@ on:
 
 permissions:
   contents: read
+  security-events: write  # Required to upload SARIF to GitHub Security tab
 
 jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+
       - name: Run OSV-Scanner
+        id: osv_scan
+        continue-on-error: true  # Generate SARIF even on findings
         uses: google/osv-scanner-action/osv-scanner-action@v1.9.1
         with:
-          scan-args: ./
+          scan-args: |-
+            --format=sarif
+            --output=osv-results.sarif
+            ./
+
+      - name: Upload OSV findings to GitHub Security tab
+        if: always() && hashFiles('osv-results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@7fc6561ed893d15cec696e062df840b21db27eb0
+        with:
+          sarif_file: osv-results.sarif
+          category: osv-scanner
+
+      - name: Fail on vulnerabilities
+        if: steps.osv_scan.outcome == 'failure'
+        run: |
+          echo "OSV Scanner found vulnerabilities. Check the Security tab for details."
+          exit 1
@@ -3,10 +3,6 @@ name: CodiumAI PR-Agent
 on:
   pull_request:
     types: [opened, synchronize, reopened]
-    branches:
-      - main
-      - dev
-      - build-984-hardening
   issue_comment:
     types: [created]
 
@@ -22,8 +18,9 @@ jobs:
         uses: actions/checkout@v4
 
       - name: CodiumAI PR-Agent
-        uses: The-PR-Agent/pr-agent@main
+        uses: The-PR-Agent/pr-agent@v0.26
         continue-on-error: true
         env:
           OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CONFIG_PATH: .pr_agent.toml
@@ -36,25 +36,24 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        # [NOTE] Hosted CI lacks proprietary NinjaTrader assemblies.
-        # Analysis will be partial, but we continue to prevent blocking the PR.
+        # [NOTE] Hosted CI lacks proprietary NinjaTrader assemblies (targets .NET 4.8).
+        # Analysis is partial (no NinjaTrader refs), but we must allow it to proceed for SCA.
+        continue-on-error: true
         continue-on-error: true
         run: |
-          dotnet-sonarscanner begin /k:"mkalhitti-cloud_universal-or-strategy" /o:"mkalhitti-cloud" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.vstest.reportsPaths="**/*.trx" /d:sonar.cs.opencover.reportsPaths="**/coverage.opencover.xml"
+          dotnet-sonarscanner begin /k:"mkalhitti-cloud_universal-or-strategy" /o:"mkalhitti-cloud" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.vstest.reportsPaths="**/*.trx" /d:sonar.cs.opencover.reportsPaths="**/coverage.opencover.xml" /d:sonar.exclusions="docs/**,.github/**,**/*.md,.agent/**,.agents/**,.bob/**,.codex/**,.cursor/**,.gemini/**,Traycerrefactor/**,artifacts/**"
           dotnet build Linting.csproj
         shell: pwsh
 
       - name: Run tests with OpenCover coverage
-        # continue-on-error to prevent blocking PR due to environmental build issues
-        continue-on-error: true
         run: |
           dotnet test Testing.csproj /p:CollectCoverage=true /p:IncludeTestAssembly=true /p:CoverletOutputFormat=opencover /p:CoverletOutput=./TestResults/coverage.opencover.xml --logger "trx;LogFileName=test-results.trx" --results-directory ./TestResults
         shell: pwsh
 
       - name: Finish SonarCloud analysis
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        # Finish scan even if build failed
+        if: success() || failure()
         continue-on-error: true
         run: |
           dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

@@ -3,6 +3,13 @@ bin/
 obj/
 *.bak*
 *.202*
+__pycache__/
+
+# ...
+artifacts/
+*.patch
+*.diff
+
 # Zero-Waste Discovery Rule: .agent/rules/zero_waste_discovery.md
 
 # AI System Plumbing (Claude Code / MCP / Antigravity)
@@ -40,6 +47,7 @@ diff.txt
 gh_log.txt
 help.txt
 test-vertex.js
+artifacts/rdp_ocr*.txt
 
 # Persistent ignores
 tmp/

@@ -3,6 +3,23 @@ title = "Universal OR Strategy gitleaks config"
 [extend]
 useDefault = true
 
+[[allowlists]]
+description = "Ignore agent protocol and instruction files"
+paths = [
+    '''AGENTS\.md$''',
+    '''CLAUDE\.md$''',
+    '''CODEX\.md$''',
+    '''GEMINI\.md$''',
+    '''JULES\.md$''',
+    '''\.agent/.*''',
+    '''\.agents/.*''',
+    '''\.bob/.*''',
+    '''\.codex/.*''',
+    '''\.cursor/.*''',
+    '''\.gemini/.*''',
+    '''Traycerrefactor/.*'''
+]
+
 [[allowlists]]
 description = "Allow documented Sentry project URL in telemetry readme"
 paths = ['''(^|[\\/])docs[\\/]telemetry[\\/]droid_mission_01[\\/]README\.md$''']

@@ -1,4 +1,6 @@
 [pr_reviewer]
+ignore_files = ["**/*.md", ".github/**", "docs/**"]
+ignore_directories = [".agent", ".agents", ".bob", ".codex", ".cursor", ".gemini", "Traycerrefactor", "artifacts"]
 extra_instructions = """
 STRICT RULE: C# string literals must be ASCII-only. Flag any Unicode, emojis, or curly quotes.
 STRICT RULE: The `lock(stateLock)` pattern is BANNED. Ensure all state mutations use the Enqueue/FSM model.
@@ -11,3 +13,6 @@ STRICT RULE: C# string literals must be ASCII-only. Flag any Unicode, emojis, or
 STRICT RULE: The `lock(stateLock)` pattern is BANNED. Ensure all state mutations use the Enqueue/FSM model.
 STRICT RULE: Verify that any order replacement uses the two-phase Replace FSM pattern.
 """
+
+[github_action_config]
+auto_review = true