fix(launcher-standard): resolve 3 cross-doc contradictions #170
Open
hyperpolymath wants to merge 1 commit into
The launcher standard and the LM-LA lifecycle standard disagreed on three points. Each was a real contradiction (not just stylistic drift) and would have left a downstream implementer asking which doc to follow.

1. `--browser` listed as an independent required mode in the a2ml while prose calls it an alias for `--auto`. Split [required-modes] (canonical only) from a new [aliases] table that maps `--browser`/`--web` to `--auto`. Same enforcement, cleaner taxonomy.
2. `--integ`/`--disinteg` (per launcher-standard.adoc v0.2.0) supersede the separate `scripts/install.sh` / `scripts/uninstall.sh` from the lifecycle doc, but LM-LA never absorbed the change and still mandated the standalone scripts. Added IMPORTANT callouts to §Installation Standard and §Uninstallation Standard that scope the templates as reference for what `--integ`/`--disinteg` must do internally, and mark the standalone scripts optional when those modes exist.
3. The launcher standard requires "no elevated privileges / no sudo" (design principle 5) but the LM-LA install templates ran `sudo dnf`, `sudo cp`, `sudo systemctl`. Added a "Privilege model" callout clarifying that sudo paths are opt-in platform-maintainer extensions for machine-wide deployment only, and a launcher's `--integ` MUST NOT invoke them without explicit `--system` opt-in. Missing deps under a user install fail with an actionable message, not escalate.

Spec version bumped 0.2.0 → 0.3.0 (taxonomy change in [required-modes]).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 192 issues detected
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "deno-ci-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance-reusable.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Python file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/lol/test/vitest.config.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/standards/standards/k9-svc/bindings/deno/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "Agda postulate assumes without proof -- potential soundness hole (4 occurrences, CWE-704)",
"type": "agda_postulate",
"file": "/home/runner/work/standards/standards/lol/proofs/theories/information_theory.agda",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/standards/standards/lol/src/abi/Locale.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "Wildcard CORS -- restrict to specific origins or use env var (1 occurrences, CWE-942)",
"type": "js_wildcard_cors",
"file": "/home/runner/work/standards/standards/consent-aware-http/examples/reference-implementations/deno/aibdp_middleware.js",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
This was referenced May 26, 2026
hyperpolymath added a commit that referenced this pull request, May 26, 2026

…ifest

Filed alongside the 8 launcher-standard PRs (#170, #171, #172, #173, #175, #176, #177, #179) so reviewers landing on any individual PR can find the full picture in one place.

Two files following the existing `docs/audits/` convention:

- launcher-standard-review-2026-05-26.adoc — prose narrative for humans. Headline findings table (class × finding × addressed-in PR), PR map (number, branch, files, class), what-this-campaign-produces summary, deferred follow-ups, method notes including the parallel-session amend incident and how recovery worked.
- launcher-standard-review-2026-05-26.a2ml — machine-readable manifest for tooling (PR-batching bots, change-impact analyzers, launch-scaffolder regenerators). Same PR set as parseable A2ML: per-PR file lists, addressed-issues, new-files lists, new-a2ml-keys lists, plus coordination notes (spec-version conflict resolution, lock-step gate trigger map) and deferred-followups with gating conditions. Includes a session-lessons-captured block pointing at the two memory entries written during this campaign.

Pattern matches existing gap-matrix-2026-04-17.a2ml (A2ML extension syntax including @abstract: block). Pure tomllib does NOT parse A2ML; the repo's A2ML tooling does.

Signing-key fingerprint deliberately NOT recorded inline — gitleaks's generic-api-key rule misclassifies 40-char PGP fingerprints as secrets. The all-prs-gpg-signed flag is the load-bearing assertion; the fingerprint is recoverable from `git log --show-signature` if anyone needs to verify against a specific key.

Independent of all 8 review PRs — touches only docs/audits/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

The launcher standard (`docs/UX-standards/launcher-standard.adoc` + `launcher/launcher-standard.a2ml`) and the lifecycle standard (`docs/UX-standards/LM-LA-LIFECYCLE-STANDARD.adoc`) disagreed on three points. Each was a real contradiction — not stylistic drift — and would have left a downstream implementer unsure which doc to follow.

1. `--browser` was listed as an independent required mode in the a2ml while prose calls it an alias for `--auto`. Split `[required-modes]` (canonical only) from a new `[aliases]` table mapping `--browser`/`--web` → `--auto`. Same enforcement, cleaner taxonomy.
2. `--integ`/`--disinteg` supersede the standalone install/uninstall scripts (per launcher-standard.adoc v0.2.0), but LM-LA never absorbed the change. Added `IMPORTANT` callouts to §Installation Standard and §Uninstallation Standard scoping the script templates as reference for what `--integ`/`--disinteg` must do internally, and marking the standalone scripts optional when those modes exist.
3. `sudo` violation: launcher-standard.adoc design principle 5 forbids elevated privileges, but the LM-LA templates ran `sudo dnf`, `sudo cp`, `sudo systemctl`. Added a "Privilege model" callout: sudo paths are opt-in platform-maintainer extensions for machine-wide deployment only; a launcher's `--integ` MUST NOT invoke them without explicit `--system` opt-in. Missing deps under a user install fail with an actionable message, not escalate.

Spec version bumped 0.2.0 → 0.3.0 (taxonomy change in `[required-modes]`; behaviour for compliant launchers is unchanged because every accepted input is still accepted).

Out of scope (follow-ups identified but deferred)

Surfaced during the same review, not bundled here so this PR stays small enough to read:

- launcher/README.adoc:37-39.
- /var/mnt/eclipse/repos/... paths in the a2ml fallback and .desktop examples — breaks on non-eclipse hosts.
- open, WSL wslview, \$BROWSER.
- wait_for_server flat-1s polling ignores the wait-for-url-timeout-seconds constant the a2ml already declares.
- /tmp/ names — symlink-attack target on shared hosts; should use \$XDG_RUNTIME_DIR/\$XDG_STATE_HOME.
- keepopen.sh doesn't honour NO_COLOR.
- gui-dialog-chain and [soft-attach] declared in a2ml without reference impl → every downstream launcher will reinvent.
- --version mode missing entirely from required-modes.

Happy to take any of these in follow-up PRs.

Test plan

- [IMPORTANT] blocks and one bullet)
- [aliases] table + literal-string list shortening)
- launch-scaffolder rebuild picks up the new [aliases] table (separate repo)

🤖 Generated with Claude Code
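The privilege model from point 3 of the summary, sketched as a dry-run shell gate. This is an added example, not code from the PR or the standards repo: the function names, the exit status 3, the message wording and the install destinations are assumptions, while `--integ`, `--system` and `sudo dnf` are taken from the description above.

```shell
#!/bin/sh
# Added example, not code from the standards repo. Function names, the exit
# status 3 and the message wording are assumptions; --integ, --system and the
# "no sudo without opt-in" rule come from the PR description.

# Scope is "user" unless --system is passed explicitly.
integ_scope() {
    scope=user
    for arg in "$@"; do
        if [ "$arg" = "--system" ]; then scope=system; fi
    done
    printf '%s\n' "$scope"
}

# Space-separated list of required commands that are not on PATH.
missing_deps() {
    missing=
    for dep in "$@"; do
        if ! command -v "$dep" >/dev/null 2>&1; then
            missing="${missing:+$missing }$dep"
        fi
    done
    printf '%s\n' "$missing"
}

# integ SCOPE DEP...  (dry run: prints the plan instead of executing it)
# User scope never escalates: a missing dependency is an actionable error.
integ() {
    scope=$1; shift
    missing=$(missing_deps "$@")
    if [ -n "$missing" ] && [ "$scope" != system ]; then
        printf 'error: missing dependencies: %s\n' "$missing" >&2
        printf 'hint: install them, or re-run with --integ --system\n' >&2
        return 3
    fi
    if [ -n "$missing" ]; then
        # Only reachable after explicit --system opt-in.
        printf 'would run: sudo dnf install %s\n' "$missing"
    fi
    if [ "$scope" = system ]; then
        dest=/usr/share/applications
    else
        dest="${XDG_DATA_HOME:-$HOME/.local/share}/applications"
    fi
    printf 'would write .desktop entry to %s\n' "$dest"
}

# Constructed invocation: user-scope integration with one dependency.
integ "$(integ_scope --integ)" sh
```

The user-scope branch returns before any privileged command is even named, so the absence of `--system` cannot fall through to an escalation path.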