Refs #260 (do not auto-close).
Gap: Hypatia ingests Scorecard into its own pipeline but never writes back to GitHub alert state. Non-actionable (#44 Maintained) and accepted-exception (#63 SLSA) findings therefore re-accumulate as open on every audit; the missing write-back is the structural cause of the recurrence.
Build: Hypatia.ScorecardReconciler — pull live code-scanning alerts via GitHub API; per alert classify via the 4-axis taxonomy → {actionable→dispatch fix, accepted-exception→dismiss won't-fix+rationale, non-actionable/info→dismiss won't-fix+rationale}. Idempotent. Persist every decision keyed by stable (repo, rule, location_fingerprint) so re-scans never re-open. Mirror registry to .git-private-farm for offline-survivable learning.
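Sketch of the reconciler loop above, as an added example (not Hypatia's code). Assumptions: a rule-id policy table stands in for the 4-axis taxonomy, which this note does not define; the alert objects, rule ids and rationales are constructed; the location fingerprint hashes path plus start line; the mirror file layout under .git-private-farm is assumed. The endpoints and body fields (`state: dismissed`, `dismissed_reason: "won't fix"`, `dismissed_comment` capped at 280 characters) are GitHub's documented code-scanning REST API; `RecordingApi` is an offline stand-in with the same two methods so the pass can be exercised without a token.

```python
"""Sketch of Hypatia.ScorecardReconciler (added example, not Hypatia's code): pull open
code-scanning alerts, classify each, dismiss non-actionable and accepted-exception findings as
won't-fix with a rationale, persist every decision keyed by (repo, rule, location_fingerprint)."""
import hashlib
import json
import urllib.request
from pathlib import Path

ACTIONABLE, ACCEPTED, NON_ACTIONABLE = "actionable", "accepted-exception", "non-actionable"

# Stand-in for the 4-axis taxonomy, which this sketch does not define:
# rule id -> (class, rationale). Rule ids and rationales are constructed for the example.
POLICY = {
    "MaintainedID": (NON_ACTIONABLE, "activity metric; no code change can close it"),
    "SLSA-provenance": (ACCEPTED, "accepted exception, tracked in the SLSA issue"),
}

def location_fingerprint(alert):
    # Hashing path+start_line is an assumption; Scorecard findings are repo-level,
    # so for them the path alone carries the identity and line churn is not a problem.
    loc = alert["most_recent_instance"]["location"]
    raw = f"{loc.get('path')}:{loc.get('start_line')}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def decision_key(repo, alert):
    return f"{repo}|{alert['rule']['id']}|{location_fingerprint(alert)}"

def classify(alert):
    # Unknown rules default to actionable: the reconciler never auto-dismisses what it cannot place.
    return POLICY.get(alert["rule"]["id"], (ACTIONABLE, ""))

class GitHubApi:
    """Live client; endpoints and body fields are GitHub's documented ones (no pagination here)."""
    def __init__(self, token):
        self.headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    def _call(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    def list_open_alerts(self, repo):
        return self._call("GET", f"https://api.github.com/repos/{repo}/code-scanning/alerts?state=open&per_page=100")
    def dismiss(self, repo, number, reason, comment):  # the API caps dismissed_comment at 280 chars
        self._call("PATCH", f"https://api.github.com/repos/{repo}/code-scanning/alerts/{number}",
                   {"state": "dismissed", "dismissed_reason": reason, "dismissed_comment": comment[:280]})

class RecordingApi:
    """Offline stand-in with the same two methods: serves constructed alerts, records dismissals."""
    def __init__(self, alerts):
        self.alerts, self.patches = alerts, []
    def list_open_alerts(self, repo):
        return [a for a in self.alerts if a["state"] == "open"]
    def dismiss(self, repo, number, reason, comment):
        self.patches.append({"number": number, "dismissed_reason": reason, "dismissed_comment": comment})
        for a in self.alerts:
            if a["number"] == number:
                a["state"] = "dismissed"

def reconcile(api, repo, registry, dispatch_fix=lambda alert: None):
    """One idempotent pass. A prior decision is replayed, never re-triaged; an actionable
    alert is dispatched once and then left open (counted as pending) until the fix lands."""
    counts = {"dispatched": 0, "dismissed": 0, "replayed": 0, "pending": 0}
    for alert in api.list_open_alerts(repo):
        key = decision_key(repo, alert)
        prior = registry.get(key)
        if prior is None:
            cls, rationale = classify(alert)
            registry[key] = {"class": cls, "rationale": rationale, "alert": alert["number"]}
        else:
            cls, rationale = prior["class"], prior["rationale"]
            counts["replayed"] += 1
        if cls != ACTIONABLE:
            api.dismiss(repo, alert["number"], "won't fix", f"[{cls}] {rationale}")
            counts["dismissed"] += 1
        elif prior is None:
            dispatch_fix(alert)
            counts["dispatched"] += 1
        else:
            counts["pending"] += 1
    return counts

def save_registry(registry, path):
    """Mirror decisions to a file so the learning survives offline (.git-private-farm layout assumed)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(registry, indent=1, sort_keys=True))

def load_registry(path):
    return json.loads(Path(path).read_text()) if Path(path).exists() else {}

def sample_alerts():
    """Constructed alerts in the shape of GitHub's code-scanning alert objects."""
    def mk(n, rule, path):
        return {"number": n, "state": "open", "rule": {"id": rule},
                "most_recent_instance": {"location": {"path": path, "start_line": 1}}}
    return [mk(1, "MaintainedID", "/"), mk(2, "SLSA-provenance", "/"),
            mk(3, "PinnedDependenciesID", ".github/workflows/ci.yml")]

def run_two_audits(repo="org/repo"):
    """Audit, simulate the worst-case re-scan that re-opens everything, audit again."""
    api, registry = RecordingApi(sample_alerts()), {}
    first = reconcile(api, repo, registry)
    for a in api.alerts:
        a["state"] = "open"
    second = reconcile(api, repo, registry)
    return {"first": first, "second": second, "patches": api.patches, "registry": registry}
```

The second audit dismisses the same two findings again but records `replayed: 3, dispatched: 0`: every decision comes from the registry, and the actionable alert is not re-dispatched. Two checks worth keeping when wiring this to the live API: the default class for an unknown rule must stay actionable (fail closed, never silently won't-fix), and the comment string must carry the rationale, since that is the only place the audit trail survives in GitHub itself.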