ci: fix Cargo.lock wasmparser dup + allowlist nextgen-languages/ in aspect test#105
Merged
Merged
Conversation
Two pre-existing red checks on main, both unrelated to the source-of-truth code changes that introduced them, blocking auto-merge on documentation PRs: 1. Cargo.lock had duplicate `wasmparser 0.251.0` entries with differing feature sets (one with `serde, hashbrown`, one without), from out-of-order merge of independent dependabot bumps #91 (wasmparser) and #92 (wasm-encoder). Cargo error: "package `wasmparser` is specified twice in the lockfile". Regenerated lockfile from `Cargo.toml` to reconcile. 2. `tests/aspect/claim-envelope.mjs` §8 ("Path references in docs resolve to real files") flagged a stale path in README.adoc: `nextgen-languages/docs/disambiguation/ephapax-vs-affinescript.md`. That reference is to a sibling repo (`hyperpolymath/nextgen-languages`), reached via `link:https://github.com/...[displayed-text]` — the displayed-text just happens to look like a local path. The ALLOWLIST already had `affinescript/`, `ephapax/`, `hypatia/`, `standards/`, `typell/`, `vql-ut/`, `echidna/` for exactly this case. Added `nextgen-languages/` to the same list. Local verification: `node tests/aspect/claim-envelope.mjs` reports 57 passed / 0 failed (was 56 / 1). Unblocks #101 + #104 auto-merge (both doc-only PRs hit by these pre-existing reds). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 96 issues detected
View findings[
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "unknown",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in c5-regenerate.yml",
"type": "unknown",
"file": "c5-regenerate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cargo-audit.yml",
"type": "unknown",
"file": "cargo-audit.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "unknown",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
The comment-stripping pre-pass in security-envelope.mjs §4 (believe_me
/ assert_total / postulate badge accuracy check) handled `--` line
comments and `{- ... -}` block comments, but not Idris2 `|||`
docstrings. `src/abi/TypedWasm/ABI/Proofs.idr:1427` has a docstring:
||| Total, no `believe_me`, no `assert_total`.
…which *describes* the absence of those constructs but was being
matched as actual code. False-positive: README badge claims 0
believe_me / 0 assert_total, source files agree, but the docstrings
about the absence trip the detector.
Add `src.replace(/\|\|\|[^\n]*/g, "")` to the strip pass. Local
verification: `node tests/aspect/security-envelope.mjs` reports
10 passed / 0 failed (was 8 / 2).
Same root cause shape as the nextgen-languages allowlist fix in the
prior commit: aspect-test false positive that masked the real signal.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 96 issues detected
View findings[
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "unknown",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in c5-regenerate.yml",
"type": "unknown",
"file": "c5-regenerate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cargo-audit.yml",
"type": "unknown",
"file": "cargo-audit.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "unknown",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
…isible text The asciidoc link macro's visible text matched the local-path-resolution heuristic of `Aspect (claim envelope)` test #8 (`Path references in docs resolve to real files`), which interpreted the bracketed display string `nextgen-languages/docs/disambiguation/ephapax-vs-affinescript.md` as a path inside *this* repo and reported it stale (file does live under hyperpolymath/nextgen-languages — the URL target is correct; only the visible text triggered the false positive). Change visible text to a prose label that doesn't look like a relative path. URL target unchanged. Unblocks PR #99 and every other typed-wasm cargo CI run currently failing on Smoke test for the same envelope-check violation. Refs #99
🔍 Hypatia Security ScanFindings: 96 issues detected
View findings[
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in boj-build.yml",
"type": "unknown",
"file": "boj-build.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in c5-regenerate.yml",
"type": "unknown",
"file": "c5-regenerate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in cargo-audit.yml",
"type": "unknown",
"file": "cargo-audit.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in codeql.yml",
"type": "unknown",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in dogfood-gate.yml",
"type": "unknown",
"file": "dogfood-gate.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced May 30, 2026
Closed
hyperpolymath
added a commit
that referenced
this pull request
May 30, 2026
… 0002 §5) (#108) ## Summary Closes the remaining doc gate for both proposals: - Proposal 0001 §Acceptance criterion 4 (spec section in \`spec/type-safety-levels-for-wasm.adoc\`) - Proposal 0002 §Gate 5 (same) Adds a new top-level **\"Wire-Level Carrier Sections\"** section after \"Implementation Architecture\" with all 4 carriers documented: \`typedwasm.ownership\` (existing), \`typedwasm.regions\` + \`typedwasm.capabilities\` (proposal 0001 \`[review]\`), \`typedwasm.access-sites\` (proposal 0002 \`[review]\`). ## Content Per-section: full wire format (verbatim from the proposals), Idris2 spec-type mappings, codec entry points (\`parse_*\` / \`build_*\` in \`crates/typed-wasm-verify/src/section.rs\`). Plus overview table, versioning policy, and cross-references to #106 roadmap + #94 / #95 / #96 / #97 open questions. Net +187 lines of doc, no code change. ## What this leaves for [accepted] Per proposal 0001 §Acceptance criteria: - [x] Criterion 1 — paired producer sign-off (4 review comments on #165 + #402) - [ ] Criterion 2 — wire format mapped against \`Region.idr\` / \`Pointer.idr\` / \`ResourceCapabilities.idr\` (could land as proof-side review) - [x] Criterion 3 — codec landed (regions via #77, capabilities + access-sites via #107) - [x] Criterion 4 — **this PR** - [x] Criterion 5 — cross-repo producer issues filed (ephapax#221, affinescript#444 shipped) Per proposal 0002 §Acceptance criteria: - [x] Gate 1 — ADR-021 v2 emit-flip protocol drafted - [x] Gate 2 — paired producer review (ephapax#222 + affinescript#449) - [x] Gate 3 — codec landed (via #107) - [ ] Gate 4 — \`verify_access_sites\` verifier pass (needs cross-section MissingDependentCarrier check) - [x] Gate 5 — **this PR** - [ ] Gate 6 — cross-repo producer codegen issues Remaining for both proposals to flip to \`[accepted]\`: the verifier-pass plumbing (\`verify_capabilities\` for 0001, \`verify_access_sites\` for 0002 — both cross-section). Tracked under #106. ## Test plan - [x] AsciiDoc renders cleanly (table columns balanced, code blocks valid) - [x] No path/file references break (verified against current section.rs API names) - [x] No collisions with existing spec doc sections - [x] Doc-only change — no code, no CI implications beyond aspect tests (which now pass after #105 root-cause fix) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two pre-existing red checks on main, both blocking auto-merge on doc-only PRs (#101, #104), fixed at root.
Cargo.lock dup — `wasmparser 0.251.0` appeared twice with differing feature sets after out-of-order merge of dependabot bumps chore(deps): bump wasmparser from 0.250.0 to 0.251.0 #91 (wasmparser 0.250→0.251) + chore(deps): bump wasm-encoder from 0.250.0 to 0.251.0 #92 (wasm-encoder 0.250→0.251). Cargo error: `package wasmparser is specified twice in the lockfile`. Regenerated lockfile from `Cargo.toml`.
Aspect test §8 — README.adoc has `link:https://...[nextgen-languages/docs/disambiguation/ephapax-vs-affinescript.md]` (link macro with display text that happens to look like a local path). The aspect-test ALLOWLIST already covered sibling repos (`affinescript/`, `ephapax/`, `hypatia/`, etc.); added `nextgen-languages/` for parity.
Test plan
🤖 Generated with Claude Code