Claude/post phase 1 1 cleanup #41
The previous body referenced undefined symbols (download_dir,
do_ingest/2) and used invalid struct literal syntax
(%__MODULE__{...}). The module is on the v1 critical path at step 3
(Phase 1.3) — after the FHI parser — so a real implementation is
premature, but the broken code was a foot-gun: if anyone enabled
:etma_handler, :auto_ingest the supervision tree would fail with
opaque compile-time errors instead of an actionable message.
This change:
- Removes the broken init/1 and handle_call/3 bodies
- Adds a compiling init/1 that logs a clear "not implemented (Phase
1.3)" error and stops with {:stop, :not_implemented}
- Exposes the three module constants (filename_pattern,
document_extensions, code_extensions) as zero-arity functions so
callers and tests can reference them without duplicating regex
literals
- Updates BouncerTest to use the exposed constants and adds a smoke
test for the new init/1 contract
No behaviour change in the default configuration (auto_ingest is off).
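As an added example (not code from the tma-mark2 repository), here is the fail-fast init/1 contract and the zero-arity constant accessors the message describes, in one self-contained Elixir script with the smoke tests an ExUnit file would carry. The module name Example.Bouncer, the regex, the extension lists and the log wording are assumptions modelled on the commit message, not the project's own values.

```elixir
# Added example, not code from the tma-mark2 repository.
# Run with: elixir bouncer_example.exs
#
# A GenServer whose init/1 refuses to start with an actionable reason until
# the feature is implemented, plus module constants exposed as functions.
# Module name, regex, extension lists and log text are assumptions.
defmodule Example.Bouncer do
  use GenServer
  require Logger

  # Constants exposed as zero-arity functions so callers and tests reference
  # one definition instead of duplicating the literals.
  def filename_pattern, do: ~r/^[\w.-]+\.(pdf|docx|ex|exs)$/
  def document_extensions, do: [".pdf", ".docx"]
  def code_extensions, do: [".ex", ".exs"]

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  end

  @impl true
  def init(_opts) do
    # Returning {:stop, reason} from init/1 makes start_link/1 return
    # {:error, reason}, so a supervisor reports one clear reason instead of
    # crashing inside an unfinished handle_call/3. The config key below is
    # an assumption taken from the commit message.
    Logger.error(
      "Bouncer auto-ingest is not implemented (Phase 1.3); " <>
        "set config :etma_handler, :auto_ingest to false"
    )

    {:stop, :not_implemented}
  end
end

ExUnit.start()

# Smoke tests for the init/1 contract and the exposed constants.
defmodule Example.BouncerTest do
  use ExUnit.Case, async: true

  test "init/1 stops with :not_implemented" do
    assert {:stop, :not_implemented} = Example.Bouncer.init([])
  end

  test "start_link/1 surfaces the reason instead of an opaque crash" do
    # The new process is linked to the caller and exits with the reason,
    # so trap exits to observe it as a message rather than a test crash.
    Process.flag(:trap_exit, true)
    assert {:error, :not_implemented} = Example.Bouncer.start_link([])
    assert_receive {:EXIT, _pid, :not_implemented}
  end

  test "constants are exposed as zero-arity functions" do
    assert Regex.match?(Example.Bouncer.filename_pattern(), "report.pdf")
    refute Regex.match?(Example.Bouncer.filename_pattern(), "../escape.pdf")
    assert ".ex" in Example.Bouncer.code_extensions()
    assert ".pdf" in Example.Bouncer.document_extensions()
  end
end
```

The regex is defined inside the function body rather than in a module attribute so there is a single literal to maintain, which is the point of exposing constants as functions; the second test is the part that shows why a {:stop, reason} return beats a compile error, since the caller receives a plain {:error, :not_implemented} it can act on.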
Removed:
- CHANGELOG.md (content-identical to CHANGELOG.adoc; project uses
Asciidoctor for the canonical changelog)
- CODE_OF_CONDUCT.md (short stub; CODE_OF_CONDUCT.adoc has the full
Contributor Covenant)
- MAINTAINERS.md (placeholder with "TBD" entries; MAINTAINERS.adoc
has the real list)
- ABI-FFI-README.md (unfilled template — still contained literal
{{PROJECT}} placeholder, never adapted to this repo)
- Containerfile.simple (unused; Containerfile is the dev/base variant,
Containerfile.hardened the production one)
- well-known-template.tar.gz + well-known-template/ (template
scaffolding for setting up a .well-known directory — this repo
already has its own populated .well-known/; the scaffolding belongs
in a separate template repository)
- schemas/config.cue (CUE is prohibited by the language policy; the
schema was unreferenced)
Updated references:
- CONTRIBUTING.md, GOVERNANCE.adoc, SECURITY.md, CODE_OF_CONDUCT.adoc,
QUICKSTART-MAINTAINER.adoc — point at the .adoc replacements
- 0-AI-MANIFEST.a2ml — drop Containerfile.simple from the container
list
- tests/fuzz/placeholder.txt → test/fuzz/.gitkeep (Elixir convention is
the singular form `test/`; the fuzz subdir is a placeholder for
future property/fuzz suites)
- licenses/{MPL-2.0-NL,PALIMPSEST-EN,PALIMPSEST-NL}.txt → LICENSES/translations/
(case-collision on case-insensitive filesystems; SPDX/REUSE
convention is the uppercase LICENSES/ directory)
- configs/config.ncl → docs/examples/nickel-config-example.ncl
(the file is a generic Nickel sample for "my-app", not project
config; it belongs as a documentation example)
- Update CONTRIBUTING.md and TEST-NEEDS.md to point at the new paths
The docs/ tree was a flat dump and several long-form documents were
camped at the repo root. Reorganised into named subgroups so a human
or agent can find things by intent.
New structure under docs/:
- architecture/ — already existed; unchanged
- ai/ — LLM briefings (warmup-dev.md, warmup-user.md)
- examples/ — illustrative examples (forensics-report,
nickel-config-example)
- operations/ — runbooks & operational concerns (failure-modes,
reversibility)
- research/ — background & rationale (palimpsest, competitors,
ideas, citations)
- sessions/ — STATE.scm session checkpoints
- specs/ — protocol & format specs (fhi-schema, integrity)
- status/ — live status reports (test-needs, proof-needs,
seams-review)
Moves out of root → docs/{group}/<kebab-case-name>:
- llm-warmup-dev.md → docs/ai/warmup-dev.md
- llm-warmup-user.md → docs/ai/warmup-user.md
- PALIMPSEST.adoc → docs/research/palimpsest.adoc
- REVERSIBILITY.md → docs/operations/reversibility.md
- TEST-NEEDS.md → docs/status/test-needs.md
- PROOF-NEEDS.md → docs/status/proof-needs.md
- SEAMS_REVIEW.adoc → docs/status/seams-review.adoc
Moves within docs/:
- docs/CITATIONS.adoc → docs/research/citations.adoc
- docs/COMPETITORS.md → docs/research/competitors.md
- docs/IDEAS.md → docs/research/ideas.md
- docs/FAILURE-MODES.md → docs/operations/failure-modes.md
- docs/FHI-SCHEMA.adoc → docs/specs/fhi-schema.adoc
- docs/INTEGRITY.adoc → docs/specs/integrity.adoc
- docs/FORENSICS-REPORT-EXAMPLE.adoc → docs/examples/forensics-report.adoc
- docs/SESSION-2026-01-06.scm → docs/sessions/2026-01-06.scm
ROADMAP.adoc and TOPOLOGY.md stay at the root because they are the
two highest-traffic "where are we / what's next" files.
Cross-references updated:
- ROADMAP.adoc, Justfile, 0-AI-MANIFEST.a2ml — point at new paths
- docs/specs/integrity.adoc — peer-link adjusted (FHI-SCHEMA.adoc →
fhi-schema.adoc; architecture link prefixed with ../)
…L→MPL migration
GitHub config:
- Remove root FUNDING.yml. .github/FUNDING.yml is the canonical GitHub-recognised path and was already populated with real handles; the root copy was an empty stub from earlier scaffolding.
Scripts:
- build-affine.sh → experiments/affine-frontend/build.sh, since AffineScript is post-v1 experimental work. Path-handling updated: walk up two levels to project root for priv/static/wasm, look for main.affine next to the script. Justfile updated accordingly.
- setup.sh and setup.ps1 stay at the repo root because their one-line installer URLs are part of the public contract (curl ...raw.githubusercontent.com/.../main/setup.sh).
License migration aftermath (the PMPL-1.0 → MPL-2.0 migration in 50863bf was incomplete):
- Update 4 stale SPDX-License-Identifier headers from PMPL-1.0 to MPL-2.0: 3 workflows (codeql, secret-scanner, scorecard) and lib/etma_handler/proven/safe_state_machine.ex.
- README.adoc shield: PMPL-1.0 → MPL-2.0.
- Rewrite docs/research/palimpsest.adoc to describe the post-migration state (Palimpsest is MPL-2.0 in SPDX terms) and link to LICENSE / NOTICE / LICENSES/translations/.
- Update k9 setup-repo example to reference the Palimpsest (MPL-2.0) license.
- Delete LICENSES/PMPL-1.0.txt and LICENSES/PMPL-1.0-or-later.txt; the binding text is now LICENSES/MPL-2.0.txt and the standard text is in the root LICENSE.
Two new entry-point documents:
- docs/README.adoc — a single index that lets a reader (human or AI) start from "what I want to do" and arrive at the right file. Maps goals (run the app, set up dev, audit tests, …) to documents, and explains the docs/ taxonomy by directory.
- RSR_COMPLIANCE.adoc — this project's compliance state against the Rhodium Standard Repository spec. Replaces the misnomer RSR_OUTLINE.adoc, which was actually a copy of the upstream RSR template's own README. Tracks: required files, language policy, build system, container strategy, and the two intentional deviations (lib/ + test/ are Elixir conventions; STATE lives in .machine_readable/6a2/STATE.a2ml).
- RSR_OUTLINE.adoc → docs/research/rsr-template.adoc — the template-describes-itself content lives in research/ as reference material rather than masquerading as this project's compliance document.
README.adoc updates:
- Reflect that the CubDB Repo is now real (Phase 1.1 landed) when describing the Status section.
- Add pointers to docs/README.adoc and RSR_COMPLIANCE.adoc.
- Fix broken link (CONTRIBUTING.adoc → CONTRIBUTING.md).
- Rewrite License section to use the post-migration wording (Palimpsest License (MPL-2.0)) and link to LICENSE / NOTICE / docs/research/palimpsest.adoc.
- Remove duplicate "Architecture" section that appeared at EOF.
- Tech-stack table: Elixir 1.14+/OTP 25+ → Elixir 1.18+/OTP 25 (matches .tool-versions).
.machine_readable/agent_instructions/debt.a2ml — update commented-out debt entry to reference the new path.
CHANGELOG.adoc — full rewrite:
- Convert from mixed Markdown/AsciiDoc syntax to clean AsciiDoc.
- Fix bogus SPDX header (was "MIT" in HTML comments; file is MPL-2.0).
- Drop the fictional [2.0.0] / [1.0.0] historical entries — this project is 0.1.0-alpha scaffold with no formal release ever cut.
- Move the "rewrote from Java" framing to a single "Earlier history" section that's honest about origin.
- Populate [Unreleased] with the actual recent changes: Phase 1.1 Repo, repo reorganisation, Bouncer fix, PMPL→MPL migration finish, doc taxonomy.
TOPOLOGY.md — refresh dashboard:
- Repo (CubDB): 0% → 70% (Phase 1.1 landed: 280 LOC + 237 LOC tests).
- Bouncer: 10% → 20% (init/1 fixed to compile cleanly).
- ApiController /health: 30% → 70% (uses Repo.cubdb/0; the stale "Repo.get/1 does not exist" note is no longer true).
- ExUnit suite: 4 files → 5 files; 20% → 30%.
- Overall: 25-30% → 30-35%.
- v1 critical path diagram: mark step 1 done; add note that step 2 is waiting on real .fhi fixtures.
- "Last updated" date bumped.
.machine_readable/6a2/STATE.a2ml — refresh:
- last-updated, version, completion %, phase string.
- Add [layout] section pointing at the new entry-point documents.
- Add [v1-critical-path] section so agents can read step status without parsing TOPOLOGY's ASCII bars.
0-AI-MANIFEST.a2ml — final Nix mop-up:
- packaging list still referenced flake.nix as Nix fallback; replaced with mix.exs (Mix release) to match guix.scm primary cascade.
🔍 Hypatia Security Scan
Findings: 98 issues detected
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Code.eval_* -- arbitrary code execution risk (1 occurrences, CWE-94)",
"type": "elixir_code_eval",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/logic/calculator.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/settings.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (2 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
"type": "ncl_missing_spdx",
"file": "/home/runner/work/tma-mark2/tma-mark2/docs/examples/nickel-config-example.ncl",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "expect() in hot path (21 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/tma-mark2/tma-mark2/native/tma_crypto/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (4 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/tma-mark2/tma-mark2/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 36,
"reason": "Secret found: Generic secret",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"line": 266,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/suite.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in tma-mark2: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/tma-mark2/tma-mark2",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
The wiki at https://github.com/hyperpolymath/tma-mark2/wiki was a single default "Welcome" page. Populated it with a complete navigation layer that mirrors the in-repo documentation:
- Home — landing page, quick-link table, repo metadata
- _Sidebar, _Footer — global navigation chrome
- Getting-Started — install / run / just recipes
- Roadmap-and-Status — v1 critical path, dashboard summary
- Architecture — diagram + links to docs/architecture/
- Development — language policy, daily loops, testing philosophy
- AI-Agent-Briefing — entry points for LLM agents
- Documentation-Index — mirrors docs/README.adoc
- RSR-Compliance — summary of RSR_COMPLIANCE.adoc
- FHI-Format — pointer to docs/specs/fhi-schema.adoc
- Governance — pointer to GOVERNANCE.adoc and the MAA/RMR/RMO trio
- License — Palimpsest (MPL-2.0) summary
The pages live under docs/wiki/ as the canonical source of truth. The wiki itself is a separate Git repository (tma-mark2.wiki.git) outside this repo's signing/CI scope, so it must be synced manually — docs/wiki/README.md documents the procedure (three-line shell snippet) and the optional GitHub Action that can automate it.
Every wiki page is a navigation layer only: authoritative content remains in the repository (docs/, README.adoc, TOPOLOGY.md, …) and the wiki pages link back rather than duplicating.
docs/README.adoc — add a row for docs/wiki/ so the staging area is discoverable from the main documentation index.
…ample
Captures the state of PR #41's CI at session end so the open red checks have context for the next reader.
Files:
- docs/examples/nickel-config-example.ncl — add SPDX header. Direct consequence of the configs/ → docs/examples/ move; Hypatia bot flagged the missing header on PR #41.
- docs/status/ci-state.md (new) — full snapshot: check-by-check disposition, Hypatia bot findings categorised (mine vs pre-existing), and a punchlist for taking CI to green that lives outside the scope of this PR.
- TOPOLOGY.md — CI workflows row: 60% → 50% with a pointer to docs/status/ci-state.md (was previously hand-waving "most are governance, not value-adding"; now points at the actual red list).
- CHANGELOG.adoc — record the SPDX fix in [Unreleased].
- .machine_readable/6a2/STATE.a2ml — add [open-prs] and [ci-state] sections so agents can read the PR situation without parsing TOPOLOGY's ASCII or the CHANGELOG.
Summary of this PR
9 commits, ~110 files, net −1500 / +1100. Repo tidy + docs taxonomy + GitHub wiki staging, plus three opportunistic fixes done in passing.
What landed
CI status
5 red checks. One was mine and is fixed (Hypatia flagged a missing SPDX on the moved Nickel file — fixed in The other four are pre-existing and out of scope for this PR — captured in
Hypatia findings
98 total. 3 critical, 58 high, 37 medium. Only one was mine (the SPDX, now fixed). The rest pre-date this PR — see ci-state.md for the breakdown.
Wiki
Wiki content is staged at
Session ending. PR is ready for human review; happy to pick up after merge or feedback.
Generated by Claude Code
🔍 Hypatia Security Scan
Findings: 97 issues detected
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Code.eval_* -- arbitrary code execution risk (1 occurrences, CWE-94)",
"type": "elixir_code_eval",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/logic/calculator.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/settings.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (2 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (21 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/tma-mark2/tma-mark2/native/tma_crypto/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (4 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/tma-mark2/tma-mark2/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 36,
"reason": "Secret found: Generic secret",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"line": 266,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/suite.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in tma-mark2: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/tma-mark2/tma-mark2",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
…no fmt/lint scope
Three independent CI fixes to unblock #41 (post-phase-1-1-cleanup):
1. **actions/cache deprecated SHA** — bump `0c45773b...4f9` → `0057852b...830` (current v4 tag). The old SHA was hard-failed by GitHub's automatic deprecation policy. Two workflows affected: `casket-pages.yml` and `elixir-ci.yml`.
2. **`.hypatia-ignore`** — exempt `examples/SafeDOMExample.res` from the `cicd_rules/banned_language_file` rule. Scheduled for ReScript→AffineScript migration in affinescript#57; until then, exempting unblocks unrelated PRs (same pattern just landed on the-nash-equilibrium#43 + universal-chat-extractor#68).
3. **`deno.json`** — scope `deno fmt` to `assets/js/` so it doesn't require formatting of every markdown / YAML / issue-template file in the repo; exclude `assets/vendor/` from both lint+fmt because `topbar.js` is third-party. Applied formatting to `assets/js/app.js` (let → const, spaces around braces, trailing semicolons).
Closes the three CI blockers on #41 — no source-logic changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…/0.22) The lock previously pinned finch 0.20.0 while req 0.5.18 requires finch ~> 0.21.0 or ~> 0.22.0, so mix deps.get exit-1'd in CI. Regenerated locally (mix deps.unlock --all && mix deps.get) bumps finch to 0.22.0 — req 0.5.18's preferred dependency. No mix.exs changes; req ~> 0.5 still resolves to 0.5.18 as before. Refs PR #41 — Elixir CI Install deps step.
The estate-wide Deno CI logic now lives in hyperpolymath/standards/.github/workflows/deno-ci-reusable.yml (filed 2026-05-26 as standards#168). The reusable fixes three bugs that bit this repo in CI:
* deno test ran unconditionally and failed 'No test modules found'
* deno lint / deno fmt ran unconditionally and failed 'No target files'
* no top-level permissions: tripping the workflow security linter
Drops the legacy 'npx rescript' step (banned in new code 2026-04-30).
Pinned to the #168 head SHA. After #168 merges to main, the pin can be flipped to @main as part of estate cleanup (governance.yml already follows this pattern).
Refs hyperpolymath/standards#168.
Added a CI follow-up commit ( The reusable fixes the three bugs the legacy template was hitting estate-wide:
Also drops the banned
🔍 Hypatia Security ScanFindings: 97 issues detected
View findings[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Code.eval_* -- arbitrary code execution risk (1 occurrences, CWE-94)",
"type": "elixir_code_eval",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/logic/calculator.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/settings.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (2 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (21 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/tma-mark2/tma-mark2/native/tma_crypto/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (4 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/tma-mark2/tma-mark2/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 36,
"reason": "Secret found: Generic secret",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"line": 266,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/suite.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in tma-mark2: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/tma-mark2/tma-mark2",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
CI was using Elixir 1.15 but mix.exs declares 'elixir: "~> 1.17"',
so mix compile exit-1'd at the very first step:
** (Mix) You're trying to run :etma_handler on Elixir v1.15.8
but it has declared in its mix.exs file it supports only
Elixir ~> 1.17
OTP 26 (already pinned) is compatible with Elixir 1.17. No mix.exs
or .tool-versions change needed — the constraint there is the
source-of-truth; this aligns CI with it.
Refs PR #41 Elixir CI / test step.
🔍 Hypatia Security Scan
Findings: 97 issues detected
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Code.eval_* -- arbitrary code execution risk (1 occurrences, CWE-94)",
"type": "elixir_code_eval",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/logic/calculator.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/settings.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (2 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (21 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/tma-mark2/tma-mark2/native/tma_crypto/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (4 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/tma-mark2/tma-mark2/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 36,
"reason": "Secret found: Generic secret",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"line": 266,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/suite.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in tma-mark2: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/tma-mark2/tma-mark2",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]
…t fail strict-mode build
mix compile --warnings-as-errors applies to whatever is being
compiled — including transitive dependencies. CI was failing on
upstream warnings we don't own:
* rustler's lib/mix/tasks/rustler.new.ex:224 uses :json.decode/1
(added to the Erlang stdlib in OTP 27 / Elixir 1.18)
* use Bitwise deprecated in favour of import Bitwise
* unused 'files' / 'opts' vars in a transitive zip-handling dep
Splitting into two steps:
1. mix deps.compile — compile deps without strict mode
2. mix compile --warnings-as-errors — strict only on our code
Project's own modules still gated by --warnings-as-errors, so the
hygiene we want for our code stays enforced.
Refs PR #41 Elixir CI / Compile step.
🔍 Hypatia Security Scan
Findings: 29 issues detected
[
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Code.eval_* -- arbitrary code execution risk (1 occurrences, CWE-94)",
"type": "elixir_code_eval",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/logic/calculator.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/settings.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "binary_to_term without :safe option -- deserialization attack (2 occurrences, CWE-502)",
"type": "elixir_send_unsanitised",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"reason": "expect() in hot path (21 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/tma-mark2/tma-mark2/native/tma_crypto/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "medium"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (4 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/tma-mark2/tma-mark2/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 36,
"reason": "Secret found: Generic secret",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/encrypted_storage.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"line": 266,
"reason": "Secret found: Password",
"type": "secret_detected",
"file": "/home/runner/work/tma-mark2/tma-mark2/lib/etma_handler/crypto/suite.ex",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in tma-mark2: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/tma-mark2/tma-mark2",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 2 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]