v0.1.3 — lint confidence honesty + approvals/ privacy default #3
Merged
…vacy default (v0.1.3)

drift:
- score_lint: switch to sys.executable -m ruff (PATH-resolution consistency with the other v0.1.2 scorers). Return (0.0, 0.0) unmeasured sentinel when ruff cannot be launched or its output is unparseable, instead of fabricating a 0.99/1.0 score.
- 4 new unit tests for the lint sentinel behavior.
- Re-seeded .mek/drift-baseline.json with the corrected lint score.

compliance:
- Scaffold compliance/.gitignore that ignores approvals/ by default — HITL records frequently contain names + infra details.
- /mek-compliance-audit now surfaces tracked files under approvals/ as a privacy warning; --strict fails the audit on any tracked approval.
- docs/compliance.md documents both the static-block (mek.toml gate=block) and conditional-block (project-local hook) hardening patterns.
- Updated docs/compliance.md to enumerate all 6 risky-op categories (was still listing 5 — drift since v0.1.2's repo_visibility_flip add).
- New integration test verifies the scaffold ships the .gitignore.

build:
- .markdownlint.json with MD024 siblings_only=true so Keep-a-Changelog '### Added' / '### Fixed' repetition across version sections stops firing lint warnings on every release.

All findings sourced from dogfood (lint asymmetry surfaced by Max running /mek-drift init on helix-context; approvals privacy concern flagged after the compliance subagent's verification pass).
Summary
Two dogfood findings shipped together.

Drift: honest lint confidence
Surfaced when Max ran /mek-drift init on helix-context and noticed lint_score reported confidence 1.0 while other dims correctly reported 0.0 for "didn't measure." Root cause: score_lint returned (0.99, 1.0) whenever ruff couldn't be launched, fabricating a high-confidence score from a regex-match fallthrough. Plus the invocation was bare "ruff" not sys.executable -m ruff — same PATH-resolution issue I fixed for the other scorers in v0.1.2.

Fix: return (0.0, 0.0) unmeasured sentinel when ruff didn't produce "All checks passed" or a "Found N error" line. sys.executable -m ruff for consistency. 4 new unit tests verify all the discriminator paths.

Compliance: approvals/ privacy default
HITL approval files frequently contain names, infrastructure details, and rationale you don't want in public git history — especially with repo_visibility_flip now flagged as risky.

- /mek-init now drops compliance/.gitignore that ignores approvals/ by default. Opt specific (redacted) approvals into tracking via !approvals/<file> negations.
- /mek-compliance-audit advisory warns on tracked approvals; --strict fails the audit.
- docs/compliance.md documents static-block (mek.toml > [compliance.gates] > repo_visibility_flip = "block") and conditional-block (project-local hook) hardening patterns.

Bonus
- .markdownlint.json with MD024 siblings_only=true so Keep-a-Changelog's repeated ### Added / ### Fixed headings stop firing lint warnings on every release.
- docs/compliance.md updated to list all 6 risky-op categories (was still listing 5 — drift since v0.1.2 added repo_visibility_flip).
- .mek/drift-baseline.json re-seeded with the corrected lint scorer behavior.

Local verification
pip install -e ".[dev]" ✓

Test plan
🤖 Generated with Claude Code
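
The sentinel behaviour described in the summary above, as an added example that is not code from this PR or the project. The function names, the (score, confidence) ordering and the 1/(1+N) score for a "Found N errors" line are assumptions; the sample outputs are constructed.

```python
import re
import subprocess
import sys

# (score, confidence) pair meaning "not measured", as described in the PR.
UNMEASURED = (0.0, 0.0)

# Ruff's summary line when violations exist, e.g. "Found 3 errors."
_FOUND = re.compile(r"^Found (\d+) errors?\b", re.MULTILINE)


def parse_ruff_output(stdout):
    """Map ruff's stdout to (score, confidence); unparseable text is unmeasured."""
    if "All checks passed" in stdout:
        return (1.0, 1.0)
    match = _FOUND.search(stdout)
    if match:
        errors = int(match.group(1))
        # Assumed scoring curve for this example; the PR does not state one.
        return (1.0 / (1.0 + errors), 1.0)
    # Neither discriminator matched: report no measurement, not a guess.
    return UNMEASURED


def run_lint_scorer(path=".", python=sys.executable, timeout=60):
    """Run ruff through the given interpreter so PATH lookup is not involved."""
    try:
        proc = subprocess.run(
            [python, "-m", "ruff", "check", path],
            capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return UNMEASURED  # ruff could not be launched at all
    return parse_ruff_output(proc.stdout)


# Constructed sample outputs for the three discriminator paths.
SAMPLES = {
    "clean": "All checks passed!\n",
    "dirty": "app.py:1:8: F401 `os` imported but unused\nFound 3 errors.\n",
    "missing": "",  # e.g. "No module named ruff" goes to stderr, stdout is empty
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_ruff_output(text))
```

A consumer of these pairs should treat confidence 0.0 as "no data" and exclude the dimension from any aggregate, rather than reading the 0.0 score as a failing lint result.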