
docs(audits): orphan-SHA pin + BP wrapper-prefix mismatch — 2026-05-27 sidecar to #215 (#220)

Merged: hyperpolymath merged 1 commit into main from docs/audit-hypatia-pin-orphan-2026-05-27 on May 27, 2026

Conversation

@hyperpolymath (Owner)

Summary

Sidecar audit to audit-admin-merge-wrapper-sweep-2026-05-26.{adoc,a2ml} (PR #215 closure track) documenting a regression class introduced by the parent reusables-campaign sweep:

Sidebar finding

The audit also documents a sibling failure class — wrapper-prefix BP mismatch. The wrapper-emitted check name hypatia / Hypatia Neurosymbolic Analysis (<caller-job> / <reusable-display-name>) does not match branch protection's required bare Hypatia Neurosymbolic Analysis (the pre-wrapper monolithic name). Required check never satisfied even when the workflow succeeds. Fixed on typed-wasm with explicit sign-off; out of scope for this audit on the 99 others.

Test plan

  • Review the .adoc narrative for accuracy against the actual sweep
  • Review the .a2ml schema for machine-readability + parent-campaign linkage
  • Note the three not-discharged items for the next reusables session

🤖 Generated with Claude Code

Sidecar to docs/audits/audit-admin-merge-wrapper-sweep-2026-05-26.{adoc,a2ml}
(the parent reusables-campaign closure).

The 278-wrapper sweep filed in the parent campaign pinned each wrapper's
`hypatia-scan-reusable.yml@SHA` to the PR-branch HEAD of standards#193
(97df762...). After standards#193 was squash-merged on 2026-05-26T19:37,
that SHA was orphaned (status: diverged, ahead_by=1, behind_by=24
against standards/main); the merge-commit SHA on main is 915139d...
with byte-identical content.

GitHub Actions cannot resolve reusable-workflow references to orphaned
commits, so every hypatia-scan run on any estate repo with the orphan
pin fails at parse-stage (banner "This run likely failed because of a
workflow file issue"; jobs: [] in the run JSON).

Estate scope: 100 repos affected per
`gh search code "@97df762" --owner hyperpolymath path:.github/workflows/hypatia-scan.yml`.
Sweep filed 2026-05-27 (this session): 99 PRs, Contents API + auto-merge
SQUASH armed, paced at 5-per-12s. typed-wasm received the fix via
PR #75 directly + cherry-picks onto #72/#74.

Sidecar finding documented: the wrapper-prefix BP-mismatch class.
Reusable resolves but the published check is
`hypatia / Hypatia Neurosymbolic Analysis` (caller-job `/` reusable
display name) — whereas every estate repo's branch protection still
requires the bare pre-wrapper name `Hypatia Neurosymbolic Analysis`.
Fix is per-repo `gh api -X PATCH .../protection/required_status_checks`;
applied on typed-wasm (single repo, sign-off explicit), out of scope
for this audit on the 99 others.

Three lessons + three not-discharged items listed for the next reusable
rollout. Future-prevention is a standards-repo PR-review checklist item:
"Reusable-workflow sweep PRs MUST pin to merge-commit SHAs."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
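The wrapper-prefix mismatch described in the commit message, as an added example (not tooling from the standards repo, this PR, or the estate): the script diffs the contexts a branch-protection rule requires against the check names a wrapper run actually published, proposes the `<caller-job> / <reusable display name>` form, and wraps the `gh api` calls that read and PATCH the rule. The constructed sample lists, the caller job id `hypatia`, the `OWNER/REPO` placeholder and `strict=true` are assumptions; the GET/PATCH endpoints and the check-runs endpoint are the documented GitHub REST routes.

```shell
#!/usr/bin/env bash
# Added example, not the estate's own tooling. A wrapper publishes
# "<caller-job> / <reusable display name>", so a rule that still requires
# the bare pre-wrapper name can never go green even when the run succeeds.
set -eu

# Print each required context that no published check name matches.
# $1 = newline-separated required contexts, $2 = newline-separated check names.
unsatisfiable_contexts() {
  local ctx
  printf '%s\n' "$1" | while IFS= read -r ctx; do
    [ -n "$ctx" ] || continue
    printf '%s\n' "$2" | grep -Fxq -- "$ctx" || printf '%s\n' "$ctx"
  done
}

# Rewrite one context: the bare name ($3) becomes "<job> / <bare>"; others pass through.
rename_context() {
  if [ "$1" = "$3" ]; then printf '%s / %s\n' "$2" "$3"; else printf '%s\n' "$1"; fi
}

# Apply rename_context to a whole required list. $1 = list, $2 = caller job id, $3 = bare name.
proposed_contexts() {
  local ctx
  printf '%s\n' "$1" | while IFS= read -r ctx; do
    [ -n "$ctx" ] || continue
    rename_context "$ctx" "$2" "$3"
  done
}

# Live helpers (network + a token allowed to administer the repo); not used offline.
live_required_contexts() {   # $1 = owner/repo, $2 = branch
  gh api "repos/$1/branches/$2/protection/required_status_checks" --jq '.contexts[]'
}
live_published_checks() {    # $1 = owner/repo, $2 = commit SHA of a finished run
  gh api "repos/$1/commits/$2/check-runs" --paginate --jq '.check_runs[].name'
}
# PATCH the rule with the contexts read from stdin; $3 is the strict flag (true|false).
patch_required_contexts() {  # $1 = owner/repo, $2 = branch
  jq -Rn --argjson strict "$3" \
     '{strict: $strict, checks: [inputs | select(length > 0) | {context: .}]}' |
    gh api -X PATCH "repos/$1/branches/$2/protection/required_status_checks" --input -
}

# Constructed sample, not data pulled from the estate.
REQUIRED_SAMPLE='Hypatia Neurosymbolic Analysis
lint'
PUBLISHED_SAMPLE='hypatia / Hypatia Neurosymbolic Analysis
lint
build'

echo "required but never published:"
unsatisfiable_contexts "$REQUIRED_SAMPLE" "$PUBLISHED_SAMPLE"
echo "proposed contexts:"
proposed_contexts "$REQUIRED_SAMPLE" hypatia 'Hypatia Neurosymbolic Analysis'
# Per-repo apply, after explicit sign-off (OWNER/REPO and strict=true are placeholders):
#   live_required_contexts OWNER/REPO main \
#     | { proposed_contexts "$(cat)" hypatia 'Hypatia Neurosymbolic Analysis'; } \
#     | patch_required_contexts OWNER/REPO main true
```

Run it against a real repo only one at a time: the PATCH replaces the whole required-check list, so feed it the full proposed list rather than just the renamed entry, and keep the rule's existing strict flag.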
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 26, 2026 23:08
@github-actions

🔍 Hypatia Security Scan

Findings: 123 issues detected

Severity Count
🔴 Critical 65
🟠 High 48
🟡 Medium 10

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/changelog-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "changelog-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "deno-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "elixir-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/elixir-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "elixir-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "rust-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "rust-ci-reusable.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml-templates/state-scm-to-v2.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/standards/standards/a2ml/bindings/deno/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
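The orphan-SHA pin in the commit message and the scan's `unpinned_action` findings above are two ends of the same check, shown here as an added example that is not part of the standards repo, this PR, or Hypatia itself: extract every cross-repo `uses:` reference from a caller workflow, flag anything that is not a full 40-hex SHA (the `pin_sha` case), and for SHA pins ask the GitHub compare API whether the commit is reachable from the upstream default branch, which a squash-merged PR-branch HEAD is not. The sample workflow and its placeholder SHA are constructed; `main` as the default branch and the `CHECK_REACHABLE` switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not tooling from the standards repo or this PR.
# Classifies each cross-repo `uses:` reference: a full 40-hex SHA is "sha";
# anything else (@main, a tag, an abbreviated SHA) is "branch-or-tag".
# A "sha" pin only resolves if the commit is reachable from the upstream
# default branch; a squash-merged PR-branch HEAD is not, and Actions then
# fails the run at parse time ("jobs": []).
set -eu

# One line per reference: repo<TAB>path<TAB>ref<TAB>kind
# (path is "-" for a plain action such as actions/checkout).
extract_reusable_refs() {
  local line key spec target ref rest repo path kind
  while IFS= read -r line || [ -n "$line" ]; do
    key=${line#"${line%%[![:space:]]*}"}        # left-trim indentation
    key=${key#- }                                # allow the "- uses:" step form
    case "$key" in uses:*) ;; *) continue ;; esac
    spec=$(printf '%s' "${key#uses:}" | tr -d "\"' ")
    spec=${spec%%#*}                             # drop a trailing YAML comment
    case "$spec" in *@*) ;; *) continue ;; esac  # local ./ references carry no @ref
    target=${spec%@*}; ref=${spec##*@}
    rest=${target#*/}
    case "$rest" in
      */*) repo=${target%%/*}/${rest%%/*}; path=${rest#*/} ;;
      *)   repo=$target; path=- ;;
    esac
    if printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then kind=sha; else kind=branch-or-tag; fi
    printf '%s\t%s\t%s\t%s\n' "$repo" "$path" "$ref" "$kind"
  done < "$1"
}

# Ask the compare API whether $ref is an ancestor of $base in $repo.
# "behind"/"identical" means the pin resolves from the default branch;
# "diverged" is the orphan seen in this audit (ahead_by=1, behind_by=24).
# Needs network and gh auth, so it is not part of the offline self-check.
check_pin_reachable() {
  local repo="$1" ref="$2" base="${3:-main}" status
  status=$(gh api "repos/$repo/compare/$base...$ref" --jq '.status') || return 2
  case "$status" in
    behind|identical) return 0 ;;
    *) echo "ORPHAN-RISK $repo@$ref is '$status' relative to $base" >&2; return 1 ;;
  esac
}

# Exit 1 if any reference is not a full-SHA pin; with CHECK_REACHABLE=1
# also verify each SHA pin against the upstream default branch.
audit_workflow() {
  local file="$1" rc=0 repo path ref kind where
  while IFS="$(printf '\t')" read -r repo path ref kind; do
    [ -n "$repo" ] || continue
    if [ "$path" = - ]; then where=$repo; else where=$repo/$path; fi
    if [ "$kind" != sha ]; then
      echo "UNPINNED $where@$ref -> pin to the merge-commit SHA on the default branch"; rc=1
    elif [ "${CHECK_REACHABLE:-0}" = 1 ]; then
      check_pin_reachable "$repo" "$ref" || rc=1
    fi
  done <<EOF
$(extract_reusable_refs "$file")
EOF
  return $rc
}

# Constructed sample caller workflow (the SHA is a placeholder, not an
# estate commit); written by a function so it can be reused.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: hypatia-scan
on: [push]
jobs:
  hypatia:
    uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@0123456789abcdef0123456789abcdef01234567
    secrets: inherit
  changelog:
    uses: hyperpolymath/standards/.github/workflows/changelog-reusable.yml@main   # unpinned
  local:
    uses: ./.github/workflows/local-helper.yml
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF
}

sample=$(mktemp)
write_sample_workflow "$sample"
extract_reusable_refs "$sample"
audit_workflow "$sample" || echo "audit: unpinned or orphaned references found"
rm -f "$sample"
```

The reachability test is the part a pre-merge checklist item ("pin to merge-commit SHAs") cannot catch on its own: a PR-branch HEAD pin reads as `ahead` while the PR is open and flips to `diverged` the moment it is squash-merged, so run it with `CHECK_REACHABLE=1` after the upstream merge, not before.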

@hyperpolymath hyperpolymath merged commit d9ecb5c into main May 27, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the docs/audit-hypatia-pin-orphan-2026-05-27 branch May 27, 2026 05:35