Pillar E primer + related work + estate PMPL→MPL-2.0 sweep (harden integration)#73
Merged
Merged
Conversation
…verifier)
flake.nix evolved to pin the toolchain reproducibly:
* Agda via nixpkgs nixos-24.11 (2.7.0.1)
* standard-library tag v2.3 as a flake input (was nixpkgs-bundled,
a DIFFERENT version than CI/local verify against)
* absolute-zero @3ff5cee as a flake input (was a local ~/dev
checkout — not reproducible / not CI-usable)
plus a hermetic checks.suite (guardrail + 4 roots + N5 xfail) under
that pinned toolchain.
CI: additive job runs . ADDITIVE and
continue-on-error: the apt + jobs remain the
gate, so the 2.7.0.1-vs-verified-2.8.0 delta (if any) is SURFACED,
not a regression. First green run is the P1 verification.
Honest constraints, flagged not hidden (triage, not a blind cutover):
* no in the dev env → flake authored designed-correct,
verified BY CI, NOT locally claimed green; libraries file built
via writeText+cp (no heredoc/indentation hazard) to de-risk the
one fragile part by construction.
* cross-stack: a devShell-only flake.nix also lives on the reframe
stack (#47, commit 185eb74); THIS strictly supersedes it (adds
pins+checks, no behavioural conflict) — take this at integration.
* Agda 2.7.0.1 vs verified 2.8.0 is an explicit surfaced decision,
not an assumption; reconcile via the logged CI delta.
docs/foundation.adoc P1 item moved tracked-followup -> implemented,
pending first-green CI verification; revision history appended.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…026-05-18 # Conflicts: # flake.nix
Clear two of the [EXPAND] tags on the establishment-track paper against the canonical post-retraction structure: * paper.adoc §Background and notation: self-contained primer for readers fluent in one of HoTT fibres / coeffect-graded-modality lineage but not both. Six subsections (type-theoretic setting, Σ-types and identity, HoTT fibres, coeffect/graded-modality lineage, thin-poset reindexing modalities, notation summary) plus an 18-row notation table whose every symbol is sourced from a real Agda module. Explicit on the post-retraction framing: Echo is the fibre; Echo is motivated by — not an instance of — the graded-comonad lineage; the load-bearing hypothesis is `≤g-prop`; there is no funext anywhere. * paper.adoc §Related work: cherry-picked from a parallel agent's worktree, eight per-neighbour subsections (HoTT fibres, graded-comonad/coeffect/QTT lineage, lenses/optics, refinement types, setoid quotients, provenance semirings, IFC/modal type theories, synthesis), each with the (a) nearest construction, (b) what Echo adds, (c) what Echo does NOT add structure. All <<reframing-note>> cross-references resolve. * types-abstract.adoc: added a per-neighbour related-work positioning block (6 bullets) mirroring the paper §Related work at abstract length. Abstract status remains "NOT submission-ready, pending re-review against reframed paper.adoc" — content alignment only, no submission-readiness change. The Evaluation [EXPAND] and Ordinal consumer-evidence [EXPAND] tags remain open (the latter is gated on the ordinal track hitting Bachmann–Howard, firewalled per roadmap.md). Build invariant unchanged: no Agda touched. Authority of every "Echo does X" claim still backed by a verified module. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…26-05-20) Owner direction (2026-05-20) supersedes the prior PMPL-1.0-or-later estate policy: the *stated* licence (SPDX-License-Identifier, LICENSE file, README badge) becomes MPL-2.0; the PMPL framing is preserved as a narrative/cultural overlay in docs/PMPL-NARRATIVE.adoc, not as a separate SPDX identifier or legal text. No legal effect change: MPL-2.0 was already the lawyer-confirmed operative legal effect of PMPL-1.0-or-later. What is dropped is the foreign SPDX identifier that registries / scanners / downstream tooling treated as non-standard. Changes: * 29 source/config/workflow files: SPDX header PMPL-1.0-or-later/PMPL-1.0 → MPL-2.0 (.a2ml, .adoc, .yml, Containerfile, .nix, shell scripts, .editorconfig, .envrc). * README.md: licence badge → MPL-2.0 (https://www.mozilla.org/en-US/MPL/2.0/). * stapeln.toml + arghda-core/Cargo.toml: `license = "MPL-2.0"`. * scripts/kernel-guard.sh + .github/workflows/agda.yml: removed the now-stale "MPL-2.0 is the legal fallback until PMPL is formally recognised" comment. * .machine_readable/6a2/STATE.a2ml: license field → MPL-2.0. * .machine_readable/6a2/ECOSYSTEM.a2ml: convention block re-worded to point at docs/PMPL-NARRATIVE.adoc as the narrative location. * contractiles/Trustfile.a2ml: LICENSE-check trust grep now looks for "Mozilla Public License" instead of the prior PMPL pattern. * docs/PMPL-NARRATIVE.adoc (new): records what the Palimpsest framing contributed (multi-author/palimpsest reading, source-availability discipline, narrative coherence over registry convenience), the working-discipline commitments that survive MPL-2.0, what is no longer claimed, the going-forward header convention, and the history. LICENSE and LICENSE-docs files unchanged: they were already MPL-2.0 / CC-BY-4.0 respectively (no PMPL text to migrate). Intentional remaining PMPL strings: docs/PMPL-NARRATIVE.adoc (the narrative itself) and the one pointer to it in ECOSYSTEM.a2ml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…026-05-18 # Conflicts: # docs/echo-types/paper.adoc
🔍 Hypatia Security ScanFindings: 10 issues detected
View findings[
{
"reason": "No test directory or test files found",
"type": "no_tests",
"file": "/home/runner/work/echo-types/echo-types",
"action": "flag",
"rule_module": "honest_completion",
"severity": "high",
"deduction": 20
},
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_workflow",
"file": "secret-scanner.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action actions/cache@v4 needs attention",
"type": "unpinned_action",
"file": "agda.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "No dependabot.yml or renovate.json found in echo-types",
"type": "DependencyUpdate",
"file": "/home/runner/work/echo-types/echo-types",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "high",
"remediation": "Add .github/dependabot.yml or renovate.json configuration.",
"scorecard_check": "Dependency-Update-Tool"
},
{
"reason": "Nominal-only SAST in echo-types: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/echo-types/echo-types",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in echo-types",
"type": "DependencyPinning",
"file": "/home/runner/work/echo-types/echo-types",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
},
{
"reason": "Repository has 1 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the
harden/ci-flake-pin-2026-05-18stack onto main, with three logical groupings:8a24530) — clears two[EXPAND]tags ondocs/echo-types/paper.adoc:<<reframing-note>>xrefs resolve.types-abstract.adoc: per-neighbour related-work positioning block mirroring the paper. Abstract status remains "NOT submission-ready, pending re-review" — content alignment only.2e78761) — collapses thePMPL-1.0-or-laterSPDX identifier toMPL-2.0per owner direction 2026-05-20. 29 source/config files swept; README badge updated;stapeln.toml+arghda-core/Cargo.tomllicense fields; newdocs/PMPL-NARRATIVE.adocrecords the cultural/discipline overlay PMPL represented (no legal effect change — MPL-2.0 was already the lawyer-confirmed operative legal effect).Reconciliation needed before merge
origin/mainhas advanced by 7 PRs (#64–#70) since this branch's last merge from main:EchoJanusBridge.agda+221 /EchoApprox.agda+132)EchoAccess.agda, 262 lines)AntiEcho.agda, 93 lines)Expected conflicts (deliberate, owner-resolved):
paper.adoc— this PR adds Background primer + Related work; parallel sessions may have edited adjacent sectionstypes-abstract.adoc— this PR adds a related-work blockflake.nix— this PR is the full harden-P1 flake; parallel sessions retained the simpler devShell flake.github/workflows/*.yml,.machine_readable/6a2/*.a2ml,contractiles/*.a2ml,stapeln.toml,README.md,arghda-core/Cargo.toml,Containerfile,EXPLAINME.adoc,QUICKSTART-*.adoc,TOPOLOGY.adoc,docs/echidna-design-search-2026-04-28.adoc,docs/echo-types/MAP.adoc,docs/echo-types/echo-kernel-note.adoc,scripts/kernel-guard.sh,tools/check-guardrails.sh— licence sweep; conflicts with parallel sessions that kept PMPL headers (resolve by taking this PR's MPL-2.0)Test plan
flake.nixnix flake checkpasses (additive verifier)agda proofs/agda/All.agdaandagda proofs/agda/Smoke.agdaboth exit 0 under--safe --without-K, zero postulates (no Agda was touched by this branch's recent commits, so this should be a verification-only step)paper.adoc— confirm all<<reframing-note>>xrefs resolvedocs/PMPL-NARRATIVE.adocreads coherentlyPMPL/Palimpseststrings outsidedocs/PMPL-NARRATIVE.adoc+ the one intentional pointer inECOSYSTEM.a2ml🤖 Generated with Claude Code