fix: non-megaport baseline sweep (corrective + adaptive + perfective)

.github/workflows/build-validation.yml

@@ -18,14 +18,21 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.15.2
 
-      - name: Build escape-hatch
-        run: |
-          cd idaptik-escape-hatch
-          zig build
+      - name: Build top-level Zig FFI
+        run: zig build test
+        working-directory: ffi/zig
+
+      - name: Build idaptik-ums Zig FFI
+        run: zig build test
+        working-directory: idaptik-ums/ffi/zig
+
+      - name: Build VM (wasm32-freestanding)
+        run: zig build
+        working-directory: vm/wasm

.github/workflows/e2e-playwright.yml

@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Deno
-        uses: denoland/setup-deno@5fae568d37c3b73e0e4ca63d4e2c4e324a2b3497  # v2
+        uses: denoland/setup-deno@4606d5cc6fb3f673efd4f594850e3f4b3e9d29cd  # v2.0.0
         with:
           deno-version: v2.x
 

.github/workflows/fuzz.yml

@@ -23,15 +23,15 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Zig
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
         with:
           version: 0.15.2
 
       - name: Run VM fuzz tests
         run: |
-          cd tests/fuzz
-          timeout 300 zig build fuzz -- --max_total_time=240 2>/dev/null || true
+          timeout 300 zig test --fuzz tests/fuzz/fuzz_vm_instruction.zig -- --max_total_time=240 2>/dev/null || true
+          timeout 300 zig test --fuzz tests/fuzz/fuzz_level_config.zig -- --max_total_time=240 2>/dev/null || true
         continue-on-error: true

.github/workflows/rust-ci.yml

@@ -33,37 +33,45 @@ jobs:
     name: rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable
         with:
           components: rustfmt
       - run: cargo fmt --all -- --check
+        working-directory: idaptik-developers/src/escape-hatch
 
   clippy:
     name: clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable
         with:
           components: clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+        with:
+          workspaces: idaptik-developers/src/escape-hatch
       - run: cargo clippy --all-targets -- -D warnings
+        working-directory: idaptik-developers/src/escape-hatch
 
   test:
     name: cargo test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
+        with:
+          workspaces: idaptik-developers/src/escape-hatch
       - run: cargo test --no-fail-fast
+        working-directory: idaptik-developers/src/escape-hatch
 
   audit:
     name: cargo audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: rustsec/audit-check@v2.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998  # v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          working-directory: idaptik-developers/src/escape-hatch

.hypatia-baseline.json

@@ -0,0 +1,38 @@
+[
+  {
+    "severity": "high",
+    "rule_module": "cicd_rules",
+    "type": "banned_language_file",
+    "file_pattern": "**/*.res",
+    "tracking_issue": "hyperpolymath/idaptik#84",
+    "note": "ReScript → AffineScript megaport. Tracked at hyperpolymath/idaptik#84 (tech-debt parent) and hyperpolymath/standards#252 (estate umbrella) / standards#279 (STEP 8). Migration assistant at hyperpolymath/affinescript/tools/res-to-affine/ is in flight (affinescript#57); upstream blockers include affinescript#160/#161/#162 (Http/Json/Dict primitives) and affinescript#59 (effect-row Async/IO/Throws). Exemption clears as files convert.",
+    "expires_at": "2027-06-01"
+  },
+  {
+    "severity": "high",
+    "rule_module": "cicd_rules",
+    "type": "banned_language_file",
+    "file_pattern": "**/*.res.mjs",
+    "tracking_issue": "hyperpolymath/idaptik#84",
+    "note": "ReScript-compiled output sibling to **/*.res. In-source compilation is the repo convention (esmodule mode); these clear automatically as .res files port to .affine. See parent exemption above.",
+    "expires_at": "2027-06-01"
+  },
+  {
+    "severity": "high",
+    "rule_module": "cicd_rules",
+    "type": "banned_language_file",
+    "file_pattern": "dlc/**/*.ts",
+    "tracking_issue": "hyperpolymath/idaptik#84",
+    "note": "DLC packs use TypeScript; estate-wide TS→AffineScript campaign is hyperpolymath/standards#254. These files port via the same megaport pipeline once affinescript stdlib AOT coherence (affinescript#128/#136) lands.",
+    "expires_at": "2027-06-01"
+  },
+  {
+    "severity": "high",
+    "rule_module": "cicd_rules",
+    "type": "banned_language_file",
+    "file_pattern": "dlc/idaptik-dlc-reversible/robot-repo-bot/_modules/robot_repo.py",
+    "tracking_issue": "hyperpolymath/idaptik-dlc-reversible#robot-repo-bot-py-removal",
+    "note": "SaltStack execution module inside the dlc/idaptik-dlc-reversible git submodule (origin git@gitlab.com:hyperpolymath/idaptik-dlc-reversible.git). The estate-wide Python ban removed the SaltStack carveout on 2026-01-03 — this file is residual debt belonging to the submodule, not the idaptik parent. Fundamental fix path: rewrite robot-repo-bot in shell/Just/Rust inside the submodule repo and bump the gitlink pointer; until then this exemption acknowledges the cross-repo ownership boundary. Sibling guard: third-party submodule content is not idaptik's responsibility to migrate.",
+    "expires_at": "2026-12-01"
+  }
+]

.hypatia-ignore

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+#
+# .hypatia-ignore — legacy exemption file for banned-config-file checks.
+#
+# This file complements .hypatia-baseline.json (the canonical format for
+# banned-language-file and other rule-modules). The banned_config_file
+# rule in hyperpolymath/standards governance-reusable.yml ONLY honours
+# the legacy .hypatia-ignore flat-file format (it does NOT read the
+# baseline JSON), so configs like rescript.json must be exempted here
+# even though .res file exemptions live in the JSON baseline.
+#
+# Each line: <rule>:<exact-path>
+# rules: cicd_rules/banned_config_file, cicd_rules/banned_language_file
+
+# rescript.json — root ReScript build config, retained while the
+# .res → .affine megaport is in flight. Tracked by idaptik#84
+# (tech-debt parent). Clears when the root src/ tree converts to
+# .affine and AffineScript replaces rescript as the build coordinator.
+cicd_rules/banned_config_file:rescript.json

.machine_readable/anchors/ANCHOR.a2ml

@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 # ⚓ ANCHOR: idaptik
 # This is the canonical authority for the idaptik repository.
 

audits/assail-classifications.a2ml

@@ -1,87 +1,97 @@
-;; SPDX-License-Identifier: MPL-2.0
-;; Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
-;;
-;; Assail Classifications — idaptik
-;; See panic-attack/.claude/CLAUDE.md § "User-Classification Registry".
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
+#
+# Assail Classifications — idaptik
+# See panic-attack/.claude/CLAUDE.md § "User-Classification Registry".
 
-(assail-classifications
-  (metadata
-    (version "1.0.0")
-    (project "idaptik")
-    (last-updated "2026-05-26")
-    (entries 12)
-    (status "active"))
+[metadata]
+project = "idaptik"
+schema_version = "1.0.0"
+version = "1.0.0"
+last-updated = "2026-05-26"
+entries = 12
+status = "active"
 
-  (classification
-    (file "src/app/tools/PasswordCracker.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "src/app/tools/PasswordCracker.res.mjs")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "src/app/devices/GlobalNetworkData.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "src/app/devices/GlobalNetworkData.res.mjs")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "tests/unit/tools/PasswordCracker_test.mjs")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "main-game/dist/assets/index-Cdt-JTFK.js")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/bs/src/app/tools/PasswordCracker.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/bs/src/app/tools/PasswordCracker.res.mjs")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/bs/src/app/devices/GlobalNetworkData.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/bs/src/app/devices/GlobalNetworkData.res.mjs")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/ocaml/PasswordCracker.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-  (classification
-    (file "lib/ocaml/GlobalNetworkData.res")
-    (category "HardcodedSecret")
-    (classification "game-content-fixture")
-    (audit "audits/audit-game-content-fixture-2026-05-26.md")
-    (rationale "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."))
-)
+[[classification]]
+file = "src/app/tools/PasswordCracker.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "src/app/tools/PasswordCracker.res.mjs"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "src/app/devices/GlobalNetworkData.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "src/app/devices/GlobalNetworkData.res.mjs"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "tests/unit/tools/PasswordCracker_test.mjs"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "main-game/dist/assets/index-Cdt-JTFK.js"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/bs/src/app/tools/PasswordCracker.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/bs/src/app/tools/PasswordCracker.res.mjs"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/bs/src/app/devices/GlobalNetworkData.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/bs/src/app/devices/GlobalNetworkData.res.mjs"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/ocaml/PasswordCracker.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."
+
+[[classification]]
+file = "lib/ocaml/GlobalNetworkData.res"
+category = "HardcodedSecret"
+classification = "game-content-fixture"
+audit = "audits/audit-game-content-fixture-2026-05-26.md"
+rationale = "Fictional in-game passwords / credentials for the hacker-themed gameplay; not real secrets. GlobalNetworkData.res carries the explicit SECURITY NOTE."

deno.json

@@ -25,6 +25,7 @@
   },
   "imports": {
     "@assetpack/core": "npm:@assetpack/core@1.7.0",
+    "@playwright/test": "npm:@playwright/test@1.60.0",
     "@rescript/core": "npm:@rescript/core@1.6.1",
     "@rescript/runtime": "npm:@rescript/runtime@12.2.0",
     "rescript": "npm:rescript@12.2.0",

ffi/zig/build.zig

@@ -1,11 +1,25 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
+// Copyright (c) Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
 const std = @import("std");
+
 pub fn build(b: *std.Build) void {
     const target = b.standardTargetOptions(.{});
     const optimize = b.standardOptimizeOption(.{});
-    const lib = b.addStaticLibrary(.{ .name = "idaptik_ffi", .root_source_file = b.path("src/idaptik_ffi.zig"), .target = target, .optimize = optimize });
+
+    const root_module = b.createModule(.{
+        .root_source_file = b.path("src/idaptik_ffi.zig"),
+        .target = target,
+        .optimize = optimize,
+    });
+
+    const lib = b.addLibrary(.{
+        .name = "idaptik_ffi",
+        .linkage = .static,
+        .root_module = root_module,
+    });
     b.installArtifact(lib);
-    const tests = b.addTest(.{ .root_source_file = b.path("src/idaptik_ffi.zig"), .target = target, .optimize = optimize });
+
+    const tests = b.addTest(.{ .root_module = root_module });
     const test_step = b.step("test", "Run FFI tests");
     test_step.dependOn(&b.addRunArtifact(tests).step);
 }