feat(aggregator): estate organization — manifest, thread runner, generated superproject #63

Merged: hyperpolymath merged 6 commits into main from feat/estate-aggregator-organization on May 19, 2026

@hyperpolymath
Owner

What

Establishes the one-aggregator organization for the ~300-repo estate so the dual-layout confusion (flat clones vs. stale submodule superproject) is removed.

The rule: flat clones in $REPOS_DIR = single source of truth · reposystem = coordination layer · repos-monorepo = generated output (Pages/mirror/governance keep working).

Changes

  • repos.toml — generated manifest of all 297 estate repos (just repos-manifest)
  • repos.groups.toml — hand-maintained epic/group index, survives regeneration
  • scripts/thread.sh — cross-repo thread runner; each repo merges via its own PR
  • scripts/sync-aggregator.sh — regenerates repos-monorepo as generated artifact; per-submodule walk survives the URL-less .git-private-farm entry
  • scripts/gen-repos-manifest.sh — .gitmodules → repos.toml generator
  • ESTATE-ORGANIZATION.adoc — the rule + migration checklist
  • Justfile — new recipes; fixes a pre-existing parse-breaking dedent in doctor that was breaking the entire Justfile

Notes

  • No STATE/contractiles/.bot_directives changes.
  • Verified: just --list parses; just repos-manifest → 297 entries; sync-aggregator dry-run no longer aborts on .git-private-farm.

🤖 Generated with Claude Code

@github-actions

🔍 Hypatia Security Scan

Findings: 195 issues detected

Severity Count
🔴 Critical 14
🟠 High 112
🟡 Medium 69

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/reposystem/reposystem/tools/rsr-certified/extensions/vscode/src/extension.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/browser-extension/scripts/popup.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (1 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/browser-extension/scripts/content.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (4 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/dashboard/js/dashboard.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (5 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/stateful-artefacts/annotation-layer/annotations.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (7 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/reposystem/reposystem/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "HTTP URL in code -- use HTTPS for non-localhost (16 occurrences, CWE-319)",
    "type": "js_http_url_in_code",
    "file": "/home/runner/work/reposystem/reposystem/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

hyperpolymath and others added 6 commits May 19, 2026 17:15
…rated superproject

Establish one source of truth + one coordination layer:
- repos.toml: generated manifest of all 297 estate repos (regen: just repos-manifest)
- repos.groups.toml: hand-maintained epic/group index (survives regen)
- scripts/thread.sh: cross-repo thread runner; each repo merges via its own PR
- scripts/sync-aggregator.sh: regenerate repos-monorepo as a generated artifact;
  per-submodule walk to survive the URL-less .git-private-farm entry
- scripts/gen-repos-manifest.sh: .gitmodules -> repos.toml generator
- ESTATE-ORGANIZATION.adoc: the rule + migration checklist
- Justfile: add repos-manifest/thread/sync-aggregator/aggregator-drift recipes;
  fix pre-existing parse-breaking dedent in the doctor recipe (panic-attack
  block) that was breaking the entire Justfile

No STATE/contractiles/.bot_directives changes. Not pushed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

sync-aggregator leaves repos with stale .gitmodules URLs as `warn ... left
as-is` (root cause: GitHub repo rename, e.g. snif -> snifs). This script
resolves each warned submodule's canonical name via the GitHub API (follows
rename redirects), rewrites submodule.<name>.url, and `git submodule sync`s.

DRY-RUN default; --apply writes .gitmodules (no commit/push). Hard guard:
refuses to run while sync-aggregator.sh is active (git lock contention).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- gen-repos-manifest.sh now emits SPDX header into repos.toml (estate
  requires SPDX on all files); manifest regenerated
- README.adoc: add discoverable "Estate Organization" section linking
  ESTATE-ORGANIZATION.adoc (was orphaned)
- ESTATE-ORGANIZATION.adoc: document the deliberate generated-file exception
  vs 0-AI-MANIFEST.a2ml policy
- STATE.a2ml: record this work in metadata/recent-changes/session-history
  per 0-AI-MANIFEST.a2ml delivery promise (was stale at 2026-04-25)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ne separately

Empirical finding from the live pointer reconcile: warns are NOT one class.
At 239/297 sync there are 57 warns spanning renames, over-declared repos that
never existed (URL already basename-correct — a rewrite cannot help), wiki
entries, and transient blips. Rebuild fix-stale-submodule-urls.sh as a
classifier:

- RENAMED      -> --apply-renames (safe URL rewrite)
- NONEXISTENT  -> --prune-nonexistent (destructive, separately gated)
- WIKI         -> --prune-nonexistent (labelled)
- TRANSIENT    -> re-run sync-aggregator (no action)

Section lookup handles slash/leading-dot paths. Lock guard + no-commit
behaviour retained. ESTATE-ORGANIZATION.adoc documents the four classes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

`gh api` writes its error JSON body to STDOUT on 4xx, so a bare capture
yielded `{"message":"Not Found"...}` and was mis-read as a value — every
NONEXISTENT repo was misclassified RENAMED with a corrupt
`git@github.com:{...}.git` target. --apply-renames would have written
garbage URLs into the published .gitmodules. Add canon_name() which
strictly validates the result matches ^owner/name$.

Verified on the full 80-warn set: RENAMED 69->2 (snif->snifs,
panic-attacker->panic-attack), NONEXISTENT 0->67, WIKI 2, TRANSIENT 9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…odules

A .gitmodules-only prune leaves an orphan gitlink in the tree (status
disagreement). Prune now also git-rm --cached the path, drops the stale
.git/config section, and removes the empty placeholder dir.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
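
The misclassification described in the `gh api` commit above, reduced to a runnable sketch. This is an added example, not the project's fix-stale-submodule-urls.sh or its canon_name(): `fake_lookup`, `naive_target`, `canon_name_sketch`, `classify`, the `UNCHANGED` label and the repo names `ghost` and `odd` are constructed for illustration.

```shell
# fake_lookup is a constructed stand-in for the API call. On a miss it prints
# the error JSON to STDOUT and exits non-zero, as the commit message describes.
fake_lookup() {
  case "$1" in
    hyperpolymath/snif) printf '%s\n' 'hyperpolymath/snifs' ;;  # rename followed
    hyperpolymath/reposystem) printf '%s\n' 'hyperpolymath/reposystem' ;;
    hyperpolymath/odd) printf '%s\n' '{"message":"Moved"}' ;;   # exit 0, body is not a name
    *) printf '%s\n' '{"message":"Not Found","status":"404"}'; return 1 ;;
  esac
}

# Before: bare capture. The exit status is dropped, so the error body is
# interpolated into the submodule URL as if it were a repo name.
naive_target() {
  printf 'git@github.com:%s.git\n' "$(fake_lookup "$1")"
}

# After: require success AND a strict owner/name shape (exactly one slash,
# safe characters only, no newlines) before the value is used anywhere.
canon_name_sketch() {
  local out
  out=$(fake_lookup "$1") || return 1
  case "$out" in
    ''|/*|*/|*/*/*|*[!A-Za-z0-9_./-]*) return 1 ;;
    */*) printf '%s\n' "$out" ;;
    *) return 1 ;;
  esac
}

# RENAMED and NONEXISTENT are the page's class names; UNCHANGED is this
# example's own label for a name that resolves to itself.
classify() {
  local canon
  if ! canon=$(canon_name_sketch "$1"); then
    echo NONEXISTENT
  elif [ "$canon" != "$1" ]; then
    echo "RENAMED $canon"
  else
    echo UNCHANGED
  fi
}
```

The `hyperpolymath/odd` case shows why the shape check is kept even when the exit status is honoured: a zero exit with a non-name body is still rejected before it can reach .gitmodules.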
@hyperpolymath hyperpolymath force-pushed the feat/estate-aggregator-organization branch from 5e2a28b to f8b77f8 Compare May 19, 2026 16:16
@github-actions

🔍 Hypatia Security Scan

Findings: 195 issues detected

Severity Count
🔴 Critical 14
🟠 High 112
🟡 Medium 69

⚠️ Action Required: Critical security issues found!


Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath
Owner Author

Rebased onto current main (12 commits ahead); only conflict was the additive STATE.a2ml history log — resolved as a union of both the repo-batcher #56 and estate-aggregator entries. The one red check (Language / package anti-pattern policy) is pre-existing ReScript baseline rot (gui/src/*.res, scaffoldia/repo-batcher/examples/*.res, etc. — all on main): this PR adds zero banned-language files (only .sh/.toml/.adoc/.yml). That ReScript bucket is the separate #229 workstream. Not a required check; merging.

@hyperpolymath hyperpolymath merged commit 58df095 into main May 19, 2026
12 of 13 checks passed
@hyperpolymath hyperpolymath deleted the feat/estate-aggregator-organization branch May 19, 2026 16:20