ci: pin just@1.34.0 in build-gossamer-gui — Tooling Version Integrity (cf. burble#39)#270
hyperpolymath wants to merge 1 commit into
Conversation
Unversioned `tool: just` resolves via taiki-e/install-action's bundled manifest, which can ship an old just (<1.19.0). The Justfile uses `import? "contractile.just"` (just >= 1.19.0), so an old just dies with `error: Unknown start of token` and the build silently breaks — the exact root cause of the dead Elixir gate in burble#39, here armed in another repo. Estate Tooling Version Integrity policy: never install a rhyming-family tool unversioned. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…sson (#94)

## Why

For months a burble Elixir test gate was bolted open on the belief the suite was failing. It never ran: CI installed an unpinned `just` (1.14.0), the Justfile used `import?` (needs ≥1.19.0), so `just` died at parse time. A runner-layer crash misdiagnosed as inner-layer test failure, frozen by a `continue-on-error` on a wrong root cause. This PR makes that class of failure structurally impossible estate-wide.

## What

- **`TOOLING-VERSION-INTEGRITY-POLICY.adoc`** — 5 rules + post-mortem: pin family tools; declare the min-version floor in-file; gates prove execution not exit-0; every soft-gate explained (dated suppression *or* `by-design:`); resolve at source.
- **`tasks/tooling-integrity-lint.sh`** — R0 `just ≥ 1.19.0` floor (blocking when `just` present — the execution-proof check an in-file guard structurally *cannot* do, since `import?` fails at parse time), R1 unversioned family-tool install (blocking), R4 unexplained `continue-on-error` (**advisory-first** per the estate's own gating doctrine, `--strict` to enforce). Self-tested against standards/burble/hypatia.
- **`contractiles/must/Mustfile`** — canonical dependency-free `tooling-version-integrity` check; propagates to every repo adopting the canonical `must` contract.
- **`Mustfile`** — this repo dogfoods the full lint.
- **`Justfile`** — Rule-2 floor annotation.

## Rollout context

P1+P2 of a full rollout. P0 (live armed instance) shipped: hyperpolymath/hypatia#270. Remaining: propagate the pinned-install snippet through canonical CI templates + estate re-adoption sweep (tracked separately). The `contractile` generator repo is out-of-band — `contractiles/` source edited here; regen/propagation tracked in the sweep issue.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: hyperpolymath <hyperpolymath@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan

Findings: 13 issues detected

```json
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "missing_workflow",
    "file": "mirror.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/hypatia/hypatia/src/abi/RuleEngine.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/hypatia/hypatia/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (22 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "as_ptr exposes raw pointer that may dangle or alias unsafely (10 occurrences, CWE-676)",
    "type": "as_ptr",
    "file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/hypatia/hypatia/adapters/src/codeberg.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (1 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/hypatia/hypatia/adapters/src/radicle.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]
```

Powered by Hypatia Neurosymbolic CI/CD Intelligence
…guage checks (#120)

## Root cause

The shared `governance-reusable.yml` `Language / package anti-pattern policy` job enforces the TypeScript ban with a full exemption mechanism, but the **ReScript / Go / Python** checks were crude `find` one-liners with **no escape**. They ignored the estate's declared machine-readable exemption — `.hypatia-ignore` rule `cicd_rules/banned_language_file` and the inline `# hypatia:ignore … cicd_rules/banned_language_file` pragma — even though the Hypatia scanner itself honours it. Per the **Explicit-Escape Principle** (Refs standards#72): re-emergence of a banned default despite a declared, tool-honoured escape is a *tooling defect*, not a policy violation.

## Symptom this fixes

`hyperpolymath/hypatia#270` (a 1-line CI pin) and transitively **#271** are `BLOCKED` because two intentionally-exempted criterion bench scripts (`scripts/check-bench-regression.py`, `scripts/update-bench-baselines.py` — carrying the inline pragma, listed in `.hypatia-ignore`, documented in `.hypatia-exemptions.md`, used by `tests.yml`) trip this shared gate. The defect is estate-wide; fixing it here resolves every consumer of the shared bundle.

## Change

Replaces the three crude checks with a single exemption-aware step. A file is exempt from `cicd_rules/banned_language_file` iff it is listed in `.hypatia-ignore` for that rule **or** carries the inline pragma in its first 8 lines.

## Verification (dry-run, `bash -eo pipefail`)

- Only-exempt files present → **PASS** (the #270/#271 case)
- A non-exempt `.py` added → **FAIL** (enforcement preserved)
- Clean repo, zero banned files → **PASS** (no `grep -v`/pipefail false-fail; the old behaviour was preserved via `|| true`)

Refs standards#72

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
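The exemption-aware gate that the linked standards#120 body describes, as an added example in POSIX sh; this is not the actual `governance-reusable.yml` step. It assumes things the page does not state: that `.hypatia-ignore` holds one `<rule> <path>` entry per line, that the banned extensions are `.py`, `.go` and `.res` (ReScript), and that the inline pragma is any line in a file's first 8 lines containing `hypatia:ignore` followed by the rule name. The fixture repo (`make_fixture`) is constructed for the example and mirrors the two exempted bench scripts; the three verification cases in the body (only-exempt files, a non-exempt `.py`, a clean repo) are what the gate is written to satisfy without any `|| true`.

```shell
#!/bin/sh
# Added example, not the governance-reusable.yml step itself: an
# exemption-aware gate for cicd_rules/banned_language_file, written so that a
# repo with zero banned files passes without `|| true` and a non-exempt file
# still fails. Assumptions not stated on the page: .hypatia-ignore holds one
# "<rule> <path>" entry per line; banned extensions are .py/.go/.res; the
# pragma is "hypatia:ignore ... <rule>" within a file's first 8 lines.

RULE="cicd_rules/banned_language_file"

# listed_in_ignore ROOT PATH: exit 0 if ROOT/.hypatia-ignore carries the exact
# entry "<rule> <path>" (-x whole line, -F literal, so dots are not wildcards).
listed_in_ignore() {
    [ -f "$1/.hypatia-ignore" ] && grep -qxF "$RULE $2" "$1/.hypatia-ignore"
}

# has_pragma ROOT PATH: exit 0 if the pragma appears in the file's first 8 lines.
has_pragma() {
    head -n 8 "$1/$2" | grep -q "hypatia:ignore.*$RULE"
}

# is_exempt ROOT PATH: either escape mechanism suffices.
is_exempt() {
    listed_in_ignore "$1" "$2" || has_pragma "$1" "$2"
}

# banned_files ROOT: repo-relative paths of every file with a banned extension,
# sorted for stable output. Prints nothing and exits 0 on a clean repo.
banned_files() {
    find "$1" -type f \( -name '*.py' -o -name '*.go' -o -name '*.res' \) \
        | sed "s#^$1/##" | sort
}

# banned_gate ROOT: report each non-exempt banned file; exit 1 if any, else 0.
# An empty banned_files result just runs the loop body zero times, so no
# pipeline stage has to "fail" on a clean repo (the pipefail trap the old
# `... | grep -v ... || true` idiom papered over).
banned_gate() {
    rc=0
    for rel in $(banned_files "$1"); do      # fixture paths contain no spaces
        if is_exempt "$1" "$rel"; then
            echo "exempt: $rel"
        else
            echo "FAIL: banned language file not exempt: $rel"
            rc=1
        fi
    done
    return "$rc"
}

# make_fixture: constructed repo mirroring the #270/#271 case: two Python bench
# scripts, one exempted via .hypatia-ignore, the other via the inline pragma.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/scripts"
    printf '%s\n' "$RULE scripts/check-bench-regression.py" > "$d/.hypatia-ignore"
    printf '%s\n' '#!/usr/bin/env python3' 'print("check")' \
        > "$d/scripts/check-bench-regression.py"
    printf '%s\n' '#!/usr/bin/env python3' \
        "# hypatia:ignore bench tooling, see .hypatia-exemptions.md -- $RULE" \
        'print("update")' > "$d/scripts/update-bench-baselines.py"
    printf '%s' "$d"
}

# Stand-alone use: ./banned-gate.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    banned_gate "$1"
fi
```

Run as a CI step, `banned_gate "$GITHUB_WORKSPACE"` is the whole job body; its exit status is the gate, and the `exempt:` lines in the log make every escape visible rather than silent.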
Folds in hypatia#270's one-line pin so this Python-eradication branch satisfies the Security policy check (R1 unversioned family-tool). Subsumes #270. cf. burble#39. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Why

The org Python ban is now **total, with no exceptions** (no SaltStack-style carve-outs). This removes every Python site in hypatia and replaces each with a faithful, verified **Rust** port. Also unblocks the `governance / Language / package anti-pattern policy → Check for Python (non-SaltStack)` gate that was failing **unrelated** PRs (e.g. #270, a pure `just` version pin) as inherited baseline rot — not per-PR defects.

## What

| Was (Python) | Now (Rust) |
|---|---|
| `scripts/check-bench-regression.py` | `scripts/bench-tools` → `check-bench-regression` |
| `scripts/update-bench-baselines.py` | `scripts/bench-tools` → `update-bench-baselines` |
| inline `python3`+`jsonschema` in `build-gossamer-gui.yml` | `scripts/ci-tools` → `validate-panll-harness` (TOML → JSON-Schema Draft 2020-12) |
| inline `python3` in `ci.yml` | `scripts/ci-tools` → `check-k9iser-paths` |

- `bench-tools` is zero-dependency (was authored on the #272 lineage; **vendored here so this PR is self-contained** and order-independent).
- `build-gossamer-gui.yml` loses its `pip install jsonschema` step entirely.
- Callers rewired: `tests.yml` (×2), `build-gossamer-gui.yml`, `ci.yml`, benchmarks README.
- Exemptions **revoked** (no exceptions): `.hypatia-ignore` block, `.hypatia-exemptions.md` rows, `.hypatia-baseline.json` entries.

## Verification

- All 4 Rust bins build clean (cargo 1.95.0).
- `check-k9iser-paths`: real `k9iser.toml` → `OK … 5 source(s), 3 constraint(s)`, exit 0.
- `validate-panll-harness`: real `panll.harness.toml` vs the **live** panll-harness/v2 schema → `OK …`, exit 0.
- Tracked `.py` files: **2 → 0**.

## Follow-up (separate, standards-level)

The governance rule itself should stop honouring `banned_language_file` exemptions now the ban is total — likely an estate-wide standards change, out of scope here.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Subsumed by #279 (merged 2026-05-19). The one-line
Pull request was closed
Superseding (no re-open). Verified 2026-05-19: the exact fix proposed here — pin Forward enforcement is provided by the R0 just-floor blocking gate added to Closure outcome: superseded. No re-open needed. Closes the corresponding criterion on hyperpolymath/standards#95. Refs hyperpolymath/standards#95, hyperpolymath/standards#94, burble#39.
## What

`build-gossamer-gui.yml` installed `tool: just` unversioned via `taiki-e/install-action`. That action's bundled manifest can ship an old `just` (e.g. 1.14.0). `hypatia/Justfile:10` uses `import? "contractile.just"` — an optional-import feature requiring just ≥ 1.19.0. An old `just` dies at parse time (`error: Unknown start of token`) before any recipe runs, silently breaking the build.

This is the exact root cause of the long-misdiagnosed dead Elixir test gate in burble#39 (fixed there by pinning `just@1.34.0`), here found armed in another repo by an estate-wide sweep.

## Fix

Pin `tool: just@1.34.0` (≥ 1.19.0, supports `import?`) with an explanatory comment referencing the estate Tooling Version Integrity policy.

## Context

P0 of a full rollout institutionalising this lesson (policy doc in `standards`, `must` check, lint rule, canonical-template propagation). Immediate stop-the-bleeding fix for the only live armed instance found.

🤖 Generated with Claude Code
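The R0 and R1 checks from the linked standards#94 body, applied to the failure mode this PR's description lays out (an unpinned `tool: just` resolving to a `just` too old for `import?`), as an added example in POSIX sh. It is not the estate's `tasks/tooling-integrity-lint.sh`. The before/after workflow snippets (`workflow_before`, `workflow_after`) and the version strings are constructed for the example; the real lint scopes R1 to the estate's tool family, which this page does not enumerate, so here every unpinned tool is reported. `just --version` printing `just <version>` is the only external fact relied on.

```shell
#!/bin/sh
# Added example, not the estate's tasks/tooling-integrity-lint.sh: the two
# checks described in this thread, in plain POSIX sh.
#   R0  the `just` on PATH must meet the floor `import?` needs (>= 1.19.0);
#       an older just fails at parse time, so no in-Justfile guard can catch it.
#   R1  no `tool:` line handed to taiki-e/install-action may name a tool
#       without an @version.
# Workflow snippets and version strings below are constructed for the example.

JUST_FLOOR="1.19.0"

# version_ge A B: exit 0 if dotted version A >= B (up to three numeric
# components), else 1. Done by hand so it does not need GNU `sort -V`.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i")
        b=$(printf '%s' "$2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# just_floor_ok "<just --version output>": R0 on a captured version line such
# as "just 1.34.0"; the version is the last whitespace-separated token.
just_floor_ok() {
    v=${1##* }
    version_ge "$v" "$JUST_FLOOR"
}

# r0_check: R0 against the just on PATH. Blocking when just is present,
# skipped when absent, matching the lint's "blocking when just present".
r0_check() {
    if ! command -v just >/dev/null 2>&1; then
        echo "R0: just not on PATH, skipped"
        return 0
    fi
    line=$(just --version)
    if just_floor_ok "$line"; then
        echo "R0: ok ($line >= $JUST_FLOOR)"
    else
        echo "R0: FAIL: $line is below the import? floor $JUST_FLOOR"
        return 1
    fi
}

# unpinned_tools: read workflow YAML on stdin and print every tool named on a
# `tool:` line that has no @version. install-action accepts a comma list
# ("tool: just@1.34.0,cargo-hack"), so each entry is judged on its own.
unpinned_tools() {
    sed -n 's/^[[:space:]]*tool:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | while IFS= read -r tool; do
            case "$tool" in
                '' | *@*) ;;                    # blank, or already pinned
                *) printf '%s\n' "$tool" ;;
            esac
        done
}

# r1_check FILE...: R1 over workflow files; exit 1 if anything is unpinned.
r1_check() {
    rc=0
    for wf in "$@"; do
        for t in $(unpinned_tools < "$wf"); do
            echo "R1: FAIL: $wf installs '$t' unversioned (pin as $t@<version>)"
            rc=1
        done
    done
    return "$rc"
}

# Constructed before/after forms of the install step this PR changes.
workflow_before() {
    printf '%s\n' \
        '      - uses: taiki-e/install-action@v2' \
        '        with:' \
        '          tool: just'
}
workflow_after() {
    printf '%s\n' \
        '      - uses: taiki-e/install-action@v2' \
        '        with:' \
        '          # Tooling Version Integrity: Justfile uses import? (just >= 1.19.0)' \
        '          tool: just@1.34.0'
}

# Stand-alone use: ./tooling-lint.sh .github/workflows/*.yml
if [ "$#" -gt 0 ]; then
    r0_check; r0=$?
    r1_check "$@"; r1=$?
    [ "$r0" -eq 0 ] && [ "$r1" -eq 0 ]
    exit $?
fi
```

R0 has to run on the installed binary rather than inside the Justfile because, as the standards#94 body notes, `import?` is rejected by the parser before any recipe (including a would-be version guard) executes; R1 is the static complement that stops an unpinned install from reaching the runner in the first place.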