wire reusable_workflow_sha_bump_needs_propagation rule: rule exists, registry+dispatch wiring missing #421

@hyperpolymath

State

Per session investigation 2026-06-02:

Hypatia (this repo) — detection module EXISTS but is UNREGISTERED:

Gitbot-fleet — actuation script EXISTS but is UNWIRED:

  • scripts/propagate-sha-bump.sh (consumes finding rule reusable_workflow_sha_bump_needs_propagation)
  • tests/propagate-sha-bump-smoke.sh exists
  • scripts/dispatch-runner.sh does NOT route this recipe_id to the script
  • So even if hypatia fired a finding, the dispatcher would default to writing it to findings/pending/ for rhodibot pickup — and rhodibot doesn't know to call this specific actuator

Net effect: 2026-06-02 session needed manual SHA pin bumps in 4 repos (conative-gating, http-capability-gateway, hybrid-automation-router, burble) for standards reusables — work that should have auto-propagated when standards updated fc7abf5. The 3-system propagation architecture is half-built.

What's needed

  1. Hypatia side — register the rule in the rule engine so it fires on PR-merge events. Likely changes lib/rules.ex (or wherever the rule list lives). One-line module add + smoke test.
  2. Gitbot-fleet side — add a routing branch in dispatch-runner.sh that detects recipe_id = reusable_workflow_sha_bump_needs_propagation and calls scripts/propagate-sha-bump.sh. Or register it in fix-script-registry.json under by_recipe.
  3. End-to-end test — manual trigger of a standards reusable bump should result in propagation PRs in consumer repos within (say) 1 hour.

Why the gap matters

Estate has ~290 repos. Every standards reusable change requires manual fan-out today. The architecture was designed to remove that. Wiring is the unblock.

Reference

  • This issue: hypatia#XXX (auto-generated)
  • Sister issue (to file): gitbot-fleet — propagate-sha-bump.sh not in dispatch routing
  • Source incident: 2026-06-02 session — see hyperpolymath/.claude memory feedback_scorecard_startup_failure_2026_06_02_park.md + the SHA-pin bump commits in the 4 repos above.

Scope note (no auto-licence-edits guardrail)

The actuation script already pre-filters by feedback_pr_sweep_title_keyword_exclusion — title containing license|SPDX|PMPL|MPL|AGPL|GPL|Apache|copyright|attribution|relicens|secret|vulnerab|CVE- is rejected before propagation. That guardrail is good as-is; this issue does NOT propose changes to the licence-edit refusal path.
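The routing branch from item 2, combined with the title guardrail from the scope note, as an added example that is not code from gitbot-fleet or hypatia. The function names, the route strings it prints, and the choice of case-insensitive substring matching are assumptions; only the recipe id, the script path, the findings/pending/ default and the keyword pattern come from this issue.

```shell
# Added illustration; function names and route strings are hypothetical.
RECIPE_SHA_BUMP="reusable_workflow_sha_bump_needs_propagation"
# Keyword pattern copied from the issue's scope note.
EXCLUDE_RE='license|SPDX|PMPL|MPL|AGPL|GPL|Apache|copyright|attribution|relicens|secret|vulnerab|CVE-'

# title_is_excluded TITLE: exit 0 when the title hits the guardrail.
# Assumption: case-insensitive, unanchored match. Under that assumption
# ordinary words such as "Implement" (contains "mpl") are also rejected,
# so the filter errs toward not propagating.
title_is_excluded() {
  printf '%s\n' "$1" | grep -Eiq -- "$EXCLUDE_RE"
}

# route_finding RECIPE_ID TITLE: print the route the dispatcher would take.
# The guardrail is checked before the actuator is selected, and unknown
# recipes keep the existing default of landing in findings/pending/.
route_finding() {
  case "$1" in
    "$RECIPE_SHA_BUMP")
      if title_is_excluded "$2"; then
        echo "reject:title-keyword"
      else
        echo "run:scripts/propagate-sha-bump.sh"
      fi
      ;;
    *)
      echo "pending:findings/pending/"
      ;;
  esac
}

# Constructed sample findings (recipe id, then PR title).
route_finding "$RECIPE_SHA_BUMP" "Bump reusable workflow SHA pin"
route_finding "$RECIPE_SHA_BUMP" "Update SPDX headers in workflows"
route_finding "some_other_recipe" "Bump reusable workflow SHA pin"
```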
