feat(rules): :nodejs_detected — add vscode-*, tree-sitter-*, Lake, Office, bindings carve-outs (standards#253)#405

Merged: hyperpolymath merged 1 commit into main from campaign-253/nodejs-detected-vscode-and-tree-sitter-carveouts on May 30, 2026

@hyperpolymath
Owner

Summary

STEP 3 of campaign #253 (npm → Deno estate migration). Carve-out gap-fix surfaced during the smallest-first batch.

Expands :nodejs_detected path_allow_prefixes to cover ~10 false-positive manifest classes:

  • vscode- substring — VSCode-* extension repos / subdirs not under /vscode/ segment
  • tree-sitter- substring — tree-sitter grammar npm-publish targets with node-gyp native binding (Class C)
  • /.lake/ — Lean4 vendored packages
  • /office-addin/ — Office.js add-in host-required toolchain
  • /bindings/javascript/, /bindings/typescript/ — consumer-facing estate exports

These are all legitimate non-migrate-able npm manifest cases. Adding them as carve-outs prevents incorrect migration PRs against e.g. vscode-k9, tree-sitter-a2ml, proven/bindings/typescript/.

Test plan

  • Hypatia rule-engine unit tests pass.
  • Re-scan against the estate produces zero flags for the named carve-out classes.
  • Truly migrate-able manifests (e.g. coq-jr/package.json, civic-connect/indieweb2-bastion/package.json) still flag — verified by current STEP-3 batch (~13 PRs filed against repos NOT in the new carve-out classes).

🤖 Generated with Claude Code

…fice, bindings carve-outs (standards#253)

Expands `:nodejs_detected` `path_allow_prefixes` to cover legitimate
manifest classes the 6-class baseline missed, surfaced during the
2026-05-30 STEP-3 batch:

- `vscode-` substring: VSCode-* extension repos / subdirs not under
  `/vscode/` segment (vscode-extension/, editors/vscode-007/, repo-root
  manifests vscode-a2ml, vscode-k9). Same VSCode host-required toolchain
  rationale; just a different path-segment shape than (1a).
- `tree-sitter-` substring: tree-sitter grammar npm-publish targets
  (tree-sitter-a2ml, tree-sitter-k9, editors/tree-sitter-ephapax,
  tree-sitter-affinescript). Class C consumer artifact — these ship via
  npm with `node-gyp` native binding so every tree-sitter consumer
  (Atom/Neovim/VSCode TextMate) links the addon.
- `/.lake/`: Lean4 vendored package directory, parallel to /deps/.
- `/office-addin/`: Office.js add-in host-required toolchain, parallel
  to VSCode extension carve-out (Office host loads .js from a Node-
  packaged manifest).
- `/bindings/javascript/`, `/bindings/typescript/`: consumer-facing
  estate exports (proven JS/TS bindings published to npm consumers),
  parallel to `/bindings/deno/` under `:typescript_detected`.

Closes ~10 false-positive flags on estate scan with no behaviour change
for the truly migrate-able npm consumers.

Refs: standards#253 STEP 3 (smallest-first batch).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 22:36
hyperpolymath added a commit to hyperpolymath/standards that referenced this pull request May 30, 2026
…ve-outs (standards#253) (#320)

## Summary

Mirrors hyperpolymath/hypatia#405 (expanded `:nodejs_detected`
carve-outs) into standards' two policy surfaces:

- `.claude/CLAUDE.md §npm Exemptions (Approved)` — adds 6 new rows
(vscode- substring, tree-sitter- substring, /.lake/, /office-addin/,
/bindings/javascript/, /bindings/typescript/).
- `rhodium-standard-repositories/.github/workflows/language-policy.yml`
— adds parallel grep filters to the NEW_NPM_LOCK block.

Closes the rule/policy gap surfaced during the standards#253 STEP 3
batch (root-level vscode-* and tree-sitter-* repos were flagged by the
previous narrower `/vscode/` segment match).

## Test plan

- [x] Documentation table mirrors hypatia rule exactly.
- [x] Bash `grep -vE` filters added for: vscode-, tree-sitter-,
/\.lake/, /office-addin/, /bindings/(javascript|typescript)/.
- [ ] Workflow run on a PR that adds e.g. `vscode-k9/package-lock.json`
→ does not flag (carve-out hit).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
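
The carve-out filtering described in this PR and in the mirrored commit above, as an added example that is not part of the commit or of either repository's code: a `grep -vE` filter built from the patterns named in the test plan, run over constructed lockfile paths. The function names, the leading-slash normalization and the sample paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: npm lockfile carve-out filter (not the project's workflow code).
# The patterns are the ones listed in the test plan; the rest is assumed.

# One ERE alternation covering the carve-out classes.
CARVE_OUTS='vscode-|tree-sitter-|/\.lake/|/office-addin/|/bindings/(javascript|typescript)/'

# flagged_lockfiles: read repo-relative paths on stdin and print the ones that
# are NOT carved out. Every path is given exactly one leading "/" before
# matching, so a segment pattern such as /\.lake/ also matches a directory at
# the repository root; the slash is stripped again on output.
flagged_lockfiles() {
  sed 's|^/*|/|' | grep -vE -e "$CARVE_OUTS" | sed 's|^/||' || true
}

# Constructed sample input. Directory names come from the PR text where it
# gives them; the last path is invented to show that an unanchored substring
# pattern (vscode-) exempts any path that merely contains it.
sample_paths() {
  cat <<'EOF'
coq-jr/package-lock.json
vscode-k9/package-lock.json
editors/tree-sitter-ephapax/package-lock.json
.lake/packages/demo/package-lock.json
proven/bindings/typescript/package-lock.json
proven-servers/bindings/rescript/package-lock.json
tools/office-addin/package-lock.json
services/my-vscode-telemetry/package-lock.json
EOF
}

# Prints the paths that would still be flagged.
sample_paths | flagged_lockfiles
```

Only `coq-jr/` and `proven-servers/bindings/rescript/` remain flagged with this pattern set; the constructed `my-vscode-telemetry` path is exempted because `vscode-` matches anywhere in the path.
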
@hyperpolymath hyperpolymath merged commit afabba4 into main May 30, 2026
14 of 31 checks passed
@hyperpolymath hyperpolymath deleted the campaign-253/nodejs-detected-vscode-and-tree-sitter-carveouts branch May 30, 2026 23:14
hyperpolymath added a commit that referenced this pull request May 30, 2026
…F018) (#407)

PR #404 added scorecard_wrapper_missing_job_permissions to cicd_rules.ex, but #403 had concurrently implemented the same #390 detection as WF018 in workflow_audit.ex. Removes the redundant cicd_rules copy (rule, facade delegate, test, changelog); WF018 remains the single implementation. The #362 cron rule and #405 nodejs carve-outs are untouched.

Verified locally (Elixir 1.14): zero-warning compile; format-isolation shows a pure deletion.

https://claude.ai/code/session_01J8oLNn6MjKDRRUF65e2jLf
hyperpolymath added a commit that referenced this pull request May 31, 2026
#275 closeout cleanup) (#412)

## Summary

Surfaced during the hyperpolymath/standards#275 STEP 7 closeout
**estate-wide hypatia scan**:
`proven-servers/bindings/rescript/package-lock.json` was the single
uncarved hit across 20 estate-wide `package-lock.json` files.

The `rescript` variant is **host-required for the rescript-to-js compile
chain** (same pattern as JS/TS consumer exports, just produced from
`.res` sources) and is symmetric to the existing `/bindings/javascript/`
and `/bindings/typescript/` carve-out class (5c).

## Changes

**`lib/rules/cicd_rules.ex`** — carve-out class 5c extended:

| Before | After |
|---|---|
| `/bindings/javascript/` | `/bindings/javascript/` |
| `/bindings/typescript/` | `/bindings/typescript/` |
| — | `/bindings/rescript/` |

Comment block updated to reflect the rescript variant + reference the
standards#275 STEP 7 surfacing context.

**`test/rules/cicd_rules_rescript_npm_js_test.exs`** — 1 new test case
in the `nodejs_detected rule` describe block asserting that lockfiles
under any of the three sibling consumer-export bindings paths are
exempt.

## Why this closes the loop

The standards#253 closeout PR
(hyperpolymath/standards#325) merged
2026-05-31T07:11Z, declaring the npm → Deno migration "substantially
complete" with "zero `:nodejs_detected` flags outside carve-outs". The
estate-wide scan during that closeout's STEP 7 audit
(hyperpolymath/standards#275) surfaced one
uncarved hit. This PR makes the closeout declaration **exactly true**
(was 19/20 prior).

## Test plan

- [ ] CI: existing nodejs_detected suite passes
- [ ] New test: `exempts */bindings/{javascript,typescript,rescript}/
consumer exports` passes (already syntactically validated via
`Code.string_to_quoted!`)
- [ ] Hypatia self-scan: no false-positive flagging on
`proven-servers/bindings/rescript/`

Refs hyperpolymath/standards#253 (umbrella, CLOSED 2026-05-31)
Refs hyperpolymath/standards#275 (STEP 7, CLOSED 2026-05-31)
Refs #405 (predecessor — first batch of class-5c carve-outs added
vscode-*, tree-sitter-*, Lake, Office, javascript/typescript bindings)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

🔍 Hypatia Security Scan

Findings: 103 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 103 |

[
  {
    "reason": "Action urin 21 JRE\n        uses: actions/setup-java@be666c2fcd27 needs attention",
    "type": "unpinned_action",
    "file": "verify-proofs.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "missing_timeout_minutes",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
