Claude/coord fed phase1 identity#146
Merged
Merged
Conversation
…P-23 ADR-0016 Phase 1 starts here. Phase 1 is identity foundation only — ed25519 keypair material as types + the C-ABI contract documenting what the Zig adapter must expose. No transport, no signing, no federation invariant changes. * LocalCoord.Identity new module — Ed25519PublicKey / Ed25519PrivateKey / Ed25519Signature as Vect-indexed byte vectors, so key-material well-formedness (32B pubkey, 64B signature) is enforced by construction. PeerIdentity composes the existing PeerId with the pubkey; KnownPeer is the trust-list entry shape for known_peers.toml. Demo witnesses (zeroPubKey, zeroSig) document the size invariant and act as canaries — if either fails to compile, P-20 has been broken. * P-21 identityDoesNotEnableFederation — proves that adding identity material does NOT change SafeLocalCoord.coordFederationPolicy from LocalOnly. The negative proof from `localOnlyNotFederated` carries through structurally; Phase 1 must not unlock federation. * PROOF-SCHEDULE.adoc — adds P-20..P-23. P-20/P-21 ✅ done (this commit); P-22/P-23 marked for Phase 5. * ipkg — adds LocalCoord.Identity to the module list. C-ABI contract for the Zig adapter is documented as comments at the bottom of Identity.idr (mirrors the SafeLocalCoord.idr convention of typing without %foreign-importing the C functions — calls happen from Zig and from the bridge over HTTP, never from Idris). NOT verified locally — idris2 is not installed in this dev environment (devShell-only in flake.nix; no `nix` either). The file is syntactically conservative and uses only stdlib types (Vect/Bits8/Nat/replicate); a quick `idris2 --build` on a host with the devShell will catch any issue before the next phase.
ADR-0016 Phase 1.2. Realises the C-ABI contract documented in
LocalCoord.Identity:
boj_coord_identity_init(key_path) — generate-or-load seed,
persist at 0600
boj_coord_identity_get_pubkey(out, out_len) — 32B pubkey export
boj_coord_identity_load_known_peers(toml) — load trust list
boj_coord_identity_known_peer_count() — count of loaded peers
* coord_identity.zig new file alongside coord_durability.zig — keeps
the identity surface isolated from the main coord state machine.
Singleton process state guarded by a mutex; no allocator threading
needed for Phase 1's fixed-size known-peers array (cap = 64).
* std.crypto.sign.Ed25519.KeyPair.generateDeterministic for seed →
keypair derivation (Zig 0.15.x API). Honest error propagation on
the (essentially-impossible) IdentityElementError path.
* Minimal hand-rolled TOML-shaped parser for known_peers.toml — no
third-party dep, parses [[peer]] blocks with id/pubkey/host/port
fields. Unknown keys silently ignored (forward-compat). Missing
file is 0 entries, not an error, so the bus starts cleanly on
first run before any trust has been established.
* local_coord_ffi.zig adds `comptime { _ = @import("coord_identity.zig") }`
so the new pub-export-fn symbols are linked into the shared library
without a circular dependency or restructure of the main FFI file.
* Zig tests in-file (FFI roundtrip, hex decode positive/negative,
TOML single/multi-block, missing-field rejection, missing-file
load_known_peers). `zig build test` picks them up via the module
import; no build.zig change needed.
NOT compiled locally — zig is devShell-only in this dev environment
(no `nix` either). API choices kept conservative for Zig 0.15.x
(splitScalar over splitAny, .public_key.bytes field access over
.toBytes()). CI's e2e workflow installs Zig 0.15.1 and will catch any
mismatch.
…ation
ADR-0016 Phase 1.3. Lets a user export their peer's ed25519 public key
as 64 hex chars for manual entry into another peer's known_peers.toml
(SSH known_hosts model — no discovery, no PKI).
* Cargo.toml — ed25519-dalek = "2.2.0". No `rand` dep: seed generation
reads /dev/urandom directly (32 bytes), matching what the Zig adapter
does via std.crypto.random.bytes on Linux.
* Cli — `--print-pubkey` flag + `--key-path` / BOJ_COORD_KEY_PATH env.
Default path: $XDG_CACHE_HOME/coord-tui/peer.key, falling back to
~/.cache/coord-tui/peer.key.
* print_pubkey() reads-or-creates the seed file (mode 0600 enforced on
create), derives the public key via ed25519_dalek::SigningKey::
from_bytes(&seed).verifying_key(), prints the 64-char lowercase hex
on stdout, exits 0. Non-Unix platforms refuse cleanly rather than
writing a world-readable seed.
* The seed file format (32 raw bytes) IS the shared identity contract
between coord-tui and the Zig adapter — either may create it first,
the other will load the existing seed unchanged. This is the v1
bootstrap path: no IPC needed for the human-export use case, and
the adapter doesn't have to be running.
Verified locally:
cargo build → clean (only pre-existing dead-code warning, unrelated)
/tmp round-trip → first run generates+prints; second run reads same
seed and prints identical hex; file ends 32 bytes,
mode 0600.
bad-seed-length → error 'seed file is N bytes, expected 32', exit 1.
…ust unit tests ADR-0016 Phase 1.4 — close the loop on cross-implementation consistency. Both coord-tui (Rust + ed25519-dalek) and the Zig adapter (std.crypto.sign.Ed25519) now pin RFC 8032 §7.1 TEST 1: SEED: 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 PUBKEY: d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a If both tests pass, the two derivations match the spec and therefore each other — which is the consistency guarantee for the shared 32-byte seed-file format that is the Phase 1 identity contract. Rust side (coord-tui/src/main.rs #[cfg(test)]): * print_pubkey_matches_rfc8032_test1 — writes the RFC seed, reads it via print_pubkey, asserts the canonical pubkey hex. * print_pubkey_roundtrip_is_deterministic — same seed file produces the same pubkey on two reads. * print_pubkey_rejects_wrong_length_seed — error path. * fresh_seed_file_is_mode_0600 — Unix-only, asserts the create-path enforces 0600. All four pass locally (`cargo test`). Zig side (coord_identity.zig): * "RFC 8032 §7.1 TEST 1 — seed derives the canonical pubkey" — same vector, same shape, called through the C-ABI surface (boj_coord_identity_init + boj_coord_identity_get_pubkey).
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -0,0 +1,471 @@ | |||
| // SPDX-License-Identifier: MPL-2.0 | |||
🔍 Hypatia Security ScanFindings: 245 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🏁 path-claims benchCommit NumbersHost-dependent — compare deltas across commits, not absolute values. |
🔍 Hypatia Security ScanFindings: 245 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
…ypatia CWE-704) Replaces unsafe @ptrCast with std.mem.spanZ for C string to slice conversion. This resolves the GitHub Advanced Security Hypatia finding about unchecked pointer type conversion. - local_coord_ffi.zig: Use spanZ directly on C pointers - cartridge_shim.zig: Use spanZ in toolIs function and tests Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
🔍 Hypatia Security ScanFindings: 243 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
The previous CWE-704 fix in e72eae0 replaced @ptrCast with `std.mem.spanZ`, which was removed from Zig stdlib in 0.14 — under the 0.15.1 CI pin the Zig FFI tests will not even compile. The other site (`local_coord_ffi.zig:3291`) also used invalid syntax: if (json_args != null) |ja| std.mem.spanZ(ja) else "{}" [*c] pointers are null-checked with `== null`; the `|payload|` capture form is for optionals, not C-compat pointers. Switch to `std.mem.sliceTo(ptr, 0)`, which: * exists in Zig 0.15.x; * accepts `[*c]const u8` directly with no `@ptrCast`; * scans up to the first NUL and returns a `[]const u8`; * fully addresses the CWE-704 finding (no unchecked pointer type conversion remains in the modified call sites). Files: * cartridges/local-coord-mcp/ffi/cartridge_shim.zig — toolIs() * cartridges/local-coord-mcp/ffi/local_coord_ffi.zig — boj_cartridge_invoke() tool + args extraction. This unblocks the failing "Zig FFI Tests" check on PR #146 and lets the dependent "E2E — Full REST + MCP Bridge" and "Emit manifest + verify FFI" jobs run against a compilable library.
🔍 Hypatia Security ScanFindings: 245 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
The "no new TypeScript" rule in .claude/CLAUDE.md carries 6 approved exemptions — all MCP cartridge adapters that use the TS-native @anthropic/sdk (academic-workflow / bofig / ephapax / fireflag / hesiod / sanctify). The exemption table is canonical there with rationale, audit lineage (TS-elimination audit, 2026-05-02), and an unblock condition (AffineScript bindings to MCP). Until now that exemption only lived in CLAUDE.md; the Hypatia scanner kept flagging the 6 files as critical "banned_language_file" findings on every PR (18 critical → 12 critical after this). Mirror the exemption into .hypatia-ignore using the same rule + path format as the existing ReScript-migration entries, so policy and scanner agree. This is the existing-state allowlist; not adding new TS. Adding new entries to this file still requires explicit user approval and an unblock condition per the file's own header. Removes a real but noise-level barrier to merging PR #146.
🔍 Hypatia Security ScanFindings: 245 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
3 tasks
hyperpolymath
added a commit
that referenced
this pull request
May 24, 2026
…idges (#147) ## Summary Both `abi-drift` (verify) and `zig-test` (Zig FFI Tests) currently sweep every cartridge under `cartridges/*` and fail the PR check if any one of them fails. With ~66 cartridges in the abi-drift allowlist and ~73 in zig-test, a PR touching a single cartridge gets gated by unrelated breakage in others — e.g. browser-mcp and orchestrator-lsp-mcp Zig failures, container-mcp/git-mcp/queues-mcp/vordr-mcp ABI drift — that has been sitting on `main` for weeks. This PR constrains both per-cartridge loops on **pull_request events** to the intersection of: 1. the existing allowlist / discovery, and 2. cartridges with any file changed under `cartridges/<name>/**` in this PR's diff against `origin/<base_ref>`. **On `push: main` the full sweep is preserved**, so cross-cutting drift is still caught at trunk. This is purely a PR-time false-positive fix, not a relaxation of the gate. ## Why now Surfaced by the investigation in PR #146: that PR touches only `local-coord-mcp`, but was blocked by failures in 6+ cartridges it didn't change. The other gating workflows that scan all cartridges have the same pathology; this PR fixes the two that have clean per-cartridge loops. ## Changes - `.github/workflows/abi-drift.yml` — new "Restrict to cartridges changed in this PR" step; the verify loop reads the filtered set on PR, full allowlist on push. `fetch-depth: 0` added so the diff can resolve. - `.github/workflows/zig-test.yml` — new "Determine cartridges to test" step; both the FFI tests loop and the shared-library build loop read the in-scope set. Catalogue/readiness steps still run on every invocation — they test cross-cartridge plumbing. Empty changed-set on a PR (which the `paths:` filter shouldn't allow, but defensive) emits a `::notice::` and exits 0 instead of going red on nothing. ## Out of scope - `tests/aspect_tests.sh` (the "Aspect — Thread Safety + ABI Contract + SPDX" check) asserts **global** invariants across the whole tree, so a "changed-files" filter doesn't fit it cleanly. Best handled with a baseline-aware ratchet — separate PR. ## Test plan - [x] `python3 -c "import yaml; yaml.safe_load(...)"` both YAML files (clean) - [ ] This PR itself triggers `zig-test` (touches `.github/workflows/zig-test.yml` but no `cartridges/**`) — expect the "Determine cartridges to test" step to print an empty scope and the per-cartridge steps to no-op via the `::notice::` path - [ ] PR #146 (touches `cartridges/local-coord-mcp/**`) should, when rebased onto this once merged, run abi-drift and zig-test against only `local-coord-mcp` and skip the unrelated failing cartridges 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- _Generated by [Claude Code](https://claude.ai/code/session_018MBrAtPrwfgn2WG4BAerZW)_ --------- Co-authored-by: Claude <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 254 issues detected
View findings[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
RSR Quality Checklist
Required
just testor equivalent)just fmtor equivalent)unsafeblocks without// SAFETY:commentsbelieve_me,unsafeCoerce,Obj.magic,Admitted,sorry).envfiles includedAs Applicable
.machine_readable/STATE.a2mlupdated (if project state changed).machine_readable/ECOSYSTEM.a2mlupdated (if integrations changed).machine_readable/META.a2mlupdated (if architectural decisions changed)TOPOLOGY.mdupdated (if architecture changed)CHANGELOGor release notes updatedsrc/abi/andffi/zig/consistent)Testing
Screenshots