diff --git a/docs/status/handover-2026-06-20.md b/docs/status/handover-2026-06-20.md new file mode 100644 index 0000000..738d333 --- /dev/null +++ b/docs/status/handover-2026-06-20.md @@ -0,0 +1,73 @@ + + + +# Session handover — estate hygiene continuation (2026-06-20) + +Snapshot at the end of a cross-repo hygiene session spanning `hypatia`, +`gitbot-fleet`, and `.git-private-farm`. Its first purpose is to warn the next +agent that **the container clones used in this session are stale relative to +live `main`**, then to record what was closed, grounded, and deferred. + +## Clone-vs-live drift (read this first) + +| Repo | Live `main` HEAD | This session's clone base | Behind by | +|------|------------------|---------------------------|-----------| +| hypatia | `e9998fc` (#516) | ~`#460`/`#462` | #510, #511, #514, #515, #516 | +| gitbot-fleet | `f39d3d5` (#298) | `c513fff` (#261) | #294–#298 | + +The local remotes are a frozen `local_proxy` snapshot, **not** a live +pass-through — `git fetch` does not retrieve the newer commits (the proxy does +not even have the live HEAD objects). Consequences: + +- **Do not push the local working branches.** gitbot-fleet's clone still + contains the 99 vendored sustainabot files that PR #297 deleted; pushing would + re-vendor them and trip the anti-vendoring deletion-guard added in #298. +- **Safe write pattern:** cut a fresh branch from live `main` and push via the + GitHub API (`get_file_contents` → edit → `create_or_update_file` → draft PR), + exactly as hypatia #510–#516 were done. This document was added that way. +- **Code changes that need `cargo`/`mix` verification need a genuinely fresh + clone outside this container** — the proxy snapshot cannot be refreshed. + +## Closed / grounded this session + +- **gitbot-fleet #246 — CLOSED (completed).** The build-breaking `panic-attacker` + path dependency was removed wholesale by the sustainabot→oikosbot extraction + (#297), which emptied the `bots/sustainabot/` slot. Resolved by deletion, not a + patch — patching would have re-vendored the removed tree. +- **gitbot-fleet #255 — grounded (comment), still open.** Survived the + extraction; ≤29 `expect_in_hot_path` findings remain in `accessibilitybot` / + `cipherbot`. They are `.expect()` on compile-time-constant `Selector::parse` / + `Regex::new`; fix = hoist into `LazyLock` / `once_cell` statics (removes the + hot-path `.expect()` *and* the per-call re-parse). Do from a fresh clone; verify + with `cargo clippy --workspace -- -W clippy::expect_used`. +- **hypatia #426 — re-scoped (comment), still open.** Not a clean false-positive + fix: it is blocked on the #485 canonical-layout decision. hypatia's own rules + (SD001 / SD007 / SD023 + its `.claude/CLAUDE.md`) encode + `.machine_readable/6a2/`-canonical; gitbot-fleet's `.claude/CLAUDE.md` + invariant #1 asserts flat-canonical. SD004 only false-positives on flat-layout + repos. **Do not flip SD004 until the owner rules layout in #485** — flipping + would desync SD004 from its sibling rules. + +## Blocked on the owner (do not action) + +- **hypatia #417** — license metadata (8 manifests AGPL → MPL). Owner-only by + policy (`feedback_no_automated_licence_edits`): manual, file-by-file. +- **hypatia #485** — rsr-template ↔ standards divergence (the layout decision + #426 depends on). +- **hypatia #486** — neural-convergence PageRank proofs (needs network). +- **hypatia #463 / #464 / #470** — Actions billing wall, estate CI-health + backlog, 71-alert code-scanning backlog. +- **gitbot-fleet #278** — triage 6 Dependabot alerts (1 high, 1 moderate, 4 low). + Needs the repo's Dependabot security tab or a `security_events`-scoped token; no + MCP tool exposes Dependabot vulnerability alerts in-session. 0 open Dependabot + PRs currently; action-group bumps (e.g. #294) have merged since the issue was + filed, so some lows may already be cleared. + +## Fresh-thread items + +- **wokelang** kickoff (prompt drafted earlier in the session). +- **hypatia #482** — bring the GitHub wikis to bleeding-edge. + +--- + +_Recorded by an automated session. See the linked session for full context._