Review SCM files and security updates#1
Merged
Conversation
…r pinning - Add SSH known_hosts verification for GitLab, Codeberg, and Bitbucket to prevent MITM attacks during git push operations - Pin runner version to ubuntu-22.04 for reproducible builds - Add concurrency controls to prevent race conditions on parallel pushes
- GitLab: Use hardcoded official SSH host keys (ed25519, rsa, ecdsa) - Codeberg: Use ssh-keyscan with fingerprint verification against official SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g - Bitbucket: Use hardcoded official SSH host keys from /site/ssh This eliminates the MITM attack window that existed when fetching keys at runtime without verification. Sources: - https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints - https://docs.codeberg.org/security/ssh-fingerprint/ - https://bitbucket.org/site/ssh
hyperpolymath
pushed a commit
that referenced
this pull request
Jan 26, 2026
DOGFOODING FIX #1: Hypatia fixes itself! BEFORE: - 8 HIGH severity unwrap() calls on Regex::new() - Would panic at runtime if regex compilation failed - No error messages on failure AFTER: - 8 MEDIUM severity expect() calls with descriptive messages - Static Lazy<Regex> compiled at startup - Clear error messages if compilation fails - Proper expect() messages explain WHY failure is a bug CHANGES: - Added once_cell dependency for Lazy statics - Converted Scanner struct fields to static REGEX constants - Replaced unwrap() with expect() + descriptive messages - Removed unused struct fields (Scanner is now zero-sized) SEVERITY REDUCTION: - HIGH → MEDIUM (8 findings downgraded) - Pattern: unwrap_without_check → expect_without_check - This is acceptable: expect() with messages is Rust best practice LEARNING ENGINE UPDATE: - Pattern observed: unwrap_on_regex_compilation - Fix applied: Use Lazy<Regex> with expect() - Outcome: SUCCESS (compiles, tests pass, severity reduced) This proves the dogfooding loop works: 1. ✅ Scanner found real issues in its own code 2. ✅ Applied recommended fix (static Lazy patterns) 3. ✅ Verified fix works (cargo check passes) 4. ✅ Re-scanned to confirm improvement Next: Fix CLI unwraps, then test/adapter code. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
hyperpolymath
added a commit
that referenced
this pull request
Apr 22, 2026
…188) Promotes the benchmark harness at `fixer/benches/hypatia_bench.rs` from "scaffolded" to "partial" per the Six Sigma classification in TESTING-AUDIT.md: * Runs criterion on every PR touching `fixer/**` or the bench infrastructure itself (and on main). * Compares results against a committed baseline in `.machine_readable/benchmarks/baselines.json`. * Fails CI if any benchmark regresses by more than the configured threshold (default 50% per the Acceptable / Unacceptable boundary in TESTING-TAXONOMY.adoc). ## Files * `.github/workflows/bench.yml` — criterion run + gate + artefact upload. Supports `workflow_dispatch` with a `regenerate-baseline` mode that produces an artefact for human review (no auto-commit). * `.machine_readable/benchmarks/baselines.json` — seed file with empty `baselines` map. Until populated the gate runs in "advisory mode" (logs current numbers, passes). * `.machine_readable/benchmarks/README.md` — full convention documentation: schema, regeneration flow, what is and isn't in scope. * `scripts/check-bench-regression.py` — compares current bench output against baselines, writes Markdown summary for `$GITHUB_STEP_SUMMARY`, exits 1 on regression. * `scripts/update-bench-baselines.py` — parses bencher-format output and rewrites baselines.json preserving metadata keys. ## Design choices * **Quick mode:** `--warm-up-time 1 --measurement-time 2 --sample-size 10` caps total runtime at ~2 minutes. Good enough to catch >20% regressions. * **Bencher text output, not JSON:** criterion's JSON lives in `target/criterion/<name>/new/estimates.json` and needs a walker. The bencher line format is stable and Python-friendly. * **Baselines in git, not cache:** cache-based baselines are brittle under branch isolation and eviction. Committed JSON survives reviews and history. * **No auto-commit of regenerated baselines:** baseline updates are meaningful and deserve human review. The regenerate mode emits an artefact; a person downloads and commits. ## Local usage cargo bench --bench hypatia_bench -- \ --warm-up-time 1 --measurement-time 2 --sample-size 10 \ --output-format bencher > /tmp/bench.txt python3 scripts/check-bench-regression.py \ /tmp/bench.txt \ .machine_readable/benchmarks/baselines.json ## What this does NOT do * Does not yet benchmark startup, build time, energy, FFI overhead — those remain in the punch list. * Does not benchmark the Elixir engine. Elixir benching via `Benchee` is a separate follow-up. Scripts validated end-to-end with synthetic bencher output: * advisory mode (empty baselines) → exit 0, clean summary. * 1.5% change → ✅ pass. * 35% change →⚠️ warning, still pass. * 147% change → ❌ fail, exit 1, `::error::` annotation emitted. Co-authored-by: Claude <noreply@anthropic.com>
This was referenced May 16, 2026
hyperpolymath
added a commit
that referenced
this pull request
May 18, 2026
…ion (#265) (#271) Refs #260 / #263 / #265 — **do not auto-close**. Follow-up increment to merged #264 (which explicitly deferred this). ### Problem (natsci-studio live calibration) `BranchProtectionID` / `CodeReviewID` were `:open_escalate` — correct (never silently dropped) but suboptimal: they are *repository-configuration-actionable* via the GitHub settings API, not code fixes and not non-actionable. natsci-studio dry-run: alerts #1 BranchProtection / #3 CodeReview should auto-remediate under full-auto. ### Change Third, narrow action class between `:fix` (code) and `:open_escalate`: - `classify/2`: `BranchProtectionID`/`CodeReviewID` → `:fix_settings`. - `reconcile/3`: new `:policy` opt (default `:full_auto`); `do_fix_settings/3` is an idempotent branch-protection PUT requiring ≥1 PR review on the default branch (satisfies both checks). `:conservative` escalates instead. - `mix hypatia.reconcile … --conservative`; summary gains `settings_remediated`/`settings_actionable`. ### Verification `mix compile` clean. Full suite **809/809** (+3 new tests). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.