fix: un-break Hypatia Neurosymbolic Analysis (Phase-2 hard-fail + GS005 CI false-positive) #252
Merged
The "Hypatia Neurosymbolic Analysis" check failed identically on every
consuming repo's PR regardless of content. Root cause: the "Submit
findings to gitbot-fleet (Phase 2)" step runs whenever findings_count
> 0, clones gitbot-fleet, and execs scripts/submit-finding.sh — a path
that no longer exists on gitbot-fleet's default branch (its main now
holds only .github/). The missing script exited 127, hard-failing the
job for any repo with >=1 finding.
Phase 2 is the collaborative LEARNING side-channel ("bots share
findings via gitbot-fleet"), not the security gate. The gate is the
separate baseline-aware "Check for critical or high-severity issues"
step. A fleet-side regression must never break every consuming repo's
scan — same reasoning the "Comment on PR with findings" step already
applies.
Fix at source, two layers:
- continue-on-error: true on the Phase-2 step (decouples the learning
side-channel from pass/fail, matching the PR-comment step).
- Self-healing run body: non-fatal clone, probe known submit-script
locations, skip gracefully with ::warning:: if absent or non-zero.
Findings are still uploaded as an artifact and gated below, so
security enforcement is unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
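The "self-healing run body" described in the commit message above, as an added shell sketch; it is not the project's workflow code. Only `scripts/submit-finding.sh` is named on this page: the other candidate paths, the function name and the `PHASE2_STATUS` variable are hypothetical, and the submit script is assumed to be runnable by `sh`.

```sh
#!/bin/sh
# Added example (not the project's workflow): a Phase-2 submit step that
# cannot fail the job. Only scripts/submit-finding.sh is named on the page;
# the other candidate paths below are hypothetical.

PHASE2_STATUS=""

# submit_findings_best_effort <fleet_checkout_dir> <findings_file>
# The caller clones gitbot-fleet beforehand and ignores a clone failure.
# Always returns 0. The outcome is left in PHASE2_STATUS:
#   submitted | skipped-no-clone | skipped-no-script | failed-nonfatal
submit_findings_best_effort() {
    fleet_dir=$1
    findings=$2
    PHASE2_STATUS=""

    if [ ! -d "$fleet_dir" ]; then
        echo "::warning::gitbot-fleet checkout missing; Phase-2 submission skipped"
        PHASE2_STATUS="skipped-no-clone"
        return 0
    fi

    # Probe the candidate locations in order; the first regular file wins.
    script=""
    for candidate in \
        scripts/submit-finding.sh \
        scripts/fleet/submit-finding.sh \
        bin/submit-finding.sh
    do
        if [ -f "$fleet_dir/$candidate" ]; then
            script="$fleet_dir/$candidate"
            break
        fi
    done

    if [ -z "$script" ]; then
        echo "::warning::no submit script in gitbot-fleet checkout; Phase-2 submission skipped"
        PHASE2_STATUS="skipped-no-script"
        return 0
    fi

    # Run through the interpreter so a lost exec bit cannot produce exit 126,
    # and test the result inside `if` so a non-zero exit never propagates.
    if sh "$script" "$findings"; then
        PHASE2_STATUS="submitted"
    else
        rc=$?
        echo "::warning::submit script exited $rc; findings stay in the uploaded artifact"
        PHASE2_STATUS="failed-nonfatal"
    fi
    return 0
}
```

Every branch ends in `return 0`, so the step stays green even without `continue-on-error: true`; the two layers cover each other.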
The deeper root cause behind the estate-wide "Hypatia Neurosymbolic
Analysis" failure. Once the Phase-2 telemetry hard-fail was decoupled,
the real gate ("Check for critical or high-severity issues") still
failed with exactly:
[high] git_state/GS005 — . (1 new finding outside baseline)
GitHub Actions checks out a *detached HEAD* by design on every
pull_request build (refs/pull/N/merge) and for pinned-SHA pushes. The
runner is ephemeral and makes no working-tree commits, so GS005's
data-loss rationale ("commits will be lost") simply does not apply.
The result: GS005 fired `high` on `.` for every PR in every consuming
repo regardless of content — content-independent, exactly the
reported symptom.
Fix at source per the repo's "prevent FPs at source" mandate
(fix > inline directive > .hypatia-ignore > baseline): GS005 is
exempt under CI. Detected via the de-facto `CI` env var plus
GITHUB_ACTIONS / GITLAB_CI / BUILD_ID / RUNNER_OS markers. Detached
HEAD remains a real, flagged risk on a developer's persistent
working copy.
Testability: extracted gs005_detached_head/2 with an explicit ci?
flag so detection is exercised deterministically without mutating
process env in async tests. Added a CI-exemption test; existing
tests pin ci?=false. Full git_state suite: 16 tests, 0 failures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
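The CI exemption and the explicit-flag test seam described in the commit message above, as an added shell sketch; the project's own check is `gs005_detached_head/2` in the scanner and is not shown on this page. Reading `.git/HEAD` directly to detect a detached HEAD, the helper names and the printed finding format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the scanner's code. The five environment markers are
# the ones listed in the commit message; everything else is illustrative.

# ci_detected: succeeds when any CI marker is set and non-empty.
ci_detected() {
    [ -n "${CI:-}" ] || [ -n "${GITHUB_ACTIONS:-}" ] || [ -n "${GITLAB_CI:-}" ] \
        || [ -n "${BUILD_ID:-}" ] || [ -n "${RUNNER_OS:-}" ]
}

# head_is_detached <repo_dir>
# A branch checkout stores "ref: refs/heads/<name>" in .git/HEAD; a detached
# HEAD stores a bare object id. (Assumes a plain checkout, not a linked
# worktree, where .git is a file.)
head_is_detached() {
    head_file="$1/.git/HEAD"
    [ -f "$head_file" ] || return 1
    head_line=""
    IFS= read -r head_line < "$head_file" || true
    case $head_line in
        "ref: "*|"") return 1 ;;
        *) return 0 ;;
    esac
}

# gs005_detached_head <repo_dir> <ci_flag>
# ci_flag is passed in ("true"/"false") so tests never touch the process
# environment. Prints one finding line when the rule fires, nothing otherwise.
gs005_detached_head() {
    repo_dir=$1
    ci_flag=$2
    if [ "$ci_flag" = "true" ]; then
        return 0    # ephemeral runner: no local commits to lose
    fi
    if head_is_detached "$repo_dir"; then
        echo "high git_state/GS005 ."
    fi
    return 0
}

# gs005 <repo_dir>: production entry point, derives the flag from the env.
gs005() {
    if ci_detected; then
        gs005_detached_head "$1" true
    else
        gs005_detached_head "$1" false
    fi
}
```

Any shell that exports one of these variables silences GS005, so the markers are a convenience signal, not a trust boundary; that is tolerable here because the rule guards against lost commits on a persistent working copy.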
🔍 Hypatia Security Scan
Findings: 10 issues detected
View findings
[
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/hypatia/hypatia/src/abi/RuleEngine.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "Docker reference in Nickel config -- RSR requires Podman/Containerfile (1 occurrences, CWE-1104)",
"type": "ncl_docker_not_podman",
"file": "/home/runner/work/hypatia/hypatia/.machine_readable/svc/k9/hypatia-metadata.k9.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/hypatia/hypatia/configs/config.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "unsafe block -- requires SAFETY comment (22 occurrences, CWE-676)",
"type": "unsafe_block",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "as_ptr exposes raw pointer that may dangle or alias unsafely (10 occurrences, CWE-676)",
"type": "as_ptr",
"file": "/home/runner/work/hypatia/hypatia/clients/rust/hypatia-client/src/ffi.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/codeberg.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/adapters/src/radicle.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"line": 35,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/hypatia/hypatia/.hypatia-exemptions.md",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "1 workflow(s) with tag-pinned (not SHA-pinned) actions in hypatia",
"type": "DependencyPinning",
"file": "/home/runner/work/hypatia/hypatia",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Pin GitHub Actions and Docker base images by SHA hash.",
"scorecard_check": "Pinned-Dependencies"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Adds scripts/sweeps/ — drafted, validated tooling to propagate the Phase-2 fix to the ~85 consuming repos that carry their own copy of hypatia-scan.yml (Layer 2/GS005 needs no propagation; it ships in the scanner binary).
- phase2-canonical.fragment.yml: canonical fixed Phase-2 block (SoT).
- patch_phase2.py: idempotent, surgical block replacer. Verified — patching the pre-#252 workflow yields a file byte-identical to the post-#252 canonical workflow. Exit 0/2/3/1.
- resync-hypatia-scan-phase2.sh: dry-run-by-default driver (enumerate -> clone -> patch -> validate YAML -> diff | branch+PR). Honours estate policy: ReScript-handsoff exclusions, Refs not Closes, no -u on token-bearing push, Co-Authored-By trailer, merges left to maintainer.
- README.adoc: rationale, usage, guarantees.
Dry-run proven on real repos: already-patched -> skip, excluded -> skip, unpatched -> clean surgical diff. No PRs opened (draft).
Refs #252
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hypatia's own self-scan correctly flagged scripts/sweeps/patch_phase2.py as [critical] cicd_rules/banned_language_file. Python is banned estate-wide (the entire point of the #31 work).
Replaced with patch_phase2.sh (pure shell: grep/sed/awk/head/tail) and removed the .py. Driver now shells out to it and validates post-patch via yq when available, else a structural sanity check — no python3 invocation anywhere.
Verified unchanged behaviour: patching the pre-#252 workflow yields a file byte-identical to the post-#252 canonical workflow; idempotent rc=2; not-applicable/missing rc=3. Dry-run proven on real repos.
Refs #252
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/gitbot-fleet
that referenced
this pull request
May 16, 2026
…uard main had been silently gutted from 1777 files to 2 by a squash-merge from a near-empty base (the post-#126/#128/#141/#142 sequence). The loss went unrepaired for months and broke hypatia's Phase-2 learning submission estate-wide: scripts/submit-finding.sh — the findings sink hypatia-scan.yml execs in every consuming repo — no longer existed, exit-127ing the security gate for any repo with >=1 finding.
This restores the full repo to last-good tree 9b0a29e (the last first-parent commit on main before the deletion: all bots, scripts/, shared-context/, dashboard, docs, robot-repo-automaton/, etc.), preserving the only two legitimate post-deletion improvements:
* .github/workflows/secret-scanner.yml — kept current main (#141: step-level Cargo.toml gate).
* .github/workflows/hypatia-scan.yml — replaced with the canonical post-hypatia#252 hardened workflow (Layer-1: Phase-2 step is continue-on-error + self-healing, so a future fleet-side hiccup can never again hard-fail the gate).
scripts/submit-finding.sh is the already-hardened version (input validation, JSON-shape normalisation, best-effort push with ::warning::, repository_dispatch intake) — restored verbatim, mode 0755.
"Forever" guard: .github/workflows/repo-integrity-guard.yml fails any push/PR to main that (a) deletes >50 tracked files vs base without an explicit [mass-delete-ok] marker, or (b) drops a critical path (scripts/submit-finding.sh, run-fleet.sh, fleet-coordinator.sh, README.adoc). A stale-base squash can no longer silently nuke main.
Refs hyperpolymath/hypatia#252
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
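The two guard rules stated in the commit message above, as an added shell sketch; this is not the content of repo-integrity-guard.yml. The threshold, marker and critical paths are the ones on this page; the function name, `GUARD_REASON`, and the assumption that the marker is searched for in the commit message or PR text are this example's own.

```sh
#!/bin/sh
# Added example, not the project's guard workflow.

MASS_DELETE_LIMIT=50
MASS_DELETE_MARKER='[mass-delete-ok]'
CRITICAL_PATHS='scripts/submit-finding.sh run-fleet.sh fleet-coordinator.sh README.adoc'
GUARD_REASON=""

# integrity_guard <deleted_list_file> <change_text>
# deleted_list_file holds one deleted path per line, for example from
#   git diff --no-renames --name-only --diff-filter=D "$base" "$head"
# (--no-renames makes a moved critical file count as a deletion).
# change_text is the commit message or PR text searched for the marker.
# Returns 0 to allow the change, 1 to block it; GUARD_REASON says why.
integrity_guard() {
    deleted_list=$1
    change_text=$2
    GUARD_REASON=""

    # Fail closed: no readable diff means no evidence the change is safe.
    if [ ! -r "$deleted_list" ]; then
        GUARD_REASON="deleted-path list unavailable"
        return 1
    fi

    # Rule (b): a dropped critical path blocks, marker or not.
    for critical in $CRITICAL_PATHS; do
        if grep -Fxq -- "$critical" "$deleted_list"; then
            GUARD_REASON="critical path deleted: $critical"
            return 1
        fi
    done

    # Rule (a): more than the limit needs the explicit marker.
    deleted_count=$(grep -c . "$deleted_list" || true)
    if [ "$deleted_count" -gt "$MASS_DELETE_LIMIT" ]; then
        case $change_text in
            *"$MASS_DELETE_MARKER"*)
                GUARD_REASON="$deleted_count deletions accepted via $MASS_DELETE_MARKER"
                return 0 ;;
        esac
        GUARD_REASON="$deleted_count files deleted (limit $MASS_DELETE_LIMIT) without $MASS_DELETE_MARKER"
        return 1
    fi
    return 0
}
```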
hyperpolymath
added a commit
to hyperpolymath/gitbot-fleet
that referenced
this pull request
May 16, 2026
After the mass-deletion restore, gitbot-fleet had no .hypatia-baseline.json,
so hypatia-scan ran legacy-mode and failed on ANY critical/high finding
(127 in the restored legacy tree). This bootstraps the baseline exactly
as hypatia itself did, making the gate baseline-aware: pre-existing
findings are accepted, genuinely-new critical/high findings still fail.
Generated from the real CI scan (run 25958894642) with the gate's own
identity projection — {severity, rule_module, type, file} with runner
paths normalised — so it matches the gate byte-for-byte (verified:
simulated gate subtraction yields new_count=0). 99 unique entries.
Triage of the accepted findings (all pre-existing, none introduced
here; confirmed false positives / legacy debt, not live leaks):
* 35 cicd_rules/banned_language_file — restored gsbot Python scripts.
* 32 migration_rules/deprecated_api — legacy bot code.
* 27 security_errors/secret_detected — scanner-self-match: cipherbot's
own detection regexes + test fixtures, and commented-out
placeholders in echidnabot.toml/.example.toml/docs. No real secret.
* 24 code_safety/unwrap_without_check — Rust unwraps in bot code.
Fixing these at source (banned-language migration, secret-FP markers,
unwrap hardening) is tracked separately as legacy debt; baselining is
the designed bootstrap, not the end state.
Refs hyperpolymath/hypatia#252
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
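The baseline subtraction described in the commit message above, as an added shell sketch and not Hypatia's own gate: findings are projected to {severity, rule_module, type, file}, runner paths are normalised, and only critical/high keys absent from the baseline remain. It assumes findings are pretty-printed one field per line, as in the scan comment on this page, and that runner paths have the form `/home/runner/work/<repo>/<repo>/...`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the project's gate. A line-oriented awk reader stands in
# for a real JSON parser and only handles the one-field-per-line layout.

# project_findings <findings.json>
# Emits one sorted, de-duplicated identity key per finding:
#   severity <TAB> rule_module <TAB> type <TAB> file
project_findings() {
    awk '
        function value(s,   v) {
            v = s
            sub(/^"[^"]*":[ \t]*"/, "", v)
            sub(/"$/, "", v)
            return v
        }
        {
            line = $0
            gsub(/^[ \t]+|[ \t,]+$/, "", line)
            if (line == "{") { sev = ""; mod = ""; typ = ""; file = ""; next }
            if (line ~ /^"severity":/)    sev  = value(line)
            if (line ~ /^"rule_module":/) mod  = value(line)
            if (line ~ /^"type":/)        typ  = value(line)
            if (line ~ /^"file":/)        file = value(line)
            if (line == "}") {
                if (sub("^/home/runner/work/[^/]+/[^/]+", "", file)) sub("^/", "", file)
                if (file == "") file = "."
                print sev "\t" mod "\t" typ "\t" file
            }
        }
    ' "$1" | LC_ALL=C sort -u
}

# new_blocking_findings <scan.json> <baseline.json>
# Prints the critical/high identity keys present in the scan but not in the
# baseline. Empty output means the gate passes.
new_blocking_findings() {
    scan_keys=$(mktemp)
    base_keys=$(mktemp)
    project_findings "$1" > "$scan_keys"
    project_findings "$2" > "$base_keys"
    LC_ALL=C comm -23 "$scan_keys" "$base_keys" \
        | awk -F '\t' '$1 == "critical" || $1 == "high"'
    rm -f "$scan_keys" "$base_keys"
}
```

Without the path normalisation, a baseline recorded with repository-relative paths would never match a scan taken on a runner, and every accepted finding would reappear as new.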
This was referenced May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/nextgen-languages
that referenced
this pull request
May 16, 2026
Layer-1 propagation of **hyperpolymath/hypatia#252**.
This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom.
Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched).
Fix mirrors the canonical workflow:
- `continue-on-error: true` on the Phase-2 step.
- Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero.
Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged.
Refs hyperpolymath/hypatia#252
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/ochrance
that referenced
this pull request
May 16, 2026
Layer-1 propagation of hyperpolymath/hypatia#252.
This repo's own copy of hypatia-scan.yml hard-failed (exit 127) for any commit with >=1 finding: the "Submit findings to gitbot-fleet (Phase 2)" step cloned gitbot-fleet and exec'd scripts/submit-finding.sh, which no longer exists on gitbot-fleet's default branch.
Phase 2 is the collaborative LEARNING side-channel, not the security gate.
Fix: continue-on-error + self-healing body (non-fatal clone, probe known script paths, graceful ::warning:: skip). Security enforcement (the baseline-aware critical/high step) is unchanged.
Refs hyperpolymath/hypatia#252
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
added a commit
to hyperpolymath/odds-and-sods-package-manager
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/patch-bridge
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/phronesis
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/polyglot-i18n
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/pow-the-game
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/presswerk
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/qubes-sdp
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/raze-tui
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/robot-vacuum-cleaner
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/session-sentinel
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/statistease
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/the-nash-equilibrium
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/thejeffparadox
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/volumod
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/voyage-enterprise-decision-system
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/vscode-a2ml
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/wokelang
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/cloud-sync-tuner
that referenced
this pull request
May 16, 2026
hyperpolymath
added a commit
to hyperpolymath/heterogenous-mobile-computing
that referenced
this pull request
May 16, 2026
hyperpolymath added a commit to hyperpolymath/ipv6-site-enforcer that referenced this pull request (May 16, 2026)
Layer-1 propagation of hyperpolymath/hypatia#252.
This repo's own copy of hypatia-scan.yml hard-failed (exit 127) for any commit with >=1 finding: the "Submit findings to gitbot-fleet (Phase 2)" step cloned gitbot-fleet and exec'd scripts/submit-finding.sh, which no longer exists on gitbot-fleet's default branch. Phase 2 is the collaborative LEARNING side-channel, not the security gate.
Fix: continue-on-error + self-healing body (non-fatal clone, probe known script paths, graceful ::warning:: skip). Security enforcement (the baseline-aware critical/high step) is unchanged.
Refs hyperpolymath/hypatia#252
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/polysafe-gitfixer that referenced this pull request (May 16, 2026)
Layer-1 propagation of **hyperpolymath/hypatia#252**.
This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom.
Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched).
Fix mirrors the canonical workflow:
- `continue-on-error: true` on the Phase-2 step.
- Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero.
Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged.
Refs hyperpolymath/hypatia#252
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/preference-injector that referenced this pull request (May 16, 2026)
Layer-1 propagation of **hyperpolymath/hypatia#252**.
This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom.
Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched).
Fix mirrors the canonical workflow:
- `continue-on-error: true` on the Phase-2 step.
- Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero.
Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged.
Refs hyperpolymath/hypatia#252
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit to hyperpolymath/fireflag that referenced this pull request (May 16, 2026)
Layer-1 propagation of **hyperpolymath/hypatia#252**.
This repo carries its own copy of `.github/workflows/hypatia-scan.yml`. The **"Submit findings to gitbot-fleet (Phase 2)"** step hard-failed the job (exit 127) for any commit with ≥1 finding — it clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch. That is the estate-wide "Hypatia Neurosymbolic Analysis fails regardless of content" symptom.
Phase 2 is the collaborative **learning** side-channel, not the security gate (the gate is the separate baseline-aware critical/high step, which is untouched).
Fix mirrors the canonical workflow:
- `continue-on-error: true` on the Phase-2 step.
- Self-healing body: non-fatal clone, probe known submit-script paths, skip with `::warning::` if absent or non-zero.
Surgical: only the Phase-2 step changed; every other step preserved. Security enforcement is unchanged.
Refs hyperpolymath/hypatia#252
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request (May 16, 2026)
The Layer-1 sweep (`scripts/sweeps/resync-hypatia-scan-phase2.sh`, delivered in #252) commits with `user.email=jonathan.jewell@gmail.com`. With GitHub email-privacy enabled, every `git push` in `--apply` is rejected, so the sweep opens **zero** PRs while reporting push failures.
Observed live during the Layer-1 propagation: an `--apply` run failed **55/83** repos this way until the email was patched locally; the retry with the noreply form opened all 51 remaining PRs with **zero** push errors.
One-line fix: use `6759885+hyperpolymath@users.noreply.github.com` — the estate's standard author identity (already used for the gitbot-fleet restore and #145) — so unattended sweeps work.
Refs #252
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fixes the estate-wide Hypatia Neurosymbolic Analysis check failure — failed identically regardless of content on every consuming repo (#29/#30/#34/#35) and hypatia's own main. Two stacked root causes, both fixed at source; plus drafted propagation tooling for the consuming repos.
Layer 1 — Phase-2 fleet submission hard-failed the gate
Scanner emits findings → "Submit findings to gitbot-fleet (Phase 2)" step clones `gitbot-fleet` and execs `scripts/submit-finding.sh`, which no longer exists on gitbot-fleet's default branch → exit 127, job fails for any repo with ≥1 finding. Phase 2 is the learning side-channel, not the gate.
`continue-on-error: true` + self-healing body (non-fatal clone, probe known script paths, graceful `::warning::`).
Layer 2 — GS005 flagged CI's by-design detached HEAD
With L1 fixed, the real baseline-aware gate still failed: `[high] git_state/GS005 — .`. GitHub Actions checks out a detached HEAD on every PR build; GS005's data-loss rationale doesn't apply to an ephemeral runner, yet it fired `high` on every PR regardless of content.
CI/GITHUB_ACTIONS/GITLAB_CI/BUILD_ID/RUNNER_OS); still flagged on a dev's persistent working copy. Fixed at source (not baselined).
`gs005_detached_head/2` testable seam + CI-exemption test; `git_state` suite 16/0.
Layer-1 propagation sweep (`scripts/sweeps/`)
~85 consuming repos carry their own copy of the workflow (L2 ships in the scanner binary, so it needs no propagation). Drafted, validated, dry-run-by-default tooling:
- `phase2-canonical.fragment.yml` — canonical fixed block (source of truth).
- `patch_phase2.sh` — idempotent surgical block replacer (pure shell — the estate bans Python; the first cut used `.py` and hypatia's own scanner correctly flagged it `banned_language_file`, now fixed).
- `resync-hypatia-scan-phase2.sh` — driver: enumerate → clone → patch → validate → diff | branch+PR. Honours estate policy (ReScript-handsoff exclusions, `Refs` not `Closes`, no `-u` on token URLs, `Co-Authored-By`, merges left to maintainer).
Verified: patching the pre-#252 workflow yields a file byte-identical to the post-#252 canonical workflow; idempotent; dry-run proven on real repos (already-patched→skip, excluded→skip, unpatched→clean diff). No PRs opened — it is a draft, run with `--apply` when ready.
Security posture unchanged
Findings still uploaded as an artifact and gated by the unchanged baseline-aware critical/high step. L1 only de-fangs telemetry; L2 removes a CI-only self-inflicted FP.
Out of scope
Restoring/relocating `submit-finding.sh` in `gitbot-fleet` is a separate gitbot-fleet concern; this PR makes hypatia robust to its absence either way.
🤖 Generated with Claude Code
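
The Layer-1 behaviour described above (tolerate a missing checkout, probe known script paths, warn and skip instead of failing), written as a shell function. This is an added example, not the workflow body shipped in #252; the function name, `PHASE2_STATUS`, the candidate paths other than `scripts/submit-finding.sh`, and the single findings-file argument are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration, not the hypatia workflow's actual run body.
# Only scripts/submit-finding.sh is named in the PR; the other
# candidate locations are hypothetical.
PHASE2_CANDIDATES="scripts/submit-finding.sh bin/submit-finding.sh submit-finding.sh"

# submit_findings_nonfatal FLEET_DIR FINDINGS_FILE
# Always returns 0 so the learning side-channel cannot fail the job.
# Sets PHASE2_STATUS to one of:
#   submitted | skipped-no-clone | skipped-no-script | skipped-script-failed
submit_findings_nonfatal() {
  fleet_dir=$1
  findings=$2
  PHASE2_STATUS=""

  # The clone is attempted elsewhere; a failed clone leaves no directory.
  if [ ! -d "$fleet_dir" ]; then
    echo "::warning::gitbot-fleet checkout unavailable; skipping Phase-2 submission"
    PHASE2_STATUS="skipped-no-clone"
    return 0
  fi

  # Probe each known location and stop at the first script that exists.
  script=""
  for rel in $PHASE2_CANDIDATES; do
    if [ -f "$fleet_dir/$rel" ]; then
      script="$fleet_dir/$rel"
      break
    fi
  done

  if [ -z "$script" ]; then
    echo "::warning::no submit script found in gitbot-fleet; skipping Phase-2 submission"
    PHASE2_STATUS="skipped-no-script"
    return 0
  fi

  # Run via the interpreter so a missing exec bit cannot produce exit 126.
  if bash "$script" "$findings"; then
    PHASE2_STATUS="submitted"
  else
    rc=$?
    echo "::warning::submit script exited $rc; findings remain in the uploaded artifact"
    PHASE2_STATUS="skipped-script-failed"
  fi
  return 0
}
```

The gate step that checks critical or high-severity findings stays a separate, fatal step; only the submission path swallows errors.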