hardening: 3 latent Hypatia findings (unsafe SAFETY comments, setup-deno SHA-pin, secret presence-gate)

[hyperpolymath]

Context

Surfaced by the Hypatia security-scan comment on PR #651 (a docs-only PR). Per .claude/CLAUDE.md, that comment reports findings across the whole repo and is treated as noise unless a finding is a delta in the PR's changed files — none of these are; they are pre-existing and outside #651's changeset (NAVIGATION.adoc, tutorial/lesson-01-hello.adoc, STATE.a2ml). Filing here so the genuine ones are tracked rather than lost in the recurring scan output. The gating Hypatia check-run is separate and unaffected.

Items

• unsafe blocks missing SAFETY: comments (CWE-676): runtime/src/panic.rs (2), runtime/src/alloc.rs (1), runtime/src/ffi.rs (3). Add a // SAFETY: justification to each.
• denoland/setup-deno@v2 unpinned in .github/workflows/publish-jsr.yml — pin to a full commit SHA, per the repo's "pin every uses: to a SHA" rule (also avoids the tag-pinned-ref startup_failure class).
• secret_action_without_presence_gate (high) in .github/workflows/instant-sync.yml — gate the peter-evans/repository-dispatch step on presence of its secret.

Explicitly NOT in scope (documented exemptions / accepted)

• packages/affinescript-cli/mod.js js_exec_sync — approved Runtime Exemption (distribution-shim node:child_process); see CLAUDE.md.
• packages/affine-vscode/mod.js, affinescript-vite/src/affine-plugin-improved.js js_exec_sync — JS carve-outs / tooling shims.
• expect_in_hot_path in affinescriptiser/src/codegen/{wasm_gen,affine_gen}.rs — expect() with messages in codegen is acceptable; lower priority, can revisit separately.

Follow-up

The scan reported 2 "critical" findings not enumerated in the comment's truncated JSON. Confirming/triaging those needs the full Hypatia finding set — separate task; can be pulled on request.

[hyperpolymath]

The 2 "critical" findings — identified and triaged (no action needed)

Followed up on the unenumerated criticals noted above. Hypatia's comment/artifact/log never list them (only an aggregate critical=2 + a 10-item sample that excluded both), so I identified them deductively against Hypatia's rule source:

Both are code_safety rule :unwrap_dangerous_default (~r/\.unwrap_or\(0\)/, CWE-754, severity: :critical):

• tools/affinescript-lsp/src/main.rs:155
• tools/affinescript-lsp/src/handlers.rs:575

Conclusive: exactly two .unwrap_or(0) exist repo-wide (= critical=2); every other critical pattern checked returns zero (transmute, Obj.magic/Obj.repr, Coq Admitted/admit, JS eval(, hardcoded-secret); tools/ is in-scope; and neither site is in .hypatia-ignore (which only covers tools/res-to-affine/** .res fixtures) and there is no .hypatia-baseline.json. So they necessarily produce the 2 criticals and nothing else does.

Disposition: false positives — no AffineScript change. .unwrap_or(0) is the panic-free, idiomatic-safe form:

• handlers.rs:575 — 0 is the correct start-of-line word-boundary default.
• main.rs:155 — defaults version to 0, then explicitly checks if version < 1 || version > 2 and falls back gracefully; the exceptional case is handled, so CWE-754 doesn't apply.

The rule itself is miscalibrated (it rates the panic-free form critical/"DoS via panic" while rating .unwrap() only high), and the reporting gap (criticals counted but never surfaced) is the reason this needed manual reconstruction. Both are filed against Hypatia: hyperpolymath/hypatia#521.

This resolves the "2 critical (follow-up)" item; the three checklist items above remain the only actionable hardening work here.

---

Generated by Claude Code