Front door: verifiable spec registry + routing + drift automation#357
Draft
hyperpolymath wants to merge 4 commits into
Draft
Front door: verifiable spec registry + routing + drift automation#357hyperpolymath wants to merge 4 commits into
hyperpolymath wants to merge 4 commits into
Conversation
Turn the ~7,000-file monorepo into something an agent or human can read as one coherent thing OR jump straight to what they need, and wire it into the live drift-detection automation. New verifiable registry + generator - scripts/build-registry.sh: generates .machine_readable/REGISTRY.a2ml (one [[spec]] block per standard with home + content-addressed source_hash over `git ls-files -s <home>`) and the DERIVED TOPOLOGY.md, from the file tree + STATE.a2ml. Honest by construction (only emits homes that exist), deterministic, idempotent. `just registry` / `just registry-check`. - .machine_readable/REGISTRY.a2ml: 28 specs across 6 streams. - REGISTRY.adoc: prose on the registry, source_hash, and the drift loop. Drift becomes a detected, routed finding (not noticed 60 days later) - .github/workflows/registry-verify.yml: CI fails on registry/topology drift. - hypatia-rules/registry-staleness.a2ml (HYP-S006): recomputes hashes, emits doc.drift; @router defaults to auto_execute (regenerate) but HARD-CAPS any licence/SPDX-overlapping drift to :review (Manual-Only guardrail). Front door + routing - README.adoc: 'Start Here' + 'if you want X, go here' routing table covering the three streams, the registry, A2ML/K9 foundation, protocols, readiness grades, enforcement/CI. - 0-AI-MANIFEST.a2ml: rewritten as the real machine entry (was a generic template) with machine routing + registry pointer + real invariants. Kill duplication / fix drift - TOPOLOGY.md: now DERIVED/generated (was hand-frozen at 2026-04-04, 80% while integration read 0%); SPDX header preserved. - EXPLAINME.adoc: thin stub (drops the drifted ReScript-as-Primary line and the dead groove-protocol/ + palimpsest-license/ local links; defers the spec inventory to the registry). - llm-warmup-{dev,user}.md: were byte-identical; now role-specific stubs. - QUICKSTART-{DEV,USER,MAINTAINER}.adoc: filled the {{PLACEHOLDER}} markers. - REORGANIZATION-PLAN.md: marked SUPERSEDED (premises predate the monorepo consolidation + registry); points at the new front door. Licence note: this commit only REMOVES now-false PMPL-1.0 claims (replaced with neutral 'see LICENSE' / Manual-Only wording) and asserts no identifier. No LICENSE file or SPDX header is edited; TOPOLOGY.md keeps its AGPL header. https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
…E [OWNER REVIEW]⚠️ OWNER REVIEW REQUIRED — documentation-accuracy fix, NOT a relicensing. The repo's actual LICENSE file is MPL-2.0 (set owner-directed in #354), but several DOC BADGES / prose lines still asserted PMPL-1.0-or-later. This commit corrects only those human-facing descriptions to match the LICENSE file: - README.adoc: License badge PMPL-1.0 -> MPL-2.0; dropped the Palimpsest 'Philosophy' badge (this is not a Palimpsest carve-out repo); Licensing bullet, repo-structure LICENSE line, and == License section -> MPL-2.0 with a Manual-Only / owner-only note. - ROADMAP.adoc: License row -> MPL-2.0. - QUICKSTART-MAINTAINER.adoc: Security-Notes licence line -> MPL-2.0. - PALIMPSEST.adoc: added a clarifying NOTE that this document describes the PMPL framework generally and that THIS repo is MPL-2.0; Palimpsest applies only to palimpsest-license / palimpsest-plasma / consent-aware-http. This commit is deliberately isolated so it can be reviewed or dropped on its own. NO LICENSE file and NO SPDX header is touched (those remain owner-only, Manual-Only). Per .claude/CLAUDE.md this is proposed for owner review, not swept. https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
The generator stamped a commit-derived date into REGISTRY.a2ml and TOPOLOGY.md, so the output changed on every commit and 'build-registry.sh --check' (and thus registry-verify CI) would spuriously report drift. Remove the timestamp: the output is now a pure function of the committed tree (spec hashes + STATE), so --check is stable. https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
🔍 Hypatia Security ScanFindings: 223 issues detected
View findings[
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in affinescript-verify.yml",
"type": "missing_timeout_minutes",
"file": "affinescript-verify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in changelog-reusable.yml",
"type": "missing_timeout_minutes",
"file": "changelog-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql-reusable.yml",
"type": "missing_timeout_minutes",
"file": "codeql-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in deno-ci-reusable.yml",
"type": "missing_timeout_minutes",
"file": "deno-ci-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
Closes the one Hypatia workflow_audit finding (missing_timeout_minutes) that applies to the workflow this PR adds. The other 223 findings in the scan are pre-existing estate-wide workflow hygiene on unrelated workflows, out of scope for this PR. https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
🔍 Hypatia Security ScanFindings: 222 issues detected
View findings[
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action for the check script)\n uses: actions/checkout@de0f needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in affinescript-verify.yml",
"type": "missing_timeout_minutes",
"file": "affinescript-verify.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "missing_timeout_minutes",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in casket-pages.yml",
"type": "missing_timeout_minutes",
"file": "casket-pages.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in changelog-reusable.yml",
"type": "missing_timeout_minutes",
"file": "changelog-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql-reusable.yml",
"type": "missing_timeout_minutes",
"file": "codeql-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "missing_timeout_minutes",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in deno-ci-reusable.yml",
"type": "missing_timeout_minutes",
"file": "deno-ci-reusable.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Turns the ~7,000-file standards monorepo into something an agent or human can read as one coherent thing or jump straight to exactly what they need — and wires it into live drift-detection automation so documentation rot becomes a detected, routed finding instead of something noticed 60 days later.
Built on a fresh inventory (103 top-level entries, 7,026 tracked files, 28 spec homes verified to exist).
Commit
f805bdcis isolated and contains the only licence-touching changes: it corrects human-facing doc badges/prose that assertedPMPL-1.0-or-latertoMPL-2.0, matching the actualLICENSEfile (set owner-directed in #354). This is a documentation-accuracy fix, not a relicensing.LICENSEfile and no SPDX header is edited — those stay owner-only / Manual-Only per.claude/CLAUDE.md.README.adoc(badge + Licensing bullet + structure line +== License; also dropped the "Philosophy: Palimpsest" badge since this is not a Palimpsest carve-out repo),ROADMAP.adoc,QUICKSTART-MAINTAINER.adoc,PALIMPSEST.adoc(added a NOTE that the doc describes PMPL generally and that this repo is MPL-2.0).The other commits only remove now-false
PMPL-1.0claims (replaced with neutral "see LICENSE" / Manual-Only wording) — they assert no identifier.The two front doors
README.adoc— now opens with a "Start Here" + "if you want X, go here" routing table0-AI-MANIFEST.a2ml— rewritten from a generic template into the real machine entry, with routing + registry pointer + real invariantsEvery other "what is this repo" doc is now a thin pointer back to these two.
The verifiable registry (Task 3)
.machine_readable/REGISTRY.a2ml— generated index of 28 specs across 6 streams; each[[spec]]hashome,canonical_doc, and a content-addressedsource_hash(sha256overgit ls-files -s <home>).scripts/build-registry.sh— the generator (honest by construction: only emits homes that exist; deterministic; idempotent).just registry/just registry-check.REGISTRY.adoc— prose on the registry, howsource_hashcatches drift, and the router.Drift becomes a detected, routed finding (Task 3)
.github/workflows/registry-verify.yml— in-repo half: fails the build on registry/topology drift.hypatia-rules/registry-staleness.a2ml(HYP-S006) — estate half: recomputes hashes, emitsdoc.drift. Its@routerdefaults toauto_execute(regenerate) but hard-caps any licence/SPDX-overlapping drift to:review, honouring the Manual-Only guardrail andlicense_finding_strategy/0.Confirmed drift fixed (Task 4)
EXPLAINME.adoc→ thin stub: drops theReScript-as-Primary line (banned 2026-04-30) and the deadgroove-protocol/+palimpsest-license/local links (both confirmed absent); defers the spec inventory to the registry.llm-warmup-{dev,user}.mdwere byte-identical → now role-specific stubs.QUICKSTART-{DEV,USER,MAINTAINER}.adoc— all{{PLACEHOLDER}}markers filled (USER re-framed for a specs repo, not an app install).TOPOLOGY now derived (Task 5)
TOPOLOGY.mdwas hand-frozen at2026-04-04(80% overall while integration read 0%). It is now generated from the registry +STATE.a2ml— it can't freeze. Its existingAGPL-3.0-or-laterSPDX header is preserved (not touched).REORGANIZATION-PLAN.md superseded (Task 6)
Marked SUPERSEDED with a banner: its premise (move content out to separate repos) predates the 2026-02-08 monorepo consolidation; discoverability/drift are now handled by the registry + automation.
Notes for the reviewer
AGPL-3.0-or-laterto match the repo's current per-file SPDX convention (Phase 1/2 sweeps chore(license): flip 700 PMPL→AGPL-3.0-or-later SPDX stamps (Phase 1) #344/chore(license): replace 7 subdir LICENSEs + flip 2717 SPDX → AGPL-3.0-or-later (Phase 2) #345) and to preserve TOPOLOGY.md's existing header. Note theLICENSEfile is MPL-2.0 — the LICENSE-vs-per-file-SPDX classification is an owner-only question I did not resolve.just registry-checkis green; output is deterministic (commit83e83a6removed a volatile timestamp that would have spuriously tripped CI).Out of scope (untouched)
A2ML/K9 spec internals (Stream 1); AffineScript spec text (Stream 2); any
LICENSE/SPDX edits (owner-only — flagged, not fixed).https://claude.ai/code/session_011xv3VLrqeXkpjXxUojKz82
Generated by Claude Code