Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/governance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,4 @@ permissions:

jobs:
governance:
uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
2 changes: 1 addition & 1 deletion .github/workflows/hypatia-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,5 @@ permissions:

jobs:
hypatia:
uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/mirror.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,5 +11,5 @@ permissions:

jobs:
mirror:
uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
uses: hyperpolymath/standards/.github/workflows/mirror-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/rust-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ permissions:

jobs:
rust-ci:
uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
with:
enable_audit: true
enable_coverage: true
73 changes: 53 additions & 20 deletions .github/workflows/scorecard-enforcer.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
# SPDX-License-Identifier: MPL-2.0
# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
# Prevention workflow — runs OpenSSF Scorecard and enforces the repo-side,
# deterministically-satisfiable posture. The aggregate Scorecard number embeds
# org-plane checks (Branch-Protection, Code-Review) that cannot be satisfied from
# inside the repository, so it is reported for visibility but NOT hard-gated here
# (that would be an un-winnable gate — see docs / the PR FLAGS section). What we
# DO hard-gate is everything the repository itself controls: SECURITY.md, a
# Dependabot config, SHA-pinned actions, and per-workflow permissions blocks.
name: OpenSSF Scorecard Enforcer

on:
Expand Down Expand Up @@ -43,39 +49,66 @@ jobs:
with:
sarif_file: results.sarif

- name: Check minimum score
- name: Report posture (informational)
run: |
# Parse score from results
SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
# Scorecard SARIF encodes PER-CHECK results, not a single aggregate
# score at .runs[0].tool.driver.properties.score — the old parse always
# yielded 0 and always failed. Full per-check detail is now in the
# Security tab (SARIF) and in the scorecard.yml JSON artifact. The
# aggregate (which includes owner-plane Branch-Protection / Code-Review)
# is tracked there, not hard-gated in-repo.
echo "OpenSSF Scorecard SARIF uploaded to the Security tab."
echo "Repo-side posture is enforced by the check-critical job below."

echo "OpenSSF Scorecard Score: $SCORE"

# Minimum acceptable score (0-10 scale)
MIN_SCORE=5

if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
exit 1
fi

# Check specific high-priority items
# Deterministic, repo-controllable posture — every item here is satisfiable
# without owner/org-plane settings, so a red here is a real, actionable defect.
check-critical:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: Check SECURITY.md exists
- name: Require SECURITY.md
run: |
if [ ! -f "SECURITY.md" ]; then
echo "::error::SECURITY.md is required"
exit 1
fi

- name: Check for pinned dependencies
- name: Require Dependabot config
run: |
# Check workflows for unpinned actions
unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
if [ ! -f ".github/dependabot.yml" ] && [ ! -f ".github/dependabot.yaml" ]; then
echo "::error::.github/dependabot.yml is required (automated dependency updates)"
exit 1
fi

- name: Require SHA-pinned actions
run: |
# OpenSSF Pinned-Dependencies: every `uses:` must reference a 40-char
# commit SHA, never a floating @vN / @branch tag.
unpinned=$(grep -rnE "uses:[[:space:]]*[^#]*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -vE "^\s*#" || true)
if [ -n "$unpinned" ]; then
echo "::warning::Found unpinned actions:"
echo "::error::Unpinned actions found (must pin to a full commit SHA):"
echo "$unpinned"
exit 1
fi
echo "All actions are SHA-pinned."

- name: Require per-workflow permissions blocks
run: |
# OpenSSF Token-Permissions: every workflow declares a top-level
# least-privilege permissions block.
missing=""
for f in .github/workflows/*.yml; do
if ! grep -qE '^permissions:' "$f"; then
missing="$missing $f"
fi
done
if [ -n "$missing" ]; then
echo "::error::Workflows missing a top-level permissions block:$missing"
exit 1
fi
echo "All workflows declare a top-level permissions block."
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,5 @@ permissions: read-all

jobs:
analysis:
uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
secrets: inherit
2 changes: 1 addition & 1 deletion .github/workflows/secret-scanner.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,5 @@ permissions:

jobs:
scan:
uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@7c9db0e5909aab77bf11a444ade3b95c1d2b702e
secrets: inherit
74 changes: 13 additions & 61 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@ ndarray-rand = "0.16"
# rand 0.9). A dependabot bump to rand 0.10 broke the build: rand 0.10 is a
# separate, incompatible rand in the tree (Distribution/Rng traits don't match
# ndarray-rand's). Revert until ndarray-rand ships a rand-0.10-compatible release.
rand = "0.10"
rand_distr = "0.6"
rand = "0.9"
rand_distr = "0.5"
rayon = "1.12"

# Serialization
Expand Down
20 changes: 16 additions & 4 deletions crates/claude-client/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -608,10 +608,16 @@ mod tests {
"stream",
];
for k in obj.keys() {
assert!(ALLOWED.contains(&k.as_str()), "unexpected egress field: {k}");
assert!(
ALLOWED.contains(&k.as_str()),
"unexpected egress field: {k}"
);
}
for forbidden in ["api_key", "x-api-key", "key", "device", "sensor", "secret"] {
assert!(!obj.contains_key(forbidden), "sensitive field leaked: {forbidden}");
assert!(
!obj.contains_key(forbidden),
"sensitive field leaked: {forbidden}"
);
}
}

Expand Down Expand Up @@ -668,7 +674,13 @@ mod tests {
stream: None,
};
let v = serde_json::to_value(&req).unwrap();
assert!(v.get("injected").is_none(), "content broke out of its field");
assert_eq!(v["messages"][0]["content"][0]["text"].as_str().unwrap(), nasty);
assert!(
v.get("injected").is_none(),
"content broke out of its field"
);
assert_eq!(
v["messages"][0]["content"][0]["text"].as_str().unwrap(),
nasty
);
}
}
5 changes: 4 additions & 1 deletion crates/esn/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -370,7 +370,10 @@ mod tests {
w[[2, 2]] = 0.5;
let scaled = EchoStateNetwork::scale_to_spectral_radius(&w, 0.9);
let rho = EchoStateNetwork::estimate_spectral_radius(&scaled);
assert!((rho - 0.9).abs() < 1e-3, "expected spectral radius 0.9, got {rho}");
assert!(
(rho - 0.9).abs() < 1e-3,
"expected spectral radius 0.9, got {rho}"
);
}

#[test]
Expand Down
6 changes: 5 additions & 1 deletion crates/lsm/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -504,7 +504,11 @@ impl LiquidStateMachine {

/// Longest per-neuron spike history (number of retained spikes).
pub fn max_spike_history_len(&self) -> usize {
self.spike_history.iter().map(|h| h.len()).max().unwrap_or(0)
self.spike_history
.iter()
.map(|h| h.len())
.max()
.unwrap_or(0)
}
}

Expand Down
Loading
Loading