fix(ci): repair doc-truthing guard after #614's .md→.adoc migration #617

Merged: hyperpolymath merged 1 commit into main from claude/inspiring-newton-dg5wov, Jun 21, 2026
@hyperpolymath

Owner

What

Repairs main's red CI after #614 merged. The build job's ./tools/check-doc-truthing.sh governance guard failed because #614 migrated six status/history docs from .md → .adoc, but the guard still keyed off the old .md paths in two places:

  • Presence list (BANNERED_DOCS) → bannered doc is missing for BACKEND-IMPLEMENTATION, COMPILER-CAPABILITIES, ALPHA-1-RELEASE-NOTES.
  • Over-claim ratchet baseline (tools/doc-overclaims.allow) → new over-claim(s) for the migrated .adoc history/roadmap snapshots (identical, already-blessed claims — just at .adoc paths with .adoc markup).

On the previous main tip (2aa00ff) this guard was green, so this is a regression introduced purely by the migration — not new over-claiming.

Fix (hotfix + hardening)

  1. Re-key the over-claim baseline to the migrated .adoc paths via the tool's documented --update. This is a 1:1 re-bless of identical historical/roadmap content — every removed .md signature has an equivalent .adoc one added; zero new live over-claims.
  2. Harden the presence check so it can't re-break on a future migration: BANNERED_DOCS are now extension-less stems resolved to whichever of .adoc/.md is present (.adoc preferred).

Verification

  • ./tools/check-doc-truthing.sh → exit 0: "OK: doc-truthing intact — presence invariants + over-claim ratchet (DOC-04/05/08/09)."
  • Resolver unit-tested: both-present → .adoc; only .md → .md; neither → missing.
  • dune build clean. (The only build-job step after the guard is dune build @fmt; this change touches no OCaml, so it's unaffected.)

Greens the build job / CI on main.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8


Generated by Claude Code

#614 migrated six status/history docs from .md to .adoc, but the
doc-truthing guard kept the old .md paths in two places, turning main's
`build` job red:
  - BANNERED_DOCS presence list -> "bannered doc is missing" for
    BACKEND-IMPLEMENTATION / COMPILER-CAPABILITIES / ALPHA-1-RELEASE-NOTES
  - over-claim ratchet baseline (tools/doc-overclaims.allow) -> "new
    over-claim(s)" for the migrated .adoc history/roadmap snapshots
    (identical already-blessed claims, now at .adoc paths + .adoc markup)

Fix (hotfix + hardening):
  - Re-key the over-claim baseline to the migrated .adoc paths via
    `--update`: a 1:1 re-bless of identical historical/roadmap content,
    no new live over-claims.
  - Harden the presence check so it cannot re-break on a future
    migration: BANNERED_DOCS are now extension-less stems resolved to
    whichever of .adoc/.md is present (.adoc preferred).

Verified: guard exits 0 on the merged tree; resolver tested for the
.adoc / .md / neither cases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
@hyperpolymath hyperpolymath marked this pull request as ready for review June 21, 2026 02:02
@hyperpolymath hyperpolymath enabled auto-merge (squash) June 21, 2026 02:02
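
The resolver behaviour described in the PR above (extension-less stems, `.adoc` preferred, `.md` as fallback, neither means missing), as an added example that is not part of the PR or of the project's `check-doc-truthing.sh`. The function names and the temporary sample tree are assumptions; only the three doc stems come from the PR text.

```bash
#!/usr/bin/env bash
# Added example with hypothetical function names; not the project's guard script.

# Print the path for an extension-less stem, preferring .adoc over .md.
# Returns 1 and prints nothing when neither file exists.
resolve_doc() {
  local dir="$1" stem="$2" ext
  for ext in adoc md; do
    if [ -f "$dir/$stem.$ext" ]; then
      printf '%s\n' "$dir/$stem.$ext"
      return 0
    fi
  done
  return 1
}

# Check every stem and report all missing docs, not only the first one,
# so one run of the guard shows the full set of broken paths.
check_presence() {
  local dir="$1" missing=0 stem
  shift
  for stem in "$@"; do
    if ! resolve_doc "$dir" "$stem" >/dev/null; then
      echo "bannered doc is missing: $stem (.adoc or .md)" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Constructed sample tree covering the three resolver cases.
demo() {
  local d
  d=$(mktemp -d)
  touch "$d/BACKEND-IMPLEMENTATION.adoc" "$d/BACKEND-IMPLEMENTATION.md"  # both present
  touch "$d/COMPILER-CAPABILITIES.md"                                    # only .md
  # ALPHA-1-RELEASE-NOTES is deliberately absent                         # neither
  resolve_doc "$d" BACKEND-IMPLEMENTATION
  resolve_doc "$d" COMPILER-CAPABILITIES
  check_presence "$d" BACKEND-IMPLEMENTATION COMPILER-CAPABILITIES \
    ALPHA-1-RELEASE-NOTES || echo "guard would fail the build job here"
  rm -rf "$d"
}
demo
```
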
@github-actions


🔍 Hypatia Security Scan

Findings: 42 issues detected

Severity Count
🔴 Critical 2
🟠 High 24
🟡 Medium 16

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action denoland/setup-deno@v2 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (32 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (29 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath disabled auto-merge June 21, 2026 02:09
@hyperpolymath hyperpolymath merged commit 33a4bfb into main Jun 21, 2026
15 of 16 checks passed
@hyperpolymath hyperpolymath deleted the claude/inspiring-newton-dg5wov branch June 21, 2026 02:09
hyperpolymath added a commit that referenced this pull request Jun 21, 2026
#614 added lib/borrow_polonius/dune unformatted; the build job's
`dune build @fmt` requires a blank line between the comment block and
the (library ...) stanza. It was masked on main until #617 fixed the
doc-truthing guard that failed earlier in the same job.

Only the blank line is added (canonical `dune format-dune-file` output);
no other dune files are touched — root dune-project / .build/dune-project
"drift" only under newer local dune and is not flagged by CI's dune.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
hyperpolymath added a commit that referenced this pull request Jun 21, 2026
## What

Greens `main`'s `build` job. After #617 fixed the doc-truthing guard,
the next `build` step — `dune build @fmt` — fails because **#614 added
`lib/borrow_polonius/dune` without the blank line** `dune fmt` requires
between the comment block and the `(library …)` stanza.

## Fix

Add the single blank line (canonical `dune format-dune-file` output).
Nothing else changes.

> Note: root `dune-project` / `.build/dune-project` show "drift" only
under newer **local** dune (3.14.0) and drift identically on `2aa00ff`
where CI's `@fmt` was green — i.e. CI's dune does **not** flag them, so
they're deliberately left untouched.

## Why this is a separate PR

#614 was merged (bypass) while its CI was incomplete — the `build` job
died at doc-truthing *before* reaching `@fmt`, so its `@fmt` compliance
was never checked. #617 fixed the first failure; this fixes the one it
unmasked. After this, the `build` job should be green.

Verified: `dune format-dune-file lib/borrow_polonius/dune` is now a
no-op.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8

---
_Generated by [Claude
Code](https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8)_

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>