Skip to content

chore(grammar): vendor Mojo tree-sitter parser#744

Merged
DeusData merged 1 commit into
mainfrom
feat/vendor-mojo-grammar
Jul 1, 2026
Merged

chore(grammar): vendor Mojo tree-sitter parser#744
DeusData merged 1 commit into
mainfrom
feat/vendor-mojo-grammar

Conversation

@DeusData

@DeusData DeusData commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Refs #502

Summary

  • vendor the Mojo tree-sitter C parser/scanner from lsh/tree-sitter-mojo at 33193a99afe6
  • add the normal one-translation-unit wrapper so tree_sitter_mojo can link when Mojo support is wired
  • document Mojo provenance, MIT license, ABI 15 status, and the Helix source caveat in the grammar manifest

Security / provenance

  • vendored only parser.c, scanner.c, tree_sitter/*.h, and LICENSE
  • did not vendor package manager hooks, workflows, generated lockfiles, or prompt/agent instruction files
  • local scan found no file, process, or network API usage in the vendored C surface

Validation

  • make -f Makefile.cbm build/c/test-runner
  • build/c/test-runner was attempted locally; this checkout is not fully green locally. The retained failures are outside this vendor change: existing Kotlin label/C-LSP read-only guards plus local HTTP listener and DNS clone setup failures in the sandbox.

Signed-off-by: Martin Vogel <martin.vogel.tech@gmail.com>
@DeusData DeusData merged commit 5b75b16 into main Jul 1, 2026
15 checks passed
@DeusData

DeusData commented Jul 1, 2026

Copy link
Copy Markdown
Owner Author

Maintainer security/provenance note after merge:

  • The vendored Mojo grammar is pinned to lsh/tree-sitter-mojo@33193a99afe6d0dbe865d56f6e7514c4087f87b2.
  • Upstream reports MIT licensing, and the vendored copy includes the MIT license/provenance metadata.
  • CI license/provenance gates passed, including the vendored dependency integrity checks.
  • Static review of the vendored parser sources did not find process execution, outbound network behavior, environment exfiltration, sensitive-path file IO, or telemetry-style code paths. The only URL-like reference found was a docs URL used in scanner handling.
  • This is still a community grammar rather than an official Modular grammar, so future grammar refreshes should go through the same license, provenance, and static security review before merge.

Based on those checks, I consider this acceptable for vendoring in the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant