Merge branch 'main' into fix/clippy-baseline-rot

hyperpolymath · web-flow · commit e3b626f5f98b · 2026-05-26T09:33:59.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 name: CodeQL Security Analysis
 
 on:
@@ -30,7 +30,11 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: javascript-typescript
+          # Repo is pure Rust; CodeQL does not support Rust as a target.
+          # We analyse `actions` (GitHub Actions workflow files) so the
+          # SAST capability still adds value — workflow files are a real
+          # supply-chain surface for this repo.
+          - language: actions
             build-mode: none
 
     steps:
diff --git a/.github/workflows/dogfood-gate.yml b/.github/workflows/dogfood-gate.yml
@@ -90,6 +90,19 @@ jobs:
         with:
           path: '.'
           strict: 'false'
+          # Preserves the action's default carve-outs and adds generated/ —
+          # k9iser output in generated/ uses a scaffold dialect that lacks
+          # the K9! magic + pedigree block the validator requires. Track the
+          # generator fix in the k9iser repo, not here.
+          paths-ignore: |
+            vendor/
+            vendored/
+            verified-container-spec/
+            .audittraining/
+            integration/fixtures/
+            test/fixtures/
+            tests/fixtures/
+            generated/
 
       - name: Write summary
         run: |
diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml
@@ -1,4 +1,4 @@
-# SPDX-License-Identifier: PMPL-1.0
+# SPDX-License-Identifier: MPL-2.0
 # Prevention workflow - scans for hardcoded secrets before they reach main
 name: Secret Scanner
 
@@ -67,9 +67,17 @@ jobs:
             'password.*=.*"[^"]+"'
           )
 
+          # panic-attack is itself a static-analysis tool: src/assail/ and
+          # src/signatures/ contain the secret-detection regexes by design.
+          # Excluding them prevents the scanner from flagging its own pattern
+          # definitions (see hyperpolymath/hypatia#243 — the same fixture-vs-
+          # target carve-out the k9-validate-action documents).
+          EXCLUDE_RE='^src/(assail|signatures)/'
           found=0
           for pattern in "${PATTERNS[@]}"; do
-            if grep -rn --include="*.rs" -E "$pattern" src/; then
+            matches=$(grep -rn --include="*.rs" -E "$pattern" src/ | grep -vE "$EXCLUDE_RE" || true)
+            if [ -n "$matches" ]; then
+              echo "$matches"
               echo "WARNING: Potential hardcoded secret found matching: $pattern"
               found=1
             fi
diff --git a/docs/figures/generate_histogram.py b/docs/figures/generate_histogram.py
diff --git a/tests/e2e_tests.rs b/tests/e2e_tests.rs
@@ -116,35 +116,31 @@ fn e2e_scan_vulnerable_examples() {
 // ============================================================================
 
 /// E2E test: Scan single Python file
+///
+/// The fixture is written to a tempdir at test time so no `.py` source
+/// is committed to the tree — the estate-wide Python ban is governance-
+/// enforced (see .github/workflows/governance.yml), and a committed
+/// `.py` fixture would fail that gate even though its purpose here is
+/// to exercise Python-pattern detection.
 #[test]
 fn e2e_scan_python_file() {
-    let py_file = Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/fixtures/example.py");
-
-    // Create temp Python file if it doesn't exist
-    if !py_file.exists() {
-        use std::fs;
-        let _ = fs::create_dir_all(py_file.parent().unwrap_or(std::path::Path::new(".")));
-        let _ = fs::write(
-            &py_file,
-            r#"
-import pickle
-import subprocess
-
-def unsafe_deserialization(data):
-    return pickle.loads(data)  # Unsafe!
-
-def command_injection(user_input):
-    subprocess.call("echo " + user_input, shell=True)  # Unsafe!
-"#,
-        );
-    }
-
-    if py_file.exists() {
-        let report = assail::analyze(&py_file).expect("Python analysis should succeed");
-
-        assert_eq!(report.language, Language::Python);
-        // Should detect unsafe patterns in Python code
-    }
+    let tmp = tempfile::tempdir().expect("create tempdir");
+    let py_file = tmp.path().join("example.py");
+    std::fs::write(
+        &py_file,
+        "import pickle\n\
+         import subprocess\n\
+         \n\
+         def unsafe_deserialization(data):\n    \
+             return pickle.loads(data)  # Unsafe!\n\
+         \n\
+         def command_injection(user_input):\n    \
+             subprocess.call(\"echo \" + user_input, shell=True)  # Unsafe!\n",
+    )
+    .expect("write python fixture");
+
+    let report = assail::analyze(&py_file).expect("Python analysis should succeed");
+    assert_eq!(report.language, Language::Python);
 }
 
 // ============================================================================
diff --git a/tests/fixtures/example.py b/tests/fixtures/example.py
