fix: non-megaport baseline sweep (corrective + adaptive + perfective)#112
Merged
Conversation
🔍 Hypatia Security ScanFindings: 113 issues detected
View findings[
{
"reason": "Action tions/checkout@v6\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action olnay/rust-toolchain@stable\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action tions/checkout@v6\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action olnay/rust-toolchain@stable\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action atinem/rust-cache@v2\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action tions/checkout@v6\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action olnay/rust-toolchain@stable\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action atinem/rust-cache@v2\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action tions/checkout@v6\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action stsec/audit-check@v2.0.0\n needs attention",
"type": "unpinned_action",
"file": "rust-ci.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
Goal: establish a known-green baseline for everything OUTSIDE the
ReScript→AffineScript megaport, so any future regression during the
megaport is unambiguously attributable to the megaport itself.
## Corrective (broken surfaces)
- `.github/workflows/build-validation.yml`: was `cd idaptik-escape-hatch
&& zig build` against a separate-git-repo SPARK Ada directory with no
build.zig — never could have worked. Redirect to the actual Zig
surfaces in this repo (`ffi/zig/`, `idaptik-ums/ffi/zig/`, `vm/wasm/`),
all three of which now `zig build test` cleanly under Zig 0.15.2.
- `.github/workflows/fuzz.yml`: was `cd tests/fuzz && zig build fuzz`
but tests/fuzz/ has no build.zig — use `zig test --fuzz` directly on
the two harness files.
- `audits/assail-classifications.a2ml`: was S-expression syntax; the
validator (dogfood-gate) wants TOML with top-level `[metadata]` plus
required identity field (`project`, `agent-id`, or `name`) and
`schema_version`. Converted to TOML with `[[classification]]` array
tables, preserving all 12 entries verbatim.
- `Zig 0.14 → 0.15 adaptive`: `ffi/zig/build.zig` was using removed
`b.addStaticLibrary` — switch to `b.addLibrary(.{.linkage = .static,
.root_module = b.createModule(...)})`. `ffi/zig/src/idaptik_ffi.zig`
was using uppercase `callconv(.C)` — switch to lowercase `.c` (the
ums FFI already uses this; consistency restored).
## Workflow security (governance linter)
- `build-validation.yml` + `fuzz.yml`: SHA-pin `actions/checkout@v6` →
`de0fac2e4500dabe0009e67214ff5f5447ce83dd` and `mlugg/setup-zig@v2` →
`d1434d08867e3ee9daa34448df10607b98908d29`. SHAs verified via GitHub
refs API and already in use elsewhere in `.github/workflows/`.
## Perfective (warnings + lint)
- `idaptik-developers/src/escape-hatch/src/app.rs`: Rust 1.95 clippy
flagged a `collapsible_if` in extract_test_count. Collapsed using
let-chains (`if let Ok(n) = ... && (line.contains("pass") ||
line.contains("test"))`).
- `src/app/screens/training/TrainingMenuScreen.res`: ReScript warning 27
flagged unused `engine` binding in pointertap handler. Prefixed to
`_engine` (the value is genuinely unused — navigateTo doesn't need
it).
- `.machine_readable/anchors/ANCHOR.a2ml`: validator emitted warning
about missing SPDX header in first 10 lines. Added AGPL-3.0-or-later
+ copyright lines.
## Untouched (out of scope)
- `idaptik-escape-hatch/` (the directory at idaptik tree-root): is its
own separate `hyperpolymath/idaptik-escape-hatch.git` clone with its
own MPL-2.0 license; SPARK Ada content, not Rust or Zig. The renamed
build-validation workflow no longer pretends this is a Zig build site.
- Idris2 `idaptik-ums.ipkg` build: not in CI; local-only TTC version
mismatch with `base` is a developer-environment matter, not a code
defect.
- Scorecards supply-chain workflow startup_failure: estate-wide pattern
per `feedback_estate_rust_ci_reusable_zero_jobs_universal.md`-class
pre-existing red; out of scope for this sweep.
## Baseline matrix (post-sweep, local)
| Surface | Status |
|---|---|
| ffi/zig (top-level) | ✅ zig build test exit 0 |
| idaptik-ums/ffi/zig | ✅ zig build test exit 0 |
| vm/wasm | ✅ zig build → 636 KiB idaptik-vm.wasm |
| sync-server (Elixir) | ✅ 106 tests, 0 failures |
| idaptik-developers/src/escape-hatch | ✅ cargo build/test/clippy clean |
| ReScript res:build | ✅ 485 modules, 0 warnings |
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
hyperpolymath
force-pushed
the
fix/non-megaport-baseline-sweep
branch
from
19dcca2 to
3abdfef
Compare
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build-validation.yml",
"type": "missing_timeout_minutes",
"file": "build-validation.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite-pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite-pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dco.yml",
"type": "missing_timeout_minutes",
"file": "dco.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
rustfmt formatting fixes only — no behaviour change.
- `src/app.rs`: wrap long `Some("...")` arguments across multiple lines
per rustfmt max_width.
- `src/ui.rs`: align trailing comments + method-chain layout per rustfmt.
These long lines were pre-existing in HEAD; rust-ci was previously red on
main (estate-wide rust-ci-reusable@cc5a372 zero-jobs pattern) so the
rustfmt job never actually ran. Now that this PR re-arms rust-ci with
SHA-pinned actions + a proper working-directory, rustfmt runs and needs
the formatting cleaned up.
Cleared locally: cargo fmt --check passes, cargo clippy + cargo test
still pass.
Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build-validation.yml",
"type": "missing_timeout_minutes",
"file": "build-validation.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite-pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite-pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dco.yml",
"type": "missing_timeout_minutes",
"file": "dco.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
Fold-in cleanup that turns the remaining two non-required reds on PR #112 into intentional, tracked signals. ## Playwright @playwright/test dependency (closes the E2E `ERR_MODULE_NOT_FOUND`) The `tools/compat-testing/playwright.config.js` imports `@playwright/test` but the package was never declared anywhere in the repo: - root `deno.json` `imports` listed every other npm dep (rescript, vite, pixi, etc.) — but not @playwright/test - root `package.json` `devDependencies` likewise omitted it So when CI ran `deno install --node-modules-dir=auto` it didn't fetch the package, and `npx playwright test` then crashed with `ERR_MODULE_NOT_FOUND` (broken since the workflow was introduced in commit 853b1d6, 2026-05-02). Fix: declare it in both places per the repo's existing convention. ## .hypatia-baseline.json (intentional migration-debt marker) Adopts the canonical estate exemption format (preferred over legacy `.hypatia-ignore`) per `hyperpolymath/standards/docs/EXEMPTION-MECHANISMS.adoc`. Flags the three banned-language file globs as tracked migration debt: - `**/*.res` — ReScript source, ~1,760 files - `**/*.res.mjs` — in-source ReScript-compiled output sibling - `dlc/**/*.ts` — DLC TypeScript packs Each entry carries `tracking_issue: #84` (the tech-debt parent) and `expires_at: 2027-06-01` so drift detection will re-surface the entry if the megaport hasn't cleared it by then. Cross-refs in the `note` field: - standards#252 (estate umbrella for ReScript→AffineScript) - standards#279 (STEP 8: idaptik batched conversion) - standards#254 (TypeScript→AffineScript companion campaign) - affinescript#57 (migration assistant) - affinescript#160/#161/#162 (Http/Json/Dict upstream blockers) - affinescript#59 (effect-row Async/IO/Throws) This converts `governance / Language / package anti-pattern policy` from "red because debt is unannounced" to "green because debt is declared with an owner-set clearance date." The signal is preserved — drift detection will re-flag it as `expires_at` approaches if the megaport is not yet complete. ## Both changes - Adaptive: catch up to estate-canonical exemption format - Corrective: a dep that was never declared Cross-verified the governance reusable workflow at `hyperpolymath/standards@861b5e9` honours `.hypatia-baseline.json` with the format above (sibling repos verisimdb, affinescript, ephapax, burble already use this mechanism for the same migration-target pattern). Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build-validation.yml",
"type": "missing_timeout_minutes",
"file": "build-validation.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite-pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite-pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dco.yml",
"type": "missing_timeout_minutes",
"file": "dco.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
…policy The governance anti-pattern policy was still failing after the .res / .res.mjs / dlc/**/*.ts exemptions because of one residual hit: dlc/idaptik-dlc-reversible/robot-repo-bot/_modules/robot_repo.py This is a SaltStack execution module living inside the `dlc/idaptik-dlc-reversible` git submodule (origin git@gitlab.com:hyperpolymath/idaptik-dlc-reversible.git). The estate-wide Python ban removed the SaltStack carveout on 2026-01-03 per the standards governance reusable's error message: ❌ Python files detected — Python is fully banned — use AffineScript/Rust/SPARK/Julia (SaltStack carveout removed 2026-01-03) The file is on the submodule's branch, not in idaptik directly. The fundamental fix path lives in the submodule repo: rewrite robot-repo-bot's Salt modules in shell/Just/Rust, then bump the gitlink pointer in this repo. Until that work lands in the submodule, this exemption acknowledges the cross-repo ownership boundary so idaptik's own CI isn't blocked by a third-party file. Tracking is by submodule-anchor (not an idaptik issue number) because the work belongs entirely to the submodule's lifecycle. `expires_at` set to 2026-12-01 — six-month horizon to force the conversation if the submodule maintainer hasn't acted. Cross-refs: - hyperpolymath/standards governance-reusable.yml@861b5e9 — emits the "SaltStack carveout removed" diagnostic - estate memory `feedback_python_saltstack_absolute_no_questions` — Python ban is absolute, never re-ask Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
3 tasks
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build-validation.yml",
"type": "missing_timeout_minutes",
"file": "build-validation.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite-pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite-pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dco.yml",
"type": "missing_timeout_minutes",
"file": "dco.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
After the .hypatia-baseline.json fixes the Python exemption matched (log shows `✅ No non-exempt Python files`), the SAME governance job advanced to its next check and tripped on: ❌ rescript.json detected - use AffineScript config instead The banned_config_file rule in hyperpolymath/standards@861b5e9/governance-reusable.yml (line 423) only honours the legacy `.hypatia-ignore` flat-file format — it does NOT consult `.hypatia-baseline.json`. So config-file exemptions need a separate file even though file-language exemptions live in the JSON baseline. Created `.hypatia-ignore` with the canonical line: cicd_rules/banned_config_file:rescript.json Cross-refs: - Tracked by #84 (tech-debt parent — clears when the root src/ tree migrates to .affine and AffineScript replaces rescript as the build coordinator). - Standards source: governance-reusable.yml line 451 hardcodes the three configs it checks (tsconfig.json, rescript.json, bsconfig.json). Only rescript.json exists at idaptik root; the other two don't apply. - Same exemption pattern in use at verisimdb, affinescript, burble per the earlier subagent survey. Sibling guard: the `.hypatia-ignore` and `.hypatia-baseline.json` mechanisms cover orthogonal rule families — keep both files until the standards repo finishes migrating banned_config_file into the JSON baseline format too. Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in build-validation.yml",
"type": "missing_timeout_minutes",
"file": "build-validation.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cflite-pr.yml",
"type": "missing_timeout_minutes",
"file": "cflite-pr.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in containers.yml",
"type": "missing_timeout_minutes",
"file": "containers.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dco.yml",
"type": "missing_timeout_minutes",
"file": "dco.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "missing_timeout_minutes",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced Jun 1, 2026
hyperpolymath
added a commit
that referenced
this pull request
Jun 1, 2026
…tion, changelog (#117) ## Summary A multi-subagent audit of idaptik's human-readable and machine-readable documentation against the actual repo state on 2026-06-01 surfaced several stale counts, broken paths, and missing classifications. This PR brings the canonical docs back in sync. ## Human-readable corrections | File | What was wrong | Now | |---|---|---| | `README.adoc` | "Idris2 (15 modules)" + "Zig (12 exports)" | "17 in `idaptik-ums/src/abi/` + 1 in `src/abi/Types.idr`" + "11 source files, 12 C-ABI exports" | | `EXPLAINME.adoc` | Same counts; root `src/abi/Types.idr` undocumented in the file map | Same corrections + file-map entry for the root main-game ABI module | | `PROOF-NEEDS.md` | Path `src/abi/*.idr` was right for one file, missed the 17 UMS modules entirely; no layer classification | Full L1/L2/L3/L4 classification + echo-types verdict recorded | | `PANIC-ATTACK-ANALYSIS-SUMMARY.md` | Looked authoritative but dated 2026-03-20, well before the 2026-05-26 panic-attack re-scan + the PR #115 cleanup | Marked as historical baseline pending re-run after PR #115 lands | ## Machine-readable corrections `0-AI-MANIFEST.a2ml`: | Key | Was | Now | Reason | |---|---|---|---| | `dev-port` | `8080` | `1984` | Matches `vite.config.js` `server.port: 1984, strictPort: true`. Playwright config also corrected in PR #114 to align with this. | | `escape-hatch` (canonical-location) | `escape-hatch/` | `idaptik-developers/src/escape-hatch/` | The top-level path was a phantom — escape-hatch only lives under `idaptik-developers/src/`. Confirmed via repo tree walk. | | `modding-studio` | `Tauri 2 (idaptik-ums)` | `Gossamer (idaptik-ums) — Ephapax-based webview shell; replaced Tauri` | Matches `.machine_readable/6a2/STATE.a2ml` line 13 which already recorded the Tauri → Gossamer pivot. | | Tier-0 ref to `.claude/CLAUDE.md` | Listed in `[context-tiers]` | Removed | File does not exist in the repo (404 from gh api). | ## Provenance `CHANGELOG.md` had no entry for any 2026-04, 2026-05, or 2026-06 work — last entry was 2026-03-14. Backfilled the 2026-06-01 block covering PR #112 (baseline sweep), PR #114 (Playwright fundamental fix), PR #115 (Track C security cleanup), issue #116 (idaptik-ums .res corruption), and the echo-types audit. Future sessions inherit this as the seam. ## Echo-types audit Per the 2026-06-01 owner directive "every proof in ephapax (and any sibling repo with an echo-types link) must first audit `hyperpolymath/echo-types`, reuse if applicable… L1/L4-only obligations audit-and-record-as-not-relevant": - 17 Idris2 modules in `idaptik-ums/src/abi/` + 1 root `src/abi/Types.idr` + ProvenBridge.idr's dependency on `proven` — all classified - 17 modules L1 (region-local validation, entity placement, IP-reference integrity, level-data invariants); 1 module L4 (`Multiplayer.idr` — asymmetric co-op via enums + records, no temporal echo claims); zero L3 - Zero hits for "echo"/"Echo" in idaptik codebase; zero echo-types links in the `proven` dependency surface idaptik uses - **Verdict: RECORD-AS-NOT-RELEVANT** — recorded in PROOF-NEEDS.md so future sessions don't re-derive the audit ## Subagent reports backing this PR - `a22e2f5` — docs truthfulness audit (14 files surveyed) - `aa58c61` — idaptik-ums `.res` corruption sweep (10/11 corrupt; filed as #116) - `af5fac9` — cross-estate idaptik reference audit (3 stale refs identified) - `a0b4a4e` — echo-types layer classification (per-module verdict above) ## No risk to LIVE This PR only touches documentation files. No code, no CI workflow, no `rescript.json`/`deno.json`/`vite.config.js`. Builds and tests are not affected. ## Test plan - [x] All 6 files committed are GPG-signed + DCO-signed-off - [x] `git diff` confirms only doc files modified - [ ] No required-check regression (all 16 required-on-main checks should pass — only doc changes) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Jun 1, 2026
## Summary Addresses the 23 Critical/High panic-attack findings tracked at #99. Mix of one real refactor, four intentional-use classifications, and an ExcessivePermissions tighten + doc cleanup. | Category | Count | Disposition | |---|---:|---| | `HardcodedSecret` | 12 | Already classified `game-content-fixture` in `assail-classifications.a2ml` from PR #112's S-expr→TOML conversion — re-verified, no additions needed | | `UnsafeDeserialization` | 7 | 1 real refactor (`BalanceAnalyserModel.res` → `SafeJson.parse`) + 3 source-level classifications (canonical wrapper, benchmark fixture, build mirror) — remaining lib/ mirrors auto-regenerate | | `DynamicCodeExecution` | 2 | Both classified `compiled-output` (Vite-emitted SPA bootstrap + web-worker bundle) — content-hashed filenames will need refreshing on rotation | | `ExcessivePermissions` | 1 | Tightened `Justfile` recipes + `run.js` header to a scoped permission set; one `documentation-mention-only` classification covers the residual --allow-all warning text | ## The one real refactor `src/app/screens/BalanceAnalyserModel.res:217` was raw `JSON.parseExn(jsonStr)->JSON.Classify.classify` — a malformed balance report file would throw into the host (escape-hatch / PanLL panel). Now wrapped in `SafeJson.parse` (returns `Result<JSON.t, ProvenError.provenError>`); the `Error(_)` arm degrades cleanly to `empty`. `deno task res:build` still compiles 0 errors after the change. ## ExcessivePermissions tighten `Justfile`: ```diff - deno run --allow-all run.js + deno run --allow-read=. --allow-env --allow-run=deno,git,which,xdg-open,open,start --allow-net=127.0.0.1 run.js ``` Per-API audit (now captured inline in `run.js` header): - `--allow-read=.` — `Deno.readTextFile` + `Deno.stat` on tree-relative paths (node_modules, lib/bs, dist) - `--allow-env` — `Deno.env.get(...)` for WAYLAND_DISPLAY/DISPLAY + `Deno.env.toObject()` to propagate env into spawned `deno task dev` / `deno task dev:all`. Narrowing this requires rewriting the child-env passthrough to a whitelist — tracked as follow-up. - `--allow-run=deno,git,which,xdg-open,open,start` — `Deno.Command` spawns of `deno`, `git`, `which`, + platform browser openers - `--allow-net=127.0.0.1` — `Deno.listen({port})` port-probing for Vite port + fallbacks (loopback only) ## Out-of-scope follow-ups (called out in commit body) - Refresh `main-game/dist/assets/` exact-hash classifications on each release rebuild, OR gitignore `main-game/dist/` and regenerate per CI - Narrow `--allow-env` by rewriting `Deno.env.toObject()` passthrough to an explicit whitelist ## Closes closes #99 ## Test plan - [x] `deno task res:build` exit 0 after the SafeJson refactor (3 modules compiled, 0 errors) - [ ] `panic-attack assail` re-run shows 0 Critical / 0 High in idaptik (post-merge) - [ ] `just run` and `just run-full` smoke-test launch the game with the tightened permissions - [ ] No regression in the 16 required-on-main checks 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Goal: establish a known-green baseline for everything OUTSIDE the ReScript→AffineScript megaport, so any future regression during the megaport is unambiguously attributable to the megaport (or a pre-existing red), not to the surrounding non-megaport infrastructure.
What changed (8 files)
Corrective — surfaces that were broken-by-design
.github/workflows/build-validation.yml— wascd idaptik-escape-hatch && zig buildagainst the in-treeidaptik-escape-hatch/directory, which is its own separatehyperpolymath/idaptik-escape-hatch.gitclone containing SPARK Ada (spark/input_parser.ads), not Zig. Redirected to the actual three Zig surfaces in this repo:ffi/zig/,idaptik-ums/ffi/zig/, andvm/wasm/..github/workflows/fuzz.yml— wascd tests/fuzz && zig build fuzz, buttests/fuzz/contains only two.zigharness files with nobuild.zig. Usezig test --fuzzdirectly on the harnesses.audits/assail-classifications.a2ml— was S-expression syntax; the validator (dogfood-gate) needs TOML with top-level[metadata]+ a required identity field +schema_version. Converted to TOML[[classification]]array tables, all 12 entries preserved verbatim.ffi/zig/build.zig+ffi/zig/src/idaptik_ffi.zig— adaptive Zig 0.14 → 0.15 fix:b.addStaticLibrarywas removed, switch tob.addLibrary(.{ .linkage = .static, .root_module = b.createModule(...) }).callconv(.C)→callconv(.c)(lowercase) to match the rest of the estate (ums FFI already uses lowercase).Governance — workflow security linter
build-validation.yml+fuzz.yml— SHA-pinnedactions/checkout@v6→de0fac2e4500dabe0009e67214ff5f5447ce83ddandmlugg/setup-zig@v2→d1434d08867e3ee9daa34448df10607b98908d29. SHAs were verified via GitHub refs API and already appear elsewhere in.github/workflows/.Perfective — warnings + lint
idaptik-developers/src/escape-hatch/src/app.rs— Rust 1.95 clippycollapsible_ifcollapsed via let-chains inextract_test_count.src/app/screens/training/TrainingMenuScreen.res— ReScript warning 27 (unused binding) suppressed byengine→_engine..machine_readable/anchors/ANCHOR.a2ml— validator warned on missing SPDX header in first 10 lines; added AGPL-3.0-or-later.Out of scope
idaptik-escape-hatch/(the directory) — separate vendored repo with its own MPL-2.0 LICENSE + SPARK content. The reworkedbuild-validation.ymlno longer pretends this is a Zig site.idaptik-ums.ipkgbuild — not in CI; local-only TTC mismatch (asdf-installed Idris2 0.8.0 vs installedbaselibrary binaries), developer-environment matter.startup_failure— estate-wide pre-existing pattern.Baseline matrix (post-sweep, local)
ffi/zig(top-level)zig build testexit 0idaptik-ums/ffi/zigzig build testexit 0vm/wasmzig build→ 636 KiBidaptik-vm.wasmsync-server(Elixir)idaptik-developers/src/escape-hatch(Rust)cargo build/test/clippy -D warningscleanres:buildTest plan
Build Validationworkflow flips from red → green on CIGovernanceworkflow flips from red → green on CI (no unpinned actions)Dogfood Gateflips from red → green on CI (a2ml validator accepts new TOML)Testsworkflow stays greenCodeQL,Secret Scanner,Hypatia,OpenSSF Scorecard Enforcerstay greenScorecards supply-chain securityremains a pre-existingstartup_failure(out of scope)🤖 Generated with Claude Code