ci: fix remaining external-action failures (a2ml, hypatia, fuzz) #60

Merged: hyperpolymath merged 4 commits into main from fix/ci-a2ml-hypatia-fuzz on May 17, 2026

@hyperpolymath (Owner)

Resolves the last three red lanes tracked in #41. Each had moved past its original plumbing error into a genuine, distinct root cause:

| Lane | Original (already fixed) | Actual current root cause | Fix here |
|---|---|---|---|
| A2ML | @main not SHA-pinned | Pinned SHA fd7b2d8 pre-dated a2ml-validate-action#12; 15 .machine_readable/* files lacked an in-file identity field | Bump pin → 59145c7 (treats whole .machine_readable/ tree as structural-identity). 0 identity errors with no repo-side .a2ml edits |
| Hypatia | bad upload-artifact SHA | hypatia-scan.yml drifted: cd scanner into a dir that no longer exists in the hypatia repo (mix.exs is at root) → exit 1 | Sync workflow to canonical rsr-template-repo version (builds at $HOME/hypatia; also brings `\|\| true` guard, correct artifact SHA, concurrency, continue-on-error on PR comment) |
| fuzz | Containerfile vs Dockerfile | Repo root is a virtual workspace → fuzz/Cargo.toml build failed "believes it's in a workspace when it's not"; also broken+unused neurophone path=".." dep and undeclared serde_json | Add empty [workspace] to fuzz/Cargo.toml; drop dead dep; declare serde_json; commit fuzz/Cargo.lock. Builds clean locally |

Verification

  • A2ML: ran the 59145c7 validator against this repo's pristine tree → Errors: 0.
  • fuzz: `cargo build --manifest-path fuzz/Cargo.toml` Finished clean.
  • Hypatia: canonical template is repo-agnostic and removes the failing cd scanner step; will confirm green on CI.

K9 already passes on main. The redundant cross-repo validator PR (a2ml-validate-action#13) was closed as superseded by #12.

Refs #41

🤖 Generated with Claude Code

…a, fuzz)

The last three red lanes from #41 had all moved past their original
plumbing errors into genuine, distinct root causes:

a2ml — `Validate A2ML manifests`
  Bump hyperpolymath/a2ml-validate-action fd7b2d8 -> 59145c7. The pinned
  version pre-dated a2ml-validate-action#12, which treats the whole
  `.machine_readable/` tree as structural-identity (identity = owning
  repo + path, not an in-file `name`/`agent-id`). neurophone scores 0
  identity errors against 59145c7 with no repo-side .a2ml edits.

hypatia — `Hypatia Neurosymbolic Analysis`
  hypatia-scan.yml had drifted: it did `cd scanner` inside
  /home/runner/hypatia, but the hypatia repo root has no `scanner/`
  subdir (mix.exs is at the root), so the build step exited 1. Synced
  the workflow to the canonical rsr-template-repo version, which builds
  at `$HOME/hypatia` (`mix escript.build`, binary `hypatia`) and also
  brings the `|| true` scan guard, correct upload-artifact SHA,
  concurrency group, pull-requests: write, and continue-on-error on the
  advisory PR-comment step.

fuzz — ClusterFuzzLite
  The repo root is a *virtual* workspace (no [package]), so building
  fuzz/Cargo.toml failed "current package believes it's in a workspace
  when it's not". The fuzz crate now declares its own empty [workspace]
  table. Also dropped the broken+unused `neurophone path = ".."`
  dependency (root has no package; the target never used it) and
  declared `serde_json`, which the target does use. Builds clean
  locally; fuzz/Cargo.lock committed for reproducibility.

Refs #41

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
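
The A2ML lane's original failure, per the table above, was an action referenced at `@main` rather than at a commit SHA. As an added example (not code from this PR or the project), a small audit that flags `uses:` entries not pinned to a full 40-character commit SHA; the workflow text, the 40-hex SHA and the local action path are constructed, and an abbreviated SHA of the kind this page displays is flagged as well.

```python
import re

# Only a full 40-hex commit SHA is an immutable action reference; branches
# and tags can be re-pointed by whoever controls the action repository.
FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")
# Matches "uses: owner/repo@ref" with or without the leading list dash.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")


def classify(target):
    """Classify one `uses:` target as 'local', 'pinned' or 'unpinned'."""
    if target.startswith("./"):
        return "local"  # lives in this repo, versioned with the workflow
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "unpinned"  # no ref at all
    pattern = DIGEST if target.startswith("docker://") else FULL_SHA
    return "pinned" if pattern.fullmatch(ref) else "unpinned"


def audit(workflow_text):
    """Return (line number, target) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES.match(line)
        if match and classify(match.group(1)) == "unpinned":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: hyperpolymath/a2ml-validate-action@main
  - uses: hyperpolymath/a2ml-validate-action@59145c7
  - uses: actions/upload-artifact@v4
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, target in audit(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```
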
@github-actions

🔍 Hypatia Security Scan

Findings: 22 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 5 |
| 🟠 High | 11 |
| 🟡 Medium | 6 |

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/neurophone/neurophone",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (1 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/sensors/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (12 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/sensors/benches/sensors_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (5 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/llm/benches/llm_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (2 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/lsm/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/neurophone/neurophone/crates/lsm/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/neurophone/neurophone/crates/lsm/benches/lsm_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (2 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/neurophone/neurophone/crates/esn/src/lib.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (2 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/esn/benches/esn_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (2 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/neurophone/neurophone/crates/bridge/benches/bridge_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

cflite_pr.yml only watched top-level `Cargo.toml`/`Cargo.lock`, so a
change to `fuzz/Cargo.toml` (e.g. the workspace fix in this PR) silently
skipped the fuzz lane entirely — the very change most likely to affect
fuzzing was never exercised. Broaden to `**/Cargo.toml` / `**/Cargo.lock`
(matches root and nested) so fuzz-config changes actually run the lane.

Refs #41

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hyperpolymath and others added 2 commits May 17, 2026 02:57
Pre-existing `cargo fmt --check` failure on `main` (rust-ci `test` lane),
unrelated to #41's four external-action lanes but blocking a clean merge.
Mechanical fix: rustfmt orders `ndarray_rand::rand_distr` before
`ndarray_rand::RandomExt`. 2 files, import-order only, no logic change.

Refs #41

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan D.A. Jewell <6759885+hyperpolymath@users.noreply.github.com>
@hyperpolymath hyperpolymath merged commit 1249969 into main May 17, 2026
28 of 32 checks passed
@hyperpolymath hyperpolymath deleted the fix/ci-a2ml-hypatia-fuzz branch May 17, 2026 02:15
