feat(rules): Group-B #333-cohort detectors — SD021/WF023/stale-issue-refs (#363/#364/#366)

[hyperpolymath]

What

Three #333-cohort ("Group-B") detectors. Each is a pure function taking its external signal as a parameter (branch list / closed-issue set), so they unit-test without live API access. The live-signal scan-flow wiring (fetching that signal during a scan) is the remaining follow-up each issue calls out.

• SD021 — StructuralDrift.check_workflow_branch_refs/3 (hypatia: detect workflow triggers referencing non-existent branches (from #333 cohort, pattern 4) #363): workflow trigger branches (on.push/pull_request.branches, inline [a, b] or block - a form) that aren't in the repo's live branch list; globs and the default branch are exempt.
• WF023 — WorkflowAudit.check_stale_continue_on_error/2 (hypatia: detect stale continue-on-error masks tied to closed issues (from #333 cohort, pattern 5) #364): a continue-on-error: true job whose "until/remove when #N" comment names an issue in the injected closed-issue set. Standalone (not wired into audit/3 — it needs the issue-state signal).
• HonestCompletion.check_stale_issue_refs/2 (hypatia: detect stale issue references in workflow/source comments (from #333 cohort, pattern 7) #366): source/workflow comments referencing a closed/merged issue via stale-marker phrasing (until/blocked by/remove when/…).

Not implemented (de-dup, per the #390 lesson)

• rule: detect phantom required status-check contexts in branch protection #339 (phantom required contexts) — already shipped as BP008 (zero-recent-check-runs detection). Issue already closed.
• hypatia: detect required-check dependency listed only in optionalDependencies (from #333 cohort, pattern 2) #361 (optionalDependencies) — overlaps existing build_system_rules (org-pkg-in-optionalDependencies); the required-check-correlation angle is distinct but partial-duplicate + API-dependent. Deferred to avoid a third near-duplicate — flagging rather than guessing.

Tests + docs

• test/rules/group_b_detectors_test.exs — sensitivity + specificity for each detector.
• CHANGELOG (md + adoc) entries; STATE.a2ml session-history entry.

Verified at source (local Elixir 1.14)

• each module compiles with no new warnings
• format-isolation (HEAD vs branch, both 1.14-formatted) → pure additions, removed=0 (no pre-existing reflow)
• the real compiled modules pass every fixture (SD021 inline/block/exempt, WF023 closed/open/no-coe, hypatia: detect stale issue references in workflow/source comments (from #333 cohort, pattern 7) #366 closed/open)

These detectors are public on their modules but not auto-wired into the scan aggregators (they require an injected signal not yet available in the scan flow) — consistent with each issue's "via GitHub API / git index" note. I'll update #363/#364/#366 with this state rather than closing them.

Refs #363 #364 #366

---

Generated by Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 103 issues detected

Severity	Count
🔴 Critical	0
🟠 High	0
🟡 Medium	103

View findings

[
  {
    "reason": "Action urin 21 JRE\n        uses: actions/setup-java@be666c2fcd27 needs attention",
    "type": "unpinned_action",
    "file": "verify-proofs.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "missing_timeout_minutes",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "missing_timeout_minutes",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence