chore(close-out): CI hardening + hexad proof + doc accuracy + 6a2 metadata#122
Merged
Conversation
Adds timeout-minutes to every runs-on job across the workflow suite that lacked one (27 jobs, 12 files); reusable-workflow-call jobs are exempt (GitHub rejects job-level timeout-minutes there). Clears the bulk of the Hypatia missing_timeout_minutes findings. Lint/policy jobs 10m, build/ test/scan 20m, heavy chapel/e2e/release jobs 45m. https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb
…round-trip
- assay::assimilate: replace `source.unwrap()` (flagged CWE-754 by Hypatia,
though guarded) with a `let Some(source) = source else { ... }` that folds
the already-handled None branch in. No behaviour change; zero unwrap.
- storage: add proptest `hexad_json_roundtrip_is_identity` (PROOF-PROGRAMME
§3.1, faithful form). The gateway octad projection is lossy by design, so
the load-bearing integrity property is the on-disk serde round-trip used by
write_*_hexad -> load_hexad_dir; this proves it is the identity on the
hexad JSON representation.
https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb
- 20 -> 38 subcommands (CLAUDE.md, EXPLAINME, README) - 47 -> 49 languages (CLAUDE.md overview, EXPLAINME claim-1) - add aggregate/ + assay/ to the CLAUDE.md module tree - list assay/assimilate/aggregate among the CLI examples https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb
Fills .machine_readable/6a2/ to the echidna/standards shape: - new AGENTIC.a2ml (panicbot / Hypatia / echidnabot agent roles), NEUROSYM.a2ml (miniKanren engine as the symbolic layer + proof obligations), PLAYBOOK.a2ml (build/test/scan runbooks + 3 deployment modes), ANCHOR.a2ml (clade=diagnostic) - META.a2ml + ECOSYSTEM.a2ml fleshed out from stubs (architecture decisions, practices, hospital-model ecosystem position) - STATE.a2ml untouched https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb
🔍 Hypatia Security ScanFindings: 86 issues detected
View findings[
{
"reason": "Action uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f5599 needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action es: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb needs attention",
"type": "unpinned_action",
"file": "e2e.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in release.yml",
"type": "missing_timeout_minutes",
"file": "release.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in rust-ci.yml",
"type": "missing_timeout_minutes",
"file": "rust-ci.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard.yml",
"type": "missing_timeout_minutes",
"file": "scorecard.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_timeout_minutes",
"file": "secret-scanner.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This was referenced Jun 4, 2026
hyperpolymath
added a commit
that referenced
this pull request
Jun 4, 2026
… registry (#125) The two remaining close-out items from the 2026-06-04 session ("both now"). ### `756e3c4` — attestation-chain unforgeability proof (Idris2) · closes #123 New `src/abi/AttestationUnforgeability.idr` (PROOF-PROGRAMME §3.2). Models the seal — `chain_hash = H(intent‖evidence‖report)`, Ed25519-signed — with the cryptographic facts as a **`parameters` block (hypotheses, not `postulate`** — PA021 bans escape hatches), so it is an honest *conditional* theorem. Under `%default total` it Qed-closes: - **`integrity`** — tampering with any phase invalidates the seal; - **`authenticity`** — a verifying seal comes from the matching secret key; - **`nonRepudiation`** — a genuine seal verifies (publicly checkable); - plus two corollaries (`sealValid`, `sealNoCollision`). Conditional on chain-hash collision-resistance + Ed25519 EUF-CMA (message- and signer-binding) + signature correctness. **Typechecks under Idris2 0.8.0** (verified). `PROOF-NEEDS.md` ledger updated (also records the §3.1 hexad round-trip that landed in #122). ### `7d4b90b` — contractile registry · refs #124 Adds the previously-missing `.machine_readable/contractiles/INDEX.a2ml`, modelled on echidna's canonical registry. Catalogues all six verbs with their **actual on-disk locations** across panic-attack's three pre-consolidation trees, flags the **duplicate `trust` Trustfile**, and records the canonical trident target. **Scope note:** this is the safe, additive half of #124. The *physical* consolidation of the three trees is intentionally **not** done here — the root `contractiles/` tree feeds `contractile gen-just`, so moving files blind would break the generator, and the authoritative `CONTRACTILE-SPEC` lives in the `standards` repo (unreachable from the session). #124 stays open for that migration. ## Verification - Idris2 proof typechecks (exit 0); no `postulate`/`believe_me`/`Admitted`/holes. - No Rust touched → library suite remains green (unchanged from `main`). https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb --- _Generated by [Claude Code](https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb)_ --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up close-out batch after #121. Four coherent commits:
ef1e235— CI hardening (Hypatiamissing_timeout_minutes)Adds
timeout-minutesto 27runs-onjobs across 12 workflow files that lacked one; reusable-workflow-call jobs are correctly exempt (GitHub rejects job-leveltimeout-minutesthere). Purely additive (27 insertions, 0 deletions); all 19 workflow files still parse as YAML. (The remaining Hypatia "unpinned_action" flags are either false positives —dtolnay/Swatinemare already full-SHA-pinned — or the policy-governedstandards/...@mainreusable workflow.)b4fb18e— flagged unwrap + a real proofassay::assimilate: replaced the Hypatia-flaggedsource.unwrap()(CWE-754, though guarded) with alet Some(source) = source else { … }that folds in the already-handledNonebranch. No behaviour change; zero unwrap.storage: new proptesthexad_json_roundtrip_is_identity(PROOF-PROGRAMME §3.1, faithful form). The gateway octad projection is lossy by design, so the load-bearing integrity property is the on-disk serde round-trip used bywrite_*_hexad → load_hexad_dir; this proves it is the identity on the hexad JSON representation.94aed04— doc accuracy20 → 38subcommands and47 → 49languages across CLAUDE.md / EXPLAINME / README;assay/assimilate/aggregateadded to the module tree and CLI examples.37e73ea— 6a2 metadataCompletes
.machine_readable/6a2/to the echidna/standards shape: newAGENTIC/NEUROSYM/PLAYBOOK/ANCHOR(clade=diagnostic), fleshed-outMETA/ECOSYSTEM;STATE.a2mluntouched.Tests
Full library suite green; the new proptest and the refactored
assimilatepass. Zero new warnings.Still open (not in this PR)
INDEX.a2ml) — pending location of theCONTRACTILE-SPEC.https://claude.ai/code/session_01K2TJLeQSyz4tpydZ18aRcb
Generated by Claude Code