feat(scripts): reusable registry-readiness remediation #105

Merged
hyperpolymath merged 3 commits into main from chore/registry-readiness-script on May 18, 2026

Conversation

@hyperpolymath
Owner

Canonical home for the remediation proven across the Julia chain (Axiom/AcceleratorGate/KnotTheory/KRLAdapter/Skein PRs). Idempotent, branch-only, no fabrication. Licensing→MPL-2.0/REUSE, SPDX-normalise, de-LLM, manifest sanity. 🤖 Generated with Claude Code

hyperpolymath and others added 3 commits May 17, 2026 06:19
Codifies the burble#39 lesson estate-wide so a runner-layer version skew
can never again masquerade for months as an inner-layer failure.

- TOOLING-VERSION-INTEGRITY-POLICY.adoc: 5 rules + post-mortem. Pin
  family tools; declare the min-version floor; gates prove execution
  not exit-0; every soft-gate explained (dated suppression OR by-design);
  resolve at source.
- tasks/tooling-integrity-lint.sh: R0 just>=1.19.0 floor (blocking when
  just present — the execution-proof check an in-file guard cannot do),
  R1 unversioned family-tool install (blocking), R4 unexplained
  continue-on-error (advisory-first per the estate gating doctrine;
  --strict to enforce). Self-tested vs standards/burble/hypatia.
- contractiles/must/Mustfile: canonical 'tooling-version-integrity'
  check (dependency-free inline floor assertion) — propagates to every
  repo adopting the canonical must contract on contractile regen.
- Mustfile: live repo dogfoods the full lint.
- Justfile: Rule-2 'requires: just >= 1.19.0' annotation.

NOTE: the contractile generator repo is out-of-band; contractiles/ source
is edited here, regen + propagation tracked in the estate sweep issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tate trufflehog soft-gate

P3 propagation: the estate-wide workflow_call reusable now enforces R0
(just>=1.19.0 floor, blocking when just present) and R1 (unversioned
family-tool install, blocking) inline and dependency-free, so every repo
invoking governance-reusable inherits the burble#39 guard with one
existing `uses:` line — no per-repo PR, no script vendoring. R4 stays
advisory via the standards lint.

Also dogfoods Rule 4: the pre-existing bare continue-on-error on the
trufflehog step now carries a by-design rationale, so the canonical
template is itself policy-clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ation

Relicense→MPL-2.0 + REUSE + SPDX-normalise + de-LLM + manifest sanity.
Battle-hardened across Axiom/AcceleratorGate/KnotTheory/KRLAdapter/Skein.
Idempotent, branch-only, no fabrication (flags ambiguous).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
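The tooling-integrity lint that the first two commit messages describe is not reproduced on this page. The bash below is an added example, not the standards repo's `tasks/tooling-integrity-lint.sh` or its Mustfile check, implementing the three rules the messages name: R0 (run `just --version` and assert the 1.19.0 floor, skipping when `just` is absent), R1 (an install line for a family tool that carries no version) and R4 (`continue-on-error: true` with no rationale on the same or the preceding line). The installer list, the accepted rationale markers (`by-design` or `suppressed-until YYYY-MM-DD`) and the sample workflow fragment are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the standards repo's tasks/tooling-integrity-lint.sh.
# A dependency-free lint for the three rules the commit message names:
#   R0  just >= 1.19.0 floor, proven by executing the tool
#   R1  family-tool install with no version
#   R4  continue-on-error with no rationale
# The tool list, rationale markers and regexes are this example's assumptions.

FLOOR_JUST="1.19.0"
# Assumed "family tools" and the installers that fetch them.
INSTALLERS='(cargo|pip|pipx|npm|gem|go) install'
# Assumed accepted rationales: a by-design tag or a dated suppression.
RATIONALE='#.*(by-design|suppressed-until [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])'

# Dotted-version compare without sort -V; returns 0 when $1 >= $2.
# Pre-release suffixes ("2-beta") are truncated to their numeric prefix.
version_ge() {
  local have="$1" want="$2" a b i x y
  IFS=. read -r -a a <<< "$have"
  IFS=. read -r -a b <<< "$want"
  for ((i = 0; i < ${#b[@]}; i++)); do
    x=${a[i]:-0}; y=${b[i]:-0}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=$((10#${x:-0})); y=$((10#${y:-0}))
    if ((x > y)); then return 0; fi
    if ((x < y)); then return 1; fi
  done
  return 0
}

# R0: blocking only when just is present (return 2 = absent). It executes
# `just --version` rather than trusting a version written in a file.
check_just_floor() {
  local ver
  command -v just >/dev/null 2>&1 || return 2
  ver=$(just --version | awk '{print $2}')   # "just 1.25.2" -> "1.25.2"
  version_ge "$ver" "$FLOOR_JUST"
}

# R1: install lines with no digit after "install" (no --version, @x.y.z, ==x.y).
# Comments are stripped first so a version mentioned in a comment does not count.
lint_unversioned_install() {   # $1 = workflow text; prints "N:line"
  printf '%s\n' "$1" | sed 's/#.*$//' \
    | grep -nE "$INSTALLERS" | grep -vE 'install[^0-9]*[0-9]' || true
}

# R4: continue-on-error: true with no rationale on the same or preceding line.
lint_unexplained_continue() {  # $1 = workflow text; prints "N:line"
  printf '%s\n' "$1" | awk -v re="$RATIONALE" '
    /continue-on-error:[[:space:]]*true/ && $0 !~ re && prev !~ re {
      printf "%d:%s\n", NR, $0
    }
    { prev = $0 }'
}

count_findings() {   # $1 = workflow text; echoes the R1+R4 finding count
  local r1 r4
  r1=$(lint_unversioned_install "$1" | grep -c . || true)
  r4=$(lint_unexplained_continue "$1" | grep -c . || true)
  echo $((r1 + r4))
}

# Constructed sample workflow fragment (not from any hyperpolymath repo).
SAMPLE_WORKFLOW='steps:
  - run: cargo install just                   # R1: no version
  - run: cargo install just --version 1.19.0  # ok
  - run: pip install ruff==0.4.4              # ok
  - uses: trufflesecurity/trufflehog@main
    continue-on-error: true                   # R4: bare
  - name: docs lint
    # by-design: advisory gate, tracked in the estate sweep issue
    continue-on-error: true                   # ok: explained
'

rc=0; check_just_floor || rc=$?
case "$rc" in
  0) echo "R0 ok: just >= $FLOOR_JUST" ;;
  1) echo "R0 FAIL: just below $FLOOR_JUST" ;;
  2) echo "R0 skipped: just not present" ;;
esac
lint_unversioned_install "$SAMPLE_WORKFLOW" | sed 's/^/R1 unversioned install /'
lint_unexplained_continue "$SAMPLE_WORKFLOW" | sed 's/^/R4 unexplained continue-on-error /'
total=$(count_findings "$SAMPLE_WORKFLOW")
echo "findings: $total"
# Advisory by default; --strict turns R1/R4 findings into a non-zero exit.
if [ "${1:-}" = "--strict" ] && [ "$total" -gt 0 ]; then exit 1; fi
```

Run it as-is for the advisory report, or with `--strict` to fail the job on any R1/R4 finding, the same advisory-first split the commit message describes. R0 is the one rule that cannot be satisfied by reading files: a Justfile `requires:` annotation documents the floor, but only executing the binary proves which version the runner actually has, which is the skew the burble#39 post-mortem is about.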
@hyperpolymath hyperpolymath merged commit a84b0be into main May 18, 2026
16 checks passed
@hyperpolymath hyperpolymath deleted the chore/registry-readiness-script branch May 18, 2026 05:07
@github-actions

🔍 Hypatia Security Scan

Findings: 100 issues detected

Severity Count
🔴 Critical 62
🟠 High 28
🟡 Medium 10

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
    "type": "js_wildcard_cors",
    "file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/standards/standards/axel-protocol/src/Tea.res.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
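Two of the high-severity findings above are `unpinned_action` on `hyperpolymath/standards/.github/workflows/governance-reusable.yml@main`, the same `uses:` line the second commit relies on to propagate the guard with no per-repo PR. `@main` is a mutable ref: whatever is pushed to that branch is what every downstream repo executes on its next run. The scanner's suggested action, `pin_sha`, means replacing the branch with the full 40-hex commit SHA. The bash below is an added example, not Hypatia's `workflow_audit` rule and not code from the standards repo: it classifies the ref in each `uses:` value and counts the unpinned ones over a constructed before/after workflow fragment. The SHAs in the after fragment are placeholders, not real commits of any repository.

```shell
#!/usr/bin/env bash
# Added example, not Hypatia's workflow_audit rule and not code from the
# standards repo. Classifies the ref in a `uses:` value and counts the ones
# not pinned to a full commit SHA, which is what the "pin_sha" action asks for.
# All sample workflow text and SHAs below are constructed placeholders.

# Ref classes: sha (40 hex, immutable), tag (vN or vN.N.N, mutable: a tag can
# be moved), mutable (branch name, short hash, anything else), none (no @ref).
classify_uses_ref() {   # $1 = a `uses:` value such as owner/repo@main
  local ref
  case "$1" in
    *@*) ref=${1##*@} ;;
    *)   echo none; return ;;
  esac
  if   [[ $ref =~ ^[0-9a-f]{40}$ ]];       then echo sha
  elif [[ $ref =~ ^v[0-9]+(\.[0-9]+)*$ ]]; then echo tag
  else                                         echo mutable
  fi
}

# Pull every `uses:` value out of workflow text, one per line, comments dropped.
list_uses() {   # $1 = workflow text
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p'
}

# Count `uses:` refs that are not a 40-hex SHA. Local actions (./path) and
# docker:// images are skipped: the former have no ref, the latter pin by digest.
count_unpinned() {   # $1 = workflow text; echoes the count
  local n=0 val
  while IFS= read -r val; do
    [ -n "$val" ] || continue
    case "$val" in ./*|docker://*) continue ;; esac
    [ "$(classify_uses_ref "$val")" = sha ] || n=$((n + 1))
  done <<< "$(list_uses "$1")"
  echo "$n"
}

# Before: the shape the two findings above complain about.
SAMPLE_BEFORE='jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
'

# After: pinned to a full SHA (placeholder values), with the tag or branch the
# hash stands for kept as a trailing comment for humans and update bots.
SAMPLE_AFTER='jobs:
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@0000000000000000000000000000000000000000 # was @main
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
'

for v in $(list_uses "$SAMPLE_BEFORE"); do
  printf '%-8s %s\n' "$(classify_uses_ref "$v")" "$v"
done
echo "unpinned before: $(count_unpinned "$SAMPLE_BEFORE")"   # 2
echo "unpinned after:  $(count_unpinned "$SAMPLE_AFTER")"    # 0
```

Reusable workflows referenced as `owner/repo/.github/workflows/x.yml@ref` accept a commit SHA in the same way actions do. Pinning trades away exactly the property the second commit values, one `uses:` line inheriting every update, unless something bumps the pin, so in practice a SHA pin is paired with Dependabot or Renovate keeping it current; the `# v4` / `# was @main` comment is what those tools and reviewers read to see what the hash stands for. A tag is only a little better than a branch here, since a tag can be moved to a different commit.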
