fix: instantiate rsr-template placeholders left generic from scaffold (LICENSE/CoC/issue templates/SECURITY) #96
Merged
Five files retained rsr-template-repo placeholder text from when the
template was used to scaffold panic-attack. The estate is starting to
consume these files via dogfood checks / OpenSSF Scorecard / assail's
own self-scan, so generic placeholders surface as real audit findings.
LICENSE:
Body was GNU AGPL-3.0-or-later despite every other surface declaring
MPL-2.0 (Cargo.toml SPDX header, README.adoc badge, 0-AI-MANIFEST.a2ml,
LICENSES/MPL-2.0.txt present). Replaced with the MPL-2.0 text already
shipped under LICENSES/MPL-2.0.txt + the canonical SPDX prefix line.
No carve-out memory exists for panic-attack (unlike echidna's
intentional MPL-docs-over-AGPL-LICENSE split or idaptik's intentional
AGPL-throughout).
CODE_OF_CONDUCT.md:
- Stripped the TEMPLATE INSTRUCTIONS block (lines 3–21).
- Replaced `language-bridges` → `panic-attack` (pledge text + Questions
discussions URL).
- Filled `{{CONDUCT_EMAIL}}` → `j.d.a.jewell@open.ac.uk` (matches the
maintainer email already in SECURITY.md, Cargo.toml etc.).
- Filled `{{CONDUCT_TEAM}}` → `panic-attack maintainers`.
- Filled `{{RESPONSE_TIME}}` → `48 hours` (matches SECURITY.md SLA).
.github/ISSUE_TEMPLATE/bug_report.md:
Stock GitHub bootstrap template was prompting for iOS / browser /
smartphone metadata against a Rust CLI/library. Replaced with
Rust-domain fields: panic-attack version, rustc version, target source
language under scan, sub-command involved, relevant config files
(`.hypatia-ignore`, `.trusted-base-ignore`, audits a2ml).
.github/ISSUE_TEMPLATE/feature_request.md:
Stock GitHub template polished into a domain-specific shape: detector
/ sub-command / schema-version impact / hypatia-vs-panic-attack
layering / cross-repo wiring (hypatia#358 fact-source consumption etc).
.github/ISSUE_TEMPLATE/custom.md:
Empty stub with `about: Describe this issue template's purpose here.`
deleted — no panic-attack-specific use case justifies keeping it.
SECURITY.md:
Supported-versions table claimed 0.2.x supported, 0.1.x unsupported.
Actual Cargo.toml version is 2.5.0. Updated to 2.5.x supported,
< 2.5 unsupported.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 98 issues detected
View findings
[
{
"reason": "Action uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f5599 needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action es: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cargo-audit.yml",
"type": "missing_timeout_minutes",
"file": "cargo-audit.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in chapel-ci.yml",
"type": "missing_timeout_minutes",
"file": "chapel-ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in chapel-ci.yml",
"type": "missing_timeout_minutes",
"file": "chapel-ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in chapel-ci.yml",
"type": "missing_timeout_minutes",
"file": "chapel-ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
🔍 Hypatia Security Scan
Findings: 96 issues detected
hyperpolymath added a commit that referenced this pull request Jun 1, 2026
…98)
## Summary
- **CHANGELOG.md**: new `### Fixed (2026-06-01)` + `### Changed (2026-06-01)` entries for PRs #93/#94/#96/#97
- **A2ML manifests**: rename `panic-attacker` → `panic-attack` in identity-claim fields (STATE, META, ECOSYSTEM, CLADE, ANCHOR); historical references in CHANGELOG/audit/campaign records intentionally untouched
- **STATE.a2ml**: `last-updated` 2026-04-12 → 2026-06-01; new `[session-2026-06-01]` block; refreshed `[next-priorities]` against current ROADMAP.adoc
- **0-AI-MANIFEST.a2ml**: `README.md` → `README.adoc`, `ROADMAP.md` → `ROADMAP.adoc` (actual file extensions); added `(explainme "EXPLAINME.adoc")` entry
## Test plan
- [x] All edits are metadata only — no source/code/workflow files touched
- [x] A2ML files retain valid s-expression/TOML structure
- [x] Historical record left intact (CHANGELOG rename note line 300, audit reports, campaign docs)
Summary
Five files retained rsr-template-repo placeholder text from when the template was used to scaffold panic-attack. Estate dogfood checks / OpenSSF Scorecard / assail self-scan now consume these files, so the placeholders surface as real audit findings.
- LICENSE: LICENSES/MPL-2.0.txt all declaring MPL-2.0 LICENSES/MPL-2.0.txt + canonical SPDX-License-Identifier: prefix. No carve-out memory exists for panic-attack (unlike echidna's intentional MPL-docs-over-AGPL-LICENSE split or idaptik's intentional AGPL-throughout)
- CODE_OF_CONDUCT.md: language-bridges pledge text, broken Discussions URL, unfilled {{CONDUCT_EMAIL}} / {{CONDUCT_TEAM}} / {{RESPONSE_TIME}} j.d.a.jewell@open.ac.uk, panic-attack maintainers, 48 hours)
- .github/ISSUE_TEMPLATE/bug_report.md
- .github/ISSUE_TEMPLATE/feature_request.md
- .github/ISSUE_TEMPLATE/custom.md: about: Describe this issue template's purpose here.
- SECURITY.md
Test plan
{{PLACEHOLDER}} markers (verified via grep)
🤖 Generated with Claude Code
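
The pre-fix state this PR describes (unfilled `{{…}}` tokens, a leftover TEMPLATE INSTRUCTIONS block, a LICENSE body that contradicts the SPDX header in Cargo.toml) can be caught before an external scanner reports it. The check below is an added example, not code from the panic-attack repository; the file list, the licence fingerprint strings and the sample contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Unfilled scaffold tokens such as {{CONDUCT_EMAIL}}
PLACEHOLDER = re.compile(r"\{\{\s*[A-Z][A-Z0-9_]*\s*\}\}")
SPDX_HEADER = re.compile(r"SPDX-License-Identifier:\s*(\S+)")
# Opening words of a licence text -> SPDX id prefix (coarse; assumption)
FINGERPRINTS = {
    "mozilla public license version 2.0": "MPL-2.0",
    "gnu affero general public license": "AGPL-3.0",
}
# Hypothetical default file set; extend for your repository layout
COMMUNITY_FILES = ("Cargo.toml", "LICENSE", "SECURITY.md", "CODE_OF_CONDUCT.md")

def load(root, names=COMMUNITY_FILES):
    """Read the named files that exist under root into {name: text}."""
    root = Path(root)
    return {n: (root / n).read_text(encoding="utf-8", errors="replace")
            for n in names if (root / n).is_file()}

def find_placeholders(files):
    """Return sorted (file, line_no, marker) for every leftover scaffold marker."""
    hits = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            hits += [(name, no, m.group(0)) for m in PLACEHOLDER.finditer(line)]
            if "TEMPLATE INSTRUCTIONS" in line.upper():
                hits.append((name, no, "TEMPLATE INSTRUCTIONS"))
    return sorted(hits)

def license_mismatch(files):
    """Return (declared, detected) if the LICENSE body contradicts the SPDX
    header in Cargo.toml; None if they agree or either side is unknown."""
    declared = SPDX_HEADER.search(files.get("Cargo.toml", ""))
    head = files.get("LICENSE", "")[:400].lower()
    detected = next((i for mark, i in FINGERPRINTS.items() if mark in head), None)
    if declared is None or detected is None:
        return None
    return None if declared.group(1).startswith(detected) else (declared.group(1), detected)

# Constructed sample reproducing the pre-fix state the PR describes
SAMPLE = {
    "Cargo.toml": '# SPDX-License-Identifier: MPL-2.0\n[package]\nname = "panic-attack"\n',
    "LICENSE": "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007\n",
    "CODE_OF_CONDUCT.md": "Report to {{CONDUCT_EMAIL}} ({{CONDUCT_TEAM}}).\n"
                          "Response within {{RESPONSE_TIME}}.\n",
}

if __name__ == "__main__":
    print(find_placeholders(SAMPLE), license_mismatch(SAMPLE))
```

In CI, call `load(".")` on the checkout and fail the job when either function returns a finding; a `None` from `license_mismatch` also covers the "could not determine" case, so pair it with a check that both files exist.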