{"decision":"block","reason":"Execution-mode menu detected in your final message. boma standing preference (docs/FRICTION.md + always-subagent-driven-execution memory): never present the subagent-driven-vs-inline menu. Drop the menu and proceed with subagent-driven execution directly (superpowers:subagent-driven-development)."}
## 2026-05-30 — initial seed (from the Claude-Code setup session)
_(append new raw signals here; the next kaizen review consumes them)_
- `[recurring]` Every `git commit` needs `rbw` unlocked (the pre-commit ansible-lint
hook decrypts `vault.yml` for its syntax-check). Mitigated with a 5h lock timeout
and an `rbw unlocked` pre-flight convention. → _Open:_ could ansible-lint skip vault
decryption for syntax-check, so committing doesn't need the vault at all?
- `[gotcha]` pre-commit stashes _unstaged_ changes before running hooks, so a partial
commit reverted an interdependent file (`ansible.cfg`) and failed. → Commit
interdependent changes together, or stage the config change first.
- `[gotcha]` `make new-role` had never worked on this host: `mkdir {a,b,c}` brace
expansion fails under `/bin/sh` (dash). Fixed with explicit paths. → A real run
catches what static review can't; consider smoke-testing scaffold commands.
- `[gotcha]` `rbw sync` is required after adding a Vaultwarden item before `rbw get`
finds it (stale local cache).
- `[gotcha]` This shell is zsh — unquoted `$VAR` does not word-split, so a variable
holding a file list was passed as a single argument. → Use explicit args/arrays.
- `[friction]` Long sessions: I make a batch of edits but can't commit until you
`rbw unlock`. The 5h timeout + pre-flight check address the symptom; watch whether
it still bites.
- `[gotcha]` Hooks (or any new `.claude/settings.json`) added mid-session don't
activate until a Claude Code **restart** — the settings watcher only tracks settings
files that existed at session start. Opening `/hooks` and dismissing did _not_ load
them. → Fresh sessions load them normally; restart after adding hooks.
- `[friction]` **ADR-writing policy is unsettled** (2026-05-31): drafting an ADR, I
invented a Status header ("Proposed") on the fly because there's no documented
convention for how we write ADRs (status lifecycle, required sections). → TODO 10.2 —
decide a minimal ADR template / status convention.
## 2026-05-31
---
- I asked to draft an ADR and got: No formal status-header convention, but since this is a draft for discussion I'll mark it Proposed so it isn't mistaken for an
accepted decision. Here's the draft.
## Kaizen reviews — decisions ledger
Consumed signals and where their resolution now lives. Newest first.
## 2026-06-01
- `[friction]` The `finishing-a-development-branch` flow (and generic AI/dev tooling)
offers "push and open a Pull Request," but our Forgejo `origin` is trunk-based with
no merge-request / approval gate (CLAUDE.md git conventions). That option doesn't
apply — the real path is local fast-forward merge to `main`, then push. → Skills and
conventions that assume a GitHub-style PR workflow need a homelab-aware variant;
encode that here "finishing a branch" means merge-locally-then-push, not open-a-PR.
### 2026-06-10
## 2026-06-05
| Signal (first seen) | Verdict | Resolution / where it lives now |
|---|---|---|
| Execution-mode menu asked at plan handoff — 4× (06-05/06/09/10) | CHANGE → mechanical | Stop hook in `.claude/settings.json` blocks the turn if the menu appears and tells me to proceed subagent-driven. Prose reminders (CLAUDE.md, memory, 3 FRICTION entries) had failed four times — the lesson is that a behaviour conflicting with an external skill's script needs a *mechanical* guard, not another note. |
| Every `git commit` needs `rbw` unlock — recurring (05-30) | CHANGE | Root cause was **not** the vault syntax-check (`.ansible-lint` already excludes `vault.yml`); it was ansible-lint auto-loading + decrypting `inventories/production/group_vars/all/vault.yml` via the wired `vault_password_file`. Scoped the pre-commit `ansible-lint` hook (`always_run: false` + `files:` ansible content) so **docs-/config-only commits skip it and need no vault**. Ansible-content commits still need `rbw` (intrinsic to linting vault-backed plays; accepted). |
| `make test` fails when run non-activated — `ansible-config` not found (06-06) | CHANGE | `Makefile` `test`/`test-all` now prepend `$(CURDIR)/.venv/bin` to `PATH`. |
| Molecule image missing from the Forgejo registry (06-06) | already built | `make molecule-image-push` target exists. |
| Deferred decision goes stale across docs — 3× (06-05) | already built | `scripts/repo-scan.py` `open-deferred-item` / `stale-deferred` checks, run by `/review-repo`. |
| `make new-role` brace-expansion fails under dash (05-30) | fixed | Explicit paths in the Makefile target. |
| `finishing-a-development-branch` offers open-a-PR vs our trunk-based merge (06-01) | accepted | Same root cause as the menu ask (external skill script vs boma convention). CLAUDE.md already mandates trunk-based merge-to-main; covered by the Stop-hook family + awareness. Revisit if it recurs. |
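
A sketch of the mechanical guard from the Stop-hook row above, as an added example that is not the repo's own hook script. It reads the Stop hook input on stdin and emits the same `{"decision":"block",...}` shape shown at the top of this page. The transcript entry layout (`type: "assistant"`, text blocks under `message.content`), the menu regex and all function names are assumptions.

```python
import json
import re
import sys

# Assumed menu wording: both option names within ~200 characters of each other.
MENU_RE = re.compile(r"subagent-driven\b.{0,200}?\binline\b"
                     r"|\binline\b.{0,200}?\bsubagent-driven\b", re.I | re.S)
REASON = ("Execution-mode menu detected in your final message. "
          "Drop the menu and proceed with subagent-driven execution directly.")

def last_assistant_text(transcript_lines):
    """Text of the last assistant entry in a JSONL transcript (assumed entry shape)."""
    text = ""
    for line in transcript_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt lines instead of crashing the hook
        if not isinstance(entry, dict) or entry.get("type") != "assistant":
            continue
        content = (entry.get("message") or {}).get("content") or []
        if isinstance(content, str):
            text = content
        else:
            text = "\n".join(b.get("text", "") for b in content
                             if isinstance(b, dict) and b.get("type") == "text")
    return text

def decide(hook_input, transcript_lines):
    """Return the blocking verdict, or None to let the turn end normally."""
    if hook_input.get("stop_hook_active"):
        return None  # already continuing after a block: do not loop forever
    if MENU_RE.search(last_assistant_text(transcript_lines)):
        return {"decision": "block", "reason": REASON}
    return None

def main():
    try:
        hook_input = json.load(sys.stdin)
        with open(hook_input["transcript_path"], encoding="utf-8") as fh:
            verdict = decide(hook_input, fh.readlines())
    except (ValueError, KeyError, OSError, TypeError):
        return 0  # fail open: a broken guard must not wedge every turn
    if verdict:
        print(json.dumps(verdict))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The regex also fires on a message that merely mentions both modes; the `stop_hook_active` check limits that to one extra turn rather than a loop.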
- `[recurring]` The `writing-plans` skill ends by asking "subagent-driven vs inline