From 17bafa70de2f1f9d7a488a834e45f6b5ef8537ce Mon Sep 17 00:00:00 2001
From: masudaso
Date: Mon, 13 Apr 2026 09:23:50 +0900
Subject: [PATCH 1/3] fix: resolve ShellCheck SC2259 and SC2034 CI failures

- on-end-distill.sh: pass JSON as argv instead of pipe+heredoc conflict
- init.sh: remove unused CLAUDE_SETTINGS_LOCAL variable

Co-Authored-By: Claude Opus 4.6
---
 scripts/init.sh | 1 -
 scripts/on-end-distill.sh | 8 ++++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/scripts/init.sh b/scripts/init.sh
index 783f995..1fec0b4 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -18,7 +18,6 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 CLAUDE_SETTINGS_DIR="$REPO_ROOT/.claude"
-CLAUDE_SETTINGS_LOCAL="$CLAUDE_SETTINGS_DIR/settings.local.json"
 # Optional: vault path override from first argument
 VAULT_PATH_ARG="${1:-}"
diff --git a/scripts/on-end-distill.sh b/scripts/on-end-distill.sh
index ced57de..92bd886 100755
--- a/scripts/on-end-distill.sh
+++ b/scripts/on-end-distill.sh
@@ -94,12 +94,12 @@ fi
 # ── Format compact summary ────────────────────────────────────────────────────
-SUMMARY="$(printf '%s' "$CANDIDATES_JSON" | python3 - "$DRAFT_COUNT" "$DRAFT_PATHS" <<'PY'
+SUMMARY="$(python3 - "$CANDIDATES_JSON" "$DRAFT_COUNT" "$DRAFT_PATHS" <<'PY'
 import json, sys
-data = json.load(sys.stdin)
-draft_count = int(sys.argv[1]) if len(sys.argv) > 1 else 0
-draft_paths = sys.argv[2] if len(sys.argv) > 2 else ""
+data = json.loads(sys.argv[1])
+draft_count = int(sys.argv[2]) if len(sys.argv) > 2 else 0
+draft_paths = sys.argv[3] if len(sys.argv) > 3 else ""
 candidates = data.get("candidates", [])
 lines = []

From 0e6250696b214b4cb0ac64e0ef235f5fd1089ee0 Mon Sep 17 00:00:00 2001 
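Review bot: The new `SUMMARY=` line in scripts/on-end-distill.sh puts the whole `$CANDIDATES_JSON` payload into python3's argv, where on Linux any local user can read it from `ps` or `/proc/<pid>/cmdline`, and where it is capped by the kernel's argument-length limits, so a large candidate set now fails with "Argument list too long" where the old stdin pipe did not. If the candidates carry note titles or excerpts from the vault, that is content the rest of the repo treats as private. The pipe/heredoc conflict ShellCheck flagged can be resolved without either cost by handing the JSON over in the environment, which `/proc` exposes only to the same uid: `SUMMARY="$(CANDIDATES_JSON="$CANDIDATES_JSON" python3 - "$DRAFT_COUNT" "$DRAFT_PATHS" <<'PY'`, `import json, os, sys`, `data = json.loads(os.environ["CANDIDATES_JSON"])`, with the `sys.argv` indices left as they were before this change. A single environment string is still bounded by the per-string length limit, so if payloads can be very large, keeping the data on stdin and passing the script with `python3 -c` is the more robust shape. The heredoc body continues past the end of the hunk.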
From: masudaso
Date: Mon, 13 Apr 2026 09:43:20 +0900
Subject: [PATCH 2/3] fix: remove cascading unused CLAUDE_SETTINGS_DIR variable (SC2034)

Co-Authored-By: Claude Opus 4.6
---
 scripts/init.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/init.sh b/scripts/init.sh
index 1fec0b4..8632275 100755
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -17,7 +17,6 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-CLAUDE_SETTINGS_DIR="$REPO_ROOT/.claude"
 # Optional: vault path override from first argument
 VAULT_PATH_ARG="${1:-}"

From cf117ec218a6ab7c874e665c76067c5031b8dd90 Mon Sep 17 00:00:00 2001
From: masudaso
Date: Mon, 13 Apr 2026 12:01:49 +0900
Subject: [PATCH 3/3] docs: document branch protection rules for main

Add Branch Protection section to CLAUDE.md describing the protect-main GitHub Ruleset (PR required, CI gate, linear history, no force push). Add coupling comment to ci.yml warning that the job name is referenced by the ruleset.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 3 +++
 CLAUDE.md | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe41d6e..eb3143b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 jobs:
 validate:
+ # NOTE: This name is referenced by the "protect-main" GitHub Ruleset as a
+ # required status check. Renaming it without updating the ruleset will block
+ # all PR merges to main.
 name: Validate hooks, scripts, and init
 runs-on: ubuntu-latest
diff --git a/CLAUDE.md b/CLAUDE.md
index aa9d512..3635288 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md 
@@ -53,6 +53,22 @@ Treat the user's vault as external memory, not disposable scratch space. The sys
 - Treat destructive database operations as disallowed unless the user explicitly sets up a separate write-capable path.
 - If a hook or validation script fails, surface the problem clearly rather than silently proceeding.
+## Branch Protection
+
+`main` is protected by a GitHub Ruleset (`protect-main`, ID 14985776).
+
+| Rule | Effect |
+|------|--------|
+| Require pull request | Direct pushes to `main` are blocked. All changes require a PR. |
+| Required status checks (strict) | CI job "Validate hooks, scripts, and init" must pass. Branch must be up-to-date with `main`. |
+| Required linear history | Only squash-merge or rebase allowed. No merge commits. |
+| Block force pushes | `git push --force origin main` is rejected. |
+| Block deletion | `main` cannot be deleted. |
+
+- Required approvals: 0 (sole-owner repo; CI is the quality gate). Increase to 1 when a second contributor joins.
+- No bypass actors configured. For emergencies, temporarily set enforcement to `disabled` via `gh api --method PUT /repos/masuda-so/second-brain/rulesets/14985776`.
+- The required status check context `"Validate hooks, scripts, and init"` is coupled to the `name:` field on line 10 of `.github/workflows/ci.yml`. Renaming that job without updating the ruleset will block all merges.
+
 ---
 ## Vault