docs(rules): ingest AP#136-137 + KG#62,123,163,164 from issues #418-426 (#427)

AP#136: Go interface extension requires updating all test mocks
AP#137: Hardcoded count assertions break when adding features
KG#62: +Python binary-mode CRLF -- find() returns -1, content[:-1] silently corrupts
KG#123: +Gitea force-push 'stale info' (fetch first); +semantic-release EGITNOPERMISSION via Cloudflare Tunnel; KG#161 updated (resolved in Samverk #38)
KG#163: semantic-release/git incompatible with branch protection requiring PR status checks
KG#164: Gitea act_runner actcache grows unboundedly, causes ENOSPC

Also update status.md: Samverk URL (github→gitea), pattern counts (119→123), queued section.

Closes #418, #419, #422, #423, #424, #425, #426

Co-authored-by: Claude <noreply@anthropic.com>

Author: HerbHall

.samverk/status.md

@@ -1,6 +1,6 @@
 ---
 phase: execution
-updated: 2026-03-17T21:00:00Z
+updated: 2026-03-17T22:00:00Z
 updated_by: claude-code
 managed_by: samverk
 ---
@@ -15,7 +15,7 @@ Active maintenance and execution. AI tooling methodology, Claude Code configurat
 ## What Is Running
 
 - Symlinked rules loaded by all Claude Code sessions via ~/.claude/
-- 25 skills, 7 agents, 11 rules files, 119 active patterns (AP: 66, KG: 53)
+- 25 skills, 7 agents, 11 rules files, 123 active patterns (AP: 68, KG: 55)
 - 3 Claude Code hooks (SessionStart, SessionStop, SubagentVerify) + 3 git hooks (pre-push, pre-commit, commit-msg)
 - Credentials migrated to PowerShell SecretStore vault (HomeLabVault)
 
@@ -25,10 +25,11 @@ None.
 
 ## Queued
 
-None. 0 open issues as of 2026-03-17.
+- **Issue ingestion** (#418, #419, #422-#426): 7 autolearn patterns from Samverk/Synapset sessions — in this PR
 
 ## Recently Completed
 
+- **KG#156 correction** (2026-03-17): CI validator scope (PR #420)
 - **KG#162 ingestion** (2026-03-17): GitHub issues-disabled API quirk (PR #417)
 - **Rules compaction** (2026-03-17): KG 63->52 entries, AP 72->66 entries (39.8k/38.6k -> 35.1k/35.9k), Synapset SYN#595-602
 - **KG#160-161 ingestion** (2026-03-17): Gitea tunnel auth + Samverk MCP init gating
@@ -44,7 +45,7 @@ None. 0 open issues as of 2026-03-17.
 ## Related Projects
 
 - **Synapset** (gitea:samverk-admin/synapset) — Vector memory MCP server, DevKit is primary consumer
-- **Samverk** (github:HerbHall/samverk) — Project lifecycle manager
+- **Samverk** (gitea:samverk/samverk) — Project lifecycle manager
 
 ## Start Here (Cold Start Protocol)
 

claude/rules/autolearn-patterns.md

@@ -1,7 +1,7 @@
 ---
 description: Learned patterns from past sessions. Read when encountering similar situations.
 tier: 2
-entry_count: 66
+entry_count: 68
 last_updated: "2026-03-17"
 ---
 
@@ -690,3 +690,19 @@ MUI Popper needs `anchorEl` during render. `useRef` + `ref.current` triggers Rea
 **Category:** process-pattern
 **Context:** Issue spec said "call into existing `dispatcher.Claim()`" but no such public method existed, and the caller and callee were in separate processes. A 2-minute codebase check would have caught both problems.
 **Fix:** Before writing implementation specs that reference internal methods, verify: (1) the method exists and is exported, (2) the caller and callee are in the same process. Extends AP#47 (check existing assets before scoping) and AP#83 (sprint scope reduction via exploration).
+
+## 136. Go Interface Extension Requires Updating All Test Mocks
+
+**Added:** 2026-03-17 | **Source:** Samverk | **Status:** active
+
+**Category:** correction
+**Context:** Adding a method to a Go interface requires updating ALL structs implementing it, including private test mocks. The compiler catches missing methods, but if a mock adds the new method stub without calling it in any test, golangci-lint's `unused` linter fails.
+**Fix:** Before submitting a PR that extends a Go interface, grep for all types implementing it. Ensure every mock (1) adds the new method and (2) exercises it in at least one test case.
+
+## 137. Hardcoded Count Assertions Break When Adding Features
+
+**Added:** 2026-03-17 | **Source:** Samverk | **Status:** active
+
+**Category:** gotcha
+**Context:** Tests asserting exact counts (e.g., `len(tools) != 41`) fail whenever a new item is added. Common in tool-discovery tests, route-registration tests, and enum exhaustiveness checks.
+**Fix:** Before creating a PR that adds tools/routes/handlers, search for `len(...) != N` or `assert.Equal(t, N, len(...))` patterns and update the expected count. For non-correctness counts, prefer `>= N` over exact equality.

claude/rules/known-gotchas.md

@@ -1,7 +1,7 @@
 ---
 description: Known gotchas and platform-specific issues. Read when debugging unexpected behavior.
 tier: 2
-entry_count: 53
+entry_count: 55
 last_updated: "2026-03-17"
 ---
 
@@ -230,6 +230,7 @@ Windows CRLF (`\r\n`) causes silent failures across multiple tools. Three known
 - **Bash grep in CI:** `\r\n` in Windows-committed files causes trailing `\r` in grep output, breaking comparisons. Fix: `tr -d '\r' < "$file" > "$clean_file"`.
 - **Claude Code Edit tool:** `old_string` matching fails silently on CRLF files. Workaround: use Write tool for new files, or Python binary-mode (`open('file', 'rb')`).
 - **GitHub API body fields:** `gh api` returns `\r\n` in `body` field on Windows. Python regex fails silently. Fix: `body = body.replace("\r\n", "\n")` before parsing.
+- **Python binary-mode file manipulation:** `open(f, 'rb').read()` then `content.find(b'...\n')` returns -1 on CRLF files -- endings are `\r\n`. Using -1 as a slice index (`content[:-1]`) silently corrupts the file with no error. Fix: use `b'...\r\n'` in binary-mode searches.
 
 **Universal fix:** Normalize `\r\n` to `\n` before any string processing on Windows.
 
@@ -521,10 +522,25 @@ Windows CRLF (`\r\n`) causes silent failures across multiple tools. Three known
 **Issue:** Gitea REST API calls via the Cloudflare tunnel URL fail with "token is required" because the tunnel strips the `Authorization` header.
 **Fix:** Use the internal URL (e.g., `http://192.168.1.160:3000`) for all Gitea API calls. Token extraction: `printf 'protocol=https\nhost=gitea.example.com\n' | git credential fill | grep password`
 
-### Samverk MCP handler init gated on GitHub env vars (was KG#161)
+### Samverk MCP handler init gated on GitHub env vars (was KG#161, resolved)
 
-**Issue:** Samverk MCP handler init is gated on `GITHUB_TOKEN + SAMVERK_GITHUB_OWNER + SAMVERK_GITHUB_REPO` all being set. If any is missing, all MCP routes and server.yaml projects are skipped -- even Gitea-only projects.
-**Fix:** Set env vars to a non-colliding bootstrap project (e.g., `herbhall/devkit`) to keep the handler alive when migrating to Gitea. Proper fix: decouple Gitea project registry from GitHub init gate.
+**Issue:** Samverk MCP handler init was gated on `GITHUB_TOKEN + SAMVERK_GITHUB_OWNER + SAMVERK_GITHUB_REPO` all being set. If any was missing, all MCP routes and server.yaml projects were skipped.
+**Fix:** Resolved in Samverk refactor/38 -- MCP handler and server.yaml projects now initialize unconditionally. GitHub env vars only needed for GitHub-hosted projects.
+
+### Force-push rejected with 'stale info' -- fetch first
+
+**Issue:** `git push --force` or `--force-with-lease` to Gitea fails with "stale info" when the local remote-tracking ref is stale or missing (e.g., branch was created remotely via a PR or prior push from another worktree).
+**Fix:** `git fetch gitea <branch>` first, then force-push. The fetch creates the tracking ref. Occurs every time rebasing a branch originally created by a Gitea PR. Different from GitHub, which allows force-push with stale refs.
+
+### semantic-release EGITNOPERMISSION via Cloudflare Tunnel -- needs second url.insteadOf
+
+**Issue:** semantic-release uses `repositoryUrl` for both release notes link generation AND the git push target. If `repositoryUrl` points to the public Cloudflare Tunnel URL and Cloudflare strips `Authorization` headers, the tag push fails with `EGITNOPERMISSION`.
+**Fix:** Add a second `url.insteadOf` rule in CI that rewrites the public URL to authenticated localhost -- the first rule covering `localhost:3000` is not enough alone:
+
+```yaml
+git config --global url."http://user:${TOKEN}@localhost:3000/".insteadOf "http://localhost:3000/"
+git config --global url."http://user:${TOKEN}@localhost:3000/".insteadOf "https://gitea.herbhall.net/"
+```
 
 ## 125. go:embed Cache Misses Embedded File Changes
 
@@ -619,3 +635,20 @@ Windows CRLF (`\r\n`) causes silent failures across multiple tools. Three known
 **Issue:** When `has_issues=false` on a GitHub repo, individual issue GETs return 410 and PATCH on regular issues returns 403. However, PRs (which share the `/issues` endpoint) can still be closed via PATCH even with issues disabled.
 **Fix:** To close regular issues when issues are disabled: (1) re-enable: `GITHUB_TOKEN= gh api repos/OWNER/REPO -X PATCH -f has_issues=true`, (2) close the issues, (3) re-disable. The `GITHUB_TOKEN=` prefix clears any fine-grained PAT that lacks repo settings scope.
 **See also:** KG#120 (fine-grained PAT shadows gh CLI OAuth)
+
+## 163. semantic-release/git Incompatible With Branch Protection Requiring PR Status Checks
+
+**Added:** 2026-03-17 | **Source:** Synapset | **Status:** active
+
+**Platform:** Gitea / GitHub Actions
+**Issue:** `@semantic-release/git` and `@semantic-release/changelog` push commits directly to the default branch. Branch protection requiring `(pull_request)` status checks always rejects these -- direct commits can never have a `pull_request` CI context. Error: "Protected branch update failed: changes must be made through a pull request".
+**Fix:** Remove `@semantic-release/git` and `@semantic-release/changelog` from the plugin chain. Keep: `@semantic-release/commit-analyzer`, `@semantic-release/release-notes-generator`, and the release plugin. Semantic-release still creates the git tag and platform release without the direct-commit plugins.
+
+## 164. Gitea act_runner actcache Grows Unboundedly, Causes ENOSPC
+
+**Added:** 2026-03-17 | **Source:** Synapset | **Status:** active
+
+**Platform:** Gitea Actions (act_runner / Linux)
+**Issue:** act_runner caches workflow artifacts at `/home/git/.cache/actcache/cache/`. No built-in eviction. Can consume 20+ GB on a 40GB disk, causing ENOSPC in all running CI workflows.
+**Fix:** (1) Immediate cleanup: `rm -rf /home/git/.cache/actcache/cache/*`. (2) Daily pruning cron (run as `git` user): `0 3 * * * find /home/git/.cache/actcache/cache -mindepth 1 -maxdepth 1 -mtime +7 -exec rm -rf {} +`. (3) Disk alert at >80% usage via `logger`.
+**Infrastructure note:** `proxmox.herbhall.net` resolves to the dns-proxy LXC, NOT the Proxmox host. Actual Proxmox host is `192.168.1.203`. `pct resize` and `pvesm` are only available on the Proxmox host itself.