fix(baseline): repair main + estate-policy sweep (unblocks #41) #42
Open
hyperpolymath wants to merge 3 commits into
Hypatia found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
🔍 Hypatia Security Scan
Findings: 135 issues detected
[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "No test directory or test files found",
"type": "no_tests",
"file": "/home/runner/work/absolute-zero/absolute-zero",
"action": "flag",
"rule_module": "honest_completion",
"severity": "high",
"deduction": 20
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "jekyll-gh-pages.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/configure-pages@v6 needs attention",
"type": "unpinned_action",
"file": "jekyll-gh-pages.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/jekyll-build-pages@v1 needs attention",
"type": "unpinned_action",
"file": "jekyll-gh-pages.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/upload-pages-artifact@v5 needs attention",
"type": "unpinned_action",
"file": "jekyll-gh-pages.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/deploy-pages@v5 needs attention",
"type": "unpinned_action",
"file": "jekyll-gh-pages.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "language-policy.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit that referenced this pull request May 25, 2026
…ekyll)

Three follow-up issues surfaced when #42's CI ran:

1. **cflite `PR (address)` failure** — `.clusterfuzzlite/build.sh` was `cp ./target/x86_64-unknown-linux-gnu/release/$target $OUT/`, but cargo-fuzz writes binaries to `fuzz/target/<triple>/release/<target>` (the fuzz crate's own target dir). The `./target/...` path was a vestige of an earlier layout where fuzz/ depended on the parent's `[lib]`, since removed. Updated the cp source path.

2. **`governance / Language / package anti-pattern policy`** — surfaced `examples/go/nop.go` as a banned-Go-file violation. The file is a per-language CNO reference (alongside `examples/c/`, `examples/clojure/`, `examples/javascript/nop.js`, ~30 langs total) — the Go-specific runtime characteristics ARE the point of the example. Added a `.hypatia-ignore` entry with that rationale. The repo language policy still bans new Go code; this is reference material.

3. **Jekyll workflow** — `.github/workflows/jekyll-gh-pages.yml` tripped `Workflow Security Linter` (5 unpinned actions) and is estate-banned anyway (Jekyll is being replaced by casket-ssg estate-wide). Deleted the workflow entirely. If/when this repo wants a docs site, add a casket-ssg build/deploy workflow modelled on `hyperpolymath/casket-ssg/.github/workflows/pages.yml`.

Note on the Hypatia code-scanning check failure (22 errors / 10 warnings): every alert resolves against files I'm deleting in this PR (rescript-deno-ci.yml, jekyll-gh-pages.yml) or against pre-existing issues on main (examples/ada/balanced_ops.adb has `ada_pragma_suppress`, src/abi/Proofs/DivMod.idr has structural_drift warnings). The PR doesn't add new alerts; it just causes Hypatia to re-scan files in the diff scope. These should clear after merge as main shrinks past the removed files. Out of scope here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 130 issues detected
[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "No test directory or test files found",
"type": "no_tests",
"file": "/home/runner/work/absolute-zero/absolute-zero",
"action": "flag",
"rule_module": "honest_completion",
"severity": "high",
"deduction": 20
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "language-policy.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action Swatinem/rust-cache@v2 needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/checkout@v6.0.2 needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action codecov/codecov-action@v6 needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath pushed a commit that referenced this pull request May 26, 2026
Per .gitignore line 27 comment 'Keep for binaries' — this is a [[bin]] crate (main.rs), so Cargo.lock pins dependency versions for reproducible builds. Not pushed: this commit sits alongside 5 other local commits on claude/upbeat-mendel-lBO9G, all held back pending PR #42 merging into main so the rebase + estate-policy adaptation can land in one clean sweep.
hyperpolymath pushed a commit that referenced this pull request May 26, 2026
Records all commits, branches, Idris2 bootstrap recipe, rebase recipe for post-PR-#42 adaptation, open audit items, and safe-to-close criteria for container-reclaim safety. https://claude.ai/code/session_01MC3HDKEwGgcRwCuUuRmEeP
Five failing checks on PR #41 — and the same baseline rot on `main` since 2026-05-22 — were the same five problems with five distinct root causes. Each fixed at source:

1. `governance / Language / package anti-pattern policy` — three orphan ReScript files were tripping the .res ban:
   - src/AuditTrail.res (52 LOC, no callers)
   - examples/SafeDOMExample.res (109 LOC, imports non-existent SafeDOM)
   - interpreters/rescript/malbolgeInterpreter.res (256 LOC, sole file under interpreters/)

   None compiled (no rescript.json / bsconfig.json) and none were imported by any Rust / Idris / Deno code. Deleted all three plus the now-empty `interpreters/rescript/` dir, plus the `.github/workflows/rescript-deno-ci.yml` workflow they fed.

2. `build` (×2) — both `build` failures came from the deleted rescript-deno-ci.yml (`deno lint --config deno.json` → "No target files found" because lint.include lists `mod.ts` which doesn't exist). Removing the workflow removes the check.

3. `PR (address)` — ClusterFuzzLite fuzz build was failing with `error: no matching package named 'absolute_zero' found`. fuzz/Cargo.toml declared `[dependencies.absolute_zero] path = ".."` but the parent crate has no `[lib]` target — only src/main.rs. The fuzz target (fuzz_targets/fuzz_input.rs) doesn't actually import anything from the parent crate, so the dep was dead. Removed the dead `[dependencies.absolute_zero]` block.

4. `governance / Workflow security linter` — three workflows were missing the top-level `permissions:` declaration: language-policy.yml, rescript-deno-ci.yml (deleted), and rust-ci.yml. Added `permissions: contents: read` to language-policy.yml and rust-ci.yml.

5. `Cargo.toml` had `license = "MIT"`. Bumped to `license = "MPL-2.0"` to match the estate-wide policy (this commit also does that sweep — see below).

## Estate-policy sweep (per user instruction this session)

- **PMPL-1.0 / PMPL-1.0-or-later → MPL-2.0** across 67 files. PMPL isn't a real SPDX identifier and the Palimpsest-MPL framing is retired. README's License badge updated to match (Shields.io URL was still `License-PMPL_1.0-blue.svg`).
- **MPL-2.0-or-later → MPL-2.0** across 18 files (also not a valid SPDX form — MPL-2.0 has no "-or-later" variant).
- `.claude/CLAUDE.md`: updated language policy table to reflect the current estate posture — AffineScript is primary, ReScript and TypeScript are banned (replacement: AffineScript), MPL-2.0 is the only allowed license. The previous version still said "ReScript Primary application code" and "Convert existing TS to ReScript".

## Foundational follow-up (NOT in this PR)

Same gap as r-g-t-v#89: `main` branch protection on absolute-zero has no `required_status_checks` block. Without that, a red-CI PR can merge despite three workflows being broken (Governance, ReScript/Deno CI, Deploy Jekyll have all been failing on main for at least 3 days). Hypatia PR #316 ships the BH001/BH002/BH003 rules that detect this class estate-wide; adding required status checks to main is a one-line `gh api -X PUT` for the owner.

## Test plan

- `cargo build --release` — passes locally
- `cd fuzz && cargo check` — passes (was the cflite failure mode)
- All three deleted files had zero in-repo references (verified via `grep -rln`)
- No PMPL-1.0 / MPL-2.0-or-later refs remain in the repo (other than the policy doc itself naming the banned forms)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Build artifacts from a local `cargo check` got included in the previous commit because `.gitignore` only excluded `/target/` (root), not subdirectory `target/` dirs. Removed the 173 stray files and added `**/target/` so this can't recur for fuzz/, vendored crates, or any other Rust subdir. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4cc97cb to 6efcc2b
Summary

Five failing checks on PR #41 (and three on `main` since 2026-05-22) were five distinct root causes. Each fixed at source:

- `governance / Language / package anti-pattern policy`: `.res` files (no callers, no rescript.json); `interpreters/rescript/` dir
- `build` (×2): `deno lint --config deno.json` → "No target files found" (lint.include lists non-existent `mod.ts`); `rescript-deno-ci.yml` workflow
- `PR (address)` (ClusterFuzzLite): `fuzz/Cargo.toml` declares `[dependencies.absolute_zero]` but parent has no `[lib]` target
- `governance / Workflow security linter`: `permissions:`; `permissions: contents: read` to `language-policy.yml` + `rust-ci.yml` (3rd was the deleted rescript-deno-ci.yml)
- `Cargo.toml` `license = "MIT"`; `MPL-2.0`

Estate-policy sweep (per this session's instructions)

- … `-or-later` variant).
- `.claude/CLAUDE.md` language policy table updated: AffineScript is now primary; ReScript and TypeScript are banned (replacement: AffineScript); MPL-2.0 is the only allowed license. Previous version still said "ReScript Primary application code" and "Convert existing TS to ReScript".

What's NOT in this PR (deliberately)

- `examples/javascript/nop.js` is kept. It's one of 30+ per-language CNO reference implementations (alongside `examples/ada/`, `examples/c/`, `examples/cobol/`, etc.). The whole point is JS-specific runtime behavior; migrating to AffineScript would lose the language comparison.
- `license/PMPL-1.0.txt` (the old license file) is kept. Removing it would be larger doc cleanup than this PR's scope.
- … r-g-t-v#89. No `required_status_checks` block, so red-CI merges are possible. Owner-level `gh api -X PUT` change. Flagged separately; Hypatia PR #316 (BH001) detects this estate-wide.

Test plan

- `cargo build --release` (root crate) — passes
- `cd fuzz && cargo check` — passes (was the cflite failure mode)
- `.res` files had zero in-repo references (`grep -rln`)
- … `PMPL-1.0` / `MPL-2.0-or-later` refs remain (other than the policy doc itself naming the banned forms)

🤖 Generated with Claude Code
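The two workflow checks that recur in this thread, `unpinned_action` findings and a missing top-level `permissions:` block, can be reproduced with a short text scan. This is an added example, not Hypatia's implementation or code from this repository; `audit_workflow`, the `missing_permissions` label, and both sample workflows are assumptions constructed for illustration.

```python
import re

# Only a full 40-hex commit SHA counts as pinned; tags and branches can move.
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level "- uses:" and job-level "uses:" (reusable workflows).
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
# Top-level key only: the match must start in column 0.
TOP_PERMS = re.compile(r"^permissions:", re.MULTILINE)

def audit_workflow(name, text):
    """Return a list of finding dicts for one workflow file's text."""
    findings = []
    if not TOP_PERMS.search(text):
        # "missing_permissions" is a label made up for this example.
        findings.append({"file": name, "type": "missing_permissions"})
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, ref = target.partition("@")
        if not SHA_REF.match(ref):
            findings.append({"file": name, "type": "unpinned_action",
                             "line": lineno, "action": action, "ref": ref})
    return findings

# Constructed sample: refs shaped like the ones in the scan output above.
BEFORE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: Swatinem/rust-cache@v2
  governance:
    uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
"""

# Constructed sample: the SHA is a placeholder, not a real commit.
AFTER = """\
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6.0.2
"""

if __name__ == "__main__":
    for finding in audit_workflow("rust-ci.yml", BEFORE) + audit_workflow("rust-ci.yml", AFTER):
        print(finding)
```

A branch ref such as `@main` on a reusable workflow is caught by the same rule as a version tag, which matches the scan rating the `governance-reusable.yml@main` reference higher than the tagged actions.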