fix(k9): regenerate contracts with merged k9iser codegen (Refs #77) #89

Merged: hyperpolymath merged 1 commit into main from fix/k9-dogfood-regen-merged-k9iser on May 18, 2026

@hyperpolymath
Owner

Summary

PR #87 merged with a known-red Dogfood Gate → "Validate K9 contracts" job. The root cause was upstream: k9iser's codegen did not emit the K9! magic line or a pedigree block, so idaptik's generated contracts failed the canonical hyperpolymath/k9-validate-action.

k9iser#9 has since merged (squash c7626ca on hyperpolymath/k9iser main): the codegen now emits the K9! magic line and a pedigree block as required by hyperpolymath/k9-validate-action.

This PR regenerates idaptik's three K9 contracts from k9iser.toml using the merged generator:

  • generated/k9iser/container-build.k9
  • generated/k9iser/deno-workspace.k9
  • generated/k9iser/prod-compose-overrides.k9

Each now carries, as produced by the fixed generator:

  • K9! as the first non-empty line (magic number)
  • an SPDX header (# SPDX-License-Identifier: PMPL-1.0-or-later)
  • a pedigree block: schema_version, metadata.name/metadata.version, security.leash = "yard", signature_required = false

This is a real regeneration from source — not a hand-patch / paper-over. No workflow pin change is needed: the Dogfood Gate pins the validator (hyperpolymath/k9-validate-action@2d96f43, unchanged by k9iser#9); only the generated contracts needed regeneration.

Verification

Validated against the exact validator the Dogfood Gate pins (hyperpolymath/k9-validate-action@2d96f43c538964b097d159ed3a56ba5b5ceca227, validate-k9.sh), traced check-by-check over all three contracts:

| Check | Result |
|---|---|
| 1. K9! magic on first non-empty line | PASS (line 1 in all 3) |
| 2. SPDX header in first 10 lines | PASS (line 2) |
| 3. pedigree block + name + version/schema_version | PASS (correct brace-depth detection) |
| 4. Security level (leash) is kennel/yard/hunt | PASS (yard) |
| 5. Hunt-level signature requirement | N/A (level is yard) |

Expected gate result: 3 files scanned, 0 errors, 0 warnings, exit 0 — the "Validate K9 contracts" job goes green. The Dogfood Gate runs on pull_request, so opening this PR exercises the gate directly.

Refs #77 — does not close; #77 is the open CI-triage / requirements-target issue and stays open pending explicit sign-off.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

🤖 Generated with Claude Code
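
The five checks in the verification table above, as an added sketch that is not part of the PR and is not the code of validate-k9.sh. The contract syntax in the samples (braces, `key = "value"`), the function name `check_k9`, and the reading of check 5 as "hunt requires `signature_required = true`" are assumptions; the sample contracts are constructed.

```sh
#!/bin/sh
# Added sketch of the five checks in the table above; NOT validate-k9.sh.
# Assumed: brace/key = "value" syntax, and that "hunt" needs signature_required = true.
check_k9() {  # prints one line per failed check; returns non-zero if any failed
  k9=$1; fails=""
  # 1. magic: first non-empty line is exactly K9!
  first=$(awk 'NF { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$k9")
  [ "$first" = "K9!" ] || fails="$fails magic"
  # 2. SPDX header within the first 10 lines
  head -n 10 "$k9" | grep -q 'SPDX-License-Identifier:' || fails="$fails spdx"
  # 3. pedigree block, cut out by brace depth so keys outside it do not count
  ped=$(awk '!inb && /pedigree[ \t]*=?[ \t]*[{]/ { inb = 1 }
    inb { print; depth += gsub(/[{]/, "{") - gsub(/[}]/, "}"); if (depth <= 0) exit }' "$k9")
  printf '%s\n' "$ped" | grep -Eq '(^|[^_[:alnum:]])name[[:space:]]*=' &&
    printf '%s\n' "$ped" | grep -Eq 'version[[:space:]]*=' || fails="$fails pedigree"
  # 4. leash is kennel, yard or hunt; 5. hunt additionally needs a signature (assumed)
  leash=$(printf '%s\n' "$ped" | sed -n 's/.*leash[[:space:]]*=[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1)
  case $leash in
    kennel|yard) ;;
    hunt) printf '%s\n' "$ped" | grep -Eq 'signature_required[[:space:]]*=[[:space:]]*true' ||
            fails="$fails hunt-signature" ;;
    *) [ -z "$ped" ] || fails="$fails leash" ;;  # already reported as pedigree if absent
  esac
  for c in $fails; do echo "FAIL: $c"; done
  [ -z "$fails" ]
}

tmp=$(mktemp -d)   # constructed sample contracts, not the repository's files
cat > "$tmp/good.k9" <<'EOF'
K9!
# SPDX-License-Identifier: PMPL-1.0-or-later
pedigree = {
  schema_version = "1.0.0"
  metadata = { name = "container-build", version = "0.1.0" }
  security = { leash = "yard", signature_required = false }
}
EOF
cat > "$tmp/old.k9" <<'EOF'
# SPDX-License-Identifier: PMPL-1.0-or-later
name = "container-build"
version = "0.1.0"
EOF
sed 's/"yard"/"hunt"/' "$tmp/good.k9" > "$tmp/hunt.k9"
for n in good old hunt; do echo "== $n.k9"; check_k9 "$tmp/$n.k9" || true; done
```

`old.k9` is shaped like the failure the summary describes (no magic line, no pedigree block): its top-level `name` and `version` do not satisfy check 3 because they sit outside any `pedigree` block.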

k9iser#9 merged (squash c7626ca on hyperpolymath/k9iser main): the
codegen now emits the `K9!` magic line and a `pedigree` block as
required by the canonical hyperpolymath/k9-validate-action.

Regenerated idaptik's three K9 contracts (container-build,
prod-compose-overrides, deno-workspace) from k9iser.toml using the
merged generator. Each now carries:
  - `K9!` as the first non-empty line (magic number)
  - an SPDX header
  - a `pedigree` block (schema_version, metadata.name/version,
    security.leash=yard, signature_required=false)

The generator also tightened a few rule types (e.g. verify.* from
string to bool), which the validator accepts.

Verified locally end-to-end against the exact validator the Dogfood
Gate pins (hyperpolymath/k9-validate-action@2d96f43): 3 files scanned,
0 errors, 0 warnings, exit 0 — the Dogfood "Validate K9 contracts"
job is now green. No workflow pin change required: that pin is the
validator (unchanged by k9iser#9), and the contracts were verified
against it.

Refs #77 — does not close; #77 is a requirements-target issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 26c41d9 into main May 18, 2026
14 of 17 checks passed
@hyperpolymath hyperpolymath deleted the fix/k9-dogfood-regen-merged-k9iser branch May 18, 2026 08:55
@github-actions

🔍 Hypatia Security Scan

Findings: 55 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 12 |
| 🟠 High | 29 |
| 🟡 Medium | 14 |

⚠️ Action Required: Critical security issues found!

[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "serviceworker-check.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/idaptik/idaptik/dlc/idaptik-dlc-reversible/robot-repo-bot/_modules/robot_repo.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "Deno -A grants all permissions -- use specific --allow-* flags (3 occurrences, CWE-250)",
    "type": "js_deno_all_perms",
    "file": "/home/runner/work/idaptik/idaptik/run.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/idaptik/idaptik/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "getExn on external data -- use pattern matching (2 occurrences, CWE-754)",
    "type": "getexn_on_external",
    "file": "/home/runner/work/idaptik/idaptik/src/app/devices/VMBridge.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "JSON decode without validation (2 occurrences, CWE-20)",
    "type": "json_decode_no_validation",
    "file": "/home/runner/work/idaptik/idaptik/src/app/proven/SafeJson.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "JSON decode without validation (1 occurrences, CWE-20)",
    "type": "json_decode_no_validation",
    "file": "/home/runner/work/idaptik/idaptik/src/app/screens/BalanceAnalyserModel.res",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
