
fix(pkg): retire Nix-mirror per Guix-primary ruling (standards#101)#289

Merged: hyperpolymath merged 2 commits into main from retire-nix-mirror-101, May 19, 2026

Conversation

@hyperpolymath (Owner)

Refs standards#101 standards#102. Refs not Closes — this PR does not close any issue.

What

Retire the Nix-mirror in hypatia. Guix-primary + sealed-container-escape is the canonical packaging policy per standards#101; the Nix-mirror was a hand-mirrored twin retired estate-wide.

Verified pure mirror (the standards#102 gate)

guix.scm covers the entire flake devShell dep set verbatim:

| flake devShell buildInput | guix.scm native-input |
|---|---|
| elixir | elixir |
| erlang | erlang |
| rustc + cargo + clippy + rustfmt | rust + rust-cargo |
| idris2 | idris2 |
| zig | zig |
| pkg-config | pkg-config |
| openssl | openssl |

Every flake dep is mirrored — pure mirror per the campaign gate (flake vs Guix ∪ sealed-container). guix.scm's (source #f) is the standard dev-shell form (paired with a real native-inputs list); not the disqualifying empty-stub form. guix shell -D -f guix.scm is the direct replacement for nix develop.

Changes

  • git rm flake.nix flake.lock
  • CONTRIBUTING.md §Getting Started: `nix develop` → `guix shell -D -f guix.scm` (links standards#101).
  • TESTING-AUDIT.md Reproducibility row: dereferences flake.nix (canonical = guix.scm).
  • Historical audit reports (docs/reports/audit/, docs/governance/CRG-AUDIT-2026-04-18.adoc) retain their flake.nix references as dated snapshots — not edited.

Campaign context

Estate-wide verification (Waves 1–14, ~280 in-scope repos) found that hypatia is the single genuine pure-mirror in the campaign so far. Most other repos have scaffold-stub guix.scm (KEEP+FLAG) or load-bearing flake-only dev tooling (KEEP+DEP). Personally re-verified against the agent-flagged candidates (proof-of-work and tma-mark2 were over-called; hypatia stood up).

🤖 Generated with Claude Code

Per standards#101 (LANGUAGE-POLICY.adoc §Package Management), the
Guix-primary + sealed-container-escape rule is canonical and the
Nix-mirror fallback is retired estate-wide. Hypatia's guix.scm is a
real, load-bearing dev manifest that covers the entire flake devShell
dep set verbatim:

| flake devShell buildInput | guix.scm native-input |
|---|---|
| elixir | elixir |
| erlang | erlang |
| rustc + cargo + clippy + rustfmt | rust + rust-cargo |
| idris2 | idris2 |
| zig | zig |
| pkg-config | pkg-config |
| openssl | openssl |

Every flake dep is mirrored — pure mirror per the standards#102 gate
("flake vs Guix ∪ sealed-container"). The flake's `(source #f)` is the
standard dev-shell form (paired with real `buildInputs`); not the
disqualifying empty-stub form. `guix shell -D -f guix.scm` is the
canonical replacement for `nix develop`.

Changes:
- git rm flake.nix flake.lock
- CONTRIBUTING.md: replace `nix develop` instruction with
  `guix shell -D -f guix.scm`, linking standards#101.
- TESTING-AUDIT.md: reproducibility row dereferences flake.nix
  (`guix.scm`-only, canonical).

Historical audit reports (docs/reports/audit/, docs/governance/CRG-AUDIT*)
retain their flake.nix references as dated snapshots — not edited.

Refs standards#101 standards#102. Does NOT close any issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 6174c66 into main May 19, 2026
20 checks passed
@hyperpolymath hyperpolymath deleted the retire-nix-mirror-101 branch May 19, 2026 21:32
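The standards#102 gate the PR applies ("flake vs Guix ∪ sealed-container"), as an added worked example that is not part of this PR and not hypatia's own tooling: it pulls the `buildInputs` list out of a flake devShell and the `native-inputs` list out of a dev-shell `guix.scm`, maps the Nixpkgs rust toolchain attributes onto Guix's `rust` + `rust-cargo` exactly as the PR's table does, and reports whatever the flake pulls in that the Guix manifest does not cover. Both sample files are constructed here in the shape the PR describes; the literal `buildInputs = with pkgs; [` and `(native-inputs (list` anchors are an assumption about file layout, and `is_empty_stub` is one reading of the "disqualifying empty-stub form" (a `(source #f)` package with no native-inputs at all).

```rust
use std::collections::BTreeSet;

/// Constructed sample flake devShell (assumed layout; not hypatia's flake.nix).
pub const SAMPLE_FLAKE: &str = r#"
devShells.default = pkgs.mkShell {
  buildInputs = with pkgs; [
    elixir erlang
    rustc cargo clippy rustfmt
    idris2 zig
    pkg-config openssl
  ];
};
"#;

/// Constructed sample dev-shell guix.scm: (source #f) paired with a real
/// native-inputs list (assumed layout; not hypatia's guix.scm).
pub const SAMPLE_GUIX: &str = r#"
(package
  (name "hypatia-dev")
  (version "0")
  (source #f)
  (build-system gnu-build-system)
  (native-inputs (list elixir erlang rust rust-cargo idris2 zig pkg-config openssl))
  (synopsis "dev shell")
  (description "dev shell")
  (home-page "")
  (license license:agpl3+))
"#;

/// Whitespace-separated identifiers between the first `open` and the next `close`.
fn between(text: &str, open: &str, close: &str) -> Vec<String> {
    let start = match text.find(open) {
        Some(i) => i + open.len(),
        None => return Vec::new(),
    };
    let rest = &text[start..];
    let end = rest.find(close).unwrap_or(rest.len());
    rest[..end].split_whitespace().map(str::to_string).collect()
}

pub fn flake_build_inputs(flake: &str) -> Vec<String> {
    between(flake, "buildInputs = with pkgs; [", "]")
}

pub fn guix_native_inputs(scm: &str) -> Vec<String> {
    between(scm, "(native-inputs (list", ")")
}

/// Nixpkgs attribute -> Guix package(s) that satisfy it. The rust toolchain
/// split follows the PR's table; everything else is assumed to map 1:1.
fn guix_equivalents(nix_attr: &str) -> Vec<String> {
    match nix_attr {
        "rustc" | "clippy" | "rustfmt" => vec!["rust".to_string()],
        "cargo" => vec!["rust-cargo".to_string()],
        other => vec![other.to_string()],
    }
}

/// Flake inputs that no Guix native-input covers, in flake order.
/// An empty result is the "pure mirror" verdict that lets flake.nix be retired.
pub fn uncovered(flake: &str, scm: &str) -> Vec<String> {
    let guix: BTreeSet<String> = guix_native_inputs(scm).into_iter().collect();
    flake_build_inputs(flake)
        .into_iter()
        .filter(|attr| !guix_equivalents(attr).iter().all(|g| guix.contains(g)))
        .collect()
}

pub fn is_pure_mirror(flake: &str, scm: &str) -> bool {
    uncovered(flake, scm).is_empty()
}

/// (source #f) with nothing in native-inputs: a scaffold stub, not a dev manifest.
pub fn is_empty_stub(scm: &str) -> bool {
    scm.contains("(source #f)") && guix_native_inputs(scm).is_empty()
}

fn main() {
    if is_empty_stub(SAMPLE_GUIX) {
        println!("KEEP+FLAG: guix.scm is an empty stub");
        return;
    }
    let missing = uncovered(SAMPLE_FLAKE, SAMPLE_GUIX);
    if missing.is_empty() {
        println!("pure mirror: flake.nix can be retired in favour of guix shell -D -f guix.scm");
    } else {
        println!("KEEP+DEP: flake deps not mirrored in guix.scm: {:?}", missing);
    }
}
```

Run it once before `git rm flake.nix`; a non-empty `uncovered` list is exactly the "load-bearing flake-only dev tooling" case the campaign marks KEEP+DEP, and the alias table is the only place where judgement enters (a wrong alias silently passes the gate, so keep it small and reviewed).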
@github-actions

🔍 Hypatia Security Scan

Findings: 13 issues detected

Severity Count
🔴 Critical 2
🟠 High 3
🟡 Medium 8

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "missing_workflow",
    "file": "mirror.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/hypatia/hypatia/src/abi/RuleEngine.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/hypatia/hypatia/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (22 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "as_ptr exposes raw pointer that may dangle or alias unsafely (10 occurrences, CWE-676)",
    "type": "as_ptr",
    "file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/hypatia/hypatia/adapters/src/codeberg.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/hypatia/hypatia/adapters/src/radicle.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
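The `unpinned_action` / `pin_sha` finding above is the one with a concrete supply-chain consequence: `uses: …/governance-reusable.yml@main` means whoever can push to `main` in the upstream repository chooses what this repository's CI runs, with this repository's token. Added example, not hypatia's scanner and not from this PR: a minimal audit of `uses:` lines that treats only a full 40-hex commit SHA (or an OCI `sha256:` digest) as immutable. The sample workflow is constructed; only the `governance` job line is copied from the finding, the SHA on the checkout line is made up, and the job names are assumptions.

```rust
/// Constructed sample workflow (assumed; not hypatia's governance.yml). Only the
/// `governance` job's `uses:` line is taken from the scanner finding on this PR.
pub const SAMPLE_WORKFLOW: &str = r#"
name: governance
on: [pull_request]
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: "actions/setup-node@v4"
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"#;

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub uses: String,
    pub reason: &'static str,
}

fn all_hex(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// A ref is immutable only if it is a full git commit SHA or an OCI sha256 digest.
/// Tags and branches can be moved by anyone with write access upstream.
pub fn is_immutable_ref(r: &str) -> bool {
    (r.len() == 40 && all_hex(r))
        || r.strip_prefix("sha256:").map_or(false, |h| h.len() == 64 && all_hex(h))
}

/// Scan every `uses:` line (step actions and reusable workflows alike) and
/// report the ones that resolve to something mutable at run time.
pub fn audit_uses(workflow: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in workflow.lines().enumerate() {
        // Normalise "  - uses: x" and "    uses: x" to "uses: x".
        let line = raw.trim_start().trim_start_matches("- ").trim_start();
        let rest = match line.strip_prefix("uses:") {
            Some(r) => r,
            None => continue,
        };
        // Drop a trailing "# v4" comment and any quoting around the value.
        let uses = rest
            .split(" #")
            .next()
            .unwrap_or("")
            .trim()
            .trim_matches(|c: char| c == '"' || c == '\'')
            .to_string();
        if uses.starts_with("./") {
            continue; // same-repo action: already fixed by the commit being checked out
        }
        let reason = match uses.rsplit_once('@') {
            None => "no @ref: resolves to a default branch or floating tag at run time",
            Some((_, r)) if is_immutable_ref(r) => continue,
            Some(_) => "mutable tag or branch ref: pin to a full 40-hex commit SHA",
        };
        findings.push(Finding { line: idx + 1, uses, reason });
    }
    findings
}

fn main() {
    for f in audit_uses(SAMPLE_WORKFLOW) {
        println!("line {}: {} -> {}", f.line, f.uses, f.reason);
    }
}
```

When pinning, keep the human-readable tag in a trailing comment (`@<sha> # v4.1.1`) so the pin stays reviewable, and remember that pinning a reusable workflow by SHA still does not pin the actions that workflow itself calls: those need the same treatment in the upstream repository.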

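The `unsafe_block`, `as_ptr` and `expect_in_hot_path` findings against `clients/rust/hypatia-client/src/ffi.rs` name patterns, not confirmed bugs; the page does not show the flagged code. Added example, not hypatia's `ffi.rs` and not from this PR, of the defect the `as_ptr` rule (CWE-676) is looking for and of the form that satisfies all three rules at once: the owning `CString` bound for the whole FFI call, a `// SAFETY:` comment stating the invariant the `unsafe` block relies on, and a `Result` instead of `expect()` on the request path (CWE-754). The `extern "C"` function is a constructed stand-in for a C callee and the names are assumptions.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

/// Constructed stand-in for a C-side function reached over FFI (not hypatia's ABI).
/// Contract: `s` is null or a valid NUL-terminated string for the duration of the call.
pub unsafe extern "C" fn ffi_cstr_len(s: *const c_char) -> usize {
    if s.is_null() {
        return 0;
    }
    // SAFETY: the caller upholds the contract above; we only read up to the NUL.
    unsafe { CStr::from_ptr(s) }.to_bytes().len()
}

/// Returned instead of panicking: a request carrying an interior NUL is a bad input,
/// not a reason to abort the process.
#[derive(Debug, PartialEq)]
pub enum FfiError {
    InteriorNul(usize),
}

// The pattern the scanner's `as_ptr` rule targets (shown only as a comment,
// because executing it is undefined behaviour):
//
//     let p = CString::new(name).expect("no NUL").as_ptr(); // CString dropped here
//     unsafe { ffi_cstr_len(p) }                            // use-after-free
//
// The temporary CString lives only to the end of its statement, so `p` dangles.

/// Hardened form: the owner outlives the pointer, the invariant is written down,
/// and the NUL check becomes an error the caller can handle.
pub fn cstr_len(name: &str) -> Result<usize, FfiError> {
    let owned = CString::new(name).map_err(|e| FfiError::InteriorNul(e.nul_position()))?;
    // SAFETY: `owned` is a valid NUL-terminated buffer that lives until this
    // function returns, so the pointer is valid for the whole call, and the
    // callee does not retain it past the call.
    let n = unsafe { ffi_cstr_len(owned.as_ptr()) };
    Ok(n)
}

fn main() {
    match cstr_len("hypatia") {
        Ok(n) => println!("len = {n}"),
        Err(e) => eprintln!("rejected: {e:?}"),
    }
}
```

The rule of thumb that makes the SAFETY comment easy to write: every raw pointer handed across FFI must have a named owner in scope that is provably alive until the callee is done with it, and if the callee stores the pointer, the owner has to be leaked or boxed deliberately rather than left to drop at the end of the statement.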