docs: record tech-debt audit findings (2026-05-26) by hyperpolymath · Pull Request #29 · hyperpolymath/universal-language-server-plugin

hyperpolymath · 2026-05-26T12:30:49Z

Summary

Adds docs/tech-debt-2026-05-26.md with this repo's findings from the estate-wide tech-debt scan.

Companion estate-wide audits

docs(audits): estate-wide proof-debt audit 2026-05-26 standards#195 — proof-debt
docs(audits): estate-wide licence-debt audit 2026-05-26 standards#196 — licence-debt
docs(audits): estate-wide documentation-debt audit 2026-05-26 standards#197 — documentation-debt

Records findings only. Closing the debt is follow-up work.

🤖 Generated with Claude Code

Adds docs/tech-debt-2026-05-26.md with this repo's findings from the estate-wide tech-debt scan: proof debt, licence debt, documentation debt. This file records the findings only — it does not close the debt. Cross-references: - hyperpolymath/standards#195 (estate proof-debt audit) - hyperpolymath/standards#196 (estate licence-debt audit) - hyperpolymath/standards#197 (estate documentation-debt audit) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-05-26T14:13:40Z

🔍 Hypatia Security Scan

Findings: 51 issues detected

Severity	Count
🔴 Critical	3
🟠 High	31
🟡 Medium	17

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
    "type": "download_then_run",
    "file": "mirror.yml",
    "action": "verify_download_integrity",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/clients/sublime/UniversalConnector.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/clients/vscode/extension.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (6 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 53,
    "reason": "Secret found: Generic secret",
    "type": "secret_detected",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/server/src/lib.rs",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in universal-language-server-plugin: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 3 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/code_safety/shell_download_then_run -- Hypatia code_safety: shell_download_then_run -- 3 day(s) old",
    "type": "CSA001",
    "file": "setup.sh",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

github-actions · 2026-05-26T19:48:36Z

🔍 Hypatia Security Scan

Findings: 48 issues detected

Severity	Count
🔴 Critical	3
🟠 High	28
🟡 Medium	17

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
    "type": "download_then_run",
    "file": "mirror.yml",
    "action": "verify_download_integrity",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Python file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/clients/sublime/UniversalConnector.py",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/clients/vscode/extension.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "innerHTML assignment -- XSS risk, use textContent or SafeDOM (6 occurrences, CWE-79)",
    "type": "js_innerhtml",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/web/app.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 53,
    "reason": "Secret found: Generic secret",
    "type": "secret_detected",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin/server/src/lib.rs",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Nominal-only SAST in universal-language-server-plugin: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/universal-language-server-plugin/universal-language-server-plugin",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 6 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
    "type": "CSA001",
    "file": ".github/workflows/hypatia-scan.yml",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

hyperpolymath enabled auto-merge (squash) May 26, 2026 12:30

Merge branch 'main' into claude/tech-debt-2026-05-26

088cbae

hyperpolymath merged commit feacbce into main May 27, 2026
22 of 23 checks passed

hyperpolymath deleted the claude/tech-debt-2026-05-26 branch May 27, 2026 12:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

docs: record tech-debt audit findings (2026-05-26)#29

docs: record tech-debt audit findings (2026-05-26)#29
hyperpolymath merged 2 commits into
mainfrom
claude/tech-debt-2026-05-26

hyperpolymath commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026

Uh oh!

github-actions Bot commented May 26, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

hyperpolymath commented May 26, 2026

Summary

Companion estate-wide audits

Uh oh!

github-actions Bot commented May 26, 2026

🔍 Hypatia Security Scan

Uh oh!

github-actions Bot commented May 26, 2026

🔍 Hypatia Security Scan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant