Phase 2c: Extend walker to all six anti-patterns, make it default#357
Open
hyperpolymath wants to merge 3 commits into
Open
Phase 2c: Extend walker to all six anti-patterns, make it default#357hyperpolymath wants to merge 3 commits into
hyperpolymath wants to merge 3 commits into
Conversation
🔍 Hypatia Security ScanFindings: 112 issues detected
View findings[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/compile.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/runner.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
1 similar comment
🔍 Hypatia Security ScanFindings: 112 issues detected
View findings[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/compile.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/runner.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced May 25, 2026
hyperpolymath
added a commit
that referenced
this pull request
May 25, 2026
…-queue clear) Every open PR (#357–#360) is MERGEABLE/UNSTABLE because main itself has three independent baselines red. Same red shows up on every new PR. Fix each at source so it stops blocking the whole queue. ## 1. `bench/dune` — `Unknown field "alias"` (build + lint) `(test ...)` in dune 3.x does not accept `(alias <name>)` as an inline field. The pattern that works under dune 3.14: (executable ...) ; build the bench runner without auto-@runtest (rule (alias bench) ; only run when explicitly targeted via @bench (action (run ...))) Preserves the visibility-only contract (`just bench` / `dune runtest @bench` still work; normal `dune runtest` no longer pulls bench in). ## 2. Anti-pattern false-positive on `.res` test fixture (governance) `tools/res-to-affine/test/fixtures/sample.res` is the input corpus for the `.res → .affine` migration tool (#57). The estate ban on `.res` files correctly flags it, but the file is fixture-by-construction. The governance bundle already supports an in-file pragma read from the first 8 lines — add `// hypatia:ignore cicd_rules/banned_language_file` to the fixture header so the exemption travels with the file rather than living in a side-channel `.hypatia-ignore` list. ## 3. npm 404 on `@hyperpolymath/affine-vscode` (vscode-smoke) The adapter package is gated on owner action #104 (org create + NPM_TOKEN + `affine-vscode-v0.1.0` tag push) and has not landed. Until then `npm install` 404s and the smoke harness can't even load the extension. Two layers of fix: - `editors/vscode/package.json`: move `@hyperpolymath/affine-vscode` from `dependencies` → `optionalDependencies` so `npm install` tolerates the 404 instead of erroring out. When the package eventually publishes, real installs pick it up automatically. - `lib/codegen_node.ml`: the `--vscode-extension` codegen was emitting an unconditional `const _makeVscodeBindings = require("...")` at top level. Replace with a defensive `try { } catch (_e) { if code !== MODULE_NOT_FOUND throw }` wrapper plus a guarded `extraImports` that returns `{}` when the adapter is absent. Other require errors (syntax, transitive failure) are still rethrown so real bugs aren't masked. Same patch applied to the already-committed `editors/vscode/out/extension.cjs` so today's CI sees the fix without a compiler rebuild round-trip. This is the upstream fix — any future extension compiled with `--vscode-extension` inherits graceful degradation. activate() / deactivate() resolve cleanly when the adapter is missing; the in-editor smoke harness (#139) verifies activation + command registration + restartLsp cycling, which do not require the binding adapter. Refs #104 (adapter publish remains owner-blocked but no longer load-bearing for CI); Refs #57 (migration assistant); Refs #139 (vscode smoke harness). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
May 25, 2026
…ure exemption (#361) ## Summary Every open PR (#357–#360) is `MERGEABLE` / `UNSTABLE` because **main itself** has three independent baselines red. The same four checks fail on each PR. Fix each red at source so the queue inherits a clean baseline. - **`bench/dune`** — `Unknown field "alias"` (breaks `build` + `lint`) - **anti-pattern policy** — flags `tools/res-to-affine/test/fixtures/sample.res` (intentional fixture for #57) - **`vscode-smoke`** — `npm install` 404s on the not-yet-published `@hyperpolymath/affine-vscode` (#104 owner-blocked) ## Foundational fixes (one PR; each at the correct upstream level) | Surface | File | Fix | |---|---|---| | dune 3.x compatibility | `bench/dune` | Replace `(test ...) (alias bench)` with `(executable ...)` + a dedicated `(rule (alias bench) ...)`. Keeps `just bench` / `dune runtest @bench` working; doesn't auto-pull bench into `@runtest`. | | Banned-language fixture exemption | `tools/res-to-affine/test/fixtures/sample.res` | In-file `// hypatia:ignore cicd_rules/banned_language_file` pragma (governance bundle reads first 8 lines for `hypatia:ignore <rule>`). Exemption travels with the file rather than living in a side-channel `.hypatia-ignore`. | | Compiler upstream | `lib/codegen_node.ml` | Wrap the `--vscode-extension` adapter require in `try { } catch (_e) { if (_e.code !== "MODULE_NOT_FOUND") throw _e; }`. `extraImports` returns `{}` when the adapter is absent. Real require errors (syntax, transitive failures) are still rethrown so genuine bugs aren't masked. Any future extension built with this flag inherits graceful degradation. | | Committed compiler output | `editors/vscode/out/extension.cjs` | Apply the same try/catch in the regenerated `.cjs` so today's CI picks up the fix without a full compiler rebuild round-trip. | | Package metadata | `editors/vscode/package.json` | Move `@hyperpolymath/affine-vscode` from `dependencies` → `optionalDependencies` so `npm install` tolerates the 404 instead of failing the install. When `#104` lands the publish-tag, real installs pick the package up automatically. | ## Why one PR, not three The three fixes touch independent surfaces but the queue is blocked on the **union** of the three failures. Splitting would require landing this PR first (otherwise the dune red blocks every dependent fix), then landing the other two on a now-green main. Bundling avoids that rebase round-trip and lets PRs #357–#360 inherit a clean baseline in one merge. ## Why this is foundational, not a workaround - The dune fix matches dune ≥3.0's canonical pattern for "build this but only run on explicit alias" — not a hack. - The fixture pragma uses the governance bundle's documented in-file exemption mechanism (same machinery used by other estate repos). - The defensive adapter load is at the **codegen source** in `lib/codegen_node.ml`, so any future extension compiled with `--vscode-extension` inherits the behaviour. The committed `.cjs` patch is a regen-equivalent (would be reproduced verbatim by a fresh `dune build && affinescript compile … --vscode-extension`). ## Test plan - [ ] `build` job passes (`dune build` no longer hits the `(alias bench)` syntax error) - [ ] `lint` job passes (same) - [ ] `governance / Language / package anti-pattern policy` passes (fixture exempted by pragma) - [ ] `vscode-smoke` passes (`npm install` tolerates optional `@hyperpolymath/affine-vscode`; extension activates without the adapter; commands register; restartLsp cycles; deactivate resolves) - [ ] No regression on green checks (CodeQL, Semgrep, Hypatia scans, governance subjobs, migration-assistant, etc.) - [ ] After merge: PRs #357–#360 transition `UNSTABLE` → `CLEAN` (after rebase or new CI cycle) Refs #104 (adapter publish remains owner-blocked but no longer load-bearing for CI), Refs #57 (migration assistant — fixture intent), Refs #139 (vscode smoke harness). 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
pushed a commit
that referenced
this pull request
May 25, 2026
…T.adoc Three pure-rename/delete operations to unblock the standing Hypatia `root_hygiene` rule for this repo and re-canonicalise the coordination ledger filename that the rest of the repo points at. - `AI.a2ml` → `0-AI-MANIFEST.a2ml`. Matches the sibling-repo convention (`road-skate/`, `affinescript-vite/`, `affinescriptiser/` all already carry `0-AI-MANIFEST.a2ml`) and clears the Hypatia HIGH finding "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only". Content preserved verbatim; canonical-structure refresh deferred to a later tidy phase so the rename is reviewable in isolation. - `AI.djot` deleted. Hypatia HIGH "Superseded by 0-AI-MANIFEST.a2ml"; the same project metadata is already covered by 0-AI-MANIFEST.a2ml and the six `.machine_readable/6a2/*.a2ml` files it points at. - `docs/TECH-DEBT-alt.adoc` → `docs/TECH-DEBT.adoc`. The whole repo references `TECH-DEBT.adoc` (META.a2ml, STATE.a2ml, CAPABILITY-MATRIX, ECOSYSTEM, RESCRIPT-ELIMINATION, STDLIB-EXTERN-AUDIT, TYPED-WASM- ROADMAP all link to it). PR #356 had renamed it `-alt` as a conflict- avoidance manoeuvre during the #351 split; with #351 now resolved (via #355/#356) the alt suffix is dead weight and every cross-link was silently broken. Restoring the canonical name; no content change. - One incidental edit: CONTRIBUTING.md's repo-layout block pointed at the old `AI.a2ml` path — updated to `0-AI-MANIFEST.a2ml`. No-op on CI semantics; this is pure filesystem hygiene. Phase 2c (#357) is unaffected — it lives on a separate branch and does not touch any of these paths.
hyperpolymath
force-pushed
the
claude/epic-gauss-Mbi0E
branch
from
e7a3a44 to
9831bbe
Compare
🔍 Hypatia Security ScanFindings: 108 issues detected
View findings[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/compile.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/runner.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
added a commit
that referenced
this pull request
May 25, 2026
`dune build @fmt` rejects the one-line forms my #361 commit landed on main — dune's formatter wants `(modules ...)` with each module on its own line, and `(action ...)` with the body on its own line. This is a follow-up to PR #361 (already merged); the @fmt check has been failing on every build since #361 because of that one-liner. The `dune runtest` / `just bench` semantics are unchanged. Combined with the env_at/arg_at wiring and string_length codegen lowering earlier in this PR, this should clear the build red on the 4-PR queue (#357-#360) and on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
pushed a commit
that referenced
this pull request
May 25, 2026
…T.adoc Three pure-rename/delete operations to unblock the standing Hypatia `root_hygiene` rule for this repo and re-canonicalise the coordination ledger filename that the rest of the repo points at. - `AI.a2ml` → `0-AI-MANIFEST.a2ml`. Matches the sibling-repo convention (`road-skate/`, `affinescript-vite/`, `affinescriptiser/` all already carry `0-AI-MANIFEST.a2ml`) and clears the Hypatia HIGH finding "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only". Content preserved verbatim; canonical-structure refresh deferred to a later tidy phase so the rename is reviewable in isolation. - `AI.djot` deleted. Hypatia HIGH "Superseded by 0-AI-MANIFEST.a2ml"; the same project metadata is already covered by 0-AI-MANIFEST.a2ml and the six `.machine_readable/6a2/*.a2ml` files it points at. - `docs/TECH-DEBT-alt.adoc` → `docs/TECH-DEBT.adoc`. The whole repo references `TECH-DEBT.adoc` (META.a2ml, STATE.a2ml, CAPABILITY-MATRIX, ECOSYSTEM, RESCRIPT-ELIMINATION, STDLIB-EXTERN-AUDIT, TYPED-WASM- ROADMAP all link to it). PR #356 had renamed it `-alt` as a conflict- avoidance manoeuvre during the #351 split; with #351 now resolved (via #355/#356) the alt suffix is dead weight and every cross-link was silently broken. Restoring the canonical name; no content change. - One incidental edit: CONTRIBUTING.md's repo-layout block pointed at the old `AI.a2ml` path — updated to `0-AI-MANIFEST.a2ml`. No-op on CI semantics; this is pure filesystem hygiene. Phase 2c (#357) is unaffected — it lives on a separate branch and does not touch any of these paths.
…efault-engine flip (Refs #57) Brings the tree-sitter walker to full parity with the Phase-1 regex scanner on the three remaining ported kinds (raw-js, untyped-exception, mutable-global), adds the two anti-patterns that were explicitly deferred from Phase 1 because they need real AST (inline-callback-record, oversized-function), and flips --engine=walker to the default in main.ml. Scope (per PR #322's "What is NOT in this PR" / Phase 2c plan): - raw-js: any extension_expression node (covers %raw / %bs.raw). - untyped-exception: try_expression, call_expression with function text "raise", and member_expression / value_identifier_path whose text starts with "Js.Exn" or ends with "Promise.catch". - mutable-global: top-level let_declaration whose let_binding body is a call to ref(), plus top-level mutation_expression (:=). The "at module top level" predicate now walks the ancestor chain outward, refusing if a function or let_binding body intervenes before source_file / module_declaration. - inline-callback-record: record literal or call_expression with ≥3 inline function values (directly, or wrapped in labeled_argument / record_field). Threshold matches LESSONS.md. - oversized-function: function node whose stop.row - start.row +1 exceeds 50 source rows. Findings deduped by (kind, line) to match the regex scanner's "one match per regex per line" contract. CLI default flips to --engine=walker; the walker auto-falls-back to the scanner if the vendored grammar is missing or tree-sitter parse fails (unchanged fallback path from #322). Tests - test_walker.ml now exercises every kind on the existing fixtures/sample.res (raw-js line 11, mutable-global lines 14+15, untyped-exception lines 19/22/28). All gated on tree-sitter + vendored grammar being present, same skip discipline as Phase 2b. - New fixtures/phase2c.res exercises the two walker-only kinds: a 4-field handlers record + a Widget.make call with 3 labelled- argument lambdas (inline-callback-record), plus a let-bound function spanning 60 source rows (oversized-function). Docs - tools/res-to-affine/README.md updated: walker is the default, coverage matrix shows ✓ for all six kinds, what-gets-flagged table replaces the old Phase-1/Phase-2 split. - walker.mli docstring updated for Phase 2c scope. - scanner.mli kind type extended with Inline_callback_record and Oversized_function; scanner.ml gives them labels + guidance. The scanner.ml scan pipeline is unchanged (these two kinds are walker-only by construction). Test plan - [ ] CI build green (dune build + dune runtest). - [ ] CI migration-assistant job green. - [ ] Local: just install-grammar && dune runtest tools/res-to-affine/ reports all walker tests OK. Local-build caveat: container has no OCaml toolchain (per CLAUDE.md §Agent operations notes); dune build / dune runtest were not run locally. CI is the source of truth. Refs #57
…Phase 2b style (Refs #57) CI build + lint failed on the initial Phase 2c push. Root cause: the labeled-only `mk_finding ~kind:K ~line:L ~excerpt:E :: acc` pattern I introduced was ambiguous against OCaml's operator precedence / labeled- application parsing for the multi-line indented call form. The PR #322 walker.ml used an explicit `let finding : Scanner.finding = { ... } in finding :: acc` pattern that the build was already happy with. This change: - Removes the `mk_finding` helper. - Rewrites every detector's emit-point to construct the record literal inline with explicit `Scanner.finding` type annotation, the same style as the Phase 2b code already in the file. - For [detect_untyped_exception]'s three emit-paths that share the same finding shape, introduces a local closure `let push acc = ...` over `node` and `source` instead of repeating the literal. - Replaces non-ASCII Unicode (the comment ellipsis `…` and the greater-than-or-equal `≥`) with `...` and `>=` defensively, even though prior OCaml in this repo already uses UTF-8 in comments elsewhere without trouble — eliminates one more variable while diagnosing CI from a container without an OCaml toolchain. - Tightens indentation to match the surrounding existing-file style. No behavioural change. Same six detectors fire on the same node shapes; same dedupe pass; same public entry point.
hyperpolymath
force-pushed
the
claude/epic-gauss-Mbi0E
branch
from
9831bbe to
199f90f
Compare
🔍 Hypatia Security ScanFindings: 108 issues detected
View findings[
{
"reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
"type": "banned",
"file": "AI.a2ml",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Superseded by 0-AI-MANIFEST.a2ml",
"type": "banned",
"file": "AI.djot",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/compile.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/runner.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
hyperpolymath
added a commit
that referenced
this pull request
May 25, 2026
…adoc (#359) ## Summary Phase T-1 of the repo-tidy stack the owner requested ("tidy of the repo and cleanup of any mess so it is all tidy and readable"). Three pure-rename / delete operations: 1. **`AI.a2ml` → `0-AI-MANIFEST.a2ml`** — clears the standing Hypatia HIGH finding `root_hygiene "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only"` and matches the sibling-repo convention (`road-skate/`, `affinescript-vite/`, `affinescriptiser/` already carry `0-AI-MANIFEST.a2ml`). Content preserved verbatim; a canonical-structure refresh (the sibling template's STOP-banner format declaring canonical-location invariants) is deferred to a later tidy phase to keep this PR reviewable. 2. **`AI.djot` deleted** — clears the Hypatia HIGH finding `root_hygiene "Superseded by 0-AI-MANIFEST.a2ml"`. The same project metadata is already covered by `0-AI-MANIFEST.a2ml` + the six `.machine_readable/6a2/*.a2ml` files it points at. 3. **`docs/TECH-DEBT-alt.adoc` → `docs/TECH-DEBT.adoc`** — restores the canonical filename every cross-link in the repo already points at (`META.a2ml`, `STATE.a2ml`, `CAPABILITY-MATRIX.adoc`, `ECOSYSTEM.adoc`, `RESCRIPT-ELIMINATION.adoc`, `STDLIB-EXTERN-AUDIT.adoc/.a2ml`, `docs/specs/TYPED-WASM-ROADMAP.adoc`). PR #356 had appended `-alt` during the #351 split to avoid a merge conflict; with #351 resolved via #355/#356 the alt suffix is dead weight and every existing cross-link was silently broken. Incidental: one stale path in `CONTRIBUTING.md`'s repo-layout block updated `AI.a2ml` → `0-AI-MANIFEST.a2ml`. ## Hypatia delta (expected) Before this PR the standing scan reports two HIGH `root_hygiene` findings against this exact pair of files. They should drop on the next scan, taking the totals from the 143-finding baseline down to ~141. The TypeScript-exemption findings under `affinescript-deno-test/` are out of scope for this PR — they're documented carve-outs in `.claude/CLAUDE.md` §"TypeScript Exemptions (Approved)" and the policy check has no allowlist for them. ## Test plan - [ ] CI `governance / Language / package anti-pattern policy` and `vscode-smoke` remain at their pre-existing baseline-failure state (these are the documented known-failing checks in `.claude/CLAUDE.md` §"Known-failing baseline checks"; not introduced or worsened by this PR). - [ ] `build`, `lint`, `migration-assistant`, `governance / Workflow security linter`, `governance / Security policy checks`, `governance / Well-Known (RFC 9116 + RSR)`, `governance / Code quality + docs`, `governance / Guix primary / Nix fallback policy`, `Semgrep OSS`, `CodeQL`, `Hypatia`, `analyze (actions, none)`, `enforce-lowercase-stdlib`, `spark-theatre-gate` all green. - [ ] The next Hypatia scan comment drops the two `AI.a2ml` / `AI.djot` HIGH lines. ## Stack This is part of a stack the owner authorised — see issue thread for the wider scope. Subsequent phases land on separate branches off `main`: - **T-2** — delete out-of-scope game files (`DAMAGE-SYSTEM.md`, `CONTROLS-REFERENCE.md`, `GAME-BUNDLING-STRATEGY.md`). - **T-3** — move loose root docs (`ABI-FFI-README.md`, `ALPHA-1-RELEASE-NOTES.md`, `BACKEND-*`, `COMPILER-CAPABILITIES.md`, `KNOWN-ISSUES.md`, `LICENSING-GUIDE.md`, `NAVIGATION.adoc`, `PROOF-NEEDS.md`, `ROADMAP.adoc`, `SECURITY-SETUP.md`, `EXPLAINME.adoc`, `RSR_OUTLINE.adoc`) into the existing `docs/` subtree. - **T-4** — add `RSR_COMPLIANCE.adoc` + `STATE.scm` per RSR template. - **T-5** — refresh `wiki/`. - **T-6** — issue/PR triage pass. Phase 2c (#357) is on a separate branch and unaffected by this PR. --- _Generated by [Claude Code](https://claude.ai/code/session_01WNkH8UucP3PppG5R36kGcu)_ Co-authored-by: Claude <noreply@anthropic.com>
This was referenced May 26, 2026
🔍 Hypatia Security ScanFindings: 103 issues detected
View findings[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/checkout@v6 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action denoland/setup-deno@v2 needs attention",
"type": "unpinned_action",
"file": "publish-jsr.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/example/smoke_driver.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/cli.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/compile.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/runner.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/affinescript-deno-test/lib/discover.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/affinescript/affinescript/packages/affine-js/types.d.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Completes Phase 2 of the tree-sitter AST walker by extending it from detecting only
side-effect-import(Phase 2b) to all six anti-patterns identified in the idaptik Wave 3 pilot. The walker now detects the remaining three Phase-1 kinds (raw-js,untyped-exception,mutable-global) plus the two kinds explicitly deferred from Phase 1 because they require real AST (inline-callback-record,oversized-function). The--engine=walkerflag becomes the CLI default.Key Changes
Extended anti-pattern detection in
walker.ml:detect_raw_js: flags anyextension_expressionnode (%raw,%bs.raw, etc.)detect_untyped_exception: detectstry_expression,raise()calls,Js.Exn.*references, andPromise.catchmember accessdetect_mutable_global: flags top-levellet x = ref(...)bindings and top-levelmutation_expression(:=operator)detect_inline_callback_record: counts inlinefunctionvalues in record literals and call argument lists; flags when ≥3 appear in a single containerdetect_oversized_function: flags functions whose row span exceeds 50 source lines (proxy for >50 LOC body)Structural improvements:
at_module_toplevelas a reusable predicate to distinguish module-scoped state from local bindings inside function bodiesdedupefilter to eliminate structurally-overlapping AST matches on the same line (e.g., aJs.Exnreference nested inside atry_expression)node_text,starts_with,ends_with,mk_finding) for cleaner detector implementationsCLI and documentation:
main.ml: flipped--engine=walkerto the default;--engine=scanneris now the fallbackREADME.md: updated usage examples, coverage table, and Phase 2 architecture notes to reflect Phase 2c completionscanner.mliandscanner.ml: addedInline_callback_recordandOversized_functionto thekindtype and guidance text (for consistency, though the scanner itself does not detect these)Test coverage:
test_walker_finds_raw_js,test_walker_finds_mutable_global,test_walker_finds_untyped_exceptionto verify Phase 2c parity with Phase-1 scanner on the four shared kindstest_walker_finds_inline_callback_recordandtest_walker_finds_oversized_functionto verify the two walker-only kindsphase2c.resexercises inline callback records (record literal with 4 lambdas, call site with 3 labelled-argument lambdas) and an oversized function (60-row span)Notable Implementation Details
Module-toplevel detection: The walker now correctly distinguishes
let _ = Mod.valueat module scope (anti-pattern) from the same shape inside a function body (normal "discard return value" idiom). This eliminates the false-positive class that the Phase-1 regex had to band-aid in docs(res-to-affine): corpus run + regex precision fixes (Refs #57) #319.Deduplication: Because the AST walker visits structural overlaps (e.g., a
Js.Exnmember expression nested inside atry_expressionyields twoUntyped_exceptionfindings on the same line), findings are deduplicated by(kind, line)before sorting. This keeps the output consistent with what the line-based scanner would produce.Row-span proxy for oversized functions: Rather than counting lines in the function body subtree, the walker uses
node.stop.row - node.start.row + 1as a cheap proxy. This is sufficient for surfacing decomposition candidates; precise line counting belongs to Phase 3 where thehttps://claude.ai/code/session_01WNkH8UucP3PppG5R36kGcu