
policy: Guix primary + sealed-container escape; retire Nix-mirror-everywhere#101

Merged
hyperpolymath merged 1 commit into main from policy/guix-primary-no-nix-mirror on May 18, 2026

Conversation

@hyperpolymath
Owner

What

Canonicalises the estate ruling of 2026-05-18 and supersedes the prior standing
rule "Nix shard fallback on Guix channel primary everywhere".

  • spec/LANGUAGE-POLICY.adoc §Package Management — the canonical statement.
    Guix primary; sealed container (not a Nix mirror) is the single universal
    escape hatch for the not-in-Guix / non-free tail; one packager per repo; a
    second packager only as the sole source of a specific named dependency.
  • .machine_readable/agent_instructions/debt.a2ml — estate-wide
    flake.nix-mirror removal + consumer-doc reconciliation logged as a SHOULD
    debt item.

Why

A flake.nix that only mirrors the Guix manifest is two incomplete manifests
hand-synced plus containers anyway = pure drift surface, never exercised as a
real fallback. Guix's full-source bootstrap + guix time-machine is
provenance-thesis-aligned; the non-free / not-in-Guix tail (which Guix's FSDG
structurally excludes) goes to the already-mandated sealed container, not a Nix
twin.

Pilot already landed

hyperpolymath/echidna PR #73 applied this: flake.nix/flake.lock removed,
9 Tier-3 prover Containerfiles consolidated into one sealed multi-target
Containerfile.wave3, manifest/CLAUDE/Justfile/STATE reconciled.

Scope

Surgical: only the canonical §Package Management statement + the debt record.
The broad consumer-repo sweep (other docs that still say "Fallback: Nix") is
deliberately deferred to the tracked debt item, per centralised-standards
(link-don't-copy) — not swept here.

🤖 Generated with Claude Code

…rywhere

RULED 2026-05-18 (estate-wide). Supersedes the prior standing rule
"Nix shard fallback on Guix channel primary everywhere".

- spec/LANGUAGE-POLICY.adoc §Package Management: canonical statement updated.
  One packager per repo; sealed container (not a Nix mirror) is the single
  universal escape hatch for the not-in-Guix / non-free tail; a second
  packager only as the sole source of a specific named dependency.
- debt.a2ml: estate-wide flake.nix-mirror removal + consumer-doc reconciliation
  recorded as a SHOULD debt item (echidna PR #73 is the landed pilot).

Rationale: a Nix file that only mirrors the Guix manifest is two incomplete
manifests kept in sync by hand plus containers anyway = pure drift surface,
never exercised as a real fallback. Fewer moving parts; thesis-aligned with
Guix full-source bootstrap + time-machine provenance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 1a0800c into main May 18, 2026
16 checks passed
@hyperpolymath hyperpolymath deleted the policy/guix-primary-no-nix-mirror branch May 18, 2026 03:57
hyperpolymath added a commit that referenced this pull request May 18, 2026
Closes the actionable of #103 (Wave 0 of campaign #102; policy #101).

Read-only discovery over all **379** hyperpolymath repos (top-level
`HEAD`), committed as the durable worklist
`rhodium-standard-repositories/spec/nix-retirement-inventory.adoc`:

| Class | Count |
|---|---|
| Candidate (→ 14 waves) | 277 |
| Monorepo → handle at source | 8 |
| Excluded (standards, echidna #73) | 2 |
| Out-of-scope (no flake / no Guix) | 92 |

Verdicts are **provisional** — final keep/remove is per-repo at wave
time (`flake` inputs vs `Guix ∪ sealed-container`). The
`.guix-channel`-only and flake-without-Guix traps were checked and are
**empty**; the earlier triage's "my-lang = channel-only" was inaccurate
(my-lang has no flake.nix → out-of-scope). The `Wave` column is
authoritative for slicing the wave sub-issues.

Gate rules are **not duplicated** here — the artifact links to #102 /
`LANGUAGE-POLICY.adoc`.

Refs #103
Refs #101

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

🔍 Hypatia Security Scan

Findings: 100 issues detected

Severity Count
🔴 Critical 62
🟠 High 28
🟡 Medium 10

⚠️ Action Required: Critical security issues found!

```json
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
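The `unpinned_action` / `pin_sha` findings in the scan above are the supply-chain point worth automating: a `uses:` that resolves `@main` (or a movable tag) at run time lets whoever controls that ref execute code in the consumer's CI, and a reusable workflow pulled in at job level has exactly the same exposure as a step-level action. The script below is an added example of that check written for this page; it is not Hypatia's rule code. The workflow text, the placeholder 40-hex SHA, the `kind` field and the local-action and `docker://` handling are constructed assumptions.

```python
"""Detect unpinned `uses:` references in a GitHub Actions workflow.

Added example for this page, not Hypatia's implementation. Step-level actions
(`owner/repo@ref`, `owner/repo/path@ref`) and job-level reusable workflows
(`owner/repo/.github/workflows/x.yml@ref`) share the `uses:` syntax, so one
rule covers both. A ref is "pinned" only if it is a full 40-hex commit SHA;
`docker://` images count as pinned only with an `@sha256:` digest.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` with an optional list dash, optional quotes, value up to whitespace/#
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.M)

# Constructed workflow: one reusable workflow at @main, one local action,
# one action at a movable tag, one pinned to a placeholder SHA, one image tag.
WORKFLOW_SAMPLE = """\
name: governance
on: [push]
jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-lint
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: docker://alpine:3.20
"""


def check_uses(workflow_text: str, file: str = "workflow.yml") -> list[dict]:
    """Return one finding per `uses:` whose ref is not an immutable digest."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref_spec = m.group(1)
        if ref_spec.startswith("./"):
            continue  # local action: fixed by the repo checkout itself
        if ref_spec.startswith("docker://"):
            pinned = "@sha256:" in ref_spec  # tag -> mutable, digest -> pinned
            kind = "docker"
        else:
            target, _, ref = ref_spec.partition("@")
            pinned = bool(SHA_RE.match(ref))  # branch/tag names never match
            kind = "reusable_workflow" if "/.github/workflows/" in target else "action"
        if not pinned:
            findings.append({
                "reason": f"Action {ref_spec} needs attention",
                "type": "unpinned_action",
                "kind": kind,
                "file": file,
                "line": workflow_text.count("\n", 0, m.start()) + 1,
                "action": "pin_sha",
                "severity": "high",
            })
    return findings


if __name__ == "__main__":
    for f in check_uses(WORKFLOW_SAMPLE, "governance.yml"):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['reason']}")
```

Pinning to a SHA fixes what runs, but the pin then has to be kept current deliberately (Dependabot or a scheduled bump), and a reusable workflow pinned by SHA still runs whatever actions it references internally at their own refs, so the check needs to be applied in the called repository too.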

hyperpolymath added a commit to hyperpolymath/hypatia that referenced this pull request May 19, 2026
…289)

Refs standards#101 standards#102. Refs not Closes — this PR does not
close any issue.

## What

Retire the Nix-mirror in hypatia. Guix-primary + sealed-container-escape
is the canonical packaging policy per
[standards#101](hyperpolymath/standards#101);
the Nix-mirror was a hand-mirrored twin retired estate-wide.

## Verified pure mirror (the standards#102 gate)

`guix.scm` covers the entire flake devShell dep set verbatim:

| flake devShell buildInput | guix.scm native-input |
|---|---|
| elixir | elixir |
| erlang | erlang |
| rustc + cargo + clippy + rustfmt | rust + rust-cargo |
| idris2 | idris2 |
| zig | zig |
| pkg-config | pkg-config |
| openssl | openssl |

Every flake dep is mirrored — pure mirror per the campaign gate (`flake
vs Guix ∪ sealed-container`). `guix.scm`'s `(source #f)` is the standard
dev-shell form (paired with a real `native-inputs` list); not the
disqualifying empty-stub form. `guix shell -D -f guix.scm` is the direct
replacement for `nix develop`.

## Changes

- `git rm flake.nix flake.lock`
- `CONTRIBUTING.md` §Getting Started: `nix develop` → `guix shell -D -f
guix.scm` (links standards#101).
- `TESTING-AUDIT.md` Reproducibility row: dereferences `flake.nix`
(canonical = `guix.scm`).
- Historical audit reports (`docs/reports/audit/`,
`docs/governance/CRG-AUDIT-2026-04-18.adoc`) retain their `flake.nix`
references as dated snapshots — not edited.

## Campaign context

Estate-wide verification (Waves 1–14, ~280 in-scope repos) found that
**hypatia is the single genuine pure-mirror in the campaign so far**.
Most other repos have scaffold-stub `guix.scm` (KEEP+FLAG) or
load-bearing flake-only dev tooling (KEEP+DEP). Personally re-verified
against the agent-flagged candidates (proof-of-work and tma-mark2 were
over-called; hypatia stood up).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
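The gate the commit above applies (every flake devShell input must be covered by a Guix native-input, and a `guix.scm` whose input list is empty is the disqualifying stub form rather than the dev-shell form) is mechanical enough to script. The block below is an added worked example for this page, not hypatia's or the standards repo's tooling: the Nixpkgs-to-Guix name map follows the PR's own table, the two sample files are constructed, the verdict labels are mapped onto the commit's REMOVE / KEEP+FLAG / KEEP+DEP wording by assumption, and both parsers handle only the common file shapes shown in the samples.

```python
"""Pure-mirror gate: is flake.nix only a hand-synced twin of guix.scm?

Added example, not the campaign's own tooling. Parses the devShell
`buildInputs` list from flake.nix text and the `(native-inputs (list ...))`
form from guix.scm text, maps Nixpkgs names onto Guix names, and returns
a verdict. `(source #f)` is tolerated (dev-shell form); an empty input list
is treated as the scaffold stub.
"""
import re

# Assumed Nixpkgs -> Guix name map, following the PR's table. cargo is the
# "cargo" output of Guix's rust package, written `(,rust "cargo") in guix.scm
# and normalised to "rust:cargo" here. clippy/rustfmt are counted under rust
# as the table does; anything unmapped is treated as flake-only.
NIX_TO_GUIX = {
    "elixir": "elixir", "erlang": "erlang",
    "rustc": "rust", "cargo": "rust:cargo", "clippy": "rust", "rustfmt": "rust",
    "idris2": "idris2", "zig": "zig", "pkg-config": "pkg-config", "openssl": "openssl",
}

# Constructed samples in the shape the parsers expect.
FLAKE_SAMPLE = """
{
  outputs = { self, nixpkgs }:
    let pkgs = nixpkgs.legacyPackages.x86_64-linux; in {
      devShells.x86_64-linux.default = pkgs.mkShell {
        buildInputs = with pkgs; [
          elixir erlang
          rustc cargo clippy rustfmt  # rust toolchain
          idris2 zig pkg-config openssl
        ];
      };
    };
}
"""
GUIX_SAMPLE = """
(package
  (name "hypatia-dev") (version "0")
  (source #f)                          ; dev-shell form: no tarball, real inputs
  (build-system gnu-build-system)
  (native-inputs
   (list elixir erlang rust `(,rust "cargo") idris2 zig pkg-config openssl))
  (synopsis "dev shell") (description "guix shell -D -f guix.scm")
  (home-page "") (license #f))
"""
GUIX_STUB_SAMPLE = """
(package (name "scaffold") (version "0") (source #f)
  (build-system gnu-build-system) (native-inputs (list))
  (synopsis "") (description "") (home-page "") (license #f))
"""


def flake_dev_inputs(flake_src: str) -> list[str]:
    """Names from `buildInputs = with pkgs; [ ... ];` (comments stripped)."""
    m = re.search(r"buildInputs\s*=\s*(?:with\s+pkgs;\s*)?\[([^\]]*)\]", flake_src)
    if not m:
        return []
    body = re.sub(r"#[^\n]*", "", m.group(1))
    return [t.removeprefix("pkgs.") for t in body.split()]


def _sexp_after(src: str, head: str) -> str:
    """Return the balanced s-expression starting at the first `head`."""
    start = src.find(head)
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return ""


def guix_native_inputs(guix_src: str) -> list[str]:
    """Names from (native-inputs (list ...)); outputs become name:output."""
    sexp = _sexp_after(guix_src, "(native-inputs")
    m = re.search(r"\(native-inputs\s*\(list\s*(.*)\)\)\s*$", sexp, re.S)
    if not m:
        return []
    body = re.sub(r";[^\n]*", "", m.group(1))
    out_re = r'`\(,(\S+?)\s+"([^"]+)"\)'
    names = [f"{p}:{o}" for p, o in re.findall(out_re, body)]
    return names + re.sub(out_re, " ", body).split()


def gate_verdict(flake_src: str, guix_src: str) -> dict:
    """REMOVE if flake is a pure mirror; KEEP+FLAG on stub; KEEP+DEP otherwise."""
    flake = flake_dev_inputs(flake_src)
    guix = set(guix_native_inputs(guix_src))
    missing = [d for d in flake if NIX_TO_GUIX.get(d) not in guix]
    if not guix:
        verdict = "KEEP+FLAG"   # scaffold stub: nothing real to mirror against
    elif missing:
        verdict = "KEEP+DEP"    # flake still carries deps Guix does not supply
    else:
        verdict = "REMOVE"      # pure mirror: flake.nix adds nothing
    return {"verdict": verdict, "missing": missing, "guix_inputs": sorted(guix)}


if __name__ == "__main__":
    print("hypatia-like:", gate_verdict(FLAKE_SAMPLE, GUIX_SAMPLE))
    print("stub:        ", gate_verdict(FLAKE_SAMPLE, GUIX_STUB_SAMPLE))
```

The name map is the part that decides the outcome, so keep it in version control beside the inventory: a dep that is silently unmapped reads as "flake-only" and turns a pure mirror into KEEP+DEP, which is a safe failure, whereas an over-generous map (e.g. crediting clippy to a Guix rust that does not ship it) would let a load-bearing flake be removed.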