docs+scanners: ReScript retirement sweep #180
Merged
Follow-up to the ReScript retirement that landed via merge commit 3e36682. That commit fixed the enforcement surface (rsr-antipattern.yml, hooks, supervision config). This one scrubs the policy-stating docs and simplifies the scanner rules.

## Policy docs — now consistent with the ban

* README.adoc: removed the `rescript:` language-ruleset entry from the example config (replaced with a 2026-04 breadcrumb pointing to Ephapax/Gossamer).
* READINESS.md: updated the recipe-matcher target list (line 17), estate-wide scan languages (line 44), and language-diversity evidence (line 115). All three now state that ReScript is retired but legacy repos still get scanned so they can be flagged for migration.
* TOPOLOGY.md: annotated `migration_rules.ex` (line 96) to clarify that it now drives *legacy* ReScript → Ephapax migration rather than generic ReScript API migration.
* SYSTEM-INTEGRATION.md: two changes. First, flagged the three `.lgt` entries in "What Was Built" as retired (commit d27fe4b) and added a note that rule logic now lives in `lib/rules/*.ex`. Second, annotated the two ReScript detection rules in "Current Rules Coverage" to mark them as legacy/migration audits.
* design-decisions.adoc: added a NOTE at the top of the "Storage Paradigm" section explaining that VeriSimDB's registry layer needs migration because ReScript was retired. The rest of the document is preserved as the original architecture record.

## Scanner scripts — simplified to "ReScript file = violation"

The user's directive was "well rescript is banned" — stronger than the tiered "detect specific unsafe patterns" approach the scanners had. Banning the whole language is strictly stronger than flagging three dangerous constructs inside it, so the constructs-level rules become redundant.

* poc-scanner.sh: dropped the ReScript `getExn` rule (was Rule 1) and the `Obj.magic` rule (was Rule 6). Added Rule 12: flag any `.res`/`.resi` file as CRITICAL banned-language. Updated banned-language recommendation messages to point at "Ephapax (systems) / Gossamer (UI)" instead of ReScript.
* hypatia-scanner-v2.sh: the per-file `getExn` pattern scan (Pattern 1) replaced with a flat "any `.res`/`.resi` file is CRITICAL" check.
* hypatia-cli-bash.sh: dropped the three ReScript pattern rules (Obj.magic, getExn, JSON.parseExn) — replaced with two catch-all banned-language rules (one for `*.res`, one for `*.resi`). Two side-comments about "JavaScript/ReScript" in later rules (eval, dangerouslySetInnerHTML) were clarified to note that any ReScript match is legacy-slip-through.

## What wasn't touched

* TEST-NEEDS.md — references ReScript in historical scan-result tables (burble, stapeln, boj-server etc.). Those are records of what was scanned, not policy statements, so they stay as-is.
* .audittraining/security-errors/*.md — historical audit artefacts. Same reasoning.
* .gitattributes / .gitignore — contain `*.res` / `*.resi` and a `# ReScript` section. Harmless (just line-ending + ignore patterns) and marked intentional by recent edits. Left alone.

No file deletions in this commit — purely content edits.
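The difference between the old construct-level rules and the flat banned-language rule described above, as an added example that is not the project's scanner code. The function names, the `HIGH` label for the old rules, the pruned directories and the sample tree are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from poc-scanner.sh or the other scanners.

# List ReScript sources under DIR. Pruning .git and node_modules is an
# assumed exclusion; the PR does not name any. Line-based, so paths that
# contain newlines are not supported.
rescript_files() {
    find "${1:-.}" \
        -type d \( -name .git -o -name node_modules \) -prune -o \
        -type f \( -name '*.res' -o -name '*.resi' \) -print
}

# Old tiered approach: report only files containing one of the three
# constructs the PR names. The HIGH label is hypothetical.
scan_constructs() {
    rescript_files "$1" | while IFS= read -r f; do
        if grep -q -F -e 'getExn' -e 'Obj.magic' -e 'JSON.parseExn' "$f"; then
            printf 'HIGH unsafe-construct: %s\n' "$f"
        fi
    done
}

# New flat rule: the existence of the file is the violation.
scan_banned() {
    rescript_files "$1" | while IFS= read -r f; do
        printf 'CRITICAL banned-language: %s -> Ephapax (systems) / Gossamer (UI)\n' "$f"
    done
}

# Gate helper: succeeds only when the flat rule reports nothing.
gate_banned() {
    [ -z "$(scan_banned "$1")" ]
}

# Constructed sample tree: one file with a flagged construct, one clean
# implementation, one interface file, and one vendored file that is pruned.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src" "$d/node_modules/dep"
    printf 'let x = Belt.Option.getExn(y)\n' > "$d/src/Unsafe.res"
    printf 'let add = (a, b) => a + b\n' > "$d/src/Clean.res"
    printf 'let add: (int, int) => int\n' > "$d/src/Clean.resi"
    printf 'let v = 1\n' > "$d/node_modules/dep/Vendored.res"
    printf '%s\n' "$d"
}
```

On the sample tree the construct rules report one file and the flat rule reports three, including the clean `.res` and the `.resi` interface that the old rules never saw. The match is by extension only, so any non-ReScript file that happens to end in `.res` is flagged too and would need an explicit exception.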
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
hyperpolymath added a commit that referenced this pull request May 27, 2026
## Root-cause summary

`governance / Language / package anti-pattern policy` has been failing on hypatia/main (and on every open PR) because:

- `.github/workflows/governance.yml:34` pinned `governance-reusable.yml@66271d3` (2026-05-22) — predates [hyperpolymath/standards#219](hyperpolymath/standards#219) (merged `ad366b6`, 2026-05-27).
- standards#219 fixes a `workflow_sha` resolution bug: in a reusable workflow, `github.workflow_sha` resolves to the **caller's** SHA, not the reusable's SHA. The inner self-checkout of `hyperpolymath/standards` therefore asked the standards repo for a SHA that only exists in hypatia → `exit 128` after 3 retries.

This PR bumps both standards-reusable pins past that fix.

## Pins changed

| File | Before | After |
|---|---|---|
| `.github/workflows/governance.yml:34` | `66271d3...` (2026-05-22) | `5eb28d7d8790d5389b7b6a5233fe6265a775e3d0` (standards/main, 2026-05-27) |
| `.github/workflows/hypatia-scan.yml:28` | `97df762...` (orphan SHA on PR-branch for #193) | `5eb28d7d8790d5389b7b6a5233fe6265a775e3d0` (canonical main) |

## Delta picked up (governance side)

7 commits, all fixes / hardening:

- `ad366b6` `fix(governance-reusable): pin standards self-checkout to main` (#219) **— the load-bearing fix**
- `481c496` `feat(governance): add check-trusted-base CI enforcement` (#211)
- `0ec0b83` `fix(governance): eradicate inline Python from governance-reusable.yml` (#189)
- `3285ac1` `fix(baseline): file_pattern glob matching + jq scoping bugs` (#180)
- `431adbb` `refactor(governance): subsume language-policy.yml + add deno-ci-reusable` (#168)
- `91d8b88` `feat: consume .hypatia-baseline.json in governance gate` (#166)
- `43b6563` `fix: checkout caller's repo in governance-reusable workflow`

Delta on hypatia-scan side: **none** (reusable file unchanged since #193 squash-merge).

## Estate implication

This same stale-pin pattern affects every repo whose `governance.yml` wrapper points to a pre-`ad366b6` SHA of `governance-reusable.yml`. An estate-wide fan-out bump-PR sweep is the comprehensive remedy (cf. session memory on the doomed-CI pilot). This PR is the per-repo first cut for hypatia.

## Auto-merge

SQUASH (per estate policy).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
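One way to find the stale-pin pattern from the "Estate implication" section in a checkout, as an added example that is not code from the commit or from the standards repo. The function names, the `hyperpolymath/standards/.github/workflows` path in the sample and the all-zero stale SHA are assumptions; only the known-good SHA comes from the "Pins changed" table.

```shell
#!/bin/sh
# Added example, not code from the commit or the standards repo.

# Known-good pin taken from the "Pins changed" table above.
GOOD_SHA=5eb28d7d8790d5389b7b6a5233fe6265a775e3d0

# audit_pins DIR REUSABLE WANT
# Prints one line per `uses:` reference to REUSABLE in DIR/*.yml whose ref
# is not exactly WANT. Equality with one known-good SHA stands in for a
# real "is this commit at or after the fix" ancestry check.
audit_pins() {
    awk -v name="$2" -v want="$3" '
        /^[ \t]*#/ { next }                 # skip commented-out lines
        $0 ~ ("uses:.*/" name "@") {
            ref = $0
            sub(/[ \t]+#.*$/, "", ref)      # drop a trailing comment
            sub(/.*@/, "", ref)             # keep what follows the @
            gsub(/[" \t\r]/, "", ref)       # drop quotes and whitespace
            if (ref != want)
                printf "STALE-PIN %s:%d %s@%s\n", FILENAME, FNR, name, ref
        }' "$1"/*.yml
}

# Gate helper: succeeds only when every pin matches WANT.
pins_ok() {
    [ -z "$(audit_pins "$@")" ]
}

# Constructed sample: one wrapper on a placeholder stale SHA, one on the
# known-good SHA. The repository path is an assumed location.
make_sample_workflows() {
    d=$(mktemp -d) || return 1
    stale=0000000000000000000000000000000000000000
    path=hyperpolymath/standards/.github/workflows
    printf 'jobs:\n  gate:\n    uses: %s/governance-reusable.yml@%s # old\n' \
        "$path" "$stale" > "$d/governance.yml"
    printf 'jobs:\n  gate:\n    uses: %s/governance-reusable.yml@%s\n' \
        "$path" "$GOOD_SHA" > "$d/fixed.yml"
    printf '%s\n' "$d"
}
```

Run against each repo's `.github/workflows` directory, `audit_pins` gives the file and line of every wrapper that still needs the bump, which is the input an estate-wide sweep would work from.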