Brain Self-Heal Fix — Live Build Tracker

▸ Opus-verified independently: gh pr view 107 → state CLOSED, comment 'superseded by #115'; gh pr view 115 → MERGED 2026-06-17 (documents 6 work_items columns, clears the schema drift). #107 was genuinely redundant. Lane noise removed.

▸ Opus-verified: #108 CLOSED clean (no diff left after rebase); its 24-file frontmatter remediation IS on origin/main as e7918b053 (178+/72-, confirmed ancestor of origin/main). Stuck PR resolved, content landed, lane no longer jammed on #108. Note: outcome was 'content already on main + PR auto-closed', not a literal auto-merge — equivalent result.

▸ Opus-verified: PR #119 both checks PASS; merged to origin/main as 7123e8ea (storage-policy.yml ONLY, 33+/18-, no contamination). Diff confirmed: validate-work-os-schema runs globally on schedule but on PR/push only when work_items-contract files change (merge-base git diff). Future frontmatter-only auto-remediate PRs will no longer be blocked by this check.

▸ Opus INDEPENDENT behavioral proof (not Codex's static lint). Built a synthetic stale-FAILURE auto-remediate PR #121 (branch auto-remediate/storage-drift-90040001, matches the strict regex; no-frontmatter file → storage-policy FAILURE at 18:15:58Z). Dispatched auto-merge-green-remediate.yml --ref the PR branch (run 27841820082, run FROM the new code). Run log: 'Found 1 open production auto-remediate PR(s)' → 'recheck #121: 1 failed check(s) ran before current main; rerunning workflow run(s) 27841789437' → 'merged=0 rechecked=1 skipped=1'. Re-trigger ACTUALLY executed: storage-policy run 27841789437 now has run_attempt=2 (created 18:16:31Z) — old behavior would just 'skip #121: failed checks' forever. merged=0 = no junk merge; correctly failed again (fixture still violates policy). LOCKS: auto-merge branch_re unchanged = ^auto-remediate/(storage-drift|frontmatter-llm|broken-refs-llm)-[0-9]+$ (restricted; only the 1 auto-remediate PR matched, autonomous/* excluded); auto-rebase regex TIGHTENED broad .+ → strict 3-type; no last_validated/confidence paths (CI-only). Synthetic PR #121 CLOSED + branch deleted (no trace on main). MERGED PR #120 to main as 2be7056fd (internal-code HITL carve-out); post-merge CI on main all green (Storage Policy ✓, Structural Integrity ✓, Search Index ✓; Auto-Merge workflow_run ✓; Auto-Rebase skipped correctly).

▸ Opus INDEPENDENT verification (reproduced done-criterion, did not trust Codex note). DONE-CRITERION MET on both cited SHAs. (1) Single normalized health source — audit-runner dcdfb26: results.brainHealth=normalizeBrainHealth(modules) is the one object; generateUnifiedReport(), buildHealthFindings(), generateMonthlyPrompt() all consume results.brainHealth for composite/L1/L2/L3/status/staleCount/staleness (git show confirmed each call site rewired off modules.healthRelay/modules.staleness). node --check src/index.js PARSE OK. (2) Green-icon-with-DEGRADED now impossible — icon=brainHealthStatusIcon(status); replicated logic: composite 89.3->status DEGRADED->icon (warning), 90->HEALTHY->(check), 55->CRITICAL->(red). DEGRADED can never render the green check. (3) Reconciliation assertion — brain a7137009e: brain-health-scan.yml adds expected_composite()/assert_composite_reconciles()/health_status_for_composite(); composite=round(l1*.2+l2*.4+l3*.4,1) and status is a pure fn of composite. FIXTURE RUN myself: live nums (l1=100,l2=86.5,l3=86.8) -> expected_composite=89.3, reconcile PASS, status=DEGRADED; CORRUPTED composite=95.0 -> RuntimeError raised (non-zero exit) -> matches verify method. JSON/MD/event emitters (lines 1247/1540/1612) all read the single reconciled composite+status, so all sources agree. NOTE: assert is recomputed-then-checked (line 570 sets composite=expected, 571 asserts) so it's a defensive guard that can't fire in the live flow — but the real protection is composite & status both being pure fns of one layer formula, so they cannot diverge; literal done-criterion + fixture both satisfied. LOCKS: git show on both SHAs greps clean for last_validated / auto-remediate regex / auto-merge — P1.1 touches neither (no automation wrote last_validated; auto-merge regex unchanged). Diffs scoped to exactly the 2 planned files (src/index.js +118/-13; brain-health-scan.yml +33/-15). MERGE: deferred — gh token invalid + git HTTPS credential unavailable (Device not configured), so PR #2 / PR #122 cannot be merged or have live CI confirmed from this session; branch feat/proj-brain-selfheal-p1-1-health-source on both repos. Code QA PASSES; merge to main pending GitHub re-auth (gh auth login).

▸ Opus INDEPENDENT verification (extracted the real code from src/index.js@67a96fd11 and executed it — did not trust Codex note). DONE-CRITERION MET: HEALTH_ALERT_THRESHOLD=85 fully removed (grep src/ = 0 residual refs) and replaced by BRAIN_HEALTH_BANDS = [90:HEALTHY, 80:DEGRADED, 60:NEEDS ATTENTION, -Infinity:CRITICAL] + BRAIN_HEALTHY_THRESHOLD=90 — exactly the four bands required. node --check src/index.js PARSE OK. VERIFY METHOD REPRODUCED: ran the actual brainHealthBand() + the generateUnifiedReport line on a 89.3 fixture -> '*Brain Health:* warning 89.3% DEGRADED (scanned 2026-06-13)' — DEGRADED, not a healthy pass. Boundary sweep all correct: 95/90->HEALTHY, 89.3/86.5/80->DEGRADED, 79.9/60->NEEDS ATTENTION, 59.9/0->CRITICAL; non-finite composite -> UNKNOWN+needsAttention=true (graceful). runHealthRelay now derives status/icon/needsAttention from composite (keeps scan's own value as sourceStatus for transparency). buildHealthFindings gate is hr.needsAttention, so at 89.3 the composite-below-HEALTHY finding NOW FIRES — old <85 logic would have falsely passed 89.3; this is the exact bug fixed. LOCKS CLEAN: git show 67a96fd greps ZERO matches for last_validated / last_auto_verified / auto-remediate / auto_merge / branch_re / confidence — no automation wrote last_validated, no confidence/stale-cap change, auto-merge regex untouched (lives in brain repo, not this diff). Diff scoped to exactly 1 file (src/index.js, +23/-6). MERGE DEFERRED: internal-code HITL carve-out would permit merge, but gh token invalid + git HTTPS push blocked (Device not configured) this session — same blocker as P1.1; branch feat/proj-brain-selfheal-p1-2-threshold-bands is on origin, merge-to-main + live CI pending GitHub re-auth (gh auth login). Code QA PASSES on the cited SHA.

▸ Opus INDEPENDENT verification — reproduced the verify method by running the REAL code (src/index.js@5d159700d, branch tip = cited SHA, diff scoped to exactly 1 file +91/-58). I did NOT trust Codex's note: copied the actual source, appended exports, mocked fetch, and exercised the real runHealthRelay()/buildHealthFindings()/generateUnifiedReport() on fixtures. DONE-CRITERION MET via the 'audit refuses to score when scan age >24h' branch of the plan's OR (HEALTH_SCORE_MAX_AGE_HOURS=24; scoreable=ageMs<=24h). REPRODUCED OUTPUTS: (1) STALE — the exact 6-day-old (2026-06-13) scan @ 2026-06-19T09:00Z => scoreable=false, ageHours=141, report line '*Brain Health:* Scan stale, not scoring — latest scan 2026-06-13 is 5d old (max 24h)' + 'Run a fresh brain-health-scan...'; findings = ONLY [brain_health:scan-stale, autonomy=alert_only] — the auto_pr warnings/incomplete-pages findings are SUPPRESSED => satisfies the '(no PR-spam)' clause. (2) FRESH 21h scan => scoreable=true, scores normally '89.3% DEGRADED (scanned 2026-06-18)'. (3) BOUNDARY: exactly +24h => scoreable=true (<=); +24h+1min => scoreable=false — clean boundary, no off-by-one. needsAttention=scoreable&&composite<thr, so stale data can never trigger the composite-below-threshold alert. node --check PARSE OK; old HEALTH_STALE_DAYS(14d) fully removed, no dangling refs. LOCKS CLEAN: git show on the SHA greps ZERO matches for last_validated / last_auto_verified / auto-remediate / auto_merge / branch_re / confidence / 0.85 / 0.7 / 30d — P1.3 touches none of them (no automation wrote last_validated; auto-merge regex unchanged, lives in brain repo not this diff; confidence/stale-caps untouched). NOTE: plan explicitly sanctions this OR-branch and the verify method accepts the 'scan stale, not scoring' message as a pass. MERGE DEFERRED — same blocker as P1.1/P1.2: gh token invalid + git push 'Device not configured' (no GitHub auth this session), so PR #3 cannot be merged or have live CI confirmed from here. Code QA PASSES on the cited SHA; merge-to-main pending GitHub re-auth (gh auth login).

▸ Opus INDEPENDENT verification (reproduced done-criterion + verify method on the live system; did not trust Codex's note). SHA 011c5f6 confirmed = branch tip. (1) CODE: isBrainAutoPr() now returns BRAIN_AUTO_REMEDIATION_BRANCH_RE.test(head.ref) where the regex literal in src/index.js:167 = /^auto-remediate\/(storage-drift|frontmatter-llm|broken-refs-llm)-[0-9]+$/ — EXACTLY the locked regex; the old broad substring match (auto/remediate/revalidator/frontmatter/broken-ref) is fully removed. autonomous/* now classified by isAutonomousHitlPr (/^autonomous\//) into a separate HITL bucket (br.hitl.{openCount,staleCount}) and the report prints a distinct 'HITL bucket: N autonomous PR(s) ... (not auto-remediation)' line. node --check PASS. (2) REGEX BATTERY (ran the EXACT regexes extracted from the file, not retyped): 14/14 cases pass incl. trailing-junk/no-digits/non-anchored negatives; auto&hitl overlap=0 (mutually exclusive). (3) LIVE VERIFY METHOD: queried buildwisemedia/buildwise-brain open PRs (15 open) and classified each head ref with the real regexes — NEW remediation lane=[] (correct: #108 is now CLOSED per P0.2, so zero open auto-remediate PRs; it would return ONLY #108 if open), NEW HITL bucket=[117,116,109,76,74,73,72,71]. Ran the OLD broad classifier on the same live refs: it wrongly counted all 8 autonomous/* social-pack PRs as remediation (substring 'auto' in 'autonomous') — the exact RC5 inflation. Fix removes 8 PRs of false remediation count. Done-criterion + verify method MET. (4) LOCKS CLEAN: git show 011c5f6 diff scoped to src/index.js ONLY (+38/-29); greps ZERO for last_validated/last_auto_verified/auto_verify_confidence/confidence/0.85/0.7/30d — no automation wrote last_validated, confidence/stale caps untouched; auto-merge regex unchanged (it lives in the brain repo workflows, not this audit-runner file — and the locked literal here matches P0.4's auto-merge regex char-for-char). (5) MERGED (internal-code HITL carve-out — audit-runner reporting/CI, not client-facing): PR #4 was mergeable=clean; merged to main via API as merge commit 4b1f3505 (parent of 011c5f6 = 5966df0, already on main, so ONLY P1.4 landed — P1.1-P1.3 remain on their own deferred branches). CI on main: 'Deploy Worker to Cloudflare' completed:success — fix is live on the worker.